willdot.net / at-container-registry
forked from evan.jarrett.net/at-container-registry
A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

fix app-passwords remove dead code

Evan Jarrett b085d53c 336dd5f9

+9 -540
-122
cmd/profile-update/main.go
··· 1 - package main 2 - 3 - import ( 4 - "context" 5 - "encoding/base64" 6 - "encoding/json" 7 - "flag" 8 - "fmt" 9 - "log" 10 - "os" 11 - "path/filepath" 12 - "strings" 13 - 14 - "atcr.io/pkg/atproto" 15 - atprotoAuth "atcr.io/pkg/auth/atproto" 16 - ) 17 - 18 - // DockerConfig represents ~/.docker/config.json 19 - type DockerConfig struct { 20 - Auths map[string]AuthEntry `json:"auths"` 21 - } 22 - 23 - type AuthEntry struct { 24 - Auth string `json:"auth"` // base64(username:password) 25 - } 26 - 27 - func main() { 28 - var defaultHold string 29 - var registryURL string 30 - 31 - flag.StringVar(&defaultHold, "default-hold", "", "Default hold endpoint URL (e.g., http://172.28.0.3:8080)") 32 - flag.StringVar(&registryURL, "registry", "127.0.0.1:5000", "Registry URL to read auth from Docker config") 33 - flag.Parse() 34 - 35 - // Read Docker config 36 - home, err := os.UserHomeDir() 37 - if err != nil { 38 - log.Fatalf("Failed to get home directory: %v", err) 39 - } 40 - dockerConfigPath := filepath.Join(home, ".docker", "config.json") 41 - 42 - configData, err := os.ReadFile(dockerConfigPath) 43 - if err != nil { 44 - log.Fatalf("Failed to read Docker config: %v\n\nMake sure you've logged in with: docker login %s", err, registryURL) 45 - } 46 - 47 - var dockerConfig DockerConfig 48 - if err := json.Unmarshal(configData, &dockerConfig); err != nil { 49 - log.Fatalf("Failed to parse Docker config: %v", err) 50 - } 51 - 52 - // Get auth for registry 53 - authEntry, ok := dockerConfig.Auths[registryURL] 54 - if !ok { 55 - log.Fatalf("No auth found for registry %s in Docker config", registryURL) 56 - } 57 - 58 - // Decode base64 auth (format: "username:password") 59 - authBytes, err := base64.StdEncoding.DecodeString(authEntry.Auth) 60 - if err != nil { 61 - log.Fatalf("Failed to decode auth: %v", err) 62 - } 63 - 64 - parts := strings.SplitN(string(authBytes), ":", 2) 65 - if len(parts) != 2 { 66 - log.Fatalf("Invalid auth format") 67 - } 68 - 69 - handle := parts[0] 70 - password := parts[1] // This should be an app password 71 - 72 - fmt.Printf("Handle: %s\n", handle) 73 - 74 - // Create session validator and get access token 75 - validator := atprotoAuth.NewSessionValidator() 76 - ctx := context.Background() 77 - 78 - did, pdsEndpoint, accessToken, err := validator.CreateSessionAndGetToken(ctx, handle, password) 79 - if err != nil { 80 - log.Fatalf("Failed to authenticate: %v", err) 81 - } 82 - 83 - fmt.Printf("DID: %s\n", did) 84 - fmt.Printf("PDS: %s\n\n", pdsEndpoint) 85 - 86 - // Create client with the access token from createSession 87 - client := atproto.NewClient(pdsEndpoint, did, accessToken) 88 - 89 - // Get current profile 90 - profile, err := atproto.GetProfile(ctx, client) 91 - if err != nil { 92 - log.Fatalf("Failed to get current profile: %v", err) 93 - } 94 - 95 - if profile == nil { 96 - if defaultHold == "" { 97 - fmt.Println("No existing profile found.") 98 - fmt.Println("\nTo create profile with default hold, use: -default-hold <url>") 99 - return 100 - } 101 - fmt.Println("No existing profile found. Creating new profile...") 102 - profile = atproto.NewSailorProfileRecord(defaultHold) 103 - } else { 104 - fmt.Printf("Current defaultHold: %s\n", profile.DefaultHold) 105 - if defaultHold == "" { 106 - // Just show current profile 107 - fmt.Println("\nTo update, use: -default-hold <url>") 108 - return 109 - } 110 - profile.DefaultHold = defaultHold 111 - } 112 - 113 - // Update profile 114 - if defaultHold != "" { 115 - err = atproto.UpdateProfile(ctx, client, profile) 116 - if err != nil { 117 - log.Fatalf("Failed to update profile: %v", err) 118 - } 119 - 120 - fmt.Printf("\n✓ Updated defaultHold to: %s\n", defaultHold) 121 - } 122 - }
+6 -40
pkg/auth/atproto/session.go
··· 19 19 // CachedSession represents a cached session 20 20 type CachedSession struct { 21 21 DID string 22 + Handle string 22 23 PDS string 23 24 AccessToken string 24 25 ExpiresAt time.Time ··· 83 84 AccessToken string `json:"access_token,omitempty"` // Alternative field name 84 85 } 85 86 86 - // ValidateCredentials validates username and password against ATProto 87 - // Returns the user's DID and PDS endpoint if valid 88 - func (v *SessionValidator) ValidateCredentials(ctx context.Context, identifier, password string) (did, pdsEndpoint string, err error) { 89 - // Resolve identifier (handle or DID) to PDS endpoint 90 - atID, err := syntax.ParseAtIdentifier(identifier) 91 - if err != nil { 92 - return "", "", fmt.Errorf("invalid identifier %q: %w", identifier, err) 93 - } 94 - 95 - ident, err := v.directory.Lookup(ctx, *atID) 96 - if err != nil { 97 - return "", "", fmt.Errorf("failed to resolve identity %q: %w", identifier, err) 98 - } 99 - 100 - resolvedDID := ident.DID.String() 101 - pds := ident.PDSEndpoint() 102 - if pds == "" { 103 - return "", "", fmt.Errorf("no PDS endpoint found for %q", identifier) 104 - } 105 - 106 - fmt.Printf("DEBUG: Resolved %s to DID=%s, PDS=%s\n", identifier, resolvedDID, pds) 107 - 108 - // Create session with the PDS 109 - fmt.Printf("DEBUG [atproto/session]: Creating session for %s at PDS %s\n", identifier, pds) 110 - sessionResp, err := v.createSession(ctx, pds, identifier, password) 111 - if err != nil { 112 - fmt.Printf("DEBUG [atproto/session]: Session creation failed: %v\n", err) 113 - return "", "", fmt.Errorf("authentication failed for %s at PDS %s: %w", identifier, pds, err) 114 - } 115 - 116 - fmt.Printf("DEBUG [atproto/session]: Session created successfully, DID=%s, Handle=%s, AccessJWT length=%d\n", 117 - sessionResp.DID, sessionResp.Handle, len(sessionResp.AccessJWT)) 118 - 119 - return sessionResp.DID, pds, nil 120 - } 121 - 122 - // CreateSessionAndGetToken creates a session and returns the DID, PDS endpoint, and access token 123 - func (v *SessionValidator) CreateSessionAndGetToken(ctx context.Context, identifier, password string) (did, pdsEndpoint, accessToken string, err error) { 87 + // CreateSessionAndGetToken creates a session and returns the DID, handle, and access token 88 + func (v *SessionValidator) CreateSessionAndGetToken(ctx context.Context, identifier, password string) (did, handle, accessToken string, err error) { 124 89 // Check cache first 125 90 cacheKey := getCacheKey(identifier, password) 126 91 if cached, ok := v.getCachedSession(cacheKey); ok { 127 92 fmt.Printf("DEBUG [atproto/session]: Using cached session for %s (DID=%s)\n", identifier, cached.DID) 128 - return cached.DID, cached.PDS, cached.AccessToken, nil 93 + return cached.DID, cached.Handle, cached.AccessToken, nil 129 94 } 130 95 131 96 fmt.Printf("DEBUG [atproto/session]: No cached session for %s, creating new session\n", identifier) ··· 156 121 // Cache the session (ATProto sessions typically last 2 hours) 157 122 v.setCachedSession(cacheKey, &CachedSession{ 158 123 DID: sessionResp.DID, 124 + Handle: sessionResp.Handle, 159 125 PDS: pds, 160 126 AccessToken: sessionResp.AccessJWT, 161 127 ExpiresAt: time.Now().Add(2 * time.Hour), 162 128 }) 163 129 fmt.Printf("DEBUG [atproto/session]: Cached session for %s (expires in 2 hours)\n", identifier) 164 130 165 - return sessionResp.DID, pds, sessionResp.AccessJWT, nil 131 + return sessionResp.DID, sessionResp.Handle, sessionResp.AccessJWT, nil 166 132 } 167 133 168 134 // createSession calls com.atproto.server.createSession
-112
pkg/auth/atproto/validator.go
··· 1 - package atproto 2 - 3 - import ( 4 - "context" 5 - "encoding/json" 6 - "fmt" 7 - "io" 8 - "net/http" 9 - 10 - "github.com/bluesky-social/indigo/atproto/identity" 11 - "github.com/bluesky-social/indigo/atproto/syntax" 12 - ) 13 - 14 - // TokenValidator validates ATProto OAuth access tokens 15 - type TokenValidator struct { 16 - httpClient *http.Client 17 - } 18 - 19 - // NewTokenValidator creates a new token validator 20 - func NewTokenValidator() *TokenValidator { 21 - return &TokenValidator{ 22 - httpClient: &http.Client{}, 23 - } 24 - } 25 - 26 - // SessionInfo represents the response from com.atproto.server.getSession 27 - type SessionInfo struct { 28 - DID string `json:"did"` 29 - Handle string `json:"handle"` 30 - Email string `json:"email,omitempty"` 31 - EmailConfirmed bool `json:"emailConfirmed,omitempty"` 32 - Active bool `json:"active,omitempty"` 33 - } 34 - 35 - // ValidateToken validates an ATProto OAuth access token by calling getSession 36 - // Returns the user's DID and handle if the token is valid 37 - // dpopProof is optional - if provided, uses DPoP auth; otherwise uses Bearer 38 - func (v *TokenValidator) ValidateToken(ctx context.Context, pdsEndpoint, accessToken, dpopProof string) (*SessionInfo, error) { 39 - // Call com.atproto.server.getSession with the access token 40 - url := fmt.Sprintf("%s/xrpc/com.atproto.server.getSession", pdsEndpoint) 41 - 42 - req, err := http.NewRequestWithContext(ctx, "GET", url, nil) 43 - if err != nil { 44 - return nil, fmt.Errorf("failed to create request: %w", err) 45 - } 46 - 47 - // Always use Bearer auth for getSession validation 48 - // The DPoP proof from the client is bound to their request to us (POST /auth/exchange), 49 - // not to our request to the PDS (GET /getSession) 50 - req.Header.Set("Authorization", "Bearer "+accessToken) 51 - 52 - fmt.Printf("DEBUG [validator]: calling %s with Bearer auth, token_prefix=%s...\n", 53 - url, accessToken[:min(20, len(accessToken))]) 54 - 55 - resp, err := v.httpClient.Do(req) 56 - if err != nil { 57 - return nil, fmt.Errorf("failed to get session: %w", err) 58 - } 59 - defer resp.Body.Close() 60 - 61 - // Read body once for both logging and error handling 62 - bodyBytes, _ := io.ReadAll(resp.Body) 63 - 64 - if resp.StatusCode == http.StatusUnauthorized { 65 - fmt.Printf("DEBUG [validator]: getSession returned 401: %s\n", string(bodyBytes)) 66 - return nil, fmt.Errorf("invalid or expired token") 67 - } 68 - 69 - if resp.StatusCode != http.StatusOK { 70 - fmt.Printf("DEBUG [validator]: getSession failed with status %d: %s\n", resp.StatusCode, string(bodyBytes)) 71 - return nil, fmt.Errorf("getSession failed with status %d: %s", resp.StatusCode, string(bodyBytes)) 72 - } 73 - 74 - var session SessionInfo 75 - if err := json.Unmarshal(bodyBytes, &session); err != nil { 76 - return nil, fmt.Errorf("failed to decode session: %w", err) 77 - } 78 - 79 - // Validate required fields 80 - if session.DID == "" { 81 - return nil, fmt.Errorf("session response missing DID") 82 - } 83 - if session.Handle == "" { 84 - return nil, fmt.Errorf("session response missing handle") 85 - } 86 - 87 - return &session, nil 88 - } 89 - 90 - // ValidateTokenWithResolver validates a token and automatically resolves the PDS endpoint 91 - // dpopProof is optional - if provided, uses DPoP auth; otherwise uses Bearer 92 - func (v *TokenValidator) ValidateTokenWithResolver(ctx context.Context, handle, accessToken, dpopProof string) (*SessionInfo, error) { 93 - // Resolve handle to PDS endpoint 94 - directory := identity.DefaultDirectory() 95 - atID, err := syntax.ParseAtIdentifier(handle) 96 - if err != nil { 97 - return nil, fmt.Errorf("invalid identifier %q: %w", handle, err) 98 - } 99 - 100 - ident, err := directory.Lookup(ctx, *atID) 101 - if err != nil { 102 - return nil, fmt.Errorf("failed to resolve PDS endpoint: %w", err) 103 - } 104 - 105 - pdsEndpoint := ident.PDSEndpoint() 106 - if pdsEndpoint == "" { 107 - return nil, fmt.Errorf("no PDS endpoint found for %q", handle) 108 - } 109 - 110 - // Validate token against the PDS 111 - return v.ValidateToken(ctx, pdsEndpoint, accessToken, dpopProof) 112 - }
-87
pkg/auth/oauth/interactive.go
··· 4 4 "context" 5 5 "fmt" 6 6 "net/http" 7 - "net/url" 8 - "sync" 9 7 "time" 10 8 11 9 "github.com/bluesky-social/indigo/atproto/auth/oauth" ··· 16 14 SessionData *oauth.ClientSessionData 17 15 Session *oauth.ClientSession 18 16 App *App 19 - } 20 - 21 - // RunInteractiveFlow runs an interactive OAuth flow for CLI tools 22 - // This is a simplified wrapper around indigo's OAuth flow 23 - func RunInteractiveFlow( 24 - ctx context.Context, 25 - baseURL string, 26 - handle string, 27 - scopes []string, 28 - onAuthURL func(string) error, 29 - ) (*InteractiveResult, error) { 30 - // Create temporary file store for this flow 31 - store, err := NewFileStore("/tmp/atcr-oauth-temp.json") 32 - if err != nil { 33 - return nil, fmt.Errorf("failed to create OAuth store: %w", err) 34 - } 35 - 36 - // Create OAuth app 37 - app, err := NewApp(baseURL, store) 38 - if err != nil { 39 - return nil, fmt.Errorf("failed to create OAuth app: %w", err) 40 - } 41 - 42 - // Set custom scopes if provided 43 - if len(scopes) > 0 { 44 - // Note: indigo's ClientApp doesn't expose SetScopes, so we need to use default scopes 45 - // This is a limitation of the current implementation 46 - // TODO: Enhance if custom scopes are needed 47 - } 48 - 49 - // Start auth flow 50 - authURL, err := app.StartAuthFlow(ctx, handle) 51 - if err != nil { 52 - return nil, fmt.Errorf("failed to start auth flow: %w", err) 53 - } 54 - 55 - // Call the callback to display the auth URL 56 - if err := onAuthURL(authURL); err != nil { 57 - return nil, fmt.Errorf("auth URL callback failed: %w", err) 58 - } 59 - 60 - // Wait for OAuth callback 61 - // The callback will be handled by the http.HandleFunc registered by the caller 62 - // We need to wait for ProcessCallback to be called 63 - // This is a bit awkward, but matches the old pattern 64 - 65 - // Setup a channel to receive callback params 66 - callbackChan := make(chan url.Values, 1) 67 - var setupOnce sync.Once 68 - 69 - // Return a function that the caller can use to process the callback 70 - // This is called from the HTTP handler 71 - processCallback := func(params url.Values) (*oauth.ClientSessionData, error) { 72 - setupOnce.Do(func() { 73 - callbackChan <- params 74 - }) 75 - sessionData, err := app.ProcessCallback(ctx, params) 76 - if err != nil { 77 - return nil, fmt.Errorf("failed to process callback: %w", err) 78 - } 79 - return sessionData, nil 80 - } 81 - 82 - // Wait for callback with timeout 83 - select { 84 - case params := <-callbackChan: 85 - sessionData, err := processCallback(params) 86 - if err != nil { 87 - return nil, err 88 - } 89 - 90 - // Resume session to get ClientSession 91 - session, err := app.ResumeSession(ctx, sessionData.AccountDID, sessionData.SessionID) 92 - if err != nil { 93 - return nil, fmt.Errorf("failed to resume session: %w", err) 94 - } 95 - 96 - return &InteractiveResult{ 97 - SessionData: sessionData, 98 - Session: session, 99 - App: app, 100 - }, nil 101 - case <-time.After(5 * time.Minute): 102 - return nil, fmt.Errorf("OAuth flow timed out after 5 minutes") 103 - } 104 17 } 105 18 106 19 // InteractiveFlowWithCallback runs an interactive OAuth flow with explicit callback handling
-97
pkg/auth/oauth/refresher.go
··· 3 3 import ( 4 4 "context" 5 5 "fmt" 6 - "net/http" 7 6 "sync" 8 7 9 8 "github.com/bluesky-social/indigo/atproto/auth/oauth" ··· 74 73 return r.resumeSession(ctx, did) 75 74 } 76 75 77 - // GetAccessToken gets a fresh access token for a DID 78 - // This is a convenience method that extracts the access token from the session 79 - func (r *Refresher) GetAccessToken(ctx context.Context, did string) (string, error) { 80 - session, err := r.GetSession(ctx, did) 81 - if err != nil { 82 - return "", err 83 - } 84 - 85 - // Get access token and DPoP nonce from session 86 - accessToken, _ := session.GetHostAccessData() 87 - return accessToken, nil 88 - } 89 - 90 - // GetHTTPClient returns an HTTP client with DPoP authentication for a DID 91 - // The client automatically adds DPoP headers and refreshes tokens as needed 92 - func (r *Refresher) GetHTTPClient(ctx context.Context, did string) (*http.Client, error) { 93 - session, err := r.GetSession(ctx, did) 94 - if err != nil { 95 - return nil, err 96 - } 97 - 98 - // Get API client from session 99 - // This client automatically handles DPoP and token refresh 100 - apiClient := session.APIClient() 101 - return apiClient.Client, nil 102 - } 103 - 104 76 // resumeSession loads a session from storage and caches it 105 77 func (r *Refresher) resumeSession(ctx context.Context, did string) (*oauth.ClientSession, error) { 106 78 // Parse DID ··· 153 125 delete(r.sessions, did) 154 126 r.mu.Unlock() 155 127 } 156 - 157 - // RevokeSession removes a session from both cache and storage 158 - func (r *Refresher) RevokeSession(ctx context.Context, did string) error { 159 - // Remove from cache 160 - r.mu.Lock() 161 - cached, ok := r.sessions[did] 162 - delete(r.sessions, did) 163 - r.mu.Unlock() 164 - 165 - if !ok { 166 - // Not cached, still try to delete from storage 167 - accountDID, err := syntax.ParseDID(did) 168 - if err != nil { 169 - return fmt.Errorf("failed to parse DID: %w", err) 170 - } 171 - 172 - // Find session ID from store 173 - fileStore, ok := r.app.clientApp.Store.(*FileStore) 174 - if !ok { 175 - return fmt.Errorf("store is not a FileStore") 176 - } 177 - 178 - sessions := fileStore.ListSessions() 179 - for _, sessionData := range sessions { 180 - if sessionData.AccountDID.String() == did { 181 - return r.app.clientApp.Store.DeleteSession(ctx, accountDID, sessionData.SessionID) 182 - } 183 - } 184 - 185 - return fmt.Errorf("no session found for DID: %s", did) 186 - } 187 - 188 - // Revoke the session via OAuth 189 - if err := cached.Session.RevokeSession(ctx); err != nil { 190 - fmt.Printf("WARNING: failed to revoke session for %s: %v\n", did, err) 191 - // Continue anyway to delete from storage 192 - } 193 - 194 - // Delete from storage 195 - accountDID, err := syntax.ParseDID(did) 196 - if err != nil { 197 - return fmt.Errorf("failed to parse DID: %w", err) 198 - } 199 - 200 - return r.app.clientApp.Store.DeleteSession(ctx, accountDID, cached.SessionID) 201 - } 202 - 203 - // CleanupExpiredSessions removes expired sessions from cache 204 - // Note: indigo handles token expiry automatically, but we clean up orphaned cache entries 205 - func (r *Refresher) CleanupExpiredSessions(ctx context.Context) { 206 - r.mu.Lock() 207 - defer r.mu.Unlock() 208 - 209 - // For each cached session, verify it still exists in storage 210 - for did, cached := range r.sessions { 211 - accountDID, err := syntax.ParseDID(did) 212 - if err != nil { 213 - delete(r.sessions, did) 214 - continue 215 - } 216 - 217 - // Try to get session from store 218 - _, err = r.app.clientApp.Store.GetSession(ctx, accountDID, cached.SessionID) 219 - if err != nil { 220 - // Session no longer exists, remove from cache 221 - delete(r.sessions, did) 222 - } 223 - } 224 - }
+3 -25
pkg/auth/oauth/server.go
··· 1 1 package oauth 2 2 3 3 import ( 4 - "context" 5 4 "fmt" 6 5 "html/template" 7 6 "net/http" 8 7 "time" 9 - 10 - "github.com/bluesky-social/indigo/atproto/syntax" 11 8 ) 12 9 13 10 // UISessionStore is the interface for UI session management ··· 102 99 fmt.Printf("DEBUG [oauth/server]: Invalidated cached session for DID=%s after creating new session\n", did) 103 100 } 104 101 105 - // We need to get the handle for UI sessions and settings redirect 106 - // Resolve DID to handle using our resolver 107 - handle, err := s.resolveHandle(r.Context(), did) 102 + // Look up identity 103 + ident, err := s.app.directory.LookupDID(r.Context(), sessionData.AccountDID) 104 + handle := ident.Handle.String() 108 105 if err != nil { 109 106 fmt.Printf("WARNING [oauth/server]: Failed to resolve DID to handle: %v, using DID as handle\n", err) 110 107 handle = did // Fallback to DID if resolution fails ··· 150 147 151 148 // Non-UI flow: redirect to settings to get API key 152 149 s.renderRedirectToSettings(w, handle) 153 - } 154 - 155 - // resolveHandle attempts to resolve a DID to a handle 156 - // This is a best-effort helper - we use the directory to look up the handle 157 - func (s *Server) resolveHandle(ctx context.Context, didStr string) (string, error) { 158 - // Parse DID 159 - did, err := syntax.ParseDID(didStr) 160 - if err != nil { 161 - return "", fmt.Errorf("invalid DID: %w", err) 162 - } 163 - 164 - // Look up identity 165 - ident, err := s.app.directory.LookupDID(ctx, did) 166 - if err != nil { 167 - return "", fmt.Errorf("failed to lookup DID: %w", err) 168 - } 169 - 170 - // Return handle (may be handle.invalid if verification failed) 171 - return ident.Handle.String(), nil 172 150 } 173 151 174 152 // renderRedirectToSettings redirects to the settings page to generate an API key
-57
pkg/server/handler.go
··· 1 - package server 2 - 3 - import ( 4 - "net/http" 5 - "strings" 6 - 7 - "github.com/bluesky-social/indigo/atproto/identity" 8 - ) 9 - 10 - // ATProtoHandler wraps an HTTP handler to provide name resolution 11 - // This is an optional layer if middleware doesn't provide enough control 12 - type ATProtoHandler struct { 13 - handler http.Handler 14 - directory identity.Directory 15 - } 16 - 17 - // NewATProtoHandler creates a new HTTP handler wrapper 18 - func NewATProtoHandler(handler http.Handler) *ATProtoHandler { 19 - return &ATProtoHandler{ 20 - handler: handler, 21 - directory: identity.DefaultDirectory(), 22 - } 23 - } 24 - 25 - // ServeHTTP handles HTTP requests with name resolution 26 - func (h *ATProtoHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { 27 - // Parse the request path to extract user/image 28 - // OCI Distribution API paths look like: 29 - // /v2/<name>/manifests/<reference> 30 - // /v2/<name>/blobs/<digest> 31 - 32 - path := r.URL.Path 33 - 34 - // Check if this is a v2 API request 35 - if strings.HasPrefix(path, "/v2/") { 36 - // Extract the repository name 37 - parts := strings.Split(strings.TrimPrefix(path, "/v2/"), "/") 38 - if len(parts) >= 2 { 39 - // parts[0] might be username/DID 40 - // We could do early resolution here if needed 41 - // For now, we'll let the middleware handle it 42 - } 43 - } 44 - 45 - // Delegate to the underlying handler 46 - // The registry middleware will handle the actual resolution 47 - h.handler.ServeHTTP(w, r) 48 - } 49 - 50 - // Note: In the current architecture, most of the name resolution 51 - // is handled by the registry middleware. This HTTP handler wrapper 52 - // is here for cases where you need to intercept requests before 53 - // they reach the distribution handlers, such as for: 54 - // - Custom authentication based on DIDs 55 - // - Request rewriting 56 - // - Early validation 57 - // - Custom API endpoints beyond OCI spec