feat: add com.atproto.server.getServiceAuth endpoint (#26)

* feat: add com.atproto.server.getServiceAuth endpoint

This endpoint is required for video uploads. Clients call it to get
a service JWT to authenticate with external services like the video
service (did:web:video.bsky.app).

The endpoint:
- Requires authentication
- Takes 'aud' (required) and 'lxm' (optional) query params
- Returns a signed service JWT with the requested audience and lxm claims

Adds 4 new tests for the endpoint.

* chore: add changeset for getServiceAuth endpoint

* fix: accept service JWTs for video upload auth

The video service (video.bsky.app) calls uploadBlob on the PDS using
a service JWT issued by getServiceAuth. The auth middleware now accepts
these ES256K-signed service JWTs in addition to HS256 session JWTs.

Auth flow:
1. Client gets service JWT via getServiceAuth(aud=PDS, lxm=uploadBlob)
2. Client sends video to video.bsky.app with this token
3. Video service calls uploadBlob on PDS using the same token
4. PDS verifies the service JWT signature and allows the upload

Adds verifyServiceJwt() function and integration test for the flow.

* refactor: restore keypair caching for service JWT verification

The actual fix was wrapping Buffer with Uint8Array, not removing caching.
Cloudflare Workers' Buffer polyfill doesn't work correctly with
@atproto/crypto's verifySignature() - it needs true Uint8Array instances.

Restores caching for better performance while keeping the Uint8Array fix.

* refactor: share keypair caching between modules

Extract keypair caching to a shared module (keypair.ts) used by both
service-auth.ts (for creating service JWTs) and session.ts (for verifying
them). This ensures consistent behavior and reduces code duplication.

* refactor: consolidate service auth code in service-auth.ts

Move keypair caching, verifyServiceJwt, and ServiceJwtPayload from
separate modules into service-auth.ts where they logically belong
alongside createServiceJwt.

* feat: add video embed and missing defs lexicons

Add app.bsky.embed.video schema for video post support, along with
all dependent defs schemas (embed.defs, actor.defs, feed.defs,
graph.defs, notification.defs) that are referenced by other lexicons.

* chore: add script to check for missing lexicon refs

Scans all lexicon JSON files for external references and verifies
that corresponding lexicon files exist. Useful for ensuring all
dependencies are satisfied when adding new schemas.

* ci: run lexicon ref check in update workflow

* fix: convert JSON to lexicon format before validating records

Use jsonToLex() to convert incoming JSON records to proper lexicon
format before validation. This handles $link -> CID conversion and
blob object -> BlobRef conversion, fixing video embed validation.

Author: ascorbic

.changeset/video-upload-auth.md

@@ -0,0 +1,7 @@
+---
+"@ascorbic/pds": minor
+---
+
+Add `com.atproto.server.getServiceAuth` endpoint for video upload authentication
+
+This endpoint is required for video uploads. Clients call it to get a service JWT to authenticate with external services like the video service (`did:web:video.bsky.app`).

.github/workflows/update-lexicons.yml

@@ -15,6 +15,8 @@ jobs:
         uses: actions/checkout@v5
       - name: Update lexicon schemas
         run: ./packages/pds/scripts/update-lexicons.sh
+      - name: Check for missing references
+        run: ./packages/pds/scripts/check-lexicon-refs.sh
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v8
         with:

packages/pds/scripts/check-lexicon-refs.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# Check for missing lexicon references
+# This script scans all lexicon JSON files and reports any external refs
+# that don't have corresponding lexicon files.
+#
+
+set -e
+
+LEXICONS_DIR="$(cd "$(dirname "$0")/../src/lexicons" && pwd)"
+
+echo "Checking lexicon references in: $LEXICONS_DIR"
+echo ""
+
+# Extract all external refs (those with a namespace, not just #fragment)
+# Format: "app.bsky.foo.bar#baz" -> we need "app.bsky.foo.bar"
+refs=$(grep -roh '"ref": "[^#"]*#[^"]*"' "$LEXICONS_DIR"/*.json 2>/dev/null | \
+  grep -v '^"ref": "#' | \
+  sed 's/"ref": "\([^#]*\)#.*/\1/' | \
+  sort -u)
+
+missing=()
+
+for ref in $refs; do
+  file="$LEXICONS_DIR/${ref}.json"
+  if [ ! -f "$file" ]; then
+    missing+=("$ref")
+  fi
+done
+
+if [ ${#missing[@]} -eq 0 ]; then
+  echo "✓ All lexicon references are satisfied!"
+  echo ""
+  exit 0
+else
+  echo "✗ Missing lexicon files for the following refs:"
+  echo ""
+  for ref in "${missing[@]}"; do
+    echo "  - $ref"
+  done
+  echo ""
+  echo "Add these to scripts/update-lexicons.sh and run it to fetch them."
+  exit 1
+fi

packages/pds/scripts/update-lexicons.sh

@@ -23,15 +23,18 @@ schemas=(
   "app/bsky/feed/like"
   "app/bsky/feed/repost"
   "app/bsky/feed/threadgate"
+  "app/bsky/feed/defs"
 
   # Actor schemas
   "app/bsky/actor/profile"
+  "app/bsky/actor/defs"
 
   # Graph schemas
   "app/bsky/graph/follow"
   "app/bsky/graph/block"
   "app/bsky/graph/list"
   "app/bsky/graph/listitem"
+  "app/bsky/graph/defs"
 
   # Richtext schemas
   "app/bsky/richtext/facet"
@@ -41,6 +44,11 @@ schemas=(
   "app/bsky/embed/external"
   "app/bsky/embed/record"
   "app/bsky/embed/recordWithMedia"
+  "app/bsky/embed/video"
+  "app/bsky/embed/defs"
+
+  # Notification schemas (referenced by actor.defs)
+  "app/bsky/notification/defs"
 )
 
 # Fetch each schema

packages/pds/src/index.ts

@@ -215,6 +215,13 @@ app.get("/xrpc/com.atproto.server.getAccountStatus", requireAuth, (c) =>
 	server.getAccountStatus(c, getAccountDO(c.env)),
 );
 
+// Service auth - used by clients to get JWTs for external services (video, etc.)
+app.get(
+	"/xrpc/com.atproto.server.getServiceAuth",
+	requireAuth,
+	server.getServiceAuth,
+);
+
 // Actor preferences (stub - returns empty preferences)
 app.get("/xrpc/app.bsky.actor.getPreferences", requireAuth, (c) => {
 	return c.json({ preferences: [] });