fix(pds): detect content-type from magic bytes for blobs with invalid type (#116)

* fix(pds): detect content-type from magic bytes for blobs with invalid type

When blobs are uploaded with Content-Type: */* (e.g., from video.bsky.app),
the getBlob endpoint now detects the actual content type from magic bytes.

Supports: MP4, MOV, M4V, JPEG, PNG, GIF, WebP, WebM

This fixes video playback issues where videos would stop working after
CDN cache expires because video.bsky.app rejects */* content type.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fingerprint on the way in and out

* changeset

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: ascorbic

.changeset/long-hairs-walk.md

@@ -0,0 +1,5 @@
+---
+"@getcirrus/pds": patch
+---
+
+Detect content type of blobs

packages/pds/src/format.ts

@@ -0,0 +1,87 @@
+/**
+ * Detect content type from file magic bytes.
+ * Returns the detected MIME type or null if unknown.
+ */
+export function detectContentType(bytes: Uint8Array): string | null {
+	// MP4/M4V/MOV - check for ftyp box
+	if (bytes.length >= 12) {
+		const ftyp = String.fromCharCode(
+			bytes[4]!,
+			bytes[5]!,
+			bytes[6]!,
+			bytes[7]!,
+		);
+		if (ftyp === "ftyp") {
+			// Check brand for more specific type
+			const brand = String.fromCharCode(
+				bytes[8]!,
+				bytes[9]!,
+				bytes[10]!,
+				bytes[11]!,
+			);
+			if (
+				brand === "isom" ||
+				brand === "iso2" ||
+				brand === "mp41" ||
+				brand === "mp42" ||
+				brand === "avc1"
+			) {
+				return "video/mp4";
+			}
+			if (brand === "M4V " || brand === "M4VH" || brand === "M4VP") {
+				return "video/x-m4v";
+			}
+			if (brand === "qt  ") {
+				return "video/quicktime";
+			}
+			// Default to mp4 for any ftyp
+			return "video/mp4";
+		}
+	}
+
+	// JPEG
+	if (bytes[0] === 0xff && bytes[1] === 0xd8 && bytes[2] === 0xff) {
+		return "image/jpeg";
+	}
+
+	// PNG
+	if (
+		bytes[0] === 0x89 &&
+		bytes[1] === 0x50 &&
+		bytes[2] === 0x4e &&
+		bytes[3] === 0x47
+	) {
+		return "image/png";
+	}
+
+	// GIF
+	if (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46) {
+		return "image/gif";
+	}
+
+	// WebP
+	if (
+		bytes[0] === 0x52 &&
+		bytes[1] === 0x49 &&
+		bytes[2] === 0x46 &&
+		bytes[3] === 0x46 &&
+		bytes[8] === 0x57 &&
+		bytes[9] === 0x45 &&
+		bytes[10] === 0x42 &&
+		bytes[11] === 0x50
+	) {
+		return "image/webp";
+	}
+
+	// WebM
+	if (
+		bytes[0] === 0x1a &&
+		bytes[1] === 0x45 &&
+		bytes[2] === 0xdf &&
+		bytes[3] === 0xa3
+	) {
+		return "video/webm";
+	}
+
+	return null;
+}

packages/pds/src/xrpc/repo.ts

@@ -1,8 +1,9 @@
 import type { Context } from "hono";
 import { isDid } from "@atcute/lexicons/syntax";
-import { AccountDurableObject } from "../account-do";
-import type { AppEnv, AuthedAppEnv } from "../types";
-import { validator } from "../validation";
+import { AccountDurableObject } from "../account-do.js";
+import type { AppEnv, AuthedAppEnv } from "../types.js";
+import { validator } from "../validation.js";
+import { detectContentType } from "../format.js";
 
 function invalidRecordError(
 	c: Context<AuthedAppEnv>,
@@ -423,9 +424,12 @@ export async function uploadBlob(
 	c: Context<AuthedAppEnv>,
 	accountDO: DurableObjectStub<AccountDurableObject>,
 ): Promise<Response> {
-	const contentType =
-		c.req.header("Content-Type") || "application/octet-stream";
+	let contentType = c.req.header("Content-Type");
+
 	const bytes = new Uint8Array(await c.req.arrayBuffer());
+	if (!contentType || contentType === "*/*") {
+		contentType = detectContentType(bytes) || "application/octet-stream";
+	}
 
 	// Size limit check (60MB)
 	const MAX_BLOB_SIZE = 60 * 1024 * 1024;

packages/pds/src/xrpc/sync.ts

@@ -1,7 +1,8 @@
 import type { Context } from "hono";
 import { isDid, isNsid, isRecordKey } from "@atcute/lexicons/syntax";
 import type { AccountDurableObject } from "../account-do.js";
-import type { AppEnv } from "../types";
+import type { AppEnv } from "../types.js";
+import { detectContentType } from "../format.js";
 
 export async function getRepo(
 	c: Context<AppEnv>,
@@ -289,11 +290,37 @@ export async function getBlob(
 		);
 	}
 
+	// Determine content type, with fallback for missing or invalid values
+	let contentType = blob.httpMetadata?.contentType;
+
+	// If no content type or invalid wildcard, try to detect from content
+	if (!contentType || contentType === "*/*") {
+		// Read first few bytes to detect content type
+		const [headerStream, bodyStream] = blob.body.tee();
+		const reader = headerStream.getReader();
+		const { value: headerBytes } = await reader.read();
+		reader.releaseLock();
+
+		if (headerBytes && headerBytes.length >= 12) {
+			contentType =
+				detectContentType(headerBytes) || "application/octet-stream";
+		} else {
+			contentType = "application/octet-stream";
+		}
+
+		return new Response(bodyStream, {
+			status: 200,
+			headers: {
+				"Content-Type": contentType,
+				"Content-Length": blob.size.toString(),
+			},
+		});
+	}
+
 	return new Response(blob.body, {
 		status: 200,
 		headers: {
-			"Content-Type":
-				blob.httpMetadata?.contentType || "application/octet-stream",
+			"Content-Type": contentType,
 			"Content-Length": blob.size.toString(),
 		},
 	});
@@ -348,7 +375,10 @@ export async function getRecord(
 	// Validate collection is an NSID
 	if (!isNsid(collection)) {
 		return c.json(
-			{ error: "InvalidRequest", message: "Invalid collection format (must be NSID)" },
+			{
+				error: "InvalidRequest",
+				message: "Invalid collection format (must be NSID)",
+			},
 			400,
 		);
 	}

packages/pds/test/blobs.test.ts

@@ -225,6 +225,146 @@ describe("Blob Storage", () => {
 		});
 	});
 
+	describe("Content-Type Detection", () => {
+		it("should detect video/mp4 from magic bytes when stored with */*", async () => {
+			// Create a valid MP4 header (ftyp box with isom brand)
+			const mp4Header = new Uint8Array([
+				0x00, 0x00, 0x00, 0x14, // box size (20 bytes)
+				0x66, 0x74, 0x79, 0x70, // "ftyp"
+				0x69, 0x73, 0x6f, 0x6d, // "isom" brand
+				0x00, 0x00, 0x00, 0x01, // minor version
+				0x69, 0x73, 0x6f, 0x6d, // compatible brand
+			]);
+
+			// Upload with wildcard content type (simulating the bug)
+			const uploadResponse = await worker.fetch(
+				new Request("http://pds.test/xrpc/com.atproto.repo.uploadBlob", {
+					method: "POST",
+					headers: {
+						"Content-Type": "*/*",
+						Authorization: `Bearer ${env.AUTH_TOKEN}`,
+					},
+					body: mp4Header,
+				}),
+				env,
+			);
+
+			expect(uploadResponse.status).toBe(200);
+
+			const uploadData = (await uploadResponse.json()) as {
+				blob: { ref: { $link: string } };
+			};
+			const cid = uploadData.blob.ref.$link;
+
+			// Retrieve - should detect video/mp4 from magic bytes
+			const getResponse = await worker.fetch(
+				new Request(
+					`http://pds.test/xrpc/com.atproto.sync.getBlob?did=${env.DID}&cid=${cid}`,
+				),
+				env,
+			);
+
+			expect(getResponse.status).toBe(200);
+			expect(getResponse.headers.get("Content-Type")).toBe("video/mp4");
+		});
+
+		it("should detect image/jpeg from magic bytes when stored with */*", async () => {
+			// JPEG magic bytes
+			const jpegData = new Uint8Array([0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01]);
+
+			const uploadResponse = await worker.fetch(
+				new Request("http://pds.test/xrpc/com.atproto.repo.uploadBlob", {
+					method: "POST",
+					headers: {
+						"Content-Type": "*/*",
+						Authorization: `Bearer ${env.AUTH_TOKEN}`,
+					},
+					body: jpegData,
+				}),
+				env,
+			);
+
+			const uploadData = (await uploadResponse.json()) as {
+				blob: { ref: { $link: string } };
+			};
+			const cid = uploadData.blob.ref.$link;
+
+			const getResponse = await worker.fetch(
+				new Request(
+					`http://pds.test/xrpc/com.atproto.sync.getBlob?did=${env.DID}&cid=${cid}`,
+				),
+				env,
+			);
+
+			expect(getResponse.status).toBe(200);
+			expect(getResponse.headers.get("Content-Type")).toBe("image/jpeg");
+		});
+
+		it("should detect image/png from magic bytes", async () => {
+			// PNG magic bytes
+			const pngData = new Uint8Array([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D]);
+
+			const uploadResponse = await worker.fetch(
+				new Request("http://pds.test/xrpc/com.atproto.repo.uploadBlob", {
+					method: "POST",
+					headers: {
+						"Content-Type": "*/*",
+						Authorization: `Bearer ${env.AUTH_TOKEN}`,
+					},
+					body: pngData,
+				}),
+				env,
+			);
+
+			const uploadData = (await uploadResponse.json()) as {
+				blob: { ref: { $link: string } };
+			};
+			const cid = uploadData.blob.ref.$link;
+
+			const getResponse = await worker.fetch(
+				new Request(
+					`http://pds.test/xrpc/com.atproto.sync.getBlob?did=${env.DID}&cid=${cid}`,
+				),
+				env,
+			);
+
+			expect(getResponse.status).toBe(200);
+			expect(getResponse.headers.get("Content-Type")).toBe("image/png");
+		});
+
+		it("should fallback to application/octet-stream for unknown content", async () => {
+			// Random bytes that don't match any known format
+			const unknownData = new Uint8Array([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C]);
+
+			const uploadResponse = await worker.fetch(
+				new Request("http://pds.test/xrpc/com.atproto.repo.uploadBlob", {
+					method: "POST",
+					headers: {
+						"Content-Type": "*/*",
+						Authorization: `Bearer ${env.AUTH_TOKEN}`,
+					},
+					body: unknownData,
+				}),
+				env,
+			);
+
+			const uploadData = (await uploadResponse.json()) as {
+				blob: { ref: { $link: string } };
+			};
+			const cid = uploadData.blob.ref.$link;
+
+			const getResponse = await worker.fetch(
+				new Request(
+					`http://pds.test/xrpc/com.atproto.sync.getBlob?did=${env.DID}&cid=${cid}`,
+				),
+				env,
+			);
+
+			expect(getResponse.status).toBe(200);
+			expect(getResponse.headers.get("Content-Type")).toBe("application/octet-stream");
+		});
+	});
+
 	describe("Integration", () => {
 		it("should handle upload and retrieval flow", async () => {
 			// Create test data