feat(pds): implement service auth for AppView proxy (#11)

Add service authentication to proxy authenticated requests to Bluesky
AppView. The PDS now creates a service JWT signed with its signing key
to vouch for the user when forwarding requests like getTimeline.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: ascorbic

packages/pds/src/index.ts

@@ -3,13 +3,16 @@ export { SqliteRepoStorage } from "./storage";
 export { AccountDurableObject } from "./account-do";
 export { BlobStore, type BlobRef } from "./blobs";
 export { Sequencer } from "./sequencer";
+export { createServiceJwt } from "./service-auth";
 
 import { Hono } from "hono";
 import { cors } from "hono/cors";
-import { proxy } from "hono/proxy";
 import { env } from "cloudflare:workers";
+import { Secp256k1Keypair } from "@atproto/crypto";
 import { ensureValidDid, ensureValidHandle } from "@atproto/syntax";
 import { requireAuth } from "./middleware/auth";
+import { createServiceJwt } from "./service-auth";
+import { verifyAccessToken } from "./session";
 import * as sync from "./xrpc/sync";
 import * as repo from "./xrpc/repo";
 import * as server from "./xrpc/server";
@@ -42,6 +45,18 @@ try {
 	);
 }
 
+// Bluesky AppView DID for service auth
+const APPVIEW_DID = "did:web:api.bsky.app";
+
+// Lazy-loaded keypair for service auth
+let keypairPromise: Promise<Secp256k1Keypair> | null = null;
+function getKeypair(): Promise<Secp256k1Keypair> {
+	if (!keypairPromise) {
+		keypairPromise = Secp256k1Keypair.import(env.SIGNING_KEY);
+	}
+	return keypairPromise;
+}
+
 const app = new Hono<{ Bindings: Env }>();
 
 // CORS middleware for all routes
@@ -180,11 +195,68 @@ app.get("/xrpc/app.bsky.ageassurance.getState", requireAuth, (c) => {
 });
 
 // Proxy unhandled XRPC requests to Bluesky AppView
-app.all("/xrpc/*", (c) => {
+app.all("/xrpc/*", async (c) => {
 	const url = new URL(c.req.url);
 	url.host = "api.bsky.app";
 	url.protocol = "https:";
-	return proxy(url, c.req);
+
+	// Extract XRPC method name from path (e.g., "app.bsky.feed.getTimeline")
+	const lxm = url.pathname.replace("/xrpc/", "");
+
+	// Check for authorization header
+	const auth = c.req.header("Authorization");
+	let headers: Record<string, string> = {};
+
+	if (auth?.startsWith("Bearer ")) {
+		const token = auth.slice(7);
+		const serviceDid = `did:web:${c.env.PDS_HOSTNAME}`;
+
+		// Try to verify the token - if valid, create a service JWT
+		try {
+			// Check static token first
+			let userDid: string;
+			if (token === c.env.AUTH_TOKEN) {
+				userDid = c.env.DID;
+			} else {
+				// Verify JWT
+				const payload = await verifyAccessToken(
+					token,
+					c.env.JWT_SECRET,
+					serviceDid,
+				);
+				userDid = payload.sub;
+			}
+
+			// Create service JWT for AppView
+			const keypair = await getKeypair();
+			const serviceJwt = await createServiceJwt({
+				iss: userDid,
+				aud: APPVIEW_DID,
+				lxm,
+				keypair,
+			});
+			headers["Authorization"] = `Bearer ${serviceJwt}`;
+		} catch {
+			// Token verification failed - forward without auth
+			// AppView will return appropriate error
+		}
+	}
+
+	// Forward request with potentially replaced auth header
+	const reqInit: RequestInit = {
+		method: c.req.method,
+		headers: {
+			...Object.fromEntries(c.req.raw.headers),
+			...headers,
+		},
+	};
+
+	// Include body for non-GET requests
+	if (c.req.method !== "GET" && c.req.method !== "HEAD") {
+		reqInit.body = c.req.raw.body;
+	}
+
+	return fetch(url.toString(), reqInit);
 });
 
 export default app;

packages/pds/src/service-auth.ts

@@ -0,0 +1,60 @@
+import { Secp256k1Keypair, randomStr } from "@atproto/crypto";
+
+const MINUTE = 60 * 1000;
+
+type ServiceJwtParams = {
+	iss: string;
+	aud: string;
+	lxm: string | null;
+	keypair: Secp256k1Keypair;
+};
+
+function jsonToB64Url(json: Record<string, unknown>): string {
+	return Buffer.from(JSON.stringify(json)).toString("base64url");
+}
+
+function noUndefinedVals<T extends Record<string, unknown>>(
+	obj: T,
+): Partial<T> {
+	const result: Partial<T> = {};
+	for (const [key, val] of Object.entries(obj)) {
+		if (val !== undefined) {
+			result[key as keyof T] = val as T[keyof T];
+		}
+	}
+	return result;
+}
+
+/**
+ * Create a service JWT for proxied requests to AppView.
+ * The JWT asserts that the PDS vouches for the user identified by `iss`.
+ */
+export async function createServiceJwt(
+	params: ServiceJwtParams,
+): Promise<string> {
+	const { iss, aud, keypair } = params;
+	const iat = Math.floor(Date.now() / 1000);
+	const exp = iat + MINUTE / 1000;
+	const lxm = params.lxm ?? undefined;
+	const jti = randomStr(16, "hex");
+
+	const header = {
+		typ: "JWT",
+		alg: keypair.jwtAlg,
+	};
+
+	const payload = noUndefinedVals({
+		iat,
+		iss,
+		aud,
+		exp,
+		lxm,
+		jti,
+	});
+
+	const toSignStr = `${jsonToB64Url(header)}.${jsonToB64Url(payload as Record<string, unknown>)}`;
+	const toSign = Buffer.from(toSignStr, "utf8");
+	const sig = Buffer.from(await keypair.sign(toSign));
+
+	return `${toSignStr}.${sig.toString("base64url")}`;
+}

packages/pds/test/service-auth.test.ts

@@ -0,0 +1,80 @@
+import { describe, it, expect } from "vitest";
+import { Secp256k1Keypair } from "@atproto/crypto";
+import { createServiceJwt } from "../src/service-auth";
+
+describe("Service Auth", () => {
+	it("creates valid service JWT", async () => {
+		const keypair = await Secp256k1Keypair.create({ exportable: true });
+
+		const jwt = await createServiceJwt({
+			iss: "did:web:alice.test",
+			aud: "did:web:api.bsky.app",
+			lxm: "app.bsky.feed.getTimeline",
+			keypair,
+		});
+
+		// JWT should have three parts
+		const parts = jwt.split(".");
+		expect(parts).toHaveLength(3);
+
+		// Decode header
+		const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
+		expect(header.typ).toBe("JWT");
+		expect(header.alg).toBe("ES256K");
+
+		// Decode payload
+		const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+		expect(payload.iss).toBe("did:web:alice.test");
+		expect(payload.aud).toBe("did:web:api.bsky.app");
+		expect(payload.lxm).toBe("app.bsky.feed.getTimeline");
+		expect(payload.iat).toBeTypeOf("number");
+		expect(payload.exp).toBeTypeOf("number");
+		expect(payload.jti).toBeTypeOf("string");
+
+		// Expiry should be ~60 seconds from iat
+		expect(payload.exp - payload.iat).toBe(60);
+	});
+
+	it("creates JWT without lxm when null", async () => {
+		const keypair = await Secp256k1Keypair.create({ exportable: true });
+
+		const jwt = await createServiceJwt({
+			iss: "did:web:alice.test",
+			aud: "did:web:api.bsky.app",
+			lxm: null,
+			keypair,
+		});
+
+		const parts = jwt.split(".");
+		const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+
+		// lxm should not be present when null
+		expect(payload.lxm).toBeUndefined();
+	});
+
+	it("creates verifiable signature", async () => {
+		const keypair = await Secp256k1Keypair.create({ exportable: true });
+
+		const jwt = await createServiceJwt({
+			iss: "did:web:alice.test",
+			aud: "did:web:api.bsky.app",
+			lxm: "com.atproto.sync.getRepo",
+			keypair,
+		});
+
+		const parts = jwt.split(".");
+		const msgBytes = Buffer.from(parts.slice(0, 2).join("."), "utf8");
+		const sigBytes = Buffer.from(parts[2], "base64url");
+
+		// Import verify function and use did:key format
+		const { verifySignature } = await import("@atproto/crypto");
+		const didKey = keypair.did();
+
+		const isValid = await verifySignature(didKey, msgBytes, sigBytes, {
+			jwtAlg: "ES256K",
+			allowMalleableSig: true,
+		});
+
+		expect(isValid).toBe(true);
+	});
+});