Class: AtprotoAuth::Identity::Resolver

Inherits:

Object

• Object
• AtprotoAuth::Identity::Resolver

Defined in:

lib/atproto_auth/identity/resolver.rb

Overview

Resolves and validates AT Protocol identities

Constant Summary

PLC_DIRECTORY_URL =

"https://plc.directory"

DID_PLC_PREFIX =

"did:plc:"

HANDLE_REGEX =

/^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/

Instance Method Summary

• #get_did_info(did) ⇒ Hash

  Fetches and parses DID Document.

• #initialize(plc_directory: nil) ⇒ Resolver constructor

  Creates a new Identity resolver.

• #resolve_handle(handle) ⇒ Hash

  Resolves a handle to a DID Document.

• #verify_handle_binding(handle, did) ⇒ Boolean

  Verifies that a handle belongs to a DID.

• #verify_issuer_binding(did, issuer) ⇒ Boolean

  Verifies that an auth server (issuer) is authorized for a DID.

• #verify_pds_binding(did, pds_url) ⇒ Boolean

  Verifies that a PDS hosts a given DID.

Constructor Details

#initialize(plc_directory: nil) ⇒ Resolver

Creates a new Identity resolver

Parameters:

• plc_directory (String) (defaults to: nil) —

  Optional custom PLC directory URL

# File 'lib/atproto_auth/identity/resolver.rb', line 15

def initialize(plc_directory: nil)
  @plc_directory = plc_directory || PLC_DIRECTORY_URL
end

Instance Method Details

#get_did_info(did) ⇒ Hash

Fetches and parses DID Document

Parameters:

• did (String) —

  The DID to resolve

Returns:

• (Hash) —

  Resolution result with :did, :document, and :pds keys

Raises:

• (ResolutionError) —

  if resolution fails

# File 'lib/atproto_auth/identity/resolver.rb', line 41

def get_did_info(did)
  DID.new(did).validate!

  # Fetch and parse DID document
  doc_data = fetch_did_document(did)
  document = Document.new(doc_data)

  # Validate PDS URL format
  validate_pds_url!(document.pds)

  { did: did, document: document, pds: document.pds }
rescue DocumentError => e
  raise ResolutionError, "Invalid DID document: #{e.message}"
rescue StandardError => e
  raise ResolutionError, "Failed to resolve DID #{did}: #{e.message}"
end

#resolve_handle(handle) ⇒ Hash

Resolves a handle to a DID Document

Parameters:

• handle (String) —

  The handle to resolve (with or without @ prefix)

Returns:

• (Hash) —

  Resolution result with :did, :document, and :pds keys

Raises:

• (ResolutionError) —

  if resolution fails

# File 'lib/atproto_auth/identity/resolver.rb', line 23

def resolve_handle(handle)
  validate_handle!(handle)
  normalized = normalize_handle(handle)

  # First try DNS-based resolution
  did = resolve_handle_dns(normalized)
  return get_did_info(did) if did

  # Fall back to HTTP resolution via a known PDS
  resolve_handle_http(normalized)
rescue StandardError => e
  raise ResolutionError, "Failed to resolve handle #{handle}: #{e.message}"
end

#verify_handle_binding(handle, did) ⇒ Boolean

Verifies that a handle belongs to a DID

Parameters:

• handle (String) —

  Handle to verify

• did (String) —

  DID to check against

Returns:

• (Boolean) —

  true if verification succeeds

Raises:

• (ValidationError) —

  if verification fails

# File 'lib/atproto_auth/identity/resolver.rb', line 103

def verify_handle_binding(handle, did)
  info = get_did_info(did)

  unless info[:document].has_handle?(handle)
    raise ValidationError,
          "Handle #{handle} does not belong to DID #{did}"
  end

  true
rescue StandardError => e
  raise ValidationError, "Failed to verify handle binding: #{e.message}"
end

#verify_issuer_binding(did, issuer) ⇒ Boolean

Verifies that an auth server (issuer) is authorized for a DID

Parameters:

• did (String) —

  The DID to verify

• issuer (String) —

  The issuer URL to verify

Returns:

• (Boolean) —

  true if verification succeeds

Raises:

• (ValidationError) —

  if verification fails

# File 'lib/atproto_auth/identity/resolver.rb', line 79

def verify_issuer_binding(did, issuer)
  # Get PDS location from DID
  info = get_did_info(did)
  pds_url = info[:pds]

  # Fetch resource server metadata to find auth server
  resource_server = ServerMetadata::ResourceServer.from_url(pds_url)
  auth_server_url = resource_server.authorization_servers.first

  # Compare normalized URLs
  if normalize_url(auth_server_url) != normalize_url(issuer)
    raise ValidationError, "Issuer #{issuer} is not authorized for DID #{did}"
  end

  true
rescue StandardError => e
  raise ValidationError, "Failed to verify issuer binding: #{e.message}"
end

#verify_pds_binding(did, pds_url) ⇒ Boolean

Verifies that a PDS hosts a given DID

Parameters:

• did (String) —

  The DID to verify

• pds_url (String) —

  The PDS URL to check

Returns:

• (Boolean) —

  true if verification succeeds

Raises:

• (ValidationError) —

  if verification fails

# File 'lib/atproto_auth/identity/resolver.rb', line 63

def verify_pds_binding(did, pds_url)
  info = get_did_info(did)
  if normalize_url(info[:pds]) != normalize_url(pds_url)
    raise ValidationError, "PDS #{pds_url} is not authorized for DID #{did}"
  end

  true
rescue StandardError => e
  raise ValidationError, "Failed to verify PDS binding: #{e.message}"
end