Well-known routes lose cache headers (no nocache_headers() on /.well-known/atproto-did or /.well-known/site.standard.publication) #83

@kraftbj

Description

Summary

Atmosphere's serve_wellknown_atproto_did() (and serve_wellknown_publication()) at includes/class-atmosphere.php:351-411 set status + Content-Type and exit, but never call nocache_headers(). That lets fronting page/CDN caches keep:

  • a pre-connect 404 after OAuth succeeds (until the cache TTL expires, handle resolution stays broken)
  • a post-disconnect 200 with a stale DID after OAuth\Client::disconnect() deletes atmosphere_identity (Bluesky resolves the old DID against the new domain owner)

This matters most for the disconnect → reconnect-to-a-different-account flow: the prior OPTION_PREVIOUS_HANDLE snapshot-and-revert dance on the FOSSE side restores the previous handle on the PDS, but a cached 200 at /.well-known/atproto-did returning the old DID can still defeat Bluesky's bidirectional verification on the new identity until the cache expires.

Why it's coming up now

FOSSE's bundled-copy consumer used to mirror this handler and called nocache_headers() on both branches. We've now deleted FOSSE's duplicate (Automattic/fosse#170) so Atmosphere is the sole responder. Without nocache_headers(), the consumer-side defense is gone.

Suggested change

Add \nocache_headers(); to both well-known handlers before sending the response body:

```php
public function serve_wellknown_atproto_did(): void {
	// Only handle the /.well-known/atproto-did rewrite; let everything else fall through.
	if ( \get_query_var( 'atmosphere_wellknown' ) !== 'atproto-did' ) {
		return;
	}

	// Not connected yet: 404, but tell page/CDN caches not to keep it,
	// otherwise the 404 persists after OAuth succeeds until the TTL expires.
	if ( ! has_identity() ) {
		\nocache_headers();
		\status_header( 404 );
		exit;
	}

	// Connected: serve the DID as plain text, again uncacheable so a later
	// disconnect/reconnect is not defeated by a stale 200 carrying the old DID.
	\nocache_headers();
	\status_header( 200 );
	\header( 'Content-Type: text/plain; charset=utf-8' );
	echo \esc_html( get_did() );
	exit;
}
```

Same shape for serve_wellknown_publication().
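To make the two failure modes from the summary concrete, here is an added toy model (not the plugin's code) of a fronting cache sitting in front of the atproto-did handler. The origin stand-in, the cache, the 300-tick TTL and the two DID values (`did:plc:example-old`, `did:plc:example-new`) are all constructed for the illustration; the `Cache-Control` and `Expires` values mirror what WordPress's `nocache_headers()` emits but are hard-coded here rather than taken from WordPress. The cache stores any response, including a 404, unless the origin marks it `no-store`, which is what the issue describes.

```python
"""Toy model: fronting cache in front of /.well-known/atproto-did, with and without nocache headers."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder DIDs, not real identities.
OLD_DID = "did:plc:example-old"
NEW_DID = "did:plc:example-new"


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


class Origin:
    """Stand-in for serve_wellknown_atproto_did(); `did` is None before connect and after disconnect."""

    def __init__(self, send_nocache: bool) -> None:
        self.did: Optional[str] = None
        self.send_nocache = send_nocache

    def serve_atproto_did(self) -> Response:
        headers = {}
        if self.send_nocache:
            # Same directives WordPress's nocache_headers() sends (values reproduced here by hand).
            headers["Cache-Control"] = "no-cache, must-revalidate, max-age=0, no-store, private"
            headers["Expires"] = "Wed, 11 Jan 1984 05:00:00 GMT"
        if self.did is None:
            return Response(404, "", headers)
        headers["Content-Type"] = "text/plain; charset=utf-8"
        return Response(200, self.did, headers)


class Cache:
    """Page/CDN cache: keeps whatever the origin returned for `ttl` ticks unless it says no-store."""

    def __init__(self, origin: Origin, ttl: int) -> None:
        self.origin = origin
        self.ttl = ttl
        self.now = 0
        self.entry: Optional[tuple] = None  # (expires_at, Response)

    def fetch(self) -> Response:
        if self.entry is not None and self.entry[0] > self.now:
            return self.entry[1]  # served stale from cache, origin never consulted
        resp = self.origin.serve_atproto_did()
        if "no-store" not in resp.headers.get("Cache-Control", ""):
            self.entry = (self.now + self.ttl, resp)  # 404s get cached too
        return resp

    def tick(self, n: int) -> None:
        self.now += n


def simulate(send_nocache: bool, ttl: int = 300) -> list:
    """Walk the connect -> disconnect -> reconnect-to-another-account flow; return (status, body) per step."""
    origin = Origin(send_nocache)
    cache = Cache(origin, ttl)
    seen = []
    seen.append((cache.fetch().status, cache.fetch().body))  # 1. Bluesky probes before OAuth: 404
    origin.did = OLD_DID                                      # 2. OAuth succeeds
    r = cache.fetch(); seen.append((r.status, r.body))       #    handle resolution should now work
    cache.tick(ttl)                                           # 3. TTL expires, cache refreshes
    r = cache.fetch(); seen.append((r.status, r.body))
    origin.did = None                                         # 4. OAuth\Client::disconnect() deletes identity
    r = cache.fetch(); seen.append((r.status, r.body))
    origin.did = NEW_DID                                      # 5. reconnect to a different account
    r = cache.fetch(); seen.append((r.status, r.body))       #    stale OLD_DID here defeats verification
    cache.tick(ttl)                                           # 6. only now does the cache let go
    r = cache.fetch(); seen.append((r.status, r.body))
    return seen


if __name__ == "__main__":
    for label, flag in (("without nocache_headers()", False), ("with nocache_headers()", True)):
        print(label)
        for step, obs in enumerate(simulate(flag), 1):
            print(f"  step {step}: {obs}")
```

Without the nocache directives the first two observations are the cached 404 (handle resolution stays broken after OAuth), and steps 4 and 5 both return 200 with `OLD_DID` even though the identity was deleted and then replaced; with them, every step reflects the origin's current state.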
