@atproto/bsky 0.0.170 → 0.0.171

package/src/config.ts

@@ -6,6 +6,17 @@ type LiveNowConfig = {
   domains: string[]
 }[]
 
+export interface KwsConfig {
+  apiKey: string
+  apiOrigin: string
+  authOrigin: string
+  clientId: string
+  redirectUrl: string
+  userAgent: string
+  verificationSecret: string
+  webhookSecret: string
+}
+
 export interface ServerConfigValues {
   // service
   version?: string
@@ -72,6 +83,7 @@ export interface ServerConfigValues {
   proxyMaxResponseSize?: number
   proxyMaxRetries?: number
   proxyPreferCompressed?: boolean
+  kws?: KwsConfig
 }
 
 export class ServerConfig {
@@ -222,6 +234,48 @@ export class ServerConfig {
     const proxyPreferCompressed =
       process.env.BSKY_PROXY_PREFER_COMPRESSED === 'true'
 
+    let kws: KwsConfig | undefined
+    const kwsApiKey = process.env.BSKY_KWS_API_KEY
+    const kwsApiOrigin = process.env.BSKY_KWS_API_ORIGIN
+    const kwsAuthOrigin = process.env.BSKY_KWS_AUTH_ORIGIN
+    const kwsClientId = process.env.BSKY_KWS_CLIENT_ID
+    const kwsRedirectUrl = process.env.BSKY_KWS_REDIRECT_URL
+    const kwsUserAgent = process.env.BSKY_KWS_USER_AGENT
+    const kwsVerificationSecret = process.env.BSKY_KWS_VERIFICATION_SECRET
+    const kwsWebhookSecret = process.env.BSKY_KWS_WEBHOOK_SIGNING_KEY
+    if (
+      kwsApiKey ||
+      kwsApiOrigin ||
+      kwsAuthOrigin ||
+      kwsClientId ||
+      kwsRedirectUrl ||
+      kwsUserAgent ||
+      kwsVerificationSecret ||
+      kwsWebhookSecret
+    ) {
+      assert(
+        kwsApiOrigin &&
+          kwsAuthOrigin &&
+          kwsClientId &&
+          kwsRedirectUrl &&
+          kwsUserAgent &&
+          kwsVerificationSecret &&
+          kwsWebhookSecret &&
+          kwsApiKey,
+        'all KWS environment variables must be set if any are set',
+      )
+      kws = {
+        apiKey: kwsApiKey,
+        apiOrigin: kwsApiOrigin,
+        authOrigin: kwsAuthOrigin,
+        clientId: kwsClientId,
+        redirectUrl: kwsRedirectUrl,
+        userAgent: kwsUserAgent,
+        verificationSecret: kwsVerificationSecret,
+        webhookSecret: kwsWebhookSecret,
+      }
+    }
+
     return new ServerConfig({
       version,
       debugMode,
@@ -279,6 +333,7 @@ export class ServerConfig {
       proxyMaxResponseSize,
       proxyMaxRetries,
       proxyPreferCompressed,
+      kws,
       ...stripUndefineds(overrides ?? {}),
     })
   }
@@ -513,6 +568,10 @@ export class ServerConfig {
   get proxyPreferCompressed(): boolean {
     return this.cfg.proxyPreferCompressed ?? true
   }
+
+  get kws() {
+    return this.cfg.kws
+  }
 }
 
 function stripUndefineds(

package/src/context.ts

@@ -12,6 +12,7 @@ import { CourierClient } from './courier'
 import { DataPlaneClient, HostList } from './data-plane/client'
 import { FeatureGates } from './feature-gates'
 import { Hydrator } from './hydration/hydrator'
+import { KwsClient } from './kws'
 import { httpLogger as log } from './logger'
 import { StashClient } from './stash'
 import {
@@ -41,6 +42,7 @@ export class AppContext {
       authVerifier: AuthVerifier
       featureGates: FeatureGates
       blobDispatcher: Dispatcher
+      kwsClient: KwsClient | undefined
     },
   ) {}
 
@@ -116,6 +118,10 @@ export class AppContext {
     return this.opts.blobDispatcher
   }
 
+  get kwsClient(): KwsClient | undefined {
+    return this.opts.kwsClient
+  }
+
   reqLabelers(req: express.Request): ParsedLabelers {
     const val = req.header('atproto-accept-labelers')
     let parsed: ParsedLabelers | null

package/src/data-plane/bsync/index.ts

@@ -9,6 +9,7 @@ import { jsonStringToLex } from '@atproto/lexicon'
 import { AtUri } from '@atproto/syntax'
 import { ids } from '../../lexicon/lexicons'
 import { SubjectActivitySubscription } from '../../lexicon/types/app/bsky/notification/defs'
+import { AgeAssuranceEvent } from '../../lexicon/types/app/bsky/unspecced/defs'
 import { httpLogger } from '../../logger'
 import { Service } from '../../proto/bsync_connect'
 import {
@@ -159,10 +160,10 @@ const createRoutes = (db: Database) => (router: ConnectRouter) =>
 
       const now = new Date().toISOString()
 
-      // index all items into private_data
+      // Index all items into private_data.
       await handleGenericOperation(db, req, now)
 
-      // maintain bespoke indexes for certain namespaces
+      // Maintain bespoke indexes for certain namespaces.
       if (
         namespace ===
         Namespaces.AppBskyNotificationDefsSubjectActivitySubscription
@@ -174,6 +175,16 @@ const createRoutes = (db: Database) => (router: ConnectRouter) =>
               'mock bsync put operation failed',
             ),
         )
+      } else if (
+        namespace === Namespaces.AppBskyUnspeccedDefsAgeAssuranceEvent
+      ) {
+        await handleAgeAssuranceEventOperation(db, req, now).catch(
+          (err: unknown) =>
+            httpLogger.warn(
+              { err, namespace },
+              'mock bsync put operation failed',
+            ),
+        )
       }
 
       return {
@@ -197,6 +208,43 @@ const createRoutes = (db: Database) => (router: ConnectRouter) =>
     },
   })
 
+// upsert into or remove from private_data
+const handleGenericOperation = async (
+  db: Database,
+  req: PutOperationRequest,
+  now: string,
+) => {
+  const { actorDid, namespace, key, method, payload } = req
+  if (method === Method.CREATE || method === Method.UPDATE) {
+    await db.db
+      .insertInto('private_data')
+      .values({
+        actorDid,
+        namespace,
+        key,
+        payload: Buffer.from(payload).toString('utf8'),
+        indexedAt: now,
+        updatedAt: now,
+      })
+      .onConflict((oc) =>
+        oc.columns(['actorDid', 'namespace', 'key']).doUpdateSet({
+          payload: excluded(db.db, 'payload'),
+          updatedAt: excluded(db.db, 'updatedAt'),
+        }),
+      )
+      .execute()
+  } else if (method === Method.DELETE) {
+    await db.db
+      .deleteFrom('private_data')
+      .where('actorDid', '=', actorDid)
+      .where('namespace', '=', namespace)
+      .where('key', '=', key)
+      .execute()
+  } else {
+    assert.fail(`unexpected method ${method}`)
+  }
+}
+
 const handleSubjectActivitySubscriptionOperation = async (
   db: Database,
   req: PutOperationRequest,
@@ -246,39 +294,27 @@ const handleSubjectActivitySubscriptionOperation = async (
     .execute()
 }
 
-// upsert into or remove from private_data
-const handleGenericOperation = async (
+const handleAgeAssuranceEventOperation = async (
   db: Database,
   req: PutOperationRequest,
-  now: string,
+  _now: string,
 ) => {
-  const { actorDid, namespace, key, method, payload } = req
-  if (method === Method.CREATE || method === Method.UPDATE) {
-    await db.db
-      .insertInto('private_data')
-      .values({
-        actorDid,
-        namespace,
-        key,
-        payload: Buffer.from(payload).toString('utf8'),
-        indexedAt: now,
-        updatedAt: now,
-      })
-      .onConflict((oc) =>
-        oc.columns(['actorDid', 'namespace', 'key']).doUpdateSet({
-          payload: excluded(db.db, 'payload'),
-          updatedAt: excluded(db.db, 'updatedAt'),
-        }),
-      )
-      .execute()
-  } else if (method === Method.DELETE) {
-    await db.db
-      .deleteFrom('private_data')
-      .where('actorDid', '=', actorDid)
-      .where('namespace', '=', namespace)
-      .where('key', '=', key)
-      .execute()
-  } else {
-    assert.fail(`unexpected method ${method}`)
+  const { actorDid, method, payload } = req
+  if (method !== Method.CREATE) return
+
+  const parsed = jsonStringToLex(
+    Buffer.from(payload).toString('utf8'),
+  ) as AgeAssuranceEvent
+  const { status, createdAt } = parsed
+
+  const update = {
+    ageAssuranceStatus: status,
+    ageAssuranceLastInitiatedAt: status === 'pending' ? createdAt : undefined,
   }
+
+  return db.db
+    .updateTable('actor')
+    .set(update)
+    .where('did', '=', actorDid)
+    .execute()
 }

package/src/data-plane/server/db/migrations/20250627T025331240Z-add-actor-age-assurance-columns.ts

@@ -0,0 +1,22 @@
+import { Kysely } from 'kysely'
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  await db.schema
+    .alterTable('actor')
+    .addColumn('ageAssuranceStatus', 'text')
+    .execute()
+
+  await db.schema
+    .alterTable('actor')
+    .addColumn('ageAssuranceLastInitiatedAt', 'varchar')
+    .execute()
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.alterTable('actor').dropColumn('ageAssuranceStatus').execute()
+
+  await db.schema
+    .alterTable('actor')
+    .dropColumn('ageAssuranceLastInitiatedAt')
+    .execute()
+}

package/src/data-plane/server/db/migrations/index.ts

@@ -52,3 +52,4 @@ export * as _20250526T023712742Z from './20250526T023712742Z-like-repost-via'
 export * as _20250528T221913281Z from './20250528T221913281Z-add-record-tags'
 export * as _20250602T190357447Z from './20250602T190357447Z-add-private-data'
 export * as _20250611T140649895Z from './20250611T140649895Z-add-activity-subscription'
+export * as _20250627T025331240Z from './20250627T025331240Z-add-actor-age-assurance-columns'

package/src/data-plane/server/db/tables/actor.ts

@@ -7,6 +7,8 @@ export interface Actor {
   takedownRef: string | null
   upstreamStatus: string | null
   trustedVerifier: Generated<boolean>
+  ageAssuranceStatus: string | null
+  ageAssuranceLastInitiatedAt: string | null
 }
 
 export const tableName = 'actor'

package/src/data-plane/server/routes/profile.ts

@@ -22,7 +22,7 @@ type VerifiedBy = {
 
 export default (db: Database): Partial<ServiceImpl<typeof Service>> => ({
   async getActors(req) {
-    const { dids } = req
+    const { dids, returnAgeAssuranceForDids } = req
     if (dids.length === 0) {
       return { actors: [] }
     }
@@ -105,6 +105,7 @@ export default (db: Database): Partial<ServiceImpl<typeof Service>> => ({
         }
         return acc
       }, {} as VerifiedBy)
+      const ageAssuranceForDids = new Set(returnAgeAssuranceForDids)
 
       const activitySubscription = () => {
         const record = parseRecordBytes<AppBskyNotificationDeclaration.Record>(
@@ -128,6 +129,19 @@ export default (db: Database): Partial<ServiceImpl<typeof Service>> => ({
         }
       }
 
+      const ageAssuranceStatus = () => {
+        if (!ageAssuranceForDids.has(did)) {
+          return undefined
+        }
+
+        return {
+          status: row?.ageAssuranceStatus ?? 'unknown',
+          lastInitiatedAt: row?.ageAssuranceLastInitiatedAt
+            ? Timestamp.fromDate(new Date(row?.ageAssuranceLastInitiatedAt))
+            : undefined,
+        }
+      }
+
       return {
         exists: !!row,
         handle: row?.handle ?? undefined,
@@ -149,6 +163,7 @@ export default (db: Database): Partial<ServiceImpl<typeof Service>> => ({
         tags: [],
         profileTags: [],
         allowActivitySubscriptionsFrom: activitySubscription(),
+        ageAssuranceStatus: ageAssuranceStatus(),
       }
     })
     return { actors }

package/src/feature-gates.ts

@@ -13,6 +13,7 @@ export enum GateID {
    * appease TS
    */
   _ = '',
+  AgeAssurance = 'age_assurance',
 }
 
 /**

package/src/index.ts

@@ -10,7 +10,7 @@ import { AtpAgent } from '@atproto/api'
 import { DAY, SECOND } from '@atproto/common'
 import { Keypair } from '@atproto/crypto'
 import { IdResolver } from '@atproto/identity'
-import API, { blobResolver, health, wellKnown } from './api'
+import API, { blobResolver, external, health, wellKnown } from './api'
 import { createBlobDispatcher } from './api/blob-dispatcher'
 import { AuthVerifier, createPublicKeyObject } from './auth-verifier'
 import { authWithApiKey as bsyncAuth, createBsyncClient } from './bsync'
@@ -27,6 +27,7 @@ import { FeatureGates } from './feature-gates'
 import { Hydrator } from './hydration/hydrator'
 import * as imageServer from './image/server'
 import { ImageUriBuilder } from './image/uri'
+import { createKwsClient } from './kws'
 import { createServer } from './lexicon'
 import { loggerMiddleware } from './logger'
 import { createStashClient } from './stash'
@@ -58,6 +59,7 @@ export class BskyAppView {
   }): BskyAppView {
     const { config, signingKey } = opts
     const app = express()
+    app.set('trust proxy', true)
     app.use(cors({ maxAge: DAY / SECOND }))
     app.use(loggerMiddleware)
     app.use(compression())
@@ -150,6 +152,8 @@ export class BskyAppView {
         })
       : undefined
 
+    const kwsClient = config.kws ? createKwsClient(config.kws) : undefined
+
     const entrywayJwtPublicKey = config.entrywayJwtPublicKeyHex
       ? createPublicKeyObject(config.entrywayJwtPublicKeyHex)
       : undefined
@@ -186,6 +190,7 @@ export class BskyAppView {
       authVerifier,
       featureGates,
       blobDispatcher,
+      kwsClient,
     })
 
     let server = createServer({
@@ -205,6 +210,7 @@ export class BskyAppView {
     app.use(imageServer.createMiddleware(ctx, { prefix: '/img/' }))
     app.use(server.xrpc.router)
     app.use(error.handler)
+    app.use('/external', external.createRouter(ctx))
 
     return new BskyAppView({ ctx, app })
   }

package/src/kws.ts

@@ -0,0 +1,108 @@
+import { z } from 'zod'
+import { KwsExternalPayload } from './api/kws/types'
+import { serializeExternalPayload } from './api/kws/util'
+import { buildBasicAuth } from './auth-verifier'
+import { KwsConfig } from './config'
+import { httpLogger as log } from './logger'
+
+export const createKwsClient = (cfg: KwsConfig): KwsClient => {
+  return new KwsClient(cfg)
+}
+
+// Not `.strict()` to avoid breaking if KWS adds fields.
+const authResponseSchema = z.object({
+  access_token: z.string(),
+})
+
+export class KwsClient {
+  constructor(public cfg: KwsConfig) {}
+
+  private async auth() {
+    try {
+      const res = await fetch(
+        `${this.cfg.authOrigin}/auth/realms/kws/protocol/openid-connect/token`,
+        {
+          method: 'POST',
+          headers: {
+            Accept: 'application/json',
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Authorization: buildBasicAuth(this.cfg.clientId, this.cfg.apiKey),
+          },
+          body: new URLSearchParams({
+            grant_type: 'client_credentials',
+            scope: 'verification',
+          }),
+        },
+      )
+      if (!res.ok) {
+        const errorText = await res.text()
+        throw new Error(
+          `Failed to fetch age assurance access token: status: ${res.status}, statusText: ${res.statusText}, errorText: ${errorText}`,
+        )
+      }
+
+      const auth = await res.json()
+      const authResponse = authResponseSchema.parse(auth)
+      return authResponse.access_token
+    } catch (err) {
+      log.error({ err }, 'Failed to authenticate with KWS')
+      throw err
+    }
+  }
+
+  private async fetchWithAuth(
+    url: string,
+    init: RequestInit,
+  ): Promise<Response> {
+    const accessToken = await this.auth()
+
+    return fetch(url, {
+      ...init,
+      headers: {
+        ...(init.headers ?? {}),
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+  }
+
+  async sendEmail({
+    countryCode,
+    email,
+    externalPayload,
+    language,
+  }: {
+    countryCode: string
+    email: string
+    externalPayload: KwsExternalPayload
+    language: string
+  }) {
+    const res = await this.fetchWithAuth(
+      `${this.cfg.apiOrigin}/v1/verifications/send-email`,
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'User-Agent': this.cfg.userAgent,
+        },
+        body: JSON.stringify({
+          email,
+          externalPayload: serializeExternalPayload(externalPayload),
+          language,
+          location: countryCode,
+          userContext: 'adult',
+        }),
+      },
+    )
+
+    if (!res.ok) {
+      const errorText = await res.text()
+      log.error(
+        { status: res.status, statusText: res.statusText, errorText },
+        'Failed to send age assurance email',
+      )
+      throw new Error('Failed to send age assurance email')
+    }
+
+    return res.json()
+  }
+}

package/src/lexicon/index.ts

@@ -109,8 +109,8 @@ import * as AppBskyFeedGetFeedGenerators from './types/app/bsky/feed/getFeedGene
 import * as AppBskyFeedGetFeedSkeleton from './types/app/bsky/feed/getFeedSkeleton.js'
 import * as AppBskyFeedGetLikes from './types/app/bsky/feed/getLikes.js'
 import * as AppBskyFeedGetListFeed from './types/app/bsky/feed/getListFeed.js'
-import * as AppBskyFeedGetPosts from './types/app/bsky/feed/getPosts.js'
 import * as AppBskyFeedGetPostThread from './types/app/bsky/feed/getPostThread.js'
+import * as AppBskyFeedGetPosts from './types/app/bsky/feed/getPosts.js'
 import * as AppBskyFeedGetQuotes from './types/app/bsky/feed/getQuotes.js'
 import * as AppBskyFeedGetRepostedBy from './types/app/bsky/feed/getRepostedBy.js'
 import * as AppBskyFeedGetSuggestedFeeds from './types/app/bsky/feed/getSuggestedFeeds.js'
@@ -148,6 +148,7 @@ import * as AppBskyNotificationPutPreferences from './types/app/bsky/notificatio
 import * as AppBskyNotificationPutPreferencesV2 from './types/app/bsky/notification/putPreferencesV2.js'
 import * as AppBskyNotificationRegisterPush from './types/app/bsky/notification/registerPush.js'
 import * as AppBskyNotificationUpdateSeen from './types/app/bsky/notification/updateSeen.js'
+import * as AppBskyUnspeccedGetAgeAssuranceState from './types/app/bsky/unspecced/getAgeAssuranceState.js'
 import * as AppBskyUnspeccedGetConfig from './types/app/bsky/unspecced/getConfig.js'
 import * as AppBskyUnspeccedGetPopularFeedGenerators from './types/app/bsky/unspecced/getPopularFeedGenerators.js'
 import * as AppBskyUnspeccedGetPostThreadOtherV2 from './types/app/bsky/unspecced/getPostThreadOtherV2.js'
@@ -163,6 +164,7 @@ import * as AppBskyUnspeccedGetTaggedSuggestions from './types/app/bsky/unspecce
 import * as AppBskyUnspeccedGetTrendingTopics from './types/app/bsky/unspecced/getTrendingTopics.js'
 import * as AppBskyUnspeccedGetTrends from './types/app/bsky/unspecced/getTrends.js'
 import * as AppBskyUnspeccedGetTrendsSkeleton from './types/app/bsky/unspecced/getTrendsSkeleton.js'
+import * as AppBskyUnspeccedInitAgeAssurance from './types/app/bsky/unspecced/initAgeAssurance.js'
 import * as AppBskyUnspeccedSearchActorsSkeleton from './types/app/bsky/unspecced/searchActorsSkeleton.js'
 import * as AppBskyUnspeccedSearchPostsSkeleton from './types/app/bsky/unspecced/searchPostsSkeleton.js'
 import * as AppBskyUnspeccedSearchStarterPacksSkeleton from './types/app/bsky/unspecced/searchStarterPacksSkeleton.js'
@@ -1597,27 +1599,27 @@ export class AppBskyFeedNS {
     return this._server.xrpc.method(nsid, cfg)
   }
 
-  getPosts<A extends Auth = void>(
+  getPostThread<A extends Auth = void>(
     cfg: MethodConfigOrHandler<
       A,
-      AppBskyFeedGetPosts.QueryParams,
-      AppBskyFeedGetPosts.HandlerInput,
-      AppBskyFeedGetPosts.HandlerOutput
+      AppBskyFeedGetPostThread.QueryParams,
+      AppBskyFeedGetPostThread.HandlerInput,
+      AppBskyFeedGetPostThread.HandlerOutput
     >,
   ) {
-    const nsid = 'app.bsky.feed.getPosts' // @ts-ignore
+    const nsid = 'app.bsky.feed.getPostThread' // @ts-ignore
     return this._server.xrpc.method(nsid, cfg)
   }
 
-  getPostThread<A extends Auth = void>(
+  getPosts<A extends Auth = void>(
     cfg: MethodConfigOrHandler<
       A,
-      AppBskyFeedGetPostThread.QueryParams,
-      AppBskyFeedGetPostThread.HandlerInput,
-      AppBskyFeedGetPostThread.HandlerOutput
+      AppBskyFeedGetPosts.QueryParams,
+      AppBskyFeedGetPosts.HandlerInput,
+      AppBskyFeedGetPosts.HandlerOutput
     >,
   ) {
-    const nsid = 'app.bsky.feed.getPostThread' // @ts-ignore
+    const nsid = 'app.bsky.feed.getPosts' // @ts-ignore
     return this._server.xrpc.method(nsid, cfg)
   }
 
@@ -2105,6 +2107,18 @@ export class AppBskyUnspeccedNS {
     this._server = server
   }
 
+  getAgeAssuranceState<A extends Auth = void>(
+    cfg: MethodConfigOrHandler<
+      A,
+      AppBskyUnspeccedGetAgeAssuranceState.QueryParams,
+      AppBskyUnspeccedGetAgeAssuranceState.HandlerInput,
+      AppBskyUnspeccedGetAgeAssuranceState.HandlerOutput
+    >,
+  ) {
+    const nsid = 'app.bsky.unspecced.getAgeAssuranceState' // @ts-ignore
+    return this._server.xrpc.method(nsid, cfg)
+  }
+
   getConfig<A extends Auth = void>(
     cfg: MethodConfigOrHandler<
       A,
@@ -2285,6 +2299,18 @@ export class AppBskyUnspeccedNS {
     return this._server.xrpc.method(nsid, cfg)
   }
 
+  initAgeAssurance<A extends Auth = void>(
+    cfg: MethodConfigOrHandler<
+      A,
+      AppBskyUnspeccedInitAgeAssurance.QueryParams,
+      AppBskyUnspeccedInitAgeAssurance.HandlerInput,
+      AppBskyUnspeccedInitAgeAssurance.HandlerOutput
+    >,
+  ) {
+    const nsid = 'app.bsky.unspecced.initAgeAssurance' // @ts-ignore
+    return this._server.xrpc.method(nsid, cfg)
+  }
+
   searchActorsSkeleton<A extends Auth = void>(
     cfg: MethodConfigOrHandler<
       A,