@atproto/bsky 0.0.170 → 0.0.172

package/src/proto/courier_pb.ts

@@ -493,3 +493,249 @@ export class RegisterDeviceTokenResponse extends Message<RegisterDeviceTokenResp
     return proto3.util.equals(RegisterDeviceTokenResponse, a, b)
   }
 }
+
+/**
+ * @generated from message courier.UnregisterDeviceTokenRequest
+ */
+export class UnregisterDeviceTokenRequest extends Message<UnregisterDeviceTokenRequest> {
+  /**
+   * @generated from field: string did = 1;
+   */
+  did = ''
+
+  /**
+   * @generated from field: string token = 2;
+   */
+  token = ''
+
+  /**
+   * @generated from field: string app_id = 3;
+   */
+  appId = ''
+
+  /**
+   * @generated from field: courier.AppPlatform platform = 4;
+   */
+  platform = AppPlatform.UNSPECIFIED
+
+  constructor(data?: PartialMessage<UnregisterDeviceTokenRequest>) {
+    super()
+    proto3.util.initPartial(data, this)
+  }
+
+  static readonly runtime: typeof proto3 = proto3
+  static readonly typeName = 'courier.UnregisterDeviceTokenRequest'
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: 'did', kind: 'scalar', T: 9 /* ScalarType.STRING */ },
+    { no: 2, name: 'token', kind: 'scalar', T: 9 /* ScalarType.STRING */ },
+    { no: 3, name: 'app_id', kind: 'scalar', T: 9 /* ScalarType.STRING */ },
+    {
+      no: 4,
+      name: 'platform',
+      kind: 'enum',
+      T: proto3.getEnumType(AppPlatform),
+    },
+  ])
+
+  static fromBinary(
+    bytes: Uint8Array,
+    options?: Partial<BinaryReadOptions>,
+  ): UnregisterDeviceTokenRequest {
+    return new UnregisterDeviceTokenRequest().fromBinary(bytes, options)
+  }
+
+  static fromJson(
+    jsonValue: JsonValue,
+    options?: Partial<JsonReadOptions>,
+  ): UnregisterDeviceTokenRequest {
+    return new UnregisterDeviceTokenRequest().fromJson(jsonValue, options)
+  }
+
+  static fromJsonString(
+    jsonString: string,
+    options?: Partial<JsonReadOptions>,
+  ): UnregisterDeviceTokenRequest {
+    return new UnregisterDeviceTokenRequest().fromJsonString(
+      jsonString,
+      options,
+    )
+  }
+
+  static equals(
+    a:
+      | UnregisterDeviceTokenRequest
+      | PlainMessage<UnregisterDeviceTokenRequest>
+      | undefined,
+    b:
+      | UnregisterDeviceTokenRequest
+      | PlainMessage<UnregisterDeviceTokenRequest>
+      | undefined,
+  ): boolean {
+    return proto3.util.equals(UnregisterDeviceTokenRequest, a, b)
+  }
+}
+
+/**
+ * @generated from message courier.UnregisterDeviceTokenResponse
+ */
+export class UnregisterDeviceTokenResponse extends Message<UnregisterDeviceTokenResponse> {
+  constructor(data?: PartialMessage<UnregisterDeviceTokenResponse>) {
+    super()
+    proto3.util.initPartial(data, this)
+  }
+
+  static readonly runtime: typeof proto3 = proto3
+  static readonly typeName = 'courier.UnregisterDeviceTokenResponse'
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [])
+
+  static fromBinary(
+    bytes: Uint8Array,
+    options?: Partial<BinaryReadOptions>,
+  ): UnregisterDeviceTokenResponse {
+    return new UnregisterDeviceTokenResponse().fromBinary(bytes, options)
+  }
+
+  static fromJson(
+    jsonValue: JsonValue,
+    options?: Partial<JsonReadOptions>,
+  ): UnregisterDeviceTokenResponse {
+    return new UnregisterDeviceTokenResponse().fromJson(jsonValue, options)
+  }
+
+  static fromJsonString(
+    jsonString: string,
+    options?: Partial<JsonReadOptions>,
+  ): UnregisterDeviceTokenResponse {
+    return new UnregisterDeviceTokenResponse().fromJsonString(
+      jsonString,
+      options,
+    )
+  }
+
+  static equals(
+    a:
+      | UnregisterDeviceTokenResponse
+      | PlainMessage<UnregisterDeviceTokenResponse>
+      | undefined,
+    b:
+      | UnregisterDeviceTokenResponse
+      | PlainMessage<UnregisterDeviceTokenResponse>
+      | undefined,
+  ): boolean {
+    return proto3.util.equals(UnregisterDeviceTokenResponse, a, b)
+  }
+}
+
+/**
+ * @generated from message courier.SetAgeRestrictedRequest
+ */
+export class SetAgeRestrictedRequest extends Message<SetAgeRestrictedRequest> {
+  /**
+   * @generated from field: string did = 1;
+   */
+  did = ''
+
+  /**
+   * @generated from field: bool age_restricted = 2;
+   */
+  ageRestricted = false
+
+  constructor(data?: PartialMessage<SetAgeRestrictedRequest>) {
+    super()
+    proto3.util.initPartial(data, this)
+  }
+
+  static readonly runtime: typeof proto3 = proto3
+  static readonly typeName = 'courier.SetAgeRestrictedRequest'
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: 'did', kind: 'scalar', T: 9 /* ScalarType.STRING */ },
+    {
+      no: 2,
+      name: 'age_restricted',
+      kind: 'scalar',
+      T: 8 /* ScalarType.BOOL */,
+    },
+  ])
+
+  static fromBinary(
+    bytes: Uint8Array,
+    options?: Partial<BinaryReadOptions>,
+  ): SetAgeRestrictedRequest {
+    return new SetAgeRestrictedRequest().fromBinary(bytes, options)
+  }
+
+  static fromJson(
+    jsonValue: JsonValue,
+    options?: Partial<JsonReadOptions>,
+  ): SetAgeRestrictedRequest {
+    return new SetAgeRestrictedRequest().fromJson(jsonValue, options)
+  }
+
+  static fromJsonString(
+    jsonString: string,
+    options?: Partial<JsonReadOptions>,
+  ): SetAgeRestrictedRequest {
+    return new SetAgeRestrictedRequest().fromJsonString(jsonString, options)
+  }
+
+  static equals(
+    a:
+      | SetAgeRestrictedRequest
+      | PlainMessage<SetAgeRestrictedRequest>
+      | undefined,
+    b:
+      | SetAgeRestrictedRequest
+      | PlainMessage<SetAgeRestrictedRequest>
+      | undefined,
+  ): boolean {
+    return proto3.util.equals(SetAgeRestrictedRequest, a, b)
+  }
+}
+
+/**
+ * @generated from message courier.SetAgeRestrictedResponse
+ */
+export class SetAgeRestrictedResponse extends Message<SetAgeRestrictedResponse> {
+  constructor(data?: PartialMessage<SetAgeRestrictedResponse>) {
+    super()
+    proto3.util.initPartial(data, this)
+  }
+
+  static readonly runtime: typeof proto3 = proto3
+  static readonly typeName = 'courier.SetAgeRestrictedResponse'
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [])
+
+  static fromBinary(
+    bytes: Uint8Array,
+    options?: Partial<BinaryReadOptions>,
+  ): SetAgeRestrictedResponse {
+    return new SetAgeRestrictedResponse().fromBinary(bytes, options)
+  }
+
+  static fromJson(
+    jsonValue: JsonValue,
+    options?: Partial<JsonReadOptions>,
+  ): SetAgeRestrictedResponse {
+    return new SetAgeRestrictedResponse().fromJson(jsonValue, options)
+  }
+
+  static fromJsonString(
+    jsonString: string,
+    options?: Partial<JsonReadOptions>,
+  ): SetAgeRestrictedResponse {
+    return new SetAgeRestrictedResponse().fromJsonString(jsonString, options)
+  }
+
+  static equals(
+    a:
+      | SetAgeRestrictedResponse
+      | PlainMessage<SetAgeRestrictedResponse>
+      | undefined,
+    b:
+      | SetAgeRestrictedResponse
+      | PlainMessage<SetAgeRestrictedResponse>
+      | undefined,
+  ): boolean {
+    return proto3.util.equals(SetAgeRestrictedResponse, a, b)
+  }
+}

package/src/stash.ts

@@ -5,6 +5,7 @@ import {
   Preferences,
   SubjectActivitySubscription,
 } from './lexicon/types/app/bsky/notification/defs'
+import { AgeAssuranceEvent } from './lexicon/types/app/bsky/unspecced/defs'
 import { Method } from './proto/bsync_pb'
 
 type PickNSID<T extends { $type?: string }> = Exclude<T['$type'], undefined>
@@ -14,6 +15,8 @@ export const Namespaces = {
     'app.bsky.notification.defs#preferences' satisfies PickNSID<Preferences>,
   AppBskyNotificationDefsSubjectActivitySubscription:
     'app.bsky.notification.defs#subjectActivitySubscription' satisfies PickNSID<SubjectActivitySubscription>,
+  AppBskyUnspeccedDefsAgeAssuranceEvent:
+    'app.bsky.unspecced.defs#ageAssuranceEvent' satisfies PickNSID<AgeAssuranceEvent>,
 }
 
 export type Namespace = (typeof Namespaces)[keyof typeof Namespaces]

package/tests/views/age-assurance.test.ts

@@ -0,0 +1,425 @@
+import crypto from 'node:crypto'
+import { once } from 'node:events'
+import { Server, createServer } from 'node:http'
+import { AddressInfo } from 'node:net'
+import express, { Application } from 'express'
+import Statsig from 'statsig-node'
+import { AtpAgent } from '@atproto/api'
+import { SeedClient, TestNetwork, basicSeed } from '@atproto/dev-env'
+import {
+  KwsExternalPayload,
+  KwsVerificationQuery,
+  KwsWebhookBody,
+} from '../../src/api/kws/types'
+import {
+  parseExternalPayload,
+  serializeExternalPayload,
+} from '../../src/api/kws/util'
+import { GateID } from '../../src/feature-gates'
+import { ids } from '../../src/lexicon/lexicons'
+
+type Database = TestNetwork['bsky']['db']
+
+describe('age assurance views', () => {
+  const verificationSecret = 'verificationSecret'
+  const webhookSecret = 'webhookSecret'
+  const attemptId = crypto.randomUUID()
+  const redirectUrl = 'https://bsky.app/intent/age-assurance'
+
+  let network: TestNetwork
+  let db: Database
+  let agent: AtpAgent
+  let sc: SeedClient
+
+  let actorDid: string
+
+  let kwsServer: MockKwsServer
+  const authMock = jest.fn()
+  const sendEmailMock = jest.fn()
+
+  beforeAll(async () => {
+    kwsServer = new MockKwsServer({
+      verificationSecret,
+      webhookSecret,
+      authMock,
+      sendEmailMock,
+    })
+    await kwsServer.listen()
+
+    network = await TestNetwork.create({
+      dbPostgresSchema: 'bsky_views_age_assurance',
+      bsky: {
+        statsigEnv: 'test',
+        statsigKey: 'secret-key',
+        kws: {
+          apiKey: 'apiKey',
+          apiOrigin: kwsServer.url,
+          authOrigin: kwsServer.url,
+          clientId: 'clientId',
+          redirectUrl,
+          userAgent: 'userAgent',
+          verificationSecret,
+          webhookSecret,
+        },
+      },
+    })
+    Statsig.overrideGate(GateID.AgeAssurance, true)
+    db = network.bsky.db
+    agent = network.bsky.getClient()
+    sc = network.getSeedClient()
+    await basicSeed(sc)
+    await network.processAll()
+
+    actorDid = sc.dids.alice
+  })
+
+  beforeEach(async () => {
+    // Default mocks for KWS endpoints.
+    authMock.mockImplementation(
+      (_req: express.Request, res: express.Response) =>
+        res.json({
+          access_token:
+            'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.INVALID',
+          expires_in: 3600,
+        }),
+    )
+    sendEmailMock.mockImplementation(
+      (_req: express.Request, res: express.Response) => {
+        res.json({})
+      },
+    )
+  })
+
+  afterEach(async () => {
+    jest.resetAllMocks()
+    await clearPrivateData(db)
+    await clearActorAgeAssurance(db)
+  })
+
+  afterAll(async () => {
+    await network.close()
+    await kwsServer.stop()
+  })
+
+  const getAgeAssurance = async (did: string) => {
+    const { data } = await agent.app.bsky.unspecced.getAgeAssuranceState(
+      {},
+      {
+        headers: await network.serviceHeaders(
+          did,
+          ids.AppBskyUnspeccedGetAgeAssuranceState,
+        ),
+      },
+    )
+    return data
+  }
+
+  const initAgeAssurance = async (did: string, email?: string) => {
+    const { data } = await agent.app.bsky.unspecced.initAgeAssurance(
+      {
+        email: email ?? sc.accounts[did].email,
+        language: 'en',
+        countryCode: 'CC',
+      },
+      {
+        headers: await network.serviceHeaders(
+          did,
+          ids.AppBskyUnspeccedInitAgeAssurance,
+        ),
+      },
+    )
+    return data
+  }
+
+  describe('parsing external payload', () => {
+    it('fails if actorDid is missing', () => {
+      const serialized = JSON.stringify({
+        attemptId,
+      } satisfies Partial<KwsExternalPayload>)
+
+      expect(() => parseExternalPayload(serialized)).toThrow(
+        `Invalid external payload`,
+      )
+    })
+
+    it('fails if attemptId is missing', () => {
+      const serialized = JSON.stringify({
+        actorDid,
+      } satisfies Partial<KwsExternalPayload>)
+
+      expect(() => parseExternalPayload(serialized)).toThrow(
+        `Invalid external payload`,
+      )
+    })
+
+    it('fails if extra field is present', () => {
+      const serialized = JSON.stringify({
+        actorDid,
+        attemptId,
+        extra: 'field',
+      } satisfies KwsExternalPayload & { extra: string })
+
+      expect(() => parseExternalPayload(serialized)).toThrow(
+        `Invalid external payload`,
+      )
+    })
+
+    it('does not fail if all fields are set', () => {
+      const externalPayload: KwsExternalPayload = {
+        actorDid,
+        attemptId,
+      }
+      const serialized = JSON.stringify(externalPayload)
+
+      const parsed = parseExternalPayload(serialized)
+      expect(parsed).toStrictEqual(externalPayload)
+    })
+  })
+
+  it('fetches AA state correctly if user never did the flow', async () => {
+    const aliceState = await getAgeAssurance(actorDid)
+    expect(aliceState).toEqual({
+      status: 'unknown',
+    })
+  })
+
+  it('validates email used for AA flow', async () => {
+    await expect(initAgeAssurance(actorDid, 'invalid-email')).rejects.toThrow(
+      'This email address is not supported,',
+    )
+  })
+
+  describe('verification response flow', () => {
+    it('performs the AA flow', async () => {
+      const state0 = await getAgeAssurance(actorDid)
+      expect(state0).toStrictEqual({
+        status: 'unknown',
+      })
+
+      const state1 = await initAgeAssurance(actorDid)
+      expect(state1).toStrictEqual({
+        status: 'pending',
+        lastInitiatedAt: expect.any(String),
+      })
+      expect(sendEmailMock).toHaveBeenCalledTimes(1)
+
+      const externalPayload: KwsExternalPayload = {
+        actorDid,
+        attemptId,
+      }
+      const status = { verified: true }
+      const verificationRes = await kwsServer.callVerificationResponse(
+        network.bsky.url,
+        { externalPayload, status },
+      )
+      expect(verificationRes.status).toBe(302)
+      expect(verificationRes.headers.get('Location')).toBe(
+        `${redirectUrl}?actorDid=${encodeURIComponent(actorDid)}&result=success`,
+      )
+
+      const state2 = await getAgeAssurance(actorDid)
+      expect(state2).toStrictEqual({
+        status: 'assured',
+        lastInitiatedAt: expect.any(String),
+      })
+    })
+
+    it('does not assure if the verification response has status not verified', async () => {
+      await initAgeAssurance(actorDid)
+
+      const externalPayload: KwsExternalPayload = {
+        actorDid,
+        attemptId,
+      }
+      const status = { verified: false }
+      const verificationRes = await kwsServer.callVerificationResponse(
+        network.bsky.url,
+        { externalPayload, status },
+      )
+      expect(verificationRes.status).toBe(302)
+      expect(verificationRes.headers.get('Location')).toBe(
+        `${redirectUrl}?result=unknown`,
+      )
+
+      const state = await getAgeAssurance(actorDid)
+      expect(state).toStrictEqual({
+        status: 'pending',
+        lastInitiatedAt: expect.any(String),
+      })
+    })
+  })
+
+  describe('webhook flow', () => {
+    it('performs the AA flow', async () => {
+      const state0 = await getAgeAssurance(actorDid)
+      expect(state0).toStrictEqual({
+        status: 'unknown',
+      })
+
+      const state1 = await initAgeAssurance(actorDid)
+      expect(state1).toStrictEqual({
+        status: 'pending',
+        lastInitiatedAt: expect.any(String),
+      })
+      expect(sendEmailMock).toHaveBeenCalledTimes(1)
+
+      const webhookRes = await kwsServer.callWebhook(network.bsky.url, {
+        payload: {
+          externalPayload: {
+            actorDid,
+            attemptId,
+          },
+          status: {
+            verified: true,
+          },
+        },
+      })
+      expect(webhookRes.status).toBe(200)
+
+      const state2 = await getAgeAssurance(actorDid)
+      expect(state2).toStrictEqual({
+        status: 'assured',
+        lastInitiatedAt: expect.any(String),
+      })
+    })
+
+    it('does not assure if the webhook has status not verified', async () => {
+      await initAgeAssurance(actorDid)
+
+      const webhookRes = await kwsServer.callWebhook(network.bsky.url, {
+        payload: {
+          externalPayload: {
+            actorDid,
+            attemptId,
+          },
+          status: {
+            verified: false,
+          },
+        },
+      })
+      expect(webhookRes.status).toBe(500)
+
+      const state = await getAgeAssurance(actorDid)
+      expect(state).toStrictEqual({
+        status: 'pending',
+        lastInitiatedAt: expect.any(String),
+      })
+    })
+  })
+})
+
+const clearPrivateData = async (db: Database) => {
+  await db.db.deleteFrom('private_data').execute()
+}
+
+const clearActorAgeAssurance = async (db: Database) => {
+  await db.db
+    .updateTable('actor')
+    .set({
+      ageAssuranceStatus: null,
+      ageAssuranceLastInitiatedAt: null,
+    })
+    .execute()
+}
+
+class MockKwsServer {
+  private verificationSecret: string
+  private webhookSecret: string
+  private app: Application
+  private server: Server
+
+  constructor({
+    verificationSecret,
+    webhookSecret,
+    authMock,
+    sendEmailMock,
+  }: {
+    verificationSecret: string
+    webhookSecret: string
+    authMock: jest.Mock
+    sendEmailMock: jest.Mock
+  }) {
+    this.verificationSecret = verificationSecret
+    this.webhookSecret = webhookSecret
+
+    this.app = express()
+      .post('/auth/realms/kws/protocol/openid-connect/token', (req, res) =>
+        authMock(req, res),
+      )
+      .post('/v1/verifications/send-email', (req, res) =>
+        sendEmailMock(req, res),
+      )
+
+    this.server = createServer(this.app)
+  }
+
+  async listen(port?: number) {
+    this.server.listen(port)
+    await once(this.server, 'listening')
+  }
+
+  async stop() {
+    this.server.close()
+    await once(this.server, 'close')
+  }
+
+  callVerificationResponse(
+    bskyUrl: string,
+    query: Omit<KwsVerificationQuery, 'signature'>,
+  ) {
+    const externalPayloadJson = JSON.stringify(query.externalPayload)
+    const statusJson = JSON.stringify(query.status)
+
+    const sig = crypto
+      .createHmac('sha256', this.verificationSecret)
+      .update(`${statusJson}:${externalPayloadJson}`)
+      .digest('hex')
+
+    const queryString = new URLSearchParams({
+      externalPayload: externalPayloadJson,
+      signature: sig,
+      status: statusJson,
+    }).toString()
+
+    return fetch(
+      `${bskyUrl}/external/kws/age-assurance-verification?${queryString}`,
+      {
+        method: 'GET',
+        redirect: 'manual',
+      },
+    )
+  }
+
+  callWebhook(bskyUrl: string, body: KwsWebhookBody): Promise<Response> {
+    const withSerializedExternalPayload = {
+      ...body,
+      payload: {
+        ...body.payload,
+        externalPayload: serializeExternalPayload(body.payload.externalPayload),
+      },
+    }
+    const bodyBuffer = Buffer.from(
+      JSON.stringify(withSerializedExternalPayload),
+    )
+
+    const timestamp = new Date().valueOf()
+    const sig = crypto
+      .createHmac('sha256', this.webhookSecret)
+      .update(`${timestamp}.${bodyBuffer}`)
+      .digest('hex')
+
+    return fetch(`${bskyUrl}/external/kws/age-assurance-webhook`, {
+      method: 'POST',
+      body: bodyBuffer,
+      headers: {
+        'x-kws-signature': `t=${timestamp},v1=${sig}`,
+        'Content-Type': 'application/json',
+      },
+    })
+  }
+
+  get url() {
+    const address = this.server.address() as AddressInfo
+    return `http://localhost:${address.port}`
+  }
+}