@atproto/bsky 0.0.198 → 0.0.200

package/src/api/kws/api.ts

@@ -1,42 +1,41 @@
 import express, { RequestHandler } from 'express'
 import { httpLogger as log } from '../../logger'
+import { AGE_ASSURANCE_CONFIG } from '../age-assurance/const'
 import {
-  AppContextWithKwsClient,
-  KwsVerificationIntermediateQuery,
-  KwsVerificationQuery,
-  verificationIntermediateQuerySchema,
-} from './types'
+  KWSExternalPayloadVersion,
+  parseKWSExternalPayloadV1WithV2Compat,
+} from '../age-assurance/kws/external-payload'
+import { createEvent } from '../age-assurance/stash'
+import { computeAgeAssuranceAccessOrThrow } from '../age-assurance/util'
+import { AppContextWithKwsClient } from './types'
 import {
   createStashEvent,
   getClientUa,
-  parseExternalPayload,
   parseStatus,
   validateSignature,
 } from './util'
 
-const validateRequest = (
+function parseQueryParams(
   ctx: AppContextWithKwsClient,
   req: express.Request,
-): KwsVerificationQuery => {
+): {
+  status: string
+  externalPayload: string
+} {
   try {
-    const intermediate: KwsVerificationIntermediateQuery =
-      verificationIntermediateQuerySchema.parse({
-        externalPayload: req.query.externalPayload,
-        signature: req.query.signature,
-        status: req.query.status,
-      })
+    const status = String(req.query.status)
+    const externalPayload = String(req.query.externalPayload)
+    const signature = String(req.query.signature)
 
-    const data = `${intermediate.status}:${intermediate.externalPayload}`
     validateSignature(
       ctx.cfg.kws.verificationSecret,
-      data,
-      intermediate.signature,
+      `${status}:${externalPayload}`,
+      signature,
     )
 
     return {
-      ...intermediate,
-      externalPayload: parseExternalPayload(intermediate.externalPayload),
-      status: parseStatus(intermediate.status),
+      status,
+      externalPayload,
     }
   } catch (err) {
     throw new Error('Invalid KWS API request', { cause: err })
@@ -48,29 +47,51 @@ export const verificationHandler =
   async (req: express.Request, res: express.Response) => {
     let actorDid: string | undefined
     try {
-      const query = validateRequest(ctx, req)
-      const {
-        externalPayload,
-        status: { verified },
-      } = query
+      const query = parseQueryParams(ctx, req)
+      const { verified } = parseStatus(query.status)
       if (!verified) {
         throw new Error(
           'Unexpected KWS verification response call with unverified status',
         )
       }
 
-      const { actorDid: externalPayloadActorDid, attemptId } = externalPayload
-      actorDid = externalPayloadActorDid
       // Assumes `app.set('trust proxy', ...)` configured with `true` or specific values.
       const completeIp = req.ip
       const completeUa = getClientUa(req)
-      await createStashEvent(ctx, {
-        actorDid,
-        attemptId,
-        completeIp,
-        completeUa,
-        status: 'assured',
-      })
+      const externalPayload = parseKWSExternalPayloadV1WithV2Compat(
+        query.externalPayload,
+      )
+      actorDid = externalPayload.actorDid
+
+      if (externalPayload.version === KWSExternalPayloadVersion.V2) {
+        const { countryCode, regionCode, attemptId } = externalPayload
+        const { access } = computeAgeAssuranceAccessOrThrow(
+          AGE_ASSURANCE_CONFIG,
+          {
+            countryCode: countryCode,
+            regionCode: regionCode,
+            verifiedMinimumAge: 18, // `adult-verified` is 18+ only
+          },
+        )
+        await createEvent(ctx, actorDid, {
+          attemptId,
+          status: 'assured',
+          access,
+          countryCode,
+          regionCode,
+          completeIp,
+          completeUa,
+        })
+      } else {
+        await createStashEvent(ctx, {
+          actorDid,
+          attemptId: externalPayload.attemptId,
+          status: 'assured',
+          completeIp,
+          completeUa,
+        })
+      }
+
       return res
         .status(302)
         .setHeader(

package/src/api/kws/index.ts

@@ -9,7 +9,13 @@ export const createRouter = (ctx: AppContext): Router => {
 
   const router = Router()
   router.use(raw({ type: 'application/json' }))
-  router.post('/age-assurance-webhook', webhookAuth(ctx), webhookHandler(ctx))
+  router.post(
+    '/age-assurance-webhook',
+    webhookAuth({
+      secret: ctx.cfg.kws.webhookSecret,
+    }),
+    webhookHandler(ctx),
+  )
   router.get('/age-assurance-verification', verificationHandler(ctx))
   return router
 }

package/src/api/kws/webhook.ts

@@ -1,19 +1,21 @@
 import express, { RequestHandler } from 'express'
 import { httpLogger as log } from '../../logger'
+import { AGE_ASSURANCE_CONFIG } from '../age-assurance/const'
+import {
+  KWSExternalPayloadVersion,
+  parseKWSExternalPayloadV1WithV2Compat,
+} from '../age-assurance/kws/external-payload'
+import { createEvent } from '../age-assurance/stash'
+import { computeAgeAssuranceAccessOrThrow } from '../age-assurance/util'
 import {
   AppContextWithKwsClient,
   KwsWebhookBody,
   webhookBodyIntermediateSchema,
 } from './types'
-import {
-  createStashEvent,
-  kwsWwwAuthenticate,
-  parseExternalPayload,
-  validateSignature,
-} from './util'
+import { createStashEvent, kwsWwwAuthenticate, validateSignature } from './util'
 
 export const webhookAuth =
-  (ctx: AppContextWithKwsClient): RequestHandler =>
+  ({ secret }: { secret: string }): RequestHandler =>
   (req: express.Request, res: express.Response, next: express.NextFunction) => {
     const body: Buffer = req.body
     const sigHeader = req.headers['x-kws-signature']
@@ -34,7 +36,7 @@ export const webhookAuth =
       }
 
       const data = `${timestamp}.${body}`
-      validateSignature(ctx.cfg.kws.webhookSecret, data, signature)
+      validateSignature(secret, data, signature)
       next()
     } catch (err) {
       log.error({ err }, 'Invalid KWS webhook signature')
@@ -51,21 +53,10 @@ type AgeAssuranceWebhookIntermediateBody = {
   }
 }
 
-const parseBody = (serialized: string): KwsWebhookBody => {
+const parseBody = (serialized: string): AgeAssuranceWebhookIntermediateBody => {
   try {
     const value: unknown = JSON.parse(serialized)
-    const intermediate: AgeAssuranceWebhookIntermediateBody =
-      webhookBodyIntermediateSchema.parse(value)
-
-    return {
-      ...intermediate,
-      payload: {
-        ...intermediate.payload,
-        externalPayload: parseExternalPayload(
-          intermediate.payload.externalPayload,
-        ),
-      },
-    }
+    return webhookBodyIntermediateSchema.parse(value)
   } catch (err) {
     throw new Error(`Invalid webhook body: ${serialized}`, { cause: err })
   }
@@ -74,7 +65,7 @@ const parseBody = (serialized: string): KwsWebhookBody => {
 export const webhookHandler =
   (ctx: AppContextWithKwsClient): RequestHandler =>
   async (req: express.Request, res: express.Response) => {
-    let body: KwsWebhookBody
+    let body: AgeAssuranceWebhookIntermediateBody
     try {
       body = parseBody(req.body)
     } catch (err) {
@@ -82,23 +73,55 @@ export const webhookHandler =
       return res.status(400).json(err)
     }
 
-    const {
-      payload: {
-        status: { verified },
-        externalPayload,
-      },
-    } = body
-    const { actorDid, attemptId } = externalPayload
+    const { verified } = body.payload.status
     if (!verified) {
       throw new Error('Unexpected KWS webhook call with unverified status')
     }
 
+    const externalPayload = parseKWSExternalPayloadV1WithV2Compat(
+      body.payload.externalPayload,
+    )
+    const isV2 = externalPayload.version === KWSExternalPayloadVersion.V2
+
+    let result: ReturnType<typeof computeAgeAssuranceAccessOrThrow> | undefined
+    if (isV2) {
+      const { attemptId, actorDid, countryCode, regionCode } = externalPayload
+      try {
+        result = computeAgeAssuranceAccessOrThrow(AGE_ASSURANCE_CONFIG, {
+          countryCode: countryCode,
+          regionCode: regionCode,
+          verifiedMinimumAge: 18, // `adult-verified` is 18+ only
+        })
+      } catch (err) {
+        // internal errors
+        log.error(
+          { err, attemptId, actorDid, countryCode, regionCode },
+          'Failed to compute age assurance access',
+        )
+      }
+    }
+
     try {
-      await createStashEvent(ctx, {
-        actorDid,
-        attemptId,
-        status: 'assured',
-      })
+      if (isV2) {
+        if (result) {
+          const { attemptId, actorDid, countryCode, regionCode } =
+            externalPayload
+          await createEvent(ctx, actorDid, {
+            attemptId,
+            status: 'assured',
+            access: result.access,
+            countryCode,
+            regionCode,
+          })
+        } // else do nothing
+      } else {
+        const { attemptId, actorDid } = externalPayload
+        await createStashEvent(ctx, {
+          attemptId: attemptId,
+          actorDid: actorDid,
+          status: 'assured',
+        })
+      }
       return res.status(200).end()
     } catch (err) {
       log.error({ err }, 'Failed to handle KWS webhook')

package/src/config.ts

@@ -13,8 +13,22 @@ export interface KwsConfig {
   clientId: string
   redirectUrl: string
   userAgent: string
+  /**
+   * V1 secret used to validate `adult-verifieid` redirects
+   */
   verificationSecret: string
+  /**
+   * V1 secret used to validate `adult-verified` webhooks
+   */
   webhookSecret: string
+  /**
+   * V2 secret used to validate `age-verified` webhooks
+   */
+  ageVerifiedWebhookSecret: string
+  /**
+   * V2 secret used to validate `age-verified` redirects
+   */
+  ageVerifiedRedirectSecret: string
 }
 
 export interface ServerConfigValues {
@@ -41,6 +55,10 @@ export interface ServerConfigValues {
   courierApiKey?: string
   courierHttpVersion?: '1.1' | '2'
   courierIgnoreBadTls?: boolean
+  rolodexUrl?: string
+  rolodexApiKey?: string
+  rolodexHttpVersion?: '1.1' | '2'
+  rolodexIgnoreBadTls?: boolean
   searchUrl?: string
   searchTagsHide: Set<string>
   suggestionsUrl?: string
@@ -172,6 +190,12 @@ export class ServerConfig {
     const courierIgnoreBadTls =
       process.env.BSKY_COURIER_IGNORE_BAD_TLS === 'true'
     assert(courierHttpVersion === '1.1' || courierHttpVersion === '2')
+    const rolodexUrl = process.env.BSKY_ROLODEX_URL || undefined
+    const rolodexApiKey = process.env.BSKY_ROLODEX_API_KEY || undefined
+    const rolodexHttpVersion = process.env.BSKY_ROLODEX_HTTP_VERSION || '2'
+    const rolodexIgnoreBadTls =
+      process.env.BSKY_ROLODEX_IGNORE_BAD_TLS === 'true'
+    assert(rolodexHttpVersion === '1.1' || rolodexHttpVersion === '2')
     const blobRateLimitBypassKey =
       process.env.BSKY_BLOB_RATE_LIMIT_BYPASS_KEY || undefined
     // single domain would be e.g. "mypds.com", subdomains are supported with a leading dot e.g. ".mypds.com"
@@ -251,6 +275,10 @@ export class ServerConfig {
     const kwsUserAgent = process.env.BSKY_KWS_USER_AGENT
     const kwsVerificationSecret = process.env.BSKY_KWS_VERIFICATION_SECRET
     const kwsWebhookSecret = process.env.BSKY_KWS_WEBHOOK_SECRET
+    const kwsAgeVerifiedWebhookSecret =
+      process.env.BSKY_KWS_AGE_VERIFIED_WEBHOOK_SECRET
+    const kwsAgeVerifiedRedirectSecret =
+      process.env.BSKY_KWS_AGE_VERIFIED_REDIRECT_SECRET
     if (
       kwsApiKey ||
       kwsApiOrigin ||
@@ -259,7 +287,9 @@ export class ServerConfig {
       kwsRedirectUrl ||
       kwsUserAgent ||
       kwsVerificationSecret ||
-      kwsWebhookSecret
+      kwsWebhookSecret ||
+      kwsAgeVerifiedWebhookSecret ||
+      kwsAgeVerifiedRedirectSecret
     ) {
       assert(
         kwsApiOrigin &&
@@ -269,7 +299,9 @@ export class ServerConfig {
           kwsUserAgent &&
           kwsVerificationSecret &&
           kwsWebhookSecret &&
-          kwsApiKey,
+          kwsApiKey &&
+          kwsAgeVerifiedWebhookSecret &&
+          kwsAgeVerifiedRedirectSecret,
         'all KWS environment variables must be set if any are set',
       )
       kws = {
@@ -281,6 +313,8 @@ export class ServerConfig {
         userAgent: kwsUserAgent,
         verificationSecret: kwsVerificationSecret,
         webhookSecret: kwsWebhookSecret,
+        ageVerifiedWebhookSecret: kwsAgeVerifiedWebhookSecret,
+        ageVerifiedRedirectSecret: kwsAgeVerifiedRedirectSecret,
       }
     }
 
@@ -323,6 +357,10 @@ export class ServerConfig {
       courierApiKey,
       courierHttpVersion,
       courierIgnoreBadTls,
+      rolodexUrl,
+      rolodexApiKey,
+      rolodexHttpVersion,
+      rolodexIgnoreBadTls,
       blobRateLimitBypassKey,
       blobRateLimitBypassHostname,
       adminPasswords,
@@ -446,6 +484,19 @@ export class ServerConfig {
     return this.cfg.courierIgnoreBadTls
   }
 
+  get rolodexUrl() {
+    return this.cfg.rolodexUrl
+  }
+  get rolodexApiKey() {
+    return this.cfg.rolodexApiKey
+  }
+  get rolodexHttpVersion() {
+    return this.cfg.rolodexHttpVersion
+  }
+  get rolodexIgnoreBadTls() {
+    return this.cfg.rolodexIgnoreBadTls
+  }
+
   get searchUrl() {
     return this.cfg.searchUrl
   }

package/src/context.ts

@@ -14,6 +14,7 @@ import { FeatureGates } from './feature-gates'
 import { Hydrator } from './hydration/hydrator'
 import { KwsClient } from './kws'
 import { httpLogger as log } from './logger'
+import { RolodexClient } from './rolodex'
 import { StashClient } from './stash'
 import {
   ParsedLabelers,
@@ -39,6 +40,7 @@ export class AppContext {
       bsyncClient: BsyncClient
       stashClient: StashClient
       courierClient: CourierClient | undefined
+      rolodexClient: RolodexClient | undefined
       authVerifier: AuthVerifier
       featureGates: FeatureGates
       blobDispatcher: Dispatcher
@@ -106,6 +108,10 @@ export class AppContext {
     return this.opts.courierClient
   }
 
+  get rolodexClient(): RolodexClient | undefined {
+    return this.opts.rolodexClient
+  }
+
   get authVerifier(): AuthVerifier {
     return this.opts.authVerifier
   }

package/src/data-plane/bsync/index.ts

@@ -8,6 +8,7 @@ import { TID } from '@atproto/common'
 import { jsonStringToLex } from '@atproto/lexicon'
 import { AtUri } from '@atproto/syntax'
 import { ids } from '../../lexicon/lexicons'
+import { Event as AgeAssuranceV2Event } from '../../lexicon/types/app/bsky/ageassurance/defs'
 import { Bookmark } from '../../lexicon/types/app/bsky/bookmark/defs'
 import { SubjectActivitySubscription } from '../../lexicon/types/app/bsky/notification/defs'
 import { AgeAssuranceEvent } from '../../lexicon/types/app/bsky/unspecced/defs'
@@ -175,6 +176,8 @@ const createRoutes = (db: Database) => (router: ConnectRouter) =>
           namespace === Namespaces.AppBskyUnspeccedDefsAgeAssuranceEvent
         ) {
           await handleAgeAssuranceEventOperation(db, req, now)
+        } else if (namespace === Namespaces.AppBskyAgeassuranceDefsEvent) {
+          await handleAgeAssuranceV2EventOperation(db, req, now)
         } else if (namespace === Namespaces.AppBskyBookmarkDefsBookmark) {
           await handleBookmarkOperation(db, req, now)
         }
@@ -314,6 +317,34 @@ const handleAgeAssuranceEventOperation = async (
     .execute()
 }
 
+const handleAgeAssuranceV2EventOperation = async (
+  db: Database,
+  req: PutOperationRequest,
+  _now: string,
+) => {
+  const { actorDid, method, payload } = req
+  if (method !== Method.CREATE) return
+
+  const parsed = jsonStringToLex(
+    Buffer.from(payload).toString('utf8'),
+  ) as AgeAssuranceV2Event
+  const { status, createdAt, access, countryCode, regionCode } = parsed
+
+  const update = {
+    ageAssuranceStatus: status,
+    ageAssuranceLastInitiatedAt: status === 'pending' ? createdAt : undefined,
+    ageAssuranceAccess: access,
+    ageAssuranceCountryCode: countryCode,
+    ageAssuranceRegionCode: regionCode,
+  }
+
+  return db.db
+    .updateTable('actor')
+    .set(update)
+    .where('did', '=', actorDid)
+    .execute()
+}
+
 const handleBookmarkOperation = async (
   db: Database,
   req: PutOperationRequest,

package/src/data-plane/server/db/migrations/20251120T004738098Z-update-actor-age-assurance-v2.ts

@@ -0,0 +1,28 @@
+import { Kysely } from 'kysely'
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  await db.schema
+    .alterTable('actor')
+    .addColumn('ageAssuranceAccess', 'text')
+    .execute()
+  await db.schema
+    .alterTable('actor')
+    .addColumn('ageAssuranceCountryCode', 'text')
+    .execute()
+  await db.schema
+    .alterTable('actor')
+    .addColumn('ageAssuranceRegionCode', 'text')
+    .execute()
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.alterTable('actor').dropColumn('ageAssuranceAccess').execute()
+  await db.schema
+    .alterTable('actor')
+    .dropColumn('ageAssuranceCountryCode')
+    .execute()
+  await db.schema
+    .alterTable('actor')
+    .dropColumn('ageAssuranceRegionCode')
+    .execute()
+}

package/src/data-plane/server/db/migrations/index.ts

@@ -55,3 +55,4 @@ export * as _20250611T140649895Z from './20250611T140649895Z-add-activity-subscr
 export * as _20250627T025331240Z from './20250627T025331240Z-add-actor-age-assurance-columns'
 export * as _20250812T183735692Z from './20250812T183735692Z-add-bookmarks'
 export * as _20250813T174955711Z from './20250813T174955711Z-add-post-agg-bookmarks'
+export * as _20251120T004738098Z from './20251120T004738098Z-update-actor-age-assurance-v2'

package/src/data-plane/server/db/tables/actor.ts

@@ -9,6 +9,9 @@ export interface Actor {
   trustedVerifier: Generated<boolean>
   ageAssuranceStatus: string | null
   ageAssuranceLastInitiatedAt: string | null
+  ageAssuranceAccess: string | null
+  ageAssuranceCountryCode: string | null
+  ageAssuranceRegionCode: string | null
 }
 
 export const tableName = 'actor'

package/src/data-plane/server/routes/profile.ts

@@ -134,11 +134,22 @@ export default (db: Database): Partial<ServiceImpl<typeof Service>> => ({
           return undefined
         }
 
+        const status = row?.ageAssuranceStatus ?? 'unknown'
+        let access = row?.ageAssuranceAccess
+        if (status === 'assured') {
+          access = 'full'
+        } else if (status === 'blocked') {
+          access = 'none'
+        } else {
+          access = 'unknown'
+        }
+
         return {
-          status: row?.ageAssuranceStatus ?? 'unknown',
           lastInitiatedAt: row?.ageAssuranceLastInitiatedAt
             ? Timestamp.fromDate(new Date(row?.ageAssuranceLastInitiatedAt))
             : undefined,
+          status,
+          access,
         }
       }
 

package/src/hydration/actor.ts

@@ -179,7 +179,7 @@ export class ActorHydrator {
         return acc.set(did, null)
       }
 
-      const profile = actor.profile
+      const profile = actor.profile?.record
         ? parseRecord<ProfileRecord>(actor.profile, includeTakedowns)
         : undefined
 

package/src/hydration/hydrator.ts

@@ -1327,7 +1327,7 @@ export class Hydrator {
     const uri = new AtUri(uriStr)
     const [did] = await this.actor.getDids([uri.host])
     if (!did) return uriStr
-    uri.host = did
+    uri.hostname = did
     return uri.toString()
   }
 }

package/src/index.ts

@@ -30,6 +30,7 @@ import { ImageUriBuilder } from './image/uri'
 import { createKwsClient } from './kws'
 import { createServer } from './lexicon'
 import { loggerMiddleware } from './logger'
+import { authWithApiKey as rolodexAuth, createRolodexClient } from './rolodex'
 import { createStashClient } from './stash'
 import { Views } from './views'
 import { VideoUriBuilder } from './views/util'
@@ -156,6 +157,17 @@ export class BskyAppView {
         })
       : undefined
 
+    const rolodexClient = config.rolodexUrl
+      ? createRolodexClient({
+          baseUrl: config.rolodexUrl,
+          httpVersion: config.rolodexHttpVersion ?? '2',
+          nodeOptions: { rejectUnauthorized: !config.rolodexIgnoreBadTls },
+          interceptors: config.rolodexApiKey
+            ? [rolodexAuth(config.rolodexApiKey)]
+            : [],
+        })
+      : undefined
+
     const kwsClient = config.kws ? createKwsClient(config.kws) : undefined
 
     const entrywayJwtPublicKey = config.entrywayJwtPublicKeyHex
@@ -191,6 +203,7 @@ export class BskyAppView {
       bsyncClient,
       stashClient,
       courierClient,
+      rolodexClient,
       authVerifier,
       featureGates,
       blobDispatcher,