@atproto/bsky 0.0.36 → 0.0.37

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @atproto/bsky
 
+## 0.0.37
+
+### Patch Changes
+
+- [#2279](https://github.com/bluesky-social/atproto/pull/2279) [`192223f12`](https://github.com/bluesky-social/atproto/commit/192223f127c0b226287df1ecfcd953636db08655) Thanks [@gaearon](https://github.com/gaearon)! - Change Following feed prefs to only show replies from people you follow by default
+
+- Updated dependencies [[`192223f12`](https://github.com/bluesky-social/atproto/commit/192223f127c0b226287df1ecfcd953636db08655)]:
+  - @atproto/api@0.10.5
+
 ## 0.0.36
 
 ### Patch Changes

package/dist/auth-verifier.d.ts

@@ -10,7 +10,7 @@ export declare enum RoleStatus {
 }
 type NullOutput = {
     credentials: {
-        type: 'null';
+        type: 'none';
         iss: null;
     };
 };
@@ -27,22 +27,22 @@ type RoleOutput = {
         admin: boolean;
     };
 };
-type AdminServiceOutput = {
+type ModServiceOutput = {
     credentials: {
-        type: 'admin_service';
+        type: 'mod_service';
         aud: string;
         iss: string;
     };
 };
 export type AuthVerifierOpts = {
     ownDid: string;
-    adminDid: string;
+    modServiceDid: string;
     adminPasses: string[];
 };
 export declare class AuthVerifier {
     dataplane: DataPlaneClient;
     ownDid: string;
-    adminDid: string;
+    modServiceDid: string;
     private adminPasses;
     constructor(dataplane: DataPlaneClient, opts: AuthVerifierOpts);
     standard: (ctx: ReqCtx) => Promise<StandardOutput>;
@@ -51,8 +51,8 @@ export declare class AuthVerifier {
     role: (ctx: ReqCtx) => RoleOutput;
     standardOrRole: (ctx: ReqCtx) => Promise<StandardOutput | RoleOutput>;
     optionalStandardOrRole: (ctx: ReqCtx) => Promise<StandardOutput | RoleOutput | NullOutput>;
-    adminService: (reqCtx: ReqCtx) => Promise<AdminServiceOutput>;
-    roleOrAdminService: (reqCtx: ReqCtx) => Promise<RoleOutput | AdminServiceOutput>;
+    modService: (reqCtx: ReqCtx) => Promise<ModServiceOutput>;
+    roleOrModService: (reqCtx: ReqCtx) => Promise<RoleOutput | ModServiceOutput>;
     parseRoleCreds(req: express.Request): {
         status: RoleStatus;
         admin: boolean;
@@ -71,8 +71,9 @@ export declare class AuthVerifier {
         iss: string;
         aud: string;
     }>;
+    isModService(iss: string): boolean;
     nullCreds(): NullOutput;
-    parseCreds(creds: StandardOutput | RoleOutput | AdminServiceOutput | NullOutput): {
+    parseCreds(creds: StandardOutput | RoleOutput | ModServiceOutput | NullOutput): {
         viewer: string | null;
         canViewTakedowns: boolean;
         canPerformTakedown: boolean;

package/dist/config.d.ts

@@ -17,6 +17,8 @@ export interface ServerConfigValues {
     courierIgnoreBadTls?: boolean;
     searchUrl?: string;
     cdnUrl?: string;
+    blobRateLimitBypassKey?: string;
+    blobRateLimitBypassHostname?: string;
     didPlcUrl: string;
     handleResolveNameservers?: string[];
     modServiceDid: string;
@@ -49,6 +51,8 @@ export declare class ServerConfig {
     get courierIgnoreBadTls(): boolean | undefined;
     get searchUrl(): string | undefined;
     get cdnUrl(): string | undefined;
+    get blobRateLimitBypassKey(): string | undefined;
+    get blobRateLimitBypassHostname(): string | undefined;
     get didPlcUrl(): string;
     get handleResolveNameservers(): string[] | undefined;
     get adminPasswords(): string[];

package/dist/index.js

@@ -132036,6 +132036,9 @@ var getHandle = (doc) => {
   return found.slice(5);
 };
 var getSigningKey = (doc) => {
+  return getVerificationMaterial(doc, "atproto");
+};
+var getVerificationMaterial = (doc, keyId) => {
   const did2 = getDid(doc);
   let keys = doc.verificationMethod;
   if (!keys)
@@ -132045,7 +132048,7 @@ var getSigningKey = (doc) => {
   if (!Array.isArray(keys)) {
     keys = [keys];
   }
-  const found = keys.find((key) => key.id === "#atproto" || key.id === `${did2}#atproto`);
+  const found = keys.find((key) => key.id === `#${keyId}` || key.id === `${did2}#${keyId}`);
   if (!found?.publicKeyMultibase)
     return void 0;
   return {
@@ -134406,6 +134409,10 @@ var schemaDict = {
             type: "string",
             description: "The subject line of the email sent to the user."
           },
+          content: {
+            type: "string",
+            description: "The content of the email sent to the user."
+          },
           comment: {
             type: "string",
             description: "Additional comment about the outgoing comm."
@@ -138553,7 +138560,8 @@ var schemaDict = {
           },
           hideRepliesByUnfollowed: {
             type: "boolean",
-            description: "Hide replies in the feed if they are not by followed users."
+            description: "Hide replies in the feed if they are not by followed users.",
+            default: true
           },
           hideRepliesByLikeCount: {
             type: "integer",
@@ -148834,6 +148842,10 @@ var schemaDict2 = {
             type: "string",
             description: "The subject line of the email sent to the user."
           },
+          content: {
+            type: "string",
+            description: "The content of the email sent to the user."
+          },
           comment: {
             type: "string",
             description: "Additional comment about the outgoing comm."
@@ -152981,7 +152993,8 @@ var schemaDict2 = {
           },
           hideRepliesByUnfollowed: {
             type: "boolean",
-            description: "Hide replies in the feed if they are not by followed users."
+            description: "Hide replies in the feed if they are not by followed users.",
+            default: true
           },
           hideRepliesByLikeCount: {
             type: "integer",
@@ -179402,13 +179415,21 @@ var AuthVerifier2 = class {
         if (!this.parseRoleCreds(ctx.req).admin) {
           throw new AuthRequiredError("bad credentials");
         }
-        return { credentials: { type: "standard", iss: iss2, aud: aud2 } };
+        return {
+          credentials: { type: "standard", iss: iss2, aud: aud2 }
+        };
       }
       const { iss, aud } = await this.verifyServiceJwt(ctx, {
         aud: this.ownDid,
         iss: null
       });
-      return { credentials: { type: "standard", iss, aud } };
+      return {
+        credentials: {
+          type: "standard",
+          iss,
+          aud
+        }
+      };
     };
     this.standardOptional = async (ctx) => {
       if (isBearerToken(ctx.req) || isBasicToken(ctx.req)) {
@@ -179464,22 +179485,22 @@ var AuthVerifier2 = class {
         }
       }
     };
-    this.adminService = async (reqCtx) => {
+    this.modService = async (reqCtx) => {
       const { iss, aud } = await this.verifyServiceJwt(reqCtx, {
         aud: this.ownDid,
-        iss: [this.adminDid]
+        iss: [this.modServiceDid, `${this.modServiceDid}#atproto_labeler`]
       });
-      return { credentials: { type: "admin_service", aud, iss } };
+      return { credentials: { type: "mod_service", aud, iss } };
     };
-    this.roleOrAdminService = async (reqCtx) => {
+    this.roleOrModService = async (reqCtx) => {
       if (isBearerToken(reqCtx.req)) {
-        return this.adminService(reqCtx);
+        return this.modService(reqCtx);
       } else {
         return this.role(reqCtx);
       }
     };
     this.ownDid = opts.ownDid;
-    this.adminDid = opts.adminDid;
+    this.modServiceDid = opts.modServiceDid;
     this.adminPasses = new Set(opts.adminPasses);
   }
   parseRoleCreds(req) {
@@ -179495,10 +179516,12 @@ var AuthVerifier2 = class {
     return { status: Invalid, admin: false };
   }
   async verifyServiceJwt(reqCtx, opts) {
-    const getSigningKey2 = async (did2, _forceRefresh) => {
-      if (opts.iss !== null && !opts.iss.includes(did2)) {
+    const getSigningKey2 = async (iss, _forceRefresh) => {
+      if (opts.iss !== null && !opts.iss.includes(iss)) {
         throw new AuthRequiredError("Untrusted issuer", "UntrustedIss");
       }
+      const [did2, serviceId] = iss.split("#");
+      const keyId = serviceId === "atproto_labeler" ? "atproto_label" : "atproto";
       let identity3;
       try {
         identity3 = await this.dataplane.getIdentityByDid({ did: did2 });
@@ -179509,7 +179532,7 @@ var AuthVerifier2 = class {
         throw err;
       }
       const keys = unpackIdentityKeys(identity3.keys);
-      const didKey = getKeyAsDidKey(keys, { id: "atproto" });
+      const didKey = getKeyAsDidKey(keys, { id: keyId });
       if (!didKey) {
         throw new AuthRequiredError("missing or bad key");
       }
@@ -179522,18 +179545,24 @@ var AuthVerifier2 = class {
     const payload = await verifyJwt(jwtStr, opts.aud, getSigningKey2);
     return { iss: payload.iss, aud: payload.aud };
   }
+  isModService(iss) {
+    return [
+      this.modServiceDid,
+      `${this.modServiceDid}#atproto_labeler`
+    ].includes(iss);
+  }
   nullCreds() {
     return {
       credentials: {
-        type: "null",
+        type: "none",
         iss: null
       }
     };
   }
   parseCreds(creds) {
     const viewer = creds.credentials.type === "standard" ? creds.credentials.iss : null;
-    const canViewTakedowns = creds.credentials.type === "role" && creds.credentials.admin || creds.credentials.type === "admin_service";
-    const canPerformTakedown = creds.credentials.type === "role" && creds.credentials.admin || creds.credentials.type === "admin_service";
+    const canViewTakedowns = creds.credentials.type === "role" && creds.credentials.admin || creds.credentials.type === "mod_service" || creds.credentials.type === "standard" && this.isModService(creds.credentials.iss);
+    const canPerformTakedown = creds.credentials.type === "role" && creds.credentials.admin || creds.credentials.type === "mod_service";
     return {
       viewer,
       canViewTakedowns,
@@ -183417,7 +183446,7 @@ function getTaggedSuggestions_default(server, ctx) {
 // src/api/com/atproto/admin/getSubjectStatus.ts
 function getSubjectStatus_default(server, ctx) {
   server.com.atproto.admin.getSubjectStatus({
-    auth: ctx.authVerifier.roleOrAdminService,
+    auth: ctx.authVerifier.roleOrModService,
     handler: async ({ params: params2 }) => {
       const { did: did2, uri: uri2, blob: blob2 } = params2;
       let body = null;
@@ -183499,7 +183528,7 @@ function isMain5(v) {
 // src/api/com/atproto/admin/updateSubjectStatus.ts
 function updateSubjectStatus_default(server, ctx) {
   server.com.atproto.admin.updateSubjectStatus({
-    auth: ctx.authVerifier.roleOrAdminService,
+    auth: ctx.authVerifier.roleOrModService,
     handler: async ({ input, auth }) => {
       const { canPerformTakedown } = ctx.authVerifier.parseCreds(auth);
       if (!canPerformTakedown) {
@@ -183567,7 +183596,7 @@ function updateSubjectStatus_default(server, ctx) {
 // src/api/com/atproto/admin/getAccountInfos.ts
 function getAccountInfos_default(server, ctx) {
   server.com.atproto.admin.getAccountInfos({
-    auth: ctx.authVerifier.roleOrAdminService,
+    auth: ctx.authVerifier.roleOrModService,
     handler: async ({ params: params2 }) => {
       const { dids } = params2;
       const actors = await ctx.hydrator.actor.getActors(dids, true);
@@ -183788,7 +183817,7 @@ async function resolveBlob(ctx, did2, cid2) {
   if (takenDown) {
     throw (0, import_http_errors2.default)(404, "Blob not found");
   }
-  const blobResult = await retryHttp(() => getBlob({ pds, did: did2, cid: cidStr }));
+  const blobResult = await retryHttp(() => getBlob(ctx, { pds, did: did2, cid: cidStr }));
   const imageStream = blobResult.data;
   const verifyCid = new VerifyCidTransform(cid2);
   forwardStreamErrors(imageStream, verifyCid);
@@ -183798,15 +183827,36 @@ async function resolveBlob(ctx, did2, cid2) {
     stream: imageStream.pipe(verifyCid)
   };
 }
-async function getBlob(opts) {
+async function getBlob(ctx, opts) {
   const { pds, did: did2, cid: cid2 } = opts;
   return import_axios4.default.get(`${pds}/xrpc/com.atproto.sync.getBlob`, {
     params: { did: did2, cid: cid2 },
     decompress: true,
     responseType: "stream",
-    timeout: 5e3
+    timeout: 5e3,
+    headers: getRateLimitBypassHeaders(ctx, pds)
   });
 }
+function getRateLimitBypassHeaders(ctx, pds) {
+  const {
+    blobRateLimitBypassKey: bypassKey,
+    blobRateLimitBypassHostname: bypassHostname
+  } = ctx.cfg;
+  if (!bypassKey || !bypassHostname) {
+    return {};
+  }
+  const url = new URL(pds);
+  if (bypassHostname.startsWith(".")) {
+    if (url.hostname.endsWith(bypassHostname)) {
+      return { "x-ratelimit-bypass": bypassKey };
+    }
+  } else {
+    if (url.hostname === bypassHostname) {
+      return { "x-ratelimit-bypass": bypassKey };
+    }
+  }
+  return {};
+}
 
 // src/api/index.ts
 function api_default(server, ctx) {
@@ -185527,6 +185577,9 @@ var ServerConfig = class {
     const courierHttpVersion = process.env.BSKY_COURIER_HTTP_VERSION || "2";
     const courierIgnoreBadTls = process.env.BSKY_COURIER_IGNORE_BAD_TLS === "true";
     (0, import_node_assert3.default)(courierHttpVersion === "1.1" || courierHttpVersion === "2");
+    const blobRateLimitBypassKey = process.env.BSKY_BLOB_RATE_LIMIT_BYPASS_KEY || void 0;
+    const blobRateLimitBypassHostname = process.env.BSKY_BLOB_RATE_LIMIT_BYPASS_HOSTNAME || void 0;
+    (0, import_node_assert3.default)(!blobRateLimitBypassKey || blobRateLimitBypassHostname, "must specify a hostname when using a blob rate limit bypass key");
     const adminPasswords = envList(process.env.BSKY_ADMIN_PASSWORDS || process.env.BSKY_ADMIN_PASSWORD);
     const modServiceDid = process.env.MOD_SERVICE_DID;
     (0, import_node_assert3.default)(modServiceDid);
@@ -185555,6 +185608,8 @@ var ServerConfig = class {
       courierApiKey,
       courierHttpVersion,
       courierIgnoreBadTls,
+      blobRateLimitBypassKey,
+      blobRateLimitBypassHostname,
       adminPasswords,
       modServiceDid,
       ...stripUndefineds(overrides ?? {})
@@ -185622,6 +185677,12 @@ var ServerConfig = class {
   get cdnUrl() {
     return this.cfg.cdnUrl;
   }
+  get blobRateLimitBypassKey() {
+    return this.cfg.blobRateLimitBypassKey;
+  }
+  get blobRateLimitBypassHostname() {
+    return this.cfg.blobRateLimitBypassHostname;
+  }
   get didPlcUrl() {
     return this.cfg.didPlcUrl;
   }
@@ -186585,7 +186646,7 @@ var BskyAppView = class {
     });
     const authVerifier = new AuthVerifier2(dataplane, {
       ownDid: config2.serverDid,
-      adminDid: config2.modServiceDid,
+      modServiceDid: config2.modServiceDid,
       adminPasses: config2.adminPasswords
     });
     const ctx = new context_default({