@atproto/pds 0.4.0-beta.3 → 0.4.0-beta.4

package/dist/lexicon/index.d.ts

@@ -20,6 +20,7 @@ import * as ComAtprotoAdminSearchRepos from './types/com/atproto/admin/searchRep
 import * as ComAtprotoAdminSendEmail from './types/com/atproto/admin/sendEmail';
 import * as ComAtprotoAdminUpdateAccountEmail from './types/com/atproto/admin/updateAccountEmail';
 import * as ComAtprotoAdminUpdateAccountHandle from './types/com/atproto/admin/updateAccountHandle';
+import * as ComAtprotoAdminUpdateAccountPassword from './types/com/atproto/admin/updateAccountPassword';
 import * as ComAtprotoAdminUpdateCommunicationTemplate from './types/com/atproto/admin/updateCommunicationTemplate';
 import * as ComAtprotoAdminUpdateSubjectStatus from './types/com/atproto/admin/updateSubjectStatus';
 import * as ComAtprotoIdentityGetRecommendedDidCredentials from './types/com/atproto/identity/getRecommendedDidCredentials';
@@ -192,6 +193,7 @@ export declare class ComAtprotoAdminNS {
     sendEmail<AV extends AuthVerifier>(cfg: ConfigOf<AV, ComAtprotoAdminSendEmail.Handler<ExtractAuth<AV>>, ComAtprotoAdminSendEmail.HandlerReqCtx<ExtractAuth<AV>>>): void;
     updateAccountEmail<AV extends AuthVerifier>(cfg: ConfigOf<AV, ComAtprotoAdminUpdateAccountEmail.Handler<ExtractAuth<AV>>, ComAtprotoAdminUpdateAccountEmail.HandlerReqCtx<ExtractAuth<AV>>>): void;
     updateAccountHandle<AV extends AuthVerifier>(cfg: ConfigOf<AV, ComAtprotoAdminUpdateAccountHandle.Handler<ExtractAuth<AV>>, ComAtprotoAdminUpdateAccountHandle.HandlerReqCtx<ExtractAuth<AV>>>): void;
+    updateAccountPassword<AV extends AuthVerifier>(cfg: ConfigOf<AV, ComAtprotoAdminUpdateAccountPassword.Handler<ExtractAuth<AV>>, ComAtprotoAdminUpdateAccountPassword.HandlerReqCtx<ExtractAuth<AV>>>): void;
     updateCommunicationTemplate<AV extends AuthVerifier>(cfg: ConfigOf<AV, ComAtprotoAdminUpdateCommunicationTemplate.Handler<ExtractAuth<AV>>, ComAtprotoAdminUpdateCommunicationTemplate.HandlerReqCtx<ExtractAuth<AV>>>): void;
     updateSubjectStatus<AV extends AuthVerifier>(cfg: ConfigOf<AV, ComAtprotoAdminUpdateSubjectStatus.Handler<ExtractAuth<AV>>, ComAtprotoAdminUpdateSubjectStatus.HandlerReqCtx<ExtractAuth<AV>>>): void;
 }

package/dist/lexicon/lexicons.d.ts

@@ -1695,6 +1695,32 @@ export declare const schemaDict: {
             };
         };
     };
+    ComAtprotoAdminUpdateAccountPassword: {
+        lexicon: number;
+        id: string;
+        defs: {
+            main: {
+                type: string;
+                description: string;
+                input: {
+                    encoding: string;
+                    schema: {
+                        type: string;
+                        required: string[];
+                        properties: {
+                            did: {
+                                type: string;
+                                format: string;
+                            };
+                            password: {
+                                type: string;
+                            };
+                        };
+                    };
+                };
+            };
+        };
+    };
     ComAtprotoAdminUpdateCommunicationTemplate: {
         lexicon: number;
         id: string;
@@ -8205,6 +8231,7 @@ export declare const ids: {
     ComAtprotoAdminSendEmail: string;
     ComAtprotoAdminUpdateAccountEmail: string;
     ComAtprotoAdminUpdateAccountHandle: string;
+    ComAtprotoAdminUpdateAccountPassword: string;
     ComAtprotoAdminUpdateCommunicationTemplate: string;
     ComAtprotoAdminUpdateSubjectStatus: string;
     ComAtprotoIdentityGetRecommendedDidCredentials: string;

package/dist/lexicon/types/com/atproto/admin/updateAccountPassword.d.ts

@@ -0,0 +1,26 @@
+import express from 'express';
+import { HandlerAuth } from '@atproto/xrpc-server';
+export interface QueryParams {
+}
+export interface InputSchema {
+    did: string;
+    password: string;
+    [k: string]: unknown;
+}
+export interface HandlerInput {
+    encoding: 'application/json';
+    body: InputSchema;
+}
+export interface HandlerError {
+    status: number;
+    message?: string;
+}
+export type HandlerOutput = HandlerError | void;
+export type HandlerReqCtx<HA extends HandlerAuth = never> = {
+    auth: HA;
+    params: QueryParams;
+    input: HandlerInput;
+    req: express.Request;
+    res: express.Response;
+};
+export type Handler<HA extends HandlerAuth = never> = (ctx: HandlerReqCtx<HA>) => Promise<HandlerOutput> | HandlerOutput;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/pds",
-  "version": "0.4.0-beta.3",
+  "version": "0.4.0-beta.4",
   "license": "MIT",
   "description": "Reference implementation of atproto Personal Data Server (PDS)",
   "keywords": [
@@ -44,16 +44,16 @@
     "typed-emitter": "^2.1.0",
     "uint8arrays": "3.0.0",
     "zod": "^3.21.4",
-    "@atproto/api": "^0.10.0",
     "@atproto/aws": "^0.1.7",
     "@atproto/common": "^0.3.3",
+    "@atproto/api": "^0.10.0",
     "@atproto/crypto": "^0.3.0",
+    "@atproto/identity": "^0.3.2",
     "@atproto/lexicon": "^0.3.1",
     "@atproto/repo": "^0.3.7",
     "@atproto/syntax": "^0.1.5",
     "@atproto/xrpc": "^0.4.1",
-    "@atproto/xrpc-server": "^0.4.2",
-    "@atproto/identity": "^0.3.2"
+    "@atproto/xrpc-server": "^0.4.2"
   },
   "devDependencies": {
     "@atproto/pds-entryway": "npm:@atproto/pds@0.3.0-entryway.3",
@@ -70,8 +70,8 @@
     "ws": "^8.12.0",
     "@atproto/api": "^0.10.0",
     "@atproto/bsky": "^0.0.32",
-    "@atproto/lex-cli": "^0.3.0",
-    "@atproto/dev-env": "^0.2.32"
+    "@atproto/dev-env": "^0.2.32",
+    "@atproto/lex-cli": "^0.3.0"
   },
   "scripts": {
     "codegen": "lex gen-server ./src/lexicon ../../lexicons/com/atproto/*/* ../../lexicons/app/bsky/*/*",

package/src/account-manager/index.ts

@@ -370,6 +370,11 @@ export class AccountManager {
       'reset_password',
       opts.token,
     )
+    await this.updateAccountPassword({ did, password: opts.password })
+  }
+
+  async updateAccountPassword(opts: { did: string; password: string }) {
+    const { did } = opts
     const passwordScrypt = await scrypt.genSaltAndHash(opts.password)
     await this.db.transaction(async (dbTxn) =>
       Promise.all([

package/src/api/com/atproto/admin/index.ts

@@ -15,6 +15,7 @@ import disableInviteCodes from './disableInviteCodes'
 import getInviteCodes from './getInviteCodes'
 import updateAccountHandle from './updateAccountHandle'
 import updateAccountEmail from './updateAccountEmail'
+import updateAccountPassword from './updateAccountPassword'
 import sendEmail from './sendEmail'
 import deleteAccount from './deleteAccount'
 import queryModerationStatuses from './queryModerationStatuses'
@@ -40,6 +41,7 @@ export default function (server: Server, ctx: AppContext) {
   getInviteCodes(server, ctx)
   updateAccountHandle(server, ctx)
   updateAccountEmail(server, ctx)
+  updateAccountPassword(server, ctx)
   sendEmail(server, ctx)
   deleteAccount(server, ctx)
   listCommunicationTemplates(server, ctx)

package/src/api/com/atproto/admin/updateAccountPassword.ts

@@ -0,0 +1,28 @@
+import { AuthRequiredError } from '@atproto/xrpc-server'
+import { Server } from '../../../../lexicon'
+import AppContext from '../../../../context'
+import { authPassthru } from '../../../proxy'
+
+export default function (server: Server, ctx: AppContext) {
+  server.com.atproto.admin.updateAccountPassword({
+    auth: ctx.authVerifier.role,
+    handler: async ({ input, auth, req }) => {
+      if (!auth.credentials.admin) {
+        throw new AuthRequiredError(
+          'Must be an admin to update an account password',
+        )
+      }
+
+      if (ctx.entrywayAgent) {
+        await ctx.entrywayAgent.com.atproto.admin.updateAccountPassword(
+          input.body,
+          authPassthru(req, true),
+        )
+        return
+      }
+
+      const { did, password } = input.body
+      await ctx.accountManager.updateAccountPassword({ did, password })
+    },
+  })
+}

package/src/lexicon/index.ts

@@ -30,6 +30,7 @@ import * as ComAtprotoAdminSearchRepos from './types/com/atproto/admin/searchRep
 import * as ComAtprotoAdminSendEmail from './types/com/atproto/admin/sendEmail'
 import * as ComAtprotoAdminUpdateAccountEmail from './types/com/atproto/admin/updateAccountEmail'
 import * as ComAtprotoAdminUpdateAccountHandle from './types/com/atproto/admin/updateAccountHandle'
+import * as ComAtprotoAdminUpdateAccountPassword from './types/com/atproto/admin/updateAccountPassword'
 import * as ComAtprotoAdminUpdateCommunicationTemplate from './types/com/atproto/admin/updateCommunicationTemplate'
 import * as ComAtprotoAdminUpdateSubjectStatus from './types/com/atproto/admin/updateSubjectStatus'
 import * as ComAtprotoIdentityGetRecommendedDidCredentials from './types/com/atproto/identity/getRecommendedDidCredentials'
@@ -444,6 +445,17 @@ export class ComAtprotoAdminNS {
     return this._server.xrpc.method(nsid, cfg)
   }
 
+  updateAccountPassword<AV extends AuthVerifier>(
+    cfg: ConfigOf<
+      AV,
+      ComAtprotoAdminUpdateAccountPassword.Handler<ExtractAuth<AV>>,
+      ComAtprotoAdminUpdateAccountPassword.HandlerReqCtx<ExtractAuth<AV>>
+    >,
+  ) {
+    const nsid = 'com.atproto.admin.updateAccountPassword' // @ts-ignore
+    return this._server.xrpc.method(nsid, cfg)
+  }
+
   updateCommunicationTemplate<AV extends AuthVerifier>(
     cfg: ConfigOf<
       AV,

package/src/lexicon/lexicons.ts

@@ -1863,6 +1863,33 @@ export const schemaDict = {
       },
     },
   },
+  ComAtprotoAdminUpdateAccountPassword: {
+    lexicon: 1,
+    id: 'com.atproto.admin.updateAccountPassword',
+    defs: {
+      main: {
+        type: 'procedure',
+        description:
+          'Update the password for a user account as an administrator.',
+        input: {
+          encoding: 'application/json',
+          schema: {
+            type: 'object',
+            required: ['did', 'password'],
+            properties: {
+              did: {
+                type: 'string',
+                format: 'did',
+              },
+              password: {
+                type: 'string',
+              },
+            },
+          },
+        },
+      },
+    },
+  },
   ComAtprotoAdminUpdateCommunicationTemplate: {
     lexicon: 1,
     id: 'com.atproto.admin.updateCommunicationTemplate',
@@ -8860,6 +8887,8 @@ export const ids = {
   ComAtprotoAdminSendEmail: 'com.atproto.admin.sendEmail',
   ComAtprotoAdminUpdateAccountEmail: 'com.atproto.admin.updateAccountEmail',
   ComAtprotoAdminUpdateAccountHandle: 'com.atproto.admin.updateAccountHandle',
+  ComAtprotoAdminUpdateAccountPassword:
+    'com.atproto.admin.updateAccountPassword',
   ComAtprotoAdminUpdateCommunicationTemplate:
     'com.atproto.admin.updateCommunicationTemplate',
   ComAtprotoAdminUpdateSubjectStatus: 'com.atproto.admin.updateSubjectStatus',

package/src/lexicon/types/com/atproto/admin/updateAccountPassword.ts

@@ -0,0 +1,39 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import express from 'express'
+import { ValidationResult, BlobRef } from '@atproto/lexicon'
+import { lexicons } from '../../../../lexicons'
+import { isObj, hasProp } from '../../../../util'
+import { CID } from 'multiformats/cid'
+import { HandlerAuth, HandlerPipeThrough } from '@atproto/xrpc-server'
+
+export interface QueryParams {}
+
+export interface InputSchema {
+  did: string
+  password: string
+  [k: string]: unknown
+}
+
+export interface HandlerInput {
+  encoding: 'application/json'
+  body: InputSchema
+}
+
+export interface HandlerError {
+  status: number
+  message?: string
+}
+
+export type HandlerOutput = HandlerError | void
+export type HandlerReqCtx<HA extends HandlerAuth = never> = {
+  auth: HA
+  params: QueryParams
+  input: HandlerInput
+  req: express.Request
+  res: express.Response
+}
+export type Handler<HA extends HandlerAuth = never> = (
+  ctx: HandlerReqCtx<HA>,
+) => Promise<HandlerOutput> | HandlerOutput

package/tests/account.test.ts

@@ -559,4 +559,46 @@ describe('account', () => {
       }),
     ).resolves.toBeDefined()
   })
+
+  it('allows an admin to update password', async () => {
+    const tryUnauthed = agent.api.com.atproto.admin.updateAccountPassword({
+      did,
+      password: 'new-admin-pass',
+    })
+    await expect(tryUnauthed).rejects.toThrow('Authentication Required')
+
+    const tryAsModerator = agent.api.com.atproto.admin.updateAccountPassword(
+      { did, password: 'new-admin-pass' },
+      {
+        headers: network.pds.adminAuthHeaders('moderator'),
+        encoding: 'application/json',
+      },
+    )
+    await expect(tryAsModerator).rejects.toThrow(
+      'Must be an admin to update an account password',
+    )
+
+    await agent.api.com.atproto.admin.updateAccountPassword(
+      { did, password: 'new-admin-password' },
+      {
+        headers: network.pds.adminAuthHeaders('admin'),
+        encoding: 'application/json',
+      },
+    )
+
+    // old password fails
+    await expect(
+      agent.api.com.atproto.server.createSession({
+        identifier: did,
+        password,
+      }),
+    ).rejects.toThrow('Invalid identifier or password')
+
+    await expect(
+      agent.api.com.atproto.server.createSession({
+        identifier: did,
+        password: 'new-admin-password',
+      }),
+    ).resolves.toBeDefined()
+  })
 })