@atproto/pds 0.4.103 → 0.4.105

package/src/account-manager/{index.ts → account-manager.ts}

@@ -1,67 +1,43 @@
 import { KeyObject } from 'node:crypto'
-import { Selectable } from 'kysely'
 import { CID } from 'multiformats/cid'
 import { HOUR, wait } from '@atproto/common'
-import {
-  Account,
-  AccountInfo,
-  AccountStore,
-  Code,
-  DeviceData,
-  DeviceId,
-  DeviceStore,
-  FoundRequestResult,
-  NewTokenData,
-  RefreshToken,
-  RequestData,
-  RequestId,
-  RequestStore,
-  SignInCredentials,
-  TokenData,
-  TokenId,
-  TokenInfo,
-  TokenStore,
-  UpdateRequestData,
-} from '@atproto/oauth-provider'
-import { AuthRequiredError } from '@atproto/xrpc-server'
-import { ActorStore } from '../actor-store/actor-store'
+import { IdResolver } from '@atproto/identity'
+import { isValidTld } from '@atproto/syntax'
+import { AuthRequiredError, InvalidRequestError } from '@atproto/xrpc-server'
 import { AuthScope } from '../auth-verifier'
-import { BackgroundQueue } from '../background'
+import { DatabaseConfig } from '../config'
 import { softDeleted } from '../db'
-import { ImageUrlBuilder } from '../image/image-url-builder'
+import { hasExplicitSlur } from '../handle/explicit-slurs'
+import {
+  baseNormalizeAndValidate,
+  ensureHandleServiceConstraints,
+  isServiceDomain,
+} from '../handle/index'
 import { StatusAttr } from '../lexicon/types/com/atproto/admin/defs'
 import { AccountDb, EmailTokenPurpose, getDb, getMigrator } from './db'
 import * as account from './helpers/account'
 import { AccountStatus, ActorAccount } from './helpers/account'
 import * as auth from './helpers/auth'
-import * as authRequest from './helpers/authorization-request'
-import * as device from './helpers/device'
-import * as deviceAccount from './helpers/device-account'
 import * as emailToken from './helpers/email-token'
 import * as invite from './helpers/invite'
 import * as password from './helpers/password'
 import * as repo from './helpers/repo'
 import * as scrypt from './helpers/scrypt'
 import * as token from './helpers/token'
-import * as usedRefreshToken from './helpers/used-refresh-token'
 
 export { AccountStatus, formatAccountStatus } from './helpers/account'
 
-export class AccountManager
-  implements AccountStore, RequestStore, DeviceStore, TokenStore
-{
-  db: AccountDb
+export class AccountManager {
+  readonly db: AccountDb
 
   constructor(
-    private actorStore: ActorStore,
-    private imageUrlBuilder: ImageUrlBuilder,
-    private backgroundQueue: BackgroundQueue,
-    dbLocation: string,
-    private jwtKey: KeyObject,
-    private serviceDid: string,
-    disableWalAutoCheckpoint = false,
+    readonly idResolver: IdResolver,
+    readonly jwtKey: KeyObject,
+    readonly serviceDid: string,
+    readonly serviceHandleDomains: string[],
+    db: DatabaseConfig,
   ) {
-    this.db = getDb(dbLocation, disableWalAutoCheckpoint)
+    this.db = getDb(db.accountDbLoc, db.disableWalAutoCheckpoint)
   }
 
   async migrateOrThrow() {
@@ -121,7 +97,67 @@ export class AccountManager
     return res.active ? AccountStatus.Active : res.status
   }
 
-  async createAccount(opts: {
+  async normalizeAndValidateHandle(
+    handle: string,
+    {
+      did,
+      allowAnyValid,
+    }: {
+      did?: string
+      allowAnyValid?: boolean
+    } = {},
+  ): Promise<string> {
+    const normalized = baseNormalizeAndValidate(handle)
+
+    // tld validation
+    if (!isValidTld(normalized)) {
+      throw new InvalidRequestError(
+        'Handle TLD is invalid or disallowed',
+        'InvalidHandle',
+      )
+    }
+    // slur check
+    if (!allowAnyValid && hasExplicitSlur(normalized)) {
+      throw new InvalidRequestError(
+        'Inappropriate language in handle',
+        'InvalidHandle',
+      )
+    }
+    if (isServiceDomain(normalized, this.serviceHandleDomains)) {
+      // verify constraints on a service domain
+      ensureHandleServiceConstraints(
+        normalized,
+        this.serviceHandleDomains,
+        allowAnyValid,
+      )
+    } else {
+      if (did == null) {
+        throw new InvalidRequestError(
+          'Not a supported handle domain',
+          'UnsupportedDomain',
+        )
+      }
+      // verify resolution of a non-service domain
+      const resolvedDid = await this.idResolver.handle.resolve(normalized)
+      if (resolvedDid !== did) {
+        throw new InvalidRequestError('External handle did not resolve to DID')
+      }
+    }
+
+    return normalized
+  }
+
+  async createAccount({
+    did,
+    handle,
+    email,
+    password,
+    repoCid,
+    repoRev,
+    inviteCode,
+    deactivated,
+    refreshJwt,
+  }: {
     did: string
     handle: string
     email?: string
@@ -130,28 +166,12 @@ export class AccountManager
     repoRev: string
     inviteCode?: string
     deactivated?: boolean
+    refreshJwt?: string
   }) {
-    const {
-      did,
-      handle,
-      email,
-      password,
-      repoCid,
-      repoRev,
-      inviteCode,
-      deactivated,
-    } = opts
     const passwordScrypt = password
       ? await scrypt.genSaltAndHash(password)
       : undefined
 
-    const { accessJwt, refreshJwt } = await auth.createTokens({
-      did,
-      jwtKey: this.jwtKey,
-      serviceDid: this.serviceDid,
-      scope: AuthScope.Access,
-    })
-    const refreshPayload = auth.decodeRefreshToken(refreshJwt)
     const now = new Date().toISOString()
     await this.db.transaction(async (dbTxn) => {
       if (inviteCode) {
@@ -167,10 +187,36 @@ export class AccountManager
           inviteCode,
           now,
         }),
-        auth.storeRefreshToken(dbTxn, refreshPayload, null),
+        refreshJwt &&
+          auth.storeRefreshToken(
+            dbTxn,
+            auth.decodeRefreshToken(refreshJwt),
+            null,
+          ),
         repo.updateRoot(dbTxn, did, repoCid, repoRev),
       ])
     })
+  }
+
+  async createAccountAndSession(opts: {
+    did: string
+    handle: string
+    email?: string
+    password?: string
+    repoCid: CID
+    repoRev: string
+    inviteCode?: string
+    deactivated?: boolean
+  }) {
+    const { accessJwt, refreshJwt } = await auth.createTokens({
+      did: opts.did,
+      jwtKey: this.jwtKey,
+      serviceDid: this.serviceDid,
+      scope: AuthScope.Access,
+    })
+
+    await this.createAccount({ ...opts, refreshJwt })
+
     return { accessJwt, refreshJwt }
   }
 
@@ -502,250 +548,4 @@ export class AccountManager
       ]),
     )
   }
-
-  // AccountStore
-
-  private async buildAccount(row: Selectable<ActorAccount>): Promise<Account> {
-    const account = deviceAccount.toAccount(row, this.serviceDid)
-
-    if (!account.name || !account.picture) {
-      const did = account.sub
-
-      const profile = await this.actorStore.read(did, async (store) => {
-        return store.record.getProfileRecord()
-      })
-
-      if (profile) {
-        const { avatar, displayName } = profile
-
-        account.name ||= displayName
-        account.picture ||= avatar
-          ? this.imageUrlBuilder.build('avatar', did, avatar.ref.toString())
-          : undefined
-      }
-    }
-
-    return account
-  }
-
-  async authenticateAccount(
-    { username: identifier, password, remember = false }: SignInCredentials,
-    deviceId: DeviceId,
-  ): Promise<AccountInfo | null> {
-    try {
-      const { user, appPassword } = await this.login({ identifier, password })
-
-      if (appPassword) {
-        throw new AuthRequiredError('App passwords are not allowed')
-      }
-
-      await this.db.executeWithRetry(
-        deviceAccount.createOrUpdateQB(this.db, deviceId, user.did, remember),
-      )
-
-      return await this.getDeviceAccount(deviceId, user.did)
-    } catch (err) {
-      if (err instanceof AuthRequiredError) return null
-      throw err
-    }
-  }
-
-  async addAuthorizedClient(
-    deviceId: DeviceId,
-    sub: string,
-    clientId: string,
-  ): Promise<void> {
-    await this.db.transaction(async (dbTxn) => {
-      const row = await deviceAccount
-        .readQB(dbTxn, deviceId, sub)
-        .executeTakeFirstOrThrow()
-
-      const { authorizedClients } = deviceAccount.toDeviceAccountInfo(row)
-      if (!authorizedClients.includes(clientId)) {
-        await deviceAccount
-          .updateQB(dbTxn, deviceId, sub, {
-            authorizedClients: [...authorizedClients, clientId],
-          })
-          .execute()
-      }
-    })
-  }
-
-  async getDeviceAccount(
-    deviceId: DeviceId,
-    sub: string,
-  ): Promise<AccountInfo | null> {
-    const row = await deviceAccount
-      .getAccountInfoQB(this.db, deviceId, sub)
-      .executeTakeFirst()
-
-    if (!row) return null
-
-    return {
-      account: await this.buildAccount(row),
-      info: deviceAccount.toDeviceAccountInfo(row),
-    }
-  }
-
-  async listDeviceAccounts(deviceId: DeviceId): Promise<AccountInfo[]> {
-    const rows = await deviceAccount
-      .listRememberedQB(this.db, deviceId)
-      .execute()
-
-    return Promise.all(
-      rows.map(async (row) => ({
-        account: await this.buildAccount(row),
-        info: deviceAccount.toDeviceAccountInfo(row),
-      })),
-    )
-  }
-
-  async removeDeviceAccount(deviceId: DeviceId, sub: string): Promise<void> {
-    await this.db.executeWithRetry(
-      deviceAccount.removeQB(this.db, deviceId, sub),
-    )
-  }
-
-  // RequestStore
-
-  async createRequest(id: RequestId, data: RequestData): Promise<void> {
-    await this.db.executeWithRetry(authRequest.createQB(this.db, id, data))
-  }
-
-  async readRequest(id: RequestId): Promise<RequestData | null> {
-    try {
-      const row = await authRequest.readQB(this.db, id).executeTakeFirst()
-      if (!row) return null
-      return authRequest.rowToRequestData(row)
-    } finally {
-      // Take the opportunity to clean up expired requests. Do this after we got
-      // the current (potentially expired) request data to allow the provider to
-      // handle expired requests.
-      this.backgroundQueue.add(async () => {
-        await this.db.executeWithRetry(authRequest.removeOldExpiredQB(this.db))
-      })
-    }
-  }
-
-  async updateRequest(id: RequestId, data: UpdateRequestData): Promise<void> {
-    await this.db.executeWithRetry(authRequest.updateQB(this.db, id, data))
-  }
-
-  async deleteRequest(id: RequestId): Promise<void> {
-    await this.db.executeWithRetry(authRequest.removeByIdQB(this.db, id))
-  }
-
-  async findRequestByCode(code: Code): Promise<FoundRequestResult | null> {
-    const row = await authRequest.findByCodeQB(this.db, code).executeTakeFirst()
-    return row ? authRequest.rowToFoundRequestResult(row) : null
-  }
-
-  // DeviceStore
-
-  async createDevice(deviceId: DeviceId, data: DeviceData): Promise<void> {
-    await this.db.executeWithRetry(device.createQB(this.db, deviceId, data))
-  }
-
-  async readDevice(deviceId: DeviceId): Promise<null | DeviceData> {
-    const row = await device.readQB(this.db, deviceId).executeTakeFirst()
-    return row ? device.rowToDeviceData(row) : null
-  }
-
-  async updateDevice(
-    deviceId: DeviceId,
-    data: Partial<DeviceData>,
-  ): Promise<void> {
-    await this.db.executeWithRetry(device.updateQB(this.db, deviceId, data))
-  }
-
-  async deleteDevice(deviceId: DeviceId): Promise<void> {
-    // Will cascade to device_account (device_account_device_id_fk)
-    await this.db.executeWithRetry(device.removeQB(this.db, deviceId))
-  }
-
-  // TokenStore
-
-  async createToken(
-    id: TokenId,
-    data: TokenData,
-    refreshToken?: RefreshToken,
-  ): Promise<void> {
-    await this.db.transaction(async (dbTxn) => {
-      if (refreshToken) {
-        const { count } = await usedRefreshToken
-          .countQB(dbTxn, refreshToken)
-          .executeTakeFirstOrThrow()
-
-        if (count > 0) {
-          throw new Error('Refresh token already in use')
-        }
-      }
-
-      return token.createQB(dbTxn, id, data, refreshToken).execute()
-    })
-  }
-
-  async readToken(tokenId: TokenId): Promise<TokenInfo | null> {
-    const row = await token.findByQB(this.db, { tokenId }).executeTakeFirst()
-    return row ? token.toTokenInfo(row, this.serviceDid) : null
-  }
-
-  async deleteToken(tokenId: TokenId): Promise<void> {
-    // Will cascade to used_refresh_token (used_refresh_token_fk)
-    await this.db.executeWithRetry(token.removeQB(this.db, tokenId))
-  }
-
-  async rotateToken(
-    tokenId: TokenId,
-    newTokenId: TokenId,
-    newRefreshToken: RefreshToken,
-    newData: NewTokenData,
-  ): Promise<void> {
-    const err = await this.db.transaction(async (dbTxn) => {
-      const { id, currentRefreshToken } = await token
-        .forRotateQB(dbTxn, tokenId)
-        .executeTakeFirstOrThrow()
-
-      if (currentRefreshToken) {
-        await usedRefreshToken
-          .insertQB(dbTxn, id, currentRefreshToken)
-          .execute()
-      }
-
-      const { count } = await usedRefreshToken
-        .countQB(dbTxn, newRefreshToken)
-        .executeTakeFirstOrThrow()
-
-      if (count > 0) {
-        // Do NOT throw (we don't want the transaction to be rolled back)
-        return new Error('New refresh token already in use')
-      }
-
-      await token
-        .rotateQB(dbTxn, id, newTokenId, newRefreshToken, newData)
-        .execute()
-    })
-
-    if (err) throw err
-  }
-
-  async findTokenByRefreshToken(
-    refreshToken: RefreshToken,
-  ): Promise<TokenInfo | null> {
-    const used = await usedRefreshToken
-      .findByTokenQB(this.db, refreshToken)
-      .executeTakeFirst()
-
-    const search = used
-      ? { id: used.tokenId }
-      : { currentRefreshToken: refreshToken }
-
-    const row = await token.findByQB(this.db, search).executeTakeFirst()
-    return row ? token.toTokenInfo(row, this.serviceDid) : null
-  }
-
-  async findTokenByCode(code: Code): Promise<TokenInfo | null> {
-    const row = await token.findByQB(this.db, { code }).executeTakeFirst()
-    return row ? token.toTokenInfo(row, this.serviceDid) : null
-  }
 }

package/src/account-manager/helpers/device-account.ts

@@ -114,6 +114,7 @@ export const createOrUpdateQB = (
     .insertInto('device_account')
     .values({ did, deviceId, authorizedClients, ...values })
     .onConflict((oc) => oc.columns(['deviceId', 'did']).doUpdateSet(values))
+    .returning(['remember', 'authorizedClients', 'authenticatedAt'])
 }
 
 export const getAccountInfoQB = (