npm - @atproto/pds - Versions diffs - 0.4.103 → 0.4.105 - Mend

@atproto/pds 0.4.103 → 0.4.105

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/src/api/com/atproto/server/getSession.ts CHANGED Viewed

@@ -1,10 +1,10 @@
 import { INVALID_HANDLE } from '@atproto/syntax'
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { formatAccountStatus } from '../../../../account-manager'
+import { formatAccountStatus } from '../../../../account-manager/account-manager'
 import { AuthScope } from '../../../../auth-verifier'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
-import { authPassthru, resultPassthru } from '../../../proxy'
+import { resultPassthru } from '../../../proxy'
 import { didDocForSession } from './util'
 export default function (server: Server, ctx: AppContext) {
@@ -17,7 +17,7 @@ export default function (server: Server, ctx: AppContext) {
         return resultPassthru(
           await ctx.entrywayAgent.com.atproto.server.getSession(
             undefined,
-            authPassthru(req),
+            ctx.entrywayPassthruHeaders(req),
           ),
         )
       }

package/src/api/com/atproto/server/listAppPasswords.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import assert from 'node:assert'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
@@ -7,15 +6,14 @@ import { resultPassthru } from '../../../proxy'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.listAppPasswords({
     auth: ctx.authVerifier.accessStandard(),
-    handler: async ({ auth }) => {
+    handler: async ({ auth, req }) => {
       if (ctx.entrywayAgent) {
-        assert(ctx.cfg.entryway)
         return resultPassthru(
           await ctx.entrywayAgent.com.atproto.server.listAppPasswords(
             undefined,
-            await ctx.serviceAuthHeaders(
+            await ctx.entrywayAuthHeaders(
+              req,
               auth.credentials.did,
-              ctx.cfg.entryway.did,
               ids.ComAtprotoServerListAppPasswords,
             ),
           ),

package/src/api/com/atproto/server/refreshSession.ts CHANGED Viewed

@@ -1,10 +1,10 @@
 import { INVALID_HANDLE } from '@atproto/syntax'
 import { AuthRequiredError, InvalidRequestError } from '@atproto/xrpc-server'
-import { formatAccountStatus } from '../../../../account-manager'
+import { formatAccountStatus } from '../../../../account-manager/account-manager'
 import { AppContext } from '../../../../context'
 import { softDeleted } from '../../../../db/util'
 import { Server } from '../../../../lexicon'
-import { authPassthru, resultPassthru } from '../../../proxy'
+import { resultPassthru } from '../../../proxy'
 import { didDocForSession } from './util'
 export default function (server: Server, ctx: AppContext) {
@@ -32,7 +32,7 @@ export default function (server: Server, ctx: AppContext) {
         return resultPassthru(
           await ctx.entrywayAgent.com.atproto.server.refreshSession(
             undefined,
-            authPassthru(req),
+            ctx.entrywayPassthruHeaders(req),
           ),
         )
       }

package/src/api/com/atproto/server/requestAccountDelete.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import assert from 'node:assert'
 import { DAY, HOUR } from '@atproto/common'
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { AppContext } from '../../../../context'
@@ -20,7 +19,7 @@ export default function (server: Server, ctx: AppContext) {
       },
     ],
     auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
-    handler: async ({ auth }) => {
+    handler: async ({ auth, req }) => {
       const did = auth.credentials.did
       const account = await ctx.accountManager.getAccount(did, {
         includeDeactivated: true,
@@ -31,12 +30,11 @@ export default function (server: Server, ctx: AppContext) {
       }
       if (ctx.entrywayAgent) {
-        assert(ctx.cfg.entryway)
         await ctx.entrywayAgent.com.atproto.server.requestAccountDelete(
           undefined,
-          await ctx.serviceAuthHeaders(
+          await ctx.entrywayAuthHeaders(
+            req,
             auth.credentials.did,
-            ctx.cfg.entryway.did,
             ids.ComAtprotoServerRequestAccountDelete,
           ),
         )

package/src/api/com/atproto/server/requestEmailConfirmation.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import assert from 'node:assert'
 import { DAY, HOUR } from '@atproto/common'
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { AppContext } from '../../../../context'
@@ -20,7 +19,7 @@ export default function (server: Server, ctx: AppContext) {
       },
     ],
     auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
-    handler: async ({ auth }) => {
+    handler: async ({ auth, req }) => {
       const did = auth.credentials.did
       const account = await ctx.accountManager.getAccount(did, {
         includeDeactivated: true,
@@ -31,12 +30,11 @@ export default function (server: Server, ctx: AppContext) {
       }
       if (ctx.entrywayAgent) {
-        assert(ctx.cfg.entryway)
         await ctx.entrywayAgent.com.atproto.server.requestEmailConfirmation(
           undefined,
-          await ctx.serviceAuthHeaders(
+          await ctx.entrywayAuthHeaders(
+            req,
             auth.credentials.did,
-            ctx.cfg.entryway.did,
             ids.ComAtprotoServerRequestEmailConfirmation,
           ),
         )

package/src/api/com/atproto/server/requestEmailUpdate.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import assert from 'node:assert'
 import { DAY, HOUR } from '@atproto/common'
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { AppContext } from '../../../../context'
@@ -21,7 +20,7 @@ export default function (server: Server, ctx: AppContext) {
       },
     ],
     auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
-    handler: async ({ auth }) => {
+    handler: async ({ auth, req }) => {
       const did = auth.credentials.did
       const account = await ctx.accountManager.getAccount(did, {
         includeDeactivated: true,
@@ -32,13 +31,12 @@ export default function (server: Server, ctx: AppContext) {
       }
       if (ctx.entrywayAgent) {
-        assert(ctx.cfg.entryway)
         return resultPassthru(
           await ctx.entrywayAgent.com.atproto.server.requestEmailUpdate(
             undefined,
-            await ctx.serviceAuthHeaders(
+            await ctx.entrywayAuthHeaders(
+              req,
               auth.credentials.did,
-              ctx.cfg.entryway.did,
               ids.ComAtprotoServerRequestEmailUpdate,
             ),
           ),

package/src/api/com/atproto/server/requestPasswordReset.ts CHANGED Viewed

@@ -2,7 +2,6 @@ import { DAY, HOUR } from '@atproto/common'
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
-import { authPassthru } from '../../../proxy'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.requestPasswordReset({
@@ -28,7 +27,7 @@ export default function (server: Server, ctx: AppContext) {
         if (ctx.entrywayAgent) {
           await ctx.entrywayAgent.com.atproto.server.requestPasswordReset(
             input.body,
-            authPassthru(req, true),
+            ctx.entrywayPassthruHeaders(req),
           )
           return
         }

package/src/api/com/atproto/server/resetPassword.ts CHANGED Viewed

@@ -1,7 +1,6 @@
 import { MINUTE } from '@atproto/common'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
-import { authPassthru } from '../../../proxy'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.resetPassword({
@@ -15,7 +14,7 @@ export default function (server: Server, ctx: AppContext) {
       if (ctx.entrywayAgent) {
         await ctx.entrywayAgent.com.atproto.server.resetPassword(
           input.body,
-          authPassthru(req, true),
+          ctx.entrywayPassthruHeaders(req),
         )
         return
       }

package/src/api/com/atproto/server/revokeAppPassword.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import assert from 'node:assert'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
@@ -6,14 +5,13 @@ import { ids } from '../../../../lexicon/lexicons'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.revokeAppPassword({
     auth: ctx.authVerifier.accessStandard(),
-    handler: async ({ auth, input }) => {
+    handler: async ({ auth, input, req }) => {
       if (ctx.entrywayAgent) {
-        assert(ctx.cfg.entryway)
         await ctx.entrywayAgent.com.atproto.server.revokeAppPassword(
           input.body,
-          await ctx.serviceAuthHeaders(
+          await ctx.entrywayAuthHeaders(
+            req,
             auth.credentials.did,
-            ctx.cfg.entryway.did,
             ids.ComAtprotoServerRevokeAppPassword,
           ),
         )

package/src/api/com/atproto/server/updateEmail.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import assert from 'node:assert'
 import { isEmailValid } from '@hapi/address'
 import { isDisposableEmail } from 'disposable-email-domains-js'
 import { InvalidRequestError } from '@atproto/xrpc-server'
@@ -10,7 +9,7 @@ import { ids } from '../../../../lexicon/lexicons'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.updateEmail({
     auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
-    handler: async ({ auth, input }) => {
+    handler: async ({ auth, input, req }) => {
       const did = auth.credentials.did
       const { token, email } = input.body
       if (!isEmailValid(email) || isDisposableEmail(email)) {
@@ -26,12 +25,11 @@ export default function (server: Server, ctx: AppContext) {
       }
       if (ctx.entrywayAgent) {
-        assert(ctx.cfg.entryway)
         await ctx.entrywayAgent.com.atproto.server.updateEmail(
           input.body,
-          await ctx.serviceAuthHeaders(
+          await ctx.entrywayAuthHeaders(
+            req,
             auth.credentials.did,
-            ctx.cfg.entryway.did,
             ids.ComAtprotoServerUpdateEmail,
           ),
         )

package/src/api/com/atproto/sync/getRecord.ts CHANGED Viewed

@@ -1,5 +1,4 @@
 import stream from 'node:stream'
-import { CID } from 'multiformats/cid'
 import { byteIterableToStream } from '@atproto/common'
 import * as repo from '@atproto/repo'
 import { InvalidRequestError } from '@atproto/xrpc-server'
@@ -25,9 +24,7 @@ export default function (server: Server, ctx: AppContext) {
       let carStream: stream.Readable
       try {
         const storage = new SqlRepoReader(actorDb)
-        const commit = params.commit
-          ? CID.parse(params.commit)
-          : await storage.getRoot()
+        const commit = await storage.getRoot()
         if (!commit) {
           throw new InvalidRequestError(`Could not find repo for DID: ${did}`)

package/src/api/com/atproto/sync/getRepoStatus.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { formatAccountStatus } from '../../../../account-manager'
+import { formatAccountStatus } from '../../../../account-manager/account-manager'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { assertRepoAvailability } from './util'

package/src/api/com/atproto/sync/listRepos.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { formatAccountStatus } from '../../../../account-manager'
+import { formatAccountStatus } from '../../../../account-manager/account-manager'
 import { AppContext } from '../../../../context'
 import { Cursor, GenericKeyset, paginate } from '../../../../db/pagination'
 import { Server } from '../../../../lexicon'

package/src/api/com/atproto/sync/subscribeRepos.ts CHANGED Viewed

@@ -45,9 +45,9 @@ export default function (server: Server, ctx: AppContext) {
           time: evt.time,
           ...evt.evt,
         }
-      } else if (evt.type === 'handle') {
+      } else if (evt.type === 'sync') {
         yield {
-          $type: '#handle',
+          $type: '#sync',
           seq: evt.seq,
           time: evt.time,
           ...evt.evt,
@@ -66,13 +66,6 @@ export default function (server: Server, ctx: AppContext) {
           time: evt.time,
           ...evt.evt,
         }
-      } else if (evt.type === 'tombstone') {
-        yield {
-          $type: '#tombstone',
-          seq: evt.seq,
-          time: evt.time,
-          ...evt.evt,
-        }
       }
     }
   })

package/src/api/com/atproto/temp/checkSignupQueue.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { AuthScope } from '../../../../auth-verifier'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
-import { authPassthru, resultPassthru } from '../../../proxy'
+import { resultPassthru } from '../../../proxy'
 // THIS IS A TEMPORARY UNSPECCED ROUTE
 export default function (server: Server, ctx: AppContext) {
@@ -21,7 +21,7 @@ export default function (server: Server, ctx: AppContext) {
       return resultPassthru(
         await ctx.entrywayAgent.com.atproto.temp.checkSignupQueue(
           undefined,
-          authPassthru(req),
+          ctx.entrywayPassthruHeaders(req),
         ),
       )
     },

package/src/api/proxy.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { IncomingMessage } from 'node:http'
+import express from 'express'
 import { Headers } from '@atproto/xrpc'
 import { InvalidRequestError } from '@atproto/xrpc-server'
@@ -10,21 +11,7 @@ export const resultPassthru = <T>(result: { headers: Headers; data: T }) => {
   }
 }
-// Output designed to passed as second arg to AtpAgent methods.
-// The encoding field here is a quirk of the AtpAgent.
-export function authPassthru(
-  req: IncomingMessage,
-  withEncoding?: false,
-): { headers: { authorization: string }; encoding: undefined } | undefined
-export function authPassthru(
-  req: IncomingMessage,
-  withEncoding: true,
-):
-  | { headers: { authorization: string }; encoding: 'application/json' }
-  | undefined
-export function authPassthru(req: IncomingMessage, withEncoding?: boolean) {
+export function authPassthru(req: IncomingMessage) {
   const { authorization } = req.headers
   if (authorization) {
@@ -45,9 +32,22 @@ export function authPassthru(req: IncomingMessage, withEncoding?: boolean) {
       throw new InvalidRequestError('DPoP requests cannot be proxied')
     }
-    return {
-      headers: { authorization },
-      encoding: withEncoding ? 'application/json' : undefined,
-    }
+    return { headers: { authorization } }
   }
 }
+// @NOTE this function may mutate its params input
+// future improvement here would be to forward along all untrusted ips rather than just the first (req.ip)
+export const forwardedFor = (
+  req: express.Request,
+  params: HeadersParam | undefined,
+) => {
+  const result: HeadersParam = params ?? { headers: {} }
+  const ip = req.ip
+  if (ip) {
+    result.headers['x-forwarded-for'] = ip
+  }
+  return result
+}
+type HeadersParam = { headers: Record<string, string> }

package/src/app-view.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { format } from 'node:util'
+import { AtpAgent } from '@atproto/api'
+export type AppViewOptions = {
+  url: string
+  did: string
+  cdnUrlPattern?: string
+}
+export class AppView {
+  public did: string
+  public agent: AtpAgent
+  private cdnUrlPattern?: string
+  constructor(options: AppViewOptions) {
+    this.did = options.did
+    this.agent = new AtpAgent({ service: options.url })
+    this.cdnUrlPattern = options.cdnUrlPattern
+  }
+  getImageUrl(pattern: string, did: string, cid: string): string | undefined {
+    if (this.cdnUrlPattern) return format(this.cdnUrlPattern, pattern, did, cid)
+  }
+}

package/src/auth-routes.ts CHANGED Viewed

@@ -1,8 +1,9 @@
 import { Router } from 'express'
 import { oauthProtectedResourceMetadataSchema } from '@atproto/oauth-provider'
 import { AppContext } from './context'
+import { oauthLogger } from './logger'
-export const createRouter = ({ authProvider, cfg }: AppContext): Router => {
+export const createRouter = ({ oauthProvider, cfg }: AppContext): Router => {
   const router = Router()
   const oauthProtectedResourceMetadata =
@@ -28,8 +29,13 @@ export const createRouter = ({ authProvider, cfg }: AppContext): Router => {
     res.status(200).json(oauthProtectedResourceMetadata)
   })
-  if (authProvider) {
-    router.use(authProvider.createRouter())
+  if (oauthProvider) {
+    const oauthMiddleware = oauthProvider.httpHandler({
+      onError: (req, res, err, message) => {
+        oauthLogger.error({ err, req }, message)
+      },
+    })
+    router.use(oauthMiddleware)
   }
   return router

package/src/auth-verifier.ts CHANGED Viewed

@@ -19,7 +19,7 @@ import {
   parseReqNsid,
   verifyJwt as verifyServiceJwt,
 } from '@atproto/xrpc-server'
-import { AccountManager } from './account-manager'
+import { AccountManager } from './account-manager/account-manager'
 import { softDeleted } from './db'
 type ReqCtx = AuthVerifierContext | StreamAuthVerifierContext

package/src/config/config.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import assert from 'node:assert'
 import path from 'node:path'
 import { DAY, HOUR, SECOND } from '@atproto/common'
-import { Customization } from '@atproto/oauth-provider'
+import { BrandingConfig, HcaptchaConfig } from '@atproto/oauth-provider'
 import { ServerEnvironment } from './env'
 // off-config but still from env:
@@ -261,38 +261,49 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
     : {
         issuer: serviceCfg.publicUrl,
         provider: {
-          customization: {
+          hcaptcha:
+            env.hcaptchaSiteKey &&
+            env.hcaptchaSecretKey &&
+            env.hcaptchaTokenSalt
+              ? {
+                  siteKey: env.hcaptchaSiteKey,
+                  secretKey: env.hcaptchaSecretKey,
+                  tokenSalt: env.hcaptchaTokenSalt,
+                }
+              : undefined,
+          branding: {
             name: env.serviceName ?? 'Personal PDS',
             logo: env.logoUrl,
             colors: {
               brand: env.brandColor,
               error: env.errorColor,
               warning: env.warningColor,
+              success: env.successColor,
             },
             links: [
               {
-                title: 'Home',
+                title: { en: 'Home', fr: 'Accueil' },
                 href: env.homeUrl,
-                rel: 'bookmark',
+                rel: 'canonical' as const, // Prevents login page from being indexed
               },
               {
-                title: 'Terms of Service',
+                title: { en: 'Terms of Service' },
                 href: env.termsOfServiceUrl,
-                rel: 'terms-of-service',
+                rel: 'terms-of-service' as const,
               },
               {
-                title: 'Privacy Policy',
+                title: { en: 'Privacy Policy' },
                 href: env.privacyPolicyUrl,
-                rel: 'privacy-policy',
+                rel: 'privacy-policy' as const,
               },
               {
-                title: 'Support',
+                title: { en: 'Support' },
                 href: env.supportUrl,
-                rel: 'help',
+                rel: 'help' as const,
               },
             ].filter(
-              (f): f is typeof f & { href: NonNullable<(typeof f)['href']> } =>
-                f.href != null,
+              <T extends { href?: string }>(f: T): f is T & { href: string } =>
+                f.href != null && f.href !== '',
             ),
           },
         },
@@ -435,7 +446,8 @@ export type OAuthConfig = {
   provider:
     | false
     | {
-        customization: Customization
+        hcaptcha?: HcaptchaConfig
+        branding: BrandingConfig
       }
 }

package/src/config/env.ts CHANGED Viewed

@@ -18,10 +18,16 @@ export const readEnv = (): ServerEnvironment => {
     blobUploadLimit: envInt('PDS_BLOB_UPLOAD_LIMIT'),
     devMode: envBool('PDS_DEV_MODE'),
+    // OAuth
+    hcaptchaSiteKey: envStr('PDS_HCAPTCHA_SITE_KEY'),
+    hcaptchaSecretKey: envStr('PDS_HCAPTCHA_SECRET_KEY'),
+    hcaptchaTokenSalt: envStr('PDS_HCAPTCHA_TOKEN_SALT'),
     // branding
     brandColor: envStr('PDS_PRIMARY_COLOR'),
     errorColor: envStr('PDS_ERROR_COLOR'),
     warningColor: envStr('PDS_WARNING_COLOR'),
+    successColor: envStr('PDS_SUCCESS_COLOR'),
     // database
     dataDirectory: envStr('PDS_DATA_DIRECTORY'),
@@ -150,10 +156,16 @@ export type ServerEnvironment = {
   blobUploadLimit?: number
   devMode?: boolean
+  // OAuth
+  hcaptchaSiteKey?: string
+  hcaptchaSecretKey?: string
+  hcaptchaTokenSalt?: string
   // branding
   brandColor?: string
   errorColor?: string
   warningColor?: string
+  successColor?: string
   // database
   dataDirectory?: string