npm - @atproto/pds - Versions diffs - 0.4.104 → 0.4.106 - Mend

@atproto/pds 0.4.104 → 0.4.106

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (209) hide show

package/CHANGELOG.md +34 -0
package/dist/account-manager/{index.d.ts → account-manager.d.ts} +26 -35
package/dist/account-manager/account-manager.d.ts.map +1 -0
package/dist/account-manager/{index.js → account-manager.js} +52 -207
package/dist/account-manager/account-manager.js.map +1 -0
package/dist/account-manager/helpers/account.d.ts +3 -3
package/dist/account-manager/helpers/device-account.d.ts +15 -15
package/dist/account-manager/helpers/device-account.d.ts.map +1 -1
package/dist/account-manager/helpers/device-account.js +2 -1
package/dist/account-manager/helpers/device-account.js.map +1 -1
package/dist/account-manager/helpers/token.d.ts +98 -98
package/dist/account-manager/oauth-store.d.ts +58 -0
package/dist/account-manager/oauth-store.d.ts.map +1 -0
package/dist/account-manager/oauth-store.js +417 -0
package/dist/account-manager/oauth-store.js.map +1 -0
package/dist/actor-store/record/reader.d.ts +3 -3
package/dist/actor-store/repo/reader.d.ts +2 -0
package/dist/actor-store/repo/reader.d.ts.map +1 -1
package/dist/actor-store/repo/reader.js +9 -0
package/dist/actor-store/repo/reader.js.map +1 -1
package/dist/actor-store/repo/sql-repo-reader.d.ts +1 -1
package/dist/actor-store/repo/transactor.d.ts.map +1 -1
package/dist/actor-store/repo/transactor.js +13 -4
package/dist/actor-store/repo/transactor.js.map +1 -1
package/dist/api/com/atproto/admin/deleteAccount.d.ts.map +1 -1
package/dist/api/com/atproto/admin/deleteAccount.js +2 -3
package/dist/api/com/atproto/admin/deleteAccount.js.map +1 -1
package/dist/api/com/atproto/admin/updateAccountHandle.d.ts.map +1 -1
package/dist/api/com/atproto/admin/updateAccountHandle.js +2 -6
package/dist/api/com/atproto/admin/updateAccountHandle.js.map +1 -1
package/dist/api/com/atproto/identity/resolveHandle.d.ts.map +1 -1
package/dist/api/com/atproto/identity/resolveHandle.js +2 -36
package/dist/api/com/atproto/identity/resolveHandle.js.map +1 -1
package/dist/api/com/atproto/identity/updateHandle.d.ts.map +1 -1
package/dist/api/com/atproto/identity/updateHandle.js +1 -7
package/dist/api/com/atproto/identity/updateHandle.js.map +1 -1
package/dist/api/com/atproto/server/activateAccount.d.ts.map +1 -1
package/dist/api/com/atproto/server/activateAccount.js +2 -18
package/dist/api/com/atproto/server/activateAccount.js.map +1 -1
package/dist/api/com/atproto/server/createAccount.d.ts.map +1 -1
package/dist/api/com/atproto/server/createAccount.js +7 -7
package/dist/api/com/atproto/server/createAccount.js.map +1 -1
package/dist/api/com/atproto/server/createSession.js +1 -1
package/dist/api/com/atproto/server/createSession.js.map +1 -1
package/dist/api/com/atproto/server/deleteAccount.d.ts.map +1 -1
package/dist/api/com/atproto/server/deleteAccount.js +2 -3
package/dist/api/com/atproto/server/deleteAccount.js.map +1 -1
package/dist/api/com/atproto/server/getSession.js +1 -1
package/dist/api/com/atproto/server/getSession.js.map +1 -1
package/dist/api/com/atproto/server/refreshSession.js +1 -1
package/dist/api/com/atproto/server/refreshSession.js.map +1 -1
package/dist/api/com/atproto/sync/getRecord.d.ts.map +1 -1
package/dist/api/com/atproto/sync/getRecord.js.map +1 -1
package/dist/api/com/atproto/sync/getRepoStatus.js +1 -1
package/dist/api/com/atproto/sync/getRepoStatus.js.map +1 -1
package/dist/api/com/atproto/sync/listRepos.js +1 -1
package/dist/api/com/atproto/sync/listRepos.js.map +1 -1
package/dist/api/com/atproto/sync/subscribeRepos.d.ts.map +1 -1
package/dist/api/com/atproto/sync/subscribeRepos.js +2 -10
package/dist/api/com/atproto/sync/subscribeRepos.js.map +1 -1
package/dist/app-view.d.ts +14 -0
package/dist/app-view.d.ts.map +1 -0
package/dist/app-view.js +36 -0
package/dist/app-view.js.map +1 -0
package/dist/auth-routes.d.ts +1 -1
package/dist/auth-routes.d.ts.map +1 -1
package/dist/auth-routes.js +9 -3
package/dist/auth-routes.js.map +1 -1
package/dist/auth-verifier.d.ts +1 -1
package/dist/auth-verifier.d.ts.map +1 -1
package/dist/config/config.d.ts +3 -2
package/dist/config/config.d.ts.map +1 -1
package/dist/config/config.js +17 -7
package/dist/config/config.js.map +1 -1
package/dist/config/env.d.ts +4 -0
package/dist/config/env.d.ts.map +1 -1
package/dist/config/env.js +5 -0
package/dist/config/env.js.map +1 -1
package/dist/context.d.ts +4 -4
package/dist/context.d.ts.map +1 -1
package/dist/context.js +24 -18
package/dist/context.js.map +1 -1
package/dist/handle/index.d.ts +0 -7
package/dist/handle/index.d.ts.map +1 -1
package/dist/handle/index.js +4 -58
package/dist/handle/index.js.map +1 -1
package/dist/image/image-url.d.ts +8 -0
package/dist/image/image-url.d.ts.map +1 -0
package/dist/image/image-url.js +26 -0
package/dist/image/image-url.js.map +1 -0
package/dist/lexicon/index.d.ts +6 -0
package/dist/lexicon/index.d.ts.map +1 -1
package/dist/lexicon/index.js +12 -0
package/dist/lexicon/index.js.map +1 -1
package/dist/lexicon/lexicons.d.ts +310 -130
package/dist/lexicon/lexicons.d.ts.map +1 -1
package/dist/lexicon/lexicons.js +171 -67
package/dist/lexicon/lexicons.js.map +1 -1
package/dist/lexicon/types/app/bsky/embed/video.d.ts +1 -0
package/dist/lexicon/types/app/bsky/embed/video.d.ts.map +1 -1
package/dist/lexicon/types/app/bsky/embed/video.js.map +1 -1
package/dist/lexicon/types/com/atproto/identity/defs.d.ts +17 -0
package/dist/lexicon/types/com/atproto/identity/defs.d.ts.map +1 -0
package/dist/lexicon/types/com/atproto/identity/defs.js +16 -0
package/dist/lexicon/types/com/atproto/identity/defs.js.map +1 -0
package/dist/lexicon/types/com/atproto/identity/refreshIdentity.d.ts +39 -0
package/dist/lexicon/types/com/atproto/identity/refreshIdentity.d.ts.map +1 -0
package/dist/lexicon/types/com/atproto/identity/refreshIdentity.js +7 -0
package/dist/lexicon/types/com/atproto/identity/refreshIdentity.js.map +1 -0
package/dist/lexicon/types/com/atproto/identity/resolveDid.d.ts +40 -0
package/dist/lexicon/types/com/atproto/identity/resolveDid.d.ts.map +1 -0
package/dist/lexicon/types/com/atproto/identity/resolveDid.js +7 -0
package/dist/lexicon/types/com/atproto/identity/resolveDid.js.map +1 -0
package/dist/lexicon/types/com/atproto/identity/resolveHandle.d.ts +1 -0
package/dist/lexicon/types/com/atproto/identity/resolveHandle.d.ts.map +1 -1
package/dist/lexicon/types/com/atproto/identity/resolveIdentity.d.ts +36 -0
package/dist/lexicon/types/com/atproto/identity/resolveIdentity.d.ts.map +1 -0
package/dist/lexicon/types/com/atproto/identity/resolveIdentity.js +7 -0
package/dist/lexicon/types/com/atproto/identity/resolveIdentity.js.map +1 -0
package/dist/lexicon/types/com/atproto/sync/subscribeRepos.d.ts +1 -30
package/dist/lexicon/types/com/atproto/sync/subscribeRepos.d.ts.map +1 -1
package/dist/lexicon/types/com/atproto/sync/subscribeRepos.js +0 -27
package/dist/lexicon/types/com/atproto/sync/subscribeRepos.js.map +1 -1
package/dist/lexicon/types/tools/ozone/team/listMembers.d.ts +1 -0
package/dist/lexicon/types/tools/ozone/team/listMembers.d.ts.map +1 -1
package/dist/mailer/index.d.ts +5 -5
package/dist/mailer/index.d.ts.map +1 -1
package/dist/mailer/index.js +6 -5
package/dist/mailer/index.js.map +1 -1
package/dist/read-after-write/viewer.d.ts +1 -1
package/dist/read-after-write/viewer.d.ts.map +1 -1
package/dist/repo/types.d.ts +6 -2
package/dist/repo/types.d.ts.map +1 -1
package/dist/repo/types.js.map +1 -1
package/dist/scripts/rebuild-repo.d.ts.map +1 -1
package/dist/scripts/rebuild-repo.js +2 -1
package/dist/scripts/rebuild-repo.js.map +1 -1
package/dist/sequencer/db/schema.d.ts +1 -1
package/dist/sequencer/db/schema.d.ts.map +1 -1
package/dist/sequencer/events.d.ts +27 -38
package/dist/sequencer/events.d.ts.map +1 -1
package/dist/sequencer/events.js +40 -58
package/dist/sequencer/events.js.map +1 -1
package/dist/sequencer/sequencer.d.ts +2 -3
package/dist/sequencer/sequencer.d.ts.map +1 -1
package/dist/sequencer/sequencer.js +5 -17
package/dist/sequencer/sequencer.js.map +1 -1
package/package.json +15 -15
package/src/account-manager/{index.ts → account-manager.ts} +107 -307
package/src/account-manager/helpers/device-account.ts +1 -0
package/src/account-manager/oauth-store.ts +494 -0
package/src/actor-store/repo/reader.ts +11 -0
package/src/actor-store/repo/transactor.ts +15 -4
package/src/api/com/atproto/admin/deleteAccount.ts +2 -3
package/src/api/com/atproto/admin/updateAccountHandle.ts +7 -8
package/src/api/com/atproto/identity/resolveHandle.ts +2 -11
package/src/api/com/atproto/identity/updateHandle.ts +4 -7
package/src/api/com/atproto/server/activateAccount.ts +4 -18
package/src/api/com/atproto/server/createAccount.ts +15 -11
package/src/api/com/atproto/server/createSession.ts +1 -1
package/src/api/com/atproto/server/deleteAccount.ts +2 -3
package/src/api/com/atproto/server/getSession.ts +1 -1
package/src/api/com/atproto/server/refreshSession.ts +1 -1
package/src/api/com/atproto/sync/getRecord.ts +0 -1
package/src/api/com/atproto/sync/getRepoStatus.ts +1 -1
package/src/api/com/atproto/sync/listRepos.ts +1 -1
package/src/api/com/atproto/sync/subscribeRepos.ts +2 -9
package/src/app-view.ts +24 -0
package/src/auth-routes.ts +9 -3
package/src/auth-verifier.ts +1 -1
package/src/config/config.ts +25 -13
package/src/config/env.ts +12 -0
package/src/context.ts +44 -24
package/src/handle/index.ts +6 -52
package/src/image/image-url.ts +16 -0
package/src/lexicon/index.ts +36 -0
package/src/lexicon/lexicons.ts +186 -67
package/src/lexicon/types/app/bsky/embed/video.ts +1 -0
package/src/lexicon/types/com/atproto/identity/defs.ts +30 -0
package/src/lexicon/types/com/atproto/identity/refreshIdentity.ts +52 -0
package/src/lexicon/types/com/atproto/identity/resolveDid.ts +52 -0
package/src/lexicon/types/com/atproto/identity/resolveHandle.ts +1 -0
package/src/lexicon/types/com/atproto/identity/resolveIdentity.ts +48 -0
package/src/lexicon/types/com/atproto/sync/subscribeRepos.ts +0 -59
package/src/lexicon/types/tools/ozone/team/listMembers.ts +1 -0
package/src/mailer/index.ts +7 -5
package/src/read-after-write/viewer.ts +1 -1
package/src/repo/types.ts +7 -2
package/src/scripts/rebuild-repo.ts +4 -1
package/src/sequencer/db/schema.ts +1 -8
package/src/sequencer/events.ts +47 -75
package/src/sequencer/sequencer.ts +9 -23
package/tests/account-deletion.test.ts +3 -5
package/tests/oauth.test.ts +286 -71
package/tests/sequencer.test.ts +20 -29
package/tests/sync/subscribe-repos.test.ts +89 -45
package/tsconfig.build.tsbuildinfo +1 -1
package/dist/account-manager/index.d.ts.map +0 -1
package/dist/account-manager/index.js.map +0 -1
package/dist/actor-store/repo/util.d.ts +0 -5
package/dist/actor-store/repo/util.d.ts.map +0 -1
package/dist/actor-store/repo/util.js +0 -25
package/dist/actor-store/repo/util.js.map +0 -1
package/dist/oauth/provider.d.ts +0 -10
package/dist/oauth/provider.d.ts.map +0 -1
package/dist/oauth/provider.js +0 -38
package/dist/oauth/provider.js.map +0 -1
package/src/actor-store/repo/util.ts +0 -22
package/src/oauth/provider.ts +0 -59

package/src/api/com/atproto/server/activateAccount.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import { CidSet } from '@atproto/repo'
 import { INVALID_HANDLE } from '@atproto/syntax'
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { AppContext } from '../../../../context'
@@ -31,22 +30,9 @@ export default function (server: Server, ctx: AppContext) {
       await ctx.accountManager.activateAccount(requester)
-      const commitData = await ctx.actorStore.read(requester, async (store) => {
-        const root = await store.repo.storage.getRootDetailed()
-        const blocks = await store.repo.storage.getBlocks([root.cid])
-        return {
-          cid: root.cid,
-          rev: root.rev,
-          since: null,
-          prev: null,
-          newBlocks: blocks.blocks,
-          relevantBlocks: blocks.blocks,
-          removedCids: new CidSet(),
-          ops: [],
-          blobs: new CidSet(),
-          prevData: null,
-        }
-      })
+      const syncData = await ctx.actorStore.read(requester, (store) =>
+        store.repo.getSyncEventData(),
+      )
       // @NOTE: we're over-emitting for now for backwards compatibility, can reduce this in the future
       const status = await ctx.accountManager.getAccountStatus(requester)
@@ -55,7 +41,7 @@ export default function (server: Server, ctx: AppContext) {
         requester,
         account.handle ?? INVALID_HANDLE,
       )
-      await ctx.sequencer.sequenceCommit(requester, commitData)
+      await ctx.sequencer.sequenceSyncEvt(requester, syncData)
     },
   })
 }

package/src/api/com/atproto/server/createAccount.ts CHANGED Viewed

@@ -5,14 +5,12 @@ import { DidDocument, MINUTE, check } from '@atproto/common'
 import { ExportableKeypair, Keypair, Secp256k1Keypair } from '@atproto/crypto'
 import { AtprotoData, ensureAtpDocument } from '@atproto/identity'
 import { AuthRequiredError, InvalidRequestError } from '@atproto/xrpc-server'
-import { AccountStatus } from '../../../../account-manager'
+import { AccountStatus } from '../../../../account-manager/account-manager'
 import { AppContext } from '../../../../context'
-import {
-  baseNormalizeAndValidate,
-  normalizeAndValidateHandle,
-} from '../../../../handle'
+import { baseNormalizeAndValidate } from '../../../../handle'
 import { Server } from '../../../../lexicon'
 import { InputSchema as CreateAccountInput } from '../../../../lexicon/types/com/atproto/server/createAccount'
+import { syncEvtDataFromCommit } from '../../../../sequencer'
 import { safeResolveDidDoc } from './util'
 export default function (server: Server, ctx: AppContext) {
@@ -23,6 +21,9 @@ export default function (server: Server, ctx: AppContext) {
     },
     auth: ctx.authVerifier.userServiceAuthOptional,
     handler: async ({ input, auth, req }) => {
+      // @NOTE Until this code and the OAuthStore's `createAccount` are
+      // refactored together, any change made here must be reflected over there.
       const requester = auth.credentials?.did ?? null
       const {
         did,
@@ -60,7 +61,7 @@ export default function (server: Server, ctx: AppContext) {
         didDoc = await safeResolveDidDoc(ctx, did, true)
-        creds = await ctx.accountManager.createAccount({
+        creds = await ctx.accountManager.createAccountAndSession({
           did,
           handle,
           email,
@@ -75,6 +76,10 @@ export default function (server: Server, ctx: AppContext) {
           await ctx.sequencer.sequenceIdentityEvt(did, handle)
           await ctx.sequencer.sequenceAccountEvt(did, AccountStatus.Active)
           await ctx.sequencer.sequenceCommit(did, commit)
+          await ctx.sequencer.sequenceSyncEvt(
+            did,
+            syncEvtDataFromCommit(commit),
+          )
         }
         await ctx.accountManager.updateRepoRoot(did, commit.cid, commit.rev)
         await ctx.actorStore.clearReservedKeypair(signingKey.did(), did)
@@ -183,11 +188,10 @@ const validateInputsForLocalPds = async (
   }
   // normalize & ensure valid handle
-  const handle = await normalizeAndValidateHandle({
-    ctx,
-    handle: input.handle,
-    did: input.did,
-  })
+  const handle = await ctx.accountManager.normalizeAndValidateHandle(
+    input.handle,
+    { did: input.did },
+  )
   // check that the invite code still has uses
   if (ctx.cfg.invites.required && inviteCode) {

package/src/api/com/atproto/server/createSession.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { DAY, MINUTE } from '@atproto/common'
 import { INVALID_HANDLE } from '@atproto/syntax'
 import { AuthRequiredError } from '@atproto/xrpc-server'
-import { formatAccountStatus } from '../../../../account-manager'
+import { formatAccountStatus } from '../../../../account-manager/account-manager'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { resultPassthru } from '../../../proxy'

package/src/api/com/atproto/server/deleteAccount.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { MINUTE } from '@atproto/common'
 import { AuthRequiredError, InvalidRequestError } from '@atproto/xrpc-server'
-import { AccountStatus } from '../../../../account-manager'
+import { AccountStatus } from '../../../../account-manager/account-manager'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
@@ -48,8 +48,7 @@ export default function (server: Server, ctx: AppContext) {
         did,
         AccountStatus.Deleted,
       )
-      const tombstoneSeq = await ctx.sequencer.sequenceTombstone(did)
-      await ctx.sequencer.deleteAllForUser(did, [accountSeq, tombstoneSeq])
+      await ctx.sequencer.deleteAllForUser(did, [accountSeq])
     },
   })
 }

package/src/api/com/atproto/server/getSession.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { INVALID_HANDLE } from '@atproto/syntax'
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { formatAccountStatus } from '../../../../account-manager'
+import { formatAccountStatus } from '../../../../account-manager/account-manager'
 import { AuthScope } from '../../../../auth-verifier'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'

package/src/api/com/atproto/server/refreshSession.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { INVALID_HANDLE } from '@atproto/syntax'
 import { AuthRequiredError, InvalidRequestError } from '@atproto/xrpc-server'
-import { formatAccountStatus } from '../../../../account-manager'
+import { formatAccountStatus } from '../../../../account-manager/account-manager'
 import { AppContext } from '../../../../context'
 import { softDeleted } from '../../../../db/util'
 import { Server } from '../../../../lexicon'

package/src/api/com/atproto/sync/getRecord.ts CHANGED Viewed

@@ -1,5 +1,4 @@
 import stream from 'node:stream'
-import { CID } from 'multiformats/cid'
 import { byteIterableToStream } from '@atproto/common'
 import * as repo from '@atproto/repo'
 import { InvalidRequestError } from '@atproto/xrpc-server'

package/src/api/com/atproto/sync/getRepoStatus.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { formatAccountStatus } from '../../../../account-manager'
+import { formatAccountStatus } from '../../../../account-manager/account-manager'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { assertRepoAvailability } from './util'

package/src/api/com/atproto/sync/listRepos.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { formatAccountStatus } from '../../../../account-manager'
+import { formatAccountStatus } from '../../../../account-manager/account-manager'
 import { AppContext } from '../../../../context'
 import { Cursor, GenericKeyset, paginate } from '../../../../db/pagination'
 import { Server } from '../../../../lexicon'

package/src/api/com/atproto/sync/subscribeRepos.ts CHANGED Viewed

@@ -45,9 +45,9 @@ export default function (server: Server, ctx: AppContext) {
           time: evt.time,
           ...evt.evt,
         }
-      } else if (evt.type === 'handle') {
+      } else if (evt.type === 'sync') {
         yield {
-          $type: '#handle',
+          $type: '#sync',
           seq: evt.seq,
           time: evt.time,
           ...evt.evt,
@@ -66,13 +66,6 @@ export default function (server: Server, ctx: AppContext) {
           time: evt.time,
           ...evt.evt,
         }
-      } else if (evt.type === 'tombstone') {
-        yield {
-          $type: '#tombstone',
-          seq: evt.seq,
-          time: evt.time,
-          ...evt.evt,
-        }
       }
     }
   })

package/src/app-view.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { format } from 'node:util'
+import { AtpAgent } from '@atproto/api'
+export type AppViewOptions = {
+  url: string
+  did: string
+  cdnUrlPattern?: string
+}
+export class AppView {
+  public did: string
+  public agent: AtpAgent
+  private cdnUrlPattern?: string
+  constructor(options: AppViewOptions) {
+    this.did = options.did
+    this.agent = new AtpAgent({ service: options.url })
+    this.cdnUrlPattern = options.cdnUrlPattern
+  }
+  getImageUrl(pattern: string, did: string, cid: string): string | undefined {
+    if (this.cdnUrlPattern) return format(this.cdnUrlPattern, pattern, did, cid)
+  }
+}

package/src/auth-routes.ts CHANGED Viewed

@@ -1,8 +1,9 @@
 import { Router } from 'express'
 import { oauthProtectedResourceMetadataSchema } from '@atproto/oauth-provider'
 import { AppContext } from './context'
+import { oauthLogger } from './logger'
-export const createRouter = ({ authProvider, cfg }: AppContext): Router => {
+export const createRouter = ({ oauthProvider, cfg }: AppContext): Router => {
   const router = Router()
   const oauthProtectedResourceMetadata =
@@ -28,8 +29,13 @@ export const createRouter = ({ authProvider, cfg }: AppContext): Router => {
     res.status(200).json(oauthProtectedResourceMetadata)
   })
-  if (authProvider) {
-    router.use(authProvider.createRouter())
+  if (oauthProvider) {
+    const oauthMiddleware = oauthProvider.httpHandler({
+      onError: (req, res, err, message) => {
+        oauthLogger.error({ err, req }, message)
+      },
+    })
+    router.use(oauthMiddleware)
   }
   return router

package/src/auth-verifier.ts CHANGED Viewed

@@ -19,7 +19,7 @@ import {
   parseReqNsid,
   verifyJwt as verifyServiceJwt,
 } from '@atproto/xrpc-server'
-import { AccountManager } from './account-manager'
+import { AccountManager } from './account-manager/account-manager'
 import { softDeleted } from './db'
 type ReqCtx = AuthVerifierContext | StreamAuthVerifierContext

package/src/config/config.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import assert from 'node:assert'
 import path from 'node:path'
 import { DAY, HOUR, SECOND } from '@atproto/common'
-import { Customization } from '@atproto/oauth-provider'
+import { BrandingInput, HcaptchaConfig } from '@atproto/oauth-provider'
 import { ServerEnvironment } from './env'
 // off-config but still from env:
@@ -261,38 +261,49 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
     : {
         issuer: serviceCfg.publicUrl,
         provider: {
-          customization: {
+          hcaptcha:
+            env.hcaptchaSiteKey &&
+            env.hcaptchaSecretKey &&
+            env.hcaptchaTokenSalt
+              ? {
+                  siteKey: env.hcaptchaSiteKey,
+                  secretKey: env.hcaptchaSecretKey,
+                  tokenSalt: env.hcaptchaTokenSalt,
+                }
+              : undefined,
+          branding: {
             name: env.serviceName ?? 'Personal PDS',
             logo: env.logoUrl,
             colors: {
               brand: env.brandColor,
               error: env.errorColor,
+              success: env.successColor,
               warning: env.warningColor,
             },
             links: [
               {
-                title: 'Home',
+                title: { en: 'Home', fr: 'Accueil' },
                 href: env.homeUrl,
-                rel: 'bookmark',
+                rel: 'canonical' as const, // Prevents login page from being indexed
               },
               {
-                title: 'Terms of Service',
+                title: { en: 'Terms of Service' },
                 href: env.termsOfServiceUrl,
-                rel: 'terms-of-service',
+                rel: 'terms-of-service' as const,
               },
               {
-                title: 'Privacy Policy',
+                title: { en: 'Privacy Policy' },
                 href: env.privacyPolicyUrl,
-                rel: 'privacy-policy',
+                rel: 'privacy-policy' as const,
               },
               {
-                title: 'Support',
+                title: { en: 'Support' },
                 href: env.supportUrl,
-                rel: 'help',
+                rel: 'help' as const,
               },
             ].filter(
-              (f): f is typeof f & { href: NonNullable<(typeof f)['href']> } =>
-                f.href != null,
+              <T extends { href?: string }>(f: T): f is T & { href: string } =>
+                f.href != null && f.href !== '',
             ),
           },
         },
@@ -435,7 +446,8 @@ export type OAuthConfig = {
   provider:
     | false
     | {
-        customization: Customization
+        hcaptcha?: HcaptchaConfig
+        branding: BrandingInput
       }
 }

package/src/config/env.ts CHANGED Viewed

@@ -18,10 +18,16 @@ export const readEnv = (): ServerEnvironment => {
     blobUploadLimit: envInt('PDS_BLOB_UPLOAD_LIMIT'),
     devMode: envBool('PDS_DEV_MODE'),
+    // OAuth
+    hcaptchaSiteKey: envStr('PDS_HCAPTCHA_SITE_KEY'),
+    hcaptchaSecretKey: envStr('PDS_HCAPTCHA_SECRET_KEY'),
+    hcaptchaTokenSalt: envStr('PDS_HCAPTCHA_TOKEN_SALT'),
     // branding
     brandColor: envStr('PDS_PRIMARY_COLOR'),
     errorColor: envStr('PDS_ERROR_COLOR'),
     warningColor: envStr('PDS_WARNING_COLOR'),
+    successColor: envStr('PDS_SUCCESS_COLOR'),
     // database
     dataDirectory: envStr('PDS_DATA_DIRECTORY'),
@@ -150,10 +156,16 @@ export type ServerEnvironment = {
   blobUploadLimit?: number
   devMode?: boolean
+  // OAuth
+  hcaptchaSiteKey?: string
+  hcaptchaSecretKey?: string
+  hcaptchaTokenSalt?: string
   // branding
   brandColor?: string
   errorColor?: string
   warningColor?: string
+  successColor?: string
   // database
   dataDirectory?: string

package/src/context.ts CHANGED Viewed

@@ -8,7 +8,12 @@ import { AtpAgent } from '@atproto/api'
 import { KmsKeypair, S3BlobStore } from '@atproto/aws'
 import * as crypto from '@atproto/crypto'
 import { IdResolver } from '@atproto/identity'
-import { JoseKey, OAuthVerifier } from '@atproto/oauth-provider'
+import {
+  AccessTokenType,
+  JoseKey,
+  OAuthProvider,
+  OAuthVerifier,
+} from '@atproto/oauth-provider'
 import { BlobStore } from '@atproto/repo'
 import {
   RateLimiter,
@@ -24,7 +29,8 @@ import {
   safeFetchWrap,
   unicastLookup,
 } from '@atproto-labs/fetch-node'
-import { AccountManager } from './account-manager'
+import { AccountManager } from './account-manager/account-manager'
+import { OAuthStore } from './account-manager/oauth-store'
 import { ActorStore } from './actor-store/actor-store'
 import { authPassthru, forwardedFor } from './api/proxy'
 import {
@@ -42,7 +48,6 @@ import { ImageUrlBuilder } from './image/image-url-builder'
 import { fetchLogger } from './logger'
 import { ServerMailer } from './mailer'
 import { ModerationMailer } from './mailer/moderation'
-import { PdsOAuthProvider } from './oauth/provider'
 import { LocalViewer, LocalViewerCreator } from './read-after-write/viewer'
 import { getRedisClient } from './redis'
 import { Sequencer } from './sequencer'
@@ -68,7 +73,7 @@ export type AppContextOptions = {
   entrywayAgent?: AtpAgent
   proxyAgent: undici.Dispatcher
   safeFetch: Fetch
-  authProvider?: PdsOAuthProvider
+  oauthProvider?: OAuthProvider
   authVerifier: AuthVerifier
   plcRotationKey: crypto.Keypair
   cfg: ServerConfig
@@ -96,7 +101,7 @@ export class AppContext {
   public proxyAgent: undici.Dispatcher
   public safeFetch: Fetch
   public authVerifier: AuthVerifier
-  public authProvider?: PdsOAuthProvider
+  public oauthProvider?: OAuthProvider
   public plcRotationKey: crypto.Keypair
   public cfg: ServerConfig
@@ -122,7 +127,7 @@ export class AppContext {
     this.proxyAgent = opts.proxyAgent
     this.safeFetch = opts.safeFetch
     this.authVerifier = opts.authVerifier
-    this.authProvider = opts.authProvider
+    this.oauthProvider = opts.oauthProvider
     this.plcRotationKey = opts.plcRotationKey
     this.cfg = opts.cfg
   }
@@ -247,13 +252,11 @@ export class AppContext {
     })
     const accountManager = new AccountManager(
-      actorStore,
-      imageUrlBuilder,
-      backgroundQueue,
-      cfg.db.accountDbLoc,
+      idResolver,
       jwtSecretKey,
       cfg.service.did,
-      cfg.db.disableWalAutoCheckpoint,
+      cfg.identity.serviceHandleDomains,
+      cfg.db,
     )
     await accountManager.migrateOrThrow()
@@ -323,26 +326,43 @@ export class AppContext {
       logError: false,
     })
-    const authProvider = cfg.oauth.provider
-      ? new PdsOAuthProvider({
+    const oauthProvider = cfg.oauth.provider
+      ? new OAuthProvider({
           issuer: cfg.oauth.issuer,
-          keyset: [
-            // Note: OpenID compatibility would require an RS256 private key in this list
-            await JoseKey.fromKeyLike(jwtSecretKey, undefined, 'HS256'),
-          ],
-          accountManager,
+          keyset: [await JoseKey.fromKeyLike(jwtSecretKey, undefined, 'HS256')],
+          store: new OAuthStore(
+            accountManager,
+            actorStore,
+            imageUrlBuilder,
+            backgroundQueue,
+            mailer,
+            sequencer,
+            plcClient,
+            plcRotationKey,
+            cfg.service.publicUrl,
+            cfg.identity.recoveryDidKey,
+          ),
           redis: redisScratch,
           dpopSecret: secrets.dpopSecret,
-          customization: cfg.oauth.provider.customization,
+          inviteCodeRequired: cfg.invites.required,
+          availableUserDomains: cfg.identity.serviceHandleDomains,
+          hcaptcha: cfg.oauth.provider.hcaptcha,
+          branding: cfg.oauth.provider.branding,
           safeFetch,
-          // @TODO: Make this configurable. The legacy implementation used to
-          // blindly trust the X-Forwarded-For header.
-          trustProxy: (_addr: string, _i: number) => true,
+          metadata: {
+            protected_resources: [new URL(cfg.oauth.issuer).origin],
+            scopes_supported: ['transition:generic', 'transition:chat.bsky'],
+          },
+          // If the PDS is both an authorization server & resource server (no
+          // entryway), there is no need to use JWTs as access tokens. Instead,
+          // the PDS can use tokenId as access tokens. This allows the PDS to
+          // always use up-to-date token data from the token store.
+          accessTokenType: AccessTokenType.id,
         })
       : undefined
     const oauthVerifier: OAuthVerifier =
-      authProvider ?? // OAuthProvider extends OAuthVerifier
+      oauthProvider ?? // OAuthProvider extends OAuthVerifier
       new OAuthVerifier({
         issuer: cfg.oauth.issuer,
         keyset: [await JoseKey.fromKeyLike(jwtPublicKey!, undefined, 'ES256K')],
@@ -388,7 +408,7 @@ export class AppContext {
       proxyAgent,
       safeFetch,
       authVerifier,
-      authProvider,
+      oauthProvider,
       plcRotationKey,
       cfg,
       ...(overrides ?? {}),

package/src/handle/index.ts CHANGED Viewed

@@ -1,61 +1,15 @@
-import * as ident from '@atproto/syntax'
+import {
+  InvalidHandleError,
+  normalizeAndEnsureValidHandle,
+} from '@atproto/syntax'
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { AppContext } from '../context'
-import { hasExplicitSlur } from './explicit-slurs'
 import { reservedSubdomains } from './reserved'
-export const normalizeAndValidateHandle = async (opts: {
-  ctx: AppContext
-  handle: string
-  did?: string
-  allowReserved?: boolean
-}): Promise<string> => {
-  const { ctx, did, allowReserved } = opts
-  // base formatting validation
-  const handle = baseNormalizeAndValidate(opts.handle)
-  // tld validation
-  if (!ident.isValidTld(handle)) {
-    throw new InvalidRequestError(
-      'Handle TLD is invalid or disallowed',
-      'InvalidHandle',
-    )
-  }
-  // slur check
-  if (hasExplicitSlur(handle)) {
-    throw new InvalidRequestError(
-      'Inappropriate language in handle',
-      'InvalidHandle',
-    )
-  }
-  if (isServiceDomain(handle, ctx.cfg.identity.serviceHandleDomains)) {
-    // verify constraints on a service domain
-    ensureHandleServiceConstraints(
-      handle,
-      ctx.cfg.identity.serviceHandleDomains,
-      allowReserved,
-    )
-  } else {
-    if (opts.did === undefined) {
-      throw new InvalidRequestError(
-        'Not a supported handle domain',
-        'UnsupportedDomain',
-      )
-    }
-    // verify resolution of a non-service domain
-    const resolvedDid = await ctx.idResolver.handle.resolve(handle)
-    if (resolvedDid !== did) {
-      throw new InvalidRequestError('External handle did not resolve to DID')
-    }
-  }
-  return handle
-}
 export const baseNormalizeAndValidate = (handle: string) => {
   try {
-    const normalized = ident.normalizeAndEnsureValidHandle(handle)
-    return normalized
+    return normalizeAndEnsureValidHandle(handle)
   } catch (err) {
-    if (err instanceof ident.InvalidHandleError) {
+    if (err instanceof InvalidHandleError) {
       throw new InvalidRequestError(err.message, 'InvalidHandle')
     }
     throw err

package/src/image/image-url.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import { AppView } from '../app-view'
+import { ids } from '../lexicon/lexicons'
+export class ImageUrlBuilder {
+  constructor(
+    readonly pdsHostname: string,
+    readonly appview?: AppView,
+  ) {}
+  build(pattern: string, did: string, cid: string): string {
+    return (
+      this.appview?.getImageUrl(pattern, did, cid) ??
+      `https://${this.pdsHostname}/xrpc/${ids.ComAtprotoSyncGetBlob}?did=${did}&cid=${cid}`
+    )
+  }
+}

package/src/lexicon/index.ts CHANGED Viewed

@@ -24,8 +24,11 @@ import * as ComAtprotoAdminUpdateAccountHandle from './types/com/atproto/admin/u
 import * as ComAtprotoAdminUpdateAccountPassword from './types/com/atproto/admin/updateAccountPassword.js'
 import * as ComAtprotoAdminUpdateSubjectStatus from './types/com/atproto/admin/updateSubjectStatus.js'
 import * as ComAtprotoIdentityGetRecommendedDidCredentials from './types/com/atproto/identity/getRecommendedDidCredentials.js'
+import * as ComAtprotoIdentityRefreshIdentity from './types/com/atproto/identity/refreshIdentity.js'
 import * as ComAtprotoIdentityRequestPlcOperationSignature from './types/com/atproto/identity/requestPlcOperationSignature.js'
+import * as ComAtprotoIdentityResolveDid from './types/com/atproto/identity/resolveDid.js'
 import * as ComAtprotoIdentityResolveHandle from './types/com/atproto/identity/resolveHandle.js'
+import * as ComAtprotoIdentityResolveIdentity from './types/com/atproto/identity/resolveIdentity.js'
 import * as ComAtprotoIdentitySignPlcOperation from './types/com/atproto/identity/signPlcOperation.js'
 import * as ComAtprotoIdentitySubmitPlcOperation from './types/com/atproto/identity/submitPlcOperation.js'
 import * as ComAtprotoIdentityUpdateHandle from './types/com/atproto/identity/updateHandle.js'
@@ -480,6 +483,17 @@ export class ComAtprotoIdentityNS {
     return this._server.xrpc.method(nsid, cfg)
   }
+  refreshIdentity<AV extends AuthVerifier>(
+    cfg: ConfigOf<
+      AV,
+      ComAtprotoIdentityRefreshIdentity.Handler<ExtractAuth<AV>>,
+      ComAtprotoIdentityRefreshIdentity.HandlerReqCtx<ExtractAuth<AV>>
+    >,
+  ) {
+    const nsid = 'com.atproto.identity.refreshIdentity' // @ts-ignore
+    return this._server.xrpc.method(nsid, cfg)
+  }
   requestPlcOperationSignature<AV extends AuthVerifier>(
     cfg: ConfigOf<
       AV,
@@ -493,6 +507,17 @@ export class ComAtprotoIdentityNS {
     return this._server.xrpc.method(nsid, cfg)
   }
+  resolveDid<AV extends AuthVerifier>(
+    cfg: ConfigOf<
+      AV,
+      ComAtprotoIdentityResolveDid.Handler<ExtractAuth<AV>>,
+      ComAtprotoIdentityResolveDid.HandlerReqCtx<ExtractAuth<AV>>
+    >,
+  ) {
+    const nsid = 'com.atproto.identity.resolveDid' // @ts-ignore
+    return this._server.xrpc.method(nsid, cfg)
+  }
   resolveHandle<AV extends AuthVerifier>(
     cfg: ConfigOf<
       AV,
@@ -504,6 +529,17 @@ export class ComAtprotoIdentityNS {
     return this._server.xrpc.method(nsid, cfg)
   }
+  resolveIdentity<AV extends AuthVerifier>(
+    cfg: ConfigOf<
+      AV,
+      ComAtprotoIdentityResolveIdentity.Handler<ExtractAuth<AV>>,
+      ComAtprotoIdentityResolveIdentity.HandlerReqCtx<ExtractAuth<AV>>
+    >,
+  ) {
+    const nsid = 'com.atproto.identity.resolveIdentity' // @ts-ignore
+    return this._server.xrpc.method(nsid, cfg)
+  }
   signPlcOperation<AV extends AuthVerifier>(
     cfg: ConfigOf<
       AV,