@atproto/pds 0.4.122 → 0.4.124

package/dist/sequencer/db/migrations/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/sequencer/db/migrations/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAkC;AAElC,kBAAe;IACb,KAAK,EAAE,IAAI;CACZ,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/sequencer/db/migrations/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAkC;AAElC,kBAAe;IACb,KAAK,EAAE,IAAI;CACZ,CAAA"}

package/dist/sequencer/events.d.ts

@@ -31,7 +31,7 @@ export declare const commitEvt: z.ZodObject<{
     commit: z.ZodEffects<z.ZodEffects<z.ZodAny, any, any>, import("multiformats/cid").CID, any>;
     rev: z.ZodString;
     since: z.ZodNullable<z.ZodString>;
-    blocks: z.ZodType<Uint8Array, z.ZodTypeDef, Uint8Array>;
+    blocks: z.ZodType<Uint8Array<ArrayBuffer>, z.ZodTypeDef, Uint8Array<ArrayBuffer>>;
     ops: z.ZodArray<z.ZodObject<{
         action: z.ZodUnion<[z.ZodLiteral<"create">, z.ZodLiteral<"update">, z.ZodLiteral<"delete">]>;
         path: z.ZodString;
@@ -58,7 +58,7 @@ export declare const commitEvt: z.ZodObject<{
     since: string | null;
     rebase: boolean;
     tooBig: boolean;
-    blocks: Uint8Array;
+    blocks: Uint8Array<ArrayBuffer>;
     ops: {
         path: string;
         cid: import("multiformats/cid").CID | null;
@@ -73,7 +73,7 @@ export declare const commitEvt: z.ZodObject<{
     since: string | null;
     rebase: boolean;
     tooBig: boolean;
-    blocks: Uint8Array;
+    blocks: Uint8Array<ArrayBuffer>;
     ops: {
         path: string;
         action: "create" | "delete" | "update";
@@ -86,16 +86,16 @@ export declare const commitEvt: z.ZodObject<{
 export type CommitEvt = z.infer<typeof commitEvt>;
 export declare const syncEvt: z.ZodObject<{
     did: z.ZodString;
-    blocks: z.ZodType<Uint8Array, z.ZodTypeDef, Uint8Array>;
+    blocks: z.ZodType<Uint8Array<ArrayBuffer>, z.ZodTypeDef, Uint8Array<ArrayBuffer>>;
     rev: z.ZodString;
 }, "strip", z.ZodTypeAny, {
     did: string;
     rev: string;
-    blocks: Uint8Array;
+    blocks: Uint8Array<ArrayBuffer>;
 }, {
     did: string;
     rev: string;
-    blocks: Uint8Array;
+    blocks: Uint8Array<ArrayBuffer>;
 }>;
 export type SyncEvt = z.infer<typeof syncEvt>;
 export declare const identityEvt: z.ZodObject<{

package/dist/sequencer/events.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/sequencer/events.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,OAAO,EAAE,aAAa,EAAE,MAAM,oCAAoC,CAAA;AAClE,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,MAAM,CAAA;AAEpC,eAAO,MAAM,eAAe,QACrB,MAAM,cACC,iBAAiB,KAC5B,OAAO,CAAC,aAAa,CAyBvB,CAAA;AAED,eAAO,MAAM,gBAAgB,QACtB,MAAM,QACL,WAAW,KAChB,OAAO,CAAC,aAAa,CAavB,CAAA;AAED,eAAO,MAAM,qBAAqB,eACpB,iBAAiB,KAC5B,WAaF,CAAA;AAED,eAAO,MAAM,oBAAoB,QAC1B,MAAM,WACF,MAAM,KACd,OAAO,CAAC,aAAa,CAavB,CAAA;AAED,eAAO,MAAM,mBAAmB,QACzB,MAAM,UACH,aAAa,KACpB,OAAO,CAAC,aAAa,CAevB,CAAA;AAED,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;EAStB,CAAA;AACF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAA;AAErD,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWpB,CAAA;AACF,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA;AAEjD,eAAO,MAAM,OAAO;;;;;;;;;;;;EAIlB,CAAA;AACF,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,OAAO,CAAC,CAAA;AAE7C,eAAO,MAAM,WAAW;;;;;;;;;EAGtB,CAAA;AACF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAA;AAErD,eAAO,MAAM,UAAU;;;;;;;;;;;;EAWrB,CAAA;AACF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAEnD,KAAK,cAAc,GAAG;IACpB,IAAI,EAAE,QAAQ,CAAA;IACd,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,SAAS,CAAA;CACf,CAAA;AACD,KAAK,YAAY,GAAG;IAClB,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,OAAO,CAAA;CACb,CAAA;AACD,KAAK,gBAAgB,GAAG;IACtB,IAAI,EAAE,UAAU,CAAA;IAChB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,WAAW,CAAA;CACjB,CAAA;AACD,KAAK,eAAe,GAAG;IACrB,IAAI,EAAE,SAAS,CAAA;IACf,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,UAAU,CAAA;CAChB,CAAA;AACD,MAAM,MAAM,MAAM,GACd,cAAc,GACd,YAAY,GACZ,gBAAgB,GAChB,eAAe,CAAA"}
+{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/sequencer/events.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,OAAO,EAAE,aAAa,EAAE,MAAM,oCAAoC,CAAA;AAClE,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,MAAM,CAAA;AAEpC,eAAO,MAAM,eAAe,GAC1B,KAAK,MAAM,EACX,YAAY,iBAAiB,KAC5B,OAAO,CAAC,aAAa,CAyBvB,CAAA;AAED,eAAO,MAAM,gBAAgB,GAC3B,KAAK,MAAM,EACX,MAAM,WAAW,KAChB,OAAO,CAAC,aAAa,CAavB,CAAA;AAED,eAAO,MAAM,qBAAqB,GAChC,YAAY,iBAAiB,KAC5B,WAaF,CAAA;AAED,eAAO,MAAM,oBAAoB,GAC/B,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,aAAa,CAavB,CAAA;AAED,eAAO,MAAM,mBAAmB,GAC9B,KAAK,MAAM,EACX,QAAQ,aAAa,KACpB,OAAO,CAAC,aAAa,CAevB,CAAA;AAED,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;EAStB,CAAA;AACF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAA;AAErD,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWpB,CAAA;AACF,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA;AAEjD,eAAO,MAAM,OAAO;;;;;;;;;;;;EAIlB,CAAA;AACF,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,OAAO,CAAC,CAAA;AAE7C,eAAO,MAAM,WAAW;;;;;;;;;EAGtB,CAAA;AACF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAA;AAErD,eAAO,MAAM,UAAU;;;;;;;;;;;;EAWrB,CAAA;AACF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAEnD,KAAK,cAAc,GAAG;IACpB,IAAI,EAAE,QAAQ,CAAA;IACd,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,SAAS,CAAA;CACf,CAAA;AACD,KAAK,YAAY,GAAG;IAClB,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,OAAO,CAAA;CACb,CAAA;AACD,KAAK,gBAAgB,GAAG;IACtB,IAAI,EAAE,UAAU,CAAA;IAChB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,WAAW,CAAA;CACjB,CAAA;AACD,KAAK,eAAe,GAAG;IACrB,IAAI,EAAE,SAAS,CAAA;IACf,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,UAAU,CAAA;CAChB,CAAA;AACD,MAAM,MAAM,MAAM,GACd,cAAc,GACd,YAAY,GACZ,gBAAgB,GAChB,eAAe,CAAA"}

package/dist/sequencer/sequencer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sequencer.d.ts","sourceRoot":"","sources":["../../src/sequencer/sequencer.ts"],"names":[],"mappings":"AACA,OAAO,YAAY,MAAM,eAAe,CAAA;AAExC,OAAO,EAAE,aAAa,EAAE,MAAM,oCAAoC,CAAA;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AAEtC,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACxD,OAAO,EACL,YAAY,EACZ,aAAa,EACb,WAAW,EAGZ,MAAM,MAAM,CAAA;AACb,OAAO,EAIL,MAAM,EAMP,MAAM,UAAU,CAAA;AAEjB,cAAc,UAAU,CAAA;wCAEkC,gBAAgB;AAA1E,qBAAa,SAAU,SAAQ,cAA4C;IAOhE,UAAU,EAAE,MAAM;IAClB,QAAQ,EAAE,QAAQ;IAClB,QAAQ;IARjB,EAAE,EAAE,WAAW,CAAA;IACf,SAAS,UAAQ;IACjB,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAO;IACxC,kBAAkB,SAAI;gBAGb,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,QAAQ,EAClB,QAAQ,SAAI,EACnB,wBAAwB,UAAQ;IAQ5B,KAAK;IAWL,OAAO;IAQP,IAAI,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAU9B,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAW5C,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAWvD,eAAe,CAAC,IAAI,EAAE;QAC1B,WAAW,CAAC,EAAE,MAAM,CAAA;QACpB,SAAS,CAAC,EAAE,MAAM,CAAA;QAClB,YAAY,CAAC,EAAE,MAAM,CAAA;QACrB,KAAK,CAAC,EAAE,MAAM,CAAA;KACf,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;YA6BP,MAAM;YAwBN,kBAAkB;IAM1B,WAAW,CAAC,GAAG,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC;IAQhD,cAAc,CAClB,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,iBAAiB,GAC5B,OAAO,CAAC,MAAM,CAAC;IAKZ,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW;IAK9C,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKlE,kBAAkB,CACtB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,MAAM,CAAC;IAKZ,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,aAAa,GAAE,MAAM,EAAO;CAUjE;AAED,eAAO,MAAM,gBAAgB,SAAU,YAAY,EAAE,KAAG,MAAM,EAuC7D,CAAA;AAED,KAAK,MAAM,GAAG,YAAY,CAAA;AAE1B,KAAK,eAAe,GAAG;IACrB,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,IAAI,CAAA;IAChC,KAAK,EAAE,MAAM,IAAI,CAAA;CAClB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG,YAAY,CAAC,eAAe,CAAC,CAAA;AAE5D,eAAe,SAAS,CAAA"}
+{"version":3,"file":"sequencer.d.ts","sourceRoot":"","sources":["../../src/sequencer/sequencer.ts"],"names":[],"mappings":"AACA,OAAO,YAAY,MAAM,eAAe,CAAA;AAExC,OAAO,EAAE,aAAa,EAAE,MAAM,oCAAoC,CAAA;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AAEtC,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACxD,OAAO,EACL,YAAY,EACZ,aAAa,EACb,WAAW,EAGZ,MAAM,MAAM,CAAA;AACb,OAAO,EAIL,MAAM,EAMP,MAAM,UAAU,CAAA;AAEjB,cAAc,UAAU,CAAA;8BAEwB,UAAU,gBAAgB;AAA1E,qBAAa,SAAU,SAAQ,cAA4C;IAOhE,UAAU,EAAE,MAAM;IAClB,QAAQ,EAAE,QAAQ;IAClB,QAAQ;IARjB,EAAE,EAAE,WAAW,CAAA;IACf,SAAS,UAAQ;IACjB,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAO;IACxC,kBAAkB,SAAI;gBAGb,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,QAAQ,EAClB,QAAQ,SAAI,EACnB,wBAAwB,UAAQ;IAQ5B,KAAK;IAWL,OAAO;IAQP,IAAI,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAU9B,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAW5C,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAWvD,eAAe,CAAC,IAAI,EAAE;QAC1B,WAAW,CAAC,EAAE,MAAM,CAAA;QACpB,SAAS,CAAC,EAAE,MAAM,CAAA;QAClB,YAAY,CAAC,EAAE,MAAM,CAAA;QACrB,KAAK,CAAC,EAAE,MAAM,CAAA;KACf,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;YA6BP,MAAM;YAwBN,kBAAkB;IAM1B,WAAW,CAAC,GAAG,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC;IAQhD,cAAc,CAClB,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,iBAAiB,GAC5B,OAAO,CAAC,MAAM,CAAC;IAKZ,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW;IAK9C,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKlE,kBAAkB,CACtB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,MAAM,CAAC;IAKZ,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,aAAa,GAAE,MAAM,EAAO;CAUjE;AAED,eAAO,MAAM,gBAAgB,GAAI,MAAM,YAAY,EAAE,KAAG,MAAM,EAuC7D,CAAA;AAED,KAAK,MAAM,GAAG,YAAY,CAAA;AAE1B,KAAK,eAAe,GAAG;IACrB,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,IAAI,CAAA;IAChC,KAAK,EAAE,MAAM,IAAI,CAAA;CAClB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG,YAAY,CAAC,eAAe,CAAC,CAAA;AAE5D,eAAe,SAAS,CAAA"}

package/dist/util/debug.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"debug.d.ts","sourceRoot":"","sources":["../../src/util/debug.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,UAAU,GAAI,IAAI,SAAS,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,MAAM,IAAI,eAChD,UAAU,CAAC,IAAI,CAAC,8BAQxC,CAAA"}
+{"version":3,"file":"debug.d.ts","sourceRoot":"","sources":["../../src/util/debug.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,UAAU,GAAI,IAAI,SAAS,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,EAAE,IAAI,IAAI,MACzD,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,8BAQxC,CAAA"}

package/dist/util/params.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"params.d.ts","sourceRoot":"","sources":["../../src/util/params.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAA;AAGtC,eAAO,MAAM,aAAa,QAAS,MAAM,KAAG,GAS3C,CAAA"}
+{"version":3,"file":"params.d.ts","sourceRoot":"","sources":["../../src/util/params.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAA;AAGtC,eAAO,MAAM,aAAa,GAAI,KAAK,MAAM,KAAG,GAS3C,CAAA"}

package/dist/well-known.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"well-known.d.ts","sourceRoot":"","sources":["../src/well-known.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAA;AAEtC,eAAO,MAAM,YAAY,QAAS,UAAU,KAAG,MAyB9C,CAAA"}
+{"version":3,"file":"well-known.d.ts","sourceRoot":"","sources":["../src/well-known.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAA;AAEtC,eAAO,MAAM,YAAY,GAAI,KAAK,UAAU,KAAG,MAyB9C,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/pds",
-  "version": "0.4.122",
+  "version": "0.4.124",
   "license": "MIT",
   "description": "Reference implementation of atproto Personal Data Server (PDS)",
   "keywords": [
@@ -50,13 +50,13 @@
     "zod": "^3.23.8",
     "@atproto-labs/fetch-node": "0.1.8",
     "@atproto-labs/xrpc-utils": "0.0.11",
-    "@atproto/api": "^0.14.21",
+    "@atproto/api": "^0.14.22",
     "@atproto/aws": "^0.2.20",
     "@atproto/common": "^0.4.10",
     "@atproto/crypto": "^0.4.4",
     "@atproto/identity": "^0.4.7",
     "@atproto/lexicon": "^0.4.10",
-    "@atproto/oauth-provider": "^0.6.6",
+    "@atproto/oauth-provider": "^0.7.0",
     "@atproto/repo": "^0.8.0",
     "@atproto/syntax": "^0.4.0",
     "@atproto/xrpc": "^0.6.12",
@@ -78,8 +78,9 @@
     "ts-node": "^10.8.2",
     "typescript": "^5.6.3",
     "ws": "^8.12.0",
-    "@atproto/api": "^0.14.21",
-    "@atproto/bsky": "^0.0.138",
+    "@atproto/api": "^0.14.22",
+    "@atproto/bsky": "^0.0.139",
+    "@atproto/dev-env": "^0.3.117",
     "@atproto/lex-cli": "^0.7.2",
     "@atproto/oauth-client-browser-example": "0.0.2"
   },

package/src/account-manager/db/migrations/005-oauth-account-management.ts

@@ -0,0 +1,112 @@
+import { Kysely } from 'kysely'
+import { HOUR } from '@atproto/common'
+import { ClientId, DeviceId } from '@atproto/oauth-provider'
+import { DateISO, JsonEncoded, toDateISO } from '../../../db'
+
+export async function up(
+  db: Kysely<{
+    device_account: {
+      did: string
+      deviceId: DeviceId
+
+      remember: 0 | 1
+      authenticatedAt: string
+      authorizedClients: JsonEncoded<ClientId[]>
+    }
+    account_device: {
+      did: string
+      deviceId: DeviceId
+
+      createdAt: DateISO
+      updatedAt: DateISO
+    }
+  }>,
+): Promise<void> {
+  // Security: Delete any leftover device accounts that are not remembered
+  await db
+    .deleteFrom('device_account')
+    .where('remember', '=', 0)
+    .where('authenticatedAt', '<', toDateISO(new Date(Date.now() - HOUR)))
+    .execute()
+
+  // replaces "device_account"
+  await db.schema
+    .createTable('account_device')
+    .addColumn('did', 'varchar', (col) => col.notNull())
+    .addColumn('deviceId', 'varchar', (col) => col.notNull())
+    .addColumn('createdAt', 'varchar', (col) => col.notNull())
+    .addColumn('updatedAt', 'varchar', (col) => col.notNull())
+    .addPrimaryKeyConstraint('account_device_pk', [
+      'deviceId', // first because this table will be joined from the "device" table
+      'did',
+    ])
+    .addForeignKeyConstraint(
+      'account_device_did_fk',
+      ['did'],
+      'account',
+      ['did'],
+      // cascade on delete, future-proofing on update (fk can't be altered)
+      (qb) => qb.onDelete('cascade').onUpdate('cascade'),
+    )
+    .addForeignKeyConstraint(
+      'account_device_device_id_fk',
+      ['deviceId'],
+      'device',
+      ['id'],
+      // cascade on delete, future-proofing on update (fk can't be altered)
+      (qb) => qb.onDelete('cascade').onUpdate('cascade'),
+    )
+    .execute()
+
+  // Migrate "device_account" to "account_device"
+  await db
+    .insertInto('account_device')
+    .columns(['did', 'deviceId', 'createdAt', 'updatedAt'])
+    .expression(
+      db
+        .selectFrom('device_account')
+        .select('did')
+        .select('deviceId')
+        .select('authenticatedAt as createdAt') // Best we can do
+        .select('authenticatedAt as updatedAt')
+        .where('remember', '=', 1),
+    )
+    .onConflict((oc) => oc.doNothing())
+    .execute()
+
+  // @NOTE No need to create an index on "deviceId" for "account_device" because
+  // it is the first column in the primary key constraint
+
+  await db.schema
+    .createIndex('account_device_did_idx')
+    .on('account_device')
+    .column('did')
+    .execute()
+
+  await db.schema
+    .createTable('authorized_client')
+    .addColumn('did', 'varchar', (col) => col.notNull())
+    .addColumn('clientId', 'varchar', (col) => col.notNull())
+    .addColumn('createdAt', 'varchar', (col) => col.notNull())
+    .addColumn('updatedAt', 'varchar', (col) => col.notNull())
+    .addColumn('data', 'varchar', (col) => col.notNull())
+    .addPrimaryKeyConstraint('authorized_client_pk', ['did', 'clientId'])
+    .addForeignKeyConstraint(
+      'authorized_client_did_fk',
+      ['did'],
+      'account',
+      ['did'],
+      // cascade on delete, future-proofing on update (fk can't be altered)
+      (qb) => qb.onDelete('cascade').onUpdate('cascade'),
+    )
+    .execute()
+
+  // We don't migrate the "device_account" authorized clients. Users will need
+  // to reauthorize the client during the next oauth flow (minor inconvenience
+  // for authenticated clients users).
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.dropTable('authorized_client').execute()
+  await db.schema.dropTable('account_device').execute()
+}

package/src/account-manager/db/migrations/index.ts

@@ -2,10 +2,12 @@ import * as mig001 from './001-init'
 import * as mig002 from './002-account-deactivation'
 import * as mig003 from './003-privileged-app-passwords'
 import * as mig004 from './004-oauth'
+import * as mig005 from './005-oauth-account-management'
 
 export default {
   '001': mig001,
   '002': mig002,
   '003': mig003,
   '004': mig004,
+  '005': mig005,
 }

package/src/account-manager/db/schema/account-device.ts

@@ -0,0 +1,14 @@
+import { DeviceId } from '@atproto/oauth-provider'
+import { DateISO } from '../../../db'
+
+export interface AccountDevice {
+  did: string
+  deviceId: DeviceId
+
+  createdAt: DateISO
+  updatedAt: DateISO
+}
+
+export const tableName = 'account_device'
+
+export type PartialDB = { [tableName]: AccountDevice }

package/src/account-manager/db/schema/authorization-request.ts

@@ -1,11 +1,13 @@
 import { Selectable } from 'kysely'
 import {
+  ClientAuth,
   Code,
   DeviceId,
+  OAuthAuthorizationRequestParameters,
   OAuthClientId,
   RequestId,
 } from '@atproto/oauth-provider'
-import { DateISO, JsonObject } from '../../../db'
+import { DateISO, JsonEncoded } from '../../../db'
 
 export interface AuthorizationRequest {
   id: RequestId
@@ -13,8 +15,8 @@ export interface AuthorizationRequest {
   deviceId: DeviceId | null
 
   clientId: OAuthClientId
-  clientAuth: JsonObject
-  parameters: JsonObject
+  clientAuth: JsonEncoded<ClientAuth>
+  parameters: JsonEncoded<OAuthAuthorizationRequestParameters>
   expiresAt: DateISO
   code: Code | null
 }

package/src/account-manager/db/schema/authorized-client.ts

@@ -0,0 +1,19 @@
+import { Selectable } from 'kysely'
+import { AuthorizedClientData, OAuthClientId } from '@atproto/oauth-provider'
+import { DateISO, JsonEncoded } from '../../../db'
+
+export interface AuthorizedClient {
+  did: string
+  clientId: OAuthClientId
+
+  createdAt: DateISO
+  updatedAt: DateISO
+
+  data: JsonEncoded<AuthorizedClientData>
+}
+
+export type AuthorizedClientEntry = Selectable<AuthorizedClient>
+
+export const tableName = 'authorized_client'
+
+export type PartialDB = { [tableName]: AuthorizedClient }

package/src/account-manager/db/schema/index.ts

@@ -1,9 +1,10 @@
 import * as account from './account'
+import * as accountDevice from './account-device'
 import * as actor from './actor'
 import * as appPassword from './app-password'
 import * as oauthRequest from './authorization-request'
+import * as authorizedClient from './authorized-client'
 import * as device from './device'
-import * as deviceAccount from './device-account'
 import * as emailToken from './email-token'
 import * as inviteCode from './invite-code'
 import * as refreshToken from './refresh-token'
@@ -13,8 +14,9 @@ import * as usedRefreshToken from './used-refresh-token'
 
 export type DatabaseSchema = actor.PartialDB &
   account.PartialDB &
+  accountDevice.PartialDB &
+  authorizedClient.PartialDB &
   device.PartialDB &
-  deviceAccount.PartialDB &
   oauthRequest.PartialDB &
   token.PartialDB &
   usedRefreshToken.PartialDB &
@@ -26,8 +28,8 @@ export type DatabaseSchema = actor.PartialDB &
 
 export type { Actor, ActorEntry } from './actor'
 export type { Account, AccountEntry } from './account'
+export type { AccountDevice } from './account-device'
 export type { Device } from './device'
-export type { DeviceAccount } from './device-account'
 export type { AuthorizationRequest } from './authorization-request'
 export type { Token } from './token'
 export type { UsedRefreshToken } from './used-refresh-token'

package/src/account-manager/db/schema/token.ts

@@ -1,13 +1,16 @@
 import { Generated, Selectable } from 'kysely'
 import {
+  ClientAuth,
   Code,
   DeviceId,
+  OAuthAuthorizationDetails,
+  OAuthAuthorizationRequestParameters,
   OAuthClientId,
   RefreshToken,
   Sub,
   TokenId,
 } from '@atproto/oauth-provider'
-import { DateISO, JsonArray, JsonObject } from '../../../db/cast'
+import { DateISO, JsonEncoded } from '../../../db/cast'
 
 export interface Token {
   id: Generated<number>
@@ -18,10 +21,10 @@ export interface Token {
   updatedAt: DateISO
   expiresAt: DateISO
   clientId: OAuthClientId
-  clientAuth: JsonObject
+  clientAuth: JsonEncoded<ClientAuth>
   deviceId: DeviceId | null
-  parameters: JsonObject
-  details: JsonArray | null
+  parameters: JsonEncoded<OAuthAuthorizationRequestParameters>
+  details: JsonEncoded<OAuthAuthorizationDetails> | null
   code: Code | null
   currentRefreshToken: RefreshToken | null
 }

package/src/account-manager/helpers/account-device.ts

@@ -0,0 +1,66 @@
+import assert from 'node:assert'
+import { DeviceId } from '@atproto/oauth-provider'
+import { toDateISO } from '../../db'
+import { AccountDb } from '../db'
+import { selectAccountQB } from './account'
+
+export function upsertQB(db: AccountDb, deviceId: DeviceId, did: string) {
+  const now = new Date()
+
+  return db.db
+    .insertInto('account_device')
+    .values({
+      did,
+      deviceId,
+      createdAt: toDateISO(now),
+      updatedAt: toDateISO(now),
+    })
+    .onConflict((oc) =>
+      // uses pk
+      oc.columns(['deviceId', 'did']).doUpdateSet({
+        updatedAt: toDateISO(now),
+      }),
+    )
+}
+
+export function selectQB(
+  db: AccountDb,
+  filter: {
+    sub?: string
+    deviceId?: DeviceId
+  },
+) {
+  assert(
+    filter.sub != null || filter.deviceId != null,
+    'Either sub or deviceId must be provided',
+  )
+
+  return (
+    selectAccountQB(db, { includeDeactivated: true })
+      // note: query planner should use "account_device_pk" index
+      .innerJoin('account_device', 'account_device.did', 'actor.did')
+      .select([
+        'account_device.deviceId',
+        'account_device.createdAt as adCreatedAt',
+        'account_device.updatedAt as adUpdatedAt',
+      ])
+      .innerJoin('device', 'device.id', 'account_device.deviceId')
+      .select([
+        'device.sessionId',
+        'device.userAgent',
+        'device.ipAddress',
+        'device.lastSeenAt',
+      ])
+      .if(filter.sub != null, (qb) => qb.where('actor.did', '=', filter.sub!))
+      .if(filter.deviceId != null, (qb) =>
+        qb.where('account_device.deviceId', '=', filter.deviceId!),
+      )
+  )
+}
+
+export function removeQB(db: AccountDb, deviceId: DeviceId, did: string) {
+  return db.db
+    .deleteFrom('account_device')
+    .where('deviceId', '=', deviceId)
+    .where('did', '=', did)
+}

package/src/account-manager/helpers/authorization-request.ts

@@ -6,15 +6,15 @@ import {
   RequestId,
   UpdateRequestData,
 } from '@atproto/oauth-provider'
-import { fromDateISO, fromJsonObject, toDateISO, toJsonObject } from '../../db'
+import { fromDateISO, fromJson, toDateISO, toJson } from '../../db'
 import { AccountDb, AuthorizationRequest } from '../db'
 
 export const rowToRequestData = (
   row: Selectable<AuthorizationRequest>,
 ): RequestData => ({
   clientId: row.clientId,
-  clientAuth: fromJsonObject(row.clientAuth),
-  parameters: fromJsonObject(row.parameters),
+  clientAuth: fromJson(row.clientAuth),
+  parameters: fromJson(row.parameters),
   expiresAt: fromDateISO(row.expiresAt),
   deviceId: row.deviceId,
   sub: row.did,
@@ -37,8 +37,8 @@ const requestDataToRow = (
   deviceId: data.deviceId,
 
   clientId: data.clientId,
-  clientAuth: toJsonObject(data.clientAuth),
-  parameters: toJsonObject(data.parameters),
+  clientAuth: toJson(data.clientAuth),
+  parameters: toJson(data.parameters),
   expiresAt: toDateISO(data.expiresAt),
   code: data.code,
 })

package/src/account-manager/helpers/authorized-client.ts

@@ -0,0 +1,69 @@
+import {
+  AuthorizedClientData,
+  AuthorizedClients,
+  ClientId,
+  Sub,
+} from '@atproto/oauth-provider'
+import { fromJson, toDateISO, toJson } from '../../db'
+import { AccountDb } from '../db'
+
+export async function upsert(
+  db: AccountDb,
+  did: string,
+  clientId: ClientId,
+  data: AuthorizedClientData,
+) {
+  const now = new Date()
+
+  return db.db
+    .insertInto('authorized_client')
+    .values({
+      did,
+      clientId,
+      createdAt: toDateISO(now),
+      updatedAt: toDateISO(now),
+      data: toJson(data),
+    })
+    .onConflict((oc) =>
+      // uses "authorized_client_pk" idx
+      oc.columns(['did', 'clientId']).doUpdateSet({
+        updatedAt: toDateISO(now),
+        data: toJson(data),
+      }),
+    )
+    .executeTakeFirst()
+}
+
+export async function getAuthorizedClients(
+  db: AccountDb,
+  did: string,
+): Promise<AuthorizedClients> {
+  return (await getAuthorizedClientsMulti(db, [did])).get(did)!
+}
+
+export async function getAuthorizedClientsMulti(
+  db: AccountDb,
+  dids: Iterable<string>,
+): Promise<Map<Sub, AuthorizedClients>> {
+  // Using a Map will ensure unicity of dids (through unicity of keys)
+  const map = new Map<Sub, AuthorizedClients>(
+    Array.from(dids, (did) => [did, new Map()]),
+  )
+
+  if (map.size) {
+    const found = await db.db
+      .selectFrom('authorized_client')
+      .select('did')
+      .select('clientId')
+      .select('data')
+      // uses "authorized_client_pk"
+      .where('did', 'in', [...map.keys()])
+      .execute()
+
+    for (const { did, clientId, data } of found) {
+      map.get(did)!.set(clientId, fromJson(data))
+    }
+  }
+
+  return map
+}

package/src/account-manager/helpers/device.ts

@@ -3,7 +3,9 @@ import { DeviceData, DeviceId } from '@atproto/oauth-provider'
 import { fromDateISO, toDateISO } from '../../db'
 import { AccountDb, Device } from '../db'
 
-export const rowToDeviceData = (row: Selectable<Device>): DeviceData => ({
+export const rowToDeviceData = (
+  row: Omit<Selectable<Device>, 'id'>,
+): DeviceData => ({
   sessionId: row.sessionId,
   userAgent: row.userAgent,
   ipAddress: row.ipAddress,