@atproto/pds 0.4.123 → 0.4.125

package/src/account-manager/db/schema/authorized-client.ts

@@ -0,0 +1,19 @@
+import { Selectable } from 'kysely'
+import { AuthorizedClientData, OAuthClientId } from '@atproto/oauth-provider'
+import { DateISO, JsonEncoded } from '../../../db'
+
+export interface AuthorizedClient {
+  did: string
+  clientId: OAuthClientId
+
+  createdAt: DateISO
+  updatedAt: DateISO
+
+  data: JsonEncoded<AuthorizedClientData>
+}
+
+export type AuthorizedClientEntry = Selectable<AuthorizedClient>
+
+export const tableName = 'authorized_client'
+
+export type PartialDB = { [tableName]: AuthorizedClient }

package/src/account-manager/db/schema/index.ts

@@ -1,9 +1,10 @@
 import * as account from './account'
+import * as accountDevice from './account-device'
 import * as actor from './actor'
 import * as appPassword from './app-password'
 import * as oauthRequest from './authorization-request'
+import * as authorizedClient from './authorized-client'
 import * as device from './device'
-import * as deviceAccount from './device-account'
 import * as emailToken from './email-token'
 import * as inviteCode from './invite-code'
 import * as refreshToken from './refresh-token'
@@ -13,8 +14,9 @@ import * as usedRefreshToken from './used-refresh-token'
 
 export type DatabaseSchema = actor.PartialDB &
   account.PartialDB &
+  accountDevice.PartialDB &
+  authorizedClient.PartialDB &
   device.PartialDB &
-  deviceAccount.PartialDB &
   oauthRequest.PartialDB &
   token.PartialDB &
   usedRefreshToken.PartialDB &
@@ -26,8 +28,8 @@ export type DatabaseSchema = actor.PartialDB &
 
 export type { Actor, ActorEntry } from './actor'
 export type { Account, AccountEntry } from './account'
+export type { AccountDevice } from './account-device'
 export type { Device } from './device'
-export type { DeviceAccount } from './device-account'
 export type { AuthorizationRequest } from './authorization-request'
 export type { Token } from './token'
 export type { UsedRefreshToken } from './used-refresh-token'

package/src/account-manager/db/schema/token.ts

@@ -1,13 +1,16 @@
 import { Generated, Selectable } from 'kysely'
 import {
+  ClientAuth,
   Code,
   DeviceId,
+  OAuthAuthorizationDetails,
+  OAuthAuthorizationRequestParameters,
   OAuthClientId,
   RefreshToken,
   Sub,
   TokenId,
 } from '@atproto/oauth-provider'
-import { DateISO, JsonArray, JsonObject } from '../../../db/cast'
+import { DateISO, JsonEncoded } from '../../../db/cast'
 
 export interface Token {
   id: Generated<number>
@@ -18,10 +21,10 @@ export interface Token {
   updatedAt: DateISO
   expiresAt: DateISO
   clientId: OAuthClientId
-  clientAuth: JsonObject
+  clientAuth: JsonEncoded<ClientAuth>
   deviceId: DeviceId | null
-  parameters: JsonObject
-  details: JsonArray | null
+  parameters: JsonEncoded<OAuthAuthorizationRequestParameters>
+  details: JsonEncoded<OAuthAuthorizationDetails> | null
   code: Code | null
   currentRefreshToken: RefreshToken | null
 }

package/src/account-manager/helpers/account-device.ts

@@ -0,0 +1,66 @@
+import assert from 'node:assert'
+import { DeviceId } from '@atproto/oauth-provider'
+import { toDateISO } from '../../db'
+import { AccountDb } from '../db'
+import { selectAccountQB } from './account'
+
+export function upsertQB(db: AccountDb, deviceId: DeviceId, did: string) {
+  const now = new Date()
+
+  return db.db
+    .insertInto('account_device')
+    .values({
+      did,
+      deviceId,
+      createdAt: toDateISO(now),
+      updatedAt: toDateISO(now),
+    })
+    .onConflict((oc) =>
+      // uses pk
+      oc.columns(['deviceId', 'did']).doUpdateSet({
+        updatedAt: toDateISO(now),
+      }),
+    )
+}
+
+export function selectQB(
+  db: AccountDb,
+  filter: {
+    sub?: string
+    deviceId?: DeviceId
+  },
+) {
+  assert(
+    filter.sub != null || filter.deviceId != null,
+    'Either sub or deviceId must be provided',
+  )
+
+  return (
+    selectAccountQB(db, { includeDeactivated: true })
+      // note: query planner should use "account_device_pk" index
+      .innerJoin('account_device', 'account_device.did', 'actor.did')
+      .select([
+        'account_device.deviceId',
+        'account_device.createdAt as adCreatedAt',
+        'account_device.updatedAt as adUpdatedAt',
+      ])
+      .innerJoin('device', 'device.id', 'account_device.deviceId')
+      .select([
+        'device.sessionId',
+        'device.userAgent',
+        'device.ipAddress',
+        'device.lastSeenAt',
+      ])
+      .if(filter.sub != null, (qb) => qb.where('actor.did', '=', filter.sub!))
+      .if(filter.deviceId != null, (qb) =>
+        qb.where('account_device.deviceId', '=', filter.deviceId!),
+      )
+  )
+}
+
+export function removeQB(db: AccountDb, deviceId: DeviceId, did: string) {
+  return db.db
+    .deleteFrom('account_device')
+    .where('deviceId', '=', deviceId)
+    .where('did', '=', did)
+}

package/src/account-manager/helpers/authorization-request.ts

@@ -6,15 +6,15 @@ import {
   RequestId,
   UpdateRequestData,
 } from '@atproto/oauth-provider'
-import { fromDateISO, fromJsonObject, toDateISO, toJsonObject } from '../../db'
+import { fromDateISO, fromJson, toDateISO, toJson } from '../../db'
 import { AccountDb, AuthorizationRequest } from '../db'
 
 export const rowToRequestData = (
   row: Selectable<AuthorizationRequest>,
 ): RequestData => ({
   clientId: row.clientId,
-  clientAuth: fromJsonObject(row.clientAuth),
-  parameters: fromJsonObject(row.parameters),
+  clientAuth: fromJson(row.clientAuth),
+  parameters: fromJson(row.parameters),
   expiresAt: fromDateISO(row.expiresAt),
   deviceId: row.deviceId,
   sub: row.did,
@@ -37,8 +37,8 @@ const requestDataToRow = (
   deviceId: data.deviceId,
 
   clientId: data.clientId,
-  clientAuth: toJsonObject(data.clientAuth),
-  parameters: toJsonObject(data.parameters),
+  clientAuth: toJson(data.clientAuth),
+  parameters: toJson(data.parameters),
   expiresAt: toDateISO(data.expiresAt),
   code: data.code,
 })

package/src/account-manager/helpers/authorized-client.ts

@@ -0,0 +1,69 @@
+import {
+  AuthorizedClientData,
+  AuthorizedClients,
+  ClientId,
+  Sub,
+} from '@atproto/oauth-provider'
+import { fromJson, toDateISO, toJson } from '../../db'
+import { AccountDb } from '../db'
+
+export async function upsert(
+  db: AccountDb,
+  did: string,
+  clientId: ClientId,
+  data: AuthorizedClientData,
+) {
+  const now = new Date()
+
+  return db.db
+    .insertInto('authorized_client')
+    .values({
+      did,
+      clientId,
+      createdAt: toDateISO(now),
+      updatedAt: toDateISO(now),
+      data: toJson(data),
+    })
+    .onConflict((oc) =>
+      // uses "authorized_client_pk" idx
+      oc.columns(['did', 'clientId']).doUpdateSet({
+        updatedAt: toDateISO(now),
+        data: toJson(data),
+      }),
+    )
+    .executeTakeFirst()
+}
+
+export async function getAuthorizedClients(
+  db: AccountDb,
+  did: string,
+): Promise<AuthorizedClients> {
+  return (await getAuthorizedClientsMulti(db, [did])).get(did)!
+}
+
+export async function getAuthorizedClientsMulti(
+  db: AccountDb,
+  dids: Iterable<string>,
+): Promise<Map<Sub, AuthorizedClients>> {
+  // Using a Map will ensure unicity of dids (through unicity of keys)
+  const map = new Map<Sub, AuthorizedClients>(
+    Array.from(dids, (did) => [did, new Map()]),
+  )
+
+  if (map.size) {
+    const found = await db.db
+      .selectFrom('authorized_client')
+      .select('did')
+      .select('clientId')
+      .select('data')
+      // uses "authorized_client_pk"
+      .where('did', 'in', [...map.keys()])
+      .execute()
+
+    for (const { did, clientId, data } of found) {
+      map.get(did)!.set(clientId, fromJson(data))
+    }
+  }
+
+  return map
+}

package/src/account-manager/helpers/device.ts

@@ -3,7 +3,9 @@ import { DeviceData, DeviceId } from '@atproto/oauth-provider'
 import { fromDateISO, toDateISO } from '../../db'
 import { AccountDb, Device } from '../db'
 
-export const rowToDeviceData = (row: Selectable<Device>): DeviceData => ({
+export const rowToDeviceData = (
+  row: Omit<Selectable<Device>, 'id'>,
+): DeviceData => ({
   sessionId: row.sessionId,
   userAgent: row.userAgent,
   ipAddress: row.ipAddress,

package/src/account-manager/helpers/token.ts

@@ -2,75 +2,34 @@ import { Selectable } from 'kysely'
 import {
   Code,
   NewTokenData,
-  OAuthAuthorizationDetail,
   RefreshToken,
   TokenData,
   TokenId,
-  TokenInfo,
 } from '@atproto/oauth-provider'
-import {
-  fromDateISO,
-  fromJsonArray,
-  fromJsonObject,
-  toDateISO,
-  toJsonArray,
-  toJsonObject,
-} from '../../db'
+import { fromDateISO, fromJson, toDateISO, toJson } from '../../db'
 import { AccountDb, Token } from '../db'
-import { ActorAccount, selectAccountQB } from './account'
-import {
-  SelectableDeviceAccount,
-  toAccount,
-  toDeviceAccountInfo,
-} from './device-account'
-
-type LeftJoined<T> = { [K in keyof T]: null | T[K] }
+import { selectAccountQB } from './account'
 
-export type ActorAccountToken = Selectable<ActorAccount> &
-  Selectable<Omit<Token, 'id' | 'did'>> &
-  LeftJoined<SelectableDeviceAccount>
-
-export const toTokenInfo = (
-  row: ActorAccountToken,
-  audience: string,
-): TokenInfo => ({
-  id: row.tokenId,
-  data: {
+export function toTokenData(row: Selectable<Token>): TokenData {
+  return {
     createdAt: fromDateISO(row.createdAt),
     expiresAt: fromDateISO(row.expiresAt),
     updatedAt: fromDateISO(row.updatedAt),
     clientId: row.clientId,
-    clientAuth: fromJsonObject(row.clientAuth),
+    clientAuth: fromJson(row.clientAuth),
     deviceId: row.deviceId,
     sub: row.did,
-    parameters: fromJsonObject(row.parameters),
-    details: row.details
-      ? fromJsonArray<OAuthAuthorizationDetail>(row.details)
-      : null,
+    parameters: fromJson(row.parameters),
     code: row.code,
-  },
-  account: toAccount(row, audience),
-  info:
-    row.authenticatedAt != null &&
-    row.authorizedClients != null &&
-    row.remember != null
-      ? toDeviceAccountInfo(row as SelectableDeviceAccount)
-      : undefined,
-  currentRefreshToken: row.currentRefreshToken,
-})
+  }
+}
 
 const selectTokenInfoQB = (db: AccountDb) =>
   selectAccountQB(db, { includeDeactivated: true })
     // uses "token_did_idx" index (though unlikely in practice)
     .innerJoin('token', 'token.did', 'actor.did')
-    .leftJoin('device_account', (join) =>
-      join
-        // uses "device_account_pk" index
-        .on('device_account.did', '=', 'token.did')
-        // @ts-expect-error "deviceId" is nullable in token
-        .on('device_account.deviceId', '=', 'token.deviceId'),
-    )
     .select([
+      'token.id',
       'token.tokenId',
       'token.createdAt',
       'token.updatedAt',
@@ -83,9 +42,6 @@ const selectTokenInfoQB = (db: AccountDb) =>
       'token.details',
       'token.code',
       'token.currentRefreshToken',
-      'device_account.authenticatedAt',
-      'device_account.authorizedClients',
-      'device_account.remember',
     ])
 
 export const createQB = (
@@ -100,11 +56,11 @@ export const createQB = (
     expiresAt: toDateISO(data.expiresAt),
     updatedAt: toDateISO(data.updatedAt),
     clientId: data.clientId,
-    clientAuth: toJsonObject(data.clientAuth),
+    clientAuth: toJson(data.clientAuth),
     deviceId: data.deviceId,
     did: data.sub,
-    parameters: toJsonObject(data.parameters),
-    details: data.details ? toJsonArray(data.details) : null,
+    parameters: toJson(data.parameters),
+    details: data.details ? toJson(data.details) : null,
     code: data.code,
     currentRefreshToken: refreshToken || null,
   })
@@ -120,6 +76,7 @@ export const findByQB = (
   db: AccountDb,
   search: {
     id?: number
+    did?: string
     code?: Code
     tokenId?: TokenId
     currentRefreshToken?: RefreshToken
@@ -127,6 +84,7 @@ export const findByQB = (
 ) => {
   if (
     search.id === undefined &&
+    search.did === undefined &&
     search.code === undefined &&
     search.tokenId === undefined &&
     search.currentRefreshToken === undefined
@@ -140,6 +98,10 @@ export const findByQB = (
       // uses primary key index
       qb.where('token.id', '=', search.id!),
     )
+    .if(search.did !== undefined, (qb) =>
+      // uses "token_did_idx" index
+      qb.where('token.did', '=', search.did!),
+    )
     .if(search.code !== undefined, (qb) =>
       // uses "token_code_idx" partial index (hence the null check)
       qb
@@ -175,7 +137,7 @@ export const rotateQB = (
 
       expiresAt: toDateISO(newData.expiresAt),
       updatedAt: toDateISO(newData.updatedAt),
-      clientAuth: toJsonObject(newData.clientAuth),
+      clientAuth: toJson(newData.clientAuth),
     })
     // uses primary key index
     .where('id', '=', id)