@atproto/pds 0.4.137 → 0.4.139

package/src/auth-verifier.ts

@@ -46,17 +46,17 @@ export enum RoleStatus {
   Missing,
 }
 
-type NullOutput = {
+export type NullOutput = {
   credentials: null
 }
 
-type AdminTokenOutput = {
+export type AdminTokenOutput = {
   credentials: {
     type: 'admin_token'
   }
 }
 
-type ModServiceOutput = {
+export type ModServiceOutput = {
   credentials: {
     type: 'mod_service'
     aud: string
@@ -64,29 +64,35 @@ type ModServiceOutput = {
   }
 }
 
-type AccessOutput = {
+export type AccessOutput = {
   credentials: {
     type: 'access'
     did: string
     scope: AuthScope
-    audience: string | undefined
     isPrivileged: boolean
   }
-  artifacts: string
 }
 
-type RefreshOutput = {
+export type OAuthOutput = {
+  credentials: {
+    type: 'oauth'
+    did: string
+    scope: AuthScope
+    isPrivileged: boolean
+    oauthScopes: Set<string>
+  }
+}
+
+export type RefreshOutput = {
   credentials: {
     type: 'refresh'
     did: string
     scope: AuthScope
-    audience: string | undefined
     tokenId: string
   }
-  artifacts: string
 }
 
-type UserServiceAuthOutput = {
+export type UserServiceAuthOutput = {
   credentials: {
     type: 'user_service_auth'
     aud: string
@@ -139,7 +145,7 @@ export class AuthVerifier {
 
   accessStandard =
     (opts: Partial<AccessOpts> = {}) =>
-    async (ctx: ReqCtx): Promise<AccessOutput> => {
+    async (ctx: ReqCtx): Promise<AccessOutput | OAuthOutput> => {
       return this.validateAccessToken(
         ctx,
         [
@@ -154,7 +160,7 @@ export class AuthVerifier {
 
   accessFull =
     (opts: Partial<AccessOpts> = {}) =>
-    (ctx: ReqCtx): Promise<AccessOutput> => {
+    (ctx: ReqCtx): Promise<AccessOutput | OAuthOutput> => {
       return this.validateAccessToken(
         ctx,
         [AuthScope.Access, ...(opts.additional ?? [])],
@@ -164,7 +170,7 @@ export class AuthVerifier {
 
   accessPrivileged =
     (opts: Partial<AccessOpts> = {}) =>
-    (ctx: ReqCtx): Promise<AccessOutput> => {
+    (ctx: ReqCtx): Promise<AccessOutput | OAuthOutput> => {
       return this.validateAccessToken(ctx, [
         AuthScope.Access,
         AuthScope.AppPassPrivileged,
@@ -173,34 +179,30 @@ export class AuthVerifier {
     }
 
   refresh = async (ctx: ReqCtx): Promise<RefreshOutput> => {
-    const { did, scope, token, tokenId, audience } =
-      await this.validateRefreshToken(ctx)
+    const { did, scope, tokenId } = await this.validateRefreshToken(ctx)
 
     return {
       credentials: {
         type: 'refresh',
         did,
         scope,
-        audience,
         tokenId,
       },
-      artifacts: token,
     }
   }
 
   refreshExpired = async (ctx: ReqCtx): Promise<RefreshOutput> => {
-    const { did, scope, token, tokenId, audience } =
-      await this.validateRefreshToken(ctx, { clockTolerance: Infinity })
+    const { did, scope, tokenId } = await this.validateRefreshToken(ctx, {
+      clockTolerance: Infinity,
+    })
 
     return {
       credentials: {
         type: 'refresh',
         did,
         scope,
-        audience,
         tokenId,
       },
-      artifacts: token,
     }
   }
 
@@ -213,7 +215,7 @@ export class AuthVerifier {
     (opts: Partial<AccessOpts> = {}) =>
     async (
       ctx: ReqCtx,
-    ): Promise<AccessOutput | AdminTokenOutput | NullOutput> => {
+    ): Promise<AccessOutput | OAuthOutput | AdminTokenOutput | NullOutput> => {
       if (isAccessToken(ctx.req)) {
         return await this.accessStandard(opts)(ctx)
       } else if (isBasicToken(ctx.req)) {
@@ -258,7 +260,9 @@ export class AuthVerifier {
 
   accessOrUserServiceAuth =
     (opts: Partial<AccessOpts> = {}) =>
-    async (ctx: ReqCtx): Promise<UserServiceAuthOutput | AccessOutput> => {
+    async (
+      ctx: ReqCtx,
+    ): Promise<UserServiceAuthOutput | AccessOutput | OAuthOutput> => {
       const token = bearerTokenFromReq(ctx.req)
       if (token) {
         const payload = jose.decodeJwt(token)
@@ -411,10 +415,10 @@ export class AuthVerifier {
       checkTakedown = false,
       checkDeactivated = false,
     }: { checkTakedown?: boolean; checkDeactivated?: boolean } = {},
-  ): Promise<AccessOutput> {
+  ): Promise<AccessOutput | OAuthOutput> {
     this.setAuthHeaders(ctx)
 
-    let accessOutput: AccessOutput
+    let accessOutput: AccessOutput | OAuthOutput
 
     const [type] = parseAuthorizationHeader(ctx.req.headers.authorization)
     switch (type) {
@@ -467,7 +471,7 @@ export class AuthVerifier {
   protected async validateDpopAccessToken(
     ctx: ReqCtx,
     scopes: AuthScope[],
-  ): Promise<AccessOutput> {
+  ): Promise<OAuthOutput> {
     this.setAuthHeaders(ctx)
 
     const { req } = ctx
@@ -498,16 +502,16 @@ export class AuthVerifier {
         throw new InvalidRequestError('Malformed token', 'InvalidToken')
       }
 
-      const tokenScopes = new Set(result.claims.scope?.split(' '))
+      const oauthScopes = new Set(result.claims.scope?.split(' '))
 
-      if (!tokenScopes.has('transition:generic')) {
+      if (!oauthScopes.has('transition:generic')) {
         throw new AuthRequiredError(
           'Missing required scope: transition:generic',
           'InvalidToken',
         )
       }
 
-      const scopeEquivalent: AuthScope = tokenScopes.has('transition:chat.bsky')
+      const scopeEquivalent: AuthScope = oauthScopes.has('transition:chat.bsky')
         ? AuthScope.AppPassPrivileged
         : AuthScope.AppPass
 
@@ -530,13 +534,12 @@ export class AuthVerifier {
 
       return {
         credentials: {
-          type: 'access',
+          type: 'oauth',
           did: result.claims.sub,
           scope: scopeEquivalent,
-          audience: this.dids.pds,
+          oauthScopes,
           isPrivileged: scopeEquivalent === AuthScope.AppPassPrivileged,
         },
-        artifacts: result.token,
       }
     } catch (err) {
       // Make sure to include any WWW-Authenticate header in the response
@@ -558,24 +561,21 @@ export class AuthVerifier {
     ctx: ReqCtx,
     scopes: AuthScope[],
   ): Promise<AccessOutput> {
-    const { did, scope, token, audience } = await this.validateBearerToken(
-      ctx,
-      scopes,
-      { audience: this.dids.pds, typ: 'at+jwt' },
-    )
-    const isPrivileged = [
-      AuthScope.Access,
-      AuthScope.AppPassPrivileged,
-    ].includes(scope)
+    const { did, scope } = await this.validateBearerToken(ctx, scopes, {
+      audience: this.dids.pds,
+      typ: 'at+jwt',
+    })
+
+    const isPrivileged =
+      scope === AuthScope.Access || scope === AuthScope.AppPassPrivileged
+
     return {
       credentials: {
         type: 'access',
         did,
         scope,
-        audience,
         isPrivileged,
       },
-      artifacts: token,
     }
   }
 
@@ -632,7 +632,7 @@ export class AuthVerifier {
   }
 
   isUserOrAdmin(
-    auth: AccessOutput | AdminTokenOutput | NullOutput,
+    auth: AccessOutput | OAuthOutput | AdminTokenOutput | NullOutput,
     did: string,
   ): boolean {
     if (!auth.credentials) {

package/src/config/config.ts

@@ -272,7 +272,7 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
                 }
               : undefined,
           branding: {
-            name: env.serviceName ?? 'Personal PDS',
+            name: env.serviceName ?? `${hostname} PDS`,
             logo: env.logoUrl,
             colors: {
               light: env.lightColor,

package/src/context.ts

@@ -363,7 +363,11 @@ export class AppContext {
           safeFetch,
           metadata: {
             protected_resources: [new URL(cfg.oauth.issuer).origin],
-            scopes_supported: ['transition:generic', 'transition:chat.bsky'],
+            scopes_supported: [
+              'transition:email',
+              'transition:generic',
+              'transition:chat.bsky',
+            ],
           },
           // If the PDS is both an authorization server & resource server (no
           // entryway), there is no need to use JWTs as access tokens. Instead,

package/src/lexicon/lexicons.ts

@@ -6221,6 +6221,12 @@ export const schemaDict = {
               'Context provided by feed generator that may be passed back alongside interactions.',
             maxLength: 2000,
           },
+          reqId: {
+            type: 'string',
+            description:
+              'Unique identifier per request that may be passed back alongside interactions.',
+            maxLength: 100,
+          },
         },
       },
       replyRef: {
@@ -6259,6 +6265,14 @@ export const schemaDict = {
             type: 'ref',
             ref: 'lex:app.bsky.actor.defs#profileViewBasic',
           },
+          uri: {
+            type: 'string',
+            format: 'at-uri',
+          },
+          cid: {
+            type: 'string',
+            format: 'cid',
+          },
           indexedAt: {
             type: 'string',
             format: 'datetime',
@@ -6517,6 +6531,12 @@ export const schemaDict = {
               'Context on a feed item that was originally supplied by the feed generator on getFeedSkeleton.',
             maxLength: 2000,
           },
+          reqId: {
+            type: 'string',
+            description:
+              'Unique identifier per request that may be passed back alongside interactions.',
+            maxLength: 100,
+          },
         },
       },
       requestLess: {
@@ -7065,6 +7085,12 @@ export const schemaDict = {
                   ref: 'lex:app.bsky.feed.defs#skeletonFeedPost',
                 },
               },
+              reqId: {
+                type: 'string',
+                description:
+                  'Unique identifier per request that may be passed back alongside interactions.',
+                maxLength: 100,
+              },
             },
           },
         },
@@ -7558,6 +7584,10 @@ export const schemaDict = {
               type: 'string',
               format: 'datetime',
             },
+            via: {
+              type: 'ref',
+              ref: 'lex:com.atproto.repo.strongRef',
+            },
           },
         },
       },
@@ -7772,6 +7802,10 @@ export const schemaDict = {
               type: 'string',
               format: 'datetime',
             },
+            via: {
+              type: 'ref',
+              ref: 'lex:com.atproto.repo.strongRef',
+            },
           },
         },
       },
@@ -7784,7 +7818,7 @@ export const schemaDict = {
       main: {
         type: 'query',
         description:
-          'Find posts matching search criteria, returning views of those posts.',
+          'Find posts matching search criteria, returning views of those posts. Note that this API endpoint may require authentication (eg, not public) for some service providers and implementations.',
         parameters: {
           type: 'params',
           required: ['q'],
@@ -9827,7 +9861,7 @@ export const schemaDict = {
           reason: {
             type: 'string',
             description:
-              "Expected values are 'like', 'repost', 'follow', 'mention', 'reply', 'quote', 'starterpack-joined', 'verified', and 'unverified'.",
+              'The reason why this notification was delivered - e.g. your post was liked, or you received a new follower.',
             knownValues: [
               'like',
               'repost',
@@ -9838,6 +9872,8 @@ export const schemaDict = {
               'starterpack-joined',
               'verified',
               'unverified',
+              'like-via-repost',
+              'repost-via-repost',
             ],
           },
           reasonSubject: {

package/src/lexicon/types/app/bsky/feed/defs.ts

@@ -100,6 +100,8 @@ export interface FeedViewPost {
   reason?: $Typed<ReasonRepost> | $Typed<ReasonPin> | { $type: string }
   /** Context provided by feed generator that may be passed back alongside interactions. */
   feedContext?: string
+  /** Unique identifier per request that may be passed back alongside interactions. */
+  reqId?: string
 }
 
 const hashFeedViewPost = 'feedViewPost'
@@ -140,6 +142,8 @@ export function validateReplyRef<V>(v: V) {
 export interface ReasonRepost {
   $type?: 'app.bsky.feed.defs#reasonRepost'
   by: AppBskyActorDefs.ProfileViewBasic
+  uri?: string
+  cid?: string
   indexedAt: string
 }
 
@@ -376,6 +380,8 @@ export interface Interaction {
     | (string & {})
   /** Context on a feed item that was originally supplied by the feed generator on getFeedSkeleton. */
   feedContext?: string
+  /** Unique identifier per request that may be passed back alongside interactions. */
+  reqId?: string
 }
 
 const hashInteraction = 'interaction'

package/src/lexicon/types/app/bsky/feed/getFeedSkeleton.ts

@@ -29,6 +29,8 @@ export type InputSchema = undefined
 export interface OutputSchema {
   cursor?: string
   feed: AppBskyFeedDefs.SkeletonFeedPost[]
+  /** Unique identifier per request that may be passed back alongside interactions. */
+  reqId?: string
 }
 
 export type HandlerInput = undefined

package/src/lexicon/types/app/bsky/feed/like.ts

@@ -19,6 +19,7 @@ export interface Record {
   $type: 'app.bsky.feed.like'
   subject: ComAtprotoRepoStrongRef.Main
   createdAt: string
+  via?: ComAtprotoRepoStrongRef.Main
   [k: string]: unknown
 }
 

package/src/lexicon/types/app/bsky/feed/repost.ts

@@ -19,6 +19,7 @@ export interface Record {
   $type: 'app.bsky.feed.repost'
   subject: ComAtprotoRepoStrongRef.Main
   createdAt: string
+  via?: ComAtprotoRepoStrongRef.Main
   [k: string]: unknown
 }
 

package/src/lexicon/types/app/bsky/notification/listNotifications.ts

@@ -67,7 +67,7 @@ export interface Notification {
   uri: string
   cid: string
   author: AppBskyActorDefs.ProfileView
-  /** Expected values are 'like', 'repost', 'follow', 'mention', 'reply', 'quote', 'starterpack-joined', 'verified', and 'unverified'. */
+  /** The reason why this notification was delivered - e.g. your post was liked, or you received a new follower. */
   reason:
     | 'like'
     | 'repost'
@@ -78,6 +78,8 @@ export interface Notification {
     | 'starterpack-joined'
     | 'verified'
     | 'unverified'
+    | 'like-via-repost'
+    | 'repost-via-repost'
     | (string & {})
   reasonSubject?: string
   record: { [_ in string]: unknown }

package/src/pipethrough.ts

@@ -503,6 +503,7 @@ export const PROTECTED_METHODS = new Set<string>([
   ids.ComAtprotoServerCreateAppPassword,
   ids.ComAtprotoServerDeactivateAccount,
   ids.ComAtprotoServerGetAccountInviteCodes,
+  ids.ComAtprotoServerGetSession,
   ids.ComAtprotoServerListAppPasswords,
   ids.ComAtprotoServerRequestAccountDelete,
   ids.ComAtprotoServerRequestEmailConfirmation,