npm - @atproto/pds - Versions diffs - 0.4.164 → 0.4.166 - Mend

@atproto/pds 0.4.164 → 0.4.166

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (296) hide show

package/src/actor-store/preference/reader.ts CHANGED Viewed

@@ -1,13 +1,12 @@
-import { AuthScope } from '../../auth-verifier'
 import { ActorDb } from '../db'
-import { prefInScope } from './util'
+import { PrefAllowedOptions, prefAllowed } from './util'
 export class PreferenceReader {
   constructor(public db: ActorDb) {}
   async getPreferences(
     namespace: string,
-    scope: AuthScope,
+    opts: PrefAllowedOptions,
   ): Promise<AccountPreference[]> {
     const prefsRes = await this.db.db
       .selectFrom('account_pref')
@@ -16,7 +15,7 @@ export class PreferenceReader {
       .execute()
     return prefsRes
       .filter((pref) => !namespace || prefMatchNamespace(namespace, pref.name))
-      .filter((pref) => prefInScope(scope, pref.name))
+      .filter((pref) => prefAllowed(pref.name, opts))
       .map((pref) => JSON.parse(pref.valueJson) as AccountPreference)
   }
 }

package/src/actor-store/preference/transactor.ts CHANGED Viewed

@@ -1,17 +1,16 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { AuthScope } from '../../auth-verifier'
 import {
   AccountPreference,
   PreferenceReader,
   prefMatchNamespace,
 } from './reader'
-import { prefInScope } from './util'
+import { PrefAllowedOptions, prefAllowed } from './util'
 export class PreferenceTransactor extends PreferenceReader {
   async putPreferences(
     values: AccountPreference[],
     namespace: string,
-    scope: AuthScope,
+    opts: PrefAllowedOptions,
   ): Promise<void> {
     this.db.assertTransaction()
     if (!values.every((value) => prefMatchNamespace(namespace, value.$type))) {
@@ -19,10 +18,10 @@ export class PreferenceTransactor extends PreferenceReader {
         `Some preferences are not in the ${namespace} namespace`,
       )
     }
-    const notInScope = values.filter((val) => !prefInScope(scope, val.$type))
-    if (notInScope.length > 0) {
+    const forbiddenPrefs = values.filter((val) => !prefAllowed(val.$type, opts))
+    if (forbiddenPrefs.length > 0) {
       throw new InvalidRequestError(
-        `Do not have authorization to set preferences: ${notInScope.join(', ')}`,
+        `Do not have authorization to set preferences: ${forbiddenPrefs.map((p) => p.$type).join(', ')}`,
       )
     }
     // get all current prefs for user and prep new pref rows
@@ -38,7 +37,7 @@ export class PreferenceTransactor extends PreferenceReader {
     })
     const allPrefIdsInNamespace = allPrefs
       .filter((pref) => prefMatchNamespace(namespace, pref.name))
-      .filter((pref) => prefInScope(scope, pref.name))
+      .filter((pref) => prefAllowed(pref.name, opts))
       .map((pref) => pref.id)
     // replace all prefs in given namespace
     if (allPrefIdsInNamespace.length) {

package/src/actor-store/preference/util.ts CHANGED Viewed

@@ -1,8 +1,18 @@
-import { AuthScope } from '../../auth-verifier'
+const FULL_ACCESS_ONLY_PREFS = new Set([
+  'app.bsky.actor.defs#personalDetailsPref',
+])
-const FULL_ACCESS_ONLY_PREFS = ['app.bsky.actor.defs#personalDetailsPref']
+export type PrefAllowedOptions = {
+  hasAccessFull?: boolean
+}
+export function prefAllowed(
+  prefType: string,
+  options?: PrefAllowedOptions,
+): boolean {
+  if (options?.hasAccessFull === true) {
+    return true
+  }
-export const prefInScope = (scope: AuthScope, prefType: string) => {
-  if (scope === AuthScope.Access) return true
-  return !FULL_ACCESS_ONLY_PREFS.includes(prefType)
+  return !FULL_ACCESS_ONLY_PREFS.has(prefType)
 }

package/src/api/app/bsky/actor/getPreferences.ts CHANGED Viewed

@@ -1,19 +1,44 @@
-import { AuthScope } from '../../../../auth-verifier'
+import { AuthScope, isAccessFull } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
+import { computeProxyTo, pipethrough } from '../../../../pipethrough'
 export default function (server: Server, ctx: AppContext) {
-  if (!ctx.bskyAppView) return
+  const { bskyAppView } = ctx
+  if (!bskyAppView) return
   server.app.bsky.actor.getPreferences({
-    auth: ctx.authVerifier.accessStandard({
+    auth: ctx.authVerifier.authorization({
       additional: [AuthScope.Takendown],
+      authorize: (permissions, { req }) => {
+        const lxm = ids.AppBskyActorGetPreferences
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+      },
     }),
-    handler: async ({ auth }) => {
-      const requester = auth.credentials.did
-      const preferences = await ctx.actorStore.read(requester, (store) =>
-        store.pref.getPreferences('app.bsky', auth.credentials.scope),
-      )
+    handler: async ({ auth, req }) => {
+      const { did } = auth.credentials
+      // If the request has a proxy header different from the bsky app view,
+      // we need to proxy the request to the requested app view.
+      // @TODO This behavior should not be implemented as part of the XRPC framework
+      const lxm = ids.AppBskyActorGetPreferences
+      const aud = computeProxyTo(ctx, req, lxm)
+      if (aud !== `${bskyAppView.did}#bsky_appview`) {
+        return pipethrough(ctx, req, { iss: did, aud, lxm })
+      }
+      const hasAccessFull =
+        auth.credentials.type === 'access' &&
+        isAccessFull(auth.credentials.scope)
+      const preferences = await ctx.actorStore.read(did, (store) => {
+        return store.pref.getPreferences('app.bsky', {
+          hasAccessFull,
+        })
+      })
       return {
         encoding: 'application/json',
         body: { preferences },

package/src/api/app/bsky/actor/getProfile.ts CHANGED Viewed

@@ -1,6 +1,8 @@
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
 import { OutputSchema } from '../../../../lexicon/types/app/bsky/actor/getProfile'
+import { computeProxyTo } from '../../../../pipethrough'
 import {
   LocalRecords,
   LocalViewer,
@@ -11,7 +13,13 @@ export default function (server: Server, ctx: AppContext) {
   if (!ctx.bskyAppView) return
   server.app.bsky.actor.getProfile({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: (permissions, { req }) => {
+        const lxm = ids.AppBskyActorGetProfile
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+      },
+    }),
     handler: async (reqCtx) => {
       return pipethroughReadAfterWrite(ctx, reqCtx, getProfileMunge)
     },

package/src/api/app/bsky/actor/getProfiles.ts CHANGED Viewed

@@ -1,6 +1,8 @@
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
 import { OutputSchema } from '../../../../lexicon/types/app/bsky/actor/getProfiles'
+import { computeProxyTo } from '../../../../pipethrough'
 import {
   LocalRecords,
   LocalViewer,
@@ -11,7 +13,13 @@ export default function (server: Server, ctx: AppContext) {
   if (!ctx.bskyAppView) return
   server.app.bsky.actor.getProfiles({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: (permissions, { req }) => {
+        const lxm = ids.AppBskyActorGetProfiles
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+      },
+    }),
     handler: async (reqCtx) => {
       return pipethroughReadAfterWrite(ctx, reqCtx, getProfilesMunge)
     },

package/src/api/app/bsky/actor/putPreferences.ts CHANGED Viewed

@@ -1,30 +1,53 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { AccountPreference } from '../../../../actor-store/preference/reader'
+import { isAccessFull } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
+import { computeProxyTo, pipethrough } from '../../../../pipethrough'
 export default function (server: Server, ctx: AppContext) {
-  if (!ctx.bskyAppView) return
+  const { bskyAppView } = ctx
+  if (!bskyAppView) return
   server.app.bsky.actor.putPreferences({
-    auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
-    handler: async ({ auth, input }) => {
-      const { preferences } = input.body
-      const requester = auth.credentials.did
+    auth: ctx.authVerifier.authorization({
+      checkTakedown: true,
+      authorize: (permissions, { req }) => {
+        const lxm = ids.AppBskyActorPutPreferences
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+      },
+    }),
+    handler: async ({ req, auth, input }) => {
+      const { did } = auth.credentials
+      // If the request has a proxy header different from the bsky app view,
+      // we need to proxy the request to the requested app view.
+      // @TODO This behavior should not be implemented as part of the XRPC framework
+      const lxm = ids.AppBskyActorPutPreferences
+      const aud = computeProxyTo(ctx, req, lxm)
+      if (aud !== `${bskyAppView.did}#bsky_appview`) {
+        return pipethrough(ctx, req, { iss: did, aud, lxm })
+      }
       const checkedPreferences: AccountPreference[] = []
-      for (const pref of preferences) {
+      for (const pref of input.body.preferences) {
         if (typeof pref.$type === 'string') {
           checkedPreferences.push(pref as AccountPreference)
         } else {
           throw new InvalidRequestError('Preference is missing a $type')
         }
       }
-      await ctx.actorStore.transact(requester, async (actorTxn) => {
-        await actorTxn.pref.putPreferences(
-          checkedPreferences,
-          'app.bsky',
-          auth.credentials.scope,
-        )
+      const hasAccessFull =
+        auth.credentials.type === 'access' &&
+        isAccessFull(auth.credentials.scope)
+      await ctx.actorStore.transact(did, async (actorTxn) => {
+        await actorTxn.pref.putPreferences(checkedPreferences, 'app.bsky', {
+          hasAccessFull,
+        })
       })
     },
   })

package/src/api/app/bsky/feed/getActorLikes.ts CHANGED Viewed

@@ -1,6 +1,8 @@
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
 import { OutputSchema } from '../../../../lexicon/types/app/bsky/feed/getActorLikes'
+import { computeProxyTo } from '../../../../pipethrough'
 import {
   LocalRecords,
   LocalViewer,
@@ -11,7 +13,13 @@ export default function (server: Server, ctx: AppContext) {
   if (!ctx.bskyAppView) return
   server.app.bsky.feed.getActorLikes({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: (permissions, { req }) => {
+        const lxm = ids.AppBskyFeedGetActorLikes
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+      },
+    }),
     handler: async (reqCtx) => {
       return pipethroughReadAfterWrite(ctx, reqCtx, getAuthorMunge)
     },

package/src/api/app/bsky/feed/getAuthorFeed.ts CHANGED Viewed

@@ -1,7 +1,9 @@
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
 import { isReasonRepost } from '../../../../lexicon/types/app/bsky/feed/defs'
 import { OutputSchema } from '../../../../lexicon/types/app/bsky/feed/getAuthorFeed'
+import { computeProxyTo } from '../../../../pipethrough'
 import {
   LocalRecords,
   LocalViewer,
@@ -12,7 +14,13 @@ export default function (server: Server, ctx: AppContext) {
   if (!ctx.bskyAppView) return
   server.app.bsky.feed.getAuthorFeed({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: (permissions, { req }) => {
+        const lxm = ids.AppBskyFeedGetAuthorFeed
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+      },
+    }),
     handler: async (reqCtx) => {
       return pipethroughReadAfterWrite(ctx, reqCtx, getAuthorMunge)
     },

package/src/api/app/bsky/feed/getFeed.ts CHANGED Viewed

@@ -3,14 +3,21 @@ import { AtUri } from '@atproto/syntax'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
-import { pipethrough } from '../../../../pipethrough'
+import { computeProxyTo, pipethrough } from '../../../../pipethrough'
 export default function (server: Server, ctx: AppContext) {
   const { bskyAppView } = ctx
   if (!bskyAppView) return
   server.app.bsky.feed.getFeed({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: (permissions, { req }) => {
+        const lxm = ids.AppBskyFeedGetFeed
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+        permissions.assertRpc({ aud, lxm: ids.AppBskyFeedGetFeedSkeleton })
+      },
+    }),
     handler: async ({ params, auth, req }) => {
       const requester = auth.credentials.did

package/src/api/app/bsky/feed/getPostThread.ts CHANGED Viewed

@@ -14,6 +14,7 @@ import {
 } from '../../../../lexicon/types/app/bsky/feed/getPostThread'
 import { Record as PostRecord } from '../../../../lexicon/types/app/bsky/feed/post'
 import { $Typed } from '../../../../lexicon/util'
+import { computeProxyTo } from '../../../../pipethrough'
 import {
   LocalRecords,
   LocalViewer,
@@ -28,7 +29,13 @@ export default function (server: Server, ctx: AppContext) {
   if (!ctx.bskyAppView) return
   server.app.bsky.feed.getPostThread({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: (permissions, { req }) => {
+        const lxm = ids.AppBskyFeedGetPostThread
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+      },
+    }),
     handler: async (reqCtx) => {
       try {
         return await pipethroughReadAfterWrite(ctx, reqCtx, getPostThreadMunge)

package/src/api/app/bsky/feed/getTimeline.ts CHANGED Viewed

@@ -1,6 +1,8 @@
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
 import { OutputSchema } from '../../../../lexicon/types/app/bsky/feed/getTimeline'
+import { computeProxyTo } from '../../../../pipethrough'
 import {
   LocalRecords,
   LocalViewer,
@@ -11,7 +13,13 @@ export default function (server: Server, ctx: AppContext) {
   if (!ctx.bskyAppView) return
   server.app.bsky.feed.getTimeline({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: (permissions, { req }) => {
+        const lxm = ids.AppBskyFeedGetTimeline
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+      },
+    }),
     handler: async (reqCtx) => {
       return pipethroughReadAfterWrite(ctx, reqCtx, getTimelineMunge)
     },

package/src/api/app/bsky/notification/registerPush.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { AtpAgent } from '@atproto/api'
 import { getNotif } from '@atproto/identity'
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { AuthScope } from '../../../../auth-verifier'
+import { AuthScope } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
@@ -12,14 +12,25 @@ export default function (server: Server, ctx: AppContext) {
   if (!bskyAppView) return
   server.app.bsky.notification.registerPush({
-    auth: ctx.authVerifier.accessStandard({
+    auth: ctx.authVerifier.authorization({
       additional: [AuthScope.SignupQueued],
+      authorize: () => {
+        // @NOTE this endpoint predates generic service proxying but we want to
+        // map the permission to the "RPC" scope for consistency. However, since
+        // the service info is only available in the request body, we can't
+        // assert permissions here.
+      },
     }),
     handler: async ({ auth, input }) => {
       const { serviceDid } = input.body
-      const {
-        credentials: { did },
-      } = auth
+      const { did } = auth.credentials
+      if (auth.credentials.type === 'oauth') {
+        auth.credentials.permissions.assertRpc({
+          aud: `${serviceDid}#bsky_notif`,
+          lxm: ids.AppBskyNotificationRegisterPush,
+        })
+      }
       const authHeaders = await ctx.serviceAuthHeaders(
         did,

package/src/api/com/atproto/identity/getRecommendedDidCredentials.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import { Server } from '../../../../lexicon'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.identity.getRecommendedDidCredentials({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: () => {
+        // always allow
+      },
+    }),
     handler: async ({ auth }) => {
       const requester = auth.credentials.did
       const signingKey = await ctx.actorStore.keypair(requester)

package/src/api/com/atproto/identity/requestPlcOperationSignature.ts CHANGED Viewed

@@ -1,12 +1,19 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { AuthScope } from '../../../../auth-verifier'
+import { ACCESS_FULL, AuthScope } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.identity.requestPlcOperationSignature({
-    auth: ctx.authVerifier.accessFull({ additional: [AuthScope.Takendown] }),
+    auth: ctx.authVerifier.authorization({
+      // @NOTE Reflect any change in signPlcOperation
+      scopes: ACCESS_FULL,
+      additional: [AuthScope.Takendown],
+      authorize: (permissions) => {
+        permissions.assertIdentity({ attr: '*' })
+      },
+    }),
     handler: async ({ auth, req }) => {
       if (ctx.entrywayAgent) {
         await ctx.entrywayAgent.com.atproto.identity.requestPlcOperationSignature(

package/src/api/com/atproto/identity/signPlcOperation.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plc from '@did-plc/lib'
 import { check } from '@atproto/common'
 import { InvalidRequestError } from '@atproto/xrpc-server'
+import { ACCESS_FULL, AuthScope } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
@@ -8,7 +9,14 @@ import { resultPassthru } from '../../../proxy'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.identity.signPlcOperation({
-    auth: ctx.authVerifier.accessFull(),
+    auth: ctx.authVerifier.authorization({
+      // @NOTE Should match auth rules from requestPlcOperationSignature
+      scopes: ACCESS_FULL,
+      additional: [AuthScope.Takendown],
+      authorize: (permissions) => {
+        permissions.assertIdentity({ attr: '*' })
+      },
+    }),
     handler: async ({ auth, input, req }) => {
       if (ctx.entrywayAgent) {
         return resultPassthru(

package/src/api/com/atproto/identity/submitPlcOperation.ts CHANGED Viewed

@@ -7,7 +7,11 @@ import { httpLogger as log } from '../../../../logger'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.identity.submitPlcOperation({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: (permissions) => {
+        permissions.assertIdentity({ attr: '*' })
+      },
+    }),
     handler: async ({ auth, input }) => {
       const requester = auth.credentials.did
       const op = input.body.operation

package/src/api/com/atproto/identity/updateHandle.ts CHANGED Viewed

@@ -7,7 +7,12 @@ import { httpLogger } from '../../../../logger'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.identity.updateHandle({
-    auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
+    auth: ctx.authVerifier.authorization({
+      checkTakedown: true,
+      authorize: (permissions) => {
+        permissions.assertIdentity({ attr: 'handle' })
+      },
+    }),
     rateLimit: [
       {
         durationMs: 5 * MINUTE,

package/src/api/com/atproto/moderation/createReport.ts CHANGED Viewed

@@ -1,14 +1,19 @@
 import { AtpAgent } from '@atproto/api'
-import { AuthScope } from '../../../../auth-verifier'
+import { AuthScope } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
-import { parseProxyInfo } from '../../../../pipethrough'
+import { computeProxyTo, parseProxyInfo } from '../../../../pipethrough'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.moderation.createReport({
-    auth: ctx.authVerifier.accessStandard({
+    auth: ctx.authVerifier.authorization({
       additional: [AuthScope.Takendown],
+      authorize: (permissions, { req }) => {
+        const lxm = ids.ComAtprotoModerationCreateReport
+        const aud = computeProxyTo(ctx, req, lxm)
+        permissions.assertRpc({ aud, lxm })
+      },
     }),
     handler: async ({ auth, input, req }) => {
       const { url, did: aud } = await parseProxyInfo(

package/src/api/com/atproto/repo/applyWrites.ts CHANGED Viewed

@@ -38,10 +38,14 @@ const ratelimitPoints = ({ input }: { input: HandlerInput }) => {
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.repo.applyWrites({
-    auth: ctx.authVerifier.accessStandard({
+    auth: ctx.authVerifier.authorization({
       checkTakedown: true,
       checkDeactivated: true,
+      authorize: () => {
+        // Performed in the handler as it is based on the request body
+      },
     }),
     rateLimit: [
       {
         name: 'repo-write-hour',
@@ -56,31 +60,35 @@ export default function (server: Server, ctx: AppContext) {
     ],
     handler: async ({ input, auth }) => {
-      const tx = input.body
-      const { repo, validate, swapCommit } = tx
-      const account = await ctx.accountManager.getAccount(repo, {
-        includeDeactivated: true,
-      })
-      if (!account) {
-        throw new InvalidRequestError(`Could not find repo: ${repo}`)
-      } else if (account.deactivatedAt) {
-        throw new InvalidRequestError('Account is deactivated')
-      }
+      const { repo, validate, swapCommit, writes } = input.body
-      const did = account.did
-      if (did !== auth.credentials.did) {
+      const { did } = auth.credentials
+      if (repo !== did) {
         throw new AuthRequiredError()
       }
-      if (tx.writes.length > 200) {
+      if (writes.length > 200) {
         throw new InvalidRequestError('Too many writes. Max: 200')
       }
+      // Verify permission of every unique "action" / "collection" pair
+      if (auth.credentials.type === 'oauth') {
+        // @NOTE Unlike "importRepo", we do not require "action" = "*" here.
+        for (const [action, collections] of [
+          ['create', new Set(writes.filter(isCreate).map((w) => w.collection))],
+          ['update', new Set(writes.filter(isUpdate).map((w) => w.collection))],
+          ['delete', new Set(writes.filter(isDelete).map((w) => w.collection))],
+        ] as const) {
+          for (const collection of collections) {
+            auth.credentials.permissions.assertRepo({ action, collection })
+          }
+        }
+      }
       // @NOTE should preserve order of ts.writes for final use in response
-      let writes: PreparedWrite[]
+      let preparedWrites: PreparedWrite[]
       try {
-        writes = await Promise.all(
-          tx.writes.map((write) => {
+        preparedWrites = await Promise.all(
+          writes.map(async (write) => {
             if (isCreate(write)) {
               return prepareCreate({
                 did,
@@ -121,7 +129,7 @@ export default function (server: Server, ctx: AppContext) {
       const commit = await ctx.actorStore.transact(did, async (actorTxn) => {
         const commit = await actorTxn.repo
-          .processWrites(writes, swapCommitCid)
+          .processWrites(preparedWrites, swapCommitCid)
           .catch((err) => {
             if (err instanceof BadCommitSwapError) {
               throw new InvalidRequestError(err.message, 'InvalidSwap')
@@ -150,7 +158,7 @@ export default function (server: Server, ctx: AppContext) {
             cid: commit.cid.toString(),
             rev: commit.rev,
           },
-          results: writes.map(writeToOutputResult),
+          results: preparedWrites.map(writeToOutputResult),
         },
       }
     },

package/src/api/com/atproto/repo/createRecord.ts CHANGED Viewed

@@ -14,9 +14,12 @@ import {
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.repo.createRecord({
-    auth: ctx.authVerifier.accessStandard({
+    auth: ctx.authVerifier.authorization({
       checkTakedown: true,
       checkDeactivated: true,
+      authorize: () => {
+        // Performed in the handler as it requires the request body
+      },
     }),
     rateLimit: [
       {
@@ -33,6 +36,14 @@ export default function (server: Server, ctx: AppContext) {
     handler: async ({ input, auth }) => {
       const { repo, collection, rkey, record, swapCommit, validate } =
         input.body
+      if (auth.credentials.type === 'oauth') {
+        auth.credentials.permissions.assertRepo({
+          action: 'create',
+          collection,
+        })
+      }
       const account = await ctx.accountManager.getAccount(repo, {
         includeDeactivated: true,
       })