@atproto/pds 0.4.164 → 0.4.166

package/src/lexicon/types/app/bsky/graph/getLists.ts

@@ -20,6 +20,8 @@ export type QueryParams = {
   actor: string
   limit: number
   cursor?: string
+  /** Optional filter by list purpose. If not specified, all supported types are returned. */
+  purposes?: 'modlist' | 'curatelist' | (string & {})[]
 }
 export type InputSchema = undefined
 

package/src/lexicon/types/app/bsky/graph/getListsWithMembership.ts

@@ -0,0 +1,63 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import { type ValidationResult, BlobRef } from '@atproto/lexicon'
+import { CID } from 'multiformats/cid'
+import { validate as _validate } from '../../../../lexicons'
+import {
+  type $Typed,
+  is$typed as _is$typed,
+  type OmitKey,
+} from '../../../../util'
+import type * as AppBskyGraphDefs from './defs.js'
+
+const is$typed = _is$typed,
+  validate = _validate
+const id = 'app.bsky.graph.getListsWithMembership'
+
+export type QueryParams = {
+  /** The account (actor) to check for membership. */
+  actor: string
+  limit: number
+  cursor?: string
+  /** Optional filter by list purpose. If not specified, all supported types are returned. */
+  purposes?: 'modlist' | 'curatelist' | (string & {})[]
+}
+export type InputSchema = undefined
+
+export interface OutputSchema {
+  cursor?: string
+  listsWithMembership: ListWithMembership[]
+}
+
+export type HandlerInput = void
+
+export interface HandlerSuccess {
+  encoding: 'application/json'
+  body: OutputSchema
+  headers?: { [key: string]: string }
+}
+
+export interface HandlerError {
+  status: number
+  message?: string
+}
+
+export type HandlerOutput = HandlerError | HandlerSuccess
+
+/** A list and an optional list item indicating membership of a target user to that list. */
+export interface ListWithMembership {
+  $type?: 'app.bsky.graph.getListsWithMembership#listWithMembership'
+  list: AppBskyGraphDefs.ListView
+  listItem?: AppBskyGraphDefs.ListItemView
+}
+
+const hashListWithMembership = 'listWithMembership'
+
+export function isListWithMembership<V>(v: V) {
+  return is$typed(v, id, hashListWithMembership)
+}
+
+export function validateListWithMembership<V>(v: V) {
+  return validate<ListWithMembership & V>(v, id, hashListWithMembership)
+}

package/src/lexicon/types/app/bsky/graph/getStarterPacksWithMembership.ts

@@ -0,0 +1,65 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import { type ValidationResult, BlobRef } from '@atproto/lexicon'
+import { CID } from 'multiformats/cid'
+import { validate as _validate } from '../../../../lexicons'
+import {
+  type $Typed,
+  is$typed as _is$typed,
+  type OmitKey,
+} from '../../../../util'
+import type * as AppBskyGraphDefs from './defs.js'
+
+const is$typed = _is$typed,
+  validate = _validate
+const id = 'app.bsky.graph.getStarterPacksWithMembership'
+
+export type QueryParams = {
+  /** The account (actor) to check for membership. */
+  actor: string
+  limit: number
+  cursor?: string
+}
+export type InputSchema = undefined
+
+export interface OutputSchema {
+  cursor?: string
+  starterPacksWithMembership: StarterPackWithMembership[]
+}
+
+export type HandlerInput = void
+
+export interface HandlerSuccess {
+  encoding: 'application/json'
+  body: OutputSchema
+  headers?: { [key: string]: string }
+}
+
+export interface HandlerError {
+  status: number
+  message?: string
+}
+
+export type HandlerOutput = HandlerError | HandlerSuccess
+
+/** A starter pack and an optional list item indicating membership of a target user to that starter pack. */
+export interface StarterPackWithMembership {
+  $type?: 'app.bsky.graph.getStarterPacksWithMembership#starterPackWithMembership'
+  starterPack: AppBskyGraphDefs.StarterPackView
+  listItem?: AppBskyGraphDefs.ListItemView
+}
+
+const hashStarterPackWithMembership = 'starterPackWithMembership'
+
+export function isStarterPackWithMembership<V>(v: V) {
+  return is$typed(v, id, hashStarterPackWithMembership)
+}
+
+export function validateStarterPackWithMembership<V>(v: V) {
+  return validate<StarterPackWithMembership & V>(
+    v,
+    id,
+    hashStarterPackWithMembership,
+  )
+}

package/src/pipethrough.ts

@@ -1,6 +1,6 @@
 import { IncomingHttpHeaders, ServerResponse } from 'node:http'
 import { PassThrough, Readable } from 'node:stream'
-import express from 'express'
+import { Request } from 'express'
 import { Dispatcher } from 'undici'
 import {
   decodeStream,
@@ -8,6 +8,7 @@ import {
   omit,
   streamToNodeBuffer,
 } from '@atproto/common'
+import { RpcScopeMatch } from '@atproto/oauth-scopes'
 import { ResponseType, XRPCError as XRPCClientError } from '@atproto/xrpc'
 import {
   CatchallHandler,
@@ -16,15 +17,20 @@ import {
   InternalServerError,
   InvalidRequestError,
   XRPCError as XRPCServerError,
+  excludeErrorResult,
   parseReqNsid,
 } from '@atproto/xrpc-server'
 import { buildProxiedContentEncoding } from '@atproto-labs/xrpc-utils'
+import { isAccessPrivileged } from './auth-scope'
 import { AppContext } from './context'
 import { ids } from './lexicon/lexicons'
 import { httpLogger } from './logger'
 
 export const proxyHandler = (ctx: AppContext): CatchallHandler => {
-  const accessStandard = ctx.authVerifier.accessStandard()
+  const performAuth = ctx.authVerifier.authorization<RpcScopeMatch>({
+    authorize: (permissions, { params }) => permissions.assertRpc(params),
+  })
+
   return async (req, res, next) => {
     // /!\ Hot path
     try {
@@ -50,13 +56,20 @@ export const proxyHandler = (ctx: AppContext): CatchallHandler => {
         throw new InvalidRequestError('Bad token method', 'InvalidToken')
       }
 
-      const auth = await accessStandard({ req, res })
-      if (!auth.credentials.isPrivileged && PRIVILEGED_METHODS.has(lxm)) {
+      const { url: origin, did: aud } = await parseProxyInfo(ctx, req, lxm)
+
+      const authResult = await performAuth({ req, res, params: { lxm, aud } })
+
+      const { credentials } = excludeErrorResult(authResult)
+
+      if (
+        credentials.type === 'access' &&
+        !isAccessPrivileged(credentials.scope) &&
+        PRIVILEGED_METHODS.has(lxm)
+      ) {
         throw new InvalidRequestError('Bad token method', 'InvalidToken')
       }
 
-      const { url: origin, did: aud } = await parseProxyInfo(ctx, req, lxm)
-
       const headers: IncomingHttpHeaders = {
         'accept-encoding': req.headers['accept-encoding'] || 'identity',
         'accept-language': req.headers['accept-language'],
@@ -67,9 +80,7 @@ export const proxyHandler = (ctx: AppContext): CatchallHandler => {
         'content-encoding': body && req.headers['content-encoding'],
         'content-length': body && req.headers['content-length'],
 
-        authorization: auth.credentials.did
-          ? `Bearer ${await ctx.serviceAuthJwt(auth.credentials.did, aud, lxm)}`
-          : undefined,
+        authorization: `Bearer ${await ctx.serviceAuthJwt(credentials.did, aud, lxm)}`,
       }
 
       const dispatchOptions: Dispatcher.RequestOptions = {
@@ -122,7 +133,7 @@ export type PipethroughOptions = {
 
 export async function pipethrough(
   ctx: AppContext,
-  req: express.Request,
+  req: Request,
   options?: PipethroughOptions,
 ): Promise<
   HandlerPipeThroughStream & {
@@ -189,9 +200,25 @@ export async function pipethrough(
 // Request setup/formatting
 // -------------------
 
+export function computeProxyTo(
+  ctx: AppContext,
+  req: Request,
+  lxm: string,
+): string {
+  const proxyToHeader = req.header('atproto-proxy')
+  if (proxyToHeader) return proxyToHeader
+
+  const service = defaultService(ctx, lxm)
+  if (service.serviceInfo) {
+    return `${service.serviceInfo.did}#${service.serviceId}`
+  }
+
+  throw new InvalidRequestError(`No service configured for ${lxm}`)
+}
+
 export async function parseProxyInfo(
   ctx: AppContext,
-  req: express.Request,
+  req: Request,
   lxm: string,
 ): Promise<{ url: string; did: string }> {
   // /!\ Hot path
@@ -199,8 +226,8 @@ export async function parseProxyInfo(
   const proxyToHeader = req.header('atproto-proxy')
   if (proxyToHeader) return parseProxyHeader(ctx, proxyToHeader)
 
-  const defaultProxy = defaultService(ctx, lxm)
-  if (defaultProxy) return defaultProxy
+  const { serviceInfo } = defaultService(ctx, lxm)
+  if (serviceInfo) return serviceInfo
 
   throw new InvalidRequestError(`No service configured for ${lxm}`)
 }
@@ -472,7 +499,7 @@ function* responseHeaders(
 // Utils
 // -------------------
 
-export const PRIVILEGED_METHODS = new Set<string>([
+export const CHAT_BSKY_METHODS = new Set<string>([
   ids.ChatBskyActorDeleteAccount,
   ids.ChatBskyActorExportAccountData,
   ids.ChatBskyConvoDeleteMessageForSelf,
@@ -487,6 +514,10 @@ export const PRIVILEGED_METHODS = new Set<string>([
   ids.ChatBskyConvoSendMessageBatch,
   ids.ChatBskyConvoUnmuteConvo,
   ids.ChatBskyConvoUpdateRead,
+])
+
+export const PRIVILEGED_METHODS = new Set<string>([
+  ...CHAT_BSKY_METHODS,
   ids.ComAtprotoServerCreateAccount,
 ])
 
@@ -515,7 +546,10 @@ export const PROTECTED_METHODS = new Set<string>([
 const defaultService = (
   ctx: AppContext,
   nsid: string,
-): { url: string; did: string } | null => {
+): {
+  serviceId: string
+  serviceInfo: { url: string; did: string } | null
+} => {
   switch (nsid) {
     case ids.ToolsOzoneTeamAddMember:
     case ids.ToolsOzoneTeamDeleteMember:
@@ -541,11 +575,20 @@ const defaultService = (
     case ids.ToolsOzoneSafelinkRemoveRule:
     case ids.ToolsOzoneSafelinkQueryEvents:
     case ids.ToolsOzoneSafelinkQueryRules:
-      return ctx.cfg.modService
+      return {
+        serviceId: 'atproto_labeler',
+        serviceInfo: ctx.cfg.modService,
+      }
     case ids.ComAtprotoModerationCreateReport:
-      return ctx.cfg.reportService
+      return {
+        serviceId: 'atproto_labeler',
+        serviceInfo: ctx.cfg.reportService,
+      }
     default:
-      return ctx.cfg.bskyAppView
+      return {
+        serviceId: 'bsky_appview',
+        serviceInfo: ctx.cfg.bskyAppView,
+      }
   }
 }
 

package/src/util/http.ts

@@ -0,0 +1,31 @@
+import { ServerResponse } from 'node:http'
+
+/**
+ * Set or appends a value to the `Vary` header in the response, only if the
+ * value is not already present.
+ */
+export function appendVary(res: ServerResponse, value: string) {
+  if (!varyContains(res, value.toLowerCase())) {
+    res.appendHeader('Vary', value)
+  }
+}
+
+function varyContains(res: ServerResponse, searchValue: string) {
+  const headerValue = res.getHeader('Vary')
+  switch (typeof headerValue) {
+    case 'string':
+      return varyStringContains(headerValue, searchValue)
+    case 'object':
+      // headerValue is a string[] here
+      return headerValue.some((h) => varyStringContains(h, searchValue))
+    default:
+      return false
+  }
+}
+
+function varyStringContains(headerValue: string, searchValue: string): boolean {
+  return headerValue
+    .split(',')
+    .map((v) => v.trim().toLowerCase())
+    .some((v) => v === searchValue || v === `*`)
+}

package/src/util/types.ts

@@ -0,0 +1,7 @@
+export type Simplify<T> = {
+  [K in keyof T]: T[K]
+} & NonNullable<unknown>
+
+export type WithRequired<T, K extends keyof T> = Simplify<
+  Omit<T, K> & Required<Pick<T, K>>
+>

package/tests/oauth.test.ts

@@ -180,7 +180,11 @@ describe('oauth', () => {
   })
 
   it('allows resetting the password', async () => {
-    const sendTemplateMock = await withMokedMailer(network)
+    const sendTemplateMock = jest
+      .spyOn(network.pds.ctx.mailer, 'sendResetPassword')
+      .mockImplementation(async () => {
+        // noop
+      })
 
     const page = await PageHelper.from(browser)
 
@@ -194,7 +198,7 @@ describe('oauth', () => {
       await input.press('Enter')
     })
 
-    await page.checkTitle('Se connecter')
+    await page.checkTitle('Connexion')
 
     await page.clickOnButton('Oublié ?')
 
@@ -210,17 +214,13 @@ describe('oauth', () => {
 
     expect(sendTemplateMock).toHaveBeenCalledTimes(1)
 
-    const [templateName, params] = sendTemplateMock.mock.calls[0]
-
-    expect(templateName).toBe('resetPassword')
+    const [params] = sendTemplateMock.mock.lastCall
     expect(params).toEqual({
       handle: 'alice.test',
       token: expect.any(String),
     })
 
-    const { token } = params as { token: string }
-
-    await page.typeInInput('code', token)
+    await page.typeInInput('code', params.token)
 
     await page.typeInInput('password', 'alice-new-pass')
 
@@ -233,8 +233,7 @@ describe('oauth', () => {
     // TODO: Find out why we can't use "using" here
     await page[Symbol.asyncDispose]()
 
-    // TODO: Find out why we can't use "using" here
-    sendTemplateMock[Symbol.dispose]()
+    sendTemplateMock.mockRestore()
   })
 
   it('Allows to sign-in trough OAuth', async () => {
@@ -250,12 +249,12 @@ describe('oauth', () => {
       await input.press('Enter')
     })
 
-    await page.checkTitle('Se connecter')
+    await page.checkTitle('Connexion')
 
     await page.typeIn('input[type="password"]', 'alice-new-pass')
 
     // Make sure the warning is visible
-    await page.ensureTextVisibility('Avertissement')
+    await page.ensureTextVisibility('Avertissement', 'h3')
 
     await page.clickOn(
       'label::-p-text(Se souvenir de ce compte sur cet appareil)',
@@ -317,31 +316,6 @@ describe('oauth', () => {
   })
 })
 
-async function withMokedMailer(network: TestNetworkNoAppView) {
-  // @ts-expect-error
-  const sendTemplateOrig = network.pds.ctx.mailer.sendTemplate
-  const sendTemplateMock = jest.fn(
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    async (templateName: unknown, params: unknown, mailOpts: unknown) => {
-      //
-    },
-  ) as jest.Mock<
-    Promise<void>,
-    [templateName: unknown, params: unknown, mailOpts: unknown]
-  > &
-    Disposable
-
-  sendTemplateMock[Symbol.dispose] = () => {
-    // @ts-expect-error
-    network.pds.ctx.mailer.sendTemplate = sendTemplateOrig
-  }
-
-  // @ts-expect-error
-  network.pds.ctx.mailer.sendTemplate = sendTemplateMock
-
-  return sendTemplateMock
-}
-
 function clientHandler(
   req: IncomingMessage,
   res: ServerResponse,

package/tests/preferences.test.ts

@@ -1,6 +1,5 @@
 import { AtpAgent } from '@atproto/api'
 import { SeedClient, TestNetworkNoAppView } from '@atproto/dev-env'
-import { AuthScope } from '../dist/auth-verifier'
 import usersSeed from './seeds/users'
 
 describe('user preferences', () => {
@@ -58,7 +57,9 @@ describe('user preferences', () => {
       store.pref.putPreferences(
         [{ $type: 'com.atproto.server.defs#unknown' }],
         'com.atproto',
-        AuthScope.Access,
+        {
+          hasAccessFull: true,
+        },
       ),
     )
     const { data } = await agent.api.app.bsky.actor.getPreferences(
@@ -109,7 +110,10 @@ describe('user preferences', () => {
     // Ensure other prefs were not clobbered
     const otherPrefs = await network.pds.ctx.actorStore.read(
       sc.dids.alice,
-      (store) => store.pref.getPreferences('com.atproto', AuthScope.Access),
+      (store) =>
+        store.pref.getPreferences('com.atproto', {
+          hasAccessFull: true,
+        }),
     )
     expect(otherPrefs).toEqual([{ $type: 'com.atproto.server.defs#unknown' }])
   })