@atproto/pds 0.4.165 → 0.4.166

package/dist/auth-verifier.js

@@ -36,32 +36,20 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createPublicKeyObject = exports.createSecretKeyObject = exports.parseBasicAuth = exports.parseAuthorizationHeader = exports.AuthVerifier = exports.RoleStatus = exports.AuthScope = void 0;
+exports.createPublicKeyObject = exports.createSecretKeyObject = exports.AuthVerifier = void 0;
+exports.isUserOrAdmin = isUserOrAdmin;
 const node_crypto_1 = require("node:crypto");
 const jose = __importStar(require("jose"));
 const key_encoder_1 = __importDefault(require("key-encoder"));
 const common_1 = require("@atproto/common");
 const identity_1 = require("@atproto/identity");
 const oauth_provider_1 = require("@atproto/oauth-provider");
+const oauth_scopes_1 = require("@atproto/oauth-scopes");
 const xrpc_server_1 = require("@atproto/xrpc-server");
+const auth_scope_1 = require("./auth-scope");
 const db_1 = require("./db");
 const logger_1 = require("./logger");
-// @TODO sync-up with current method names, consider backwards compat.
-var AuthScope;
-(function (AuthScope) {
-    AuthScope["Access"] = "com.atproto.access";
-    AuthScope["Refresh"] = "com.atproto.refresh";
-    AuthScope["AppPass"] = "com.atproto.appPass";
-    AuthScope["AppPassPrivileged"] = "com.atproto.appPassPrivileged";
-    AuthScope["SignupQueued"] = "com.atproto.signupQueued";
-    AuthScope["Takendown"] = "com.atproto.takendown";
-})(AuthScope || (exports.AuthScope = AuthScope = {}));
-var RoleStatus;
-(function (RoleStatus) {
-    RoleStatus[RoleStatus["Valid"] = 0] = "Valid";
-    RoleStatus[RoleStatus["Invalid"] = 1] = "Invalid";
-    RoleStatus[RoleStatus["Missing"] = 2] = "Missing";
-})(RoleStatus || (exports.RoleStatus = RoleStatus = {}));
+const http_1 = require("./util/http");
 class AuthVerifier {
     constructor(accountManager, idResolver, oauthVerifier, opts) {
         Object.defineProperty(this, "accountManager", {
@@ -107,70 +95,21 @@ class AuthVerifier {
             value: void 0
         });
         // verifiers (arrow fns to preserve scope)
-        Object.defineProperty(this, "accessStandard", {
+        Object.defineProperty(this, "unauthenticated", {
             enumerable: true,
             configurable: true,
             writable: true,
-            value: (opts = {}) => async (ctx) => {
-                return this.validateAccessToken(ctx, [
-                    AuthScope.Access,
-                    AuthScope.AppPassPrivileged,
-                    AuthScope.AppPass,
-                    ...(opts.additional ?? []),
-                ], opts);
-            }
-        });
-        Object.defineProperty(this, "accessFull", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: (opts = {}) => (ctx) => {
-                return this.validateAccessToken(ctx, [AuthScope.Access, ...(opts.additional ?? [])], opts);
-            }
-        });
-        Object.defineProperty(this, "accessPrivileged", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: (opts = {}) => (ctx) => {
-                return this.validateAccessToken(ctx, [
-                    AuthScope.Access,
-                    AuthScope.AppPassPrivileged,
-                    ...(opts.additional ?? []),
-                ]);
-            }
-        });
-        Object.defineProperty(this, "refresh", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: async (ctx) => {
-                const { did, scope, tokenId } = await this.validateRefreshToken(ctx);
-                return {
-                    credentials: {
-                        type: 'refresh',
-                        did,
-                        scope,
-                        tokenId,
-                    },
-                };
-            }
-        });
-        Object.defineProperty(this, "refreshExpired", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: async (ctx) => {
-                const { did, scope, tokenId } = await this.validateRefreshToken(ctx, {
-                    clockTolerance: Infinity,
-                });
+            value: (ctx) => {
+                setAuthHeaders(ctx.res);
+                // @NOTE this auth method is typically used as fallback when no other auth
+                // method is applicable. This means that the presence of an "authorization"
+                // header means that that header is invalid (as it did not match any of the
+                // other auth methods).
+                if (ctx.req.headers['authorization']) {
+                    throw new xrpc_server_1.AuthRequiredError('Invalid authorization header');
+                }
                 return {
-                    credentials: {
-                        type: 'refresh',
-                        did,
-                        scope,
-                        tokenId,
-                    },
+                    credentials: null,
                 };
             }
         });
@@ -179,111 +118,78 @@ class AuthVerifier {
             configurable: true,
             writable: true,
             value: async (ctx) => {
-                this.setAuthHeaders(ctx);
-                return this.validateAdminToken(ctx);
-            }
-        });
-        Object.defineProperty(this, "optionalAccessOrAdminToken", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: (opts = {}) => async (ctx) => {
-                if (isAccessToken(ctx.req)) {
-                    return await this.accessStandard(opts)(ctx);
+                setAuthHeaders(ctx.res);
+                const parsed = parseBasicAuth(ctx.req);
+                if (!parsed) {
+                    throw new xrpc_server_1.AuthRequiredError();
                 }
-                else if (isBasicToken(ctx.req)) {
-                    return await this.adminToken(ctx);
-                }
-                else {
-                    return this.null(ctx);
+                const { username, password } = parsed;
+                if (username !== 'admin' || password !== this._adminPass) {
+                    throw new xrpc_server_1.AuthRequiredError();
                 }
+                return { credentials: { type: 'admin_token' } };
             }
         });
-        Object.defineProperty(this, "userServiceAuth", {
+        Object.defineProperty(this, "modService", {
             enumerable: true,
             configurable: true,
             writable: true,
             value: async (ctx) => {
-                const payload = await this.verifyServiceJwt(ctx, {
-                    aud: null,
-                    iss: null,
-                });
-                if (payload.aud !== this.dids.pds &&
-                    (!this.dids.entryway || payload.aud !== this.dids.entryway)) {
-                    throw new xrpc_server_1.AuthRequiredError('jwt audience does not match service did', 'BadJwtAudience');
+                setAuthHeaders(ctx.res);
+                if (!this.dids.modService) {
+                    throw new xrpc_server_1.AuthRequiredError('Untrusted issuer', 'UntrustedIss');
                 }
+                const payload = await this.verifyServiceJwt(ctx.req, {
+                    iss: [this.dids.modService, `${this.dids.modService}#atproto_labeler`],
+                });
                 return {
                     credentials: {
-                        type: 'user_service_auth',
-                        aud: payload.aud,
+                        type: 'mod_service',
                         did: payload.iss,
                     },
                 };
             }
         });
-        Object.defineProperty(this, "userServiceAuthOptional", {
+        Object.defineProperty(this, "moderator", {
             enumerable: true,
             configurable: true,
             writable: true,
             value: async (ctx) => {
-                if (isBearerToken(ctx.req)) {
-                    return await this.userServiceAuth(ctx);
+                const type = extractAuthType(ctx.req);
+                if (type === AuthType.BEARER) {
+                    return this.modService(ctx);
                 }
                 else {
-                    return this.null(ctx);
-                }
-            }
-        });
-        Object.defineProperty(this, "accessOrUserServiceAuth", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: (opts = {}) => async (ctx) => {
-                const token = bearerTokenFromReq(ctx.req);
-                if (token) {
-                    const payload = jose.decodeJwt(token);
-                    if (payload['lxm']) {
-                        return this.userServiceAuth(ctx);
-                    }
+                    return this.adminToken(ctx);
                 }
-                return this.accessStandard(opts)(ctx);
             }
         });
-        Object.defineProperty(this, "modService", {
+        Object.defineProperty(this, "userServiceAuth", {
             enumerable: true,
             configurable: true,
             writable: true,
             value: async (ctx) => {
-                if (!this.dids.modService) {
-                    throw new xrpc_server_1.AuthRequiredError('Untrusted issuer', 'UntrustedIss');
-                }
-                const payload = await this.verifyServiceJwt(ctx, {
-                    aud: null,
-                    iss: [this.dids.modService, `${this.dids.modService}#atproto_labeler`],
-                });
-                if (payload.aud !== this.dids.pds &&
-                    (!this.dids.entryway || payload.aud !== this.dids.entryway)) {
-                    throw new xrpc_server_1.AuthRequiredError('jwt audience does not match service did', 'BadJwtAudience');
-                }
+                setAuthHeaders(ctx.res);
+                const payload = await this.verifyServiceJwt(ctx.req);
                 return {
                     credentials: {
-                        type: 'mod_service',
-                        aud: payload.aud,
-                        iss: payload.iss,
+                        type: 'user_service_auth',
+                        did: payload.iss,
                     },
                 };
             }
         });
-        Object.defineProperty(this, "moderator", {
+        Object.defineProperty(this, "userServiceAuthOptional", {
             enumerable: true,
             configurable: true,
             writable: true,
             value: async (ctx) => {
-                if (isBearerToken(ctx.req)) {
-                    return this.modService(ctx);
+                const type = extractAuthType(ctx.req);
+                if (type === AuthType.BEARER) {
+                    return await this.userServiceAuth(ctx);
                 }
                 else {
-                    return this.adminToken(ctx);
+                    return this.unauthenticated(ctx);
                 }
             }
         });
@@ -292,132 +198,131 @@ class AuthVerifier {
         this._adminPass = opts.adminPass;
         this.dids = opts.dids;
     }
-    async validateAdminToken({ req, }) {
-        const parsed = (0, exports.parseBasicAuth)(req.headers.authorization);
-        if (!parsed) {
-            throw new xrpc_server_1.AuthRequiredError();
-        }
-        const { username, password } = parsed;
-        if (username !== 'admin' || password !== this._adminPass) {
-            throw new xrpc_server_1.AuthRequiredError();
-        }
-        return { credentials: { type: 'admin_token' } };
+    access(options) {
+        const { scopes, ...statusOptions } = options;
+        const verifyJwtOptions = {
+            audience: this.dids.pds,
+            typ: 'at+jwt',
+            scopes: 
+            // @NOTE We can reject taken down credentials based on the scope if
+            // "checkTakedown" is set.
+            statusOptions.checkTakedown && scopes.includes(auth_scope_1.AuthScope.Takendown)
+                ? scopes.filter((s) => s !== auth_scope_1.AuthScope.Takendown)
+                : scopes,
+        };
+        return async (ctx) => {
+            setAuthHeaders(ctx.res);
+            const { sub: did, scope } = await this.verifyBearerJwt(ctx.req, verifyJwtOptions);
+            await this.verifyStatus(did, statusOptions);
+            return {
+                credentials: { type: 'access', did, scope },
+            };
+        };
     }
-    async validateRefreshToken(ctx, verifyOptions) {
-        const result = await this.validateBearerToken(ctx, [AuthScope.Refresh], {
-            ...verifyOptions,
+    refresh(options) {
+        const verifyOptions = {
+            clockTolerance: options?.allowExpired ? Infinity : undefined,
             typ: 'refresh+jwt',
             // when using entryway, proxying refresh credentials
             audience: this.dids.entryway ? this.dids.entryway : this.dids.pds,
-        });
-        const tokenId = result.payload.jti;
-        if (!tokenId) {
-            throw new xrpc_server_1.AuthRequiredError('Unexpected missing refresh token id', 'MissingTokenId');
-        }
-        return { ...result, tokenId };
+            scopes: [auth_scope_1.AuthScope.Refresh],
+        };
+        return async (ctx) => {
+            setAuthHeaders(ctx.res);
+            const result = await this.verifyBearerJwt(ctx.req, verifyOptions);
+            const tokenId = result.jti;
+            if (!tokenId) {
+                throw new xrpc_server_1.AuthRequiredError('Unexpected missing refresh token id', 'MissingTokenId');
+            }
+            return {
+                credentials: {
+                    type: 'refresh',
+                    did: result.sub,
+                    scope: result.scope,
+                    tokenId,
+                },
+            };
+        };
     }
-    async validateBearerToken(ctx, scopes, verifyOptions) {
-        this.setAuthHeaders(ctx);
-        const token = bearerTokenFromReq(ctx.req);
-        if (!token) {
-            throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
-        }
-        const { payload, protectedHeader } = await this.jwtVerify(token, 
-        // @TODO: Once all access & refresh tokens have a "typ" claim (i.e. 90
-        // days after this code was deployed), replace the following line with
-        // "verifyOptions," (to re-enable the verification of the "typ" property
-        // from verifyJwt()). Once the change is made, the "if" block below that
-        // checks for "typ" can be removed.
-        {
-            ...verifyOptions,
-            typ: undefined,
+    authorization({ scopes = auth_scope_1.ACCESS_STANDARD, additional = [], ...options }) {
+        const access = this.access({
+            ...options,
+            scopes: [...scopes, ...additional],
         });
-        // @TODO: remove the next check once all access & refresh tokens have "typ"
-        // Note: when removing the check, make sure that the "verifyOptions"
-        // contains the "typ" property, so that the token is verified correctly by
-        // this.verifyJwt()
-        if (protectedHeader.typ && verifyOptions.typ !== protectedHeader.typ) {
-            // Temporarily allow historical tokens without "typ" to pass through. See:
-            // createAccessToken() and createRefreshToken() in
-            // src/account-manager/helpers/auth.ts
-            throw new xrpc_server_1.InvalidRequestError('Invalid token type', 'InvalidToken');
-        }
-        const { sub, aud, scope } = payload;
-        if (typeof sub !== 'string' || !sub.startsWith('did:')) {
-            throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
-        }
-        if (aud !== undefined &&
-            (typeof aud !== 'string' || !aud.startsWith('did:'))) {
-            throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
-        }
-        if (payload['cnf'] !== undefined) {
-            // Proof-of-Possession (PoP) tokens are not allowed here
-            // https://www.rfc-editor.org/rfc/rfc7800.html
-            throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
-        }
-        if (!isAuthScope(scope) || (scopes.length > 0 && !scopes.includes(scope))) {
-            throw new xrpc_server_1.InvalidRequestError('Bad token scope', 'InvalidToken');
-        }
-        return {
-            did: sub,
-            scope,
-            audience: aud,
-            token,
-            payload,
+        const oauth = this.oauth(options);
+        return async (ctx) => {
+            const type = extractAuthType(ctx.req);
+            if (type === AuthType.BEARER) {
+                return access(ctx);
+            }
+            if (type === AuthType.DPOP) {
+                return oauth(ctx);
+            }
+            // Auth headers are set through the access and oauth methods so we only
+            // need to set them here if we reach this point
+            setAuthHeaders(ctx.res);
+            if (type !== null) {
+                throw new xrpc_server_1.InvalidRequestError('Unexpected authorization type', 'InvalidToken');
+            }
+            throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
         };
     }
-    async validateAccessToken(ctx, scopes, { checkTakedown = false, checkDeactivated = false, } = {}) {
-        this.setAuthHeaders(ctx);
-        let accessOutput;
-        const [type] = (0, exports.parseAuthorizationHeader)(ctx.req.headers.authorization);
-        switch (type) {
-            case AuthType.BEARER: {
-                accessOutput = await this.validateBearerAccessToken(ctx, scopes);
-                break;
+    authorizationOrAdminTokenOptional(opts) {
+        const authorization = this.authorization(opts);
+        return async (ctx) => {
+            const type = extractAuthType(ctx.req);
+            if (type === AuthType.BEARER || type === AuthType.DPOP) {
+                return authorization(ctx);
             }
-            case AuthType.DPOP: {
-                accessOutput = await this.validateDpopAccessToken(ctx, scopes);
-                break;
+            else if (type === AuthType.BASIC) {
+                return this.adminToken(ctx);
             }
-            case null:
-                throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
-            default:
-                throw new xrpc_server_1.InvalidRequestError('Unexpected authorization type', 'InvalidToken');
-        }
-        if (checkTakedown || checkDeactivated) {
-            const found = await this.accountManager.getAccount(accessOutput.credentials.did, {
-                includeDeactivated: true,
-                includeTakenDown: true,
-            });
-            if (!found) {
-                // will be turned into ExpiredToken for the client if proxied by entryway
-                throw new xrpc_server_1.ForbiddenError('Account not found', 'AccountNotFound');
+            else {
+                return this.unauthenticated(ctx);
             }
-            if (checkTakedown && (0, db_1.softDeleted)(found)) {
-                throw new xrpc_server_1.AuthRequiredError('Account has been taken down', 'AccountTakedown');
+        };
+    }
+    authorizationOrUserServiceAuth(options) {
+        const authorizationVerifier = this.authorization(options);
+        return async (ctx) => {
+            if (isDefinitelyServiceAuth(ctx.req)) {
+                return this.userServiceAuth(ctx);
             }
-            if (checkDeactivated && found.deactivatedAt) {
-                throw new xrpc_server_1.AuthRequiredError('Account is deactivated', 'AccountDeactivated');
+            else {
+                return authorizationVerifier(ctx);
             }
-        }
-        return accessOutput;
+        };
     }
-    async validateDpopAccessToken(ctx, scopes) {
-        this.setAuthHeaders(ctx);
-        const { req } = ctx;
-        const res = 'res' in ctx ? ctx.res : null;
-        // https://datatracker.ietf.org/doc/html/rfc9449#section-8.2
-        if (res) {
+    oauth({ authorize, ...verifyStatusOptions }) {
+        const verifyTokenOptions = {
+            audience: [this.dids.pds],
+            scope: ['atproto'],
+        };
+        return async (ctx) => {
+            setAuthHeaders(ctx.res);
+            const { req, res } = ctx;
+            // https://datatracker.ietf.org/doc/html/rfc9449#section-8.2
             const dpopNonce = this.oauthVerifier.nextDpopNonce();
             if (dpopNonce) {
                 res.setHeader('DPoP-Nonce', dpopNonce);
                 res.appendHeader('Access-Control-Expose-Headers', 'DPoP-Nonce');
             }
-        }
-        try {
-            const originalUrl = ('originalUrl' in req && req.originalUrl) || req.url || '/';
+            const originalUrl = req.originalUrl || req.url || '/';
             const url = new URL(originalUrl, this._publicUrl);
-            const { tokenClaims, dpopProof } = await this.oauthVerifier.authenticateRequest(req.method || 'GET', url, req.headers, { audience: [this.dids.pds] });
+            const { tokenClaims, dpopProof } = await this.oauthVerifier
+                .authenticateRequest(req.method || 'GET', url, req.headers, verifyTokenOptions)
+                .catch((err) => {
+                // Make sure to include any WWW-Authenticate header in the response
+                // (particularly useful for DPoP's "use_dpop_nonce" error)
+                if (err instanceof oauth_provider_1.WWWAuthenticateError) {
+                    res.setHeader('WWW-Authenticate', err.wwwAuthenticateHeader);
+                    res.appendHeader('Access-Control-Expose-Headers', 'WWW-Authenticate');
+                }
+                if (err instanceof oauth_provider_1.OAuthError) {
+                    throw new xrpc_server_1.XRPCError(err.status, err.error_description, err.error);
+                }
+                throw err;
+            });
             // @TODO drop this once oauth provider no longer accepts DPoP proof with
             // query or fragment in "htu" claim.
             if (dpopProof?.htu.match(/[?#]/)) {
@@ -426,68 +331,103 @@ class AuthVerifier {
                     htu: dpopProof.htu,
                 }, 'DPoP proof "htu" contains query or fragment');
             }
-            const { sub } = tokenClaims;
-            if (typeof sub !== 'string' || !sub.startsWith('did:')) {
+            const { sub: did } = tokenClaims;
+            if (typeof did !== 'string' || !did.startsWith('did:')) {
                 throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
             }
-            const oauthScopes = new Set(tokenClaims.scope?.split(' '));
-            if (!oauthScopes.has('transition:generic')) {
-                throw new xrpc_server_1.AuthRequiredError('Missing required scope: transition:generic', 'InvalidToken');
-            }
-            const scopeEquivalent = oauthScopes.has('transition:chat.bsky')
-                ? AuthScope.AppPassPrivileged
-                : AuthScope.AppPass;
-            if (!scopes.includes(scopeEquivalent)) {
-                // AppPassPrivileged is sufficient but was not provided "transition:chat.bsky"
-                if (scopes.includes(AuthScope.AppPassPrivileged)) {
-                    throw new xrpc_server_1.InvalidRequestError('Missing required scope: transition:chat.bsky', 'InvalidToken');
-                }
-                // AuthScope.Access and AuthScope.SignupQueued do not have an OAuth
-                // scope equivalent.
-                throw new xrpc_server_1.InvalidRequestError('DPoP access token cannot be used for this request', 'InvalidToken');
+            await this.verifyStatus(did, verifyStatusOptions);
+            const permissions = new oauth_scopes_1.PermissionSetTransition(tokenClaims.scope?.split(' '));
+            // Should never happen
+            if (!permissions.scopes.has('atproto')) {
+                throw new xrpc_server_1.InvalidRequestError('OAuth token does not have "atproto" scope', 'InvalidToken');
             }
+            await authorize(permissions, ctx);
             return {
                 credentials: {
                     type: 'oauth',
-                    did: tokenClaims.sub,
-                    scope: scopeEquivalent,
-                    oauthScopes,
-                    isPrivileged: scopeEquivalent === AuthScope.AppPassPrivileged,
+                    did,
+                    permissions,
                 },
             };
-        }
-        catch (err) {
-            // Make sure to include any WWW-Authenticate header in the response
-            // (particularly useful for DPoP's "use_dpop_nonce" error)
-            if (res && err instanceof oauth_provider_1.WWWAuthenticateError) {
-                res.setHeader('WWW-Authenticate', err.wwwAuthenticateHeader);
-                res.appendHeader('Access-Control-Expose-Headers', 'WWW-Authenticate');
+        };
+    }
+    async verifyStatus(did, { checkTakedown = false, checkDeactivated = false }) {
+        if (checkTakedown || checkDeactivated) {
+            const found = await this.accountManager.getAccount(did, {
+                includeDeactivated: true,
+                includeTakenDown: true,
+            });
+            if (!found) {
+                // will be turned into ExpiredToken for the client if proxied by entryway
+                throw new xrpc_server_1.ForbiddenError('Account not found', 'AccountNotFound');
+            }
+            if (checkTakedown && (0, db_1.softDeleted)(found)) {
+                throw new xrpc_server_1.AuthRequiredError('Account has been taken down', 'AccountTakedown');
             }
-            if (err instanceof oauth_provider_1.OAuthError) {
-                throw new xrpc_server_1.XRPCError(err.status, err.error_description, err.error);
+            if (checkDeactivated && found.deactivatedAt) {
+                throw new xrpc_server_1.AuthRequiredError('Account is deactivated', 'AccountDeactivated');
             }
-            throw err;
         }
     }
-    async validateBearerAccessToken(ctx, scopes) {
-        const { did, scope } = await this.validateBearerToken(ctx, scopes, {
-            audience: this.dids.pds,
-            typ: 'at+jwt',
+    /**
+     * Wraps {@link jose.jwtVerify} into a function that also validates the token
+     * payload's type and wraps errors into {@link InvalidRequestError}.
+     */
+    async verifyBearerJwt(req, { scopes, ...options }) {
+        const token = bearerTokenFromReq(req);
+        if (!token) {
+            throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
+        }
+        const { payload, protectedHeader } = await jose
+            .jwtVerify(token, this._jwtKey, { ...options, typ: undefined })
+            .catch((cause) => {
+            if (cause instanceof jose.errors.JWTExpired) {
+                throw new xrpc_server_1.InvalidRequestError('Token has expired', 'ExpiredToken', {
+                    cause,
+                });
+            }
+            else {
+                throw new xrpc_server_1.InvalidRequestError('Token could not be verified', 'InvalidToken', { cause });
+            }
         });
-        const isPrivileged = scope === AuthScope.Access || scope === AuthScope.AppPassPrivileged;
-        return {
-            credentials: {
-                type: 'access',
-                did,
-                scope,
-                isPrivileged,
-            },
-        };
+        // @NOTE: the "typ" is now set in production environments, so we should be
+        // able to safely check it through jose.jwtVerify(). However, tests depend
+        // on @atproto/pds-entryway which does not set "typ" in the access tokens.
+        // For that reason, we still allow it to be missing.
+        if (protectedHeader.typ && options.typ !== protectedHeader.typ) {
+            throw new xrpc_server_1.InvalidRequestError('Invalid token type', 'InvalidToken');
+        }
+        const { sub, aud, scope, lxm, cnf, jti } = payload;
+        if (typeof lxm !== 'undefined') {
+            // Service auth tokens should never make it to here. But since service
+            // auth tokens do not have a "typ" header, the "typ" check above will not
+            // catch them. This check here is mainly to protect against the
+            // hypothetical case in which a PDS would issue service auth tokens using
+            // its private key.
+            throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
+        }
+        if (typeof cnf !== 'undefined') {
+            // Proof-of-Possession (PoP) tokens are not allowed here
+            // https://www.rfc-editor.org/rfc/rfc7800.html
+            throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
+        }
+        if (typeof sub !== 'string' || !sub.startsWith('did:')) {
+            throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
+        }
+        if (typeof aud !== 'string' || !aud.startsWith('did:')) {
+            throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
+        }
+        if (typeof jti !== 'string' && typeof jti !== 'undefined') {
+            throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
+        }
+        if (!(0, auth_scope_1.isAuthScope)(scope) || !scopes.includes(scope)) {
+            throw new xrpc_server_1.InvalidRequestError('Bad token scope', 'InvalidToken');
+        }
+        return { sub, aud, jti, scope: scope };
     }
-    async verifyServiceJwt(ctx, opts) {
-        this.setAuthHeaders(ctx);
+    async verifyServiceJwt(req, opts) {
         const getSigningKey = async (iss, forceRefresh) => {
-            if (opts.iss !== null && !opts.iss.includes(iss)) {
+            if (opts?.iss && !opts.iss.includes(iss)) {
                 throw new xrpc_server_1.AuthRequiredError('Untrusted issuer', 'UntrustedIss');
             }
             const [did, serviceId] = iss.split('#');
@@ -506,60 +446,41 @@ class AuthVerifier {
             }
             return didKey;
         };
-        const jwtStr = bearerTokenFromReq(ctx.req);
+        const jwtStr = bearerTokenFromReq(req);
         if (!jwtStr) {
             throw new xrpc_server_1.AuthRequiredError('missing jwt', 'MissingJwt');
         }
-        const nsid = (0, xrpc_server_1.parseReqNsid)(ctx.req);
-        const payload = await (0, xrpc_server_1.verifyJwt)(jwtStr, opts.aud, nsid, getSigningKey);
-        return { iss: payload.iss, aud: payload.aud };
-    }
-    null(ctx) {
-        this.setAuthHeaders(ctx);
-        return {
-            credentials: null,
-        };
-    }
-    isUserOrAdmin(auth, did) {
-        if (!auth.credentials) {
-            return false;
-        }
-        else if (auth.credentials.type === 'admin_token') {
-            return true;
-        }
-        else {
-            return auth.credentials.did === did;
-        }
-    }
-    async jwtVerify(token, verifyOptions) {
-        try {
-            return await jose.jwtVerify(token, this._jwtKey, verifyOptions);
-        }
-        catch (err) {
-            if (err?.['code'] === 'ERR_JWT_EXPIRED') {
-                throw new xrpc_server_1.InvalidRequestError('Token has expired', 'ExpiredToken');
-            }
-            throw new xrpc_server_1.InvalidRequestError('Token could not be verified', 'InvalidToken');
-        }
-    }
-    setAuthHeaders(ctx) {
-        const res = 'res' in ctx ? ctx.res : null;
-        if (res) {
-            res.setHeader('Cache-Control', 'private');
-            vary(res, 'Authorization');
+        const nsid = (0, xrpc_server_1.parseReqNsid)(req);
+        const payload = await (0, xrpc_server_1.verifyJwt)(jwtStr, null, nsid, getSigningKey);
+        if (payload.aud !== this.dids.pds &&
+            (!this.dids.entryway || payload.aud !== this.dids.entryway)) {
+            throw new xrpc_server_1.AuthRequiredError('jwt audience does not match service did', 'BadJwtAudience');
         }
+        return payload;
     }
 }
 exports.AuthVerifier = AuthVerifier;
 // HELPERS
 // ---------
+function isUserOrAdmin(auth, did) {
+    if (!auth.credentials) {
+        return false;
+    }
+    else if (auth.credentials.type === 'admin_token') {
+        return true;
+    }
+    else {
+        return auth.credentials.did === did;
+    }
+}
 var AuthType;
 (function (AuthType) {
     AuthType["BASIC"] = "Basic";
     AuthType["BEARER"] = "Bearer";
     AuthType["DPOP"] = "DPoP";
 })(AuthType || (AuthType = {}));
-const parseAuthorizationHeader = (authorization) => {
+const parseAuthorizationHeader = (req) => {
+    const authorization = req.headers['authorization'];
     if (!authorization)
         return [null];
     const result = authorization.split(' ');
@@ -573,26 +494,29 @@ const parseAuthorizationHeader = (authorization) => {
         return [type, result[1]];
     throw new xrpc_server_1.InvalidRequestError(`Unsupported authorization type: ${result[0]}`, 'InvalidToken');
 };
-exports.parseAuthorizationHeader = parseAuthorizationHeader;
-const isAccessToken = (req) => {
-    const [type] = (0, exports.parseAuthorizationHeader)(req.headers.authorization);
-    return type === AuthType.BEARER || type === AuthType.DPOP;
-};
-const isBearerToken = (req) => {
-    const [type] = (0, exports.parseAuthorizationHeader)(req.headers.authorization);
-    return type === AuthType.BEARER;
+/**
+ * @note Not all service auth tokens are guaranteed to have "lxm" claim, so this
+ * function should not be used to verify service auth tokens. It is only used to
+ * check if a token is definitely a service auth token.
+ */
+const isDefinitelyServiceAuth = (req) => {
+    const token = bearerTokenFromReq(req);
+    if (!token)
+        return false;
+    const payload = jose.decodeJwt(token);
+    return payload['lxm'] != null;
 };
-const isBasicToken = (req) => {
-    const [type] = (0, exports.parseAuthorizationHeader)(req.headers.authorization);
-    return type === AuthType.BASIC;
+const extractAuthType = (req) => {
+    const [type] = parseAuthorizationHeader(req);
+    return type;
 };
 const bearerTokenFromReq = (req) => {
-    const [type, token] = (0, exports.parseAuthorizationHeader)(req.headers.authorization);
+    const [type, token] = parseAuthorizationHeader(req);
     return type === AuthType.BEARER ? token : null;
 };
-const parseBasicAuth = (authorizationHeader) => {
+const parseBasicAuth = (req) => {
     try {
-        const [type, b64] = (0, exports.parseAuthorizationHeader)(authorizationHeader);
+        const [type, b64] = parseAuthorizationHeader(req);
         if (type !== AuthType.BASIC)
             return null;
         const decoded = Buffer.from(b64, 'base64').toString('utf8');
@@ -608,33 +532,18 @@ const parseBasicAuth = (authorizationHeader) => {
         return null;
     }
 };
-exports.parseBasicAuth = parseBasicAuth;
-const authScopes = new Set(Object.values(AuthScope));
-const isAuthScope = (val) => {
-    return authScopes.has(val);
-};
 const createSecretKeyObject = (secret) => {
     return (0, node_crypto_1.createSecretKey)(Buffer.from(secret));
 };
 exports.createSecretKeyObject = createSecretKeyObject;
+const keyEncoder = new key_encoder_1.default('secp256k1');
 const createPublicKeyObject = (publicKeyHex) => {
     const key = keyEncoder.encodePublic(publicKeyHex, 'raw', 'pem');
     return (0, node_crypto_1.createPublicKey)({ format: 'pem', key });
 };
 exports.createPublicKeyObject = createPublicKeyObject;
-const keyEncoder = new key_encoder_1.default('secp256k1');
-function vary(res, value) {
-    const current = res.getHeader('Vary');
-    if (current == null || typeof current === 'number') {
-        res.setHeader('Vary', value);
-    }
-    else {
-        const alreadyIncluded = Array.isArray(current)
-            ? current.some((value) => value.includes(value))
-            : current.includes(value);
-        if (!alreadyIncluded) {
-            res.appendHeader('Vary', value);
-        }
-    }
+function setAuthHeaders(res) {
+    res.setHeader('Cache-Control', 'private');
+    (0, http_1.appendVary)(res, 'Authorization');
 }
 //# sourceMappingURL=auth-verifier.js.map