npm - @atproto/pds - Versions diffs - 0.4.165 → 0.4.167 - Mend

@atproto/pds 0.4.165 → 0.4.167

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (282) hide show

package/src/api/com/atproto/server/checkAccountStatus.ts CHANGED Viewed

@@ -4,7 +4,11 @@ import { isValidDidDocForService } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.checkAccountStatus({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: () => {
+        // always allow
+      },
+    }),
     handler: async ({ auth }) => {
       const requester = auth.credentials.did
       const [

package/src/api/com/atproto/server/confirmEmail.ts CHANGED Viewed

@@ -5,7 +5,12 @@ import { ids } from '../../../../lexicon/lexicons'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.confirmEmail({
-    auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
+    auth: ctx.authVerifier.authorization({
+      checkTakedown: true,
+      authorize: (permissions) => {
+        permissions.assertAccount({ attr: 'email', action: 'manage' })
+      },
+    }),
     handler: async ({ auth, input, req }) => {
       const did = auth.credentials.did

package/src/api/com/atproto/server/createAppPassword.ts CHANGED Viewed

@@ -1,3 +1,5 @@
+import { ForbiddenError } from '@atproto/xrpc-server'
+import { ACCESS_FULL } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
@@ -5,8 +7,14 @@ import { resultPassthru } from '../../../proxy'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.createAppPassword({
-    auth: ctx.authVerifier.accessFull({
+    auth: ctx.authVerifier.authorization({
       checkTakedown: true,
+      scopes: ACCESS_FULL,
+      authorize: () => {
+        throw new ForbiddenError(
+          'OAuth credentials are not supported for this endpoint',
+        )
+      },
     }),
     handler: async ({ auth, input, req }) => {
       if (ctx.entrywayAgent) {

package/src/api/com/atproto/server/deactivateAccount.ts CHANGED Viewed

@@ -1,10 +1,19 @@
-import { AuthScope } from '../../../../auth-verifier'
+import { ForbiddenError } from '@atproto/xrpc-server'
+import { ACCESS_FULL, AuthScope } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.deactivateAccount({
-    auth: ctx.authVerifier.accessFull({ additional: [AuthScope.Takendown] }),
+    auth: ctx.authVerifier.authorization({
+      additional: [AuthScope.Takendown],
+      scopes: ACCESS_FULL,
+      authorize: () => {
+        throw new ForbiddenError(
+          'OAuth credentials are not supported for this endpoint',
+        )
+      },
+    }),
     handler: async ({ req, auth, input }) => {
       // in the case of entryway, the full flow is deactivateAccount (PDS) -> deactivateAccount (Entryway) -> updateSubjectStatus(PDS)
       if (ctx.entrywayAgent) {

package/src/api/com/atproto/server/deleteSession.ts CHANGED Viewed

@@ -12,7 +12,9 @@ export default function (server: Server, ctx: AppContext) {
     })
   } else {
     server.com.atproto.server.deleteSession({
-      auth: ctx.authVerifier.refreshExpired,
+      auth: ctx.authVerifier.refresh({
+        allowExpired: true,
+      }),
       handler: async ({ auth }) => {
         await ctx.accountManager.revokeRefreshToken(auth.credentials.tokenId)
       },

package/src/api/com/atproto/server/getAccountInviteCodes.ts CHANGED Viewed

@@ -1,5 +1,6 @@
-import { InvalidRequestError } from '@atproto/xrpc-server'
+import { ForbiddenError, InvalidRequestError } from '@atproto/xrpc-server'
 import { CodeDetail } from '../../../../account-manager/helpers/invite'
+import { ACCESS_FULL } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
@@ -8,7 +9,15 @@ import { genInvCodes } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.getAccountInviteCodes({
-    auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
+    auth: ctx.authVerifier.authorization({
+      checkTakedown: true,
+      scopes: ACCESS_FULL,
+      authorize: () => {
+        throw new ForbiddenError(
+          'OAuth credentials are not supported for this endpoint',
+        )
+      },
+    }),
     handler: async ({ params, auth, req }) => {
       if (ctx.entrywayAgent) {
         return resultPassthru(

package/src/api/com/atproto/server/getServiceAuth.ts CHANGED Viewed

@@ -1,6 +1,10 @@
 import { HOUR, MINUTE } from '@atproto/common'
 import { InvalidRequestError, createServiceJwt } from '@atproto/xrpc-server'
-import { AuthScope } from '../../../../auth-verifier'
+import {
+  AuthScope,
+  isAccessPrivileged,
+  isTakendown,
+} from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
@@ -8,19 +12,41 @@ import { PRIVILEGED_METHODS, PROTECTED_METHODS } from '../../../../pipethrough'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.getServiceAuth({
-    auth: ctx.authVerifier.accessStandard({
+    auth: ctx.authVerifier.authorization({
       additional: [AuthScope.Takendown],
+      authorize: (permissions, ctx) => {
+        const { aud, lxm = '*' } = ctx.params
+        permissions.assertRpc({ aud, lxm })
+      },
     }),
     handler: async ({ params, auth }) => {
       const did = auth.credentials.did
+      // @NOTE "exp" is expressed in seconds since epoch, not milliseconds
       const { aud, exp, lxm = null } = params
       // Takendown accounts should not be able to generate service auth tokens except for methods necessary for account migration
-      if (
-        auth.credentials.scope === AuthScope.Takendown &&
-        lxm !== ids.ComAtprotoServerCreateAccount
-      ) {
-        throw new InvalidRequestError('Bad token scope', 'InvalidToken')
+      if (auth.credentials.type === 'access') {
+        // @NOTE We should probably use "ForbiddenError" here. Using
+        // "InvalidRequestError" for legacy reasons.
+        if (
+          isTakendown(auth.credentials.scope) &&
+          lxm !== ids.ComAtprotoServerCreateAccount
+        ) {
+          throw new InvalidRequestError('Bad token scope', 'InvalidToken')
+        }
+        // @NOTE "oauth" based credentials already checked through permission
+        // set in "authorize" method above.
+        if (
+          lxm != null &&
+          PRIVILEGED_METHODS.has(lxm) &&
+          !isAccessPrivileged(auth.credentials.scope)
+        ) {
+          throw new InvalidRequestError(
+            `insufficient access to request a service auth token for the following method: ${lxm}`,
+          )
+        }
       }
       if (exp) {
@@ -43,17 +69,10 @@ export default function (server: Server, ctx: AppContext) {
         }
       }
-      if (lxm) {
-        if (PROTECTED_METHODS.has(lxm)) {
-          throw new InvalidRequestError(
-            `cannot request a service auth token for the following protected method: ${lxm}`,
-          )
-        }
-        if (!auth.credentials.isPrivileged && PRIVILEGED_METHODS.has(lxm)) {
-          throw new InvalidRequestError(
-            `insufficient access to request a service auth token for the following method: ${lxm}`,
-          )
-        }
+      if (lxm && PROTECTED_METHODS.has(lxm)) {
+        throw new InvalidRequestError(
+          `cannot request a service auth token for the following protected method: ${lxm}`,
+        )
       }
       const keypair = await ctx.actorStore.keypair(did)

package/src/api/com/atproto/server/getSession.ts CHANGED Viewed

@@ -2,27 +2,27 @@ import { ComAtprotoServerGetSession } from '@atproto/api'
 import { INVALID_HANDLE } from '@atproto/syntax'
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { formatAccountStatus } from '../../../../account-manager/account-manager'
-import { AccessOutput, AuthScope, OAuthOutput } from '../../../../auth-verifier'
+import { AccessOutput, OAuthOutput } from '../../../../auth-output'
+import { AuthScope } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { didDocForSession } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.getSession({
-    auth: ctx.authVerifier.accessStandard({
+    auth: ctx.authVerifier.authorization({
       additional: [AuthScope.SignupQueued],
+      authorize: () => {
+        // Always allowed. "email" access is checked in the handler.
+      },
     }),
     handler: async ({ auth, req }) => {
       if (ctx.entrywayAgent) {
-        // Allow proxying of dpop bound requests by using service auth instead
-        const headers =
-          auth.credentials.type === 'oauth' // DPoP bound tokens cannot be proxied
-            ? await ctx.entrywayAuthHeaders(
-                req,
-                auth.credentials.did,
-                'com.atproto.server.getSession',
-              )
-            : ctx.entrywayPassthruHeaders(req)
+        const headers = await ctx.entrywayAuthHeaders(
+          req,
+          auth.credentials.did,
+          'com.atproto.server.getSession',
+        )
         const res = await ctx.entrywayAgent.com.atproto.server.getSession(
           undefined,
@@ -65,23 +65,16 @@ export default function (server: Server, ctx: AppContext) {
 }
 function output(
-  { credentials }: AccessOutput | OAuthOutput,
+  { credentials }: OAuthOutput | AccessOutput,
   data: ComAtprotoServerGetSession.OutputSchema,
 ): ComAtprotoServerGetSession.OutputSchema {
-  switch (credentials.type) {
-    case 'access':
-      return data
-    case 'oauth':
-      if (!credentials.oauthScopes.has('transition:email')) {
-        const { email, emailAuthFactor, emailConfirmed, ...rest } = data
-        return rest
-      }
-      return data
-    default:
-      // @ts-expect-error
-      throw new Error(`Unknown credentials type: ${credentials.type}`)
+  if (
+    credentials.type === 'oauth' &&
+    !credentials.permissions.allowsAccount({ attr: 'email', action: 'read' })
+  ) {
+    const { email, emailAuthFactor, emailConfirmed, ...rest } = data
+    return rest
   }
+  return data
 }

package/src/api/com/atproto/server/listAppPasswords.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { ForbiddenError } from '@atproto/xrpc-server'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
@@ -5,7 +6,13 @@ import { resultPassthru } from '../../../proxy'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.listAppPasswords({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: () => {
+        throw new ForbiddenError(
+          'OAuth credentials are not supported for this endpoint',
+        )
+      },
+    }),
     handler: async ({ auth, req }) => {
       if (ctx.entrywayAgent) {
         return resultPassthru(

package/src/api/com/atproto/server/refreshSession.ts CHANGED Viewed

@@ -9,7 +9,7 @@ import { didDocForSession } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.refreshSession({
-    auth: ctx.authVerifier.refresh,
+    auth: ctx.authVerifier.refresh(),
     handler: async ({ auth, req }) => {
       const did = auth.credentials.did
       const user = await ctx.accountManager.getAccount(did, {

package/src/api/com/atproto/server/requestAccountDelete.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { DAY, HOUR } from '@atproto/common'
-import { InvalidRequestError } from '@atproto/xrpc-server'
+import { ForbiddenError, InvalidRequestError } from '@atproto/xrpc-server'
+import { ACCESS_FULL } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
@@ -18,7 +19,15 @@ export default function (server: Server, ctx: AppContext) {
         calcKey: ({ auth }) => auth.credentials.did,
       },
     ],
-    auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
+    auth: ctx.authVerifier.authorization({
+      checkTakedown: true,
+      scopes: ACCESS_FULL,
+      authorize: () => {
+        throw new ForbiddenError(
+          'OAuth credentials are not supported for this endpoint',
+        )
+      },
+    }),
     handler: async ({ auth, req }) => {
       const did = auth.credentials.did
       const account = await ctx.accountManager.getAccount(did, {

package/src/api/com/atproto/server/requestEmailConfirmation.ts CHANGED Viewed

@@ -18,7 +18,12 @@ export default function (server: Server, ctx: AppContext) {
         calcKey: ({ auth }) => auth.credentials.did,
       },
     ],
-    auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
+    auth: ctx.authVerifier.authorization({
+      checkTakedown: true,
+      authorize: (permissions) => {
+        permissions.assertAccount({ attr: 'email', action: 'manage' })
+      },
+    }),
     handler: async ({ auth, req }) => {
       const did = auth.credentials.did
       const account = await ctx.accountManager.getAccount(did, {

package/src/api/com/atproto/server/requestEmailUpdate.ts CHANGED Viewed

@@ -19,7 +19,12 @@ export default function (server: Server, ctx: AppContext) {
         calcKey: ({ auth }) => auth.credentials.did,
       },
     ],
-    auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
+    auth: ctx.authVerifier.authorization({
+      checkTakedown: true,
+      authorize: (permissions) => {
+        permissions.assertAccount({ attr: 'email', action: 'manage' })
+      },
+    }),
     handler: async ({ auth, req }) => {
       const did = auth.credentials.did
       const account = await ctx.accountManager.getAccount(did, {

package/src/api/com/atproto/server/revokeAppPassword.ts CHANGED Viewed

@@ -1,10 +1,17 @@
+import { ForbiddenError } from '@atproto/xrpc-server'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.revokeAppPassword({
-    auth: ctx.authVerifier.accessStandard(),
+    auth: ctx.authVerifier.authorization({
+      authorize: () => {
+        throw new ForbiddenError(
+          'OAuth credentials are not supported for this endpoint',
+        )
+      },
+    }),
     handler: async ({ auth, input, req }) => {
       if (ctx.entrywayAgent) {
         await ctx.entrywayAgent.com.atproto.server.revokeAppPassword(

package/src/api/com/atproto/server/updateEmail.ts CHANGED Viewed

@@ -1,14 +1,23 @@
 import { isEmailValid } from '@hapi/address'
 import { isDisposableEmail } from 'disposable-email-domains-js'
-import { InvalidRequestError } from '@atproto/xrpc-server'
+import { ForbiddenError, InvalidRequestError } from '@atproto/xrpc-server'
 import { UserAlreadyExistsError } from '../../../../account-manager/helpers/account'
+import { ACCESS_FULL } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { ids } from '../../../../lexicon/lexicons'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.updateEmail({
-    auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
+    auth: ctx.authVerifier.authorization({
+      checkTakedown: true,
+      scopes: ACCESS_FULL,
+      authorize: () => {
+        throw new ForbiddenError(
+          'OAuth credentials are not supported for this endpoint',
+        )
+      },
+    }),
     handler: async ({ auth, input, req }) => {
       const did = auth.credentials.did
       const { token, email } = input.body

package/src/api/com/atproto/sync/deprecated/getCheckout.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { isUserOrAdmin } from '../../../../../auth-verifier'
 import { AppContext } from '../../../../../context'
 import { Server } from '../../../../../lexicon'
 import { getCarStream } from '../getRepo'
@@ -5,14 +6,14 @@ import { assertRepoAvailability } from '../util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.getCheckout({
-    auth: ctx.authVerifier.optionalAccessOrAdminToken(),
+    auth: ctx.authVerifier.authorizationOrAdminTokenOptional({
+      authorize: () => {
+        // always allow
+      },
+    }),
     handler: async ({ params, auth }) => {
       const { did } = params
-      await assertRepoAvailability(
-        ctx,
-        did,
-        ctx.authVerifier.isUserOrAdmin(auth, did),
-      )
+      await assertRepoAvailability(ctx, did, isUserOrAdmin(auth, did))
       const carStream = await getCarStream(ctx, did)

package/src/api/com/atproto/sync/deprecated/getHead.ts CHANGED Viewed

@@ -1,18 +1,19 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
+import { isUserOrAdmin } from '../../../../../auth-verifier'
 import { AppContext } from '../../../../../context'
 import { Server } from '../../../../../lexicon'
 import { assertRepoAvailability } from '../util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.getHead({
-    auth: ctx.authVerifier.optionalAccessOrAdminToken(),
+    auth: ctx.authVerifier.authorizationOrAdminTokenOptional({
+      authorize: () => {
+        // always allow
+      },
+    }),
     handler: async ({ params, auth }) => {
       const { did } = params
-      await assertRepoAvailability(
-        ctx,
-        did,
-        ctx.authVerifier.isUserOrAdmin(auth, did),
-      )
+      await assertRepoAvailability(ctx, did, isUserOrAdmin(auth, did))
       const root = await ctx.actorStore.read(did, (store) =>
         store.repo.storage.getRoot(),

package/src/api/com/atproto/sync/getBlob.ts CHANGED Viewed

@@ -1,23 +1,23 @@
 import { CID } from 'multiformats/cid'
 import { BlobNotFoundError } from '@atproto/repo'
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { AuthScope } from '../../../../auth-verifier'
+import { AuthScope } from '../../../../auth-scope'
+import { isUserOrAdmin } from '../../../../auth-verifier'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { assertRepoAvailability } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.getBlob({
-    auth: ctx.authVerifier.optionalAccessOrAdminToken({
+    auth: ctx.authVerifier.authorizationOrAdminTokenOptional({
       additional: [AuthScope.Takendown],
+      authorize: () => {
+        // always allow
+      },
     }),
     handler: async ({ params, res, auth }) => {
       const { did } = params
-      await assertRepoAvailability(
-        ctx,
-        did,
-        ctx.authVerifier.isUserOrAdmin(auth, did),
-      )
+      await assertRepoAvailability(ctx, did, isUserOrAdmin(auth, did))
       const cid = CID.parse(params.cid)
       const found = await ctx.actorStore.read(params.did, async (store) => {

package/src/api/com/atproto/sync/getBlocks.ts CHANGED Viewed

@@ -2,20 +2,21 @@ import { CID } from 'multiformats/cid'
 import { byteIterableToStream } from '@atproto/common'
 import { blocksToCarStream } from '@atproto/repo'
 import { InvalidRequestError } from '@atproto/xrpc-server'
+import { isUserOrAdmin } from '../../../../auth-verifier'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { assertRepoAvailability } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.getBlocks({
-    auth: ctx.authVerifier.optionalAccessOrAdminToken(),
+    auth: ctx.authVerifier.authorizationOrAdminTokenOptional({
+      authorize: () => {
+        // always allow
+      },
+    }),
     handler: async ({ params, auth }) => {
       const { did } = params
-      await assertRepoAvailability(
-        ctx,
-        did,
-        ctx.authVerifier.isUserOrAdmin(auth, did),
-      )
+      await assertRepoAvailability(ctx, did, isUserOrAdmin(auth, did))
       const cids = params.cids.map((c) => CID.parse(c))
       const got = await ctx.actorStore.read(did, (store) =>

package/src/api/com/atproto/sync/getLatestCommit.ts CHANGED Viewed

@@ -1,18 +1,19 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
+import { isUserOrAdmin } from '../../../../auth-verifier'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { assertRepoAvailability } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.getLatestCommit({
-    auth: ctx.authVerifier.optionalAccessOrAdminToken(),
+    auth: ctx.authVerifier.authorizationOrAdminTokenOptional({
+      authorize: () => {
+        // always allow
+      },
+    }),
     handler: async ({ params, auth }) => {
       const { did } = params
-      await assertRepoAvailability(
-        ctx,
-        did,
-        ctx.authVerifier.isUserOrAdmin(auth, did),
-      )
+      await assertRepoAvailability(ctx, did, isUserOrAdmin(auth, did))
       const root = await ctx.actorStore.read(did, (store) =>
         store.repo.storage.getRootDetailed(),

package/src/api/com/atproto/sync/getRecord.ts CHANGED Viewed

@@ -3,20 +3,21 @@ import { byteIterableToStream } from '@atproto/common'
 import * as repo from '@atproto/repo'
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { SqlRepoReader } from '../../../../actor-store/repo/sql-repo-reader'
+import { isUserOrAdmin } from '../../../../auth-verifier'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { assertRepoAvailability } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.getRecord({
-    auth: ctx.authVerifier.optionalAccessOrAdminToken(),
+    auth: ctx.authVerifier.authorizationOrAdminTokenOptional({
+      authorize: () => {
+        // always allow
+      },
+    }),
     handler: async ({ params, auth }) => {
       const { did, collection, rkey } = params
-      await assertRepoAvailability(
-        ctx,
-        did,
-        ctx.authVerifier.isUserOrAdmin(auth, did),
-      )
+      await assertRepoAvailability(ctx, did, isUserOrAdmin(auth, did))
       // must open up the db outside of store interface so that we can close the file handle after finished streaming
       const actorDb = await ctx.actorStore.openDb(did)

package/src/api/com/atproto/sync/getRepo.ts CHANGED Viewed

@@ -5,23 +5,23 @@ import {
   RepoRootNotFoundError,
   SqlRepoReader,
 } from '../../../../actor-store/repo/sql-repo-reader'
-import { AuthScope } from '../../../../auth-verifier'
+import { AuthScope } from '../../../../auth-scope'
+import { isUserOrAdmin } from '../../../../auth-verifier'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { assertRepoAvailability } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.getRepo({
-    auth: ctx.authVerifier.optionalAccessOrAdminToken({
+    auth: ctx.authVerifier.authorizationOrAdminTokenOptional({
       additional: [AuthScope.Takendown],
+      authorize: () => {
+        // always allow
+      },
     }),
     handler: async ({ params, auth }) => {
       const { did, since } = params
-      await assertRepoAvailability(
-        ctx,
-        did,
-        ctx.authVerifier.isUserOrAdmin(auth, did),
-      )
+      await assertRepoAvailability(ctx, did, isUserOrAdmin(auth, did))
       const carStream = await getCarStream(ctx, did, since)

package/src/api/com/atproto/sync/listBlobs.ts CHANGED Viewed

@@ -1,20 +1,20 @@
-import { AuthScope } from '../../../../auth-verifier'
+import { AuthScope } from '../../../../auth-scope'
+import { isUserOrAdmin } from '../../../../auth-verifier'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { assertRepoAvailability } from './util'
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.listBlobs({
-    auth: ctx.authVerifier.optionalAccessOrAdminToken({
+    auth: ctx.authVerifier.authorizationOrAdminTokenOptional({
       additional: [AuthScope.Takendown],
+      authorize: () => {
+        // always allow
+      },
     }),
     handler: async ({ params, auth }) => {
       const { did, since, limit, cursor } = params
-      await assertRepoAvailability(
-        ctx,
-        did,
-        ctx.authVerifier.isUserOrAdmin(auth, did),
-      )
+      await assertRepoAvailability(ctx, did, isUserOrAdmin(auth, did))
       const blobCids = await ctx.actorStore.read(did, (store) =>
         store.repo.blob.listBlobs({ since, limit, cursor }),

package/src/api/com/atproto/temp/checkSignupQueue.ts CHANGED Viewed

@@ -1,4 +1,5 @@
-import { AuthScope } from '../../../../auth-verifier'
+import { ForbiddenError } from '@atproto/xrpc-server'
+import { AuthScope } from '../../../../auth-scope'
 import { AppContext } from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { resultPassthru } from '../../../proxy'
@@ -6,8 +7,13 @@ import { resultPassthru } from '../../../proxy'
 // THIS IS A TEMPORARY UNSPECCED ROUTE
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.temp.checkSignupQueue({
-    auth: ctx.authVerifier.accessStandard({
+    auth: ctx.authVerifier.authorization({
       additional: [AuthScope.SignupQueued],
+      authorize: () => {
+        throw new ForbiddenError(
+          'OAuth credentials are not supported for this endpoint',
+        )
+      },
     }),
     handler: async ({ req }) => {
       if (!ctx.entrywayAgent) {