@atproto/pds 0.4.195 → 0.4.197

Files changed (37) hide show
  1. package/CHANGELOG.md +28 -0
  2. package/dist/account-manager/db/schema/lexicon.d.ts +2 -2
  3. package/dist/account-manager/db/schema/lexicon.d.ts.map +1 -1
  4. package/dist/account-manager/db/schema/lexicon.js.map +1 -1
  5. package/dist/api/com/atproto/admin/getInviteCodes.d.ts +1 -1
  6. package/dist/api/com/atproto/sync/listRepos.d.ts +1 -1
  7. package/dist/config/config.d.ts +1 -1
  8. package/dist/config/config.d.ts.map +1 -1
  9. package/dist/config/config.js +6 -3
  10. package/dist/config/config.js.map +1 -1
  11. package/dist/config/env.d.ts +100 -101
  12. package/dist/config/env.d.ts.map +1 -1
  13. package/dist/config/env.js +6 -5
  14. package/dist/config/env.js.map +1 -1
  15. package/dist/context.d.ts.map +1 -1
  16. package/dist/context.js +23 -39
  17. package/dist/context.js.map +1 -1
  18. package/dist/db/pagination.d.ts +1 -1
  19. package/dist/handle/index.d.ts +1 -1
  20. package/dist/handle/index.d.ts.map +1 -1
  21. package/dist/lexicon/lexicons.d.ts +4 -4
  22. package/dist/lexicon/lexicons.js +8 -8
  23. package/dist/lexicon/lexicons.js.map +1 -1
  24. package/dist/lexicon/types/tools/ozone/moderation/defs.d.ts +1 -1
  25. package/dist/lexicon/types/tools/ozone/moderation/defs.d.ts.map +1 -1
  26. package/dist/lexicon/types/tools/ozone/moderation/defs.js.map +1 -1
  27. package/dist/lexicon/types/tools/ozone/team/defs.d.ts +1 -1
  28. package/dist/lexicon/types/tools/ozone/team/defs.d.ts.map +1 -1
  29. package/dist/lexicon/types/tools/ozone/team/defs.js.map +1 -1
  30. package/package.json +12 -13
  31. package/src/account-manager/db/schema/lexicon.ts +2 -2
  32. package/src/config/config.ts +7 -3
  33. package/src/config/env.ts +6 -150
  34. package/src/context.ts +39 -47
  35. package/src/lexicon/lexicons.ts +8 -8
  36. package/src/lexicon/types/tools/ozone/moderation/defs.ts +4 -4
  37. package/src/lexicon/types/tools/ozone/team/defs.ts +4 -4
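--- a/package/dist/context.js
+++ b/package/dist/context.js
@@ -46,7 +46,6 @@ const api_1 = require("@atproto/api");
  const aws_1 = require("@atproto/aws");
  const crypto = __importStar(require("@atproto/crypto"));
  const identity_1 = require("@atproto/identity");
- const lexicon_resolver_1 = require("@atproto/lexicon-resolver");
  const oauth_provider_1 = require("@atproto/oauth-provider");
  const xrpc_server_1 = require("@atproto/xrpc-server");
  const fetch_node_1 = require("@atproto-labs/fetch-node");
@@ -366,43 +365,6 @@ class AppContext {
  return globalThis.fetch.call(this, input, init);
  },
  });
- const baseLexiconResolver = (0, lexicon_resolver_1.buildLexiconResolver)({
- idResolver,
- rpc: { fetch: safeFetch },
- });
- const getLexiconAuthority = (_nsid) => {
- // At the moment, only a single override strategy is supported by
- // specifying a did through which all the lexicons will be resolved. We
- // might need more granular control in the future (e.g. per-nsid
- // overrides)
- return cfg.lexicon.didAuthority;
- };
- const lexiconResolver = async (input) => {
- const nsid = String(input);
- try {
- const result = await baseLexiconResolver(input, {
- didAuthority: getLexiconAuthority(nsid),
- // Right now, the lexicon resolver is only used by the oauth-provider,
- // which caches the responses internally (through the LexiconStore).
- // Since the `LexiconResolver` does not allow specifying a
- // `forceRefresh` option, we hard code it here. Should PDSs need to
- // resolve lexicons for other purposes (e.g. record validation), we'd
- // probably want to either implement caching as built into the
- // lexiconResolver here, or allow the caller (oauth-provider, etc.) to
- // specify a `forceRefresh` option by altering the LexiconResolver
- // interface.
- forceRefresh: true,
- });
- const cid = result.cid.toString();
- const uri = result.uri.toString();
- logger_1.lexiconResolverLogger.info({ nsid, uri, cid }, 'Resolved lexicon');
- return result;
- }
- catch (err) {
- logger_1.lexiconResolverLogger.error({ nsid, err }, 'Lexicon resolution failed');
- throw err;
- }
- };
  const oauthProvider = cfg.oauth.provider
  ? new oauth_provider_1.OAuthProvider({
  issuer: cfg.oauth.issuer,
@@ -415,7 +377,29 @@ class AppContext {
  hcaptcha: cfg.oauth.provider.hcaptcha,
  branding: cfg.oauth.provider.branding,
  safeFetch,
- lexiconResolver,
+ lexResolver: new oauth_provider_1.LexResolver({
+ fetch: safeFetch,
+ plcDirectoryUrl: cfg.identity.plcUrl,
+ hooks: {
+ onResolveAuthority: ({ nsid }) => {
+ logger_1.lexiconResolverLogger.debug({ nsid: nsid.toString() }, 'Resolving lexicon DID authority');
+ // Override the lexicon did resolution to point to a custom PDS
+ return cfg.lexicon.didAuthority;
+ },
+ onResolveAuthorityResult({ nsid, did }) {
+ logger_1.lexiconResolverLogger.info({ nsid: nsid.toString(), did }, 'Resolved lexicon DID');
+ },
+ onResolveAuthorityError({ nsid, err }) {
+ logger_1.lexiconResolverLogger.error({ nsid: nsid.toString(), err }, 'Lexicon DID resolution error');
+ },
+ onFetchResult({ uri, cid }) {
+ logger_1.lexiconResolverLogger.info({ uri: uri.toString(), cid: cid.toString() }, 'Fetched lexicon');
+ },
+ onFetchError({ err, uri }) {
+ logger_1.lexiconResolverLogger.error({ uri: uri.toString(), err }, 'Lexicon fetch error');
+ },
+ },
+ }),
  metadata: {
  protected_resources: [new URL(cfg.oauth.issuer).origin],
  },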
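Review bot: In the third hunk, `onResolveAuthority` returns `cfg.lexicon.didAuthority` for every NSID but records it only at debug level, so at info level the later 'Resolved lexicon DID' entry cannot be told apart from an authority that was looked up normally. This resolver is passed to `OAuthProvider`, so the override presumably decides whose lexicon documents the provider accepts; log it at info when it is set, e.g. `if (cfg.lexicon.didAuthority) logger_1.lexiconResolverLogger.info({ nsid: nsid.toString(), did: cfg.lexicon.didAuthority }, 'Lexicon DID authority overridden by config');`, and restore the removed explanation as a comment: `// A configured didAuthority applies to all NSIDs; when unset, the resolver's default authority lookup is expected to run (confirm).` The removed code also passed the shared `idResolver` and `forceRefresh: true`; whether `LexResolver` keeps equivalent timeout and refresh behaviour is not visible in this diff and should be confirmed. The enclosing method of `AppContext` begins and ends outside these hunks, and the edit belongs in the TypeScript source this file is compiled from.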
@@ -1 +1 @@
1
- {"version":3,"file":"context.js","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8DAAgC;AAChC,kDAAmC;AAGnC,uDAAwC;AACxC,iDAAkC;AAClC,+CAAgC;AAChC,sCAAuC;AACvC,sCAAsD;AACtD,wDAAyC;AACzC,gDAA8C;AAC9C,gEAGkC;AAClC,4DAKgC;AAEhC,sDAG6B;AAC7B,yDAKiC;AACjC,uEAAkE;AAClE,+DAA0D;AAC1D,qFAA+E;AAC/E,2DAAsD;AACtD,uCAAwD;AACxD,mDAIwB;AACxB,6CAA8C;AAC9C,mDAA6C;AAE7C,yCAAqC;AACrC,2CAA4C;AAC5C,qDAAgD;AAChD,iEAA2D;AAC3D,qCAA0E;AAC1E,qCAAuC;AACvC,oDAAsD;AACtD,sDAA2E;AAC3E,mCAAwC;AACxC,2CAAuC;AA6BvC,MAAa,UAAU;IA0BrB,YAAY,IAAuB;QAzB5B;;;;;WAAsB;QACtB;;;;;WAAqC;QACrC;;;;;WAA+B;QAC/B;;;;;WAAoB;QACpB;;;;;WAAkC;QAClC;;;;;WAAwB;QACxB;;;;;WAAsB;QACtB;;;;;WAAqB;QACrB;;;;;WAA8B;QAC9B;;;;;WAAoB;QACpB;;;;;WAAgC;QAChC;;;;;WAAoB;QACpB;;;;;WAAkB;QAClB;;;;;WAAyB;QACzB;;;;;WAAqC;QACrC;;;;;WAAoC;QACpC;;;;;WAAmC;QACnC;;;;;WAAwC;QACxC;;;;;WAA6B;QAC7B;;;;;WAAgB;QAChB;;;;;WAA0B;QAC1B;;;;;WAA6B;QAC7B;;;;;WAA8B;QAC9B;;;;;WAAiB;QAGtB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAA;QACjC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;QAC/B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAA;QACnC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAA;QACzB,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAA;QAC7C,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAA;QAC7B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAA;QACjC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;QAC/B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAA;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;QAC/B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAA;QAC3C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAA;QACrC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAA;QAC7B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAA;QACnC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAA;QAC3C,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAA;QACzC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAA;QACvC,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAA;QACjD,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAA;QACjC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;QAC/B,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAA;QACrC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAA;QACvC,IAAI,CA
AC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAA;QACzC,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,UAAU,CACrB,GAAiB,EACjB,OAAsB,EACtB,SAAsC;QAEtC,MAAM,SAAS,GACb,GAAG,CAAC,SAAS,CAAC,QAAQ,KAAK,IAAI;YAC7B,CAAC,CAAC,iBAAW,CAAC,OAAO,CAAC;gBAClB,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM;gBAC5B,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM;gBAC5B,QAAQ,EAAE,GAAG,CAAC,SAAS,CAAC,QAAQ;gBAChC,cAAc,EAAE,GAAG,CAAC,SAAS,CAAC,cAAc;gBAC5C,WAAW,EAAE,GAAG,CAAC,SAAS,CAAC,WAAW;gBACtC,eAAe,EAAE,GAAG,CAAC,SAAS,CAAC,eAAe;aAC/C,CAAC;YACJ,CAAC,CAAC,8BAAa,CAAC,OAAO,CACnB,GAAG,CAAC,SAAS,CAAC,QAAQ,EACtB,GAAG,CAAC,SAAS,CAAC,YAAY,CAC3B,CAAA;QAEP,MAAM,aAAa,GACjB,GAAG,CAAC,KAAK,KAAK,IAAI;YAChB,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC;YAC/C,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAA;QAEzD,MAAM,MAAM,GAAG,IAAI,qBAAY,CAAC,aAAa,EAAE,GAAG,CAAC,CAAA;QAEnD,MAAM,gBAAgB,GACpB,GAAG,CAAC,eAAe,KAAK,IAAI;YAC1B,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC;YACzD,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAA;QAEzD,MAAM,gBAAgB,GAAG,IAAI,6BAAgB,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAA;QAEpE,MAAM,QAAQ,GAAG,IAAI,0BAAc,CACjC,GAAG,CAAC,EAAE,CAAC,aAAa,EACpB,GAAG,CAAC,QAAQ,CAAC,aAAa,EAC1B,GAAG,CAAC,QAAQ,CAAC,WAAW,EACxB,GAAG,CAAC,EAAE,CAAC,wBAAwB,CAChC,CAAA;QACD,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAA;QAE/B,MAAM,UAAU,GAAG,IAAI,qBAAU,CAAC;YAChC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,MAAM;YAC3B,QAAQ;YACR,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,eAAe;YACrC,iBAAiB,EAAE,GAAG,CAAC,QAAQ,CAAC,uBAAuB;SACxD,CAAC,CAAA;QACF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QAErD,MAAM,eAAe,GAAG,IAAI,4BAAe,EAAE,CAAA;QAC7C,MAAM,QAAQ,GAAG,IAAI,mBAAQ,CAC3B,GAAG,CAAC,OAAO,CAAC,QAAQ,EACpB,GAAG,CAAC,QAAQ,EACZ,eAAe,CAChB,CAAA;QACD,MAAM,SAAS,GAAG,IAAI,qBAAS,CAC7B,GAAG,CAAC,EAAE,CAAC,cAAc,EACrB,QAAQ,EACR,SAAS,EACT,GAAG,CAAC,EAAE,CAAC,wBAAwB,CAChC,CAAA;QACD,MAAM,YAAY,GAAG,GAAG,CAAC,KAAK;YAC5B,CAAC,CAAC,IAAA,sBAAc,EAAC,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC;YACvD,CAAC,C
AAC,SAAS,CAAA;QAEb,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW;YACjC,CAAC,CAAC,IAAI,2BAAW,CAAC,GAAG,CAAC,WAAW,CAAC;YAClC,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,eAAe,GAAG,GAAG,CAAC,UAAU;YACpC,CAAC,CAAC,IAAI,cAAQ,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YAC/C,CAAC,CAAC,SAAS,CAAA;QACb,MAAM,cAAc,GAAG,GAAG,CAAC,aAAa;YACtC,CAAC,CAAC,IAAI,cAAQ,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC;YAClD,CAAC,CAAC,SAAS,CAAA;QACb,MAAM,aAAa,GAAG,GAAG,CAAC,QAAQ;YAChC,CAAC,CAAC,IAAI,cAAQ,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;YAC7C,CAAC,CAAC,SAAS,CAAA;QACb,IAAI,kBAAwC,CAAA;QAC5C,IAAI,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAC/C,kBAAkB,GAAG,IAAI,cAAQ,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAA;YAChE,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAC9B,eAAe,EACf,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,kBAAkB,CAAC,CACrD,CAAA;QACH,CAAC;QAED,MAAM,YAAY,GAAG,IAAA,qCAAqB,EAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QAC7D,MAAM,YAAY,GAAG,GAAG,CAAC,QAAQ;YAC/B,CAAC,CAAC,IAAA,qCAAqB,EAAC,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC;YACrD,CAAC,CAAC,IAAI,CAAA;QAER,MAAM,eAAe,GAAG,IAAI,mCAAe,CACzC,GAAG,CAAC,OAAO,CAAC,QAAQ,EACpB,WAAW,CACZ,CAAA;QAED,MAAM,UAAU,GAAG,IAAI,wBAAU,CAAC,GAAG,CAAC,UAAU,EAAE;YAChD,SAAS;YACT,eAAe;SAChB,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,IAAI,gCAAc,CACvC,UAAU,EACV,YAAY,EACZ,GAAG,CAAC,OAAO,CAAC,GAAG,EACf,GAAG,CAAC,QAAQ,CAAC,oBAAoB,EACjC,GAAG,CAAC,EAAE,CACP,CAAA;QACD,MAAM,cAAc,CAAC,cAAc,EAAE,CAAA;QAErC,MAAM,cAAc,GAClB,OAAO,CAAC,cAAc,CAAC,QAAQ,KAAK,KAAK;YACvC,CAAC,CAAC,MAAM,gBAAU,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,OAAO,CAAC,cAAc,CAAC,KAAK;aACpC,CAAC;YACJ,CAAC,CAAC,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAClC,OAAO,CAAC,cAAc,CAAC,aAAa,CACrC,CAAA;QAEP,MAAM,WAAW,GAAG,oBAAW,CAAC,OAAO,CACrC,cAAc,EACd,eAAe,EACf,WAAW,CACZ,CAAA;QAED,qEAAqE;QACrE,MAAM,cAAc,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC;YACtC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,UAAU,EAAE,uBAAuB;YACtD,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,cAAc;YACxC,eAAe,EAAE,GAAG,CAAC,KAAK,CAAC,eAAe;YAC1C,WAAW,EAAE,GAAG,CAAC,KAAK,CAAC,WAAW;YAClC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,qBAAqB;gBACtC,CAAC,CAAC,SAAS;gBACX,C
AAC,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE;oBACf,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAC1B,MAAM,YAAY,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAA;oBAClD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;wBAC1B,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,GAAG,CAAC,CAAA;oBACrD,CAAC;oBACD,IAAI,IAAA,wBAAW,EAAC,QAAQ,CAAC,KAAK,KAAK,EAAE,CAAC;wBACpC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAA;oBAC7D,CAAC;oBACD,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;gBACtC,CAAC;YACL,OAAO,EAAE;gBACP,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,0BAAa;aACpE;SACF,CAAC,CAAA;QACF,MAAM,UAAU,GACd,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC;YACtB,CAAC,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,cAAc,EAAE;gBACpC,WAAW,EAAE,EAAE,EAAE,8BAA8B;gBAC/C,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;gBACxB,UAAU,EAAE,GAAG,CAAC,KAAK,CAAC,UAAU;aACjC,CAAC;YACJ,CAAC,CAAC,cAAc,CAAA;QAEpB;;;;;;;;WAQG;QACH,MAAM,SAAS,GAAG,IAAA,0BAAa,EAAC;YAC9B,WAAW,EAAE,KAAK;YAClB,qBAAqB,EAAE,KAAK;YAC5B,eAAe,EAAE,GAAG,CAAC,KAAK,CAAC,eAAe;YAC1C,cAAc,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,qBAAqB;YAEhD,yEAAyE;YACzE,mEAAmE;YACnE,yEAAyE;YACzE,oEAAoE;YACpE,uEAAuE;YACvE,qEAAqE;YACrE,uEAAuE;YACvE,qEAAqE;YACrE,8BAA8B,EAAE,IAAI;YACpC,KAAK,EAAE,UAAU,KAAK,EAAE,IAAI;gBAC1B,MAAM,MAAM,GACV,IAAI,EAAE,MAAM,IAAI,CAAC,KAAK,YAAY,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;gBACnE,MAAM,GAAG,GAAG,KAAK,YAAY,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;gBAEhE,oBAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,OAAO,CAAC,CAAA;gBAE1C,OAAO,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;YACjD,CAAC;SACF,CAAC,CAAA;QAEF,MAAM,mBAAmB,GAAG,IAAA,uCAAoB,EAAC;YAC/C,UAAU;YACV,GAAG,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;SAC1B,CAAC,CAAA;QAEF,MAAM,mBAAmB,GAAG,CAAC,KAAa,EAAsB,EAAE;YAChE,iEAAiE;YACjE,uEAAuE;YACvE,gEAAgE;YAChE,aAAa;YACb,OAAO,GAAG,CAAC,OAAO,CAAC,YAAY,CAAA;QACjC,CAAC,CAAA;QAED,MAAM,eAAe,GAAoB,KAAK,EAAE,KAAK,EAAE,EAAE;YACvD,MAAM,IAAI,GAAW,MAAM,CAAC,KAAK,CAAC,CAAA;YAClC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,KAAK,EAAE;oBAC
9C,YAAY,EAAE,mBAAmB,CAAC,IAAI,CAAC;oBACvC,sEAAsE;oBACtE,oEAAoE;oBACpE,0DAA0D;oBAC1D,mEAAmE;oBACnE,qEAAqE;oBACrE,8DAA8D;oBAC9D,sEAAsE;oBACtE,kEAAkE;oBAClE,aAAa;oBACb,YAAY,EAAE,IAAI;iBACnB,CAAC,CAAA;gBAEF,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAA;gBACjC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAA;gBACjC,8BAAqB,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,kBAAkB,CAAC,CAAA;gBAElE,OAAO,MAAM,CAAA;YACf,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,8BAAqB,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,2BAA2B,CAAC,CAAA;gBAEvE,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC,CAAA;QAED,MAAM,aAAa,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ;YACtC,CAAC,CAAC,IAAI,8BAAa,CAAC;gBAChB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM;gBACxB,MAAM,EAAE,CAAC,MAAM,wBAAO,CAAC,WAAW,CAAC,YAAY,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;gBACrE,KAAK,EAAE,IAAI,wBAAU,CACnB,cAAc,EACd,UAAU,EACV,eAAe,EACf,eAAe,EACf,MAAM,EACN,SAAS,EACT,SAAS,EACT,cAAc,EACd,GAAG,CAAC,OAAO,CAAC,SAAS,EACrB,GAAG,CAAC,QAAQ,CAAC,cAAc,CAC5B;gBACD,KAAK,EAAE,YAAY;gBACnB,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,kBAAkB,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ;gBACxC,oBAAoB,EAAE,GAAG,CAAC,QAAQ,CAAC,oBAAoB;gBACvD,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ;gBACrC,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ;gBACrC,SAAS;gBACT,eAAe;gBACf,QAAQ,EAAE;oBACR,mBAAmB,EAAE,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;iBACxD;gBACD,mEAAmE;gBACnE,gEAAgE;gBAChE,kEAAkE;gBAClE,oEAAoE;gBACpE,0DAA0D;gBAC1D,eAAe,EAAE,gCAAe,CAAC,QAAQ;gBAEzC,aAAa,CAAC,QAAQ;oBACpB,OAAO;wBACL,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,cAAc,EAAE,QAAQ,CAAC,QAAQ,CAAC;qBAClE,CAAA;gBACH,CAAC;aACF,CAAC;YACJ,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,cAAc,GAAG,aAAa;YAClC,CAAC,CAAC,IAAI,6CAAoB,CAAC,aAAa,EAAE,YAAY,CAAC;YACvD,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,aAAa,GACjB,aAAa,IAAI,sCAAsC;YACvD,IAAI,8BAAa,CAAC;gBAChB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM;gBACxB,MAAM,EAAE,CAAC,MAAM,wBAAO,CAAC,WAAW,CAAC,YAAa,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;gBACvE,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,KAAK,EAAE,YAAY;gBACnB,aAAa,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,E
AAE;oBAC9C,wEAAwE;oBACxE,oCAAoC;oBACpC,IAAI,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;wBACjC,oBAAW,CAAC,IAAI,CACd,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,EACpD,6CAA6C,CAC9C,CAAA;oBACH,CAAC;oBAED,IAAI,cAAc,EAAE,CAAC;wBACnB,OAAO,CAAC,KAAK,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;oBACjE,CAAC;oBAED,OAAO,OAAO,CAAA;gBAChB,CAAC;aACF,CAAC,CAAA;QAEJ,MAAM,YAAY,GAAG,IAAI,4BAAY,CACnC,cAAc,EACd,UAAU,EACV,aAAa,EACb;YACE,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS;YAChC,MAAM,EAAE,YAAY,IAAI,YAAY;YACpC,SAAS,EAAE,OAAO,CAAC,aAAa;YAChC,IAAI,EAAE;gBACJ,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG;gBACpB,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,GAAG;gBAC3B,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,GAAG;aAChC;SACF,CACF,CAAA;QAED,OAAO,IAAI,UAAU,CAAC;YACpB,UAAU;YACV,SAAS;YACT,WAAW;YACX,MAAM;YACN,gBAAgB;YAChB,QAAQ;YACR,UAAU;YACV,SAAS;YACT,cAAc;YACd,SAAS;YACT,eAAe;YACf,YAAY;YACZ,QAAQ;YACR,WAAW;YACX,eAAe;YACf,cAAc;YACd,aAAa;YACb,kBAAkB;YAClB,UAAU;YACV,SAAS;YACT,YAAY;YACZ,aAAa;YACb,cAAc;YACd,GAAG;YACH,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;SACrB,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,GAAW,EAAE,GAAW;QAC/C,IAAA,qBAAM,EAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QACxB,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IAChE,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,GAAoB,EAAE,GAAW,EAAE,GAAW;QACtE,IAAA,qBAAM,EAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACzB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC3C,GAAG,EACH,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACrB,GAAG,CACJ,CAAA;QACD,OAAO,IAAA,oBAAY,EAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAED,uBAAuB,CAAC,GAAoB;QAC1C,OAAO,IAAA,oBAAY,EAAC,GAAG,EAAE,IAAA,oBAAY,EAAC,GAAG,CAAC,CAAC,CAAA;IAC7C,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,GAAW,EAAE,GAAW,EAAE,GAAW;QAC5D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAClD,OAAO,IAAA,sCAAwB,EAAC;YAC9B,GAAG,EAAE,GAAG;YACR,GAAG;YACH,GAAG;YACH,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,GAAW,EAAE,GAAW,EAAE,GAAW;QACxD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAClD,OAAO,IAAA,8BAAg
B,EAAC;YACtB,GAAG,EAAE,GAAG;YACR,GAAG;YACH,GAAG;YACH,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;CACF;AA3bD,gCA2bC;AAED,MAAM,eAAe,GAAG,CAAC,QAAgB,EAAE,QAAgB,EAAE,EAAE;IAC7D,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAC1B,GAAG,CAAC,UAAU,CAAC,GAAG,QAAQ,IAAI,QAAQ,EAAE,EAAE,MAAM,CAAC,EACjD,WAAW,CACZ,CAAA;IACD,OAAO,SAAS,OAAO,EAAE,CAAA;AAC3B,CAAC,CAAA;AAED,kBAAe,UAAU,CAAA","sourcesContent":["import assert from 'node:assert'\nimport * as plc from '@did-plc/lib'\nimport express from 'express'\nimport { Redis } from 'ioredis'\nimport * as nodemailer from 'nodemailer'\nimport * as ui8 from 'uint8arrays'\nimport * as undici from 'undici'\nimport { AtpAgent } from '@atproto/api'\nimport { KmsKeypair, S3BlobStore } from '@atproto/aws'\nimport * as crypto from '@atproto/crypto'\nimport { IdResolver } from '@atproto/identity'\nimport {\n LexiconResolver,\n buildLexiconResolver,\n} from '@atproto/lexicon-resolver'\nimport {\n AccessTokenMode,\n JoseKey,\n OAuthProvider,\n OAuthVerifier,\n} from '@atproto/oauth-provider'\nimport { BlobStore } from '@atproto/repo'\nimport {\n createServiceAuthHeaders,\n createServiceJwt,\n} from '@atproto/xrpc-server'\nimport {\n Fetch,\n isUnicastIp,\n safeFetchWrap,\n unicastLookup,\n} from '@atproto-labs/fetch-node'\nimport { AccountManager } from './account-manager/account-manager'\nimport { OAuthStore } from './account-manager/oauth-store'\nimport { ScopeReferenceGetter } from './account-manager/scope-reference-getter'\nimport { ActorStore } from './actor-store/actor-store'\nimport { authPassthru, forwardedFor } from './api/proxy'\nimport {\n AuthVerifier,\n createPublicKeyObject,\n createSecretKeyObject,\n} from './auth-verifier'\nimport { BackgroundQueue } from './background'\nimport { BskyAppView } from './bsky-app-view'\nimport { ServerConfig, ServerSecrets } from './config'\nimport { Crawlers } from './crawlers'\nimport { DidSqliteCache } from './did-cache'\nimport { DiskBlobStore } from './disk-blobstore'\nimport { ImageUrlBuilder } from 
'./image/image-url-builder'\nimport { fetchLogger, lexiconResolverLogger, oauthLogger } from './logger'\nimport { ServerMailer } from './mailer'\nimport { ModerationMailer } from './mailer/moderation'\nimport { LocalViewer, LocalViewerCreator } from './read-after-write/viewer'\nimport { getRedisClient } from './redis'\nimport { Sequencer } from './sequencer'\n\nexport type AppContextOptions = {\n actorStore: ActorStore\n blobstore: (did: string) => BlobStore\n localViewer: LocalViewerCreator\n mailer: ServerMailer\n moderationMailer: ModerationMailer\n didCache: DidSqliteCache\n idResolver: IdResolver\n plcClient: plc.Client\n accountManager: AccountManager\n sequencer: Sequencer\n backgroundQueue: BackgroundQueue\n redisScratch?: Redis\n crawlers: Crawlers\n bskyAppView?: BskyAppView\n moderationAgent?: AtpAgent\n reportingAgent?: AtpAgent\n entrywayAgent?: AtpAgent\n entrywayAdminAgent?: AtpAgent\n proxyAgent: undici.Dispatcher\n safeFetch: Fetch\n oauthProvider?: OAuthProvider\n authVerifier: AuthVerifier\n plcRotationKey: crypto.Keypair\n cfg: ServerConfig\n}\n\nexport class AppContext {\n public actorStore: ActorStore\n public blobstore: (did: string) => BlobStore\n public localViewer: LocalViewerCreator\n public mailer: ServerMailer\n public moderationMailer: ModerationMailer\n public didCache: DidSqliteCache\n public idResolver: IdResolver\n public plcClient: plc.Client\n public accountManager: AccountManager\n public sequencer: Sequencer\n public backgroundQueue: BackgroundQueue\n public redisScratch?: Redis\n public crawlers: Crawlers\n public bskyAppView?: BskyAppView\n public moderationAgent: AtpAgent | undefined\n public reportingAgent: AtpAgent | undefined\n public entrywayAgent: AtpAgent | undefined\n public entrywayAdminAgent: AtpAgent | undefined\n public proxyAgent: undici.Dispatcher\n public safeFetch: Fetch\n public authVerifier: AuthVerifier\n public oauthProvider?: OAuthProvider\n public plcRotationKey: crypto.Keypair\n public cfg: 
ServerConfig\n\n constructor(opts: AppContextOptions) {\n this.actorStore = opts.actorStore\n this.blobstore = opts.blobstore\n this.localViewer = opts.localViewer\n this.mailer = opts.mailer\n this.moderationMailer = opts.moderationMailer\n this.didCache = opts.didCache\n this.idResolver = opts.idResolver\n this.plcClient = opts.plcClient\n this.accountManager = opts.accountManager\n this.sequencer = opts.sequencer\n this.backgroundQueue = opts.backgroundQueue\n this.redisScratch = opts.redisScratch\n this.crawlers = opts.crawlers\n this.bskyAppView = opts.bskyAppView\n this.moderationAgent = opts.moderationAgent\n this.reportingAgent = opts.reportingAgent\n this.entrywayAgent = opts.entrywayAgent\n this.entrywayAdminAgent = opts.entrywayAdminAgent\n this.proxyAgent = opts.proxyAgent\n this.safeFetch = opts.safeFetch\n this.authVerifier = opts.authVerifier\n this.oauthProvider = opts.oauthProvider\n this.plcRotationKey = opts.plcRotationKey\n this.cfg = opts.cfg\n }\n\n static async fromConfig(\n cfg: ServerConfig,\n secrets: ServerSecrets,\n overrides?: Partial<AppContextOptions>,\n ): Promise<AppContext> {\n const blobstore =\n cfg.blobstore.provider === 's3'\n ? S3BlobStore.creator({\n bucket: cfg.blobstore.bucket,\n region: cfg.blobstore.region,\n endpoint: cfg.blobstore.endpoint,\n forcePathStyle: cfg.blobstore.forcePathStyle,\n credentials: cfg.blobstore.credentials,\n uploadTimeoutMs: cfg.blobstore.uploadTimeoutMs,\n })\n : DiskBlobStore.creator(\n cfg.blobstore.location,\n cfg.blobstore.tempLocation,\n )\n\n const mailTransport =\n cfg.email !== null\n ? nodemailer.createTransport(cfg.email.smtpUrl)\n : nodemailer.createTransport({ jsonTransport: true })\n\n const mailer = new ServerMailer(mailTransport, cfg)\n\n const modMailTransport =\n cfg.moderationEmail !== null\n ? 
nodemailer.createTransport(cfg.moderationEmail.smtpUrl)\n : nodemailer.createTransport({ jsonTransport: true })\n\n const moderationMailer = new ModerationMailer(modMailTransport, cfg)\n\n const didCache = new DidSqliteCache(\n cfg.db.didCacheDbLoc,\n cfg.identity.cacheStaleTTL,\n cfg.identity.cacheMaxTTL,\n cfg.db.disableWalAutoCheckpoint,\n )\n await didCache.migrateOrThrow()\n\n const idResolver = new IdResolver({\n plcUrl: cfg.identity.plcUrl,\n didCache,\n timeout: cfg.identity.resolverTimeout,\n backupNameservers: cfg.identity.handleBackupNameservers,\n })\n const plcClient = new plc.Client(cfg.identity.plcUrl)\n\n const backgroundQueue = new BackgroundQueue()\n const crawlers = new Crawlers(\n cfg.service.hostname,\n cfg.crawlers,\n backgroundQueue,\n )\n const sequencer = new Sequencer(\n cfg.db.sequencerDbLoc,\n crawlers,\n undefined,\n cfg.db.disableWalAutoCheckpoint,\n )\n const redisScratch = cfg.redis\n ? getRedisClient(cfg.redis.address, cfg.redis.password)\n : undefined\n\n const bskyAppView = cfg.bskyAppView\n ? new BskyAppView(cfg.bskyAppView)\n : undefined\n\n const moderationAgent = cfg.modService\n ? new AtpAgent({ service: cfg.modService.url })\n : undefined\n const reportingAgent = cfg.reportService\n ? new AtpAgent({ service: cfg.reportService.url })\n : undefined\n const entrywayAgent = cfg.entryway\n ? new AtpAgent({ service: cfg.entryway.url })\n : undefined\n let entrywayAdminAgent: AtpAgent | undefined\n if (cfg.entryway && secrets.entrywayAdminToken) {\n entrywayAdminAgent = new AtpAgent({ service: cfg.entryway.url })\n entrywayAdminAgent.api.setHeader(\n 'authorization',\n basicAuthHeader('admin', secrets.entrywayAdminToken),\n )\n }\n\n const jwtSecretKey = createSecretKeyObject(secrets.jwtSecret)\n const jwtPublicKey = cfg.entryway\n ? 
createPublicKeyObject(cfg.entryway.jwtPublicKeyHex)\n : null\n\n const imageUrlBuilder = new ImageUrlBuilder(\n cfg.service.hostname,\n bskyAppView,\n )\n\n const actorStore = new ActorStore(cfg.actorStore, {\n blobstore,\n backgroundQueue,\n })\n\n const accountManager = new AccountManager(\n idResolver,\n jwtSecretKey,\n cfg.service.did,\n cfg.identity.serviceHandleDomains,\n cfg.db,\n )\n await accountManager.migrateOrThrow()\n\n const plcRotationKey =\n secrets.plcRotationKey.provider === 'kms'\n ? await KmsKeypair.load({\n keyId: secrets.plcRotationKey.keyId,\n })\n : await crypto.Secp256k1Keypair.import(\n secrets.plcRotationKey.privateKeyHex,\n )\n\n const localViewer = LocalViewer.creator(\n accountManager,\n imageUrlBuilder,\n bskyAppView,\n )\n\n // An agent for performing HTTP requests based on user provided URLs.\n const proxyAgentBase = new undici.Agent({\n allowH2: cfg.proxy.allowHTTP2, // This is experimental\n headersTimeout: cfg.proxy.headersTimeout,\n maxResponseSize: cfg.proxy.maxResponseSize,\n bodyTimeout: cfg.proxy.bodyTimeout,\n factory: cfg.proxy.disableSsrfProtection\n ? undefined\n : (origin, opts) => {\n const { protocol, hostname } =\n origin instanceof URL ? origin : new URL(origin)\n if (protocol !== 'https:') {\n throw new Error(`Forbidden protocol \"${protocol}\"`)\n }\n if (isUnicastIp(hostname) === false) {\n throw new Error('Hostname resolved to non-unicast address')\n }\n return new undici.Pool(origin, opts)\n },\n connect: {\n lookup: cfg.proxy.disableSsrfProtection ? undefined : unicastLookup,\n },\n })\n const proxyAgent =\n cfg.proxy.maxRetries > 0\n ? new undici.RetryAgent(proxyAgentBase, {\n statusCodes: [], // Only retry on socket errors\n methods: ['GET', 'HEAD'],\n maxRetries: cfg.proxy.maxRetries,\n })\n : proxyAgentBase\n\n /**\n * A fetch() function that protects against SSRF attacks, large responses &\n * known bad domains. 
This function can safely be used to fetch user\n * provided URLs (unless \"disableSsrfProtection\" is true, of course).\n *\n * @note **DO NOT** wrap `safeFetch` with any logging or other transforms as\n * this might prevent the use of explicit `redirect: \"follow\"` init from\n * working. See {@link safeFetchWrap}.\n */\n const safeFetch = safeFetchWrap({\n allowIpHost: false,\n allowImplicitRedirect: false,\n responseMaxSize: cfg.fetch.maxResponseSize,\n ssrfProtection: !cfg.fetch.disableSsrfProtection,\n\n // @NOTE Since we are using NodeJS <= 20, unicastFetchWrap would normally\n // *not* be using a keep-alive agent if it we are providing a fetch\n // function that is different from `globalThis.fetch`. However, since the\n // fetch function below is indeed calling `globalThis.fetch` without\n // altering any argument, we can safely force the use of the keep-alive\n // agent. This would not be the case if we used \"loggedFetch\" as that\n // function does wrap the input & init arguments into a Request object,\n // which, on NodeJS<=20, results in init.dispatcher *not* being used.\n dangerouslyForceKeepAliveAgent: true,\n fetch: function (input, init) {\n const method =\n init?.method ?? (input instanceof Request ? input.method : 'GET')\n const uri = input instanceof Request ? input.url : String(input)\n\n fetchLogger.info({ method, uri }, 'fetch')\n\n return globalThis.fetch.call(this, input, init)\n },\n })\n\n const baseLexiconResolver = buildLexiconResolver({\n idResolver,\n rpc: { fetch: safeFetch },\n })\n\n const getLexiconAuthority = (_nsid: string): string | undefined => {\n // At the moment, only a single override strategy is supported by\n // specifying a did through which all the lexicons will be resolved. We\n // might need more granular control in the future (e.g. 
per-nsid\n // overrides)\n return cfg.lexicon.didAuthority\n }\n\n const lexiconResolver: LexiconResolver = async (input) => {\n const nsid: string = String(input)\n try {\n const result = await baseLexiconResolver(input, {\n didAuthority: getLexiconAuthority(nsid),\n // Right now, the lexicon resolver is only used by the oauth-provider,\n // which caches the responses internally (through the LexiconStore).\n // Since the `LexiconResolver` does not allow specifying a\n // `forceRefresh` option, we hard code it here. Should PDSs need to\n // resolve lexicons for other purposes (e.g. record validation), we'd\n // probably want to either implement caching as built into the\n // lexiconResolver here, or allow the caller (oauth-provider, etc.) to\n // specify a `forceRefresh` option by altering the LexiconResolver\n // interface.\n forceRefresh: true,\n })\n\n const cid = result.cid.toString()\n const uri = result.uri.toString()\n lexiconResolverLogger.info({ nsid, uri, cid }, 'Resolved lexicon')\n\n return result\n } catch (err) {\n lexiconResolverLogger.error({ nsid, err }, 'Lexicon resolution failed')\n\n throw err\n }\n }\n\n const oauthProvider = cfg.oauth.provider\n ? 
new OAuthProvider({\n issuer: cfg.oauth.issuer,\n keyset: [await JoseKey.fromKeyLike(jwtSecretKey, undefined, 'HS256')],\n store: new OAuthStore(\n accountManager,\n actorStore,\n imageUrlBuilder,\n backgroundQueue,\n mailer,\n sequencer,\n plcClient,\n plcRotationKey,\n cfg.service.publicUrl,\n cfg.identity.recoveryDidKey,\n ),\n redis: redisScratch,\n dpopSecret: secrets.dpopSecret,\n inviteCodeRequired: cfg.invites.required,\n availableUserDomains: cfg.identity.serviceHandleDomains,\n hcaptcha: cfg.oauth.provider.hcaptcha,\n branding: cfg.oauth.provider.branding,\n safeFetch,\n lexiconResolver,\n metadata: {\n protected_resources: [new URL(cfg.oauth.issuer).origin],\n },\n // If the PDS is both an authorization server & resource server (no\n // entryway), we can afford to check the token validity on every\n // request. This allows revoked tokens to be rejected immediately.\n // This also allows JWT to be shorter since some claims (notably the\n // \"scope\" claim) do not need to be included in the token.\n accessTokenMode: AccessTokenMode.stateful,\n\n getClientInfo(clientId) {\n return {\n isTrusted: cfg.oauth.provider?.trustedClients?.includes(clientId),\n }\n },\n })\n : undefined\n\n const scopeRefGetter = entrywayAgent\n ? new ScopeReferenceGetter(entrywayAgent, redisScratch)\n : undefined\n\n const oauthVerifier: OAuthVerifier =\n oauthProvider ?? 
// OAuthProvider extends OAuthVerifier\n new OAuthVerifier({\n issuer: cfg.oauth.issuer,\n keyset: [await JoseKey.fromKeyLike(jwtPublicKey!, undefined, 'ES256K')],\n dpopSecret: secrets.dpopSecret,\n redis: redisScratch,\n onDecodeToken: async ({ payload, dpopProof }) => {\n // @TODO drop this once oauth provider no longer accepts DPoP proof with\n // query or fragment in \"htu\" claim.\n if (dpopProof?.htu.match(/[?#]/)) {\n oauthLogger.info(\n { htu: dpopProof.htu, client_id: payload.client_id },\n 'DPoP proof \"htu\" contains query or fragment',\n )\n }\n\n if (scopeRefGetter) {\n payload.scope = await scopeRefGetter.dereference(payload.scope)\n }\n\n return payload\n },\n })\n\n const authVerifier = new AuthVerifier(\n accountManager,\n idResolver,\n oauthVerifier,\n {\n publicUrl: cfg.service.publicUrl,\n jwtKey: jwtPublicKey ?? jwtSecretKey,\n adminPass: secrets.adminPassword,\n dids: {\n pds: cfg.service.did,\n entryway: cfg.entryway?.did,\n modService: cfg.modService?.did,\n },\n },\n )\n\n return new AppContext({\n actorStore,\n blobstore,\n localViewer,\n mailer,\n moderationMailer,\n didCache,\n idResolver,\n plcClient,\n accountManager,\n sequencer,\n backgroundQueue,\n redisScratch,\n crawlers,\n bskyAppView,\n moderationAgent,\n reportingAgent,\n entrywayAgent,\n entrywayAdminAgent,\n proxyAgent,\n safeFetch,\n authVerifier,\n oauthProvider,\n plcRotationKey,\n cfg,\n ...(overrides ?? 
{}),\n })\n }\n\n async appviewAuthHeaders(did: string, lxm: string) {\n assert(this.bskyAppView)\n return this.serviceAuthHeaders(did, this.bskyAppView.did, lxm)\n }\n\n async entrywayAuthHeaders(req: express.Request, did: string, lxm: string) {\n assert(this.cfg.entryway)\n const headers = await this.serviceAuthHeaders(\n did,\n this.cfg.entryway.did,\n lxm,\n )\n return forwardedFor(req, headers)\n }\n\n entrywayPassthruHeaders(req: express.Request) {\n return forwardedFor(req, authPassthru(req))\n }\n\n async serviceAuthHeaders(did: string, aud: string, lxm: string) {\n const keypair = await this.actorStore.keypair(did)\n return createServiceAuthHeaders({\n iss: did,\n aud,\n lxm,\n keypair,\n })\n }\n\n async serviceAuthJwt(did: string, aud: string, lxm: string) {\n const keypair = await this.actorStore.keypair(did)\n return createServiceJwt({\n iss: did,\n aud,\n lxm,\n keypair,\n })\n }\n}\n\nconst basicAuthHeader = (username: string, password: string) => {\n const encoded = ui8.toString(\n ui8.fromString(`${username}:${password}`, 'utf8'),\n 'base64pad',\n )\n return `Basic ${encoded}`\n}\n\nexport default AppContext\n"]}
1
+ {"version":3,"file":"context.js","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8DAAgC;AAChC,kDAAmC;AAGnC,uDAAwC;AACxC,iDAAkC;AAClC,+CAAgC;AAChC,sCAAuC;AACvC,sCAAsD;AACtD,wDAAyC;AACzC,gDAA8C;AAC9C,4DAMgC;AAEhC,sDAG6B;AAC7B,yDAKiC;AACjC,uEAAkE;AAClE,+DAA0D;AAC1D,qFAA+E;AAC/E,2DAAsD;AACtD,uCAAwD;AACxD,mDAIwB;AACxB,6CAA8C;AAC9C,mDAA6C;AAE7C,yCAAqC;AACrC,2CAA4C;AAC5C,qDAAgD;AAChD,iEAA2D;AAC3D,qCAA0E;AAC1E,qCAAuC;AACvC,oDAAsD;AACtD,sDAA2E;AAC3E,mCAAwC;AACxC,2CAAuC;AA6BvC,MAAa,UAAU;IA0BrB,YAAY,IAAuB;QAzB5B;;;;;WAAsB;QACtB;;;;;WAAqC;QACrC;;;;;WAA+B;QAC/B;;;;;WAAoB;QACpB;;;;;WAAkC;QAClC;;;;;WAAwB;QACxB;;;;;WAAsB;QACtB;;;;;WAAqB;QACrB;;;;;WAA8B;QAC9B;;;;;WAAoB;QACpB;;;;;WAAgC;QAChC;;;;;WAAoB;QACpB;;;;;WAAkB;QAClB;;;;;WAAyB;QACzB;;;;;WAAqC;QACrC;;;;;WAAoC;QACpC;;;;;WAAmC;QACnC;;;;;WAAwC;QACxC;;;;;WAA6B;QAC7B;;;;;WAAgB;QAChB;;;;;WAA0B;QAC1B;;;;;WAA6B;QAC7B;;;;;WAA8B;QAC9B;;;;;WAAiB;QAGtB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAA;QACjC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;QAC/B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAA;QACnC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAA;QACzB,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAA;QAC7C,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAA;QAC7B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAA;QACjC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;QAC/B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAA;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;QAC/B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAA;QAC3C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAA;QACrC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAA;QAC7B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAA;QACnC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAA;QAC3C,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAA;QACzC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAA;QACvC,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAA;QACjD,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAA;QACjC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;QAC/B,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAA;QACrC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAA;QACvC,IAAI,CAAC,cAAc,GAAG,
IAAI,CAAC,cAAc,CAAA;QACzC,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,UAAU,CACrB,GAAiB,EACjB,OAAsB,EACtB,SAAsC;QAEtC,MAAM,SAAS,GACb,GAAG,CAAC,SAAS,CAAC,QAAQ,KAAK,IAAI;YAC7B,CAAC,CAAC,iBAAW,CAAC,OAAO,CAAC;gBAClB,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM;gBAC5B,MAAM,EAAE,GAAG,CAAC,SAAS,CAAC,MAAM;gBAC5B,QAAQ,EAAE,GAAG,CAAC,SAAS,CAAC,QAAQ;gBAChC,cAAc,EAAE,GAAG,CAAC,SAAS,CAAC,cAAc;gBAC5C,WAAW,EAAE,GAAG,CAAC,SAAS,CAAC,WAAW;gBACtC,eAAe,EAAE,GAAG,CAAC,SAAS,CAAC,eAAe;aAC/C,CAAC;YACJ,CAAC,CAAC,8BAAa,CAAC,OAAO,CACnB,GAAG,CAAC,SAAS,CAAC,QAAQ,EACtB,GAAG,CAAC,SAAS,CAAC,YAAY,CAC3B,CAAA;QAEP,MAAM,aAAa,GACjB,GAAG,CAAC,KAAK,KAAK,IAAI;YAChB,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC;YAC/C,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAA;QAEzD,MAAM,MAAM,GAAG,IAAI,qBAAY,CAAC,aAAa,EAAE,GAAG,CAAC,CAAA;QAEnD,MAAM,gBAAgB,GACpB,GAAG,CAAC,eAAe,KAAK,IAAI;YAC1B,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC;YACzD,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAA;QAEzD,MAAM,gBAAgB,GAAG,IAAI,6BAAgB,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAA;QAEpE,MAAM,QAAQ,GAAG,IAAI,0BAAc,CACjC,GAAG,CAAC,EAAE,CAAC,aAAa,EACpB,GAAG,CAAC,QAAQ,CAAC,aAAa,EAC1B,GAAG,CAAC,QAAQ,CAAC,WAAW,EACxB,GAAG,CAAC,EAAE,CAAC,wBAAwB,CAChC,CAAA;QACD,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAA;QAE/B,MAAM,UAAU,GAAG,IAAI,qBAAU,CAAC;YAChC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,MAAM;YAC3B,QAAQ;YACR,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,eAAe;YACrC,iBAAiB,EAAE,GAAG,CAAC,QAAQ,CAAC,uBAAuB;SACxD,CAAC,CAAA;QACF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QAErD,MAAM,eAAe,GAAG,IAAI,4BAAe,EAAE,CAAA;QAC7C,MAAM,QAAQ,GAAG,IAAI,mBAAQ,CAC3B,GAAG,CAAC,OAAO,CAAC,QAAQ,EACpB,GAAG,CAAC,QAAQ,EACZ,eAAe,CAChB,CAAA;QACD,MAAM,SAAS,GAAG,IAAI,qBAAS,CAC7B,GAAG,CAAC,EAAE,CAAC,cAAc,EACrB,QAAQ,EACR,SAAS,EACT,GAAG,CAAC,EAAE,CAAC,wBAAwB,CAChC,CAAA;QACD,MAAM,YAAY,GAAG,GAAG,CAAC,KAAK;YAC5B,CAAC,CAAC,IAAA,sBAAc,EAAC,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC;YACvD,CAAC,CAAC,SAAS,CAAA
;QAEb,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW;YACjC,CAAC,CAAC,IAAI,2BAAW,CAAC,GAAG,CAAC,WAAW,CAAC;YAClC,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,eAAe,GAAG,GAAG,CAAC,UAAU;YACpC,CAAC,CAAC,IAAI,cAAQ,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YAC/C,CAAC,CAAC,SAAS,CAAA;QACb,MAAM,cAAc,GAAG,GAAG,CAAC,aAAa;YACtC,CAAC,CAAC,IAAI,cAAQ,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC;YAClD,CAAC,CAAC,SAAS,CAAA;QACb,MAAM,aAAa,GAAG,GAAG,CAAC,QAAQ;YAChC,CAAC,CAAC,IAAI,cAAQ,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;YAC7C,CAAC,CAAC,SAAS,CAAA;QACb,IAAI,kBAAwC,CAAA;QAC5C,IAAI,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAC/C,kBAAkB,GAAG,IAAI,cAAQ,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAA;YAChE,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAC9B,eAAe,EACf,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,kBAAkB,CAAC,CACrD,CAAA;QACH,CAAC;QAED,MAAM,YAAY,GAAG,IAAA,qCAAqB,EAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QAC7D,MAAM,YAAY,GAAG,GAAG,CAAC,QAAQ;YAC/B,CAAC,CAAC,IAAA,qCAAqB,EAAC,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC;YACrD,CAAC,CAAC,IAAI,CAAA;QAER,MAAM,eAAe,GAAG,IAAI,mCAAe,CACzC,GAAG,CAAC,OAAO,CAAC,QAAQ,EACpB,WAAW,CACZ,CAAA;QAED,MAAM,UAAU,GAAG,IAAI,wBAAU,CAAC,GAAG,CAAC,UAAU,EAAE;YAChD,SAAS;YACT,eAAe;SAChB,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,IAAI,gCAAc,CACvC,UAAU,EACV,YAAY,EACZ,GAAG,CAAC,OAAO,CAAC,GAAG,EACf,GAAG,CAAC,QAAQ,CAAC,oBAAoB,EACjC,GAAG,CAAC,EAAE,CACP,CAAA;QACD,MAAM,cAAc,CAAC,cAAc,EAAE,CAAA;QAErC,MAAM,cAAc,GAClB,OAAO,CAAC,cAAc,CAAC,QAAQ,KAAK,KAAK;YACvC,CAAC,CAAC,MAAM,gBAAU,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,OAAO,CAAC,cAAc,CAAC,KAAK;aACpC,CAAC;YACJ,CAAC,CAAC,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAClC,OAAO,CAAC,cAAc,CAAC,aAAa,CACrC,CAAA;QAEP,MAAM,WAAW,GAAG,oBAAW,CAAC,OAAO,CACrC,cAAc,EACd,eAAe,EACf,WAAW,CACZ,CAAA;QAED,qEAAqE;QACrE,MAAM,cAAc,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC;YACtC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,UAAU,EAAE,uBAAuB;YACtD,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,cAAc;YACxC,eAAe,EAAE,GAAG,CAAC,KAAK,CAAC,eAAe;YAC1C,WAAW,EAAE,GAAG,CAAC,KAAK,CAAC,WAAW;YAClC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,qBAAqB;gBACtC,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,CAAC
,MAAM,EAAE,IAAI,EAAE,EAAE;oBACf,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAC1B,MAAM,YAAY,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAA;oBAClD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;wBAC1B,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,GAAG,CAAC,CAAA;oBACrD,CAAC;oBACD,IAAI,IAAA,wBAAW,EAAC,QAAQ,CAAC,KAAK,KAAK,EAAE,CAAC;wBACpC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAA;oBAC7D,CAAC;oBACD,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;gBACtC,CAAC;YACL,OAAO,EAAE;gBACP,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,0BAAa;aACpE;SACF,CAAC,CAAA;QACF,MAAM,UAAU,GACd,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC;YACtB,CAAC,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,cAAc,EAAE;gBACpC,WAAW,EAAE,EAAE,EAAE,8BAA8B;gBAC/C,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;gBACxB,UAAU,EAAE,GAAG,CAAC,KAAK,CAAC,UAAU;aACjC,CAAC;YACJ,CAAC,CAAC,cAAc,CAAA;QAEpB;;;;;;;;WAQG;QACH,MAAM,SAAS,GAAG,IAAA,0BAAa,EAAC;YAC9B,WAAW,EAAE,KAAK;YAClB,qBAAqB,EAAE,KAAK;YAC5B,eAAe,EAAE,GAAG,CAAC,KAAK,CAAC,eAAe;YAC1C,cAAc,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,qBAAqB;YAEhD,yEAAyE;YACzE,mEAAmE;YACnE,yEAAyE;YACzE,oEAAoE;YACpE,uEAAuE;YACvE,qEAAqE;YACrE,uEAAuE;YACvE,qEAAqE;YACrE,8BAA8B,EAAE,IAAI;YACpC,KAAK,EAAE,UAAU,KAAK,EAAE,IAAI;gBAC1B,MAAM,MAAM,GACV,IAAI,EAAE,MAAM,IAAI,CAAC,KAAK,YAAY,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;gBACnE,MAAM,GAAG,GAAG,KAAK,YAAY,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;gBAEhE,oBAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,OAAO,CAAC,CAAA;gBAE1C,OAAO,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;YACjD,CAAC;SACF,CAAC,CAAA;QAEF,MAAM,aAAa,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ;YACtC,CAAC,CAAC,IAAI,8BAAa,CAAC;gBAChB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM;gBACxB,MAAM,EAAE,CAAC,MAAM,wBAAO,CAAC,WAAW,CAAC,YAAY,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;gBACrE,KAAK,EAAE,IAAI,wBAAU,CACnB,cAAc,EACd,UAAU,EACV,eAAe,EACf,eAAe,EACf,MAAM,EACN,SAAS,EACT,SAAS,EACT,cAAc,EACd,GAAG,CAAC,OAAO,CAAC,SAAS,EACrB,GAAG,CAAC,QAAQ,CAAC,cAAc,CAC5B;gBACD,KAAK,EAAE,YAAY;gBACnB,UAAU,EAAE,OAAO,CAAC,UA
AU;gBAC9B,kBAAkB,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ;gBACxC,oBAAoB,EAAE,GAAG,CAAC,QAAQ,CAAC,oBAAoB;gBACvD,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ;gBACrC,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ;gBACrC,SAAS;gBACT,WAAW,EAAE,IAAI,4BAAW,CAAC;oBAC3B,KAAK,EAAE,SAAS;oBAChB,eAAe,EAAE,GAAG,CAAC,QAAQ,CAAC,MAAM;oBACpC,KAAK,EAAE;wBACL,kBAAkB,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE;4BAC/B,8BAAqB,CAAC,KAAK,CACzB,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,EACzB,iCAAiC,CAClC,CAAA;4BACD,+DAA+D;4BAC/D,OAAO,GAAG,CAAC,OAAO,CAAC,YAAY,CAAA;wBACjC,CAAC;wBACD,wBAAwB,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE;4BACpC,8BAAqB,CAAC,IAAI,CACxB,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,EAC9B,sBAAsB,CACvB,CAAA;wBACH,CAAC;wBACD,uBAAuB,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE;4BACnC,8BAAqB,CAAC,KAAK,CACzB,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,EAC9B,8BAA8B,CAC/B,CAAA;wBACH,CAAC;wBACD,aAAa,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE;4BACxB,8BAAqB,CAAC,IAAI,CACxB,EAAE,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,EAC5C,iBAAiB,CAClB,CAAA;wBACH,CAAC;wBACD,YAAY,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE;4BACvB,8BAAqB,CAAC,KAAK,CACzB,EAAE,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,EAC5B,qBAAqB,CACtB,CAAA;wBACH,CAAC;qBACF;iBACF,CAAC;gBACF,QAAQ,EAAE;oBACR,mBAAmB,EAAE,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;iBACxD;gBACD,mEAAmE;gBACnE,gEAAgE;gBAChE,kEAAkE;gBAClE,oEAAoE;gBACpE,0DAA0D;gBAC1D,eAAe,EAAE,gCAAe,CAAC,QAAQ;gBAEzC,aAAa,CAAC,QAAQ;oBACpB,OAAO;wBACL,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,cAAc,EAAE,QAAQ,CAAC,QAAQ,CAAC;qBAClE,CAAA;gBACH,CAAC;aACF,CAAC;YACJ,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,cAAc,GAAG,aAAa;YAClC,CAAC,CAAC,IAAI,6CAAoB,CAAC,aAAa,EAAE,YAAY,CAAC;YACvD,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,aAAa,GACjB,aAAa,IAAI,sCAAsC;YACvD,IAAI,8BAAa,CAAC;gBAChB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM;gBACxB,MAAM,EAAE,CAAC,MAAM,wBAAO,CAAC,WAAW,CAAC,YAAa,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;gBACvE,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,KAAK,EAAE,YAAY;gBACnB,aAAa,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE;oBAC9C,wEAAwE;oBAC
xE,oCAAoC;oBACpC,IAAI,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;wBACjC,oBAAW,CAAC,IAAI,CACd,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,EACpD,6CAA6C,CAC9C,CAAA;oBACH,CAAC;oBAED,IAAI,cAAc,EAAE,CAAC;wBACnB,OAAO,CAAC,KAAK,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;oBACjE,CAAC;oBAED,OAAO,OAAO,CAAA;gBAChB,CAAC;aACF,CAAC,CAAA;QAEJ,MAAM,YAAY,GAAG,IAAI,4BAAY,CACnC,cAAc,EACd,UAAU,EACV,aAAa,EACb;YACE,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS;YAChC,MAAM,EAAE,YAAY,IAAI,YAAY;YACpC,SAAS,EAAE,OAAO,CAAC,aAAa;YAChC,IAAI,EAAE;gBACJ,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG;gBACpB,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,GAAG;gBAC3B,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,GAAG;aAChC;SACF,CACF,CAAA;QAED,OAAO,IAAI,UAAU,CAAC;YACpB,UAAU;YACV,SAAS;YACT,WAAW;YACX,MAAM;YACN,gBAAgB;YAChB,QAAQ;YACR,UAAU;YACV,SAAS;YACT,cAAc;YACd,SAAS;YACT,eAAe;YACf,YAAY;YACZ,QAAQ;YACR,WAAW;YACX,eAAe;YACf,cAAc;YACd,aAAa;YACb,kBAAkB;YAClB,UAAU;YACV,SAAS;YACT,YAAY;YACZ,aAAa;YACb,cAAc;YACd,GAAG;YACH,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;SACrB,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,GAAW,EAAE,GAAW;QAC/C,IAAA,qBAAM,EAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QACxB,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IAChE,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,GAAoB,EAAE,GAAW,EAAE,GAAW;QACtE,IAAA,qBAAM,EAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACzB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC3C,GAAG,EACH,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACrB,GAAG,CACJ,CAAA;QACD,OAAO,IAAA,oBAAY,EAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAED,uBAAuB,CAAC,GAAoB;QAC1C,OAAO,IAAA,oBAAY,EAAC,GAAG,EAAE,IAAA,oBAAY,EAAC,GAAG,CAAC,CAAC,CAAA;IAC7C,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,GAAW,EAAE,GAAW,EAAE,GAAW;QAC5D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAClD,OAAO,IAAA,sCAAwB,EAAC;YAC9B,GAAG,EAAE,GAAG;YACR,GAAG;YACH,GAAG;YACH,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,GAAW,EAAE,GAAW,EAAE,GAAW;QACxD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAClD,OAAO,IAAA,8BAAgB,EAAC;YACtB,GAAG,EAAE
,GAAG;YACR,GAAG;YACH,GAAG;YACH,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;CACF;AAtbD,gCAsbC;AAED,MAAM,eAAe,GAAG,CAAC,QAAgB,EAAE,QAAgB,EAAE,EAAE;IAC7D,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAC1B,GAAG,CAAC,UAAU,CAAC,GAAG,QAAQ,IAAI,QAAQ,EAAE,EAAE,MAAM,CAAC,EACjD,WAAW,CACZ,CAAA;IACD,OAAO,SAAS,OAAO,EAAE,CAAA;AAC3B,CAAC,CAAA;AAED,kBAAe,UAAU,CAAA","sourcesContent":["import assert from 'node:assert'\nimport * as plc from '@did-plc/lib'\nimport express from 'express'\nimport { Redis } from 'ioredis'\nimport * as nodemailer from 'nodemailer'\nimport * as ui8 from 'uint8arrays'\nimport * as undici from 'undici'\nimport { AtpAgent } from '@atproto/api'\nimport { KmsKeypair, S3BlobStore } from '@atproto/aws'\nimport * as crypto from '@atproto/crypto'\nimport { IdResolver } from '@atproto/identity'\nimport {\n AccessTokenMode,\n JoseKey,\n LexResolver,\n OAuthProvider,\n OAuthVerifier,\n} from '@atproto/oauth-provider'\nimport { BlobStore } from '@atproto/repo'\nimport {\n createServiceAuthHeaders,\n createServiceJwt,\n} from '@atproto/xrpc-server'\nimport {\n Fetch,\n isUnicastIp,\n safeFetchWrap,\n unicastLookup,\n} from '@atproto-labs/fetch-node'\nimport { AccountManager } from './account-manager/account-manager'\nimport { OAuthStore } from './account-manager/oauth-store'\nimport { ScopeReferenceGetter } from './account-manager/scope-reference-getter'\nimport { ActorStore } from './actor-store/actor-store'\nimport { authPassthru, forwardedFor } from './api/proxy'\nimport {\n AuthVerifier,\n createPublicKeyObject,\n createSecretKeyObject,\n} from './auth-verifier'\nimport { BackgroundQueue } from './background'\nimport { BskyAppView } from './bsky-app-view'\nimport { ServerConfig, ServerSecrets } from './config'\nimport { Crawlers } from './crawlers'\nimport { DidSqliteCache } from './did-cache'\nimport { DiskBlobStore } from './disk-blobstore'\nimport { ImageUrlBuilder } from './image/image-url-builder'\nimport { fetchLogger, lexiconResolverLogger, oauthLogger } from './logger'\nimport { 
ServerMailer } from './mailer'\nimport { ModerationMailer } from './mailer/moderation'\nimport { LocalViewer, LocalViewerCreator } from './read-after-write/viewer'\nimport { getRedisClient } from './redis'\nimport { Sequencer } from './sequencer'\n\nexport type AppContextOptions = {\n actorStore: ActorStore\n blobstore: (did: string) => BlobStore\n localViewer: LocalViewerCreator\n mailer: ServerMailer\n moderationMailer: ModerationMailer\n didCache: DidSqliteCache\n idResolver: IdResolver\n plcClient: plc.Client\n accountManager: AccountManager\n sequencer: Sequencer\n backgroundQueue: BackgroundQueue\n redisScratch?: Redis\n crawlers: Crawlers\n bskyAppView?: BskyAppView\n moderationAgent?: AtpAgent\n reportingAgent?: AtpAgent\n entrywayAgent?: AtpAgent\n entrywayAdminAgent?: AtpAgent\n proxyAgent: undici.Dispatcher\n safeFetch: Fetch\n oauthProvider?: OAuthProvider\n authVerifier: AuthVerifier\n plcRotationKey: crypto.Keypair\n cfg: ServerConfig\n}\n\nexport class AppContext {\n public actorStore: ActorStore\n public blobstore: (did: string) => BlobStore\n public localViewer: LocalViewerCreator\n public mailer: ServerMailer\n public moderationMailer: ModerationMailer\n public didCache: DidSqliteCache\n public idResolver: IdResolver\n public plcClient: plc.Client\n public accountManager: AccountManager\n public sequencer: Sequencer\n public backgroundQueue: BackgroundQueue\n public redisScratch?: Redis\n public crawlers: Crawlers\n public bskyAppView?: BskyAppView\n public moderationAgent: AtpAgent | undefined\n public reportingAgent: AtpAgent | undefined\n public entrywayAgent: AtpAgent | undefined\n public entrywayAdminAgent: AtpAgent | undefined\n public proxyAgent: undici.Dispatcher\n public safeFetch: Fetch\n public authVerifier: AuthVerifier\n public oauthProvider?: OAuthProvider\n public plcRotationKey: crypto.Keypair\n public cfg: ServerConfig\n\n constructor(opts: AppContextOptions) {\n this.actorStore = opts.actorStore\n this.blobstore = 
opts.blobstore\n this.localViewer = opts.localViewer\n this.mailer = opts.mailer\n this.moderationMailer = opts.moderationMailer\n this.didCache = opts.didCache\n this.idResolver = opts.idResolver\n this.plcClient = opts.plcClient\n this.accountManager = opts.accountManager\n this.sequencer = opts.sequencer\n this.backgroundQueue = opts.backgroundQueue\n this.redisScratch = opts.redisScratch\n this.crawlers = opts.crawlers\n this.bskyAppView = opts.bskyAppView\n this.moderationAgent = opts.moderationAgent\n this.reportingAgent = opts.reportingAgent\n this.entrywayAgent = opts.entrywayAgent\n this.entrywayAdminAgent = opts.entrywayAdminAgent\n this.proxyAgent = opts.proxyAgent\n this.safeFetch = opts.safeFetch\n this.authVerifier = opts.authVerifier\n this.oauthProvider = opts.oauthProvider\n this.plcRotationKey = opts.plcRotationKey\n this.cfg = opts.cfg\n }\n\n static async fromConfig(\n cfg: ServerConfig,\n secrets: ServerSecrets,\n overrides?: Partial<AppContextOptions>,\n ): Promise<AppContext> {\n const blobstore =\n cfg.blobstore.provider === 's3'\n ? S3BlobStore.creator({\n bucket: cfg.blobstore.bucket,\n region: cfg.blobstore.region,\n endpoint: cfg.blobstore.endpoint,\n forcePathStyle: cfg.blobstore.forcePathStyle,\n credentials: cfg.blobstore.credentials,\n uploadTimeoutMs: cfg.blobstore.uploadTimeoutMs,\n })\n : DiskBlobStore.creator(\n cfg.blobstore.location,\n cfg.blobstore.tempLocation,\n )\n\n const mailTransport =\n cfg.email !== null\n ? nodemailer.createTransport(cfg.email.smtpUrl)\n : nodemailer.createTransport({ jsonTransport: true })\n\n const mailer = new ServerMailer(mailTransport, cfg)\n\n const modMailTransport =\n cfg.moderationEmail !== null\n ? 
nodemailer.createTransport(cfg.moderationEmail.smtpUrl)\n : nodemailer.createTransport({ jsonTransport: true })\n\n const moderationMailer = new ModerationMailer(modMailTransport, cfg)\n\n const didCache = new DidSqliteCache(\n cfg.db.didCacheDbLoc,\n cfg.identity.cacheStaleTTL,\n cfg.identity.cacheMaxTTL,\n cfg.db.disableWalAutoCheckpoint,\n )\n await didCache.migrateOrThrow()\n\n const idResolver = new IdResolver({\n plcUrl: cfg.identity.plcUrl,\n didCache,\n timeout: cfg.identity.resolverTimeout,\n backupNameservers: cfg.identity.handleBackupNameservers,\n })\n const plcClient = new plc.Client(cfg.identity.plcUrl)\n\n const backgroundQueue = new BackgroundQueue()\n const crawlers = new Crawlers(\n cfg.service.hostname,\n cfg.crawlers,\n backgroundQueue,\n )\n const sequencer = new Sequencer(\n cfg.db.sequencerDbLoc,\n crawlers,\n undefined,\n cfg.db.disableWalAutoCheckpoint,\n )\n const redisScratch = cfg.redis\n ? getRedisClient(cfg.redis.address, cfg.redis.password)\n : undefined\n\n const bskyAppView = cfg.bskyAppView\n ? new BskyAppView(cfg.bskyAppView)\n : undefined\n\n const moderationAgent = cfg.modService\n ? new AtpAgent({ service: cfg.modService.url })\n : undefined\n const reportingAgent = cfg.reportService\n ? new AtpAgent({ service: cfg.reportService.url })\n : undefined\n const entrywayAgent = cfg.entryway\n ? new AtpAgent({ service: cfg.entryway.url })\n : undefined\n let entrywayAdminAgent: AtpAgent | undefined\n if (cfg.entryway && secrets.entrywayAdminToken) {\n entrywayAdminAgent = new AtpAgent({ service: cfg.entryway.url })\n entrywayAdminAgent.api.setHeader(\n 'authorization',\n basicAuthHeader('admin', secrets.entrywayAdminToken),\n )\n }\n\n const jwtSecretKey = createSecretKeyObject(secrets.jwtSecret)\n const jwtPublicKey = cfg.entryway\n ? 
createPublicKeyObject(cfg.entryway.jwtPublicKeyHex)\n : null\n\n const imageUrlBuilder = new ImageUrlBuilder(\n cfg.service.hostname,\n bskyAppView,\n )\n\n const actorStore = new ActorStore(cfg.actorStore, {\n blobstore,\n backgroundQueue,\n })\n\n const accountManager = new AccountManager(\n idResolver,\n jwtSecretKey,\n cfg.service.did,\n cfg.identity.serviceHandleDomains,\n cfg.db,\n )\n await accountManager.migrateOrThrow()\n\n const plcRotationKey =\n secrets.plcRotationKey.provider === 'kms'\n ? await KmsKeypair.load({\n keyId: secrets.plcRotationKey.keyId,\n })\n : await crypto.Secp256k1Keypair.import(\n secrets.plcRotationKey.privateKeyHex,\n )\n\n const localViewer = LocalViewer.creator(\n accountManager,\n imageUrlBuilder,\n bskyAppView,\n )\n\n // An agent for performing HTTP requests based on user provided URLs.\n const proxyAgentBase = new undici.Agent({\n allowH2: cfg.proxy.allowHTTP2, // This is experimental\n headersTimeout: cfg.proxy.headersTimeout,\n maxResponseSize: cfg.proxy.maxResponseSize,\n bodyTimeout: cfg.proxy.bodyTimeout,\n factory: cfg.proxy.disableSsrfProtection\n ? undefined\n : (origin, opts) => {\n const { protocol, hostname } =\n origin instanceof URL ? origin : new URL(origin)\n if (protocol !== 'https:') {\n throw new Error(`Forbidden protocol \"${protocol}\"`)\n }\n if (isUnicastIp(hostname) === false) {\n throw new Error('Hostname resolved to non-unicast address')\n }\n return new undici.Pool(origin, opts)\n },\n connect: {\n lookup: cfg.proxy.disableSsrfProtection ? undefined : unicastLookup,\n },\n })\n const proxyAgent =\n cfg.proxy.maxRetries > 0\n ? new undici.RetryAgent(proxyAgentBase, {\n statusCodes: [], // Only retry on socket errors\n methods: ['GET', 'HEAD'],\n maxRetries: cfg.proxy.maxRetries,\n })\n : proxyAgentBase\n\n /**\n * A fetch() function that protects against SSRF attacks, large responses &\n * known bad domains. 
This function can safely be used to fetch user\n * provided URLs (unless \"disableSsrfProtection\" is true, of course).\n *\n * @note **DO NOT** wrap `safeFetch` with any logging or other transforms as\n * this might prevent the use of explicit `redirect: \"follow\"` init from\n * working. See {@link safeFetchWrap}.\n */\n const safeFetch = safeFetchWrap({\n allowIpHost: false,\n allowImplicitRedirect: false,\n responseMaxSize: cfg.fetch.maxResponseSize,\n ssrfProtection: !cfg.fetch.disableSsrfProtection,\n\n // @NOTE Since we are using NodeJS <= 20, unicastFetchWrap would normally\n // *not* be using a keep-alive agent if it we are providing a fetch\n // function that is different from `globalThis.fetch`. However, since the\n // fetch function below is indeed calling `globalThis.fetch` without\n // altering any argument, we can safely force the use of the keep-alive\n // agent. This would not be the case if we used \"loggedFetch\" as that\n // function does wrap the input & init arguments into a Request object,\n // which, on NodeJS<=20, results in init.dispatcher *not* being used.\n dangerouslyForceKeepAliveAgent: true,\n fetch: function (input, init) {\n const method =\n init?.method ?? (input instanceof Request ? input.method : 'GET')\n const uri = input instanceof Request ? input.url : String(input)\n\n fetchLogger.info({ method, uri }, 'fetch')\n\n return globalThis.fetch.call(this, input, init)\n },\n })\n\n const oauthProvider = cfg.oauth.provider\n ? 
new OAuthProvider({\n issuer: cfg.oauth.issuer,\n keyset: [await JoseKey.fromKeyLike(jwtSecretKey, undefined, 'HS256')],\n store: new OAuthStore(\n accountManager,\n actorStore,\n imageUrlBuilder,\n backgroundQueue,\n mailer,\n sequencer,\n plcClient,\n plcRotationKey,\n cfg.service.publicUrl,\n cfg.identity.recoveryDidKey,\n ),\n redis: redisScratch,\n dpopSecret: secrets.dpopSecret,\n inviteCodeRequired: cfg.invites.required,\n availableUserDomains: cfg.identity.serviceHandleDomains,\n hcaptcha: cfg.oauth.provider.hcaptcha,\n branding: cfg.oauth.provider.branding,\n safeFetch,\n lexResolver: new LexResolver({\n fetch: safeFetch,\n plcDirectoryUrl: cfg.identity.plcUrl,\n hooks: {\n onResolveAuthority: ({ nsid }) => {\n lexiconResolverLogger.debug(\n { nsid: nsid.toString() },\n 'Resolving lexicon DID authority',\n )\n // Override the lexicon did resolution to point to a custom PDS\n return cfg.lexicon.didAuthority\n },\n onResolveAuthorityResult({ nsid, did }) {\n lexiconResolverLogger.info(\n { nsid: nsid.toString(), did },\n 'Resolved lexicon DID',\n )\n },\n onResolveAuthorityError({ nsid, err }) {\n lexiconResolverLogger.error(\n { nsid: nsid.toString(), err },\n 'Lexicon DID resolution error',\n )\n },\n onFetchResult({ uri, cid }) {\n lexiconResolverLogger.info(\n { uri: uri.toString(), cid: cid.toString() },\n 'Fetched lexicon',\n )\n },\n onFetchError({ err, uri }) {\n lexiconResolverLogger.error(\n { uri: uri.toString(), err },\n 'Lexicon fetch error',\n )\n },\n },\n }),\n metadata: {\n protected_resources: [new URL(cfg.oauth.issuer).origin],\n },\n // If the PDS is both an authorization server & resource server (no\n // entryway), we can afford to check the token validity on every\n // request. 
This allows revoked tokens to be rejected immediately.\n // This also allows JWT to be shorter since some claims (notably the\n // \"scope\" claim) do not need to be included in the token.\n accessTokenMode: AccessTokenMode.stateful,\n\n getClientInfo(clientId) {\n return {\n isTrusted: cfg.oauth.provider?.trustedClients?.includes(clientId),\n }\n },\n })\n : undefined\n\n const scopeRefGetter = entrywayAgent\n ? new ScopeReferenceGetter(entrywayAgent, redisScratch)\n : undefined\n\n const oauthVerifier: OAuthVerifier =\n oauthProvider ?? // OAuthProvider extends OAuthVerifier\n new OAuthVerifier({\n issuer: cfg.oauth.issuer,\n keyset: [await JoseKey.fromKeyLike(jwtPublicKey!, undefined, 'ES256K')],\n dpopSecret: secrets.dpopSecret,\n redis: redisScratch,\n onDecodeToken: async ({ payload, dpopProof }) => {\n // @TODO drop this once oauth provider no longer accepts DPoP proof with\n // query or fragment in \"htu\" claim.\n if (dpopProof?.htu.match(/[?#]/)) {\n oauthLogger.info(\n { htu: dpopProof.htu, client_id: payload.client_id },\n 'DPoP proof \"htu\" contains query or fragment',\n )\n }\n\n if (scopeRefGetter) {\n payload.scope = await scopeRefGetter.dereference(payload.scope)\n }\n\n return payload\n },\n })\n\n const authVerifier = new AuthVerifier(\n accountManager,\n idResolver,\n oauthVerifier,\n {\n publicUrl: cfg.service.publicUrl,\n jwtKey: jwtPublicKey ?? jwtSecretKey,\n adminPass: secrets.adminPassword,\n dids: {\n pds: cfg.service.did,\n entryway: cfg.entryway?.did,\n modService: cfg.modService?.did,\n },\n },\n )\n\n return new AppContext({\n actorStore,\n blobstore,\n localViewer,\n mailer,\n moderationMailer,\n didCache,\n idResolver,\n plcClient,\n accountManager,\n sequencer,\n backgroundQueue,\n redisScratch,\n crawlers,\n bskyAppView,\n moderationAgent,\n reportingAgent,\n entrywayAgent,\n entrywayAdminAgent,\n proxyAgent,\n safeFetch,\n authVerifier,\n oauthProvider,\n plcRotationKey,\n cfg,\n ...(overrides ?? 
{}),\n })\n }\n\n async appviewAuthHeaders(did: string, lxm: string) {\n assert(this.bskyAppView)\n return this.serviceAuthHeaders(did, this.bskyAppView.did, lxm)\n }\n\n async entrywayAuthHeaders(req: express.Request, did: string, lxm: string) {\n assert(this.cfg.entryway)\n const headers = await this.serviceAuthHeaders(\n did,\n this.cfg.entryway.did,\n lxm,\n )\n return forwardedFor(req, headers)\n }\n\n entrywayPassthruHeaders(req: express.Request) {\n return forwardedFor(req, authPassthru(req))\n }\n\n async serviceAuthHeaders(did: string, aud: string, lxm: string) {\n const keypair = await this.actorStore.keypair(did)\n return createServiceAuthHeaders({\n iss: did,\n aud,\n lxm,\n keypair,\n })\n }\n\n async serviceAuthJwt(did: string, aud: string, lxm: string) {\n const keypair = await this.actorStore.keypair(did)\n return createServiceJwt({\n iss: did,\n aud,\n lxm,\n keypair,\n })\n }\n}\n\nconst basicAuthHeader = (username: string, password: string) => {\n const encoded = ui8.toString(\n ui8.fromString(`${username}:${password}`, 'utf8'),\n 'base64pad',\n )\n return `Basic ${encoded}`\n}\n\nexport default AppContext\n"]}
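--- a/package/dist/db/pagination.d.ts
+++ b/package/dist/db/pagination.d.ts
@@ -47,7 +47,7 @@ export declare class TimeCidKeyset<TimeCidResult = CreatedAtCidResult> extends G
  secondary: string;
  };
  cursorToLabeledResult(cursor: Cursor): {
- primary: string;
+ primary: `${string}-${string}-${string}T${string}:${string}:${string}Z`;
  secondary: string;
  };
  }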
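--- a/package/dist/handle/index.d.ts
+++ b/package/dist/handle/index.d.ts
@@ -1,4 +1,4 @@
- export declare const baseNormalizeAndValidate: (handle: string) => string;
+ export declare const baseNormalizeAndValidate: (handle: string) => `${string}.${string}`;
  export declare const isServiceDomain: (handle: string, availableUserDomains: string[]) => boolean;
  export declare const ensureHandleServiceConstraints: (handle: string, availableUserDomains: string[], allowReserved?: boolean) => void;
  //# sourceMappingURL=index.d.ts.map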
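--- a/package/dist/handle/index.d.ts.map
+++ b/package/dist/handle/index.d.ts.map
@@ -1 +1 @@
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/handle/index.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,wBAAwB,GAAI,QAAQ,MAAM,WAStD,CAAA;AAED,eAAO,MAAM,eAAe,GAC1B,QAAQ,MAAM,EACd,sBAAsB,MAAM,EAAE,KAC7B,OAEF,CAAA;AAED,eAAO,MAAM,8BAA8B,GACzC,QAAQ,MAAM,EACd,sBAAsB,MAAM,EAAE,EAC9B,uBAAqB,KACpB,IAmBF,CAAA"}
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/handle/index.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,wBAAwB,GAAI,QAAQ,MAAM,0BAStD,CAAA;AAED,eAAO,MAAM,eAAe,GAC1B,QAAQ,MAAM,EACd,sBAAsB,MAAM,EAAE,KAC7B,OAEF,CAAA;AAED,eAAO,MAAM,8BAA8B,GACzC,QAAQ,MAAM,EACd,sBAAsB,MAAM,EAAE,EAC9B,uBAAqB,KACpB,IAmBF,CAAA"}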
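--- a/package/dist/lexicon/lexicons.d.ts
+++ b/package/dist/lexicon/lexicons.d.ts
@@ -14050,7 +14050,7 @@ export declare const schemaDict: {
  };
  readonly subjectReviewState: {
  readonly type: "string";
- readonly knownValues: ["lex:tools.ozone.moderation.defs#reviewOpen", "lex:tools.ozone.moderation.defs#reviewEscalated", "lex:tools.ozone.moderation.defs#reviewClosed", "lex:tools.ozone.moderation.defs#reviewNone"];
+ readonly knownValues: ["tools.ozone.moderation.defs#reviewOpen", "tools.ozone.moderation.defs#reviewEscalated", "tools.ozone.moderation.defs#reviewClosed", "tools.ozone.moderation.defs#reviewNone"];
  };
  readonly reviewOpen: {
  readonly type: "token";
@@ -17457,7 +17457,7 @@ export declare const schemaDict: {
  };
  readonly role: {
  readonly type: "string";
- readonly knownValues: ["lex:tools.ozone.team.defs#roleAdmin", "lex:tools.ozone.team.defs#roleModerator", "lex:tools.ozone.team.defs#roleTriage", "lex:tools.ozone.team.defs#roleVerifier"];
+ readonly knownValues: ["tools.ozone.team.defs#roleAdmin", "tools.ozone.team.defs#roleModerator", "tools.ozone.team.defs#roleTriage", "tools.ozone.team.defs#roleVerifier"];
  };
  };
  };
@@ -31725,7 +31725,7 @@ export declare const schemas: ({
  };
  readonly subjectReviewState: {
  readonly type: "string";
- readonly knownValues: ["lex:tools.ozone.moderation.defs#reviewOpen", "lex:tools.ozone.moderation.defs#reviewEscalated", "lex:tools.ozone.moderation.defs#reviewClosed", "lex:tools.ozone.moderation.defs#reviewNone"];
+ readonly knownValues: ["tools.ozone.moderation.defs#reviewOpen", "tools.ozone.moderation.defs#reviewEscalated", "tools.ozone.moderation.defs#reviewClosed", "tools.ozone.moderation.defs#reviewNone"];
  };
  readonly reviewOpen: {
  readonly type: "token";
@@ -35093,7 +35093,7 @@ export declare const schemas: ({
  };
  readonly role: {
  readonly type: "string";
- readonly knownValues: ["lex:tools.ozone.team.defs#roleAdmin", "lex:tools.ozone.team.defs#roleModerator", "lex:tools.ozone.team.defs#roleTriage", "lex:tools.ozone.team.defs#roleVerifier"];
+ readonly knownValues: ["tools.ozone.team.defs#roleAdmin", "tools.ozone.team.defs#roleModerator", "tools.ozone.team.defs#roleTriage", "tools.ozone.team.defs#roleVerifier"];
  };
  };
  };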
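--- a/package/dist/lexicon/lexicons.js
+++ b/package/dist/lexicon/lexicons.js
@@ -14720,10 +14720,10 @@ exports.schemaDict = {
  subjectReviewState: {
  type: 'string',
  knownValues: [
- 'lex:tools.ozone.moderation.defs#reviewOpen',
- 'lex:tools.ozone.moderation.defs#reviewEscalated',
- 'lex:tools.ozone.moderation.defs#reviewClosed',
- 'lex:tools.ozone.moderation.defs#reviewNone',
+ 'tools.ozone.moderation.defs#reviewOpen',
+ 'tools.ozone.moderation.defs#reviewEscalated',
+ 'tools.ozone.moderation.defs#reviewClosed',
+ 'tools.ozone.moderation.defs#reviewNone',
  ],
  },
  reviewOpen: {
@@ -18384,10 +18384,10 @@ exports.schemaDict = {
  role: {
  type: 'string',
  knownValues: [
- 'lex:tools.ozone.team.defs#roleAdmin',
- 'lex:tools.ozone.team.defs#roleModerator',
- 'lex:tools.ozone.team.defs#roleTriage',
- 'lex:tools.ozone.team.defs#roleVerifier',
+ 'tools.ozone.team.defs#roleAdmin',
+ 'tools.ozone.team.defs#roleModerator',
+ 'tools.ozone.team.defs#roleTriage',
+ 'tools.ozone.team.defs#roleVerifier',
  ],
  },
  },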