@atproto/pds 0.4.195 → 0.4.197

package/src/config/env.ts

@@ -1,6 +1,6 @@
 import { envBool, envInt, envList, envStr } from '@atproto/common'
 
-export const readEnv = (): ServerEnvironment => {
+export function readEnv() {
   return {
     // service
     port: envInt('PDS_PORT'),
@@ -73,7 +73,7 @@ export const readEnv = (): ServerEnvironment => {
     didCacheMaxTTL: envInt('PDS_DID_CACHE_MAX_TTL'),
     resolverTimeout: envInt('PDS_ID_RESOLVER_TIMEOUT'),
     recoveryDidKey: envStr('PDS_RECOVERY_DID_KEY'),
-    serviceHandleDomains: envList('PDS_SERVICE_HANDLE_DOMAINS'),
+    serviceHandleDomains: envList('PDS_SERVICE_HANDLE_DOMAINS'), // public hostname by default
     handleBackupNameservers: envList('PDS_HANDLE_BACKUP_NAMESERVERS'),
     enableDidDocWithSession: envBool('PDS_ENABLE_DID_DOC_WITH_SESSION'),
 
@@ -151,154 +151,10 @@ export const readEnv = (): ServerEnvironment => {
     proxyMaxResponseSize: envInt('PDS_PROXY_MAX_RESPONSE_SIZE'),
     proxyMaxRetries: envInt('PDS_PROXY_MAX_RETRIES'),
     proxyPreferCompressed: envBool('PDS_PROXY_PREFER_COMPRESSED'),
+
+    // lexicon resolution
+    lexiconDidAuthority: envStr('PDS_LEXICON_AUTHORITY_DID'),
   }
 }
 
-export type ServerEnvironment = {
-  // service
-  port?: number
-  hostname?: string
-  serviceDid?: string
-  serviceName?: string
-  version?: string
-  homeUrl?: string
-  logoUrl?: string
-  privacyPolicyUrl?: string
-  supportUrl?: string
-  termsOfServiceUrl?: string
-  contactEmailAddress?: string
-  acceptingImports?: boolean
-  maxImportSize?: number
-  blobUploadLimit?: number
-  devMode?: boolean
-
-  // OAuth
-  hcaptchaSiteKey?: string
-  hcaptchaSecretKey?: string
-  hcaptchaTokenSalt?: string
-  trustedOAuthClients?: string[]
-
-  // branding
-  lightColor?: string
-  darkColor?: string
-  primaryColor?: string
-  primaryColorContrast?: string
-  primaryColorHue?: number
-  errorColor?: string
-  errorColorContrast?: string
-  errorColorHue?: number
-  warningColor?: string
-  warningColorContrast?: string
-  warningColorHue?: number
-  successColor?: string
-  successColorContrast?: string
-  successColorHue?: number
-
-  // database
-  dataDirectory?: string
-  disableWalAutoCheckpoint?: boolean
-  accountDbLocation?: string
-  sequencerDbLocation?: string
-  didCacheDbLocation?: string
-
-  // actor store
-  actorStoreDirectory?: string
-  actorStoreCacheSize?: number
-
-  // blobstore: one required
-  blobstoreS3Bucket?: string
-  blobstoreDiskLocation?: string
-  blobstoreDiskTmpLocation?: string
-
-  // -- optional s3 parameters
-  blobstoreS3Region?: string
-  blobstoreS3Endpoint?: string
-  blobstoreS3ForcePathStyle?: boolean
-  blobstoreS3AccessKeyId?: string
-  blobstoreS3SecretAccessKey?: string
-  blobstoreS3UploadTimeoutMs?: number
-
-  // identity
-  didPlcUrl?: string
-  didCacheStaleTTL?: number
-  didCacheMaxTTL?: number
-  resolverTimeout?: number
-  recoveryDidKey?: string
-  serviceHandleDomains?: string[] // public hostname by default
-  handleBackupNameservers?: string[]
-  enableDidDocWithSession?: boolean
-
-  // entryway
-  entrywayUrl?: string
-  entrywayDid?: string
-  entrywayJwtVerifyKeyK256PublicKeyHex?: string
-  entrywayPlcRotationKey?: string
-
-  // invites
-  inviteRequired?: boolean
-  inviteInterval?: number
-  inviteEpoch?: number
-
-  // email
-  emailSmtpUrl?: string
-  emailFromAddress?: string
-  moderationEmailSmtpUrl?: string
-  moderationEmailAddress?: string
-
-  // subscription
-  maxSubscriptionBuffer?: number
-  repoBackfillLimitMs?: number
-
-  // appview
-  bskyAppViewUrl?: string
-  bskyAppViewDid?: string
-  bskyAppViewCdnUrlPattern?: string
-
-  // mod service
-  modServiceUrl?: string
-  modServiceDid?: string
-
-  // report service
-  reportServiceUrl?: string
-  reportServiceDid?: string
-
-  // rate limits
-  rateLimitsEnabled?: boolean
-  rateLimitBypassKey?: string
-  rateLimitBypassIps?: string[]
-
-  // redis
-  redisScratchAddress?: string
-  redisScratchPassword?: string
-
-  // crawler
-  crawlers?: string[]
-
-  // secrets
-  dpopSecret?: string
-  jwtSecret?: string
-  adminPassword?: string
-  entrywayAdminToken?: string
-
-  // keys
-  plcRotationKeyKmsKeyId?: string
-  plcRotationKeyK256PrivateKeyHex?: string
-
-  // user provided url http requests
-  disableSsrfProtection?: boolean
-
-  // fetch
-  fetchForceLogging?: boolean
-  fetchMaxResponseSize?: number
-
-  // lexicon resolver
-  lexiconDidAuthority?: string
-
-  // proxy
-  proxyAllowHTTP2?: boolean
-  proxyHeadersTimeout?: number
-  proxyBodyTimeout?: number
-  proxyMaxResponseSize?: number
-  proxyMaxRetries?: number
-  proxyPreferCompressed?: boolean
-}
+export type ServerEnvironment = Partial<ReturnType<typeof readEnv>>

package/src/context.ts

@@ -9,13 +9,10 @@ import { AtpAgent } from '@atproto/api'
 import { KmsKeypair, S3BlobStore } from '@atproto/aws'
 import * as crypto from '@atproto/crypto'
 import { IdResolver } from '@atproto/identity'
-import {
-  LexiconResolver,
-  buildLexiconResolver,
-} from '@atproto/lexicon-resolver'
 import {
   AccessTokenMode,
   JoseKey,
+  LexResolver,
   OAuthProvider,
   OAuthVerifier,
 } from '@atproto/oauth-provider'
@@ -328,48 +325,6 @@ export class AppContext {
       },
     })
 
-    const baseLexiconResolver = buildLexiconResolver({
-      idResolver,
-      rpc: { fetch: safeFetch },
-    })
-
-    const getLexiconAuthority = (_nsid: string): string | undefined => {
-      // At the moment, only a single override strategy is supported by
-      // specifying a did through which all the lexicons will be resolved. We
-      // might need more granular control in the future (e.g. per-nsid
-      // overrides)
-      return cfg.lexicon.didAuthority
-    }
-
-    const lexiconResolver: LexiconResolver = async (input) => {
-      const nsid: string = String(input)
-      try {
-        const result = await baseLexiconResolver(input, {
-          didAuthority: getLexiconAuthority(nsid),
-          // Right now, the lexicon resolver is only used by the oauth-provider,
-          // which caches the responses internally (through the LexiconStore).
-          // Since the `LexiconResolver` does not allow specifying a
-          // `forceRefresh` option, we hard code it here. Should PDSs need to
-          // resolve lexicons for other purposes (e.g. record validation), we'd
-          // probably want to either implement caching as built into the
-          // lexiconResolver here, or allow the caller (oauth-provider, etc.) to
-          // specify a `forceRefresh` option by altering the LexiconResolver
-          // interface.
-          forceRefresh: true,
-        })
-
-        const cid = result.cid.toString()
-        const uri = result.uri.toString()
-        lexiconResolverLogger.info({ nsid, uri, cid }, 'Resolved lexicon')
-
-        return result
-      } catch (err) {
-        lexiconResolverLogger.error({ nsid, err }, 'Lexicon resolution failed')
-
-        throw err
-      }
-    }
-
     const oauthProvider = cfg.oauth.provider
       ? new OAuthProvider({
           issuer: cfg.oauth.issuer,
@@ -393,7 +348,44 @@ export class AppContext {
           hcaptcha: cfg.oauth.provider.hcaptcha,
           branding: cfg.oauth.provider.branding,
           safeFetch,
-          lexiconResolver,
+          lexResolver: new LexResolver({
+            fetch: safeFetch,
+            plcDirectoryUrl: cfg.identity.plcUrl,
+            hooks: {
+              onResolveAuthority: ({ nsid }) => {
+                lexiconResolverLogger.debug(
+                  { nsid: nsid.toString() },
+                  'Resolving lexicon DID authority',
+                )
+                // Override the lexicon did resolution to point to a custom PDS
+                return cfg.lexicon.didAuthority
+              },
+              onResolveAuthorityResult({ nsid, did }) {
+                lexiconResolverLogger.info(
+                  { nsid: nsid.toString(), did },
+                  'Resolved lexicon DID',
+                )
+              },
+              onResolveAuthorityError({ nsid, err }) {
+                lexiconResolverLogger.error(
+                  { nsid: nsid.toString(), err },
+                  'Lexicon DID resolution error',
+                )
+              },
+              onFetchResult({ uri, cid }) {
+                lexiconResolverLogger.info(
+                  { uri: uri.toString(), cid: cid.toString() },
+                  'Fetched lexicon',
+                )
+              },
+              onFetchError({ err, uri }) {
+                lexiconResolverLogger.error(
+                  { uri: uri.toString(), err },
+                  'Lexicon fetch error',
+                )
+              },
+            },
+          }),
           metadata: {
             protected_resources: [new URL(cfg.oauth.issuer).origin],
           },

package/src/lexicon/lexicons.ts

@@ -15220,10 +15220,10 @@ export const schemaDict = {
       subjectReviewState: {
         type: 'string',
         knownValues: [
-          'lex:tools.ozone.moderation.defs#reviewOpen',
-          'lex:tools.ozone.moderation.defs#reviewEscalated',
-          'lex:tools.ozone.moderation.defs#reviewClosed',
-          'lex:tools.ozone.moderation.defs#reviewNone',
+          'tools.ozone.moderation.defs#reviewOpen',
+          'tools.ozone.moderation.defs#reviewEscalated',
+          'tools.ozone.moderation.defs#reviewClosed',
+          'tools.ozone.moderation.defs#reviewNone',
         ],
       },
       reviewOpen: {
@@ -19008,10 +19008,10 @@ export const schemaDict = {
           role: {
             type: 'string',
             knownValues: [
-              'lex:tools.ozone.team.defs#roleAdmin',
-              'lex:tools.ozone.team.defs#roleModerator',
-              'lex:tools.ozone.team.defs#roleTriage',
-              'lex:tools.ozone.team.defs#roleVerifier',
+              'tools.ozone.team.defs#roleAdmin',
+              'tools.ozone.team.defs#roleModerator',
+              'tools.ozone.team.defs#roleTriage',
+              'tools.ozone.team.defs#roleVerifier',
             ],
           },
         },

package/src/lexicon/types/tools/ozone/moderation/defs.ts

@@ -282,10 +282,10 @@ export function validateAccountStrike<V>(v: V) {
 }
 
 export type SubjectReviewState =
-  | 'lex:tools.ozone.moderation.defs#reviewOpen'
-  | 'lex:tools.ozone.moderation.defs#reviewEscalated'
-  | 'lex:tools.ozone.moderation.defs#reviewClosed'
-  | 'lex:tools.ozone.moderation.defs#reviewNone'
+  | 'tools.ozone.moderation.defs#reviewOpen'
+  | 'tools.ozone.moderation.defs#reviewEscalated'
+  | 'tools.ozone.moderation.defs#reviewClosed'
+  | 'tools.ozone.moderation.defs#reviewNone'
   | (string & {})
 
 /** Moderator review status of a subject: Open. Indicates that the subject needs to be reviewed by a moderator */

package/src/lexicon/types/tools/ozone/team/defs.ts

@@ -24,10 +24,10 @@ export interface Member {
   updatedAt?: string
   lastUpdatedBy?: string
   role:
-    | 'lex:tools.ozone.team.defs#roleAdmin'
-    | 'lex:tools.ozone.team.defs#roleModerator'
-    | 'lex:tools.ozone.team.defs#roleTriage'
-    | 'lex:tools.ozone.team.defs#roleVerifier'
+    | 'tools.ozone.team.defs#roleAdmin'
+    | 'tools.ozone.team.defs#roleModerator'
+    | 'tools.ozone.team.defs#roleTriage'
+    | 'tools.ozone.team.defs#roleVerifier'
     | (string & {})
 }