@atproto/pds 0.4.220 → 0.4.221

package/dist/lexicons/chat/bsky/group/addMembers.defs.d.ts

@@ -1,5 +1,6 @@
 import { l } from '@atproto/lex';
 import * as ConvoDefs from '../convo/defs.defs.js';
+import * as ActorDefs from '../actor/defs.defs.js';
 declare const $nsid = "chat.bsky.group.addMembers";
 export { $nsid };
 /** [NOTE: This is under active development and should be considered unstable while this note is here]. Adds members to a group. The members are added in 'request' status, so they have to accept it. This creates convo memberships. */
@@ -10,6 +11,7 @@ declare const main: l.Procedure<"chat.bsky.group.addMembers", l.ParamsSchema<{}>
     }>>;
 }>>, l.Payload<"application/json", l.ObjectSchema<{
     convo: l.RefSchema<l.Validator<ConvoDefs.ConvoView, ConvoDefs.ConvoView>>;
+    addedMembers: l.OptionalSchema<l.ArraySchema<l.RefSchema<l.Validator<ActorDefs.ProfileViewBasic, ActorDefs.ProfileViewBasic>>>>;
 }>>, readonly ["AccountSuspended", "BlockedActor", "GroupInvitesDisabled", "ConvoLocked", "InsufficientRole", "InvalidConvo", "MemberLimitReached", "NotFollowedBySender", "RecipientNotFound"]>;
 export { main };
 export type $Params = l.InferMethodParams<typeof main>;
@@ -24,5 +26,6 @@ export declare const $lxm: "chat.bsky.group.addMembers", $params: l.ParamsSchema
     }>>;
 }>>, $output: l.Payload<"application/json", l.ObjectSchema<{
     convo: l.RefSchema<l.Validator<ConvoDefs.ConvoView, ConvoDefs.ConvoView>>;
+    addedMembers: l.OptionalSchema<l.ArraySchema<l.RefSchema<l.Validator<ActorDefs.ProfileViewBasic, ActorDefs.ProfileViewBasic>>>>;
 }>>;
 //# sourceMappingURL=addMembers.defs.d.ts.map

package/dist/lexicons/chat/bsky/group/addMembers.defs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"addMembers.defs.d.ts","sourceRoot":"","sources":["../../../../../src/lexicons/chat/bsky/group/addMembers.defs.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,CAAC,EAAE,MAAM,cAAc,CAAA;AAChC,OAAO,KAAK,SAAS,MAAM,uBAAuB,CAAA;AAElD,QAAA,MAAM,KAAK,+BAA+B,CAAA;AAE1C,OAAO,EAAE,KAAK,EAAE,CAAA;AAEhB,yOAAyO;AACzO,QAAA,MAAM,IAAI;;;;;;;gMAqBT,CAAA;AACD,OAAO,EAAE,IAAI,EAAE,CAAA;AAEf,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,iBAAiB,CAAC,OAAO,IAAI,CAAC,CAAA;AACtD,MAAM,MAAM,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,gBAAgB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAA;AACzE,MAAM,MAAM,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,oBAAoB,CAC/D,OAAO,IAAI,EACX,CAAC,CACF,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,iBAAiB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAA;AAC3E,MAAM,MAAM,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,qBAAqB,CACjE,OAAO,IAAI,EACX,CAAC,CACF,CAAA;AAED,eAAO,MAAM,IAAI,8BAAY,EAC3B,OAAO,oBAAkB,EACzB,MAAM;;;;;GAAa,EACnB,OAAO;;GAAc,CAAA"}
+{"version":3,"file":"addMembers.defs.d.ts","sourceRoot":"","sources":["../../../../../src/lexicons/chat/bsky/group/addMembers.defs.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,CAAC,EAAE,MAAM,cAAc,CAAA;AAChC,OAAO,KAAK,SAAS,MAAM,uBAAuB,CAAA;AAClD,OAAO,KAAK,SAAS,MAAM,uBAAuB,CAAA;AAElD,QAAA,MAAM,KAAK,+BAA+B,CAAA;AAE1C,OAAO,EAAE,KAAK,EAAE,CAAA;AAEhB,yOAAyO;AACzO,QAAA,MAAM,IAAI;;;;;;;;gMA4BT,CAAA;AACD,OAAO,EAAE,IAAI,EAAE,CAAA;AAEf,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,iBAAiB,CAAC,OAAO,IAAI,CAAC,CAAA;AACtD,MAAM,MAAM,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,gBAAgB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAA;AACzE,MAAM,MAAM,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,oBAAoB,CAC/D,OAAO,IAAI,EACX,CAAC,CACF,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,iBAAiB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAA;AAC3E,MAAM,MAAM,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,qBAAqB,CACjE,OAAO,IAAI,EACX,CAAC,CACF,CAAA;AAED,eAAO,MAAM,IAAI,8BAAY,EAC3B,OAAO,oBAAkB,EACzB,MAAM;;;;;GAAa,EACnB,OAAO;;;GAAc,CAAA"}

package/dist/lexicons/chat/bsky/group/addMembers.defs.js

@@ -39,6 +39,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.$output = exports.$input = exports.$params = exports.$lxm = exports.main = exports.$nsid = void 0;
 const lex_1 = require("@atproto/lex");
 const ConvoDefs = __importStar(require("../convo/defs.defs.js"));
+const ActorDefs = __importStar(require("../actor/defs.defs.js"));
 const $nsid = 'chat.bsky.group.addMembers';
 exports.$nsid = $nsid;
 /** [NOTE: This is under active development and should be considered unstable while this note is here]. Adds members to a group. The members are added in 'request' status, so they have to accept it. This creates convo memberships. */
@@ -47,6 +48,7 @@ const main = lex_1.l.procedure($nsid, lex_1.l.params(), lex_1.l.jsonPayload({
     members: lex_1.l.array(lex_1.l.string({ format: 'did' }), { minLength: 1 }),
 }), lex_1.l.jsonPayload({
     convo: lex_1.l.ref((() => ConvoDefs.convoView)),
+    addedMembers: lex_1.l.optional(lex_1.l.array(lex_1.l.ref((() => ActorDefs.profileViewBasic)))),
 }), [
     'AccountSuspended',
     'BlockedActor',

package/dist/lexicons/chat/bsky/group/addMembers.defs.js.map

@@ -1 +1 @@
-{"version":3,"file":"addMembers.defs.js","sourceRoot":"","sources":["../../../../../src/lexicons/chat/bsky/group/addMembers.defs.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,sCAAgC;AAChC,iEAAkD;AAElD,MAAM,KAAK,GAAG,4BAA4B,CAAA;AAEjC,sBAAK;AAEd,yOAAyO;AACzO,MAAM,IAAI,GAAG,OAAC,CAAC,SAAS,CACtB,KAAK,EACL,OAAC,CAAC,MAAM,EAAE,EACV,OAAC,CAAC,WAAW,CAAC;IACZ,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;CAChE,CAAC,EACF,OAAC,CAAC,WAAW,CAAC;IACZ,KAAK,EAAE,OAAC,CAAC,GAAG,CAAsB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,SAAS,CAAQ,CAAC;CACtE,CAAC,EACF;IACE,kBAAkB;IAClB,cAAc;IACd,sBAAsB;IACtB,aAAa;IACb,kBAAkB;IAClB,cAAc;IACd,oBAAoB;IACpB,qBAAqB;IACrB,mBAAmB;CACpB,CACF,CAAA;AACQ,oBAAI;AAcA,QAAA,IAAI,GAAG,IAAI,CAAC,IAAI,EAC3B,QAAA,OAAO,GAAG,IAAI,CAAC,UAAU,EACzB,QAAA,MAAM,GAAG,IAAI,CAAC,KAAK,EACnB,QAAA,OAAO,GAAG,IAAI,CAAC,MAAM,CAAA","sourcesContent":["/*\n * THIS FILE WAS GENERATED BY \"@atproto/lex\". DO NOT EDIT.\n */\n\nimport { l } from '@atproto/lex'\nimport * as ConvoDefs from '../convo/defs.defs.js'\n\nconst $nsid = 'chat.bsky.group.addMembers'\n\nexport { $nsid }\n\n/** [NOTE: This is under active development and should be considered unstable while this note is here]. Adds members to a group. The members are added in 'request' status, so they have to accept it. This creates convo memberships. */\nconst main = l.procedure(\n  $nsid,\n  l.params(),\n  l.jsonPayload({\n    convoId: l.string(),\n    members: l.array(l.string({ format: 'did' }), { minLength: 1 }),\n  }),\n  l.jsonPayload({\n    convo: l.ref<ConvoDefs.ConvoView>((() => ConvoDefs.convoView) as any),\n  }),\n  [\n    'AccountSuspended',\n    'BlockedActor',\n    'GroupInvitesDisabled',\n    'ConvoLocked',\n    'InsufficientRole',\n    'InvalidConvo',\n    'MemberLimitReached',\n    'NotFollowedBySender',\n    'RecipientNotFound',\n  ],\n)\nexport { main }\n\nexport type $Params = l.InferMethodParams<typeof main>\nexport type $Input<B = l.BinaryData> = l.InferMethodInput<typeof main, B>\nexport type $InputBody<B = l.BinaryData> = l.InferMethodInputBody<\n  typeof main,\n  B\n>\nexport type $Output<B = l.BinaryData> = l.InferMethodOutput<typeof main, B>\nexport type $OutputBody<B = l.BinaryData> = l.InferMethodOutputBody<\n  typeof main,\n  B\n>\n\nexport const $lxm = main.nsid,\n  $params = main.parameters,\n  $input = main.input,\n  $output = main.output\n"]}
+{"version":3,"file":"addMembers.defs.js","sourceRoot":"","sources":["../../../../../src/lexicons/chat/bsky/group/addMembers.defs.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,sCAAgC;AAChC,iEAAkD;AAClD,iEAAkD;AAElD,MAAM,KAAK,GAAG,4BAA4B,CAAA;AAEjC,sBAAK;AAEd,yOAAyO;AACzO,MAAM,IAAI,GAAG,OAAC,CAAC,SAAS,CACtB,KAAK,EACL,OAAC,CAAC,MAAM,EAAE,EACV,OAAC,CAAC,WAAW,CAAC;IACZ,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;CAChE,CAAC,EACF,OAAC,CAAC,WAAW,CAAC;IACZ,KAAK,EAAE,OAAC,CAAC,GAAG,CAAsB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,SAAS,CAAQ,CAAC;IACrE,YAAY,EAAE,OAAC,CAAC,QAAQ,CACtB,OAAC,CAAC,KAAK,CACL,OAAC,CAAC,GAAG,CACH,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,gBAAgB,CAAQ,CAC1C,CACF,CACF;CACF,CAAC,EACF;IACE,kBAAkB;IAClB,cAAc;IACd,sBAAsB;IACtB,aAAa;IACb,kBAAkB;IAClB,cAAc;IACd,oBAAoB;IACpB,qBAAqB;IACrB,mBAAmB;CACpB,CACF,CAAA;AACQ,oBAAI;AAcA,QAAA,IAAI,GAAG,IAAI,CAAC,IAAI,EAC3B,QAAA,OAAO,GAAG,IAAI,CAAC,UAAU,EACzB,QAAA,MAAM,GAAG,IAAI,CAAC,KAAK,EACnB,QAAA,OAAO,GAAG,IAAI,CAAC,MAAM,CAAA","sourcesContent":["/*\n * THIS FILE WAS GENERATED BY \"@atproto/lex\". DO NOT EDIT.\n */\n\nimport { l } from '@atproto/lex'\nimport * as ConvoDefs from '../convo/defs.defs.js'\nimport * as ActorDefs from '../actor/defs.defs.js'\n\nconst $nsid = 'chat.bsky.group.addMembers'\n\nexport { $nsid }\n\n/** [NOTE: This is under active development and should be considered unstable while this note is here]. Adds members to a group. The members are added in 'request' status, so they have to accept it. This creates convo memberships. */\nconst main = l.procedure(\n  $nsid,\n  l.params(),\n  l.jsonPayload({\n    convoId: l.string(),\n    members: l.array(l.string({ format: 'did' }), { minLength: 1 }),\n  }),\n  l.jsonPayload({\n    convo: l.ref<ConvoDefs.ConvoView>((() => ConvoDefs.convoView) as any),\n    addedMembers: l.optional(\n      l.array(\n        l.ref<ActorDefs.ProfileViewBasic>(\n          (() => ActorDefs.profileViewBasic) as any,\n        ),\n      ),\n    ),\n  }),\n  [\n    'AccountSuspended',\n    'BlockedActor',\n    'GroupInvitesDisabled',\n    'ConvoLocked',\n    'InsufficientRole',\n    'InvalidConvo',\n    'MemberLimitReached',\n    'NotFollowedBySender',\n    'RecipientNotFound',\n  ],\n)\nexport { main }\n\nexport type $Params = l.InferMethodParams<typeof main>\nexport type $Input<B = l.BinaryData> = l.InferMethodInput<typeof main, B>\nexport type $InputBody<B = l.BinaryData> = l.InferMethodInputBody<\n  typeof main,\n  B\n>\nexport type $Output<B = l.BinaryData> = l.InferMethodOutput<typeof main, B>\nexport type $OutputBody<B = l.BinaryData> = l.InferMethodOutputBody<\n  typeof main,\n  B\n>\n\nexport const $lxm = main.nsid,\n  $params = main.parameters,\n  $input = main.input,\n  $output = main.output\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/pds",
-  "version": "0.4.220",
+  "version": "0.4.221",
   "license": "MIT",
   "description": "Reference implementation of atproto Personal Data Server (PDS)",
   "keywords": [
@@ -45,27 +45,26 @@
     "undici": "^6.19.8",
     "zod": "^3.23.8",
     "@atproto-labs/fetch-node": "^0.2.0",
-    "@atproto-labs/simple-store-redis": "^0.0.1",
-    "@atproto-labs/simple-store-memory": "^0.1.4",
     "@atproto-labs/simple-store": "^0.3.0",
+    "@atproto-labs/simple-store-memory": "^0.1.4",
+    "@atproto-labs/simple-store-redis": "^0.0.1",
     "@atproto-labs/xrpc-utils": "^0.0.24",
+    "@atproto/aws": "^0.2.32",
     "@atproto/common": "^0.5.16",
     "@atproto/crypto": "^0.4.5",
     "@atproto/identity": "^0.4.12",
     "@atproto/lex": "^0.0.25",
-    "@atproto/aws": "^0.2.32",
     "@atproto/lex-cbor": "^0.0.16",
-    "@atproto/lex-json": "^0.0.16",
     "@atproto/lex-data": "^0.0.15",
+    "@atproto/lex-json": "^0.0.16",
+    "@atproto/oauth-provider": "^0.16.3",
     "@atproto/oauth-scopes": "^0.3.2",
-    "@atproto/oauth-provider": "^0.16.1",
-    "@atproto/xrpc": "^0.7.7",
+    "@atproto/repo": "^0.9.1",
     "@atproto/syntax": "^0.5.4",
-    "@atproto/xrpc-server": "^0.10.20",
-    "@atproto/repo": "^0.9.1"
+    "@atproto/xrpc": "^0.7.7",
+    "@atproto/xrpc-server": "^0.10.20"
   },
   "devDependencies": {
-    "@atproto/pds-entryway": "npm:@atproto/pds@0.3.0-entryway.3",
     "@did-plc/server": "^0.0.1",
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.13",
@@ -80,8 +79,8 @@
     "ts-node": "^10.8.2",
     "typescript": "^5.6.3",
     "ws": "^8.12.0",
-    "@atproto/api": "^0.19.9",
-    "@atproto/bsky": "^0.0.226",
+    "@atproto/api": "^0.19.11",
+    "@atproto/bsky": "^0.0.227",
     "@atproto/lex-document": "^0.0.20",
     "@atproto/oauth-client-browser-example": "^0.0.10"
   },

package/src/auth-verifier.ts

@@ -465,8 +465,8 @@ export class AuthVerifier {
       throw new AuthRequiredError(undefined, 'AuthMissing')
     }
 
-    const { payload, protectedHeader } = await jose
-      .jwtVerify(token, this._jwtKey, { ...options, typ: undefined })
+    const { payload } = await jose
+      .jwtVerify(token, this._jwtKey, options)
       .catch((cause) => {
         if (cause instanceof jose.errors.JWTExpired) {
           throw new InvalidRequestError('Token has expired', 'ExpiredToken', {
@@ -481,14 +481,6 @@ export class AuthVerifier {
         }
       })
 
-    // @NOTE: the "typ" is now set in production environments, so we should be
-    // able to safely check it through jose.jwtVerify(). However, tests depend
-    // on @atproto/pds-entryway which does not set "typ" in the access tokens.
-    // For that reason, we still allow it to be missing.
-    if (protectedHeader.typ && options.typ !== protectedHeader.typ) {
-      throw new InvalidRequestError('Invalid token type', 'InvalidToken')
-    }
-
     const { sub, aud, scope, lxm, cnf, jti } = payload
 
     if (typeof lxm !== 'undefined') {
@@ -634,7 +626,7 @@ const extractAuthType = (req: IncomingMessage): AuthType | null => {
   return type
 }
 
-const bearerTokenFromReq = (req: IncomingMessage) => {
+export const bearerTokenFromReq = (req: IncomingMessage) => {
   const [type, token] = parseAuthorizationHeader(req)
   return type === AuthType.BEARER ? token : null
 }

package/src/index.ts

@@ -32,7 +32,11 @@ import compression from './util/compression'
 import * as wellKnown from './well-known'
 
 export * from './lexicons.js'
-export { createSecretKeyObject } from './auth-verifier'
+export {
+  bearerTokenFromReq,
+  createPublicKeyObject,
+  createSecretKeyObject,
+} from './auth-verifier'
 export * from './config'
 export { AppContext } from './context'
 export { Database } from './db'

package/tests/auth.test.ts

@@ -331,7 +331,9 @@ describe('auth', () => {
       password: 'password',
     })
     const refreshWithAccess = refreshSession(account.accessJwt)
-    await expect(refreshWithAccess).rejects.toThrow('Invalid token type')
+    await expect(refreshWithAccess).rejects.toThrow(
+      'Token could not be verified',
+    )
   })
 
   it('expired refresh token cannot be used to refresh a session.', async () => {

package/tests/entryway-mock.ts

@@ -0,0 +1,317 @@
+import { createPrivateKey } from 'node:crypto'
+import * as http from 'node:http'
+import * as plcLib from '@did-plc/lib'
+import { HttpTerminator, createHttpTerminator } from 'http-terminator'
+import * as jose from 'jose'
+import KeyEncoder from 'key-encoder'
+import * as ui8 from 'uint8arrays'
+import { AtpAgent } from '@atproto/api'
+import { getVerificationMaterial } from '@atproto/common'
+import { Secp256k1Keypair, randomStr } from '@atproto/crypto'
+import { IdResolver, getDidKeyFromMultibase } from '@atproto/identity'
+import { DidString, HandleString } from '@atproto/syntax'
+import {
+  AuthRequiredError,
+  createServer,
+  parseReqNsid,
+  verifyJwt as verifyServiceJwt,
+} from '@atproto/xrpc-server'
+import { bearerTokenFromReq, createPublicKeyObject } from '../src/auth-verifier'
+import { com } from '../src/lexicons/index.js'
+
+interface Account {
+  did: DidString
+  handle: HandleString
+  email?: string
+}
+
+interface MockEntrywayOpts {
+  port: number
+  serviceDid: string
+  plcUrl: string
+  pdsUrl: string
+  pdsDid: string
+  adminPassword: string
+  jwtSigningKey: Secp256k1Keypair
+  plcRotationKey: Secp256k1Keypair
+}
+
+type AccessAuthResult = { credentials: { did: string; type: 'access' } }
+type ServiceAuthResult = { credentials: { did: string; type: 'service' } }
+
+export class MockEntryway {
+  public url: string
+  public serviceDid: string
+  public plcRotationKey: Secp256k1Keypair
+  public idResolver: IdResolver
+
+  private server: http.Server
+  private terminator: HttpTerminator
+  private accounts = new Map<string, Account>()
+
+  private constructor(
+    server: http.Server,
+    terminator: HttpTerminator,
+    idResolver: IdResolver,
+    opts: MockEntrywayOpts,
+  ) {
+    this.server = server
+    this.terminator = terminator
+    this.url = `http://localhost:${opts.port}`
+    this.serviceDid = opts.serviceDid
+    this.plcRotationKey = opts.plcRotationKey
+    this.idResolver = idResolver
+  }
+
+  static async create(opts: MockEntrywayOpts): Promise<MockEntryway> {
+    const keyEncoder = new KeyEncoder('secp256k1')
+    const privateKeyHex = ui8.toString(await opts.jwtSigningKey.export(), 'hex')
+    const privatePem = keyEncoder.encodePrivate(privateKeyHex, 'raw', 'pem')
+    const jwtPrivateKey = createPrivateKey({ format: 'pem', key: privatePem })
+    const jwtPublicKey = createPublicKeyObject(
+      opts.jwtSigningKey.publicKeyStr('hex'),
+    )
+
+    const plcClient = new plcLib.Client(opts.plcUrl)
+    const pdsAgent = new AtpAgent({ service: opts.pdsUrl })
+    const idResolver = new IdResolver({ plcUrl: opts.plcUrl })
+
+    const accounts = new Map<string, Account>()
+
+    const getSigningKey = async (
+      iss: string,
+      forceRefresh: boolean,
+    ): Promise<string> => {
+      const [did, serviceId] = iss.split('#')
+      if (serviceId) {
+        throw new AuthRequiredError('no service id expected in iss claim')
+      }
+      const didDoc = await idResolver.did.resolve(did, forceRefresh)
+      if (!didDoc) {
+        throw new AuthRequiredError(`could not resolve did: ${did}`)
+      }
+      const parsedKey = getVerificationMaterial(didDoc, 'atproto')
+      if (!parsedKey) {
+        throw new AuthRequiredError('missing or bad key in did doc')
+      }
+      const didKey = getDidKeyFromMultibase(parsedKey)
+      if (!didKey) {
+        throw new AuthRequiredError('missing or bad key in did doc')
+      }
+      return didKey
+    }
+
+    const bearerToken = (req: http.IncomingMessage): string => {
+      const token = bearerTokenFromReq(req)
+      if (!token) {
+        throw new AuthRequiredError('missing bearer token')
+      }
+      return token
+    }
+
+    // Auth: verify user access token (typ: 'at+jwt') signed by entryway
+    const accessAuth = async ({
+      req,
+    }: {
+      req: http.IncomingMessage
+    }): Promise<AccessAuthResult> => {
+      try {
+        const token = bearerToken(req)
+        const { protectedHeader, payload } = await jose.jwtVerify(
+          token,
+          jwtPublicKey,
+        )
+        if (protectedHeader.typ !== 'at+jwt') {
+          throw new AuthRequiredError('expected typ: at+jwt')
+        }
+        if (!payload.sub) {
+          throw new AuthRequiredError('missing sub in token')
+        }
+        return { credentials: { did: payload.sub, type: 'access' } }
+      } catch (err) {
+        console.log(err)
+        throw err
+      }
+    }
+
+    // Auth: verify service auth token from PDS (no typ / typ !== 'at+jwt')
+    const serviceAuth = async ({
+      req,
+    }: {
+      req: http.IncomingMessage
+    }): Promise<ServiceAuthResult> => {
+      try {
+        const token = bearerToken(req)
+        const { typ } = jose.decodeProtectedHeader(token)
+        if (typ === 'at+jwt') {
+          throw new AuthRequiredError(
+            'expected service auth: typ must not be at+jwt',
+          )
+        }
+        const nsid = parseReqNsid(req)
+        const payload = await verifyServiceJwt(
+          token,
+          opts.serviceDid,
+          nsid,
+          getSigningKey,
+        )
+        return { credentials: { did: payload.iss, type: 'service' } }
+      } catch (err) {
+        console.log(err)
+        throw err
+      }
+    }
+
+    // Auth: accept either access token or service auth
+    const accessOrServiceAuth = async ({
+      req,
+    }: {
+      req: http.IncomingMessage
+    }): Promise<AccessAuthResult | ServiceAuthResult> => {
+      const token = bearerToken(req)
+      const { typ } = jose.decodeProtectedHeader(token)
+      if (typ === 'at+jwt') {
+        return accessAuth({ req })
+      }
+      return serviceAuth({ req })
+    }
+
+    const server = createServer()
+
+    server.add(com.atproto.server.createAccount, {
+      handler: async ({ input }) => {
+        const { email, handle } = input.body
+
+        // Reserve a signing key on the PDS
+        const {
+          data: { signingKey },
+        } = await pdsAgent.com.atproto.server.reserveSigningKey({})
+
+        // Create PLC operation
+        const plcCreate = await plcLib.createOp({
+          signingKey,
+          rotationKeys: [opts.plcRotationKey.did()],
+          handle,
+          pds: opts.pdsUrl,
+          signer: opts.plcRotationKey,
+        })
+
+        // Create account on PDS (no auth needed — userServiceAuthOptional)
+        await pdsAgent.com.atproto.server.createAccount({
+          did: plcCreate.did,
+          handle,
+          plcOp: plcCreate.op,
+        })
+
+        // Store account in memory
+        accounts.set(plcCreate.did, {
+          did: plcCreate.did as DidString,
+          handle,
+          email,
+        })
+
+        // Sign access + refresh JWTs
+        const now = Math.floor(Date.now() / 1000)
+        const accessJwt = await new jose.SignJWT({
+          scope: 'com.atproto.access',
+        })
+          .setProtectedHeader({ alg: 'ES256K', typ: 'at+jwt' })
+          .setSubject(plcCreate.did)
+          .setAudience(opts.pdsDid)
+          .setIssuedAt(now)
+          .setExpirationTime(now + 60 * 60)
+          .setJti(randomStr(16, 'base32'))
+          .sign(jwtPrivateKey)
+
+        const refreshJwt = await new jose.SignJWT({
+          scope: 'com.atproto.refresh',
+        })
+          .setProtectedHeader({ alg: 'ES256K', typ: 'at+jwt' })
+          .setSubject(plcCreate.did)
+          .setAudience(opts.pdsDid)
+          .setIssuedAt(now)
+          .setExpirationTime(now + 90 * 24 * 60 * 60)
+          .setJti(randomStr(16, 'base32'))
+          .sign(jwtPrivateKey)
+
+        return {
+          encoding: 'application/json' as const,
+          body: {
+            did: plcCreate.did as DidString,
+            handle,
+            accessJwt,
+            refreshJwt,
+          },
+        }
+      },
+    })
+
+    server.add(com.atproto.server.getSession, {
+      auth: accessOrServiceAuth,
+      handler: async ({ auth }) => {
+        const account = accounts.get(auth.credentials.did)
+        if (!account) {
+          throw new Error(
+            `Could not find account for DID: ${auth.credentials.did}`,
+          )
+        }
+        return {
+          encoding: 'application/json' as const,
+          body: {
+            did: account.did,
+            handle: account.handle,
+            email: account.email,
+            emailConfirmed: false,
+          },
+        }
+      },
+    })
+
+    server.add(com.atproto.identity.updateHandle, {
+      auth: serviceAuth,
+      handler: async ({ auth, input }) => {
+        // The PDS sends { did, handle } where did is the target user
+        const body = input.body as typeof input.body & { did?: string }
+        const targetDid = body.did || auth.credentials.did
+        const newHandle = body.handle
+
+        // Update handle in PLC
+        await plcClient.updateHandle(targetDid, opts.plcRotationKey, newHandle)
+
+        // Update in-memory account
+        const account = accounts.get(targetDid)
+        if (account) {
+          account.handle = newHandle
+        }
+
+        // Notify PDS via admin endpoint
+        const adminAuth = Buffer.from(`admin:${opts.adminPassword}`).toString(
+          'base64',
+        )
+        await pdsAgent.com.atproto.admin.updateAccountHandle(
+          { did: targetDid, handle: newHandle },
+          {
+            headers: { authorization: `Basic ${adminAuth}` },
+            encoding: 'application/json',
+          },
+        )
+      },
+    })
+
+    const httpServer = server.listen(opts.port)
+    const terminator = createHttpTerminator({ server: httpServer })
+
+    const instance = new MockEntryway(httpServer, terminator, idResolver, opts)
+    instance.accounts = accounts
+
+    return instance
+  }
+
+  getAccount(did: string): Account | undefined {
+    return this.accounts.get(did)
+  }
+
+  async destroy(): Promise<void> {
+    await this.terminator.terminate()
+  }
+}

package/tests/entryway.test.ts

@@ -1,22 +1,17 @@
 import assert from 'node:assert'
-import * as os from 'node:os'
-import * as path from 'node:path'
 import * as plcLib from '@did-plc/lib'
 import getPort from 'get-port'
-import { decodeJwt } from 'jose'
-import * as ui8 from 'uint8arrays'
 import { AtpAgent } from '@atproto/api'
-import { Secp256k1Keypair, randomStr } from '@atproto/crypto'
+import { Secp256k1Keypair } from '@atproto/crypto'
 import { SeedClient, TestPds, TestPlc, mockResolvers } from '@atproto/dev-env'
 import { isDidString } from '@atproto/lex'
-import * as pdsEntryway from '@atproto/pds-entryway'
 import { DidString } from '@atproto/syntax'
-import { parseReqNsid } from '@atproto/xrpc-server'
+import { MockEntryway } from './entryway-mock'
 
 describe('entryway', () => {
   let plc: TestPlc
   let pds: TestPds
-  let entryway: pdsEntryway.PDS
+  let entryway: MockEntryway
   let pdsAgent: AtpAgent
   let entrywayAgent: AtpAgent
   let alice: DidString
@@ -30,7 +25,7 @@ describe('entryway', () => {
     pds = await TestPds.create({
       entrywayUrl: `http://localhost:${entrywayPort}`,
       entrywayDid: 'did:example:entryway',
-      entrywayJwtVerifyKeyK256PublicKeyHex: getPublicHex(jwtSigningKey),
+      entrywayJwtVerifyKeyK256PublicKeyHex: jwtSigningKey.publicKeyStr('hex'),
       entrywayPlcRotationKey: plcRotationKey.did(),
       adminPassword: 'admin-pass',
       serviceHandleDomains: [],
@@ -38,29 +33,21 @@ describe('entryway', () => {
       serviceDid: 'did:example:pds',
       inviteRequired: false,
     })
-    entryway = await createEntryway({
-      dbPostgresSchema: 'entryway',
+    entryway = await MockEntryway.create({
       port: entrywayPort,
-      adminPassword: 'admin-pass',
-      jwtSigningKeyK256PrivateKeyHex: await getPrivateHex(jwtSigningKey),
-      plcRotationKeyK256PrivateKeyHex: await getPrivateHex(plcRotationKey),
-      inviteRequired: false,
       serviceDid: 'did:example:entryway',
-      didPlcUrl: plc.url,
+      plcUrl: plc.url,
+      pdsUrl: pds.url,
+      pdsDid: 'did:example:pds',
+      adminPassword: 'admin-pass',
+      jwtSigningKey,
+      plcRotationKey,
     })
     mockResolvers(pds.ctx.idResolver, pds)
-    mockResolvers(entryway.ctx.idResolver, pds)
-    await entryway.ctx.db.db
-      .insertInto('pds')
-      .values({
-        did: pds.ctx.cfg.service.did,
-        host: new URL(pds.ctx.cfg.service.publicUrl).host,
-        weight: 1,
-      })
-      .execute()
+    mockResolvers(entryway.idResolver, pds)
     pdsAgent = pds.getAgent()
     entrywayAgent = new AtpAgent({
-      service: entryway.ctx.cfg.service.publicUrl,
+      service: entryway.url,
     })
   })
 
@@ -110,9 +97,7 @@ describe('entryway', () => {
     const doc = await pds.ctx.idResolver.did.resolve(alice)
     const handleToDid = await pds.ctx.idResolver.handle.resolve('alice2.test')
     const accountFromPds = await pds.ctx.accountManager.getAccount(alice)
-    const accountFromEntryway = await entryway.ctx.services
-      .account(entryway.ctx.db)
-      .getAccount(alice)
+    const accountFromEntryway = entryway.getAccount(alice)
     expect(doc?.alsoKnownAs).toEqual(['at://alice2.test'])
     expect(handleToDid).toEqual(alice)
     expect(accountFromPds?.handle).toEqual('alice2.test')
@@ -128,13 +113,10 @@ describe('entryway', () => {
         'com.atproto.identity.updateHandle',
       ),
     )
-    const doc = await entryway.ctx.idResolver.did.resolve(alice)
-    const handleToDid =
-      await entryway.ctx.idResolver.handle.resolve('alice3.test')
+    const doc = await entryway.idResolver.did.resolve(alice)
+    const handleToDid = await entryway.idResolver.handle.resolve('alice3.test')
     const accountFromPds = await pds.ctx.accountManager.getAccount(alice)
-    const accountFromEntryway = await entryway.ctx.services
-      .account(entryway.ctx.db)
-      .getAccount(alice)
+    const accountFromEntryway = entryway.getAccount(alice)
     expect(doc?.alsoKnownAs).toEqual(['at://alice3.test'])
     expect(handleToDid).toEqual(alice)
     expect(accountFromPds?.handle).toEqual('alice3.test')
@@ -148,7 +130,7 @@ describe('entryway', () => {
     const rotationKey = await Secp256k1Keypair.create()
     const plcCreate = await plcLib.createOp({
       signingKey,
-      rotationKeys: [rotationKey.did(), entryway.ctx.plcRotationKey.did()],
+      rotationKeys: [rotationKey.did(), entryway.plcRotationKey.did()],
       handle: 'weirdalice.test',
       pds: pds.ctx.cfg.service.publicUrl,
       signer: rotationKey,
@@ -161,67 +143,3 @@ describe('entryway', () => {
     await expect(tryCreateAccount).rejects.toThrow('invalid plc operation')
   })
 })
-
-const createEntryway = async (
-  config: pdsEntryway.ServerEnvironment & {
-    adminPassword: string
-    jwtSigningKeyK256PrivateKeyHex: string
-    plcRotationKeyK256PrivateKeyHex: string
-  },
-) => {
-  const signingKey = await Secp256k1Keypair.create({ exportable: true })
-  const recoveryKey = await Secp256k1Keypair.create({ exportable: true })
-  const env: pdsEntryway.ServerEnvironment = {
-    isEntryway: true,
-    recoveryDidKey: recoveryKey.did(),
-    serviceHandleDomains: ['.test'],
-    dbPostgresUrl: process.env.DB_POSTGRES_URL,
-    blobstoreDiskLocation: path.join(os.tmpdir(), randomStr(8, 'base32')),
-    bskyAppViewUrl: 'https://appview.invalid',
-    bskyAppViewDid: 'did:example:invalid',
-    bskyAppViewCdnUrlPattern: 'http://cdn.appview.com/%s/%s/%s',
-    jwtSecret: randomStr(8, 'base32'),
-    repoSigningKeyK256PrivateKeyHex: await getPrivateHex(signingKey),
-    modServiceUrl: 'https://mod.invalid',
-    modServiceDid: 'did:example:invalid',
-    ...config,
-  }
-  const cfg = pdsEntryway.envToCfg(env)
-  const secrets = pdsEntryway.envToSecrets(env)
-  const server = await pdsEntryway.PDS.create(cfg, secrets)
-  await server.ctx.db.migrateToLatestOrThrow()
-  await server.start()
-  // patch entryway access token verification to handle internal service auth pds -> entryway
-  const origValidateAccessToken =
-    server.ctx.authVerifier.validateAccessToken.bind(server.ctx.authVerifier)
-  server.ctx.authVerifier.validateAccessToken = async (req, scopes) => {
-    const jwt = req.headers.authorization?.replace('Bearer ', '') ?? ''
-    const claims = decodeJwt(jwt)
-    if (claims.aud === 'did:example:entryway') {
-      assert(claims.lxm === parseReqNsid(req), 'bad lxm claim in service auth')
-      assert(claims.aud, 'missing aud claim in service auth')
-      assert(claims.iss, 'missing iss claim in service auth')
-      return {
-        artifacts: jwt,
-        credentials: {
-          type: 'access',
-          scope: 'com.atproto.access' as any,
-          audience: claims.aud,
-          did: claims.iss,
-        },
-      }
-    }
-    return origValidateAccessToken(req, scopes)
-  }
-  // @TODO temp hack because entryway teardown calls signupActivator.run() by mistake
-  server.ctx.signupActivator.run = server.ctx.signupActivator.destroy
-  return server
-}
-
-const getPublicHex = (key: Secp256k1Keypair) => {
-  return key.publicKeyStr('hex')
-}
-
-const getPrivateHex = async (key: Secp256k1Keypair) => {
-  return ui8.toString(await key.export(), 'hex')
-}