@atproto/pds 0.4.226 → 0.5.1

package/src/api/com/atproto/server/confirmEmail.ts

@@ -1,44 +1,39 @@
-import { InvalidRequestError, Server } from '@atproto/xrpc-server'
+import { Server } from '@atproto/xrpc-server'
 import { AppContext } from '../../../../context.js'
 import { com } from '../../../../lexicons/index.js'
+import { requestEmailConfirmationAuth } from './requestEmailConfirmation.js'
 
 export default function (server: Server, ctx: AppContext) {
-  server.add(com.atproto.server.confirmEmail, {
-    auth: ctx.authVerifier.authorization({
-      checkTakedown: true,
-      authorize: (permissions) => {
-        permissions.assertAccount({ attr: 'email', action: 'manage' })
-      },
-    }),
-    handler: async ({ auth, input: { body }, req }) => {
-      const { did } = auth.credentials
+  const { entrywayClient } = ctx
 
-      const user = await ctx.accountManager.getAccount(did, {
-        includeDeactivated: true,
-      })
-      if (!user) {
-        throw new InvalidRequestError('user not found', 'AccountNotFound')
-      }
+  // @NOTE Ensure that both endpoints use the same authentication logic
+  const auth = requestEmailConfirmationAuth(ctx)
 
-      if (ctx.entrywayClient) {
+  if (entrywayClient) {
+    server.add(com.atproto.server.confirmEmail, {
+      auth,
+      handler: async ({ auth, input: { body }, req }) => {
         const { headers } = await ctx.entrywayAuthHeaders(
           req,
           auth.credentials.did,
           com.atproto.server.confirmEmail.$lxm,
         )
-        await ctx.entrywayClient.xrpc(com.atproto.server.confirmEmail, {
+        await entrywayClient.xrpc(com.atproto.server.confirmEmail, {
           headers,
           body,
         })
-        return
-      }
-
-      const { token, email } = body
-
-      if (user.email !== email.toLowerCase()) {
-        throw new InvalidRequestError('invalid email', 'InvalidEmail')
-      }
-      await ctx.accountManager.confirmEmail({ did, token })
-    },
-  })
+      },
+    })
+  } else {
+    server.add(com.atproto.server.confirmEmail, {
+      auth,
+      handler: async ({ auth, input: { body } }) => {
+        await ctx.accountManager.confirmEmail(
+          auth.credentials.did,
+          body.email,
+          body.token,
+        )
+      },
+    })
+  }
 }

package/src/api/com/atproto/server/getServiceAuth.ts

@@ -1,4 +1,5 @@
 import { HOUR, MINUTE } from '@atproto/common'
+import { isAtprotoDid, isAtprotoDidRefAbsolute } from '@atproto/did'
 import { l } from '@atproto/lex'
 import {
   InvalidRequestError,
@@ -34,6 +35,12 @@ export default function (server: Server, ctx: AppContext) {
       // @NOTE "exp" is expressed in seconds since epoch, not milliseconds
       const { aud, exp, lxm = null } = params
 
+      if (!isAtprotoDid(aud) && !isAtprotoDidRefAbsolute(aud)) {
+        throw new InvalidRequestError(
+          'aud must be a valid atproto DID or did#serviceId reference',
+        )
+      }
+
       // Takendown accounts should not be able to generate service auth tokens except for methods necessary for account migration
       if (auth.credentials.type === 'access') {
         // @NOTE We should probably use "ForbiddenError" here. Using

package/src/api/com/atproto/server/requestEmailConfirmation.ts

@@ -1,61 +1,68 @@
 import { DAY, HOUR } from '@atproto/common'
-import { InvalidRequestError, Server } from '@atproto/xrpc-server'
+import {
+  MethodAuthVerifier,
+  MethodRateLimit,
+  Server,
+} from '@atproto/xrpc-server'
+import { AccessOutput, OAuthOutput } from '../../../../auth-output.js'
 import { AppContext } from '../../../../context.js'
 import { com } from '../../../../lexicons/index.js'
 
+// Exposed as a utility to ensure auth in confirmEmail and requestEmailConfirmation
+export function requestEmailConfirmationAuth(
+  ctx: AppContext,
+): MethodAuthVerifier<AccessOutput | OAuthOutput> {
+  return ctx.authVerifier.authorization({
+    checkTakedown: true,
+    authorize: (permissions) => {
+      permissions.assertAccount({ attr: 'email', action: 'manage' })
+    },
+  })
+}
+
+const rateLimit: MethodRateLimit<AccessOutput | OAuthOutput> = [
+  {
+    durationMs: DAY,
+    points: 15,
+    calcKey: ({ auth }) => auth.credentials.did,
+  },
+  {
+    durationMs: HOUR,
+    points: 5,
+    calcKey: ({ auth }) => auth.credentials.did,
+  },
+]
+
 export default function (server: Server, ctx: AppContext) {
-  server.add(com.atproto.server.requestEmailConfirmation, {
-    rateLimit: [
-      {
-        durationMs: DAY,
-        points: 15,
-        calcKey: ({ auth }) => auth.credentials.did,
-      },
-      {
-        durationMs: HOUR,
-        points: 5,
-        calcKey: ({ auth }) => auth.credentials.did,
-      },
-    ],
-    auth: ctx.authVerifier.authorization({
-      checkTakedown: true,
-      authorize: (permissions) => {
-        permissions.assertAccount({ attr: 'email', action: 'manage' })
-      },
-    }),
-    handler: async ({ auth, req }) => {
-      const did = auth.credentials.did
-      const account = await ctx.accountManager.getAccount(did, {
-        includeDeactivated: true,
-        includeTakenDown: true,
-      })
-      if (!account) {
-        throw new InvalidRequestError('account not found')
-      }
+  const { entrywayClient } = ctx
 
-      if (ctx.entrywayClient) {
+  const auth = requestEmailConfirmationAuth(ctx)
+
+  if (entrywayClient) {
+    server.add(com.atproto.server.requestEmailConfirmation, {
+      auth,
+      rateLimit,
+      handler: async ({ auth, req }) => {
         const { headers } = await ctx.entrywayAuthHeaders(
           req,
           auth.credentials.did,
           com.atproto.server.requestEmailConfirmation.$lxm,
         )
 
-        await ctx.entrywayClient.xrpc(
-          com.atproto.server.requestEmailConfirmation,
-          { headers },
-        )
-
-        return
-      }
-
-      if (!account.email) {
-        throw new InvalidRequestError('account does not have an email address')
-      }
-      const token = await ctx.accountManager.createEmailToken(
-        did,
-        'confirm_email',
-      )
-      await ctx.mailer.sendConfirmEmail({ token }, { to: account.email })
-    },
-  })
+        await entrywayClient.xrpc(com.atproto.server.requestEmailConfirmation, {
+          headers,
+        })
+      },
+    })
+  } else {
+    server.add(com.atproto.server.requestEmailConfirmation, {
+      auth,
+      rateLimit,
+      handler: async ({ auth }) => {
+        const did = auth.credentials.did
+        const locale = undefined // @TODO get the locale somehow
+        await ctx.accountManager.requestEmailConfirmation(did, { locale })
+      },
+    })
+  }
 }

package/src/api/com/atproto/server/requestEmailUpdate.ts

@@ -1,70 +1,86 @@
 import { DAY, HOUR } from '@atproto/common'
-import { InvalidRequestError, Server } from '@atproto/xrpc-server'
+import {
+  ForbiddenError,
+  MethodAuthVerifier,
+  MethodRateLimit,
+  Server,
+} from '@atproto/xrpc-server'
+import { AccessOutput, OAuthOutput } from '../../../../auth-output.js'
+import { ACCESS_FULL } from '../../../../auth-scope.js'
 import { AppContext } from '../../../../context.js'
 import { com } from '../../../../lexicons/index.js'
 
+// Exposed as a utility to ensure auth in updateEmail and requestEmailUpdate
+// stay consistent.
+export function requestEmailUpdateAuth(
+  ctx: AppContext,
+): MethodAuthVerifier<AccessOutput | OAuthOutput> {
+  return ctx.authVerifier.authorization({
+    checkTakedown: true,
+    scopes: ACCESS_FULL,
+    authorize: () => {
+      throw new ForbiddenError(
+        'Use the account manager interface to update email address associated with an account',
+      )
+    },
+  })
+}
+
+const rateLimit: MethodRateLimit<AccessOutput | OAuthOutput> = [
+  {
+    durationMs: DAY,
+    points: 15,
+    calcKey: ({ auth }) => auth.credentials.did,
+  },
+  {
+    durationMs: HOUR,
+    points: 5,
+    calcKey: ({ auth }) => auth.credentials.did,
+  },
+]
+
 export default function (server: Server, ctx: AppContext) {
   const { entrywayClient } = ctx
 
-  server.add(com.atproto.server.requestEmailUpdate, {
-    rateLimit: [
-      {
-        durationMs: DAY,
-        points: 15,
-        calcKey: ({ auth }) => auth.credentials.did,
-      },
-      {
-        durationMs: HOUR,
-        points: 5,
-        calcKey: ({ auth }) => auth.credentials.did,
-      },
-    ],
-    auth: ctx.authVerifier.authorization({
-      checkTakedown: true,
-      authorize: (permissions) => {
-        permissions.assertAccount({ attr: 'email', action: 'manage' })
-      },
-    }),
-    handler: async ({ auth, req }) => {
-      const did = auth.credentials.did
-      const account = await ctx.accountManager.getAccount(did, {
-        includeDeactivated: true,
-        includeTakenDown: true,
-      })
-      if (!account) {
-        throw new InvalidRequestError('account not found')
-      }
+  const auth = requestEmailUpdateAuth(ctx)
 
-      if (entrywayClient) {
+  if (entrywayClient) {
+    server.add(com.atproto.server.requestEmailUpdate, {
+      rateLimit,
+      auth,
+      handler: async ({ auth, req }) => {
         const { headers } = await ctx.entrywayAuthHeaders(
           req,
           auth.credentials.did,
           com.atproto.server.requestEmailUpdate.$lxm,
         )
+
         return entrywayClient.xrpc(com.atproto.server.requestEmailUpdate, {
           headers,
         })
-      }
+      },
+    })
+  } else {
+    server.add(com.atproto.server.requestEmailUpdate, {
+      rateLimit,
+      auth,
+      handler: async ({ auth }) => {
+        const did = auth.credentials.did
 
-      if (!account.email) {
-        throw new InvalidRequestError('account does not have an email address')
-      }
+        // @TODO get the locale somehow (either by adding a field in the request
+        // body, or by using the `Accept-Language` header).
+        const locale = undefined
 
-      const tokenRequired = !!account.emailConfirmedAt
-      if (tokenRequired) {
-        const token = await ctx.accountManager.createEmailToken(
+        const { tokenRequired } = await ctx.accountManager.requestEmailUpdate(
           did,
-          'update_email',
+          { locale },
         )
-        await ctx.mailer.sendUpdateEmail({ token }, { to: account.email })
-      }
 
-      return {
-        encoding: 'application/json' as const,
-        body: {
-          tokenRequired,
-        },
-      }
-    },
-  })
+        return {
+          encoding: 'application/json' as const,
+          body: { tokenRequired },
+        }
+      },
+    })
+  }
 }

package/src/api/com/atproto/server/updateEmail.ts

@@ -1,82 +1,52 @@
-import { isEmailValid } from '@hapi/address'
-import { isDisposableEmail } from 'disposable-email-domains-js'
-import {
-  ForbiddenError,
-  InvalidRequestError,
-  Server,
-} from '@atproto/xrpc-server'
+import { InvalidRequestError, Server } from '@atproto/xrpc-server'
 import { UserAlreadyExistsError } from '../../../../account-manager/helpers/account.js'
-import { ACCESS_FULL } from '../../../../auth-scope.js'
 import { AppContext } from '../../../../context.js'
 import { com } from '../../../../lexicons/index.js'
+import { requestEmailUpdateAuth } from './requestEmailUpdate.js'
 
 export default function (server: Server, ctx: AppContext) {
-  server.add(com.atproto.server.updateEmail, {
-    auth: ctx.authVerifier.authorization({
-      checkTakedown: true,
-      scopes: ACCESS_FULL,
-      authorize: () => {
-        throw new ForbiddenError(
-          'OAuth credentials are not supported for this endpoint',
-        )
-      },
-    }),
-    handler: async ({ auth, input: { body }, req }) => {
-      const did = auth.credentials.did
-      const { token, email } = body
-      if (!isEmailValid(email) || isDisposableEmail(email)) {
-        throw new InvalidRequestError(
-          'This email address is not supported, please use a different email.',
-        )
-      }
-      const account = await ctx.accountManager.getAccount(did, {
-        includeDeactivated: true,
-      })
-      if (!account) {
-        throw new InvalidRequestError('account not found')
-      }
+  const { entrywayClient } = ctx
+
+  // @NOTE Ensure that both endpoints use the same authentication logic
+  const auth = requestEmailUpdateAuth(ctx)
 
-      if (ctx.entrywayClient) {
+  if (entrywayClient) {
+    server.add(com.atproto.server.updateEmail, {
+      auth,
+      handler: async ({ auth, input: { body }, req }) => {
         const { headers } = await ctx.entrywayAuthHeaders(
           req,
           auth.credentials.did,
           com.atproto.server.updateEmail.$lxm,
         )
 
-        await ctx.entrywayClient.xrpc(com.atproto.server.updateEmail, {
+        await entrywayClient.xrpc(com.atproto.server.updateEmail, {
           headers,
           body,
         })
+      },
+    })
+  } else {
+    server.add(com.atproto.server.updateEmail, {
+      auth,
+      handler: async ({ auth, input: { body } }) => {
+        const did = auth.credentials.did
+        const { token, email } = body
 
-        return
-      }
+        // @TODO get the locale somehow (either by adding a field in the request
+        // body, or by using the `Accept-Language` header).
+        const locale = undefined
 
-      // require valid token if account email is confirmed
-      if (account.emailConfirmedAt) {
-        if (!token) {
-          throw new InvalidRequestError(
-            'confirmation token required',
-            'TokenRequired',
-          )
-        }
-        await ctx.accountManager.assertValidEmailToken(
-          did,
-          'update_email',
-          token,
-        )
-      }
+        try {
+          await ctx.accountManager.updateEmail(did, email, token, { locale })
+        } catch (cause) {
+          if (cause instanceof UserAlreadyExistsError) {
+            throw new InvalidRequestError(cause.message, undefined, { cause })
+          }
 
-      try {
-        await ctx.accountManager.updateEmail({ did, email })
-      } catch (err) {
-        if (err instanceof UserAlreadyExistsError) {
-          throw new InvalidRequestError(
-            'This email address is already in use, please use a different email.',
-          )
-        } else {
-          throw err
+          throw cause
         }
-      }
-    },
-  })
+      },
+    })
+  }
 }

package/src/config/config.ts

@@ -1,10 +1,15 @@
 import assert from 'node:assert'
 import path from 'node:path'
 import { DAY, HOUR, SECOND } from '@atproto/common'
-import { BrandingInput, HcaptchaConfig } from '@atproto/oauth-provider'
+import {
+  BrandingInput as BrandingConfig,
+  HcaptchaConfig,
+} from '@atproto/oauth-provider'
 import { ensureValidDid } from '@atproto/syntax'
 import { ServerEnvironment } from './env.js'
 
+export type { BrandingConfig }
+
 // off-config but still from env:
 // logging: LOG_LEVEL, LOG_SYSTEMS, LOG_ENABLED, LOG_DESTINATION
 
@@ -152,6 +157,7 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
     emailCfg = {
       smtpUrl: env.emailSmtpUrl,
       fromAddress: env.emailFromAddress,
+      disableConfirmationLink: env.emailDisableConfirmationLink ?? false,
     }
   }
 
@@ -167,6 +173,7 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
     moderationEmailCfg = {
       smtpUrl: env.moderationEmailSmtpUrl,
       fromAddress: env.moderationEmailAddress,
+      disableConfirmationLink: false,
     }
   }
 
@@ -254,6 +261,62 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
     preferCompressed: env.proxyPreferCompressed ?? false,
   }
 
+  const brandingCfg = {
+    name: env.serviceName ?? `${hostname} PDS`,
+    logo: env.logoUrl,
+    colors: {
+      light: env.lightColor,
+      dark: env.darkColor,
+
+      contrastSaturation: env.contrastSaturation,
+
+      primary: env.primaryColor,
+      primaryContrast: env.primaryColorContrast,
+      primaryHue: env.primaryColorHue,
+
+      error: env.errorColor,
+      errorContrast: env.errorColorContrast,
+      errorHue: env.errorColorHue,
+
+      warning: env.warningColor,
+      warningContrast: env.warningColorContrast,
+      warningHue: env.warningColorHue,
+
+      info: env.infoColor,
+      infoContrast: env.infoColorContrast,
+      infoHue: env.infoColorHue,
+
+      success: env.successColor,
+      successContrast: env.successColorContrast,
+      successHue: env.successColorHue,
+    },
+    links: [
+      {
+        title: { en: 'Home', fr: 'Accueil' },
+        href: env.homeUrl,
+        rel: 'canonical' as const, // Prevents login page from being indexed
+      },
+      {
+        title: { en: 'Terms of Service' },
+        href: env.termsOfServiceUrl,
+        rel: 'terms-of-service' as const,
+      },
+      {
+        title: { en: 'Privacy Policy' },
+        href: env.privacyPolicyUrl,
+        rel: 'privacy-policy' as const,
+      },
+      {
+        title: { en: 'Support' },
+        href: env.supportUrl,
+        rel: 'help' as const,
+      },
+    ].filter(
+      <T extends { href?: string }>(f: T): f is T & { href: string } =>
+        f.href != null && f.href !== '',
+    ),
+  }
+
   const oauthCfg: ServerConfig['oauth'] = entrywayCfg
     ? {
         issuer: entrywayCfg.url,
@@ -272,61 +335,7 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
                   tokenSalt: env.hcaptchaTokenSalt,
                 }
               : undefined,
-          branding: {
-            name: env.serviceName ?? `${hostname} PDS`,
-            logo: env.logoUrl,
-            colors: {
-              light: env.lightColor,
-              dark: env.darkColor,
-
-              contrastSaturation: env.contrastSaturation,
-
-              primary: env.primaryColor,
-              primaryContrast: env.primaryColorContrast,
-              primaryHue: env.primaryColorHue,
-
-              error: env.errorColor,
-              errorContrast: env.errorColorContrast,
-              errorHue: env.errorColorHue,
-
-              warning: env.warningColor,
-              warningContrast: env.warningColorContrast,
-              warningHue: env.warningColorHue,
-
-              info: env.infoColor,
-              infoContrast: env.infoColorContrast,
-              infoHue: env.infoColorHue,
-
-              success: env.successColor,
-              successContrast: env.successColorContrast,
-              successHue: env.successColorHue,
-            },
-            links: [
-              {
-                title: { en: 'Home', fr: 'Accueil' },
-                href: env.homeUrl,
-                rel: 'canonical' as const, // Prevents login page from being indexed
-              },
-              {
-                title: { en: 'Terms of Service' },
-                href: env.termsOfServiceUrl,
-                rel: 'terms-of-service' as const,
-              },
-              {
-                title: { en: 'Privacy Policy' },
-                href: env.privacyPolicyUrl,
-                rel: 'privacy-policy' as const,
-              },
-              {
-                title: { en: 'Support' },
-                href: env.supportUrl,
-                rel: 'help' as const,
-              },
-            ].filter(
-              <T extends { href?: string }>(f: T): f is T & { href: string } =>
-                f.href != null && f.href !== '',
-            ),
-          },
+          branding: brandingCfg,
           trustedClients: env.trustedOAuthClients,
         },
       }
@@ -358,6 +367,7 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
     fetch: fetchCfg,
     lexicon: lexiconCfg,
     proxy: proxyCfg,
+    branding: brandingCfg,
     oauth: oauthCfg,
   }
 }
@@ -381,6 +391,7 @@ export type ServerConfig = {
   crawlers: string[]
   fetch: FetchConfig
   proxy: ProxyConfig
+  branding: BrandingConfig
   oauth: OAuthConfig
   lexicon: LexiconResolverConfig
 }
@@ -477,7 +488,7 @@ export type OAuthConfig = {
   issuer: string
   provider?: {
     hcaptcha?: HcaptchaConfig
-    branding: BrandingInput
+    branding: BrandingConfig
     trustedClients?: string[]
   }
 }
@@ -499,6 +510,7 @@ export type InvitesConfig =
 export type EmailConfig = {
   smtpUrl: string
   fromAddress: string
+  disableConfirmationLink: boolean
 }
 
 export type SubscriptionConfig = {

package/src/config/env.ts

@@ -97,6 +97,9 @@ export function readEnv() {
     // email
     emailSmtpUrl: envStr('PDS_EMAIL_SMTP_URL'),
     emailFromAddress: envStr('PDS_EMAIL_FROM_ADDRESS'),
+    emailDisableConfirmationLink: envBool(
+      'PDS_EMAIL_DISABLE_CONFIRMATION_LINK',
+    ),
     moderationEmailSmtpUrl: envStr('PDS_MODERATION_EMAIL_SMTP_URL'),
     moderationEmailAddress: envStr('PDS_MODERATION_EMAIL_ADDRESS'),
 

package/src/context.ts

@@ -156,7 +156,7 @@ export class AppContext {
         ? nodemailer.createTransport(cfg.email.smtpUrl)
         : nodemailer.createTransport({ jsonTransport: true })
 
-    const mailer = new ServerMailer(mailTransport, cfg)
+    const mailer = new ServerMailer(mailTransport, cfg.email, cfg.branding)
 
     const modMailTransport =
       cfg.moderationEmail !== null
@@ -270,6 +270,7 @@ export class AppContext {
     const accountManager = new AccountManager(
       idResolver,
       jwtSecretKey,
+      mailer,
       cfg.service.did,
       cfg.identity.serviceHandleDomains,
       cfg.db,