@atproto/pds 0.4.24 → 0.4.26

package/dist/lexicon/types/com/atproto/server/createAppPassword.d.ts

@@ -9,6 +9,8 @@ export interface QueryParams {
 export interface InputSchema {
     /** A short name for the App Password, to help distinguish them. */
     name: string;
+    /** If an app password has 'privileged' access to possibly sensitive account state. Meant for use with trusted clients. */
+    privileged?: boolean;
     [k: string]: unknown;
 }
 export type OutputSchema = AppPassword;
@@ -41,6 +43,7 @@ export interface AppPassword {
     name: string;
     password: string;
     createdAt: string;
+    privileged?: boolean;
     [k: string]: unknown;
 }
 export declare function isAppPassword(v: unknown): v is AppPassword;

package/dist/lexicon/types/com/atproto/server/createAppPassword.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"createAppPassword.d.ts","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/createAppPassword.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,gBAAgB,EAAW,MAAM,kBAAkB,CAAA;AAI5D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAEtE,MAAM,WAAW,WAAW;CAAG;AAE/B,MAAM,WAAW,WAAW;IAC1B,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAA;IACZ,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,CAAA;AAEtC,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,WAAW,CAAA;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,YAAY,CAAA;IAClB,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,iBAAiB,CAAA;CAC1B;AAED,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,cAAc,GAAG,kBAAkB,CAAA;AAC9E,MAAM,MAAM,aAAa,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI;IAC1D,IAAI,EAAE,EAAE,CAAA;IACR,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,YAAY,CAAA;IACnB,GAAG,EAAE,OAAO,CAAC,OAAO,CAAA;IACpB,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAA;CACtB,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI,CACpD,GAAG,EAAE,aAAa,CAAC,EAAE,CAAC,KACnB,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CAAA;AAE3C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAM1D;AAED,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAKhE"}
+{"version":3,"file":"createAppPassword.d.ts","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/createAppPassword.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,gBAAgB,EAAW,MAAM,kBAAkB,CAAA;AAI5D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAEtE,MAAM,WAAW,WAAW;CAAG;AAE/B,MAAM,WAAW,WAAW;IAC1B,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAA;IACZ,0HAA0H;IAC1H,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,CAAA;AAEtC,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,WAAW,CAAA;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,YAAY,CAAA;IAClB,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,iBAAiB,CAAA;CAC1B;AAED,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,cAAc,GAAG,kBAAkB,CAAA;AAC9E,MAAM,MAAM,aAAa,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI;IAC1D,IAAI,EAAE,EAAE,CAAA;IACR,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,YAAY,CAAA;IACnB,GAAG,EAAE,OAAO,CAAC,OAAO,CAAA;IACpB,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAA;CACtB,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI,CACpD,GAAG,EAAE,aAAa,CAAC,EAAE,CAAC,KACnB,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CAAA;AAE3C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAM1D;AAED,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAKhE"}

package/dist/lexicon/types/com/atproto/server/createAppPassword.js.map

@@ -1 +1 @@
-{"version":3,"file":"createAppPassword.js","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/createAppPassword.ts"],"names":[],"mappings":";;;AAKA,mDAA+C;AAC/C,2CAAiD;AAkDjD,SAAgB,aAAa,CAAC,CAAU;IACtC,OAAO,CACL,IAAA,YAAK,EAAC,CAAC,CAAC;QACR,IAAA,cAAO,EAAC,CAAC,EAAE,OAAO,CAAC;QACnB,CAAC,CAAC,KAAK,KAAK,kDAAkD,CAC/D,CAAA;AACH,CAAC;AAND,sCAMC;AAED,SAAgB,mBAAmB,CAAC,CAAU;IAC5C,OAAO,mBAAQ,CAAC,QAAQ,CACtB,kDAAkD,EAClD,CAAC,CACF,CAAA;AACH,CAAC;AALD,kDAKC"}
+{"version":3,"file":"createAppPassword.js","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/createAppPassword.ts"],"names":[],"mappings":";;;AAKA,mDAA+C;AAC/C,2CAAiD;AAqDjD,SAAgB,aAAa,CAAC,CAAU;IACtC,OAAO,CACL,IAAA,YAAK,EAAC,CAAC,CAAC;QACR,IAAA,cAAO,EAAC,CAAC,EAAE,OAAO,CAAC;QACnB,CAAC,CAAC,KAAK,KAAK,kDAAkD,CAC/D,CAAA;AACH,CAAC;AAND,sCAMC;AAED,SAAgB,mBAAmB,CAAC,CAAU;IAC5C,OAAO,mBAAQ,CAAC,QAAQ,CACtB,kDAAkD,EAClD,CAAC,CACF,CAAA;AACH,CAAC;AALD,kDAKC"}

package/dist/lexicon/types/com/atproto/server/listAppPasswords.d.ts

@@ -36,6 +36,7 @@ export type Handler<HA extends HandlerAuth = never> = (ctx: HandlerReqCtx<HA>) =
 export interface AppPassword {
     name: string;
     createdAt: string;
+    privileged?: boolean;
     [k: string]: unknown;
 }
 export declare function isAppPassword(v: unknown): v is AppPassword;

package/dist/lexicon/types/com/atproto/server/listAppPasswords.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,gBAAgB,EAAW,MAAM,kBAAkB,CAAA;AAI5D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAEtE,MAAM,WAAW,WAAW;CAAG;AAE/B,MAAM,MAAM,WAAW,GAAG,SAAS,CAAA;AAEnC,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,WAAW,EAAE,CAAA;IACxB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,MAAM,MAAM,YAAY,GAAG,SAAS,CAAA;AAEpC,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,YAAY,CAAA;IAClB,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,iBAAiB,CAAA;CAC1B;AAED,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,cAAc,GAAG,kBAAkB,CAAA;AAC9E,MAAM,MAAM,aAAa,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI;IAC1D,IAAI,EAAE,EAAE,CAAA;IACR,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,YAAY,CAAA;IACnB,GAAG,EAAE,OAAO,CAAC,OAAO,CAAA;IACpB,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAA;CACtB,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI,CACpD,GAAG,EAAE,aAAa,CAAC,EAAE,CAAC,KACnB,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CAAA;AAE3C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAM1D;AAED,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAEhE"}
+{"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,gBAAgB,EAAW,MAAM,kBAAkB,CAAA;AAI5D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAEtE,MAAM,WAAW,WAAW;CAAG;AAE/B,MAAM,MAAM,WAAW,GAAG,SAAS,CAAA;AAEnC,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,WAAW,EAAE,CAAA;IACxB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,MAAM,MAAM,YAAY,GAAG,SAAS,CAAA;AAEpC,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,YAAY,CAAA;IAClB,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,iBAAiB,CAAA;CAC1B;AAED,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,cAAc,GAAG,kBAAkB,CAAA;AAC9E,MAAM,MAAM,aAAa,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI;IAC1D,IAAI,EAAE,EAAE,CAAA;IACR,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,YAAY,CAAA;IACnB,GAAG,EAAE,OAAO,CAAC,OAAO,CAAA;IACpB,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAA;CACtB,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI,CACpD,GAAG,EAAE,aAAa,CAAC,EAAE,CAAC,KACnB,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CAAA;AAE3C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAM1D;AAED,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAEhE"}

package/dist/lexicon/types/com/atproto/server/listAppPasswords.js.map

@@ -1 +1 @@
-{"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":";;;AAKA,mDAA+C;AAC/C,2CAAiD;AA6CjD,SAAgB,aAAa,CAAC,CAAU;IACtC,OAAO,CACL,IAAA,YAAK,EAAC,CAAC,CAAC;QACR,IAAA,cAAO,EAAC,CAAC,EAAE,OAAO,CAAC;QACnB,CAAC,CAAC,KAAK,KAAK,iDAAiD,CAC9D,CAAA;AACH,CAAC;AAND,sCAMC;AAED,SAAgB,mBAAmB,CAAC,CAAU;IAC5C,OAAO,mBAAQ,CAAC,QAAQ,CAAC,iDAAiD,EAAE,CAAC,CAAC,CAAA;AAChF,CAAC;AAFD,kDAEC"}
+{"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":";;;AAKA,mDAA+C;AAC/C,2CAAiD;AA8CjD,SAAgB,aAAa,CAAC,CAAU;IACtC,OAAO,CACL,IAAA,YAAK,EAAC,CAAC,CAAC;QACR,IAAA,cAAO,EAAC,CAAC,EAAE,OAAO,CAAC;QACnB,CAAC,CAAC,KAAK,KAAK,iDAAiD,CAC9D,CAAA;AACH,CAAC;AAND,sCAMC;AAED,SAAgB,mBAAmB,CAAC,CAAU;IAC5C,OAAO,mBAAQ,CAAC,QAAQ,CAAC,iDAAiD,EAAE,CAAC,CAAC,CAAA;AAChF,CAAC;AAFD,kDAEC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/pds",
-  "version": "0.4.24",
+  "version": "0.4.26",
   "license": "MIT",
   "description": "Reference implementation of atproto Personal Data Server (PDS)",
   "keywords": [
@@ -43,12 +43,12 @@
     "typed-emitter": "^2.1.0",
     "uint8arrays": "3.0.0",
     "zod": "^3.21.4",
-    "@atproto/api": "^0.12.12",
     "@atproto/aws": "^0.2.0",
     "@atproto/common": "^0.4.0",
+    "@atproto/api": "^0.12.12",
     "@atproto/crypto": "^0.4.0",
-    "@atproto/identity": "^0.4.0",
     "@atproto/lexicon": "^0.4.0",
+    "@atproto/identity": "^0.4.0",
     "@atproto/repo": "^0.4.0",
     "@atproto/syntax": "^0.3.0",
     "@atproto/xrpc": "^0.5.0",

package/src/account-manager/db/migrations/003-privileged-app-passwords.ts

@@ -0,0 +1,12 @@
+import { Kysely } from 'kysely'
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  await db.schema
+    .alterTable('app_password')
+    .addColumn('privileged', 'integer', (col) => col.notNull().defaultTo(0))
+    .execute()
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.alterTable('app_password').dropColumn('privileged').execute()
+}

package/src/account-manager/db/migrations/index.ts

@@ -1,7 +1,9 @@
 import * as mig001 from './001-init'
 import * as mig002 from './002-account-deactivation'
+import * as mig003 from './003-privileged-app-passwords'
 
 export default {
   '001': mig001,
   '002': mig002,
+  '003': mig003,
 }

package/src/account-manager/db/schema/app-password.ts

@@ -3,6 +3,7 @@ export interface AppPassword {
   name: string
   passwordScrypt: string
   createdAt: string
+  privileged: 0 | 1
 }
 
 export const tableName = 'app_password'

package/src/account-manager/helpers/auth.ts

@@ -5,6 +5,7 @@ import * as ui8 from 'uint8arrays'
 import * as crypto from '@atproto/crypto'
 import { AuthScope } from '../../auth-verifier'
 import { AccountDb } from '../db'
+import { AppPassDescript } from './password'
 
 export type AuthToken = {
   scope: AuthScope
@@ -87,7 +88,7 @@ export const decodeRefreshToken = (jwt: string) => {
 export const storeRefreshToken = async (
   db: AccountDb,
   payload: RefreshToken,
-  appPasswordName: string | null,
+  appPassword: AppPassDescript | null,
 ) => {
   const [result] = await db.executeWithRetry(
     db.db
@@ -95,7 +96,7 @@ export const storeRefreshToken = async (
       .values({
         id: payload.jti,
         did: payload.sub,
-        appPasswordName,
+        appPasswordName: appPassword?.name,
         expiresAt: new Date(payload.exp * 1000).toISOString(),
       })
       .onConflict((oc) => oc.doNothing()), // E.g. when re-granting during a refresh grace period
@@ -104,11 +105,31 @@ export const storeRefreshToken = async (
 }
 
 export const getRefreshToken = async (db: AccountDb, id: string) => {
-  return db.db
+  const res = await db.db
     .selectFrom('refresh_token')
+    .leftJoin(
+      'app_password',
+      'app_password.name',
+      'refresh_token.appPasswordName',
+    )
     .where('id', '=', id)
-    .selectAll()
+    .selectAll('refresh_token')
+    .select('app_password.privileged')
     .executeTakeFirst()
+  if (!res) return null
+  const { did, expiresAt, appPasswordName, nextId, privileged } = res
+  return {
+    id,
+    did,
+    expiresAt,
+    nextId,
+    appPassword: appPasswordName
+      ? {
+          name: appPasswordName,
+          privileged: privileged === 1 ? true : false,
+        }
+      : null,
+  }
 }
 
 export const deleteExpiredRefreshTokens = async (
@@ -181,4 +202,11 @@ export const getRefreshTokenId = () => {
   return ui8.toString(crypto.randomBytes(32), 'base64')
 }
 
+export const formatScope = (appPassword: AppPassDescript | null): AuthScope => {
+  if (!appPassword) return AuthScope.Access
+  return appPassword.privileged
+    ? AuthScope.AppPassPrivileged
+    : AuthScope.AppPass
+}
+
 export class ConcurrentRefreshError extends Error {}

package/src/account-manager/helpers/password.ts

@@ -4,6 +4,11 @@ import * as scrypt from './scrypt'
 import { AccountDb } from '../db'
 import { AppPassword } from '../../lexicon/types/com/atproto/server/createAppPassword'
 
+export type AppPassDescript = {
+  name: string
+  privileged: boolean
+}
+
 export const verifyAccountPassword = async (
   db: AccountDb,
   did: string,
@@ -21,7 +26,7 @@ export const verifyAppPassword = async (
   db: AccountDb,
   did: string,
   password: string,
-): Promise<string | null> => {
+): Promise<AppPassDescript | null> => {
   const passwordScrypt = await scrypt.hashAppPassword(did, password)
   const found = await db.db
     .selectFrom('app_password')
@@ -29,7 +34,11 @@ export const verifyAppPassword = async (
     .where('did', '=', did)
     .where('passwordScrypt', '=', passwordScrypt)
     .executeTakeFirst()
-  return found?.name ?? null
+  if (!found) return null
+  return {
+    name: found.name,
+    privileged: found.privileged === 1 ? true : false,
+  }
 }
 
 export const updateUserPassword = async (
@@ -51,6 +60,7 @@ export const createAppPassword = async (
   db: AccountDb,
   did: string,
   name: string,
+  privileged: boolean,
 ): Promise<AppPassword> => {
   // create an app password with format:
   // 1234-abcd-5678-efgh
@@ -71,6 +81,7 @@ export const createAppPassword = async (
         name,
         passwordScrypt,
         createdAt: new Date().toISOString(),
+        privileged: privileged ? 1 : 0,
       })
       .returningAll(),
   )
@@ -81,18 +92,25 @@ export const createAppPassword = async (
     name,
     password,
     createdAt: got.createdAt,
+    privileged,
   }
 }
 
 export const listAppPasswords = async (
   db: AccountDb,
   did: string,
-): Promise<{ name: string; createdAt: string }[]> => {
-  return db.db
+): Promise<{ name: string; createdAt: string; privileged: boolean }[]> => {
+  const res = await db.db
     .selectFrom('app_password')
-    .select(['name', 'createdAt'])
+    .select(['name', 'createdAt', 'privileged'])
     .where('did', '=', did)
+    .orderBy('createdAt', 'desc')
     .execute()
+  return res.map((row) => ({
+    name: row.name,
+    createdAt: row.createdAt,
+    privileged: row.privileged === 1 ? true : false,
+  }))
 }
 
 export const deleteAppPassword = async (

package/src/account-manager/index.ts

@@ -162,15 +162,18 @@ export class AccountManager {
   // Auth
   // ----------
 
-  async createSession(did: string, appPasswordName: string | null) {
+  async createSession(
+    did: string,
+    appPassword: password.AppPassDescript | null,
+  ) {
     const { accessJwt, refreshJwt } = await auth.createTokens({
       did,
       jwtKey: this.jwtKey,
       serviceDid: this.serviceDid,
-      scope: appPasswordName === null ? AuthScope.Access : AuthScope.AppPass,
+      scope: auth.formatScope(appPassword),
     })
     const refreshPayload = auth.decodeRefreshToken(refreshJwt)
-    await auth.storeRefreshToken(this.db, refreshPayload, appPasswordName)
+    await auth.storeRefreshToken(this.db, refreshPayload, appPassword)
     return { accessJwt, refreshJwt }
   }
 
@@ -205,8 +208,7 @@ export class AccountManager {
       did: token.did,
       jwtKey: this.jwtKey,
       serviceDid: this.serviceDid,
-      scope:
-        token.appPasswordName === null ? AuthScope.Access : AuthScope.AppPass,
+      scope: auth.formatScope(token.appPassword),
       jti: nextId,
     })
 
@@ -219,7 +221,7 @@ export class AccountManager {
             expiresAt: expiresAt.toISOString(),
             nextId,
           }),
-          auth.storeRefreshToken(dbTxn, refreshPayload, token.appPasswordName),
+          auth.storeRefreshToken(dbTxn, refreshPayload, token.appPassword),
         ]),
       )
     } catch (err) {
@@ -238,8 +240,8 @@ export class AccountManager {
   // Passwords
   // ----------
 
-  async createAppPassword(did: string, name: string) {
-    return password.createAppPassword(this.db, did, name)
+  async createAppPassword(did: string, name: string, privileged: boolean) {
+    return password.createAppPassword(this.db, did, name, privileged)
   }
 
   async listAppPasswords(did: string) {
@@ -256,7 +258,7 @@ export class AccountManager {
   async verifyAppPassword(
     did: string,
     passwordStr: string,
-  ): Promise<string | null> {
+  ): Promise<password.AppPassDescript | null> {
     return password.verifyAppPassword(this.db, did, passwordStr)
   }
 

package/src/api/chat/index.ts

@@ -4,85 +4,85 @@ import { pipethrough, pipethroughProcedure } from '../../pipethrough'
 
 export default function (server: Server, ctx: AppContext) {
   server.chat.bsky.actor.deleteAccount({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: async ({ req, auth }) => {
       return pipethroughProcedure(ctx, req, auth.credentials.did)
     },
   })
   server.chat.bsky.actor.exportAccountData({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth }) => {
       return pipethrough(ctx, req, auth.credentials.did)
     },
   })
   server.chat.bsky.convo.deleteMessageForSelf({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth, input }) => {
       return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
     },
   })
   server.chat.bsky.convo.getConvo({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth }) => {
       return pipethrough(ctx, req, auth.credentials.did)
     },
   })
   server.chat.bsky.convo.getConvoForMembers({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth }) => {
       return pipethrough(ctx, req, auth.credentials.did)
     },
   })
   server.chat.bsky.convo.getLog({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth }) => {
       return pipethrough(ctx, req, auth.credentials.did)
     },
   })
   server.chat.bsky.convo.getMessages({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth }) => {
       return pipethrough(ctx, req, auth.credentials.did)
     },
   })
   server.chat.bsky.convo.leaveConvo({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth, input }) => {
       return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
     },
   })
   server.chat.bsky.convo.listConvos({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth }) => {
       return pipethrough(ctx, req, auth.credentials.did)
     },
   })
   server.chat.bsky.convo.muteConvo({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth, input }) => {
       return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
     },
   })
   server.chat.bsky.convo.sendMessage({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth, input }) => {
       return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
     },
   })
   server.chat.bsky.convo.sendMessageBatch({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth, input }) => {
       return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
     },
   })
   server.chat.bsky.convo.unmuteConvo({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth, input }) => {
       return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
     },
   })
   server.chat.bsky.convo.updateRead({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: ({ req, auth, input }) => {
       return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
     },

package/src/api/com/atproto/identity/requestPlcOperationSignature.ts

@@ -5,7 +5,7 @@ import { authPassthru } from '../../../proxy'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.identity.requestPlcOperationSignature({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessFull,
     handler: async ({ auth, req }) => {
       if (ctx.entrywayAgent) {
         await ctx.entrywayAgent.com.atproto.identity.requestPlcOperationSignature(

package/src/api/com/atproto/identity/signPlcOperation.ts

@@ -7,7 +7,7 @@ import { authPassthru, resultPassthru } from '../../../proxy'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.identity.signPlcOperation({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessFull,
     handler: async ({ auth, input, req }) => {
       if (ctx.entrywayAgent) {
         return resultPassthru(

package/src/api/com/atproto/repo/importRepo.ts

@@ -17,7 +17,7 @@ import { BlobRef, LexValue, RepoRecord } from '@atproto/lexicon'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.repo.importRepo({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessFull,
     handler: async ({ input, auth }) => {
       const did = auth.credentials.did
       if (!ctx.cfg.service.acceptingImports) {

package/src/api/com/atproto/server/activateAccount.ts

@@ -7,7 +7,7 @@ import { assertValidDidDocumentForService } from './util'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.activateAccount({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessFull,
     handler: async ({ auth }) => {
       const requester = auth.credentials.did
 

package/src/api/com/atproto/server/createAppPassword.ts

@@ -4,7 +4,7 @@ import { authPassthru, resultPassthru } from '../../../proxy'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.createAppPassword({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessFull,
     handler: async ({ auth, input, req }) => {
       if (ctx.entrywayAgent) {
         return resultPassthru(
@@ -19,7 +19,9 @@ export default function (server: Server, ctx: AppContext) {
       const appPassword = await ctx.accountManager.createAppPassword(
         auth.credentials.did,
         name,
+        input.body.privileged ?? false,
       )
+
       return {
         encoding: 'application/json',
         body: appPassword,

package/src/api/com/atproto/server/createSession.ts

@@ -6,6 +6,7 @@ import { softDeleted } from '../../../../db/util'
 import { Server } from '../../../../lexicon'
 import { didDocForSession } from './util'
 import { authPassthru, resultPassthru } from '../../../proxy'
+import { AppPassDescript } from '../../../../account-manager/helpers/password'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.createSession({
@@ -48,17 +49,17 @@ export default function (server: Server, ctx: AppContext) {
         throw new AuthRequiredError('Invalid identifier or password')
       }
 
-      let appPasswordName: string | null = null
+      let appPassword: AppPassDescript | null = null
       const validAccountPass = await ctx.accountManager.verifyAccountPassword(
         user.did,
         password,
       )
       if (!validAccountPass) {
-        appPasswordName = await ctx.accountManager.verifyAppPassword(
+        appPassword = await ctx.accountManager.verifyAppPassword(
           user.did,
           password,
         )
-        if (appPasswordName === null) {
+        if (appPassword === null) {
           throw new AuthRequiredError('Invalid identifier or password')
         }
       }
@@ -71,7 +72,7 @@ export default function (server: Server, ctx: AppContext) {
       }
 
       const [{ accessJwt, refreshJwt }, didDoc] = await Promise.all([
-        ctx.accountManager.createSession(user.did, appPasswordName),
+        ctx.accountManager.createSession(user.did, appPassword),
         didDocForSession(ctx, user.did),
       ])
 

package/src/api/com/atproto/server/deactivateAccount.ts

@@ -3,7 +3,7 @@ import AppContext from '../../../../context'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.deactivateAccount({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessFull,
     handler: async ({ auth, input }) => {
       const requester = auth.credentials.did
       await ctx.accountManager.deactivateAccount(

package/src/api/com/atproto/server/getAccountInviteCodes.ts

@@ -7,7 +7,7 @@ import { authPassthru, resultPassthru } from '../../../proxy'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.getAccountInviteCodes({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessFull,
     handler: async ({ params, auth, req }) => {
       if (ctx.entrywayAgent) {
         return resultPassthru(

package/src/api/com/atproto/server/getServiceAuth.ts

@@ -4,7 +4,7 @@ import { Server } from '../../../../lexicon'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.getServiceAuth({
-    auth: ctx.authVerifier.access,
+    auth: ctx.authVerifier.accessAppPassPrivileged,
     handler: async ({ params, auth }) => {
       const did = auth.credentials.did
       const keypair = await ctx.actorStore.keypair(did)

package/src/api/com/atproto/server/updateEmail.ts

@@ -7,7 +7,7 @@ import { UserAlreadyExistsError } from '../../../../account-manager/helpers/acco
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.updateEmail({
-    auth: ctx.authVerifier.accessNotAppPassword,
+    auth: ctx.authVerifier.accessFull,
     handler: async ({ auth, input, req }) => {
       const did = auth.credentials.did
       const { token, email } = input.body

package/src/auth-verifier.ts

@@ -23,6 +23,7 @@ export enum AuthScope {
   Access = 'com.atproto.access',
   Refresh = 'com.atproto.refresh',
   AppPass = 'com.atproto.appPass',
+  AppPassPrivileged = 'com.atproto.appPassPrivileged',
   Deactivated = 'com.atproto.deactivated',
 }
 
@@ -117,6 +118,7 @@ export class AuthVerifier {
   access = (ctx: ReqCtx): Promise<AccessOutput> => {
     return this.validateAccessToken(ctx.req, [
       AuthScope.Access,
+      AuthScope.AppPassPrivileged,
       AuthScope.AppPass,
     ])
   }
@@ -124,6 +126,7 @@ export class AuthVerifier {
   accessCheckTakedown = async (ctx: ReqCtx): Promise<AccessOutput> => {
     const result = await this.validateAccessToken(ctx.req, [
       AuthScope.Access,
+      AuthScope.AppPassPrivileged,
       AuthScope.AppPass,
     ])
     const found = await this.accountManager.getAccount(result.credentials.did, {
@@ -142,14 +145,22 @@ export class AuthVerifier {
     return result
   }
 
-  accessNotAppPassword = (ctx: ReqCtx): Promise<AccessOutput> => {
+  accessFull = (ctx: ReqCtx): Promise<AccessOutput> => {
     return this.validateAccessToken(ctx.req, [AuthScope.Access])
   }
 
+  accessAppPassPrivileged = (ctx: ReqCtx): Promise<AccessOutput> => {
+    return this.validateAccessToken(ctx.req, [
+      AuthScope.Access,
+      AuthScope.AppPassPrivileged,
+    ])
+  }
+
   accessDeactived = (ctx: ReqCtx): Promise<AccessOutput> => {
     return this.validateAccessToken(ctx.req, [
       AuthScope.Access,
       AuthScope.AppPass,
+      AuthScope.AppPassPrivileged,
       AuthScope.Deactivated,
     ])
   }

package/src/lexicon/lexicons.ts

@@ -2052,6 +2052,11 @@ export const schemaDict = {
                 description:
                   'A short name for the App Password, to help distinguish them.',
               },
+              privileged: {
+                type: 'boolean',
+                description:
+                  "If an app password has 'privileged' access to possibly sensitive account state. Meant for use with trusted clients.",
+              },
             },
           },
         },
@@ -2082,6 +2087,9 @@ export const schemaDict = {
             type: 'string',
             format: 'datetime',
           },
+          privileged: {
+            type: 'boolean',
+          },
         },
       },
     },
@@ -2629,6 +2637,9 @@ export const schemaDict = {
             type: 'string',
             format: 'datetime',
           },
+          privileged: {
+            type: 'boolean',
+          },
         },
       },
     },