@atproto/pds 0.4.25 → 0.4.26
- package/CHANGELOG.md +6 -0
- package/dist/account-manager/db/migrations/003-privileged-app-passwords.d.ts +4 -0
- package/dist/account-manager/db/migrations/003-privileged-app-passwords.d.ts.map +1 -0
- package/dist/account-manager/db/migrations/003-privileged-app-passwords.js +15 -0
- package/dist/account-manager/db/migrations/003-privileged-app-passwords.js.map +1 -0
- package/dist/account-manager/db/migrations/index.d.ts +2 -0
- package/dist/account-manager/db/migrations/index.d.ts.map +1 -1
- package/dist/account-manager/db/migrations/index.js +2 -0
- package/dist/account-manager/db/migrations/index.js.map +1 -1
- package/dist/account-manager/db/schema/app-password.d.ts +1 -0
- package/dist/account-manager/db/schema/app-password.d.ts.map +1 -1
- package/dist/account-manager/db/schema/app-password.js.map +1 -1
- package/dist/account-manager/helpers/auth.d.ts +9 -4
- package/dist/account-manager/helpers/auth.d.ts.map +1 -1
- package/dist/account-manager/helpers/auth.js +30 -5
- package/dist/account-manager/helpers/auth.js.map +1 -1
- package/dist/account-manager/helpers/password.d.ts +7 -2
- package/dist/account-manager/helpers/password.d.ts.map +1 -1
- package/dist/account-manager/helpers/password.js +17 -4
- package/dist/account-manager/helpers/password.js.map +1 -1
- package/dist/account-manager/index.d.ts +5 -3
- package/dist/account-manager/index.d.ts.map +1 -1
- package/dist/account-manager/index.js +7 -7
- package/dist/account-manager/index.js.map +1 -1
- package/dist/api/chat/index.js +14 -14
- package/dist/api/chat/index.js.map +1 -1
- package/dist/api/com/atproto/identity/requestPlcOperationSignature.js +1 -1
- package/dist/api/com/atproto/identity/requestPlcOperationSignature.js.map +1 -1
- package/dist/api/com/atproto/identity/signPlcOperation.js +1 -1
- package/dist/api/com/atproto/identity/signPlcOperation.js.map +1 -1
- package/dist/api/com/atproto/repo/importRepo.js +1 -1
- package/dist/api/com/atproto/repo/importRepo.js.map +1 -1
- package/dist/api/com/atproto/server/activateAccount.js +1 -1
- package/dist/api/com/atproto/server/activateAccount.js.map +1 -1
- package/dist/api/com/atproto/server/createAppPassword.d.ts.map +1 -1
- package/dist/api/com/atproto/server/createAppPassword.js +2 -2
- package/dist/api/com/atproto/server/createAppPassword.js.map +1 -1
- package/dist/api/com/atproto/server/createSession.d.ts.map +1 -1
- package/dist/api/com/atproto/server/createSession.js +4 -4
- package/dist/api/com/atproto/server/createSession.js.map +1 -1
- package/dist/api/com/atproto/server/deactivateAccount.js +1 -1
- package/dist/api/com/atproto/server/deactivateAccount.js.map +1 -1
- package/dist/api/com/atproto/server/getAccountInviteCodes.js +1 -1
- package/dist/api/com/atproto/server/getAccountInviteCodes.js.map +1 -1
- package/dist/api/com/atproto/server/getServiceAuth.js +1 -1
- package/dist/api/com/atproto/server/getServiceAuth.js.map +1 -1
- package/dist/api/com/atproto/server/updateEmail.js +1 -1
- package/dist/api/com/atproto/server/updateEmail.js.map +1 -1
- package/dist/auth-verifier.d.ts +3 -1
- package/dist/auth-verifier.d.ts.map +1 -1
- package/dist/auth-verifier.js +16 -1
- package/dist/auth-verifier.js.map +1 -1
- package/dist/lexicon/lexicons.d.ts +10 -0
- package/dist/lexicon/lexicons.d.ts.map +1 -1
- package/dist/lexicon/lexicons.js +10 -0
- package/dist/lexicon/lexicons.js.map +1 -1
- package/dist/lexicon/types/com/atproto/server/createAppPassword.d.ts +3 -0
- package/dist/lexicon/types/com/atproto/server/createAppPassword.d.ts.map +1 -1
- package/dist/lexicon/types/com/atproto/server/createAppPassword.js.map +1 -1
- package/dist/lexicon/types/com/atproto/server/listAppPasswords.d.ts +1 -0
- package/dist/lexicon/types/com/atproto/server/listAppPasswords.d.ts.map +1 -1
- package/dist/lexicon/types/com/atproto/server/listAppPasswords.js.map +1 -1
- package/package.json +3 -3
- package/src/account-manager/db/migrations/003-privileged-app-passwords.ts +12 -0
- package/src/account-manager/db/migrations/index.ts +2 -0
- package/src/account-manager/db/schema/app-password.ts +1 -0
- package/src/account-manager/helpers/auth.ts +32 -4
- package/src/account-manager/helpers/password.ts +23 -5
- package/src/account-manager/index.ts +11 -9
- package/src/api/chat/index.ts +14 -14
- package/src/api/com/atproto/identity/requestPlcOperationSignature.ts +1 -1
- package/src/api/com/atproto/identity/signPlcOperation.ts +1 -1
- package/src/api/com/atproto/repo/importRepo.ts +1 -1
- package/src/api/com/atproto/server/activateAccount.ts +1 -1
- package/src/api/com/atproto/server/createAppPassword.ts +3 -1
- package/src/api/com/atproto/server/createSession.ts +5 -4
- package/src/api/com/atproto/server/deactivateAccount.ts +1 -1
- package/src/api/com/atproto/server/getAccountInviteCodes.ts +1 -1
- package/src/api/com/atproto/server/getServiceAuth.ts +1 -1
- package/src/api/com/atproto/server/updateEmail.ts +1 -1
- package/src/auth-verifier.ts +12 -1
- package/src/lexicon/lexicons.ts +11 -0
- package/src/lexicon/types/com/atproto/server/createAppPassword.ts +3 -0
- package/src/lexicon/types/com/atproto/server/listAppPasswords.ts +1 -0
- package/tests/app-passwords.test.ts +108 -7
@@ -9,6 +9,8 @@ export interface QueryParams {
|
|
9
9
|
export interface InputSchema {
|
10
10
|
/** A short name for the App Password, to help distinguish them. */
|
11
11
|
name: string;
|
12
|
+
/** If an app password has 'privileged' access to possibly sensitive account state. Meant for use with trusted clients. */
|
13
|
+
privileged?: boolean;
|
12
14
|
[k: string]: unknown;
|
13
15
|
}
|
14
16
|
export type OutputSchema = AppPassword;
|
@@ -41,6 +43,7 @@ export interface AppPassword {
|
|
41
43
|
name: string;
|
42
44
|
password: string;
|
43
45
|
createdAt: string;
|
46
|
+
privileged?: boolean;
|
44
47
|
[k: string]: unknown;
|
45
48
|
}
|
46
49
|
export declare function isAppPassword(v: unknown): v is AppPassword;
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"createAppPassword.d.ts","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/createAppPassword.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,gBAAgB,EAAW,MAAM,kBAAkB,CAAA;AAI5D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAEtE,MAAM,WAAW,WAAW;CAAG;AAE/B,MAAM,WAAW,WAAW;IAC1B,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAA;IACZ,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,CAAA;AAEtC,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,WAAW,CAAA;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,YAAY,CAAA;IAClB,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,iBAAiB,CAAA;CAC1B;AAED,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,cAAc,GAAG,kBAAkB,CAAA;AAC9E,MAAM,MAAM,aAAa,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI;IAC1D,IAAI,EAAE,EAAE,CAAA;IACR,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,YAAY,CAAA;IACnB,GAAG,EAAE,OAAO,CAAC,OAAO,CAAA;IACpB,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAA;CACtB,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI,CACpD,GAAG,EAAE,aAAa,CAAC,EAAE,CAAC,KACnB,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CAAA;AAE3C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAM1D;AAED,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAKhE"}
|
1
|
+
{"version":3,"file":"createAppPassword.d.ts","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/createAppPassword.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,gBAAgB,EAAW,MAAM,kBAAkB,CAAA;AAI5D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAEtE,MAAM,WAAW,WAAW;CAAG;AAE/B,MAAM,WAAW,WAAW;IAC1B,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAA;IACZ,0HAA0H;IAC1H,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,CAAA;AAEtC,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,WAAW,CAAA;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,YAAY,CAAA;IAClB,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,iBAAiB,CAAA;CAC1B;AAED,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,cAAc,GAAG,kBAAkB,CAAA;AAC9E,MAAM,MAAM,aAAa,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI;IAC1D,IAAI,EAAE,EAAE,CAAA;IACR,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,YAAY,CAAA;IACnB,GAAG,EAAE,OAAO,CAAC,OAAO,CAAA;IACpB,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAA;CACtB,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI,CACpD,GAAG,EAAE,aAAa,CAAC,EAAE,CAAC,KACnB,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CAAA;AAE3C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAM1D;AAED,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAKhE"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"createAppPassword.js","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/createAppPassword.ts"],"names":[],"mappings":";;;AAKA,mDAA+C;AAC/C,2CAAiD;
|
1
|
+
{"version":3,"file":"createAppPassword.js","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/createAppPassword.ts"],"names":[],"mappings":";;;AAKA,mDAA+C;AAC/C,2CAAiD;AAqDjD,SAAgB,aAAa,CAAC,CAAU;IACtC,OAAO,CACL,IAAA,YAAK,EAAC,CAAC,CAAC;QACR,IAAA,cAAO,EAAC,CAAC,EAAE,OAAO,CAAC;QACnB,CAAC,CAAC,KAAK,KAAK,kDAAkD,CAC/D,CAAA;AACH,CAAC;AAND,sCAMC;AAED,SAAgB,mBAAmB,CAAC,CAAU;IAC5C,OAAO,mBAAQ,CAAC,QAAQ,CACtB,kDAAkD,EAClD,CAAC,CACF,CAAA;AACH,CAAC;AALD,kDAKC"}
|
@@ -36,6 +36,7 @@ export type Handler<HA extends HandlerAuth = never> = (ctx: HandlerReqCtx<HA>) =
|
|
36
36
|
export interface AppPassword {
|
37
37
|
name: string;
|
38
38
|
createdAt: string;
|
39
|
+
privileged?: boolean;
|
39
40
|
[k: string]: unknown;
|
40
41
|
}
|
41
42
|
export declare function isAppPassword(v: unknown): v is AppPassword;
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,gBAAgB,EAAW,MAAM,kBAAkB,CAAA;AAI5D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAEtE,MAAM,WAAW,WAAW;CAAG;AAE/B,MAAM,MAAM,WAAW,GAAG,SAAS,CAAA;AAEnC,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,WAAW,EAAE,CAAA;IACxB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,MAAM,MAAM,YAAY,GAAG,SAAS,CAAA;AAEpC,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,YAAY,CAAA;IAClB,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,iBAAiB,CAAA;CAC1B;AAED,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,cAAc,GAAG,kBAAkB,CAAA;AAC9E,MAAM,MAAM,aAAa,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI;IAC1D,IAAI,EAAE,EAAE,CAAA;IACR,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,YAAY,CAAA;IACnB,GAAG,EAAE,OAAO,CAAC,OAAO,CAAA;IACpB,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAA;CACtB,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI,CACpD,GAAG,EAAE,aAAa,CAAC,EAAE,CAAC,KACnB,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CAAA;AAE3C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAM1D;AAED,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAEhE"}
|
1
|
+
{"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,gBAAgB,EAAW,MAAM,kBAAkB,CAAA;AAI5D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAEtE,MAAM,WAAW,WAAW;CAAG;AAE/B,MAAM,MAAM,WAAW,GAAG,SAAS,CAAA;AAEnC,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,WAAW,EAAE,CAAA;IACxB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,MAAM,MAAM,YAAY,GAAG,SAAS,CAAA;AAEpC,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,kBAAkB,CAAA;IAC5B,IAAI,EAAE,YAAY,CAAA;IAClB,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,iBAAiB,CAAA;CAC1B;AAED,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,cAAc,GAAG,kBAAkB,CAAA;AAC9E,MAAM,MAAM,aAAa,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI;IAC1D,IAAI,EAAE,EAAE,CAAA;IACR,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,YAAY,CAAA;IACnB,GAAG,EAAE,OAAO,CAAC,OAAO,CAAA;IACpB,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAA;CACtB,CAAA;AACD,MAAM,MAAM,OAAO,CAAC,EAAE,SAAS,WAAW,GAAG,KAAK,IAAI,CACpD,GAAG,EAAE,aAAa,CAAC,EAAE,CAAC,KACnB,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CAAA;AAE3C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;CACrB;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAM1D;AAED,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAEhE"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":";;;AAKA,mDAA+C;AAC/C,2CAAiD;
|
1
|
+
{"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../../src/lexicon/types/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":";;;AAKA,mDAA+C;AAC/C,2CAAiD;AA8CjD,SAAgB,aAAa,CAAC,CAAU;IACtC,OAAO,CACL,IAAA,YAAK,EAAC,CAAC,CAAC;QACR,IAAA,cAAO,EAAC,CAAC,EAAE,OAAO,CAAC;QACnB,CAAC,CAAC,KAAK,KAAK,iDAAiD,CAC9D,CAAA;AACH,CAAC;AAND,sCAMC;AAED,SAAgB,mBAAmB,CAAC,CAAU;IAC5C,OAAO,mBAAQ,CAAC,QAAQ,CAAC,iDAAiD,EAAE,CAAC,CAAC,CAAA;AAChF,CAAC;AAFD,kDAEC"}
|
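--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@atproto/pds",
-"version": "0.4.
+"version": "0.4.26",
 "license": "MIT",
 "description": "Reference implementation of atproto Personal Data Server (PDS)",
 "keywords": [
@@ -43,12 +43,12 @@
 "typed-emitter": "^2.1.0",
 "uint8arrays": "3.0.0",
 "zod": "^3.21.4",
-"@atproto/api": "^0.12.12",
 "@atproto/aws": "^0.2.0",
 "@atproto/common": "^0.4.0",
+"@atproto/api": "^0.12.12",
 "@atproto/crypto": "^0.4.0",
-"@atproto/identity": "^0.4.0",
 "@atproto/lexicon": "^0.4.0",
+"@atproto/identity": "^0.4.0",
 "@atproto/repo": "^0.4.0",
 "@atproto/syntax": "^0.3.0",
 "@atproto/xrpc": "^0.5.0",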
@@ -0,0 +1,12 @@
|
|
1
|
+
import { Kysely } from 'kysely'
|
2
|
+
|
3
|
+
export async function up(db: Kysely<unknown>): Promise<void> {
|
4
|
+
await db.schema
|
5
|
+
.alterTable('app_password')
|
6
|
+
.addColumn('privileged', 'integer', (col) => col.notNull().defaultTo(0))
|
7
|
+
.execute()
|
8
|
+
}
|
9
|
+
|
10
|
+
export async function down(db: Kysely<unknown>): Promise<void> {
|
11
|
+
await db.schema.alterTable('app_password').dropColumn('privileged').execute()
|
12
|
+
}
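Review bot: The `defaultTo(0)` on the new `privileged` column is what keeps every pre-existing app password non-privileged once this migration runs, and nothing in the file records that intent. A one-line comment above `.addColumn` would preserve it for the next schema change, e.g. `// default 0: app passwords that predate this column stay non-privileged; the flag is set at creation (createAppPassword) and nowhere else on this page`. The `down` migration drops the column, so privilege granted after the upgrade is discarded on rollback, which is fail-closed and worth a word as well.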
|
@@ -5,6 +5,7 @@ import * as ui8 from 'uint8arrays'
|
|
5
5
|
import * as crypto from '@atproto/crypto'
|
6
6
|
import { AuthScope } from '../../auth-verifier'
|
7
7
|
import { AccountDb } from '../db'
|
8
|
+
import { AppPassDescript } from './password'
|
8
9
|
|
9
10
|
export type AuthToken = {
|
10
11
|
scope: AuthScope
|
@@ -87,7 +88,7 @@ export const decodeRefreshToken = (jwt: string) => {
|
|
87
88
|
export const storeRefreshToken = async (
|
88
89
|
db: AccountDb,
|
89
90
|
payload: RefreshToken,
|
90
|
-
|
91
|
+
appPassword: AppPassDescript | null,
|
91
92
|
) => {
|
92
93
|
const [result] = await db.executeWithRetry(
|
93
94
|
db.db
|
@@ -95,7 +96,7 @@ export const storeRefreshToken = async (
|
|
95
96
|
.values({
|
96
97
|
id: payload.jti,
|
97
98
|
did: payload.sub,
|
98
|
-
appPasswordName,
|
99
|
+
appPasswordName: appPassword?.name,
|
99
100
|
expiresAt: new Date(payload.exp * 1000).toISOString(),
|
100
101
|
})
|
101
102
|
.onConflict((oc) => oc.doNothing()), // E.g. when re-granting during a refresh grace period
|
@@ -104,11 +105,31 @@ export const storeRefreshToken = async (
|
|
104
105
|
}
|
105
106
|
|
106
107
|
export const getRefreshToken = async (db: AccountDb, id: string) => {
|
107
|
-
|
108
|
+
const res = await db.db
|
108
109
|
.selectFrom('refresh_token')
|
110
|
+
.leftJoin(
|
111
|
+
'app_password',
|
112
|
+
'app_password.name',
|
113
|
+
'refresh_token.appPasswordName',
|
114
|
+
)
|
109
115
|
.where('id', '=', id)
|
110
|
-
.selectAll()
|
116
|
+
.selectAll('refresh_token')
|
117
|
+
.select('app_password.privileged')
|
111
118
|
.executeTakeFirst()
|
119
|
+
if (!res) return null
|
120
|
+
const { did, expiresAt, appPasswordName, nextId, privileged } = res
|
121
|
+
return {
|
122
|
+
id,
|
123
|
+
did,
|
124
|
+
expiresAt,
|
125
|
+
nextId,
|
126
|
+
appPassword: appPasswordName
|
127
|
+
? {
|
128
|
+
name: appPasswordName,
|
129
|
+
privileged: privileged === 1 ? true : false,
|
130
|
+
}
|
131
|
+
: null,
|
132
|
+
}
|
112
133
|
}
|
113
134
|
|
114
135
|
export const deleteExpiredRefreshTokens = async (
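Review bot: The `leftJoin` in getRefreshToken matches `app_password` on `name` alone with no condition on `did`, so an app password of the same name on a different account also satisfies the join; `executeTakeFirst()` then returns whichever row comes first, and its `privileged` value is what `formatScope` turns into the refreshed token's scope. Unless `app_password.name` is globally unique — the schema is not on this page, and `verifyAppPassword` filtering on `did` and `passwordScrypt` together suggests names are per-account — a refresh could be issued with `AppPassPrivileged` scope taken from another account's flag, or with `AppPass` when the caller's own password is privileged. Scope the join to the token's account: `.leftJoin('app_password', (join) => join.onRef('app_password.did', '=', 'refresh_token.did').onRef('app_password.name', '=', 'refresh_token.appPasswordName'))`. A case in app-passwords.test.ts (listed in the diffstat but not shown here) with two accounts sharing an app-password name, only one privileged, would pin this.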
|
@@ -181,4 +202,11 @@ export const getRefreshTokenId = () => {
|
|
181
202
|
return ui8.toString(crypto.randomBytes(32), 'base64')
|
182
203
|
}
|
183
204
|
|
205
|
+
export const formatScope = (appPassword: AppPassDescript | null): AuthScope => {
|
206
|
+
if (!appPassword) return AuthScope.Access
|
207
|
+
return appPassword.privileged
|
208
|
+
? AuthScope.AppPassPrivileged
|
209
|
+
: AuthScope.AppPass
|
210
|
+
}
|
211
|
+
|
184
212
|
export class ConcurrentRefreshError extends Error {}
|
@@ -4,6 +4,11 @@ import * as scrypt from './scrypt'
|
|
4
4
|
import { AccountDb } from '../db'
|
5
5
|
import { AppPassword } from '../../lexicon/types/com/atproto/server/createAppPassword'
|
6
6
|
|
7
|
+
export type AppPassDescript = {
|
8
|
+
name: string
|
9
|
+
privileged: boolean
|
10
|
+
}
|
11
|
+
|
7
12
|
export const verifyAccountPassword = async (
|
8
13
|
db: AccountDb,
|
9
14
|
did: string,
|
@@ -21,7 +26,7 @@ export const verifyAppPassword = async (
|
|
21
26
|
db: AccountDb,
|
22
27
|
did: string,
|
23
28
|
password: string,
|
24
|
-
): Promise<
|
29
|
+
): Promise<AppPassDescript | null> => {
|
25
30
|
const passwordScrypt = await scrypt.hashAppPassword(did, password)
|
26
31
|
const found = await db.db
|
27
32
|
.selectFrom('app_password')
|
@@ -29,7 +34,11 @@ export const verifyAppPassword = async (
|
|
29
34
|
.where('did', '=', did)
|
30
35
|
.where('passwordScrypt', '=', passwordScrypt)
|
31
36
|
.executeTakeFirst()
|
32
|
-
|
37
|
+
if (!found) return null
|
38
|
+
return {
|
39
|
+
name: found.name,
|
40
|
+
privileged: found.privileged === 1 ? true : false,
|
41
|
+
}
|
33
42
|
}
|
34
43
|
|
35
44
|
export const updateUserPassword = async (
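Review bot: `privileged: found.privileged === 1 ? true : false` spells out a boolean the comparison already yields; `privileged: found.privileged === 1` reads the same, and the identical pattern recurs in `listAppPasswords` below and in `getRefreshToken` in auth.ts. Since this integer-to-boolean step is the only place the stored column value is interpreted, one helper next to `AppPassDescript`, e.g. `const isPrivileged = (v: number | null | undefined): boolean => v === 1`, would keep the three sites from drifting. `verifyAppPassword`'s signature is in the preceding hunk.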
|
@@ -51,6 +60,7 @@ export const createAppPassword = async (
|
|
51
60
|
db: AccountDb,
|
52
61
|
did: string,
|
53
62
|
name: string,
|
63
|
+
privileged: boolean,
|
54
64
|
): Promise<AppPassword> => {
|
55
65
|
// create an app password with format:
|
56
66
|
// 1234-abcd-5678-efgh
|
@@ -71,6 +81,7 @@ export const createAppPassword = async (
|
|
71
81
|
name,
|
72
82
|
passwordScrypt,
|
73
83
|
createdAt: new Date().toISOString(),
|
84
|
+
privileged: privileged ? 1 : 0,
|
74
85
|
})
|
75
86
|
.returningAll(),
|
76
87
|
)
|
@@ -81,18 +92,25 @@ export const createAppPassword = async (
|
|
81
92
|
name,
|
82
93
|
password,
|
83
94
|
createdAt: got.createdAt,
|
95
|
+
privileged,
|
84
96
|
}
|
85
97
|
}
|
86
98
|
|
87
99
|
export const listAppPasswords = async (
|
88
100
|
db: AccountDb,
|
89
101
|
did: string,
|
90
|
-
): Promise<{ name: string; createdAt: string }[]> => {
|
91
|
-
|
102
|
+
): Promise<{ name: string; createdAt: string; privileged: boolean }[]> => {
|
103
|
+
const res = await db.db
|
92
104
|
.selectFrom('app_password')
|
93
|
-
.select(['name', 'createdAt'])
|
105
|
+
.select(['name', 'createdAt', 'privileged'])
|
94
106
|
.where('did', '=', did)
|
107
|
+
.orderBy('createdAt', 'desc')
|
95
108
|
.execute()
|
109
|
+
return res.map((row) => ({
|
110
|
+
name: row.name,
|
111
|
+
createdAt: row.createdAt,
|
112
|
+
privileged: row.privileged === 1 ? true : false,
|
113
|
+
}))
|
96
114
|
}
|
97
115
|
|
98
116
|
export const deleteAppPassword = async (
|
@@ -162,15 +162,18 @@ export class AccountManager {
|
|
162
162
|
// Auth
|
163
163
|
// ----------
|
164
164
|
|
165
|
-
async createSession(
|
165
|
+
async createSession(
|
166
|
+
did: string,
|
167
|
+
appPassword: password.AppPassDescript | null,
|
168
|
+
) {
|
166
169
|
const { accessJwt, refreshJwt } = await auth.createTokens({
|
167
170
|
did,
|
168
171
|
jwtKey: this.jwtKey,
|
169
172
|
serviceDid: this.serviceDid,
|
170
|
-
scope:
|
173
|
+
scope: auth.formatScope(appPassword),
|
171
174
|
})
|
172
175
|
const refreshPayload = auth.decodeRefreshToken(refreshJwt)
|
173
|
-
await auth.storeRefreshToken(this.db, refreshPayload,
|
176
|
+
await auth.storeRefreshToken(this.db, refreshPayload, appPassword)
|
174
177
|
return { accessJwt, refreshJwt }
|
175
178
|
}
|
176
179
|
|
@@ -205,8 +208,7 @@ export class AccountManager {
|
|
205
208
|
did: token.did,
|
206
209
|
jwtKey: this.jwtKey,
|
207
210
|
serviceDid: this.serviceDid,
|
208
|
-
scope:
|
209
|
-
token.appPasswordName === null ? AuthScope.Access : AuthScope.AppPass,
|
211
|
+
scope: auth.formatScope(token.appPassword),
|
210
212
|
jti: nextId,
|
211
213
|
})
|
212
214
|
|
@@ -219,7 +221,7 @@ export class AccountManager {
|
|
219
221
|
expiresAt: expiresAt.toISOString(),
|
220
222
|
nextId,
|
221
223
|
}),
|
222
|
-
auth.storeRefreshToken(dbTxn, refreshPayload, token.
|
224
|
+
auth.storeRefreshToken(dbTxn, refreshPayload, token.appPassword),
|
223
225
|
]),
|
224
226
|
)
|
225
227
|
} catch (err) {
|
@@ -238,8 +240,8 @@ export class AccountManager {
|
|
238
240
|
// Passwords
|
239
241
|
// ----------
|
240
242
|
|
241
|
-
async createAppPassword(did: string, name: string) {
|
242
|
-
return password.createAppPassword(this.db, did, name)
|
243
|
+
async createAppPassword(did: string, name: string, privileged: boolean) {
|
244
|
+
return password.createAppPassword(this.db, did, name, privileged)
|
243
245
|
}
|
244
246
|
|
245
247
|
async listAppPasswords(did: string) {
|
@@ -256,7 +258,7 @@ export class AccountManager {
|
|
256
258
|
async verifyAppPassword(
|
257
259
|
did: string,
|
258
260
|
passwordStr: string,
|
259
|
-
): Promise<
|
261
|
+
): Promise<password.AppPassDescript | null> {
|
260
262
|
return password.verifyAppPassword(this.db, did, passwordStr)
|
261
263
|
}
|
262
264
|
|
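--- a/package/src/api/chat/index.ts
+++ b/package/src/api/chat/index.ts
@@ -4,85 +4,85 @@ import { pipethrough, pipethroughProcedure } from '../../pipethrough'
 
 export default function (server: Server, ctx: AppContext) {
 server.chat.bsky.actor.deleteAccount({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: async ({ req, auth }) => {
 return pipethroughProcedure(ctx, req, auth.credentials.did)
 },
 })
 server.chat.bsky.actor.exportAccountData({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth }) => {
 return pipethrough(ctx, req, auth.credentials.did)
 },
 })
 server.chat.bsky.convo.deleteMessageForSelf({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth, input }) => {
 return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
 },
 })
 server.chat.bsky.convo.getConvo({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth }) => {
 return pipethrough(ctx, req, auth.credentials.did)
 },
 })
 server.chat.bsky.convo.getConvoForMembers({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth }) => {
 return pipethrough(ctx, req, auth.credentials.did)
 },
 })
 server.chat.bsky.convo.getLog({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth }) => {
 return pipethrough(ctx, req, auth.credentials.did)
 },
 })
 server.chat.bsky.convo.getMessages({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth }) => {
 return pipethrough(ctx, req, auth.credentials.did)
 },
 })
 server.chat.bsky.convo.leaveConvo({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth, input }) => {
 return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
 },
 })
 server.chat.bsky.convo.listConvos({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth }) => {
 return pipethrough(ctx, req, auth.credentials.did)
 },
 })
 server.chat.bsky.convo.muteConvo({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth, input }) => {
 return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
 },
 })
 server.chat.bsky.convo.sendMessage({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth, input }) => {
 return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
 },
 })
 server.chat.bsky.convo.sendMessageBatch({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth, input }) => {
 return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
 },
 })
 server.chat.bsky.convo.unmuteConvo({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth, input }) => {
 return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
 },
 })
 server.chat.bsky.convo.updateRead({
-auth: ctx.authVerifier.
+auth: ctx.authVerifier.accessAppPassPrivileged,
 handler: ({ req, auth, input }) => {
 return pipethroughProcedure(ctx, req, auth.credentials.did, input.body)
 },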
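Review bot: All fourteen chat routes now carry `auth: ctx.authVerifier.accessAppPassPrivileged` with nothing saying why this proxy, unlike the general `access` verifier, turns plain app passwords away; a comment at the top of the function would carry the policy, e.g. `// chat (DM) data is sensitive account state: require a full session or a privileged app password`. Repeating the verifier per route also lets a future route pick up a weaker one unnoticed; hoisting it once, `const chatAuth = ctx.authVerifier.accessAppPassPrivileged`, and writing `auth: chatAuth,` in each route makes any deviation stand out in review. The function continues past the end of the hunk.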
@@ -5,7 +5,7 @@ import { authPassthru } from '../../../proxy'
|
|
5
5
|
|
6
6
|
export default function (server: Server, ctx: AppContext) {
|
7
7
|
server.com.atproto.identity.requestPlcOperationSignature({
|
8
|
-
auth: ctx.authVerifier.
|
8
|
+
auth: ctx.authVerifier.accessFull,
|
9
9
|
handler: async ({ auth, req }) => {
|
10
10
|
if (ctx.entrywayAgent) {
|
11
11
|
await ctx.entrywayAgent.com.atproto.identity.requestPlcOperationSignature(
|
@@ -7,7 +7,7 @@ import { authPassthru, resultPassthru } from '../../../proxy'
|
|
7
7
|
|
8
8
|
export default function (server: Server, ctx: AppContext) {
|
9
9
|
server.com.atproto.identity.signPlcOperation({
|
10
|
-
auth: ctx.authVerifier.
|
10
|
+
auth: ctx.authVerifier.accessFull,
|
11
11
|
handler: async ({ auth, input, req }) => {
|
12
12
|
if (ctx.entrywayAgent) {
|
13
13
|
return resultPassthru(
|
@@ -17,7 +17,7 @@ import { BlobRef, LexValue, RepoRecord } from '@atproto/lexicon'
|
|
17
17
|
|
18
18
|
export default function (server: Server, ctx: AppContext) {
|
19
19
|
server.com.atproto.repo.importRepo({
|
20
|
-
auth: ctx.authVerifier.
|
20
|
+
auth: ctx.authVerifier.accessFull,
|
21
21
|
handler: async ({ input, auth }) => {
|
22
22
|
const did = auth.credentials.did
|
23
23
|
if (!ctx.cfg.service.acceptingImports) {
|
@@ -7,7 +7,7 @@ import { assertValidDidDocumentForService } from './util'
|
|
7
7
|
|
8
8
|
export default function (server: Server, ctx: AppContext) {
|
9
9
|
server.com.atproto.server.activateAccount({
|
10
|
-
auth: ctx.authVerifier.
|
10
|
+
auth: ctx.authVerifier.accessFull,
|
11
11
|
handler: async ({ auth }) => {
|
12
12
|
const requester = auth.credentials.did
|
13
13
|
|
@@ -4,7 +4,7 @@ import { authPassthru, resultPassthru } from '../../../proxy'
|
|
4
4
|
|
5
5
|
export default function (server: Server, ctx: AppContext) {
|
6
6
|
server.com.atproto.server.createAppPassword({
|
7
|
-
auth: ctx.authVerifier.
|
7
|
+
auth: ctx.authVerifier.accessFull,
|
8
8
|
handler: async ({ auth, input, req }) => {
|
9
9
|
if (ctx.entrywayAgent) {
|
10
10
|
return resultPassthru(
|
@@ -19,7 +19,9 @@ export default function (server: Server, ctx: AppContext) {
|
|
19
19
|
const appPassword = await ctx.accountManager.createAppPassword(
|
20
20
|
auth.credentials.did,
|
21
21
|
name,
|
22
|
+
input.body.privileged ?? false,
|
22
23
|
)
|
24
|
+
|
23
25
|
return {
|
24
26
|
encoding: 'application/json',
|
25
27
|
body: appPassword,
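Review bot: `input.body.privileged ?? false` is forwarded as-is, so the `auth: ctx.authVerifier.accessFull` line in the first hunk of this file is the only thing preventing a session opened with an app password from minting a privileged app password (accessFull admits `AuthScope.Access` alone, per the auth-verifier hunks). That dependency deserves a comment on the `auth:` line, e.g. `// accessFull: only a primary-password session may create app passwords, privileged ones included`. The entryway passthrough branch at the top of the handler lies outside the hunk, so I can't see whether `privileged` reaches the entryway; presumably the whole input body is forwarded, but that is worth confirming.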
|
@@ -6,6 +6,7 @@ import { softDeleted } from '../../../../db/util'
|
|
6
6
|
import { Server } from '../../../../lexicon'
|
7
7
|
import { didDocForSession } from './util'
|
8
8
|
import { authPassthru, resultPassthru } from '../../../proxy'
|
9
|
+
import { AppPassDescript } from '../../../../account-manager/helpers/password'
|
9
10
|
|
10
11
|
export default function (server: Server, ctx: AppContext) {
|
11
12
|
server.com.atproto.server.createSession({
|
@@ -48,17 +49,17 @@ export default function (server: Server, ctx: AppContext) {
|
|
48
49
|
throw new AuthRequiredError('Invalid identifier or password')
|
49
50
|
}
|
50
51
|
|
51
|
-
let
|
52
|
+
let appPassword: AppPassDescript | null = null
|
52
53
|
const validAccountPass = await ctx.accountManager.verifyAccountPassword(
|
53
54
|
user.did,
|
54
55
|
password,
|
55
56
|
)
|
56
57
|
if (!validAccountPass) {
|
57
|
-
|
58
|
+
appPassword = await ctx.accountManager.verifyAppPassword(
|
58
59
|
user.did,
|
59
60
|
password,
|
60
61
|
)
|
61
|
-
if (
|
62
|
+
if (appPassword === null) {
|
62
63
|
throw new AuthRequiredError('Invalid identifier or password')
|
63
64
|
}
|
64
65
|
}
|
@@ -71,7 +72,7 @@ export default function (server: Server, ctx: AppContext) {
|
|
71
72
|
}
|
72
73
|
|
73
74
|
const [{ accessJwt, refreshJwt }, didDoc] = await Promise.all([
|
74
|
-
ctx.accountManager.createSession(user.did,
|
75
|
+
ctx.accountManager.createSession(user.did, appPassword),
|
75
76
|
didDocForSession(ctx, user.did),
|
76
77
|
])
|
77
78
|
|
@@ -3,7 +3,7 @@ import AppContext from '../../../../context'
|
|
3
3
|
|
4
4
|
export default function (server: Server, ctx: AppContext) {
|
5
5
|
server.com.atproto.server.deactivateAccount({
|
6
|
-
auth: ctx.authVerifier.
|
6
|
+
auth: ctx.authVerifier.accessFull,
|
7
7
|
handler: async ({ auth, input }) => {
|
8
8
|
const requester = auth.credentials.did
|
9
9
|
await ctx.accountManager.deactivateAccount(
|
@@ -7,7 +7,7 @@ import { authPassthru, resultPassthru } from '../../../proxy'
|
|
7
7
|
|
8
8
|
export default function (server: Server, ctx: AppContext) {
|
9
9
|
server.com.atproto.server.getAccountInviteCodes({
|
10
|
-
auth: ctx.authVerifier.
|
10
|
+
auth: ctx.authVerifier.accessFull,
|
11
11
|
handler: async ({ params, auth, req }) => {
|
12
12
|
if (ctx.entrywayAgent) {
|
13
13
|
return resultPassthru(
|
@@ -4,7 +4,7 @@ import { Server } from '../../../../lexicon'
|
|
4
4
|
|
5
5
|
export default function (server: Server, ctx: AppContext) {
|
6
6
|
server.com.atproto.server.getServiceAuth({
|
7
|
-
auth: ctx.authVerifier.
|
7
|
+
auth: ctx.authVerifier.accessAppPassPrivileged,
|
8
8
|
handler: async ({ params, auth }) => {
|
9
9
|
const did = auth.credentials.did
|
10
10
|
const keypair = await ctx.actorStore.keypair(did)
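Review bot: Switching getServiceAuth to `accessAppPassPrivileged` is a client-visible tightening: a session created with an existing, non-privileged app password can no longer obtain a service-auth token, while the `access` verifier elsewhere still admits `AppPass`. The reason belongs on the `auth:` line, e.g. `// a service-auth token lets its holder act as this account at other services: full session or privileged app password only`, and in the CHANGELOG entry, which the diffstat lists but this page does not show. The handler continues outside the hunk.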
|
@@ -7,7 +7,7 @@ import { UserAlreadyExistsError } from '../../../../account-manager/helpers/acco
|
|
7
7
|
|
8
8
|
export default function (server: Server, ctx: AppContext) {
|
9
9
|
server.com.atproto.server.updateEmail({
|
10
|
-
auth: ctx.authVerifier.
|
10
|
+
auth: ctx.authVerifier.accessFull,
|
11
11
|
handler: async ({ auth, input, req }) => {
|
12
12
|
const did = auth.credentials.did
|
13
13
|
const { token, email } = input.body
|
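--- a/package/src/auth-verifier.ts
+++ b/package/src/auth-verifier.ts
@@ -23,6 +23,7 @@ export enum AuthScope {
 Access = 'com.atproto.access',
 Refresh = 'com.atproto.refresh',
 AppPass = 'com.atproto.appPass',
+AppPassPrivileged = 'com.atproto.appPassPrivileged',
 Deactivated = 'com.atproto.deactivated',
 }
 
@@ -117,6 +118,7 @@ export class AuthVerifier {
 access = (ctx: ReqCtx): Promise<AccessOutput> => {
 return this.validateAccessToken(ctx.req, [
 AuthScope.Access,
+AuthScope.AppPassPrivileged,
 AuthScope.AppPass,
 ])
 }
@@ -124,6 +126,7 @@ export class AuthVerifier {
 accessCheckTakedown = async (ctx: ReqCtx): Promise<AccessOutput> => {
 const result = await this.validateAccessToken(ctx.req, [
 AuthScope.Access,
+AuthScope.AppPassPrivileged,
 AuthScope.AppPass,
 ])
 const found = await this.accountManager.getAccount(result.credentials.did, {
@@ -142,14 +145,22 @@ export class AuthVerifier {
 return result
 }
 
-
+accessFull = (ctx: ReqCtx): Promise<AccessOutput> => {
 return this.validateAccessToken(ctx.req, [AuthScope.Access])
 }
 
+accessAppPassPrivileged = (ctx: ReqCtx): Promise<AccessOutput> => {
+return this.validateAccessToken(ctx.req, [
+AuthScope.Access,
+AuthScope.AppPassPrivileged,
+])
+}
+
 accessDeactived = (ctx: ReqCtx): Promise<AccessOutput> => {
 return this.validateAccessToken(ctx.req, [
 AuthScope.Access,
 AuthScope.AppPass,
+AuthScope.AppPassPrivileged,
 AuthScope.Deactivated,
 ])
 }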
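Review bot: `AppPassPrivileged` joins the enum without a comment, and its position relative to the other scopes is only recoverable by reading every verifier: it is admitted wherever `AppPass` is (`access`, `accessCheckTakedown`, `accessDeactived`), additionally by `accessAppPassPrivileged`, and refused only by `accessFull`. A comment on the enum member, e.g. `// issued for sessions opened with an app password created privileged=true; reaches endpoints gated by accessAppPassPrivileged, never those gated by accessFull`, plus one on `accessAppPassPrivileged` stating that it admits a full session or a privileged app password but not a plain one, would make that ordering explicit where it is defined. Any verifier outside these hunks that still lists `AppPass` alone would now silently exclude privileged tokens; the rest of the class is not visible from here.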
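--- a/package/src/lexicon/lexicons.ts
+++ b/package/src/lexicon/lexicons.ts
@@ -2052,6 +2052,11 @@ export const schemaDict = {
 description:
 'A short name for the App Password, to help distinguish them.',
 },
+privileged: {
+type: 'boolean',
+description:
+"If an app password has 'privileged' access to possibly sensitive account state. Meant for use with trusted clients.",
+},
 },
 },
 },
@@ -2082,6 +2087,9 @@ export const schemaDict = {
 type: 'string',
 format: 'datetime',
 },
+privileged: {
+type: 'boolean',
+},
 },
 },
 },
@@ -2629,6 +2637,9 @@ export const schemaDict = {
 type: 'string',
 format: 'datetime',
 },
+privileged: {
+type: 'boolean',
+},
 },
 },
 },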