npm - @atproto/pds - Versions diffs - 0.4.33 → 0.4.35 - Mend

@atproto/pds 0.4.33 → 0.4.35

Files changed (227) hide show

package/CHANGELOG.md +17 -0
package/dist/account-manager/db/migrations/004-oauth.d.ts +4 -0
package/dist/account-manager/db/migrations/004-oauth.d.ts.map +1 -0
package/dist/account-manager/db/migrations/004-oauth.js +106 -0
package/dist/account-manager/db/migrations/004-oauth.js.map +1 -0
package/dist/account-manager/db/migrations/index.d.ts +2 -0
package/dist/account-manager/db/migrations/index.d.ts.map +1 -1
package/dist/account-manager/db/migrations/index.js +2 -0
package/dist/account-manager/db/migrations/index.js.map +1 -1
package/dist/account-manager/db/schema/authorization-request.d.ts +19 -0
package/dist/account-manager/db/schema/authorization-request.d.ts.map +1 -0
package/dist/account-manager/db/schema/authorization-request.js +5 -0
package/dist/account-manager/db/schema/authorization-request.js.map +1 -0
package/dist/account-manager/db/schema/device-account.d.ts +14 -0
package/dist/account-manager/db/schema/device-account.d.ts.map +1 -0
package/dist/account-manager/db/schema/device-account.js +5 -0
package/dist/account-manager/db/schema/device-account.js.map +1 -0
package/dist/account-manager/db/schema/device.d.ts +16 -0
package/dist/account-manager/db/schema/device.d.ts.map +1 -0
package/dist/account-manager/db/schema/device.js +5 -0
package/dist/account-manager/db/schema/device.js.map +1 -0
package/dist/account-manager/db/schema/index.d.ts +11 -1
package/dist/account-manager/db/schema/index.d.ts.map +1 -1
package/dist/account-manager/db/schema/token.d.ts +24 -0
package/dist/account-manager/db/schema/token.d.ts.map +1 -0
package/dist/account-manager/db/schema/token.js +5 -0
package/dist/account-manager/db/schema/token.js.map +1 -0
package/dist/account-manager/db/schema/used-refresh-token.d.ts +12 -0
package/dist/account-manager/db/schema/used-refresh-token.d.ts.map +1 -0
package/dist/account-manager/db/schema/used-refresh-token.js +5 -0
package/dist/account-manager/db/schema/used-refresh-token.js.map +1 -0
package/dist/account-manager/helpers/account.d.ts +27 -5
package/dist/account-manager/helpers/account.d.ts.map +1 -1
package/dist/account-manager/helpers/account.js +15 -14
package/dist/account-manager/helpers/account.js.map +1 -1
package/dist/account-manager/helpers/authorization-request.d.ts +12 -0
package/dist/account-manager/helpers/authorization-request.d.ts.map +1 -0
package/dist/account-manager/helpers/authorization-request.js +59 -0
package/dist/account-manager/helpers/authorization-request.js.map +1 -0
package/dist/account-manager/helpers/device-account.d.ts +108 -0
package/dist/account-manager/helpers/device-account.d.ts.map +1 -0
package/dist/account-manager/helpers/device-account.js +82 -0
package/dist/account-manager/helpers/device-account.js.map +1 -0
package/dist/account-manager/helpers/device.d.ts +9 -0
package/dist/account-manager/helpers/device.d.ts.map +1 -0
package/dist/account-manager/helpers/device.js +32 -0
package/dist/account-manager/helpers/device.js.map +1 -0
package/dist/account-manager/helpers/token.d.ts +485 -0
package/dist/account-manager/helpers/token.d.ts.map +1 -0
package/dist/account-manager/helpers/token.js +123 -0
package/dist/account-manager/helpers/token.js.map +1 -0
package/dist/account-manager/helpers/used-refresh-token.d.ts +10 -0
package/dist/account-manager/helpers/used-refresh-token.d.ts.map +1 -0
package/dist/account-manager/helpers/used-refresh-token.js +25 -0
package/dist/account-manager/helpers/used-refresh-token.js.map +1 -0
package/dist/account-manager/index.d.ts +36 -6
package/dist/account-manager/index.d.ts.map +1 -1
package/dist/account-manager/index.js +223 -22
package/dist/account-manager/index.js.map +1 -1
package/dist/actor-store/preference/reader.d.ts +2 -1
package/dist/actor-store/preference/reader.d.ts.map +1 -1
package/dist/actor-store/preference/reader.js +3 -1
package/dist/actor-store/preference/reader.js.map +1 -1
package/dist/actor-store/preference/transactor.d.ts +2 -1
package/dist/actor-store/preference/transactor.d.ts.map +1 -1
package/dist/actor-store/preference/transactor.js +7 -1
package/dist/actor-store/preference/transactor.js.map +1 -1
package/dist/actor-store/preference/util.d.ts +3 -0
package/dist/actor-store/preference/util.d.ts.map +1 -0
package/dist/actor-store/preference/util.js +12 -0
package/dist/actor-store/preference/util.js.map +1 -0
package/dist/actor-store/record/reader.d.ts +1 -1
package/dist/api/app/bsky/actor/getPreferences.d.ts.map +1 -1
package/dist/api/app/bsky/actor/getPreferences.js +1 -6
package/dist/api/app/bsky/actor/getPreferences.js.map +1 -1
package/dist/api/app/bsky/actor/putPreferences.d.ts.map +1 -1
package/dist/api/app/bsky/actor/putPreferences.js +1 -1
package/dist/api/app/bsky/actor/putPreferences.js.map +1 -1
package/dist/api/app/bsky/util/resolver.d.ts +1 -1
package/dist/api/com/atproto/server/createSession.d.ts.map +1 -1
package/dist/api/com/atproto/server/createSession.js +7 -31
package/dist/api/com/atproto/server/createSession.js.map +1 -1
package/dist/api/com/atproto/server/deleteSession.d.ts.map +1 -1
package/dist/api/com/atproto/server/deleteSession.js +14 -13
package/dist/api/com/atproto/server/deleteSession.js.map +1 -1
package/dist/api/com/atproto/server/getSession.d.ts.map +1 -1
package/dist/api/com/atproto/server/getSession.js +4 -2
package/dist/api/com/atproto/server/getSession.js.map +1 -1
package/dist/api/com/atproto/server/refreshSession.d.ts.map +1 -1
package/dist/api/com/atproto/server/refreshSession.js +4 -2
package/dist/api/com/atproto/server/refreshSession.js.map +1 -1
package/dist/api/com/atproto/sync/getRepoStatus.d.ts.map +1 -1
package/dist/api/com/atproto/sync/getRepoStatus.js +2 -1
package/dist/api/com/atproto/sync/getRepoStatus.js.map +1 -1
package/dist/api/com/atproto/sync/listRepos.js +2 -2
package/dist/api/com/atproto/sync/listRepos.js.map +1 -1
package/dist/api/proxy.d.ts.map +1 -1
package/dist/api/proxy.js +15 -2
package/dist/api/proxy.js.map +1 -1
package/dist/auth-routes.d.ts +4 -0
package/dist/auth-routes.d.ts.map +1 -0
package/dist/auth-routes.js +24 -0
package/dist/auth-routes.js.map +1 -0
package/dist/auth-verifier.d.ts +32 -11
package/dist/auth-verifier.d.ts.map +1 -1
package/dist/auth-verifier.js +238 -79
package/dist/auth-verifier.js.map +1 -1
package/dist/config/config.d.ts +12 -0
package/dist/config/config.d.ts.map +1 -1
package/dist/config/config.js +45 -0
package/dist/config/config.js.map +1 -1
package/dist/config/env.d.ts +8 -0
package/dist/config/env.d.ts.map +1 -1
package/dist/config/env.js +10 -0
package/dist/config/env.js.map +1 -1
package/dist/config/secrets.d.ts +1 -0
package/dist/config/secrets.d.ts.map +1 -1
package/dist/config/secrets.js +1 -0
package/dist/config/secrets.js.map +1 -1
package/dist/context.d.ts +6 -0
package/dist/context.d.ts.map +1 -1
package/dist/context.js +71 -13
package/dist/context.js.map +1 -1
package/dist/db/cast.d.ts +15 -0
package/dist/db/cast.d.ts.map +1 -0
package/dist/db/cast.js +66 -0
package/dist/db/cast.js.map +1 -0
package/dist/db/db.d.ts +2 -2
package/dist/db/db.d.ts.map +1 -1
package/dist/db/db.js +9 -7
package/dist/db/db.js.map +1 -1
package/dist/db/index.d.ts +1 -0
package/dist/db/index.d.ts.map +1 -1
package/dist/db/index.js +1 -0
package/dist/db/index.js.map +1 -1
package/dist/error.d.ts.map +1 -1
package/dist/error.js +5 -0
package/dist/error.js.map +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -0
package/dist/index.js.map +1 -1
package/dist/lexicon/index.d.ts +4 -0
package/dist/lexicon/index.d.ts.map +1 -1
package/dist/lexicon/index.js +8 -0
package/dist/lexicon/index.js.map +1 -1
package/dist/lexicon/lexicons.d.ts +51 -0
package/dist/lexicon/lexicons.d.ts.map +1 -1
package/dist/lexicon/lexicons.js +51 -0
package/dist/lexicon/lexicons.js.map +1 -1
package/dist/lexicon/types/app/bsky/feed/defs.d.ts +1 -0
package/dist/lexicon/types/app/bsky/feed/defs.d.ts.map +1 -1
package/dist/lexicon/types/app/bsky/feed/defs.js.map +1 -1
package/dist/lexicon/types/app/bsky/graph/muteThread.d.ts +29 -0
package/dist/lexicon/types/app/bsky/graph/muteThread.d.ts.map +1 -0
package/dist/lexicon/types/app/bsky/graph/muteThread.js +3 -0
package/dist/lexicon/types/app/bsky/graph/muteThread.js.map +1 -0
package/dist/lexicon/types/app/bsky/graph/unmuteThread.d.ts +29 -0
package/dist/lexicon/types/app/bsky/graph/unmuteThread.d.ts.map +1 -0
package/dist/lexicon/types/app/bsky/graph/unmuteThread.js +3 -0
package/dist/lexicon/types/app/bsky/graph/unmuteThread.js.map +1 -0
package/dist/logger.d.ts +13 -11
package/dist/logger.d.ts.map +1 -1
package/dist/logger.js +80 -64
package/dist/logger.js.map +1 -1
package/dist/oauth/detailed-account-store.d.ts +27 -0
package/dist/oauth/detailed-account-store.d.ts.map +1 -0
package/dist/oauth/detailed-account-store.js +76 -0
package/dist/oauth/detailed-account-store.js.map +1 -0
package/dist/oauth/provider.d.ts +16 -0
package/dist/oauth/provider.d.ts.map +1 -0
package/dist/oauth/provider.js +45 -0
package/dist/oauth/provider.js.map +1 -0
package/dist/pipethrough.d.ts.map +1 -1
package/dist/pipethrough.js.map +1 -1
package/dist/sequencer/events.d.ts +2 -2
package/example.env +21 -3
package/package.json +9 -7
package/src/account-manager/db/migrations/004-oauth.ts +122 -0
package/src/account-manager/db/migrations/index.ts +2 -0
package/src/account-manager/db/schema/authorization-request.ts +26 -0
package/src/account-manager/db/schema/device-account.ts +15 -0
package/src/account-manager/db/schema/device.ts +18 -0
package/src/account-manager/db/schema/index.ts +15 -0
package/src/account-manager/db/schema/token.ts +34 -0
package/src/account-manager/db/schema/used-refresh-token.ts +13 -0
package/src/account-manager/helpers/account.ts +16 -21
package/src/account-manager/helpers/authorization-request.ts +82 -0
package/src/account-manager/helpers/device-account.ts +135 -0
package/src/account-manager/helpers/device.ts +45 -0
package/src/account-manager/helpers/token.ts +185 -0
package/src/account-manager/helpers/used-refresh-token.ts +30 -0
package/src/account-manager/index.ts +325 -20
package/src/actor-store/preference/reader.ts +8 -2
package/src/actor-store/preference/transactor.ts +10 -0
package/src/actor-store/preference/util.ts +8 -0
package/src/api/app/bsky/actor/getPreferences.ts +2 -9
package/src/api/app/bsky/actor/putPreferences.ts +5 -1
package/src/api/com/atproto/server/createSession.ts +8 -44
package/src/api/com/atproto/server/deleteSession.ts +14 -20
package/src/api/com/atproto/server/getSession.ts +7 -2
package/src/api/com/atproto/server/refreshSession.ts +6 -2
package/src/api/com/atproto/sync/getRepoStatus.ts +3 -1
package/src/api/com/atproto/sync/listRepos.ts +1 -1
package/src/api/proxy.ts +18 -2
package/src/auth-routes.ts +27 -0
package/src/auth-verifier.ts +312 -92
package/src/config/config.ts +66 -0
package/src/config/env.ts +24 -0
package/src/config/secrets.ts +2 -0
package/src/context.ts +80 -14
package/src/db/cast.ts +59 -0
package/src/db/db.ts +15 -12
package/src/db/index.ts +1 -0
package/src/error.ts +7 -0
package/src/index.ts +2 -0
package/src/lexicon/index.ts +24 -0
package/src/lexicon/lexicons.ts +52 -0
package/src/lexicon/types/app/bsky/feed/defs.ts +1 -0
package/src/lexicon/types/app/bsky/graph/muteThread.ts +38 -0
package/src/lexicon/types/app/bsky/graph/unmuteThread.ts +38 -0
package/src/logger.ts +83 -38
package/src/oauth/detailed-account-store.ts +96 -0
package/src/oauth/provider.ts +77 -0
package/src/pipethrough.ts +3 -2
package/tests/preferences.test.ts +67 -1
package/tests/proxied/__snapshots__/feedgen.test.ts.snap +4 -1
package/tests/proxied/__snapshots__/views.test.ts.snap +116 -38

package/src/account-manager/helpers/device-account.ts ADDED Viewed

@@ -0,0 +1,135 @@
+import {
+  Account,
+  DeviceAccountInfo,
+  DeviceId,
+  OAuthClientId,
+} from '@atproto/oauth-provider'
+import { Insertable, Selectable } from 'kysely'
+import { fromDateISO, fromJsonArray, toDateISO, toJsonArray } from '../../db'
+import { AccountDb } from '../db'
+import { DeviceAccount } from '../db/schema/device-account'
+import { ActorAccount, selectAccountQB } from './account'
+export type SelectableDeviceAccount = Pick<
+  Selectable<DeviceAccount>,
+  'authenticatedAt' | 'authorizedClients' | 'remember'
+>
+const selectAccountInfoQB = (db: AccountDb, deviceId: DeviceId) =>
+  selectAccountQB(db, { includeDeactivated: true })
+    // note: query planner should use "device_account_pk" index
+    .innerJoin('device_account', 'device_account.did', 'actor.did')
+    .innerJoin('device', 'device.id', 'device_account.deviceId')
+    .where('device.id', '=', deviceId)
+    .select([
+      'device_account.authenticatedAt',
+      'device_account.remember',
+      'device_account.authorizedClients',
+    ])
+export type InsertableField = {
+  authenticatedAt: Date
+  authorizedClients: OAuthClientId[]
+  remember: boolean
+}
+function toInsertable<V extends Partial<InsertableField>>(
+  values: V,
+): Pick<Insertable<DeviceAccount>, keyof V & keyof Insertable<DeviceAccount>>
+function toInsertable(
+  values: Partial<InsertableField>,
+): Partial<Insertable<DeviceAccount>> {
+  const row: Partial<Insertable<DeviceAccount>> = {}
+  if (values.authenticatedAt) {
+    row.authenticatedAt = toDateISO(values.authenticatedAt)
+  }
+  if (values.remember !== undefined) {
+    row.remember = values.remember === true ? 1 : 0
+  }
+  if (values.authorizedClients) {
+    row.authorizedClients = toJsonArray(values.authorizedClients)
+  }
+  return row
+}
+export function toDeviceAccountInfo(
+  row: SelectableDeviceAccount,
+): DeviceAccountInfo {
+  return {
+    remembered: row.remember === 1,
+    authenticatedAt: fromDateISO(row.authenticatedAt),
+    authorizedClients: fromJsonArray<OAuthClientId>(row.authorizedClients),
+  }
+}
+export function toAccount(
+  row: Selectable<ActorAccount>,
+  audience: string,
+): Account {
+  return {
+    sub: row.did,
+    aud: audience,
+    email: row.email || undefined,
+    email_verified: row.email ? row.emailConfirmedAt != null : undefined,
+    preferred_username: row.handle || undefined,
+  }
+}
+export const readQB = (db: AccountDb, deviceId: DeviceId, did: string) =>
+  db.db
+    .selectFrom('device_account')
+    .where('did', '=', did)
+    .where('deviceId', '=', deviceId)
+    .select(['remember', 'authorizedClients', 'authenticatedAt'])
+export const updateQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  did: string,
+  entry: {
+    authenticatedAt?: Date
+    authorizedClients?: OAuthClientId[]
+    remember?: boolean
+  },
+) =>
+  db.db
+    .updateTable('device_account')
+    .set(toInsertable(entry))
+    .where('did', '=', did)
+    .where('deviceId', '=', deviceId)
+export const createOrUpdateQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  did: string,
+  remember: boolean,
+) => {
+  const { authorizedClients, ...values } = toInsertable({
+    remember,
+    authenticatedAt: new Date(),
+    authorizedClients: [],
+  })
+  return db.db
+    .insertInto('device_account')
+    .values({ did, deviceId, authorizedClients, ...values })
+    .onConflict((oc) => oc.columns(['deviceId', 'did']).doUpdateSet(values))
+}
+export const getAccountInfoQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  did: string,
+) => {
+  return selectAccountInfoQB(db, deviceId).where('actor.did', '=', did)
+}
+export const listRememberedQB = (db: AccountDb, deviceId: DeviceId) =>
+  selectAccountInfoQB(db, deviceId).where('device_account.remember', '=', 1)
+export const removeQB = (db: AccountDb, deviceId: DeviceId, did: string) =>
+  db.db
+    .deleteFrom('device_account')
+    .where('deviceId', '=', deviceId)
+    .where('did', '=', did)

package/src/account-manager/helpers/device.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { DeviceId, DeviceData } from '@atproto/oauth-provider'
+import { AccountDb, Device } from '../db'
+import { fromDateISO, toDateISO } from '../../db'
+import { Selectable } from 'kysely'
+export const rowToDeviceData = (row: Selectable<Device>): DeviceData => ({
+  sessionId: row.sessionId,
+  userAgent: row.userAgent,
+  ipAddress: row.ipAddress,
+  lastSeenAt: fromDateISO(row.lastSeenAt),
+})
+export const createQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  { sessionId, userAgent, ipAddress, lastSeenAt }: DeviceData,
+) =>
+  db.db.insertInto('device').values({
+    id: deviceId,
+    sessionId,
+    userAgent,
+    ipAddress,
+    lastSeenAt: toDateISO(lastSeenAt),
+  })
+export const readQB = (db: AccountDb, deviceId: DeviceId) =>
+  db.db.selectFrom('device').where('id', '=', deviceId).selectAll()
+export const updateQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  { sessionId, userAgent, ipAddress, lastSeenAt }: Partial<DeviceData>,
+) =>
+  db.db
+    .updateTable('device')
+    .if(sessionId != null, (qb) => qb.set({ sessionId }))
+    .if(userAgent != null, (qb) => qb.set({ userAgent }))
+    .if(ipAddress != null, (qb) => qb.set({ ipAddress }))
+    .if(lastSeenAt != null, (qb) =>
+      qb.set({ lastSeenAt: toDateISO(lastSeenAt!) }),
+    )
+    .where('id', '=', deviceId)
+export const removeQB = (db: AccountDb, deviceId: DeviceId) =>
+  db.db.deleteFrom('device').where('id', '=', deviceId)

package/src/account-manager/helpers/token.ts ADDED Viewed

@@ -0,0 +1,185 @@
+import {
+  Code,
+  NewTokenData,
+  OAuthAuthorizationDetail,
+  RefreshToken,
+  TokenData,
+  TokenId,
+  TokenInfo,
+} from '@atproto/oauth-provider'
+import { Selectable } from 'kysely'
+import {
+  fromDateISO,
+  fromJsonArray,
+  fromJsonObject,
+  toDateISO,
+  toJsonArray,
+  toJsonObject,
+} from '../../db'
+import { AccountDb, Token } from '../db'
+import { ActorAccount, selectAccountQB } from './account'
+import {
+  SelectableDeviceAccount,
+  toAccount,
+  toDeviceAccountInfo,
+} from './device-account'
+type LeftJoined<T> = { [K in keyof T]: null | T[K] }
+export type ActorAccountToken = Selectable<ActorAccount> &
+  Selectable<Omit<Token, 'id' | 'did'>> &
+  LeftJoined<SelectableDeviceAccount>
+export const toTokenInfo = (
+  row: ActorAccountToken,
+  audience: string,
+): TokenInfo => ({
+  id: row.tokenId,
+  data: {
+    createdAt: fromDateISO(row.createdAt),
+    expiresAt: fromDateISO(row.expiresAt),
+    updatedAt: fromDateISO(row.updatedAt),
+    clientId: row.clientId,
+    clientAuth: fromJsonObject(row.clientAuth),
+    deviceId: row.deviceId,
+    sub: row.did,
+    parameters: fromJsonObject(row.parameters),
+    details: row.details
+      ? fromJsonArray<OAuthAuthorizationDetail>(row.details)
+      : null,
+    code: row.code,
+  },
+  account: toAccount(row, audience),
+  info:
+    row.authenticatedAt != null &&
+    row.authorizedClients != null &&
+    row.remember != null
+      ? toDeviceAccountInfo(row as SelectableDeviceAccount)
+      : undefined,
+  currentRefreshToken: row.currentRefreshToken,
+})
+const selectTokenInfoQB = (db: AccountDb) =>
+  selectAccountQB(db, { includeDeactivated: true })
+    // uses "token_did_idx" index (though unlikely in practice)
+    .innerJoin('token', 'token.did', 'actor.did')
+    .leftJoin('device_account', (join) =>
+      join
+        // uses "device_account_pk" index
+        .on('device_account.did', '=', 'token.did')
+        // @ts-expect-error "deviceId" is nullable in token
+        .on('device_account.deviceId', '=', 'token.deviceId'),
+    )
+    .select([
+      'token.tokenId',
+      'token.createdAt',
+      'token.updatedAt',
+      'token.expiresAt',
+      'token.clientId',
+      'token.clientAuth',
+      'token.deviceId',
+      'token.did',
+      'token.parameters',
+      'token.details',
+      'token.code',
+      'token.currentRefreshToken',
+      'device_account.authenticatedAt',
+      'device_account.authorizedClients',
+      'device_account.remember',
+    ])
+export const createQB = (
+  db: AccountDb,
+  tokenId: TokenId,
+  data: TokenData,
+  refreshToken?: RefreshToken,
+) =>
+  db.db.insertInto('token').values({
+    tokenId,
+    createdAt: toDateISO(data.createdAt),
+    expiresAt: toDateISO(data.expiresAt),
+    updatedAt: toDateISO(data.updatedAt),
+    clientId: data.clientId,
+    clientAuth: toJsonObject(data.clientAuth),
+    deviceId: data.deviceId,
+    did: data.sub,
+    parameters: toJsonObject(data.parameters),
+    details: data.details ? toJsonArray(data.details) : null,
+    code: data.code,
+    currentRefreshToken: refreshToken || null,
+  })
+export const forRotateQB = (db: AccountDb, id: TokenId) =>
+  db.db
+    .selectFrom('token')
+    .where('tokenId', '=', id)
+    .where('currentRefreshToken', 'is not', null)
+    .select(['id', 'currentRefreshToken'])
+export const findByQB = (
+  db: AccountDb,
+  search: {
+    id?: number
+    code?: Code
+    tokenId?: TokenId
+    currentRefreshToken?: RefreshToken
+  },
+) => {
+  if (
+    search.id === undefined &&
+    search.code === undefined &&
+    search.tokenId === undefined &&
+    search.currentRefreshToken === undefined
+  ) {
+    // Prevent accidental scan
+    throw new TypeError('At least one search parameter is required')
+  }
+  return selectTokenInfoQB(db)
+    .if(search.id !== undefined, (qb) =>
+      // uses primary key index
+      qb.where('token.id', '=', search.id!),
+    )
+    .if(search.code !== undefined, (qb) =>
+      // uses "token_code_idx" partial index (hence the null check)
+      qb
+        .where('token.code', '=', search.code!)
+        .where('token.code', 'is not', null),
+    )
+    .if(search.tokenId !== undefined, (qb) =>
+      // uses "token_token_id_idx"
+      qb.where('token.tokenId', '=', search.tokenId!),
+    )
+    .if(search.currentRefreshToken !== undefined, (qb) =>
+      // uses "token_refresh_token_unique_idx"
+      qb.where('token.currentRefreshToken', '=', search.currentRefreshToken!),
+    )
+}
+export const removeByDidQB = (db: AccountDb, did: string) =>
+  // uses "token_did_idx" index
+  db.db.deleteFrom('token').where('did', '=', did)
+export const rotateQB = (
+  db: AccountDb,
+  id: number,
+  newTokenId: TokenId,
+  newRefreshToken: RefreshToken,
+  newData: NewTokenData,
+) =>
+  db.db
+    .updateTable('token')
+    .set({
+      tokenId: newTokenId,
+      currentRefreshToken: newRefreshToken,
+      expiresAt: toDateISO(newData.expiresAt),
+      updatedAt: toDateISO(newData.updatedAt),
+      clientAuth: toJsonObject(newData.clientAuth),
+    })
+    // uses primary key index
+    .where('id', '=', id)
+export const removeQB = (db: AccountDb, tokenId: TokenId) =>
+  // uses "used_refresh_token_fk" to cascade delete
+  db.db.deleteFrom('token').where('tokenId', '=', tokenId)

package/src/account-manager/helpers/used-refresh-token.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import { RefreshToken } from '@atproto/oauth-provider'
+import { AccountDb } from '../db'
+/**
+ * Note that the used refresh tokens will be removed once the token is revoked.
+ * This is done through the foreign key constraint in the database.
+ */
+export const insertQB = (
+  db: AccountDb,
+  tokenId: number,
+  refreshToken: RefreshToken,
+) =>
+  db.db
+    .insertInto('used_refresh_token')
+    .values({ tokenId, refreshToken })
+    .onConflict((oc) => oc.doNothing())
+export const findByTokenQB = (db: AccountDb, refreshToken: RefreshToken) =>
+  db.db
+    .selectFrom('used_refresh_token')
+    // uses primary key index
+    .where('refreshToken', '=', refreshToken)
+    .select('tokenId')
+export const countQB = (db: AccountDb, refreshToken: RefreshToken) =>
+  db.db
+    .selectFrom('used_refresh_token')
+    // uses primary key index
+    .where('refreshToken', '=', refreshToken)
+    .select((qb) => qb.fn.count<number>('refreshToken').as('count'))