@atproto/pds 0.4.33 → 0.4.35

package/src/account-manager/index.ts

@@ -1,25 +1,57 @@
-import { KeyObject } from 'node:crypto'
-import { HOUR } from '@atproto/common'
+import { HOUR, wait } from '@atproto/common'
+import {
+  AccountInfo,
+  AccountStore,
+  Code,
+  DeviceData,
+  DeviceId,
+  DeviceStore,
+  FoundRequestResult,
+  LoginCredentials,
+  NewTokenData,
+  RefreshToken,
+  RequestData,
+  RequestId,
+  RequestStore,
+  TokenData,
+  TokenId,
+  TokenInfo,
+  TokenStore,
+  UpdateRequestData,
+} from '@atproto/oauth-provider'
+import { AuthRequiredError } from '@atproto/xrpc-server'
 import { CID } from 'multiformats/cid'
+import { KeyObject } from 'node:crypto'
+
+import { AuthScope } from '../auth-verifier'
+import { BackgroundQueue } from '../background'
+import { softDeleted } from '../db'
+import { StatusAttr } from '../lexicon/types/com/atproto/admin/defs'
 import { AccountDb, EmailTokenPurpose, getDb, getMigrator } from './db'
-import * as scrypt from './helpers/scrypt'
 import * as account from './helpers/account'
-import { AccountStatus } from './helpers/account'
-import { ActorAccount } from './helpers/account'
-import * as repo from './helpers/repo'
+import { AccountStatus, ActorAccount } from './helpers/account'
 import * as auth from './helpers/auth'
+import * as authRequest from './helpers/authorization-request'
+import * as deviceAccount from './helpers/device-account'
+import * as device from './helpers/device'
+import * as emailToken from './helpers/email-token'
 import * as invite from './helpers/invite'
 import * as password from './helpers/password'
-import * as emailToken from './helpers/email-token'
-import { AuthScope } from '../auth-verifier'
-import { StatusAttr } from '../lexicon/types/com/atproto/admin/defs'
+import * as repo from './helpers/repo'
+import * as scrypt from './helpers/scrypt'
+import * as token from './helpers/token'
+import * as usedRefreshToken from './helpers/used-refresh-token'
 
 export { AccountStatus } from './helpers/account'
+export { formatAccountStatus } from './helpers/account'
 
-export class AccountManager {
+export class AccountManager
+  implements AccountStore, RequestStore, DeviceStore, TokenStore
+{
   db: AccountDb
 
   constructor(
+    private backgroundQueue: BackgroundQueue,
     dbLocation: string,
     private jwtKey: KeyObject,
     private serviceDid: string,
@@ -73,15 +105,9 @@ export class AccountManager {
       includeDeactivated: true,
       includeTakenDown: true,
     })
-    if (!got) {
-      return AccountStatus.Deleted
-    } else if (got.takedownRef) {
-      return AccountStatus.Takendown
-    } else if (got.deactivatedAt) {
-      return AccountStatus.Deactivated
-    } else {
-      return AccountStatus.Active
-    }
+
+    const res = account.formatAccountStatus(got)
+    return res.active ? AccountStatus.Active : res.status
   }
 
   async createAccount(opts: {
@@ -148,10 +174,11 @@ export class AccountManager {
   }
 
   async takedownAccount(did: string, takedown: StatusAttr) {
-    await this.db.transaction((dbTxn) =>
+    await this.db.transaction(async (dbTxn) =>
       Promise.all([
         account.updateAccountTakedownStatus(dbTxn, did, takedown),
         auth.revokeRefreshTokensByDid(dbTxn, did),
+        token.removeByDidQB(dbTxn, did).execute(),
       ]),
     )
   }
@@ -250,6 +277,63 @@ export class AccountManager {
     return auth.revokeRefreshToken(this.db, id)
   }
 
+  // Login
+  // ----------
+
+  async login({
+    identifier,
+    password,
+  }: {
+    identifier: string
+    password: string
+  }): Promise<{
+    user: ActorAccount
+    appPassword: password.AppPassDescript | null
+  }> {
+    const start = Date.now()
+    try {
+      const identifierNormalized = identifier.toLowerCase()
+
+      const user = identifierNormalized.includes('@')
+        ? await this.getAccountByEmail(identifierNormalized, {
+            includeDeactivated: true,
+            includeTakenDown: true,
+          })
+        : await this.getAccount(identifierNormalized, {
+            includeDeactivated: true,
+            includeTakenDown: true,
+          })
+
+      if (!user) {
+        throw new AuthRequiredError('Invalid identifier or password')
+      }
+
+      let appPassword: password.AppPassDescript | null = null
+      const validAccountPass = await this.verifyAccountPassword(
+        user.did,
+        password,
+      )
+      if (!validAccountPass) {
+        appPassword = await this.verifyAppPassword(user.did, password)
+        if (appPassword === null) {
+          throw new AuthRequiredError('Invalid identifier or password')
+        }
+      }
+
+      if (softDeleted(user)) {
+        throw new AuthRequiredError(
+          'Account has been taken down',
+          'AccountTakedown',
+        )
+      }
+
+      return { user, appPassword }
+    } finally {
+      // Mitigate timing attacks
+      await wait(350 - (Date.now() - start))
+    }
+  }
+
   // Passwords
   // ----------
 
@@ -399,4 +483,225 @@ export class AccountManager {
       ]),
     )
   }
+
+  // AccountStore
+
+  async authenticateAccount(
+    { username: identifier, password, remember = false }: LoginCredentials,
+    deviceId: DeviceId,
+  ): Promise<AccountInfo | null> {
+    try {
+      const { user, appPassword } = await this.login({ identifier, password })
+
+      if (appPassword) {
+        throw new AuthRequiredError('App passwords are not allowed')
+      }
+
+      await this.db.executeWithRetry(
+        deviceAccount.createOrUpdateQB(this.db, deviceId, user.did, remember),
+      )
+
+      return await this.getDeviceAccount(deviceId, user.did)
+    } catch (err) {
+      if (err instanceof AuthRequiredError) return null
+      throw err
+    }
+  }
+
+  async addAuthorizedClient(
+    deviceId: DeviceId,
+    sub: string,
+    clientId: string,
+  ): Promise<void> {
+    await this.db.transaction(async (dbTxn) => {
+      const row = await deviceAccount
+        .readQB(dbTxn, deviceId, sub)
+        .executeTakeFirstOrThrow()
+
+      const { authorizedClients } = deviceAccount.toDeviceAccountInfo(row)
+      if (!authorizedClients.includes(clientId)) {
+        await deviceAccount
+          .updateQB(dbTxn, deviceId, sub, {
+            authorizedClients: [...authorizedClients, clientId],
+          })
+          .execute()
+      }
+    })
+  }
+
+  async getDeviceAccount(
+    deviceId: DeviceId,
+    sub: string,
+  ): Promise<AccountInfo | null> {
+    const row = await deviceAccount
+      .getAccountInfoQB(this.db, deviceId, sub)
+      .executeTakeFirst()
+
+    if (!row) return null
+
+    return {
+      account: deviceAccount.toAccount(row, this.serviceDid),
+      info: deviceAccount.toDeviceAccountInfo(row),
+    }
+  }
+
+  async listDeviceAccounts(deviceId: DeviceId): Promise<AccountInfo[]> {
+    const rows = await deviceAccount
+      .listRememberedQB(this.db, deviceId)
+      .execute()
+
+    return rows.map((row) => ({
+      account: deviceAccount.toAccount(row, this.serviceDid),
+      info: deviceAccount.toDeviceAccountInfo(row),
+    }))
+  }
+
+  async removeDeviceAccount(deviceId: DeviceId, sub: string): Promise<void> {
+    await this.db.executeWithRetry(
+      deviceAccount.removeQB(this.db, deviceId, sub),
+    )
+  }
+
+  // RequestStore
+
+  async createRequest(id: RequestId, data: RequestData): Promise<void> {
+    await this.db.executeWithRetry(authRequest.createQB(this.db, id, data))
+  }
+
+  async readRequest(id: RequestId): Promise<RequestData | null> {
+    try {
+      const row = await authRequest.readQB(this.db, id).executeTakeFirst()
+      if (!row) return null
+      return authRequest.rowToRequestData(row)
+    } finally {
+      // Take the opportunity to clean up expired requests. Do this after we got
+      // the current (potentially expired) request data to allow the provider to
+      // handle expired requests.
+      this.backgroundQueue.add(async () => {
+        await this.db.executeWithRetry(authRequest.removeOldExpiredQB(this.db))
+      })
+    }
+  }
+
+  async updateRequest(id: RequestId, data: UpdateRequestData): Promise<void> {
+    await this.db.executeWithRetry(authRequest.updateQB(this.db, id, data))
+  }
+
+  async deleteRequest(id: RequestId): Promise<void> {
+    await this.db.executeWithRetry(authRequest.removeByIdQB(this.db, id))
+  }
+
+  async findRequestByCode(code: Code): Promise<FoundRequestResult | null> {
+    const row = await authRequest.findByCodeQB(this.db, code).executeTakeFirst()
+    return row ? authRequest.rowToFoundRequestResult(row) : null
+  }
+
+  // DeviceStore
+
+  async createDevice(deviceId: DeviceId, data: DeviceData): Promise<void> {
+    await this.db.executeWithRetry(device.createQB(this.db, deviceId, data))
+  }
+
+  async readDevice(deviceId: DeviceId): Promise<null | DeviceData> {
+    const row = await device.readQB(this.db, deviceId).executeTakeFirst()
+    return row ? device.rowToDeviceData(row) : null
+  }
+
+  async updateDevice(
+    deviceId: DeviceId,
+    data: Partial<DeviceData>,
+  ): Promise<void> {
+    await this.db.executeWithRetry(device.updateQB(this.db, deviceId, data))
+  }
+
+  async deleteDevice(deviceId: DeviceId): Promise<void> {
+    // Will cascade to device_account (device_account_device_id_fk)
+    await this.db.executeWithRetry(device.removeQB(this.db, deviceId))
+  }
+
+  // TokenStore
+
+  async createToken(
+    id: TokenId,
+    data: TokenData,
+    refreshToken?: RefreshToken,
+  ): Promise<void> {
+    await this.db.transaction(async (dbTxn) => {
+      if (refreshToken) {
+        const { count } = await usedRefreshToken
+          .countQB(dbTxn, refreshToken)
+          .executeTakeFirstOrThrow()
+
+        if (count > 0) {
+          throw new Error('Refresh token already in use')
+        }
+      }
+
+      return token.createQB(dbTxn, id, data, refreshToken).execute()
+    })
+  }
+
+  async readToken(tokenId: TokenId): Promise<TokenInfo | null> {
+    const row = await token.findByQB(this.db, { tokenId }).executeTakeFirst()
+    return row ? token.toTokenInfo(row, this.serviceDid) : null
+  }
+
+  async deleteToken(tokenId: TokenId): Promise<void> {
+    // Will cascade to used_refresh_token (used_refresh_token_fk)
+    await this.db.executeWithRetry(token.removeQB(this.db, tokenId))
+  }
+
+  async rotateToken(
+    tokenId: TokenId,
+    newTokenId: TokenId,
+    newRefreshToken: RefreshToken,
+    newData: NewTokenData,
+  ): Promise<void> {
+    const err = await this.db.transaction(async (dbTxn) => {
+      const { id, currentRefreshToken } = await token
+        .forRotateQB(dbTxn, tokenId)
+        .executeTakeFirstOrThrow()
+
+      if (currentRefreshToken) {
+        await usedRefreshToken
+          .insertQB(dbTxn, id, currentRefreshToken)
+          .execute()
+      }
+
+      const { count } = await usedRefreshToken
+        .countQB(dbTxn, newRefreshToken)
+        .executeTakeFirstOrThrow()
+
+      if (count > 0) {
+        // Do NOT throw (we don't want the transaction to be rolled back)
+        return new Error('New refresh token already in use')
+      }
+
+      await token
+        .rotateQB(dbTxn, id, newTokenId, newRefreshToken, newData)
+        .execute()
+    })
+
+    if (err) throw err
+  }
+
+  async findTokenByRefreshToken(
+    refreshToken: RefreshToken,
+  ): Promise<TokenInfo | null> {
+    const used = await usedRefreshToken
+      .findByTokenQB(this.db, refreshToken)
+      .executeTakeFirst()
+
+    const search = used
+      ? { id: used.tokenId }
+      : { currentRefreshToken: refreshToken }
+
+    const row = await token.findByQB(this.db, search).executeTakeFirst()
+    return row ? token.toTokenInfo(row, this.serviceDid) : null
+  }
+
+  async findTokenByCode(code: Code): Promise<TokenInfo | null> {
+    const row = await token.findByQB(this.db, { code }).executeTakeFirst()
+    return row ? token.toTokenInfo(row, this.serviceDid) : null
+  }
 }

package/src/actor-store/preference/reader.ts

@@ -1,9 +1,14 @@
+import { AuthScope } from '../../auth-verifier'
 import { ActorDb } from '../db'
+import { prefInScope } from './util'
 
 export class PreferenceReader {
   constructor(public db: ActorDb) {}
 
-  async getPreferences(namespace?: string): Promise<AccountPreference[]> {
+  async getPreferences(
+    namespace: string,
+    scope: AuthScope,
+  ): Promise<AccountPreference[]> {
     const prefsRes = await this.db.db
       .selectFrom('account_pref')
       .orderBy('id')
@@ -11,7 +16,8 @@ export class PreferenceReader {
       .execute()
     return prefsRes
       .filter((pref) => !namespace || prefMatchNamespace(namespace, pref.name))
-      .map((pref) => JSON.parse(pref.valueJson))
+      .filter((pref) => prefInScope(scope, pref.name))
+      .map((pref) => JSON.parse(pref.valueJson) as AccountPreference)
   }
 }
 

package/src/actor-store/preference/transactor.ts

@@ -4,11 +4,14 @@ import {
   AccountPreference,
   prefMatchNamespace,
 } from './reader'
+import { AuthScope } from '../../auth-verifier'
+import { prefInScope } from './util'
 
 export class PreferenceTransactor extends PreferenceReader {
   async putPreferences(
     values: AccountPreference[],
     namespace: string,
+    scope: AuthScope,
   ): Promise<void> {
     this.db.assertTransaction()
     if (!values.every((value) => prefMatchNamespace(namespace, value.$type))) {
@@ -16,6 +19,12 @@ export class PreferenceTransactor extends PreferenceReader {
         `Some preferences are not in the ${namespace} namespace`,
       )
     }
+    const notInScope = values.filter((val) => !prefInScope(scope, val.$type))
+    if (notInScope.length > 0) {
+      throw new InvalidRequestError(
+        `Do not have authorization to set preferences: ${notInScope.join(', ')}`,
+      )
+    }
     // get all current prefs for user and prep new pref rows
     const allPrefs = await this.db.db
       .selectFrom('account_pref')
@@ -29,6 +38,7 @@ export class PreferenceTransactor extends PreferenceReader {
     })
     const allPrefIdsInNamespace = allPrefs
       .filter((pref) => prefMatchNamespace(namespace, pref.name))
+      .filter((pref) => prefInScope(scope, pref.name))
       .map((pref) => pref.id)
     // replace all prefs in given namespace
     if (allPrefIdsInNamespace.length) {

package/src/actor-store/preference/util.ts

@@ -0,0 +1,8 @@
+import { AuthScope } from '../../auth-verifier'
+
+const FULL_ACCESS_ONLY_PREFS = ['app.bsky.actor.defs#personalDetailsPref']
+
+export const prefInScope = (scope: AuthScope, prefType: string) => {
+  if (scope === AuthScope.Access) return true
+  return !FULL_ACCESS_ONLY_PREFS.includes(prefType)
+}

package/src/api/app/bsky/actor/getPreferences.ts

@@ -1,6 +1,5 @@
 import { Server } from '../../../../lexicon'
 import AppContext from '../../../../context'
-import { AuthScope } from '../../../../auth-verifier'
 
 export default function (server: Server, ctx: AppContext) {
   if (!ctx.cfg.bskyAppView) return
@@ -8,15 +7,9 @@ export default function (server: Server, ctx: AppContext) {
     auth: ctx.authVerifier.accessStandard(),
     handler: async ({ auth }) => {
       const requester = auth.credentials.did
-      let preferences = await ctx.actorStore.read(requester, (store) =>
-        store.pref.getPreferences('app.bsky'),
+      const preferences = await ctx.actorStore.read(requester, (store) =>
+        store.pref.getPreferences('app.bsky', auth.credentials.scope),
       )
-      if (auth.credentials.scope !== AuthScope.Access) {
-        // filter out personal details for app passwords
-        preferences = preferences.filter(
-          (pref) => pref.$type !== 'app.bsky.actor.defs#personalDetailsPref',
-        )
-      }
       return {
         encoding: 'application/json',
         body: { preferences },

package/src/api/app/bsky/actor/putPreferences.ts

@@ -19,7 +19,11 @@ export default function (server: Server, ctx: AppContext) {
         }
       }
       await ctx.actorStore.transact(requester, async (actorTxn) => {
-        await actorTxn.pref.putPreferences(checkedPreferences, 'app.bsky')
+        await actorTxn.pref.putPreferences(
+          checkedPreferences,
+          'app.bsky',
+          auth.credentials.scope,
+        )
       })
     },
   })

package/src/api/com/atproto/server/createSession.ts

@@ -1,12 +1,11 @@
 import { DAY, MINUTE } from '@atproto/common'
 import { INVALID_HANDLE } from '@atproto/syntax'
-import { AuthRequiredError } from '@atproto/xrpc-server'
+
+import { formatAccountStatus } from '../../../../account-manager'
 import AppContext from '../../../../context'
-import { softDeleted } from '../../../../db/util'
 import { Server } from '../../../../lexicon'
-import { didDocForSession } from './util'
 import { authPassthru, resultPassthru } from '../../../proxy'
-import { AppPassDescript } from '../../../../account-manager/helpers/password'
+import { didDocForSession } from './util'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.createSession({
@@ -32,50 +31,15 @@ export default function (server: Server, ctx: AppContext) {
         )
       }
 
-      const { password } = input.body
-      const identifier = input.body.identifier.toLowerCase()
-
-      const user = identifier.includes('@')
-        ? await ctx.accountManager.getAccountByEmail(identifier, {
-            includeDeactivated: true,
-            includeTakenDown: true,
-          })
-        : await ctx.accountManager.getAccount(identifier, {
-            includeDeactivated: true,
-            includeTakenDown: true,
-          })
-
-      if (!user) {
-        throw new AuthRequiredError('Invalid identifier or password')
-      }
-
-      let appPassword: AppPassDescript | null = null
-      const validAccountPass = await ctx.accountManager.verifyAccountPassword(
-        user.did,
-        password,
-      )
-      if (!validAccountPass) {
-        appPassword = await ctx.accountManager.verifyAppPassword(
-          user.did,
-          password,
-        )
-        if (appPassword === null) {
-          throw new AuthRequiredError('Invalid identifier or password')
-        }
-      }
-
-      if (softDeleted(user)) {
-        throw new AuthRequiredError(
-          'Account has been taken down',
-          'AccountTakedown',
-        )
-      }
+      const { user, appPassword } = await ctx.accountManager.login(input.body)
 
       const [{ accessJwt, refreshJwt }, didDoc] = await Promise.all([
         ctx.accountManager.createSession(user.did, appPassword),
         didDocForSession(ctx, user.did),
       ])
 
+      const { status, active } = formatAccountStatus(user)
+
       return {
         encoding: 'application/json',
         body: {
@@ -86,8 +50,8 @@ export default function (server: Server, ctx: AppContext) {
           emailConfirmed: !!user.emailConfirmedAt,
           accessJwt,
           refreshJwt,
-          active: user.active,
-          status: user.status,
+          active,
+          status,
         },
       }
     },

package/src/api/com/atproto/server/deleteSession.ts

@@ -1,28 +1,22 @@
-import { AuthScope } from '../../../../auth-verifier'
 import AppContext from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { authPassthru } from '../../../proxy'
 
 export default function (server: Server, ctx: AppContext) {
-  server.com.atproto.server.deleteSession(async ({ req }) => {
-    if (ctx.entrywayAgent) {
-      await ctx.entrywayAgent.com.atproto.server.deleteSession(
+  const { entrywayAgent } = ctx
+  if (entrywayAgent) {
+    server.com.atproto.server.deleteSession(async (reqCtx) => {
+      await entrywayAgent.com.atproto.server.deleteSession(
         undefined,
-        authPassthru(req, true),
+        authPassthru(reqCtx.req, true),
       )
-      return
-    }
-
-    const result = await ctx.authVerifier.validateBearerToken(
-      req,
-      [AuthScope.Refresh],
-      { clockTolerance: Infinity }, // ignore expiration
-    )
-    const id = result.payload.jti
-    if (!id) {
-      throw new Error('Unexpected missing refresh token id')
-    }
-
-    await ctx.accountManager.revokeRefreshToken(id)
-  })
+    })
+  } else {
+    server.com.atproto.server.deleteSession({
+      auth: ctx.authVerifier.refreshExpired,
+      handler: async ({ auth }) => {
+        await ctx.accountManager.revokeRefreshToken(auth.credentials.tokenId)
+      },
+    })
+  }
 }

package/src/api/com/atproto/server/getSession.ts

@@ -1,5 +1,7 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { INVALID_HANDLE } from '@atproto/syntax'
+
+import { formatAccountStatus } from '../../../../account-manager'
 import AppContext from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { authPassthru, resultPassthru } from '../../../proxy'
@@ -31,6 +33,9 @@ export default function (server: Server, ctx: AppContext) {
           `Could not find user info for account: ${did}`,
         )
       }
+
+      const { status, active } = formatAccountStatus(user)
+
       return {
         encoding: 'application/json',
         body: {
@@ -39,8 +44,8 @@ export default function (server: Server, ctx: AppContext) {
           email: user.email ?? undefined,
           didDoc,
           emailConfirmed: !!user.emailConfirmedAt,
-          active: user.active,
-          status: user.status,
+          active,
+          status,
         },
       }
     },

package/src/api/com/atproto/server/refreshSession.ts

@@ -1,5 +1,7 @@
 import { INVALID_HANDLE } from '@atproto/syntax'
 import { AuthRequiredError, InvalidRequestError } from '@atproto/xrpc-server'
+
+import { formatAccountStatus } from '../../../../account-manager'
 import AppContext from '../../../../context'
 import { softDeleted } from '../../../../db/util'
 import { Server } from '../../../../lexicon'
@@ -44,6 +46,8 @@ export default function (server: Server, ctx: AppContext) {
         throw new InvalidRequestError('Token has been revoked', 'ExpiredToken')
       }
 
+      const { status, active } = formatAccountStatus(user)
+
       return {
         encoding: 'application/json',
         body: {
@@ -52,8 +56,8 @@ export default function (server: Server, ctx: AppContext) {
           handle: user.handle ?? INVALID_HANDLE,
           accessJwt: rotated.accessJwt,
           refreshJwt: rotated.refreshJwt,
-          active: user.active,
-          status: user.status,
+          active,
+          status,
         },
       }
     },