@atproto/pds 0.4.33 → 0.4.35

package/src/config/config.ts

@@ -1,6 +1,7 @@
 import path from 'node:path'
 import assert from 'node:assert'
 import { DAY, HOUR, SECOND } from '@atproto/common'
+import { Customization } from '@atproto/oauth-provider'
 import { ServerEnvironment } from './env'
 
 // off-config but still from env:
@@ -234,6 +235,54 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
 
   const crawlersCfg: ServerConfig['crawlers'] = env.crawlers ?? []
 
+  const fetchCfg: ServerConfig['fetch'] = {
+    disableSsrfProtection: env.fetchDisableSsrfProtection ?? false,
+  }
+
+  const oauthCfg: ServerConfig['oauth'] = entrywayCfg
+    ? {
+        issuer: entrywayCfg.url,
+        provider: false,
+      }
+    : {
+        issuer: serviceCfg.publicUrl,
+        provider: {
+          customization: {
+            name: env.serviceName ?? 'Personal PDS',
+            logo: env.logoUrl,
+            colors: {
+              primary: env.primaryColor,
+              error: env.errorColor,
+            },
+            links: [
+              {
+                title: 'Home',
+                href: env.homeUrl,
+                rel: 'bookmark',
+              },
+              {
+                title: 'Terms of Service',
+                href: env.termsOfServiceUrl,
+                rel: 'terms-of-service',
+              },
+              {
+                title: 'Privacy Policy',
+                href: env.privacyPolicyUrl,
+                rel: 'privacy-policy',
+              },
+              {
+                title: 'Support',
+                href: env.supportUrl,
+                rel: 'help',
+              },
+            ].filter(
+              (f): f is typeof f & { href: NonNullable<(typeof f)['href']> } =>
+                f.href != null,
+            ),
+          },
+        },
+      }
+
   return {
     service: serviceCfg,
     db: dbCfg,
@@ -251,6 +300,8 @@ export const envToCfg = (env: ServerEnvironment): ServerConfig => {
     redis: redisCfg,
     rateLimits: rateLimitsCfg,
     crawlers: crawlersCfg,
+    fetch: fetchCfg,
+    oauth: oauthCfg,
   }
 }
 
@@ -271,6 +322,8 @@ export type ServerConfig = {
   redis: RedisScratchConfig | null
   rateLimits: RateLimitsConfig
   crawlers: string[]
+  fetch: FetchConfig
+  oauth: OAuthConfig
 }
 
 export type ServiceConfig = {
@@ -337,6 +390,19 @@ export type EntrywayConfig = {
   plcRotationKey: string
 }
 
+export type FetchConfig = {
+  disableSsrfProtection: boolean
+}
+
+export type OAuthConfig = {
+  issuer: string
+  provider:
+    | false
+    | {
+        customization: Customization
+      }
+}
+
 export type InvitesConfig =
   | {
       required: true

package/src/config/env.ts

@@ -6,14 +6,22 @@ export const readEnv = (): ServerEnvironment => {
     port: envInt('PDS_PORT'),
     hostname: envStr('PDS_HOSTNAME'),
     serviceDid: envStr('PDS_SERVICE_DID'),
+    serviceName: envStr('PDS_SERVICE_NAME'),
     version: envStr('PDS_VERSION'),
+    homeUrl: envStr('PDS_HOME_URL'),
+    logoUrl: envStr('PDS_LOGO_URL'),
     privacyPolicyUrl: envStr('PDS_PRIVACY_POLICY_URL'),
+    supportUrl: envStr('PDS_SUPPORT_URL'),
     termsOfServiceUrl: envStr('PDS_TERMS_OF_SERVICE_URL'),
     contactEmailAddress: envStr('PDS_CONTACT_EMAIL_ADDRESS'),
     acceptingImports: envBool('PDS_ACCEPTING_REPO_IMPORTS'),
     blobUploadLimit: envInt('PDS_BLOB_UPLOAD_LIMIT'),
     devMode: envBool('PDS_DEV_MODE'),
 
+    // branding
+    primaryColor: envStr('PDS_PRIMARY_COLOR'),
+    errorColor: envStr('PDS_ERROR_COLOR'),
+
     // database
     dataDirectory: envStr('PDS_DATA_DIRECTORY'),
     disableWalAutoCheckpoint: envBool('PDS_SQLITE_DISABLE_WAL_AUTO_CHECKPOINT'),
@@ -97,6 +105,7 @@ export const readEnv = (): ServerEnvironment => {
     crawlers: envList('PDS_CRAWLERS'),
 
     // secrets
+    dpopSecret: envStr('PDS_DPOP_SECRET'),
     jwtSecret: envStr('PDS_JWT_SECRET'),
     adminPassword: envStr('PDS_ADMIN_PASSWORD'),
 
@@ -106,6 +115,9 @@ export const readEnv = (): ServerEnvironment => {
     plcRotationKeyK256PrivateKeyHex: envStr(
       'PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX',
     ),
+
+    // fetch
+    fetchDisableSsrfProtection: envBool('PDS_DISABLE_SSRF_PROTECTION'),
   }
 }
 
@@ -114,14 +126,22 @@ export type ServerEnvironment = {
   port?: number
   hostname?: string
   serviceDid?: string
+  serviceName?: string
   version?: string
+  homeUrl?: string
+  logoUrl?: string
   privacyPolicyUrl?: string
+  supportUrl?: string
   termsOfServiceUrl?: string
   contactEmailAddress?: string
   acceptingImports?: boolean
   blobUploadLimit?: number
   devMode?: boolean
 
+  // branding
+  primaryColor?: string
+  errorColor?: string
+
   // database
   dataDirectory?: string
   disableWalAutoCheckpoint?: boolean
@@ -203,10 +223,14 @@ export type ServerEnvironment = {
   crawlers?: string[]
 
   // secrets
+  dpopSecret?: string
   jwtSecret?: string
   adminPassword?: string
 
   // keys
   plcRotationKeyKmsKeyId?: string
   plcRotationKeyK256PrivateKeyHex?: string
+
+  // fetch
+  fetchDisableSsrfProtection?: boolean
 }

package/src/config/secrets.ts

@@ -27,6 +27,7 @@ export const envToSecrets = (env: ServerEnvironment): ServerSecrets => {
   }
 
   return {
+    dpopSecret: env.dpopSecret,
     jwtSecret: env.jwtSecret,
     adminPassword: env.adminPassword,
     plcRotationKey,
@@ -34,6 +35,7 @@ export const envToSecrets = (env: ServerEnvironment): ServerSecrets => {
 }
 
 export type ServerSecrets = {
+  dpopSecret?: string
   jwtSecret: string
   adminPassword: string
   plcRotationKey: SigningKeyKms | SigningKeyMemory

package/src/context.ts

@@ -12,12 +12,21 @@ import {
   RateLimiterOpts,
   createServiceAuthHeaders,
 } from '@atproto/xrpc-server'
+import {
+  JoseKey,
+  Fetch,
+  safeFetchWrap,
+  OAuthVerifier,
+} from '@atproto/oauth-provider'
+
 import { ServerConfig, ServerSecrets } from './config'
+import { PdsOAuthProvider } from './oauth/provider'
 import {
   AuthVerifier,
   createPublicKeyObject,
   createSecretKeyObject,
 } from './auth-verifier'
+import { fetchLogger } from './logger'
 import { ServerMailer } from './mailer'
 import { ModerationMailer } from './mailer/moderation'
 import { BlobStore } from '@atproto/repo'
@@ -50,6 +59,8 @@ export type AppContextOptions = {
   moderationAgent?: AtpAgent
   reportingAgent?: AtpAgent
   entrywayAgent?: AtpAgent
+  safeFetch: Fetch
+  authProvider?: PdsOAuthProvider
   authVerifier: AuthVerifier
   plcRotationKey: crypto.Keypair
   cfg: ServerConfig
@@ -74,7 +85,9 @@ export class AppContext {
   public moderationAgent: AtpAgent | undefined
   public reportingAgent: AtpAgent | undefined
   public entrywayAgent: AtpAgent | undefined
+  public safeFetch: Fetch
   public authVerifier: AuthVerifier
+  public authProvider?: PdsOAuthProvider
   public plcRotationKey: crypto.Keypair
   public cfg: ServerConfig
 
@@ -97,7 +110,9 @@ export class AppContext {
     this.moderationAgent = opts.moderationAgent
     this.reportingAgent = opts.reportingAgent
     this.entrywayAgent = opts.entrywayAgent
+    this.safeFetch = opts.safeFetch
     this.authVerifier = opts.authVerifier
+    this.authProvider = opts.authProvider
     this.plcRotationKey = opts.plcRotationKey
     this.cfg = opts.cfg
   }
@@ -206,7 +221,12 @@ export class AppContext {
       : undefined
 
     const jwtSecretKey = createSecretKeyObject(secrets.jwtSecret)
+    const jwtPublicKey = cfg.entryway
+      ? createPublicKeyObject(cfg.entryway.jwtPublicKeyHex)
+      : null
+
     const accountManager = new AccountManager(
+      backgroundQueue,
       cfg.db.accountDbLoc,
       jwtSecretKey,
       cfg.service.did,
@@ -214,20 +234,6 @@ export class AppContext {
     )
     await accountManager.migrateOrThrow()
 
-    const jwtKey = cfg.entryway
-      ? createPublicKeyObject(cfg.entryway.jwtPublicKeyHex)
-      : jwtSecretKey
-
-    const authVerifier = new AuthVerifier(accountManager, idResolver, {
-      jwtKey, // @TODO support multiple keys?
-      adminPass: secrets.adminPassword,
-      dids: {
-        pds: cfg.service.did,
-        entryway: cfg.entryway?.did,
-        modService: cfg.modService?.did,
-      },
-    })
-
     const plcRotationKey =
       secrets.plcRotationKey.provider === 'kms'
         ? await KmsKeypair.load({
@@ -250,6 +256,64 @@ export class AppContext {
       appviewCdnUrlPattern: cfg.bskyAppView?.cdnUrlPattern,
     })
 
+    // A fetch() function that protects against SSRF attacks, large responses &
+    // known bad domains. This function can safely be used to fetch user
+    // provided URLs (unless "disableSsrfProtection" is true, of course).
+    const safeFetch = safeFetchWrap({
+      allowHttp: cfg.fetch.disableSsrfProtection,
+      responseMaxSize: 512 * 1024, // 512kB
+      ssrfProtection: !cfg.fetch.disableSsrfProtection,
+      fetch: async (input, init) => {
+        const request = input instanceof Request ? input : null
+        const method = init?.method ?? request?.method ?? 'GET'
+        const uri = request?.url ?? String(input)
+        fetchLogger.debug({ method, uri }, 'fetch')
+        return globalThis.fetch(input, init)
+      },
+    })
+
+    const authProvider = cfg.oauth.provider
+      ? new PdsOAuthProvider({
+          issuer: cfg.oauth.issuer,
+          keyset: [
+            // Note: OpenID compatibility would require an RS256 private key in this list
+            await JoseKey.fromKeyLike(jwtSecretKey, undefined, 'HS256'),
+          ],
+          accountManager,
+          actorStore,
+          localViewer,
+          redis: redisScratch,
+          dpopSecret: secrets.dpopSecret,
+          customization: cfg.oauth.provider.customization,
+          safeFetch,
+        })
+      : undefined
+
+    const oauthVerifier: OAuthVerifier =
+      authProvider ?? // OAuthProvider extends OAuthVerifier
+      new OAuthVerifier({
+        issuer: cfg.oauth.issuer,
+        keyset: [await JoseKey.fromKeyLike(jwtPublicKey!, undefined, 'ES256K')],
+        dpopSecret: secrets.dpopSecret,
+        redis: redisScratch,
+      })
+
+    const authVerifier = new AuthVerifier(
+      accountManager,
+      idResolver,
+      oauthVerifier,
+      {
+        publicUrl: cfg.service.publicUrl,
+        jwtKey: jwtPublicKey ?? jwtSecretKey,
+        adminPass: secrets.adminPassword,
+        dids: {
+          pds: cfg.service.did,
+          entryway: cfg.entryway?.did,
+          modService: cfg.modService?.did,
+        },
+      },
+    )
+
     return new AppContext({
       actorStore,
       blobstore,
@@ -269,7 +333,9 @@ export class AppContext {
       moderationAgent,
       reportingAgent,
       entrywayAgent,
+      safeFetch,
       authVerifier,
+      authProvider,
       plcRotationKey,
       cfg,
       ...(overrides ?? {}),

package/src/db/cast.ts

@@ -0,0 +1,59 @@
+export type DateISO = `${string}T${string}Z`
+export const toDateISO = (date: Date): DateISO => date.toISOString() as DateISO
+export const fromDateISO = (date: DateISO): Date => new Date(date)
+
+export type Json = string
+export const toJson = (obj: unknown): Json => {
+  const json = JSON.stringify(obj)
+  if (json === undefined) throw new TypeError('Input not JSONifyable')
+  return json as Json
+}
+export const fromJson = <T>(json: Json): T => {
+  try {
+    return JSON.parse(json) as T
+  } catch (cause) {
+    throw new TypeError('Database contains invalid JSON', { cause })
+  }
+}
+
+export type JsonArray = `[${string}]`
+export const isJsonArray = (json: string): json is JsonArray =>
+  // Although the JSON in the DB should have been encoded using toJson,
+  // there should not be any leading or trailing whitespace. We will still trim
+  // the string to protect against any manual editing of the DB.
+  json.trimStart().startsWith('[') && json.trimEnd().endsWith(']')
+export function assertJsonArray(json: string): asserts json is JsonArray {
+  if (!isJsonArray(json)) throw new TypeError('Not an Array')
+}
+export const toJsonArray = (obj: readonly unknown[]): JsonArray => {
+  const json = toJson(obj)
+  assertJsonArray(json)
+  return json as JsonArray
+}
+export const fromJsonArray = <T>(json: JsonArray): T[] => {
+  assertJsonArray(json)
+  return fromJson(json) as T[]
+}
+
+export type JsonObject = `{${string}}`
+const isJsonObject = (json: string): json is JsonObject =>
+  // Although the JSON in the DB should have been encoded using toJson,
+  // there should not be any leading or trailing whitespace. We will still trim
+  // the string to protect against any manual editing of the DB.
+  json.trimStart().startsWith('{') && json.trimEnd().endsWith('}')
+function assertJsonObject(json: string): asserts json is JsonObject {
+  if (!isJsonObject(json)) throw new TypeError('Not an Object')
+}
+export const toJsonObject = (
+  obj: Readonly<Record<string, unknown>>,
+): JsonObject => {
+  const json = toJson(obj)
+  assertJsonObject(json)
+  return json as JsonObject
+}
+export const fromJsonObject = <T extends Record<string, unknown>>(
+  json: JsonObject,
+): T => {
+  assertJsonObject(json)
+  return fromJson(json) as T
+}

package/src/db/db.ts

@@ -51,7 +51,7 @@ export class Database<Schema> {
   }
 
   async transactionNoRetry<T>(
-    fn: (db: Database<Schema>) => Promise<T>,
+    fn: (db: Database<Schema>) => T | Promise<T>,
   ): Promise<T> {
     this.assertNotTransaction()
     const leakyTxPlugin = new LeakyTxPlugin()
@@ -60,22 +60,25 @@ export class Database<Schema> {
       .transaction()
       .execute(async (txn) => {
         const dbTxn = new Database(txn)
-        const txRes = await fn(dbTxn)
-          .catch(async (err) => {
-            leakyTxPlugin.endTx()
-            // ensure that all in-flight queries are flushed & the connection is open
-            await dbTxn.db.getExecutor().provideConnection(async () => {})
-            throw err
-          })
-          .finally(() => leakyTxPlugin.endTx())
-        const hooks = dbTxn.commitHooks
-        return { hooks, txRes }
+        try {
+          const txRes = await fn(dbTxn)
+          leakyTxPlugin.endTx()
+          const hooks = dbTxn.commitHooks
+          return { hooks, txRes }
+        } catch (err) {
+          leakyTxPlugin.endTx()
+          // ensure that all in-flight queries are flushed & the connection is open
+          await txn.getExecutor().provideConnection(async () => {})
+          throw err
+        }
       })
     hooks.map((hook) => hook())
     return txRes
   }
 
-  async transaction<T>(fn: (db: Database<Schema>) => Promise<T>): Promise<T> {
+  async transaction<T>(
+    fn: (db: Database<Schema>) => T | Promise<T>,
+  ): Promise<T> {
     return retrySqlite(() => this.transactionNoRetry(fn))
   }
 

package/src/db/index.ts

@@ -1,3 +1,4 @@
 export * from './db'
+export * from './cast'
 export * from './migrator'
 export * from './util'

package/src/error.ts

@@ -1,12 +1,19 @@
 import { XRPCError } from '@atproto/xrpc-server'
 import { ErrorRequestHandler } from 'express'
 import { httpLogger as log } from './logger'
+import { OAuthError } from '@atproto/oauth-provider'
 
 export const handler: ErrorRequestHandler = (err, _req, res, next) => {
   log.error(err, 'unexpected internal server error')
   if (res.headersSent) {
     return next(err)
   }
+
+  if (err instanceof OAuthError) {
+    res.status(err.status).json(err.toJSON())
+    return
+  }
+
   const serverError = XRPCError.fromError(err)
   res.status(serverError.type).json(serverError.payload)
 }

package/src/index.ts

@@ -11,6 +11,7 @@ import events from 'events'
 import { Options as XrpcServerOptions } from '@atproto/xrpc-server'
 import { DAY, HOUR, MINUTE, SECOND } from '@atproto/common'
 import API from './api'
+import * as authRoutes from './auth-routes'
 import * as basicRoutes from './basic-routes'
 import * as wellKnown from './well-known'
 import * as error from './error'
@@ -99,6 +100,7 @@ export class PDS {
 
     server = API(server, ctx)
 
+    app.use(authRoutes.createRouter(ctx))
     app.use(basicRoutes.createRouter(ctx))
     app.use(wellKnown.createRouter(ctx))
     app.use(server.xrpc.router)

package/src/lexicon/index.ts

@@ -120,8 +120,10 @@ import * as AppBskyGraphGetRelationships from './types/app/bsky/graph/getRelatio
 import * as AppBskyGraphGetSuggestedFollowsByActor from './types/app/bsky/graph/getSuggestedFollowsByActor'
 import * as AppBskyGraphMuteActor from './types/app/bsky/graph/muteActor'
 import * as AppBskyGraphMuteActorList from './types/app/bsky/graph/muteActorList'
+import * as AppBskyGraphMuteThread from './types/app/bsky/graph/muteThread'
 import * as AppBskyGraphUnmuteActor from './types/app/bsky/graph/unmuteActor'
 import * as AppBskyGraphUnmuteActorList from './types/app/bsky/graph/unmuteActorList'
+import * as AppBskyGraphUnmuteThread from './types/app/bsky/graph/unmuteThread'
 import * as AppBskyLabelerGetServices from './types/app/bsky/labeler/getServices'
 import * as AppBskyNotificationGetUnreadCount from './types/app/bsky/notification/getUnreadCount'
 import * as AppBskyNotificationListNotifications from './types/app/bsky/notification/listNotifications'
@@ -1604,6 +1606,17 @@ export class AppBskyGraphNS {
     return this._server.xrpc.method(nsid, cfg)
   }
 
+  muteThread<AV extends AuthVerifier>(
+    cfg: ConfigOf<
+      AV,
+      AppBskyGraphMuteThread.Handler<ExtractAuth<AV>>,
+      AppBskyGraphMuteThread.HandlerReqCtx<ExtractAuth<AV>>
+    >,
+  ) {
+    const nsid = 'app.bsky.graph.muteThread' // @ts-ignore
+    return this._server.xrpc.method(nsid, cfg)
+  }
+
   unmuteActor<AV extends AuthVerifier>(
     cfg: ConfigOf<
       AV,
@@ -1625,6 +1638,17 @@ export class AppBskyGraphNS {
     const nsid = 'app.bsky.graph.unmuteActorList' // @ts-ignore
     return this._server.xrpc.method(nsid, cfg)
   }
+
+  unmuteThread<AV extends AuthVerifier>(
+    cfg: ConfigOf<
+      AV,
+      AppBskyGraphUnmuteThread.Handler<ExtractAuth<AV>>,
+      AppBskyGraphUnmuteThread.HandlerReqCtx<ExtractAuth<AV>>
+    >,
+  ) {
+    const nsid = 'app.bsky.graph.unmuteThread' // @ts-ignore
+    return this._server.xrpc.method(nsid, cfg)
+  }
 }
 
 export class AppBskyLabelerNS {

package/src/lexicon/lexicons.ts

@@ -5102,6 +5102,9 @@ export const schemaDict = {
             type: 'string',
             format: 'at-uri',
           },
+          threadMuted: {
+            type: 'boolean',
+          },
           replyDisabled: {
             type: 'boolean',
           },
@@ -7675,6 +7678,30 @@ export const schemaDict = {
       },
     },
   },
+  AppBskyGraphMuteThread: {
+    lexicon: 1,
+    id: 'app.bsky.graph.muteThread',
+    defs: {
+      main: {
+        type: 'procedure',
+        description:
+          'Mutes a thread preventing notifications from the thread and any of its children. Mutes are private in Bluesky. Requires auth.',
+        input: {
+          encoding: 'application/json',
+          schema: {
+            type: 'object',
+            required: ['root'],
+            properties: {
+              root: {
+                type: 'string',
+                format: 'at-uri',
+              },
+            },
+          },
+        },
+      },
+    },
+  },
   AppBskyGraphUnmuteActor: {
     lexicon: 1,
     id: 'app.bsky.graph.unmuteActor',
@@ -7721,6 +7748,29 @@ export const schemaDict = {
       },
     },
   },
+  AppBskyGraphUnmuteThread: {
+    lexicon: 1,
+    id: 'app.bsky.graph.unmuteThread',
+    defs: {
+      main: {
+        type: 'procedure',
+        description: 'Unmutes the specified thread. Requires auth.',
+        input: {
+          encoding: 'application/json',
+          schema: {
+            type: 'object',
+            required: ['root'],
+            properties: {
+              root: {
+                type: 'string',
+                format: 'at-uri',
+              },
+            },
+          },
+        },
+      },
+    },
+  },
   AppBskyLabelerDefs: {
     lexicon: 1,
     id: 'app.bsky.labeler.defs',
@@ -11105,8 +11155,10 @@ export const ids = {
   AppBskyGraphListitem: 'app.bsky.graph.listitem',
   AppBskyGraphMuteActor: 'app.bsky.graph.muteActor',
   AppBskyGraphMuteActorList: 'app.bsky.graph.muteActorList',
+  AppBskyGraphMuteThread: 'app.bsky.graph.muteThread',
   AppBskyGraphUnmuteActor: 'app.bsky.graph.unmuteActor',
   AppBskyGraphUnmuteActorList: 'app.bsky.graph.unmuteActorList',
+  AppBskyGraphUnmuteThread: 'app.bsky.graph.unmuteThread',
   AppBskyLabelerDefs: 'app.bsky.labeler.defs',
   AppBskyLabelerGetServices: 'app.bsky.labeler.getServices',
   AppBskyLabelerService: 'app.bsky.labeler.service',

package/src/lexicon/types/app/bsky/feed/defs.ts

@@ -49,6 +49,7 @@ export function validatePostView(v: unknown): ValidationResult {
 export interface ViewerState {
   repost?: string
   like?: string
+  threadMuted?: boolean
   replyDisabled?: boolean
   [k: string]: unknown
 }

package/src/lexicon/types/app/bsky/graph/muteThread.ts

@@ -0,0 +1,38 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import express from 'express'
+import { ValidationResult, BlobRef } from '@atproto/lexicon'
+import { lexicons } from '../../../../lexicons'
+import { isObj, hasProp } from '../../../../util'
+import { CID } from 'multiformats/cid'
+import { HandlerAuth, HandlerPipeThrough } from '@atproto/xrpc-server'
+
+export interface QueryParams {}
+
+export interface InputSchema {
+  root: string
+  [k: string]: unknown
+}
+
+export interface HandlerInput {
+  encoding: 'application/json'
+  body: InputSchema
+}
+
+export interface HandlerError {
+  status: number
+  message?: string
+}
+
+export type HandlerOutput = HandlerError | void
+export type HandlerReqCtx<HA extends HandlerAuth = never> = {
+  auth: HA
+  params: QueryParams
+  input: HandlerInput
+  req: express.Request
+  res: express.Response
+}
+export type Handler<HA extends HandlerAuth = never> = (
+  ctx: HandlerReqCtx<HA>,
+) => Promise<HandlerOutput> | HandlerOutput