@atproto/pds 0.4.33 → 0.4.35

package/src/lexicon/types/app/bsky/graph/unmuteThread.ts

@@ -0,0 +1,38 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import express from 'express'
+import { ValidationResult, BlobRef } from '@atproto/lexicon'
+import { lexicons } from '../../../../lexicons'
+import { isObj, hasProp } from '../../../../util'
+import { CID } from 'multiformats/cid'
+import { HandlerAuth, HandlerPipeThrough } from '@atproto/xrpc-server'
+
+export interface QueryParams {}
+
+export interface InputSchema {
+  root: string
+  [k: string]: unknown
+}
+
+export interface HandlerInput {
+  encoding: 'application/json'
+  body: InputSchema
+}
+
+export interface HandlerError {
+  status: number
+  message?: string
+}
+
+export type HandlerOutput = HandlerError | void
+export type HandlerReqCtx<HA extends HandlerAuth = never> = {
+  auth: HA
+  params: QueryParams
+  input: HandlerInput
+  req: express.Request
+  res: express.Response
+}
+export type Handler<HA extends HandlerAuth = never> = (
+  ctx: HandlerReqCtx<HA>,
+) => Promise<HandlerOutput> | HandlerOutput

package/src/logger.ts

@@ -1,8 +1,6 @@
-import pino from 'pino'
+import { stdSerializers } from 'pino'
 import pinoHttp from 'pino-http'
 import { subsystemLogger } from '@atproto/common'
-import * as jose from 'jose'
-import { parseBasicAuth } from './auth-verifier'
 
 export const dbLogger = subsystemLogger('pds:db')
 export const didCacheLogger = subsystemLogger('pds:did-cache')
@@ -13,44 +11,91 @@ export const mailerLogger = subsystemLogger('pds:mailer')
 export const labelerLogger = subsystemLogger('pds:labeler')
 export const crawlerLogger = subsystemLogger('pds:crawler')
 export const httpLogger = subsystemLogger('pds')
+export const fetchLogger = subsystemLogger('pds:fetch')
+export const oauthLogger = subsystemLogger('pds:oauth')
 
 export const loggerMiddleware = pinoHttp({
   logger: httpLogger,
   serializers: {
-    err: (err) => {
-      return {
-        code: err?.code,
-        message: err?.message,
-      }
-    },
-    req: (req) => {
-      const serialized = pino.stdSerializers.req(req)
-      const authHeader = serialized.headers.authorization || ''
-      let auth: string | undefined = undefined
-      if (authHeader.startsWith('Bearer ')) {
-        const token = authHeader.slice('Bearer '.length)
-        const { sub } = jose.decodeJwt(token)
-        if (sub) {
-          auth = 'Bearer ' + sub
-        } else {
-          auth = 'Bearer Invalid'
-        }
-      }
-      if (authHeader.startsWith('Basic ')) {
-        const parsed = parseBasicAuth(authHeader)
-        if (!parsed) {
-          auth = 'Basic Invalid'
-        } else {
-          auth = 'Basic ' + parsed.username
-        }
-      }
-      return {
-        ...serialized,
-        headers: {
-          ...serialized.headers,
-          authorization: auth,
-        },
-      }
-    },
+    err: errSerializer,
+    req: reqSerializer,
   },
 })
+
+function errSerializer(err: any) {
+  return {
+    code: err?.code,
+    message: err?.message,
+  }
+}
+
+function reqSerializer(req: any) {
+  const serialized = stdSerializers.req(req)
+  serialized.headers = obfuscateHeaders(serialized.headers)
+  return serialized
+}
+
+function obfuscateHeaders(headers: Record<string, string>) {
+  const obfuscatedHeaders: Record<string, string> = {}
+  for (const key in headers) {
+    if (key.toLowerCase() === 'authorization') {
+      obfuscatedHeaders[key] = obfuscateAuthHeader(headers[key])
+    } else if (key.toLowerCase() === 'dpop') {
+      obfuscatedHeaders[key] = obfuscateJws(headers[key]) || 'Invalid'
+    } else {
+      obfuscatedHeaders[key] = headers[key]
+    }
+  }
+  return obfuscatedHeaders
+}
+
+function obfuscateAuthHeader(authHeader: string): string {
+  // This is a hot path (runs on every request). Avoid using split() or regex.
+
+  const spaceIdx = authHeader.indexOf(' ')
+  if (spaceIdx === -1) return 'Invalid'
+
+  const type = authHeader.slice(0, spaceIdx)
+  switch (type.toLowerCase()) {
+    case 'bearer':
+      return `${type} ${obfuscateBearer(authHeader.slice(spaceIdx + 1))}`
+    case 'dpop':
+      return `${type} ${obfuscateJws(authHeader.slice(spaceIdx + 1)) || 'Invalid'}`
+    case 'basic':
+      return `${type} ${obfuscateBasic(authHeader.slice(spaceIdx + 1)) || 'Invalid'}`
+    default:
+      return `Invalid`
+  }
+}
+
+function obfuscateBasic(token: string): null | string {
+  if (!token) return null
+  const buffer = Buffer.from(token, 'base64')
+  if (!buffer.length) return null // Buffer.from will silently ignore invalid base64 chars
+  const authHeader = buffer.toString('utf8')
+  const colIdx = authHeader.indexOf(':')
+  if (colIdx === -1) return null
+  const username = authHeader.slice(0, colIdx)
+  return `${username}:***`
+}
+
+function obfuscateBearer(token: string): string {
+  return obfuscateJws(token) || obfuscateToken(token)
+}
+
+function obfuscateToken(token: string): string {
+  return token ? '***' : ''
+}
+
+function obfuscateJws(token: string): null | string {
+  const firstDot = token.indexOf('.')
+  if (firstDot === -1) return null
+
+  const secondDot = token.indexOf('.', firstDot + 1)
+  if (secondDot === -1) return null
+
+  if (token.indexOf('.', secondDot + 1) !== -1) return null
+
+  // Strip the signature
+  return token.slice(0, secondDot) + '.obfuscated'
+}

package/src/oauth/detailed-account-store.ts

@@ -0,0 +1,96 @@
+import {
+  AccountInfo,
+  AccountStore,
+  DeviceId,
+  LoginCredentials,
+} from '@atproto/oauth-provider'
+
+import { AccountManager } from '../account-manager/index'
+import { ActorStore } from '../actor-store/index'
+import { ProfileViewBasic } from '../lexicon/types/app/bsky/actor/defs'
+import { LocalViewerCreator } from '../read-after-write/index'
+
+/**
+ * Although the {@link AccountManager} class implements the {@link AccountStore}
+ * interface, the accounts it returns do not contain any profile information
+ * (display name, avatar, etc). This is due to the fact that the account manager
+ * does not have access to the account's repos. The {@link DetailedAccountStore}
+ * is a wrapper around the {@link AccountManager} that enriches the accounts
+ * with profile information using the account's repos through the
+ * {@link ActorStore}.
+ */
+export class DetailedAccountStore implements AccountStore {
+  constructor(
+    private accountManager: AccountManager,
+    private actorStore: ActorStore,
+    private localViewer: LocalViewerCreator,
+  ) {}
+
+  private async getProfile(did: string): Promise<ProfileViewBasic | null> {
+    // TODO: Should we cache this?
+    return this.actorStore.read(did, async (actorStoreReader) => {
+      const localViewer = this.localViewer(actorStoreReader)
+      return localViewer.getProfileBasic()
+    })
+  }
+
+  private async enrichAccountInfo(
+    accountInfo: AccountInfo,
+  ): Promise<AccountInfo> {
+    const { account } = accountInfo
+    if (!account.picture || !account.name) {
+      const profile = await this.getProfile(account.sub)
+      if (profile) {
+        account.picture ||= profile.avatar
+        account.name ||= profile.displayName
+      }
+    }
+
+    return accountInfo
+  }
+
+  async authenticateAccount(
+    credentials: LoginCredentials,
+    deviceId: DeviceId,
+  ): Promise<AccountInfo | null> {
+    const accountInfo = await this.accountManager.authenticateAccount(
+      credentials,
+      deviceId,
+    )
+    if (!accountInfo) return null
+    return this.enrichAccountInfo(accountInfo)
+  }
+
+  async addAuthorizedClient(
+    deviceId: DeviceId,
+    sub: string,
+    clientId: string,
+  ): Promise<void> {
+    return this.accountManager.addAuthorizedClient(deviceId, sub, clientId)
+  }
+
+  async getDeviceAccount(
+    deviceId: DeviceId,
+    sub: string,
+  ): Promise<AccountInfo | null> {
+    const accountInfo = await this.accountManager.getDeviceAccount(
+      deviceId,
+      sub,
+    )
+    if (!accountInfo) return null
+    return this.enrichAccountInfo(accountInfo)
+  }
+
+  async listDeviceAccounts(deviceId: DeviceId): Promise<AccountInfo[]> {
+    const accountInfos = await this.accountManager.listDeviceAccounts(deviceId)
+    return Promise.all(
+      accountInfos.map(async (accountInfo) =>
+        this.enrichAccountInfo(accountInfo),
+      ),
+    )
+  }
+
+  async removeDeviceAccount(deviceId: DeviceId, sub: string): Promise<void> {
+    return this.accountManager.removeDeviceAccount(deviceId, sub)
+  }
+}

package/src/oauth/provider.ts

@@ -0,0 +1,77 @@
+import {
+  AccessTokenType,
+  OAuthProvider,
+  OAuthProviderOptions,
+} from '@atproto/oauth-provider'
+
+import { AccountManager } from '../account-manager/index'
+import { ActorStore } from '../actor-store/index'
+import { oauthLogger } from '../logger'
+import { LocalViewerCreator } from '../read-after-write/index'
+import { DetailedAccountStore } from './detailed-account-store'
+
+export type AuthProviderOptions = {
+  accountManager: AccountManager
+  actorStore: ActorStore
+  localViewer: LocalViewerCreator
+} & Pick<
+  OAuthProviderOptions,
+  'issuer' | 'redis' | 'keyset' | 'dpopSecret' | 'customization'
+> &
+  Required<Pick<OAuthProviderOptions, 'safeFetch'>>
+
+export class PdsOAuthProvider extends OAuthProvider {
+  constructor({
+    accountManager,
+    actorStore,
+    localViewer,
+    keyset,
+    redis,
+    dpopSecret,
+    issuer,
+    customization,
+    safeFetch,
+  }: AuthProviderOptions) {
+    super({
+      issuer,
+      keyset,
+      dpopSecret,
+      redis,
+      safeFetch,
+      customization,
+      metadata: {
+        // PdsOAuthProvider is used when the PDS is both an authorization server
+        // & resource server, in which case the issuer origin is also the
+        // resource server uri.
+        protected_resources: [new URL(issuer).origin],
+      },
+
+      accountStore: new DetailedAccountStore(
+        accountManager,
+        actorStore,
+        localViewer,
+      ),
+      requestStore: accountManager,
+      deviceStore: accountManager,
+      tokenStore: accountManager,
+
+      // If the PDS is both an authorization server & resource server (no
+      // entryway), there is no need to use JWTs as access tokens. Instead,
+      // the PDS can use tokenId as access tokens. This allows the PDS to
+      // always use up-to-date token data from the token store.
+      accessTokenType: AccessTokenType.id,
+
+      onClientInfo: (clientId) => ({
+        isFirstParty: clientId === 'https://bsky.app/',
+        // @TODO make client client list configurable:
+        isTrusted: undefined,
+      }),
+    })
+  }
+
+  createRouter() {
+    return this.httpHandler({
+      onError: (req, res, err, message) => oauthLogger.error({ err }, message),
+    })
+  }
+}

package/src/pipethrough.ts

@@ -22,7 +22,8 @@ export const proxyHandler = (ctx: AppContext): CatchallHandler => {
       const { url, aud } = await formatUrlAndAud(ctx, req)
       const auth = await accessStandard({ req })
       const headers = await formatHeaders(ctx, req, aud, auth.credentials.did)
-      const body = stream.Readable.toWeb(req)
+      const body: webStream.ReadableStream<Uint8Array> =
+        stream.Readable.toWeb(req)
       const reqInit = formatReqInit(req, headers, body)
       const proxyRes = await makeRequest(url, reqInit)
       await pipeProxyRes(proxyRes, res)
@@ -113,7 +114,7 @@ export const formatHeaders = async (
 const formatReqInit = (
   req: express.Request,
   headers: Record<string, string>,
-  body?: Uint8Array | ReadableStream,
+  body?: Uint8Array | webStream.ReadableStream<Uint8Array>,
 ): RequestInit => {
   if (req.method === 'GET') {
     return {

package/tests/preferences.test.ts

@@ -1,11 +1,13 @@
 import { TestNetworkNoAppView, SeedClient } from '@atproto/dev-env'
 import AtpAgent from '@atproto/api'
 import usersSeed from './seeds/users'
+import { AuthScope } from '../dist/auth-verifier'
 
 describe('user preferences', () => {
   let network: TestNetworkNoAppView
   let agent: AtpAgent
   let sc: SeedClient
+  let appPassHeaders: { authorization: string }
 
   beforeAll(async () => {
     network = await TestNetworkNoAppView.create({
@@ -14,6 +16,16 @@ describe('user preferences', () => {
     agent = network.pds.getClient()
     sc = network.getSeedClient()
     await usersSeed(sc)
+    const appPass = await network.pds.ctx.accountManager.createAppPassword(
+      sc.dids.alice,
+      'test app pass',
+      false,
+    )
+    const res = await agent.com.atproto.server.createSession({
+      identifier: sc.dids.alice,
+      password: appPass.password,
+    })
+    appPassHeaders = { authorization: `Bearer ${res.data.accessJwt}` }
   })
 
   afterAll(async () => {
@@ -46,6 +58,7 @@ describe('user preferences', () => {
       store.pref.putPreferences(
         [{ $type: 'com.atproto.server.defs#unknown' }],
         'com.atproto',
+        AuthScope.Access,
       ),
     )
     const { data } = await agent.api.app.bsky.actor.getPreferences(
@@ -96,7 +109,7 @@ describe('user preferences', () => {
     // Ensure other prefs were not clobbered
     const otherPrefs = await network.pds.ctx.actorStore.read(
       sc.dids.alice,
-      (store) => store.pref.getPreferences('com.atproto'),
+      (store) => store.pref.getPreferences('com.atproto', AuthScope.Access),
     )
     expect(otherPrefs).toEqual([{ $type: 'com.atproto.server.defs#unknown' }])
   })
@@ -178,4 +191,57 @@ describe('user preferences', () => {
       'Input/preferences/1 must be an object which includes the "$type" property',
     )
   })
+
+  it('does not read permissioned preferences with an app password', async () => {
+    await agent.api.app.bsky.actor.putPreferences(
+      {
+        preferences: [
+          {
+            $type: 'app.bsky.actor.defs#personalDetailsPref',
+            birthDate: new Date().toISOString(),
+          },
+        ],
+      },
+      { headers: sc.getHeaders(sc.dids.alice), encoding: 'application/json' },
+    )
+    const res = await agent.api.app.bsky.actor.getPreferences(
+      {},
+      { headers: appPassHeaders },
+    )
+    expect(res.data.preferences).toEqual([])
+  })
+
+  it('does not write permissioned preferences with an app password', async () => {
+    const tryPut = agent.api.app.bsky.actor.putPreferences(
+      {
+        preferences: [
+          {
+            $type: 'app.bsky.actor.defs#personalDetailsPref',
+            birthDate: new Date().toISOString(),
+          },
+        ],
+      },
+      { headers: appPassHeaders, encoding: 'application/json' },
+    )
+    await expect(tryPut).rejects.toThrow(
+      /Do not have authorization to set preferences/,
+    )
+  })
+
+  it('does not remove permissioned preferences with an app password', async () => {
+    await agent.api.app.bsky.actor.putPreferences(
+      {
+        preferences: [],
+      },
+      { headers: appPassHeaders, encoding: 'application/json' },
+    )
+    const res = await agent.api.app.bsky.actor.getPreferences(
+      {},
+      { headers: sc.getHeaders(sc.dids.alice) },
+    )
+    const scopedPref = res.data.preferences.find(
+      (pref) => pref.$type === 'app.bsky.actor.defs#personalDetailsPref',
+    )
+    expect(scopedPref).toBeDefined()
+  })
 })

package/tests/proxied/__snapshots__/feedgen.test.ts.snap

@@ -59,7 +59,9 @@ Object {
         "replyCount": 0,
         "repostCount": 0,
         "uri": "record(0)",
-        "viewer": Object {},
+        "viewer": Object {
+          "threadMuted": false,
+        },
       },
     },
     Object {
@@ -178,6 +180,7 @@ Object {
         "uri": "record(2)",
         "viewer": Object {
           "like": "record(8)",
+          "threadMuted": false,
         },
       },
     },