@atproto/pds 0.4.34 → 0.4.35
- package/CHANGELOG.md +10 -0
- package/dist/account-manager/db/migrations/004-oauth.d.ts +4 -0
- package/dist/account-manager/db/migrations/004-oauth.d.ts.map +1 -0
- package/dist/account-manager/db/migrations/004-oauth.js +106 -0
- package/dist/account-manager/db/migrations/004-oauth.js.map +1 -0
- package/dist/account-manager/db/migrations/index.d.ts +2 -0
- package/dist/account-manager/db/migrations/index.d.ts.map +1 -1
- package/dist/account-manager/db/migrations/index.js +2 -0
- package/dist/account-manager/db/migrations/index.js.map +1 -1
- package/dist/account-manager/db/schema/authorization-request.d.ts +19 -0
- package/dist/account-manager/db/schema/authorization-request.d.ts.map +1 -0
- package/dist/account-manager/db/schema/authorization-request.js +5 -0
- package/dist/account-manager/db/schema/authorization-request.js.map +1 -0
- package/dist/account-manager/db/schema/device-account.d.ts +14 -0
- package/dist/account-manager/db/schema/device-account.d.ts.map +1 -0
- package/dist/account-manager/db/schema/device-account.js +5 -0
- package/dist/account-manager/db/schema/device-account.js.map +1 -0
- package/dist/account-manager/db/schema/device.d.ts +16 -0
- package/dist/account-manager/db/schema/device.d.ts.map +1 -0
- package/dist/account-manager/db/schema/device.js +5 -0
- package/dist/account-manager/db/schema/device.js.map +1 -0
- package/dist/account-manager/db/schema/index.d.ts +11 -1
- package/dist/account-manager/db/schema/index.d.ts.map +1 -1
- package/dist/account-manager/db/schema/token.d.ts +24 -0
- package/dist/account-manager/db/schema/token.d.ts.map +1 -0
- package/dist/account-manager/db/schema/token.js +5 -0
- package/dist/account-manager/db/schema/token.js.map +1 -0
- package/dist/account-manager/db/schema/used-refresh-token.d.ts +12 -0
- package/dist/account-manager/db/schema/used-refresh-token.d.ts.map +1 -0
- package/dist/account-manager/db/schema/used-refresh-token.js +5 -0
- package/dist/account-manager/db/schema/used-refresh-token.js.map +1 -0
- package/dist/account-manager/helpers/account.d.ts +27 -5
- package/dist/account-manager/helpers/account.d.ts.map +1 -1
- package/dist/account-manager/helpers/account.js +15 -14
- package/dist/account-manager/helpers/account.js.map +1 -1
- package/dist/account-manager/helpers/authorization-request.d.ts +12 -0
- package/dist/account-manager/helpers/authorization-request.d.ts.map +1 -0
- package/dist/account-manager/helpers/authorization-request.js +59 -0
- package/dist/account-manager/helpers/authorization-request.js.map +1 -0
- package/dist/account-manager/helpers/device-account.d.ts +108 -0
- package/dist/account-manager/helpers/device-account.d.ts.map +1 -0
- package/dist/account-manager/helpers/device-account.js +82 -0
- package/dist/account-manager/helpers/device-account.js.map +1 -0
- package/dist/account-manager/helpers/device.d.ts +9 -0
- package/dist/account-manager/helpers/device.d.ts.map +1 -0
- package/dist/account-manager/helpers/device.js +32 -0
- package/dist/account-manager/helpers/device.js.map +1 -0
- package/dist/account-manager/helpers/token.d.ts +485 -0
- package/dist/account-manager/helpers/token.d.ts.map +1 -0
- package/dist/account-manager/helpers/token.js +123 -0
- package/dist/account-manager/helpers/token.js.map +1 -0
- package/dist/account-manager/helpers/used-refresh-token.d.ts +10 -0
- package/dist/account-manager/helpers/used-refresh-token.d.ts.map +1 -0
- package/dist/account-manager/helpers/used-refresh-token.js +25 -0
- package/dist/account-manager/helpers/used-refresh-token.js.map +1 -0
- package/dist/account-manager/index.d.ts +36 -6
- package/dist/account-manager/index.d.ts.map +1 -1
- package/dist/account-manager/index.js +223 -22
- package/dist/account-manager/index.js.map +1 -1
- package/dist/actor-store/preference/reader.js.map +1 -1
- package/dist/actor-store/record/reader.d.ts +1 -1
- package/dist/api/app/bsky/util/resolver.d.ts +1 -1
- package/dist/api/com/atproto/server/createSession.d.ts.map +1 -1
- package/dist/api/com/atproto/server/createSession.js +7 -31
- package/dist/api/com/atproto/server/createSession.js.map +1 -1
- package/dist/api/com/atproto/server/deleteSession.d.ts.map +1 -1
- package/dist/api/com/atproto/server/deleteSession.js +14 -13
- package/dist/api/com/atproto/server/deleteSession.js.map +1 -1
- package/dist/api/com/atproto/server/getSession.d.ts.map +1 -1
- package/dist/api/com/atproto/server/getSession.js +4 -2
- package/dist/api/com/atproto/server/getSession.js.map +1 -1
- package/dist/api/com/atproto/server/refreshSession.d.ts.map +1 -1
- package/dist/api/com/atproto/server/refreshSession.js +4 -2
- package/dist/api/com/atproto/server/refreshSession.js.map +1 -1
- package/dist/api/com/atproto/sync/getRepoStatus.d.ts.map +1 -1
- package/dist/api/com/atproto/sync/getRepoStatus.js +2 -1
- package/dist/api/com/atproto/sync/getRepoStatus.js.map +1 -1
- package/dist/api/com/atproto/sync/listRepos.js +2 -2
- package/dist/api/com/atproto/sync/listRepos.js.map +1 -1
- package/dist/api/proxy.d.ts.map +1 -1
- package/dist/api/proxy.js +15 -2
- package/dist/api/proxy.js.map +1 -1
- package/dist/auth-routes.d.ts +4 -0
- package/dist/auth-routes.d.ts.map +1 -0
- package/dist/auth-routes.js +24 -0
- package/dist/auth-routes.js.map +1 -0
- package/dist/auth-verifier.d.ts +32 -11
- package/dist/auth-verifier.d.ts.map +1 -1
- package/dist/auth-verifier.js +238 -79
- package/dist/auth-verifier.js.map +1 -1
- package/dist/config/config.d.ts +12 -0
- package/dist/config/config.d.ts.map +1 -1
- package/dist/config/config.js +45 -0
- package/dist/config/config.js.map +1 -1
- package/dist/config/env.d.ts +8 -0
- package/dist/config/env.d.ts.map +1 -1
- package/dist/config/env.js +10 -0
- package/dist/config/env.js.map +1 -1
- package/dist/config/secrets.d.ts +1 -0
- package/dist/config/secrets.d.ts.map +1 -1
- package/dist/config/secrets.js +1 -0
- package/dist/config/secrets.js.map +1 -1
- package/dist/context.d.ts +6 -0
- package/dist/context.d.ts.map +1 -1
- package/dist/context.js +71 -13
- package/dist/context.js.map +1 -1
- package/dist/db/cast.d.ts +15 -0
- package/dist/db/cast.d.ts.map +1 -0
- package/dist/db/cast.js +66 -0
- package/dist/db/cast.js.map +1 -0
- package/dist/db/db.d.ts +2 -2
- package/dist/db/db.d.ts.map +1 -1
- package/dist/db/db.js +9 -7
- package/dist/db/db.js.map +1 -1
- package/dist/db/index.d.ts +1 -0
- package/dist/db/index.d.ts.map +1 -1
- package/dist/db/index.js +1 -0
- package/dist/db/index.js.map +1 -1
- package/dist/error.d.ts.map +1 -1
- package/dist/error.js +5 -0
- package/dist/error.js.map +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -0
- package/dist/index.js.map +1 -1
- package/dist/logger.d.ts +13 -11
- package/dist/logger.d.ts.map +1 -1
- package/dist/logger.js +80 -64
- package/dist/logger.js.map +1 -1
- package/dist/oauth/detailed-account-store.d.ts +27 -0
- package/dist/oauth/detailed-account-store.d.ts.map +1 -0
- package/dist/oauth/detailed-account-store.js +76 -0
- package/dist/oauth/detailed-account-store.js.map +1 -0
- package/dist/oauth/provider.d.ts +16 -0
- package/dist/oauth/provider.d.ts.map +1 -0
- package/dist/oauth/provider.js +45 -0
- package/dist/oauth/provider.js.map +1 -0
- package/dist/pipethrough.d.ts.map +1 -1
- package/dist/pipethrough.js.map +1 -1
- package/dist/sequencer/events.d.ts +2 -2
- package/example.env +21 -3
- package/package.json +6 -4
- package/src/account-manager/db/migrations/004-oauth.ts +122 -0
- package/src/account-manager/db/migrations/index.ts +2 -0
- package/src/account-manager/db/schema/authorization-request.ts +26 -0
- package/src/account-manager/db/schema/device-account.ts +15 -0
- package/src/account-manager/db/schema/device.ts +18 -0
- package/src/account-manager/db/schema/index.ts +15 -0
- package/src/account-manager/db/schema/token.ts +34 -0
- package/src/account-manager/db/schema/used-refresh-token.ts +13 -0
- package/src/account-manager/helpers/account.ts +16 -21
- package/src/account-manager/helpers/authorization-request.ts +82 -0
- package/src/account-manager/helpers/device-account.ts +135 -0
- package/src/account-manager/helpers/device.ts +45 -0
- package/src/account-manager/helpers/token.ts +185 -0
- package/src/account-manager/helpers/used-refresh-token.ts +30 -0
- package/src/account-manager/index.ts +325 -20
- package/src/actor-store/preference/reader.ts +1 -1
- package/src/api/com/atproto/server/createSession.ts +8 -44
- package/src/api/com/atproto/server/deleteSession.ts +14 -20
- package/src/api/com/atproto/server/getSession.ts +7 -2
- package/src/api/com/atproto/server/refreshSession.ts +6 -2
- package/src/api/com/atproto/sync/getRepoStatus.ts +3 -1
- package/src/api/com/atproto/sync/listRepos.ts +1 -1
- package/src/api/proxy.ts +18 -2
- package/src/auth-routes.ts +27 -0
- package/src/auth-verifier.ts +312 -92
- package/src/config/config.ts +66 -0
- package/src/config/env.ts +24 -0
- package/src/config/secrets.ts +2 -0
- package/src/context.ts +80 -14
- package/src/db/cast.ts +59 -0
- package/src/db/db.ts +15 -12
- package/src/db/index.ts +1 -0
- package/src/error.ts +7 -0
- package/src/index.ts +2 -0
- package/src/logger.ts +83 -38
- package/src/oauth/detailed-account-store.ts +96 -0
- package/src/oauth/provider.ts +77 -0
- package/src/pipethrough.ts +3 -2
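--- /dev/null
+++ b/package/src/account-manager/db/migrations/004-oauth.ts
@@ -0,0 +1,122 @@
+import { Kysely, sql } from 'kysely'
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+await db.schema
+.createTable('authorization_request')
+.addColumn('id', 'varchar', (col) => col.primaryKey())
+.addColumn('did', 'varchar')
+.addColumn('deviceId', 'varchar')
+.addColumn('clientId', 'varchar', (col) => col.notNull())
+.addColumn('clientAuth', 'varchar', (col) => col.notNull())
+.addColumn('parameters', 'varchar', (col) => col.notNull())
+.addColumn('expiresAt', 'varchar', (col) => col.notNull())
+.addColumn('code', 'varchar')
+.execute()
+
+await db.schema
+.createIndex('authorization_request_code_idx')
+.unique()
+.on('authorization_request')
+// https://github.com/kysely-org/kysely/issues/302
+.expression(sql`code DESC) WHERE (code IS NOT NULL`)
+.execute()
+
+await db.schema
+.createIndex('authorization_request_expires_at_idx')
+.on('authorization_request')
+.column('expiresAt')
+.execute()
+
+await db.schema
+.createTable('device')
+.addColumn('id', 'varchar', (col) => col.primaryKey())
+.addColumn('sessionId', 'varchar', (col) => col.notNull())
+.addColumn('userAgent', 'varchar')
+.addColumn('ipAddress', 'varchar', (col) => col.notNull())
+.addColumn('lastSeenAt', 'varchar', (col) => col.notNull())
+.addUniqueConstraint('device_session_id_idx', ['sessionId'])
+.execute()
+
+await db.schema
+.createTable('device_account')
+.addColumn('did', 'varchar', (col) => col.notNull())
+.addColumn('deviceId', 'varchar', (col) => col.notNull())
+.addColumn('authenticatedAt', 'varchar', (col) => col.notNull())
+.addColumn('remember', 'boolean', (col) => col.notNull())
+.addColumn('authorizedClients', 'varchar', (col) => col.notNull())
+.addPrimaryKeyConstraint('device_account_pk', [
+'deviceId', // first because this table will be joined from the "device" table
+'did',
+])
+.addForeignKeyConstraint(
+'device_account_device_id_fk',
+['deviceId'],
+'device',
+['id'],
+(qb) => qb.onDelete('cascade').onUpdate('cascade'),
+)
+.execute()
+
+await db.schema
+.createTable('token')
+.addColumn('id', 'integer', (col) => col.primaryKey().autoIncrement())
+.addColumn('did', 'varchar', (col) => col.notNull())
+.addColumn('tokenId', 'varchar', (col) => col.notNull())
+.addColumn('createdAt', 'varchar', (col) => col.notNull())
+.addColumn('updatedAt', 'varchar', (col) => col.notNull())
+.addColumn('expiresAt', 'varchar', (col) => col.notNull())
+.addColumn('clientId', 'varchar', (col) => col.notNull())
+.addColumn('clientAuth', 'varchar', (col) => col.notNull())
+.addColumn('deviceId', 'varchar')
+.addColumn('parameters', 'varchar', (col) => col.notNull())
+.addColumn('details', 'varchar')
+.addColumn('code', 'varchar')
+.addColumn('currentRefreshToken', 'varchar')
+.addUniqueConstraint('token_current_refresh_token_unique_idx', [
+'currentRefreshToken',
+])
+.addUniqueConstraint('token_id_unique_idx', ['tokenId'])
+.execute()
+
+await db.schema
+.createIndex('token_did_idx')
+.on('token')
+.column('did')
+.execute()
+
+await db.schema
+.createIndex('token_code_idx')
+.unique()
+.on('token')
+// https://github.com/kysely-org/kysely/issues/302
+.expression(sql`code DESC) WHERE (code IS NOT NULL`)
+.execute()
+
+await db.schema
+.createTable('used_refresh_token')
+.addColumn('refreshToken', 'varchar', (col) => col.primaryKey())
+.addColumn('tokenId', 'integer', (col) => col.notNull())
+.addForeignKeyConstraint(
+'used_refresh_token_fk',
+['tokenId'],
+'token',
+['id'],
+// uses "used_refresh_token_id_idx" index (when cascading)
+(qb) => qb.onDelete('cascade').onUpdate('cascade'),
+)
+.execute()
+
+await db.schema
+.createIndex('used_refresh_token_id_idx')
+.on('used_refresh_token')
+.column('tokenId')
+.execute()
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+await db.schema.dropTable('used_refresh_token').execute()
+await db.schema.dropTable('token').execute()
+await db.schema.dropTable('device_account').execute()
+await db.schema.dropTable('device').execute()
+await db.schema.dropTable('authorization_request').execute()
+}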
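Review bot: The two partial unique indexes (lines 21 and 92) are built by injecting `code DESC) WHERE (code IS NOT NULL` through `sql` so that the parentheses Kysely emits around `.expression()` close and reopen around the fragment; this only keeps working while Kysely wraps the expression exactly that way and while the backend accepts partial indexes (SQLite and Postgres do, MySQL does not), so a Kysely upgrade could silently turn both statements into invalid DDL. I would record the expected output next to each one, e.g. `// emits "... (code DESC) WHERE (code IS NOT NULL)": a partial unique index; relies on Kysely wrapping .expression() in parens`, and, if the pinned Kysely version supports `CreateIndexBuilder.where`, replace the fragment with `.column('code').where('code', 'is not', null)`. Separately, `token.currentRefreshToken` and `used_refresh_token.refreshToken` store the bearer secrets themselves, so any read of the account database yields live refresh tokens; if the provider library can look tokens up by digest, storing a hash here would limit the blast radius of a database leak.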
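--- a/package/src/account-manager/db/migrations/index.ts
+++ b/package/src/account-manager/db/migrations/index.ts
@@ -1,9 +1,11 @@
 import * as mig001 from './001-init'
 import * as mig002 from './002-account-deactivation'
 import * as mig003 from './003-privileged-app-passwords'
+import * as mig004 from './004-oauth'
 
 export default {
 '001': mig001,
 '002': mig002,
 '003': mig003,
+'004': mig004,
 }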
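--- /dev/null
+++ b/package/src/account-manager/db/schema/authorization-request.ts
@@ -0,0 +1,26 @@
+import {
+Code,
+DeviceId,
+OAuthClientId,
+RequestId,
+} from '@atproto/oauth-provider'
+import { Selectable } from 'kysely'
+import { DateISO, JsonObject } from '../../../db'
+
+export interface AuthorizationRequest {
+id: RequestId
+did: string | null
+deviceId: DeviceId | null
+
+clientId: OAuthClientId
+clientAuth: JsonObject
+parameters: JsonObject
+expiresAt: DateISO
+code: Code | null
+}
+
+export type AuthorizationRequestEntry = Selectable<AuthorizationRequest>
+
+export const tableName = 'authorization_request'
+
+export type PartialDB = { [tableName]: AuthorizationRequest }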
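--- /dev/null
+++ b/package/src/account-manager/db/schema/device-account.ts
@@ -0,0 +1,15 @@
+import { DeviceId } from '@atproto/oauth-provider'
+import { DateISO, JsonArray } from '../../../db'
+
+export interface DeviceAccount {
+did: string
+deviceId: DeviceId
+
+authenticatedAt: DateISO
+authorizedClients: JsonArray
+remember: 0 | 1
+}
+
+export const tableName = 'device_account'
+
+export type PartialDB = { [tableName]: DeviceAccount }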
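--- /dev/null
+++ b/package/src/account-manager/db/schema/device.ts
@@ -0,0 +1,18 @@
+import { DeviceId, SessionId } from '@atproto/oauth-provider'
+import { Selectable } from 'kysely'
+import { DateISO } from '../../../db'
+
+export interface Device {
+id: DeviceId
+sessionId: SessionId
+
+userAgent: string | null
+ipAddress: string
+lastSeenAt: DateISO
+}
+
+export type DeviceEntry = Selectable<Device>
+
+export const tableName = 'device'
+
+export type PartialDB = { [tableName]: Device }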
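Review bot: `ipAddress` and `userAgent` on `Device` (lines 9-10) are request-derived personal data that, as far as this schema shows, live as long as the device row, and nothing on the interface says where they come from or that they must be treated as untrusted input. A short TSDoc on the interface would save the next maintainer from guessing, for example `/** One browser/device session known to the OAuth provider. ipAddress and userAgent are presumably copied from the client request: untrusted, and PII with the same lifetime as the row. */`.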
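--- a/package/src/account-manager/db/schema/index.ts
+++ b/package/src/account-manager/db/schema/index.ts
@@ -1,5 +1,10 @@
 import * as actor from './actor'
 import * as account from './account'
+import * as device from './device'
+import * as deviceAccount from './device-account'
+import * as oauthRequest from './authorization-request'
+import * as token from './token'
+import * as usedRefreshToken from './used-refresh-token'
 import * as repoRoot from './repo-root'
 import * as refreshToken from './refresh-token'
 import * as appPassword from './app-password'
@@ -8,6 +13,11 @@ import * as emailToken from './email-token'
 
 export type DatabaseSchema = actor.PartialDB &
 account.PartialDB &
+device.PartialDB &
+deviceAccount.PartialDB &
+oauthRequest.PartialDB &
+token.PartialDB &
+usedRefreshToken.PartialDB &
 refreshToken.PartialDB &
 appPassword.PartialDB &
 repoRoot.PartialDB &
@@ -16,6 +26,11 @@ export type DatabaseSchema = actor.PartialDB &
 
 export type { Actor, ActorEntry } from './actor'
 export type { Account, AccountEntry } from './account'
+export type { Device } from './device'
+export type { DeviceAccount } from './device-account'
+export type { AuthorizationRequest } from './authorization-request'
+export type { Token } from './token'
+export type { UsedRefreshToken } from './used-refresh-token'
 export type { RepoRoot } from './repo-root'
 export type { RefreshToken } from './refresh-token'
 export type { AppPassword } from './app-password'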
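--- /dev/null
+++ b/package/src/account-manager/db/schema/token.ts
@@ -0,0 +1,34 @@
+import {
+Code,
+DeviceId,
+OAuthClientId,
+RefreshToken,
+Sub,
+TokenId,
+} from '@atproto/oauth-provider'
+import { Generated, Selectable } from 'kysely'
+
+import { DateISO, JsonArray, JsonObject } from '../../../db/cast'
+
+export interface Token {
+id: Generated<number>
+did: Sub
+
+tokenId: TokenId
+createdAt: DateISO
+updatedAt: DateISO
+expiresAt: DateISO
+clientId: OAuthClientId
+clientAuth: JsonObject
+deviceId: DeviceId | null
+parameters: JsonObject
+details: JsonArray | null
+code: Code | null
+currentRefreshToken: RefreshToken | null
+}
+
+export type TokenEntry = Selectable<Token>
+
+export const tableName = 'token'
+
+export type PartialDB = { [tableName]: Token }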
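Review bot: Line 11 imports `DateISO`/`JsonArray`/`JsonObject` from `'../../../db/cast'` while the sibling schema files in this same change import the same names from the `'../../../db'` barrel, so a later move of `cast.ts` breaks this file alone; change it to `import { DateISO, JsonArray, JsonObject } from '../../../db'`. In the same spirit, `did` is typed `Sub` here but `string` in `AuthorizationRequest` and `DeviceAccount`; if `Sub` is a branded string, the brand is silently widened wherever these columns are joined, so pick one type for the column across the three schemas.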
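--- /dev/null
+++ b/package/src/account-manager/db/schema/used-refresh-token.ts
@@ -0,0 +1,13 @@
+import { RefreshToken } from '@atproto/oauth-provider'
+import { Selectable } from 'kysely'
+
+export interface UsedRefreshToken {
+tokenId: number
+refreshToken: RefreshToken
+}
+
+export type UsedRefreshTokenEntry = Selectable<UsedRefreshToken>
+
+export const tableName = 'used_refresh_token'
+
+export type PartialDB = { [tableName]: UsedRefreshToken }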
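--- a/package/src/account-manager/helpers/account.ts
+++ b/package/src/account-manager/helpers/account.ts
@@ -9,8 +9,6 @@ export type ActorAccount = ActorEntry & {
 email: string | null
 emailConfirmedAt: string | null
 invitesDisabled: 0 | 1 | null
-active: boolean
-status?: AccountStatus
 }
 
 export type AvailabilityFlags = {
@@ -26,7 +24,7 @@ export enum AccountStatus {
 Deactivated = 'deactivated',
 }
 
-const selectAccountQB = (db: AccountDb, flags?: AvailabilityFlags) => {
+export const selectAccountQB = (db: AccountDb, flags?: AvailabilityFlags) => {
 const { includeTakenDown = false, includeDeactivated = false } = flags ?? {}
 const { ref } = db.db.dynamic
 return db.db
@@ -63,7 +61,7 @@ export const getAccount = async (
 }
 })
 .executeTakeFirst()
-return found
+return found || null
 }
 
 export const getAccountByEmail = async (
@@ -74,7 +72,7 @@ export const getAccountByEmail = async (
 const found = await selectAccountQB(db, flags)
 .where('email', '=', email.toLowerCase())
 .executeTakeFirst()
-return found
+return found || null
 }
 
 export const registerActor = async (
@@ -267,22 +265,19 @@ export const activateAccount = async (db: AccountDb, did: string) => {
 )
 }
 
-export const formatAccountStatus = (
-
-
-
-
-
-
-
-if (account.takedownRef) {
-status
+export const formatAccountStatus = (
+account: null | {
+takedownRef: string | null
+deactivatedAt: string | null
+},
+) => {
+if (!account) {
+return { active: false, status: AccountStatus.Deleted } as const
+} else if (account.takedownRef) {
+return { active: false, status: AccountStatus.Takendown } as const
 } else if (account.deactivatedAt) {
-status
-}
-
-return {
-active,
-status,
+return { active: false, status: AccountStatus.Deactivated } as const
+} else {
+return { active: true, status: undefined } as const
 }
 }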
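Review bot: `formatAccountStatus` (new lines 268-283) now maps a `null` account to `AccountStatus.Deleted`, so a DID that never existed on this PDS is reported with exactly the same status as one that was deleted; that is a reasonable fail-closed answer, but nothing documents it, and callers that feed it the new `null` from `getAccount`/`getAccountByEmail` inherit the ambiguity without being told. Add a TSDoc above it such as `/** Public account status. A null account (no row) is reported as Deleted on purpose, so callers cannot distinguish never-existed from deleted DIDs. */`. In `getAccount` and `getAccountByEmail`, `return found || null` is safe only because a row is always an object; `return found ?? null` states the intent and would not misbehave if the select ever returned a falsy scalar. Note that several removed lines of the old `formatAccountStatus` render blank on this page, so the old signature is not fully visible here.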
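--- /dev/null
+++ b/package/src/account-manager/helpers/authorization-request.ts
@@ -0,0 +1,82 @@
+import {
+Code,
+FoundRequestResult,
+RequestData,
+RequestId,
+UpdateRequestData,
+} from '@atproto/oauth-provider'
+import { AccountDb, AuthorizationRequest } from '../db'
+import { fromDateISO, fromJsonObject, toDateISO, toJsonObject } from '../../db'
+import { Insertable, Selectable } from 'kysely'
+
+export const rowToRequestData = (
+row: Selectable<AuthorizationRequest>,
+): RequestData => ({
+clientId: row.clientId,
+clientAuth: fromJsonObject(row.clientAuth),
+parameters: fromJsonObject(row.parameters),
+expiresAt: fromDateISO(row.expiresAt),
+deviceId: row.deviceId,
+sub: row.did,
+code: row.code,
+})
+
+export const rowToFoundRequestResult = (
+row: Selectable<AuthorizationRequest>,
+): FoundRequestResult => ({
+id: row.id,
+data: rowToRequestData(row),
+})
+
+const requestDataToRow = (
+id: RequestId,
+data: RequestData,
+): Insertable<AuthorizationRequest> => ({
+id,
+did: data.sub,
+deviceId: data.deviceId,
+
+clientId: data.clientId,
+clientAuth: toJsonObject(data.clientAuth),
+parameters: toJsonObject(data.parameters),
+expiresAt: toDateISO(data.expiresAt),
+code: data.code,
+})
+
+export const createQB = (db: AccountDb, id: RequestId, data: RequestData) =>
+db.db.insertInto('authorization_request').values(requestDataToRow(id, data))
+
+export const readQB = (db: AccountDb, id: RequestId) =>
+db.db.selectFrom('authorization_request').where('id', '=', id).selectAll()
+
+export const updateQB = (
+db: AccountDb,
+id: RequestId,
+{ code, sub, deviceId, expiresAt }: UpdateRequestData,
+) =>
+db.db
+.updateTable('authorization_request')
+.if(code !== undefined, (qb) => qb.set({ code }))
+.if(sub !== undefined, (qb) => qb.set({ did: sub }))
+.if(deviceId !== undefined, (qb) => qb.set({ deviceId }))
+.if(expiresAt != null, (qb) => qb.set({ expiresAt: toDateISO(expiresAt!) }))
+.where('id', '=', id)
+
+export const removeOldExpiredQB = (db: AccountDb, delay = 600e3) =>
+// We allow some delay for the expiration time so that expired requests
+// can still be returned to the OAuthProvider library for error handling.
+db.db
+.deleteFrom('authorization_request')
+// uses "authorization_request_expires_at_idx" index
+.where('expiresAt', '<', toDateISO(new Date(Date.now() - delay)))
+
+export const removeByIdQB = (db: AccountDb, id: RequestId) =>
+db.db.deleteFrom('authorization_request').where('id', '=', id)
+
+export const findByCodeQB = (db: AccountDb, code: Code) =>
+db.db
+.selectFrom('authorization_request')
+// uses "authorization_request_code_idx" partial index (hence the null check)
+.where('code', '=', code)
+.where('code', 'is not', null)
+.selectAll()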
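Review bot: `updateQB` (lines 52-63) only ever adds a SET clause inside the four `.if(...)` guards, so a call in which `code`, `sub` and `deviceId` are all `undefined` and `expiresAt` is `null` compiles to an `UPDATE … WHERE id = ?` with no assignments, which the database rejects at execution time instead of being a harmless no-op; either require at least one field in the caller or document that contract on the function. `removeOldExpiredQB` (line 71) and the `findByCodeQB` index both depend on lexicographic comparison of `expiresAt` strings, which is only correct while every stored value comes from the same `toDateISO` (presumably `Date#toISOString`, fixed width, UTC `Z`; confirm in `db/cast.ts`), and that invariant deserves a comment such as `// string "<" is a valid time order only because toDateISO emits fixed-width UTC ISO-8601`. The `expiresAt!` assertion on line 62 can go if the guard narrows a local first, e.g. `const exp = expiresAt` then `.if(exp != null, (qb) => qb.set({ expiresAt: toDateISO(exp!) }))` is no gain, so simply keep the assertion but note why it is safe in a trailing comment.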
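--- /dev/null
+++ b/package/src/account-manager/helpers/device-account.ts
@@ -0,0 +1,135 @@
+import {
+Account,
+DeviceAccountInfo,
+DeviceId,
+OAuthClientId,
+} from '@atproto/oauth-provider'
+import { Insertable, Selectable } from 'kysely'
+
+import { fromDateISO, fromJsonArray, toDateISO, toJsonArray } from '../../db'
+import { AccountDb } from '../db'
+import { DeviceAccount } from '../db/schema/device-account'
+import { ActorAccount, selectAccountQB } from './account'
+
+export type SelectableDeviceAccount = Pick<
+Selectable<DeviceAccount>,
+'authenticatedAt' | 'authorizedClients' | 'remember'
+>
+
+const selectAccountInfoQB = (db: AccountDb, deviceId: DeviceId) =>
+selectAccountQB(db, { includeDeactivated: true })
+// note: query planner should use "device_account_pk" index
+.innerJoin('device_account', 'device_account.did', 'actor.did')
+.innerJoin('device', 'device.id', 'device_account.deviceId')
+.where('device.id', '=', deviceId)
+.select([
+'device_account.authenticatedAt',
+'device_account.remember',
+'device_account.authorizedClients',
+])
+
+export type InsertableField = {
+authenticatedAt: Date
+authorizedClients: OAuthClientId[]
+remember: boolean
+}
+
+function toInsertable<V extends Partial<InsertableField>>(
+values: V,
+): Pick<Insertable<DeviceAccount>, keyof V & keyof Insertable<DeviceAccount>>
+function toInsertable(
+values: Partial<InsertableField>,
+): Partial<Insertable<DeviceAccount>> {
+const row: Partial<Insertable<DeviceAccount>> = {}
+if (values.authenticatedAt) {
+row.authenticatedAt = toDateISO(values.authenticatedAt)
+}
+if (values.remember !== undefined) {
+row.remember = values.remember === true ? 1 : 0
+}
+if (values.authorizedClients) {
+row.authorizedClients = toJsonArray(values.authorizedClients)
+}
+return row
+}
+
+export function toDeviceAccountInfo(
+row: SelectableDeviceAccount,
+): DeviceAccountInfo {
+return {
+remembered: row.remember === 1,
+authenticatedAt: fromDateISO(row.authenticatedAt),
+authorizedClients: fromJsonArray<OAuthClientId>(row.authorizedClients),
+}
+}
+
+export function toAccount(
+row: Selectable<ActorAccount>,
+audience: string,
+): Account {
+return {
+sub: row.did,
+aud: audience,
+email: row.email || undefined,
+email_verified: row.email ? row.emailConfirmedAt != null : undefined,
+preferred_username: row.handle || undefined,
+}
+}
+
+export const readQB = (db: AccountDb, deviceId: DeviceId, did: string) =>
+db.db
+.selectFrom('device_account')
+.where('did', '=', did)
+.where('deviceId', '=', deviceId)
+.select(['remember', 'authorizedClients', 'authenticatedAt'])
+
+export const updateQB = (
+db: AccountDb,
+deviceId: DeviceId,
+did: string,
+entry: {
+authenticatedAt?: Date
+authorizedClients?: OAuthClientId[]
+remember?: boolean
+},
+) =>
+db.db
+.updateTable('device_account')
+.set(toInsertable(entry))
+.where('did', '=', did)
+.where('deviceId', '=', deviceId)
+
+export const createOrUpdateQB = (
+db: AccountDb,
+deviceId: DeviceId,
+did: string,
+remember: boolean,
+) => {
+const { authorizedClients, ...values } = toInsertable({
+remember,
+authenticatedAt: new Date(),
+authorizedClients: [],
+})
+
+return db.db
+.insertInto('device_account')
+.values({ did, deviceId, authorizedClients, ...values })
+.onConflict((oc) => oc.columns(['deviceId', 'did']).doUpdateSet(values))
+}
+
+export const getAccountInfoQB = (
+db: AccountDb,
+deviceId: DeviceId,
+did: string,
+) => {
+return selectAccountInfoQB(db, deviceId).where('actor.did', '=', did)
+}
+
+export const listRememberedQB = (db: AccountDb, deviceId: DeviceId) =>
+selectAccountInfoQB(db, deviceId).where('device_account.remember', '=', 1)
+
+export const removeQB = (db: AccountDb, deviceId: DeviceId, did: string) =>
+db.db
+.deleteFrom('device_account')
+.where('deviceId', '=', deviceId)
+.where('did', '=', did)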
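Review bot: In `createOrUpdateQB` (lines 102-118) the conflict branch updates only `remember` and `authenticatedAt`, because `authorizedClients` is destructured out of `values` before `doUpdateSet`, so re-authenticating on a known device keeps the previously granted client list instead of resetting it to `[]`; that is the right behaviour for consent persistence, but nothing in the code says it is deliberate and a future "fix" could wipe or, worse, resurrect consents. Add `// on re-auth keep the already authorized clients; only the auth time and the "remember" flag are refreshed` above the `.onConflict` call. Separately, `selectAccountInfoQB` (line 20) passes only `includeDeactivated: true`, so a taken-down account silently vanishes from `listRememberedQB` and `getAccountInfoQB` while its `device_account` row stays behind; that fail-closed choice also deserves a one-line comment so nobody later adds `includeTakenDown: true` to "fix" the missing entry.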
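--- /dev/null
+++ b/package/src/account-manager/helpers/device.ts
@@ -0,0 +1,45 @@
+import { DeviceId, DeviceData } from '@atproto/oauth-provider'
+import { AccountDb, Device } from '../db'
+import { fromDateISO, toDateISO } from '../../db'
+import { Selectable } from 'kysely'
+
+export const rowToDeviceData = (row: Selectable<Device>): DeviceData => ({
+sessionId: row.sessionId,
+userAgent: row.userAgent,
+ipAddress: row.ipAddress,
+lastSeenAt: fromDateISO(row.lastSeenAt),
+})
+
+export const createQB = (
+db: AccountDb,
+deviceId: DeviceId,
+{ sessionId, userAgent, ipAddress, lastSeenAt }: DeviceData,
+) =>
+db.db.insertInto('device').values({
+id: deviceId,
+sessionId,
+userAgent,
+ipAddress,
+lastSeenAt: toDateISO(lastSeenAt),
+})
+
+export const readQB = (db: AccountDb, deviceId: DeviceId) =>
+db.db.selectFrom('device').where('id', '=', deviceId).selectAll()
+
+export const updateQB = (
+db: AccountDb,
+deviceId: DeviceId,
+{ sessionId, userAgent, ipAddress, lastSeenAt }: Partial<DeviceData>,
+) =>
+db.db
+.updateTable('device')
+.if(sessionId != null, (qb) => qb.set({ sessionId }))
+.if(userAgent != null, (qb) => qb.set({ userAgent }))
+.if(ipAddress != null, (qb) => qb.set({ ipAddress }))
+.if(lastSeenAt != null, (qb) =>
+qb.set({ lastSeenAt: toDateISO(lastSeenAt!) }),
+)
+.where('id', '=', deviceId)
+
+export const removeQB = (db: AccountDb, deviceId: DeviceId) =>
+db.db.deleteFrom('device').where('id', '=', deviceId)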
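Review bot: `updateQB` (lines 29-42) guards every field with `!= null`, so passing `userAgent: null`, which `Partial<DeviceData>` explicitly allows since the column is nullable, is silently ignored and a stored user agent can never be cleared, and a call with all four fields absent produces an UPDATE with no SET clause that the database will reject at execution time. Use `.if(userAgent !== undefined, (qb) => qb.set({ userAgent }))` for the nullable field and either document or enforce that at least one field is present. `ipAddress` and `userAgent` are presumably copied from request headers by the provider, i.e. attacker-controlled strings written here without any length bound; if the library does not cap them, truncating `userAgent` before `createQB`/`updateQB` (a few hundred characters is plenty for its purpose) keeps a hostile client from padding the `device` table at will.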