@atproto/pds 0.4.34 → 0.4.36

package/src/account-manager/helpers/token.ts

@@ -0,0 +1,185 @@
+import {
+  Code,
+  NewTokenData,
+  OAuthAuthorizationDetail,
+  RefreshToken,
+  TokenData,
+  TokenId,
+  TokenInfo,
+} from '@atproto/oauth-provider'
+import { Selectable } from 'kysely'
+import {
+  fromDateISO,
+  fromJsonArray,
+  fromJsonObject,
+  toDateISO,
+  toJsonArray,
+  toJsonObject,
+} from '../../db'
+import { AccountDb, Token } from '../db'
+import { ActorAccount, selectAccountQB } from './account'
+import {
+  SelectableDeviceAccount,
+  toAccount,
+  toDeviceAccountInfo,
+} from './device-account'
+
+type LeftJoined<T> = { [K in keyof T]: null | T[K] }
+
+export type ActorAccountToken = Selectable<ActorAccount> &
+  Selectable<Omit<Token, 'id' | 'did'>> &
+  LeftJoined<SelectableDeviceAccount>
+
+export const toTokenInfo = (
+  row: ActorAccountToken,
+  audience: string,
+): TokenInfo => ({
+  id: row.tokenId,
+  data: {
+    createdAt: fromDateISO(row.createdAt),
+    expiresAt: fromDateISO(row.expiresAt),
+    updatedAt: fromDateISO(row.updatedAt),
+    clientId: row.clientId,
+    clientAuth: fromJsonObject(row.clientAuth),
+    deviceId: row.deviceId,
+    sub: row.did,
+    parameters: fromJsonObject(row.parameters),
+    details: row.details
+      ? fromJsonArray<OAuthAuthorizationDetail>(row.details)
+      : null,
+    code: row.code,
+  },
+  account: toAccount(row, audience),
+  info:
+    row.authenticatedAt != null &&
+    row.authorizedClients != null &&
+    row.remember != null
+      ? toDeviceAccountInfo(row as SelectableDeviceAccount)
+      : undefined,
+  currentRefreshToken: row.currentRefreshToken,
+})
+
+const selectTokenInfoQB = (db: AccountDb) =>
+  selectAccountQB(db, { includeDeactivated: true })
+    // uses "token_did_idx" index (though unlikely in practice)
+    .innerJoin('token', 'token.did', 'actor.did')
+    .leftJoin('device_account', (join) =>
+      join
+        // uses "device_account_pk" index
+        .on('device_account.did', '=', 'token.did')
+        // @ts-expect-error "deviceId" is nullable in token
+        .on('device_account.deviceId', '=', 'token.deviceId'),
+    )
+    .select([
+      'token.tokenId',
+      'token.createdAt',
+      'token.updatedAt',
+      'token.expiresAt',
+      'token.clientId',
+      'token.clientAuth',
+      'token.deviceId',
+      'token.did',
+      'token.parameters',
+      'token.details',
+      'token.code',
+      'token.currentRefreshToken',
+      'device_account.authenticatedAt',
+      'device_account.authorizedClients',
+      'device_account.remember',
+    ])
+
+export const createQB = (
+  db: AccountDb,
+  tokenId: TokenId,
+  data: TokenData,
+  refreshToken?: RefreshToken,
+) =>
+  db.db.insertInto('token').values({
+    tokenId,
+    createdAt: toDateISO(data.createdAt),
+    expiresAt: toDateISO(data.expiresAt),
+    updatedAt: toDateISO(data.updatedAt),
+    clientId: data.clientId,
+    clientAuth: toJsonObject(data.clientAuth),
+    deviceId: data.deviceId,
+    did: data.sub,
+    parameters: toJsonObject(data.parameters),
+    details: data.details ? toJsonArray(data.details) : null,
+    code: data.code,
+    currentRefreshToken: refreshToken || null,
+  })
+
+export const forRotateQB = (db: AccountDb, id: TokenId) =>
+  db.db
+    .selectFrom('token')
+    .where('tokenId', '=', id)
+    .where('currentRefreshToken', 'is not', null)
+    .select(['id', 'currentRefreshToken'])
+
+export const findByQB = (
+  db: AccountDb,
+  search: {
+    id?: number
+    code?: Code
+    tokenId?: TokenId
+    currentRefreshToken?: RefreshToken
+  },
+) => {
+  if (
+    search.id === undefined &&
+    search.code === undefined &&
+    search.tokenId === undefined &&
+    search.currentRefreshToken === undefined
+  ) {
+    // Prevent accidental scan
+    throw new TypeError('At least one search parameter is required')
+  }
+
+  return selectTokenInfoQB(db)
+    .if(search.id !== undefined, (qb) =>
+      // uses primary key index
+      qb.where('token.id', '=', search.id!),
+    )
+    .if(search.code !== undefined, (qb) =>
+      // uses "token_code_idx" partial index (hence the null check)
+      qb
+        .where('token.code', '=', search.code!)
+        .where('token.code', 'is not', null),
+    )
+    .if(search.tokenId !== undefined, (qb) =>
+      // uses "token_token_id_idx"
+      qb.where('token.tokenId', '=', search.tokenId!),
+    )
+    .if(search.currentRefreshToken !== undefined, (qb) =>
+      // uses "token_refresh_token_unique_idx"
+      qb.where('token.currentRefreshToken', '=', search.currentRefreshToken!),
+    )
+}
+
+export const removeByDidQB = (db: AccountDb, did: string) =>
+  // uses "token_did_idx" index
+  db.db.deleteFrom('token').where('did', '=', did)
+
+export const rotateQB = (
+  db: AccountDb,
+  id: number,
+  newTokenId: TokenId,
+  newRefreshToken: RefreshToken,
+  newData: NewTokenData,
+) =>
+  db.db
+    .updateTable('token')
+    .set({
+      tokenId: newTokenId,
+      currentRefreshToken: newRefreshToken,
+
+      expiresAt: toDateISO(newData.expiresAt),
+      updatedAt: toDateISO(newData.updatedAt),
+      clientAuth: toJsonObject(newData.clientAuth),
+    })
+    // uses primary key index
+    .where('id', '=', id)
+
+export const removeQB = (db: AccountDb, tokenId: TokenId) =>
+  // uses "used_refresh_token_fk" to cascade delete
+  db.db.deleteFrom('token').where('tokenId', '=', tokenId)

package/src/account-manager/helpers/used-refresh-token.ts

@@ -0,0 +1,30 @@
+import { RefreshToken } from '@atproto/oauth-provider'
+import { AccountDb } from '../db'
+
+/**
+ * Note that the used refresh tokens will be removed once the token is revoked.
+ * This is done through the foreign key constraint in the database.
+ */
+export const insertQB = (
+  db: AccountDb,
+  tokenId: number,
+  refreshToken: RefreshToken,
+) =>
+  db.db
+    .insertInto('used_refresh_token')
+    .values({ tokenId, refreshToken })
+    .onConflict((oc) => oc.doNothing())
+
+export const findByTokenQB = (db: AccountDb, refreshToken: RefreshToken) =>
+  db.db
+    .selectFrom('used_refresh_token')
+    // uses primary key index
+    .where('refreshToken', '=', refreshToken)
+    .select('tokenId')
+
+export const countQB = (db: AccountDb, refreshToken: RefreshToken) =>
+  db.db
+    .selectFrom('used_refresh_token')
+    // uses primary key index
+    .where('refreshToken', '=', refreshToken)
+    .select((qb) => qb.fn.count<number>('refreshToken').as('count'))

package/src/account-manager/index.ts

@@ -1,25 +1,57 @@
-import { KeyObject } from 'node:crypto'
-import { HOUR } from '@atproto/common'
+import { HOUR, wait } from '@atproto/common'
+import {
+  AccountInfo,
+  AccountStore,
+  Code,
+  DeviceData,
+  DeviceId,
+  DeviceStore,
+  FoundRequestResult,
+  LoginCredentials,
+  NewTokenData,
+  RefreshToken,
+  RequestData,
+  RequestId,
+  RequestStore,
+  TokenData,
+  TokenId,
+  TokenInfo,
+  TokenStore,
+  UpdateRequestData,
+} from '@atproto/oauth-provider'
+import { AuthRequiredError } from '@atproto/xrpc-server'
 import { CID } from 'multiformats/cid'
+import { KeyObject } from 'node:crypto'
+
+import { AuthScope } from '../auth-verifier'
+import { BackgroundQueue } from '../background'
+import { softDeleted } from '../db'
+import { StatusAttr } from '../lexicon/types/com/atproto/admin/defs'
 import { AccountDb, EmailTokenPurpose, getDb, getMigrator } from './db'
-import * as scrypt from './helpers/scrypt'
 import * as account from './helpers/account'
-import { AccountStatus } from './helpers/account'
-import { ActorAccount } from './helpers/account'
-import * as repo from './helpers/repo'
+import { AccountStatus, ActorAccount } from './helpers/account'
 import * as auth from './helpers/auth'
+import * as authRequest from './helpers/authorization-request'
+import * as deviceAccount from './helpers/device-account'
+import * as device from './helpers/device'
+import * as emailToken from './helpers/email-token'
 import * as invite from './helpers/invite'
 import * as password from './helpers/password'
-import * as emailToken from './helpers/email-token'
-import { AuthScope } from '../auth-verifier'
-import { StatusAttr } from '../lexicon/types/com/atproto/admin/defs'
+import * as repo from './helpers/repo'
+import * as scrypt from './helpers/scrypt'
+import * as token from './helpers/token'
+import * as usedRefreshToken from './helpers/used-refresh-token'
 
 export { AccountStatus } from './helpers/account'
+export { formatAccountStatus } from './helpers/account'
 
-export class AccountManager {
+export class AccountManager
+  implements AccountStore, RequestStore, DeviceStore, TokenStore
+{
   db: AccountDb
 
   constructor(
+    private backgroundQueue: BackgroundQueue,
     dbLocation: string,
     private jwtKey: KeyObject,
     private serviceDid: string,
@@ -73,15 +105,9 @@ export class AccountManager {
       includeDeactivated: true,
       includeTakenDown: true,
     })
-    if (!got) {
-      return AccountStatus.Deleted
-    } else if (got.takedownRef) {
-      return AccountStatus.Takendown
-    } else if (got.deactivatedAt) {
-      return AccountStatus.Deactivated
-    } else {
-      return AccountStatus.Active
-    }
+
+    const res = account.formatAccountStatus(got)
+    return res.active ? AccountStatus.Active : res.status
   }
 
   async createAccount(opts: {
@@ -148,10 +174,11 @@ export class AccountManager {
   }
 
   async takedownAccount(did: string, takedown: StatusAttr) {
-    await this.db.transaction((dbTxn) =>
+    await this.db.transaction(async (dbTxn) =>
       Promise.all([
         account.updateAccountTakedownStatus(dbTxn, did, takedown),
         auth.revokeRefreshTokensByDid(dbTxn, did),
+        token.removeByDidQB(dbTxn, did).execute(),
       ]),
     )
   }
@@ -250,6 +277,63 @@ export class AccountManager {
     return auth.revokeRefreshToken(this.db, id)
   }
 
+  // Login
+  // ----------
+
+  async login({
+    identifier,
+    password,
+  }: {
+    identifier: string
+    password: string
+  }): Promise<{
+    user: ActorAccount
+    appPassword: password.AppPassDescript | null
+  }> {
+    const start = Date.now()
+    try {
+      const identifierNormalized = identifier.toLowerCase()
+
+      const user = identifierNormalized.includes('@')
+        ? await this.getAccountByEmail(identifierNormalized, {
+            includeDeactivated: true,
+            includeTakenDown: true,
+          })
+        : await this.getAccount(identifierNormalized, {
+            includeDeactivated: true,
+            includeTakenDown: true,
+          })
+
+      if (!user) {
+        throw new AuthRequiredError('Invalid identifier or password')
+      }
+
+      let appPassword: password.AppPassDescript | null = null
+      const validAccountPass = await this.verifyAccountPassword(
+        user.did,
+        password,
+      )
+      if (!validAccountPass) {
+        appPassword = await this.verifyAppPassword(user.did, password)
+        if (appPassword === null) {
+          throw new AuthRequiredError('Invalid identifier or password')
+        }
+      }
+
+      if (softDeleted(user)) {
+        throw new AuthRequiredError(
+          'Account has been taken down',
+          'AccountTakedown',
+        )
+      }
+
+      return { user, appPassword }
+    } finally {
+      // Mitigate timing attacks
+      await wait(350 - (Date.now() - start))
+    }
+  }
+
   // Passwords
   // ----------
 
@@ -399,4 +483,225 @@ export class AccountManager {
       ]),
     )
   }
+
+  // AccountStore
+
+  async authenticateAccount(
+    { username: identifier, password, remember = false }: LoginCredentials,
+    deviceId: DeviceId,
+  ): Promise<AccountInfo | null> {
+    try {
+      const { user, appPassword } = await this.login({ identifier, password })
+
+      if (appPassword) {
+        throw new AuthRequiredError('App passwords are not allowed')
+      }
+
+      await this.db.executeWithRetry(
+        deviceAccount.createOrUpdateQB(this.db, deviceId, user.did, remember),
+      )
+
+      return await this.getDeviceAccount(deviceId, user.did)
+    } catch (err) {
+      if (err instanceof AuthRequiredError) return null
+      throw err
+    }
+  }
+
+  async addAuthorizedClient(
+    deviceId: DeviceId,
+    sub: string,
+    clientId: string,
+  ): Promise<void> {
+    await this.db.transaction(async (dbTxn) => {
+      const row = await deviceAccount
+        .readQB(dbTxn, deviceId, sub)
+        .executeTakeFirstOrThrow()
+
+      const { authorizedClients } = deviceAccount.toDeviceAccountInfo(row)
+      if (!authorizedClients.includes(clientId)) {
+        await deviceAccount
+          .updateQB(dbTxn, deviceId, sub, {
+            authorizedClients: [...authorizedClients, clientId],
+          })
+          .execute()
+      }
+    })
+  }
+
+  async getDeviceAccount(
+    deviceId: DeviceId,
+    sub: string,
+  ): Promise<AccountInfo | null> {
+    const row = await deviceAccount
+      .getAccountInfoQB(this.db, deviceId, sub)
+      .executeTakeFirst()
+
+    if (!row) return null
+
+    return {
+      account: deviceAccount.toAccount(row, this.serviceDid),
+      info: deviceAccount.toDeviceAccountInfo(row),
+    }
+  }
+
+  async listDeviceAccounts(deviceId: DeviceId): Promise<AccountInfo[]> {
+    const rows = await deviceAccount
+      .listRememberedQB(this.db, deviceId)
+      .execute()
+
+    return rows.map((row) => ({
+      account: deviceAccount.toAccount(row, this.serviceDid),
+      info: deviceAccount.toDeviceAccountInfo(row),
+    }))
+  }
+
+  async removeDeviceAccount(deviceId: DeviceId, sub: string): Promise<void> {
+    await this.db.executeWithRetry(
+      deviceAccount.removeQB(this.db, deviceId, sub),
+    )
+  }
+
+  // RequestStore
+
+  async createRequest(id: RequestId, data: RequestData): Promise<void> {
+    await this.db.executeWithRetry(authRequest.createQB(this.db, id, data))
+  }
+
+  async readRequest(id: RequestId): Promise<RequestData | null> {
+    try {
+      const row = await authRequest.readQB(this.db, id).executeTakeFirst()
+      if (!row) return null
+      return authRequest.rowToRequestData(row)
+    } finally {
+      // Take the opportunity to clean up expired requests. Do this after we got
+      // the current (potentially expired) request data to allow the provider to
+      // handle expired requests.
+      this.backgroundQueue.add(async () => {
+        await this.db.executeWithRetry(authRequest.removeOldExpiredQB(this.db))
+      })
+    }
+  }
+
+  async updateRequest(id: RequestId, data: UpdateRequestData): Promise<void> {
+    await this.db.executeWithRetry(authRequest.updateQB(this.db, id, data))
+  }
+
+  async deleteRequest(id: RequestId): Promise<void> {
+    await this.db.executeWithRetry(authRequest.removeByIdQB(this.db, id))
+  }
+
+  async findRequestByCode(code: Code): Promise<FoundRequestResult | null> {
+    const row = await authRequest.findByCodeQB(this.db, code).executeTakeFirst()
+    return row ? authRequest.rowToFoundRequestResult(row) : null
+  }
+
+  // DeviceStore
+
+  async createDevice(deviceId: DeviceId, data: DeviceData): Promise<void> {
+    await this.db.executeWithRetry(device.createQB(this.db, deviceId, data))
+  }
+
+  async readDevice(deviceId: DeviceId): Promise<null | DeviceData> {
+    const row = await device.readQB(this.db, deviceId).executeTakeFirst()
+    return row ? device.rowToDeviceData(row) : null
+  }
+
+  async updateDevice(
+    deviceId: DeviceId,
+    data: Partial<DeviceData>,
+  ): Promise<void> {
+    await this.db.executeWithRetry(device.updateQB(this.db, deviceId, data))
+  }
+
+  async deleteDevice(deviceId: DeviceId): Promise<void> {
+    // Will cascade to device_account (device_account_device_id_fk)
+    await this.db.executeWithRetry(device.removeQB(this.db, deviceId))
+  }
+
+  // TokenStore
+
+  async createToken(
+    id: TokenId,
+    data: TokenData,
+    refreshToken?: RefreshToken,
+  ): Promise<void> {
+    await this.db.transaction(async (dbTxn) => {
+      if (refreshToken) {
+        const { count } = await usedRefreshToken
+          .countQB(dbTxn, refreshToken)
+          .executeTakeFirstOrThrow()
+
+        if (count > 0) {
+          throw new Error('Refresh token already in use')
+        }
+      }
+
+      return token.createQB(dbTxn, id, data, refreshToken).execute()
+    })
+  }
+
+  async readToken(tokenId: TokenId): Promise<TokenInfo | null> {
+    const row = await token.findByQB(this.db, { tokenId }).executeTakeFirst()
+    return row ? token.toTokenInfo(row, this.serviceDid) : null
+  }
+
+  async deleteToken(tokenId: TokenId): Promise<void> {
+    // Will cascade to used_refresh_token (used_refresh_token_fk)
+    await this.db.executeWithRetry(token.removeQB(this.db, tokenId))
+  }
+
+  async rotateToken(
+    tokenId: TokenId,
+    newTokenId: TokenId,
+    newRefreshToken: RefreshToken,
+    newData: NewTokenData,
+  ): Promise<void> {
+    const err = await this.db.transaction(async (dbTxn) => {
+      const { id, currentRefreshToken } = await token
+        .forRotateQB(dbTxn, tokenId)
+        .executeTakeFirstOrThrow()
+
+      if (currentRefreshToken) {
+        await usedRefreshToken
+          .insertQB(dbTxn, id, currentRefreshToken)
+          .execute()
+      }
+
+      const { count } = await usedRefreshToken
+        .countQB(dbTxn, newRefreshToken)
+        .executeTakeFirstOrThrow()
+
+      if (count > 0) {
+        // Do NOT throw (we don't want the transaction to be rolled back)
+        return new Error('New refresh token already in use')
+      }
+
+      await token
+        .rotateQB(dbTxn, id, newTokenId, newRefreshToken, newData)
+        .execute()
+    })
+
+    if (err) throw err
+  }
+
+  async findTokenByRefreshToken(
+    refreshToken: RefreshToken,
+  ): Promise<TokenInfo | null> {
+    const used = await usedRefreshToken
+      .findByTokenQB(this.db, refreshToken)
+      .executeTakeFirst()
+
+    const search = used
+      ? { id: used.tokenId }
+      : { currentRefreshToken: refreshToken }
+
+    const row = await token.findByQB(this.db, search).executeTakeFirst()
+    return row ? token.toTokenInfo(row, this.serviceDid) : null
+  }
+
+  async findTokenByCode(code: Code): Promise<TokenInfo | null> {
+    const row = await token.findByQB(this.db, { code }).executeTakeFirst()
+    return row ? token.toTokenInfo(row, this.serviceDid) : null
+  }
 }

package/src/actor-store/preference/reader.ts

@@ -17,7 +17,7 @@ export class PreferenceReader {
     return prefsRes
       .filter((pref) => !namespace || prefMatchNamespace(namespace, pref.name))
       .filter((pref) => prefInScope(scope, pref.name))
-      .map((pref) => JSON.parse(pref.valueJson))
+      .map((pref) => JSON.parse(pref.valueJson) as AccountPreference)
   }
 }
 

package/src/api/com/atproto/server/createSession.ts

@@ -1,12 +1,11 @@
 import { DAY, MINUTE } from '@atproto/common'
 import { INVALID_HANDLE } from '@atproto/syntax'
-import { AuthRequiredError } from '@atproto/xrpc-server'
+
+import { formatAccountStatus } from '../../../../account-manager'
 import AppContext from '../../../../context'
-import { softDeleted } from '../../../../db/util'
 import { Server } from '../../../../lexicon'
-import { didDocForSession } from './util'
 import { authPassthru, resultPassthru } from '../../../proxy'
-import { AppPassDescript } from '../../../../account-manager/helpers/password'
+import { didDocForSession } from './util'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.createSession({
@@ -32,50 +31,15 @@ export default function (server: Server, ctx: AppContext) {
         )
       }
 
-      const { password } = input.body
-      const identifier = input.body.identifier.toLowerCase()
-
-      const user = identifier.includes('@')
-        ? await ctx.accountManager.getAccountByEmail(identifier, {
-            includeDeactivated: true,
-            includeTakenDown: true,
-          })
-        : await ctx.accountManager.getAccount(identifier, {
-            includeDeactivated: true,
-            includeTakenDown: true,
-          })
-
-      if (!user) {
-        throw new AuthRequiredError('Invalid identifier or password')
-      }
-
-      let appPassword: AppPassDescript | null = null
-      const validAccountPass = await ctx.accountManager.verifyAccountPassword(
-        user.did,
-        password,
-      )
-      if (!validAccountPass) {
-        appPassword = await ctx.accountManager.verifyAppPassword(
-          user.did,
-          password,
-        )
-        if (appPassword === null) {
-          throw new AuthRequiredError('Invalid identifier or password')
-        }
-      }
-
-      if (softDeleted(user)) {
-        throw new AuthRequiredError(
-          'Account has been taken down',
-          'AccountTakedown',
-        )
-      }
+      const { user, appPassword } = await ctx.accountManager.login(input.body)
 
       const [{ accessJwt, refreshJwt }, didDoc] = await Promise.all([
         ctx.accountManager.createSession(user.did, appPassword),
         didDocForSession(ctx, user.did),
       ])
 
+      const { status, active } = formatAccountStatus(user)
+
       return {
         encoding: 'application/json',
         body: {
@@ -86,8 +50,8 @@ export default function (server: Server, ctx: AppContext) {
           emailConfirmed: !!user.emailConfirmedAt,
           accessJwt,
           refreshJwt,
-          active: user.active,
-          status: user.status,
+          active,
+          status,
         },
       }
     },