@atproto/pds 0.4.34 → 0.4.36

package/src/api/com/atproto/server/deleteSession.ts

@@ -1,28 +1,22 @@
-import { AuthScope } from '../../../../auth-verifier'
 import AppContext from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { authPassthru } from '../../../proxy'
 
 export default function (server: Server, ctx: AppContext) {
-  server.com.atproto.server.deleteSession(async ({ req }) => {
-    if (ctx.entrywayAgent) {
-      await ctx.entrywayAgent.com.atproto.server.deleteSession(
+  const { entrywayAgent } = ctx
+  if (entrywayAgent) {
+    server.com.atproto.server.deleteSession(async (reqCtx) => {
+      await entrywayAgent.com.atproto.server.deleteSession(
         undefined,
-        authPassthru(req, true),
+        authPassthru(reqCtx.req, true),
       )
-      return
-    }
-
-    const result = await ctx.authVerifier.validateBearerToken(
-      req,
-      [AuthScope.Refresh],
-      { clockTolerance: Infinity }, // ignore expiration
-    )
-    const id = result.payload.jti
-    if (!id) {
-      throw new Error('Unexpected missing refresh token id')
-    }
-
-    await ctx.accountManager.revokeRefreshToken(id)
-  })
+    })
+  } else {
+    server.com.atproto.server.deleteSession({
+      auth: ctx.authVerifier.refreshExpired,
+      handler: async ({ auth }) => {
+        await ctx.accountManager.revokeRefreshToken(auth.credentials.tokenId)
+      },
+    })
+  }
 }

package/src/api/com/atproto/server/getSession.ts

@@ -1,5 +1,7 @@
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { INVALID_HANDLE } from '@atproto/syntax'
+
+import { formatAccountStatus } from '../../../../account-manager'
 import AppContext from '../../../../context'
 import { Server } from '../../../../lexicon'
 import { authPassthru, resultPassthru } from '../../../proxy'
@@ -31,6 +33,9 @@ export default function (server: Server, ctx: AppContext) {
           `Could not find user info for account: ${did}`,
         )
       }
+
+      const { status, active } = formatAccountStatus(user)
+
       return {
         encoding: 'application/json',
         body: {
@@ -39,8 +44,8 @@ export default function (server: Server, ctx: AppContext) {
           email: user.email ?? undefined,
           didDoc,
           emailConfirmed: !!user.emailConfirmedAt,
-          active: user.active,
-          status: user.status,
+          active,
+          status,
         },
       }
     },

package/src/api/com/atproto/server/refreshSession.ts

@@ -1,5 +1,7 @@
 import { INVALID_HANDLE } from '@atproto/syntax'
 import { AuthRequiredError, InvalidRequestError } from '@atproto/xrpc-server'
+
+import { formatAccountStatus } from '../../../../account-manager'
 import AppContext from '../../../../context'
 import { softDeleted } from '../../../../db/util'
 import { Server } from '../../../../lexicon'
@@ -44,6 +46,8 @@ export default function (server: Server, ctx: AppContext) {
         throw new InvalidRequestError('Token has been revoked', 'ExpiredToken')
       }
 
+      const { status, active } = formatAccountStatus(user)
+
       return {
         encoding: 'application/json',
         body: {
@@ -52,8 +56,8 @@ export default function (server: Server, ctx: AppContext) {
           handle: user.handle ?? INVALID_HANDLE,
           accessJwt: rotated.accessJwt,
           refreshJwt: rotated.refreshJwt,
-          active: user.active,
-          status: user.status,
+          active,
+          status,
         },
       }
     },

package/src/api/com/atproto/sync/getRepoStatus.ts

@@ -1,13 +1,15 @@
 import { Server } from '../../../../lexicon'
 import AppContext from '../../../../context'
 import { assertRepoAvailability } from './util'
+import { formatAccountStatus } from '../../../../account-manager'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.getRepoStatus({
     handler: async ({ params }) => {
       const { did } = params
       const account = await assertRepoAvailability(ctx, did, true)
-      const { active, status } = account
+
+      const { active, status } = formatAccountStatus(account)
 
       let rev: string | undefined = undefined
       if (active) {

package/src/api/com/atproto/sync/listRepos.ts

@@ -2,7 +2,7 @@ import { InvalidRequestError } from '@atproto/xrpc-server'
 import { Server } from '../../../../lexicon'
 import AppContext from '../../../../context'
 import { Cursor, GenericKeyset, paginate } from '../../../../db/pagination'
-import { formatAccountStatus } from '../../../../account-manager/helpers/account'
+import { formatAccountStatus } from '../../../../account-manager'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.sync.listRepos(async ({ params }) => {

package/src/api/proxy.ts

@@ -1,4 +1,5 @@
 import { Headers } from '@atproto/xrpc'
+import { InvalidRequestError } from '@atproto/xrpc-server'
 import { IncomingMessage } from 'node:http'
 
 export const resultPassthru = <T>(result: { headers: Headers; data: T }) => {
@@ -24,9 +25,24 @@ export function authPassthru(
   | undefined
 
 export function authPassthru(req: IncomingMessage, withEncoding?: boolean) {
-  if (req.headers.authorization) {
+  const { authorization } = req.headers
+
+  if (authorization) {
+    // DPoP requests are bound to the endpoint being called. Allowing them to be
+    // proxied would require that the receiving end allows DPoP proof not
+    // created for him. Since proxying is mainly there to support legacy
+    // clients, and DPoP is a new feature, we don't support DPoP requests
+    // through the proxy.
+
+    // This is fine since app views are usually called using the requester's
+    // credentials when "auth.credentials.type === 'access'", which is the only
+    // case were DPoP is used.
+    if (authorization.startsWith('DPoP ') || req.headers['dpop']) {
+      throw new InvalidRequestError('DPoP requests cannot be proxied')
+    }
+
     return {
-      headers: { authorization: req.headers.authorization },
+      headers: { authorization },
       encoding: withEncoding ? 'application/json' : undefined,
     }
   }

package/src/auth-routes.ts

@@ -0,0 +1,27 @@
+import { oauthProtectedResourceMetadataSchema } from '@atproto/oauth-provider'
+import { Router } from 'express'
+
+import AppContext from './context'
+
+export const createRouter = ({ authProvider, cfg }: AppContext): Router => {
+  const router = Router()
+
+  const oauthProtectedResourceMetadata =
+    oauthProtectedResourceMetadataSchema.parse({
+      resource: cfg.service.publicUrl,
+      authorization_servers: [cfg.entryway?.url ?? cfg.service.publicUrl],
+      bearer_methods_supported: ['header'],
+      scopes_supported: ['profile', 'email', 'phone'],
+      resource_documentation: 'https://atproto.com',
+    })
+
+  router.get('/.well-known/oauth-protected-resource', (req, res) => {
+    res.status(200).json(oauthProtectedResourceMetadata)
+  })
+
+  if (authProvider) {
+    router.use(authProvider.createRouter())
+  }
+
+  return router
+}