@atproto/pds 0.4.34 → 0.4.36

package/src/account-manager/db/migrations/004-oauth.ts

@@ -0,0 +1,122 @@
+import { Kysely, sql } from 'kysely'
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  await db.schema
+    .createTable('authorization_request')
+    .addColumn('id', 'varchar', (col) => col.primaryKey())
+    .addColumn('did', 'varchar')
+    .addColumn('deviceId', 'varchar')
+    .addColumn('clientId', 'varchar', (col) => col.notNull())
+    .addColumn('clientAuth', 'varchar', (col) => col.notNull())
+    .addColumn('parameters', 'varchar', (col) => col.notNull())
+    .addColumn('expiresAt', 'varchar', (col) => col.notNull())
+    .addColumn('code', 'varchar')
+    .execute()
+
+  await db.schema
+    .createIndex('authorization_request_code_idx')
+    .unique()
+    .on('authorization_request')
+    // https://github.com/kysely-org/kysely/issues/302
+    .expression(sql`code DESC) WHERE (code IS NOT NULL`)
+    .execute()
+
+  await db.schema
+    .createIndex('authorization_request_expires_at_idx')
+    .on('authorization_request')
+    .column('expiresAt')
+    .execute()
+
+  await db.schema
+    .createTable('device')
+    .addColumn('id', 'varchar', (col) => col.primaryKey())
+    .addColumn('sessionId', 'varchar', (col) => col.notNull())
+    .addColumn('userAgent', 'varchar')
+    .addColumn('ipAddress', 'varchar', (col) => col.notNull())
+    .addColumn('lastSeenAt', 'varchar', (col) => col.notNull())
+    .addUniqueConstraint('device_session_id_idx', ['sessionId'])
+    .execute()
+
+  await db.schema
+    .createTable('device_account')
+    .addColumn('did', 'varchar', (col) => col.notNull())
+    .addColumn('deviceId', 'varchar', (col) => col.notNull())
+    .addColumn('authenticatedAt', 'varchar', (col) => col.notNull())
+    .addColumn('remember', 'boolean', (col) => col.notNull())
+    .addColumn('authorizedClients', 'varchar', (col) => col.notNull())
+    .addPrimaryKeyConstraint('device_account_pk', [
+      'deviceId', // first because this table will be joined from the "device" table
+      'did',
+    ])
+    .addForeignKeyConstraint(
+      'device_account_device_id_fk',
+      ['deviceId'],
+      'device',
+      ['id'],
+      (qb) => qb.onDelete('cascade').onUpdate('cascade'),
+    )
+    .execute()
+
+  await db.schema
+    .createTable('token')
+    .addColumn('id', 'integer', (col) => col.primaryKey().autoIncrement())
+    .addColumn('did', 'varchar', (col) => col.notNull())
+    .addColumn('tokenId', 'varchar', (col) => col.notNull())
+    .addColumn('createdAt', 'varchar', (col) => col.notNull())
+    .addColumn('updatedAt', 'varchar', (col) => col.notNull())
+    .addColumn('expiresAt', 'varchar', (col) => col.notNull())
+    .addColumn('clientId', 'varchar', (col) => col.notNull())
+    .addColumn('clientAuth', 'varchar', (col) => col.notNull())
+    .addColumn('deviceId', 'varchar')
+    .addColumn('parameters', 'varchar', (col) => col.notNull())
+    .addColumn('details', 'varchar')
+    .addColumn('code', 'varchar')
+    .addColumn('currentRefreshToken', 'varchar')
+    .addUniqueConstraint('token_current_refresh_token_unique_idx', [
+      'currentRefreshToken',
+    ])
+    .addUniqueConstraint('token_id_unique_idx', ['tokenId'])
+    .execute()
+
+  await db.schema
+    .createIndex('token_did_idx')
+    .on('token')
+    .column('did')
+    .execute()
+
+  await db.schema
+    .createIndex('token_code_idx')
+    .unique()
+    .on('token')
+    // https://github.com/kysely-org/kysely/issues/302
+    .expression(sql`code DESC) WHERE (code IS NOT NULL`)
+    .execute()
+
+  await db.schema
+    .createTable('used_refresh_token')
+    .addColumn('refreshToken', 'varchar', (col) => col.primaryKey())
+    .addColumn('tokenId', 'integer', (col) => col.notNull())
+    .addForeignKeyConstraint(
+      'used_refresh_token_fk',
+      ['tokenId'],
+      'token',
+      ['id'],
+      // uses "used_refresh_token_id_idx" index (when cascading)
+      (qb) => qb.onDelete('cascade').onUpdate('cascade'),
+    )
+    .execute()
+
+  await db.schema
+    .createIndex('used_refresh_token_id_idx')
+    .on('used_refresh_token')
+    .column('tokenId')
+    .execute()
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.dropTable('used_refresh_token').execute()
+  await db.schema.dropTable('token').execute()
+  await db.schema.dropTable('device_account').execute()
+  await db.schema.dropTable('device').execute()
+  await db.schema.dropTable('authorization_request').execute()
+}

package/src/account-manager/db/migrations/index.ts

@@ -1,9 +1,11 @@
 import * as mig001 from './001-init'
 import * as mig002 from './002-account-deactivation'
 import * as mig003 from './003-privileged-app-passwords'
+import * as mig004 from './004-oauth'
 
 export default {
   '001': mig001,
   '002': mig002,
   '003': mig003,
+  '004': mig004,
 }

package/src/account-manager/db/schema/authorization-request.ts

@@ -0,0 +1,26 @@
+import {
+  Code,
+  DeviceId,
+  OAuthClientId,
+  RequestId,
+} from '@atproto/oauth-provider'
+import { Selectable } from 'kysely'
+import { DateISO, JsonObject } from '../../../db'
+
+export interface AuthorizationRequest {
+  id: RequestId
+  did: string | null
+  deviceId: DeviceId | null
+
+  clientId: OAuthClientId
+  clientAuth: JsonObject
+  parameters: JsonObject
+  expiresAt: DateISO
+  code: Code | null
+}
+
+export type AuthorizationRequestEntry = Selectable<AuthorizationRequest>
+
+export const tableName = 'authorization_request'
+
+export type PartialDB = { [tableName]: AuthorizationRequest }

package/src/account-manager/db/schema/device-account.ts

@@ -0,0 +1,15 @@
+import { DeviceId } from '@atproto/oauth-provider'
+import { DateISO, JsonArray } from '../../../db'
+
+export interface DeviceAccount {
+  did: string
+  deviceId: DeviceId
+
+  authenticatedAt: DateISO
+  authorizedClients: JsonArray
+  remember: 0 | 1
+}
+
+export const tableName = 'device_account'
+
+export type PartialDB = { [tableName]: DeviceAccount }

package/src/account-manager/db/schema/device.ts

@@ -0,0 +1,18 @@
+import { DeviceId, SessionId } from '@atproto/oauth-provider'
+import { Selectable } from 'kysely'
+import { DateISO } from '../../../db'
+
+export interface Device {
+  id: DeviceId
+  sessionId: SessionId
+
+  userAgent: string | null
+  ipAddress: string
+  lastSeenAt: DateISO
+}
+
+export type DeviceEntry = Selectable<Device>
+
+export const tableName = 'device'
+
+export type PartialDB = { [tableName]: Device }

package/src/account-manager/db/schema/index.ts

@@ -1,5 +1,10 @@
 import * as actor from './actor'
 import * as account from './account'
+import * as device from './device'
+import * as deviceAccount from './device-account'
+import * as oauthRequest from './authorization-request'
+import * as token from './token'
+import * as usedRefreshToken from './used-refresh-token'
 import * as repoRoot from './repo-root'
 import * as refreshToken from './refresh-token'
 import * as appPassword from './app-password'
@@ -8,6 +13,11 @@ import * as emailToken from './email-token'
 
 export type DatabaseSchema = actor.PartialDB &
   account.PartialDB &
+  device.PartialDB &
+  deviceAccount.PartialDB &
+  oauthRequest.PartialDB &
+  token.PartialDB &
+  usedRefreshToken.PartialDB &
   refreshToken.PartialDB &
   appPassword.PartialDB &
   repoRoot.PartialDB &
@@ -16,6 +26,11 @@ export type DatabaseSchema = actor.PartialDB &
 
 export type { Actor, ActorEntry } from './actor'
 export type { Account, AccountEntry } from './account'
+export type { Device } from './device'
+export type { DeviceAccount } from './device-account'
+export type { AuthorizationRequest } from './authorization-request'
+export type { Token } from './token'
+export type { UsedRefreshToken } from './used-refresh-token'
 export type { RepoRoot } from './repo-root'
 export type { RefreshToken } from './refresh-token'
 export type { AppPassword } from './app-password'

package/src/account-manager/db/schema/token.ts

@@ -0,0 +1,34 @@
+import {
+  Code,
+  DeviceId,
+  OAuthClientId,
+  RefreshToken,
+  Sub,
+  TokenId,
+} from '@atproto/oauth-provider'
+import { Generated, Selectable } from 'kysely'
+
+import { DateISO, JsonArray, JsonObject } from '../../../db/cast'
+
+export interface Token {
+  id: Generated<number>
+  did: Sub
+
+  tokenId: TokenId
+  createdAt: DateISO
+  updatedAt: DateISO
+  expiresAt: DateISO
+  clientId: OAuthClientId
+  clientAuth: JsonObject
+  deviceId: DeviceId | null
+  parameters: JsonObject
+  details: JsonArray | null
+  code: Code | null
+  currentRefreshToken: RefreshToken | null
+}
+
+export type TokenEntry = Selectable<Token>
+
+export const tableName = 'token'
+
+export type PartialDB = { [tableName]: Token }

package/src/account-manager/db/schema/used-refresh-token.ts

@@ -0,0 +1,13 @@
+import { RefreshToken } from '@atproto/oauth-provider'
+import { Selectable } from 'kysely'
+
+export interface UsedRefreshToken {
+  tokenId: number
+  refreshToken: RefreshToken
+}
+
+export type UsedRefreshTokenEntry = Selectable<UsedRefreshToken>
+
+export const tableName = 'used_refresh_token'
+
+export type PartialDB = { [tableName]: UsedRefreshToken }

package/src/account-manager/helpers/account.ts

@@ -9,8 +9,6 @@ export type ActorAccount = ActorEntry & {
   email: string | null
   emailConfirmedAt: string | null
   invitesDisabled: 0 | 1 | null
-  active: boolean
-  status?: AccountStatus
 }
 
 export type AvailabilityFlags = {
@@ -26,7 +24,7 @@ export enum AccountStatus {
   Deactivated = 'deactivated',
 }
 
-const selectAccountQB = (db: AccountDb, flags?: AvailabilityFlags) => {
+export const selectAccountQB = (db: AccountDb, flags?: AvailabilityFlags) => {
   const { includeTakenDown = false, includeDeactivated = false } = flags ?? {}
   const { ref } = db.db.dynamic
   return db.db
@@ -63,7 +61,7 @@ export const getAccount = async (
       }
     })
     .executeTakeFirst()
-  return found ? { ...found, ...formatAccountStatus(found) } : null
+  return found || null
 }
 
 export const getAccountByEmail = async (
@@ -74,7 +72,7 @@ export const getAccountByEmail = async (
   const found = await selectAccountQB(db, flags)
     .where('email', '=', email.toLowerCase())
     .executeTakeFirst()
-  return found ? { ...found, ...formatAccountStatus(found) } : null
+  return found || null
 }
 
 export const registerActor = async (
@@ -267,22 +265,19 @@ export const activateAccount = async (db: AccountDb, did: string) => {
   )
 }
 
-export const formatAccountStatus = (account: {
-  takedownRef: string | null
-  deactivatedAt: string | null
-}): {
-  active: boolean
-  status?: AccountStatus
-} => {
-  let status: AccountStatus | undefined = undefined
-  if (account.takedownRef) {
-    status = AccountStatus.Takendown
+export const formatAccountStatus = (
+  account: null | {
+    takedownRef: string | null
+    deactivatedAt: string | null
+  },
+) => {
+  if (!account) {
+    return { active: false, status: AccountStatus.Deleted } as const
+  } else if (account.takedownRef) {
+    return { active: false, status: AccountStatus.Takendown } as const
   } else if (account.deactivatedAt) {
-    status = AccountStatus.Deactivated
-  }
-  const active = !status
-  return {
-    active,
-    status,
+    return { active: false, status: AccountStatus.Deactivated } as const
+  } else {
+    return { active: true, status: undefined } as const
   }
 }

package/src/account-manager/helpers/authorization-request.ts

@@ -0,0 +1,82 @@
+import {
+  Code,
+  FoundRequestResult,
+  RequestData,
+  RequestId,
+  UpdateRequestData,
+} from '@atproto/oauth-provider'
+import { AccountDb, AuthorizationRequest } from '../db'
+import { fromDateISO, fromJsonObject, toDateISO, toJsonObject } from '../../db'
+import { Insertable, Selectable } from 'kysely'
+
+export const rowToRequestData = (
+  row: Selectable<AuthorizationRequest>,
+): RequestData => ({
+  clientId: row.clientId,
+  clientAuth: fromJsonObject(row.clientAuth),
+  parameters: fromJsonObject(row.parameters),
+  expiresAt: fromDateISO(row.expiresAt),
+  deviceId: row.deviceId,
+  sub: row.did,
+  code: row.code,
+})
+
+export const rowToFoundRequestResult = (
+  row: Selectable<AuthorizationRequest>,
+): FoundRequestResult => ({
+  id: row.id,
+  data: rowToRequestData(row),
+})
+
+const requestDataToRow = (
+  id: RequestId,
+  data: RequestData,
+): Insertable<AuthorizationRequest> => ({
+  id,
+  did: data.sub,
+  deviceId: data.deviceId,
+
+  clientId: data.clientId,
+  clientAuth: toJsonObject(data.clientAuth),
+  parameters: toJsonObject(data.parameters),
+  expiresAt: toDateISO(data.expiresAt),
+  code: data.code,
+})
+
+export const createQB = (db: AccountDb, id: RequestId, data: RequestData) =>
+  db.db.insertInto('authorization_request').values(requestDataToRow(id, data))
+
+export const readQB = (db: AccountDb, id: RequestId) =>
+  db.db.selectFrom('authorization_request').where('id', '=', id).selectAll()
+
+export const updateQB = (
+  db: AccountDb,
+  id: RequestId,
+  { code, sub, deviceId, expiresAt }: UpdateRequestData,
+) =>
+  db.db
+    .updateTable('authorization_request')
+    .if(code !== undefined, (qb) => qb.set({ code }))
+    .if(sub !== undefined, (qb) => qb.set({ did: sub }))
+    .if(deviceId !== undefined, (qb) => qb.set({ deviceId }))
+    .if(expiresAt != null, (qb) => qb.set({ expiresAt: toDateISO(expiresAt!) }))
+    .where('id', '=', id)
+
+export const removeOldExpiredQB = (db: AccountDb, delay = 600e3) =>
+  // We allow some delay for the expiration time so that expired requests
+  // can still be returned to the OAuthProvider library for error handling.
+  db.db
+    .deleteFrom('authorization_request')
+    // uses "authorization_request_expires_at_idx" index
+    .where('expiresAt', '<', toDateISO(new Date(Date.now() - delay)))
+
+export const removeByIdQB = (db: AccountDb, id: RequestId) =>
+  db.db.deleteFrom('authorization_request').where('id', '=', id)
+
+export const findByCodeQB = (db: AccountDb, code: Code) =>
+  db.db
+    .selectFrom('authorization_request')
+    // uses "authorization_request_code_idx" partial index (hence the null check)
+    .where('code', '=', code)
+    .where('code', 'is not', null)
+    .selectAll()

package/src/account-manager/helpers/device-account.ts

@@ -0,0 +1,135 @@
+import {
+  Account,
+  DeviceAccountInfo,
+  DeviceId,
+  OAuthClientId,
+} from '@atproto/oauth-provider'
+import { Insertable, Selectable } from 'kysely'
+
+import { fromDateISO, fromJsonArray, toDateISO, toJsonArray } from '../../db'
+import { AccountDb } from '../db'
+import { DeviceAccount } from '../db/schema/device-account'
+import { ActorAccount, selectAccountQB } from './account'
+
+export type SelectableDeviceAccount = Pick<
+  Selectable<DeviceAccount>,
+  'authenticatedAt' | 'authorizedClients' | 'remember'
+>
+
+const selectAccountInfoQB = (db: AccountDb, deviceId: DeviceId) =>
+  selectAccountQB(db, { includeDeactivated: true })
+    // note: query planner should use "device_account_pk" index
+    .innerJoin('device_account', 'device_account.did', 'actor.did')
+    .innerJoin('device', 'device.id', 'device_account.deviceId')
+    .where('device.id', '=', deviceId)
+    .select([
+      'device_account.authenticatedAt',
+      'device_account.remember',
+      'device_account.authorizedClients',
+    ])
+
+export type InsertableField = {
+  authenticatedAt: Date
+  authorizedClients: OAuthClientId[]
+  remember: boolean
+}
+
+function toInsertable<V extends Partial<InsertableField>>(
+  values: V,
+): Pick<Insertable<DeviceAccount>, keyof V & keyof Insertable<DeviceAccount>>
+function toInsertable(
+  values: Partial<InsertableField>,
+): Partial<Insertable<DeviceAccount>> {
+  const row: Partial<Insertable<DeviceAccount>> = {}
+  if (values.authenticatedAt) {
+    row.authenticatedAt = toDateISO(values.authenticatedAt)
+  }
+  if (values.remember !== undefined) {
+    row.remember = values.remember === true ? 1 : 0
+  }
+  if (values.authorizedClients) {
+    row.authorizedClients = toJsonArray(values.authorizedClients)
+  }
+  return row
+}
+
+export function toDeviceAccountInfo(
+  row: SelectableDeviceAccount,
+): DeviceAccountInfo {
+  return {
+    remembered: row.remember === 1,
+    authenticatedAt: fromDateISO(row.authenticatedAt),
+    authorizedClients: fromJsonArray<OAuthClientId>(row.authorizedClients),
+  }
+}
+
+export function toAccount(
+  row: Selectable<ActorAccount>,
+  audience: string,
+): Account {
+  return {
+    sub: row.did,
+    aud: audience,
+    email: row.email || undefined,
+    email_verified: row.email ? row.emailConfirmedAt != null : undefined,
+    preferred_username: row.handle || undefined,
+  }
+}
+
+export const readQB = (db: AccountDb, deviceId: DeviceId, did: string) =>
+  db.db
+    .selectFrom('device_account')
+    .where('did', '=', did)
+    .where('deviceId', '=', deviceId)
+    .select(['remember', 'authorizedClients', 'authenticatedAt'])
+
+export const updateQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  did: string,
+  entry: {
+    authenticatedAt?: Date
+    authorizedClients?: OAuthClientId[]
+    remember?: boolean
+  },
+) =>
+  db.db
+    .updateTable('device_account')
+    .set(toInsertable(entry))
+    .where('did', '=', did)
+    .where('deviceId', '=', deviceId)
+
+export const createOrUpdateQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  did: string,
+  remember: boolean,
+) => {
+  const { authorizedClients, ...values } = toInsertable({
+    remember,
+    authenticatedAt: new Date(),
+    authorizedClients: [],
+  })
+
+  return db.db
+    .insertInto('device_account')
+    .values({ did, deviceId, authorizedClients, ...values })
+    .onConflict((oc) => oc.columns(['deviceId', 'did']).doUpdateSet(values))
+}
+
+export const getAccountInfoQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  did: string,
+) => {
+  return selectAccountInfoQB(db, deviceId).where('actor.did', '=', did)
+}
+
+export const listRememberedQB = (db: AccountDb, deviceId: DeviceId) =>
+  selectAccountInfoQB(db, deviceId).where('device_account.remember', '=', 1)
+
+export const removeQB = (db: AccountDb, deviceId: DeviceId, did: string) =>
+  db.db
+    .deleteFrom('device_account')
+    .where('deviceId', '=', deviceId)
+    .where('did', '=', did)

package/src/account-manager/helpers/device.ts

@@ -0,0 +1,45 @@
+import { DeviceId, DeviceData } from '@atproto/oauth-provider'
+import { AccountDb, Device } from '../db'
+import { fromDateISO, toDateISO } from '../../db'
+import { Selectable } from 'kysely'
+
+export const rowToDeviceData = (row: Selectable<Device>): DeviceData => ({
+  sessionId: row.sessionId,
+  userAgent: row.userAgent,
+  ipAddress: row.ipAddress,
+  lastSeenAt: fromDateISO(row.lastSeenAt),
+})
+
+export const createQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  { sessionId, userAgent, ipAddress, lastSeenAt }: DeviceData,
+) =>
+  db.db.insertInto('device').values({
+    id: deviceId,
+    sessionId,
+    userAgent,
+    ipAddress,
+    lastSeenAt: toDateISO(lastSeenAt),
+  })
+
+export const readQB = (db: AccountDb, deviceId: DeviceId) =>
+  db.db.selectFrom('device').where('id', '=', deviceId).selectAll()
+
+export const updateQB = (
+  db: AccountDb,
+  deviceId: DeviceId,
+  { sessionId, userAgent, ipAddress, lastSeenAt }: Partial<DeviceData>,
+) =>
+  db.db
+    .updateTable('device')
+    .if(sessionId != null, (qb) => qb.set({ sessionId }))
+    .if(userAgent != null, (qb) => qb.set({ userAgent }))
+    .if(ipAddress != null, (qb) => qb.set({ ipAddress }))
+    .if(lastSeenAt != null, (qb) =>
+      qb.set({ lastSeenAt: toDateISO(lastSeenAt!) }),
+    )
+    .where('id', '=', deviceId)
+
+export const removeQB = (db: AccountDb, deviceId: DeviceId) =>
+  db.db.deleteFrom('device').where('id', '=', deviceId)