@atproto/pds 0.4.52 → 0.4.54
Sign up to get free protection for your applications and to get access to all the features.
- package/CHANGELOG.md +31 -0
- package/dist/account-manager/helpers/auth.d.ts.map +1 -1
- package/dist/account-manager/helpers/auth.js +8 -2
- package/dist/account-manager/helpers/auth.js.map +1 -1
- package/dist/api/com/atproto/admin/sendEmail.js +1 -4
- package/dist/api/com/atproto/admin/sendEmail.js.map +1 -1
- package/dist/api/com/atproto/admin/updateAccountEmail.js +2 -2
- package/dist/api/com/atproto/admin/updateAccountEmail.js.map +1 -1
- package/dist/api/com/atproto/admin/updateAccountPassword.js +2 -2
- package/dist/api/com/atproto/admin/updateAccountPassword.js.map +1 -1
- package/dist/api/com/atproto/identity/requestPlcOperationSignature.d.ts +1 -1
- package/dist/api/com/atproto/identity/requestPlcOperationSignature.d.ts.map +1 -1
- package/dist/api/com/atproto/identity/requestPlcOperationSignature.js +8 -3
- package/dist/api/com/atproto/identity/requestPlcOperationSignature.js.map +1 -1
- package/dist/api/com/atproto/identity/signPlcOperation.d.ts +1 -1
- package/dist/api/com/atproto/identity/signPlcOperation.d.ts.map +1 -1
- package/dist/api/com/atproto/identity/signPlcOperation.js +9 -3
- package/dist/api/com/atproto/identity/signPlcOperation.js.map +1 -1
- package/dist/api/com/atproto/identity/updateHandle.d.ts.map +1 -1
- package/dist/api/com/atproto/identity/updateHandle.js +8 -3
- package/dist/api/com/atproto/identity/updateHandle.js.map +1 -1
- package/dist/api/com/atproto/server/activateAccount.d.ts +1 -1
- package/dist/api/com/atproto/server/activateAccount.d.ts.map +1 -1
- package/dist/api/com/atproto/server/activateAccount.js +9 -4
- package/dist/api/com/atproto/server/activateAccount.js.map +1 -1
- package/dist/api/com/atproto/server/confirmEmail.d.ts +1 -1
- package/dist/api/com/atproto/server/confirmEmail.d.ts.map +1 -1
- package/dist/api/com/atproto/server/confirmEmail.js +8 -3
- package/dist/api/com/atproto/server/confirmEmail.js.map +1 -1
- package/dist/api/com/atproto/server/createAppPassword.d.ts.map +1 -1
- package/dist/api/com/atproto/server/createAppPassword.js +8 -2
- package/dist/api/com/atproto/server/createAppPassword.js.map +1 -1
- package/dist/api/com/atproto/server/deactivateAccount.d.ts +1 -1
- package/dist/api/com/atproto/server/deactivateAccount.d.ts.map +1 -1
- package/dist/api/com/atproto/server/deactivateAccount.js +8 -3
- package/dist/api/com/atproto/server/deactivateAccount.js.map +1 -1
- package/dist/api/com/atproto/server/getAccountInviteCodes.d.ts +1 -1
- package/dist/api/com/atproto/server/getAccountInviteCodes.d.ts.map +1 -1
- package/dist/api/com/atproto/server/getAccountInviteCodes.js +9 -3
- package/dist/api/com/atproto/server/getAccountInviteCodes.js.map +1 -1
- package/dist/api/com/atproto/server/getServiceAuth.d.ts.map +1 -1
- package/dist/api/com/atproto/server/getServiceAuth.js +7 -4
- package/dist/api/com/atproto/server/getServiceAuth.js.map +1 -1
- package/dist/api/com/atproto/server/listAppPasswords.d.ts.map +1 -1
- package/dist/api/com/atproto/server/listAppPasswords.js +8 -2
- package/dist/api/com/atproto/server/listAppPasswords.js.map +1 -1
- package/dist/api/com/atproto/server/requestAccountDelete.d.ts +1 -1
- package/dist/api/com/atproto/server/requestAccountDelete.d.ts.map +1 -1
- package/dist/api/com/atproto/server/requestAccountDelete.js +8 -3
- package/dist/api/com/atproto/server/requestAccountDelete.js.map +1 -1
- package/dist/api/com/atproto/server/requestEmailConfirmation.d.ts +1 -1
- package/dist/api/com/atproto/server/requestEmailConfirmation.d.ts.map +1 -1
- package/dist/api/com/atproto/server/requestEmailConfirmation.js +8 -3
- package/dist/api/com/atproto/server/requestEmailConfirmation.js.map +1 -1
- package/dist/api/com/atproto/server/requestEmailUpdate.d.ts +1 -1
- package/dist/api/com/atproto/server/requestEmailUpdate.d.ts.map +1 -1
- package/dist/api/com/atproto/server/requestEmailUpdate.js +8 -2
- package/dist/api/com/atproto/server/requestEmailUpdate.js.map +1 -1
- package/dist/api/com/atproto/server/revokeAppPassword.d.ts.map +1 -1
- package/dist/api/com/atproto/server/revokeAppPassword.js +8 -3
- package/dist/api/com/atproto/server/revokeAppPassword.js.map +1 -1
- package/dist/api/com/atproto/server/updateEmail.d.ts +1 -1
- package/dist/api/com/atproto/server/updateEmail.d.ts.map +1 -1
- package/dist/api/com/atproto/server/updateEmail.js +6 -4
- package/dist/api/com/atproto/server/updateEmail.js.map +1 -1
- package/dist/api/proxy.js +5 -1
- package/dist/api/proxy.js.map +1 -1
- package/dist/auth-routes.d.ts.map +1 -1
- package/dist/auth-routes.js +3 -1
- package/dist/auth-routes.js.map +1 -1
- package/dist/auth-verifier.d.ts +2 -2
- package/dist/auth-verifier.d.ts.map +1 -1
- package/dist/auth-verifier.js +46 -15
- package/dist/auth-verifier.js.map +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +6 -6
- package/dist/index.js.map +1 -1
- package/dist/lexicon/lexicons.d.ts +7 -0
- package/dist/lexicon/lexicons.d.ts.map +1 -1
- package/dist/lexicon/lexicons.js +8 -1
- package/dist/lexicon/lexicons.js.map +1 -1
- package/dist/lexicon/types/app/bsky/embed/record.d.ts +1 -0
- package/dist/lexicon/types/app/bsky/embed/record.d.ts.map +1 -1
- package/dist/lexicon/types/app/bsky/embed/record.js.map +1 -1
- package/dist/lexicon/types/app/bsky/feed/getPostThread.d.ts +1 -0
- package/dist/lexicon/types/app/bsky/feed/getPostThread.d.ts.map +1 -1
- package/dist/oauth/provider.d.ts.map +1 -1
- package/dist/oauth/provider.js +1 -0
- package/dist/oauth/provider.js.map +1 -1
- package/dist/pipethrough.d.ts +1 -0
- package/dist/pipethrough.d.ts.map +1 -1
- package/dist/pipethrough.js +23 -2
- package/dist/pipethrough.js.map +1 -1
- package/package.json +11 -11
- package/src/account-manager/helpers/auth.ts +8 -2
- package/src/api/com/atproto/admin/sendEmail.ts +5 -5
- package/src/api/com/atproto/admin/updateAccountEmail.ts +1 -1
- package/src/api/com/atproto/admin/updateAccountPassword.ts +1 -1
- package/src/api/com/atproto/identity/requestPlcOperationSignature.ts +13 -5
- package/src/api/com/atproto/identity/signPlcOperation.ts +15 -6
- package/src/api/com/atproto/identity/updateHandle.ts +10 -3
- package/src/api/com/atproto/server/activateAccount.ts +14 -5
- package/src/api/com/atproto/server/confirmEmail.ts +13 -5
- package/src/api/com/atproto/server/createAppPassword.ts +12 -3
- package/src/api/com/atproto/server/deactivateAccount.ts +11 -4
- package/src/api/com/atproto/server/getAccountInviteCodes.ts +14 -5
- package/src/api/com/atproto/server/getServiceAuth.ts +14 -9
- package/src/api/com/atproto/server/listAppPasswords.ts +11 -3
- package/src/api/com/atproto/server/requestAccountDelete.ts +12 -4
- package/src/api/com/atproto/server/requestEmailConfirmation.ts +12 -4
- package/src/api/com/atproto/server/requestEmailUpdate.ts +13 -4
- package/src/api/com/atproto/server/revokeAppPassword.ts +10 -3
- package/src/api/com/atproto/server/updateEmail.ts +14 -6
- package/src/api/proxy.ts +5 -1
- package/src/auth-routes.ts +3 -1
- package/src/auth-verifier.ts +63 -21
- package/src/index.ts +6 -7
- package/src/lexicon/lexicons.ts +8 -1
- package/src/lexicon/types/app/bsky/embed/record.ts +1 -0
- package/src/lexicon/types/app/bsky/feed/getPostThread.ts +1 -0
- package/src/oauth/provider.ts +2 -0
- package/src/pipethrough.ts +25 -1
- package/tests/app-passwords.test.ts +2 -2
- package/tests/auth.test.ts +1 -1
- package/tests/entryway.test.ts +30 -4
- package/tests/proxied/__snapshots__/feedgen.test.ts.snap +1 -0
- package/tests/proxied/__snapshots__/views.test.ts.snap +10 -0
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"getServiceAuth.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,
|
1
|
+
{"version":3,"file":"getServiceAuth.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAyDvD"}
|
@@ -22,10 +22,13 @@ function default_1(server, ctx) {
|
|
22
22
|
throw new xrpc_server_1.InvalidRequestError('cannot request a method-less token with an expiration more than a minute in the future', 'BadExpiration');
|
23
23
|
}
|
24
24
|
}
|
25
|
-
if (
|
26
|
-
lxm
|
27
|
-
|
28
|
-
|
25
|
+
if (lxm) {
|
26
|
+
if (pipethrough_1.PROTECTED_METHODS.has(lxm)) {
|
27
|
+
throw new xrpc_server_1.InvalidRequestError(`cannot request a service auth token for the following protected method: ${lxm}`);
|
28
|
+
}
|
29
|
+
if (!auth.credentials.isPrivileged && pipethrough_1.PRIVILEGED_METHODS.has(lxm)) {
|
30
|
+
throw new xrpc_server_1.InvalidRequestError(`insufficient access to request a service auth token for the following method: ${lxm}`);
|
31
|
+
}
|
29
32
|
}
|
30
33
|
const keypair = await ctx.actorStore.keypair(did);
|
31
34
|
const token = await (0, xrpc_server_1.createServiceJwt)({
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"getServiceAuth.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":";;AAAA,sDAA4E;AAC5E,4CAA8C;AAG9C,
|
1
|
+
{"version":3,"file":"getServiceAuth.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":";;AAAA,sDAA4E;AAC5E,4CAA8C;AAG9C,yDAA+E;AAE/E,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC;QACvC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,EAAE,GAAG,MAAM,CAAA;YAClC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAA;YACtD,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,IAAI,GAAG,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;gBAC7B,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;oBACb,MAAM,IAAI,iCAAmB,CAC3B,uBAAuB,EACvB,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,IAAI,GAAG,aAAI,EAAE,CAAC;oBACvB,MAAM,IAAI,iCAAmB,CAC3B,2EAA2E,EAC3E,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,CAAC,GAAG,IAAI,IAAI,GAAG,eAAM,EAAE,CAAC;oBACjC,MAAM,IAAI,iCAAmB,CAC3B,wFAAwF,EACxF,eAAe,CAChB,CAAA;gBACH,CAAC;YACH,CAAC;YAED,IAAI,GAAG,EAAE,CAAC;gBACR,IAAI,+BAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/B,MAAM,IAAI,iCAAmB,CAC3B,2EAA2E,GAAG,EAAE,CACjF,CAAA;gBACH,CAAC;gBACD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY,IAAI,gCAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBAClE,MAAM,IAAI,iCAAmB,CAC3B,iFAAiF,GAAG,EAAE,CACvF,CAAA;gBACH,CAAC;YACH,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAEjD,MAAM,KAAK,GAAG,MAAM,IAAA,8BAAgB,EAAC;gBACnC,GAAG,EAAE,GAAG;gBACR,GAAG;gBACH,GAAG;gBACH,GAAG;gBACH,OAAO;aACR,CAAC,CAAA;YACF,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,KAAK;iBACN;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAzDD,4BAyDC"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAI5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2BvD"}
|
@@ -1,12 +1,18 @@
|
|
1
1
|
"use strict";
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
4
|
+
};
|
2
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
6
|
+
const node_assert_1 = __importDefault(require("node:assert"));
|
7
|
+
const lexicons_1 = require("../../../../lexicon/lexicons");
|
3
8
|
const proxy_1 = require("../../../proxy");
|
4
9
|
function default_1(server, ctx) {
|
5
10
|
server.com.atproto.server.listAppPasswords({
|
6
11
|
auth: ctx.authVerifier.accessStandard(),
|
7
|
-
handler: async ({ auth
|
12
|
+
handler: async ({ auth }) => {
|
8
13
|
if (ctx.entrywayAgent) {
|
9
|
-
|
14
|
+
(0, node_assert_1.default)(ctx.cfg.entryway);
|
15
|
+
return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.listAppPasswords(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerListAppPasswords)));
|
10
16
|
}
|
11
17
|
const passwords = await ctx.accountManager.listAppPasswords(auth.credentials.did);
|
12
18
|
return {
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAIhC,2DAAkD;AAClD,0CAA+C;AAE/C,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACzC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CACzD,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,gCAAgC,CACrC,CACF,CACF,CAAA;YACH,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACzD,IAAI,CAAC,WAAW,CAAC,GAAG,CACrB,CAAA;YACD,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE,EAAE,SAAS,EAAE;aACpB,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3BD,4BA2BC"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"requestAccountDelete.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"requestAccountDelete.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":"AAKA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAgDvD"}
|
@@ -1,8 +1,12 @@
|
|
1
1
|
"use strict";
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
4
|
+
};
|
2
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
6
|
+
const node_assert_1 = __importDefault(require("node:assert"));
|
3
7
|
const common_1 = require("@atproto/common");
|
4
8
|
const xrpc_server_1 = require("@atproto/xrpc-server");
|
5
|
-
const
|
9
|
+
const lexicons_1 = require("../../../../lexicon/lexicons");
|
6
10
|
function default_1(server, ctx) {
|
7
11
|
server.com.atproto.server.requestAccountDelete({
|
8
12
|
rateLimit: [
|
@@ -18,7 +22,7 @@ function default_1(server, ctx) {
|
|
18
22
|
},
|
19
23
|
],
|
20
24
|
auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
|
21
|
-
handler: async ({ auth
|
25
|
+
handler: async ({ auth }) => {
|
22
26
|
const did = auth.credentials.did;
|
23
27
|
const account = await ctx.accountManager.getAccount(did, {
|
24
28
|
includeDeactivated: true,
|
@@ -28,7 +32,8 @@ function default_1(server, ctx) {
|
|
28
32
|
throw new xrpc_server_1.InvalidRequestError('account not found');
|
29
33
|
}
|
30
34
|
if (ctx.entrywayAgent) {
|
31
|
-
|
35
|
+
(0, node_assert_1.default)(ctx.cfg.entryway);
|
36
|
+
await ctx.entrywayAgent.com.atproto.server.requestAccountDelete(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRequestAccountDelete));
|
32
37
|
return;
|
33
38
|
}
|
34
39
|
if (!account.email) {
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"requestAccountDelete.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"requestAccountDelete.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,4CAA2C;AAC3C,sDAA0D;AAI1D,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC;QAC7C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAC7D,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,oCAAoC,CACzC,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,gBAAgB,CACjB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACtE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAhDD,4BAgDC"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"requestEmailConfirmation.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"requestEmailConfirmation.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":"AAKA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAgDvD"}
|
@@ -1,8 +1,12 @@
|
|
1
1
|
"use strict";
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
4
|
+
};
|
2
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
6
|
+
const node_assert_1 = __importDefault(require("node:assert"));
|
3
7
|
const common_1 = require("@atproto/common");
|
4
8
|
const xrpc_server_1 = require("@atproto/xrpc-server");
|
5
|
-
const
|
9
|
+
const lexicons_1 = require("../../../../lexicon/lexicons");
|
6
10
|
function default_1(server, ctx) {
|
7
11
|
server.com.atproto.server.requestEmailConfirmation({
|
8
12
|
rateLimit: [
|
@@ -18,7 +22,7 @@ function default_1(server, ctx) {
|
|
18
22
|
},
|
19
23
|
],
|
20
24
|
auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
|
21
|
-
handler: async ({ auth
|
25
|
+
handler: async ({ auth }) => {
|
22
26
|
const did = auth.credentials.did;
|
23
27
|
const account = await ctx.accountManager.getAccount(did, {
|
24
28
|
includeDeactivated: true,
|
@@ -28,7 +32,8 @@ function default_1(server, ctx) {
|
|
28
32
|
throw new xrpc_server_1.InvalidRequestError('account not found');
|
29
33
|
}
|
30
34
|
if (ctx.entrywayAgent) {
|
31
|
-
|
35
|
+
(0, node_assert_1.default)(ctx.cfg.entryway);
|
36
|
+
await ctx.entrywayAgent.com.atproto.server.requestEmailConfirmation(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRequestEmailConfirmation));
|
32
37
|
return;
|
33
38
|
}
|
34
39
|
if (!account.email) {
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"requestEmailConfirmation.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"requestEmailConfirmation.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,4CAA2C;AAC3C,sDAA0D;AAI1D,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CAAC;QACjD,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CACjE,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,wCAAwC,CAC7C,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,eAAe,CAChB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACrE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAhDD,4BAgDC"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"requestEmailUpdate.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"requestEmailUpdate.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":"AAKA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAI5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA4DvD"}
|
@@ -1,8 +1,13 @@
|
|
1
1
|
"use strict";
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
4
|
+
};
|
2
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
6
|
+
const node_assert_1 = __importDefault(require("node:assert"));
|
3
7
|
const common_1 = require("@atproto/common");
|
4
8
|
const xrpc_server_1 = require("@atproto/xrpc-server");
|
5
9
|
const proxy_1 = require("../../../proxy");
|
10
|
+
const lexicons_1 = require("../../../../lexicon/lexicons");
|
6
11
|
function default_1(server, ctx) {
|
7
12
|
server.com.atproto.server.requestEmailUpdate({
|
8
13
|
rateLimit: [
|
@@ -18,7 +23,7 @@ function default_1(server, ctx) {
|
|
18
23
|
},
|
19
24
|
],
|
20
25
|
auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
|
21
|
-
handler: async ({ auth
|
26
|
+
handler: async ({ auth }) => {
|
22
27
|
const did = auth.credentials.did;
|
23
28
|
const account = await ctx.accountManager.getAccount(did, {
|
24
29
|
includeDeactivated: true,
|
@@ -28,7 +33,8 @@ function default_1(server, ctx) {
|
|
28
33
|
throw new xrpc_server_1.InvalidRequestError('account not found');
|
29
34
|
}
|
30
35
|
if (ctx.entrywayAgent) {
|
31
|
-
|
36
|
+
(0, node_assert_1.default)(ctx.cfg.entryway);
|
37
|
+
return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.requestEmailUpdate(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRequestEmailUpdate)));
|
32
38
|
}
|
33
39
|
if (!account.email) {
|
34
40
|
throw new xrpc_server_1.InvalidRequestError('account does not have an email address');
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"requestEmailUpdate.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"requestEmailUpdate.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,4CAA2C;AAC3C,sDAA0D;AAI1D,0CAA+C;AAC/C,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC;QAC3C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAC3D,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,kCAAkC,CACvC,CACF,CACF,CAAA;YACH,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YAED,MAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAA;YAChD,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,cAAc,CACf,CAAA;gBACD,MAAM,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;YACpE,CAAC;YAED,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,aAAa;iBACd;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA5DD,4BA4DC"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"revokeAppPassword.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"revokeAppPassword.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAuBvD"}
|
@@ -1,12 +1,17 @@
|
|
1
1
|
"use strict";
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
4
|
+
};
|
2
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
3
|
-
const
|
6
|
+
const node_assert_1 = __importDefault(require("node:assert"));
|
7
|
+
const lexicons_1 = require("../../../../lexicon/lexicons");
|
4
8
|
function default_1(server, ctx) {
|
5
9
|
server.com.atproto.server.revokeAppPassword({
|
6
10
|
auth: ctx.authVerifier.accessStandard(),
|
7
|
-
handler: async ({ auth, input
|
11
|
+
handler: async ({ auth, input }) => {
|
8
12
|
if (ctx.entrywayAgent) {
|
9
|
-
|
13
|
+
(0, node_assert_1.default)(ctx.cfg.entryway);
|
14
|
+
await ctx.entrywayAgent.com.atproto.server.revokeAppPassword(input.body, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRevokeAppPassword));
|
10
15
|
return;
|
11
16
|
}
|
12
17
|
const requester = auth.credentials.did;
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"revokeAppPassword.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"revokeAppPassword.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAIhC,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC;QAC1C,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;YACjC,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAC1D,KAAK,CAAC,IAAI,EACV,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,iCAAiC,CACtC,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YACtC,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YAE3B,MAAM,GAAG,CAAC,cAAc,CAAC,iBAAiB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;QAC7D,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAvBD,4BAuBC"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"updateEmail.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":"
|
1
|
+
{"version":3,"file":"updateEmail.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":"AAMA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2DvD"}
|
@@ -3,14 +3,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
4
4
|
};
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
6
|
-
const
|
6
|
+
const node_assert_1 = __importDefault(require("node:assert"));
|
7
7
|
const xrpc_server_1 = require("@atproto/xrpc-server");
|
8
|
-
const
|
8
|
+
const disposable_email_1 = __importDefault(require("disposable-email"));
|
9
9
|
const account_1 = require("../../../../account-manager/helpers/account");
|
10
|
+
const lexicons_1 = require("../../../../lexicon/lexicons");
|
10
11
|
function default_1(server, ctx) {
|
11
12
|
server.com.atproto.server.updateEmail({
|
12
13
|
auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
|
13
|
-
handler: async ({ auth, input
|
14
|
+
handler: async ({ auth, input }) => {
|
14
15
|
const did = auth.credentials.did;
|
15
16
|
const { token, email } = input.body;
|
16
17
|
if (!disposable_email_1.default.validate(email)) {
|
@@ -23,7 +24,8 @@ function default_1(server, ctx) {
|
|
23
24
|
throw new xrpc_server_1.InvalidRequestError('account not found');
|
24
25
|
}
|
25
26
|
if (ctx.entrywayAgent) {
|
26
|
-
|
27
|
+
(0, node_assert_1.default)(ctx.cfg.entryway);
|
28
|
+
await ctx.entrywayAgent.com.atproto.server.updateEmail(input.body, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerUpdateEmail));
|
27
29
|
return;
|
28
30
|
}
|
29
31
|
// require valid token if account email is confirmed
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"updateEmail.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":";;;;;AAAA,
|
1
|
+
{"version":3,"file":"updateEmail.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,sDAA0D;AAC1D,wEAAyC;AAEzC,yEAAoF;AAGpF,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;QACpC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;YACjC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YACnC,IAAI,CAAC,0BAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,iCAAmB,CAC3B,oEAAoE,CACrE,CAAA;YACH,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;aACzB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CACpD,KAAK,CAAC,IAAI,EACV,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,2BAA2B,CAChC,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,oDAAoD;YACpD,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;gBAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,iCAAmB,CAC3B,6BAA6B,EAC7B,eAAe,CAChB,CAAA;gBACH,CAAC;gBACD,MAAM,GAAG,CAAC,cAAc,CAAC,qBAAqB,CAC5C,GAAG,EACH,cAAc,EACd,KAAK,CACN,CAAA;YACH,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAA;YACtD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,gCAAsB,EAAE,CAAC;oBAC1C,MAAM,IAAI,iCAAmB,CAC3B,qEAAqE,CACtE,CAAA;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,GAAG,CAAA;gBACX,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3DD,4BA2DC"}
|
package/dist/api/proxy.js
CHANGED
@@ -21,7 +21,11 @@ function authPassthru(req, withEncoding) {
|
|
21
21
|
// This is fine since app views are usually called using the requester's
|
22
22
|
// credentials when "auth.credentials.type === 'access'", which is the only
|
23
23
|
// case were DPoP is used.
|
24
|
-
|
24
|
+
const [type] = authorization.split(' ', 1);
|
25
|
+
if (!type) {
|
26
|
+
throw new xrpc_server_1.InvalidRequestError('Invalid authorization header');
|
27
|
+
}
|
28
|
+
if (type.toLowerCase() === 'dpop' || req.headers['dpop']) {
|
25
29
|
throw new xrpc_server_1.InvalidRequestError('DPoP requests cannot be proxied');
|
26
30
|
}
|
27
31
|
return {
|
package/dist/api/proxy.js.map
CHANGED
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"proxy.js","sourceRoot":"","sources":["../../src/api/proxy.ts"],"names":[],"mappings":";;;AACA,sDAA0D;AAGnD,MAAM,cAAc,GAAG,CAAI,MAAqC,EAAE,EAAE;IACzE,sEAAsE;IACtE,OAAO;QACL,QAAQ,EAAE,kBAA2B;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAA;AACH,CAAC,CAAA;AANY,QAAA,cAAc,kBAM1B;AAgBD,SAAgB,YAAY,CAAC,GAAoB,EAAE,YAAsB;IACvE,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,OAAO,CAAA;IAErC,IAAI,aAAa,EAAE,CAAC;QAClB,4EAA4E;QAC5E,qEAAqE;QACrE,oEAAoE;QACpE,qEAAqE;QACrE,qBAAqB;QAErB,wEAAwE;QACxE,2EAA2E;QAC3E,0BAA0B;QAC1B,IAAI,aAAa,CAAC,
|
1
|
+
{"version":3,"file":"proxy.js","sourceRoot":"","sources":["../../src/api/proxy.ts"],"names":[],"mappings":";;;AACA,sDAA0D;AAGnD,MAAM,cAAc,GAAG,CAAI,MAAqC,EAAE,EAAE;IACzE,sEAAsE;IACtE,OAAO;QACL,QAAQ,EAAE,kBAA2B;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAA;AACH,CAAC,CAAA;AANY,QAAA,cAAc,kBAM1B;AAgBD,SAAgB,YAAY,CAAC,GAAoB,EAAE,YAAsB;IACvE,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,OAAO,CAAA;IAErC,IAAI,aAAa,EAAE,CAAC;QAClB,4EAA4E;QAC5E,qEAAqE;QACrE,oEAAoE;QACpE,qEAAqE;QACrE,qBAAqB;QAErB,wEAAwE;QACxE,2EAA2E;QAC3E,0BAA0B;QAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,iCAAmB,CAAC,8BAA8B,CAAC,CAAA;QAC/D,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,iCAAmB,CAAC,iCAAiC,CAAC,CAAA;QAClE,CAAC;QAED,OAAO;YACL,OAAO,EAAE,EAAE,aAAa,EAAE;YAC1B,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS;SACxD,CAAA;IACH,CAAC;AACH,CAAC;AA1BD,oCA0BC"}
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAEhC,OAAO,UAAU,MAAM,WAAW,CAAA;AAElC,eAAO,MAAM,YAAY,0BAA2B,UAAU,KAAG,
|
1
|
+
{"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAEhC,OAAO,UAAU,MAAM,WAAW,CAAA;AAElC,eAAO,MAAM,YAAY,0BAA2B,UAAU,KAAG,MAuBhE,CAAA"}
|
package/dist/auth-routes.js
CHANGED
@@ -9,10 +9,12 @@ const createRouter = ({ authProvider, cfg }) => {
|
|
9
9
|
resource: cfg.service.publicUrl,
|
10
10
|
authorization_servers: [cfg.entryway?.url ?? cfg.service.publicUrl],
|
11
11
|
bearer_methods_supported: ['header'],
|
12
|
-
scopes_supported: [
|
12
|
+
scopes_supported: [],
|
13
13
|
resource_documentation: 'https://atproto.com',
|
14
14
|
});
|
15
15
|
router.get('/.well-known/oauth-protected-resource', (req, res) => {
|
16
|
+
res.setHeader('Access-Control-Allow-Origin', '*');
|
17
|
+
res.setHeader('Access-Control-Allow-Method', '*');
|
16
18
|
res.status(200).json(oauthProtectedResourceMetadata);
|
17
19
|
});
|
18
20
|
if (authProvider) {
|
package/dist/auth-routes.js.map
CHANGED
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"auth-routes.js","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":";;;AAAA,4DAA8E;AAC9E,qCAAgC;AAIzB,MAAM,YAAY,GAAG,CAAC,EAAE,YAAY,EAAE,GAAG,EAAc,EAAU,EAAE;IACxE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAA;IAEvB,MAAM,8BAA8B,GAClC,qDAAoC,CAAC,KAAK,CAAC;QACzC,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS;QAC/B,qBAAqB,EAAE,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC;QACnE,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,gBAAgB,EAAE,
|
1
|
+
{"version":3,"file":"auth-routes.js","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":";;;AAAA,4DAA8E;AAC9E,qCAAgC;AAIzB,MAAM,YAAY,GAAG,CAAC,EAAE,YAAY,EAAE,GAAG,EAAc,EAAU,EAAE;IACxE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAA;IAEvB,MAAM,8BAA8B,GAClC,qDAAoC,CAAC,KAAK,CAAC;QACzC,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS;QAC/B,qBAAqB,EAAE,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC;QACnE,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,gBAAgB,EAAE,EAAE;QACpB,sBAAsB,EAAE,qBAAqB;KAC9C,CAAC,CAAA;IAEJ,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/D,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;QACjD,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;QACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAA;IACtD,CAAC,CAAC,CAAA;IAEF,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC,CAAA;IACzC,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAvBY,QAAA,YAAY,gBAuBxB"}
|
package/dist/auth-verifier.d.ts
CHANGED
@@ -107,8 +107,8 @@ export declare class AuthVerifier {
|
|
107
107
|
modService: (ctx: ReqCtx) => Promise<ModServiceOutput>;
|
108
108
|
moderator: (ctx: ReqCtx) => Promise<AdminTokenOutput | ModServiceOutput>;
|
109
109
|
protected validateAdminToken({ req, }: ReqCtx): Promise<AdminTokenOutput>;
|
110
|
-
protected validateRefreshToken(ctx: ReqCtx, verifyOptions?: Omit<jose.JWTVerifyOptions, 'audience'>): Promise<ValidatedRefreshBearer>;
|
111
|
-
protected validateBearerToken(ctx: ReqCtx, scopes: AuthScope[], verifyOptions
|
110
|
+
protected validateRefreshToken(ctx: ReqCtx, verifyOptions?: Omit<jose.JWTVerifyOptions, 'audience' | 'typ'>): Promise<ValidatedRefreshBearer>;
|
111
|
+
protected validateBearerToken(ctx: ReqCtx, scopes: AuthScope[], verifyOptions: jose.JWTVerifyOptions & Required<Pick<jose.JWTVerifyOptions, 'audience' | 'typ'>>): Promise<ValidatedBearer>;
|
112
112
|
protected validateAccessToken(ctx: ReqCtx, scopes: AuthScope[], { checkTakedown, checkDeactivated, }?: {
|
113
113
|
checkTakedown?: boolean;
|
114
114
|
checkDeactivated?: boolean;
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"auth-verifier.d.ts","sourceRoot":"","sources":["../src/auth-verifier.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,SAAS,EAAoC,MAAM,aAAa,CAAA;AAIzE,OAAO,EAAE,UAAU,EAA0B,MAAM,mBAAmB,CAAA;AACtE,OAAO,EAEL,aAAa,EAEd,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAEL,mBAAmB,EAGnB,yBAAyB,EAI1B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAGlD,KAAK,MAAM,GAAG,mBAAmB,GAAG,yBAAyB,CAAA;AAG7D,oBAAY,SAAS;IACnB,MAAM,uBAAuB;IAC7B,OAAO,wBAAwB;IAC/B,OAAO,wBAAwB;IAC/B,iBAAiB,kCAAkC;IACnD,YAAY,6BAA6B;CAC1C;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,UAAU,EAAE,SAAS,EAAE,CAAA;IACvB,aAAa,EAAE,OAAO,CAAA;IACtB,gBAAgB,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED,oBAAY,UAAU;IACpB,KAAK,IAAA;IACL,OAAO,IAAA;IACP,OAAO,IAAA;CACR;AAED,KAAK,UAAU,GAAG;IAChB,WAAW,EAAE,IAAI,CAAA;CAClB,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;KACpB,CAAA;CACF,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;QACnB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,YAAY,GAAG;IAClB,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,YAAY,EAAE,OAAO,CAAA;KACtB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE;QACX,IAAI,EAAE,SAAS,CAAA;QACf,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,qBAAqB,GAAG;IAC3B,WAAW,EAAE;QACX,IAAI,EAAE,mBAAmB,CAAA;QACzB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,eAAe,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,SAAS,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,IAAI,CAAC,UAAU,CAAA;IACxB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC7B,CAAA;AAED,KAAK,sBAAsB,GAAG,eAAe,GAAG;IAC9C,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,SAAS,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE;QACJ,GAAG,EAAE,MAAM,CAAA;QACX,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;CACF,CAAA;AAED,qBAAa,YAAY;IAOd,cAAc,EAAE,cAAc;IAC9B,UAAU,EAAE,UAAU;IACtB,aAAa,EAAE,aAAa;IARrC,OAAO,CAAC,UAAU,CAAQ;IAC1B,OAAO,CAAC,OAAO,CAAW;IAC1B,OAAO,CAAC,UAAU,CAAQ;IACnB,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAA;gBAG5B,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,aAAa,EACnC,IAAI,EAAE,gBAAgB;IAUxB,cAAc,UACL,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAWnC;IAEH,UAAU,UACD,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,gBAAgB,UACP,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,OAAO,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAcpD;IAED,cAAc,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAc3D;IAED,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAG1D;IAED,0BAA0B,QACnB,MAAM,KACV,QAAQ,YAAY,GAAG,gBAAgB,GAAG,UAAU,CAAC,CAQvD;IAED,eAAe,QAAe,MAAM,KAAG,QAAQ,qBAAqB,CAAC,CAqBpE;IAED,uBAAuB,QAChB,MAAM,KACV,QAAQ,qBAAqB,GAAG,UAAU,CAAC,CAM7C;IAED,uBAAuB,UACd,QAAQ,UAAU,CAAC,WACd,MAAM,KAAG,QAAQ,qBAAqB,GAAG,YAAY,CAAC,CASjE;IAEH,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAwB1D;IAED,SAAS,QACF,MAAM,KACV,QAAQ,gBAAgB,GAAG,gBAAgB,CAAC,CAM9C;cAEe,kBAAkB,CAAC,EACjC,GAAG,GACJ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;cAarB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,aAAa,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,CAAC,
|
1
|
+
{"version":3,"file":"auth-verifier.d.ts","sourceRoot":"","sources":["../src/auth-verifier.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,SAAS,EAAoC,MAAM,aAAa,CAAA;AAIzE,OAAO,EAAE,UAAU,EAA0B,MAAM,mBAAmB,CAAA;AACtE,OAAO,EAEL,aAAa,EAEd,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAEL,mBAAmB,EAGnB,yBAAyB,EAI1B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAGlD,KAAK,MAAM,GAAG,mBAAmB,GAAG,yBAAyB,CAAA;AAG7D,oBAAY,SAAS;IACnB,MAAM,uBAAuB;IAC7B,OAAO,wBAAwB;IAC/B,OAAO,wBAAwB;IAC/B,iBAAiB,kCAAkC;IACnD,YAAY,6BAA6B;CAC1C;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,UAAU,EAAE,SAAS,EAAE,CAAA;IACvB,aAAa,EAAE,OAAO,CAAA;IACtB,gBAAgB,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED,oBAAY,UAAU;IACpB,KAAK,IAAA;IACL,OAAO,IAAA;IACP,OAAO,IAAA;CACR;AAED,KAAK,UAAU,GAAG;IAChB,WAAW,EAAE,IAAI,CAAA;CAClB,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;KACpB,CAAA;CACF,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;QACnB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,YAAY,GAAG;IAClB,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,YAAY,EAAE,OAAO,CAAA;KACtB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE;QACX,IAAI,EAAE,SAAS,CAAA;QACf,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,qBAAqB,GAAG;IAC3B,WAAW,EAAE;QACX,IAAI,EAAE,mBAAmB,CAAA;QACzB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,eAAe,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,SAAS,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,IAAI,CAAC,UAAU,CAAA;IACxB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC7B,CAAA;AAED,KAAK,sBAAsB,GAAG,eAAe,GAAG;IAC9C,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,SAAS,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE;QACJ,GAAG,EAAE,MAAM,CAAA;QACX,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;CACF,CAAA;AAED,qBAAa,YAAY;IAOd,cAAc,EAAE,cAAc;IAC9B,UAAU,EAAE,UAAU;IACtB,aAAa,EAAE,aAAa;IARrC,OAAO,CAAC,UAAU,CAAQ;IAC1B,OAAO,CAAC,OAAO,CAAW;IAC1B,OAAO,CAAC,UAAU,CAAQ;IACnB,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAA;gBAG5B,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,aAAa,EACnC,IAAI,EAAE,gBAAgB;IAUxB,cAAc,UACL,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAWnC;IAEH,UAAU,UACD,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,gBAAgB,UACP,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,OAAO,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAcpD;IAED,cAAc,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAc3D;IAED,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAG1D;IAED,0BAA0B,QACnB,MAAM,KACV,QAAQ,YAAY,GAAG,gBAAgB,GAAG,UAAU,CAAC,CAQvD;IAED,eAAe,QAAe,MAAM,KAAG,QAAQ,qBAAqB,CAAC,CAqBpE;IAED,uBAAuB,QAChB,MAAM,KACV,QAAQ,qBAAqB,GAAG,UAAU,CAAC,CAM7C;IAED,uBAAuB,UACd,QAAQ,UAAU,CAAC,WACd,MAAM,KAAG,QAAQ,qBAAqB,GAAG,YAAY,CAAC,CASjE;IAEH,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAwB1D;IAED,SAAS,QACF,MAAM,KACV,QAAQ,gBAAgB,GAAG,gBAAgB,CAAC,CAM9C;cAEe,kBAAkB,CAAC,EACjC,GAAG,GACJ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;cAarB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,aAAa,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,GAAG,KAAK,CAAC,GAC9D,OAAO,CAAC,sBAAsB,CAAC;cAiBlB,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,aAAa,EAAE,IAAI,CAAC,gBAAgB,GAClC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,GAAG,KAAK,CAAC,CAAC,GAC1D,OAAO,CAAC,eAAe,CAAC;cA2DX,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,EACE,aAAqB,EACrB,gBAAwB,GACzB,GAAE;QAAE,aAAa,CAAC,EAAE,OAAO,CAAC;QAAC,gBAAgB,CAAC,EAAE,OAAO,CAAA;KAAO,GAC9D,OAAO,CAAC,YAAY,CAAC;cAqDR,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cA4FR,yBAAyB,CACvC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cAsBR,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;KAAE;;;;IA2CpD,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU;IAOvC,aAAa,CACX,IAAI,EAAE,YAAY,GAAG,gBAAgB,GAAG,UAAU,EAClD,GAAG,EAAE,MAAM,GACV,OAAO;cAUM,SAAS,CACvB,KAAK,EAAE,MAAM,EACb,aAAa,CAAC,EAAE,IAAI,CAAC,gBAAgB;IAevC,SAAS,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM;CAOrC;AAKD,aAAK,QAAQ;IACX,KAAK,UAAU;IACf,MAAM,WAAW;IACjB,IAAI,SAAS;CACd;AAED,eAAO,MAAM,wBAAwB,mBACnB,MAAM,KACrB,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAqB/C,CAAA;AAsBD,eAAO,MAAM,cAAc,yBACH,MAAM,KAC3B;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAc3C,CAAA;AAOD,eAAO,MAAM,qBAAqB,WAAY,MAAM,KAAG,SAEtD,CAAA;AAED,eAAO,MAAM,qBAAqB,iBAAkB,MAAM,KAAG,SAG5D,CAAA"}
|
package/dist/auth-verifier.js
CHANGED
@@ -296,6 +296,7 @@ class AuthVerifier {
|
|
296
296
|
async validateRefreshToken(ctx, verifyOptions) {
|
297
297
|
const result = await this.validateBearerToken(ctx, [AuthScope.Refresh], {
|
298
298
|
...verifyOptions,
|
299
|
+
typ: 'refresh+jwt',
|
299
300
|
// when using entryway, proxying refresh credentials
|
300
301
|
audience: this.dids.entryway ? this.dids.entryway : this.dids.pds,
|
301
302
|
});
|
@@ -311,13 +312,25 @@ class AuthVerifier {
|
|
311
312
|
if (!token) {
|
312
313
|
throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
|
313
314
|
}
|
314
|
-
const { payload, protectedHeader } = await this.jwtVerify(token,
|
315
|
-
|
316
|
-
|
317
|
-
|
318
|
-
|
319
|
-
|
320
|
-
|
315
|
+
const { payload, protectedHeader } = await this.jwtVerify(token,
|
316
|
+
// @TODO: Once all access & refresh tokens have a "typ" claim (i.e. 90
|
317
|
+
// days after this code was deployed), replace the following line with
|
318
|
+
// "verifyOptions," (to re-enable the verification of the "typ" property
|
319
|
+
// from verifyJwt()). Once the change is made, the "if" block below that
|
320
|
+
// checks for "typ" can be removed.
|
321
|
+
{
|
322
|
+
...verifyOptions,
|
323
|
+
typ: undefined,
|
324
|
+
});
|
325
|
+
// @TODO: remove the next check once all access & refresh tokens have "typ"
|
326
|
+
// Note: when removing the check, make sure that the "verifyOptions"
|
327
|
+
// contains the "typ" property, so that the token is verified correctly by
|
328
|
+
// this.verifyJwt()
|
329
|
+
if (protectedHeader.typ && verifyOptions.typ !== protectedHeader.typ) {
|
330
|
+
// Temporarily allow historical tokens without "typ" to pass through. See:
|
331
|
+
// createAccessToken() and createRefreshToken() in
|
332
|
+
// src/account-manager/helpers/auth.ts
|
333
|
+
throw new xrpc_server_1.InvalidRequestError('Invalid token type', 'InvalidToken');
|
321
334
|
}
|
322
335
|
const { sub, aud, scope } = payload;
|
323
336
|
if (typeof sub !== 'string' || !sub.startsWith('did:')) {
|
@@ -327,8 +340,9 @@ class AuthVerifier {
|
|
327
340
|
(typeof aud !== 'string' || !aud.startsWith('did:'))) {
|
328
341
|
throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
|
329
342
|
}
|
330
|
-
if (payload
|
331
|
-
//
|
343
|
+
if (payload['cnf'] !== undefined) {
|
344
|
+
// Proof-of-Possession (PoP) tokens are not allowed here
|
345
|
+
// https://www.rfc-editor.org/rfc/rfc7800.html
|
332
346
|
throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
|
333
347
|
}
|
334
348
|
if (!isAuthScope(scope) || (scopes.length > 0 && !scopes.includes(scope))) {
|
@@ -379,9 +393,6 @@ class AuthVerifier {
|
|
379
393
|
return accessOutput;
|
380
394
|
}
|
381
395
|
async validateDpopAccessToken(ctx, scopes) {
|
382
|
-
if (!scopes.includes(AuthScope.Access)) {
|
383
|
-
throw new xrpc_server_1.InvalidRequestError('DPoP access token cannot be used for this request', 'InvalidToken');
|
384
|
-
}
|
385
396
|
this.setAuthHeaders(ctx);
|
386
397
|
const { req } = ctx;
|
387
398
|
const res = 'res' in ctx ? ctx.res : null;
|
@@ -401,13 +412,33 @@ class AuthVerifier {
|
|
401
412
|
if (typeof sub !== 'string' || !sub.startsWith('did:')) {
|
402
413
|
throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
|
403
414
|
}
|
415
|
+
const tokenScopes = new Set(result.claims.scope?.split(' '));
|
416
|
+
if (!tokenScopes.has('transition:generic')) {
|
417
|
+
throw new xrpc_server_1.AuthRequiredError('Missing required scope: transition:generic', 'InvalidToken');
|
418
|
+
}
|
419
|
+
const scopeEquivalent = tokenScopes.has('transition:chat.bsky')
|
420
|
+
? AuthScope.AppPassPrivileged
|
421
|
+
: AuthScope.AppPass;
|
422
|
+
if (!scopes.includes(scopeEquivalent)) {
|
423
|
+
// AppPassPrivileged is sufficient but was not provided "transition:chat.bsky"
|
424
|
+
if (scopes.includes(AuthScope.AppPassPrivileged)) {
|
425
|
+
throw new xrpc_server_1.InvalidRequestError('Missing required scope: transition:chat.bsky', 'InvalidToken');
|
426
|
+
}
|
427
|
+
// AuthScope.Access and AuthScope.SignupQueued do not have an OAuth
|
428
|
+
// scope equivalent.
|
429
|
+
throw new xrpc_server_1.InvalidRequestError('DPoP access token cannot be used for this request', 'InvalidToken');
|
430
|
+
}
|
431
|
+
const isPrivileged = [
|
432
|
+
AuthScope.Access,
|
433
|
+
AuthScope.AppPassPrivileged,
|
434
|
+
].includes(scopeEquivalent);
|
404
435
|
return {
|
405
436
|
credentials: {
|
406
437
|
type: 'access',
|
407
438
|
did: result.claims.sub,
|
408
|
-
scope:
|
439
|
+
scope: scopeEquivalent,
|
409
440
|
audience: this.dids.pds,
|
410
|
-
isPrivileged
|
441
|
+
isPrivileged,
|
411
442
|
},
|
412
443
|
artifacts: result.token,
|
413
444
|
};
|
@@ -426,7 +457,7 @@ class AuthVerifier {
|
|
426
457
|
}
|
427
458
|
}
|
428
459
|
async validateBearerAccessToken(ctx, scopes) {
|
429
|
-
const { did, scope, token, audience } = await this.validateBearerToken(ctx, scopes, { audience: this.dids.pds });
|
460
|
+
const { did, scope, token, audience } = await this.validateBearerToken(ctx, scopes, { audience: this.dids.pds, typ: 'at+jwt' });
|
430
461
|
const isPrivileged = [
|
431
462
|
AuthScope.Access,
|
432
463
|
AuthScope.AppPassPrivileged,
|