@atproto/pds 0.4.53 → 0.4.54

Files changed (121) hide show
  1. package/CHANGELOG.md +24 -0
  2. package/dist/account-manager/helpers/auth.d.ts.map +1 -1
  3. package/dist/account-manager/helpers/auth.js +8 -2
  4. package/dist/account-manager/helpers/auth.js.map +1 -1
  5. package/dist/api/com/atproto/admin/sendEmail.js +1 -4
  6. package/dist/api/com/atproto/admin/sendEmail.js.map +1 -1
  7. package/dist/api/com/atproto/admin/updateAccountEmail.js +2 -2
  8. package/dist/api/com/atproto/admin/updateAccountEmail.js.map +1 -1
  9. package/dist/api/com/atproto/admin/updateAccountPassword.js +2 -2
  10. package/dist/api/com/atproto/admin/updateAccountPassword.js.map +1 -1
  11. package/dist/api/com/atproto/identity/requestPlcOperationSignature.d.ts +1 -1
  12. package/dist/api/com/atproto/identity/requestPlcOperationSignature.d.ts.map +1 -1
  13. package/dist/api/com/atproto/identity/requestPlcOperationSignature.js +8 -3
  14. package/dist/api/com/atproto/identity/requestPlcOperationSignature.js.map +1 -1
  15. package/dist/api/com/atproto/identity/signPlcOperation.d.ts +1 -1
  16. package/dist/api/com/atproto/identity/signPlcOperation.d.ts.map +1 -1
  17. package/dist/api/com/atproto/identity/signPlcOperation.js +9 -3
  18. package/dist/api/com/atproto/identity/signPlcOperation.js.map +1 -1
  19. package/dist/api/com/atproto/identity/updateHandle.d.ts.map +1 -1
  20. package/dist/api/com/atproto/identity/updateHandle.js +8 -3
  21. package/dist/api/com/atproto/identity/updateHandle.js.map +1 -1
  22. package/dist/api/com/atproto/server/activateAccount.d.ts +1 -1
  23. package/dist/api/com/atproto/server/activateAccount.d.ts.map +1 -1
  24. package/dist/api/com/atproto/server/activateAccount.js +9 -4
  25. package/dist/api/com/atproto/server/activateAccount.js.map +1 -1
  26. package/dist/api/com/atproto/server/confirmEmail.d.ts +1 -1
  27. package/dist/api/com/atproto/server/confirmEmail.d.ts.map +1 -1
  28. package/dist/api/com/atproto/server/confirmEmail.js +8 -3
  29. package/dist/api/com/atproto/server/confirmEmail.js.map +1 -1
  30. package/dist/api/com/atproto/server/createAppPassword.d.ts.map +1 -1
  31. package/dist/api/com/atproto/server/createAppPassword.js +8 -2
  32. package/dist/api/com/atproto/server/createAppPassword.js.map +1 -1
  33. package/dist/api/com/atproto/server/deactivateAccount.d.ts +1 -1
  34. package/dist/api/com/atproto/server/deactivateAccount.d.ts.map +1 -1
  35. package/dist/api/com/atproto/server/deactivateAccount.js +8 -3
  36. package/dist/api/com/atproto/server/deactivateAccount.js.map +1 -1
  37. package/dist/api/com/atproto/server/getAccountInviteCodes.d.ts +1 -1
  38. package/dist/api/com/atproto/server/getAccountInviteCodes.d.ts.map +1 -1
  39. package/dist/api/com/atproto/server/getAccountInviteCodes.js +9 -3
  40. package/dist/api/com/atproto/server/getAccountInviteCodes.js.map +1 -1
  41. package/dist/api/com/atproto/server/getServiceAuth.d.ts.map +1 -1
  42. package/dist/api/com/atproto/server/getServiceAuth.js +7 -4
  43. package/dist/api/com/atproto/server/getServiceAuth.js.map +1 -1
  44. package/dist/api/com/atproto/server/listAppPasswords.d.ts.map +1 -1
  45. package/dist/api/com/atproto/server/listAppPasswords.js +8 -2
  46. package/dist/api/com/atproto/server/listAppPasswords.js.map +1 -1
  47. package/dist/api/com/atproto/server/requestAccountDelete.d.ts +1 -1
  48. package/dist/api/com/atproto/server/requestAccountDelete.d.ts.map +1 -1
  49. package/dist/api/com/atproto/server/requestAccountDelete.js +8 -3
  50. package/dist/api/com/atproto/server/requestAccountDelete.js.map +1 -1
  51. package/dist/api/com/atproto/server/requestEmailConfirmation.d.ts +1 -1
  52. package/dist/api/com/atproto/server/requestEmailConfirmation.d.ts.map +1 -1
  53. package/dist/api/com/atproto/server/requestEmailConfirmation.js +8 -3
  54. package/dist/api/com/atproto/server/requestEmailConfirmation.js.map +1 -1
  55. package/dist/api/com/atproto/server/requestEmailUpdate.d.ts +1 -1
  56. package/dist/api/com/atproto/server/requestEmailUpdate.d.ts.map +1 -1
  57. package/dist/api/com/atproto/server/requestEmailUpdate.js +8 -2
  58. package/dist/api/com/atproto/server/requestEmailUpdate.js.map +1 -1
  59. package/dist/api/com/atproto/server/revokeAppPassword.d.ts.map +1 -1
  60. package/dist/api/com/atproto/server/revokeAppPassword.js +8 -3
  61. package/dist/api/com/atproto/server/revokeAppPassword.js.map +1 -1
  62. package/dist/api/com/atproto/server/updateEmail.d.ts +1 -1
  63. package/dist/api/com/atproto/server/updateEmail.d.ts.map +1 -1
  64. package/dist/api/com/atproto/server/updateEmail.js +6 -4
  65. package/dist/api/com/atproto/server/updateEmail.js.map +1 -1
  66. package/dist/api/proxy.js +5 -1
  67. package/dist/api/proxy.js.map +1 -1
  68. package/dist/auth-routes.d.ts.map +1 -1
  69. package/dist/auth-routes.js +3 -1
  70. package/dist/auth-routes.js.map +1 -1
  71. package/dist/auth-verifier.d.ts +2 -2
  72. package/dist/auth-verifier.d.ts.map +1 -1
  73. package/dist/auth-verifier.js +46 -15
  74. package/dist/auth-verifier.js.map +1 -1
  75. package/dist/index.d.ts.map +1 -1
  76. package/dist/index.js +6 -6
  77. package/dist/index.js.map +1 -1
  78. package/dist/lexicon/lexicons.d.ts +4 -0
  79. package/dist/lexicon/lexicons.d.ts.map +1 -1
  80. package/dist/lexicon/lexicons.js +4 -0
  81. package/dist/lexicon/lexicons.js.map +1 -1
  82. package/dist/lexicon/types/app/bsky/feed/getPostThread.d.ts +1 -0
  83. package/dist/lexicon/types/app/bsky/feed/getPostThread.d.ts.map +1 -1
  84. package/dist/oauth/provider.d.ts.map +1 -1
  85. package/dist/oauth/provider.js +1 -0
  86. package/dist/oauth/provider.js.map +1 -1
  87. package/dist/pipethrough.d.ts +1 -0
  88. package/dist/pipethrough.d.ts.map +1 -1
  89. package/dist/pipethrough.js +23 -2
  90. package/dist/pipethrough.js.map +1 -1
  91. package/package.json +11 -11
  92. package/src/account-manager/helpers/auth.ts +8 -2
  93. package/src/api/com/atproto/admin/sendEmail.ts +5 -5
  94. package/src/api/com/atproto/admin/updateAccountEmail.ts +1 -1
  95. package/src/api/com/atproto/admin/updateAccountPassword.ts +1 -1
  96. package/src/api/com/atproto/identity/requestPlcOperationSignature.ts +13 -5
  97. package/src/api/com/atproto/identity/signPlcOperation.ts +15 -6
  98. package/src/api/com/atproto/identity/updateHandle.ts +10 -3
  99. package/src/api/com/atproto/server/activateAccount.ts +14 -5
  100. package/src/api/com/atproto/server/confirmEmail.ts +13 -5
  101. package/src/api/com/atproto/server/createAppPassword.ts +12 -3
  102. package/src/api/com/atproto/server/deactivateAccount.ts +11 -4
  103. package/src/api/com/atproto/server/getAccountInviteCodes.ts +14 -5
  104. package/src/api/com/atproto/server/getServiceAuth.ts +14 -9
  105. package/src/api/com/atproto/server/listAppPasswords.ts +11 -3
  106. package/src/api/com/atproto/server/requestAccountDelete.ts +12 -4
  107. package/src/api/com/atproto/server/requestEmailConfirmation.ts +12 -4
  108. package/src/api/com/atproto/server/requestEmailUpdate.ts +13 -4
  109. package/src/api/com/atproto/server/revokeAppPassword.ts +10 -3
  110. package/src/api/com/atproto/server/updateEmail.ts +14 -6
  111. package/src/api/proxy.ts +5 -1
  112. package/src/auth-routes.ts +3 -1
  113. package/src/auth-verifier.ts +63 -21
  114. package/src/index.ts +6 -7
  115. package/src/lexicon/lexicons.ts +4 -0
  116. package/src/lexicon/types/app/bsky/feed/getPostThread.ts +1 -0
  117. package/src/oauth/provider.ts +2 -0
  118. package/src/pipethrough.ts +25 -1
  119. package/tests/app-passwords.test.ts +2 -2
  120. package/tests/auth.test.ts +1 -1
  121. package/tests/entryway.test.ts +30 -4
@@ -22,10 +22,13 @@ function default_1(server, ctx) {
22
22
  throw new xrpc_server_1.InvalidRequestError('cannot request a method-less token with an expiration more than a minute in the future', 'BadExpiration');
23
23
  }
24
24
  }
25
- if (!auth.credentials.isPrivileged &&
26
- lxm &&
27
- pipethrough_1.PRIVILEGED_METHODS.has(lxm)) {
28
- throw new xrpc_server_1.InvalidRequestError(`cannot request a service auth token for the following method with an app password: ${lxm}`);
25
+ if (lxm) {
26
+ if (pipethrough_1.PROTECTED_METHODS.has(lxm)) {
27
+ throw new xrpc_server_1.InvalidRequestError(`cannot request a service auth token for the following protected method: ${lxm}`);
28
+ }
29
+ if (!auth.credentials.isPrivileged && pipethrough_1.PRIVILEGED_METHODS.has(lxm)) {
30
+ throw new xrpc_server_1.InvalidRequestError(`insufficient access to request a service auth token for the following method: ${lxm}`);
31
+ }
29
32
  }
30
33
  const keypair = await ctx.actorStore.keypair(did);
31
34
  const token = await (0, xrpc_server_1.createServiceJwt)({
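Review bot: Both new checks on new lines 25–31 sit inside `if (lxm)`, so a request without `lxm` skips the `PROTECTED_METHODS` and `PRIVILEGED_METHODS` gates entirely and is bounded only by the one-minute expiration cap for method-less tokens shown just above. That is sound only if every service accepting these tokens rejects one that lacks an `lxm` claim for protected and privileged methods, which this hunk does not show. I would record that dependency next to the check, for example `// method-less tokens bypass both gates; receivers must require lxm for protected/privileged methods`, and pin it with a case in `package/tests/entryway.test.ts`. This file is compiled output, so the comment belongs in `package/src/api/com/atproto/server/getServiceAuth.ts`; the handler starts and ends outside the hunk.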
@@ -1 +1 @@
1
- {"version":3,"file":"getServiceAuth.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":";;AAAA,sDAA4E;AAC5E,4CAA8C;AAG9C,yDAA4D;AAE5D,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC;QACvC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,EAAE,GAAG,MAAM,CAAA;YAClC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAA;YACtD,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,IAAI,GAAG,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;gBAC7B,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;oBACb,MAAM,IAAI,iCAAmB,CAC3B,uBAAuB,EACvB,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,IAAI,GAAG,aAAI,EAAE,CAAC;oBACvB,MAAM,IAAI,iCAAmB,CAC3B,2EAA2E,EAC3E,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,CAAC,GAAG,IAAI,IAAI,GAAG,eAAM,EAAE,CAAC;oBACjC,MAAM,IAAI,iCAAmB,CAC3B,wFAAwF,EACxF,eAAe,CAChB,CAAA;gBACH,CAAC;YACH,CAAC;YACD,IACE,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC9B,GAAG;gBACH,gCAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,EAC3B,CAAC;gBACD,MAAM,IAAI,iCAAmB,CAC3B,sFAAsF,GAAG,EAAE,CAC5F,CAAA;YACH,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAEjD,MAAM,KAAK,GAAG,MAAM,IAAA,8BAAgB,EAAC;gBACnC,GAAG,EAAE,GAAG;gBACR,GAAG;gBACH,GAAG;gBACH,GAAG;gBACH,OAAO;aACR,CAAC,CAAA;YACF,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,KAAK;iBACN;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AApDD,4BAoDC"}
1
+ {"version":3,"file":"getServiceAuth.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":";;AAAA,sDAA4E;AAC5E,4CAA8C;AAG9C,yDAA+E;AAE/E,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC;QACvC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,EAAE,GAAG,MAAM,CAAA;YAClC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAA;YACtD,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,IAAI,GAAG,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;gBAC7B,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;oBACb,MAAM,IAAI,iCAAmB,CAC3B,uBAAuB,EACvB,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,IAAI,GAAG,aAAI,EAAE,CAAC;oBACvB,MAAM,IAAI,iCAAmB,CAC3B,2EAA2E,EAC3E,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,CAAC,GAAG,IAAI,IAAI,GAAG,eAAM,EAAE,CAAC;oBACjC,MAAM,IAAI,iCAAmB,CAC3B,wFAAwF,EACxF,eAAe,CAChB,CAAA;gBACH,CAAC;YACH,CAAC;YAED,IAAI,GAAG,EAAE,CAAC;gBACR,IAAI,+BAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/B,MAAM,IAAI,iCAAmB,CAC3B,2EAA2E,GAAG,EAAE,CACjF,CAAA;gBACH,CAAC;gBACD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY,IAAI,gCAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBAClE,MAAM,IAAI,iCAAmB,CAC3B,iFAAiF,GAAG,EAAE,CACvF,CAAA;gBACH,CAAC;YACH,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAEjD,MAAM,KAAK,GAAG,MAAM,IAAA,8BAAgB,EAAC;gBACnC,GAAG,EAAE,GAAG;gBACR,GAAG;gBACH,GAAG;gBACH,GAAG;gBACH,OAAO;aACR,CAAC,CAAA;YACF,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,KAAK;iBACN;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAzDD,4BAyDC"}
@@ -1 +1 @@
1
- {"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAsBvD"}
1
+ {"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAI5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2BvD"}
@@ -1,12 +1,18 @@
1
1
  "use strict";
2
+ var __importDefault = (this && this.__importDefault) || function (mod) {
3
+ return (mod && mod.__esModule) ? mod : { "default": mod };
4
+ };
2
5
  Object.defineProperty(exports, "__esModule", { value: true });
6
+ const node_assert_1 = __importDefault(require("node:assert"));
7
+ const lexicons_1 = require("../../../../lexicon/lexicons");
3
8
  const proxy_1 = require("../../../proxy");
4
9
  function default_1(server, ctx) {
5
10
  server.com.atproto.server.listAppPasswords({
6
11
  auth: ctx.authVerifier.accessStandard(),
7
- handler: async ({ auth, req }) => {
12
+ handler: async ({ auth }) => {
8
13
  if (ctx.entrywayAgent) {
9
- return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.listAppPasswords(undefined, (0, proxy_1.authPassthru)(req)));
14
+ (0, node_assert_1.default)(ctx.cfg.entryway);
15
+ return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.listAppPasswords(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerListAppPasswords)));
10
16
  }
11
17
  const passwords = await ctx.accountManager.listAppPasswords(auth.credentials.did);
12
18
  return {
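Review bot: With `authPassthru(req)` replaced by `ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerListAppPasswords)` on new line 15, the entryway no longer receives the caller's own token, only one the PDS signs for the DID, so `ctx.authVerifier.accessStandard()` on line 11 becomes the only place the caller's scope is checked. If `accessStandard()` admits app-password sessions (not visible here), confirm that such a session listing app passwords is intended, since the entryway can presumably no longer tell it apart from a full session. The same question applies to the `accessStandard` handlers in revokeAppPassword.js, requestEmailConfirmation.js and requestEmailUpdate.js further down. A comment above the `auth:` line in the `.ts` source, such as `// sole scope gate: entryway receives a PDS-signed service token, not the caller's credentials`, would make the new trust boundary explicit. The handler continues past the end of the hunk.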
@@ -1 +1 @@
1
- {"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":";;AAEA,0CAA6D;AAE7D,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACzC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;YAC/B,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CACzD,SAAS,EACT,IAAA,oBAAY,EAAC,GAAG,CAAC,CAClB,CACF,CAAA;YACH,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACzD,IAAI,CAAC,WAAW,CAAC,GAAG,CACrB,CAAA;YACD,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE,EAAE,SAAS,EAAE;aACpB,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAtBD,4BAsBC"}
1
+ {"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAIhC,2DAAkD;AAClD,0CAA+C;AAE/C,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACzC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CACzD,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,gCAAgC,CACrC,CACF,CACF,CAAA;YACH,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACzD,IAAI,CAAC,WAAW,CAAC,GAAG,CACrB,CAAA;YACD,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE,EAAE,SAAS,EAAE;aACpB,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3BD,4BA2BC"}
@@ -1,4 +1,4 @@
1
- import { Server } from '../../../../lexicon';
2
1
  import AppContext from '../../../../context';
2
+ import { Server } from '../../../../lexicon';
3
3
  export default function (server: Server, ctx: AppContext): void;
4
4
  //# sourceMappingURL=requestAccountDelete.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"requestAccountDelete.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2CvD"}
1
+ {"version":3,"file":"requestAccountDelete.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":"AAKA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAgDvD"}
@@ -1,8 +1,12 @@
1
1
  "use strict";
2
+ var __importDefault = (this && this.__importDefault) || function (mod) {
3
+ return (mod && mod.__esModule) ? mod : { "default": mod };
4
+ };
2
5
  Object.defineProperty(exports, "__esModule", { value: true });
6
+ const node_assert_1 = __importDefault(require("node:assert"));
3
7
  const common_1 = require("@atproto/common");
4
8
  const xrpc_server_1 = require("@atproto/xrpc-server");
5
- const proxy_1 = require("../../../proxy");
9
+ const lexicons_1 = require("../../../../lexicon/lexicons");
6
10
  function default_1(server, ctx) {
7
11
  server.com.atproto.server.requestAccountDelete({
8
12
  rateLimit: [
@@ -18,7 +22,7 @@ function default_1(server, ctx) {
18
22
  },
19
23
  ],
20
24
  auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
21
- handler: async ({ auth, req }) => {
25
+ handler: async ({ auth }) => {
22
26
  const did = auth.credentials.did;
23
27
  const account = await ctx.accountManager.getAccount(did, {
24
28
  includeDeactivated: true,
@@ -28,7 +32,8 @@ function default_1(server, ctx) {
28
32
  throw new xrpc_server_1.InvalidRequestError('account not found');
29
33
  }
30
34
  if (ctx.entrywayAgent) {
31
- await ctx.entrywayAgent.com.atproto.server.requestAccountDelete(undefined, (0, proxy_1.authPassthru)(req));
35
+ (0, node_assert_1.default)(ctx.cfg.entryway);
36
+ await ctx.entrywayAgent.com.atproto.server.requestAccountDelete(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRequestAccountDelete));
32
37
  return;
33
38
  }
34
39
  if (!account.email) {
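Review bot: `(0, node_assert_1.default)(ctx.cfg.entryway)` on new line 35 re-checks configuration on every request, and when `ctx.entrywayAgent` is set but `ctx.cfg.entryway` is not, it throws an `AssertionError` rather than an XRPC error, which the caller would presumably see as an internal server error. Validating this once where `entrywayAgent` is built, or throwing a typed error here, would keep a misconfiguration out of the request path. The same assert is added in listAppPasswords.js, requestEmailConfirmation.js, requestEmailUpdate.js and revokeAppPassword.js. The handler body continues outside the last hunk of this section.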
@@ -1 +1 @@
1
- {"version":3,"file":"requestAccountDelete.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":";;AAAA,4CAA2C;AAC3C,sDAA0D;AAG1D,0CAA6C;AAE7C,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC;QAC7C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;YAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAC7D,SAAS,EACT,IAAA,oBAAY,EAAC,GAAG,CAAC,CAClB,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,gBAAgB,CACjB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACtE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3CD,4BA2CC"}
1
+ {"version":3,"file":"requestAccountDelete.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,4CAA2C;AAC3C,sDAA0D;AAI1D,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC;QAC7C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAC7D,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,oCAAoC,CACzC,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,gBAAgB,CACjB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACtE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAhDD,4BAgDC"}
@@ -1,4 +1,4 @@
1
- import { Server } from '../../../../lexicon';
2
1
  import AppContext from '../../../../context';
2
+ import { Server } from '../../../../lexicon';
3
3
  export default function (server: Server, ctx: AppContext): void;
4
4
  //# sourceMappingURL=requestEmailConfirmation.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"requestEmailConfirmation.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2CvD"}
1
+ {"version":3,"file":"requestEmailConfirmation.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":"AAKA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAgDvD"}
@@ -1,8 +1,12 @@
1
1
  "use strict";
2
+ var __importDefault = (this && this.__importDefault) || function (mod) {
3
+ return (mod && mod.__esModule) ? mod : { "default": mod };
4
+ };
2
5
  Object.defineProperty(exports, "__esModule", { value: true });
6
+ const node_assert_1 = __importDefault(require("node:assert"));
3
7
  const common_1 = require("@atproto/common");
4
8
  const xrpc_server_1 = require("@atproto/xrpc-server");
5
- const proxy_1 = require("../../../proxy");
9
+ const lexicons_1 = require("../../../../lexicon/lexicons");
6
10
  function default_1(server, ctx) {
7
11
  server.com.atproto.server.requestEmailConfirmation({
8
12
  rateLimit: [
@@ -18,7 +22,7 @@ function default_1(server, ctx) {
18
22
  },
19
23
  ],
20
24
  auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
21
- handler: async ({ auth, req }) => {
25
+ handler: async ({ auth }) => {
22
26
  const did = auth.credentials.did;
23
27
  const account = await ctx.accountManager.getAccount(did, {
24
28
  includeDeactivated: true,
@@ -28,7 +32,8 @@ function default_1(server, ctx) {
28
32
  throw new xrpc_server_1.InvalidRequestError('account not found');
29
33
  }
30
34
  if (ctx.entrywayAgent) {
31
- await ctx.entrywayAgent.com.atproto.server.requestEmailConfirmation(undefined, (0, proxy_1.authPassthru)(req));
35
+ (0, node_assert_1.default)(ctx.cfg.entryway);
36
+ await ctx.entrywayAgent.com.atproto.server.requestEmailConfirmation(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRequestEmailConfirmation));
32
37
  return;
33
38
  }
34
39
  if (!account.email) {
@@ -1 +1 @@
1
- {"version":3,"file":"requestEmailConfirmation.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":";;AAAA,4CAA2C;AAC3C,sDAA0D;AAG1D,0CAA6C;AAE7C,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CAAC;QACjD,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;YAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CACjE,SAAS,EACT,IAAA,oBAAY,EAAC,GAAG,CAAC,CAClB,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,eAAe,CAChB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACrE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3CD,4BA2CC"}
1
+ {"version":3,"file":"requestEmailConfirmation.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,4CAA2C;AAC3C,sDAA0D;AAI1D,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CAAC;QACjD,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CACjE,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,wCAAwC,CAC7C,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,eAAe,CAChB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACrE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAhDD,4BAgDC"}
@@ -1,4 +1,4 @@
1
- import { Server } from '../../../../lexicon';
2
1
  import AppContext from '../../../../context';
2
+ import { Server } from '../../../../lexicon';
3
3
  export default function (server: Server, ctx: AppContext): void;
4
4
  //# sourceMappingURL=requestEmailUpdate.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"requestEmailUpdate.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAuDvD"}
1
+ {"version":3,"file":"requestEmailUpdate.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":"AAKA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAI5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA4DvD"}
@@ -1,8 +1,13 @@
1
1
  "use strict";
2
+ var __importDefault = (this && this.__importDefault) || function (mod) {
3
+ return (mod && mod.__esModule) ? mod : { "default": mod };
4
+ };
2
5
  Object.defineProperty(exports, "__esModule", { value: true });
6
+ const node_assert_1 = __importDefault(require("node:assert"));
3
7
  const common_1 = require("@atproto/common");
4
8
  const xrpc_server_1 = require("@atproto/xrpc-server");
5
9
  const proxy_1 = require("../../../proxy");
10
+ const lexicons_1 = require("../../../../lexicon/lexicons");
6
11
  function default_1(server, ctx) {
7
12
  server.com.atproto.server.requestEmailUpdate({
8
13
  rateLimit: [
@@ -18,7 +23,7 @@ function default_1(server, ctx) {
18
23
  },
19
24
  ],
20
25
  auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
21
- handler: async ({ auth, req }) => {
26
+ handler: async ({ auth }) => {
22
27
  const did = auth.credentials.did;
23
28
  const account = await ctx.accountManager.getAccount(did, {
24
29
  includeDeactivated: true,
@@ -28,7 +33,8 @@ function default_1(server, ctx) {
28
33
  throw new xrpc_server_1.InvalidRequestError('account not found');
29
34
  }
30
35
  if (ctx.entrywayAgent) {
31
- return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.requestEmailUpdate(undefined, (0, proxy_1.authPassthru)(req)));
36
+ (0, node_assert_1.default)(ctx.cfg.entryway);
37
+ return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.requestEmailUpdate(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRequestEmailUpdate)));
32
38
  }
33
39
  if (!account.email) {
34
40
  throw new xrpc_server_1.InvalidRequestError('account does not have an email address');
@@ -1 +1 @@
1
- {"version":3,"file":"requestEmailUpdate.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":";;AAAA,4CAA2C;AAC3C,sDAA0D;AAG1D,0CAA6D;AAE7D,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC;QAC3C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;YAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAC3D,SAAS,EACT,IAAA,oBAAY,EAAC,GAAG,CAAC,CAClB,CACF,CAAA;YACH,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YAED,MAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAA;YAChD,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,cAAc,CACf,CAAA;gBACD,MAAM,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;YACpE,CAAC;YAED,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,aAAa;iBACd;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAvDD,4BAuDC"}
1
+ {"version":3,"file":"requestEmailUpdate.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,4CAA2C;AAC3C,sDAA0D;AAI1D,0CAA+C;AAC/C,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC;QAC3C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAC3D,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,kCAAkC,CACvC,CACF,CACF,CAAA;YACH,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YAED,MAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAA;YAChD,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,cAAc,CACf,CAAA;gBACD,MAAM,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;YACpE,CAAC;YAED,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,aAAa;iBACd;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA5DD,4BA4DC"}
@@ -1 +1 @@
1
- {"version":3,"file":"revokeAppPassword.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAkBvD"}
1
+ {"version":3,"file":"revokeAppPassword.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAuBvD"}
@@ -1,12 +1,17 @@
1
1
  "use strict";
2
+ var __importDefault = (this && this.__importDefault) || function (mod) {
3
+ return (mod && mod.__esModule) ? mod : { "default": mod };
4
+ };
2
5
  Object.defineProperty(exports, "__esModule", { value: true });
3
- const proxy_1 = require("../../../proxy");
6
+ const node_assert_1 = __importDefault(require("node:assert"));
7
+ const lexicons_1 = require("../../../../lexicon/lexicons");
4
8
  function default_1(server, ctx) {
5
9
  server.com.atproto.server.revokeAppPassword({
6
10
  auth: ctx.authVerifier.accessStandard(),
7
- handler: async ({ auth, input, req }) => {
11
+ handler: async ({ auth, input }) => {
8
12
  if (ctx.entrywayAgent) {
9
- await ctx.entrywayAgent.com.atproto.server.revokeAppPassword(input.body, (0, proxy_1.authPassthru)(req, true));
13
+ (0, node_assert_1.default)(ctx.cfg.entryway);
14
+ await ctx.entrywayAgent.com.atproto.server.revokeAppPassword(input.body, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRevokeAppPassword));
10
15
  return;
11
16
  }
12
17
  const requester = auth.credentials.did;
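Review bot: The added `(0, node_assert_1.default)(ctx.cfg.entryway)` turns a configuration invariant into a per-request assertion: if `ctx.entrywayAgent` is ever set without `ctx.cfg.entryway`, the handler throws an `AssertionError` rather than an XRPC error, which presumably reaches the client as an internal server error. Checking this once where `entrywayAgent` is constructed would fail at startup instead of on the first revoke call; that code is outside this hunk, so this is a suggestion rather than a confirmed gap. The forwarded credential is now a service token built from `auth.credentials.did`, the entryway DID and the method id only, so a comment above the call such as `// entryway relies on this PDS's accessStandard() check; the caller's scope is not forwarded` would record where the authorization decision is made (whether the entryway re-checks scope is not visible here). The same pattern appears in the updateEmail.js hunk at `@@ -23,7 +24,8 @@`. The handler body continues past the end of the hunk.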
@@ -1 +1 @@
1
- {"version":3,"file":"revokeAppPassword.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":";;AAEA,0CAA6C;AAE7C,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC;QAC1C,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE;YACtC,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAC1D,KAAK,CAAC,IAAI,EACV,IAAA,oBAAY,EAAC,GAAG,EAAE,IAAI,CAAC,CACxB,CAAA;gBACD,OAAM;YACR,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YACtC,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YAE3B,MAAM,GAAG,CAAC,cAAc,CAAC,iBAAiB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;QAC7D,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAlBD,4BAkBC"}
1
+ {"version":3,"file":"revokeAppPassword.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAIhC,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC;QAC1C,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;YACjC,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAC1D,KAAK,CAAC,IAAI,EACV,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,iCAAiC,CACtC,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YACtC,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YAE3B,MAAM,GAAG,CAAC,cAAc,CAAC,iBAAiB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;QAC7D,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAvBD,4BAuBC"}
@@ -1,4 +1,4 @@
1
- import { Server } from '../../../../lexicon';
2
1
  import AppContext from '../../../../context';
2
+ import { Server } from '../../../../lexicon';
3
3
  export default function (server: Server, ctx: AppContext): void;
4
4
  //# sourceMappingURL=updateEmail.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"updateEmail.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAI5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAsDvD"}
1
+ {"version":3,"file":"updateEmail.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":"AAMA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2DvD"}
@@ -3,14 +3,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
3
3
  return (mod && mod.__esModule) ? mod : { "default": mod };
4
4
  };
5
5
  Object.defineProperty(exports, "__esModule", { value: true });
6
- const disposable_email_1 = __importDefault(require("disposable-email"));
6
+ const node_assert_1 = __importDefault(require("node:assert"));
7
7
  const xrpc_server_1 = require("@atproto/xrpc-server");
8
- const proxy_1 = require("../../../proxy");
8
+ const disposable_email_1 = __importDefault(require("disposable-email"));
9
9
  const account_1 = require("../../../../account-manager/helpers/account");
10
+ const lexicons_1 = require("../../../../lexicon/lexicons");
10
11
  function default_1(server, ctx) {
11
12
  server.com.atproto.server.updateEmail({
12
13
  auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
13
- handler: async ({ auth, input, req }) => {
14
+ handler: async ({ auth, input }) => {
14
15
  const did = auth.credentials.did;
15
16
  const { token, email } = input.body;
16
17
  if (!disposable_email_1.default.validate(email)) {
@@ -23,7 +24,8 @@ function default_1(server, ctx) {
23
24
  throw new xrpc_server_1.InvalidRequestError('account not found');
24
25
  }
25
26
  if (ctx.entrywayAgent) {
26
- await ctx.entrywayAgent.com.atproto.server.updateEmail(input.body, (0, proxy_1.authPassthru)(req, true));
27
+ (0, node_assert_1.default)(ctx.cfg.entryway);
28
+ await ctx.entrywayAgent.com.atproto.server.updateEmail(input.body, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerUpdateEmail));
27
29
  return;
28
30
  }
29
31
  // require valid token if account email is confirmed
@@ -1 +1 @@
1
- {"version":3,"file":"updateEmail.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":";;;;;AAAA,wEAAyC;AACzC,sDAA0D;AAG1D,0CAA6C;AAC7C,yEAAoF;AAEpF,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;QACpC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE;YACtC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YACnC,IAAI,CAAC,0BAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,iCAAmB,CAC3B,oEAAoE,CACrE,CAAA;YACH,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;aACzB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CACpD,KAAK,CAAC,IAAI,EACV,IAAA,oBAAY,EAAC,GAAG,EAAE,IAAI,CAAC,CACxB,CAAA;gBACD,OAAM;YACR,CAAC;YAED,oDAAoD;YACpD,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;gBAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,iCAAmB,CAC3B,6BAA6B,EAC7B,eAAe,CAChB,CAAA;gBACH,CAAC;gBACD,MAAM,GAAG,CAAC,cAAc,CAAC,qBAAqB,CAC5C,GAAG,EACH,cAAc,EACd,KAAK,CACN,CAAA;YACH,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAA;YACtD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,gCAAsB,EAAE,CAAC;oBAC1C,MAAM,IAAI,iCAAmB,CAC3B,qEAAqE,CACtE,CAAA;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,GAAG,CAAA;gBACX,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAtDD,4BAsDC"}
1
+ {"version":3,"file":"updateEmail.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,sDAA0D;AAC1D,wEAAyC;AAEzC,yEAAoF;AAGpF,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;QACpC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;YACjC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YACnC,IAAI,CAAC,0BAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,iCAAmB,CAC3B,oEAAoE,CACrE,CAAA;YACH,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;aACzB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CACpD,KAAK,CAAC,IAAI,EACV,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,2BAA2B,CAChC,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,oDAAoD;YACpD,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;gBAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,iCAAmB,CAC3B,6BAA6B,EAC7B,eAAe,CAChB,CAAA;gBACH,CAAC;gBACD,MAAM,GAAG,CAAC,cAAc,CAAC,qBAAqB,CAC5C,GAAG,EACH,cAAc,EACd,KAAK,CACN,CAAA;YACH,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAA;YACtD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,gCAAsB,EAAE,CAAC;oBAC1C,MAAM,IAAI,iCAAmB,CAC3B,qEAAqE,CACtE,CAAA;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,GAAG,CAAA;gBACX,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3DD,4BA2DC"}
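--- a/package/dist/api/proxy.js
+++ b/package/dist/api/proxy.js
@@ -21,7 +21,11 @@ function authPassthru(req, withEncoding) {
  // This is fine since app views are usually called using the requester's
  // credentials when "auth.credentials.type === 'access'", which is the only
  // case were DPoP is used.
- if (authorization.startsWith('DPoP ') || req.headers['dpop']) {
+ const [type] = authorization.split(' ', 1);
+ if (!type) {
+ throw new xrpc_server_1.InvalidRequestError('Invalid authorization header');
+ }
+ if (type.toLowerCase() === 'dpop' || req.headers['dpop']) {
  throw new xrpc_server_1.InvalidRequestError('DPoP requests cannot be proxied');
  }
  return {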
1
- {"version":3,"file":"proxy.js","sourceRoot":"","sources":["../../src/api/proxy.ts"],"names":[],"mappings":";;;AACA,sDAA0D;AAGnD,MAAM,cAAc,GAAG,CAAI,MAAqC,EAAE,EAAE;IACzE,sEAAsE;IACtE,OAAO;QACL,QAAQ,EAAE,kBAA2B;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAA;AACH,CAAC,CAAA;AANY,QAAA,cAAc,kBAM1B;AAgBD,SAAgB,YAAY,CAAC,GAAoB,EAAE,YAAsB;IACvE,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,OAAO,CAAA;IAErC,IAAI,aAAa,EAAE,CAAC;QAClB,4EAA4E;QAC5E,qEAAqE;QACrE,oEAAoE;QACpE,qEAAqE;QACrE,qBAAqB;QAErB,wEAAwE;QACxE,2EAA2E;QAC3E,0BAA0B;QAC1B,IAAI,aAAa,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7D,MAAM,IAAI,iCAAmB,CAAC,iCAAiC,CAAC,CAAA;QAClE,CAAC;QAED,OAAO;YACL,OAAO,EAAE,EAAE,aAAa,EAAE;YAC1B,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS;SACxD,CAAA;IACH,CAAC;AACH,CAAC;AAtBD,oCAsBC"}
1
+ {"version":3,"file":"proxy.js","sourceRoot":"","sources":["../../src/api/proxy.ts"],"names":[],"mappings":";;;AACA,sDAA0D;AAGnD,MAAM,cAAc,GAAG,CAAI,MAAqC,EAAE,EAAE;IACzE,sEAAsE;IACtE,OAAO;QACL,QAAQ,EAAE,kBAA2B;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAA;AACH,CAAC,CAAA;AANY,QAAA,cAAc,kBAM1B;AAgBD,SAAgB,YAAY,CAAC,GAAoB,EAAE,YAAsB;IACvE,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,OAAO,CAAA;IAErC,IAAI,aAAa,EAAE,CAAC;QAClB,4EAA4E;QAC5E,qEAAqE;QACrE,oEAAoE;QACpE,qEAAqE;QACrE,qBAAqB;QAErB,wEAAwE;QACxE,2EAA2E;QAC3E,0BAA0B;QAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,iCAAmB,CAAC,8BAA8B,CAAC,CAAA;QAC/D,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,iCAAmB,CAAC,iCAAiC,CAAC,CAAA;QAClE,CAAC;QAED,OAAO;YACL,OAAO,EAAE,EAAE,aAAa,EAAE;YAC1B,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS;SACxD,CAAA;IACH,CAAC;AACH,CAAC;AA1BD,oCA0BC"}
@@ -1 +1 @@
1
- {"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAEhC,OAAO,UAAU,MAAM,WAAW,CAAA;AAElC,eAAO,MAAM,YAAY,0BAA2B,UAAU,KAAG,MAqBhE,CAAA"}
1
+ {"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAEhC,OAAO,UAAU,MAAM,WAAW,CAAA;AAElC,eAAO,MAAM,YAAY,0BAA2B,UAAU,KAAG,MAuBhE,CAAA"}
@@ -9,10 +9,12 @@ const createRouter = ({ authProvider, cfg }) => {
9
9
  resource: cfg.service.publicUrl,
10
10
  authorization_servers: [cfg.entryway?.url ?? cfg.service.publicUrl],
11
11
  bearer_methods_supported: ['header'],
12
- scopes_supported: ['profile', 'email', 'phone'],
12
+ scopes_supported: [],
13
13
  resource_documentation: 'https://atproto.com',
14
14
  });
15
15
  router.get('/.well-known/oauth-protected-resource', (req, res) => {
16
+ res.setHeader('Access-Control-Allow-Origin', '*');
17
+ res.setHeader('Access-Control-Allow-Method', '*');
16
18
  res.status(200).json(oauthProtectedResourceMetadata);
17
19
  });
18
20
  if (authProvider) {
@@ -1 +1 @@
1
- {"version":3,"file":"auth-routes.js","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":";;;AAAA,4DAA8E;AAC9E,qCAAgC;AAIzB,MAAM,YAAY,GAAG,CAAC,EAAE,YAAY,EAAE,GAAG,EAAc,EAAU,EAAE;IACxE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAA;IAEvB,MAAM,8BAA8B,GAClC,qDAAoC,CAAC,KAAK,CAAC;QACzC,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS;QAC/B,qBAAqB,EAAE,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC;QACnE,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,gBAAgB,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC;QAC/C,sBAAsB,EAAE,qBAAqB;KAC9C,CAAC,CAAA;IAEJ,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAA;IACtD,CAAC,CAAC,CAAA;IAEF,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC,CAAA;IACzC,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AArBY,QAAA,YAAY,gBAqBxB"}
1
+ {"version":3,"file":"auth-routes.js","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":";;;AAAA,4DAA8E;AAC9E,qCAAgC;AAIzB,MAAM,YAAY,GAAG,CAAC,EAAE,YAAY,EAAE,GAAG,EAAc,EAAU,EAAE;IACxE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAA;IAEvB,MAAM,8BAA8B,GAClC,qDAAoC,CAAC,KAAK,CAAC;QACzC,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS;QAC/B,qBAAqB,EAAE,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC;QACnE,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,gBAAgB,EAAE,EAAE;QACpB,sBAAsB,EAAE,qBAAqB;KAC9C,CAAC,CAAA;IAEJ,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/D,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;QACjD,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;QACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAA;IACtD,CAAC,CAAC,CAAA;IAEF,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC,CAAA;IACzC,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAvBY,QAAA,YAAY,gBAuBxB"}
@@ -107,8 +107,8 @@ export declare class AuthVerifier {
107
107
  modService: (ctx: ReqCtx) => Promise<ModServiceOutput>;
108
108
  moderator: (ctx: ReqCtx) => Promise<AdminTokenOutput | ModServiceOutput>;
109
109
  protected validateAdminToken({ req, }: ReqCtx): Promise<AdminTokenOutput>;
110
- protected validateRefreshToken(ctx: ReqCtx, verifyOptions?: Omit<jose.JWTVerifyOptions, 'audience'>): Promise<ValidatedRefreshBearer>;
111
- protected validateBearerToken(ctx: ReqCtx, scopes: AuthScope[], verifyOptions?: jose.JWTVerifyOptions): Promise<ValidatedBearer>;
110
+ protected validateRefreshToken(ctx: ReqCtx, verifyOptions?: Omit<jose.JWTVerifyOptions, 'audience' | 'typ'>): Promise<ValidatedRefreshBearer>;
111
+ protected validateBearerToken(ctx: ReqCtx, scopes: AuthScope[], verifyOptions: jose.JWTVerifyOptions & Required<Pick<jose.JWTVerifyOptions, 'audience' | 'typ'>>): Promise<ValidatedBearer>;
112
112
  protected validateAccessToken(ctx: ReqCtx, scopes: AuthScope[], { checkTakedown, checkDeactivated, }?: {
113
113
  checkTakedown?: boolean;
114
114
  checkDeactivated?: boolean;
@@ -1 +1 @@
1
- {"version":3,"file":"auth-verifier.d.ts","sourceRoot":"","sources":["../src/auth-verifier.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,SAAS,EAAoC,MAAM,aAAa,CAAA;AAIzE,OAAO,EAAE,UAAU,EAA0B,MAAM,mBAAmB,CAAA;AACtE,OAAO,EAEL,aAAa,EAEd,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAEL,mBAAmB,EAGnB,yBAAyB,EAI1B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAGlD,KAAK,MAAM,GAAG,mBAAmB,GAAG,yBAAyB,CAAA;AAG7D,oBAAY,SAAS;IACnB,MAAM,uBAAuB;IAC7B,OAAO,wBAAwB;IAC/B,OAAO,wBAAwB;IAC/B,iBAAiB,kCAAkC;IACnD,YAAY,6BAA6B;CAC1C;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,UAAU,EAAE,SAAS,EAAE,CAAA;IACvB,aAAa,EAAE,OAAO,CAAA;IACtB,gBAAgB,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED,oBAAY,UAAU;IACpB,KAAK,IAAA;IACL,OAAO,IAAA;IACP,OAAO,IAAA;CACR;AAED,KAAK,UAAU,GAAG;IAChB,WAAW,EAAE,IAAI,CAAA;CAClB,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;KACpB,CAAA;CACF,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;QACnB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,YAAY,GAAG;IAClB,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,YAAY,EAAE,OAAO,CAAA;KACtB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE;QACX,IAAI,EAAE,SAAS,CAAA;QACf,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,qBAAqB,GAAG;IAC3B,WAAW,EAAE;QACX,IAAI,EAAE,mBAAmB,CAAA;QACzB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,eAAe,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,SAAS,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,IAAI,CAAC,UAAU,CAAA;IACxB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC7B,CAAA;AAED,KAAK,sBAAsB,GAAG,eAAe,GAAG;IAC9C,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,SAAS,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE;QACJ,GAAG,EAAE,MAAM,CAAA;QACX,QAAQ,CAAC,EAAE,
MAAM,CAAA;QACjB,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;CACF,CAAA;AAED,qBAAa,YAAY;IAOd,cAAc,EAAE,cAAc;IAC9B,UAAU,EAAE,UAAU;IACtB,aAAa,EAAE,aAAa;IARrC,OAAO,CAAC,UAAU,CAAQ;IAC1B,OAAO,CAAC,OAAO,CAAW;IAC1B,OAAO,CAAC,UAAU,CAAQ;IACnB,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAA;gBAG5B,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,aAAa,EACnC,IAAI,EAAE,gBAAgB;IAUxB,cAAc,UACL,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAWnC;IAEH,UAAU,UACD,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,gBAAgB,UACP,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,OAAO,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAcpD;IAED,cAAc,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAc3D;IAED,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAG1D;IAED,0BAA0B,QACnB,MAAM,KACV,QAAQ,YAAY,GAAG,gBAAgB,GAAG,UAAU,CAAC,CAQvD;IAED,eAAe,QAAe,MAAM,KAAG,QAAQ,qBAAqB,CAAC,CAqBpE;IAED,uBAAuB,QAChB,MAAM,KACV,QAAQ,qBAAqB,GAAG,UAAU,CAAC,CAM7C;IAED,uBAAuB,UACd,QAAQ,UAAU,CAAC,WACd,MAAM,KAAG,QAAQ,qBAAqB,GAAG,YAAY,CAAC,CASjE;IAEH,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAwB1D;IAED,SAAS,QACF,MAAM,KACV,QAAQ,gBAAgB,GAAG,gBAAgB,CAAC,CAM9C;cAEe,kBAAkB,CAAC,EACjC,GAAG,GACJ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;cAarB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,aAAa,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,CAAC,GACtD,OAAO,CAAC,sBAAsB,CAAC;cAgBlB,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,aAAa,CAAC,EAAE,IAAI,CAAC,gBAAgB,GACpC,OAAO,CAAC,eAAe,CAAC;cA+CX,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,EACE,aAAqB,EACrB,gBAAwB,GACzB,GAAE;QAAE,aAAa,CAAC,EAAE,OAAO,CAAC;QAAC,gBAAgB,CAAC,EAAE,OAAO,CAAA;KAAO,GAC9D,OAAO,CAAC,YAAY,CAAC;cAqDR,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cAgER,yBAAyB,CACvC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cAsBR,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;KAAE;;;;IA2CpD,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU;IAOvC,aAAa,CACX,IAAI,EAAE,YAAY,GAAG,gBAAgB,GAAG,UAAU,EAClD,GAAG,EAAE,MAAM
,GACV,OAAO;cAUM,SAAS,CACvB,KAAK,EAAE,MAAM,EACb,aAAa,CAAC,EAAE,IAAI,CAAC,gBAAgB;IAevC,SAAS,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM;CAOrC;AAKD,aAAK,QAAQ;IACX,KAAK,UAAU;IACf,MAAM,WAAW;IACjB,IAAI,SAAS;CACd;AAED,eAAO,MAAM,wBAAwB,mBACnB,MAAM,KACrB,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAqB/C,CAAA;AAsBD,eAAO,MAAM,cAAc,yBACH,MAAM,KAC3B;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAc3C,CAAA;AAOD,eAAO,MAAM,qBAAqB,WAAY,MAAM,KAAG,SAEtD,CAAA;AAED,eAAO,MAAM,qBAAqB,iBAAkB,MAAM,KAAG,SAG5D,CAAA"}
1
+ {"version":3,"file":"auth-verifier.d.ts","sourceRoot":"","sources":["../src/auth-verifier.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,SAAS,EAAoC,MAAM,aAAa,CAAA;AAIzE,OAAO,EAAE,UAAU,EAA0B,MAAM,mBAAmB,CAAA;AACtE,OAAO,EAEL,aAAa,EAEd,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAEL,mBAAmB,EAGnB,yBAAyB,EAI1B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAGlD,KAAK,MAAM,GAAG,mBAAmB,GAAG,yBAAyB,CAAA;AAG7D,oBAAY,SAAS;IACnB,MAAM,uBAAuB;IAC7B,OAAO,wBAAwB;IAC/B,OAAO,wBAAwB;IAC/B,iBAAiB,kCAAkC;IACnD,YAAY,6BAA6B;CAC1C;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,UAAU,EAAE,SAAS,EAAE,CAAA;IACvB,aAAa,EAAE,OAAO,CAAA;IACtB,gBAAgB,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED,oBAAY,UAAU;IACpB,KAAK,IAAA;IACL,OAAO,IAAA;IACP,OAAO,IAAA;CACR;AAED,KAAK,UAAU,GAAG;IAChB,WAAW,EAAE,IAAI,CAAA;CAClB,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;KACpB,CAAA;CACF,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;QACnB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,YAAY,GAAG;IAClB,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,YAAY,EAAE,OAAO,CAAA;KACtB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE;QACX,IAAI,EAAE,SAAS,CAAA;QACf,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,qBAAqB,GAAG;IAC3B,WAAW,EAAE;QACX,IAAI,EAAE,mBAAmB,CAAA;QACzB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,eAAe,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,SAAS,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,IAAI,CAAC,UAAU,CAAA;IACxB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC7B,CAAA;AAED,KAAK,sBAAsB,GAAG,eAAe,GAAG;IAC9C,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,SAAS,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE;QACJ,GAAG,EAAE,MAAM,CAAA;QACX,QAAQ,CAAC,EAAE,
MAAM,CAAA;QACjB,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;CACF,CAAA;AAED,qBAAa,YAAY;IAOd,cAAc,EAAE,cAAc;IAC9B,UAAU,EAAE,UAAU;IACtB,aAAa,EAAE,aAAa;IARrC,OAAO,CAAC,UAAU,CAAQ;IAC1B,OAAO,CAAC,OAAO,CAAW;IAC1B,OAAO,CAAC,UAAU,CAAQ;IACnB,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAA;gBAG5B,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,aAAa,EACnC,IAAI,EAAE,gBAAgB;IAUxB,cAAc,UACL,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAWnC;IAEH,UAAU,UACD,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,gBAAgB,UACP,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,OAAO,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAcpD;IAED,cAAc,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAc3D;IAED,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAG1D;IAED,0BAA0B,QACnB,MAAM,KACV,QAAQ,YAAY,GAAG,gBAAgB,GAAG,UAAU,CAAC,CAQvD;IAED,eAAe,QAAe,MAAM,KAAG,QAAQ,qBAAqB,CAAC,CAqBpE;IAED,uBAAuB,QAChB,MAAM,KACV,QAAQ,qBAAqB,GAAG,UAAU,CAAC,CAM7C;IAED,uBAAuB,UACd,QAAQ,UAAU,CAAC,WACd,MAAM,KAAG,QAAQ,qBAAqB,GAAG,YAAY,CAAC,CASjE;IAEH,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAwB1D;IAED,SAAS,QACF,MAAM,KACV,QAAQ,gBAAgB,GAAG,gBAAgB,CAAC,CAM9C;cAEe,kBAAkB,CAAC,EACjC,GAAG,GACJ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;cAarB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,aAAa,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,GAAG,KAAK,CAAC,GAC9D,OAAO,CAAC,sBAAsB,CAAC;cAiBlB,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,aAAa,EAAE,IAAI,CAAC,gBAAgB,GAClC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,GAAG,KAAK,CAAC,CAAC,GAC1D,OAAO,CAAC,eAAe,CAAC;cA2DX,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,EACE,aAAqB,EACrB,gBAAwB,GACzB,GAAE;QAAE,aAAa,CAAC,EAAE,OAAO,CAAC;QAAC,gBAAgB,CAAC,EAAE,OAAO,CAAA;KAAO,GAC9D,OAAO,CAAC,YAAY,CAAC;cAqDR,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cA4FR,yBAAyB,CACvC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cAsBR,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;KAAE;;;;IA2CpD,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,
UAAU;IAOvC,aAAa,CACX,IAAI,EAAE,YAAY,GAAG,gBAAgB,GAAG,UAAU,EAClD,GAAG,EAAE,MAAM,GACV,OAAO;cAUM,SAAS,CACvB,KAAK,EAAE,MAAM,EACb,aAAa,CAAC,EAAE,IAAI,CAAC,gBAAgB;IAevC,SAAS,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM;CAOrC;AAKD,aAAK,QAAQ;IACX,KAAK,UAAU;IACf,MAAM,WAAW;IACjB,IAAI,SAAS;CACd;AAED,eAAO,MAAM,wBAAwB,mBACnB,MAAM,KACrB,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAqB/C,CAAA;AAsBD,eAAO,MAAM,cAAc,yBACH,MAAM,KAC3B;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAc3C,CAAA;AAOD,eAAO,MAAM,qBAAqB,WAAY,MAAM,KAAG,SAEtD,CAAA;AAED,eAAO,MAAM,qBAAqB,iBAAkB,MAAM,KAAG,SAG5D,CAAA"}
@@ -296,6 +296,7 @@ class AuthVerifier {
296
296
  async validateRefreshToken(ctx, verifyOptions) {
297
297
  const result = await this.validateBearerToken(ctx, [AuthScope.Refresh], {
298
298
  ...verifyOptions,
299
+ typ: 'refresh+jwt',
299
300
  // when using entryway, proxying refresh credentials
300
301
  audience: this.dids.entryway ? this.dids.entryway : this.dids.pds,
301
302
  });
@@ -311,13 +312,25 @@ class AuthVerifier {
311
312
  if (!token) {
312
313
  throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
313
314
  }
314
- const { payload, protectedHeader } = await this.jwtVerify(token, verifyOptions);
315
- if (protectedHeader.typ === 'dpop+jwt') {
316
- // @TODO we should make sure that bearer access tokens do have their "typ"
317
- // claim, and allow list the possible value(s) here (typically "at+jwt"),
318
- // instead of using a deny list. This would be more secure & future proof
319
- // against new token types that would be introduced in the future
320
- throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
315
+ const { payload, protectedHeader } = await this.jwtVerify(token,
316
+ // @TODO: Once all access & refresh tokens have a "typ" claim (i.e. 90
317
+ // days after this code was deployed), replace the following line with
318
+ // "verifyOptions," (to re-enable the verification of the "typ" property
319
+ // from verifyJwt()). Once the change is made, the "if" block below that
320
+ // checks for "typ" can be removed.
321
+ {
322
+ ...verifyOptions,
323
+ typ: undefined,
324
+ });
325
+ // @TODO: remove the next check once all access & refresh tokens have "typ"
326
+ // Note: when removing the check, make sure that the "verifyOptions"
327
+ // contains the "typ" property, so that the token is verified correctly by
328
+ // this.verifyJwt()
329
+ if (protectedHeader.typ && verifyOptions.typ !== protectedHeader.typ) {
330
+ // Temporarily allow historical tokens without "typ" to pass through. See:
331
+ // createAccessToken() and createRefreshToken() in
332
+ // src/account-manager/helpers/auth.ts
333
+ throw new xrpc_server_1.InvalidRequestError('Invalid token type', 'InvalidToken');
321
334
  }
322
335
  const { sub, aud, scope } = payload;
323
336
  if (typeof sub !== 'string' || !sub.startsWith('did:')) {
@@ -327,8 +340,9 @@ class AuthVerifier {
327
340
  (typeof aud !== 'string' || !aud.startsWith('did:'))) {
328
341
  throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
329
342
  }
330
- if (payload.cnf?.jkt) {
331
- // DPoP bound tokens must not be usable as regular Bearer tokens
343
+ if (payload['cnf'] !== undefined) {
344
+ // Proof-of-Possession (PoP) tokens are not allowed here
345
+ // https://www.rfc-editor.org/rfc/rfc7800.html
332
346
  throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
333
347
  }
334
348
  if (!isAuthScope(scope) || (scopes.length > 0 && !scopes.includes(scope))) {
@@ -379,9 +393,6 @@ class AuthVerifier {
379
393
  return accessOutput;
380
394
  }
381
395
  async validateDpopAccessToken(ctx, scopes) {
382
- if (!scopes.includes(AuthScope.Access)) {
383
- throw new xrpc_server_1.InvalidRequestError('DPoP access token cannot be used for this request', 'InvalidToken');
384
- }
385
396
  this.setAuthHeaders(ctx);
386
397
  const { req } = ctx;
387
398
  const res = 'res' in ctx ? ctx.res : null;
@@ -401,13 +412,33 @@ class AuthVerifier {
401
412
  if (typeof sub !== 'string' || !sub.startsWith('did:')) {
402
413
  throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
403
414
  }
415
+ const tokenScopes = new Set(result.claims.scope?.split(' '));
416
+ if (!tokenScopes.has('transition:generic')) {
417
+ throw new xrpc_server_1.AuthRequiredError('Missing required scope: transition:generic', 'InvalidToken');
418
+ }
419
+ const scopeEquivalent = tokenScopes.has('transition:chat.bsky')
420
+ ? AuthScope.AppPassPrivileged
421
+ : AuthScope.AppPass;
422
+ if (!scopes.includes(scopeEquivalent)) {
423
+ // AppPassPrivileged is sufficient but was not provided "transition:chat.bsky"
424
+ if (scopes.includes(AuthScope.AppPassPrivileged)) {
425
+ throw new xrpc_server_1.InvalidRequestError('Missing required scope: transition:chat.bsky', 'InvalidToken');
426
+ }
427
+ // AuthScope.Access and AuthScope.SignupQueued do not have an OAuth
428
+ // scope equivalent.
429
+ throw new xrpc_server_1.InvalidRequestError('DPoP access token cannot be used for this request', 'InvalidToken');
430
+ }
431
+ const isPrivileged = [
432
+ AuthScope.Access,
433
+ AuthScope.AppPassPrivileged,
434
+ ].includes(scopeEquivalent);
404
435
  return {
405
436
  credentials: {
406
437
  type: 'access',
407
438
  did: result.claims.sub,
408
- scope: AuthScope.Access,
439
+ scope: scopeEquivalent,
409
440
  audience: this.dids.pds,
410
- isPrivileged: true,
441
+ isPrivileged,
411
442
  },
412
443
  artifacts: result.token,
413
444
  };
@@ -426,7 +457,7 @@ class AuthVerifier {
426
457
  }
427
458
  }
428
459
  async validateBearerAccessToken(ctx, scopes) {
429
- const { did, scope, token, audience } = await this.validateBearerToken(ctx, scopes, { audience: this.dids.pds });
460
+ const { did, scope, token, audience } = await this.validateBearerToken(ctx, scopes, { audience: this.dids.pds, typ: 'at+jwt' });
430
461
  const isPrivileged = [
431
462
  AuthScope.Access,
432
463
  AuthScope.AppPassPrivileged,
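Review bot: In `validateBearerToken` (hunk `@@ -311,13 +312,25 @@`) the new check `if (protectedHeader.typ && verifyOptions.typ !== protectedHeader.typ)` is skipped whenever the header carries no `typ`, and passing `typ: undefined` turns off the check inside `jwtVerify`, so for typ-less tokens the separation between access and refresh tokens rests only on the `scope` test further down. The removal condition exists only as a comment ("90 days after this code was deployed") with no date or tracking reference; I would make it enforceable, e.g. `// TODO(<owner>): enforce "typ" after <YYYY-MM-DD>`, and add a log line or counter on the typ-less path so the cut-over can be confirmed from data. The comparison here is an exact string match, while the planned follow-up hands `typ` to `jwtVerify`, so it is worth confirming both accept the same spellings before switching. The function starts and ends outside the hunk.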