@atproto/pds 0.4.53 → 0.4.55

package/dist/api/com/atproto/server/getServiceAuth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"getServiceAuth.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAoDvD"}
+{"version":3,"file":"getServiceAuth.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAyDvD"}

package/dist/api/com/atproto/server/getServiceAuth.js

@@ -22,10 +22,13 @@ function default_1(server, ctx) {
                     throw new xrpc_server_1.InvalidRequestError('cannot request a method-less token with an expiration more than a minute in the future', 'BadExpiration');
                 }
             }
-            if (!auth.credentials.isPrivileged &&
-                lxm &&
-                pipethrough_1.PRIVILEGED_METHODS.has(lxm)) {
-                throw new xrpc_server_1.InvalidRequestError(`cannot request a service auth token for the following method with an app password: ${lxm}`);
+            if (lxm) {
+                if (pipethrough_1.PROTECTED_METHODS.has(lxm)) {
+                    throw new xrpc_server_1.InvalidRequestError(`cannot request a service auth token for the following protected method: ${lxm}`);
+                }
+                if (!auth.credentials.isPrivileged && pipethrough_1.PRIVILEGED_METHODS.has(lxm)) {
+                    throw new xrpc_server_1.InvalidRequestError(`insufficient access to request a service auth token for the following method: ${lxm}`);
+                }
             }
             const keypair = await ctx.actorStore.keypair(did);
             const token = await (0, xrpc_server_1.createServiceJwt)({

package/dist/api/com/atproto/server/getServiceAuth.js.map

@@ -1 +1 @@
-{"version":3,"file":"getServiceAuth.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":";;AAAA,sDAA4E;AAC5E,4CAA8C;AAG9C,yDAA4D;AAE5D,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC;QACvC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,EAAE,GAAG,MAAM,CAAA;YAClC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAA;YACtD,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,IAAI,GAAG,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;gBAC7B,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;oBACb,MAAM,IAAI,iCAAmB,CAC3B,uBAAuB,EACvB,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,IAAI,GAAG,aAAI,EAAE,CAAC;oBACvB,MAAM,IAAI,iCAAmB,CAC3B,2EAA2E,EAC3E,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,CAAC,GAAG,IAAI,IAAI,GAAG,eAAM,EAAE,CAAC;oBACjC,MAAM,IAAI,iCAAmB,CAC3B,wFAAwF,EACxF,eAAe,CAChB,CAAA;gBACH,CAAC;YACH,CAAC;YACD,IACE,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC9B,GAAG;gBACH,gCAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,EAC3B,CAAC;gBACD,MAAM,IAAI,iCAAmB,CAC3B,sFAAsF,GAAG,EAAE,CAC5F,CAAA;YACH,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAEjD,MAAM,KAAK,GAAG,MAAM,IAAA,8BAAgB,EAAC;gBACnC,GAAG,EAAE,GAAG;gBACR,GAAG;gBACH,GAAG;gBACH,GAAG;gBACH,OAAO;aACR,CAAC,CAAA;YACF,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,KAAK;iBACN;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AApDD,4BAoDC"}
+{"version":3,"file":"getServiceAuth.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/getServiceAuth.ts"],"names":[],"mappings":";;AAAA,sDAA4E;AAC5E,4CAA8C;AAG9C,yDAA+E;AAE/E,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC;QACvC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,EAAE,GAAG,MAAM,CAAA;YAClC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAA;YACtD,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,IAAI,GAAG,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;gBAC7B,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;oBACb,MAAM,IAAI,iCAAmB,CAC3B,uBAAuB,EACvB,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,IAAI,GAAG,aAAI,EAAE,CAAC;oBACvB,MAAM,IAAI,iCAAmB,CAC3B,2EAA2E,EAC3E,eAAe,CAChB,CAAA;gBACH,CAAC;qBAAM,IAAI,CAAC,GAAG,IAAI,IAAI,GAAG,eAAM,EAAE,CAAC;oBACjC,MAAM,IAAI,iCAAmB,CAC3B,wFAAwF,EACxF,eAAe,CAChB,CAAA;gBACH,CAAC;YACH,CAAC;YAED,IAAI,GAAG,EAAE,CAAC;gBACR,IAAI,+BAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/B,MAAM,IAAI,iCAAmB,CAC3B,2EAA2E,GAAG,EAAE,CACjF,CAAA;gBACH,CAAC;gBACD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY,IAAI,gCAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBAClE,MAAM,IAAI,iCAAmB,CAC3B,iFAAiF,GAAG,EAAE,CACvF,CAAA;gBACH,CAAC;YACH,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAEjD,MAAM,KAAK,GAAG,MAAM,IAAA,8BAAgB,EAAC;gBACnC,GAAG,EAAE,GAAG;gBACR,GAAG;gBACH,GAAG;gBACH,GAAG;gBACH,OAAO;aACR,CAAC,CAAA;YACF,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,KAAK;iBACN;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAzDD,4BAyDC"}

package/dist/api/com/atproto/server/listAppPasswords.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAsBvD"}
+{"version":3,"file":"listAppPasswords.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAI5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2BvD"}

package/dist/api/com/atproto/server/listAppPasswords.js

@@ -1,12 +1,18 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+const node_assert_1 = __importDefault(require("node:assert"));
+const lexicons_1 = require("../../../../lexicon/lexicons");
 const proxy_1 = require("../../../proxy");
 function default_1(server, ctx) {
     server.com.atproto.server.listAppPasswords({
         auth: ctx.authVerifier.accessStandard(),
-        handler: async ({ auth, req }) => {
+        handler: async ({ auth }) => {
             if (ctx.entrywayAgent) {
-                return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.listAppPasswords(undefined, (0, proxy_1.authPassthru)(req)));
+                (0, node_assert_1.default)(ctx.cfg.entryway);
+                return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.listAppPasswords(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerListAppPasswords)));
             }
             const passwords = await ctx.accountManager.listAppPasswords(auth.credentials.did);
             return {

package/dist/api/com/atproto/server/listAppPasswords.js.map

@@ -1 +1 @@
-{"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":";;AAEA,0CAA6D;AAE7D,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACzC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;YAC/B,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CACzD,SAAS,EACT,IAAA,oBAAY,EAAC,GAAG,CAAC,CAClB,CACF,CAAA;YACH,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACzD,IAAI,CAAC,WAAW,CAAC,GAAG,CACrB,CAAA;YACD,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE,EAAE,SAAS,EAAE;aACpB,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAtBD,4BAsBC"}
+{"version":3,"file":"listAppPasswords.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/listAppPasswords.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAIhC,2DAAkD;AAClD,0CAA+C;AAE/C,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACzC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CACzD,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,gCAAgC,CACrC,CACF,CACF,CAAA;YACH,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACzD,IAAI,CAAC,WAAW,CAAC,GAAG,CACrB,CAAA;YACD,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE,EAAE,SAAS,EAAE;aACpB,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3BD,4BA2BC"}

package/dist/api/com/atproto/server/requestAccountDelete.d.ts

@@ -1,4 +1,4 @@
-import { Server } from '../../../../lexicon';
 import AppContext from '../../../../context';
+import { Server } from '../../../../lexicon';
 export default function (server: Server, ctx: AppContext): void;
 //# sourceMappingURL=requestAccountDelete.d.ts.map

package/dist/api/com/atproto/server/requestAccountDelete.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"requestAccountDelete.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2CvD"}
+{"version":3,"file":"requestAccountDelete.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":"AAKA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAgDvD"}

package/dist/api/com/atproto/server/requestAccountDelete.js

@@ -1,8 +1,12 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+const node_assert_1 = __importDefault(require("node:assert"));
 const common_1 = require("@atproto/common");
 const xrpc_server_1 = require("@atproto/xrpc-server");
-const proxy_1 = require("../../../proxy");
+const lexicons_1 = require("../../../../lexicon/lexicons");
 function default_1(server, ctx) {
     server.com.atproto.server.requestAccountDelete({
         rateLimit: [
@@ -18,7 +22,7 @@ function default_1(server, ctx) {
             },
         ],
         auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
-        handler: async ({ auth, req }) => {
+        handler: async ({ auth }) => {
             const did = auth.credentials.did;
             const account = await ctx.accountManager.getAccount(did, {
                 includeDeactivated: true,
@@ -28,7 +32,8 @@ function default_1(server, ctx) {
                 throw new xrpc_server_1.InvalidRequestError('account not found');
             }
             if (ctx.entrywayAgent) {
-                await ctx.entrywayAgent.com.atproto.server.requestAccountDelete(undefined, (0, proxy_1.authPassthru)(req));
+                (0, node_assert_1.default)(ctx.cfg.entryway);
+                await ctx.entrywayAgent.com.atproto.server.requestAccountDelete(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRequestAccountDelete));
                 return;
             }
             if (!account.email) {

package/dist/api/com/atproto/server/requestAccountDelete.js.map

@@ -1 +1 @@
-{"version":3,"file":"requestAccountDelete.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":";;AAAA,4CAA2C;AAC3C,sDAA0D;AAG1D,0CAA6C;AAE7C,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC;QAC7C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;YAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAC7D,SAAS,EACT,IAAA,oBAAY,EAAC,GAAG,CAAC,CAClB,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,gBAAgB,CACjB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACtE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3CD,4BA2CC"}
+{"version":3,"file":"requestAccountDelete.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestAccountDelete.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,4CAA2C;AAC3C,sDAA0D;AAI1D,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC;QAC7C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAC7D,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,oCAAoC,CACzC,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,gBAAgB,CACjB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACtE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAhDD,4BAgDC"}

package/dist/api/com/atproto/server/requestEmailConfirmation.d.ts

@@ -1,4 +1,4 @@
-import { Server } from '../../../../lexicon';
 import AppContext from '../../../../context';
+import { Server } from '../../../../lexicon';
 export default function (server: Server, ctx: AppContext): void;
 //# sourceMappingURL=requestEmailConfirmation.d.ts.map

package/dist/api/com/atproto/server/requestEmailConfirmation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"requestEmailConfirmation.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2CvD"}
+{"version":3,"file":"requestEmailConfirmation.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":"AAKA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAgDvD"}

package/dist/api/com/atproto/server/requestEmailConfirmation.js

@@ -1,8 +1,12 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+const node_assert_1 = __importDefault(require("node:assert"));
 const common_1 = require("@atproto/common");
 const xrpc_server_1 = require("@atproto/xrpc-server");
-const proxy_1 = require("../../../proxy");
+const lexicons_1 = require("../../../../lexicon/lexicons");
 function default_1(server, ctx) {
     server.com.atproto.server.requestEmailConfirmation({
         rateLimit: [
@@ -18,7 +22,7 @@ function default_1(server, ctx) {
             },
         ],
         auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
-        handler: async ({ auth, req }) => {
+        handler: async ({ auth }) => {
             const did = auth.credentials.did;
             const account = await ctx.accountManager.getAccount(did, {
                 includeDeactivated: true,
@@ -28,7 +32,8 @@ function default_1(server, ctx) {
                 throw new xrpc_server_1.InvalidRequestError('account not found');
             }
             if (ctx.entrywayAgent) {
-                await ctx.entrywayAgent.com.atproto.server.requestEmailConfirmation(undefined, (0, proxy_1.authPassthru)(req));
+                (0, node_assert_1.default)(ctx.cfg.entryway);
+                await ctx.entrywayAgent.com.atproto.server.requestEmailConfirmation(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRequestEmailConfirmation));
                 return;
             }
             if (!account.email) {

package/dist/api/com/atproto/server/requestEmailConfirmation.js.map

@@ -1 +1 @@
-{"version":3,"file":"requestEmailConfirmation.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":";;AAAA,4CAA2C;AAC3C,sDAA0D;AAG1D,0CAA6C;AAE7C,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CAAC;QACjD,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;YAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CACjE,SAAS,EACT,IAAA,oBAAY,EAAC,GAAG,CAAC,CAClB,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,eAAe,CAChB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACrE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3CD,4BA2CC"}
+{"version":3,"file":"requestEmailConfirmation.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailConfirmation.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,4CAA2C;AAC3C,sDAA0D;AAI1D,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CAAC;QACjD,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,wBAAwB,CACjE,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,wCAAwC,CAC7C,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,eAAe,CAChB,CAAA;YACD,MAAM,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;QACrE,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAhDD,4BAgDC"}

package/dist/api/com/atproto/server/requestEmailUpdate.d.ts

@@ -1,4 +1,4 @@
-import { Server } from '../../../../lexicon';
 import AppContext from '../../../../context';
+import { Server } from '../../../../lexicon';
 export default function (server: Server, ctx: AppContext): void;
 //# sourceMappingURL=requestEmailUpdate.d.ts.map

package/dist/api/com/atproto/server/requestEmailUpdate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"requestEmailUpdate.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAuDvD"}
+{"version":3,"file":"requestEmailUpdate.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":"AAKA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAI5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA4DvD"}

package/dist/api/com/atproto/server/requestEmailUpdate.js

@@ -1,8 +1,13 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+const node_assert_1 = __importDefault(require("node:assert"));
 const common_1 = require("@atproto/common");
 const xrpc_server_1 = require("@atproto/xrpc-server");
 const proxy_1 = require("../../../proxy");
+const lexicons_1 = require("../../../../lexicon/lexicons");
 function default_1(server, ctx) {
     server.com.atproto.server.requestEmailUpdate({
         rateLimit: [
@@ -18,7 +23,7 @@ function default_1(server, ctx) {
             },
         ],
         auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
-        handler: async ({ auth, req }) => {
+        handler: async ({ auth }) => {
             const did = auth.credentials.did;
             const account = await ctx.accountManager.getAccount(did, {
                 includeDeactivated: true,
@@ -28,7 +33,8 @@ function default_1(server, ctx) {
                 throw new xrpc_server_1.InvalidRequestError('account not found');
             }
             if (ctx.entrywayAgent) {
-                return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.requestEmailUpdate(undefined, (0, proxy_1.authPassthru)(req)));
+                (0, node_assert_1.default)(ctx.cfg.entryway);
+                return (0, proxy_1.resultPassthru)(await ctx.entrywayAgent.com.atproto.server.requestEmailUpdate(undefined, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRequestEmailUpdate)));
             }
             if (!account.email) {
                 throw new xrpc_server_1.InvalidRequestError('account does not have an email address');

package/dist/api/com/atproto/server/requestEmailUpdate.js.map

@@ -1 +1 @@
-{"version":3,"file":"requestEmailUpdate.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":";;AAAA,4CAA2C;AAC3C,sDAA0D;AAG1D,0CAA6D;AAE7D,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC;QAC3C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE;YAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAC3D,SAAS,EACT,IAAA,oBAAY,EAAC,GAAG,CAAC,CAClB,CACF,CAAA;YACH,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YAED,MAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAA;YAChD,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,cAAc,CACf,CAAA;gBACD,MAAM,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;YACpE,CAAC;YAED,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,aAAa;iBACd;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAvDD,4BAuDC"}
+{"version":3,"file":"requestEmailUpdate.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/requestEmailUpdate.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,4CAA2C;AAC3C,sDAA0D;AAI1D,0CAA+C;AAC/C,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC;QAC3C,SAAS,EAAE;YACT;gBACE,UAAU,EAAE,YAAG;gBACf,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;YACD;gBACE,UAAU,EAAE,aAAI;gBAChB,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG;aAC5C;SACF;QACD,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;gBACxB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,OAAO,IAAA,sBAAc,EACnB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAC3D,SAAS,EACT,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,kCAAkC,CACvC,CACF,CACF,CAAA;YACH,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,iCAAmB,CAAC,wCAAwC,CAAC,CAAA;YACzE,CAAC;YAED,MAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAA;YAChD,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,gBAAgB,CACrD,GAAG,EACH,cAAc,CACf,CAAA;gBACD,MAAM,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAA;YACpE,CAAC;YAED,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,IAAI,EAAE;oBACJ,aAAa;iBACd;aACF,CAAA;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA5DD,4BA4DC"}

package/dist/api/com/atproto/server/revokeAppPassword.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"revokeAppPassword.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAkBvD"}
+{"version":3,"file":"revokeAppPassword.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":"AAEA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAuBvD"}

package/dist/api/com/atproto/server/revokeAppPassword.js

@@ -1,12 +1,17 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-const proxy_1 = require("../../../proxy");
+const node_assert_1 = __importDefault(require("node:assert"));
+const lexicons_1 = require("../../../../lexicon/lexicons");
 function default_1(server, ctx) {
     server.com.atproto.server.revokeAppPassword({
         auth: ctx.authVerifier.accessStandard(),
-        handler: async ({ auth, input, req }) => {
+        handler: async ({ auth, input }) => {
             if (ctx.entrywayAgent) {
-                await ctx.entrywayAgent.com.atproto.server.revokeAppPassword(input.body, (0, proxy_1.authPassthru)(req, true));
+                (0, node_assert_1.default)(ctx.cfg.entryway);
+                await ctx.entrywayAgent.com.atproto.server.revokeAppPassword(input.body, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerRevokeAppPassword));
                 return;
             }
             const requester = auth.credentials.did;

package/dist/api/com/atproto/server/revokeAppPassword.js.map

@@ -1 +1 @@
-{"version":3,"file":"revokeAppPassword.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":";;AAEA,0CAA6C;AAE7C,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC;QAC1C,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE;YACtC,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAC1D,KAAK,CAAC,IAAI,EACV,IAAA,oBAAY,EAAC,GAAG,EAAE,IAAI,CAAC,CACxB,CAAA;gBACD,OAAM;YACR,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YACtC,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YAE3B,MAAM,GAAG,CAAC,cAAc,CAAC,iBAAiB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;QAC7D,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAlBD,4BAkBC"}
+{"version":3,"file":"revokeAppPassword.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/revokeAppPassword.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAIhC,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC;QAC1C,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE;QACvC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;YACjC,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAC1D,KAAK,CAAC,IAAI,EACV,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,iCAAiC,CACtC,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YACtC,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YAE3B,MAAM,GAAG,CAAC,cAAc,CAAC,iBAAiB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;QAC7D,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAvBD,4BAuBC"}

package/dist/api/com/atproto/server/updateEmail.d.ts

@@ -1,4 +1,4 @@
-import { Server } from '../../../../lexicon';
 import AppContext from '../../../../context';
+import { Server } from '../../../../lexicon';
 export default function (server: Server, ctx: AppContext): void;
 //# sourceMappingURL=updateEmail.d.ts.map

package/dist/api/com/atproto/server/updateEmail.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"updateEmail.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAI5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QAsDvD"}
+{"version":3,"file":"updateEmail.d.ts","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":"AAMA,OAAO,UAAU,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAG5C,MAAM,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,QA2DvD"}

package/dist/api/com/atproto/server/updateEmail.js

@@ -3,14 +3,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const disposable_email_1 = __importDefault(require("disposable-email"));
+const node_assert_1 = __importDefault(require("node:assert"));
 const xrpc_server_1 = require("@atproto/xrpc-server");
-const proxy_1 = require("../../../proxy");
+const disposable_email_1 = __importDefault(require("disposable-email"));
 const account_1 = require("../../../../account-manager/helpers/account");
+const lexicons_1 = require("../../../../lexicon/lexicons");
 function default_1(server, ctx) {
     server.com.atproto.server.updateEmail({
         auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
-        handler: async ({ auth, input, req }) => {
+        handler: async ({ auth, input }) => {
             const did = auth.credentials.did;
             const { token, email } = input.body;
             if (!disposable_email_1.default.validate(email)) {
@@ -23,7 +24,8 @@ function default_1(server, ctx) {
                 throw new xrpc_server_1.InvalidRequestError('account not found');
             }
             if (ctx.entrywayAgent) {
-                await ctx.entrywayAgent.com.atproto.server.updateEmail(input.body, (0, proxy_1.authPassthru)(req, true));
+                (0, node_assert_1.default)(ctx.cfg.entryway);
+                await ctx.entrywayAgent.com.atproto.server.updateEmail(input.body, await ctx.serviceAuthHeaders(auth.credentials.did, ctx.cfg.entryway.did, lexicons_1.ids.ComAtprotoServerUpdateEmail));
                 return;
             }
             // require valid token if account email is confirmed

package/dist/api/com/atproto/server/updateEmail.js.map

@@ -1 +1 @@
-{"version":3,"file":"updateEmail.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":";;;;;AAAA,wEAAyC;AACzC,sDAA0D;AAG1D,0CAA6C;AAC7C,yEAAoF;AAEpF,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;QACpC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE;YACtC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YACnC,IAAI,CAAC,0BAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,iCAAmB,CAC3B,oEAAoE,CACrE,CAAA;YACH,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;aACzB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CACpD,KAAK,CAAC,IAAI,EACV,IAAA,oBAAY,EAAC,GAAG,EAAE,IAAI,CAAC,CACxB,CAAA;gBACD,OAAM;YACR,CAAC;YAED,oDAAoD;YACpD,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;gBAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,iCAAmB,CAC3B,6BAA6B,EAC7B,eAAe,CAChB,CAAA;gBACH,CAAC;gBACD,MAAM,GAAG,CAAC,cAAc,CAAC,qBAAqB,CAC5C,GAAG,EACH,cAAc,EACd,KAAK,CACN,CAAA;YACH,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAA;YACtD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,gCAAsB,EAAE,CAAC;oBAC1C,MAAM,IAAI,iCAAmB,CAC3B,qEAAqE,CACtE,CAAA;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,GAAG,CAAA;gBACX,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAtDD,4BAsDC"}
+{"version":3,"file":"updateEmail.js","sourceRoot":"","sources":["../../../../../src/api/com/atproto/server/updateEmail.ts"],"names":[],"mappings":";;;;;AAAA,8DAAgC;AAEhC,sDAA0D;AAC1D,wEAAyC;AAEzC,yEAAoF;AAGpF,2DAAkD;AAElD,mBAAyB,MAAc,EAAE,GAAe;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;QACpC,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;YACjC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAA;YAChC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,IAAI,CAAA;YACnC,IAAI,CAAC,0BAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,iCAAmB,CAC3B,oEAAoE,CACrE,CAAA;YACH,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE;gBACvD,kBAAkB,EAAE,IAAI;aACzB,CAAC,CAAA;YACF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iCAAmB,CAAC,mBAAmB,CAAC,CAAA;YACpD,CAAC;YAED,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,IAAA,qBAAM,EAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBACxB,MAAM,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CACpD,KAAK,CAAC,IAAI,EACV,MAAM,GAAG,CAAC,kBAAkB,CAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,EACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EACpB,cAAG,CAAC,2BAA2B,CAChC,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,oDAAoD;YACpD,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;gBAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,iCAAmB,CAC3B,6BAA6B,EAC7B,eAAe,CAChB,CAAA;gBACH,CAAC;gBACD,MAAM,GAAG,CAAC,cAAc,CAAC,qBAAqB,CAC5C,GAAG,EACH,cAAc,EACd,KAAK,CACN,CAAA;YACH,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAA;YACtD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,gCAAsB,EAAE,CAAC;oBAC1C,MAAM,IAAI,iCAAmB,CAC3B,qEAAqE,CACtE,CAAA;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,GAAG,CAAA;gBACX,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AA3DD,4BA2DC"}

package/dist/api/proxy.js

@@ -21,7 +21,11 @@ function authPassthru(req, withEncoding) {
         // This is fine since app views are usually called using the requester's
         // credentials when "auth.credentials.type === 'access'", which is the only
         // case were DPoP is used.
-        if (authorization.startsWith('DPoP ') || req.headers['dpop']) {
+        const [type] = authorization.split(' ', 1);
+        if (!type) {
+            throw new xrpc_server_1.InvalidRequestError('Invalid authorization header');
+        }
+        if (type.toLowerCase() === 'dpop' || req.headers['dpop']) {
             throw new xrpc_server_1.InvalidRequestError('DPoP requests cannot be proxied');
         }
         return {

package/dist/api/proxy.js.map

@@ -1 +1 @@
-{"version":3,"file":"proxy.js","sourceRoot":"","sources":["../../src/api/proxy.ts"],"names":[],"mappings":";;;AACA,sDAA0D;AAGnD,MAAM,cAAc,GAAG,CAAI,MAAqC,EAAE,EAAE;IACzE,sEAAsE;IACtE,OAAO;QACL,QAAQ,EAAE,kBAA2B;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAA;AACH,CAAC,CAAA;AANY,QAAA,cAAc,kBAM1B;AAgBD,SAAgB,YAAY,CAAC,GAAoB,EAAE,YAAsB;IACvE,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,OAAO,CAAA;IAErC,IAAI,aAAa,EAAE,CAAC;QAClB,4EAA4E;QAC5E,qEAAqE;QACrE,oEAAoE;QACpE,qEAAqE;QACrE,qBAAqB;QAErB,wEAAwE;QACxE,2EAA2E;QAC3E,0BAA0B;QAC1B,IAAI,aAAa,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7D,MAAM,IAAI,iCAAmB,CAAC,iCAAiC,CAAC,CAAA;QAClE,CAAC;QAED,OAAO;YACL,OAAO,EAAE,EAAE,aAAa,EAAE;YAC1B,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS;SACxD,CAAA;IACH,CAAC;AACH,CAAC;AAtBD,oCAsBC"}
+{"version":3,"file":"proxy.js","sourceRoot":"","sources":["../../src/api/proxy.ts"],"names":[],"mappings":";;;AACA,sDAA0D;AAGnD,MAAM,cAAc,GAAG,CAAI,MAAqC,EAAE,EAAE;IACzE,sEAAsE;IACtE,OAAO;QACL,QAAQ,EAAE,kBAA2B;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAA;AACH,CAAC,CAAA;AANY,QAAA,cAAc,kBAM1B;AAgBD,SAAgB,YAAY,CAAC,GAAoB,EAAE,YAAsB;IACvE,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,OAAO,CAAA;IAErC,IAAI,aAAa,EAAE,CAAC;QAClB,4EAA4E;QAC5E,qEAAqE;QACrE,oEAAoE;QACpE,qEAAqE;QACrE,qBAAqB;QAErB,wEAAwE;QACxE,2EAA2E;QAC3E,0BAA0B;QAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,iCAAmB,CAAC,8BAA8B,CAAC,CAAA;QAC/D,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,iCAAmB,CAAC,iCAAiC,CAAC,CAAA;QAClE,CAAC;QAED,OAAO;YACL,OAAO,EAAE,EAAE,aAAa,EAAE;YAC1B,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS;SACxD,CAAA;IACH,CAAC;AACH,CAAC;AA1BD,oCA0BC"}

package/dist/auth-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAEhC,OAAO,UAAU,MAAM,WAAW,CAAA;AAElC,eAAO,MAAM,YAAY,0BAA2B,UAAU,KAAG,MAqBhE,CAAA"}
+{"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAEhC,OAAO,UAAU,MAAM,WAAW,CAAA;AAElC,eAAO,MAAM,YAAY,0BAA2B,UAAU,KAAG,MAuBhE,CAAA"}

package/dist/auth-routes.js

@@ -9,10 +9,12 @@ const createRouter = ({ authProvider, cfg }) => {
         resource: cfg.service.publicUrl,
         authorization_servers: [cfg.entryway?.url ?? cfg.service.publicUrl],
         bearer_methods_supported: ['header'],
-        scopes_supported: ['profile', 'email', 'phone'],
+        scopes_supported: [],
         resource_documentation: 'https://atproto.com',
     });
     router.get('/.well-known/oauth-protected-resource', (req, res) => {
+        res.setHeader('Access-Control-Allow-Origin', '*');
+        res.setHeader('Access-Control-Allow-Method', '*');
         res.status(200).json(oauthProtectedResourceMetadata);
     });
     if (authProvider) {

package/dist/auth-routes.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-routes.js","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":";;;AAAA,4DAA8E;AAC9E,qCAAgC;AAIzB,MAAM,YAAY,GAAG,CAAC,EAAE,YAAY,EAAE,GAAG,EAAc,EAAU,EAAE;IACxE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAA;IAEvB,MAAM,8BAA8B,GAClC,qDAAoC,CAAC,KAAK,CAAC;QACzC,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS;QAC/B,qBAAqB,EAAE,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC;QACnE,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,gBAAgB,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC;QAC/C,sBAAsB,EAAE,qBAAqB;KAC9C,CAAC,CAAA;IAEJ,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAA;IACtD,CAAC,CAAC,CAAA;IAEF,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC,CAAA;IACzC,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AArBY,QAAA,YAAY,gBAqBxB"}
+{"version":3,"file":"auth-routes.js","sourceRoot":"","sources":["../src/auth-routes.ts"],"names":[],"mappings":";;;AAAA,4DAA8E;AAC9E,qCAAgC;AAIzB,MAAM,YAAY,GAAG,CAAC,EAAE,YAAY,EAAE,GAAG,EAAc,EAAU,EAAE;IACxE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAA;IAEvB,MAAM,8BAA8B,GAClC,qDAAoC,CAAC,KAAK,CAAC;QACzC,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS;QAC/B,qBAAqB,EAAE,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC;QACnE,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,gBAAgB,EAAE,EAAE;QACpB,sBAAsB,EAAE,qBAAqB;KAC9C,CAAC,CAAA;IAEJ,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/D,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;QACjD,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;QACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAA;IACtD,CAAC,CAAC,CAAA;IAEF,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC,CAAA;IACzC,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAvBY,QAAA,YAAY,gBAuBxB"}

package/dist/auth-verifier.d.ts

@@ -107,8 +107,8 @@ export declare class AuthVerifier {
     modService: (ctx: ReqCtx) => Promise<ModServiceOutput>;
     moderator: (ctx: ReqCtx) => Promise<AdminTokenOutput | ModServiceOutput>;
     protected validateAdminToken({ req, }: ReqCtx): Promise<AdminTokenOutput>;
-    protected validateRefreshToken(ctx: ReqCtx, verifyOptions?: Omit<jose.JWTVerifyOptions, 'audience'>): Promise<ValidatedRefreshBearer>;
-    protected validateBearerToken(ctx: ReqCtx, scopes: AuthScope[], verifyOptions?: jose.JWTVerifyOptions): Promise<ValidatedBearer>;
+    protected validateRefreshToken(ctx: ReqCtx, verifyOptions?: Omit<jose.JWTVerifyOptions, 'audience' | 'typ'>): Promise<ValidatedRefreshBearer>;
+    protected validateBearerToken(ctx: ReqCtx, scopes: AuthScope[], verifyOptions: jose.JWTVerifyOptions & Required<Pick<jose.JWTVerifyOptions, 'audience' | 'typ'>>): Promise<ValidatedBearer>;
     protected validateAccessToken(ctx: ReqCtx, scopes: AuthScope[], { checkTakedown, checkDeactivated, }?: {
         checkTakedown?: boolean;
         checkDeactivated?: boolean;

package/dist/auth-verifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-verifier.d.ts","sourceRoot":"","sources":["../src/auth-verifier.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,SAAS,EAAoC,MAAM,aAAa,CAAA;AAIzE,OAAO,EAAE,UAAU,EAA0B,MAAM,mBAAmB,CAAA;AACtE,OAAO,EAEL,aAAa,EAEd,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAEL,mBAAmB,EAGnB,yBAAyB,EAI1B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAGlD,KAAK,MAAM,GAAG,mBAAmB,GAAG,yBAAyB,CAAA;AAG7D,oBAAY,SAAS;IACnB,MAAM,uBAAuB;IAC7B,OAAO,wBAAwB;IAC/B,OAAO,wBAAwB;IAC/B,iBAAiB,kCAAkC;IACnD,YAAY,6BAA6B;CAC1C;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,UAAU,EAAE,SAAS,EAAE,CAAA;IACvB,aAAa,EAAE,OAAO,CAAA;IACtB,gBAAgB,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED,oBAAY,UAAU;IACpB,KAAK,IAAA;IACL,OAAO,IAAA;IACP,OAAO,IAAA;CACR;AAED,KAAK,UAAU,GAAG;IAChB,WAAW,EAAE,IAAI,CAAA;CAClB,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;KACpB,CAAA;CACF,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;QACnB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,YAAY,GAAG;IAClB,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,YAAY,EAAE,OAAO,CAAA;KACtB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE;QACX,IAAI,EAAE,SAAS,CAAA;QACf,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,qBAAqB,GAAG;IAC3B,WAAW,EAAE;QACX,IAAI,EAAE,mBAAmB,CAAA;QACzB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,eAAe,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,SAAS,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,IAAI,CAAC,UAAU,CAAA;IACxB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC7B,CAAA;AAED,KAAK,sBAAsB,GAAG,eAAe,GAAG;IAC9C,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,SAAS,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE;QACJ,GAAG,EAAE,MAAM,CAAA;QACX,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;CACF,CAAA;AAED,qBAAa,YAAY;IAOd,cAAc,EAAE,cAAc;IAC9B,UAAU,EAAE,UAAU;IACtB,aAAa,EAAE,aAAa;IARrC,OAAO,CAAC,UAAU,CAAQ;IAC1B,OAAO,CAAC,OAAO,CAAW;IAC1B,OAAO,CAAC,UAAU,CAAQ;IACnB,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAA;gBAG5B,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,aAAa,EACnC,IAAI,EAAE,gBAAgB;IAUxB,cAAc,UACL,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAWnC;IAEH,UAAU,UACD,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,gBAAgB,UACP,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,OAAO,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAcpD;IAED,cAAc,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAc3D;IAED,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAG1D;IAED,0BAA0B,QACnB,MAAM,KACV,QAAQ,YAAY,GAAG,gBAAgB,GAAG,UAAU,CAAC,CAQvD;IAED,eAAe,QAAe,MAAM,KAAG,QAAQ,qBAAqB,CAAC,CAqBpE;IAED,uBAAuB,QAChB,MAAM,KACV,QAAQ,qBAAqB,GAAG,UAAU,CAAC,CAM7C;IAED,uBAAuB,UACd,QAAQ,UAAU,CAAC,WACd,MAAM,KAAG,QAAQ,qBAAqB,GAAG,YAAY,CAAC,CASjE;IAEH,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAwB1D;IAED,SAAS,QACF,MAAM,KACV,QAAQ,gBAAgB,GAAG,gBAAgB,CAAC,CAM9C;cAEe,kBAAkB,CAAC,EACjC,GAAG,GACJ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;cAarB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,aAAa,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,CAAC,GACtD,OAAO,CAAC,sBAAsB,CAAC;cAgBlB,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,aAAa,CAAC,EAAE,IAAI,CAAC,gBAAgB,GACpC,OAAO,CAAC,eAAe,CAAC;cA+CX,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,EACE,aAAqB,EACrB,gBAAwB,GACzB,GAAE;QAAE,aAAa,CAAC,EAAE,OAAO,CAAC;QAAC,gBAAgB,CAAC,EAAE,OAAO,CAAA;KAAO,GAC9D,OAAO,CAAC,YAAY,CAAC;cAqDR,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cAgER,yBAAyB,CACvC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cAsBR,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;KAAE;;;;IA2CpD,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU;IAOvC,aAAa,CACX,IAAI,EAAE,YAAY,GAAG,gBAAgB,GAAG,UAAU,EAClD,GAAG,EAAE,MAAM,GACV,OAAO;cAUM,SAAS,CACvB,KAAK,EAAE,MAAM,EACb,aAAa,CAAC,EAAE,IAAI,CAAC,gBAAgB;IAevC,SAAS,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM;CAOrC;AAKD,aAAK,QAAQ;IACX,KAAK,UAAU;IACf,MAAM,WAAW;IACjB,IAAI,SAAS;CACd;AAED,eAAO,MAAM,wBAAwB,mBACnB,MAAM,KACrB,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAqB/C,CAAA;AAsBD,eAAO,MAAM,cAAc,yBACH,MAAM,KAC3B;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAc3C,CAAA;AAOD,eAAO,MAAM,qBAAqB,WAAY,MAAM,KAAG,SAEtD,CAAA;AAED,eAAO,MAAM,qBAAqB,iBAAkB,MAAM,KAAG,SAG5D,CAAA"}
+{"version":3,"file":"auth-verifier.d.ts","sourceRoot":"","sources":["../src/auth-verifier.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,SAAS,EAAoC,MAAM,aAAa,CAAA;AAIzE,OAAO,EAAE,UAAU,EAA0B,MAAM,mBAAmB,CAAA;AACtE,OAAO,EAEL,aAAa,EAEd,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAEL,mBAAmB,EAGnB,yBAAyB,EAI1B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAGlD,KAAK,MAAM,GAAG,mBAAmB,GAAG,yBAAyB,CAAA;AAG7D,oBAAY,SAAS;IACnB,MAAM,uBAAuB;IAC7B,OAAO,wBAAwB;IAC/B,OAAO,wBAAwB;IAC/B,iBAAiB,kCAAkC;IACnD,YAAY,6BAA6B;CAC1C;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,UAAU,EAAE,SAAS,EAAE,CAAA;IACvB,aAAa,EAAE,OAAO,CAAA;IACtB,gBAAgB,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED,oBAAY,UAAU;IACpB,KAAK,IAAA;IACL,OAAO,IAAA;IACP,OAAO,IAAA;CACR;AAED,KAAK,UAAU,GAAG;IAChB,WAAW,EAAE,IAAI,CAAA;CAClB,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;KACpB,CAAA;CACF,CAAA;AAED,KAAK,gBAAgB,GAAG;IACtB,WAAW,EAAE;QACX,IAAI,EAAE,aAAa,CAAA;QACnB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,YAAY,GAAG;IAClB,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,YAAY,EAAE,OAAO,CAAA;KACtB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE;QACX,IAAI,EAAE,SAAS,CAAA;QACf,GAAG,EAAE,MAAM,CAAA;QACX,KAAK,EAAE,SAAS,CAAA;QAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,qBAAqB,GAAG;IAC3B,WAAW,EAAE;QACX,IAAI,EAAE,mBAAmB,CAAA;QACzB,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;CACF,CAAA;AAED,KAAK,eAAe,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,SAAS,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,IAAI,CAAC,UAAU,CAAA;IACxB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC7B,CAAA;AAED,KAAK,sBAAsB,GAAG,eAAe,GAAG;IAC9C,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,SAAS,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE;QACJ,GAAG,EAAE,MAAM,CAAA;QACX,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;CACF,CAAA;AAED,qBAAa,YAAY;IAOd,cAAc,EAAE,cAAc;IAC9B,UAAU,EAAE,UAAU;IACtB,aAAa,EAAE,aAAa;IARrC,OAAO,CAAC,UAAU,CAAQ;IAC1B,OAAO,CAAC,OAAO,CAAW;IAC1B,OAAO,CAAC,UAAU,CAAQ;IACnB,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAA;gBAG5B,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,aAAa,EACnC,IAAI,EAAE,gBAAgB;IAUxB,cAAc,UACL,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAWnC;IAEH,UAAU,UACD,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,gBAAgB,UACP,QAAQ,UAAU,CAAC,WACpB,MAAM,KAAG,QAAQ,YAAY,CAAC,CAMnC;IAEH,OAAO,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAcpD;IAED,cAAc,QAAe,MAAM,KAAG,QAAQ,aAAa,CAAC,CAc3D;IAED,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAG1D;IAED,0BAA0B,QACnB,MAAM,KACV,QAAQ,YAAY,GAAG,gBAAgB,GAAG,UAAU,CAAC,CAQvD;IAED,eAAe,QAAe,MAAM,KAAG,QAAQ,qBAAqB,CAAC,CAqBpE;IAED,uBAAuB,QAChB,MAAM,KACV,QAAQ,qBAAqB,GAAG,UAAU,CAAC,CAM7C;IAED,uBAAuB,UACd,QAAQ,UAAU,CAAC,WACd,MAAM,KAAG,QAAQ,qBAAqB,GAAG,YAAY,CAAC,CASjE;IAEH,UAAU,QAAe,MAAM,KAAG,QAAQ,gBAAgB,CAAC,CAwB1D;IAED,SAAS,QACF,MAAM,KACV,QAAQ,gBAAgB,GAAG,gBAAgB,CAAC,CAM9C;cAEe,kBAAkB,CAAC,EACjC,GAAG,GACJ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;cAarB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,aAAa,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,GAAG,KAAK,CAAC,GAC9D,OAAO,CAAC,sBAAsB,CAAC;cAiBlB,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,aAAa,EAAE,IAAI,CAAC,gBAAgB,GAClC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,GAAG,KAAK,CAAC,CAAC,GAC1D,OAAO,CAAC,eAAe,CAAC;cA2DX,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,EACnB,EACE,aAAqB,EACrB,gBAAwB,GACzB,GAAE;QAAE,aAAa,CAAC,EAAE,OAAO,CAAC;QAAC,gBAAgB,CAAC,EAAE,OAAO,CAAA;KAAO,GAC9D,OAAO,CAAC,YAAY,CAAC;cAqDR,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cA4FR,yBAAyB,CACvC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,SAAS,EAAE,GAClB,OAAO,CAAC,YAAY,CAAC;cAsBR,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;KAAE;;;;IA2CpD,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU;IAOvC,aAAa,CACX,IAAI,EAAE,YAAY,GAAG,gBAAgB,GAAG,UAAU,EAClD,GAAG,EAAE,MAAM,GACV,OAAO;cAUM,SAAS,CACvB,KAAK,EAAE,MAAM,EACb,aAAa,CAAC,EAAE,IAAI,CAAC,gBAAgB;IAevC,SAAS,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM;CAOrC;AAKD,aAAK,QAAQ;IACX,KAAK,UAAU;IACf,MAAM,WAAW;IACjB,IAAI,SAAS;CACd;AAED,eAAO,MAAM,wBAAwB,mBACnB,MAAM,KACrB,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAqB/C,CAAA;AAsBD,eAAO,MAAM,cAAc,yBACH,MAAM,KAC3B;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAc3C,CAAA;AAOD,eAAO,MAAM,qBAAqB,WAAY,MAAM,KAAG,SAEtD,CAAA;AAED,eAAO,MAAM,qBAAqB,iBAAkB,MAAM,KAAG,SAG5D,CAAA"}

package/dist/auth-verifier.js

@@ -296,6 +296,7 @@ class AuthVerifier {
     async validateRefreshToken(ctx, verifyOptions) {
         const result = await this.validateBearerToken(ctx, [AuthScope.Refresh], {
             ...verifyOptions,
+            typ: 'refresh+jwt',
             // when using entryway, proxying refresh credentials
             audience: this.dids.entryway ? this.dids.entryway : this.dids.pds,
         });
@@ -311,13 +312,25 @@ class AuthVerifier {
         if (!token) {
             throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
         }
-        const { payload, protectedHeader } = await this.jwtVerify(token, verifyOptions);
-        if (protectedHeader.typ === 'dpop+jwt') {
-            // @TODO we should make sure that bearer access tokens do have their "typ"
-            // claim, and allow list the possible value(s) here (typically "at+jwt"),
-            // instead of using a deny list. This would be more secure & future proof
-            // against new token types that would be introduced in the future
-            throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
+        const { payload, protectedHeader } = await this.jwtVerify(token, 
+        // @TODO: Once all access & refresh tokens have a "typ" claim (i.e. 90
+        // days after this code was deployed), replace the following line with
+        // "verifyOptions," (to re-enable the verification of the "typ" property
+        // from verifyJwt()). Once the change is made, the "if" block below that
+        // checks for "typ" can be removed.
+        {
+            ...verifyOptions,
+            typ: undefined,
+        });
+        // @TODO: remove the next check once all access & refresh tokens have "typ"
+        // Note: when removing the check, make sure that the "verifyOptions"
+        // contains the "typ" property, so that the token is verified correctly by
+        // this.verifyJwt()
+        if (protectedHeader.typ && verifyOptions.typ !== protectedHeader.typ) {
+            // Temporarily allow historical tokens without "typ" to pass through. See:
+            // createAccessToken() and createRefreshToken() in
+            // src/account-manager/helpers/auth.ts
+            throw new xrpc_server_1.InvalidRequestError('Invalid token type', 'InvalidToken');
         }
         const { sub, aud, scope } = payload;
         if (typeof sub !== 'string' || !sub.startsWith('did:')) {
@@ -327,8 +340,9 @@ class AuthVerifier {
             (typeof aud !== 'string' || !aud.startsWith('did:'))) {
             throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
         }
-        if (payload.cnf?.jkt) {
-            // DPoP bound tokens must not be usable as regular Bearer tokens
+        if (payload['cnf'] !== undefined) {
+            // Proof-of-Possession (PoP) tokens are not allowed here
+            // https://www.rfc-editor.org/rfc/rfc7800.html
             throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
         }
         if (!isAuthScope(scope) || (scopes.length > 0 && !scopes.includes(scope))) {
@@ -379,9 +393,6 @@ class AuthVerifier {
         return accessOutput;
     }
     async validateDpopAccessToken(ctx, scopes) {
-        if (!scopes.includes(AuthScope.Access)) {
-            throw new xrpc_server_1.InvalidRequestError('DPoP access token cannot be used for this request', 'InvalidToken');
-        }
         this.setAuthHeaders(ctx);
         const { req } = ctx;
         const res = 'res' in ctx ? ctx.res : null;
@@ -401,13 +412,33 @@ class AuthVerifier {
             if (typeof sub !== 'string' || !sub.startsWith('did:')) {
                 throw new xrpc_server_1.InvalidRequestError('Malformed token', 'InvalidToken');
             }
+            const tokenScopes = new Set(result.claims.scope?.split(' '));
+            if (!tokenScopes.has('transition:generic')) {
+                throw new xrpc_server_1.AuthRequiredError('Missing required scope: transition:generic', 'InvalidToken');
+            }
+            const scopeEquivalent = tokenScopes.has('transition:chat.bsky')
+                ? AuthScope.AppPassPrivileged
+                : AuthScope.AppPass;
+            if (!scopes.includes(scopeEquivalent)) {
+                // AppPassPrivileged is sufficient but was not provided "transition:chat.bsky"
+                if (scopes.includes(AuthScope.AppPassPrivileged)) {
+                    throw new xrpc_server_1.InvalidRequestError('Missing required scope: transition:chat.bsky', 'InvalidToken');
+                }
+                // AuthScope.Access and AuthScope.SignupQueued do not have an OAuth
+                // scope equivalent.
+                throw new xrpc_server_1.InvalidRequestError('DPoP access token cannot be used for this request', 'InvalidToken');
+            }
+            const isPrivileged = [
+                AuthScope.Access,
+                AuthScope.AppPassPrivileged,
+            ].includes(scopeEquivalent);
             return {
                 credentials: {
                     type: 'access',
                     did: result.claims.sub,
-                    scope: AuthScope.Access,
+                    scope: scopeEquivalent,
                     audience: this.dids.pds,
-                    isPrivileged: true,
+                    isPrivileged,
                 },
                 artifacts: result.token,
             };
@@ -426,7 +457,7 @@ class AuthVerifier {
         }
     }
     async validateBearerAccessToken(ctx, scopes) {
-        const { did, scope, token, audience } = await this.validateBearerToken(ctx, scopes, { audience: this.dids.pds });
+        const { did, scope, token, audience } = await this.validateBearerToken(ctx, scopes, { audience: this.dids.pds, typ: 'at+jwt' });
         const isPrivileged = [
             AuthScope.Access,
             AuthScope.AppPassPrivileged,