@atproto/pds 0.4.53 → 0.4.55

package/src/api/com/atproto/server/requestAccountDelete.ts

@@ -1,8 +1,11 @@
+import assert from 'node:assert'
+
 import { DAY, HOUR } from '@atproto/common'
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { Server } from '../../../../lexicon'
+
 import AppContext from '../../../../context'
-import { authPassthru } from '../../../proxy'
+import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.requestAccountDelete({
@@ -19,7 +22,7 @@ export default function (server: Server, ctx: AppContext) {
       },
     ],
     auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
-    handler: async ({ auth, req }) => {
+    handler: async ({ auth }) => {
       const did = auth.credentials.did
       const account = await ctx.accountManager.getAccount(did, {
         includeDeactivated: true,
@@ -30,9 +33,14 @@ export default function (server: Server, ctx: AppContext) {
       }
 
       if (ctx.entrywayAgent) {
+        assert(ctx.cfg.entryway)
         await ctx.entrywayAgent.com.atproto.server.requestAccountDelete(
           undefined,
-          authPassthru(req),
+          await ctx.serviceAuthHeaders(
+            auth.credentials.did,
+            ctx.cfg.entryway.did,
+            ids.ComAtprotoServerRequestAccountDelete,
+          ),
         )
         return
       }

package/src/api/com/atproto/server/requestEmailConfirmation.ts

@@ -1,8 +1,11 @@
+import assert from 'node:assert'
+
 import { DAY, HOUR } from '@atproto/common'
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { Server } from '../../../../lexicon'
+
 import AppContext from '../../../../context'
-import { authPassthru } from '../../../proxy'
+import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.requestEmailConfirmation({
@@ -19,7 +22,7 @@ export default function (server: Server, ctx: AppContext) {
       },
     ],
     auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
-    handler: async ({ auth, req }) => {
+    handler: async ({ auth }) => {
       const did = auth.credentials.did
       const account = await ctx.accountManager.getAccount(did, {
         includeDeactivated: true,
@@ -30,9 +33,14 @@ export default function (server: Server, ctx: AppContext) {
       }
 
       if (ctx.entrywayAgent) {
+        assert(ctx.cfg.entryway)
         await ctx.entrywayAgent.com.atproto.server.requestEmailConfirmation(
           undefined,
-          authPassthru(req),
+          await ctx.serviceAuthHeaders(
+            auth.credentials.did,
+            ctx.cfg.entryway.did,
+            ids.ComAtprotoServerRequestEmailConfirmation,
+          ),
         )
         return
       }

package/src/api/com/atproto/server/requestEmailUpdate.ts

@@ -1,8 +1,12 @@
+import assert from 'node:assert'
+
 import { DAY, HOUR } from '@atproto/common'
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { Server } from '../../../../lexicon'
+
 import AppContext from '../../../../context'
-import { authPassthru, resultPassthru } from '../../../proxy'
+import { Server } from '../../../../lexicon'
+import { resultPassthru } from '../../../proxy'
+import { ids } from '../../../../lexicon/lexicons'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.requestEmailUpdate({
@@ -19,7 +23,7 @@ export default function (server: Server, ctx: AppContext) {
       },
     ],
     auth: ctx.authVerifier.accessStandard({ checkTakedown: true }),
-    handler: async ({ auth, req }) => {
+    handler: async ({ auth }) => {
       const did = auth.credentials.did
       const account = await ctx.accountManager.getAccount(did, {
         includeDeactivated: true,
@@ -30,10 +34,15 @@ export default function (server: Server, ctx: AppContext) {
       }
 
       if (ctx.entrywayAgent) {
+        assert(ctx.cfg.entryway)
         return resultPassthru(
           await ctx.entrywayAgent.com.atproto.server.requestEmailUpdate(
             undefined,
-            authPassthru(req),
+            await ctx.serviceAuthHeaders(
+              auth.credentials.did,
+              ctx.cfg.entryway.did,
+              ids.ComAtprotoServerRequestEmailUpdate,
+            ),
           ),
         )
       }

package/src/api/com/atproto/server/revokeAppPassword.ts

@@ -1,15 +1,22 @@
+import assert from 'node:assert'
+
 import AppContext from '../../../../context'
 import { Server } from '../../../../lexicon'
-import { authPassthru } from '../../../proxy'
+import { ids } from '../../../../lexicon/lexicons'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.revokeAppPassword({
     auth: ctx.authVerifier.accessStandard(),
-    handler: async ({ auth, input, req }) => {
+    handler: async ({ auth, input }) => {
       if (ctx.entrywayAgent) {
+        assert(ctx.cfg.entryway)
         await ctx.entrywayAgent.com.atproto.server.revokeAppPassword(
           input.body,
-          authPassthru(req, true),
+          await ctx.serviceAuthHeaders(
+            auth.credentials.did,
+            ctx.cfg.entryway.did,
+            ids.ComAtprotoServerRevokeAppPassword,
+          ),
         )
         return
       }

package/src/api/com/atproto/server/updateEmail.ts

@@ -1,14 +1,17 @@
-import disposable from 'disposable-email'
+import assert from 'node:assert'
+
 import { InvalidRequestError } from '@atproto/xrpc-server'
-import { Server } from '../../../../lexicon'
-import AppContext from '../../../../context'
-import { authPassthru } from '../../../proxy'
+import disposable from 'disposable-email'
+
 import { UserAlreadyExistsError } from '../../../../account-manager/helpers/account'
+import AppContext from '../../../../context'
+import { Server } from '../../../../lexicon'
+import { ids } from '../../../../lexicon/lexicons'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.server.updateEmail({
     auth: ctx.authVerifier.accessFull({ checkTakedown: true }),
-    handler: async ({ auth, input, req }) => {
+    handler: async ({ auth, input }) => {
       const did = auth.credentials.did
       const { token, email } = input.body
       if (!disposable.validate(email)) {
@@ -24,9 +27,14 @@ export default function (server: Server, ctx: AppContext) {
       }
 
       if (ctx.entrywayAgent) {
+        assert(ctx.cfg.entryway)
         await ctx.entrywayAgent.com.atproto.server.updateEmail(
           input.body,
-          authPassthru(req, true),
+          await ctx.serviceAuthHeaders(
+            auth.credentials.did,
+            ctx.cfg.entryway.did,
+            ids.ComAtprotoServerUpdateEmail,
+          ),
         )
         return
       }

package/src/api/proxy.ts

@@ -37,7 +37,11 @@ export function authPassthru(req: IncomingMessage, withEncoding?: boolean) {
     // This is fine since app views are usually called using the requester's
     // credentials when "auth.credentials.type === 'access'", which is the only
     // case were DPoP is used.
-    if (authorization.startsWith('DPoP ') || req.headers['dpop']) {
+    const [type] = authorization.split(' ', 1)
+    if (!type) {
+      throw new InvalidRequestError('Invalid authorization header')
+    }
+    if (type.toLowerCase() === 'dpop' || req.headers['dpop']) {
       throw new InvalidRequestError('DPoP requests cannot be proxied')
     }
 

package/src/auth-routes.ts

@@ -11,11 +11,13 @@ export const createRouter = ({ authProvider, cfg }: AppContext): Router => {
       resource: cfg.service.publicUrl,
       authorization_servers: [cfg.entryway?.url ?? cfg.service.publicUrl],
       bearer_methods_supported: ['header'],
-      scopes_supported: ['profile', 'email', 'phone'],
+      scopes_supported: [],
       resource_documentation: 'https://atproto.com',
     })
 
   router.get('/.well-known/oauth-protected-resource', (req, res) => {
+    res.setHeader('Access-Control-Allow-Origin', '*')
+    res.setHeader('Access-Control-Allow-Method', '*')
     res.status(200).json(oauthProtectedResourceMetadata)
   })
 

package/src/auth-verifier.ts

@@ -320,10 +320,11 @@ export class AuthVerifier {
 
   protected async validateRefreshToken(
     ctx: ReqCtx,
-    verifyOptions?: Omit<jose.JWTVerifyOptions, 'audience'>,
+    verifyOptions?: Omit<jose.JWTVerifyOptions, 'audience' | 'typ'>,
   ): Promise<ValidatedRefreshBearer> {
     const result = await this.validateBearerToken(ctx, [AuthScope.Refresh], {
       ...verifyOptions,
+      typ: 'refresh+jwt',
       // when using entryway, proxying refresh credentials
       audience: this.dids.entryway ? this.dids.entryway : this.dids.pds,
     })
@@ -340,7 +341,8 @@ export class AuthVerifier {
   protected async validateBearerToken(
     ctx: ReqCtx,
     scopes: AuthScope[],
-    verifyOptions?: jose.JWTVerifyOptions,
+    verifyOptions: jose.JWTVerifyOptions &
+      Required<Pick<jose.JWTVerifyOptions, 'audience' | 'typ'>>,
   ): Promise<ValidatedBearer> {
     this.setAuthHeaders(ctx)
 
@@ -351,15 +353,26 @@ export class AuthVerifier {
 
     const { payload, protectedHeader } = await this.jwtVerify(
       token,
-      verifyOptions,
+      // @TODO: Once all access & refresh tokens have a "typ" claim (i.e. 90
+      // days after this code was deployed), replace the following line with
+      // "verifyOptions," (to re-enable the verification of the "typ" property
+      // from verifyJwt()). Once the change is made, the "if" block below that
+      // checks for "typ" can be removed.
+      {
+        ...verifyOptions,
+        typ: undefined,
+      },
     )
 
-    if (protectedHeader.typ === 'dpop+jwt') {
-      // @TODO we should make sure that bearer access tokens do have their "typ"
-      // claim, and allow list the possible value(s) here (typically "at+jwt"),
-      // instead of using a deny list. This would be more secure & future proof
-      // against new token types that would be introduced in the future
-      throw new InvalidRequestError('Malformed token', 'InvalidToken')
+    // @TODO: remove the next check once all access & refresh tokens have "typ"
+    // Note: when removing the check, make sure that the "verifyOptions"
+    // contains the "typ" property, so that the token is verified correctly by
+    // this.verifyJwt()
+    if (protectedHeader.typ && verifyOptions.typ !== protectedHeader.typ) {
+      // Temporarily allow historical tokens without "typ" to pass through. See:
+      // createAccessToken() and createRefreshToken() in
+      // src/account-manager/helpers/auth.ts
+      throw new InvalidRequestError('Invalid token type', 'InvalidToken')
     }
 
     const { sub, aud, scope } = payload
@@ -372,8 +385,9 @@ export class AuthVerifier {
     ) {
       throw new InvalidRequestError('Malformed token', 'InvalidToken')
     }
-    if ((payload.cnf as any)?.jkt) {
-      // DPoP bound tokens must not be usable as regular Bearer tokens
+    if (payload['cnf'] !== undefined) {
+      // Proof-of-Possession (PoP) tokens are not allowed here
+      // https://www.rfc-editor.org/rfc/rfc7800.html
       throw new InvalidRequestError('Malformed token', 'InvalidToken')
     }
     if (!isAuthScope(scope) || (scopes.length > 0 && !scopes.includes(scope))) {
@@ -452,13 +466,6 @@ export class AuthVerifier {
     ctx: ReqCtx,
     scopes: AuthScope[],
   ): Promise<AccessOutput> {
-    if (!scopes.includes(AuthScope.Access)) {
-      throw new InvalidRequestError(
-        'DPoP access token cannot be used for this request',
-        'InvalidToken',
-      )
-    }
-
     this.setAuthHeaders(ctx)
 
     const { req } = ctx
@@ -489,13 +496,48 @@ export class AuthVerifier {
         throw new InvalidRequestError('Malformed token', 'InvalidToken')
       }
 
+      const tokenScopes = new Set(result.claims.scope?.split(' '))
+
+      if (!tokenScopes.has('transition:generic')) {
+        throw new AuthRequiredError(
+          'Missing required scope: transition:generic',
+          'InvalidToken',
+        )
+      }
+
+      const scopeEquivalent: AuthScope = tokenScopes.has('transition:chat.bsky')
+        ? AuthScope.AppPassPrivileged
+        : AuthScope.AppPass
+
+      if (!scopes.includes(scopeEquivalent)) {
+        // AppPassPrivileged is sufficient but was not provided "transition:chat.bsky"
+        if (scopes.includes(AuthScope.AppPassPrivileged)) {
+          throw new InvalidRequestError(
+            'Missing required scope: transition:chat.bsky',
+            'InvalidToken',
+          )
+        }
+
+        // AuthScope.Access and AuthScope.SignupQueued do not have an OAuth
+        // scope equivalent.
+        throw new InvalidRequestError(
+          'DPoP access token cannot be used for this request',
+          'InvalidToken',
+        )
+      }
+
+      const isPrivileged = [
+        AuthScope.Access,
+        AuthScope.AppPassPrivileged,
+      ].includes(scopeEquivalent)
+
       return {
         credentials: {
           type: 'access',
           did: result.claims.sub,
-          scope: AuthScope.Access,
+          scope: scopeEquivalent,
           audience: this.dids.pds,
-          isPrivileged: true,
+          isPrivileged,
         },
         artifacts: result.token,
       }
@@ -522,7 +564,7 @@ export class AuthVerifier {
     const { did, scope, token, audience } = await this.validateBearerToken(
       ctx,
       scopes,
-      { audience: this.dids.pds },
+      { audience: this.dids.pds, typ: 'at+jwt' },
     )
     const isPrivileged = [
       AuthScope.Access,

package/src/index.ts

@@ -54,12 +54,6 @@ export class PDS {
     secrets: ServerSecrets,
     overrides?: Partial<AppContextOptions>,
   ): Promise<PDS> {
-    const app = express()
-    app.set('trust proxy', true)
-    app.use(cors({ maxAge: DAY / SECOND }))
-    app.use(loggerMiddleware)
-    app.use(compression())
-
     const ctx = await AppContext.fromConfig(cfg, secrets, overrides)
 
     const xrpcOpts: XrpcServerOptions = {
@@ -100,7 +94,12 @@ export class PDS {
 
     server = API(server, ctx)
 
-    app.use(authRoutes.createRouter(ctx))
+    const app = express()
+    app.set('trust proxy', true)
+    app.use(loggerMiddleware)
+    app.use(compression())
+    app.use(authRoutes.createRouter(ctx)) // Before CORS
+    app.use(cors({ maxAge: DAY / SECOND }))
     app.use(basicRoutes.createRouter(ctx))
     app.use(wellKnown.createRouter(ctx))
     app.use(server.xrpc.router)

package/src/lexicon/lexicons.ts

@@ -6251,6 +6251,10 @@ export const schemaDict = {
                   'lex:app.bsky.feed.defs#blockedPost',
                 ],
               },
+              threadgate: {
+                type: 'ref',
+                ref: 'lex:app.bsky.feed.defs#threadgateView',
+              },
             },
           },
         },

package/src/lexicon/types/app/bsky/feed/getPostThread.ts

@@ -26,6 +26,7 @@ export interface OutputSchema {
     | AppBskyFeedDefs.NotFoundPost
     | AppBskyFeedDefs.BlockedPost
     | { $type: string; [k: string]: unknown }
+  threadgate?: AppBskyFeedDefs.ThreadgateView
   [k: string]: unknown
 }
 

package/src/oauth/provider.ts

@@ -44,6 +44,8 @@ export class PdsOAuthProvider extends OAuthProvider {
         // & resource server, in which case the issuer origin is also the
         // resource server uri.
         protected_resources: [new URL(issuer).origin],
+
+        scopes_supported: ['transition:generic', 'transition:chat.bsky'],
       },
 
       accountStore: new DetailedAccountStore(

package/src/pipethrough.ts

@@ -22,7 +22,10 @@ export const proxyHandler = (ctx: AppContext): CatchallHandler => {
     try {
       const { url, aud, nsid } = await formatUrlAndAud(ctx, req)
       const auth = await accessStandard({ req, res })
-      if (!auth.credentials.isPrivileged && PRIVILEGED_METHODS.has(nsid)) {
+      if (
+        PROTECTED_METHODS.has(nsid) ||
+        (!auth.credentials.isPrivileged && PRIVILEGED_METHODS.has(nsid))
+      ) {
         throw new InvalidRequestError('Bad token method', 'InvalidToken')
       }
       const headers = await formatHeaders(ctx, req, {
@@ -276,6 +279,27 @@ export const PRIVILEGED_METHODS = new Set([
   ids.ComAtprotoServerCreateAccount,
 ])
 
+// These endpoints are related to account management and must be used directly,
+// not proxied or service-authed. Service auth may be utilized between PDS and
+// entryway for these methods.
+export const PROTECTED_METHODS = new Set([
+  ids.ComAtprotoAdminSendEmail,
+  ids.ComAtprotoIdentityRequestPlcOperationSignature,
+  ids.ComAtprotoIdentitySignPlcOperation,
+  ids.ComAtprotoIdentityUpdateHandle,
+  ids.ComAtprotoServerActivateAccount,
+  ids.ComAtprotoServerConfirmEmail,
+  ids.ComAtprotoServerCreateAppPassword,
+  ids.ComAtprotoServerDeactivateAccount,
+  ids.ComAtprotoServerGetAccountInviteCodes,
+  ids.ComAtprotoServerListAppPasswords,
+  ids.ComAtprotoServerRequestAccountDelete,
+  ids.ComAtprotoServerRequestEmailConfirmation,
+  ids.ComAtprotoServerRequestEmailUpdate,
+  ids.ComAtprotoServerRevokeAppPassword,
+  ids.ComAtprotoServerUpdateEmail,
+])
+
 const defaultService = (
   ctx: AppContext,
   nsid: string,

package/tests/app-passwords.test.ts

@@ -118,7 +118,7 @@ describe('app_passwords', () => {
       lxm: 'com.atproto.server.createAccount',
     })
     await expect(attempt).rejects.toThrow(
-      /cannot request a service auth token for the following method with an app password/,
+      /insufficient access to request a service auth token for the following method/,
     )
   })
 
@@ -159,7 +159,7 @@ describe('app_passwords', () => {
       lxm: 'com.atproto.server.createAccount',
     })
     await expect(priviAttempt).rejects.toThrow(
-      /cannot request a service auth token for the following method with an app password/,
+      /insufficient access to request a service auth token for the following method/,
     )
 
     // allows only full access auth

package/tests/auth.test.ts

@@ -243,7 +243,7 @@ describe('auth', () => {
       password: 'password',
     })
     const refreshWithAccess = refreshSession(account.accessJwt)
-    await expect(refreshWithAccess).rejects.toThrow('Bad token scope')
+    await expect(refreshWithAccess).rejects.toThrow('Invalid token type')
   })
 
   it('expired refresh token cannot be used to refresh a session.', async () => {

package/tests/entryway.test.ts

@@ -1,6 +1,9 @@
 import * as os from 'node:os'
 import * as path from 'node:path'
+import assert from 'node:assert'
+import { decodeJwt } from 'jose'
 import * as plcLib from '@did-plc/lib'
+import { parseReqNsid } from '@atproto/xrpc-server'
 import { AtpAgent } from '@atproto/api'
 import { Secp256k1Keypair, randomStr } from '@atproto/crypto'
 import { SeedClient, TestPds, TestPlc, mockResolvers } from '@atproto/dev-env'
@@ -114,10 +117,11 @@ describe('entryway', () => {
   it('updates handle from entryway.', async () => {
     await entrywayAgent.api.com.atproto.identity.updateHandle(
       { handle: 'alice3.test' },
-      {
-        headers: SeedClient.getHeaders(accessToken),
-        encoding: 'application/json',
-      },
+      await pds.ctx.serviceAuthHeaders(
+        alice,
+        'did:example:entryway',
+        'com.atproto.identity.updateHandle',
+      ),
     )
     const doc = await entryway.ctx.idResolver.did.resolve(alice)
     const handleToDid =
@@ -182,6 +186,28 @@ const createEntryway = async (
   const server = await pdsEntryway.PDS.create(cfg, secrets)
   await server.ctx.db.migrateToLatestOrThrow()
   await server.start()
+  // patch entryway access token verification to handle internal service auth pds -> entryway
+  const origValidateAccessToken =
+    server.ctx.authVerifier.validateAccessToken.bind(server.ctx.authVerifier)
+  server.ctx.authVerifier.validateAccessToken = async (req, scopes) => {
+    const jwt = req.headers.authorization?.replace('Bearer ', '') ?? ''
+    const claims = decodeJwt(jwt)
+    if (claims.aud === 'did:example:entryway') {
+      assert(claims.lxm === parseReqNsid(req), 'bad lxm claim in service auth')
+      assert(claims.aud, 'missing aud claim in service auth')
+      assert(claims.iss, 'missing iss claim in service auth')
+      return {
+        artifacts: jwt,
+        credentials: {
+          type: 'access',
+          scope: 'com.atproto.access' as any,
+          audience: claims.aud,
+          did: claims.iss,
+        },
+      }
+    }
+    return origValidateAccessToken(req, scopes)
+  }
   // @TODO temp hack because entryway teardown calls signupActivator.run() by mistake
   server.ctx.signupActivator.run = server.ctx.signupActivator.destroy
   return server