@atproto/pds 0.5.11 → 0.5.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (322) hide show
  1. package/CHANGELOG.md +46 -0
  2. package/dist/api/app/bsky/notification/index.d.ts.map +1 -1
  3. package/dist/api/app/bsky/notification/index.js +2 -0
  4. package/dist/api/app/bsky/notification/index.js.map +1 -1
  5. package/dist/api/app/bsky/notification/unregisterPush.d.ts +4 -0
  6. package/dist/api/app/bsky/notification/unregisterPush.d.ts.map +1 -0
  7. package/dist/api/app/bsky/notification/unregisterPush.js +48 -0
  8. package/dist/api/app/bsky/notification/unregisterPush.js.map +1 -0
  9. package/package.json +42 -38
  10. package/build.templates.cjs +0 -22
  11. package/example.env +0 -42
  12. package/jest.config.cjs +0 -27
  13. package/src/account-manager/account-manager.ts +0 -916
  14. package/src/account-manager/db/index.ts +0 -21
  15. package/src/account-manager/db/migrations/001-init.ts +0 -115
  16. package/src/account-manager/db/migrations/002-account-deactivation.ts +0 -17
  17. package/src/account-manager/db/migrations/003-privileged-app-passwords.ts +0 -12
  18. package/src/account-manager/db/migrations/004-oauth.ts +0 -122
  19. package/src/account-manager/db/migrations/005-oauth-account-management.ts +0 -136
  20. package/src/account-manager/db/migrations/006-oauth-permission-sets.ts +0 -20
  21. package/src/account-manager/db/migrations/007-lexicon-failures-index.ts +0 -14
  22. package/src/account-manager/db/migrations/index.ts +0 -17
  23. package/src/account-manager/db/schema/account-device.ts +0 -14
  24. package/src/account-manager/db/schema/account.ts +0 -16
  25. package/src/account-manager/db/schema/actor.ts +0 -17
  26. package/src/account-manager/db/schema/app-password.ts +0 -13
  27. package/src/account-manager/db/schema/authorization-request.ts +0 -30
  28. package/src/account-manager/db/schema/authorized-client.ts +0 -23
  29. package/src/account-manager/db/schema/device.ts +0 -18
  30. package/src/account-manager/db/schema/email-token.ts +0 -19
  31. package/src/account-manager/db/schema/index.ts +0 -43
  32. package/src/account-manager/db/schema/invite-code.ts +0 -24
  33. package/src/account-manager/db/schema/lexicon.ts +0 -15
  34. package/src/account-manager/db/schema/refresh-token.ts +0 -11
  35. package/src/account-manager/db/schema/repo-root.ts +0 -12
  36. package/src/account-manager/db/schema/token.ts +0 -38
  37. package/src/account-manager/db/schema/used-refresh-token.ts +0 -13
  38. package/src/account-manager/helpers/account-device.ts +0 -63
  39. package/src/account-manager/helpers/account.ts +0 -355
  40. package/src/account-manager/helpers/auth.ts +0 -222
  41. package/src/account-manager/helpers/authorization-request.ts +0 -90
  42. package/src/account-manager/helpers/authorized-client.ts +0 -75
  43. package/src/account-manager/helpers/device.ts +0 -47
  44. package/src/account-manager/helpers/email-token.ts +0 -87
  45. package/src/account-manager/helpers/invite.ts +0 -263
  46. package/src/account-manager/helpers/lexicon.ts +0 -67
  47. package/src/account-manager/helpers/password.ts +0 -136
  48. package/src/account-manager/helpers/repo.ts +0 -24
  49. package/src/account-manager/helpers/scrypt.ts +0 -53
  50. package/src/account-manager/helpers/token.ts +0 -158
  51. package/src/account-manager/helpers/used-refresh-token.ts +0 -30
  52. package/src/account-manager/oauth-store.ts +0 -880
  53. package/src/account-manager/scope-reference-getter.ts +0 -106
  54. package/src/actor-store/actor-store-reader.ts +0 -45
  55. package/src/actor-store/actor-store-resources.ts +0 -8
  56. package/src/actor-store/actor-store-transactor.ts +0 -31
  57. package/src/actor-store/actor-store-writer.ts +0 -17
  58. package/src/actor-store/actor-store.ts +0 -210
  59. package/src/actor-store/blob/reader.ts +0 -160
  60. package/src/actor-store/blob/transactor.ts +0 -383
  61. package/src/actor-store/db/index.ts +0 -20
  62. package/src/actor-store/db/migrations/001-init.ts +0 -105
  63. package/src/actor-store/db/migrations/index.ts +0 -5
  64. package/src/actor-store/db/schema/account-pref.ts +0 -11
  65. package/src/actor-store/db/schema/backlink.ts +0 -9
  66. package/src/actor-store/db/schema/blob.ts +0 -14
  67. package/src/actor-store/db/schema/index.ts +0 -23
  68. package/src/actor-store/db/schema/record-blob.ts +0 -8
  69. package/src/actor-store/db/schema/record.ts +0 -14
  70. package/src/actor-store/db/schema/repo-block.ts +0 -10
  71. package/src/actor-store/db/schema/repo-root.ts +0 -10
  72. package/src/actor-store/migrate.ts +0 -39
  73. package/src/actor-store/preference/reader.ts +0 -48
  74. package/src/actor-store/preference/transactor.ts +0 -55
  75. package/src/actor-store/preference/util.ts +0 -39
  76. package/src/actor-store/record/reader.ts +0 -374
  77. package/src/actor-store/record/transactor.ts +0 -111
  78. package/src/actor-store/repo/reader.ts +0 -31
  79. package/src/actor-store/repo/sql-repo-reader.ts +0 -150
  80. package/src/actor-store/repo/sql-repo-transactor.ts +0 -105
  81. package/src/actor-store/repo/transactor.ts +0 -227
  82. package/src/api/app/bsky/actor/getPreferences.ts +0 -57
  83. package/src/api/app/bsky/actor/getProfile.ts +0 -41
  84. package/src/api/app/bsky/actor/getProfiles.ts +0 -51
  85. package/src/api/app/bsky/actor/index.ts +0 -13
  86. package/src/api/app/bsky/actor/putPreferences.ts +0 -62
  87. package/src/api/app/bsky/feed/getActorLikes.ts +0 -63
  88. package/src/api/app/bsky/feed/getAuthorFeed.ts +0 -84
  89. package/src/api/app/bsky/feed/getFeed.ts +0 -47
  90. package/src/api/app/bsky/feed/getPostThread.ts +0 -251
  91. package/src/api/app/bsky/feed/getTimeline.ts +0 -50
  92. package/src/api/app/bsky/feed/index.ts +0 -15
  93. package/src/api/app/bsky/index.ts +0 -11
  94. package/src/api/app/bsky/notification/index.ts +0 -7
  95. package/src/api/app/bsky/notification/registerPush.ts +0 -71
  96. package/src/api/app/bsky/util/resolver.ts +0 -20
  97. package/src/api/com/atproto/admin/deleteAccount.ts +0 -22
  98. package/src/api/com/atproto/admin/disableAccountInvites.ts +0 -18
  99. package/src/api/com/atproto/admin/disableInviteCodes.ts +0 -21
  100. package/src/api/com/atproto/admin/enableAccountInvites.ts +0 -18
  101. package/src/api/com/atproto/admin/getAccountInfo.ts +0 -32
  102. package/src/api/com/atproto/admin/getAccountInfos.ts +0 -34
  103. package/src/api/com/atproto/admin/getInviteCodes.ts +0 -126
  104. package/src/api/com/atproto/admin/getSubjectStatus.ts +0 -76
  105. package/src/api/com/atproto/admin/index.ts +0 -31
  106. package/src/api/com/atproto/admin/sendEmail.ts +0 -47
  107. package/src/api/com/atproto/admin/updateAccountEmail.ts +0 -32
  108. package/src/api/com/atproto/admin/updateAccountHandle.ts +0 -47
  109. package/src/api/com/atproto/admin/updateAccountPassword.ts +0 -34
  110. package/src/api/com/atproto/admin/updateSubjectStatus.ts +0 -68
  111. package/src/api/com/atproto/admin/util.ts +0 -66
  112. package/src/api/com/atproto/identity/getRecommendedDidCredentials.ts +0 -50
  113. package/src/api/com/atproto/identity/index.ts +0 -17
  114. package/src/api/com/atproto/identity/requestPlcOperationSignature.ts +0 -59
  115. package/src/api/com/atproto/identity/resolveHandle.ts +0 -50
  116. package/src/api/com/atproto/identity/signPlcOperation.ts +0 -85
  117. package/src/api/com/atproto/identity/submitPlcOperation.ts +0 -65
  118. package/src/api/com/atproto/identity/updateHandle.ts +0 -66
  119. package/src/api/com/atproto/index.ts +0 -19
  120. package/src/api/com/atproto/moderation/createReport.ts +0 -41
  121. package/src/api/com/atproto/moderation/index.ts +0 -7
  122. package/src/api/com/atproto/repo/applyWrites.ts +0 -226
  123. package/src/api/com/atproto/repo/createRecord.ts +0 -143
  124. package/src/api/com/atproto/repo/deleteRecord.ts +0 -122
  125. package/src/api/com/atproto/repo/describeRepo.ts +0 -43
  126. package/src/api/com/atproto/repo/getRecord.ts +0 -40
  127. package/src/api/com/atproto/repo/importRepo.ts +0 -101
  128. package/src/api/com/atproto/repo/index.ts +0 -25
  129. package/src/api/com/atproto/repo/listMissingBlobs.ts +0 -29
  130. package/src/api/com/atproto/repo/listRecords.ts +0 -36
  131. package/src/api/com/atproto/repo/putRecord.ts +0 -211
  132. package/src/api/com/atproto/repo/uploadBlob.ts +0 -60
  133. package/src/api/com/atproto/server/activateAccount.ts +0 -37
  134. package/src/api/com/atproto/server/checkAccountStatus.ts +0 -51
  135. package/src/api/com/atproto/server/confirmEmail.ts +0 -39
  136. package/src/api/com/atproto/server/createAccount.ts +0 -327
  137. package/src/api/com/atproto/server/createAppPassword.ts +0 -53
  138. package/src/api/com/atproto/server/createInviteCode.ts +0 -38
  139. package/src/api/com/atproto/server/createInviteCodes.ts +0 -42
  140. package/src/api/com/atproto/server/createSession.ts +0 -97
  141. package/src/api/com/atproto/server/deactivateAccount.ts +0 -41
  142. package/src/api/com/atproto/server/deleteAccount.ts +0 -85
  143. package/src/api/com/atproto/server/deleteSession.ts +0 -23
  144. package/src/api/com/atproto/server/describeServer.ts +0 -29
  145. package/src/api/com/atproto/server/getAccountInviteCodes.ts +0 -142
  146. package/src/api/com/atproto/server/getServiceAuth.ts +0 -111
  147. package/src/api/com/atproto/server/getSession.ts +0 -80
  148. package/src/api/com/atproto/server/index.ts +0 -55
  149. package/src/api/com/atproto/server/listAppPasswords.ts +0 -45
  150. package/src/api/com/atproto/server/refreshSession.ts +0 -72
  151. package/src/api/com/atproto/server/requestAccountDelete.ts +0 -66
  152. package/src/api/com/atproto/server/requestEmailConfirmation.ts +0 -68
  153. package/src/api/com/atproto/server/requestEmailUpdate.ts +0 -86
  154. package/src/api/com/atproto/server/requestPasswordReset.ts +0 -52
  155. package/src/api/com/atproto/server/reserveSigningKey.ts +0 -15
  156. package/src/api/com/atproto/server/resetPassword.ts +0 -50
  157. package/src/api/com/atproto/server/revokeAppPassword.ts +0 -42
  158. package/src/api/com/atproto/server/updateEmail.ts +0 -52
  159. package/src/api/com/atproto/server/util.ts +0 -136
  160. package/src/api/com/atproto/sync/deprecated/getCheckout.ts +0 -27
  161. package/src/api/com/atproto/sync/deprecated/getHead.ts +0 -33
  162. package/src/api/com/atproto/sync/getBlob.ts +0 -61
  163. package/src/api/com/atproto/sync/getBlocks.ts +0 -37
  164. package/src/api/com/atproto/sync/getLatestCommit.ts +0 -33
  165. package/src/api/com/atproto/sync/getRecord.ts +0 -49
  166. package/src/api/com/atproto/sync/getRepo.ts +0 -75
  167. package/src/api/com/atproto/sync/getRepoStatus.ts +0 -34
  168. package/src/api/com/atproto/sync/index.ts +0 -27
  169. package/src/api/com/atproto/sync/listBlobs.ts +0 -33
  170. package/src/api/com/atproto/sync/listRepos.ts +0 -74
  171. package/src/api/com/atproto/sync/subscribeRepos.ts +0 -73
  172. package/src/api/com/atproto/sync/util.ts +0 -37
  173. package/src/api/com/atproto/temp/checkSignupQueue.ts +0 -34
  174. package/src/api/com/atproto/temp/index.ts +0 -7
  175. package/src/api/index.ts +0 -10
  176. package/src/api/proxy.ts +0 -44
  177. package/src/app-view.ts +0 -24
  178. package/src/auth-output.ts +0 -52
  179. package/src/auth-routes.ts +0 -64
  180. package/src/auth-scope.ts +0 -40
  181. package/src/auth-verifier.ts +0 -668
  182. package/src/background.ts +0 -65
  183. package/src/basic-routes.ts +0 -52
  184. package/src/bsky-app-view.ts +0 -33
  185. package/src/config/config.ts +0 -553
  186. package/src/config/env.ts +0 -167
  187. package/src/config/index.ts +0 -3
  188. package/src/config/secrets.ts +0 -54
  189. package/src/context.ts +0 -523
  190. package/src/crawlers.ts +0 -46
  191. package/src/db/cast.ts +0 -52
  192. package/src/db/db.ts +0 -140
  193. package/src/db/index.ts +0 -4
  194. package/src/db/migrator.ts +0 -40
  195. package/src/db/pagination.ts +0 -132
  196. package/src/db/tables/moderation.ts +0 -80
  197. package/src/db/util.ts +0 -108
  198. package/src/did-cache/db/index.ts +0 -21
  199. package/src/did-cache/db/migrations.ts +0 -17
  200. package/src/did-cache/db/schema.ts +0 -9
  201. package/src/did-cache/index.ts +0 -131
  202. package/src/disk-blobstore.ts +0 -172
  203. package/src/error.ts +0 -19
  204. package/src/handle/explicit-slurs.ts +0 -22
  205. package/src/handle/index.ts +0 -49
  206. package/src/handle/reserved.ts +0 -1059
  207. package/src/image/image-url-builder.ts +0 -16
  208. package/src/index.ts +0 -189
  209. package/src/lexicons.ts +0 -4
  210. package/src/logger.ts +0 -35
  211. package/src/mailer/index.ts +0 -111
  212. package/src/mailer/moderation.ts +0 -33
  213. package/src/mailer/templates/confirm-email.d.ts +0 -4
  214. package/src/mailer/templates/confirm-email.hbs +0 -158
  215. package/src/mailer/templates/delete-account.d.ts +0 -4
  216. package/src/mailer/templates/delete-account.hbs +0 -156
  217. package/src/mailer/templates/plc-operation.d.ts +0 -4
  218. package/src/mailer/templates/plc-operation.hbs +0 -153
  219. package/src/mailer/templates/reset-password.d.ts +0 -4
  220. package/src/mailer/templates/reset-password.hbs +0 -154
  221. package/src/mailer/templates/update-email.d.ts +0 -4
  222. package/src/mailer/templates/update-email.hbs +0 -153
  223. package/src/mailer/templates.ts +0 -17
  224. package/src/pipethrough.ts +0 -716
  225. package/src/rate-limits.ts +0 -59
  226. package/src/read-after-write/index.ts +0 -3
  227. package/src/read-after-write/types.ts +0 -35
  228. package/src/read-after-write/util.ts +0 -101
  229. package/src/read-after-write/viewer.ts +0 -290
  230. package/src/redis.ts +0 -25
  231. package/src/repo/index.ts +0 -2
  232. package/src/repo/prepare.ts +0 -266
  233. package/src/repo/types.ts +0 -65
  234. package/src/scripts/README.md +0 -40
  235. package/src/scripts/index.ts +0 -20
  236. package/src/scripts/publish-identity.ts +0 -60
  237. package/src/scripts/rebuild-repo.ts +0 -119
  238. package/src/scripts/rotate-keys.ts +0 -146
  239. package/src/scripts/sequencer-recovery/index.ts +0 -23
  240. package/src/scripts/sequencer-recovery/recoverer.ts +0 -297
  241. package/src/scripts/sequencer-recovery/recovery-db.ts +0 -65
  242. package/src/scripts/sequencer-recovery/repair-repos.ts +0 -49
  243. package/src/scripts/sequencer-recovery/user-queues.ts +0 -44
  244. package/src/scripts/util.ts +0 -7
  245. package/src/sequencer/db/index.ts +0 -21
  246. package/src/sequencer/db/migrations/001-init.ts +0 -35
  247. package/src/sequencer/db/migrations/index.ts +0 -5
  248. package/src/sequencer/db/schema.ts +0 -19
  249. package/src/sequencer/events.ts +0 -199
  250. package/src/sequencer/index.ts +0 -3
  251. package/src/sequencer/outbox.ts +0 -123
  252. package/src/sequencer/sequencer.ts +0 -290
  253. package/src/util/compression.ts +0 -16
  254. package/src/util/debug.ts +0 -10
  255. package/src/util/http.ts +0 -31
  256. package/src/util/types.ts +0 -7
  257. package/src/well-known.ts +0 -30
  258. package/test.env +0 -2
  259. package/tests/__snapshots__/takedown-appeal.test.ts.snap +0 -43
  260. package/tests/_oauth_client_assets_middleware.ts +0 -23
  261. package/tests/_puppeteer.ts +0 -147
  262. package/tests/_types.d.ts +0 -16
  263. package/tests/_util.ts +0 -191
  264. package/tests/account-deactivation.test.ts +0 -204
  265. package/tests/account-deletion.test.ts +0 -300
  266. package/tests/account-manager.test.ts +0 -462
  267. package/tests/account-migration.test.ts +0 -221
  268. package/tests/account-status.test.ts +0 -206
  269. package/tests/account.test.ts +0 -595
  270. package/tests/app-passwords.test.ts +0 -262
  271. package/tests/auth.test.ts +0 -405
  272. package/tests/blob-deletes.test.ts +0 -204
  273. package/tests/create-post.test.ts +0 -79
  274. package/tests/crud.test.ts +0 -1595
  275. package/tests/db.test.ts +0 -170
  276. package/tests/email-confirmation.test.ts +0 -227
  277. package/tests/entryway-mock.ts +0 -323
  278. package/tests/entryway.test.ts +0 -145
  279. package/tests/file-uploads.test.ts +0 -301
  280. package/tests/get-service-auth.test.ts +0 -81
  281. package/tests/handle-validation.test.ts +0 -56
  282. package/tests/handles.test.ts +0 -274
  283. package/tests/invite-codes.test.ts +0 -367
  284. package/tests/invites-admin.test.ts +0 -252
  285. package/tests/moderation.test.ts +0 -280
  286. package/tests/moderator-auth.test.ts +0 -177
  287. package/tests/oauth.test.ts +0 -334
  288. package/tests/plc-operations.test.ts +0 -239
  289. package/tests/preferences.test.ts +0 -352
  290. package/tests/proxied/__snapshots__/admin.test.ts.snap +0 -516
  291. package/tests/proxied/__snapshots__/feedgen.test.ts.snap +0 -215
  292. package/tests/proxied/__snapshots__/views.test.ts.snap +0 -4456
  293. package/tests/proxied/admin.test.ts +0 -340
  294. package/tests/proxied/feedgen.test.ts +0 -66
  295. package/tests/proxied/notif.test.ts +0 -85
  296. package/tests/proxied/procedures.test.ts +0 -175
  297. package/tests/proxied/proxy-catchall.test.ts +0 -256
  298. package/tests/proxied/proxy-header.test.ts +0 -239
  299. package/tests/proxied/proxy-oauth-aud.test.ts +0 -182
  300. package/tests/proxied/read-after-write.test.ts +0 -382
  301. package/tests/proxied/views.test.ts +0 -608
  302. package/tests/races.test.ts +0 -89
  303. package/tests/rate-limits.test.ts +0 -70
  304. package/tests/recovery.test.ts +0 -180
  305. package/tests/seeds/basic.ts +0 -165
  306. package/tests/seeds/follows.ts +0 -57
  307. package/tests/seeds/likes.ts +0 -14
  308. package/tests/seeds/reposts.ts +0 -18
  309. package/tests/seeds/thread.ts +0 -40
  310. package/tests/seeds/users-bulk.ts +0 -246
  311. package/tests/seeds/users.ts +0 -67
  312. package/tests/sequencer.test.ts +0 -251
  313. package/tests/server.test.ts +0 -151
  314. package/tests/sync/invertible-ops.test.ts +0 -99
  315. package/tests/sync/list.test.ts +0 -43
  316. package/tests/sync/subscribe-repos.test.ts +0 -672
  317. package/tests/sync/sync.test.ts +0 -316
  318. package/tests/takedown-appeal.test.ts +0 -166
  319. package/tsconfig.build.json +0 -9
  320. package/tsconfig.build.tsbuildinfo +0 -1
  321. package/tsconfig.json +0 -7
  322. package/tsconfig.tests.json +0 -8
@@ -1,222 +0,0 @@
1
- import assert from 'node:assert'
2
- import { KeyObject } from 'node:crypto'
3
- import * as jose from 'jose'
4
- import * as ui8 from 'uint8arrays'
5
- import * as crypto from '@atproto/crypto'
6
- import { AuthScope } from '../../auth-scope.js'
7
- import { AccountDb } from '../db/index.js'
8
- import { AppPassDescript } from './password.js'
9
-
10
- export type AuthToken = {
11
- scope: AuthScope
12
- sub: string
13
- exp: number
14
- }
15
-
16
- export type RefreshToken = AuthToken & { scope: AuthScope.Refresh; jti: string }
17
-
18
- export const createTokens = async (opts: {
19
- did: string
20
- jwtKey: KeyObject
21
- serviceDid: string
22
- scope?: AuthScope
23
- jti?: string
24
- expiresIn?: string | number
25
- }) => {
26
- const { did, jwtKey, serviceDid, scope, jti, expiresIn } = opts
27
- const [accessJwt, refreshJwt] = await Promise.all([
28
- createAccessToken({ did, jwtKey, serviceDid, scope, expiresIn }),
29
- createRefreshToken({ did, jwtKey, serviceDid, jti, expiresIn }),
30
- ])
31
- return { accessJwt, refreshJwt }
32
- }
33
-
34
- export const createAccessToken = (opts: {
35
- did: string
36
- jwtKey: KeyObject
37
- serviceDid: string
38
- scope?: AuthScope
39
- expiresIn?: string | number
40
- }): Promise<string> => {
41
- const {
42
- did,
43
- jwtKey,
44
- serviceDid,
45
- scope = AuthScope.Access,
46
- expiresIn = '120mins',
47
- } = opts
48
- const signer = new jose.SignJWT({ scope })
49
- .setProtectedHeader({
50
- typ: 'at+jwt', // https://www.rfc-editor.org/rfc/rfc9068.html
51
- alg: 'HS256', // only symmetric keys supported
52
- })
53
- .setAudience(serviceDid)
54
- .setSubject(did)
55
- .setIssuedAt()
56
- .setExpirationTime(expiresIn)
57
- return signer.sign(jwtKey)
58
- }
59
-
60
- export const createRefreshToken = (opts: {
61
- did: string
62
- jwtKey: KeyObject
63
- serviceDid: string
64
- jti?: string
65
- expiresIn?: string | number
66
- }): Promise<string> => {
67
- const {
68
- did,
69
- jwtKey,
70
- serviceDid,
71
- jti = getRefreshTokenId(),
72
- expiresIn = '90days',
73
- } = opts
74
- const signer = new jose.SignJWT({ scope: AuthScope.Refresh })
75
- .setProtectedHeader({
76
- typ: 'refresh+jwt',
77
- alg: 'HS256', // only symmetric keys supported
78
- })
79
- .setAudience(serviceDid)
80
- .setSubject(did)
81
- .setJti(jti)
82
- .setIssuedAt()
83
- .setExpirationTime(expiresIn)
84
- return signer.sign(jwtKey)
85
- }
86
-
87
- // @NOTE unsafe for verification, should only be used w/ direct output from createRefreshToken() or createTokens()
88
- export const decodeRefreshToken = (jwt: string) => {
89
- const token = jose.decodeJwt(jwt)
90
- assert.ok(token.scope === AuthScope.Refresh, 'not a refresh token')
91
- return token as RefreshToken
92
- }
93
-
94
- export const storeRefreshToken = async (
95
- db: AccountDb,
96
- payload: RefreshToken,
97
- appPassword: AppPassDescript | null,
98
- ) => {
99
- const [result] = await db.executeWithRetry(
100
- db.db
101
- .insertInto('refresh_token')
102
- .values({
103
- id: payload.jti,
104
- did: payload.sub,
105
- appPasswordName: appPassword?.name,
106
- expiresAt: new Date(payload.exp * 1000).toISOString(),
107
- })
108
- .onConflict((oc) => oc.doNothing()), // E.g. when re-granting during a refresh grace period
109
- )
110
- return result
111
- }
112
-
113
- export const getRefreshToken = async (db: AccountDb, id: string) => {
114
- const res = await db.db
115
- .selectFrom('refresh_token')
116
- .leftJoin('app_password', (join) =>
117
- join
118
- .onRef('app_password.did', '=', 'refresh_token.did')
119
- .onRef('app_password.name', '=', 'refresh_token.appPasswordName'),
120
- )
121
- .where('id', '=', id)
122
- .selectAll('refresh_token')
123
- .select('app_password.privileged')
124
- .executeTakeFirst()
125
- if (!res) return null
126
- const { did, expiresAt, appPasswordName, nextId, privileged } = res
127
- return {
128
- id,
129
- did,
130
- expiresAt,
131
- nextId,
132
- appPassword: appPasswordName
133
- ? {
134
- name: appPasswordName,
135
- privileged: privileged === 1 ? true : false,
136
- }
137
- : null,
138
- }
139
- }
140
-
141
- export const deleteExpiredRefreshTokens = async (
142
- db: AccountDb,
143
- did: string,
144
- now: string,
145
- ) => {
146
- await db.executeWithRetry(
147
- db.db
148
- .deleteFrom('refresh_token')
149
- .where('did', '=', did)
150
- .where('expiresAt', '<=', now),
151
- )
152
- }
153
-
154
- export const addRefreshGracePeriod = async (
155
- db: AccountDb,
156
- opts: {
157
- id: string
158
- expiresAt: string
159
- nextId: string
160
- },
161
- ) => {
162
- const { id, expiresAt, nextId } = opts
163
- const [res] = await db.executeWithRetry(
164
- db.db
165
- .updateTable('refresh_token')
166
- .where('id', '=', id)
167
- .where((eb) =>
168
- eb.or([eb('nextId', 'is', null), eb('nextId', '=', nextId)]),
169
- )
170
- .set({ expiresAt, nextId })
171
- .returningAll(),
172
- )
173
- if (!res) {
174
- throw new ConcurrentRefreshError()
175
- }
176
- }
177
-
178
- export const revokeRefreshToken = async (db: AccountDb, id: string) => {
179
- const [{ numDeletedRows }] = await db.executeWithRetry(
180
- db.db.deleteFrom('refresh_token').where('id', '=', id),
181
- )
182
- return numDeletedRows > 0
183
- }
184
-
185
- export const revokeRefreshTokensByDid = async (db: AccountDb, did: string) => {
186
- const [{ numDeletedRows }] = await db.executeWithRetry(
187
- db.db.deleteFrom('refresh_token').where('did', '=', did),
188
- )
189
- return numDeletedRows > 0
190
- }
191
-
192
- export const revokeAppPasswordRefreshToken = async (
193
- db: AccountDb,
194
- did: string,
195
- appPassName: string,
196
- ) => {
197
- const [{ numDeletedRows }] = await db.executeWithRetry(
198
- db.db
199
- .deleteFrom('refresh_token')
200
- .where('did', '=', did)
201
- .where('appPasswordName', '=', appPassName),
202
- )
203
-
204
- return numDeletedRows > 0
205
- }
206
-
207
- export const getRefreshTokenId = () => {
208
- return ui8.toString(crypto.randomBytes(32), 'base64')
209
- }
210
-
211
- export const formatScope = (
212
- appPassword: AppPassDescript | null,
213
- isSoftDeleted?: boolean,
214
- ): AuthScope => {
215
- if (isSoftDeleted) return AuthScope.Takendown
216
- if (!appPassword) return AuthScope.Access
217
- return appPassword.privileged
218
- ? AuthScope.AppPassPrivileged
219
- : AuthScope.AppPass
220
- }
221
-
222
- export class ConcurrentRefreshError extends Error {}
@@ -1,90 +0,0 @@
1
- import assert from 'node:assert'
2
- import { Insertable, Selectable } from 'kysely'
3
- import {
4
- Code,
5
- FoundRequestResult,
6
- RequestData,
7
- RequestId,
8
- UpdateRequestData,
9
- } from '@atproto/oauth-provider'
10
- import { fromDateISO, fromJson, toDateISO, toJson } from '../../db/index.js'
11
- import { AccountDb, AuthorizationRequest } from '../db/index.js'
12
-
13
- export const rowToRequestData = (
14
- row: Selectable<AuthorizationRequest>,
15
- ): RequestData => ({
16
- clientId: row.clientId,
17
- clientAuth: fromJson(row.clientAuth),
18
- parameters: fromJson(row.parameters),
19
- expiresAt: fromDateISO(row.expiresAt),
20
- deviceId: row.deviceId,
21
- did: row.did,
22
- code: row.code,
23
- })
24
-
25
- export const rowToFoundRequestResult = (
26
- row: Selectable<AuthorizationRequest>,
27
- ): FoundRequestResult => ({
28
- requestId: row.id,
29
- data: rowToRequestData(row),
30
- })
31
-
32
- const requestDataToRow = (
33
- id: RequestId,
34
- data: RequestData,
35
- ): Insertable<AuthorizationRequest> => ({
36
- id,
37
- did: data.did,
38
- deviceId: data.deviceId,
39
-
40
- clientId: data.clientId,
41
- clientAuth: toJson(data.clientAuth),
42
- parameters: toJson(data.parameters),
43
- expiresAt: toDateISO(data.expiresAt),
44
- code: data.code,
45
- })
46
-
47
- export const createQB = (db: AccountDb, id: RequestId, data: RequestData) =>
48
- db.db.insertInto('authorization_request').values(requestDataToRow(id, data))
49
-
50
- export const readQB = (db: AccountDb, id: RequestId) =>
51
- db.db.selectFrom('authorization_request').where('id', '=', id).selectAll()
52
-
53
- export const updateQB = (
54
- db: AccountDb,
55
- id: RequestId,
56
- { code, did, deviceId, expiresAt, parameters, ...rest }: UpdateRequestData,
57
- ) => {
58
- assert(!Object.keys(rest).length, 'Unexpected fields in UpdateRequestData')
59
- return db.db
60
- .updateTable('authorization_request')
61
- .$if(code !== undefined, (qb) => qb.set({ code }))
62
- .$if(did !== undefined, (qb) => qb.set({ did }))
63
- .$if(deviceId !== undefined, (qb) => qb.set({ deviceId }))
64
- .$if(expiresAt != null, (qb) =>
65
- qb.set({ expiresAt: toDateISO(expiresAt!) }),
66
- )
67
- .$if(parameters != null, (qb) =>
68
- qb.set({ parameters: toJson(parameters!) }),
69
- )
70
- .where('id', '=', id)
71
- }
72
-
73
- export const removeOldExpiredQB = (db: AccountDb, delay = 600e3) =>
74
- // We allow some delay for the expiration time so that expired requests
75
- // can still be returned to the OAuthProvider library for error handling.
76
- db.db
77
- .deleteFrom('authorization_request')
78
- // uses "authorization_request_expires_at_idx" index
79
- .where('expiresAt', '<', toDateISO(new Date(Date.now() - delay)))
80
-
81
- export const removeByIdQB = (db: AccountDb, id: RequestId) =>
82
- db.db.deleteFrom('authorization_request').where('id', '=', id)
83
-
84
- export const consumeByCodeQB = (db: AccountDb, code: Code) =>
85
- db.db
86
- .deleteFrom('authorization_request')
87
- // uses "authorization_request_code_idx" partial index (hence the null check)
88
- .where('code', '=', code)
89
- .where('code', 'is not', null)
90
- .returningAll()
@@ -1,75 +0,0 @@
1
- import {
2
- AuthorizedClientData,
3
- AuthorizedClients,
4
- ClientId,
5
- Did,
6
- } from '@atproto/oauth-provider'
7
- import { fromJson, toDateISO, toJson } from '../../db/index.js'
8
- import { AccountDb } from '../db/index.js'
9
-
10
- export async function upsert(
11
- db: AccountDb,
12
- did: Did,
13
- clientId: ClientId,
14
- data: AuthorizedClientData,
15
- ) {
16
- const now = new Date()
17
-
18
- return db.db
19
- .insertInto('authorized_client')
20
- .values({
21
- did,
22
- clientId,
23
- createdAt: toDateISO(now),
24
- updatedAt: toDateISO(now),
25
- data: toJson(data),
26
- })
27
- .onConflict((oc) =>
28
- // uses "authorized_client_pk" idx
29
- oc.columns(['did', 'clientId']).doUpdateSet({
30
- updatedAt: toDateISO(now),
31
- data: toJson(data),
32
- }),
33
- )
34
- .executeTakeFirst()
35
- }
36
-
37
- export async function getAuthorizedClients(
38
- db: AccountDb,
39
- did: Did,
40
- ): Promise<AuthorizedClients> {
41
- return (await getAuthorizedClientsMulti(db, [did])).get(did)!
42
- }
43
-
44
- export async function deleteAllAuthorizedClients(db: AccountDb, did: Did) {
45
- await db.executeWithRetry(
46
- db.db.deleteFrom('authorized_client').where('did', '=', did),
47
- )
48
- }
49
-
50
- export async function getAuthorizedClientsMulti(
51
- db: AccountDb,
52
- dids: Iterable<Did>,
53
- ): Promise<Map<Did, AuthorizedClients>> {
54
- // Using a Map will ensure unicity of dids (through unicity of keys)
55
- const map = new Map<Did, AuthorizedClients>(
56
- Array.from(dids, (did) => [did, new Map()]),
57
- )
58
-
59
- if (map.size) {
60
- const found = await db.db
61
- .selectFrom('authorized_client')
62
- .select('did')
63
- .select('clientId')
64
- .select('data')
65
- // uses "authorized_client_pk"
66
- .where('did', 'in', [...map.keys()])
67
- .execute()
68
-
69
- for (const { did, clientId, data } of found) {
70
- map.get(did)!.set(clientId, fromJson(data))
71
- }
72
- }
73
-
74
- return map
75
- }
@@ -1,47 +0,0 @@
1
- import { Selectable } from 'kysely'
2
- import { DeviceData, DeviceId } from '@atproto/oauth-provider'
3
- import { fromDateISO, toDateISO } from '../../db/index.js'
4
- import { AccountDb, Device } from '../db/index.js'
5
-
6
- export const rowToDeviceData = (
7
- row: Omit<Selectable<Device>, 'id'>,
8
- ): DeviceData => ({
9
- sessionId: row.sessionId,
10
- userAgent: row.userAgent,
11
- ipAddress: row.ipAddress,
12
- lastSeenAt: fromDateISO(row.lastSeenAt),
13
- })
14
-
15
- export const createQB = (
16
- db: AccountDb,
17
- deviceId: DeviceId,
18
- { sessionId, userAgent, ipAddress, lastSeenAt }: DeviceData,
19
- ) =>
20
- db.db.insertInto('device').values({
21
- id: deviceId,
22
- sessionId,
23
- userAgent,
24
- ipAddress,
25
- lastSeenAt: toDateISO(lastSeenAt),
26
- })
27
-
28
- export const readQB = (db: AccountDb, deviceId: DeviceId) =>
29
- db.db.selectFrom('device').where('id', '=', deviceId).selectAll()
30
-
31
- export const updateQB = (
32
- db: AccountDb,
33
- deviceId: DeviceId,
34
- { sessionId, userAgent, ipAddress, lastSeenAt }: Partial<DeviceData>,
35
- ) =>
36
- db.db
37
- .updateTable('device')
38
- .$if(sessionId != null, (qb) => qb.set({ sessionId }))
39
- .$if(userAgent != null, (qb) => qb.set({ userAgent }))
40
- .$if(ipAddress != null, (qb) => qb.set({ ipAddress }))
41
- .$if(lastSeenAt != null, (qb) =>
42
- qb.set({ lastSeenAt: toDateISO(lastSeenAt!) }),
43
- )
44
- .where('id', '=', deviceId)
45
-
46
- export const removeQB = (db: AccountDb, deviceId: DeviceId) =>
47
- db.db.deleteFrom('device').where('id', '=', deviceId)
@@ -1,87 +0,0 @@
1
- import { MINUTE, lessThanAgoMs } from '@atproto/common'
2
- import { DidString, currentDatetimeString } from '@atproto/lex'
3
- import { InvalidRequestError } from '@atproto/xrpc-server'
4
- import { getRandomToken } from '../../api/com/atproto/server/util.js'
5
- import { AccountDb, EmailTokenPurpose } from '../db/index.js'
6
-
7
- export const createEmailToken = async (
8
- db: AccountDb,
9
- did: DidString,
10
- purpose: EmailTokenPurpose,
11
- ): Promise<string> => {
12
- const token = getRandomToken().toUpperCase()
13
- const now = currentDatetimeString()
14
- await db.executeWithRetry(
15
- db.db
16
- .insertInto('email_token')
17
- .values({ purpose, did, token, requestedAt: now })
18
- .onConflict((oc) =>
19
- oc.columns(['purpose', 'did']).doUpdateSet({ token, requestedAt: now }),
20
- ),
21
- )
22
- return token
23
- }
24
-
25
- export const deleteEmailToken = async (
26
- db: AccountDb,
27
- did: DidString,
28
- purpose: EmailTokenPurpose,
29
- ) => {
30
- await db.executeWithRetry(
31
- db.db
32
- .deleteFrom('email_token')
33
- .where('did', '=', did)
34
- .where('purpose', '=', purpose),
35
- )
36
- }
37
-
38
- export const deleteAllEmailTokens = async (db: AccountDb, did: DidString) => {
39
- await db.executeWithRetry(
40
- db.db.deleteFrom('email_token').where('did', '=', did),
41
- )
42
- }
43
-
44
- export const assertValidToken = async (
45
- db: AccountDb,
46
- did: DidString,
47
- purpose: EmailTokenPurpose,
48
- token: string,
49
- expirationLen = 15 * MINUTE,
50
- ) => {
51
- const res = await db.db
52
- .selectFrom('email_token')
53
- .selectAll()
54
- .where('purpose', '=', purpose)
55
- .where('did', '=', did)
56
- .where('token', '=', token.toUpperCase())
57
- .executeTakeFirst()
58
- if (!res) {
59
- throw new InvalidRequestError('Token is invalid', 'InvalidToken')
60
- }
61
- const expired = !lessThanAgoMs(new Date(res.requestedAt), expirationLen)
62
- if (expired) {
63
- throw new InvalidRequestError('Token is expired', 'ExpiredToken')
64
- }
65
- }
66
-
67
- export const assertValidTokenAndFindDid = async (
68
- db: AccountDb,
69
- purpose: EmailTokenPurpose,
70
- token: string,
71
- expirationLen = 15 * MINUTE,
72
- ): Promise<DidString> => {
73
- const res = await db.db
74
- .selectFrom('email_token')
75
- .select(['did', 'requestedAt'])
76
- .where('purpose', '=', purpose)
77
- .where('token', '=', token.toUpperCase())
78
- .executeTakeFirst()
79
- if (!res) {
80
- throw new InvalidRequestError('Token is invalid', 'InvalidToken')
81
- }
82
- const expired = !lessThanAgoMs(new Date(res.requestedAt), expirationLen)
83
- if (expired) {
84
- throw new InvalidRequestError('Token is expired', 'ExpiredToken')
85
- }
86
- return res.did
87
- }