@atproto/pds 0.5.12 → 0.5.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +36 -0
- package/dist/api/app/bsky/notification/index.d.ts.map +1 -1
- package/dist/api/app/bsky/notification/index.js +2 -0
- package/dist/api/app/bsky/notification/index.js.map +1 -1
- package/dist/api/app/bsky/notification/unregisterPush.d.ts +4 -0
- package/dist/api/app/bsky/notification/unregisterPush.d.ts.map +1 -0
- package/dist/api/app/bsky/notification/unregisterPush.js +48 -0
- package/dist/api/app/bsky/notification/unregisterPush.js.map +1 -0
- package/package.json +42 -38
- package/build.templates.cjs +0 -22
- package/example.env +0 -42
- package/jest.config.cjs +0 -27
- package/src/account-manager/account-manager.ts +0 -916
- package/src/account-manager/db/index.ts +0 -21
- package/src/account-manager/db/migrations/001-init.ts +0 -115
- package/src/account-manager/db/migrations/002-account-deactivation.ts +0 -17
- package/src/account-manager/db/migrations/003-privileged-app-passwords.ts +0 -12
- package/src/account-manager/db/migrations/004-oauth.ts +0 -122
- package/src/account-manager/db/migrations/005-oauth-account-management.ts +0 -136
- package/src/account-manager/db/migrations/006-oauth-permission-sets.ts +0 -20
- package/src/account-manager/db/migrations/007-lexicon-failures-index.ts +0 -14
- package/src/account-manager/db/migrations/index.ts +0 -17
- package/src/account-manager/db/schema/account-device.ts +0 -14
- package/src/account-manager/db/schema/account.ts +0 -16
- package/src/account-manager/db/schema/actor.ts +0 -17
- package/src/account-manager/db/schema/app-password.ts +0 -13
- package/src/account-manager/db/schema/authorization-request.ts +0 -30
- package/src/account-manager/db/schema/authorized-client.ts +0 -23
- package/src/account-manager/db/schema/device.ts +0 -18
- package/src/account-manager/db/schema/email-token.ts +0 -19
- package/src/account-manager/db/schema/index.ts +0 -43
- package/src/account-manager/db/schema/invite-code.ts +0 -24
- package/src/account-manager/db/schema/lexicon.ts +0 -15
- package/src/account-manager/db/schema/refresh-token.ts +0 -11
- package/src/account-manager/db/schema/repo-root.ts +0 -12
- package/src/account-manager/db/schema/token.ts +0 -38
- package/src/account-manager/db/schema/used-refresh-token.ts +0 -13
- package/src/account-manager/helpers/account-device.ts +0 -63
- package/src/account-manager/helpers/account.ts +0 -355
- package/src/account-manager/helpers/auth.ts +0 -222
- package/src/account-manager/helpers/authorization-request.ts +0 -90
- package/src/account-manager/helpers/authorized-client.ts +0 -75
- package/src/account-manager/helpers/device.ts +0 -47
- package/src/account-manager/helpers/email-token.ts +0 -87
- package/src/account-manager/helpers/invite.ts +0 -263
- package/src/account-manager/helpers/lexicon.ts +0 -67
- package/src/account-manager/helpers/password.ts +0 -136
- package/src/account-manager/helpers/repo.ts +0 -24
- package/src/account-manager/helpers/scrypt.ts +0 -53
- package/src/account-manager/helpers/token.ts +0 -158
- package/src/account-manager/helpers/used-refresh-token.ts +0 -30
- package/src/account-manager/oauth-store.ts +0 -880
- package/src/account-manager/scope-reference-getter.ts +0 -106
- package/src/actor-store/actor-store-reader.ts +0 -45
- package/src/actor-store/actor-store-resources.ts +0 -8
- package/src/actor-store/actor-store-transactor.ts +0 -31
- package/src/actor-store/actor-store-writer.ts +0 -17
- package/src/actor-store/actor-store.ts +0 -210
- package/src/actor-store/blob/reader.ts +0 -160
- package/src/actor-store/blob/transactor.ts +0 -383
- package/src/actor-store/db/index.ts +0 -20
- package/src/actor-store/db/migrations/001-init.ts +0 -105
- package/src/actor-store/db/migrations/index.ts +0 -5
- package/src/actor-store/db/schema/account-pref.ts +0 -11
- package/src/actor-store/db/schema/backlink.ts +0 -9
- package/src/actor-store/db/schema/blob.ts +0 -14
- package/src/actor-store/db/schema/index.ts +0 -23
- package/src/actor-store/db/schema/record-blob.ts +0 -8
- package/src/actor-store/db/schema/record.ts +0 -14
- package/src/actor-store/db/schema/repo-block.ts +0 -10
- package/src/actor-store/db/schema/repo-root.ts +0 -10
- package/src/actor-store/migrate.ts +0 -39
- package/src/actor-store/preference/reader.ts +0 -48
- package/src/actor-store/preference/transactor.ts +0 -55
- package/src/actor-store/preference/util.ts +0 -39
- package/src/actor-store/record/reader.ts +0 -374
- package/src/actor-store/record/transactor.ts +0 -111
- package/src/actor-store/repo/reader.ts +0 -31
- package/src/actor-store/repo/sql-repo-reader.ts +0 -150
- package/src/actor-store/repo/sql-repo-transactor.ts +0 -105
- package/src/actor-store/repo/transactor.ts +0 -227
- package/src/api/app/bsky/actor/getPreferences.ts +0 -57
- package/src/api/app/bsky/actor/getProfile.ts +0 -41
- package/src/api/app/bsky/actor/getProfiles.ts +0 -51
- package/src/api/app/bsky/actor/index.ts +0 -13
- package/src/api/app/bsky/actor/putPreferences.ts +0 -62
- package/src/api/app/bsky/feed/getActorLikes.ts +0 -63
- package/src/api/app/bsky/feed/getAuthorFeed.ts +0 -84
- package/src/api/app/bsky/feed/getFeed.ts +0 -47
- package/src/api/app/bsky/feed/getPostThread.ts +0 -251
- package/src/api/app/bsky/feed/getTimeline.ts +0 -50
- package/src/api/app/bsky/feed/index.ts +0 -15
- package/src/api/app/bsky/index.ts +0 -11
- package/src/api/app/bsky/notification/index.ts +0 -7
- package/src/api/app/bsky/notification/registerPush.ts +0 -71
- package/src/api/app/bsky/util/resolver.ts +0 -20
- package/src/api/com/atproto/admin/deleteAccount.ts +0 -22
- package/src/api/com/atproto/admin/disableAccountInvites.ts +0 -18
- package/src/api/com/atproto/admin/disableInviteCodes.ts +0 -21
- package/src/api/com/atproto/admin/enableAccountInvites.ts +0 -18
- package/src/api/com/atproto/admin/getAccountInfo.ts +0 -32
- package/src/api/com/atproto/admin/getAccountInfos.ts +0 -34
- package/src/api/com/atproto/admin/getInviteCodes.ts +0 -126
- package/src/api/com/atproto/admin/getSubjectStatus.ts +0 -76
- package/src/api/com/atproto/admin/index.ts +0 -31
- package/src/api/com/atproto/admin/sendEmail.ts +0 -47
- package/src/api/com/atproto/admin/updateAccountEmail.ts +0 -32
- package/src/api/com/atproto/admin/updateAccountHandle.ts +0 -47
- package/src/api/com/atproto/admin/updateAccountPassword.ts +0 -34
- package/src/api/com/atproto/admin/updateSubjectStatus.ts +0 -68
- package/src/api/com/atproto/admin/util.ts +0 -66
- package/src/api/com/atproto/identity/getRecommendedDidCredentials.ts +0 -50
- package/src/api/com/atproto/identity/index.ts +0 -17
- package/src/api/com/atproto/identity/requestPlcOperationSignature.ts +0 -59
- package/src/api/com/atproto/identity/resolveHandle.ts +0 -50
- package/src/api/com/atproto/identity/signPlcOperation.ts +0 -85
- package/src/api/com/atproto/identity/submitPlcOperation.ts +0 -65
- package/src/api/com/atproto/identity/updateHandle.ts +0 -66
- package/src/api/com/atproto/index.ts +0 -19
- package/src/api/com/atproto/moderation/createReport.ts +0 -41
- package/src/api/com/atproto/moderation/index.ts +0 -7
- package/src/api/com/atproto/repo/applyWrites.ts +0 -226
- package/src/api/com/atproto/repo/createRecord.ts +0 -143
- package/src/api/com/atproto/repo/deleteRecord.ts +0 -122
- package/src/api/com/atproto/repo/describeRepo.ts +0 -43
- package/src/api/com/atproto/repo/getRecord.ts +0 -40
- package/src/api/com/atproto/repo/importRepo.ts +0 -101
- package/src/api/com/atproto/repo/index.ts +0 -25
- package/src/api/com/atproto/repo/listMissingBlobs.ts +0 -29
- package/src/api/com/atproto/repo/listRecords.ts +0 -36
- package/src/api/com/atproto/repo/putRecord.ts +0 -211
- package/src/api/com/atproto/repo/uploadBlob.ts +0 -60
- package/src/api/com/atproto/server/activateAccount.ts +0 -37
- package/src/api/com/atproto/server/checkAccountStatus.ts +0 -51
- package/src/api/com/atproto/server/confirmEmail.ts +0 -39
- package/src/api/com/atproto/server/createAccount.ts +0 -327
- package/src/api/com/atproto/server/createAppPassword.ts +0 -53
- package/src/api/com/atproto/server/createInviteCode.ts +0 -38
- package/src/api/com/atproto/server/createInviteCodes.ts +0 -42
- package/src/api/com/atproto/server/createSession.ts +0 -97
- package/src/api/com/atproto/server/deactivateAccount.ts +0 -41
- package/src/api/com/atproto/server/deleteAccount.ts +0 -85
- package/src/api/com/atproto/server/deleteSession.ts +0 -23
- package/src/api/com/atproto/server/describeServer.ts +0 -29
- package/src/api/com/atproto/server/getAccountInviteCodes.ts +0 -142
- package/src/api/com/atproto/server/getServiceAuth.ts +0 -111
- package/src/api/com/atproto/server/getSession.ts +0 -80
- package/src/api/com/atproto/server/index.ts +0 -55
- package/src/api/com/atproto/server/listAppPasswords.ts +0 -45
- package/src/api/com/atproto/server/refreshSession.ts +0 -72
- package/src/api/com/atproto/server/requestAccountDelete.ts +0 -66
- package/src/api/com/atproto/server/requestEmailConfirmation.ts +0 -68
- package/src/api/com/atproto/server/requestEmailUpdate.ts +0 -86
- package/src/api/com/atproto/server/requestPasswordReset.ts +0 -52
- package/src/api/com/atproto/server/reserveSigningKey.ts +0 -15
- package/src/api/com/atproto/server/resetPassword.ts +0 -50
- package/src/api/com/atproto/server/revokeAppPassword.ts +0 -42
- package/src/api/com/atproto/server/updateEmail.ts +0 -52
- package/src/api/com/atproto/server/util.ts +0 -136
- package/src/api/com/atproto/sync/deprecated/getCheckout.ts +0 -27
- package/src/api/com/atproto/sync/deprecated/getHead.ts +0 -33
- package/src/api/com/atproto/sync/getBlob.ts +0 -61
- package/src/api/com/atproto/sync/getBlocks.ts +0 -37
- package/src/api/com/atproto/sync/getLatestCommit.ts +0 -33
- package/src/api/com/atproto/sync/getRecord.ts +0 -49
- package/src/api/com/atproto/sync/getRepo.ts +0 -75
- package/src/api/com/atproto/sync/getRepoStatus.ts +0 -34
- package/src/api/com/atproto/sync/index.ts +0 -27
- package/src/api/com/atproto/sync/listBlobs.ts +0 -33
- package/src/api/com/atproto/sync/listRepos.ts +0 -74
- package/src/api/com/atproto/sync/subscribeRepos.ts +0 -73
- package/src/api/com/atproto/sync/util.ts +0 -37
- package/src/api/com/atproto/temp/checkSignupQueue.ts +0 -34
- package/src/api/com/atproto/temp/index.ts +0 -7
- package/src/api/index.ts +0 -10
- package/src/api/proxy.ts +0 -44
- package/src/app-view.ts +0 -24
- package/src/auth-output.ts +0 -52
- package/src/auth-routes.ts +0 -64
- package/src/auth-scope.ts +0 -40
- package/src/auth-verifier.ts +0 -668
- package/src/background.ts +0 -65
- package/src/basic-routes.ts +0 -52
- package/src/bsky-app-view.ts +0 -33
- package/src/config/config.ts +0 -553
- package/src/config/env.ts +0 -167
- package/src/config/index.ts +0 -3
- package/src/config/secrets.ts +0 -54
- package/src/context.ts +0 -523
- package/src/crawlers.ts +0 -46
- package/src/db/cast.ts +0 -52
- package/src/db/db.ts +0 -140
- package/src/db/index.ts +0 -4
- package/src/db/migrator.ts +0 -40
- package/src/db/pagination.ts +0 -132
- package/src/db/tables/moderation.ts +0 -80
- package/src/db/util.ts +0 -108
- package/src/did-cache/db/index.ts +0 -21
- package/src/did-cache/db/migrations.ts +0 -17
- package/src/did-cache/db/schema.ts +0 -9
- package/src/did-cache/index.ts +0 -131
- package/src/disk-blobstore.ts +0 -172
- package/src/error.ts +0 -19
- package/src/handle/explicit-slurs.ts +0 -22
- package/src/handle/index.ts +0 -49
- package/src/handle/reserved.ts +0 -1059
- package/src/image/image-url-builder.ts +0 -16
- package/src/index.ts +0 -189
- package/src/lexicons.ts +0 -4
- package/src/logger.ts +0 -35
- package/src/mailer/index.ts +0 -111
- package/src/mailer/moderation.ts +0 -33
- package/src/mailer/templates/confirm-email.d.ts +0 -4
- package/src/mailer/templates/confirm-email.hbs +0 -158
- package/src/mailer/templates/delete-account.d.ts +0 -4
- package/src/mailer/templates/delete-account.hbs +0 -156
- package/src/mailer/templates/plc-operation.d.ts +0 -4
- package/src/mailer/templates/plc-operation.hbs +0 -153
- package/src/mailer/templates/reset-password.d.ts +0 -4
- package/src/mailer/templates/reset-password.hbs +0 -154
- package/src/mailer/templates/update-email.d.ts +0 -4
- package/src/mailer/templates/update-email.hbs +0 -153
- package/src/mailer/templates.ts +0 -17
- package/src/pipethrough.ts +0 -716
- package/src/rate-limits.ts +0 -59
- package/src/read-after-write/index.ts +0 -3
- package/src/read-after-write/types.ts +0 -35
- package/src/read-after-write/util.ts +0 -101
- package/src/read-after-write/viewer.ts +0 -290
- package/src/redis.ts +0 -25
- package/src/repo/index.ts +0 -2
- package/src/repo/prepare.ts +0 -266
- package/src/repo/types.ts +0 -65
- package/src/scripts/README.md +0 -40
- package/src/scripts/index.ts +0 -20
- package/src/scripts/publish-identity.ts +0 -60
- package/src/scripts/rebuild-repo.ts +0 -119
- package/src/scripts/rotate-keys.ts +0 -146
- package/src/scripts/sequencer-recovery/index.ts +0 -23
- package/src/scripts/sequencer-recovery/recoverer.ts +0 -297
- package/src/scripts/sequencer-recovery/recovery-db.ts +0 -65
- package/src/scripts/sequencer-recovery/repair-repos.ts +0 -49
- package/src/scripts/sequencer-recovery/user-queues.ts +0 -44
- package/src/scripts/util.ts +0 -7
- package/src/sequencer/db/index.ts +0 -21
- package/src/sequencer/db/migrations/001-init.ts +0 -35
- package/src/sequencer/db/migrations/index.ts +0 -5
- package/src/sequencer/db/schema.ts +0 -19
- package/src/sequencer/events.ts +0 -199
- package/src/sequencer/index.ts +0 -3
- package/src/sequencer/outbox.ts +0 -123
- package/src/sequencer/sequencer.ts +0 -290
- package/src/util/compression.ts +0 -16
- package/src/util/debug.ts +0 -10
- package/src/util/http.ts +0 -31
- package/src/util/types.ts +0 -7
- package/src/well-known.ts +0 -30
- package/test.env +0 -2
- package/tests/__snapshots__/takedown-appeal.test.ts.snap +0 -43
- package/tests/_oauth_client_assets_middleware.ts +0 -23
- package/tests/_puppeteer.ts +0 -147
- package/tests/_types.d.ts +0 -16
- package/tests/_util.ts +0 -191
- package/tests/account-deactivation.test.ts +0 -204
- package/tests/account-deletion.test.ts +0 -300
- package/tests/account-manager.test.ts +0 -462
- package/tests/account-migration.test.ts +0 -221
- package/tests/account-status.test.ts +0 -206
- package/tests/account.test.ts +0 -595
- package/tests/app-passwords.test.ts +0 -262
- package/tests/auth.test.ts +0 -405
- package/tests/blob-deletes.test.ts +0 -204
- package/tests/create-post.test.ts +0 -79
- package/tests/crud.test.ts +0 -1595
- package/tests/db.test.ts +0 -170
- package/tests/email-confirmation.test.ts +0 -227
- package/tests/entryway-mock.ts +0 -323
- package/tests/entryway.test.ts +0 -145
- package/tests/file-uploads.test.ts +0 -301
- package/tests/get-service-auth.test.ts +0 -81
- package/tests/handle-validation.test.ts +0 -56
- package/tests/handles.test.ts +0 -274
- package/tests/invite-codes.test.ts +0 -367
- package/tests/invites-admin.test.ts +0 -252
- package/tests/moderation.test.ts +0 -280
- package/tests/moderator-auth.test.ts +0 -177
- package/tests/oauth.test.ts +0 -334
- package/tests/plc-operations.test.ts +0 -239
- package/tests/preferences.test.ts +0 -352
- package/tests/proxied/__snapshots__/admin.test.ts.snap +0 -516
- package/tests/proxied/__snapshots__/feedgen.test.ts.snap +0 -215
- package/tests/proxied/__snapshots__/views.test.ts.snap +0 -4456
- package/tests/proxied/admin.test.ts +0 -340
- package/tests/proxied/feedgen.test.ts +0 -66
- package/tests/proxied/notif.test.ts +0 -85
- package/tests/proxied/procedures.test.ts +0 -175
- package/tests/proxied/proxy-catchall.test.ts +0 -256
- package/tests/proxied/proxy-header.test.ts +0 -239
- package/tests/proxied/proxy-oauth-aud.test.ts +0 -182
- package/tests/proxied/read-after-write.test.ts +0 -382
- package/tests/proxied/views.test.ts +0 -608
- package/tests/races.test.ts +0 -89
- package/tests/rate-limits.test.ts +0 -70
- package/tests/recovery.test.ts +0 -180
- package/tests/seeds/basic.ts +0 -165
- package/tests/seeds/follows.ts +0 -57
- package/tests/seeds/likes.ts +0 -14
- package/tests/seeds/reposts.ts +0 -18
- package/tests/seeds/thread.ts +0 -40
- package/tests/seeds/users-bulk.ts +0 -246
- package/tests/seeds/users.ts +0 -67
- package/tests/sequencer.test.ts +0 -251
- package/tests/server.test.ts +0 -151
- package/tests/sync/invertible-ops.test.ts +0 -99
- package/tests/sync/list.test.ts +0 -43
- package/tests/sync/subscribe-repos.test.ts +0 -672
- package/tests/sync/sync.test.ts +0 -316
- package/tests/takedown-appeal.test.ts +0 -166
- package/tsconfig.build.json +0 -9
- package/tsconfig.build.tsbuildinfo +0 -1
- package/tsconfig.json +0 -7
- package/tsconfig.tests.json +0 -8
|
@@ -1,256 +0,0 @@
|
|
|
1
|
-
import { once } from 'node:events'
|
|
2
|
-
import http from 'node:http'
|
|
3
|
-
import { AddressInfo } from 'node:net'
|
|
4
|
-
import { setTimeout as sleep } from 'node:timers/promises'
|
|
5
|
-
import * as plc from '@did-plc/lib'
|
|
6
|
-
import express from 'express'
|
|
7
|
-
// eslint-disable-next-line import/default
|
|
8
|
-
import httpTerminator from 'http-terminator'
|
|
9
|
-
import AtpAgent from '@atproto/api'
|
|
10
|
-
import { Keypair } from '@atproto/crypto'
|
|
11
|
-
import { TestNetworkNoAppView } from '@atproto/dev-env'
|
|
12
|
-
import { LexiconDocument } from '@atproto/lex-document'
|
|
13
|
-
|
|
14
|
-
const lexicons = [
|
|
15
|
-
{
|
|
16
|
-
lexicon: 1,
|
|
17
|
-
id: 'com.example.ok',
|
|
18
|
-
defs: {
|
|
19
|
-
main: {
|
|
20
|
-
type: 'query',
|
|
21
|
-
output: {
|
|
22
|
-
encoding: 'application/json',
|
|
23
|
-
schema: { type: 'object', properties: { foo: { type: 'string' } } },
|
|
24
|
-
},
|
|
25
|
-
},
|
|
26
|
-
},
|
|
27
|
-
},
|
|
28
|
-
{
|
|
29
|
-
lexicon: 1,
|
|
30
|
-
id: 'com.example.slow',
|
|
31
|
-
defs: {
|
|
32
|
-
main: {
|
|
33
|
-
type: 'query',
|
|
34
|
-
output: {
|
|
35
|
-
encoding: 'application/json',
|
|
36
|
-
schema: { type: 'object', properties: { foo: { type: 'string' } } },
|
|
37
|
-
},
|
|
38
|
-
},
|
|
39
|
-
},
|
|
40
|
-
},
|
|
41
|
-
{
|
|
42
|
-
lexicon: 1,
|
|
43
|
-
id: 'com.example.abort',
|
|
44
|
-
defs: {
|
|
45
|
-
main: {
|
|
46
|
-
type: 'query',
|
|
47
|
-
output: {
|
|
48
|
-
encoding: 'application/json',
|
|
49
|
-
schema: { type: 'object', properties: { foo: { type: 'string' } } },
|
|
50
|
-
},
|
|
51
|
-
},
|
|
52
|
-
},
|
|
53
|
-
},
|
|
54
|
-
{
|
|
55
|
-
lexicon: 1,
|
|
56
|
-
id: 'com.example.error',
|
|
57
|
-
defs: {
|
|
58
|
-
main: {
|
|
59
|
-
type: 'query',
|
|
60
|
-
output: {
|
|
61
|
-
encoding: 'application/json',
|
|
62
|
-
schema: { type: 'object', properties: { foo: { type: 'string' } } },
|
|
63
|
-
},
|
|
64
|
-
},
|
|
65
|
-
},
|
|
66
|
-
},
|
|
67
|
-
] as const satisfies LexiconDocument[]
|
|
68
|
-
|
|
69
|
-
describe('proxy header', () => {
|
|
70
|
-
let network: TestNetworkNoAppView
|
|
71
|
-
let alice: AtpAgent
|
|
72
|
-
|
|
73
|
-
let proxyServer: ProxyServer
|
|
74
|
-
|
|
75
|
-
beforeAll(async () => {
|
|
76
|
-
network = await TestNetworkNoAppView.create({
|
|
77
|
-
dbPostgresSchema: 'proxy_catchall',
|
|
78
|
-
})
|
|
79
|
-
|
|
80
|
-
const serviceId = 'proxy_test'
|
|
81
|
-
|
|
82
|
-
proxyServer = await ProxyServer.create(
|
|
83
|
-
network.pds.ctx.plcClient,
|
|
84
|
-
network.pds.ctx.plcRotationKey,
|
|
85
|
-
serviceId,
|
|
86
|
-
)
|
|
87
|
-
|
|
88
|
-
alice = network.pds.getAgent().withProxy(serviceId, proxyServer.did)
|
|
89
|
-
|
|
90
|
-
for (const lex of lexicons) alice.lex.add(lex)
|
|
91
|
-
|
|
92
|
-
await alice.createAccount({
|
|
93
|
-
email: 'alice@test.com',
|
|
94
|
-
handle: 'alice.test',
|
|
95
|
-
password: 'alice-pass',
|
|
96
|
-
})
|
|
97
|
-
await network.processAll()
|
|
98
|
-
})
|
|
99
|
-
|
|
100
|
-
afterAll(async () => {
|
|
101
|
-
await proxyServer?.close()
|
|
102
|
-
await network?.close()
|
|
103
|
-
})
|
|
104
|
-
|
|
105
|
-
it('rejects when upstream unavailable', async () => {
|
|
106
|
-
const serviceId = 'foo_bar'
|
|
107
|
-
|
|
108
|
-
const proxyServer = await ProxyServer.create(
|
|
109
|
-
network.pds.ctx.plcClient,
|
|
110
|
-
network.pds.ctx.plcRotationKey,
|
|
111
|
-
serviceId,
|
|
112
|
-
)
|
|
113
|
-
|
|
114
|
-
// Make sure the service is not available
|
|
115
|
-
await proxyServer.close()
|
|
116
|
-
|
|
117
|
-
const client = alice.withProxy(serviceId, proxyServer.did)
|
|
118
|
-
for (const lex of lexicons) client.lex.add(lex)
|
|
119
|
-
|
|
120
|
-
await expect(client.call('com.example.ok')).rejects.toThrow(
|
|
121
|
-
'Upstream service unreachable',
|
|
122
|
-
)
|
|
123
|
-
})
|
|
124
|
-
|
|
125
|
-
it('successfully proxies requests', async () => {
|
|
126
|
-
await expect(alice.call('com.example.ok')).resolves.toMatchObject({
|
|
127
|
-
data: { foo: 'ok' },
|
|
128
|
-
success: true,
|
|
129
|
-
})
|
|
130
|
-
})
|
|
131
|
-
|
|
132
|
-
it('handles cancelled upstream requests', async () => {
|
|
133
|
-
await expect(alice.call('com.example.abort')).rejects.toThrow('terminated')
|
|
134
|
-
})
|
|
135
|
-
|
|
136
|
-
it('handles failing upstream requests', async () => {
|
|
137
|
-
await expect(alice.call('com.example.error')).rejects.toThrow(
|
|
138
|
-
expect.objectContaining({
|
|
139
|
-
status: 502,
|
|
140
|
-
error: 'FooBar',
|
|
141
|
-
message: 'My message',
|
|
142
|
-
}),
|
|
143
|
-
)
|
|
144
|
-
})
|
|
145
|
-
|
|
146
|
-
it('handles cancelled downstream requests', async () => {
|
|
147
|
-
const ac = new AbortController()
|
|
148
|
-
|
|
149
|
-
setTimeout(() => ac.abort(), 20)
|
|
150
|
-
|
|
151
|
-
await expect(
|
|
152
|
-
alice.call('com.example.slow', {}, undefined, { signal: ac.signal }),
|
|
153
|
-
).rejects.toThrow('This operation was aborted')
|
|
154
|
-
|
|
155
|
-
await expect(alice.call('com.example.slow')).resolves.toMatchObject({
|
|
156
|
-
data: { foo: 'slow' },
|
|
157
|
-
success: true,
|
|
158
|
-
})
|
|
159
|
-
})
|
|
160
|
-
})
|
|
161
|
-
|
|
162
|
-
class ProxyServer {
|
|
163
|
-
private terminator: httpTerminator.HttpTerminator
|
|
164
|
-
|
|
165
|
-
constructor(
|
|
166
|
-
server: http.Server,
|
|
167
|
-
public did: string,
|
|
168
|
-
) {
|
|
169
|
-
this.terminator = httpTerminator.createHttpTerminator({ server })
|
|
170
|
-
}
|
|
171
|
-
|
|
172
|
-
static async create(
|
|
173
|
-
plcClient: plc.Client,
|
|
174
|
-
keypair: Keypair,
|
|
175
|
-
serviceId: string,
|
|
176
|
-
): Promise<ProxyServer> {
|
|
177
|
-
const app = express()
|
|
178
|
-
|
|
179
|
-
app.get('/xrpc/com.example.ok', (req, res) => {
|
|
180
|
-
res.status(200)
|
|
181
|
-
res.setHeader('content-type', 'application/json')
|
|
182
|
-
res.send('{"foo":"ok"}')
|
|
183
|
-
})
|
|
184
|
-
|
|
185
|
-
app.get('/xrpc/com.example.slow', async (req, res) => {
|
|
186
|
-
const wait = async (ms: number) => {
|
|
187
|
-
if (res.destroyed) return
|
|
188
|
-
const ac = new AbortController()
|
|
189
|
-
const abort = () => ac.abort()
|
|
190
|
-
res.on('close', abort)
|
|
191
|
-
try {
|
|
192
|
-
await sleep(ms, undefined, { signal: ac.signal })
|
|
193
|
-
} finally {
|
|
194
|
-
res.off('close', abort)
|
|
195
|
-
}
|
|
196
|
-
}
|
|
197
|
-
|
|
198
|
-
await wait(50)
|
|
199
|
-
|
|
200
|
-
res.status(200)
|
|
201
|
-
res.setHeader('content-type', 'application/json')
|
|
202
|
-
res.flushHeaders()
|
|
203
|
-
|
|
204
|
-
await wait(50)
|
|
205
|
-
|
|
206
|
-
for (const char of '{"foo":"slow"}') {
|
|
207
|
-
res.write(char)
|
|
208
|
-
await wait(10)
|
|
209
|
-
}
|
|
210
|
-
|
|
211
|
-
res.end()
|
|
212
|
-
})
|
|
213
|
-
|
|
214
|
-
app.get('/xrpc/com.example.abort', async (req, res) => {
|
|
215
|
-
res.status(200)
|
|
216
|
-
res.setHeader('content-type', 'application/json')
|
|
217
|
-
res.write('{"foo"')
|
|
218
|
-
await sleep(50)
|
|
219
|
-
res.destroy(new Error('abort'))
|
|
220
|
-
})
|
|
221
|
-
|
|
222
|
-
app.get('/xrpc/com.example.error', async (req, res) => {
|
|
223
|
-
res.status(500).json({ error: 'FooBar', message: 'My message' })
|
|
224
|
-
})
|
|
225
|
-
|
|
226
|
-
const server = app.listen(0)
|
|
227
|
-
server.keepAliveTimeout = 30 * 1000
|
|
228
|
-
server.headersTimeout = 35 * 1000
|
|
229
|
-
await once(server, 'listening')
|
|
230
|
-
const { port } = server.address() as AddressInfo
|
|
231
|
-
|
|
232
|
-
const plcOp = await plc.signOperation(
|
|
233
|
-
{
|
|
234
|
-
type: 'plc_operation',
|
|
235
|
-
rotationKeys: [keypair.did()],
|
|
236
|
-
alsoKnownAs: [],
|
|
237
|
-
verificationMethods: {},
|
|
238
|
-
services: {
|
|
239
|
-
[serviceId]: {
|
|
240
|
-
type: 'TestAtprotoService',
|
|
241
|
-
endpoint: `http://localhost:${port}`,
|
|
242
|
-
},
|
|
243
|
-
},
|
|
244
|
-
prev: null,
|
|
245
|
-
},
|
|
246
|
-
keypair,
|
|
247
|
-
)
|
|
248
|
-
const did = await plc.didForCreateOp(plcOp)
|
|
249
|
-
await plcClient.sendOperation(did, plcOp)
|
|
250
|
-
return new ProxyServer(server, did)
|
|
251
|
-
}
|
|
252
|
-
|
|
253
|
-
async close() {
|
|
254
|
-
await this.terminator.terminate()
|
|
255
|
-
}
|
|
256
|
-
}
|
|
@@ -1,239 +0,0 @@
|
|
|
1
|
-
import assert from 'node:assert'
|
|
2
|
-
import { once } from 'node:events'
|
|
3
|
-
import http from 'node:http'
|
|
4
|
-
import { AddressInfo } from 'node:net'
|
|
5
|
-
import * as plc from '@did-plc/lib'
|
|
6
|
-
import express from 'express'
|
|
7
|
-
// eslint-disable-next-line import/default
|
|
8
|
-
import httpTerminator from 'http-terminator'
|
|
9
|
-
import { Keypair } from '@atproto/crypto'
|
|
10
|
-
import { SeedClient, TestNetworkNoAppView, usersSeed } from '@atproto/dev-env'
|
|
11
|
-
import type { DidString } from '@atproto/syntax'
|
|
12
|
-
import { verifyJwt } from '@atproto/xrpc-server'
|
|
13
|
-
import { parseProxyHeader } from '../../src/pipethrough.js'
|
|
14
|
-
|
|
15
|
-
describe('proxy header', () => {
|
|
16
|
-
let network: TestNetworkNoAppView
|
|
17
|
-
let sc: SeedClient
|
|
18
|
-
|
|
19
|
-
let alice: DidString
|
|
20
|
-
|
|
21
|
-
let proxyServer: ProxyServer
|
|
22
|
-
|
|
23
|
-
beforeAll(async () => {
|
|
24
|
-
network = await TestNetworkNoAppView.create({
|
|
25
|
-
dbPostgresSchema: 'proxy_header',
|
|
26
|
-
})
|
|
27
|
-
sc = network.getSeedClient()
|
|
28
|
-
await usersSeed(sc)
|
|
29
|
-
|
|
30
|
-
proxyServer = await ProxyServer.create(
|
|
31
|
-
network.pds.ctx.plcClient,
|
|
32
|
-
network.pds.ctx.plcRotationKey,
|
|
33
|
-
'atproto_test',
|
|
34
|
-
)
|
|
35
|
-
|
|
36
|
-
alice = sc.dids.alice
|
|
37
|
-
await network.processAll()
|
|
38
|
-
}, 20_000) // @NOTE seeding can take a while
|
|
39
|
-
|
|
40
|
-
afterAll(async () => {
|
|
41
|
-
await proxyServer?.close()
|
|
42
|
-
await network?.close()
|
|
43
|
-
})
|
|
44
|
-
|
|
45
|
-
it('parses proxy header', async () => {
|
|
46
|
-
expect(parseProxyHeader(network.pds.ctx, `#atproto_test`)).rejects.toThrow(
|
|
47
|
-
'no did specified in proxy header',
|
|
48
|
-
)
|
|
49
|
-
|
|
50
|
-
expect(
|
|
51
|
-
parseProxyHeader(network.pds.ctx, `${proxyServer.did}#atproto_test#foo`),
|
|
52
|
-
).rejects.toThrow('invalid proxy header format')
|
|
53
|
-
|
|
54
|
-
expect(
|
|
55
|
-
parseProxyHeader(network.pds.ctx, `${proxyServer.did}#atproto_test `),
|
|
56
|
-
).rejects.toThrow('proxy header cannot contain spaces')
|
|
57
|
-
|
|
58
|
-
expect(
|
|
59
|
-
parseProxyHeader(network.pds.ctx, ` ${proxyServer.did}#atproto_test`),
|
|
60
|
-
).rejects.toThrow('proxy header cannot contain spaces')
|
|
61
|
-
|
|
62
|
-
expect(parseProxyHeader(network.pds.ctx, `did:foo#bar`)).rejects.toThrow(
|
|
63
|
-
'Poorly formatted DID: did:foo',
|
|
64
|
-
)
|
|
65
|
-
|
|
66
|
-
expect(
|
|
67
|
-
parseProxyHeader(network.pds.ctx, `did:foo:bar#baz`),
|
|
68
|
-
).rejects.toThrow('Unsupported DID method: did:foo:bar')
|
|
69
|
-
|
|
70
|
-
expect(
|
|
71
|
-
parseProxyHeader(network.pds.ctx, `did:toString:foo#bar`),
|
|
72
|
-
).rejects.toThrow('Unsupported DID method: did:toString:foo')
|
|
73
|
-
|
|
74
|
-
expect(parseProxyHeader(network.pds.ctx, `foo#bar`)).rejects.toThrow(
|
|
75
|
-
'Poorly formatted DID: foo',
|
|
76
|
-
)
|
|
77
|
-
|
|
78
|
-
expect(
|
|
79
|
-
parseProxyHeader(network.pds.ctx, `${proxyServer.did}#atproto_test`),
|
|
80
|
-
).resolves.toEqual({
|
|
81
|
-
did: proxyServer.did,
|
|
82
|
-
url: proxyServer.url,
|
|
83
|
-
serviceId: 'atproto_test',
|
|
84
|
-
})
|
|
85
|
-
})
|
|
86
|
-
|
|
87
|
-
it('proxies requests based on header', async () => {
|
|
88
|
-
const path = `/xrpc/app.bsky.actor.getProfile?actor=${alice}`
|
|
89
|
-
await fetch(`${network.pds.url}${path}`, {
|
|
90
|
-
headers: {
|
|
91
|
-
...sc.getHeaders(alice),
|
|
92
|
-
'atproto-proxy': `${proxyServer.did}#atproto_test`,
|
|
93
|
-
},
|
|
94
|
-
})
|
|
95
|
-
const req = proxyServer.requests.at(-1)
|
|
96
|
-
assert(req)
|
|
97
|
-
expect(req.url).toEqual(path)
|
|
98
|
-
assert(req.auth)
|
|
99
|
-
const verified = await verifyJwt(
|
|
100
|
-
req.auth.replace('Bearer ', ''),
|
|
101
|
-
proxyServer.did,
|
|
102
|
-
'app.bsky.actor.getProfile',
|
|
103
|
-
(iss) => network.pds.ctx.idResolver.did.resolveAtprotoKey(iss, true),
|
|
104
|
-
)
|
|
105
|
-
expect(verified.aud).toBe(proxyServer.did)
|
|
106
|
-
expect(verified.iss).toBe(alice)
|
|
107
|
-
})
|
|
108
|
-
|
|
109
|
-
it('fails on a non-existant did', async () => {
|
|
110
|
-
const path = `/xrpc/app.bsky.actor.getProfile?actor=${alice}`
|
|
111
|
-
const response = await fetch(`${network.pds.url}${path}`, {
|
|
112
|
-
headers: {
|
|
113
|
-
...sc.getHeaders(alice),
|
|
114
|
-
'atproto-proxy': `did:plc:12345678123456781234578#atproto_test`,
|
|
115
|
-
},
|
|
116
|
-
})
|
|
117
|
-
|
|
118
|
-
await expect(response.json()).resolves.toMatchObject({
|
|
119
|
-
message: 'could not resolve proxy did',
|
|
120
|
-
})
|
|
121
|
-
|
|
122
|
-
expect(proxyServer.requests.length).toBe(1)
|
|
123
|
-
})
|
|
124
|
-
|
|
125
|
-
it('fails when a service is not specified', async () => {
|
|
126
|
-
const path = `/xrpc/app.bsky.actor.getProfile?actor=${alice}`
|
|
127
|
-
const response = await fetch(`${network.pds.url}${path}`, {
|
|
128
|
-
headers: {
|
|
129
|
-
...sc.getHeaders(alice),
|
|
130
|
-
'atproto-proxy': proxyServer.did,
|
|
131
|
-
},
|
|
132
|
-
})
|
|
133
|
-
|
|
134
|
-
await expect(response.json()).resolves.toMatchObject({
|
|
135
|
-
message: 'no service id specified in proxy header',
|
|
136
|
-
})
|
|
137
|
-
|
|
138
|
-
expect(proxyServer.requests.length).toBe(1)
|
|
139
|
-
})
|
|
140
|
-
|
|
141
|
-
it('fails on a non-existant service', async () => {
|
|
142
|
-
const path = `/xrpc/app.bsky.actor.getProfile?actor=${alice}`
|
|
143
|
-
const response = await fetch(`${network.pds.url}${path}`, {
|
|
144
|
-
headers: {
|
|
145
|
-
...sc.getHeaders(alice),
|
|
146
|
-
'atproto-proxy': `${proxyServer.did}#atproto_bad`,
|
|
147
|
-
},
|
|
148
|
-
})
|
|
149
|
-
|
|
150
|
-
await expect(response.json()).resolves.toMatchObject({
|
|
151
|
-
message: 'could not resolve proxy did service url',
|
|
152
|
-
})
|
|
153
|
-
|
|
154
|
-
expect(proxyServer.requests.length).toBe(1)
|
|
155
|
-
})
|
|
156
|
-
|
|
157
|
-
it('handles failing manual pipethroughs', async () => {
|
|
158
|
-
// This is a PDS endpoint which uses a manual pipethrough() in its handler
|
|
159
|
-
const path = '/xrpc/app.bsky.actor.getPreferences'
|
|
160
|
-
const res = await fetch(`${network.pds.url}${path}`, {
|
|
161
|
-
headers: {
|
|
162
|
-
...sc.getHeaders(alice),
|
|
163
|
-
'atproto-proxy': `${proxyServer.did}#atproto_test`,
|
|
164
|
-
},
|
|
165
|
-
})
|
|
166
|
-
await res.arrayBuffer() // drain
|
|
167
|
-
expect(res.status).toBe(501)
|
|
168
|
-
})
|
|
169
|
-
})
|
|
170
|
-
|
|
171
|
-
type ProxyReq = {
|
|
172
|
-
url: string
|
|
173
|
-
auth: string | undefined
|
|
174
|
-
}
|
|
175
|
-
|
|
176
|
-
class ProxyServer {
|
|
177
|
-
private terminator: httpTerminator.HttpTerminator
|
|
178
|
-
|
|
179
|
-
constructor(
|
|
180
|
-
server: http.Server,
|
|
181
|
-
public url: string,
|
|
182
|
-
public did: string,
|
|
183
|
-
public requests: ProxyReq[],
|
|
184
|
-
) {
|
|
185
|
-
this.terminator = httpTerminator.createHttpTerminator({ server })
|
|
186
|
-
}
|
|
187
|
-
|
|
188
|
-
static async create(
|
|
189
|
-
plcClient: plc.Client,
|
|
190
|
-
keypair: Keypair,
|
|
191
|
-
serviceId: string,
|
|
192
|
-
): Promise<ProxyServer> {
|
|
193
|
-
const requests: ProxyReq[] = []
|
|
194
|
-
const app = express()
|
|
195
|
-
|
|
196
|
-
// This is a PDS endpoint which uses a manual pipethrough() in its handler
|
|
197
|
-
app.get('/xrpc/app.bsky.actor.getPreferences', (req, res) => {
|
|
198
|
-
res.sendStatus(501)
|
|
199
|
-
})
|
|
200
|
-
|
|
201
|
-
app.get('*', (req, res) => {
|
|
202
|
-
requests.push({
|
|
203
|
-
url: req.url,
|
|
204
|
-
auth: req.header('authorization'),
|
|
205
|
-
})
|
|
206
|
-
res.sendStatus(200)
|
|
207
|
-
})
|
|
208
|
-
|
|
209
|
-
const server = app.listen(0)
|
|
210
|
-
await once(server, 'listening')
|
|
211
|
-
|
|
212
|
-
const { port } = server.address() as AddressInfo
|
|
213
|
-
|
|
214
|
-
const url = `http://localhost:${port}`
|
|
215
|
-
const plcOp = await plc.signOperation(
|
|
216
|
-
{
|
|
217
|
-
type: 'plc_operation',
|
|
218
|
-
rotationKeys: [keypair.did()],
|
|
219
|
-
alsoKnownAs: [],
|
|
220
|
-
verificationMethods: {},
|
|
221
|
-
services: {
|
|
222
|
-
[serviceId]: {
|
|
223
|
-
type: 'TestAtprotoService',
|
|
224
|
-
endpoint: url,
|
|
225
|
-
},
|
|
226
|
-
},
|
|
227
|
-
prev: null,
|
|
228
|
-
},
|
|
229
|
-
keypair,
|
|
230
|
-
)
|
|
231
|
-
const did = await plc.didForCreateOp(plcOp)
|
|
232
|
-
await plcClient.sendOperation(did, plcOp)
|
|
233
|
-
return new ProxyServer(server, url, did, requests)
|
|
234
|
-
}
|
|
235
|
-
|
|
236
|
-
async close(): Promise<void> {
|
|
237
|
-
await this.terminator.terminate()
|
|
238
|
-
}
|
|
239
|
-
}
|
|
@@ -1,182 +0,0 @@
|
|
|
1
|
-
import { once } from 'node:events'
|
|
2
|
-
import http from 'node:http'
|
|
3
|
-
import { AddressInfo } from 'node:net'
|
|
4
|
-
import * as plc from '@did-plc/lib'
|
|
5
|
-
import express from 'express'
|
|
6
|
-
// eslint-disable-next-line import/default
|
|
7
|
-
import httpTerminator from 'http-terminator'
|
|
8
|
-
import { Keypair } from '@atproto/crypto'
|
|
9
|
-
import { SeedClient, TestNetworkNoAppView, usersSeed } from '@atproto/dev-env'
|
|
10
|
-
import { ScopePermissions } from '@atproto/oauth-scopes'
|
|
11
|
-
import { DidString } from '@atproto/syntax'
|
|
12
|
-
import { AppContext } from '../../src/context.js'
|
|
13
|
-
import { proxyHandler } from '../../src/pipethrough.js'
|
|
14
|
-
|
|
15
|
-
// Regression test for the OAuth service-proxying audience fix.
|
|
16
|
-
//
|
|
17
|
-
// Before the fix, proxyHandler passed a bare DID as `aud` to the rpc scope
|
|
18
|
-
// check. An OAuth caller granted `rpc:<lxm>?aud=<did>#<serviceId>` (the
|
|
19
|
-
// canonical scope shape used in atproto OAuth) had no way to match, so
|
|
20
|
-
// proxied calls failed at the scope check. The fix combines the proxied
|
|
21
|
-
// service id into the scope-check audience as `<did>#<serviceId>`.
|
|
22
|
-
//
|
|
23
|
-
// We use a real PDS AppContext (so every field is real-typed). Only the
|
|
24
|
-
// `authVerifier.authorization` method is replaced, with a thin stub that
|
|
25
|
-
// drives the OAuth path off an `x-test-scope` request header — letting us
|
|
26
|
-
// exercise the rpc scope check without minting a real OAuth token. A
|
|
27
|
-
// separate express app mounts a fresh proxyHandler against the real ctx
|
|
28
|
-
// and forwards to a real upstream ProxyServer.
|
|
29
|
-
|
|
30
|
-
describe('proxy oauth audience', () => {
|
|
31
|
-
let network: TestNetworkNoAppView
|
|
32
|
-
let sc: SeedClient
|
|
33
|
-
let alice: string
|
|
34
|
-
let upstream: ProxyServer
|
|
35
|
-
let terminator: httpTerminator.HttpTerminator
|
|
36
|
-
let serverUrl: string
|
|
37
|
-
|
|
38
|
-
beforeAll(async () => {
|
|
39
|
-
network = await TestNetworkNoAppView.create({
|
|
40
|
-
dbPostgresSchema: 'proxy_oauth_aud',
|
|
41
|
-
})
|
|
42
|
-
sc = network.getSeedClient()
|
|
43
|
-
await usersSeed(sc)
|
|
44
|
-
alice = sc.dids.alice
|
|
45
|
-
upstream = await ProxyServer.create(
|
|
46
|
-
network.pds.ctx.plcClient,
|
|
47
|
-
network.pds.ctx.plcRotationKey,
|
|
48
|
-
'atproto_test',
|
|
49
|
-
)
|
|
50
|
-
|
|
51
|
-
// Replace only the `authorization` method on the real AuthVerifier so
|
|
52
|
-
// every other ctx field stays real and real-typed. The override's
|
|
53
|
-
// signature is constrained by AuthVerifier['authorization']: an OAuth
|
|
54
|
-
// shape change in the real verifier breaks the body of this stub at
|
|
55
|
-
// compile time.
|
|
56
|
-
const stubAuthorization: typeof network.pds.ctx.authVerifier.authorization =
|
|
57
|
-
({ authorize }) => {
|
|
58
|
-
return async (ctx) => {
|
|
59
|
-
const scopeHeader = ctx.req.headers['x-test-scope'] as
|
|
60
|
-
| string
|
|
61
|
-
| undefined
|
|
62
|
-
const permissions = new ScopePermissions(
|
|
63
|
-
scopeHeader?.split(' ') ?? [],
|
|
64
|
-
)
|
|
65
|
-
await authorize(permissions, ctx)
|
|
66
|
-
return {
|
|
67
|
-
credentials: {
|
|
68
|
-
type: 'oauth',
|
|
69
|
-
did: alice as DidString,
|
|
70
|
-
permissions,
|
|
71
|
-
},
|
|
72
|
-
}
|
|
73
|
-
}
|
|
74
|
-
}
|
|
75
|
-
network.pds.ctx.authVerifier.authorization = stubAuthorization
|
|
76
|
-
|
|
77
|
-
const app = express()
|
|
78
|
-
// dev-env exports AppContext from its built dist/, while we import
|
|
79
|
-
// proxyHandler from src/. Cast at this boundary to bridge the two
|
|
80
|
-
// identical shapes; downstream behavior is real.
|
|
81
|
-
app.all('/xrpc/*', proxyHandler(network.pds.ctx as unknown as AppContext))
|
|
82
|
-
app.use(
|
|
83
|
-
(
|
|
84
|
-
err: Error & { status?: number; statusCode?: number },
|
|
85
|
-
_req: express.Request,
|
|
86
|
-
res: express.Response,
|
|
87
|
-
_next: express.NextFunction,
|
|
88
|
-
) => {
|
|
89
|
-
if (res.headersSent) return
|
|
90
|
-
res.status(err.status ?? err.statusCode ?? 500).end()
|
|
91
|
-
},
|
|
92
|
-
)
|
|
93
|
-
const server = app.listen(0)
|
|
94
|
-
await once(server, 'listening')
|
|
95
|
-
terminator = httpTerminator.createHttpTerminator({ server })
|
|
96
|
-
serverUrl = `http://localhost:${(server.address() as AddressInfo).port}`
|
|
97
|
-
})
|
|
98
|
-
|
|
99
|
-
afterAll(async () => {
|
|
100
|
-
await Promise.all([
|
|
101
|
-
terminator?.terminate(),
|
|
102
|
-
upstream?.close(),
|
|
103
|
-
network?.close(),
|
|
104
|
-
])
|
|
105
|
-
})
|
|
106
|
-
|
|
107
|
-
it('matches an OAuth rpc scope granted with combined did#serviceId aud', async () => {
|
|
108
|
-
// Pre-fix this would have rejected because the scope check received
|
|
109
|
-
// bare-DID aud and never matched the combined-form scope. A 200 here
|
|
110
|
-
// implies the scope check ran with combined-form aud.
|
|
111
|
-
const res = await fetch(`${serverUrl}/xrpc/app.bsky.feed.getFeed`, {
|
|
112
|
-
headers: {
|
|
113
|
-
'atproto-proxy': `${upstream.did}#atproto_test`,
|
|
114
|
-
'x-test-scope': `rpc:app.bsky.feed.getFeed?aud=${encodeURIComponent(`${upstream.did}#atproto_test`)}`,
|
|
115
|
-
},
|
|
116
|
-
})
|
|
117
|
-
expect(res.status).toBe(200)
|
|
118
|
-
})
|
|
119
|
-
|
|
120
|
-
it('rejects an OAuth rpc scope granted for a different service id', async () => {
|
|
121
|
-
// Same DID, different service id — both forms parse as valid scope
|
|
122
|
-
// audiences, but the runtime aud (`upstream.did#atproto_test`) doesn't
|
|
123
|
-
// match the granted aud (`upstream.did#atproto_other`).
|
|
124
|
-
const res = await fetch(`${serverUrl}/xrpc/app.bsky.feed.getFeed`, {
|
|
125
|
-
headers: {
|
|
126
|
-
'atproto-proxy': `${upstream.did}#atproto_test`,
|
|
127
|
-
'x-test-scope': `rpc:app.bsky.feed.getFeed?aud=${encodeURIComponent(`${upstream.did}#atproto_other`)}`,
|
|
128
|
-
},
|
|
129
|
-
})
|
|
130
|
-
expect([401, 403]).toContain(res.status)
|
|
131
|
-
})
|
|
132
|
-
})
|
|
133
|
-
|
|
134
|
-
class ProxyServer {
|
|
135
|
-
private terminator: httpTerminator.HttpTerminator
|
|
136
|
-
|
|
137
|
-
constructor(
|
|
138
|
-
server: http.Server,
|
|
139
|
-
public url: string,
|
|
140
|
-
public did: string,
|
|
141
|
-
) {
|
|
142
|
-
this.terminator = httpTerminator.createHttpTerminator({ server })
|
|
143
|
-
}
|
|
144
|
-
|
|
145
|
-
static async create(
|
|
146
|
-
plcClient: plc.Client,
|
|
147
|
-
keypair: Keypair,
|
|
148
|
-
serviceId: string,
|
|
149
|
-
): Promise<ProxyServer> {
|
|
150
|
-
const app = express()
|
|
151
|
-
app.all('*', (_req, res) => res.sendStatus(200))
|
|
152
|
-
|
|
153
|
-
const server = app.listen(0)
|
|
154
|
-
await once(server, 'listening')
|
|
155
|
-
|
|
156
|
-
const { port } = server.address() as AddressInfo
|
|
157
|
-
const url = `http://localhost:${port}`
|
|
158
|
-
const plcOp = await plc.signOperation(
|
|
159
|
-
{
|
|
160
|
-
type: 'plc_operation',
|
|
161
|
-
rotationKeys: [keypair.did()],
|
|
162
|
-
alsoKnownAs: [],
|
|
163
|
-
verificationMethods: {},
|
|
164
|
-
services: {
|
|
165
|
-
[serviceId]: {
|
|
166
|
-
type: 'TestAtprotoService',
|
|
167
|
-
endpoint: url,
|
|
168
|
-
},
|
|
169
|
-
},
|
|
170
|
-
prev: null,
|
|
171
|
-
},
|
|
172
|
-
keypair,
|
|
173
|
-
)
|
|
174
|
-
const did = await plc.didForCreateOp(plcOp)
|
|
175
|
-
await plcClient.sendOperation(did, plcOp)
|
|
176
|
-
return new ProxyServer(server, url, did)
|
|
177
|
-
}
|
|
178
|
-
|
|
179
|
-
close(): Promise<void> {
|
|
180
|
-
return this.terminator.terminate()
|
|
181
|
-
}
|
|
182
|
-
}
|