@atproto/pds 0.5.12 → 0.5.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (326) hide show
  1. package/CHANGELOG.md +53 -0
  2. package/dist/api/app/bsky/notification/index.d.ts.map +1 -1
  3. package/dist/api/app/bsky/notification/index.js +2 -0
  4. package/dist/api/app/bsky/notification/index.js.map +1 -1
  5. package/dist/api/app/bsky/notification/unregisterPush.d.ts +4 -0
  6. package/dist/api/app/bsky/notification/unregisterPush.d.ts.map +1 -0
  7. package/dist/api/app/bsky/notification/unregisterPush.js +48 -0
  8. package/dist/api/app/bsky/notification/unregisterPush.js.map +1 -0
  9. package/dist/lexicons/app/bsky/actor/defs.defs.d.ts +6 -0
  10. package/dist/lexicons/app/bsky/actor/defs.defs.d.ts.map +1 -1
  11. package/dist/lexicons/app/bsky/actor/defs.defs.js +1 -0
  12. package/dist/lexicons/app/bsky/actor/defs.defs.js.map +1 -1
  13. package/package.json +42 -38
  14. package/build.templates.cjs +0 -22
  15. package/example.env +0 -42
  16. package/jest.config.cjs +0 -27
  17. package/src/account-manager/account-manager.ts +0 -916
  18. package/src/account-manager/db/index.ts +0 -21
  19. package/src/account-manager/db/migrations/001-init.ts +0 -115
  20. package/src/account-manager/db/migrations/002-account-deactivation.ts +0 -17
  21. package/src/account-manager/db/migrations/003-privileged-app-passwords.ts +0 -12
  22. package/src/account-manager/db/migrations/004-oauth.ts +0 -122
  23. package/src/account-manager/db/migrations/005-oauth-account-management.ts +0 -136
  24. package/src/account-manager/db/migrations/006-oauth-permission-sets.ts +0 -20
  25. package/src/account-manager/db/migrations/007-lexicon-failures-index.ts +0 -14
  26. package/src/account-manager/db/migrations/index.ts +0 -17
  27. package/src/account-manager/db/schema/account-device.ts +0 -14
  28. package/src/account-manager/db/schema/account.ts +0 -16
  29. package/src/account-manager/db/schema/actor.ts +0 -17
  30. package/src/account-manager/db/schema/app-password.ts +0 -13
  31. package/src/account-manager/db/schema/authorization-request.ts +0 -30
  32. package/src/account-manager/db/schema/authorized-client.ts +0 -23
  33. package/src/account-manager/db/schema/device.ts +0 -18
  34. package/src/account-manager/db/schema/email-token.ts +0 -19
  35. package/src/account-manager/db/schema/index.ts +0 -43
  36. package/src/account-manager/db/schema/invite-code.ts +0 -24
  37. package/src/account-manager/db/schema/lexicon.ts +0 -15
  38. package/src/account-manager/db/schema/refresh-token.ts +0 -11
  39. package/src/account-manager/db/schema/repo-root.ts +0 -12
  40. package/src/account-manager/db/schema/token.ts +0 -38
  41. package/src/account-manager/db/schema/used-refresh-token.ts +0 -13
  42. package/src/account-manager/helpers/account-device.ts +0 -63
  43. package/src/account-manager/helpers/account.ts +0 -355
  44. package/src/account-manager/helpers/auth.ts +0 -222
  45. package/src/account-manager/helpers/authorization-request.ts +0 -90
  46. package/src/account-manager/helpers/authorized-client.ts +0 -75
  47. package/src/account-manager/helpers/device.ts +0 -47
  48. package/src/account-manager/helpers/email-token.ts +0 -87
  49. package/src/account-manager/helpers/invite.ts +0 -263
  50. package/src/account-manager/helpers/lexicon.ts +0 -67
  51. package/src/account-manager/helpers/password.ts +0 -136
  52. package/src/account-manager/helpers/repo.ts +0 -24
  53. package/src/account-manager/helpers/scrypt.ts +0 -53
  54. package/src/account-manager/helpers/token.ts +0 -158
  55. package/src/account-manager/helpers/used-refresh-token.ts +0 -30
  56. package/src/account-manager/oauth-store.ts +0 -880
  57. package/src/account-manager/scope-reference-getter.ts +0 -106
  58. package/src/actor-store/actor-store-reader.ts +0 -45
  59. package/src/actor-store/actor-store-resources.ts +0 -8
  60. package/src/actor-store/actor-store-transactor.ts +0 -31
  61. package/src/actor-store/actor-store-writer.ts +0 -17
  62. package/src/actor-store/actor-store.ts +0 -210
  63. package/src/actor-store/blob/reader.ts +0 -160
  64. package/src/actor-store/blob/transactor.ts +0 -383
  65. package/src/actor-store/db/index.ts +0 -20
  66. package/src/actor-store/db/migrations/001-init.ts +0 -105
  67. package/src/actor-store/db/migrations/index.ts +0 -5
  68. package/src/actor-store/db/schema/account-pref.ts +0 -11
  69. package/src/actor-store/db/schema/backlink.ts +0 -9
  70. package/src/actor-store/db/schema/blob.ts +0 -14
  71. package/src/actor-store/db/schema/index.ts +0 -23
  72. package/src/actor-store/db/schema/record-blob.ts +0 -8
  73. package/src/actor-store/db/schema/record.ts +0 -14
  74. package/src/actor-store/db/schema/repo-block.ts +0 -10
  75. package/src/actor-store/db/schema/repo-root.ts +0 -10
  76. package/src/actor-store/migrate.ts +0 -39
  77. package/src/actor-store/preference/reader.ts +0 -48
  78. package/src/actor-store/preference/transactor.ts +0 -55
  79. package/src/actor-store/preference/util.ts +0 -39
  80. package/src/actor-store/record/reader.ts +0 -374
  81. package/src/actor-store/record/transactor.ts +0 -111
  82. package/src/actor-store/repo/reader.ts +0 -31
  83. package/src/actor-store/repo/sql-repo-reader.ts +0 -150
  84. package/src/actor-store/repo/sql-repo-transactor.ts +0 -105
  85. package/src/actor-store/repo/transactor.ts +0 -227
  86. package/src/api/app/bsky/actor/getPreferences.ts +0 -57
  87. package/src/api/app/bsky/actor/getProfile.ts +0 -41
  88. package/src/api/app/bsky/actor/getProfiles.ts +0 -51
  89. package/src/api/app/bsky/actor/index.ts +0 -13
  90. package/src/api/app/bsky/actor/putPreferences.ts +0 -62
  91. package/src/api/app/bsky/feed/getActorLikes.ts +0 -63
  92. package/src/api/app/bsky/feed/getAuthorFeed.ts +0 -84
  93. package/src/api/app/bsky/feed/getFeed.ts +0 -47
  94. package/src/api/app/bsky/feed/getPostThread.ts +0 -251
  95. package/src/api/app/bsky/feed/getTimeline.ts +0 -50
  96. package/src/api/app/bsky/feed/index.ts +0 -15
  97. package/src/api/app/bsky/index.ts +0 -11
  98. package/src/api/app/bsky/notification/index.ts +0 -7
  99. package/src/api/app/bsky/notification/registerPush.ts +0 -71
  100. package/src/api/app/bsky/util/resolver.ts +0 -20
  101. package/src/api/com/atproto/admin/deleteAccount.ts +0 -22
  102. package/src/api/com/atproto/admin/disableAccountInvites.ts +0 -18
  103. package/src/api/com/atproto/admin/disableInviteCodes.ts +0 -21
  104. package/src/api/com/atproto/admin/enableAccountInvites.ts +0 -18
  105. package/src/api/com/atproto/admin/getAccountInfo.ts +0 -32
  106. package/src/api/com/atproto/admin/getAccountInfos.ts +0 -34
  107. package/src/api/com/atproto/admin/getInviteCodes.ts +0 -126
  108. package/src/api/com/atproto/admin/getSubjectStatus.ts +0 -76
  109. package/src/api/com/atproto/admin/index.ts +0 -31
  110. package/src/api/com/atproto/admin/sendEmail.ts +0 -47
  111. package/src/api/com/atproto/admin/updateAccountEmail.ts +0 -32
  112. package/src/api/com/atproto/admin/updateAccountHandle.ts +0 -47
  113. package/src/api/com/atproto/admin/updateAccountPassword.ts +0 -34
  114. package/src/api/com/atproto/admin/updateSubjectStatus.ts +0 -68
  115. package/src/api/com/atproto/admin/util.ts +0 -66
  116. package/src/api/com/atproto/identity/getRecommendedDidCredentials.ts +0 -50
  117. package/src/api/com/atproto/identity/index.ts +0 -17
  118. package/src/api/com/atproto/identity/requestPlcOperationSignature.ts +0 -59
  119. package/src/api/com/atproto/identity/resolveHandle.ts +0 -50
  120. package/src/api/com/atproto/identity/signPlcOperation.ts +0 -85
  121. package/src/api/com/atproto/identity/submitPlcOperation.ts +0 -65
  122. package/src/api/com/atproto/identity/updateHandle.ts +0 -66
  123. package/src/api/com/atproto/index.ts +0 -19
  124. package/src/api/com/atproto/moderation/createReport.ts +0 -41
  125. package/src/api/com/atproto/moderation/index.ts +0 -7
  126. package/src/api/com/atproto/repo/applyWrites.ts +0 -226
  127. package/src/api/com/atproto/repo/createRecord.ts +0 -143
  128. package/src/api/com/atproto/repo/deleteRecord.ts +0 -122
  129. package/src/api/com/atproto/repo/describeRepo.ts +0 -43
  130. package/src/api/com/atproto/repo/getRecord.ts +0 -40
  131. package/src/api/com/atproto/repo/importRepo.ts +0 -101
  132. package/src/api/com/atproto/repo/index.ts +0 -25
  133. package/src/api/com/atproto/repo/listMissingBlobs.ts +0 -29
  134. package/src/api/com/atproto/repo/listRecords.ts +0 -36
  135. package/src/api/com/atproto/repo/putRecord.ts +0 -211
  136. package/src/api/com/atproto/repo/uploadBlob.ts +0 -60
  137. package/src/api/com/atproto/server/activateAccount.ts +0 -37
  138. package/src/api/com/atproto/server/checkAccountStatus.ts +0 -51
  139. package/src/api/com/atproto/server/confirmEmail.ts +0 -39
  140. package/src/api/com/atproto/server/createAccount.ts +0 -327
  141. package/src/api/com/atproto/server/createAppPassword.ts +0 -53
  142. package/src/api/com/atproto/server/createInviteCode.ts +0 -38
  143. package/src/api/com/atproto/server/createInviteCodes.ts +0 -42
  144. package/src/api/com/atproto/server/createSession.ts +0 -97
  145. package/src/api/com/atproto/server/deactivateAccount.ts +0 -41
  146. package/src/api/com/atproto/server/deleteAccount.ts +0 -85
  147. package/src/api/com/atproto/server/deleteSession.ts +0 -23
  148. package/src/api/com/atproto/server/describeServer.ts +0 -29
  149. package/src/api/com/atproto/server/getAccountInviteCodes.ts +0 -142
  150. package/src/api/com/atproto/server/getServiceAuth.ts +0 -111
  151. package/src/api/com/atproto/server/getSession.ts +0 -80
  152. package/src/api/com/atproto/server/index.ts +0 -55
  153. package/src/api/com/atproto/server/listAppPasswords.ts +0 -45
  154. package/src/api/com/atproto/server/refreshSession.ts +0 -72
  155. package/src/api/com/atproto/server/requestAccountDelete.ts +0 -66
  156. package/src/api/com/atproto/server/requestEmailConfirmation.ts +0 -68
  157. package/src/api/com/atproto/server/requestEmailUpdate.ts +0 -86
  158. package/src/api/com/atproto/server/requestPasswordReset.ts +0 -52
  159. package/src/api/com/atproto/server/reserveSigningKey.ts +0 -15
  160. package/src/api/com/atproto/server/resetPassword.ts +0 -50
  161. package/src/api/com/atproto/server/revokeAppPassword.ts +0 -42
  162. package/src/api/com/atproto/server/updateEmail.ts +0 -52
  163. package/src/api/com/atproto/server/util.ts +0 -136
  164. package/src/api/com/atproto/sync/deprecated/getCheckout.ts +0 -27
  165. package/src/api/com/atproto/sync/deprecated/getHead.ts +0 -33
  166. package/src/api/com/atproto/sync/getBlob.ts +0 -61
  167. package/src/api/com/atproto/sync/getBlocks.ts +0 -37
  168. package/src/api/com/atproto/sync/getLatestCommit.ts +0 -33
  169. package/src/api/com/atproto/sync/getRecord.ts +0 -49
  170. package/src/api/com/atproto/sync/getRepo.ts +0 -75
  171. package/src/api/com/atproto/sync/getRepoStatus.ts +0 -34
  172. package/src/api/com/atproto/sync/index.ts +0 -27
  173. package/src/api/com/atproto/sync/listBlobs.ts +0 -33
  174. package/src/api/com/atproto/sync/listRepos.ts +0 -74
  175. package/src/api/com/atproto/sync/subscribeRepos.ts +0 -73
  176. package/src/api/com/atproto/sync/util.ts +0 -37
  177. package/src/api/com/atproto/temp/checkSignupQueue.ts +0 -34
  178. package/src/api/com/atproto/temp/index.ts +0 -7
  179. package/src/api/index.ts +0 -10
  180. package/src/api/proxy.ts +0 -44
  181. package/src/app-view.ts +0 -24
  182. package/src/auth-output.ts +0 -52
  183. package/src/auth-routes.ts +0 -64
  184. package/src/auth-scope.ts +0 -40
  185. package/src/auth-verifier.ts +0 -668
  186. package/src/background.ts +0 -65
  187. package/src/basic-routes.ts +0 -52
  188. package/src/bsky-app-view.ts +0 -33
  189. package/src/config/config.ts +0 -553
  190. package/src/config/env.ts +0 -167
  191. package/src/config/index.ts +0 -3
  192. package/src/config/secrets.ts +0 -54
  193. package/src/context.ts +0 -523
  194. package/src/crawlers.ts +0 -46
  195. package/src/db/cast.ts +0 -52
  196. package/src/db/db.ts +0 -140
  197. package/src/db/index.ts +0 -4
  198. package/src/db/migrator.ts +0 -40
  199. package/src/db/pagination.ts +0 -132
  200. package/src/db/tables/moderation.ts +0 -80
  201. package/src/db/util.ts +0 -108
  202. package/src/did-cache/db/index.ts +0 -21
  203. package/src/did-cache/db/migrations.ts +0 -17
  204. package/src/did-cache/db/schema.ts +0 -9
  205. package/src/did-cache/index.ts +0 -131
  206. package/src/disk-blobstore.ts +0 -172
  207. package/src/error.ts +0 -19
  208. package/src/handle/explicit-slurs.ts +0 -22
  209. package/src/handle/index.ts +0 -49
  210. package/src/handle/reserved.ts +0 -1059
  211. package/src/image/image-url-builder.ts +0 -16
  212. package/src/index.ts +0 -189
  213. package/src/lexicons.ts +0 -4
  214. package/src/logger.ts +0 -35
  215. package/src/mailer/index.ts +0 -111
  216. package/src/mailer/moderation.ts +0 -33
  217. package/src/mailer/templates/confirm-email.d.ts +0 -4
  218. package/src/mailer/templates/confirm-email.hbs +0 -158
  219. package/src/mailer/templates/delete-account.d.ts +0 -4
  220. package/src/mailer/templates/delete-account.hbs +0 -156
  221. package/src/mailer/templates/plc-operation.d.ts +0 -4
  222. package/src/mailer/templates/plc-operation.hbs +0 -153
  223. package/src/mailer/templates/reset-password.d.ts +0 -4
  224. package/src/mailer/templates/reset-password.hbs +0 -154
  225. package/src/mailer/templates/update-email.d.ts +0 -4
  226. package/src/mailer/templates/update-email.hbs +0 -153
  227. package/src/mailer/templates.ts +0 -17
  228. package/src/pipethrough.ts +0 -716
  229. package/src/rate-limits.ts +0 -59
  230. package/src/read-after-write/index.ts +0 -3
  231. package/src/read-after-write/types.ts +0 -35
  232. package/src/read-after-write/util.ts +0 -101
  233. package/src/read-after-write/viewer.ts +0 -290
  234. package/src/redis.ts +0 -25
  235. package/src/repo/index.ts +0 -2
  236. package/src/repo/prepare.ts +0 -266
  237. package/src/repo/types.ts +0 -65
  238. package/src/scripts/README.md +0 -40
  239. package/src/scripts/index.ts +0 -20
  240. package/src/scripts/publish-identity.ts +0 -60
  241. package/src/scripts/rebuild-repo.ts +0 -119
  242. package/src/scripts/rotate-keys.ts +0 -146
  243. package/src/scripts/sequencer-recovery/index.ts +0 -23
  244. package/src/scripts/sequencer-recovery/recoverer.ts +0 -297
  245. package/src/scripts/sequencer-recovery/recovery-db.ts +0 -65
  246. package/src/scripts/sequencer-recovery/repair-repos.ts +0 -49
  247. package/src/scripts/sequencer-recovery/user-queues.ts +0 -44
  248. package/src/scripts/util.ts +0 -7
  249. package/src/sequencer/db/index.ts +0 -21
  250. package/src/sequencer/db/migrations/001-init.ts +0 -35
  251. package/src/sequencer/db/migrations/index.ts +0 -5
  252. package/src/sequencer/db/schema.ts +0 -19
  253. package/src/sequencer/events.ts +0 -199
  254. package/src/sequencer/index.ts +0 -3
  255. package/src/sequencer/outbox.ts +0 -123
  256. package/src/sequencer/sequencer.ts +0 -290
  257. package/src/util/compression.ts +0 -16
  258. package/src/util/debug.ts +0 -10
  259. package/src/util/http.ts +0 -31
  260. package/src/util/types.ts +0 -7
  261. package/src/well-known.ts +0 -30
  262. package/test.env +0 -2
  263. package/tests/__snapshots__/takedown-appeal.test.ts.snap +0 -43
  264. package/tests/_oauth_client_assets_middleware.ts +0 -23
  265. package/tests/_puppeteer.ts +0 -147
  266. package/tests/_types.d.ts +0 -16
  267. package/tests/_util.ts +0 -191
  268. package/tests/account-deactivation.test.ts +0 -204
  269. package/tests/account-deletion.test.ts +0 -300
  270. package/tests/account-manager.test.ts +0 -462
  271. package/tests/account-migration.test.ts +0 -221
  272. package/tests/account-status.test.ts +0 -206
  273. package/tests/account.test.ts +0 -595
  274. package/tests/app-passwords.test.ts +0 -262
  275. package/tests/auth.test.ts +0 -405
  276. package/tests/blob-deletes.test.ts +0 -204
  277. package/tests/create-post.test.ts +0 -79
  278. package/tests/crud.test.ts +0 -1595
  279. package/tests/db.test.ts +0 -170
  280. package/tests/email-confirmation.test.ts +0 -227
  281. package/tests/entryway-mock.ts +0 -323
  282. package/tests/entryway.test.ts +0 -145
  283. package/tests/file-uploads.test.ts +0 -301
  284. package/tests/get-service-auth.test.ts +0 -81
  285. package/tests/handle-validation.test.ts +0 -56
  286. package/tests/handles.test.ts +0 -274
  287. package/tests/invite-codes.test.ts +0 -367
  288. package/tests/invites-admin.test.ts +0 -252
  289. package/tests/moderation.test.ts +0 -280
  290. package/tests/moderator-auth.test.ts +0 -177
  291. package/tests/oauth.test.ts +0 -334
  292. package/tests/plc-operations.test.ts +0 -239
  293. package/tests/preferences.test.ts +0 -352
  294. package/tests/proxied/__snapshots__/admin.test.ts.snap +0 -516
  295. package/tests/proxied/__snapshots__/feedgen.test.ts.snap +0 -215
  296. package/tests/proxied/__snapshots__/views.test.ts.snap +0 -4456
  297. package/tests/proxied/admin.test.ts +0 -340
  298. package/tests/proxied/feedgen.test.ts +0 -66
  299. package/tests/proxied/notif.test.ts +0 -85
  300. package/tests/proxied/procedures.test.ts +0 -175
  301. package/tests/proxied/proxy-catchall.test.ts +0 -256
  302. package/tests/proxied/proxy-header.test.ts +0 -239
  303. package/tests/proxied/proxy-oauth-aud.test.ts +0 -182
  304. package/tests/proxied/read-after-write.test.ts +0 -382
  305. package/tests/proxied/views.test.ts +0 -608
  306. package/tests/races.test.ts +0 -89
  307. package/tests/rate-limits.test.ts +0 -70
  308. package/tests/recovery.test.ts +0 -180
  309. package/tests/seeds/basic.ts +0 -165
  310. package/tests/seeds/follows.ts +0 -57
  311. package/tests/seeds/likes.ts +0 -14
  312. package/tests/seeds/reposts.ts +0 -18
  313. package/tests/seeds/thread.ts +0 -40
  314. package/tests/seeds/users-bulk.ts +0 -246
  315. package/tests/seeds/users.ts +0 -67
  316. package/tests/sequencer.test.ts +0 -251
  317. package/tests/server.test.ts +0 -151
  318. package/tests/sync/invertible-ops.test.ts +0 -99
  319. package/tests/sync/list.test.ts +0 -43
  320. package/tests/sync/subscribe-repos.test.ts +0 -672
  321. package/tests/sync/sync.test.ts +0 -316
  322. package/tests/takedown-appeal.test.ts +0 -166
  323. package/tsconfig.build.json +0 -9
  324. package/tsconfig.build.tsbuildinfo +0 -1
  325. package/tsconfig.json +0 -7
  326. package/tsconfig.tests.json +0 -8
@@ -1,222 +0,0 @@
1
- import assert from 'node:assert'
2
- import { KeyObject } from 'node:crypto'
3
- import * as jose from 'jose'
4
- import * as ui8 from 'uint8arrays'
5
- import * as crypto from '@atproto/crypto'
6
- import { AuthScope } from '../../auth-scope.js'
7
- import { AccountDb } from '../db/index.js'
8
- import { AppPassDescript } from './password.js'
9
-
10
- export type AuthToken = {
11
- scope: AuthScope
12
- sub: string
13
- exp: number
14
- }
15
-
16
- export type RefreshToken = AuthToken & { scope: AuthScope.Refresh; jti: string }
17
-
18
- export const createTokens = async (opts: {
19
- did: string
20
- jwtKey: KeyObject
21
- serviceDid: string
22
- scope?: AuthScope
23
- jti?: string
24
- expiresIn?: string | number
25
- }) => {
26
- const { did, jwtKey, serviceDid, scope, jti, expiresIn } = opts
27
- const [accessJwt, refreshJwt] = await Promise.all([
28
- createAccessToken({ did, jwtKey, serviceDid, scope, expiresIn }),
29
- createRefreshToken({ did, jwtKey, serviceDid, jti, expiresIn }),
30
- ])
31
- return { accessJwt, refreshJwt }
32
- }
33
-
34
- export const createAccessToken = (opts: {
35
- did: string
36
- jwtKey: KeyObject
37
- serviceDid: string
38
- scope?: AuthScope
39
- expiresIn?: string | number
40
- }): Promise<string> => {
41
- const {
42
- did,
43
- jwtKey,
44
- serviceDid,
45
- scope = AuthScope.Access,
46
- expiresIn = '120mins',
47
- } = opts
48
- const signer = new jose.SignJWT({ scope })
49
- .setProtectedHeader({
50
- typ: 'at+jwt', // https://www.rfc-editor.org/rfc/rfc9068.html
51
- alg: 'HS256', // only symmetric keys supported
52
- })
53
- .setAudience(serviceDid)
54
- .setSubject(did)
55
- .setIssuedAt()
56
- .setExpirationTime(expiresIn)
57
- return signer.sign(jwtKey)
58
- }
59
-
60
- export const createRefreshToken = (opts: {
61
- did: string
62
- jwtKey: KeyObject
63
- serviceDid: string
64
- jti?: string
65
- expiresIn?: string | number
66
- }): Promise<string> => {
67
- const {
68
- did,
69
- jwtKey,
70
- serviceDid,
71
- jti = getRefreshTokenId(),
72
- expiresIn = '90days',
73
- } = opts
74
- const signer = new jose.SignJWT({ scope: AuthScope.Refresh })
75
- .setProtectedHeader({
76
- typ: 'refresh+jwt',
77
- alg: 'HS256', // only symmetric keys supported
78
- })
79
- .setAudience(serviceDid)
80
- .setSubject(did)
81
- .setJti(jti)
82
- .setIssuedAt()
83
- .setExpirationTime(expiresIn)
84
- return signer.sign(jwtKey)
85
- }
86
-
87
- // @NOTE unsafe for verification, should only be used w/ direct output from createRefreshToken() or createTokens()
88
- export const decodeRefreshToken = (jwt: string) => {
89
- const token = jose.decodeJwt(jwt)
90
- assert.ok(token.scope === AuthScope.Refresh, 'not a refresh token')
91
- return token as RefreshToken
92
- }
93
-
94
- export const storeRefreshToken = async (
95
- db: AccountDb,
96
- payload: RefreshToken,
97
- appPassword: AppPassDescript | null,
98
- ) => {
99
- const [result] = await db.executeWithRetry(
100
- db.db
101
- .insertInto('refresh_token')
102
- .values({
103
- id: payload.jti,
104
- did: payload.sub,
105
- appPasswordName: appPassword?.name,
106
- expiresAt: new Date(payload.exp * 1000).toISOString(),
107
- })
108
- .onConflict((oc) => oc.doNothing()), // E.g. when re-granting during a refresh grace period
109
- )
110
- return result
111
- }
112
-
113
- export const getRefreshToken = async (db: AccountDb, id: string) => {
114
- const res = await db.db
115
- .selectFrom('refresh_token')
116
- .leftJoin('app_password', (join) =>
117
- join
118
- .onRef('app_password.did', '=', 'refresh_token.did')
119
- .onRef('app_password.name', '=', 'refresh_token.appPasswordName'),
120
- )
121
- .where('id', '=', id)
122
- .selectAll('refresh_token')
123
- .select('app_password.privileged')
124
- .executeTakeFirst()
125
- if (!res) return null
126
- const { did, expiresAt, appPasswordName, nextId, privileged } = res
127
- return {
128
- id,
129
- did,
130
- expiresAt,
131
- nextId,
132
- appPassword: appPasswordName
133
- ? {
134
- name: appPasswordName,
135
- privileged: privileged === 1 ? true : false,
136
- }
137
- : null,
138
- }
139
- }
140
-
141
- export const deleteExpiredRefreshTokens = async (
142
- db: AccountDb,
143
- did: string,
144
- now: string,
145
- ) => {
146
- await db.executeWithRetry(
147
- db.db
148
- .deleteFrom('refresh_token')
149
- .where('did', '=', did)
150
- .where('expiresAt', '<=', now),
151
- )
152
- }
153
-
154
- export const addRefreshGracePeriod = async (
155
- db: AccountDb,
156
- opts: {
157
- id: string
158
- expiresAt: string
159
- nextId: string
160
- },
161
- ) => {
162
- const { id, expiresAt, nextId } = opts
163
- const [res] = await db.executeWithRetry(
164
- db.db
165
- .updateTable('refresh_token')
166
- .where('id', '=', id)
167
- .where((eb) =>
168
- eb.or([eb('nextId', 'is', null), eb('nextId', '=', nextId)]),
169
- )
170
- .set({ expiresAt, nextId })
171
- .returningAll(),
172
- )
173
- if (!res) {
174
- throw new ConcurrentRefreshError()
175
- }
176
- }
177
-
178
- export const revokeRefreshToken = async (db: AccountDb, id: string) => {
179
- const [{ numDeletedRows }] = await db.executeWithRetry(
180
- db.db.deleteFrom('refresh_token').where('id', '=', id),
181
- )
182
- return numDeletedRows > 0
183
- }
184
-
185
- export const revokeRefreshTokensByDid = async (db: AccountDb, did: string) => {
186
- const [{ numDeletedRows }] = await db.executeWithRetry(
187
- db.db.deleteFrom('refresh_token').where('did', '=', did),
188
- )
189
- return numDeletedRows > 0
190
- }
191
-
192
- export const revokeAppPasswordRefreshToken = async (
193
- db: AccountDb,
194
- did: string,
195
- appPassName: string,
196
- ) => {
197
- const [{ numDeletedRows }] = await db.executeWithRetry(
198
- db.db
199
- .deleteFrom('refresh_token')
200
- .where('did', '=', did)
201
- .where('appPasswordName', '=', appPassName),
202
- )
203
-
204
- return numDeletedRows > 0
205
- }
206
-
207
- export const getRefreshTokenId = () => {
208
- return ui8.toString(crypto.randomBytes(32), 'base64')
209
- }
210
-
211
- export const formatScope = (
212
- appPassword: AppPassDescript | null,
213
- isSoftDeleted?: boolean,
214
- ): AuthScope => {
215
- if (isSoftDeleted) return AuthScope.Takendown
216
- if (!appPassword) return AuthScope.Access
217
- return appPassword.privileged
218
- ? AuthScope.AppPassPrivileged
219
- : AuthScope.AppPass
220
- }
221
-
222
- export class ConcurrentRefreshError extends Error {}
@@ -1,90 +0,0 @@
1
- import assert from 'node:assert'
2
- import { Insertable, Selectable } from 'kysely'
3
- import {
4
- Code,
5
- FoundRequestResult,
6
- RequestData,
7
- RequestId,
8
- UpdateRequestData,
9
- } from '@atproto/oauth-provider'
10
- import { fromDateISO, fromJson, toDateISO, toJson } from '../../db/index.js'
11
- import { AccountDb, AuthorizationRequest } from '../db/index.js'
12
-
13
- export const rowToRequestData = (
14
- row: Selectable<AuthorizationRequest>,
15
- ): RequestData => ({
16
- clientId: row.clientId,
17
- clientAuth: fromJson(row.clientAuth),
18
- parameters: fromJson(row.parameters),
19
- expiresAt: fromDateISO(row.expiresAt),
20
- deviceId: row.deviceId,
21
- did: row.did,
22
- code: row.code,
23
- })
24
-
25
- export const rowToFoundRequestResult = (
26
- row: Selectable<AuthorizationRequest>,
27
- ): FoundRequestResult => ({
28
- requestId: row.id,
29
- data: rowToRequestData(row),
30
- })
31
-
32
- const requestDataToRow = (
33
- id: RequestId,
34
- data: RequestData,
35
- ): Insertable<AuthorizationRequest> => ({
36
- id,
37
- did: data.did,
38
- deviceId: data.deviceId,
39
-
40
- clientId: data.clientId,
41
- clientAuth: toJson(data.clientAuth),
42
- parameters: toJson(data.parameters),
43
- expiresAt: toDateISO(data.expiresAt),
44
- code: data.code,
45
- })
46
-
47
- export const createQB = (db: AccountDb, id: RequestId, data: RequestData) =>
48
- db.db.insertInto('authorization_request').values(requestDataToRow(id, data))
49
-
50
- export const readQB = (db: AccountDb, id: RequestId) =>
51
- db.db.selectFrom('authorization_request').where('id', '=', id).selectAll()
52
-
53
- export const updateQB = (
54
- db: AccountDb,
55
- id: RequestId,
56
- { code, did, deviceId, expiresAt, parameters, ...rest }: UpdateRequestData,
57
- ) => {
58
- assert(!Object.keys(rest).length, 'Unexpected fields in UpdateRequestData')
59
- return db.db
60
- .updateTable('authorization_request')
61
- .$if(code !== undefined, (qb) => qb.set({ code }))
62
- .$if(did !== undefined, (qb) => qb.set({ did }))
63
- .$if(deviceId !== undefined, (qb) => qb.set({ deviceId }))
64
- .$if(expiresAt != null, (qb) =>
65
- qb.set({ expiresAt: toDateISO(expiresAt!) }),
66
- )
67
- .$if(parameters != null, (qb) =>
68
- qb.set({ parameters: toJson(parameters!) }),
69
- )
70
- .where('id', '=', id)
71
- }
72
-
73
- export const removeOldExpiredQB = (db: AccountDb, delay = 600e3) =>
74
- // We allow some delay for the expiration time so that expired requests
75
- // can still be returned to the OAuthProvider library for error handling.
76
- db.db
77
- .deleteFrom('authorization_request')
78
- // uses "authorization_request_expires_at_idx" index
79
- .where('expiresAt', '<', toDateISO(new Date(Date.now() - delay)))
80
-
81
- export const removeByIdQB = (db: AccountDb, id: RequestId) =>
82
- db.db.deleteFrom('authorization_request').where('id', '=', id)
83
-
84
- export const consumeByCodeQB = (db: AccountDb, code: Code) =>
85
- db.db
86
- .deleteFrom('authorization_request')
87
- // uses "authorization_request_code_idx" partial index (hence the null check)
88
- .where('code', '=', code)
89
- .where('code', 'is not', null)
90
- .returningAll()
@@ -1,75 +0,0 @@
1
- import {
2
- AuthorizedClientData,
3
- AuthorizedClients,
4
- ClientId,
5
- Did,
6
- } from '@atproto/oauth-provider'
7
- import { fromJson, toDateISO, toJson } from '../../db/index.js'
8
- import { AccountDb } from '../db/index.js'
9
-
10
- export async function upsert(
11
- db: AccountDb,
12
- did: Did,
13
- clientId: ClientId,
14
- data: AuthorizedClientData,
15
- ) {
16
- const now = new Date()
17
-
18
- return db.db
19
- .insertInto('authorized_client')
20
- .values({
21
- did,
22
- clientId,
23
- createdAt: toDateISO(now),
24
- updatedAt: toDateISO(now),
25
- data: toJson(data),
26
- })
27
- .onConflict((oc) =>
28
- // uses "authorized_client_pk" idx
29
- oc.columns(['did', 'clientId']).doUpdateSet({
30
- updatedAt: toDateISO(now),
31
- data: toJson(data),
32
- }),
33
- )
34
- .executeTakeFirst()
35
- }
36
-
37
- export async function getAuthorizedClients(
38
- db: AccountDb,
39
- did: Did,
40
- ): Promise<AuthorizedClients> {
41
- return (await getAuthorizedClientsMulti(db, [did])).get(did)!
42
- }
43
-
44
- export async function deleteAllAuthorizedClients(db: AccountDb, did: Did) {
45
- await db.executeWithRetry(
46
- db.db.deleteFrom('authorized_client').where('did', '=', did),
47
- )
48
- }
49
-
50
- export async function getAuthorizedClientsMulti(
51
- db: AccountDb,
52
- dids: Iterable<Did>,
53
- ): Promise<Map<Did, AuthorizedClients>> {
54
- // Using a Map will ensure unicity of dids (through unicity of keys)
55
- const map = new Map<Did, AuthorizedClients>(
56
- Array.from(dids, (did) => [did, new Map()]),
57
- )
58
-
59
- if (map.size) {
60
- const found = await db.db
61
- .selectFrom('authorized_client')
62
- .select('did')
63
- .select('clientId')
64
- .select('data')
65
- // uses "authorized_client_pk"
66
- .where('did', 'in', [...map.keys()])
67
- .execute()
68
-
69
- for (const { did, clientId, data } of found) {
70
- map.get(did)!.set(clientId, fromJson(data))
71
- }
72
- }
73
-
74
- return map
75
- }
@@ -1,47 +0,0 @@
1
- import { Selectable } from 'kysely'
2
- import { DeviceData, DeviceId } from '@atproto/oauth-provider'
3
- import { fromDateISO, toDateISO } from '../../db/index.js'
4
- import { AccountDb, Device } from '../db/index.js'
5
-
6
- export const rowToDeviceData = (
7
- row: Omit<Selectable<Device>, 'id'>,
8
- ): DeviceData => ({
9
- sessionId: row.sessionId,
10
- userAgent: row.userAgent,
11
- ipAddress: row.ipAddress,
12
- lastSeenAt: fromDateISO(row.lastSeenAt),
13
- })
14
-
15
- export const createQB = (
16
- db: AccountDb,
17
- deviceId: DeviceId,
18
- { sessionId, userAgent, ipAddress, lastSeenAt }: DeviceData,
19
- ) =>
20
- db.db.insertInto('device').values({
21
- id: deviceId,
22
- sessionId,
23
- userAgent,
24
- ipAddress,
25
- lastSeenAt: toDateISO(lastSeenAt),
26
- })
27
-
28
- export const readQB = (db: AccountDb, deviceId: DeviceId) =>
29
- db.db.selectFrom('device').where('id', '=', deviceId).selectAll()
30
-
31
- export const updateQB = (
32
- db: AccountDb,
33
- deviceId: DeviceId,
34
- { sessionId, userAgent, ipAddress, lastSeenAt }: Partial<DeviceData>,
35
- ) =>
36
- db.db
37
- .updateTable('device')
38
- .$if(sessionId != null, (qb) => qb.set({ sessionId }))
39
- .$if(userAgent != null, (qb) => qb.set({ userAgent }))
40
- .$if(ipAddress != null, (qb) => qb.set({ ipAddress }))
41
- .$if(lastSeenAt != null, (qb) =>
42
- qb.set({ lastSeenAt: toDateISO(lastSeenAt!) }),
43
- )
44
- .where('id', '=', deviceId)
45
-
46
- export const removeQB = (db: AccountDb, deviceId: DeviceId) =>
47
- db.db.deleteFrom('device').where('id', '=', deviceId)
@@ -1,87 +0,0 @@
1
- import { MINUTE, lessThanAgoMs } from '@atproto/common'
2
- import { DidString, currentDatetimeString } from '@atproto/lex'
3
- import { InvalidRequestError } from '@atproto/xrpc-server'
4
- import { getRandomToken } from '../../api/com/atproto/server/util.js'
5
- import { AccountDb, EmailTokenPurpose } from '../db/index.js'
6
-
7
- export const createEmailToken = async (
8
- db: AccountDb,
9
- did: DidString,
10
- purpose: EmailTokenPurpose,
11
- ): Promise<string> => {
12
- const token = getRandomToken().toUpperCase()
13
- const now = currentDatetimeString()
14
- await db.executeWithRetry(
15
- db.db
16
- .insertInto('email_token')
17
- .values({ purpose, did, token, requestedAt: now })
18
- .onConflict((oc) =>
19
- oc.columns(['purpose', 'did']).doUpdateSet({ token, requestedAt: now }),
20
- ),
21
- )
22
- return token
23
- }
24
-
25
- export const deleteEmailToken = async (
26
- db: AccountDb,
27
- did: DidString,
28
- purpose: EmailTokenPurpose,
29
- ) => {
30
- await db.executeWithRetry(
31
- db.db
32
- .deleteFrom('email_token')
33
- .where('did', '=', did)
34
- .where('purpose', '=', purpose),
35
- )
36
- }
37
-
38
- export const deleteAllEmailTokens = async (db: AccountDb, did: DidString) => {
39
- await db.executeWithRetry(
40
- db.db.deleteFrom('email_token').where('did', '=', did),
41
- )
42
- }
43
-
44
- export const assertValidToken = async (
45
- db: AccountDb,
46
- did: DidString,
47
- purpose: EmailTokenPurpose,
48
- token: string,
49
- expirationLen = 15 * MINUTE,
50
- ) => {
51
- const res = await db.db
52
- .selectFrom('email_token')
53
- .selectAll()
54
- .where('purpose', '=', purpose)
55
- .where('did', '=', did)
56
- .where('token', '=', token.toUpperCase())
57
- .executeTakeFirst()
58
- if (!res) {
59
- throw new InvalidRequestError('Token is invalid', 'InvalidToken')
60
- }
61
- const expired = !lessThanAgoMs(new Date(res.requestedAt), expirationLen)
62
- if (expired) {
63
- throw new InvalidRequestError('Token is expired', 'ExpiredToken')
64
- }
65
- }
66
-
67
- export const assertValidTokenAndFindDid = async (
68
- db: AccountDb,
69
- purpose: EmailTokenPurpose,
70
- token: string,
71
- expirationLen = 15 * MINUTE,
72
- ): Promise<DidString> => {
73
- const res = await db.db
74
- .selectFrom('email_token')
75
- .select(['did', 'requestedAt'])
76
- .where('purpose', '=', purpose)
77
- .where('token', '=', token.toUpperCase())
78
- .executeTakeFirst()
79
- if (!res) {
80
- throw new InvalidRequestError('Token is invalid', 'InvalidToken')
81
- }
82
- const expired = !lessThanAgoMs(new Date(res.requestedAt), expirationLen)
83
- if (expired) {
84
- throw new InvalidRequestError('Token is expired', 'ExpiredToken')
85
- }
86
- return res.did
87
- }