@clioplaylists/clio 0.1.0

package/dist/.env

@@ -0,0 +1,7 @@
+NODE_ENV='development'
+CLIO_VERSION=v0.0.1
+CLIO_PORT=8000
+DID_PLC_URL='https://plc.directory'
+LOG_ENABLED=true
+LOG_DESTINATION=
+LEG_LEVEL=debug

package/dist/api/com/clioplaylists/alpha/actor/getProfile.js

@@ -0,0 +1,37 @@
+"use strict";
+// import AppContext from '../../../../../context'
+// import { Server } from '../../../../../lexicons'
+// import { OutputSchema } from '../../../../../lexicons/types/com/clioplaylists/alpha/feed/getSongs'
+// import { Record as SongRecord } from '../../../../../lexicons/types/com/clioplaylists/alpha/feed/song'
+// import { parseRecord } from '../../../../../util'
+// import { resHeaders } from '../../../../util'
+// export default function (server: Server, ctx: AppContext) {
+//   server.com.clioplaylists.alpha.feed.getSongs({
+//     handler: async ({ params, auth, req }) => {
+//       const res = await ctx.dataplane.getSongRecords({})
+//       let results: OutputSchema = {
+//         songs: []
+//       }
+//       res.records.forEach((recordWrapper) => {
+//         const recordRes = parseRecord<SongRecord>(recordWrapper, false)
+//         if (!recordRes) {
+//           console.log("Could not deserialize SongRecord")
+//           return
+//         }
+//         results.songs.push({
+//           trackName: recordRes.record.trackName,
+//           trackMbId: recordRes.record.trackMbId,
+//           artistNames: recordRes.record.artistNames,
+//           artistMbIds: recordRes.record.artistMbIds,
+//           albumArtwork: recordRes.record.albumArtwork,
+//           createdAt: recordRes.record.createdAt
+//         })
+//       })
+//       return {
+//         encoding: 'application/json',
+//         body: results,
+//         headers: resHeaders({}),
+//       }
+//     }
+//   })
+// }

package/dist/api/com/clioplaylists/alpha/feed/getSongs.js

@@ -0,0 +1,37 @@
+"use strict";
+// import AppContext from '../../../../../context'
+// import { Server } from '../../../../../lexicons'
+// import { OutputSchema } from '../../../../../lexicons/types/com/clioplaylists/alpha/feed/getSongs'
+// import { Record as SongRecord } from '../../../../../lexicons/types/com/clioplaylists/alpha/feed/song'
+// import { parseRecord } from '../../../../../util'
+// import { resHeaders } from '../../../../util'
+// export default function (server: Server, ctx: AppContext) {
+//   server.com.clioplaylists.alpha.feed.getSongs({
+//     handler: async ({ params, auth, req }) => {
+//       const res = await ctx.dataplane.getSongRecords({})
+//       let results: OutputSchema = {
+//         songs: []
+//       }
+//       res.records.forEach((recordWrapper) => {
+//         const recordRes = parseRecord<SongRecord>(recordWrapper, false)
+//         if (!recordRes) {
+//           console.log("Could not deserialize SongRecord")
+//           return
+//         }
+//         results.songs.push({
+//           trackName: recordRes.record.trackName,
+//           trackMbId: recordRes.record.trackMbId,
+//           artistNames: recordRes.record.artistNames,
+//           artistMbIds: recordRes.record.artistMbIds,
+//           albumArtwork: recordRes.record.albumArtwork,
+//           createdAt: recordRes.record.createdAt
+//         })
+//       })
+//       return {
+//         encoding: 'application/json',
+//         body: results,
+//         headers: resHeaders({}),
+//       }
+//     }
+//   })
+// }

package/dist/api/health.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createRouter = void 0;
+const express_1 = __importDefault(require("express"));
+const createRouter = (ctx) => {
+    const router = express_1.default.Router();
+    router.get('/', function (req, res) {
+        res.type('text/plain');
+        res.send(`
+  ___  __    ____  _____ 
+ / __)(  )  (_  _)(  _  )
+( (__  )(__  _)(_  )(_)( 
+ \___)(____)(____)(_____)
+
+This is an AT Protocol Application View (AppView) for the "clioplaylists.com" application.
+
+Most API routes are under /xrpc/
+
+      Code: https://github.com/Hoid/clio-api
+  Protocol: https://atproto.com
+`);
+    });
+    router.get('/xrpc/_health', async function (req, res) {
+        const { version } = ctx.cfg;
+        res.send({ version });
+    });
+    return router;
+};
+exports.createRouter = createRouter;

package/dist/api/index.js

@@ -0,0 +1,43 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.health = void 0;
+exports.default = default_1;
+// import getSongs from './com/clioplaylists/alpha/feed/getSongs'
+exports.health = __importStar(require("./health"));
+function default_1(server, ctx) {
+    // getSongs(server, ctx)
+    return server;
+}

package/dist/api/util.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resHeaders = exports.ATPROTO_REPO_REV = exports.ATPROTO_CONTENT_LABELERS = void 0;
+const util_1 = require("../util");
+exports.ATPROTO_CONTENT_LABELERS = 'Atproto-Content-Labelers';
+exports.ATPROTO_REPO_REV = 'Atproto-Repo-Rev';
+const resHeaders = (opts) => {
+    const headers = {};
+    if (opts.labelers) {
+        headers[exports.ATPROTO_CONTENT_LABELERS] = (0, util_1.formatLabelerHeader)(opts.labelers);
+    }
+    if (opts.repoRev) {
+        headers[exports.ATPROTO_REPO_REV] = opts.repoRev;
+    }
+    return headers;
+};
+exports.resHeaders = resHeaders;

package/dist/auth-verifier.js

@@ -0,0 +1,473 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifySignatureWithKey = exports.createPublicKeyObject = exports.buildBasicAuth = exports.parseBasicAuth = exports.AuthVerifier = exports.RoleStatus = void 0;
+const xrpc_server_1 = require("@atproto/xrpc-server");
+const jose = __importStar(require("jose"));
+const key_encoder_1 = __importDefault(require("key-encoder"));
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const ui8 = __importStar(require("uint8arrays"));
+// import { GetIdentityByDidResponse } from './proto/bsky_pb'
+const crypto_1 = require("@atproto/crypto");
+var RoleStatus;
+(function (RoleStatus) {
+    RoleStatus[RoleStatus["Valid"] = 0] = "Valid";
+    RoleStatus[RoleStatus["Invalid"] = 1] = "Invalid";
+    RoleStatus[RoleStatus["Missing"] = 2] = "Missing";
+})(RoleStatus || (exports.RoleStatus = RoleStatus = {}));
+const ALLOWED_AUTH_SCOPES = new Set([
+    'com.atproto.access',
+    'com.atproto.appPass',
+    'com.atproto.appPassPrivileged',
+]);
+class AuthVerifier {
+    constructor(dataplane, opts) {
+        Object.defineProperty(this, "dataplane", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: dataplane
+        });
+        Object.defineProperty(this, "ownDid", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "standardAudienceDids", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "modServiceDid", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "adminPasses", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "entrywayJwtPublicKey", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        // verifiers (arrow fns to preserve scope)
+        Object.defineProperty(this, "standardOptionalParameterized", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: (opts) => async (ctx) => {
+                // @TODO remove! basic auth + did supported just for testing.
+                if (isBasicToken(ctx.req)) {
+                    const aud = this.ownDid;
+                    const iss = ctx.req.headers['appview-as-did'];
+                    if (typeof iss !== 'string' || !iss.startsWith('did:')) {
+                        throw new xrpc_server_1.AuthRequiredError('bad issuer');
+                    }
+                    if (!this.parseRoleCreds(ctx.req).admin) {
+                        throw new xrpc_server_1.AuthRequiredError('bad credentials');
+                    }
+                    return {
+                        credentials: { type: 'standard', iss, aud },
+                    };
+                }
+                else if (isBearerToken(ctx.req)) {
+                    // @NOTE temporarily accept entryway session tokens to shed load from PDS instances
+                    const token = bearerTokenFromReq(ctx.req);
+                    const header = token ? jose.decodeProtectedHeader(token) : undefined;
+                    if (header?.typ === 'at+jwt') {
+                        // we should never use entryway session tokens in the case of flexible auth audiences (namely in the case of getFeed)
+                        if (opts.skipAudCheck) {
+                            throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
+                        }
+                        return this.entrywaySession(ctx);
+                    }
+                    // const { iss, aud } = await this.verifyServiceJwt(ctx, {
+                    //   lxmCheck: opts.lxmCheck,
+                    //   iss: null,
+                    //   aud: null,
+                    // })
+                    const { aud } = {
+                        // iss: '',
+                        aud: '',
+                    };
+                    if (!opts.skipAudCheck && !this.standardAudienceDids.has(aud)) {
+                        throw new xrpc_server_1.AuthRequiredError('jwt audience does not match service did', 'BadJwtAudience');
+                    }
+                    return {
+                        credentials: {
+                            type: 'standard',
+                            iss: '',
+                            aud: '',
+                        },
+                    };
+                }
+                else {
+                    return this.nullCreds();
+                }
+            }
+        });
+        Object.defineProperty(this, "standardOptional", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: this.standardOptionalParameterized({})
+        });
+        Object.defineProperty(this, "standard", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (ctx) => {
+                const output = await this.standardOptional(ctx);
+                if (output.credentials.type === 'none') {
+                    throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
+                }
+                return output;
+            }
+        });
+        Object.defineProperty(this, "role", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: (ctx) => {
+                const creds = this.parseRoleCreds(ctx.req);
+                if (creds.status !== RoleStatus.Valid) {
+                    throw new xrpc_server_1.AuthRequiredError();
+                }
+                return {
+                    credentials: {
+                        ...creds,
+                        type: 'role',
+                    },
+                };
+            }
+        });
+        Object.defineProperty(this, "standardOrRole", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (ctx) => {
+                if (isBearerToken(ctx.req)) {
+                    return this.standard(ctx);
+                }
+                else {
+                    return this.role(ctx);
+                }
+            }
+        });
+        Object.defineProperty(this, "optionalStandardOrRole", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (ctx) => {
+                if (isBearerToken(ctx.req)) {
+                    return await this.standard(ctx);
+                }
+                else {
+                    const creds = this.parseRoleCreds(ctx.req);
+                    if (creds.status === RoleStatus.Valid) {
+                        return {
+                            credentials: {
+                                ...creds,
+                                type: 'role',
+                            },
+                        };
+                    }
+                    else if (creds.status === RoleStatus.Missing) {
+                        return this.nullCreds();
+                    }
+                    else {
+                        throw new xrpc_server_1.AuthRequiredError();
+                    }
+                }
+            }
+        });
+        // @NOTE this auth verifier method is not recommended to be implemented by most appviews
+        // this is a short term fix to remove proxy load from Bluesky's PDS and in line with possible
+        // future plans to have the client talk directly with the appview
+        Object.defineProperty(this, "entrywaySession", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (reqCtx) => {
+                const token = bearerTokenFromReq(reqCtx.req);
+                if (!token) {
+                    throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
+                }
+                // if entryway jwt key not configured then do not parsed these tokens
+                if (!this.entrywayJwtPublicKey) {
+                    throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
+                }
+                const res = await jose
+                    .jwtVerify(token, this.entrywayJwtPublicKey)
+                    .catch((err) => {
+                    if (err?.['code'] === 'ERR_JWT_EXPIRED') {
+                        throw new xrpc_server_1.AuthRequiredError('Token has expired', 'ExpiredToken');
+                    }
+                    throw new xrpc_server_1.AuthRequiredError('Token could not be verified', 'InvalidToken');
+                });
+                const { sub, aud, scope } = res.payload;
+                if (typeof sub !== 'string' || !sub.startsWith('did:')) {
+                    throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
+                }
+                else if (typeof aud !== 'string' ||
+                    !aud.startsWith('did:web:') ||
+                    !aud.endsWith('.bsky.network')) {
+                    throw new xrpc_server_1.AuthRequiredError('Bad token aud', 'InvalidToken');
+                }
+                else if (typeof scope !== 'string' || !ALLOWED_AUTH_SCOPES.has(scope)) {
+                    throw new xrpc_server_1.AuthRequiredError('Bad token scope', 'InvalidToken');
+                }
+                return {
+                    credentials: {
+                        type: 'standard',
+                        aud: this.ownDid,
+                        iss: sub,
+                    },
+                };
+            }
+        });
+        this.ownDid = opts.ownDid;
+        this.standardAudienceDids = new Set([
+            opts.ownDid,
+            ...opts.alternateAudienceDids,
+        ]);
+        this.modServiceDid = opts.modServiceDid;
+        this.adminPasses = new Set(opts.adminPasses);
+        this.entrywayJwtPublicKey = opts.entrywayJwtPublicKey;
+    }
+    // modService = async (reqCtx: ReqCtx): Promise<ModServiceOutput> => {
+    //   const { iss, aud } = await this.verifyServiceJwt(reqCtx, {
+    //     aud: this.ownDid,
+    //     iss: [this.modServiceDid, `${this.modServiceDid}#atproto_labeler`],
+    //   })
+    //   return { credentials: { type: 'mod_service', aud, iss } }
+    // }
+    // roleOrModService = async (
+    //   reqCtx: ReqCtx,
+    // ): Promise<RoleOutput | ModServiceOutput> => {
+    //   if (isBearerToken(reqCtx.req)) {
+    //     return this.modService(reqCtx)
+    //   } else {
+    //     return this.role(reqCtx)
+    //   }
+    // }
+    parseRoleCreds(req) {
+        const parsed = (0, exports.parseBasicAuth)(req.headers.authorization || '');
+        const { Missing, Valid, Invalid } = RoleStatus;
+        if (!parsed) {
+            return { status: Missing, admin: false, moderator: false, triage: false };
+        }
+        const { username, password } = parsed;
+        if (username === 'admin' && this.adminPasses.has(password)) {
+            return { status: Valid, admin: true };
+        }
+        return { status: Invalid, admin: false };
+    }
+    // async verifyServiceJwt(
+    //   reqCtx: ReqCtx,
+    //   opts: {
+    //     iss: string[] | null
+    //     aud: string | null
+    //     lxmCheck?: (method?: string) => boolean
+    //   },
+    // ) {
+    //   const getSigningKey = async (
+    //     iss: string,
+    //     _forceRefresh: boolean, // @TODO consider propagating to dataplane
+    //   ): Promise<string> => {
+    //     if (opts.iss !== null && !opts.iss.includes(iss)) {
+    //       throw new AuthRequiredError('Untrusted issuer', 'UntrustedIss')
+    //     }
+    //     const [did, serviceId] = iss.split('#')
+    //     const keyId =
+    //       serviceId === 'atproto_labeler' ? 'atproto_label' : 'atproto'
+    //     let identity: GetIdentityByDidResponse
+    //     try {
+    //       identity = await this.dataplane.getIdentityByDid({ did })
+    //     } catch (err) {
+    //       if (isDataplaneError(err, Code.NotFound)) {
+    //         throw new AuthRequiredError('identity unknown')
+    //       }
+    //       throw err
+    //     }
+    //     const keys = unpackIdentityKeys(identity.keys)
+    //     const didKey = getKeyAsDidKey(keys, { id: keyId })
+    //     if (!didKey) {
+    //       throw new AuthRequiredError('missing or bad key')
+    //     }
+    //     return didKey
+    //   }
+    //   const assertLxmCheck = () => {
+    //     const lxm = parseReqNsid(reqCtx.req)
+    //     if (
+    //       (opts.lxmCheck && !opts.lxmCheck(payload.lxm)) ||
+    //       (!opts.lxmCheck && payload.lxm !== lxm)
+    //     ) {
+    //       throw new AuthRequiredError(
+    //         payload.lxm !== undefined
+    //           ? `bad jwt lexicon method ("lxm"). must match: ${lxm}`
+    //           : `missing jwt lexicon method ("lxm"). must match: ${lxm}`,
+    //         'BadJwtLexiconMethod',
+    //       )
+    //     }
+    //   }
+    //   const jwtStr = bearerTokenFromReq(reqCtx.req)
+    //   if (!jwtStr) {
+    //     throw new AuthRequiredError('missing jwt', 'MissingJwt')
+    //   }
+    //   // if validating additional scopes, skip scope check in initial validation & follow up afterwards
+    //   const payload = await verifyServiceJwt(
+    //     jwtStr,
+    //     opts.aud,
+    //     null,
+    //     getSigningKey,
+    //     verifySignatureWithKey,
+    //   )
+    //   if (
+    //     !payload.iss.endsWith('#atproto_labeler') ||
+    //     payload.lxm !== undefined
+    //   ) {
+    //     // @TODO currently permissive of labelers who dont set lxm yet.
+    //     // we'll allow ozone self-hosters to upgrade before removing this condition.
+    //     assertLxmCheck()
+    //   }
+    //   return { iss: payload.iss, aud: payload.aud }
+    // }
+    isModService(iss) {
+        return [
+            this.modServiceDid,
+            `${this.modServiceDid}#atproto_labeler`,
+        ].includes(iss);
+    }
+    nullCreds() {
+        return {
+            credentials: {
+                type: 'none',
+                iss: null,
+            },
+        };
+    }
+    parseCreds(creds) {
+        const viewer = creds.credentials.type === 'standard' ? creds.credentials.iss : null;
+        const includeTakedownsAnd3pBlocks = (creds.credentials.type === 'role' && creds.credentials.admin) ||
+            creds.credentials.type === 'mod_service' ||
+            (creds.credentials.type === 'standard' &&
+                this.isModService(creds.credentials.iss));
+        const canPerformTakedown = (creds.credentials.type === 'role' && creds.credentials.admin) ||
+            creds.credentials.type === 'mod_service';
+        return {
+            viewer,
+            includeTakedowns: includeTakedownsAnd3pBlocks,
+            include3pBlocks: includeTakedownsAnd3pBlocks,
+            canPerformTakedown,
+        };
+    }
+}
+exports.AuthVerifier = AuthVerifier;
+// HELPERS
+// ---------
+const BEARER = 'Bearer ';
+const BASIC = 'Basic ';
+const isBearerToken = (req) => {
+    return req.headers.authorization?.startsWith(BEARER) ?? false;
+};
+const isBasicToken = (req) => {
+    return req.headers.authorization?.startsWith(BASIC) ?? false;
+};
+const bearerTokenFromReq = (req) => {
+    const header = req.headers.authorization || '';
+    if (!header.startsWith(BEARER))
+        return null;
+    return header.slice(BEARER.length).trim();
+};
+const parseBasicAuth = (token) => {
+    if (!token.startsWith(BASIC))
+        return null;
+    const b64 = token.slice(BASIC.length);
+    let parsed;
+    try {
+        parsed = ui8.toString(ui8.fromString(b64, 'base64pad'), 'utf8').split(':');
+    }
+    catch (err) {
+        return null;
+    }
+    const [username, password] = parsed;
+    if (!username || !password)
+        return null;
+    return { username, password };
+};
+exports.parseBasicAuth = parseBasicAuth;
+const buildBasicAuth = (username, password) => {
+    return (BASIC +
+        ui8.toString(ui8.fromString(`${username}:${password}`, 'utf8'), 'base64pad'));
+};
+exports.buildBasicAuth = buildBasicAuth;
+const keyEncoder = new key_encoder_1.default('secp256k1');
+const createPublicKeyObject = (publicKeyHex) => {
+    const key = keyEncoder.encodePublic(publicKeyHex, 'raw', 'pem');
+    return node_crypto_1.default.createPublicKey({ format: 'pem', key });
+};
+exports.createPublicKeyObject = createPublicKeyObject;
+const verifySig = (publicKey, data, sig) => {
+    const keyEncoder = new key_encoder_1.default('secp256k1');
+    const pemKey = keyEncoder.encodePublic(ui8.toString(publicKey, 'hex'), 'raw', 'pem');
+    const key = node_crypto_1.default.createPublicKey({ format: 'pem', key: pemKey });
+    return node_crypto_1.default.verify('sha256', data, {
+        key,
+        dsaEncoding: 'ieee-p1363',
+    }, sig);
+};
+const verifySignatureWithKey = async (didKey, msgBytes, sigBytes, alg) => {
+    if (alg === crypto_1.SECP256K1_JWT_ALG) {
+        const parsed = (0, crypto_1.parseDidKey)(didKey);
+        if (alg !== parsed.jwtAlg) {
+            throw new Error(`Expected key alg ${alg}, got ${parsed.jwtAlg}`);
+        }
+        return verifySig(parsed.keyBytes, msgBytes, sigBytes);
+    }
+    return (0, xrpc_server_1.cryptoVerifySignatureWithKey)(didKey, msgBytes, sigBytes, alg);
+};
+exports.verifySignatureWithKey = verifySignatureWithKey;