@clioplaylists/clio 0.1.2 → 0.1.3

package/dist/auth-verifier.js

@@ -1,473 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifySignatureWithKey = exports.createPublicKeyObject = exports.buildBasicAuth = exports.parseBasicAuth = exports.AuthVerifier = exports.RoleStatus = void 0;
-const xrpc_server_1 = require("@atproto/xrpc-server");
-const jose = __importStar(require("jose"));
-const key_encoder_1 = __importDefault(require("key-encoder"));
-const node_crypto_1 = __importDefault(require("node:crypto"));
-const ui8 = __importStar(require("uint8arrays"));
-// import { GetIdentityByDidResponse } from './proto/bsky_pb'
-const crypto_1 = require("@atproto/crypto");
-var RoleStatus;
-(function (RoleStatus) {
-    RoleStatus[RoleStatus["Valid"] = 0] = "Valid";
-    RoleStatus[RoleStatus["Invalid"] = 1] = "Invalid";
-    RoleStatus[RoleStatus["Missing"] = 2] = "Missing";
-})(RoleStatus || (exports.RoleStatus = RoleStatus = {}));
-const ALLOWED_AUTH_SCOPES = new Set([
-    'com.atproto.access',
-    'com.atproto.appPass',
-    'com.atproto.appPassPrivileged',
-]);
-class AuthVerifier {
-    constructor(dataplane, opts) {
-        Object.defineProperty(this, "dataplane", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: dataplane
-        });
-        Object.defineProperty(this, "ownDid", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        Object.defineProperty(this, "standardAudienceDids", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        Object.defineProperty(this, "modServiceDid", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        Object.defineProperty(this, "adminPasses", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        Object.defineProperty(this, "entrywayJwtPublicKey", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        // verifiers (arrow fns to preserve scope)
-        Object.defineProperty(this, "standardOptionalParameterized", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: (opts) => async (ctx) => {
-                // @TODO remove! basic auth + did supported just for testing.
-                if (isBasicToken(ctx.req)) {
-                    const aud = this.ownDid;
-                    const iss = ctx.req.headers['appview-as-did'];
-                    if (typeof iss !== 'string' || !iss.startsWith('did:')) {
-                        throw new xrpc_server_1.AuthRequiredError('bad issuer');
-                    }
-                    if (!this.parseRoleCreds(ctx.req).admin) {
-                        throw new xrpc_server_1.AuthRequiredError('bad credentials');
-                    }
-                    return {
-                        credentials: { type: 'standard', iss, aud },
-                    };
-                }
-                else if (isBearerToken(ctx.req)) {
-                    // @NOTE temporarily accept entryway session tokens to shed load from PDS instances
-                    const token = bearerTokenFromReq(ctx.req);
-                    const header = token ? jose.decodeProtectedHeader(token) : undefined;
-                    if (header?.typ === 'at+jwt') {
-                        // we should never use entryway session tokens in the case of flexible auth audiences (namely in the case of getFeed)
-                        if (opts.skipAudCheck) {
-                            throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
-                        }
-                        return this.entrywaySession(ctx);
-                    }
-                    // const { iss, aud } = await this.verifyServiceJwt(ctx, {
-                    //   lxmCheck: opts.lxmCheck,
-                    //   iss: null,
-                    //   aud: null,
-                    // })
-                    const { aud } = {
-                        // iss: '',
-                        aud: '',
-                    };
-                    if (!opts.skipAudCheck && !this.standardAudienceDids.has(aud)) {
-                        throw new xrpc_server_1.AuthRequiredError('jwt audience does not match service did', 'BadJwtAudience');
-                    }
-                    return {
-                        credentials: {
-                            type: 'standard',
-                            iss: '',
-                            aud: '',
-                        },
-                    };
-                }
-                else {
-                    return this.nullCreds();
-                }
-            }
-        });
-        Object.defineProperty(this, "standardOptional", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: this.standardOptionalParameterized({})
-        });
-        Object.defineProperty(this, "standard", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: async (ctx) => {
-                const output = await this.standardOptional(ctx);
-                if (output.credentials.type === 'none') {
-                    throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
-                }
-                return output;
-            }
-        });
-        Object.defineProperty(this, "role", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: (ctx) => {
-                const creds = this.parseRoleCreds(ctx.req);
-                if (creds.status !== RoleStatus.Valid) {
-                    throw new xrpc_server_1.AuthRequiredError();
-                }
-                return {
-                    credentials: {
-                        ...creds,
-                        type: 'role',
-                    },
-                };
-            }
-        });
-        Object.defineProperty(this, "standardOrRole", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: async (ctx) => {
-                if (isBearerToken(ctx.req)) {
-                    return this.standard(ctx);
-                }
-                else {
-                    return this.role(ctx);
-                }
-            }
-        });
-        Object.defineProperty(this, "optionalStandardOrRole", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: async (ctx) => {
-                if (isBearerToken(ctx.req)) {
-                    return await this.standard(ctx);
-                }
-                else {
-                    const creds = this.parseRoleCreds(ctx.req);
-                    if (creds.status === RoleStatus.Valid) {
-                        return {
-                            credentials: {
-                                ...creds,
-                                type: 'role',
-                            },
-                        };
-                    }
-                    else if (creds.status === RoleStatus.Missing) {
-                        return this.nullCreds();
-                    }
-                    else {
-                        throw new xrpc_server_1.AuthRequiredError();
-                    }
-                }
-            }
-        });
-        // @NOTE this auth verifier method is not recommended to be implemented by most appviews
-        // this is a short term fix to remove proxy load from Bluesky's PDS and in line with possible
-        // future plans to have the client talk directly with the appview
-        Object.defineProperty(this, "entrywaySession", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: async (reqCtx) => {
-                const token = bearerTokenFromReq(reqCtx.req);
-                if (!token) {
-                    throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
-                }
-                // if entryway jwt key not configured then do not parsed these tokens
-                if (!this.entrywayJwtPublicKey) {
-                    throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
-                }
-                const res = await jose
-                    .jwtVerify(token, this.entrywayJwtPublicKey)
-                    .catch((err) => {
-                    if (err?.['code'] === 'ERR_JWT_EXPIRED') {
-                        throw new xrpc_server_1.AuthRequiredError('Token has expired', 'ExpiredToken');
-                    }
-                    throw new xrpc_server_1.AuthRequiredError('Token could not be verified', 'InvalidToken');
-                });
-                const { sub, aud, scope } = res.payload;
-                if (typeof sub !== 'string' || !sub.startsWith('did:')) {
-                    throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
-                }
-                else if (typeof aud !== 'string' ||
-                    !aud.startsWith('did:web:') ||
-                    !aud.endsWith('.bsky.network')) {
-                    throw new xrpc_server_1.AuthRequiredError('Bad token aud', 'InvalidToken');
-                }
-                else if (typeof scope !== 'string' || !ALLOWED_AUTH_SCOPES.has(scope)) {
-                    throw new xrpc_server_1.AuthRequiredError('Bad token scope', 'InvalidToken');
-                }
-                return {
-                    credentials: {
-                        type: 'standard',
-                        aud: this.ownDid,
-                        iss: sub,
-                    },
-                };
-            }
-        });
-        this.ownDid = opts.ownDid;
-        this.standardAudienceDids = new Set([
-            opts.ownDid,
-            ...opts.alternateAudienceDids,
-        ]);
-        this.modServiceDid = opts.modServiceDid;
-        this.adminPasses = new Set(opts.adminPasses);
-        this.entrywayJwtPublicKey = opts.entrywayJwtPublicKey;
-    }
-    // modService = async (reqCtx: ReqCtx): Promise<ModServiceOutput> => {
-    //   const { iss, aud } = await this.verifyServiceJwt(reqCtx, {
-    //     aud: this.ownDid,
-    //     iss: [this.modServiceDid, `${this.modServiceDid}#atproto_labeler`],
-    //   })
-    //   return { credentials: { type: 'mod_service', aud, iss } }
-    // }
-    // roleOrModService = async (
-    //   reqCtx: ReqCtx,
-    // ): Promise<RoleOutput | ModServiceOutput> => {
-    //   if (isBearerToken(reqCtx.req)) {
-    //     return this.modService(reqCtx)
-    //   } else {
-    //     return this.role(reqCtx)
-    //   }
-    // }
-    parseRoleCreds(req) {
-        const parsed = (0, exports.parseBasicAuth)(req.headers.authorization || '');
-        const { Missing, Valid, Invalid } = RoleStatus;
-        if (!parsed) {
-            return { status: Missing, admin: false, moderator: false, triage: false };
-        }
-        const { username, password } = parsed;
-        if (username === 'admin' && this.adminPasses.has(password)) {
-            return { status: Valid, admin: true };
-        }
-        return { status: Invalid, admin: false };
-    }
-    // async verifyServiceJwt(
-    //   reqCtx: ReqCtx,
-    //   opts: {
-    //     iss: string[] | null
-    //     aud: string | null
-    //     lxmCheck?: (method?: string) => boolean
-    //   },
-    // ) {
-    //   const getSigningKey = async (
-    //     iss: string,
-    //     _forceRefresh: boolean, // @TODO consider propagating to dataplane
-    //   ): Promise<string> => {
-    //     if (opts.iss !== null && !opts.iss.includes(iss)) {
-    //       throw new AuthRequiredError('Untrusted issuer', 'UntrustedIss')
-    //     }
-    //     const [did, serviceId] = iss.split('#')
-    //     const keyId =
-    //       serviceId === 'atproto_labeler' ? 'atproto_label' : 'atproto'
-    //     let identity: GetIdentityByDidResponse
-    //     try {
-    //       identity = await this.dataplane.getIdentityByDid({ did })
-    //     } catch (err) {
-    //       if (isDataplaneError(err, Code.NotFound)) {
-    //         throw new AuthRequiredError('identity unknown')
-    //       }
-    //       throw err
-    //     }
-    //     const keys = unpackIdentityKeys(identity.keys)
-    //     const didKey = getKeyAsDidKey(keys, { id: keyId })
-    //     if (!didKey) {
-    //       throw new AuthRequiredError('missing or bad key')
-    //     }
-    //     return didKey
-    //   }
-    //   const assertLxmCheck = () => {
-    //     const lxm = parseReqNsid(reqCtx.req)
-    //     if (
-    //       (opts.lxmCheck && !opts.lxmCheck(payload.lxm)) ||
-    //       (!opts.lxmCheck && payload.lxm !== lxm)
-    //     ) {
-    //       throw new AuthRequiredError(
-    //         payload.lxm !== undefined
-    //           ? `bad jwt lexicon method ("lxm"). must match: ${lxm}`
-    //           : `missing jwt lexicon method ("lxm"). must match: ${lxm}`,
-    //         'BadJwtLexiconMethod',
-    //       )
-    //     }
-    //   }
-    //   const jwtStr = bearerTokenFromReq(reqCtx.req)
-    //   if (!jwtStr) {
-    //     throw new AuthRequiredError('missing jwt', 'MissingJwt')
-    //   }
-    //   // if validating additional scopes, skip scope check in initial validation & follow up afterwards
-    //   const payload = await verifyServiceJwt(
-    //     jwtStr,
-    //     opts.aud,
-    //     null,
-    //     getSigningKey,
-    //     verifySignatureWithKey,
-    //   )
-    //   if (
-    //     !payload.iss.endsWith('#atproto_labeler') ||
-    //     payload.lxm !== undefined
-    //   ) {
-    //     // @TODO currently permissive of labelers who dont set lxm yet.
-    //     // we'll allow ozone self-hosters to upgrade before removing this condition.
-    //     assertLxmCheck()
-    //   }
-    //   return { iss: payload.iss, aud: payload.aud }
-    // }
-    isModService(iss) {
-        return [
-            this.modServiceDid,
-            `${this.modServiceDid}#atproto_labeler`,
-        ].includes(iss);
-    }
-    nullCreds() {
-        return {
-            credentials: {
-                type: 'none',
-                iss: null,
-            },
-        };
-    }
-    parseCreds(creds) {
-        const viewer = creds.credentials.type === 'standard' ? creds.credentials.iss : null;
-        const includeTakedownsAnd3pBlocks = (creds.credentials.type === 'role' && creds.credentials.admin) ||
-            creds.credentials.type === 'mod_service' ||
-            (creds.credentials.type === 'standard' &&
-                this.isModService(creds.credentials.iss));
-        const canPerformTakedown = (creds.credentials.type === 'role' && creds.credentials.admin) ||
-            creds.credentials.type === 'mod_service';
-        return {
-            viewer,
-            includeTakedowns: includeTakedownsAnd3pBlocks,
-            include3pBlocks: includeTakedownsAnd3pBlocks,
-            canPerformTakedown,
-        };
-    }
-}
-exports.AuthVerifier = AuthVerifier;
-// HELPERS
-// ---------
-const BEARER = 'Bearer ';
-const BASIC = 'Basic ';
-const isBearerToken = (req) => {
-    return req.headers.authorization?.startsWith(BEARER) ?? false;
-};
-const isBasicToken = (req) => {
-    return req.headers.authorization?.startsWith(BASIC) ?? false;
-};
-const bearerTokenFromReq = (req) => {
-    const header = req.headers.authorization || '';
-    if (!header.startsWith(BEARER))
-        return null;
-    return header.slice(BEARER.length).trim();
-};
-const parseBasicAuth = (token) => {
-    if (!token.startsWith(BASIC))
-        return null;
-    const b64 = token.slice(BASIC.length);
-    let parsed;
-    try {
-        parsed = ui8.toString(ui8.fromString(b64, 'base64pad'), 'utf8').split(':');
-    }
-    catch (err) {
-        return null;
-    }
-    const [username, password] = parsed;
-    if (!username || !password)
-        return null;
-    return { username, password };
-};
-exports.parseBasicAuth = parseBasicAuth;
-const buildBasicAuth = (username, password) => {
-    return (BASIC +
-        ui8.toString(ui8.fromString(`${username}:${password}`, 'utf8'), 'base64pad'));
-};
-exports.buildBasicAuth = buildBasicAuth;
-const keyEncoder = new key_encoder_1.default('secp256k1');
-const createPublicKeyObject = (publicKeyHex) => {
-    const key = keyEncoder.encodePublic(publicKeyHex, 'raw', 'pem');
-    return node_crypto_1.default.createPublicKey({ format: 'pem', key });
-};
-exports.createPublicKeyObject = createPublicKeyObject;
-const verifySig = (publicKey, data, sig) => {
-    const keyEncoder = new key_encoder_1.default('secp256k1');
-    const pemKey = keyEncoder.encodePublic(ui8.toString(publicKey, 'hex'), 'raw', 'pem');
-    const key = node_crypto_1.default.createPublicKey({ format: 'pem', key: pemKey });
-    return node_crypto_1.default.verify('sha256', data, {
-        key,
-        dsaEncoding: 'ieee-p1363',
-    }, sig);
-};
-const verifySignatureWithKey = async (didKey, msgBytes, sigBytes, alg) => {
-    if (alg === crypto_1.SECP256K1_JWT_ALG) {
-        const parsed = (0, crypto_1.parseDidKey)(didKey);
-        if (alg !== parsed.jwtAlg) {
-            throw new Error(`Expected key alg ${alg}, got ${parsed.jwtAlg}`);
-        }
-        return verifySig(parsed.keyBytes, msgBytes, sigBytes);
-    }
-    return (0, xrpc_server_1.cryptoVerifySignatureWithKey)(didKey, msgBytes, sigBytes, alg);
-};
-exports.verifySignatureWithKey = verifySignatureWithKey;

package/dist/client.d.ts

@@ -1,9 +0,0 @@
-import { Client } from '@connectrpc/connect';
-import { ClioService } from './rpc/clio_connect';
-export type DataPlaneClient = Client<typeof ClioService>;
-type HttpVersion = '1.1' | '2';
-export declare const createBaseClient: (baseUrl: string, opts: {
-    httpVersion?: HttpVersion;
-    rejectUnauthorized?: boolean;
-}) => DataPlaneClient;
-export {};

package/dist/client.js

@@ -1,40 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createBaseClient = void 0;
-const connect_1 = require("@connectrpc/connect");
-const connect_node_1 = require("@connectrpc/connect-node");
-const node_assert_1 = __importDefault(require("node:assert"));
-const clio_connect_1 = require("./rpc/clio_connect");
-const createBaseClient = (baseUrl, opts) => {
-    const { httpVersion = '2', rejectUnauthorized = true } = opts;
-    const transport = (0, connect_node_1.createGrpcTransport)({
-        baseUrl,
-        acceptCompression: [],
-        httpVersion,
-        nodeOptions: { rejectUnauthorized },
-    });
-    (0, node_assert_1.default)(validateUrl(baseUrl));
-    return (0, connect_1.createClient)(clio_connect_1.ClioService, transport);
-};
-exports.createBaseClient = createBaseClient;
-const validateUrl = (urlStr) => {
-    let url;
-    try {
-        url = new URL(urlStr);
-    }
-    catch {
-        return undefined;
-    }
-    if (!['http:', 'https:'].includes(url.protocol)) {
-        return undefined;
-    }
-    else if (!url.hostname) {
-        return undefined;
-    }
-    else {
-        return urlStr;
-    }
-};

package/dist/config.d.ts

@@ -1,21 +0,0 @@
-export interface ServerConfigValues {
-    version?: string;
-    debugMode?: boolean;
-    port?: number;
-    serverDid: string;
-    didPlcUrl: string;
-    handleResolverNameservers?: string[];
-}
-export declare class ServerConfig {
-    private cfg;
-    private assignedPort?;
-    constructor(cfg: ServerConfigValues);
-    static readEnv(overrides?: Partial<ServerConfigValues>): ServerConfig;
-    assignPort(port: number): void;
-    get version(): string | undefined;
-    get debugMode(): boolean;
-    get port(): number | undefined;
-    get localUrl(): string;
-    get serverDid(): string;
-    get didPlcUrl(): string;
-}

package/dist/config.js

@@ -1,65 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ServerConfig = void 0;
-const node_assert_1 = __importDefault(require("node:assert"));
-class ServerConfig {
-    constructor(cfg) {
-        Object.defineProperty(this, "cfg", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: cfg
-        });
-        Object.defineProperty(this, "assignedPort", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-    }
-    static readEnv(overrides) {
-        const version = overrides?.version || process.env.CLIO_VERSION || undefined;
-        const debugMode = overrides?.debugMode || process.env.NODE_ENV !== 'production';
-        const serverDid = overrides?.serverDid || process.env.CLIO_SERVER_DID || 'did:example:test';
-        const didPlcUrl = overrides?.didPlcUrl || process.env.DID_PLC_URL || 'http://localhost:2582';
-        // const handleResolverNameservers = process.env.BSKY_HANDLE_RESOLVER_NAMESERVERS
-        //   ? process.env.BSKY_HANDLE_RESOLVER_NAMESERVERS.split(',')
-        //   : []
-        const envPort = overrides?.port || parseInt(process.env.CLIO_PORT || '', 10);
-        const port = isNaN(envPort) ? 2635 : envPort;
-        return new ServerConfig({
-            version,
-            debugMode,
-            port,
-            serverDid,
-            didPlcUrl,
-        });
-    }
-    assignPort(port) {
-        (0, node_assert_1.default)(!this.cfg.port || this.cfg.port === port, 'Conflicting port in config');
-        this.assignedPort = port;
-    }
-    get version() {
-        return this.cfg.version;
-    }
-    get debugMode() {
-        return !!this.cfg.debugMode;
-    }
-    get port() {
-        return this.assignedPort || this.cfg.port;
-    }
-    get localUrl() {
-        (0, node_assert_1.default)(this.port, 'No port assigned');
-        return `http://localhost:${this.port}`;
-    }
-    get serverDid() {
-        return this.cfg.serverDid;
-    }
-    get didPlcUrl() {
-        return this.cfg.didPlcUrl;
-    }
-}
-exports.ServerConfig = ServerConfig;

package/dist/context.d.ts

@@ -1,11 +0,0 @@
-import { DataPlaneClient } from './client';
-import { ServerConfig } from './config';
-export default class AppContext {
-    private opts;
-    constructor(opts: {
-        cfg: ServerConfig;
-        dataplane: DataPlaneClient;
-    });
-    get cfg(): ServerConfig;
-    get dataplane(): DataPlaneClient;
-}

package/dist/context.js

@@ -1,19 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-class AppContext {
-    constructor(opts) {
-        Object.defineProperty(this, "opts", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: opts
-        });
-    }
-    get cfg() {
-        return this.opts.cfg;
-    }
-    get dataplane() {
-        return this.opts.dataplane;
-    }
-}
-exports.default = AppContext;