@clioplaylists/clio 0.1.8 → 0.1.9

package/dist/auth-verifier.js

@@ -1,22 +1,58 @@
-import { AuthRequiredError, cryptoVerifySignatureWithKey, } from '@atproto/xrpc-server';
-import * as jose from 'jose';
-import KeyEncoder from 'key-encoder';
-import crypto from 'node:crypto';
-import * as ui8 from 'uint8arrays';
-// import { GetIdentityByDidResponse } from './proto/bsky_pb'
-import { parseDidKey, SECP256K1_JWT_ALG } from '@atproto/crypto';
-export var RoleStatus;
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifySignatureWithKey = exports.createPublicKeyObject = exports.buildBasicAuth = exports.parseBasicAuth = exports.AuthVerifier = exports.RoleStatus = void 0;
+const crypto_1 = require("@atproto/crypto");
+const xrpc_server_1 = require("@atproto/xrpc-server");
+const connect_1 = require("@connectrpc/connect");
+const jose = __importStar(require("jose"));
+const key_encoder_1 = __importDefault(require("key-encoder"));
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const ui8 = __importStar(require("uint8arrays"));
+const dataplane_1 = require("./dataplane");
+var RoleStatus;
 (function (RoleStatus) {
     RoleStatus[RoleStatus["Valid"] = 0] = "Valid";
     RoleStatus[RoleStatus["Invalid"] = 1] = "Invalid";
     RoleStatus[RoleStatus["Missing"] = 2] = "Missing";
-})(RoleStatus || (RoleStatus = {}));
-const ALLOWED_AUTH_SCOPES = new Set([
-    'com.atproto.access',
-    'com.atproto.appPass',
-    'com.atproto.appPassPrivileged',
-]);
-export class AuthVerifier {
+})(RoleStatus || (exports.RoleStatus = RoleStatus = {}));
+const ALLOWED_AUTH_SCOPES = new Set(['com.atproto.access', 'com.atproto.appPass', 'com.atproto.appPassPrivileged']);
+class AuthVerifier {
     dataplane;
     ownDid;
     standardAudienceDids;
@@ -26,10 +62,7 @@ export class AuthVerifier {
     constructor(dataplane, opts) {
         this.dataplane = dataplane;
         this.ownDid = opts.ownDid;
-        this.standardAudienceDids = new Set([
-            opts.ownDid,
-            ...opts.alternateAudienceDids,
-        ]);
+        this.standardAudienceDids = new Set([opts.ownDid, ...opts.alternateAudienceDids]);
         this.modServiceDid = opts.modServiceDid;
         this.adminPasses = new Set(opts.adminPasses);
         this.entrywayJwtPublicKey = opts.entrywayJwtPublicKey;
@@ -39,12 +72,12 @@ export class AuthVerifier {
         // @TODO remove! basic auth + did supported just for testing.
         if (isBasicToken(ctx.req)) {
             const aud = this.ownDid;
-            const iss = ctx.req.headers['appview-as-did'];
+            const iss = header(ctx.req, 'appview-as-did');
             if (typeof iss !== 'string' || !iss.startsWith('did:')) {
-                throw new AuthRequiredError('bad issuer');
+                throw new xrpc_server_1.AuthRequiredError('bad issuer');
             }
             if (!this.parseRoleCreds(ctx.req).admin) {
-                throw new AuthRequiredError('bad credentials');
+                throw new xrpc_server_1.AuthRequiredError('bad credentials');
             }
             return {
                 credentials: { type: 'standard', iss, aud },
@@ -57,27 +90,23 @@ export class AuthVerifier {
             if (header?.typ === 'at+jwt') {
                 // we should never use entryway session tokens in the case of flexible auth audiences (namely in the case of getFeed)
                 if (opts.skipAudCheck) {
-                    throw new AuthRequiredError('Malformed token', 'InvalidToken');
+                    throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
                 }
                 return this.entrywaySession(ctx);
             }
-            // const { iss, aud } = await this.verifyServiceJwt(ctx, {
-            //   lxmCheck: opts.lxmCheck,
-            //   iss: null,
-            //   aud: null,
-            // })
-            const { aud } = {
-                // iss: '',
-                aud: '',
-            };
+            const { iss, aud } = await this.verifyServiceJwt(ctx, {
+                lxmCheck: opts.lxmCheck,
+                iss: null,
+                aud: null,
+            });
             if (!opts.skipAudCheck && !this.standardAudienceDids.has(aud)) {
-                throw new AuthRequiredError('jwt audience does not match service did', 'BadJwtAudience');
+                throw new xrpc_server_1.AuthRequiredError('jwt audience does not match service did', 'BadJwtAudience');
             }
             return {
                 credentials: {
                     type: 'standard',
-                    iss: '',
-                    aud: '',
+                    iss: iss.split('#')[0] ?? iss,
+                    aud,
                 },
             };
         }
@@ -89,14 +118,14 @@ export class AuthVerifier {
     standard = async (ctx) => {
         const output = await this.standardOptional(ctx);
         if (output.credentials.type === 'none') {
-            throw new AuthRequiredError(undefined, 'AuthMissing');
+            throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
         }
         return output;
     };
     role = (ctx) => {
         const creds = this.parseRoleCreds(ctx.req);
         if (creds.status !== RoleStatus.Valid) {
-            throw new AuthRequiredError();
+            throw new xrpc_server_1.AuthRequiredError();
         }
         return {
             credentials: {
@@ -131,7 +160,7 @@ export class AuthVerifier {
                 return this.nullCreds();
             }
             else {
-                throw new AuthRequiredError();
+                throw new xrpc_server_1.AuthRequiredError();
             }
         }
     };
@@ -141,31 +170,27 @@ export class AuthVerifier {
     entrywaySession = async (reqCtx) => {
         const token = bearerTokenFromReq(reqCtx.req);
         if (!token) {
-            throw new AuthRequiredError(undefined, 'AuthMissing');
+            throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
         }
         // if entryway jwt key not configured then do not parsed these tokens
         if (!this.entrywayJwtPublicKey) {
-            throw new AuthRequiredError('Malformed token', 'InvalidToken');
+            throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
         }
-        const res = await jose
-            .jwtVerify(token, this.entrywayJwtPublicKey)
-            .catch((err) => {
+        const res = await jose.jwtVerify(token, this.entrywayJwtPublicKey).catch((err) => {
             if (err?.['code'] === 'ERR_JWT_EXPIRED') {
-                throw new AuthRequiredError('Token has expired', 'ExpiredToken');
+                throw new xrpc_server_1.AuthRequiredError('Token has expired', 'ExpiredToken');
             }
-            throw new AuthRequiredError('Token could not be verified', 'InvalidToken');
+            throw new xrpc_server_1.AuthRequiredError('Token could not be verified', 'InvalidToken');
         });
         const { sub, aud, scope } = res.payload;
         if (typeof sub !== 'string' || !sub.startsWith('did:')) {
-            throw new AuthRequiredError('Malformed token', 'InvalidToken');
+            throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
         }
-        else if (typeof aud !== 'string' ||
-            !aud.startsWith('did:web:') ||
-            !aud.endsWith('.bsky.network')) {
-            throw new AuthRequiredError('Bad token aud', 'InvalidToken');
+        else if (typeof aud !== 'string' || !aud.startsWith('did:web:') || !aud.endsWith('.bsky.network')) {
+            throw new xrpc_server_1.AuthRequiredError('Bad token aud', 'InvalidToken');
         }
         else if (typeof scope !== 'string' || !ALLOWED_AUTH_SCOPES.has(scope)) {
-            throw new AuthRequiredError('Bad token scope', 'InvalidToken');
+            throw new xrpc_server_1.AuthRequiredError('Bad token scope', 'InvalidToken');
         }
         return {
             credentials: {
@@ -175,24 +200,23 @@ export class AuthVerifier {
             },
         };
     };
-    // modService = async (reqCtx: ReqCtx): Promise<ModServiceOutput> => {
-    //   const { iss, aud } = await this.verifyServiceJwt(reqCtx, {
-    //     aud: this.ownDid,
-    //     iss: [this.modServiceDid, `${this.modServiceDid}#atproto_labeler`],
-    //   })
-    //   return { credentials: { type: 'mod_service', aud, iss } }
-    // }
-    // roleOrModService = async (
-    //   reqCtx: ReqCtx,
-    // ): Promise<RoleOutput | ModServiceOutput> => {
-    //   if (isBearerToken(reqCtx.req)) {
-    //     return this.modService(reqCtx)
-    //   } else {
-    //     return this.role(reqCtx)
-    //   }
-    // }
+    modService = async (reqCtx) => {
+        const { iss, aud } = await this.verifyServiceJwt(reqCtx, {
+            aud: this.ownDid,
+            iss: [this.modServiceDid, `${this.modServiceDid}#atproto_labeler`],
+        });
+        return { credentials: { type: 'mod_service', aud, iss } };
+    };
+    roleOrModService = async (reqCtx) => {
+        if (isBearerToken(reqCtx.req)) {
+            return this.modService(reqCtx);
+        }
+        else {
+            return this.role(reqCtx);
+        }
+    };
     parseRoleCreds(req) {
-        const parsed = parseBasicAuth(req.headers.authorization || '');
+        const parsed = (0, exports.parseBasicAuth)(header(req, 'authorization') || '');
         const { Missing, Valid, Invalid } = RoleStatus;
         if (!parsed) {
             return { status: Missing, admin: false, moderator: false, triage: false };
@@ -203,81 +227,53 @@ export class AuthVerifier {
         }
         return { status: Invalid, admin: false };
     }
-    // async verifyServiceJwt(
-    //   reqCtx: ReqCtx,
-    //   opts: {
-    //     iss: string[] | null
-    //     aud: string | null
-    //     lxmCheck?: (method?: string) => boolean
-    //   },
-    // ) {
-    //   const getSigningKey = async (
-    //     iss: string,
-    //     _forceRefresh: boolean, // @TODO consider propagating to dataplane
-    //   ): Promise<string> => {
-    //     if (opts.iss !== null && !opts.iss.includes(iss)) {
-    //       throw new AuthRequiredError('Untrusted issuer', 'UntrustedIss')
-    //     }
-    //     const [did, serviceId] = iss.split('#')
-    //     const keyId =
-    //       serviceId === 'atproto_labeler' ? 'atproto_label' : 'atproto'
-    //     let identity: GetIdentityByDidResponse
-    //     try {
-    //       identity = await this.dataplane.getIdentityByDid({ did })
-    //     } catch (err) {
-    //       if (isDataplaneError(err, Code.NotFound)) {
-    //         throw new AuthRequiredError('identity unknown')
-    //       }
-    //       throw err
-    //     }
-    //     const keys = unpackIdentityKeys(identity.keys)
-    //     const didKey = getKeyAsDidKey(keys, { id: keyId })
-    //     if (!didKey) {
-    //       throw new AuthRequiredError('missing or bad key')
-    //     }
-    //     return didKey
-    //   }
-    //   const assertLxmCheck = () => {
-    //     const lxm = parseReqNsid(reqCtx.req)
-    //     if (
-    //       (opts.lxmCheck && !opts.lxmCheck(payload.lxm)) ||
-    //       (!opts.lxmCheck && payload.lxm !== lxm)
-    //     ) {
-    //       throw new AuthRequiredError(
-    //         payload.lxm !== undefined
-    //           ? `bad jwt lexicon method ("lxm"). must match: ${lxm}`
-    //           : `missing jwt lexicon method ("lxm"). must match: ${lxm}`,
-    //         'BadJwtLexiconMethod',
-    //       )
-    //     }
-    //   }
-    //   const jwtStr = bearerTokenFromReq(reqCtx.req)
-    //   if (!jwtStr) {
-    //     throw new AuthRequiredError('missing jwt', 'MissingJwt')
-    //   }
-    //   // if validating additional scopes, skip scope check in initial validation & follow up afterwards
-    //   const payload = await verifyServiceJwt(
-    //     jwtStr,
-    //     opts.aud,
-    //     null,
-    //     getSigningKey,
-    //     verifySignatureWithKey,
-    //   )
-    //   if (
-    //     !payload.iss.endsWith('#atproto_labeler') ||
-    //     payload.lxm !== undefined
-    //   ) {
-    //     // @TODO currently permissive of labelers who dont set lxm yet.
-    //     // we'll allow ozone self-hosters to upgrade before removing this condition.
-    //     assertLxmCheck()
-    //   }
-    //   return { iss: payload.iss, aud: payload.aud }
-    // }
+    async verifyServiceJwt(reqCtx, opts) {
+        const getSigningKey = async (iss, _forceRefresh) => {
+            if (opts.iss !== null && !opts.iss.includes(iss)) {
+                throw new xrpc_server_1.AuthRequiredError('Untrusted issuer', 'UntrustedIss');
+            }
+            const [did, serviceId] = iss.split('#');
+            const keyId = serviceId === 'atproto_labeler' ? 'atproto_label' : 'atproto';
+            let identity;
+            try {
+                identity = await this.dataplane.getIdentityByDid({ did });
+            }
+            catch (err) {
+                if ((0, dataplane_1.isDataplaneError)(err, connect_1.Code.NotFound)) {
+                    throw new xrpc_server_1.AuthRequiredError('identity unknown');
+                }
+                throw err;
+            }
+            const keys = (0, dataplane_1.unpackIdentityKeys)(identity.keys);
+            const didKey = (0, dataplane_1.getKeyAsDidKey)(keys, { id: keyId });
+            if (!didKey) {
+                throw new xrpc_server_1.AuthRequiredError('missing or bad key');
+            }
+            return didKey;
+        };
+        const assertLxmCheck = () => {
+            const lxm = (0, xrpc_server_1.parseReqNsid)(reqCtx.req);
+            if ((opts.lxmCheck && !opts.lxmCheck(payload.lxm)) || (!opts.lxmCheck && payload.lxm !== lxm)) {
+                throw new xrpc_server_1.AuthRequiredError(payload.lxm !== undefined
+                    ? `bad jwt lexicon method ("lxm"). must match: ${lxm}`
+                    : `missing jwt lexicon method ("lxm"). must match: ${lxm}`, 'BadJwtLexiconMethod');
+            }
+        };
+        const jwtStr = bearerTokenFromReq(reqCtx.req);
+        if (!jwtStr) {
+            throw new xrpc_server_1.AuthRequiredError('missing jwt', 'MissingJwt');
+        }
+        // if validating additional scopes, skip scope check in initial validation & follow up afterwards
+        const payload = await (0, xrpc_server_1.verifyJwt)(jwtStr, opts.aud, null, getSigningKey, exports.verifySignatureWithKey);
+        if (!payload.iss.endsWith('#atproto_labeler') || payload.lxm !== undefined) {
+            // @TODO currently permissive of labelers who dont set lxm yet.
+            // we'll allow ozone self-hosters to upgrade before removing this condition.
+            assertLxmCheck();
+        }
+        return { iss: payload.iss, aud: payload.aud };
+    }
     isModService(iss) {
-        return [
-            this.modServiceDid,
-            `${this.modServiceDid}#atproto_labeler`,
-        ].includes(iss);
+        return [this.modServiceDid, `${this.modServiceDid}#atproto_labeler`].includes(iss);
     }
     nullCreds() {
         return {
@@ -291,10 +287,8 @@ export class AuthVerifier {
         const viewer = creds.credentials.type === 'standard' ? creds.credentials.iss : null;
         const includeTakedownsAnd3pBlocks = (creds.credentials.type === 'role' && creds.credentials.admin) ||
             creds.credentials.type === 'mod_service' ||
-            (creds.credentials.type === 'standard' &&
-                this.isModService(creds.credentials.iss));
-        const canPerformTakedown = (creds.credentials.type === 'role' && creds.credentials.admin) ||
-            creds.credentials.type === 'mod_service';
+            (creds.credentials.type === 'standard' && this.isModService(creds.credentials.iss));
+        const canPerformTakedown = (creds.credentials.type === 'role' && creds.credentials.admin) || creds.credentials.type === 'mod_service';
         return {
             viewer,
             includeTakedowns: includeTakedownsAnd3pBlocks,
@@ -303,23 +297,32 @@ export class AuthVerifier {
         };
     }
 }
+exports.AuthVerifier = AuthVerifier;
 // HELPERS
 // ---------
 const BEARER = 'Bearer ';
 const BASIC = 'Basic ';
 const isBearerToken = (req) => {
-    return req.headers.authorization?.startsWith(BEARER) ?? false;
+    const authHeader = header(req, 'authorization');
+    return authHeader?.startsWith(BEARER) ?? false;
 };
 const isBasicToken = (req) => {
-    return req.headers.authorization?.startsWith(BASIC) ?? false;
+    const authHeader = header(req, 'authorization');
+    return authHeader?.startsWith(BASIC) ?? false;
 };
 const bearerTokenFromReq = (req) => {
-    const header = req.headers.authorization || '';
-    if (!header.startsWith(BEARER))
+    const authHeader = header(req, 'authorization') || '';
+    if (!authHeader.startsWith(BEARER))
         return null;
-    return header.slice(BEARER.length).trim();
+    return authHeader.slice(BEARER.length).trim();
+};
+const header = (req, name) => {
+    const v = req.headers[name.toLowerCase()];
+    if (Array.isArray(v))
+        return v[0];
+    return v;
 };
-export const parseBasicAuth = (token) => {
+const parseBasicAuth = (token) => {
     if (!token.startsWith(BASIC))
         return null;
     const b64 = token.slice(BASIC.length);
@@ -335,31 +338,34 @@ export const parseBasicAuth = (token) => {
         return null;
     return { username, password };
 };
-export const buildBasicAuth = (username, password) => {
-    return (BASIC +
-        ui8.toString(ui8.fromString(`${username}:${password}`, 'utf8'), 'base64pad'));
+exports.parseBasicAuth = parseBasicAuth;
+const buildBasicAuth = (username, password) => {
+    return BASIC + ui8.toString(ui8.fromString(`${username}:${password}`, 'utf8'), 'base64pad');
 };
-const keyEncoder = new KeyEncoder('secp256k1');
-export const createPublicKeyObject = (publicKeyHex) => {
+exports.buildBasicAuth = buildBasicAuth;
+const keyEncoder = new key_encoder_1.default('secp256k1');
+const createPublicKeyObject = (publicKeyHex) => {
     const key = keyEncoder.encodePublic(publicKeyHex, 'raw', 'pem');
-    return crypto.createPublicKey({ format: 'pem', key });
+    return node_crypto_1.default.createPublicKey({ format: 'pem', key });
 };
+exports.createPublicKeyObject = createPublicKeyObject;
 const verifySig = (publicKey, data, sig) => {
-    const keyEncoder = new KeyEncoder('secp256k1');
+    const keyEncoder = new key_encoder_1.default('secp256k1');
     const pemKey = keyEncoder.encodePublic(ui8.toString(publicKey, 'hex'), 'raw', 'pem');
-    const key = crypto.createPublicKey({ format: 'pem', key: pemKey });
-    return crypto.verify('sha256', data, {
+    const key = node_crypto_1.default.createPublicKey({ format: 'pem', key: pemKey });
+    return node_crypto_1.default.verify('sha256', data, {
         key,
         dsaEncoding: 'ieee-p1363',
     }, sig);
 };
-export const verifySignatureWithKey = async (didKey, msgBytes, sigBytes, alg) => {
-    if (alg === SECP256K1_JWT_ALG) {
-        const parsed = parseDidKey(didKey);
+const verifySignatureWithKey = async (didKey, msgBytes, sigBytes, alg) => {
+    if (alg === crypto_1.SECP256K1_JWT_ALG) {
+        const parsed = (0, crypto_1.parseDidKey)(didKey);
         if (alg !== parsed.jwtAlg) {
             throw new Error(`Expected key alg ${alg}, got ${parsed.jwtAlg}`);
         }
         return verifySig(parsed.keyBytes, msgBytes, sigBytes);
     }
-    return cryptoVerifySignatureWithKey(didKey, msgBytes, sigBytes, alg);
+    return (0, xrpc_server_1.cryptoVerifySignatureWithKey)(didKey, msgBytes, sigBytes, alg);
 };
+exports.verifySignatureWithKey = verifySignatureWithKey;

package/dist/client.js

@@ -1,18 +1,25 @@
-import { createClient } from '@connectrpc/connect';
-import { createGrpcTransport } from '@connectrpc/connect-node';
-import assert from 'node:assert';
-import { ClioService } from './rpc/clio_connect';
-export const createBaseClient = (baseUrl, opts) => {
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBaseClient = void 0;
+const connect_1 = require("@connectrpc/connect");
+const connect_node_1 = require("@connectrpc/connect-node");
+const node_assert_1 = __importDefault(require("node:assert"));
+const clio_connect_1 = require("./rpc/clio_connect");
+const createBaseClient = (baseUrl, opts) => {
     const { httpVersion = '2', rejectUnauthorized = true } = opts;
-    const transport = createGrpcTransport({
+    const transport = (0, connect_node_1.createGrpcTransport)({
         baseUrl,
         acceptCompression: [],
         httpVersion,
         nodeOptions: { rejectUnauthorized },
     });
-    assert(validateUrl(baseUrl));
-    return createClient(ClioService, transport);
+    (0, node_assert_1.default)(validateUrl(baseUrl));
+    return (0, connect_1.createClient)(clio_connect_1.ClioService, transport);
 };
+exports.createBaseClient = createBaseClient;
 const validateUrl = (urlStr) => {
     let url;
     try {

package/dist/config.d.ts

@@ -2,10 +2,20 @@ export interface ServerConfigValues {
     version?: string;
     debugMode?: boolean;
     port?: number;
+    publicUrl?: string;
     serverDid: string;
     didPlcUrl: string;
     handleResolverNameservers?: string[];
     dataplaneUrls: string[];
+    dbPostgresUrl?: string;
+    dbPostgresSchema?: string;
+    modServiceDid: string;
+    adminPasswords: string[];
+    oauthScope?: string;
+    oauthAllowHttp?: boolean;
+    proxyPreferCompressed?: boolean;
+    blobRateLimitBypassKey?: string;
+    blobRateLimitBypassHostname?: string;
 }
 export declare class ServerConfig {
     private cfg;
@@ -17,7 +27,18 @@ export declare class ServerConfig {
     get debugMode(): boolean;
     get port(): number | undefined;
     get localUrl(): string;
+    get publicUrl(): string;
     get serverDid(): string;
     get didPlcUrl(): string;
     get dataplaneUrls(): string[];
+    get dbPostgresUrl(): string | undefined;
+    get dbPostgresSchema(): string | undefined;
+    get modServiceDid(): string;
+    get adminPasswords(): string[];
+    get oauthScope(): string;
+    get oauthAllowHttp(): boolean;
+    get handleResolverNameservers(): string[] | undefined;
+    get proxyPreferCompressed(): boolean;
+    get blobRateLimitBypassKey(): string | undefined;
+    get blobRateLimitBypassHostname(): string | undefined;
 }