1996 Commits

Author SHA1 Message Date
d4133d4c37 Merge tag '@atproto/pds@0.4.180' into modify-pds
@atproto/pds@0.4.180
2025-09-24 06:04:44 -04:00
github-actions[bot]
4c4ee7208f
Version packages (#4218)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-09-23 08:30:58 +02:00
Matthieu Sieben
7351589a31
Add onResetPasswordRequest and onResetPasswordConfirm hooks (#4217) 2025-09-22 19:38:38 +02:00
github-actions[bot]
d91988fe79
Version packages (#4192)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-09-10 15:15:55 +02:00
Matthieu Sieben
cf4117966c
Fix call to onDecodeToken oauth verifier hook (#4191)
* Make `DpopProof` readonly

* Improve token verification error details

* Always log warnings when DPOP proof `htu` contains # or ?.

* Add missing initialization of `onDecodeToken` hook

* Add logging around scope dereferencing operations
2025-09-09 15:56:32 +02:00
github-actions[bot]
e10a020629
Version packages (#4190)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-09-09 14:48:22 +02:00
github-actions[bot]
0222378371
Version packages (#4188)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-09-09 14:22:53 +02:00
Foysal Ahamed
55cc15cdd6
Add ozone proxy for revokeCredentials endpoint (#4170)
*  Add ozone proxy for revokeCredentials endpoint

* 📝 Add changeset

*  Add mod event for revoke credentials

*  Add tests
2025-09-09 14:13:48 +02:00
github-actions[bot]
e216e87859
Version packages (#4167)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-09-09 12:29:10 +02:00
Matthieu Sieben
8914f9abde
Allow encoding scope claims of oauth access token JWT (#4149)
* Refactor token decoding

* Add scope decoder to pds

* tidy

* tidy

* tidy

* tidy

* review changes

* Add scope normzlization utility

* wording in lexicon

* Add specific error

* style

* tidy

* Update `AccessTokenMode` enum values to be more meaningful

* tidy

* Update .changeset/brown-boxes-bow.md

Co-authored-by: devin ivy <devinivy@gmail.com>

* Add retry strategy

* lint

* lint

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2025-09-09 12:13:34 +02:00
Matthieu Sieben
d570db43d6
Pr/3654 (#4186)
* add ja to links title and availableLocales

* japanese translation messages.po

* update translation

social-appの翻訳に寄せる

* update translate

* Update packages/oauth/oauth-provider-ui/src/locales/ja/messages.po

Co-authored-by: Takayuki KUSANO <65759+tkusano@users.noreply.github.com>

* Update packages/oauth/oauth-provider-ui/src/locales/ja/messages.po

Co-authored-by: Takayuki KUSANO <65759+tkusano@users.noreply.github.com>

* Update packages/oauth/oauth-provider-ui/src/locales/ja/messages.po

Co-authored-by: Takayuki KUSANO <65759+tkusano@users.noreply.github.com>

* Update packages/oauth/oauth-provider-ui/src/locales/ja/messages.po

Co-authored-by: Takayuki KUSANO <65759+tkusano@users.noreply.github.com>

* add translation

* Japanese translation message.po from oauth-provider-frontend

* add ja to links title

* Update packages/oauth/oauth-provider-ui/src/locales/ja/messages.po

Co-authored-by: Takayuki KUSANO <65759+tkusano@users.noreply.github.com>

* Update packages/oauth/oauth-provider-ui/src/locales/ja/messages.po

Co-authored-by: Takayuki KUSANO <65759+tkusano@users.noreply.github.com>

* Update translation "Avatar"

* Add missing translation

* Add missing translation frontend

* Add changeset

* Enable JA

---------

Co-authored-by: L-tan <3786294+dolciss@users.noreply.github.com>
Co-authored-by: Takayuki KUSANO <65759+tkusano@users.noreply.github.com>
2025-09-09 12:09:18 +02:00
Matthieu Sieben
055a413fba
InternalServerError when creating records (#4169)
* Various perf fixes

* add transaction assertions

* tidy

* changeset

* tidy

* Update packages/aws/src/s3.ts

* tidy

* Apply suggestions from code review

* tidy

* Update .changeset/chilled-shirts-ring.md

Co-authored-by: devin ivy <devinivy@gmail.com>

* Update .changeset/stale-rocks-press.md

* Update packages/pds/src/actor-store/blob/transactor.ts

Co-authored-by: devin ivy <devinivy@gmail.com>

* build

* revert blob upload logic

* tidy

* use `uploadTimeoutMs` as default for `requestTimeoutMs`

* review coments

* chngeset

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
Co-authored-by: David Buchanan <david@blueskyweb.xyz>
2025-09-08 18:40:56 +02:00
Matthieu Sieben
6d7bf4bffc
Remove old, never resolved, lexicons from the database (#4162) 2025-09-04 11:04:48 +02:00
Eric Bailey
a5b20f0218
Add expanded moderation report reasons (#3881)
* Integrate new reporting reasons

* Update bnn to BNR, prefix all with reason* to match previous

* Remap deprecations

* Update naming, add notes about Bluesky-only reasons

* Update reason

* Move new defs to tools.ozone namespace

* Add ozone lexicons to app view

* Copy known values to merge defs

* Update comments

* Add reasonAppeal to new ozone namespace defs

* Changeset

* ❇️ Support new reporting categories in ozone (#3974)

*  Validate report reason using labeler service profile

*  Rename test

* :rotating_lights: Fix lint issue

*  Use both appeal reason type for materialized views

*  Add old to new reason mapping for fallback

*  Update test snapshot

* :rotating_lights: Fix lint issue

* 🧹 Cleanup

* :rotating_lights: Fix lint issue

*  Adjust report reason tagging

* 📝 Additional comment for new migration

---------

Co-authored-by: Foysal Ahamed <foysal@blueskyweb.xyz>
2025-09-02 21:40:31 +02:00
github-actions[bot]
420f315493
Version packages (#4165)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-09-02 11:00:40 -03:00
rafael
64100a75b3
Bookmarks (#4163) 2025-09-02 10:28:34 -03:00
github-actions[bot]
39b319be94
Version packages (#4157)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-09-02 10:36:51 +02:00
Matthieu Sieben
d54d278abd
Allow unexpected error to go through when fetching permission sets (#4155)
* Allow unexpected error to go through when fetching permission sets

* Log `cid` as string after succesful lexicon resolution

* Log `cid` and `uri` as string on successful lexicon resolution
2025-08-30 15:26:28 +02:00
zhoujiaweii
a64bd4536b
chore: remove redundant word in comment (#4151)
Signed-off-by: zhoujiaweii <zjwustc@outlook.com>
2025-08-29 12:35:36 -07:00
github-actions[bot]
c2dc0ec11b
Version packages (#4154)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-29 16:05:17 +02:00
github-actions[bot]
920f895807
Version packages (#4152)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-29 12:54:51 +02:00
Matthieu Sieben
86c4699da8
Improve oauth client callback handling (#4150) 2025-08-29 12:45:35 +02:00
Matthieu Sieben
f9dc9aa4c9
Permission set (#4108)
* Export constants and type assertion utilities

* Add permission set support to oauth provider

* improve permission set parsing

* Rename `PermissionSet` to `ScopePermissions`

* Improve performance of NSID validation

* Add support for `permission-set` in lexicon document

* Validate NSID syntax using `@atproto/syntax`

* Export all types used in public interfaces (from `lexicon-resolver`)

* Small performance improvement

* Rework scope parsing utilities to work with Lexicon defined permissions

* file rename

* fixup! Rework scope parsing utilities to work with Lexicon defined permissions

* removed outdated comment

* removed outdated comment

* fix comment typo

* Improve `SimpleStore` api

* permission-set NSID auth scopes

* Remove dev dependency on dev-env

* fix build script

* pnpm-lock

* Improve fetch-node unicast protection

* Explicitly set the `redirect: "follow"` `fetch()` option

* Add delay when building oauth-provider-ui in watch mode

* Remove external dependencies from auth-scopes

* Add customizable lexicon authority to pds (for dev purposes)

* fix pds migration

* update permission-set icon

* Add support for `include:` syntax in scopes

* tidy

* Renaming of "resource" concept to better reflect the fact that not all oauth scope values are about resources

* changeset

* ui improvmeents

* i18n

* ui imporvements

* add `AtprotoAudience` type

* Enforce proper formatting of audience (atproto supported did + fragment part)

* tidy

* tidy

* tidy

* fix ci ?

* ci fix ?

* tidy ?

* Apply consistent outline around focusable items

* Use `inheritAud: true` to control `aud` inheritance

* Update packages/oauth/oauth-provider/src/lexicon/lexicon-manager.ts

Co-authored-by: devin ivy <devinivy@gmail.com>

* Review comments

* Add `nsid` property to `LexiconResolutionError`

* improve nsid validation

* i18n

* Improve oauth scope parsing

* Simplify lex scope parsing

* tidy

* docs

* tidy

* ci

* Code simplification

* tidy

* improve type safety

* improve deps graph

* naming

* Improve tests and package structure

* Improve error when resolving a non permission-set

* improve nsid parsing perfs

* benchmark

* Refactor ozone and lexicon into using a common service profile mechanism

* improve perfs

* ci fix (?)

* tidy

* Allow storage of valid lexicons in lexicon store

* Improve handling of lexicon resolution failures

* review comment

* Test both regexp and non regexp based nsid validation

* properly detect presence of port number in https did:web

* Re-enable logging of `safeFetch` requests

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2025-08-29 12:19:19 +02:00
Matthieu Sieben
f65afa33f5
Support multiple redirect URIs for @atproto/oauth-client-browser #4144 (#4147)
* Support multiple redirect URIs for @atproto/oauth-client-browser

* For redirect_uri callback parameter type

* fix-type-error

* Do not fail if the client can't figure out which redirect uri was used (and only one is available)

---------

Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
2025-08-28 17:57:38 +02:00
github-actions[bot]
5aab697d9d
Version packages (#4148)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-28 10:35:45 -04:00
David Buchanan
66dbf8db6d
revokeAccountCredentials lexicon (#4142)
* lexicons: add com.atproto.temp.revokeAccountCredentials

* codegen

* changeset
2025-08-28 10:17:12 -04:00
github-actions[bot]
7b5b846aef
Version packages (#4146)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-27 15:12:41 -05:00
Eric Bailey
0f2944305f
Expose AppView DID in dev-env (#4145)
* Expose AppView DID in dev-env

* Changset
2025-08-27 15:03:25 -05:00
hailey
0a6a87891e
adjust notifications to filter thread hidden tags (#4140) 2025-08-27 11:55:28 -07:00
github-actions[bot]
768e81b232
Version packages (#4126)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-27 13:36:05 -04:00
devin ivy
e1967c1c2a
PDS: avoid extra lookup when configured with appview details (#4141)
* pds: avoid lookup if appview is configured

* changeset
2025-08-27 10:18:44 -04:00
Emelia Smith
6231c8730a
Fix #4136: Support multiple redirect URIs in @atproto/oauth-client (#4139)
* Fix #4136: Support multiple redirect URIs in @atproto/oauth-client

* Fix type error in exchangeCode
2025-08-27 14:42:25 +02:00
Matthieu Sieben
c0126f4a84
Improve error handling when destroying pipethrough stream (#4133)
* Improve error handling when destroying pipethrough stream

fixes #4129

* docs

* pds: add failing test for abort handling

---------

Co-authored-by: Devin Ivy <devinivy@gmail.com>
2025-08-26 14:33:34 -04:00
David Buchanan
2104d9033e
@atproto/lexicon: relax validation of lexicon documents (#4122)
* @atproto/lexicon: relax validation of lexicon documents to allow unknown fields

* changeset

* remove  field from lexiconDoc validation, no longer necessary
2025-08-22 16:58:59 +01:00
Matthieu Sieben
9d22305f71
Fix circular dev dependencies and build scripts (#4124)
* fix build script

* Remove dev dependency on dev-env

* pnpm-lock
2025-08-21 16:02:54 +02:00
github-actions[bot]
5188ef3b59
Version packages (#4116)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-20 21:48:51 +02:00
Foysal Ahamed
3156ddf615
Add batchId filter for queryEvents (#4109)
*  Add batchId filter for queryEvents

* 📝 Add changeset
2025-08-20 21:39:24 +02:00
devin ivy
331a356ce2
Lexicon resolver package (#4069)
* lexicon: doc validation compatibility with published lexicons

* lexicon-resolver: setup new package

* lexicon-resolver: implement record resolution

* lexicon-resolver: implement lexicon resolution

* lexicon-resolver: test record resolution

* repo: add option to verify CIDs found in CARs. tidy.

* lexicon-resolution: verify CIDs in proof CAR

* lexicon-resolution: tests and fixes

* tidy

* lexicon-resolution: add entrypoint

* lexicon-resolver: tidy errors

* lexicon-resolver: readme

* lexicon-resolver: changeset

* prettier

* eslint

* tidy

* tidy

* tidy

* enable CID-to-content verification within CARs by default

* lexicon-resolver: tidy types, application of defaults, gitattributes

* lexicon-resolver: add interface and builder fn for lexicon and record resolvers

* lexicon-resolver: update readme

* tidy

* lexicon-resolver: cover error cases in record resolution

---------

Co-authored-by: Matthieu Sieben <matthieu.sieben@gmail.com>
2025-08-17 22:45:51 -04:00
github-actions[bot]
649e5ad772
Version packages (#4105)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-15 17:27:00 +02:00
Matthieu Sieben
369a201161
Perf: Avoid fetching account data twice in putRecord (#4107)
* Perf: Avoid fetching account data twice in `putRecord`

* Apply same changes in `createRecord`/`deleteRecord`/`applyWrites`

* tidy

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* switch validation order

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-08-15 17:20:56 +02:00
David Buchanan
75162ffb9e
Fix putRecord auth check (#4104)
* Fix putRecord auth check

* changeset

* switch pds changeset to patch

* add test for putRecord via handle

* style fix

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2025-08-13 22:41:39 +01:00
github-actions[bot]
d02d43c05b
Version packages (#4102)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-13 15:22:03 +02:00
Matthieu Sieben
8a88e2c154
Add support for legacy JWKS validation in OAuth configuration (#4101)
* Remore requirement for JWK to define either `use` or `key_ops`

* Prevent inconsistent use of `use` and `key_ops` in JWK

* docs

* review comments

* comment
2025-08-13 15:15:54 +02:00
github-actions[bot]
f8667835db
Version packages (#4099)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-13 10:30:51 +02:00
Matthieu Sieben
832866c33b
Enforce stronger validation of jwks loaded through their own uri (#4100)
* Enforce stronger validation of jwks loaded through their own uri

* add some docs
2025-08-13 09:45:23 +02:00
Matthieu Sieben
396ab57ed0
Fix warnings during build (#4096)
* Fix warnings during build

* Update caniuse-lite
2025-08-12 17:15:23 +02:00
Matthieu Sieben
c274bd1b38
Fix permission bug with transition:email scope (#4097)
* Fix permission bug with `transition:email` scope

* fix tests
2025-08-12 17:14:51 +02:00
github-actions[bot]
174f86da5f
Version packages (#4094)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-12 14:45:00 +02:00
Matthieu Sieben
1dbc7750d2
Fix changeset and version numbers (#4095) 2025-08-12 13:22:51 +02:00
Matthieu Sieben
1899b1fc16
OAuth scopes (#3806)
* style: prefix `id` and `uri` with `request` where applicable

* Dynamically validate OAuth scopes

* Allow configuring trusted OAuth clients

* Improve client validation

* Rework authorization to work with permissions

* Review changes

* fix permissions

* tidy

* Drop authorization result

* unused code cleanup

* fix preferences auth

* remove redundant check in `applyWrites`

* style

* Remove need to specify "scopes" in authorized auth strategy

* fixup! Remove need to specify "scopes" in authorized auth strategy

* split authorized and oauth auth methods

* Require explicit opt-in for takendown

* fix tests

* rollback redundant permissions mechanism

* tidy

* Fix tests

* tidy

* tidy

* pr changes

* remove hack allowing access to full preferences

* always specify authorize method

* Add OAuth scope parsing & matching

* tidy

* add support for oauth scopes in client

* review changes

* Small xrpc-server optimizations

* pr comments

* Review comments

* refactor: move oauth scopes parser & checker in own package

* code simplification

* Allow multiple collections in `repo` scopes.
Allow wildcard action in `repo` scopes.
Require action in `repo` scopes.

* Rename `emailUpdate` to `email-update` in `account` scope params.
Add wildcard (`*`) in `account` and `identity` scopes.

* tidy

* add oauth-scopes package to PDS Dockerfile

* unit tests

* Syntax rework

* adapt to latest scope definition

* Add missing tests

* Render scopes in UI

* fix build

* fixes and tests

* improve ui

* tidy

* tidy

* ui improvements

* tidy

* fr messages

* tidy

* improve consent screen ui

* fix test

* tidy

* improve dx

* Remove `transition:` scopes from `scopes_supported` authorization server metadata

* Hide blob scope if no repo scope present

* changeset

* Remove the `action` param from the `identity` scope

* fix html syntax

* simplified wording

* Make `account:email` scope optional (#4089)

* Make `account:email` scope optional

* tidy

* tidy

* tidy

* tidy

* fix

* tidy

* review comments

* tidy

* refactor: remove redundant tests for identity scope parsing and matching

* minor ui fixes

* fix "back" label not translated

* ui improvements

* fix tests
2025-08-12 13:13:14 +02:00