17 Commits

Author SHA1 Message Date
github-actions[bot]
c2dc0ec11b
Version packages (#4154)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-29 16:05:17 +02:00
Matthieu Sieben
f9dc9aa4c9
Permission set (#4108)
* Export constants and type assertion utilities

* Add permission set support to oauth provider

* improve permission set parsing

* Rename `PermissionSet` to `ScopePermissions`

* Improve performance of NSID validation

* Add support for `permission-set` in lexicon document

* Validate NSID syntax using `@atproto/syntax`

* Export all types used in public interfaces (from `lexicon-resolver`)

* Small performance improvement

* Rework scope parsing utilities to work with Lexicon defined permissions

* file rename

* fixup! Rework scope parsing utilities to work with Lexicon defined permissions

* removed outdated comment

* removed outdated comment

* fix comment typo

* Improve `SimpleStore` api

* permission-set NSID auth scopes

* Remove dev dependency on dev-env

* fix build script

* pnpm-lock

* Improve fetch-node unicast protection

* Explicitly set the `redirect: "follow"` `fetch()` option

* Add delay when building oauth-provider-ui in watch mode

* Remove external dependencies from auth-scopes

* Add customizable lexicon authority to pds (for dev purposes)

* fix pds migration

* update permission-set icon

* Add support for `include:` syntax in scopes

* tidy

* Renaming of "resource" concept to better reflect the fact that not all oauth scope values are about resources

* changeset

* ui improvmeents

* i18n

* ui imporvements

* add `AtprotoAudience` type

* Enforce proper formatting of audience (atproto supported did + fragment part)

* tidy

* tidy

* tidy

* fix ci ?

* ci fix ?

* tidy ?

* Apply consistent outline around focusable items

* Use `inheritAud: true` to control `aud` inheritance

* Update packages/oauth/oauth-provider/src/lexicon/lexicon-manager.ts

Co-authored-by: devin ivy <devinivy@gmail.com>

* Review comments

* Add `nsid` property to `LexiconResolutionError`

* improve nsid validation

* i18n

* Improve oauth scope parsing

* Simplify lex scope parsing

* tidy

* docs

* tidy

* ci

* Code simplification

* tidy

* improve type safety

* improve deps graph

* naming

* Improve tests and package structure

* Improve error when resolving a non permission-set

* improve nsid parsing perfs

* benchmark

* Refactor ozone and lexicon into using a common service profile mechanism

* improve perfs

* ci fix (?)

* tidy

* Allow storage of valid lexicons in lexicon store

* Improve handling of lexicon resolution failures

* review comment

* Test both regexp and non regexp based nsid validation

* properly detect presence of port number in https did:web

* Re-enable logging of `safeFetch` requests

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2025-08-29 12:19:19 +02:00
Matthieu Sieben
396ab57ed0
Fix warnings during build (#4096)
* Fix warnings during build

* Update caniuse-lite
2025-08-12 17:15:23 +02:00
Matthieu Sieben
1899b1fc16
OAuth scopes (#3806)
* style: prefix `id` and `uri` with `request` where applicable

* Dynamically validate OAuth scopes

* Allow configuring trusted OAuth clients

* Improve client validation

* Rework authorization to work with permissions

* Review changes

* fix permissions

* tidy

* Drop authorization result

* unused code cleanup

* fix preferences auth

* remove redundant check in `applyWrites`

* style

* Remove need to specify "scopes" in authorized auth strategy

* fixup! Remove need to specify "scopes" in authorized auth strategy

* split authorized and oauth auth methods

* Require explicit opt-in for takendown

* fix tests

* rollback redundant permissions mechanism

* tidy

* Fix tests

* tidy

* tidy

* pr changes

* remove hack allowing access to full preferences

* always specify authorize method

* Add OAuth scope parsing & matching

* tidy

* add support for oauth scopes in client

* review changes

* Small xrpc-server optimizations

* pr comments

* Review comments

* refactor: move oauth scopes parser & checker in own package

* code simplification

* Allow multiple collections in `repo` scopes.
Allow wildcard action in `repo` scopes.
Require action in `repo` scopes.

* Rename `emailUpdate` to `email-update` in `account` scope params.
Add wildcard (`*`) in `account` and `identity` scopes.

* tidy

* add oauth-scopes package to PDS Dockerfile

* unit tests

* Syntax rework

* adapt to latest scope definition

* Add missing tests

* Render scopes in UI

* fix build

* fixes and tests

* improve ui

* tidy

* tidy

* ui improvements

* tidy

* fr messages

* tidy

* improve consent screen ui

* fix test

* tidy

* improve dx

* Remove `transition:` scopes from `scopes_supported` authorization server metadata

* Hide blob scope if no repo scope present

* changeset

* Remove the `action` param from the `identity` scope

* fix html syntax

* simplified wording

* Make `account:email` scope optional (#4089)

* Make `account:email` scope optional

* tidy

* tidy

* tidy

* tidy

* fix

* tidy

* review comments

* tidy

* refactor: remove redundant tests for identity scope parsing and matching

* minor ui fixes

* fix "back" label not translated

* ui improvements

* fix tests
2025-08-12 13:13:14 +02:00
github-actions[bot]
b70f62c6b9
Version packages (#3988)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-24 06:17:02 -07:00
Matthieu Sieben
09d90ae486
Improve OAuth Example app (#3952)
* Improve OAuth Example app

* Improve style

* bsync: Accept NSID with fragment in operation ns (#3954)

* Add `match: MuteWordMatch` to `muted-word` mod decision `cause` (#2934)

* Return MuteWordMatch instead of simple boolean

* Return full mute word with match

* Add MuteWordMatch to decision cause, update a few tests

* Backwards compat

* Tighter types

* Return all mute word matches

* Clean up types

* Rename

* More cleanup of naming

* Remove unneeded changes

* Format

* Add predicate value to matches

* Better migration path

* Changeset

* Import sort

* Tighten up addMuteWord API

Co-authored-by: Matthieu Sieben <matthieusieben@users.noreply.github.com>

* Mute words: handle `Andor` and `and/or` case (#3948)

* Handle Andor case

* Remove useless escape

* Changeset

---------

Co-authored-by: Matthieu Sieben <matthieusieben@users.noreply.github.com>

* Version packages (#3947)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update README.md to add some missing details in examples (#3254)

Update README.md

Improve code examples (some OAuth implementation details are missing in these examples)

* Increase oauth session & refresh token lifetimes (#3883)

* Allow HTTPS `redirect_uris` from any origin (#3811)

* bump MST key length from 256 to 1024 chars (#3956)

* bump MST key length from 256 to 1024 chars

* update MST key test

* add a changeset

* Version packages (#3959)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Rename `filter` -> `include` (#3966)

* rename filter -> include

* changeset

* fix tests

* Minor Fixes: Typo Correction and Comment Update (#3961)

* Update blob-resolver.ts

* Update index.ts

* Appview: sync up protos for notification prefs (#3970)

appview: sync up protos for notification prefs

* Version packages (#3969)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Fix invalid use of `invalid_client` (#3967)

* Replace slice() with subarray() in car file parsing (#3971)

* Replace slice() with subarray() in car file parsing

* changeset

---------

Co-authored-by: Devin Ivy <devinivy@gmail.com>

* Re-export all types & utilities needed to instantiate an OAuth client (#3976)

* Re-export all types & utilities needed to instantiate an OAuth client

* Add `jwkPrivateSchema` to ensure a key is private

* Return object instead of array as result of `findPrivateKey`

* Allow override of default `handleResolver` and `runtimeImplementation` options for NodeOAuthClient

* changeset

* Allow `OAuthClient` to be instantiated with custom `didResolver` instance

* Version packages (#3975)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Perform a bi-directional check when resolving identity from did (#3977)

* Perform a bi-directional check when resolving identity from did

* tidy

* Reject did documents containing invalid `alsoKnownAs` ATProto handles

* Use error classes

* tidy

* Improve identity resolution

* tidy

* Allow non-normalized handles in did document

* pnpm-lock

* Version packages (#3979)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* repo: MST should allow tilde in keys (#3981)

* repo: MST should allow tilde in keys

* add changeset

* fic ci

* tidy

* tidy

---------

Co-authored-by: rafael <rafael@blueskyweb.xyz>
Co-authored-by: Eric Bailey <git@esb.lol>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: James Futhey <kidGodzilla@users.noreply.github.com>
Co-authored-by: bnewbold <bnewbold@robocracy.org>
Co-authored-by: Samuel Newman <mozzius@protonmail.com>
Co-authored-by: leopardracer <136604165+leopardracer@users.noreply.github.com>
Co-authored-by: devin ivy <devinivy@gmail.com>
Co-authored-by: Paul Frazee <pfrazee@gmail.com>
2025-06-23 17:31:02 +02:00
Johannes Andersen
ba293da9fe
feat: password reset discovery and sign-in/up autofill (#3888)
* feat: password reset discovery and sign-in/up autofill

* chore: update translation files
2025-05-26 13:42:54 +02:00
github-actions[bot]
0a2c30dd97
Version packages (#3872)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-05-20 15:15:10 -07:00
Matthieu Sieben
8318c57187
Allow proxying of getSession using OAuth session (#3820)
* Allow proxying of dpop bound requests by using service auth instead, for the `getSession` endpoint.

* Show `getSession` data in example app

* Add  scope

* strings

* cleanup

* tidy

* tidy

* Add transition:email scope to example app

* strings

* changeset

* pr comments
2025-05-20 14:37:02 +02:00
github-actions[bot]
b36014dac5
Version packages (#3803)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-05-05 17:44:12 -03:00
Matthieu Sieben
a48b093f0b
Use more consistent UI regardless of profile completion (#3797)
* Expose `pdsAgent` as global constant

* Use more consistent UI regardless of profile completion

* strings

* Add `OidcUserinfo` type
2025-04-25 10:10:13 +02:00
Matthieu Sieben
371e04aad2
Account management page (#3659)
---------

Co-authored-by: Eric Bailey <git@esb.lol>
2025-04-15 17:15:27 +02:00
github-actions[bot]
f46554bcb8
Version packages (#3591)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-03-07 11:03:00 -05:00
Matthieu Sieben
850e39843c
OAuth: Reset password & Sign-up (#2945)
* Adds "password reset" during OAuth flows
* Adds "Sign up" during OAuth flows
* Adds support for multiple languages in the OAuth flow
* Adds "fr" translation for the OAuth flow

Co-authored-by: devin ivy <devinivy@gmail.com>
Co-authored-by: Eric Bailey <git@esb.lol>
2025-03-07 09:41:06 +01:00
github-actions[bot]
799dd925e9
Version packages (#3493)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-02-05 17:50:10 -06:00
Matthieu Sieben
61dc0d60e1
Add linting rule to sort imports (#3220)
* Add linting rule to sort imports

* remove spacing between import groups

* changeset

* changeset

* prettier config fine tuning

* forbid use of deprecated imports

* tidy
2025-02-05 15:06:58 +01:00
Matthieu Sieben
7f26b17652
Add OAuth tests (#2874)
* Improve error message when using invalid client_id during code exchange

* Extract SPA example OAuth client in own package

* wip

* remove dependency on get-port

* Properly configure jest to only transpile "get-port" from node_modules

https://jestjs.io/docs/configuration#transformignorepatterns-arraystring

* Use dynamically assigned port number during tests

* use puppeteer to run tests

* remove login input "id" attribute

* code style

* add missing declaration

* tidy

* headless

* remove get-port dependency

* fix tests/proxied/admin.test.ts

* fix tests

* Allow unsecure oauth providers through configuration

* transpile "lande" during ozone tests

* Cache Puppeteer browser binaries

* Use puppeteer cache during all workflow steps

* remove use of set-output

* use get-port in xrpc-server tests

* Renamed to allowHttp

* tidy

* tidy
2024-10-18 15:40:05 +02:00