* 🚧 WIP
* ✨ Make age assurance state queryable
* ✨ Split age assurance events into 2
* ✨ Implement admin and user state overrides
* ✨ Add blocked as a known value for age assurance state
* ✅ Update test snapshot
* ✅ Update test snapshot
* ✨ Cleanup
* xrpc-server: skip body parsing when input encoding is */*, fix json and text uploads
* changeset
* pds: add tests for text and json uploads
* tidy
* xrpc-server: only create body parser when it will be used
* ✨ Add userAgent tracking for events
* :rotating_lights: Fix lint issue
* ♻️ Refactor userAgent to modTool
* ✨ Rename extra to meta
* 📝 Add changeset
* ✨ Support modTools param in createReport
* ✨ Add support for mod tool in createReport
* Improve OAuth Example app
* Improve style
* bsync: Accept NSID with fragment in operation ns (#3954)
* Add `match: MuteWordMatch` to `muted-word` mod decision `cause` (#2934)
* Return MuteWordMatch instead of simple boolean
* Return full mute word with match
* Add MuteWordMatch to decision cause, update a few tests
* Backwards compat
* Tighter types
* Return all mute word matches
* Clean up types
* Rename
* More cleanup of naming
* Remove unneeded changes
* Format
* Add predicate value to matches
* Better migration path
* Changeset
* Import sort
* Tighten up addMuteWord API
Co-authored-by: Matthieu Sieben <matthieusieben@users.noreply.github.com>
* Mute words: handle `Andor` and `and/or` case (#3948)
* Handle Andor case
* Remove useless escape
* Changeset
---------
Co-authored-by: Matthieu Sieben <matthieusieben@users.noreply.github.com>
* Version packages (#3947)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Update README.md to add some missing details in examples (#3254)
Update README.md
Improve code examples (some OAuth implementation details are missing in these examples)
* Increase oauth session & refresh token lifetimes (#3883)
* Allow HTTPS `redirect_uris` from any origin (#3811)
* bump MST key length from 256 to 1024 chars (#3956)
* bump MST key length from 256 to 1024 chars
* update MST key test
* add a changeset
* Version packages (#3959)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Rename `filter` -> `include` (#3966)
* rename filter -> include
* changeset
* fix tests
* Minor Fixes: Typo Correction and Comment Update (#3961)
* Update blob-resolver.ts
* Update index.ts
* Appview: sync up protos for notification prefs (#3970)
appview: sync up protos for notification prefs
* Version packages (#3969)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Fix invalid use of `invalid_client` (#3967)
* Replace slice() with subarray() in car file parsing (#3971)
* Replace slice() with subarray() in car file parsing
* changeset
---------
Co-authored-by: Devin Ivy <devinivy@gmail.com>
* Re-export all types & utilities needed to instantiate an OAuth client (#3976)
* Re-export all types & utilities needed to instantiate an OAuth client
* Add `jwkPrivateSchema` to ensure a key is private
* Return object instead of array as result of `findPrivateKey`
* Allow override of default `handleResolver` and `runtimeImplementation` options for NodeOAuthClient
* changeset
* Allow `OAuthClient` to be instantiated with custom `didResolver` instance
* Version packages (#3975)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Perform a bi-directional check when resolving identity from did (#3977)
* Perform a bi-directional check when resolving identity from did
* tidy
* Reject did documents containing invalid `alsoKnownAs` ATProto handles
* Use error classes
* tidy
* Improve identity resolution
* tidy
* Allow non-normalized handles in did document
* pnpm-lock
* Version packages (#3979)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* repo: MST should allow tilde in keys (#3981)
* repo: MST should allow tilde in keys
* add changeset
* fic ci
* tidy
* tidy
---------
Co-authored-by: rafael <rafael@blueskyweb.xyz>
Co-authored-by: Eric Bailey <git@esb.lol>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: James Futhey <kidGodzilla@users.noreply.github.com>
Co-authored-by: bnewbold <bnewbold@robocracy.org>
Co-authored-by: Samuel Newman <mozzius@protonmail.com>
Co-authored-by: leopardracer <136604165+leopardracer@users.noreply.github.com>
Co-authored-by: devin ivy <devinivy@gmail.com>
Co-authored-by: Paul Frazee <pfrazee@gmail.com>
* Ensure that the credentials used during a refresh correspond to those used to create the OAuth tokens.
* tidy
* Bind the OAuth session to the kid that was used to authenticate the client (private_key_jwt)
* Store the whole authentication method in the client session store rather than the kid only
* tidy
* Improve error reporting in case an invalid `token_endpoint_auth_method` is used in the client metadata document.
* tidy
* tidy
* Improve JAR checks
* tidy
* changeset
* tidy
* Remove schema's `.optional()` modifier when a `.default()` is defined
* tidy
* verify client auth during code exchange
* tidy
* Minor naming improvement
* tidy
* Update .changeset/quiet-pans-fix.md
Co-authored-by: devin ivy <devinivy@gmail.com>
* Update packages/oauth/oauth-client/src/oauth-client-auth.ts
* Use `private_key_jwt` instead of incorrect `client_secret_jwt` as authentication method for confidential clients
* style
* code split
* dead code removal
* Represent missing client auth with a `null` instead of "none" when storing request data.
* Allow storing `null` in authorization_request's `clientAuth` json column
* document
* tidy
* Remove non-standard behavior that allowed client to authenticate through JAR
* Improved error messages
* Parse JSON encoded Authorization Request Parameters
* Use `application/x-www-form-urlencoded` content instead of JSON for OAuth requests
Fixes: #3723
* tidy
* tidy
* tidy
* tidy
* code style
* remove un-necessary checks
* tidy
* Pre-process number too
* improved type checking
* add missing exports
* fix merge conflict
* tidy
* Remove invalid default for `code_challenge_method` authorization request parameter
* tidy
* Delete inaccurate changeset
* PR comment
* tidy
* Update OAuth client credentials factory to return headers and payload separately.
* tidy
* Renamed `clientAuthCheck` to `validateClientAuth`
* Validate presence of DPoP proofs sooner when processing token requests.
Fixes: #3859
* Protect against concurrent use of request code
* tidy
* tidy
* Update packages/oauth/oauth-provider/src/client/client.ts
Co-authored-by: devin ivy <devinivy@gmail.com>
* Review comments
* Add missing `exp` claim in client attestation JWT
* fixup! Review comments
* Review comments
* Refactor: explicit optionality of unsigned JAR issuer & audience
* Use client attestation's `exp` claim to determine the life time of JWT's `jti` nonce.
* Fix PDS: consumeRequestCode should delete request data
* tidy
* tidy
* Unused code removal
* Restore "Native clients must authenticate using "none" method" check
* tidy
* tidy
* cleanup
* comment
* Allow missing DPoP header during PAR request if `dpop_jkt` is provided
* tidy
---------
Co-authored-by: devin ivy <devinivy@gmail.com>
* Refactor route rate limiter builder
* Refactor RouteRateLimiter handle method to improve bypass logic and return type
* Use `redis` as rate limit db when available
* Properly validate JWK `htu` claim by enforcing URL without query or fragment
* type fix
* Return DPoP validation result from `authenticateRequest`
* Log clients using invalid "htu" claim in DPoP proof
* review comments
* fix lint
* tidy
* rename dpop result to dpop proof
* 🐛 Fetch record from pds if appview fails to find it for ozone
* ✨ Resolve and etch from pds without auth
* ♻️ Refactor and cleanup
* ✅ Fix tests
* ✅ Fix tests
* 🚨 Fix linter issue
* 🧹 Cleanup
