128 Commits

Author SHA1 Message Date
github-actions[bot]
6bc8355c40
Version packages (#3710)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-02 18:38:47 -05:00
github-actions[bot]
a26813da21
Version packages (#3703)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-01 15:30:27 -05:00
github-actions[bot]
c777ba6d68
Version packages (#3631)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-03-20 15:21:15 +01:00
github-actions[bot]
f46554bcb8
Version packages (#3591)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-03-07 11:03:00 -05:00
github-actions[bot]
03351a5818
Version packages (#3529)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-02-13 15:27:09 +01:00
Matthieu Sieben
c53d943c8b
Improve codegen typings (#2999)
* Make codegen types stricter
* Add .js file extension to import statements in generated code
* Fixes a bug that would clear interests prefs when updating hidden posts prefs.
2025-02-13 15:21:00 +01:00
github-actions[bot]
799dd925e9
Version packages (#3493)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-02-05 17:50:10 -06:00
Matthieu Sieben
61dc0d60e1
Add linting rule to sort imports (#3220)
* Add linting rule to sort imports

* remove spacing between import groups

* changeset

* changeset

* prettier config fine tuning

* forbid use of deprecated imports

* tidy
2025-02-05 15:06:58 +01:00
github-actions[bot]
1c195a3845
Version packages (#3442)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-01-31 18:01:32 -06:00
Matthieu Sieben
4f2841efeb
Improve error reporting in case of failed PLC update operation (#3439)
* Improve error reporting in case of failed PLC update operation

* Improve error message

* convert all PlcClientError XRPCError

* changeset
2025-01-23 15:53:38 +01:00
github-actions[bot]
74ee108262
Version packages (#3425)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-01-21 10:55:50 -03:00
rafael
4ab7075fde
small rate-limit improvements (#3376) 2025-01-16 16:38:28 -03:00
github-actions[bot]
fa96a997ec
Version packages (#3372)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-01-15 13:58:19 -03:00
rafael
0832a377d2
Allow resetting a route's rate limits (#3348) 2025-01-15 13:43:16 -03:00
Matthieu Sieben
2889c76995
Improve type safety and compatibility with Bun (#2879)
* jwk: Improve type safety and compatibility with Bun
* improve type safety of jwk keys
* improve typing of verifyAccessToken
* update @types/http-errors
* Better report invalid content-encoding errors
* Mark jwk key fields as readonly
2025-01-09 14:26:07 +01:00
github-actions[bot]
5b6e0611d6
Version packages (#3336)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-01-07 12:06:16 -06:00
github-actions[bot]
7aecc57dbb
Version packages (#3331)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-01-07 09:29:57 -05:00
github-actions[bot]
51b0c48ce7
Version packages (#3188)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-12-11 14:11:08 -06:00
github-actions[bot]
3a5fc92a74
Version packages (#2962)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-11-13 17:00:25 -06:00
github-actions[bot]
b398276b36
Version packages (#2932)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-11-08 10:22:43 +01:00
rafael
1982693e3e
Use node:crypto instead of noble/curves (#2936)
* Extract verifySignatureWithKey out of verifyJwt

* Accept optional verifySignatureWithKey as param

* Impl. verifySignatureWithKey with native crypto

* Test key validation

* changesets

* build

* build (fix)

* Move verifySig out

* Trigger Build

* Move test

* Remove redundant check

---------

Co-authored-by: Devin Ivy <devinivy@gmail.com>
2024-11-07 13:29:42 -03:00
Matthieu Sieben
9d40ccbb69
Various OAuth related fixes (#2871)
* wip

* tidy

* tidy

* tidy

* Update packages/oauth/oauth-client/src/session-getter.ts

Co-authored-by: devin ivy <devinivy@gmail.com>

* fix combineSignals

* tidy

* tidy

* improve typing of atprotoScopeSchema

* stronger typings

* tidy

* ci

* Fix cors error

* downgrade ioredis dependency

* fix ioredis version

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2024-10-18 20:23:33 +02:00
Matthieu Sieben
7f26b17652
Add OAuth tests (#2874)
* Improve error message when using invalid client_id during code exchange

* Extract SPA example OAuth client in own package

* wip

* remove dependency on get-port

* Properly configure jest to only transpile "get-port" from node_modules

https://jestjs.io/docs/configuration#transformignorepatterns-arraystring

* Use dynamically assigned port number during tests

* use puppeteer to run tests

* remove login input "id" attribute

* code style

* add missing declaration

* tidy

* headless

* remove get-port dependency

* fix tests/proxied/admin.test.ts

* fix tests

* Allow unsecure oauth providers through configuration

* transpile "lande" during ozone tests

* Cache Puppeteer browser binaries

* Use puppeteer cache during all workflow steps

* remove use of set-output

* use get-port in xrpc-server tests

* Renamed to allowHttp

* tidy

* tidy
2024-10-18 15:40:05 +02:00
Matthieu Sieben
fabc8a9381
Update typescript to version 5.6.2 (#2863) 2024-10-11 14:05:53 +02:00
github-actions[bot]
a611a5fe56
Version packages (#2846)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-10-01 20:13:26 +02:00
github-actions[bot]
6593fdc3f4
Version packages (#2812)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-09-27 13:04:34 -05:00
Matthieu Sieben
a07b21151f
PDS pipethrough optimizations (#2770)
* Micro optimization in request proxying

* Request NSID parsing optimization

* DID document parsing optimization

* remove un-necessary call to next()

* Allow HandlerPipeThrough to be used with streams

* Refactor pipethrough to work with streams

* Expose "unicastLookup" DNS lookup and "isUnicastIp" utilities

* Use a hardened, HTTP2 compatible, client to perform proxied requests

* changeset

* tidy

* Properly handle compressed streams

* tidy

* update @types/node

* refactor

* Improved error management

* Expose parseContentEncoding() util

* use pipeline from nodejs

* Avoid decoding in read-after-write (if possible)

* Various fixes

* Return Buffer instance from streamToBytes

* fixes

* Add omit() utility

* tidy

* lint

* typo

* Use Buffer instead of ArrayBuffer form pipe through handler result

* optimization

* tidy

* refactor

* increase highWaterMark

* remove un-necessary type check

* Use undici.request where more relevant

* Improve soc in fetch utils

* feedback

* fidy

* tidy

* test refactor

* safer fetch

* changeset

* expose and re-use extractUrl util

* small optimizations

* tidy

* optimization

* build branch

---------

Co-authored-by: dholms <dtholmgren@gmail.com>
2024-09-19 18:24:20 -05:00
github-actions[bot]
85c85350d1
Version packages (#2791)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-09-11 18:30:47 -05:00
Matthieu Sieben
98711a147a
fix(xrpc-server): properly parse & process content-encoding (#2464)
* fix(xrpc-server): properly parse & process content-encoding

* Minor optimization

* code style
2024-09-11 09:46:18 +02:00
github-actions[bot]
a1d8c77edd
Version packages (#2738)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-27 14:03:39 -04:00
Matthieu Sieben
ebb318325b
Improved control over JWT's typ claim (#2743)
* Add "jwtAlg" option to verifySignature() function

* Verify service JWT header values. Add iat claim to service JWT

* Allow missing 'typ' claim in service auth jwt

* Add, and verify, a "typ" header to access and refresh tokens

* tidy

* Properly identify JWT typ missmatch

* tidy

* exclude known invalid "typ" from service auth headers

* tidy

* tidy changeset

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2024-08-27 13:50:14 -04:00
github-actions[bot]
40c145fb16
Version packages (#2712)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-18 16:34:50 -04:00
Daniel Holmgren
50c0ec176c
Service auth method binding (lxm) (#2663)
* add scopes to service auth impl

* add error to getServiceAuth

* send scoped tokens from pds

* clean up privileged access scopes & allow simple service auth tokens for app passwords

* integration into ozone

* fix up bsky tests

* cleanup xrpc-server tests

* fix up tests & types

* one more test

* fix read after write tests

* fix mod auth test

* convert scopes to be a single method name

* add scope check callback for auth verifier

* pds changes only

* fix feed generation tests

* use scope for ozone service profile

* dont verify scopes on pds yet

* tidy

* tidy imports

* changeset

* add tests

* tidy

* another changeset

* scope -> lxm

* tidy

* clean up scope references

* update nonce size

* pr feedback

* trim trailing slash

* nonce -> jti

* fix xrpc-server test

* allow service auth on uploadBlob

* fix build error

* changeset

* build, tidy

* xrpc-server: update lxm claim check error

* appview: temporarily permit labeler service calls to omit lxm claim

* xrpc-server: fix test

* changeset

* fix merged tests

---------

Co-authored-by: Devin Ivy <devinivy@gmail.com>
2024-08-18 15:46:07 -04:00
Matthieu Sieben
acbacbbd56
Ensure presence of DPoP related response headers (#2711)
* fix(pds): ensure presence of DPoP related response headers

* Expose the request context for AuthVerifier and StreamAuthVerifier as distinct types

* Properly type ReqCtx for stream auth
2024-08-13 16:41:36 +02:00
github-actions[bot]
3940733bf0
Version packages (#2706)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-12 16:11:19 -04:00
Matthieu Sieben
b934b396b1
Client SDK rework (#2483)
* feat(api): support creation of oauth based AtpAgents

* oauth: misc fixes for confidential clients

* fix(xprc): remove ReadableStream.from polyfill

* OAuth docs tweaks (#2679)

* OAuth: clarification about client_name being shown

* OAuth: re-write handle resolution privacy concern

* avoid relying on ReadableStream.from in xrpc-server tests

* feat(oauth-types): expose "ALLOW_UNSECURE_ORIGINS" constant

* feat(handle-resolver): expose "AtprotoIdentityDidMethods" type

* fix(oauth-client): ensure that the oauth metadata document contains client_id_metadata_document_supported

* fix(oauth-types): prevent unknown query string in loopback client id

* fix(identity-resolver): check that handle is in did doc's "alsoKnownAs"

* feat(oauth-client:oauth-resolver): allow logging in using either the PDS URL or Entryway URL

* fix(oauth-client): return better error in case of invalid "oauth-protected-resource" status code

* refactor(did): group atproto specific checks in own

* feat(api): relax typing of "appLabelers" and "labelers" AtpClient properties

* allow any did as labeller (for tests mainly)

* fix(api): allow to override "atproto-proxy" on a per-request basis

* remove release candidate versions from changelog

* update changeset for api and xrpc packages

* Add missing changeset

* revert RC versions

* Proper wording in OAUTH.md api example

* remove "pre" changeset file

* xrpc: restore original behavior of setHEader and unsetHeader

* docs: add comment for XrpcClient 's constructor arg

* feat(api): expose "schemas" publicly

* feat(api): allow customizing the whatwg fetch function of the AtpAgent

* docs(api): improve migration docs

* docs: change reference to BskyAgent to AtpAgent

* docs: mention the breaking change regarding setSessionPersistHandler

* fix(api): better split AtpClient concerns

* fix(xrpc): remove unused import

* refactor(api): simplify class hierarchu by removeing AtpClient

* fix(api): mock proper method for facets detection

* restore ability to restore session asynchronously

* feat(api): allow instantiating Agent with same argument as super class

* docs(api): properly extend Agent class

* style(xrpc): var name

* docs(api): remove "async" to header getter

---------

Co-authored-by: Devin Ivy <devinivy@gmail.com>
Co-authored-by: bnewbold <bnewbold@robocracy.org>
Co-authored-by: Hailey <me@haileyok.com>
2024-08-12 19:57:21 +02:00
github-actions[bot]
b0a5fa3d70
Version packages (#2685)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-05 15:21:57 -05:00
Daniel Holmgren
dc471da267
Service auth method binding - PDS (#2668)
* pds changes only

* use scope for ozone service profile

* dont verify scopes on pds yet

* tidy

* tidy imports

* changeset

* add tests

* another changeset

* scope -> lxm

* tidy

* update nonce size

* pr feedback

* trim trailing slash

* nonce -> jti

* fix xrpc-server test

* allow service auth on uploadBlob
2024-08-05 15:09:50 -05:00
bnewbold
a95a902bba
minor typos in descriptions and comments (#2681)
* lex: typos in descriptions

* more minor typos

* codegen lexicon typos

* more comment typos
2024-08-05 09:49:25 -07:00
github-actions[bot]
f2f8de63b3
Version packages (#2639)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-07-12 17:34:56 +02:00
github-actions[bot]
e956ac06be
Version packages (#2600)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-06-24 21:52:50 -04:00
Matthieu Sieben
fc10881f76
Add exception for HTTP clients that set a content-type when there is no body (#2599)
* fix(xrpc-server): add exception for HTTP clients that set a content-type when there is no body

* feat(xrpc-server): allow empty body on endpoints not expecting any input

Co-authored-by: Devin Ivy <devinivy@gmail.com>

* fix(xrpc-server): properly test empty body requests

* tidy

---------

Co-authored-by: Devin Ivy <devinivy@gmail.com>
2024-06-24 16:39:29 -04:00
Matthieu Sieben
a8d6c11235
🚧 OAuth2 - Authorization Server (#2482)
* chore(deps): update zod

* chore(deps): update pino to match entryway version

* chore(tsconfig): remove truncation of types through noErrorTruncation

* add support for DPoP token type when logging

* fix(bsky): JSON.parse does not return value of type JSON

* fix(pds): add res property to ReqCtx

* fix(pds): properly type getPreferences return value

* chore(tsconfig): disable noFallthroughCasesInSwitch

* refactor(pds): move tracer config in own file

* feat(dev-env): start with "pnpm dev"

* feat(oauth): add oauth provider & client libs

* feat(pds): add oauth provider

* chore: changeset

* feat: various fixes and improvements

* chore(deps): update better-sqlite3 to version 10.0.0 for node 22 compatibility

* chore(deps): drop unused tslib

* fix(did): normalize service IDs before looking for duplicates

* fix(did): avoid minor type casting

* fix(did): improve argument validation

* fix(fetch): explicit use of negation around number comparison

* fix(oauth-provider): improve argument validation

* feat(did): add ATPROTO specific "isAtprotoDidWeb" method

* feat(rollup-plugin-bundle-manifest): add readme

* feat(lint): add eqeqeq rule (only allow == and != with null)

* fix(oauth-client-browser): typo in gitignore

* fix(oauth-provider): properly name error class file

* fix(oauth-provider): remove un-necessary useMemo

* fix(did-resolver): properly build did:web document url

* fix(did-resolver): remove unused types

* fix(fetch): remove unused utils

* fix(pds): remove unused script and dependency

* fix(oauth-provider): simplify isSubPath util

* fix(oauth-provider): add InvalidRedirectUriError static constructor

* fix(jwk): improve JWT validation to provide better error messages and distinguish between signed and unsigned tokens

* fix(pds): use "debug" log level for fetch method

* fix(pds): allow access tokens to contain an unknown "typ" claim (with the exception of "dpop+jwt")

* fix(jwk): remove un-necessary code

* fix(pds): account for whitespace chars when checking JSON

* fix(pds): remove oauth specific config

* fix(pds): run all write queries through transaction or executeWithRetry
fix(pds): remove outdated comments
fix(pds): rename used_refresh_token columns & added primary key
fix(pds): run cleanup task through backgroundQueue
fix(pds): add device.id foreign key to device_account
fix(pds): add comment on cleanup of used_refresh_token
fix(pds): add primary key on device_account

* fix(oauth-provider:time): simplify constantTime util

* fix(pds): rename disableSsrf into disableSsrfProtection

* fix(oauth-client-react-native): remove incomplete package

* refactor(pds): remove status & active from ActorAccount

* fix(pds): invalidate all oauth tokens on takedown

* fix(oauth-provider): enforce token expiry

* fix(pds): properly support deactivated accounts

* perf(pds:db): allow transaction function to be sync

* refactor(psq:account-manager): expose only query builders & data transformations utils from helpers

* fix(oauth-provider): imports from self

* fix(ci): add nested packages to build artifacts

* style(fetch): rename TODO into @TODO

* style(rollup-plugin-bundle-manifest): remove "TODO" from comment

* style(oauth-client): rename TODO into @TODO

* style(oauth-provider): rename TODO into @TODO

* refactor(oauth-client): remove "OAuth" prefix from types

* fix(oauth-client-browser): better type SessionListener

* style(oauth): rename TODO into @TODO

* fix(oauth-provider): enforce provider max session age

* fix(oauth-provider): check authentication parameters against all client metadata

* fix(api): tests

* fix(pds): remove .js from imports for tests

* fix(pds): change account status to match tests

* chore(deps): make all packages depend on the same zod version

* fix(common-web): remove un-necessary binding of Checkable to "zod"

* refactor(jwk): infer jwt schema from refinement definition

* fix(handle-resolver): allow resolution errors to propagate
docs(handle-resolver): better handling of DNS resolution errors
fix(handle-resolver): properly handle DOH responses

* fix(did): service endpoint arrays must contain "one or more" element

* refactor(pipe): simplify implementation

* fix(pds): add missing DB indexes

* feat(oauth): Resolve Authorization Server URI through Protected Resource Metadata

* style:(oauth-client): import order

* docs(oauth-provider:redirect-uri): add reference url

* feat(oauth): implement "OAuth Client ID Metadata Document" from draft-parecki-oauth-client-id-metadata-document-latest internet draft

* feat(oauth-client): backport changes from feat-oauth-client

* docs(simple-store): improve comments

* feat(lexicons): add iterable capabilities

* fix(pds): type error in dev mode

* feat(oauth-provider): improved error reporting

* fix(oauth-types): allow insecure issuer during tests

* fix(xrpc-server): allow upload of empty files

* fix: lint

* feat(fetch): keep request reference in errors
feat(fetch): utilities improvements

* fix(pds): allow more than one session token per user

* feat(ozone): improve env validation error messages

* fix(oauth-client): account for DPoP when checking for invalid_token errors

* fixup! feat(fetch): keep request reference in errors feat(fetch): utilities improvements

* fixup! feat(fetch): keep request reference in errors feat(fetch): utilities improvements

* fix(oauth): various validation fixes
feat(oauth): share client_id validation and parsing utilities between client & provider

* feat(dev-env): fix ozone port number

* fix(fetch-node): prevent fetch against invalid domain names

* fix(oauth-provider): add typings for psl dep

* feat(jwk): make type def compatible with TS 4.x

* fix(oauth): fixed various spec compliance
fix(oauth): return "sub" in refresh token response
fix(oauth): limit token validity for third party clients
fix(oauth): hide client image when not trusted

* fix(oauth): lint

* pds: switch changeset to patch, no breaking changes

* changeset and config for new oauth deps

---------

Co-authored-by: Devin Ivy <devinivy@gmail.com>
2024-06-18 15:11:37 -04:00
Daniel Holmgren
3016adf05e
Bugfixes for generic proxy rate limiting (#2475)
* fix error handling & scopes for generic proxy rate limits

* sp
2024-05-09 17:29:04 -05:00
Daniel Holmgren
c37b0e46ef
Generic PDS proxy (#2425)
* add proxy handler & remove old routes

* fwd content-type header

* use baseurl instead of path

* handle global ratelimits in catchall

* fix build

* base defaultService off req.originalUrl

* error handling around res.arrayBuffer()

* check & format url before doing auth verification
2024-05-09 16:18:23 -05:00
Matthieu Sieben
173ef27cf8
fix(xrpc-server): add missing runtime dependency (#2463) 2024-05-02 21:18:34 +02:00
github-actions[bot]
692d1b2cd8
Version packages (#2385)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-04-04 18:01:34 -05:00
Daniel Holmgren
cd4fcc709f
Configurable catchall on xrpc-server (#2384)
* allow configurable catchall on xrpc-server

* changeset
2024-04-04 17:58:16 -05:00
Matthieu Sieben
97482da17a
Update prettier & eslint (#2373)
* chore(deps): update linting tools

* style(lint): format code
2024-04-03 21:39:11 +02:00
github-actions[bot]
07ec9ea749
Version packages (#2339)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-03-18 18:24:07 -04:00