* Export constants and type assertion utilities
* Add permission set support to oauth provider
* improve permission set parsing
* Rename `PermissionSet` to `ScopePermissions`
* Improve performance of NSID validation
* Add support for `permission-set` in lexicon document
* Validate NSID syntax using `@atproto/syntax`
* Export all types used in public interfaces (from `lexicon-resolver`)
* Small performance improvement
* Rework scope parsing utilities to work with Lexicon defined permissions
* file rename
* fixup! Rework scope parsing utilities to work with Lexicon defined permissions
* removed outdated comment
* removed outdated comment
* fix comment typo
* Improve `SimpleStore` api
* permission-set NSID auth scopes
* Remove dev dependency on dev-env
* fix build script
* pnpm-lock
* Improve fetch-node unicast protection
* Explicitly set the `redirect: "follow"` `fetch()` option
* Add delay when building oauth-provider-ui in watch mode
* Remove external dependencies from auth-scopes
* Add customizable lexicon authority to pds (for dev purposes)
* fix pds migration
* update permission-set icon
* Add support for `include:` syntax in scopes
* tidy
* Renaming of "resource" concept to better reflect the fact that not all oauth scope values are about resources
* changeset
* ui improvmeents
* i18n
* ui imporvements
* add `AtprotoAudience` type
* Enforce proper formatting of audience (atproto supported did + fragment part)
* tidy
* tidy
* tidy
* fix ci ?
* ci fix ?
* tidy ?
* Apply consistent outline around focusable items
* Use `inheritAud: true` to control `aud` inheritance
* Update packages/oauth/oauth-provider/src/lexicon/lexicon-manager.ts
Co-authored-by: devin ivy <devinivy@gmail.com>
* Review comments
* Add `nsid` property to `LexiconResolutionError`
* improve nsid validation
* i18n
* Improve oauth scope parsing
* Simplify lex scope parsing
* tidy
* docs
* tidy
* ci
* Code simplification
* tidy
* improve type safety
* improve deps graph
* naming
* Improve tests and package structure
* Improve error when resolving a non permission-set
* improve nsid parsing perfs
* benchmark
* Refactor ozone and lexicon into using a common service profile mechanism
* improve perfs
* ci fix (?)
* tidy
* Allow storage of valid lexicons in lexicon store
* Improve handling of lexicon resolution failures
* review comment
* Test both regexp and non regexp based nsid validation
* properly detect presence of port number in https did:web
* Re-enable logging of `safeFetch` requests
* tidy
---------
Co-authored-by: devin ivy <devinivy@gmail.com>
* Return atproto handle in identity resolution result
* Use resolved handle or did instead of raw input as "login_hint"
* Normalize and validate `login_hint` in oauth request properties
* Properly validate JWK `htu` claim by enforcing URL without query or fragment
* type fix
* Return DPoP validation result from `authenticateRequest`
* Log clients using invalid "htu" claim in DPoP proof
* review comments
* fix lint
* tidy
* rename dpop result to dpop proof
* Allow proxying of dpop bound requests by using service auth instead, for the `getSession` endpoint.
* Show `getSession` data in example app
* Add scope
* strings
* cleanup
* tidy
* tidy
* Add transition:email scope to example app
* strings
* changeset
* pr comments
* First vouch implementation
* Remove unneeded endpoints
* wip
* ✨ wip
* ✨ Process jetstream events through p-queue and add tests
* ✅ Add test for cursor update
* 🐛 Use utc time to update updatedAt
* 🧹 Cleanup
* 🔨 Fix pnpm versioning issues
* ✨ Replace jetstream lib with manual implementation
* ✨ Remove unnecessary 3p dep
* ✨ Add e2e test for jetstream
* 🚨 Fix import
* 🧹 Remove unnecessary property
* ✨ Fix dev-env and add profile to verification view in ozone
* ✅ Add profile type
* ✨ Add backpressure handling to jetstream listener
* ✨ Use WebSocketKeepAlive from xrpc-server and replace partysocket
* ✨ Add a new verifier role to ozone team meber roles
* 📝 Run codegen
* 🐛 Fix auth check
* 🐛 Fix test failure check
* 🚨 Fix json formatting
* 🐛 Fix team role check
* 🚧 Checking failing test
* ✅ Fix tests
* ✨ Address review comments
* ✨ Add xrpc-server to version
* 🚨 Fix linter issue
* 🚨 Fix linter issue
* ✨ Resolve race condition in cursor update
* ✅ Add verification check on profile
* 🐛 Fix missing cid in test and firehose cursor
* ✨ Fix test
* ✨ Add record validation for verification and separate xrpc-server version
* ✨ Return error object for failed revocations
* ✨ Add re-login on expired session case
* 📝 Fix typo
---------
Co-authored-by: rafael <rafael@blueskyweb.xyz>
* Adds "password reset" during OAuth flows
* Adds "Sign up" during OAuth flows
* Adds support for multiple languages in the OAuth flow
* Adds "fr" translation for the OAuth flow
Co-authored-by: devin ivy <devinivy@gmail.com>
Co-authored-by: Eric Bailey <git@esb.lol>
* OAuthProvider: Update "trustProxy" options to allow function
* DeviceManager options can now be passed as argument to the OAuthProvider constructor
* Only trust one level of proxying when computing IP during OAuthFlows
* Prevent invalid use of trustProxy config
* tidy
* make the code compliant with legacy behavior
* Add linting rule to sort imports
* remove spacing between import groups
* changeset
* changeset
* prettier config fine tuning
* forbid use of deprecated imports
* tidy
* jwk: Improve type safety and compatibility with Bun
* improve type safety of jwk keys
* improve typing of verifyAccessToken
* update @types/http-errors
* Better report invalid content-encoding errors
* Mark jwk key fields as readonly
* Improve error message when using invalid client_id during code exchange
* Extract SPA example OAuth client in own package
* wip
* remove dependency on get-port
* Properly configure jest to only transpile "get-port" from node_modules
https://jestjs.io/docs/configuration#transformignorepatterns-arraystring
* Use dynamically assigned port number during tests
* use puppeteer to run tests
* remove login input "id" attribute
* code style
* add missing declaration
* tidy
* headless
* remove get-port dependency
* fix tests/proxied/admin.test.ts
* fix tests
* Allow unsecure oauth providers through configuration
* transpile "lande" during ozone tests
* Cache Puppeteer browser binaries
* Use puppeteer cache during all workflow steps
* remove use of set-output
* use get-port in xrpc-server tests
* Renamed to allowHttp
* tidy
* tidy
* ✨ Add getRepos and getRecords endpoints for bulk fetching
* ✨ Fix issues and add tests for get repos and get records
* ✨ Use the right lxm
* 🐛 Revert changes in lockfile
* ✨ Add getAccountInfos in PDS
* 🐛 Fix type def for repo and record view detail
* ✅ Update snapshots
* ✅ Update snapshots
* ✨ Consolidate error type for com.atproto and tools.ozone getRecord error type
* 🧹 Cleanup
* ✅ Update snapshots
* ✅ Update snapshots
* ✨ Changeset
* Codegen
* Explicitly add Zod (already a peer dep) and validation to api
* Add Nux methods
* Match naming convention
* Remove id, it won't be used
* Add tests
* Use id instead of name, little clearer
* Update API contracts
* Update tests
* Changeset
* Don't mutate
* Re-use code definition of oauthResponseTypeSchema
* Generate proper invalid_authorization_details
* Remove OpenID compatibility
* tidy
* properly verify presence of jti claim in client assertion
* Remove non-standard "sub" from OAuthTokenResponse
* Remove nonce from authorization request
* tidy
* Enforce uniqueness of code_challenge
* remove unused "atproto" scope
* Improve reporting of validation errors
* Allow empty set of scopes
* Do not remove scopes not advertised in the AS's "scopes_supported" when building the authorization request.
* Prevent empty scope string
* Remove invalid check from token response
* remove un-necessary session refresh
* Validate scopes characters according to OAuth 2.1 spec
* Mandate the use of "atproto" scope
* Disable ability to list app passwords when using an app password
* Use locally defined authPassthru in com.atproto.admin.* handlers
* provide proper production handle resolver in example
* properly compote login method
* feat(oauth-provider): always rotate session cookie on sign-in
* feat(oauth-provider): do not require consent from first party apps
* update request parameter's prompt before other param validation checks
* feat(oauth-provider): rework display of client name
* feat(oauth-client-browser:example): add token info introspection
* feat(oauth-client-browser:example): allow defining scope globally
* Display requested scopes during the auth flow
* Add, and verify, a "typ" header to access and refresh tokens
* Ignore case when checking for dpop auth scheme
* Add "jwtAlg" option to verifySignature() function
* Verify service JWT header values. Add iat claim to service JWT
* Add support for "transition:generic" and "transition:chat.bsky" oauth scopes in PDS
* oauth-client-browser(example): add scope request
* Add missing "atproto" scope
* Allow missing 'typ' claim in service auth jwt
* Improved 401 feedback
Co-authored-by: devin ivy <devinivy@gmail.com>
* Properly parse scopes upon verification
Co-authored-by: devin ivy <devinivy@gmail.com>
* Rename "atp" to "credential" auth in oauth-client-browser example
* add key to iteration items
* Make CORS protection stronger
* Allow OAuthProvider to define its own CORS policies
* Revert "Allow missing 'typ' claim in service auth jwt"
This reverts commit 15c6b9e2197064eb5de61a96de6497060edb824e.
* Revert "Verify service JWT header values. Add iat claim to service JWT"
This reverts commit 08df8df322a3f4b631c4a63a61d55b2c84c60c11.
* Revert "Add "jwtAlg" option to verifySignature() function"
This reverts commit d0f77354e6904678e7f5d76bb026f07537443ba9.
* Revert "Add, and verify, a "typ" header to access and refresh tokens"
This reverts commit 3e21be9e4b5875caa5e862c11f2196786fb2366d.
* pds: implement protected service auth methods
* Prevent app password management using sessions initiated from an app password.
* Alphabetically sort PROTECTED_METHODS
* Revert changes to app password management permissions
* tidy
---------
Co-authored-by: devin ivy <devinivy@gmail.com>
