* pinned posts lexicon
* codegen
* change lexicon, different approach
* codegen 2
* dataplane db migration
* move pinned post lexicon to right place
* add pinned posts optionally to getAuthorFeed
* remove type modification
* Clarify naming, add viewer state, add tests
* return pinnedPost with profileViewDetailed
* allow pinned replies in `posts_and_author_threads`
* clearer variable naming
* annotate type of `items`
* boolean --> varchar
* reuse authorDid in viewerPinned
* simplify test
* make pinned post not top post in test
* update snapshot
* changeset
---------
Co-authored-by: Eric Bailey <git@esb.lol>
Co-authored-by: dholms <dtholmgren@gmail.com>
* Improve reporting of metadata validation error
* Properly validate client metadata scope
* Allow loopback clients to define their scopes through client_id query parameters
* Require definition of "scope" in client metadata document
* Restrict the value used as code_challenge_methods_supported
* Remove `plain` from `code_challenge_methods_supported`
* Prevent use of empty string in unsupported oidc request parameters
* Centralize parsing of client metadata error
* Enforce code_challenge_method=S256 request parameter
* Improve error description in case of invalid loopback client_id
* Enforce single scope query param in loopback clients
* Disable request params scopes defaulting to client metadata scope
* Centralize loopback client validation logic
* add assertion utils for client ids
* Improve invalid client_id error messages from BrowserOAuthClient.from()
* Use scope from client metadata as default value
* Improve client side validation of client metadata
* Allow fetching of source maps files from browser debugger
* Use the clientId to configure the OAuth client
* Allow native clients to use https: redirect uris
* Explicitly forbid MTLS client auth method
* Improve error feedback in case of invalid client_id domain name
* Remove un-spec'ed restrictions on redirect_uris based on the client_uri
* Do not strip query string from URL after oauth redirect in fragment mode
* Add missing "expires_in" property to OAuthParResponse type definition
* Allow non-canonical urls to be used as client ID
* Allow client metadata to contain other return type values than "code"
* Properly validate request_uri request parameter
* Improve parsing and validation of client_id's
* Return "invalid_client" on invalid client credentials
* improved error management & reporting
* performance improvement
* Allow loopback client ids to omit the (empty) path parameter
Co-authored-by: devin ivy <devinivy@gmail.com>
* uppercase email 2FA code
* use same validation logic as social-app
* use same regex for pattern as social-app
* rename check function
* spelling correction
Co-authored-by: surfdude29 <149612116+surfdude29@users.noreply.github.com>
---------
Co-authored-by: surfdude29 <149612116+surfdude29@users.noreply.github.com>
* Add isFallback to `getSuggestedFollowsByActor`
Inferred based on returned `relativeToDid` from the suggestions
response.
* Integrate new params
* Fix logic
* Update email templates
* Update PLC
* Update test with new email string
* Format
* One more test update
* Use handle instead of identifier to match entryway
* Changeset
* Codegen
* Explicitly add Zod (already a peer dep) and validation to api
* Add Nux methods
* Match naming convention
* Remove id, it won't be used
* Add tests
* Use id instead of name, little clearer
* Update API contracts
* Update tests
* Changeset
* Don't mutate
* ✨ Throw specific error for duplicate template name
* 🧹 Cleanup console
* ✨ Throw duplicate template name error from update too
* ✨ Add language to templates
* 📝 Add changeset
* ✨ Add missing event type
* ✨ Add language format in lexicon and error checker in util
* 🚨 fix linter issues
* ✨ Refactor subject tagging to facilitate video content tagging
* ♻️ Refactor tag check
* ✅ Fix tagging logic
* ♻️ Refactor content tagger and fix image content type check
* ✨ Add embed tag check for video and external
* ✨ Add tagging for both media and image embed
* lexicon: initial lexicons for video embeds in bsky app
* lexicon: fix video caption file size limit
* codegen
* appview: stub out video embed view logic
* api prerelease
* api prerelease
* lexicon: video upload/processing lexicons
* tidy
* lexicon: app.bsky.video lexicons for uploads
* codegen
* api prerelease
* appview: present video embeds on posts
* appview: snaps
* changeset
* appview: fix wiring of video url config
* Add "jwtAlg" option to verifySignature() function
* Verify service JWT header values. Add iat claim to service JWT
* Allow missing 'typ' claim in service auth jwt
* Add, and verify, a "typ" header to access and refresh tokens
* tidy
* Properly identify JWT typ mismatch
* tidy
* exclude known invalid "typ" from service auth headers
* tidy
* tidy changeset
---------
Co-authored-by: devin ivy <devinivy@gmail.com>
* Re-use code definition of oauthResponseTypeSchema
* Generate proper invalid_authorization_details
* Remove OpenID compatibility
* tidy
* properly verify presence of jti claim in client assertion
* Remove non-standard "sub" from OAuthTokenResponse
* Remove nonce from authorization request
* tidy
* Enforce uniqueness of code_challenge
* remove unused "atproto" scope
* Improve reporting of validation errors
* Allow empty set of scopes
* Do not remove scopes not advertised in the AS's "scopes_supported" when building the authorization request.
* Prevent empty scope string
* Remove invalid check from token response
* remove unnecessary session refresh
* Validate scopes characters according to OAuth 2.1 spec
* Mandate the use of "atproto" scope
* Disable ability to list app passwords when using an app password
* Use locally defined authPassthru in com.atproto.admin.* handlers
* provide proper production handle resolver in example
* properly compute login method
* feat(oauth-provider): always rotate session cookie on sign-in
* feat(oauth-provider): do not require consent from first party apps
* update request parameter's prompt before other param validation checks
* feat(oauth-provider): rework display of client name
* feat(oauth-client-browser:example): add token info introspection
* feat(oauth-client-browser:example): allow defining scope globally
* Display requested scopes during the auth flow
* Add, and verify, a "typ" header to access and refresh tokens
* Ignore case when checking for dpop auth scheme
* Add "jwtAlg" option to verifySignature() function
* Verify service JWT header values. Add iat claim to service JWT
* Add support for "transition:generic" and "transition:chat.bsky" oauth scopes in PDS
* oauth-client-browser(example): add scope request
* Add missing "atproto" scope
* Allow missing 'typ' claim in service auth jwt
* Improved 401 feedback
Co-authored-by: devin ivy <devinivy@gmail.com>
* Properly parse scopes upon verification
Co-authored-by: devin ivy <devinivy@gmail.com>
* Rename "atp" to "credential" auth in oauth-client-browser example
* add key to iteration items
* Make CORS protection stronger
* Allow OAuthProvider to define its own CORS policies
* Revert "Allow missing 'typ' claim in service auth jwt"
This reverts commit 15c6b9e2197064eb5de61a96de6497060edb824e.
* Revert "Verify service JWT header values. Add iat claim to service JWT"
This reverts commit 08df8df322a3f4b631c4a63a61d55b2c84c60c11.
* Revert "Add "jwtAlg" option to verifySignature() function"
This reverts commit d0f77354e6904678e7f5d76bb026f07537443ba9.
* Revert "Add, and verify, a "typ" header to access and refresh tokens"
This reverts commit 3e21be9e4b5875caa5e862c11f2196786fb2366d.
* pds: implement protected service auth methods
* Prevent app password management using sessions initiated from an app password.
* Alphabetically sort PROTECTED_METHODS
* Revert changes to app password management permissions
* tidy
---------
Co-authored-by: devin ivy <devinivy@gmail.com>
* use corepack, specify package manager, add nvmrc
* rm version in github action
---------
Co-authored-by: Samuel Newman <10959775+mozzius@users.noreply.github.com>