🚧 OAuth2 - Authorization Server

.changeset/clever-monkeys-sparkle.md

@@ -0,0 +1,23 @@
+---
+"@atproto/pds": patch
+"@atproto-labs/rollup-plugin-bundle-manifest": minor
+"@atproto-labs/handle-resolver-node": minor
+"@atproto-labs/simple-store-memory": minor
+"@atproto-labs/identity-resolver": minor
+"@atproto/oauth-client-browser": minor
+"@atproto-labs/handle-resolver": minor
+"@atproto-labs/did-resolver": minor
+"@atproto-labs/simple-store": minor
+"@atproto/oauth-provider": minor
+"@atproto-labs/fetch-node": minor
+"@atproto/jwk-webcrypto": minor
+"@atproto/oauth-client": minor
+"@atproto/oauth-types": minor
+"@atproto-labs/fetch": minor
+"@atproto/jwk-jose": minor
+"@atproto-labs/pipe": minor
+"@atproto/jwk": minor
+"@atproto/did": minor
+---
+
+Add OAuth provider capability & support for DPoP signed tokens

.eslintrc

@@ -18,6 +18,7 @@
     "no-var": "error",
     "prefer-const": "warn",
     "no-misleading-character-class": "warn",
+    "eqeqeq": ["error", "always", { "null": "ignore" }],
     "@typescript-eslint/no-unused-vars": [
       "warn",
       { "argsIgnorePattern": "^_", "varsIgnorePattern": "^_" }

.github/workflows/repo.yaml

@@ -27,7 +27,9 @@ jobs:
       - uses: actions/upload-artifact@v4
         with:
           name: dist
-          path: packages/*/dist
+          path: |
+            packages/*/dist
+            packages/*/*/dist
           retention-days: 1
   test:
     name: Test

.gitignore

@@ -2,14 +2,14 @@ node_modules
 lerna-debug.log
 npm-debug.log
 yarn-error.log
-packages/*/dist
+packages/**/dist
 .idea
 packages/*/coverage
 .vscode/
 test.sqlite
 .DS_Store
 *.log
-tsconfig.build.tsbuildinfo
+*.tsbuildinfo
 .*.env
 .env
 \#*\#

package.json

@@ -19,7 +19,7 @@
     "verify:types": "tsc --build tsconfig.json",
     "format": "pnpm lint:fix && pnpm style:fix",
     "build": "pnpm --recursive --stream build",
-    "dev": "pnpm --stream '/^dev:.+$/'",
+    "dev": "NODE_ENV=development pnpm --stream '/^dev:.+$/'",
     "dev:tsc": "tsc --build tsconfig.json --watch",
     "dev:pkg": "pnpm --recursive --parallel --stream dev",
     "test": "LOG_ENABLED=false ./packages/dev-infra/with-test-redis-and-db.sh pnpm --stream -r test",
@@ -51,7 +51,9 @@
   },
   "workspaces": {
     "packages": [
-      "packages/*"
+      "packages/*",
+      "packages/oauth/*",
+      "packages/internal/*"
     ]
   }
 }

packages/README.md

@@ -13,6 +13,7 @@
 - [Crypto](./crypto): Atproto's common cryptographic operations.
 - [Syntax](./syntax): A library for identifier syntax: NSID, AT URI, handles, etc.
 - [Lexicon](./lexicon): A library for validating data using atproto's schema system.
+- [OAuth Provider](./oauth/oauth-provider): A library for supporting ATPROTO's OAuth.
 - [Repo](./repo): The "atproto repository" core implementation (a Merkle Search Tree).
 - [XRPC](./xrpc): An XRPC client implementation.
 - [XRPC Server](./xrpc-server): An XRPC server implementation.

packages/api/tests/agent.test.ts

@@ -355,7 +355,7 @@ describe('agent', () => {
 
     expect(events.length).toEqual(2)
     expect(events[0]).toEqual('create-failed')
-    expect(events[1]).toEqual('network-error')
+    expect(events[1]).toEqual('expired')
     expect(sessions.length).toEqual(2)
     expect(typeof sessions[0]).toEqual('undefined')
     expect(typeof sessions[1]).toEqual('undefined')

packages/bsky/package.json

@@ -51,7 +51,7 @@
     "multiformats": "^9.9.0",
     "p-queue": "^6.6.2",
     "pg": "^8.10.0",
-    "pino": "^8.15.0",
+    "pino": "^8.21.0",
     "pino-http": "^8.2.1",
     "sharp": "^0.32.6",
     "structured-headers": "^1.0.1",

packages/bsky/src/hydration/util.ts

@@ -67,9 +67,7 @@ export const parseRecordBytes = <T>(
   return parseJsonBytes(bytes) as T
 }
 
-export const parseJsonBytes = (
-  bytes: Uint8Array | undefined,
-): JSON | undefined => {
+export const parseJsonBytes = (bytes: Uint8Array | undefined): unknown => {
   if (!bytes || bytes.byteLength === 0) return
   const parsed = JSON.parse(ui8.toString(bytes, 'utf8'))
   return parsed ?? undefined

packages/bsky/src/logger.ts

@@ -1,8 +1,6 @@
-import pino from 'pino'
+import { stdSerializers } from 'pino'
 import pinoHttp from 'pino-http'
-import * as jose from 'jose'
 import { subsystemLogger } from '@atproto/common'
-import { parseBasicAuth } from './auth-verifier'
 
 export const dbLogger: ReturnType<typeof subsystemLogger> =
   subsystemLogger('bsky:db')
@@ -20,40 +18,85 @@ export const httpLogger: ReturnType<typeof subsystemLogger> =
 export const loggerMiddleware = pinoHttp({
   logger: httpLogger,
   serializers: {
-    err: (err) => {
-      return {
-        code: err?.code,
-        message: err?.message,
-      }
-    },
-    req: (req) => {
-      const serialized = pino.stdSerializers.req(req)
-      const authHeader = serialized.headers.authorization || ''
-      let auth: string | undefined = undefined
-      if (authHeader.startsWith('Bearer ')) {
-        const token = authHeader.slice('Bearer '.length)
-        const { iss } = jose.decodeJwt(token)
-        if (iss) {
-          auth = 'Bearer ' + iss
-        } else {
-          auth = 'Bearer Invalid'
-        }
-      }
-      if (authHeader.startsWith('Basic ')) {
-        const parsed = parseBasicAuth(authHeader)
-        if (!parsed) {
-          auth = 'Basic Invalid'
-        } else {
-          auth = 'Basic ' + parsed.username
-        }
-      }
-      return {
-        ...serialized,
-        headers: {
-          ...serialized.headers,
-          authorization: auth,
-        },
-      }
-    },
+    err: errSerializer,
+    req: reqSerializer,
   },
 })
+
+function errSerializer(err: any) {
+  return {
+    code: err?.code,
+    message: err?.message,
+  }
+}
+
+function reqSerializer(req: any) {
+  const serialized = stdSerializers.req(req)
+  serialized.headers = obfuscateHeaders(serialized.headers)
+  return serialized
+}
+
+function obfuscateHeaders(headers: Record<string, string>) {
+  const obfuscatedHeaders: Record<string, string> = {}
+  for (const key in headers) {
+    if (key.toLowerCase() === 'authorization') {
+      obfuscatedHeaders[key] = obfuscateAuthHeader(headers[key])
+    } else if (key.toLowerCase() === 'dpop') {
+      obfuscatedHeaders[key] = obfuscateJws(headers[key]) || 'Invalid'
+    } else {
+      obfuscatedHeaders[key] = headers[key]
+    }
+  }
+  return obfuscatedHeaders
+}
+
+function obfuscateAuthHeader(authHeader: string): string {
+  // This is a hot path (runs on every request). Avoid using split() or regex.
+
+  const spaceIdx = authHeader.indexOf(' ')
+  if (spaceIdx === -1) return 'Invalid'
+
+  const type = authHeader.slice(0, spaceIdx)
+  switch (type.toLowerCase()) {
+    case 'bearer':
+      return `${type} ${obfuscateBearer(authHeader.slice(spaceIdx + 1))}`
+    case 'dpop':
+      return `${type} ${obfuscateJws(authHeader.slice(spaceIdx + 1)) || 'Invalid'}`
+    case 'basic':
+      return `${type} ${obfuscateBasic(authHeader.slice(spaceIdx + 1)) || 'Invalid'}`
+    default:
+      return `Invalid`
+  }
+}
+
+function obfuscateBasic(token: string): null | string {
+  if (!token) return null
+  const buffer = Buffer.from(token, 'base64')
+  if (!buffer.length) return null // Buffer.from will silently ignore invalid base64 chars
+  const authHeader = buffer.toString('utf8')
+  const colIdx = authHeader.indexOf(':')
+  if (colIdx === -1) return null
+  const username = authHeader.slice(0, colIdx)
+  return `${username}:***`
+}
+
+function obfuscateBearer(token: string): string {
+  return obfuscateJws(token) || obfuscateToken(token)
+}
+
+function obfuscateToken(token: string): string {
+  return token ? '***' : ''
+}
+
+function obfuscateJws(token: string): null | string {
+  const firstDot = token.indexOf('.')
+  if (firstDot === -1) return null
+
+  const secondDot = token.indexOf('.', firstDot + 1)
+  if (secondDot === -1) return null
+
+  if (token.indexOf('.', secondDot + 1) !== -1) return null
+
+  // Strip the signature
+  return token.slice(0, secondDot) + '.obfuscated'
+}

packages/common-web/package.json

@@ -22,7 +22,7 @@
     "graphemer": "^1.4.0",
     "multiformats": "^9.9.0",
     "uint8arrays": "3.0.0",
-    "zod": "^3.21.4"
+    "zod": "^3.23.8"
   },
   "devDependencies": {
     "jest": "^28.1.2"

packages/common-web/src/check.ts

@@ -1,10 +1,11 @@
-import { ZodError } from 'zod'
+// Explicitly not using "zod" types here to avoid mismatching types due to
+// version differences.
 
 export interface Checkable<T> {
   parse: (obj: unknown) => T
   safeParse: (
     obj: unknown,
-  ) => { success: true; data: T } | { success: false; error: ZodError }
+  ) => { success: true; data: T } | { success: false; error: Error }
 }
 
 export interface Def<T> {

packages/common/package.json

@@ -24,7 +24,7 @@
     "cbor-x": "^1.5.1",
     "iso-datestring-validator": "^2.2.2",
     "multiformats": "^9.9.0",
-    "pino": "^8.15.0"
+    "pino": "^8.21.0"
   },
   "devDependencies": {
     "jest": "^28.1.2",

packages/dev-env/package.json

@@ -17,7 +17,8 @@
   "bin": "dist/bin.js",
   "scripts": {
     "build": "tsc --build tsconfig.build.json",
-    "start": "../dev-infra/with-test-redis-and-db.sh node dist/bin.js"
+    "start": "../dev-infra/with-test-redis-and-db.sh node dist/bin.js",
+    "dev": "../dev-infra/with-test-redis-and-db.sh node --watch dist/bin.js"
   },
   "dependencies": {
     "@atproto/api": "workspace:^",

packages/dev-env/src/bin.ts

@@ -27,6 +27,7 @@ const run = async () => {
     },
     plc: { port: 2582 },
     ozone: {
+      port: 2587,
       chatUrl: 'http://localhost:2590', // must run separate chat service
       chatDid: 'did:example:chat',
     },

packages/dev-env/src/pds.ts

@@ -45,6 +45,16 @@ export class TestPds {
       modServiceDid: 'did:example:invalid',
       plcRotationKeyK256PrivateKeyHex: plcRotationPriv,
       inviteRequired: false,
+      fetchDisableSsrfProtection: true,
+      serviceName: 'Development PDS',
+      primaryColor: '#ffcb1e',
+      errorColor: undefined,
+      logoUrl:
+        'https://uxwing.com/wp-content/themes/uxwing/download/animals-and-birds/bee-icon.png',
+      homeUrl: 'https://bsky.social/',
+      termsOfServiceUrl: 'https://bsky.social/about/support/tos',
+      privacyPolicyUrl: 'https://bsky.social/about/support/privacy-policy',
+      supportUrl: 'https://blueskyweb.zendesk.com/hc/en-us',
       ...config,
     }
     const cfg = pds.envToCfg(env)

packages/did/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@atproto/did",
+  "version": "0.0.1",
+  "license": "MIT",
+  "description": "DID resolution and verification library",
+  "keywords": [
+    "atproto",
+    "did",
+    "validation",
+    "types"
+  ],
+  "homepage": "https://atproto.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bluesky-social/atproto",
+    "directory": "packages/did"
+  },
+  "type": "commonjs",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "dependencies": {
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "typescript": "^5.3.3"
+  },
+  "scripts": {
+    "build": "tsc --build tsconfig.build.json"
+  }
+}