Service auth method binding - PDS

.changeset/metal-cameras-give.md

@@ -0,0 +1,5 @@
+---
+"@atproto/api": patch
+---
+
+Add lxm and exp parameters to com.atproto.server.getServiceAuth

.changeset/selfish-emus-wink.md

@@ -0,0 +1,6 @@
+---
+"@atproto/xrpc-server": minor
+"@atproto/pds": patch
+---
+
+Add lxm and nonce to signed service auth tokens.

lexicons/com/atproto/server/getServiceAuth.json

@@ -13,6 +13,15 @@
             "type": "string",
             "format": "did",
             "description": "The DID of the service that the token will be used to authenticate with"
+          },
+          "exp": {
+            "type": "integer",
+            "description": "The time in Unix Epoch seconds that the JWT expires. Defaults to 60 seconds in the future. The service may enforce certain time bounds on tokens depending on the requested scope."
+          },
+          "lxm": {
+            "type": "string",
+            "format": "nsid",
+            "description": "Lexicon (XRPC) method to bind the requested token to"
           }
         }
       },
@@ -27,7 +36,13 @@
             }
           }
         }
-      }
+      },
+      "errors": [
+        {
+          "name": "BadExpiration",
+          "description": "Indicates that the requested expiration date is not a valid. May be in the past or may be reliant on the requested scopes."
+        }
+      ]
     }
   }
 }

packages/api/src/client/lexicons.ts

@@ -2607,6 +2607,17 @@ export const schemaDict = {
               description:
                 'The DID of the service that the token will be used to authenticate with',
             },
+            exp: {
+              type: 'integer',
+              description:
+                'The time in Unix Epoch seconds that the JWT expires. Defaults to 60 seconds in the future. The service may enforce certain time bounds on tokens depending on the requested scope.',
+            },
+            lxm: {
+              type: 'string',
+              format: 'nsid',
+              description:
+                'Lexicon (XRPC) method to bind the requested token to',
+            },
           },
         },
         output: {
@@ -2621,6 +2632,13 @@ export const schemaDict = {
             },
           },
         },
+        errors: [
+          {
+            name: 'BadExpiration',
+            description:
+              'Indicates that the requested expiration date is not a valid. May be in the past or may be reliant on the requested scopes.',
+          },
+        ],
       },
     },
   },

packages/api/src/client/types/com/atproto/server/getServiceAuth.ts

@@ -10,6 +10,10 @@ import { CID } from 'multiformats/cid'
 export interface QueryParams {
   /** The DID of the service that the token will be used to authenticate with */
   aud: string
+  /** The time in Unix Epoch seconds that the JWT expires. Defaults to 60 seconds in the future. The service may enforce certain time bounds on tokens depending on the requested scope. */
+  exp?: number
+  /** Lexicon (XRPC) method to bind the requested token to */
+  lxm?: string
 }
 
 export type InputSchema = undefined
@@ -29,8 +33,15 @@ export interface Response {
   data: OutputSchema
 }
 
+export class BadExpirationError extends XRPCError {
+  constructor(src: XRPCError) {
+    super(src.status, src.error, src.message, src.headers)
+  }
+}
+
 export function toKnownErr(e: any) {
   if (e instanceof XRPCError) {
+    if (e.error === 'BadExpiration') return new BadExpirationError(e)
   }
   return e
 }

packages/bsky/src/auth-verifier.ts

@@ -248,7 +248,12 @@ export class AuthVerifier {
     if (!jwtStr) {
       throw new AuthRequiredError('missing jwt', 'MissingJwt')
     }
-    const payload = await verifyServiceJwt(jwtStr, opts.aud, getSigningKey)
+    const payload = await verifyServiceJwt(
+      jwtStr,
+      opts.aud,
+      null,
+      getSigningKey,
+    )
     return { iss: payload.iss, aud: payload.aud }
   }
 

packages/bsky/src/context.ts

@@ -3,7 +3,6 @@ import * as plc from '@did-plc/lib'
 import { IdResolver } from '@atproto/identity'
 import AtpAgent from '@atproto/api'
 import { Keypair } from '@atproto/crypto'
-import { createServiceJwt } from '@atproto/xrpc-server'
 import { ServerConfig } from './config'
 import { DataPlaneClient } from './data-plane/client'
 import { Hydrator } from './hydration/hydrator'
@@ -89,15 +88,6 @@ export class AppContext {
     return this.opts.featureGates
   }
 
-  async serviceAuthJwt(aud: string) {
-    const iss = this.cfg.serverDid
-    return createServiceJwt({
-      iss,
-      aud,
-      keypair: this.signingKey,
-    })
-  }
-
   reqLabelers(req: express.Request): ParsedLabelers {
     const val = req.header('atproto-accept-labelers')
     let parsed: ParsedLabelers | null

packages/bsky/src/lexicon/lexicons.ts

@@ -2607,6 +2607,17 @@ export const schemaDict = {
               description:
                 'The DID of the service that the token will be used to authenticate with',
             },
+            exp: {
+              type: 'integer',
+              description:
+                'The time in Unix Epoch seconds that the JWT expires. Defaults to 60 seconds in the future. The service may enforce certain time bounds on tokens depending on the requested scope.',
+            },
+            lxm: {
+              type: 'string',
+              format: 'nsid',
+              description:
+                'Lexicon (XRPC) method to bind the requested token to',
+            },
           },
         },
         output: {
@@ -2621,6 +2632,13 @@ export const schemaDict = {
             },
           },
         },
+        errors: [
+          {
+            name: 'BadExpiration',
+            description:
+              'Indicates that the requested expiration date is not a valid. May be in the past or may be reliant on the requested scopes.',
+          },
+        ],
       },
     },
   },

packages/bsky/src/lexicon/types/com/atproto/server/getServiceAuth.ts

@@ -11,6 +11,10 @@ import { HandlerAuth, HandlerPipeThrough } from '@atproto/xrpc-server'
 export interface QueryParams {
   /** The DID of the service that the token will be used to authenticate with */
   aud: string
+  /** The time in Unix Epoch seconds that the JWT expires. Defaults to 60 seconds in the future. The service may enforce certain time bounds on tokens depending on the requested scope. */
+  exp?: number
+  /** Lexicon (XRPC) method to bind the requested token to */
+  lxm?: string
 }
 
 export type InputSchema = undefined
@@ -31,6 +35,7 @@ export interface HandlerSuccess {
 export interface HandlerError {
   status: number
   message?: string
+  error?: 'BadExpiration'
 }
 
 export type HandlerOutput = HandlerError | HandlerSuccess | HandlerPipeThrough

packages/bsky/tests/admin/admin-auth.test.ts

@@ -71,6 +71,7 @@ describe('admin auth', () => {
     const headers = await createServiceAuthHeaders({
       iss: modServiceDid,
       aud: bskyDid,
+      lxm: null,
       keypair: modServiceKey,
     })
     await agent.api.com.atproto.admin.updateSubjectStatus(
@@ -96,6 +97,7 @@ describe('admin auth', () => {
     const headers = await createServiceAuthHeaders({
       iss: altModDid,
       aud: bskyDid,
+      lxm: null,
       keypair: modServiceKey,
     })
     const attempt = agent.api.com.atproto.admin.updateSubjectStatus(
@@ -116,6 +118,7 @@ describe('admin auth', () => {
     const headers = await createServiceAuthHeaders({
       iss: sc.dids.alice,
       aud: bskyDid,
+      lxm: null,
       keypair: aliceKey,
     })
     const attempt = agent.api.com.atproto.admin.updateSubjectStatus(
@@ -136,6 +139,7 @@ describe('admin auth', () => {
     const headers = await createServiceAuthHeaders({
       iss: modServiceDid,
       aud: bskyDid,
+      lxm: null,
       keypair: badKey,
     })
     const attempt = agent.api.com.atproto.admin.updateSubjectStatus(
@@ -158,6 +162,7 @@ describe('admin auth', () => {
     const headers = await createServiceAuthHeaders({
       iss: modServiceDid,
       aud: sc.dids.alice,
+      lxm: null,
       keypair: modServiceKey,
     })
     const attempt = agent.api.com.atproto.admin.updateSubjectStatus(

packages/bsky/tests/auth.test.ts

@@ -29,6 +29,7 @@ describe('auth', () => {
       const jwt = await createServiceJwt({
         iss: issuer,
         aud: network.bsky.ctx.cfg.serverDid,
+        lxm: null,
         keypair,
       })
       return agent.api.app.bsky.actor.getProfile(

packages/dev-env/src/network.ts

@@ -162,6 +162,7 @@ export class TestNetwork extends TestNetworkNoAppView {
     const jwt = await createServiceJwt({
       iss: did,
       aud: aud ?? this.bsky.ctx.cfg.serverDid,
+      lxm: null,
       keypair,
     })
     return { authorization: `Bearer ${jwt}` }

packages/dev-env/src/ozone-service-profile.ts

@@ -47,6 +47,7 @@ export class OzoneServiceProfile {
     const serviceJwtRes =
       await this.thirdPartyPdsClient.com.atproto.server.getServiceAuth({
         aud: newServerDid,
+        lxm: 'com.atproto.server.createAccount',
       })
     const serviceJwt = serviceJwtRes.data.token
 

packages/dev-env/src/ozone.ts

@@ -151,6 +151,7 @@ export class TestOzone {
     const jwt = await createServiceJwt({
       iss: account.did,
       aud: this.ctx.cfg.service.did,
+      lxm: null,
       keypair: account.key,
     })
     return { authorization: `Bearer ${jwt}` }

packages/ozone/src/auth-verifier.ts

@@ -106,7 +106,12 @@ export class AuthVerifier {
     if (!jwtStr) {
       throw new AuthRequiredError('missing jwt', 'MissingJwt')
     }
-    const payload = await verifyJwt(jwtStr, this.serviceDid, getSigningKey)
+    const payload = await verifyJwt(
+      jwtStr,
+      this.serviceDid,
+      null,
+      getSigningKey,
+    )
     const iss = payload.iss
 
     const member = await this.teamService.getMember(iss)

packages/ozone/src/context.ts

@@ -88,6 +88,7 @@ export class AppContext {
       createServiceAuthHeaders({
         iss: `${cfg.service.did}#atproto_labeler`,
         aud,
+        lxm: null,
         keypair: signingKey,
       })
 
@@ -230,6 +231,7 @@ export class AppContext {
     return createServiceAuthHeaders({
       iss,
       aud,
+      lxm: null,
       keypair: this.signingKey,
     })
   }

packages/ozone/src/daemon/context.ts

@@ -43,6 +43,7 @@ export class DaemonContext {
       createServiceAuthHeaders({
         iss: `${cfg.service.did}#atproto_labeler`,
         aud,
+        lxm: null,
         keypair: signingKey,
       })
 

packages/ozone/src/lexicon/lexicons.ts

@@ -2607,6 +2607,17 @@ export const schemaDict = {
               description:
                 'The DID of the service that the token will be used to authenticate with',
             },
+            exp: {
+              type: 'integer',
+              description:
+                'The time in Unix Epoch seconds that the JWT expires. Defaults to 60 seconds in the future. The service may enforce certain time bounds on tokens depending on the requested scope.',
+            },
+            lxm: {
+              type: 'string',
+              format: 'nsid',
+              description:
+                'Lexicon (XRPC) method to bind the requested token to',
+            },
           },
         },
         output: {
@@ -2621,6 +2632,13 @@ export const schemaDict = {
             },
           },
         },
+        errors: [
+          {
+            name: 'BadExpiration',
+            description:
+              'Indicates that the requested expiration date is not a valid. May be in the past or may be reliant on the requested scopes.',
+          },
+        ],
       },
     },
   },

packages/ozone/src/lexicon/types/com/atproto/server/getServiceAuth.ts

@@ -11,6 +11,10 @@ import { HandlerAuth, HandlerPipeThrough } from '@atproto/xrpc-server'
 export interface QueryParams {
   /** The DID of the service that the token will be used to authenticate with */
   aud: string
+  /** The time in Unix Epoch seconds that the JWT expires. Defaults to 60 seconds in the future. The service may enforce certain time bounds on tokens depending on the requested scope. */
+  exp?: number
+  /** Lexicon (XRPC) method to bind the requested token to */
+  lxm?: string
 }
 
 export type InputSchema = undefined
@@ -31,6 +35,7 @@ export interface HandlerSuccess {
 export interface HandlerError {
   status: number
   message?: string
+  error?: 'BadExpiration'
 }
 
 export type HandlerOutput = HandlerError | HandlerSuccess | HandlerPipeThrough

packages/pds/src/api/app/bsky/feed/getFeed.ts

@@ -1,6 +1,7 @@
 import { Server } from '../../../../lexicon'
 import AppContext from '../../../../context'
 import { pipethrough } from '../../../../pipethrough'
+import { ids } from '../../../../lexicon/lexicons'
 
 export default function (server: Server, ctx: AppContext) {
   const { appViewAgent } = ctx
@@ -14,9 +15,18 @@ export default function (server: Server, ctx: AppContext) {
       const { data: feed } =
         await appViewAgent.api.app.bsky.feed.getFeedGenerator(
           { feed: params.feed },
-          await ctx.appviewAuthHeaders(requester),
+          await ctx.appviewAuthHeaders(
+            requester,
+            ids.AppBskyFeedGetFeedGenerator,
+          ),
         )
-      return pipethrough(ctx, req, requester, feed.view.did)
+      return pipethrough(
+        ctx,
+        req,
+        requester,
+        feed.view.did,
+        ids.AppBskyFeedGetFeedSkeleton,
+      )
     },
   })
 }

packages/pds/src/api/app/bsky/feed/getPostThread.ts

@@ -22,6 +22,7 @@ import {
   formatMungedResponse,
 } from '../../../../read-after-write'
 import { pipethrough } from '../../../../pipethrough'
+import { ids } from '../../../../lexicon/lexicons'
 
 const METHOD_NSID = 'app.bsky.feed.getPostThread'
 
@@ -189,7 +190,7 @@ const readAfterWriteNotFound = async (
       assert(ctx.appViewAgent)
       const parentsRes = await ctx.appViewAgent.api.app.bsky.feed.getPostThread(
         { uri: highestParent, parentHeight: params.parentHeight, depth: 0 },
-        await ctx.appviewAuthHeaders(requester),
+        await ctx.appviewAuthHeaders(requester, ids.AppBskyFeedGetPostThread),
       )
       thread.parent = parentsRes.data.thread
     } catch (err) {