+1

docs/TEST_AUDIT.md

reviewed

··· 56 56 - Remote `did:plc` DID docs should resolve through the PLC directory defaults even when `plc_url` is not explicitly configured; gating that path on local config silently breaks federated identity lookups. 57 57 - `com.atproto.repo.getRecord` must honor `cid` when present, and `putRecord` / `deleteRecord` must actually enforce `swapRecord`; those negative edges are now covered directly. 58 58 - `com.atproto.repo.createRecord` follows the reference runtime by ignoring a stray `swapRecord` field, and direct reference coverage now pins `putRecord` / `deleteRecord` `swapCommit` and `swapRecord` mismatch semantics explicitly. 59 59 + - App-password sessions follow the official runtime more closely than the older local assumptions did: access-token scopes use the `com.atproto.appPass` / `com.atproto.appPassPrivileged` names, standard app-password sessions may list app passwords, privileged-only `getServiceAuth` failures report `InvalidRequest`, and revoked refresh tokens on `refreshSession` fail with `400 ExpiredToken`. 59 60 - `com.atproto.server.requestPasswordReset` and `com.atproto.server.deleteAccount` now follow the reference form-token flow, with focused regression coverage for missing-account and bearerless deletion semantics. 60 61 - `com.atproto.server.createAccount` with an explicit `did` must behave like an authenticated migration flow: require auth from that same DID, keep the existing DID document, and start the new account deactivated until activation catches the DID document up to the new PDS. 61 62 - `com.atproto.server.checkAccountStatus` must validate the stored DID document against the PDS service endpoint and signing key, and `com.atproto.repo.describeRepo` must derive `didDoc` / `handleIsCorrect` from that document instead of hardcoding success.

+1 -1

lib/ATProto/PDS/API/Helpers.pm

reviewed

··· 70 70 if (verify_password($password, $salt, $hash)) { 71 71 return { 72 72 kind => 'app_password', 73 73 - scope => $app_password->{privileged} ? 'app_password_privileged' : 'app_password', 73 73 + scope => $app_password->{privileged} ? 'com.atproto.appPassPrivileged' : 'com.atproto.appPass', 74 74 app_password_name => $app_password->{name}, 75 75 }; 76 76 }

+19 -6

lib/ATProto/PDS/API/Server.pm

reviewed

··· 242 242 }); 243 243 244 244 $registry->register('com.atproto.server.refreshSession', sub ($c, $endpoint) { 245 245 - my (undef, $account, $session) = require_auth($c, audience => TOKEN_AUD_REFRESH); 245 245 + my (undef, $account, $session); 246 246 + my $ok = eval { 247 247 + (undef, $account, $session) = require_auth($c, audience => TOKEN_AUD_REFRESH); 248 248 + 1; 249 249 + }; 250 250 + if (!$ok) { 251 251 + my $err = $@; 252 252 + if (ref($err) eq 'HASH' && ($err->{error} // q()) eq 'ExpiredToken') { 253 253 + xrpc_error(400, 'ExpiredToken', $err->{message}); 254 254 + } 255 255 + die $err; 256 256 + } 246 257 assert_login_allowed($c, $account, allow_deactivated => 1); 247 258 my $rotated = $c->store->rotate_session($session->{id}); 248 248 - xrpc_error(401, 'ExpiredToken', 'Refresh session has already been revoked') unless $rotated; 259 259 + xrpc_error(400, 'ExpiredToken', 'Refresh session has already been revoked') unless $rotated; 249 260 return _session_response($c, $account, $rotated); 250 261 }); 251 262 ··· 311 322 my (undef, $account) = require_auth( 312 323 $c, 313 324 audience => TOKEN_AUD_ACCESS, 314 314 - required_scope => 'full', 325 325 + required_scope => 'standard', 315 326 disallow_oauth => 1, 316 327 ); 317 328 my $rows = $c->store->list_app_passwords_by_did($account->{did}); ··· 626 637 lxm => $rpc_lxm, 627 638 ); 628 639 } elsif (length($normalized_lxm) && _service_auth_method_requires_privileged_access($normalized_lxm) && !_scope_allows($scope, 'privileged')) { 629 629 - xrpc_error(400, 'InvalidToken', 'Bad token scope'); 640 640 + xrpc_error(400, 'InvalidRequest', 'Bad token scope'); 630 641 } 631 642 my $requested_exp = $c->param('exp'); 632 643 my $now = time; ··· 1044 1055 sub _canonical_access_scope ($scope = undef) { 1045 1056 return TOKEN_AUD_ACCESS unless defined $scope && length $scope; 1046 1057 return TOKEN_AUD_ACCESS if $scope eq 'atproto'; 1058 1058 + return 'com.atproto.appPass' if $scope eq 'app_password'; 1059 1059 + return 'com.atproto.appPassPrivileged' if $scope eq 'app_password_privileged'; 1047 1060 return $scope; 1048 1061 } 1049 1062 ··· 1066 1079 return 1 if !defined($required_scope) || !length($required_scope); 1067 1080 return $scope eq TOKEN_AUD_ACCESS 1068 1081 if $required_scope eq 'full'; 1069 1069 - return $scope eq TOKEN_AUD_ACCESS || $scope eq 'app_password_privileged' 1082 1082 + return $scope eq TOKEN_AUD_ACCESS || $scope eq 'com.atproto.appPassPrivileged' 1070 1083 if $required_scope eq 'privileged'; 1071 1071 - return $scope eq TOKEN_AUD_ACCESS || $scope eq 'app_password' || $scope eq 'app_password_privileged' 1084 1084 + return $scope eq TOKEN_AUD_ACCESS || $scope eq 'com.atproto.appPass' || $scope eq 'com.atproto.appPassPrivileged' 1072 1085 if $required_scope eq 'standard'; 1073 1086 return 0; 1074 1087 }

+162

script/differential-validate

reviewed

··· 682 682 'refreshSession grace and successor semantics match the official reference PDS', 683 683 ); 684 684 685 685 + note('Comparing app password semantics'); 686 686 + for my $name (sort keys %server) { 687 687 + my $create_phone = post_json( 688 688 + $server{$name}{origin}, 689 689 + 'com.atproto.server.createAppPassword', 690 690 + { name => 'phone' }, 691 691 + auth_header($server{$name}{access}), 692 692 + ); 693 693 + check($create_phone->is_success, "$name createAppPassword succeeds for a standard app password"); 694 694 + 695 695 + my $create_desktop = post_json( 696 696 + $server{$name}{origin}, 697 697 + 'com.atproto.server.createAppPassword', 698 698 + { 699 699 + name => 'desktop', 700 700 + privileged => true, 701 701 + }, 702 702 + auth_header($server{$name}{access}), 703 703 + ); 704 704 + check($create_desktop->is_success, "$name createAppPassword succeeds for a privileged app password"); 705 705 + next unless $create_phone->is_success && $create_desktop->is_success; 706 706 + 707 707 + my $phone_json = $create_phone->json || {}; 708 708 + my $desktop_json = $create_desktop->json || {}; 709 709 + 710 710 + my $list_before = get_json( 711 711 + $server{$name}{origin}, 712 712 + 'com.atproto.server.listAppPasswords', 713 713 + undef, 714 714 + auth_header($server{$name}{access}), 715 715 + ); 716 716 + check($list_before->is_success, "$name listAppPasswords succeeds after creation"); 717 717 + 718 718 + my $phone_session = post_json( 719 719 + $server{$name}{origin}, 720 720 + 'com.atproto.server.createSession', 721 721 + { 722 722 + identifier => $server{$name}{handle}, 723 723 + password => $phone_json->{password}, 724 724 + }, 725 725 + ); 726 726 + check($phone_session->is_success, "$name createSession succeeds with the standard app password"); 727 727 + 728 728 + my $desktop_session = post_json( 729 729 + $server{$name}{origin}, 730 730 + 'com.atproto.server.createSession', 731 731 + { 732 732 + identifier => $server{$name}{handle}, 733 733 + password => $desktop_json->{password}, 734 734 + }, 735 735 + ); 736 736 + check($desktop_session->is_success, "$name createSession succeeds with the privileged app password"); 737 737 + 738 738 + my $phone_access = ($phone_session->json || {})->{accessJwt}; 739 739 + my $phone_refresh = ($phone_session->json || {})->{refreshJwt}; 740 740 + my $desktop_access = ($desktop_session->json || {})->{accessJwt}; 741 741 + 742 742 + my $nested_create = post_json( 743 743 + $server{$name}{origin}, 744 744 + 'com.atproto.server.createAppPassword', 745 745 + { name => 'nested' }, 746 746 + auth_header($phone_access), 747 747 + ); 748 748 + my $phone_list = get_json( 749 749 + $server{$name}{origin}, 750 750 + 'com.atproto.server.listAppPasswords', 751 751 + undef, 752 752 + auth_header($phone_access), 753 753 + ); 754 754 + my $phone_service_auth = get_form( 755 755 + $server{$name}{origin}, 756 756 + 'com.atproto.server.getServiceAuth', 757 757 + { 758 758 + aud => 'did:web:api.bsky.app', 759 759 + lxm => 'com.atproto.server.createaccount', 760 760 + }, 761 761 + auth_header($phone_access), 762 762 + ); 763 763 + my $desktop_service_auth = get_form( 764 764 + $server{$name}{origin}, 765 765 + 'com.atproto.server.getServiceAuth', 766 766 + { 767 767 + aud => 'did:web:api.bsky.app', 768 768 + lxm => 'com.atproto.server.createaccount', 769 769 + }, 770 770 + auth_header($desktop_access), 771 771 + ); 772 772 + 773 773 + my $revoke_phone = post_json( 774 774 + $server{$name}{origin}, 775 775 + 'com.atproto.server.revokeAppPassword', 776 776 + { name => 'phone' }, 777 777 + auth_header($server{$name}{access}), 778 778 + ); 779 779 + check($revoke_phone->is_success, "$name revokeAppPassword succeeds for the standard app password"); 780 780 + 781 781 + my $revoked_refresh = post_empty( 782 782 + $server{$name}{origin}, 783 783 + 'com.atproto.server.refreshSession', 784 784 + auth_header($phone_refresh), 785 785 + ); 786 786 + my $list_after = get_json( 787 787 + $server{$name}{origin}, 788 788 + 'com.atproto.server.listAppPasswords', 789 789 + undef, 790 790 + auth_header($server{$name}{access}), 791 791 + ); 792 792 + 793 793 + my %before_passwords = map { 794 794 + ( 795 795 + ($_->{name} // q()) => { 796 796 + privileged => $_->{privileged} ? 1 : 0, 797 797 + } 798 798 + ) 799 799 + } @{ ($list_before->json || {})->{passwords} || [] }; 800 800 + 801 801 + my %after_passwords = map { 802 802 + ( 803 803 + ($_->{name} // q()) => { 804 804 + privileged => $_->{privileged} ? 1 : 0, 805 805 + } 806 806 + ) 807 807 + } @{ ($list_after->json || {})->{passwords} || [] }; 808 808 + 809 809 + $server{$name}{app_passwords} = { 810 810 + phone_create => { 811 811 + name => $phone_json->{name} // q(), 812 812 + has_password => length($phone_json->{password} // q()) ? 1 : 0, 813 813 + privileged => $phone_json->{privileged} ? 1 : 0, 814 814 + }, 815 815 + desktop_create => { 816 816 + name => $desktop_json->{name} // q(), 817 817 + has_password => length($desktop_json->{password} // q()) ? 1 : 0, 818 818 + privileged => $desktop_json->{privileged} ? 1 : 0, 819 819 + }, 820 820 + list_before => { 821 821 + passwords => \%before_passwords, 822 822 + }, 823 823 + phone_session_scope => jwt_claims($phone_access)->{scope} // q(), 824 824 + desktop_session_scope => jwt_claims($desktop_access)->{scope} // q(), 825 825 + nested_create_error => normalize_xrpc_error($nested_create), 826 826 + phone_list_error => normalize_xrpc_error($phone_list), 827 827 + phone_service_auth => normalize_xrpc_error($phone_service_auth), 828 828 + desktop_service_auth => { 829 829 + status => $desktop_service_auth->code, 830 830 + has_token => length((($desktop_service_auth->json || {})->{token}) // q()) ? 1 : 0, 831 831 + }, 832 832 + revoked_refresh_error => normalize_xrpc_error($revoked_refresh), 833 833 + list_after => { 834 834 + passwords => \%after_passwords, 835 835 + }, 836 836 + }; 837 837 + } 838 838 + 839 839 + if (!same_hash($server{reference}{app_passwords}, $server{perlsky}{app_passwords})) { 840 840 + note('reference app passwords: ' . encode_json($server{reference}{app_passwords})); 841 841 + note('perlsky app passwords: ' . encode_json($server{perlsky}{app_passwords})); 842 842 + fail_check('app password lifecycle semantics match the official reference PDS'); 843 843 + } else { 844 844 + pass('app password lifecycle semantics match the official reference PDS'); 845 845 + } 846 846 + 685 847 if ($diff_account_did_method eq 'did:plc') { 686 848 note('Comparing PLC identity semantics'); 687 849 for my $name (sort keys %server) {

+2 -2

t/auth-jwt.t

reviewed

··· 102 102 id => 'sess-app', 103 103 did => $account->{did}, 104 104 kind => 'app_password', 105 105 - scope => 'app_password', 105 105 + scope => 'com.atproto.appPass', 106 106 expires_at => 1_900_000_000, 107 107 ); 108 108 my $full_session = $store->create_session( ··· 118 118 iss => 'did:web:example.test', 119 119 sub => $account->{did}, 120 120 aud => TOKEN_AUD_ACCESS, 121 121 - scope => 'app_password', 121 121 + scope => 'com.atproto.appPass', 122 122 typ => TOKEN_AUD_ACCESS, 123 123 jti => $app_session->{id}, 124 124 exp => 1_900_000_000,

+11 -8

t/server-auth.t

reviewed

··· 126 126 my $app_session = $t->tx->res->json; 127 127 my (undef, $app_claims_b64, undef) = split /\./, $app_session->{accessJwt}, 3; 128 128 my $app_claims = decode_json(_b64url_decode($app_claims_b64)); 129 129 - is($app_claims->{scope}, 'app_password', 'app password login issues an app password-scoped access token'); 129 129 + is($app_claims->{scope}, 'com.atproto.appPass', 'app password login issues an app password-scoped access token'); 130 130 131 131 $t->post_ok('/xrpc/com.atproto.server.createSession' => json => { 132 132 identifier => 'alice.localhost', ··· 137 137 my $privileged_app_session = $t->tx->res->json; 138 138 is( 139 139 _jwt_claims($privileged_app_session->{accessJwt})->{scope}, 140 140 - 'app_password_privileged', 140 140 + 'com.atproto.appPassPrivileged', 141 141 'privileged app password login preserves privileged scope', 142 142 ); 143 143 ··· 145 145 ->status_is(200) 146 146 ->json_is('/did' => $did); 147 147 148 148 + $t->get_ok('/xrpc/com.atproto.server.listAppPasswords' => { Authorization => "Bearer $app_session->{accessJwt}" }) 149 149 + ->status_is(200); 150 150 + 151 151 + my %app_scoped_password = map { $_->{name} => $_ } @{ $t->tx->res->json->{passwords} || [] }; 152 152 + is($app_scoped_password{phone}{privileged}, 0, 'app-password sessions can list standard app passwords'); 153 153 + is($app_scoped_password{desktop}{privileged}, 1, 'app-password sessions can list privileged app passwords'); 154 154 + 148 155 $t->get_ok('/xrpc/com.atproto.server.getServiceAuth?aud=did:web:api.bsky.app&lxm=com.atproto.server.createaccount' => { 149 156 Authorization => "Bearer $app_session->{accessJwt}", 150 157 })->status_is(400) 151 151 - ->json_is('/error' => 'InvalidToken'); 158 158 + ->json_is('/error' => 'InvalidRequest'); 152 159 153 160 $t->get_ok('/xrpc/com.atproto.server.getServiceAuth?aud=did:web:api.bsky.app&lxm=com.atproto.server.createaccount' => { 154 161 Authorization => "Bearer $privileged_app_session->{accessJwt}", ··· 160 167 })->status_is(400) 161 168 ->json_is('/error' => 'InvalidToken'); 162 169 163 163 - $t->get_ok('/xrpc/com.atproto.server.listAppPasswords' => { Authorization => "Bearer $app_session->{accessJwt}" }) 164 164 - ->status_is(400) 165 165 - ->json_is('/error' => 'InvalidToken'); 166 166 - 167 170 $t->post_ok('/xrpc/com.atproto.server.revokeAppPassword' => { Authorization => "Bearer $app_session->{accessJwt}" } => json => { 168 171 name => 'desktop', 169 172 })->status_is(400) ··· 178 181 })->status_is(200); 179 182 180 183 $t->post_ok('/xrpc/com.atproto.server.refreshSession' => { Authorization => "Bearer $app_session->{refreshJwt}" } => json => {}) 181 181 - ->status_is(401) 184 184 + ->status_is(400) 182 185 ->json_is('/error' => 'ExpiredToken') 183 186 ->json_is('/message' => 'Token session has already been revoked'); 184 187