✨ Allow appeals on takendown account (#3251)

* ✨ Allow appeals on takendown account

* ✅ Update snapshot

* ✅ Remove duplicate test

* ✨ Respond with takendown token from createSession for takendown accounts

* 🧹 cleanup appeal account action stuff

* 📝 Add description to new field

* ♻️ Refactor authscope formatter and add test for create record with takendown token

* ✅ Update snapshot

* add createReport route

* changeset

---------

Co-authored-by: dholms <[email protected]>

.changeset/kind-meals-grab.md

@@ -0,0 +1,5 @@
+---
+"@atproto/pds": patch
+---
+
+Allow takendown account scope on access tokens. Allow takendown accounts to createReports at discretion of the moderation service

.changeset/large-laws-hang.md

@@ -0,0 +1,5 @@
+---
+"@atproto/api": patch
+---
+
+Allow createSession to request takendown account scope

lexicons/com/atproto/server/createSession.json

@@ -16,7 +16,11 @@
               "description": "Handle or other identifier supported by the server for the authenticating user."
             },
             "password": { "type": "string" },
-            "authFactorToken": { "type": "string" }
+            "authFactorToken": { "type": "string" },
+            "allowTakendown": {
+              "type": "boolean",
+              "description": "When true, instead of throwing error for takendown accounts, a valid response with a narrow scoped token will be returned"
+            }
           }
         }
       },

packages/api/src/client/lexicons.ts

@@ -2412,6 +2412,11 @@ export const schemaDict = {
               authFactorToken: {
                 type: 'string',
               },
+              allowTakendown: {
+                type: 'boolean',
+                description:
+                  'When true, instead of throwing error for takendown accounts, a valid response with a narrow scoped token will be returned',
+              },
             },
           },
         },

packages/api/src/client/types/com/atproto/server/createSession.ts

@@ -14,6 +14,8 @@ export interface InputSchema {
   identifier: string
   password: string
   authFactorToken?: string
+  /** When true, instead of throwing error for takendown accounts, a valid response with a narrow scoped token will be returned */
+  allowTakendown?: boolean
   [k: string]: unknown
 }
 

packages/bsky/src/lexicon/lexicons.ts

@@ -2412,6 +2412,11 @@ export const schemaDict = {
               authFactorToken: {
                 type: 'string',
               },
+              allowTakendown: {
+                type: 'boolean',
+                description:
+                  'When true, instead of throwing error for takendown accounts, a valid response with a narrow scoped token will be returned',
+              },
             },
           },
         },

packages/bsky/src/lexicon/types/com/atproto/server/createSession.ts

@@ -15,6 +15,8 @@ export interface InputSchema {
   identifier: string
   password: string
   authFactorToken?: string
+  /** When true, instead of throwing error for takendown accounts, a valid response with a narrow scoped token will be returned */
+  allowTakendown?: boolean
   [k: string]: unknown
 }
 

packages/ozone/src/api/report/createReport.ts

@@ -2,9 +2,13 @@ import { Server } from '../../lexicon'
 import AppContext from '../../context'
 import { getReasonType } from '../util'
 import { subjectFromInput } from '../../mod-service/subject'
-import { REASONAPPEAL } from '../../lexicon/types/com/atproto/moderation/defs'
+import {
+  REASONAPPEAL,
+  ReasonType,
+} from '../../lexicon/types/com/atproto/moderation/defs'
 import { ForbiddenError } from '@atproto/xrpc-server'
 import { TagService } from '../../tag-service'
+import { ModerationService } from '../../mod-service'
 import { getTagForReport } from '../../tag-service/util'
 
 export default function (server: Server, ctx: AppContext) {
@@ -22,6 +26,9 @@ export default function (server: Server, ctx: AppContext) {
       }
 
       const db = ctx.db
+
+      await assertValidReporter(ctx.modService(db), reasonType, requester)
+
       const report = await db.transaction(async (dbTxn) => {
         const moderationTxn = ctx.modService(dbTxn)
         const { event: reportEvent, subjectStatus } =
@@ -51,3 +58,37 @@ export default function (server: Server, ctx: AppContext) {
     },
   })
 }
+
+const assertValidReporter = async (
+  modService: ModerationService,
+  reasonType: ReasonType,
+  did: string,
+) => {
+  const reporterStatus = await modService.getCurrentStatus({ did })
+
+  // If we don't have a mod status for the reporter, no need to do further checks
+  if (!reporterStatus.length) {
+    return
+  }
+
+  // For appeals, we just need to make sure that the account does not have pending appeal
+  if (reasonType === REASONAPPEAL) {
+    if (reporterStatus[0]?.appealed) {
+      throw new ForbiddenError(
+        'Awaiting decision on previous appeal',
+        'AlreadyAppealed',
+      )
+    }
+    return
+  }
+
+  // For non appeals, we need to make sure the reporter account is not already in takendown status
+  // This is necessary because we allow takendown accounts call createReport but that's only meant for appeals
+  // and we need to make sure takendown accounts don't abuse this endpoint
+  if (reporterStatus[0]?.takendown) {
+    throw new ForbiddenError(
+      'Report not accepted from takendown account',
+      'AccountTakedown',
+    )
+  }
+}

packages/ozone/src/lexicon/lexicons.ts

@@ -2412,6 +2412,11 @@ export const schemaDict = {
               authFactorToken: {
                 type: 'string',
               },
+              allowTakendown: {
+                type: 'boolean',
+                description:
+                  'When true, instead of throwing error for takendown accounts, a valid response with a narrow scoped token will be returned',
+              },
             },
           },
         },

packages/ozone/src/lexicon/types/com/atproto/server/createSession.ts

@@ -15,6 +15,8 @@ export interface InputSchema {
   identifier: string
   password: string
   authFactorToken?: string
+  /** When true, instead of throwing error for takendown accounts, a valid response with a narrow scoped token will be returned */
+  allowTakendown?: boolean
   [k: string]: unknown
 }
 

packages/pds/src/account-manager/helpers/auth.ts

@@ -208,7 +208,11 @@ export const getRefreshTokenId = () => {
   return ui8.toString(crypto.randomBytes(32), 'base64')
 }
 
-export const formatScope = (appPassword: AppPassDescript | null): AuthScope => {
+export const formatScope = (
+  appPassword: AppPassDescript | null,
+  isSoftDeleted?: boolean,
+): AuthScope => {
+  if (isSoftDeleted) return AuthScope.Takendown
   if (!appPassword) return AuthScope.Access
   return appPassword.privileged
     ? AuthScope.AppPassPrivileged

packages/pds/src/account-manager/index.ts

@@ -211,15 +211,19 @@ export class AccountManager
   async createSession(
     did: string,
     appPassword: password.AppPassDescript | null,
+    isSoftDeleted = false,
   ) {
     const { accessJwt, refreshJwt } = await auth.createTokens({
       did,
       jwtKey: this.jwtKey,
       serviceDid: this.serviceDid,
-      scope: auth.formatScope(appPassword),
+      scope: auth.formatScope(appPassword, isSoftDeleted),
     })
-    const refreshPayload = auth.decodeRefreshToken(refreshJwt)
-    await auth.storeRefreshToken(this.db, refreshPayload, appPassword)
+    // For soft deleted accounts don't store refresh token so that it can't be rotated.
+    if (!isSoftDeleted) {
+      const refreshPayload = auth.decodeRefreshToken(refreshJwt)
+      await auth.storeRefreshToken(this.db, refreshPayload, appPassword)
+    }
     return { accessJwt, refreshJwt }
   }
 
@@ -295,6 +299,7 @@ export class AccountManager
   }): Promise<{
     user: ActorAccount
     appPassword: password.AppPassDescript | null
+    isSoftDeleted: boolean
   }> {
     const start = Date.now()
     try {
@@ -326,14 +331,7 @@ export class AccountManager
         }
       }
 
-      if (softDeleted(user)) {
-        throw new AuthRequiredError(
-          'Account has been taken down',
-          'AccountTakedown',
-        )
-      }
-
-      return { user, appPassword }
+      return { user, appPassword, isSoftDeleted: softDeleted(user) }
     } finally {
       // Mitigate timing attacks
       await wait(350 - (Date.now() - start))

packages/pds/src/api/com/atproto/index.ts

@@ -2,6 +2,7 @@ import AppContext from '../../../context'
 import { Server } from '../../../lexicon'
 import admin from './admin'
 import identity from './identity'
+import moderation from './moderation'
 import repo from './repo'
 import serverMethods from './server'
 import sync from './sync'
@@ -10,6 +11,7 @@ import temp from './temp'
 export default function (server: Server, ctx: AppContext) {
   admin(server, ctx)
   identity(server, ctx)
+  moderation(server, ctx)
   repo(server, ctx)
   serverMethods(server, ctx)
   sync(server, ctx)

packages/pds/src/api/com/atproto/moderation/createReport.ts

@@ -0,0 +1,36 @@
+import { Server } from '../../../../lexicon'
+import AppContext from '../../../../context'
+import { parseProxyInfo } from '../../../../pipethrough'
+import { ids } from '../../../../lexicon/lexicons'
+import { AtpAgent } from '@atproto/api'
+import { AuthScope } from '../../../../auth-verifier'
+
+export default function (server: Server, ctx: AppContext) {
+  server.com.atproto.moderation.createReport({
+    auth: ctx.authVerifier.accessStandard({
+      additional: [AuthScope.Takendown],
+    }),
+    handler: async ({ auth, input, req }) => {
+      const { url, did: aud } = await parseProxyInfo(
+        ctx,
+        req,
+        ids.ComAtprotoModerationCreateReport,
+      )
+      const agent = new AtpAgent({ service: url })
+      const serviceAuth = await ctx.serviceAuthHeaders(
+        auth.credentials.did,
+        aud,
+        ids.ComAtprotoModerationCreateReport,
+      )
+      const res = await agent.com.atproto.moderation.createReport(input.body, {
+        ...serviceAuth,
+        encoding: 'application/json',
+      })
+
+      return {
+        encoding: 'application/json',
+        body: res.data,
+      }
+    },
+  })
+}

packages/pds/src/api/com/atproto/moderation/index.ts

@@ -0,0 +1,7 @@
+import AppContext from '../../../../context'
+import { Server } from '../../../../lexicon'
+import createReport from './createReport'
+
+export default function (server: Server, ctx: AppContext) {
+  createReport(server, ctx)
+}

packages/pds/src/api/com/atproto/server/createSession.ts

@@ -1,5 +1,6 @@
 import { DAY, MINUTE } from '@atproto/common'
 import { INVALID_HANDLE } from '@atproto/syntax'
+import { AuthRequiredError } from '@atproto/xrpc-server'
 
 import { formatAccountStatus } from '../../../../account-manager'
 import AppContext from '../../../../context'
@@ -31,10 +32,18 @@ export default function (server: Server, ctx: AppContext) {
         )
       }
 
-      const { user, appPassword } = await ctx.accountManager.login(input.body)
+      const { user, isSoftDeleted, appPassword } =
+        await ctx.accountManager.login(input.body)
+
+      if (!input.body.allowTakendown && isSoftDeleted) {
+        throw new AuthRequiredError(
+          'Account has been taken down',
+          'AccountTakedown',
+        )
+      }
 
       const [{ accessJwt, refreshJwt }, didDoc] = await Promise.all([
-        ctx.accountManager.createSession(user.did, appPassword),
+        ctx.accountManager.createSession(user.did, appPassword, isSoftDeleted),
         didDocForSession(ctx, user.did),
       ])
 

packages/pds/src/auth-verifier.ts

@@ -32,6 +32,7 @@ export enum AuthScope {
   AppPass = 'com.atproto.appPass',
   AppPassPrivileged = 'com.atproto.appPassPrivileged',
   SignupQueued = 'com.atproto.signupQueued',
+  Takendown = 'com.atproto.takendown',
 }
 
 export type AccessOpts = {

packages/pds/src/lexicon/lexicons.ts

@@ -2412,6 +2412,11 @@ export const schemaDict = {
               authFactorToken: {
                 type: 'string',
               },
+              allowTakendown: {
+                type: 'boolean',
+                description:
+                  'When true, instead of throwing error for takendown accounts, a valid response with a narrow scoped token will be returned',
+              },
             },
           },
         },

packages/pds/src/lexicon/types/com/atproto/server/createSession.ts

@@ -15,6 +15,8 @@ export interface InputSchema {
   identifier: string
   password: string
   authFactorToken?: string
+  /** When true, instead of throwing error for takendown accounts, a valid response with a narrow scoped token will be returned */
+  allowTakendown?: boolean
   [k: string]: unknown
 }
 

packages/pds/src/pipethrough.ts

@@ -28,7 +28,6 @@ export const proxyHandler = (ctx: AppContext): CatchallHandler => {
   const accessStandard = ctx.authVerifier.accessStandard()
   return async (req, res, next) => {
     // /!\ Hot path
-
     try {
       if (
         req.method !== 'GET' &&
@@ -207,7 +206,7 @@ export async function pipethrough(
 // Request setup/formatting
 // -------------------
 
-async function parseProxyInfo(
+export async function parseProxyInfo(
   ctx: AppContext,
   req: express.Request,
   lxm: string,

packages/pds/tests/__snapshots__/takedown-appeal.test.ts.snap

@@ -0,0 +1,30 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`appeal account takedown actor takedown allows appeal request. 1`] = `
+Object {
+  "appealed": true,
+  "createdAt": "1970-01-01T00:00:00.000Z",
+  "hosting": Object {
+    "$type": "tools.ozone.moderation.defs#accountHosting",
+    "status": "unknown",
+  },
+  "id": 1,
+  "lastAppealedAt": "1970-01-01T00:00:00.000Z",
+  "lastReportedAt": "1970-01-01T00:00:00.000Z",
+  "lastReviewedAt": "1970-01-01T00:00:00.000Z",
+  "lastReviewedBy": "user(0)",
+  "reviewState": "tools.ozone.moderation.defs#reviewEscalated",
+  "subject": Object {
+    "$type": "com.atproto.admin.defs#repoRef",
+    "did": "user(1)",
+  },
+  "subjectBlobCids": Array [],
+  "subjectRepoHandle": "jeff.test",
+  "tags": Array [
+    "lang:und",
+    "report:appeal",
+  ],
+  "takendown": true,
+  "updatedAt": "1970-01-01T00:00:00.000Z",
+}
+`;