Merge branch 'pds-proxy-headers' into rm-basic-auth

bluesky-social · Mar 6, 2024 · f583ba9 · f583ba9
2 parents 9d5d762 + 5b6b9ee
commit f583ba9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/packages/ozone/src/mod-service/index.ts b/packages/ozone/src/mod-service/index.ts
@@ -958,7 +958,7 @@ export class ModerationService {
 const isSafeUrl = (url: URL) => {
   if (url.protocol !== 'https:') return false
   if (!url.hostname || url.hostname === 'localhost') return false
-  if (net.isIP(url.hostname) === 0) return false
+  if (net.isIP(url.hostname) !== 0) return false
   return true
 }
 

diff --git a/packages/pds/src/auth-verifier.ts b/packages/pds/src/auth-verifier.ts
@@ -231,9 +231,18 @@ export class AuthVerifier {
       throw new AuthRequiredError('Untrusted issuer', 'UntrustedIss')
     }
     const payload = await this.verifyServiceJwt(reqCtx, {
-      aud: this.dids.entryway ?? this.dids.pds,
+      aud: null,
       iss: [this.dids.modService, `${this.dids.modService}#atproto_labeler`],
     })
+    if (
+      payload.aud !== this.dids.pds &&
+      (!this.dids.entryway || payload.aud !== this.dids.entryway)
+    ) {
+      throw new AuthRequiredError(
+        'jwt audience does not match service did',
+        'BadJwtAudience',
+      )
+    }
     return {
       credentials: {
         type: 'mod_service',