🚧 OAuth2 - Authorization Server

package.json

@@ -47,6 +47,7 @@
     "pino-pretty": "^9.1.0",
     "prettier": "^3.2.5",
     "prettier-config-standard": "^7.0.0",
+    "react-native": "^0.73.6",
     "typescript": "^5.4.4"
   },
   "workspaces": {

packages/b64/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@atproto/b64",
+  "version": "0.0.1",
+  "license": "MIT",
+  "description": "A library for encoding/decoding in base64-url",
+  "keywords": [
+    "atproto",
+    "base64",
+    "base64-url"
+  ],
+  "homepage": "https://atproto.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bluesky-social/atproto",
+    "directory": "packages/b64"
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "dependencies": {
+    "base64-js": "^1.5.1"
+  },
+  "devDependencies": {
+    "typescript": "^5.3.3"
+  },
+  "scripts": {
+    "build": "tsc --build tsconfig.json"
+  }
+}

packages/b64/src/index.ts

@@ -0,0 +1,34 @@
+import { fromByteArray, toByteArray } from 'base64-js'
+
+// Old Node implementations do not support "base64url"
+const Buffer = ((Buffer) => {
+  if (typeof Buffer === 'function') {
+    try {
+      Buffer.from('', 'base64url')
+      return Buffer
+    } catch {
+      return undefined
+    }
+  }
+  return undefined
+})(globalThis.Buffer)
+
+export const b64uDecode: (b64u: string) => Uint8Array = Buffer
+  ? (b64u) => Buffer.from(b64u, 'base64url')
+  : (b64u) => {
+      // toByteArray requires padding but not to replace '-' and '_'
+      const pad = b64u.length % 4
+      const b64 = b64u.padEnd(b64u.length + (pad > 0 ? 4 - pad : 0), '=')
+      return toByteArray(b64)
+    }
+
+export const b64uEncode = Buffer
+  ? (bytes: Uint8Array) => {
+      const buffer = bytes instanceof Buffer ? bytes : Buffer.from(bytes)
+      return buffer.toString('base64url')
+    }
+  : (bytes: Uint8Array): string =>
+      fromByteArray(bytes)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/g, '')

packages/b64/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../../tsconfig/isomorphic.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "rootDir": "src"
+  },
+  "include": ["src"]
+}

packages/bsky/src/logger.ts

@@ -26,32 +26,57 @@ export const loggerMiddleware = pinoHttp({
     },
     req: (req) => {
       const serialized = pino.stdSerializers.req(req)
-      const authHeader = serialized.headers.authorization || ''
-      let auth: string | undefined = undefined
-      if (authHeader.startsWith('Bearer ')) {
-        const token = authHeader.slice('Bearer '.length)
-        const { iss } = jose.decodeJwt(token)
-        if (iss) {
-          auth = 'Bearer ' + iss
-        } else {
-          auth = 'Bearer Invalid'
-        }
-      }
-      if (authHeader.startsWith('Basic ')) {
-        const parsed = parseBasicAuth(authHeader)
-        if (!parsed) {
-          auth = 'Basic Invalid'
-        } else {
-          auth = 'Basic ' + parsed.username
-        }
-      }
+      const authHeader = serialized.headers.authorization
+
+      if (authHeader == null) return serialized
+
       return {
         ...serialized,
         headers: {
           ...serialized.headers,
-          authorization: auth,
+          authorization: obfuscateAuthHeader(authHeader),
         },
       }
     },
   },
 })
+
+function obfuscateAuthHeader(authHeader: string): string {
+  const [type, token] = authHeader.split(' ', 2)
+  switch (type) {
+    case 'Basic':
+      return `${type} ${obfuscateBasic(authHeader!)}`
+    case 'Bearer':
+    case 'DPoP':
+      return `${type} ${obfuscateBearer(token)}`
+    default:
+      return `Invalid`
+  }
+}
+
+function obfuscateBasic(authHeader: string): string {
+  const parsed = parseBasicAuth(authHeader)
+  if (parsed) return parsed.username
+  return 'Invalid'
+}
+
+function obfuscateBearer(token?: string): string {
+  if (token) {
+    if (token.includes('.')) {
+      try {
+        const { sub } = jose.decodeJwt(token)
+        if (sub) return sub
+      } catch {
+        // Not a JWT
+      }
+    }
+
+    if (token.length > 10) {
+      // Log no more than half the token, up to 10 characters. tokens should be
+      // long enough to be secure even when half of them are exposed.
+      return `${token.slice(0, Math.min(10, token.length / 2))}...`
+    }
+  }
+
+  return 'Invalid'
+}

packages/caching/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@atproto/caching",
+  "version": "0.0.1",
+  "license": "MIT",
+  "description": "Small caching utilities",
+  "keywords": [
+    "caching",
+    "isomorphic"
+  ],
+  "homepage": "https://atproto.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bluesky-social/atproto",
+    "directory": "packages/caching"
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc --build tsconfig.build.json"
+  },
+  "dependencies": {
+    "lru-cache": "^10.2.0"
+  }
+}

packages/caching/src/cached-getter.ts

@@ -0,0 +1,141 @@
+import { Awaitable, GenericStore, Key, Value } from './generic-store.js'
+import { MemoryStore } from './memory-store.js'
+
+export type GetOptions = {
+  signal?: AbortSignal
+  noCache?: boolean
+  allowStale?: boolean
+}
+
+export type Getter<K, V> = (
+  key: K,
+  options?: GetOptions,
+  storedValue?: V,
+) => Awaitable<V>
+
+export type PendingItem<V> = {
+  promise: Promise<V>
+  allowCached: boolean
+  signal?: AbortSignal
+}
+
+export type CachedGetterOptions<K, V> = {
+  isStale?: (key: K, value: V) => boolean | PromiseLike<boolean>
+  onStoreError?: (err: unknown, key: K, value: V) => void | PromiseLike<void>
+  deleteOnError?: (
+    err: unknown,
+    key: K,
+    value: V,
+  ) => boolean | PromiseLike<boolean>
+}
+
+/**
+ * Wrapper utility that uses a cache to speed up the retrieval of values from a
+ * getter function.
+ */
+export class CachedGetter<K extends Key = string, V extends Value = Value> {
+  private pending = new Map<K, PendingItem<V>>()
+
+  constructor(
+    readonly getter: Getter<K, V>,
+    readonly store: GenericStore<K, V> = new MemoryStore<K, V>({
+      max: 1000,
+      ttl: 600e3,
+    }),
+    readonly options?: CachedGetterOptions<K, V>,
+  ) {}
+
+  async get(key: K, options?: GetOptions): Promise<V> {
+    const allowCached = options?.noCache !== true
+    const allowStale =
+      this.options?.isStale == null ? true : options?.allowStale ?? false
+
+    const checkCached = async (value: V) =>
+      allowCached &&
+      (allowStale || (await this.options?.isStale?.(key, value)) !== true)
+
+    // As long as concurrent requests are made for the same key, only one
+    // request will be made to the cache & getter function. This works because
+    // there is no async operation between the while() loop and the
+    // pending.set() call. Because of the "single threaded" nature of
+    // JavaScript, the pending item will be set before the next iteration of the
+    // while loop.
+    let pending: undefined | PendingItem<V>
+    while ((pending = this.pending.get(key))) {
+      options?.signal?.throwIfAborted()
+
+      try {
+        const value = await pending.promise
+
+        const isFresh = !pending.allowCached
+        if (isFresh || (await checkCached(value))) {
+          return value
+        }
+      } catch {
+        // Ignore errors from pending promises.
+      }
+    }
+
+    options?.signal?.throwIfAborted()
+
+    try {
+      const promise = Promise.resolve().then(async () => {
+        const storedValue = await this.getStored(key, options)
+        if (storedValue !== undefined) {
+          if (await checkCached(storedValue)) {
+            return storedValue
+          }
+        }
+
+        return Promise.resolve()
+          .then(async () => this.getter(key, options, storedValue))
+          .catch(async (err) => {
+            if (storedValue !== undefined && this.options?.deleteOnError) {
+              if (await this.options.deleteOnError(err, key, storedValue)) {
+                await this.delStored(key)
+              }
+            }
+            throw err
+          })
+          .then(async (value) => {
+            await this.setStored(key, value)
+            return value
+          })
+      })
+
+      this.pending.set(key, {
+        promise,
+        signal: options?.signal,
+        allowCached,
+      })
+
+      return await promise
+    } finally {
+      this.pending.delete(key)
+    }
+  }
+
+  bind(key: K): (options?: GetOptions) => Promise<V> {
+    return async (options) => this.get(key, options)
+  }
+
+  async getStored(key: K, options?: GetOptions): Promise<V | undefined> {
+    try {
+      return await this.store.get(key, options)
+    } catch (err) {
+      return undefined
+    }
+  }
+
+  async setStored(key: K, value: V): Promise<void> {
+    try {
+      await this.store.set(key, value)
+    } catch (err) {
+      await this.options?.onStoreError?.(err, key, value)
+    }
+  }
+
+  async delStored(key: K): Promise<void> {
+    await this.store.del(key)
+  }
+}

packages/caching/src/generic-store.ts

@@ -0,0 +1,18 @@
+export type Awaitable<V> = V | PromiseLike<V>
+
+export type Key = string | number
+export type Value = NonNullable<unknown> | null
+
+export type StoreGetOptions = {
+  signal?: AbortSignal
+}
+
+export interface GenericStore<K extends Key, V extends Value = Value> {
+  /**
+   * @return undefined if the key is not in the cache.
+   */
+  get: (key: K, options?: StoreGetOptions) => Awaitable<undefined | V>
+  set: (key: K, value: V) => Awaitable<void | this>
+  del: (key: K) => Awaitable<void | this>
+  clear?: () => Awaitable<void | this>
+}

packages/caching/src/index.ts

@@ -0,0 +1,3 @@
+export * from './cached-getter.js'
+export * from './generic-store.js'
+export * from './memory-store.js'