Split out moderation backend

.eslintignore

@@ -1,3 +1,4 @@
 packages/api/src/client
 packages/bsky/src/lexicon
 packages/pds/src/lexicon
+packages/ozone/src/lexicon

.github/workflows/build-and-push-ozone-aws.yaml

@@ -0,0 +1,55 @@
+name: build-and-push-ozone-aws
+on:
+  push:
+    branches:
+      - main
+      - appeal-report
+env:
+  REGISTRY: ${{ secrets.AWS_ECR_REGISTRY_USEAST2_PACKAGES_REGISTRY }}
+  USERNAME: ${{ secrets.AWS_ECR_REGISTRY_USEAST2_PACKAGES_USERNAME }}
+  PASSWORD: ${{ secrets.AWS_ECR_REGISTRY_USEAST2_PACKAGES_PASSWORD }}
+  IMAGE_NAME: ozone
+
+jobs:
+  ozone-container-aws:
+    if: github.repository == 'bluesky-social/atproto'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.USERNAME}}
+          password: ${{ env.PASSWORD }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,enable=true,priority=100,prefix=,suffix=,format=long
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          file: ./services/ozone/Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/build-and-push-ozone-ghcr.yaml

@@ -0,0 +1,56 @@
+name: build-and-push-ozone-ghcr
+on:
+  push:
+    branches:
+      - main
+env:
+  REGISTRY: ghcr.io
+  USERNAME: ${{ github.actor }}
+  PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  ozone-container-ghcr:
+    if: github.repository == 'bluesky-social/atproto'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.USERNAME }}
+          password: ${{ env.PASSWORD }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,enable=true,priority=100,prefix=ozone:,suffix=,format=long
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          file: ./services/ozone/Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Makefile

@@ -31,6 +31,7 @@ codegen: ## Re-generate packages from lexicon/ files
 	cd packages/api; pnpm run codegen
 	cd packages/pds; pnpm run codegen
 	cd packages/bsky; pnpm run codegen
+	cd packages/ozone; pnpm run codegen
 	# clean up codegen output
 	pnpm format
 

lexicons/com/atproto/admin/defs.json

@@ -294,6 +294,7 @@
         "did": { "type": "string", "format": "did" },
         "handle": { "type": "string", "format": "handle" },
         "email": { "type": "string" },
+        "relatedRecords": { "type": "array", "items": { "type": "unknown" } },
         "indexedAt": { "type": "string", "format": "datetime" },
         "invitedBy": {
           "type": "ref",

lexicons/com/atproto/admin/getAccountInfos.json

@@ -0,0 +1,36 @@
+{
+  "lexicon": 1,
+  "id": "com.atproto.admin.getAccountInfos",
+  "defs": {
+    "main": {
+      "type": "query",
+      "description": "Get details about some accounts.",
+      "parameters": {
+        "type": "params",
+        "required": ["dids"],
+        "properties": {
+          "dids": {
+            "type": "array",
+            "items": { "type": "string", "format": "did" }
+          }
+        }
+      },
+      "output": {
+        "encoding": "application/json",
+        "schema": {
+          "type": "object",
+          "required": ["infos"],
+          "properties": {
+            "infos": {
+              "type": "array",
+              "items": {
+                "type": "ref",
+                "ref": "com.atproto.admin.defs#accountView"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

packages/api/src/client/index.ts

@@ -14,6 +14,7 @@ import * as ComAtprotoAdminDisableInviteCodes from './types/com/atproto/admin/di
 import * as ComAtprotoAdminEmitModerationEvent from './types/com/atproto/admin/emitModerationEvent'
 import * as ComAtprotoAdminEnableAccountInvites from './types/com/atproto/admin/enableAccountInvites'
 import * as ComAtprotoAdminGetAccountInfo from './types/com/atproto/admin/getAccountInfo'
+import * as ComAtprotoAdminGetAccountInfos from './types/com/atproto/admin/getAccountInfos'
 import * as ComAtprotoAdminGetInviteCodes from './types/com/atproto/admin/getInviteCodes'
 import * as ComAtprotoAdminGetModerationEvent from './types/com/atproto/admin/getModerationEvent'
 import * as ComAtprotoAdminGetRecord from './types/com/atproto/admin/getRecord'
@@ -153,6 +154,7 @@ export * as ComAtprotoAdminDisableInviteCodes from './types/com/atproto/admin/di
 export * as ComAtprotoAdminEmitModerationEvent from './types/com/atproto/admin/emitModerationEvent'
 export * as ComAtprotoAdminEnableAccountInvites from './types/com/atproto/admin/enableAccountInvites'
 export * as ComAtprotoAdminGetAccountInfo from './types/com/atproto/admin/getAccountInfo'
+export * as ComAtprotoAdminGetAccountInfos from './types/com/atproto/admin/getAccountInfos'
 export * as ComAtprotoAdminGetInviteCodes from './types/com/atproto/admin/getInviteCodes'
 export * as ComAtprotoAdminGetModerationEvent from './types/com/atproto/admin/getModerationEvent'
 export * as ComAtprotoAdminGetRecord from './types/com/atproto/admin/getRecord'
@@ -441,6 +443,17 @@ export class AdminNS {
       })
   }
 
+  getAccountInfos(
+    params?: ComAtprotoAdminGetAccountInfos.QueryParams,
+    opts?: ComAtprotoAdminGetAccountInfos.CallOptions,
+  ): Promise<ComAtprotoAdminGetAccountInfos.Response> {
+    return this._service.xrpc
+      .call('com.atproto.admin.getAccountInfos', params, undefined, opts)
+      .catch((e) => {
+        throw ComAtprotoAdminGetAccountInfos.toKnownErr(e)
+      })
+  }
+
   getInviteCodes(
     params?: ComAtprotoAdminGetInviteCodes.QueryParams,
     opts?: ComAtprotoAdminGetInviteCodes.CallOptions,

packages/api/src/client/lexicons.ts

@@ -436,6 +436,12 @@ export const schemaDict = {
           email: {
             type: 'string',
           },
+          relatedRecords: {
+            type: 'array',
+            items: {
+              type: 'unknown',
+            },
+          },
           indexedAt: {
             type: 'string',
             format: 'datetime',
@@ -1046,6 +1052,45 @@ export const schemaDict = {
       },
     },
   },
+  ComAtprotoAdminGetAccountInfos: {
+    lexicon: 1,
+    id: 'com.atproto.admin.getAccountInfos',
+    defs: {
+      main: {
+        type: 'query',
+        description: 'Get details about some accounts.',
+        parameters: {
+          type: 'params',
+          required: ['dids'],
+          properties: {
+            dids: {
+              type: 'array',
+              items: {
+                type: 'string',
+                format: 'did',
+              },
+            },
+          },
+        },
+        output: {
+          encoding: 'application/json',
+          schema: {
+            type: 'object',
+            required: ['infos'],
+            properties: {
+              infos: {
+                type: 'array',
+                items: {
+                  type: 'ref',
+                  ref: 'lex:com.atproto.admin.defs#accountView',
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
   ComAtprotoAdminGetInviteCodes: {
     lexicon: 1,
     id: 'com.atproto.admin.getInviteCodes',
@@ -7875,6 +7920,7 @@ export const ids = {
   ComAtprotoAdminEmitModerationEvent: 'com.atproto.admin.emitModerationEvent',
   ComAtprotoAdminEnableAccountInvites: 'com.atproto.admin.enableAccountInvites',
   ComAtprotoAdminGetAccountInfo: 'com.atproto.admin.getAccountInfo',
+  ComAtprotoAdminGetAccountInfos: 'com.atproto.admin.getAccountInfos',
   ComAtprotoAdminGetInviteCodes: 'com.atproto.admin.getInviteCodes',
   ComAtprotoAdminGetModerationEvent: 'com.atproto.admin.getModerationEvent',
   ComAtprotoAdminGetRecord: 'com.atproto.admin.getRecord',

packages/api/src/client/types/com/atproto/admin/defs.ts

@@ -255,6 +255,7 @@ export interface AccountView {
   did: string
   handle: string
   email?: string
+  relatedRecords?: {}[]
   indexedAt: string
   invitedBy?: ComAtprotoServerDefs.InviteCode
   invites?: ComAtprotoServerDefs.InviteCode[]

packages/api/src/client/types/com/atproto/admin/getAccountInfos.ts

@@ -0,0 +1,36 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import { Headers, XRPCError } from '@atproto/xrpc'
+import { ValidationResult, BlobRef } from '@atproto/lexicon'
+import { isObj, hasProp } from '../../../../util'
+import { lexicons } from '../../../../lexicons'
+import { CID } from 'multiformats/cid'
+import * as ComAtprotoAdminDefs from './defs'
+
+export interface QueryParams {
+  dids: string[]
+}
+
+export type InputSchema = undefined
+
+export interface OutputSchema {
+  infos: ComAtprotoAdminDefs.AccountView[]
+  [k: string]: unknown
+}
+
+export interface CallOptions {
+  headers?: Headers
+}
+
+export interface Response {
+  success: boolean
+  headers: Headers
+  data: OutputSchema
+}
+
+export function toKnownErr(e: any) {
+  if (e instanceof XRPCError) {
+  }
+  return e
+}

packages/bsky/src/api/app/bsky/actor/getProfile.ts

@@ -16,18 +16,16 @@ import { ModerationService } from '../../../../services/moderation'
 export default function (server: Server, ctx: AppContext) {
   const getProfile = createPipeline(skeleton, hydration, noRules, presentation)
   server.app.bsky.actor.getProfile({
-    auth: ctx.authOptionalAccessOrRoleVerifier,
+    auth: ctx.authVerifier.optionalStandardOrRole,
     handler: async ({ auth, params, res }) => {
       const db = ctx.db.getReplica()
       const actorService = ctx.services.actor(db)
       const modService = ctx.services.moderation(ctx.db.getPrimary())
-      const viewer = 'did' in auth.credentials ? auth.credentials.did : null
-      const canViewTakendownProfile =
-        auth.credentials.type === 'role' && auth.credentials.triage
+      const { viewer, canViewTakedowns } = ctx.authVerifier.parseCreds(auth)
 
       const [result, repoRev] = await Promise.allSettled([
         getProfile(
-          { ...params, viewer, canViewTakendownProfile },
+          { ...params, viewer, canViewTakedowns },
           { db, actorService, modService },
         ),
         actorService.getRepoRev(viewer),
@@ -52,15 +50,14 @@ const skeleton = async (
   params: Params,
   ctx: Context,
 ): Promise<SkeletonState> => {
-  const { actorService, modService } = ctx
-  const { canViewTakendownProfile } = params
+  const { actorService } = ctx
+  const { canViewTakedowns } = params
   const actor = await actorService.getActor(params.actor, true)
   if (!actor) {
     throw new InvalidRequestError('Profile not found')
   }
-  if (!canViewTakendownProfile && softDeleted(actor)) {
-    const isSuspended = await modService.isSubjectSuspended(actor.did)
-    if (isSuspended) {
+  if (!canViewTakedowns && softDeleted(actor)) {
+    if (actor.takedownRef?.includes('SUSPEND')) {
       throw new InvalidRequestError(
         'Account has been temporarily suspended',
         'AccountTakedown',
@@ -78,10 +75,10 @@ const skeleton = async (
 const hydration = async (state: SkeletonState, ctx: Context) => {
   const { actorService } = ctx
   const { params, actor } = state
-  const { viewer, canViewTakendownProfile } = params
+  const { viewer, canViewTakedowns } = params
   const hydration = await actorService.views.profileDetailHydration(
     [actor.did],
-    { viewer, includeSoftDeleted: canViewTakendownProfile },
+    { viewer, includeSoftDeleted: canViewTakedowns },
   )
   return { ...state, ...hydration }
 }
@@ -110,7 +107,7 @@ type Context = {
 
 type Params = QueryParams & {
   viewer: string | null
-  canViewTakendownProfile: boolean
+  canViewTakedowns: boolean
 }
 
 type SkeletonState = { params: Params; actor: Actor }

packages/bsky/src/api/app/bsky/actor/getProfiles.ts

@@ -13,11 +13,11 @@ import { createPipeline, noRules } from '../../../../pipeline'
 export default function (server: Server, ctx: AppContext) {
   const getProfile = createPipeline(skeleton, hydration, noRules, presentation)
   server.app.bsky.actor.getProfiles({
-    auth: ctx.authOptionalVerifier,
+    auth: ctx.authVerifier.standardOptional,
     handler: async ({ auth, params, res }) => {
       const db = ctx.db.getReplica()
       const actorService = ctx.services.actor(db)
-      const viewer = auth.credentials.did
+      const viewer = auth.credentials.iss
 
       const [result, repoRev] = await Promise.all([
         getProfile({ ...params, viewer }, { db, actorService }),