Service auth method binding - PDS #2668
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
devinivy
reviewed
Aug 1, 2024
| @@ -0,0 +1,6 @@ | |||
| --- | |||
| "@atproto/xrpc-server": minor | |||
There was a problem hiding this comment.
Just confirming— this is a breaking change in xrpc-server?
devinivy
reviewed
Aug 1, 2024
Comment on lines
20
to
22
| } else if (diff > MINUTE) { | ||
| throw new InvalidRequestError( | ||
| 'cannot request a token with an expiration more than an hour in the future', |
There was a problem hiding this comment.
I expect the error text here is right and the check needs to be corrected:
Suggested change
| } else if (diff > MINUTE) { | |
| throw new InvalidRequestError( | |
| 'cannot request a token with an expiration more than an hour in the future', | |
| } else if (diff > HOUR) { | |
| throw new InvalidRequestError( | |
| 'cannot request a token with an expiration more than an hour in the future', |
devinivy
reviewed
Aug 1, 2024
devinivy
reviewed
Aug 1, 2024
devinivy
reviewed
Aug 1, 2024
Comment on lines
+14
to
+19
| const diff = exp - Date.now() | ||
| if (diff < 0) { | ||
| throw new InvalidRequestError( | ||
| 'expiration is in past', | ||
| 'BadExpiration', | ||
| ) |
There was a problem hiding this comment.
One trick about using exp versus something like a duration is that it gets another clock in the mix (our server plus the requester), plus whatever latency between the servers. I do like that it's a passthrough to the jwt claim, though. Not strong feels/suggestions here, just an observation.
devinivy
reviewed
Aug 1, 2024
devinivy
reviewed
Aug 1, 2024
devinivy
reviewed
Aug 1, 2024
devinivy
reviewed
Aug 1, 2024
packages/xrpc-server/src/util.ts
Outdated
Comment on lines
310
to
311
| export const parseReqNsid = (req: express.Request): string => { | ||
| return req.originalUrl.split('?')[0].replace('/xrpc/', '') |
There was a problem hiding this comment.
I wonder if a trailing slash might throw this off.
devinivy
reviewed
Aug 1, 2024
devinivy
reviewed
Aug 1, 2024
devinivy
approved these changes
Aug 1, 2024
Merged
estrattonbailey
added a commit
that referenced
this pull request
Aug 15, 2024
* origin/main: Provide a ponyfill for CustomEvent (#2710) Ensure presence of DPoP related response headers (#2711) prettier ignore changelogs, as changesets not resolving prettier config properly Version packages (#2709) Export `AtpAgentOptions` type from @atproto/api (#2708) tidy Version packages (#2706) Update changeset to better reflect changes (#2707) Client SDK rework (#2483) Allow aud of pds or entryway for service auth tokens on pds (#2694) Version packages (#2692) Lex-cli prettier changes changeset (#2691) Version packages (#2689) PDS - inspect bearer tokens (#2688) Version packages (#2685) Service auth method binding - PDS (#2668) minor typos in descriptions and comments (#2681) Fix run-dev-env-logged command (#2682) Version packages (#2677) Tweak some wording in `oauth-client-browser` readme (#2678)
haileyok
pushed a commit
that referenced
this pull request
Aug 16, 2024
* pds changes only * use scope for ozone service profile * dont verify scopes on pds yet * tidy * tidy imports * changeset * add tests * another changeset * scope -> lxm * tidy * update nonce size * pr feedback * trim trailing slash * nonce -> jti * fix xrpc-server test * allow service auth on uploadBlob
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Just the PDS implementation of #2663
This allows us to deploy our PDSs & publish a PDS distribution so that PDSs start emitting method-bound service auth tokens. Once the changes have had time to roll out, we can then deploy #2663 more broadly to start checking for methods on service auth tokens.
This PR does not lift the restriction that an app password is unable to call
server.getServiceAuth. This prevents a capability escalation attack where an app-password account could request a scoped service auth token that a sensitive service (such as chat) may not properly check.