Version packages #2738
Merged
Version packages #2738
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
github-actions
bot
force-pushed
the
changeset-release/main
branch
5 times, most recently
from
7269d62 to
f29d98c
Compare
github-actions
bot
force-pushed
the
changeset-release/main
branch
from
f29d98c to
f1fd0bc
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
Releases
@atproto/oauth-client@0.2.0
Minor Changes
#2714
d9ffa3c46Thanks @matthieusieben! - TheOAuthClient(and runtime specific sub-classes) no longer return @atproto/apiAgentinstances. Instead, they returnOAuthSessioninstances that can be used to instantiate theAgentclass.#2734
dee817b6eThanks @matthieusieben! - Remove "nonce" from authorization request#2734
dee817b6eThanks @matthieusieben! - Mandate the use of "atproto" scope#2734
dee817b6eThanks @matthieusieben! - Remove "openid" compatibility. The reason is that although we were technically "openid" compatible, ATProto identifiers are distributed identifiers. When a client relies on OpenID to authenticate users, it will use the auth provider in combination with the identifier to uniquely identify the user. Since ATProto identifiers are meant to be able to move from one provider to the other, OpenID compatibility could break authentication after a user was migrated to a different provider.The way OpenID compliant clients would adapt to this particularity would typically be to remove the provider + identifier combination and use the identifier alone. While this is indeed the right way to handle ATProto identifiers, it requires more work to avoid impersonation. In particular, when obtaining a user identifier, the client must verify that the issuer of the identity token is indeed the server responsible for that user. This mechanism being not enforced by the OpenID standard, OpenID compatibility could lead to security issues. For this reason, we decided to remove OpenID compatibility from the OAuth provider.
Note that a trusted central authority could still offer OpenID compatibility by relying on ATProto's regular OAuth flow under the hood. This capability is out of the scope of this library.
#2714
d9ffa3c46Thanks @matthieusieben! - Rename OAuthAgent into OAuthSession#2714
d9ffa3c46Thanks @matthieusieben! - RenameOAuthSession'srequestmethod tofetchHandler. The goal of this change is to allowOAuthSessionto be used in order to instantiateXrpcClientby implementing theFetchHandlerObjectinterface.Patch Changes
#2714
d9ffa3c46Thanks @matthieusieben! - AddgetTokenInfo()method toOAuthSession.#2734
dee817b6eThanks @matthieusieben! - Do not remove scopes not advertised in the AS's "scopes_supported" when building the authorization request.#2714
d9ffa3c46Thanks @matthieusieben! - MakegetTokenSet()method public inOAuthSession.Updated dependencies [
d9ffa3c46,dee817b6e,dee817b6e,dee817b6e,d9ffa3c46,d9ffa3c46]:@atproto/oauth-client-browser@0.2.0
Minor Changes
#2714
d9ffa3c46Thanks @matthieusieben! - TheOAuthClient(and runtime specific sub-classes) no longer return @atproto/apiAgentinstances. Instead, they returnOAuthSessioninstances that can be used to instantiate theAgentclass.#2734
dee817b6eThanks @matthieusieben! - Remove "openid" compatibility. The reason is that although we were technically "openid" compatible, ATProto identifiers are distributed identifiers. When a client relies on OpenID to authenticate users, it will use the auth provider in combination with the identifier to uniquely identify the user. Since ATProto identifiers are meant to be able to move from one provider to the other, OpenID compatibility could break authentication after a user was migrated to a different provider.The way OpenID compliant clients would adapt to this particularity would typically be to remove the provider + identifier combination and use the identifier alone. While this is indeed the right way to handle ATProto identifiers, it requires more work to avoid impersonation. In particular, when obtaining a user identifier, the client must verify that the issuer of the identity token is indeed the server responsible for that user. This mechanism being not enforced by the OpenID standard, OpenID compatibility could lead to security issues. For this reason, we decided to remove OpenID compatibility from the OAuth provider.
Note that a trusted central authority could still offer OpenID compatibility by relying on ATProto's regular OAuth flow under the hood. This capability is out of the scope of this library.
Patch Changes
d9ffa3c46,dee817b6e,dee817b6e,dee817b6e,d9ffa3c46,dee817b6e,dee817b6e,dee817b6e,dee817b6e,d9ffa3c46,d9ffa3c46,d9ffa3c46]:@atproto/oauth-client-node@0.1.0
Minor Changes
#2714
d9ffa3c46Thanks @matthieusieben! - TheOAuthClient(and runtime specific sub-classes) no longer return @atproto/apiAgentinstances. Instead, they returnOAuthSessioninstances that can be used to instantiate theAgentclass.#2734
dee817b6eThanks @matthieusieben! - Remove "openid" compatibility. The reason is that although we were technically "openid" compatible, ATProto identifiers are distributed identifiers. When a client relies on OpenID to authenticate users, it will use the auth provider in combination with the identifier to uniquely identify the user. Since ATProto identifiers are meant to be able to move from one provider to the other, OpenID compatibility could break authentication after a user was migrated to a different provider.The way OpenID compliant clients would adapt to this particularity would typically be to remove the provider + identifier combination and use the identifier alone. While this is indeed the right way to handle ATProto identifiers, it requires more work to avoid impersonation. In particular, when obtaining a user identifier, the client must verify that the issuer of the identity token is indeed the server responsible for that user. This mechanism being not enforced by the OpenID standard, OpenID compatibility could lead to security issues. For this reason, we decided to remove OpenID compatibility from the OAuth provider.
Note that a trusted central authority could still offer OpenID compatibility by relying on ATProto's regular OAuth flow under the hood. This capability is out of the scope of this library.
Patch Changes
#2714
d9ffa3c46Thanks @matthieusieben! - Remove un-necessary dev dependencyUpdated dependencies [
d9ffa3c46,dee817b6e,dee817b6e,dee817b6e,d9ffa3c46,dee817b6e,dee817b6e,dee817b6e,dee817b6e,d9ffa3c46,d9ffa3c46,d9ffa3c46]:@atproto/oauth-provider@0.2.0
Minor Changes
#2734
dee817b6eThanks @matthieusieben! - Remove "nonce" from authorization request#2734
dee817b6eThanks @matthieusieben! - Mandate the use of "atproto" scope#2734
dee817b6eThanks @matthieusieben! - Remove "openid" compatibility. The reason is that although we were technically "openid" compatible, ATProto identifiers are distributed identifiers. When a client relies on OpenID to authenticate users, it will use the auth provider in combination with the identifier to uniquely identify the user. Since ATProto identifiers are meant to be able to move from one provider to the other, OpenID compatibility could break authentication after a user was migrated to a different provider.The way OpenID compliant clients would adapt to this particularity would typically be to remove the provider + identifier combination and use the identifier alone. While this is indeed the right way to handle ATProto identifiers, it requires more work to avoid impersonation. In particular, when obtaining a user identifier, the client must verify that the issuer of the identity token is indeed the server responsible for that user. This mechanism being not enforced by the OpenID standard, OpenID compatibility could lead to security issues. For this reason, we decided to remove OpenID compatibility from the OAuth provider.
Note that a trusted central authority could still offer OpenID compatibility by relying on ATProto's regular OAuth flow under the hood. This capability is out of the scope of this library.
Patch Changes
#2734
dee817b6eThanks @matthieusieben! - Display requested scopes during the auth flow#2734
dee817b6eThanks @matthieusieben! - Generate proper invalid_authorization_details#2734
dee817b6eThanks @matthieusieben! - Stronger CORS protections#2734
dee817b6eThanks @matthieusieben! - Do not require user consent during oauth flow for first party apps.#2734
dee817b6eThanks @matthieusieben! - Improve reporting of validation errorsUpdated dependencies [
dee817b6e,dee817b6e,dee817b6e]:@atproto/api@0.13.4
Patch Changes
#2714
d9ffa3c46Thanks @matthieusieben! - Drop use ofAtpBaseClientclass#2714
d9ffa3c46Thanks @matthieusieben! - Expose theCredentialSessionclass that can be used to instantiate bothAgentandXrpcClient, while internally managing credential based (username/password) sessions.bbca17bc5Thanks @matthieusieben! - Deprecate Agent.accountDid in favor of Agent.assertDid#2737
a8e1f9000Thanks @estrattonbailey! - Addthreadgate: ThreadgateViewto response fromgetPostThread#2714
d9ffa3c46Thanks @matthieusieben! -Agentis no longer an abstract class. Instead it can be instantiated using object implementing a newSessionManagerinterface. If your project extendsAgentand overrides the constructor or any method implementations, consider that you may want to call them fromsuper.Updated dependencies [
d9ffa3c46,d9ffa3c46,d9ffa3c46]:@atproto/aws@0.2.3
Patch Changes
ebb318325]:@atproto/bsky@0.0.79
Patch Changes
#2737
a8e1f9000Thanks @estrattonbailey! - Addthreadgate: ThreadgateViewto response fromgetPostThreadUpdated dependencies [
ebb318325,ebb318325,d9ffa3c46,d9ffa3c46,bbca17bc5,a8e1f9000,ebb318325,d9ffa3c46]:@atproto/crypto@0.4.1
Patch Changes
ebb318325Thanks @matthieusieben! - Add "jwtAlg" option toverifySignature()function@atproto/dev-env@0.3.45
Patch Changes
ebb318325,dee817b6e,ebb318325,dee817b6e,dee817b6e,ebb318325,d9ffa3c46,d9ffa3c46,bbca17bc5,a8e1f9000,ebb318325,d9ffa3c46,dee817b6e]:@atproto/identity@0.4.1
Patch Changes
ebb318325]:@atproto/oauth-types@0.1.4
Patch Changes
#2734
dee817b6eThanks @matthieusieben! - Validate scopes characters according to OAuth 2.1 spec#2734
dee817b6eThanks @matthieusieben! - Re-use code definition of oauthResponseTypeSchema#2734
dee817b6eThanks @matthieusieben! - Remove non-standard "sub" from OAuthTokenResponse@atproto/ozone@0.1.41
Patch Changes
ebb318325,ebb318325,d9ffa3c46,d9ffa3c46,d9ffa3c46,bbca17bc5,a8e1f9000,ebb318325,d9ffa3c46,d9ffa3c46,d9ffa3c46]:@atproto/pds@0.4.54
Patch Changes
#2734
dee817b6eThanks @matthieusieben! - Use locally defined authPassthru#2734
dee817b6eThanks @matthieusieben! - Add support for "transition:generic" and "transition:chat.bsky" oauth scopes#2734
dee817b6eThanks @matthieusieben! - Ignore case when checking for dpop auth scheme#2743
ebb318325Thanks @matthieusieben! - Add, and verify, a "typ" header to access and refresh tokens#2734
dee817b6eThanks @matthieusieben! - Allow OAuthProvider to define its own CORS policiesUpdated dependencies [
dee817b6e,ebb318325,ebb318325,dee817b6e,d9ffa3c46,dee817b6e,d9ffa3c46,dee817b6e,d9ffa3c46,bbca17bc5,a8e1f9000,dee817b6e,ebb318325,d9ffa3c46,dee817b6e,dee817b6e,d9ffa3c46,dee817b6e,d9ffa3c46]:@atproto/repo@0.4.3
Patch Changes
ebb318325]:@atproto/xrpc@0.6.1
Patch Changes
#2714
d9ffa3c46Thanks @matthieusieben! - Improve handling of fetchHandler errors when turning them intoXrpcError.#2714
d9ffa3c46Thanks @matthieusieben! - Add ability to instantiate XrpcClient from FetchHandlerObject type#2714
d9ffa3c46Thanks @matthieusieben! - Add global headers toXrpcClientinstances@atproto/xrpc-server@0.6.3
Patch Changes
#2743
ebb318325Thanks @matthieusieben! - Addiatclaim to service JWTs#2743
ebb318325Thanks @matthieusieben! - Ensure that service auth JWT headers contain analgclaim, and ensure thattyp, if present, is not an unexpected type (e.g. not an access or DPoP token).Updated dependencies [
d9ffa3c46,ebb318325,d9ffa3c46,d9ffa3c46]: