OAuth: 2FA (bluesky-social#2633)

* chore(ci): update setup-node & checkout actions to v4

* refactor(oauth): rename internal types to avoid conflicting types
fix(oauth): support building from parcel
feat(oauth): add runtime lock support to prevent concurrent session updates
feat(oauth): improve metadata validation
fix(oauth): allow use of handle as login hint
fix: proper parsing of authorization header
feat(oauth): add email 2fa support
feat(oauth): adapt auth UI to match app UI

* fix(oauth): improve parsing of digest algo

* fix(oauth-provider): dead code cleanup

* fix(oauth-provider): avoid inconsistent use of "id" prop in InputCheckbox

* style(oauth-provider): use if/else instead of switch

* feat(oauth-provider): stronger validation of customization data

Invalid oauth customization would cause the server to crash at startup.

* docs(oauth-client): explain why the abortRequest method is not mandatory

* fix(oauth-client): cancel fetch response body when not used

* docs: typo

Co-authored-by: devin ivy <[email protected]>

* feat(oauth-provider:metadata): add client_id_metadata_document_supported metadata

* fix(oauth-provider): require the content-type to be set on client metadata response

* feat(common): add obfuscation utilities
fix(pds): show user did in logs
fix(ozone): show user did in logs

* tidy

* fix(simple-store): avoid leaking context when calling hooks

* fix: use patch level changeset

* chore(oauth-types): add changeset regarding client_id_metadata_document_supported

* chore: add changeset for bsky & ozone

* unify loggerMiddleware instantiation

* tidy

---------

Co-authored-by: devin ivy <[email protected]>

.changeset/blue-cats-invite.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Add client_id_metadata_document_supported in metadata

.changeset/eighty-bikes-guess.md

@@ -0,0 +1,6 @@
+---
+"@atproto/jwk-jose": patch
+"@atproto/jwk": patch
+---
+
+Allow build from Parcel

.changeset/good-buses-dream.md

@@ -0,0 +1,9 @@
+---
+"@atproto-labs/handle-resolver-node": patch
+"@atproto-labs/identity-resolver": patch
+"@atproto-labs/handle-resolver": patch
+"@atproto-labs/did-resolver": patch
+"@atproto-labs/simple-store": patch
+---
+
+Use distinct type names to prevent conflicts

.changeset/hungry-peas-matter.md

@@ -0,0 +1,5 @@
+---
+"@atproto/pds": patch
+---
+
+Use new version of @atproto/oauth-provider with improved UI.

.changeset/lazy-paws-accept.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-client-node": patch
+---
+
+Create NodeJS OAuth SDK

.changeset/nervous-ghosts-fry.md

@@ -0,0 +1,8 @@
+---
+"@atproto/ozone": patch
+"@atproto/bsync": patch
+"@atproto/bsky": patch
+"@atproto/pds": patch
+---
+
+Obfuscate request headers in logs using utils from @atproto/common

.changeset/pretty-students-appear.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Add 2FA support

.changeset/slimy-oranges-yawn.md

@@ -0,0 +1,7 @@
+---
+"@atproto/oauth-client-browser": patch
+"@atproto/oauth-client-node": patch
+"@atproto/oauth-client": patch
+---
+
+Add event emitting capability to OAuthClient

.changeset/slow-pigs-rush.md

@@ -0,0 +1,5 @@
+---
+"@atproto/pds": patch
+---
+
+Improve parsing of Authorization header

.changeset/small-cups-rush.md

@@ -0,0 +1,5 @@
+---
+"@atproto/dev-env": patch
+---
+
+Adapt to changes from @atproto/oauth-provider

.changeset/tidy-months-tan.md

@@ -0,0 +1,5 @@
+---
+"@atproto-labs/simple-store": patch
+---
+
+Expose reason for deletion

.changeset/young-ligers-chew.md

@@ -0,0 +1,5 @@
+---
+"@atproto/common": patch
+---
+
+Add obfuscation utilities

.github/workflows/repo.yaml

@@ -14,11 +14,12 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
         with:
           version: 8
-      - uses: actions/setup-node@v3
+          run_install: false
+      - uses: actions/setup-node@v4
         with:
           node-version: 18
           cache: 'pnpm'
@@ -39,11 +40,12 @@ jobs:
         shard: [1/8, 2/8, 3/8, 4/8, 5/8, 6/8, 7/8, 8/8]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
         with:
           version: 8
-      - uses: actions/setup-node@v3
+          run_install: false
+      - uses: actions/setup-node@v4
         with:
           node-version: 18
           cache: 'pnpm'
@@ -58,15 +60,16 @@ jobs:
     needs: build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
         with:
           version: 8
-      - uses: actions/setup-node@v3
+          run_install: false
+      - uses: actions/setup-node@v4
         with:
           node-version: 18
           cache: 'pnpm'
-      - run: pnpm install --frozen-lockfile
+      - run: pnpm i --frozen-lockfile
       - uses: actions/download-artifact@v4
         with:
           name: dist

packages/bsky/src/logger.ts

@@ -1,6 +1,7 @@
+import { IncomingMessage } from 'node:http'
 import { stdSerializers } from 'pino'
 import pinoHttp from 'pino-http'
-import { subsystemLogger } from '@atproto/common'
+import { obfuscateHeaders, subsystemLogger } from '@atproto/common'
 
 export const dbLogger: ReturnType<typeof subsystemLogger> =
   subsystemLogger('bsky:db')
@@ -20,85 +21,14 @@ export const httpLogger: ReturnType<typeof subsystemLogger> =
 export const loggerMiddleware = pinoHttp({
   logger: httpLogger,
   serializers: {
-    err: errSerializer,
-    req: reqSerializer,
+    err: (err: unknown) => ({
+      code: err?.['code'],
+      message: err?.['message'],
+    }),
+    req: (req: IncomingMessage) => {
+      const serialized = stdSerializers.req(req)
+      const headers = obfuscateHeaders(serialized.headers)
+      return { ...serialized, headers }
+    },
   },
 })
-
-function errSerializer(err: any) {
-  return {
-    code: err?.code,
-    message: err?.message,
-  }
-}
-
-function reqSerializer(req: any) {
-  const serialized = stdSerializers.req(req)
-  serialized.headers = obfuscateHeaders(serialized.headers)
-  return serialized
-}
-
-function obfuscateHeaders(headers: Record<string, string>) {
-  const obfuscatedHeaders: Record<string, string> = {}
-  for (const key in headers) {
-    if (key.toLowerCase() === 'authorization') {
-      obfuscatedHeaders[key] = obfuscateAuthHeader(headers[key])
-    } else if (key.toLowerCase() === 'dpop') {
-      obfuscatedHeaders[key] = obfuscateJws(headers[key]) || 'Invalid'
-    } else {
-      obfuscatedHeaders[key] = headers[key]
-    }
-  }
-  return obfuscatedHeaders
-}
-
-function obfuscateAuthHeader(authHeader: string): string {
-  // This is a hot path (runs on every request). Avoid using split() or regex.
-
-  const spaceIdx = authHeader.indexOf(' ')
-  if (spaceIdx === -1) return 'Invalid'
-
-  const type = authHeader.slice(0, spaceIdx)
-  switch (type.toLowerCase()) {
-    case 'bearer':
-      return `${type} ${obfuscateBearer(authHeader.slice(spaceIdx + 1))}`
-    case 'dpop':
-      return `${type} ${obfuscateJws(authHeader.slice(spaceIdx + 1)) || 'Invalid'}`
-    case 'basic':
-      return `${type} ${obfuscateBasic(authHeader.slice(spaceIdx + 1)) || 'Invalid'}`
-    default:
-      return `Invalid`
-  }
-}
-
-function obfuscateBasic(token: string): null | string {
-  if (!token) return null
-  const buffer = Buffer.from(token, 'base64')
-  if (!buffer.length) return null // Buffer.from will silently ignore invalid base64 chars
-  const authHeader = buffer.toString('utf8')
-  const colIdx = authHeader.indexOf(':')
-  if (colIdx === -1) return null
-  const username = authHeader.slice(0, colIdx)
-  return `${username}:***`
-}
-
-function obfuscateBearer(token: string): string {
-  return obfuscateJws(token) || obfuscateToken(token)
-}
-
-function obfuscateToken(token: string): string {
-  return token ? '***' : ''
-}
-
-function obfuscateJws(token: string): null | string {
-  const firstDot = token.indexOf('.')
-  if (firstDot === -1) return null
-
-  const secondDot = token.indexOf('.', firstDot + 1)
-  if (secondDot === -1) return null
-
-  if (token.indexOf('.', secondDot + 1) !== -1) return null
-
-  // Strip the signature
-  return token.slice(0, secondDot) + '.obfuscated'
-}

packages/bsync/src/logger.ts

@@ -1,5 +1,6 @@
-import pinoHttp from 'pino-http'
-import { subsystemLogger } from '@atproto/common'
+import { type IncomingMessage } from 'node:http'
+import pinoHttp, { stdSerializers } from 'pino-http'
+import { obfuscateHeaders, subsystemLogger } from '@atproto/common'
 
 export const dbLogger: ReturnType<typeof subsystemLogger> =
   subsystemLogger('bsync:db')
@@ -12,11 +13,14 @@ export const loggerMiddleware = pinoHttp({
     paths: ['req.headers.authorization'],
   },
   serializers: {
-    err: (err) => {
-      return {
-        code: err?.code,
-        message: err?.message,
-      }
+    err: (err: unknown) => ({
+      code: err?.['code'],
+      message: err?.['message'],
+    }),
+    req: (req: IncomingMessage) => {
+      const serialized = stdSerializers.req(req)
+      const headers = obfuscateHeaders(serialized.headers)
+      return { ...serialized, headers }
     },
   },
 })

packages/common/src/index.ts

@@ -1,9 +1,10 @@
 export * from '@atproto/common-web'
+export * from './buffers'
 export * from './dates'
 export * from './env'
 export * from './fs'
 export * from './ipld'
 export * from './ipld-multi'
 export * from './logger'
+export * from './obfuscate'
 export * from './streams'
-export * from './buffers'

packages/common/src/obfuscate.ts

@@ -0,0 +1,85 @@
+export function obfuscateEmail(email: string) {
+  const [local, domain] = email.split('@')
+  return `${obfuscateWord(local)}@${obfuscateWord(domain)}`
+}
+
+export function obfuscateWord(word: string) {
+  return `${word.charAt(0)}***${word.charAt(word.length - 1)}`
+}
+
+export function obfuscateHeaders(headers: Record<string, string>) {
+  const obfuscatedHeaders: Record<string, string> = {}
+  for (const key in headers) {
+    if (key.toLowerCase() === 'authorization') {
+      obfuscatedHeaders[key] = obfuscateAuthHeader(headers[key])
+    } else if (key.toLowerCase() === 'dpop') {
+      obfuscatedHeaders[key] = obfuscateJwt(headers[key]) || 'Invalid'
+    } else {
+      obfuscatedHeaders[key] = headers[key]
+    }
+  }
+  return obfuscatedHeaders
+}
+
+export function obfuscateAuthHeader(authHeader: string): string {
+  // This is a hot path (runs on every request). Avoid using split() or regex.
+
+  const spaceIdx = authHeader.indexOf(' ')
+  if (spaceIdx === -1) return 'Invalid'
+
+  const type = authHeader.slice(0, spaceIdx)
+  switch (type.toLowerCase()) {
+    case 'bearer':
+    case 'dpop':
+      return `${type} ${obfuscateBearer(authHeader.slice(spaceIdx + 1))}`
+    case 'basic':
+      return `${type} ${obfuscateBasic(authHeader.slice(spaceIdx + 1)) || 'Invalid'}`
+    default:
+      return `Invalid`
+  }
+}
+
+export function obfuscateBasic(token: string): null | string {
+  if (!token) return null
+  const buffer = Buffer.from(token, 'base64')
+  if (!buffer.length) return null // Buffer.from will silently ignore invalid base64 chars
+  const authHeader = buffer.toString('utf8')
+  const colIdx = authHeader.indexOf(':')
+  if (colIdx === -1) return null
+  const username = authHeader.slice(0, colIdx)
+  return `${username}:***`
+}
+
+export function obfuscateBearer(token: string): string {
+  return obfuscateJwt(token) || obfuscateToken(token)
+}
+
+export function obfuscateToken(token: string): string {
+  if (token.length >= 12) return obfuscateWord(token)
+  return token ? '***' : ''
+}
+
+export function obfuscateJwt(token: string): null | string {
+  const firstDot = token.indexOf('.')
+  if (firstDot === -1) return null
+
+  const secondDot = token.indexOf('.', firstDot + 1)
+  if (secondDot === -1) return null
+
+  // Expected to be missing
+  const thirdDot = token.indexOf('.', secondDot + 1)
+  if (thirdDot !== -1) return null
+
+  try {
+    const payloadEnc = token.slice(firstDot + 1, secondDot)
+    const payloadJson = Buffer.from(payloadEnc, 'base64').toString('utf8')
+    const payload = JSON.parse(payloadJson)
+    if (typeof payload.sub === 'string') return payload.sub
+  } catch {
+    // Invalid JWT
+    return null
+  }
+
+  // Strip the signature
+  return token.slice(0, secondDot) + '.obfuscated'
+}

packages/dev-env/src/pds.ts

@@ -47,7 +47,7 @@ export class TestPds {
       inviteRequired: false,
       fetchDisableSsrfProtection: true,
       serviceName: 'Development PDS',
-      primaryColor: '#ffcb1e',
+      brandColor: '#ffcb1e',
       errorColor: undefined,
       logoUrl:
         'https://uxwing.com/wp-content/themes/uxwing/download/animals-and-birds/bee-icon.png',

packages/internal/did-resolver/src/did-cache.ts

@@ -2,10 +2,10 @@ import { CachedGetter, SimpleStore } from '@atproto-labs/simple-store'
 import { Did, DidDocument } from '@atproto/did'
 
 import { DidCacheMemory } from './did-cache-memory.js'
-import { DidMethod, ResolveOptions } from './did-method.js'
+import { DidMethod, ResolveDidOptions } from './did-method.js'
 import { DidResolver, ResolvedDocument } from './did-resolver.js'
 
-export type { DidMethod, ResolveOptions, ResolvedDocument }
+export type { DidMethod, ResolvedDocument, ResolveDidOptions }
 
 export type DidCache = SimpleStore<Did, DidDocument>
 
@@ -25,7 +25,7 @@ export class DidResolverCached<M extends string = string>
     )
   }
 
-  public async resolve<D extends Did>(did: D, options?: ResolveOptions) {
+  public async resolve<D extends Did>(did: D, options?: ResolveDidOptions) {
     return this.getter.get(did, options) as Promise<ResolvedDocument<D, M>>
   }
 }