Skip to content

add more xrpc endpoints#218

Closed
uniphil wants to merge 13 commits into
alnkesq:mainfrom
uniphil:xrpc-repair
Closed

add more xrpc endpoints#218
uniphil wants to merge 13 commits into
alnkesq:mainfrom
uniphil:xrpc-repair

Conversation

@uniphil

@uniphil uniphil commented May 5, 2025

Copy link
Copy Markdown

trying to follow the errors i'm getting from deer to add enough xrpc to get things somewhat more working.

this builds on #215 since i need that on my prod deploy, but if you're interested in merging it without i can rebase it out!

so far this only adds one missing xrpc endpoint, app.bsky.actor.getProfiles xrpc endpoint. this is my first c# code so sorry if it's off the style from this repo -- happy to change it however is useful!

uniphil added 13 commits May 4, 2025 12:32
[Inter-Service Authentication (JWT)](https://atproto.com/specs/xrpc) from the XRPC doc specifies that the user's DID is passed in the `iss` (issuer) field. The JWT from the bearer token that the client receives from the PDS happens to put it in `sub` (subject) but this token is meant to be opaque to clients and confidential to the PDS. I don't think third-party appviews can ever use that token safely, since only the PDS can verify it.

This change makes AppViewLite look instead for `Issuer` which should make xrpc-proxied requests _work_, but note that it's still not verifying the JWT, so these tokens can be trivially forged.

Assuming this works, the token can be verified with the users's pubkey, and then this will be closer to being safe.
I'm not sure if I'm doing this the right way but it seems to work.
need to fix but hopefully this at least helps social-app render
this might have been more effort than actually implementing the list lookup...
it's going to need collection and rkey isn't it
confidence this stub will help anything: zero.
@alnkesq

alnkesq commented May 6, 2025

Copy link
Copy Markdown
Owner

I implemented the 3 methods that you needed and many others: 4af131f

@alnkesq alnkesq closed this May 6, 2025
@uniphil

uniphil commented May 6, 2025

Copy link
Copy Markdown
Author

wow amazing!!

just deployed and i'm getting a few errors

  • 415 unsupported media type on getFeedGenerators ([FromQuery]string[] feeds fixed this for me)
  • same with getProfiles

it didn't get far enough to fail at getTimeline but i think it would, unless i missed some things in your changes -- proxied XRPC has no cookie to look up the current session, and so LoggedInUser from RequestContext blew up for GetScorer.

seems a little tricky -- i started hacking on it but it might need more changes around XRPC support to make sense.

@alnkesq

alnkesq commented May 7, 2025

Copy link
Copy Markdown
Owner

getFeedGenerators, getProfiles, and getPosts should now be fixed.

it didn't get far enough to fail at getTimeline but i think it would, unless i missed some things in your changes -- proxied XRPC has no cookie to look up the current session, and so LoggedInUser from RequestContext blew up for GetScorer.

so the path followed by getTimeline is
Client -> PDS -> AppView
Does the AppView get the Authorization header? If not, how does it know for which user to populate the timeline?
If Authorization is set, then AppViewLite should recognize it and use it to populate RequestContext.

Note that my setup is different: Client -> AppView, so things might behave differently

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants