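--- a/server/services/xrpc-api.ts
+++ b/server/services/xrpc-api.ts
@@ -581,10 +581,12 @@
 ? req.path.slice('/xrpc/'.length)
 : undefined;
 
-// Skip aud check for app password tokens (scope=com.atproto.appPassPrivileged)
-const isAppPassword =
-anyPayload.scope === 'com.atproto.appPassPrivileged';
-if (!isAppPassword && anyPayload.aud) {
+// Skip aud check for PDS-issued tokens (com.atproto.access and com.atproto.appPassPrivileged)
+// PDS tokens have aud=PDS_DID, not aud=AppView_DID
+const isPdsToken =
+anyPayload.scope === 'com.atproto.appPassPrivileged' ||
+anyPayload.scope === 'com.atproto.access';
+if (!isPdsToken && anyPayload.aud) {
 // Accept both base AppView DID and service-specific DID (with #bsky_appview fragment)
 const isBaseAppViewDid = anyPayload.aud === appviewDid;
 const isServiceAppViewDid =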
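Review bot: The new `isPdsToken` condition lets any token whose self-asserted `scope` claim is `com.atproto.access` — the scope an ordinary access token carries — skip the only check that binds the token to this AppView, so the audience check is now gated by a claim the token holder controls. The hunk does not show where `anyPayload` is decoded or whether its signature was verified against the issuer before this point; if that verification is missing or happens later, a replayed or forged token bypasses audience binding entirely. Since the new comment itself says PDS tokens carry `aud=PDS_DID`, prefer comparing `aud` against the PDS DID expected for the caller (if that is resolvable here) rather than dropping the comparison; note the pre-existing `&& anyPayload.aud` guard already means a token with no `aud` is never checked, and this change widens that gap. At minimum record the trade-off next to the exemption, e.g. `// NOTE: exemption trusts the signed scope claim; aud is not bound to this service for these tokens`. The enclosing function begins before and ends after this hunk.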
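--- a/server/services/xrpc/utils/auth-helpers.ts
+++ b/server/services/xrpc/utils/auth-helpers.ts
@@ -66,10 +66,12 @@
 ? req.path.slice('/xrpc/'.length)
 : undefined;
 
-// Skip aud check for app password tokens (scope=com.atproto.appPassPrivileged)
-const isAppPassword =
-anyPayload.scope === 'com.atproto.appPassPrivileged';
-if (!isAppPassword && anyPayload.aud) {
+// Skip aud check for PDS-issued tokens (com.atproto.access and com.atproto.appPassPrivileged)
+// PDS tokens have aud=PDS_DID, not aud=AppView_DID
+const isPdsToken =
+anyPayload.scope === 'com.atproto.appPassPrivileged' ||
+anyPayload.scope === 'com.atproto.access';
+if (!isPdsToken && anyPayload.aud) {
 // Accept both base AppView DID and service-specific DID (with #bsky_appview fragment)
 const isBaseAppViewDid = anyPayload.aud === appviewDid;
 const isServiceAppViewDid =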
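Review bot: The audience-exemption policy at `const isPdsToken = ...` is now a verbatim copy of the same lines in `server/services/xrpc-api.ts`, so the set of scopes that bypass the aud check lives in two places that must be edited in lockstep — exactly the kind of drift that silently widens or narrows an auth boundary. Since this file is already the auth-helpers module, define the predicate once here and import it from xrpc-api.ts, e.g. `export const isPdsIssuedScope = (scope: unknown): boolean =>` / `  scope === 'com.atproto.appPassPrivileged' || scope === 'com.atproto.access';`, and gate both call sites on `!isPdsIssuedScope(anyPayload.scope) && anyPayload.aud`. Give the helper a TSDoc comment stating that callers must only invoke it on a payload whose signature has already been verified, because the scope claim is otherwise attacker-controlled. The enclosing function begins before and ends after this hunk.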