Clean up role-based auth

packages/pds/src/api/app/bsky/feed/getFeed.ts

@@ -14,7 +14,7 @@ export default function (server: Server, ctx: AppContext) {
       const { data: feed } =
         await appViewAgent.api.app.bsky.feed.getFeedGenerator(
           { feed: params.feed },
-          await ctx.appviewAuthHeaders(requester, req),
+          await ctx.appviewAuthHeaders(requester),
         )
       return pipethrough(ctx, req, requester, feed.view.did)
     },

packages/pds/src/api/app/bsky/feed/getPostThread.ts

@@ -190,7 +190,7 @@ const readAfterWriteNotFound = async (
       assert(ctx.appViewAgent)
       const parentsRes = await ctx.appViewAgent.api.app.bsky.feed.getPostThread(
         { uri: highestParent, parentHeight: params.parentHeight, depth: 0 },
-        await ctx.appviewAuthHeaders(requester, null),
+        await ctx.appviewAuthHeaders(requester),
       )
       thread.parent = parentsRes.data.thread
     } catch (err) {

packages/pds/src/api/app/bsky/labeler/getServices.ts

@@ -1,21 +1,13 @@
 import { Server } from '../../../../lexicon'
 import AppContext from '../../../../context'
+import { pipethrough } from '../../../../pipethrough'
 
 export default function (server: Server, ctx: AppContext) {
-  const { appViewAgent } = ctx
-  if (!appViewAgent) return
   server.app.bsky.labeler.getServices({
     auth: ctx.authVerifier.access,
-    handler: async ({ params, auth, req }) => {
+    handler: async ({ auth, req }) => {
       const requester = auth.credentials.did
-      const res = await appViewAgent.api.app.bsky.labeler.getServices(
-        params,
-        await ctx.appviewAuthHeaders(requester, req),
-      )
-      return {
-        encoding: 'application/json',
-        body: res.data,
-      }
+      return pipethrough(ctx, req, requester)
     },
   })
 }

packages/pds/src/api/app/bsky/notification/registerPush.ts

@@ -10,13 +10,13 @@ export default function (server: Server, ctx: AppContext) {
   if (!appViewAgent) return
   server.app.bsky.notification.registerPush({
     auth: ctx.authVerifier.accessDeactived,
-    handler: async ({ auth, input, req }) => {
+    handler: async ({ auth, input }) => {
       const { serviceDid } = input.body
       const {
         credentials: { did },
       } = auth
 
-      const authHeaders = await ctx.serviceAuthHeaders(did, serviceDid, req)
+      const authHeaders = await ctx.serviceAuthHeaders(did, serviceDid)
 
       if (ctx.cfg.bskyAppView?.did === serviceDid) {
         await appViewAgent.api.app.bsky.notification.registerPush(input.body, {

packages/pds/src/api/com/atproto/admin/sendEmail.ts

@@ -30,7 +30,6 @@ export default function (server: Server, ctx: AppContext) {
             ...(await ctx.serviceAuthHeaders(
               recipientDid,
               ctx.cfg.entryway?.did,
-              req,
             )),
           }),
         )

packages/pds/src/context.ts

@@ -1,5 +1,4 @@
 import assert from 'node:assert'
-import express from 'express'
 import * as nodemailer from 'nodemailer'
 import { Redis } from 'ioredis'
 import * as plc from '@did-plc/lib'
@@ -249,37 +248,18 @@ export class AppContext {
     })
   }
 
-  async appviewAuthHeaders(did: string, req: express.Request | null) {
+  async appviewAuthHeaders(did: string) {
     assert(this.cfg.bskyAppView)
-    return this.serviceAuthHeaders(did, this.cfg.bskyAppView.did, req)
+    return this.serviceAuthHeaders(did, this.cfg.bskyAppView.did)
   }
 
-  async moderationAuthHeaders(did: string) {
-    assert(this.cfg.modService)
-    return this.serviceAuthHeaders(did, this.cfg.modService.did, null)
-  }
-
-  async reportingAuthHeaders(did: string) {
-    assert(this.cfg.reportService)
-    return this.serviceAuthHeaders(did, this.cfg.reportService.did, null)
-  }
-
-  async serviceAuthHeaders(
-    did: string,
-    aud: string,
-    req: express.Request | null,
-  ) {
+  async serviceAuthHeaders(did: string, aud: string) {
     const keypair = await this.actorStore.keypair(did)
-    const authHeaders = await createServiceAuthHeaders({
+    return createServiceAuthHeaders({
       iss: did,
       aud,
       keypair,
     })
-    const labelerHeader = req?.header('atproto-labelers')
-    if (labelerHeader) {
-      authHeaders.headers['atproto-labelers'] = labelerHeader
-    }
-    return authHeaders
   }
 }
 

packages/pds/src/pipethrough.ts

@@ -118,6 +118,7 @@ export const createUrlAndHeaders = async (
   // forward accept-language header to upstream services
   headers['accept-language'] = req.headers['accept-language']
   headers['content-type'] = req.headers['content-type']
+  headers['atproto-labelers'] = req.headers['atproto-labelers']
   return { url, headers }
 }