Rename to tranquil PDS, sounds better than bullshit PDS

src/api/server/account_status.rs

@@ -157,9 +157,20 @@ pub async fn activate_account(
         .await;
     match result {
         Ok(_) => {
-            if let Some(h) = handle {
+            if let Some(ref h) = handle {
                 let _ = state.cache.delete(&format!("handle:{}", h)).await;
             }
+            if let Err(e) =
+                crate::api::repo::record::sequence_account_event(&state, &did, true, None).await
+            {
+                warn!("Failed to sequence account activation event: {}", e);
+            }
+            if let Err(e) =
+                crate::api::repo::record::sequence_identity_event(&state, &did, handle.as_deref())
+                    .await
+            {
+                warn!("Failed to sequence identity event for activation: {}", e);
+            }
             (StatusCode::OK, Json(json!({}))).into_response()
         }
         Err(e) => {
@@ -222,9 +233,14 @@ pub async fn deactivate_account(
     .await;
     match result {
         Ok(_) => {
-            if let Some(h) = handle {
+            if let Some(ref h) = handle {
                 let _ = state.cache.delete(&format!("handle:{}", h)).await;
             }
+            if let Err(e) =
+                crate::api::repo::record::sequence_account_event(&state, &did, false, Some("deactivated")).await
+            {
+                warn!("Failed to sequence account deactivation event: {}", e);
+            }
             (StatusCode::OK, Json(json!({}))).into_response()
         }
         Err(e) => {

src/api/server/service_auth.rs

@@ -10,6 +10,28 @@ use serde::{Deserialize, Serialize};
 use serde_json::json;
 use tracing::error;
 
+const HOUR_SECS: i64 = 3600;
+const MINUTE_SECS: i64 = 60;
+
+const PROTECTED_METHODS: &[&str] = &[
+    "com.atproto.admin.sendEmail",
+    "com.atproto.identity.requestPlcOperationSignature",
+    "com.atproto.identity.signPlcOperation",
+    "com.atproto.identity.updateHandle",
+    "com.atproto.server.activateAccount",
+    "com.atproto.server.confirmEmail",
+    "com.atproto.server.createAppPassword",
+    "com.atproto.server.deactivateAccount",
+    "com.atproto.server.getAccountInviteCodes",
+    "com.atproto.server.getSession",
+    "com.atproto.server.listAppPasswords",
+    "com.atproto.server.requestAccountDelete",
+    "com.atproto.server.requestEmailConfirmation",
+    "com.atproto.server.requestEmailUpdate",
+    "com.atproto.server.revokeAppPassword",
+    "com.atproto.server.updateEmail",
+];
+
 #[derive(Deserialize)]
 pub struct GetServiceAuthParams {
     pub aud: String,
@@ -33,7 +55,7 @@ pub async fn get_service_auth(
         Some(t) => t,
         None => return ApiError::AuthenticationRequired.into_response(),
     };
-    let auth_user = match crate::auth::validate_bearer_token(&state.db, &token).await {
+    let auth_user = match crate::auth::validate_bearer_token_for_service_auth(&state.db, &token).await {
         Ok(user) => user,
         Err(e) => return ApiError::from(e).into_response(),
     };
@@ -46,9 +68,86 @@ pub async fn get_service_auth(
             .into_response();
         }
     };
-    let lxm = params.lxm.as_deref().unwrap_or("*");
+
+    let lxm = params.lxm.as_deref();
+    let lxm_for_token = lxm.unwrap_or("*");
+
+    let user_status = sqlx::query!(
+        "SELECT takedown_ref FROM users WHERE did = $1",
+        auth_user.did
+    )
+    .fetch_optional(&state.db)
+    .await;
+
+    let is_takendown = match user_status {
+        Ok(Some(row)) => row.takedown_ref.is_some(),
+        _ => false,
+    };
+
+    if is_takendown && lxm != Some("com.atproto.server.createAccount") {
+        return (
+            StatusCode::BAD_REQUEST,
+            Json(json!({
+                "error": "InvalidToken",
+                "message": "Bad token scope"
+            })),
+        )
+            .into_response();
+    }
+
+    if let Some(method) = lxm {
+        if PROTECTED_METHODS.contains(&method) {
+            return (
+                StatusCode::BAD_REQUEST,
+                Json(json!({
+                    "error": "InvalidRequest",
+                    "message": format!("cannot request a service auth token for the following protected method: {}", method)
+                })),
+            )
+                .into_response();
+        }
+    }
+
+    if let Some(exp) = params.exp {
+        let now = chrono::Utc::now().timestamp();
+        let diff = exp - now;
+
+        if diff < 0 {
+            return (
+                StatusCode::BAD_REQUEST,
+                Json(json!({
+                    "error": "BadExpiration",
+                    "message": "expiration is in past"
+                })),
+            )
+                .into_response();
+        }
+
+        if diff > HOUR_SECS {
+            return (
+                StatusCode::BAD_REQUEST,
+                Json(json!({
+                    "error": "BadExpiration",
+                    "message": "cannot request a token with an expiration more than an hour in the future"
+                })),
+            )
+                .into_response();
+        }
+
+        if lxm.is_none() && diff > MINUTE_SECS {
+            return (
+                StatusCode::BAD_REQUEST,
+                Json(json!({
+                    "error": "BadExpiration",
+                    "message": "cannot request a method-less token with an expiration more than a minute in the future"
+                })),
+            )
+                .into_response();
+        }
+    }
+
     let service_token =
-        match crate::auth::create_service_token(&auth_user.did, &params.aud, lxm, &key_bytes) {
+        match crate::auth::create_service_token(&auth_user.did, &params.aud, lxm_for_token, &key_bytes) {
             Ok(t) => t,
             Err(e) => {
                 error!("Failed to create service token: {:?}", e);