Fix OAuth scope errors and handle change crash for non-Blacksky PDS users

- Add granular OAuth scopes (identity:handle, account:email?action=manage,
  account:status?action=manage) for proper permissions on newer PDSs
- Add isOauth && !isBskyPds guards for Update Email, Deactivate, and Delete
  which are hardcoded to reject OAuth at the PDS level
- Route Blacksky PDS OAuth users through gatekeeper for email update,
  deactivate, and delete (password-required operations)
- Fix ChangeHandleDialog crash: OauthBskyAppAgent extends Agent (not AtpAgent)
  so resumeSession does not exist, causing TypeError in onSuccess callback that
  TanStack Query catches and surfaces as a mutation error despite HTTP 200
- Add ScopeMissingError and OAuth error handling in error strings and
  useCleanError as safety net

Author: rudyfraser

bskyweb/static/oauth-client-metadata.json

@@ -5,7 +5,7 @@
 	"redirect_uris": [
 		"https://blacksky.community/auth/web/callback"
 	],
-	"scope": "atproto transition:generic transition:email transition:chat.bsky",
+	"scope": "atproto transition:generic transition:email transition:chat.bsky identity:handle account:email?action=manage account:status?action=manage",
 	"token_endpoint_auth_method": "none",
 	"response_types": [
 		"code"

src/components/dialogs/EmailDialog/screens/Update.tsx

@@ -1,11 +1,13 @@
 import {useReducer} from 'react'
-import {View} from 'react-native'
+import {Linking, View} from 'react-native'
 import {msg, Trans} from '@lingui/macro'
 import {useLingui} from '@lingui/react'
 import {validate as validateEmail} from 'email-validator'
 
+import {gateUpdateEmail} from '#/lib/api/gatekeeper'
 import {wait} from '#/lib/async/wait'
 import {useCleanError} from '#/lib/hooks/useCleanError'
+import {useIsBlackskyPds} from '#/lib/hooks/useIsBlackskyPds'
 import {logger} from '#/logger'
 import {useSession} from '#/state/session'
 import {atoms as a, useTheme} from '#/alf'
@@ -27,6 +29,7 @@ import {Divider} from '#/components/Divider'
 import * as TextField from '#/components/forms/TextField'
 import {CheckThick_Stroke2_Corner0_Rounded as Check} from '#/components/icons/Check'
 import {Envelope_Stroke2_Corner0_Rounded as Envelope} from '#/components/icons/Envelope'
+import {Lock_Stroke2_Corner2_Rounded as Lock} from '#/components/icons/Lock'
 import {Loader} from '#/components/Loader'
 import {Text} from '#/components/Typography'
 
@@ -37,6 +40,7 @@ type State = {
   emailValid: boolean
   email: string
   token: string
+  password: string
 }
 
 type Action =
@@ -60,6 +64,10 @@ type Action =
       type: 'setToken'
       value: string
     }
+  | {
+      type: 'setPassword'
+      value: string
+    }
 
 function reducer(state: State, action: Action): State {
   switch (action.type) {
@@ -100,6 +108,12 @@ function reducer(state: State, action: Action): State {
         token: action.value,
       }
     }
+    case 'setPassword': {
+      return {
+        ...state,
+        password: action.value,
+      }
+    }
   }
 }
 
@@ -115,12 +129,51 @@ export function Update(_props: ScreenProps<ScreenID.Update>) {
     email: '',
     emailValid: true,
     token: '',
+    password: '',
   })
 
   const {mutateAsync: updateEmail} = useUpdateEmail()
   const {mutateAsync: requestEmailUpdate} = useRequestEmailUpdate()
   const {mutateAsync: requestEmailVerification} = useRequestEmailVerification()
 
+  const isOauth = currentAccount?.isOauthSession === true
+  const isBskyPds = useIsBlackskyPds()
+  const useGatekeeper = isOauth && isBskyPds
+
+  if (isOauth && !isBskyPds) {
+    const pdsAccountUrl = currentAccount?.service
+      ? `${currentAccount.service}/account`
+      : undefined
+
+    return (
+      <View style={[a.gap_lg]}>
+        <Text style={[a.text_xl, a.font_bold]}>
+          <Trans>Update your email</Trans>
+        </Text>
+
+        <Admonition type="info">
+          <Trans>
+            Email updates are not available when signed in with OAuth. Please
+            manage your email through your hosting provider's website.
+          </Trans>
+        </Admonition>
+
+        {pdsAccountUrl && (
+          <Button
+            label={_(msg`Open account settings`)}
+            size="large"
+            variant="solid"
+            color="primary"
+            onPress={() => Linking.openURL(pdsAccountUrl)}>
+            <ButtonText>
+              <Trans>Open Account Settings</Trans>
+            </ButtonText>
+          </Button>
+        )}
+      </View>
+    )
+  }
+
   const handleEmailChange = (email: string) => {
     dispatch({
       type: 'setEmail',
@@ -159,33 +212,44 @@ export function Update(_props: ScreenProps<ScreenID.Update>) {
     }
 
     try {
-      const {status} = await wait(
-        1000,
-        updateEmail({
-          email: state.email,
-          token: state.token,
-        }),
-      )
+      if (useGatekeeper) {
+        const {status} = await wait(
+          1000,
+          gateUpdateEmail({
+            serviceUrl: currentAccount.service,
+            did: currentAccount.did,
+            password: state.password,
+            email: state.email,
+            token: state.token || undefined,
+          }),
+        )
 
-      if (status === 'tokenRequired') {
-        dispatch({
-          type: 'setStep',
-          step: 'token',
-        })
-        dispatch({
-          type: 'setMutationStatus',
-          status: 'default',
-        })
-      } else if (status === 'success') {
-        dispatch({
-          type: 'setMutationStatus',
-          status: 'success',
-        })
+        if (status === 'tokenRequired') {
+          dispatch({type: 'setStep', step: 'token'})
+          dispatch({type: 'setMutationStatus', status: 'default'})
+        } else if (status === 'success') {
+          dispatch({type: 'setMutationStatus', status: 'success'})
+        }
+      } else {
+        const {status} = await wait(
+          1000,
+          updateEmail({
+            email: state.email,
+            token: state.token,
+          }),
+        )
 
-        try {
-          // fire off a confirmation email immediately
-          await requestEmailVerification()
-        } catch {}
+        if (status === 'tokenRequired') {
+          dispatch({type: 'setStep', step: 'token'})
+          dispatch({type: 'setMutationStatus', status: 'default'})
+        } else if (status === 'success') {
+          dispatch({type: 'setMutationStatus', status: 'success'})
+
+          try {
+            // fire off a confirmation email immediately
+            await requestEmailVerification()
+          } catch {}
+        }
       }
     } catch (e) {
       logger.error('EmailDialog: update email failed', {safeMessage: e})
@@ -235,6 +299,31 @@ export function Update(_props: ScreenProps<ScreenID.Update>) {
           </TextField.Root>
         </View>
 
+        {useGatekeeper && (
+          <View>
+            <Text
+              style={[a.pb_sm, a.leading_snug, t.atoms.text_contrast_medium]}>
+              <Trans>Please enter your account password.</Trans>
+            </Text>
+            <TextField.Root>
+              <TextField.Icon icon={Lock} />
+              <TextField.Input
+                label={_(msg`Password`)}
+                placeholder={_(msg`Password`)}
+                defaultValue={state.password}
+                onChangeText={
+                  state.mutationStatus === 'success'
+                    ? undefined
+                    : (value: string) => dispatch({type: 'setPassword', value})
+                }
+                secureTextEntry
+                autoComplete="password"
+                autoCapitalize="none"
+              />
+            </TextField.Root>
+          </View>
+        )}
+
         {state.step === 'token' && (
           <>
             <Divider />
@@ -304,6 +393,7 @@ export function Update(_props: ScreenProps<ScreenID.Update>) {
           onPress={handleUpdateEmail}
           disabled={
             !state.email ||
+            (useGatekeeper && !state.password) ||
             (state.step === 'token' &&
               (!state.token || state.token.length !== 11)) ||
             state.mutationStatus === 'pending'

src/lib/hooks/useCleanError.ts

@@ -66,6 +66,15 @@ export function useCleanError() {
         }
       }
 
+      if (raw.includes('OAuth credentials are not supported')) {
+        return {
+          raw,
+          clean: _(
+            msg`This feature is not available when signed in with OAuth. Please manage your account through your hosting provider's website.`,
+          ),
+        }
+      }
+
       if (raw.includes('Rate Limit Exceeded')) {
         return {
           raw,

src/lib/strings/errors.ts

@@ -30,6 +30,15 @@ export function cleanError(str: any): string {
   if (str.includes('Bad token scope') || str.includes('Bad token method')) {
     return t`This feature is not available while using an App Password. Please sign in with your main password.`
   }
+  if (str.includes('OAuth credentials are not supported')) {
+    return t`This feature is not available when signed in with OAuth. Please manage your account through your hosting provider's website.`
+  }
+  if (
+    str.includes('ScopeMissingError') ||
+    str.includes('Missing required scope')
+  ) {
+    return t`This feature is not available with your current session. Please manage your account through your hosting provider's website, or sign out and sign back in to refresh your permissions.`
+  }
   if (str.includes('Account has been suspended')) {
     return t`Account has been suspended`
   }

src/screens/Settings/AccountSettings.tsx

@@ -1,7 +1,9 @@
+import {Linking} from 'react-native'
 import {msg, Trans} from '@lingui/macro'
 import {useLingui} from '@lingui/react'
 import {type NativeStackScreenProps} from '@react-navigation/native-stack'
 
+import {useIsBlackskyPds} from '#/lib/hooks/useIsBlackskyPds'
 import {type CommonNavigatorParams} from '#/lib/routes/types'
 import {useModalControls} from '#/state/modals'
 import {useSession} from '#/state/session'
@@ -41,6 +43,18 @@ export function AccountSettingsScreen({}: Props) {
   const exportCarControl = useDialogControl()
   const deactivateAccountControl = useDialogControl()
 
+  const isOauth = currentAccount?.isOauthSession === true
+  const isBskyPds = useIsBlackskyPds()
+  const pdsAccountUrl = currentAccount?.service
+    ? `${currentAccount.service}/account`
+    : undefined
+
+  const openPdsAccountPage = () => {
+    if (pdsAccountUrl) {
+      void Linking.openURL(pdsAccountUrl)
+    }
+  }
+
   return (
     <Layout.Screen>
       <Layout.Header.Outer>
@@ -105,9 +119,11 @@ export function AccountSettingsScreen({}: Props) {
           <SettingsList.PressableItem
             label={_(msg`Update email`)}
             onPress={() =>
-              emailDialogControl.open({
-                id: EmailDialogScreenID.Update,
-              })
+              isOauth && !isBskyPds
+                ? openPdsAccountPage()
+                : emailDialogControl.open({
+                    id: EmailDialogScreenID.Update,
+                  })
             }>
             <SettingsList.ItemIcon icon={PencilIcon} />
             <SettingsList.ItemText>
@@ -157,7 +173,11 @@ export function AccountSettingsScreen({}: Props) {
           </SettingsList.PressableItem>
           <SettingsList.PressableItem
             label={_(msg`Deactivate account`)}
-            onPress={() => deactivateAccountControl.open()}
+            onPress={() =>
+              isOauth && !isBskyPds
+                ? openPdsAccountPage()
+                : deactivateAccountControl.open()
+            }
             destructive>
             <SettingsList.ItemIcon icon={FreezeIcon} />
             <SettingsList.ItemText>
@@ -167,7 +187,11 @@ export function AccountSettingsScreen({}: Props) {
           </SettingsList.PressableItem>
           <SettingsList.PressableItem
             label={_(msg`Delete account`)}
-            onPress={() => openModal({name: 'delete-account'})}
+            onPress={() =>
+              isOauth && !isBskyPds
+                ? openPdsAccountPage()
+                : openModal({name: 'delete-account'})
+            }
             destructive>
             <SettingsList.ItemIcon icon={Trash_Stroke2_Corner2_Rounded} />
             <SettingsList.ItemText>

src/screens/Settings/components/ChangeHandleDialog.tsx

@@ -17,8 +17,11 @@ import {useMutation, useQueryClient} from '@tanstack/react-query'
 
 import {HITSLOP_10, urls} from '#/lib/constants'
 import {cleanError} from '#/lib/strings/errors'
-import {createFullHandle, validateServiceHandle} from '#/lib/strings/handles'
-import {sanitizeHandle} from '#/lib/strings/handles'
+import {
+  createFullHandle,
+  sanitizeHandle,
+  validateServiceHandle,
+} from '#/lib/strings/handles'
 import {useFetchDid, useUpdateHandleMutation} from '#/state/queries/handle'
 import {RQKEY as RQKEY_PROFILE} from '#/state/queries/profile'
 import {useServiceQuery} from '#/state/queries/service'
@@ -173,7 +176,11 @@ function ProvidedHandlePage({
           queryKey: RQKEY_PROFILE(currentAccount.did),
         })
       }
-      agent.resumeSession(agent.session!).then(() => control.close())
+      if ('resumeSession' in agent && agent.session) {
+        agent.resumeSession(agent.session).then(() => control.close())
+      } else {
+        control.close()
+      }
     },
   })
 
@@ -401,7 +408,11 @@ function OwnHandlePage({goToServiceHandle}: {goToServiceHandle: () => void}) {
           queryKey: RQKEY_PROFILE(currentAccount.did),
         })
       }
-      agent.resumeSession(agent.session!).then(() => control.close())
+      if ('resumeSession' in agent && agent.session) {
+        agent.resumeSession(agent.session).then(() => control.close())
+      } else {
+        control.close()
+      }
     },
   })