Merge branch 'connections' into 'main'
Add OAuth tokens See merge request soapbox-pub/ditto!325
This commit is contained in:
commit
1ad1808ee2
|
@ -24,6 +24,7 @@
|
|||
"@isaacs/ttlcache": "npm:@isaacs/ttlcache@^1.4.1",
|
||||
"@noble/secp256k1": "npm:@noble/secp256k1@^2.0.0",
|
||||
"@nostrify/nostrify": "jsr:@nostrify/nostrify@^0.22.4",
|
||||
"@scure/base": "npm:@scure/base@^1.1.6",
|
||||
"@sentry/deno": "https://deno.land/x/sentry@7.112.2/index.mjs",
|
||||
"@soapbox/kysely-deno-sqlite": "jsr:@soapbox/kysely-deno-sqlite@^2.1.0",
|
||||
"@soapbox/stickynotes": "jsr:@soapbox/stickynotes@^0.4.0",
|
||||
|
@ -51,7 +52,7 @@
|
|||
"linkifyjs": "npm:linkifyjs@^4.1.1",
|
||||
"lru-cache": "npm:lru-cache@^10.2.2",
|
||||
"nostr-relaypool": "npm:nostr-relaypool2@0.6.34",
|
||||
"nostr-tools": "npm:nostr-tools@^2.5.1",
|
||||
"nostr-tools": "npm:nostr-tools@2.5.1",
|
||||
"nostr-wasm": "npm:nostr-wasm@^0.1.0",
|
||||
"tldts": "npm:tldts@^6.0.14",
|
||||
"tseep": "npm:tseep@^1.2.1",
|
||||
|
|
|
@ -1,12 +1,14 @@
|
|||
import { encodeBase64 } from '@std/encoding/base64';
|
||||
import { NConnectSigner, NSchema as n, NSecSigner } from '@nostrify/nostrify';
|
||||
import { bech32 } from '@scure/base';
|
||||
import { escape } from 'entities';
|
||||
import { nip19 } from 'nostr-tools';
|
||||
import { generateSecretKey, getPublicKey } from 'nostr-tools';
|
||||
import { z } from 'zod';
|
||||
|
||||
import { AppController } from '@/app.ts';
|
||||
import { DittoDB } from '@/db/DittoDB.ts';
|
||||
import { nostrNow } from '@/utils.ts';
|
||||
import { parseBody } from '@/utils/api.ts';
|
||||
import { getClientConnectUri } from '@/utils/connect.ts';
|
||||
import { Storages } from '@/storages.ts';
|
||||
|
||||
const passwordGrantSchema = z.object({
|
||||
grant_type: z.literal('password'),
|
||||
|
@ -22,10 +24,18 @@ const credentialsGrantSchema = z.object({
|
|||
grant_type: z.literal('client_credentials'),
|
||||
});
|
||||
|
||||
const nostrGrantSchema = z.object({
|
||||
grant_type: z.literal('nostr_bunker'),
|
||||
pubkey: n.id(),
|
||||
relays: z.string().url().array().optional(),
|
||||
secret: z.string().optional(),
|
||||
});
|
||||
|
||||
const createTokenSchema = z.discriminatedUnion('grant_type', [
|
||||
passwordGrantSchema,
|
||||
codeGrantSchema,
|
||||
credentialsGrantSchema,
|
||||
nostrGrantSchema,
|
||||
]);
|
||||
|
||||
const createTokenController: AppController = async (c) => {
|
||||
|
@ -37,6 +47,13 @@ const createTokenController: AppController = async (c) => {
|
|||
}
|
||||
|
||||
switch (result.data.grant_type) {
|
||||
case 'nostr_bunker':
|
||||
return c.json({
|
||||
access_token: await getToken(result.data),
|
||||
token_type: 'Bearer',
|
||||
scope: 'read write follow push',
|
||||
created_at: nostrNow(),
|
||||
});
|
||||
case 'password':
|
||||
return c.json({
|
||||
access_token: result.data.password,
|
||||
|
@ -61,50 +78,63 @@ const createTokenController: AppController = async (c) => {
|
|||
}
|
||||
};
|
||||
|
||||
async function getToken(
|
||||
{ pubkey, secret, relays = [] }: { pubkey: string; secret?: string; relays?: string[] },
|
||||
): Promise<`token1${string}`> {
|
||||
const kysely = await DittoDB.getInstance();
|
||||
const token = generateToken();
|
||||
|
||||
const serverSeckey = generateSecretKey();
|
||||
const serverPubkey = getPublicKey(serverSeckey);
|
||||
|
||||
const signer = new NConnectSigner({
|
||||
pubkey,
|
||||
signer: new NSecSigner(serverSeckey),
|
||||
relay: await Storages.pubsub(), // TODO: Use the relays from the request.
|
||||
timeout: 60_000,
|
||||
});
|
||||
|
||||
await signer.connect(secret);
|
||||
|
||||
await kysely.insertInto('nip46_tokens').values({
|
||||
api_token: token,
|
||||
user_pubkey: pubkey,
|
||||
server_seckey: serverSeckey,
|
||||
server_pubkey: serverPubkey,
|
||||
relays: JSON.stringify(relays),
|
||||
connected_at: new Date(),
|
||||
}).execute();
|
||||
|
||||
return token;
|
||||
}
|
||||
|
||||
/** Generate a bech32 token for the API. */
|
||||
function generateToken(): `token1${string}` {
|
||||
const words = bech32.toWords(generateSecretKey());
|
||||
return bech32.encode('token', words);
|
||||
}
|
||||
|
||||
/** Display the OAuth form. */
|
||||
const oauthController: AppController = async (c) => {
|
||||
const oauthController: AppController = (c) => {
|
||||
const encodedUri = c.req.query('redirect_uri');
|
||||
if (!encodedUri) {
|
||||
return c.text('Missing `redirect_uri` query param.', 422);
|
||||
}
|
||||
|
||||
const redirectUri = maybeDecodeUri(encodedUri);
|
||||
const connectUri = await getClientConnectUri(c.req.raw.signal);
|
||||
|
||||
const script = `
|
||||
window.addEventListener('load', function() {
|
||||
if ('nostr' in window) {
|
||||
nostr.getPublicKey().then(function(pubkey) {
|
||||
document.getElementById('pubkey').value = pubkey;
|
||||
document.getElementById('oauth_form').submit();
|
||||
});
|
||||
}
|
||||
});
|
||||
`;
|
||||
|
||||
const hash = encodeBase64(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(script)));
|
||||
|
||||
c.res.headers.set(
|
||||
'content-security-policy',
|
||||
`default-src 'self' 'sha256-${hash}'`,
|
||||
);
|
||||
|
||||
return c.html(`<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<title>Log in with Ditto</title>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
|
||||
<script>${script}</script>
|
||||
</head>
|
||||
<body>
|
||||
<form id="oauth_form" action="/oauth/authorize" method="post">
|
||||
<input type="text" placeholder="npub1... or nsec1..." name="nip19" autocomplete="off">
|
||||
<input type="hidden" name="pubkey" id="pubkey" value="">
|
||||
<input type="text" placeholder="bunker://..." name="bunker_uri" autocomplete="off" required>
|
||||
<input type="hidden" name="redirect_uri" id="redirect_uri" value="${escape(redirectUri)}">
|
||||
<button type="submit">Authorize</button>
|
||||
</form>
|
||||
<br>
|
||||
<a href="${escape(connectUri)}">Nostr Connect</a>
|
||||
</body>
|
||||
</html>
|
||||
`);
|
||||
|
@ -125,16 +155,8 @@ function maybeDecodeUri(uri: string): string {
|
|||
|
||||
/** Schema for FormData POSTed to the OAuthController. */
|
||||
const oauthAuthorizeSchema = z.object({
|
||||
pubkey: z.string().regex(/^[0-9a-f]{64}$/).optional().catch(undefined),
|
||||
nip19: z.string().regex(new RegExp(`^${nip19.BECH32_REGEX.source}$`)).optional().catch(undefined),
|
||||
bunker_uri: z.string().url().refine((v) => v.startsWith('bunker://')),
|
||||
redirect_uri: z.string().url(),
|
||||
}).superRefine((data, ctx) => {
|
||||
if (!data.pubkey && !data.nip19) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'Missing `pubkey` or `nip19`.',
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
/** Controller the OAuth form is POSTed to. */
|
||||
|
@ -147,18 +169,19 @@ const oauthAuthorizeController: AppController = async (c) => {
|
|||
}
|
||||
|
||||
// Parsed FormData values.
|
||||
const { pubkey, nip19: nip19id, redirect_uri: redirectUri } = result.data;
|
||||
const { bunker_uri, redirect_uri: redirectUri } = result.data;
|
||||
|
||||
if (pubkey) {
|
||||
const encoded = nip19.npubEncode(pubkey!);
|
||||
const url = addCodeToRedirectUri(redirectUri, encoded);
|
||||
return c.redirect(url);
|
||||
} else if (nip19id) {
|
||||
const url = addCodeToRedirectUri(redirectUri, nip19id);
|
||||
return c.redirect(url);
|
||||
}
|
||||
const bunker = new URL(bunker_uri);
|
||||
|
||||
return c.text('The Nostr ID was not provided or invalid.', 422);
|
||||
const token = await getToken({
|
||||
pubkey: bunker.hostname,
|
||||
secret: bunker.searchParams.get('secret') || undefined,
|
||||
relays: bunker.searchParams.getAll('relay'),
|
||||
});
|
||||
|
||||
const url = addCodeToRedirectUri(redirectUri, token);
|
||||
|
||||
return c.redirect(url);
|
||||
};
|
||||
|
||||
/** Append the given `code` as a query param to the `redirect_uri`. */
|
||||
|
|
|
@ -2,6 +2,7 @@ export interface DittoTables {
|
|||
nostr_events: EventRow;
|
||||
nostr_tags: TagRow;
|
||||
nostr_fts5: EventFTSRow;
|
||||
nip46_tokens: NIP46TokenRow;
|
||||
unattached_media: UnattachedMediaRow;
|
||||
author_stats: AuthorStatsRow;
|
||||
event_stats: EventStatsRow;
|
||||
|
@ -44,6 +45,15 @@ interface TagRow {
|
|||
value: string;
|
||||
}
|
||||
|
||||
interface NIP46TokenRow {
|
||||
api_token: string;
|
||||
user_pubkey: string;
|
||||
server_seckey: Uint8Array;
|
||||
server_pubkey: string;
|
||||
relays: string;
|
||||
connected_at: Date;
|
||||
}
|
||||
|
||||
interface UnattachedMediaRow {
|
||||
id: string;
|
||||
pubkey: string;
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
import { Kysely, sql } from 'kysely';
|
||||
|
||||
export async function up(db: Kysely<any>): Promise<void> {
|
||||
await db.schema
|
||||
.createTable('nip46_tokens')
|
||||
.addColumn('api_token', 'text', (col) => col.primaryKey().unique().notNull())
|
||||
.addColumn('user_pubkey', 'text', (col) => col.notNull())
|
||||
.addColumn('server_seckey', 'bytea', (col) => col.notNull())
|
||||
.addColumn('server_pubkey', 'text', (col) => col.notNull())
|
||||
.addColumn('relays', 'text', (col) => col.defaultTo('[]'))
|
||||
.addColumn('connected_at', 'timestamp', (col) => col.defaultTo(sql`CURRENT_TIMESTAMP`))
|
||||
.execute();
|
||||
}
|
||||
|
||||
export async function down(db: Kysely<any>): Promise<void> {
|
||||
await db.schema.dropTable('nip46_tokens').execute();
|
||||
}
|
|
@ -3,7 +3,7 @@ import { HTTPException } from 'hono';
|
|||
|
||||
import { type AppContext, type AppMiddleware } from '@/app.ts';
|
||||
import { findUser, User } from '@/db/users.ts';
|
||||
import { ConnectSigner } from '@/signers/ConnectSigner.ts';
|
||||
import { ReadOnlySigner } from '@/signers/ReadOnlySigner.ts';
|
||||
import { localRequest } from '@/utils/api.ts';
|
||||
import {
|
||||
buildAuthEventTemplate,
|
||||
|
@ -22,7 +22,7 @@ function auth98Middleware(opts: ParseAuthRequestOpts = {}): AppMiddleware {
|
|||
const result = await parseAuthRequest(req, opts);
|
||||
|
||||
if (result.success) {
|
||||
c.set('signer', new ConnectSigner(result.data.pubkey));
|
||||
c.set('signer', new ReadOnlySigner(result.data.pubkey));
|
||||
c.set('proof', result.data);
|
||||
}
|
||||
|
||||
|
@ -70,7 +70,8 @@ function withProof(
|
|||
opts?: ParseAuthRequestOpts,
|
||||
): AppMiddleware {
|
||||
return async (c, next) => {
|
||||
const pubkey = await c.get('signer')?.getPublicKey();
|
||||
const signer = c.get('signer');
|
||||
const pubkey = await signer?.getPublicKey();
|
||||
const proof = c.get('proof') || await obtainProof(c, opts);
|
||||
|
||||
// Prevent people from accidentally using the wrong account. This has no other security implications.
|
||||
|
@ -79,8 +80,12 @@ function withProof(
|
|||
}
|
||||
|
||||
if (proof) {
|
||||
c.set('signer', new ConnectSigner(proof.pubkey));
|
||||
c.set('proof', proof);
|
||||
|
||||
if (!signer) {
|
||||
c.set('signer', new ReadOnlySigner(proof.pubkey));
|
||||
}
|
||||
|
||||
await handler(c, proof, next);
|
||||
} else {
|
||||
throw new HTTPException(401, { message: 'No proof' });
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
import { NSecSigner } from '@nostrify/nostrify';
|
||||
import { Stickynotes } from '@soapbox/stickynotes';
|
||||
import { nip19 } from 'nostr-tools';
|
||||
|
||||
import { AppMiddleware } from '@/app.ts';
|
||||
import { ConnectSigner } from '@/signers/ConnectSigner.ts';
|
||||
|
||||
const console = new Stickynotes('ditto:signerMiddleware');
|
||||
import { ReadOnlySigner } from '@/signers/ReadOnlySigner.ts';
|
||||
import { HTTPException } from 'hono';
|
||||
import { DittoDB } from '@/db/DittoDB.ts';
|
||||
|
||||
/** We only accept "Bearer" type. */
|
||||
const BEARER_REGEX = new RegExp(`^Bearer (${nip19.BECH32_REGEX.source})$`);
|
||||
|
@ -18,22 +18,38 @@ export const signerMiddleware: AppMiddleware = async (c, next) => {
|
|||
if (match) {
|
||||
const [_, bech32] = match;
|
||||
|
||||
if (bech32.startsWith('token1')) {
|
||||
try {
|
||||
const kysely = await DittoDB.getInstance();
|
||||
|
||||
const { user_pubkey, server_seckey, relays } = await kysely
|
||||
.selectFrom('nip46_tokens')
|
||||
.select(['user_pubkey', 'server_seckey', 'relays'])
|
||||
.where('api_token', '=', bech32)
|
||||
.executeTakeFirstOrThrow();
|
||||
|
||||
c.set('signer', new ConnectSigner(user_pubkey, new NSecSigner(server_seckey), JSON.parse(relays)));
|
||||
} catch {
|
||||
throw new HTTPException(401);
|
||||
}
|
||||
} else {
|
||||
try {
|
||||
const decoded = nip19.decode(bech32!);
|
||||
|
||||
switch (decoded.type) {
|
||||
case 'npub':
|
||||
c.set('signer', new ConnectSigner(decoded.data));
|
||||
c.set('signer', new ReadOnlySigner(decoded.data));
|
||||
break;
|
||||
case 'nprofile':
|
||||
c.set('signer', new ConnectSigner(decoded.data.pubkey, decoded.data.relays));
|
||||
c.set('signer', new ReadOnlySigner(decoded.data.pubkey));
|
||||
break;
|
||||
case 'nsec':
|
||||
c.set('signer', new NSecSigner(decoded.data));
|
||||
break;
|
||||
}
|
||||
} catch {
|
||||
console.debug('The user is not logged in');
|
||||
throw new HTTPException(401);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
// deno-lint-ignore-file require-await
|
||||
import { NConnectSigner, NostrEvent, NostrSigner } from '@nostrify/nostrify';
|
||||
|
||||
import { AdminSigner } from '@/signers/AdminSigner.ts';
|
||||
import { Storages } from '@/storages.ts';
|
||||
|
||||
/**
|
||||
|
@ -12,17 +11,17 @@ import { Storages } from '@/storages.ts';
|
|||
export class ConnectSigner implements NostrSigner {
|
||||
private signer: Promise<NConnectSigner>;
|
||||
|
||||
constructor(private pubkey: string, private relays?: string[]) {
|
||||
this.signer = this.init();
|
||||
constructor(private pubkey: string, signer: NostrSigner, private relays?: string[]) {
|
||||
this.signer = this.init(signer);
|
||||
}
|
||||
|
||||
async init(): Promise<NConnectSigner> {
|
||||
async init(signer: NostrSigner): Promise<NConnectSigner> {
|
||||
return new NConnectSigner({
|
||||
pubkey: this.pubkey,
|
||||
// TODO: use a remote relay for `nprofile` signing (if present and `Conf.relay` isn't already in the list)
|
||||
relay: await Storages.pubsub(),
|
||||
signer: new AdminSigner(),
|
||||
timeout: 60000,
|
||||
signer,
|
||||
timeout: 60_000,
|
||||
});
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
// deno-lint-ignore-file require-await
|
||||
import { NostrEvent, NostrSigner } from '@nostrify/nostrify';
|
||||
import { HTTPException } from 'hono';
|
||||
|
||||
export class ReadOnlySigner implements NostrSigner {
|
||||
constructor(private pubkey: string) {}
|
||||
|
||||
async signEvent(): Promise<NostrEvent> {
|
||||
throw new HTTPException(401, {
|
||||
message: 'Log out and back in',
|
||||
});
|
||||
}
|
||||
|
||||
async getPublicKey(): Promise<string> {
|
||||
return this.pubkey;
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue