Merge branch 'admin' into 'develop'

Let users be admins

See merge request soapbox-pub/ditto!33
This commit is contained in:
Alex Gleason 2023-09-03 18:14:36 +00:00
commit 2f645920f5
No known key found for this signature in database
12 changed files with 168 additions and 91 deletions

View File

@ -72,14 +72,15 @@ const Conf = {
},
/** Merges the path with the localDomain. */
local(path: string): string {
if (path.startsWith('/')) {
// Path is a path.
return new URL(path, Conf.localDomain).toString();
} else {
// Path is possibly a full URL. Replace the domain.
const { pathname } = new URL(path);
return new URL(pathname, Conf.localDomain).toString();
const url = new URL(path.startsWith('/') ? path : new URL(path).pathname, Conf.localDomain);
if (!path.startsWith('/')) {
// Copy query parameters from the original URL to the new URL
const originalUrl = new URL(path);
url.search = originalUrl.search;
}
return url.toString();
},
};

View File

@ -2,11 +2,11 @@ import { AppController } from '@/app.ts';
import * as eventsDB from '@/db/events.ts';
import { type Event, type Filter, nip19, z } from '@/deps.ts';
import * as mixer from '@/mixer.ts';
import { lookupNip05Cached } from '@/nip05.ts';
import { booleanParamSchema } from '@/schema.ts';
import { nostrIdSchema } from '@/schemas/nostr.ts';
import { toAccount, toStatus } from '@/transformers/nostr-to-mastoapi.ts';
import { dedupeEvents, Time } from '@/utils.ts';
import { lookupNip05Cached } from '@/utils/nip05.ts';
/** Matches NIP-05 names with or without an @ in front. */
const ACCT_REGEX = /^@?(?:([\w.+-]+)@)?([\w.-]+)$/;

View File

@ -39,6 +39,7 @@ interface UserRow {
pubkey: string;
username: string;
inserted_at: Date;
admin: boolean;
}
interface RelayRow {

View File

@ -0,0 +1,12 @@
import { Kysely } from '@/deps.ts';
export async function up(db: Kysely<any>): Promise<void> {
await db.schema
.alterTable('users')
.addColumn('admin', 'boolean', (col) => col.defaultTo(false))
.execute();
}
export async function down(db: Kysely<any>): Promise<void> {
await db.schema.dropTable('relays').execute();
}

View File

@ -1,69 +1,48 @@
import { type AppMiddleware } from '@/app.ts';
import { Conf } from '@/config.ts';
import { type Event, HTTPException } from '@/deps.ts';
import { decode64Schema, jsonSchema } from '@/schema.ts';
import { signedEventSchema } from '@/schemas/nostr.ts';
import { eventAge, findTag, sha256, Time } from '@/utils.ts';
const decodeEventSchema = decode64Schema.pipe(jsonSchema).pipe(signedEventSchema);
interface Auth98Opts {
timeout?: number;
}
import { type AppContext, type AppMiddleware } from '@/app.ts';
import { HTTPException } from '@/deps.ts';
import { buildAuthEventTemplate, parseAuthRequest, type ParseAuthRequestOpts } from '@/utils/nip98.ts';
import { localRequest } from '@/utils/web.ts';
import { signNostrConnect } from '@/sign.ts';
import { findUser } from '@/db/users.ts';
/**
* NIP-98 auth.
* https://github.com/nostr-protocol/nips/blob/master/98.md
*/
function auth98(opts: Auth98Opts = {}): AppMiddleware {
function auth98(opts: ParseAuthRequestOpts = {}): AppMiddleware {
return async (c, next) => {
const authHeader = c.req.headers.get('authorization');
const base64 = authHeader?.match(/^Nostr (.+)$/)?.[1];
const { timeout = Time.minutes(1) } = opts;
const schema = decodeEventSchema
.refine((event) => event.kind === 27235)
.refine((event) => eventAge(event) < timeout)
.refine((event) => findTag(event.tags, 'method')?.[1] === c.req.method)
.refine((event) => {
const url = findTag(event.tags, 'u')?.[1];
try {
return url === Conf.local(c.req.url);
} catch (_e) {
return false;
}
})
.refine(async (event) => {
const body = await c.req.raw.clone().text();
if (!body) return true;
const hash = findTag(event.tags, 'payload')?.[1];
return hash === await sha256(body);
});
const result = await schema.safeParseAsync(base64);
const req = localRequest(c);
const result = await parseAuthRequest(req, opts);
if (result.success) {
c.set('pubkey', result.data.pubkey);
c.set('proof', result.data as Event<27235>);
c.set('proof', result.data);
}
await next();
};
}
const requireProof: AppMiddleware = async (c, next) => {
const pubkey = c.get('pubkey');
const proof = c.get('proof');
/** Require the user to prove they're an admin before invoking the controller. */
const requireAdmin: AppMiddleware = async (c, next) => {
const header = c.req.headers.get('x-nostr-sign');
const proof = c.get('proof') || header ? await obtainProof(c) : undefined;
const user = proof ? await findUser({ pubkey: proof.pubkey }) : undefined;
// if (!proof && hasWebsocket(c.req)) {
// // TODO: attempt to sign nip98 event through websocket
// }
if (!pubkey || !proof || proof.pubkey !== pubkey) {
if (proof && user?.admin) {
c.set('pubkey', proof.pubkey);
c.set('proof', proof);
await next();
} else {
throw new HTTPException(401);
}
await next();
};
export { auth98, requireProof };
/** Get the proof over Nostr Connect. */
async function obtainProof(c: AppContext) {
const req = localRequest(c);
const event = await buildAuthEventTemplate(req);
return signNostrConnect(event, c);
}
export { auth98, requireAdmin };

View File

@ -1,4 +1,4 @@
import { verifySignature, z } from '@/deps.ts';
import { getEventHash, verifySignature, z } from '@/deps.ts';
import { jsonSchema, safeUrlSchema } from '../schema.ts';
@ -19,7 +19,9 @@ const eventSchema = z.object({
});
/** Nostr event schema that also verifies the event's signature. */
const signedEventSchema = eventSchema.refine(verifySignature);
const signedEventSchema = eventSchema
.refine((event) => event.id === getEventHash(event), 'Event ID does not match hash')
.refine(verifySignature, 'Event signature is invalid');
/** Nostr relay filter schema. */
const filterSchema = z.object({

View File

@ -5,14 +5,14 @@ import { type Event, type EventTemplate, finishEvent, HTTPException } from '@/de
import { connectResponseSchema } from '@/schemas/nostr.ts';
import { jsonSchema } from '@/schema.ts';
import { Sub } from '@/subs.ts';
import { Time } from '@/utils.ts';
import { eventMatchesTemplate, Time } from '@/utils.ts';
import { createAdminEvent } from '@/utils/web.ts';
/**
* Sign Nostr event using the app context.
*
* - If a secret key is provided, it will be used to sign the event.
* - If `X-Nostr-Sign` is passed, it will use a NIP-46 to sign the event.
* - If `X-Nostr-Sign` is passed, it will use NIP-46 to sign the event.
*/
async function signEvent<K extends number = number>(event: EventTemplate<K>, c: AppContext): Promise<Event<K>> {
const seckey = c.get('seckey');
@ -54,13 +54,14 @@ async function signNostrConnect<K extends number = number>(event: EventTemplate<
tags: [['p', pubkey]],
}, c);
return awaitSignedEvent<K>(pubkey, messageId, c);
return awaitSignedEvent<K>(pubkey, messageId, event, c);
}
/** Wait for signed event to be sent through Nostr relay. */
function awaitSignedEvent<K extends number = number>(
async function awaitSignedEvent<K extends number = number>(
pubkey: string,
messageId: string,
template: EventTemplate<K>,
c: AppContext,
): Promise<Event<K>> {
const sub = Sub.sub(messageId, '1', [{ kinds: [24133], authors: [pubkey], '#p': [Conf.pubkey] }]);
@ -69,30 +70,26 @@ function awaitSignedEvent<K extends number = number>(
Sub.close(messageId);
}
return new Promise((resolve, reject) => {
const timeout = setTimeout(() => {
close();
reject(
new HTTPException(408, {
res: c.json({ id: 'ditto.timeout', error: 'Signing timeout' }),
}),
);
}, Time.minutes(1));
const timeout = setTimeout(close, Time.minutes(1));
(async () => {
for await (const event of sub) {
if (event.kind === 24133) {
const decrypted = await decryptAdmin(event.pubkey, event.content);
const msg = jsonSchema.pipe(connectResponseSchema).parse(decrypted);
if (msg.id === messageId) {
const result = jsonSchema
.pipe(connectResponseSchema)
.refine((msg) => msg.id === messageId, 'Message ID mismatch')
.refine((msg) => eventMatchesTemplate(msg.result, template), 'Event template mismatch')
.safeParse(decrypted);
if (result.success) {
close();
clearTimeout(timeout);
resolve(msg.result as Event<K>);
return result.data.result as Event<K>;
}
}
}
})();
throw new HTTPException(408, {
res: c.json({ id: 'ditto.timeout', error: 'Signing timeout' }),
});
}
@ -102,4 +99,4 @@ async function signAdminEvent<K extends number = number>(event: EventTemplate<K>
return finishEvent(event, Conf.seckey);
}
export { signAdminEvent, signEvent };
export { signAdminEvent, signEvent, signNostrConnect };

View File

@ -3,12 +3,12 @@ import { isCWTag } from 'https://gitlab.com/soapbox-pub/mostr/-/raw/c67064aee5ad
import { Conf } from '@/config.ts';
import * as eventsDB from '@/db/events.ts';
import { type Event, findReplyTag, lodash, nip19, sanitizeHtml, TTLCache, unfurl, z } from '@/deps.ts';
import { verifyNip05Cached } from '@/nip05.ts';
import { getMediaLinks, type MediaLink, parseNoteContent } from '@/note.ts';
import { getAuthor, getFollowedPubkeys, getFollows } from '@/queries.ts';
import { emojiTagSchema, filteredArray } from '@/schema.ts';
import { jsonMetaContentSchema } from '@/schemas/nostr.ts';
import { isFollowing, type Nip05, nostrDate, parseNip05, Time } from '@/utils.ts';
import { verifyNip05Cached } from '@/utils/nip05.ts';
const DEFAULT_AVATAR = 'https://gleasonator.com/images/avi.png';
const DEFAULT_BANNER = 'https://gleasonator.com/images/banner.png';

View File

@ -1,6 +1,6 @@
import { type Event, nip19, z } from '@/deps.ts';
import { lookupNip05Cached } from '@/nip05.ts';
import { type Event, type EventTemplate, getEventHash, nip19, z } from '@/deps.ts';
import { getAuthor } from '@/queries.ts';
import { lookupNip05Cached } from '@/utils/nip05.ts';
/** Get the current time in Nostr format. */
const nostrNow = (): number => Math.floor(Date.now() / 1000);
@ -67,7 +67,7 @@ async function lookupAccount(value: string): Promise<Event<0> | undefined> {
/** Return the event's age in milliseconds. */
function eventAge(event: Event): number {
return new Date().getTime() - nostrDate(event.created_at).getTime();
return Date.now() - nostrDate(event.created_at).getTime();
}
function findTag(tags: string[][], name: string): string[] | undefined {
@ -106,11 +106,17 @@ function dedupeEvents<K extends number>(events: Event<K>[]): Event<K>[] {
return [...new Map(events.map((event) => [event.id, event])).values()];
}
/** Ensure the template and event match on their shared keys. */
function eventMatchesTemplate(event: Event, template: EventTemplate): boolean {
return getEventHash(event) === getEventHash({ pubkey: event.pubkey, ...template });
}
export {
bech32ToPubkey,
dedupeEvents,
eventAge,
eventDateComparator,
eventMatchesTemplate,
findTag,
isFollowing,
isRelay,

63
src/utils/nip98.ts Normal file
View File

@ -0,0 +1,63 @@
import { type Event, type EventTemplate } from '@/deps.ts';
import { decode64Schema, jsonSchema } from '@/schema.ts';
import { signedEventSchema } from '@/schemas/nostr.ts';
import { eventAge, findTag, nostrNow, sha256 } from '@/utils.ts';
import { Time } from '@/utils/time.ts';
/** Decode a Nostr event from a base64 encoded string. */
const decode64EventSchema = decode64Schema.pipe(jsonSchema).pipe(signedEventSchema);
interface ParseAuthRequestOpts {
/** Max event age (in ms). */
maxAge?: number;
/** Whether to validate the request body of the request with the payload of the auth event. (default: `true`) */
validatePayload?: boolean;
}
/** Parse the auth event from a Request, returning a zod SafeParse type. */
function parseAuthRequest(req: Request, opts: ParseAuthRequestOpts = {}) {
const { maxAge = Time.minutes(1), validatePayload = true } = opts;
const header = req.headers.get('authorization');
const base64 = header?.match(/^Nostr (.+)$/)?.[1];
const schema = decode64EventSchema
.refine((event): event is Event<27235> => event.kind === 27235, 'Event must be kind 27235')
.refine((event) => eventAge(event) < maxAge, 'Event expired')
.refine((event) => tagValue(event, 'method') === req.method, 'Event method does not match HTTP request method')
.refine((event) => tagValue(event, 'u') === req.url, 'Event URL does not match request URL')
.refine(validateBody, 'Event payload does not match request body');
function validateBody(event: Event<27235>) {
if (!validatePayload) return true;
return req.clone().text()
.then(sha256)
.then((hash) => hash === tagValue(event, 'payload'));
}
return schema.safeParseAsync(base64);
}
/** Create an auth EventTemplate from a Request. */
async function buildAuthEventTemplate(req: Request): Promise<EventTemplate<27235>> {
const { method, url } = req;
const payload = await req.clone().text().then(sha256);
return {
kind: 27235,
content: '',
tags: [
['method', method],
['u', url],
['payload', payload],
],
created_at: nostrNow(),
};
}
/** Get the value for the first matching tag name in the event. */
function tagValue(event: Event, tagName: string): string | undefined {
return findTag(event.tags, tagName)?.[1];
}
export { buildAuthEventTemplate, parseAuthRequest, type ParseAuthRequestOpts };

View File

@ -123,4 +123,20 @@ function activityJson<T, P extends string>(c: Context<any, P>, object: T) {
return response;
}
export { activityJson, createAdminEvent, createEvent, paginated, type PaginationParams, paginationSchema, parseBody };
/** Rewrite the URL of the request object to use the local domain. */
function localRequest(c: Context): Request {
return Object.create(c.req.raw, {
url: { value: Conf.local(c.req.url) },
});
}
export {
activityJson,
createAdminEvent,
createEvent,
localRequest,
paginated,
type PaginationParams,
paginationSchema,
parseBody,
};