Have OAuth form accept a bunker URI
This commit is contained in:
parent
1aa2bafc44
commit
a6a74a16a8
|
@ -1,15 +1,13 @@
|
||||||
import { NConnectSigner, NSchema as n, NSecSigner } from '@nostrify/nostrify';
|
import { NConnectSigner, NSchema as n, NSecSigner } from '@nostrify/nostrify';
|
||||||
import { bech32 } from '@scure/base';
|
import { bech32 } from '@scure/base';
|
||||||
import { encodeBase64 } from '@std/encoding/base64';
|
|
||||||
import { escape } from 'entities';
|
import { escape } from 'entities';
|
||||||
import { generateSecretKey, getPublicKey, nip19 } from 'nostr-tools';
|
import { generateSecretKey, getPublicKey } from 'nostr-tools';
|
||||||
import { z } from 'zod';
|
import { z } from 'zod';
|
||||||
|
|
||||||
import { AppController } from '@/app.ts';
|
import { AppController } from '@/app.ts';
|
||||||
import { DittoDB } from '@/db/DittoDB.ts';
|
import { DittoDB } from '@/db/DittoDB.ts';
|
||||||
import { nostrNow } from '@/utils.ts';
|
import { nostrNow } from '@/utils.ts';
|
||||||
import { parseBody } from '@/utils/api.ts';
|
import { parseBody } from '@/utils/api.ts';
|
||||||
import { getClientConnectUri } from '@/utils/connect.ts';
|
|
||||||
import { Storages } from '@/storages.ts';
|
import { Storages } from '@/storages.ts';
|
||||||
|
|
||||||
const passwordGrantSchema = z.object({
|
const passwordGrantSchema = z.object({
|
||||||
|
@ -80,7 +78,9 @@ const createTokenController: AppController = async (c) => {
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
async function getToken({ pubkey, secret, relays = [] }: z.infer<typeof nostrGrantSchema>): Promise<`token1${string}`> {
|
async function getToken(
|
||||||
|
{ pubkey, secret, relays = [] }: { pubkey: string; secret?: string; relays?: string[] },
|
||||||
|
): Promise<`token1${string}`> {
|
||||||
const kysely = await DittoDB.getInstance();
|
const kysely = await DittoDB.getInstance();
|
||||||
const token = generateToken();
|
const token = generateToken();
|
||||||
|
|
||||||
|
@ -115,49 +115,26 @@ function generateToken(): `token1${string}` {
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Display the OAuth form. */
|
/** Display the OAuth form. */
|
||||||
const oauthController: AppController = async (c) => {
|
const oauthController: AppController = (c) => {
|
||||||
const encodedUri = c.req.query('redirect_uri');
|
const encodedUri = c.req.query('redirect_uri');
|
||||||
if (!encodedUri) {
|
if (!encodedUri) {
|
||||||
return c.text('Missing `redirect_uri` query param.', 422);
|
return c.text('Missing `redirect_uri` query param.', 422);
|
||||||
}
|
}
|
||||||
|
|
||||||
const redirectUri = maybeDecodeUri(encodedUri);
|
const redirectUri = maybeDecodeUri(encodedUri);
|
||||||
const connectUri = await getClientConnectUri(c.req.raw.signal);
|
|
||||||
|
|
||||||
const script = `
|
|
||||||
window.addEventListener('load', function() {
|
|
||||||
if ('nostr' in window) {
|
|
||||||
nostr.getPublicKey().then(function(pubkey) {
|
|
||||||
document.getElementById('pubkey').value = pubkey;
|
|
||||||
document.getElementById('oauth_form').submit();
|
|
||||||
});
|
|
||||||
}
|
|
||||||
});
|
|
||||||
`;
|
|
||||||
|
|
||||||
const hash = encodeBase64(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(script)));
|
|
||||||
|
|
||||||
c.res.headers.set(
|
|
||||||
'content-security-policy',
|
|
||||||
`default-src 'self' 'sha256-${hash}'`,
|
|
||||||
);
|
|
||||||
|
|
||||||
return c.html(`<!DOCTYPE html>
|
return c.html(`<!DOCTYPE html>
|
||||||
<html lang="en">
|
<html lang="en">
|
||||||
<head>
|
<head>
|
||||||
<title>Log in with Ditto</title>
|
<title>Log in with Ditto</title>
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
|
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
|
||||||
<script>${script}</script>
|
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
<form id="oauth_form" action="/oauth/authorize" method="post">
|
<form id="oauth_form" action="/oauth/authorize" method="post">
|
||||||
<input type="text" placeholder="npub1... or nsec1..." name="nip19" autocomplete="off">
|
<input type="text" placeholder="bunker://..." name="bunker_uri" autocomplete="off" required>
|
||||||
<input type="hidden" name="pubkey" id="pubkey" value="">
|
|
||||||
<input type="hidden" name="redirect_uri" id="redirect_uri" value="${escape(redirectUri)}">
|
<input type="hidden" name="redirect_uri" id="redirect_uri" value="${escape(redirectUri)}">
|
||||||
<button type="submit">Authorize</button>
|
<button type="submit">Authorize</button>
|
||||||
</form>
|
</form>
|
||||||
<br>
|
|
||||||
<a href="${escape(connectUri)}">Nostr Connect</a>
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
`);
|
`);
|
||||||
|
@ -178,16 +155,8 @@ function maybeDecodeUri(uri: string): string {
|
||||||
|
|
||||||
/** Schema for FormData POSTed to the OAuthController. */
|
/** Schema for FormData POSTed to the OAuthController. */
|
||||||
const oauthAuthorizeSchema = z.object({
|
const oauthAuthorizeSchema = z.object({
|
||||||
pubkey: z.string().regex(/^[0-9a-f]{64}$/).optional().catch(undefined),
|
bunker_uri: z.string().url().refine((v) => v.startsWith('bunker://')),
|
||||||
nip19: z.string().regex(new RegExp(`^${nip19.BECH32_REGEX.source}$`)).optional().catch(undefined),
|
|
||||||
redirect_uri: z.string().url(),
|
redirect_uri: z.string().url(),
|
||||||
}).superRefine((data, ctx) => {
|
|
||||||
if (!data.pubkey && !data.nip19) {
|
|
||||||
ctx.addIssue({
|
|
||||||
code: z.ZodIssueCode.custom,
|
|
||||||
message: 'Missing `pubkey` or `nip19`.',
|
|
||||||
});
|
|
||||||
}
|
|
||||||
});
|
});
|
||||||
|
|
||||||
/** Controller the OAuth form is POSTed to. */
|
/** Controller the OAuth form is POSTed to. */
|
||||||
|
@ -200,18 +169,19 @@ const oauthAuthorizeController: AppController = async (c) => {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parsed FormData values.
|
// Parsed FormData values.
|
||||||
const { pubkey, nip19: nip19id, redirect_uri: redirectUri } = result.data;
|
const { bunker_uri, redirect_uri: redirectUri } = result.data;
|
||||||
|
|
||||||
if (pubkey) {
|
const bunker = new URL(bunker_uri);
|
||||||
const encoded = nip19.npubEncode(pubkey!);
|
|
||||||
const url = addCodeToRedirectUri(redirectUri, encoded);
|
|
||||||
return c.redirect(url);
|
|
||||||
} else if (nip19id) {
|
|
||||||
const url = addCodeToRedirectUri(redirectUri, nip19id);
|
|
||||||
return c.redirect(url);
|
|
||||||
}
|
|
||||||
|
|
||||||
return c.text('The Nostr ID was not provided or invalid.', 422);
|
const token = await getToken({
|
||||||
|
pubkey: bunker.hostname,
|
||||||
|
secret: bunker.searchParams.get('secret') || undefined,
|
||||||
|
relays: bunker.searchParams.getAll('relay'),
|
||||||
|
});
|
||||||
|
|
||||||
|
const url = addCodeToRedirectUri(redirectUri, token);
|
||||||
|
|
||||||
|
return c.redirect(url);
|
||||||
};
|
};
|
||||||
|
|
||||||
/** Append the given `code` as a query param to the `redirect_uri`. */
|
/** Append the given `code` as a query param to the `redirect_uri`. */
|
||||||
|
|
Loading…
Reference in New Issue