diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a80d993..69fbb6a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -14,10 +14,6 @@ lint: stage: test script: deno lint -check: - stage: test - script: deno task check - test: stage: test script: deno task test \ No newline at end of file diff --git a/public/.gitignore b/public/.gitignore new file mode 100644 index 0000000..c96a04f --- /dev/null +++ b/public/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore \ No newline at end of file diff --git a/src/app.ts b/src/app.ts index 7d9750a..d78c259 100644 --- a/src/app.ts +++ b/src/app.ts @@ -8,6 +8,7 @@ import { type HonoEnv, logger, type MiddlewareHandler, + serveStatic, } from '@/deps.ts'; import '@/firehose.ts'; @@ -27,7 +28,7 @@ import { verifyCredentialsController, } from './controllers/api/accounts.ts'; import { appCredentialsController, createAppController } from './controllers/api/apps.ts'; -import { emptyArrayController, emptyObjectController } from './controllers/api/fallback.ts'; +import { emptyArrayController, emptyObjectController, notImplementedController } from './controllers/api/fallback.ts'; import { instanceController } from './controllers/api/instance.ts'; import { mediaController } from './controllers/api/media.ts'; import { notificationsController } from './controllers/api/notifications.ts'; @@ -57,7 +58,8 @@ import { nodeInfoController, nodeInfoSchemaController } from './controllers/well import { nostrController } from './controllers/well-known/nostr.ts'; import { webfingerController } from './controllers/well-known/webfinger.ts'; import { auth19, requirePubkey } from './middleware/auth19.ts'; -import { auth98, requireRole } from './middleware/auth98.ts'; +import { auth98, requireProof, requireRole } from './middleware/auth98.ts'; +import { csp } from './middleware/csp.ts'; interface AppEnv extends HonoEnv { Variables: { @@ -82,7 +84,7 @@ app.get('/api/v1/streaming', streamingController); app.get('/api/v1/streaming/', streamingController); app.get('/relay', relayController); -app.use('*', cors({ origin: '*', exposeHeaders: ['link'] }), auth19, auth98()); +app.use('*', csp(), cors({ origin: '*', exposeHeaders: ['link'] }), auth19, auth98()); app.get('/.well-known/webfinger', webfingerController); app.get('/.well-known/host-meta', hostMetaController); @@ -103,7 +105,7 @@ app.post('/oauth/revoke', emptyObjectController); app.post('/oauth/authorize', oauthAuthorizeController); app.get('/oauth/authorize', oauthController); -app.post('/api/v1/acccounts', createAccountController); +app.post('/api/v1/accounts', requireProof(), createAccountController); app.get('/api/v1/accounts/verify_credentials', requirePubkey, verifyCredentialsController); app.patch('/api/v1/accounts/update_credentials', requirePubkey, updateCredentialsController); app.get('/api/v1/accounts/search', accountSearchController); @@ -146,7 +148,6 @@ app.post('/api/v1/pleroma/admin/config', requireRole('admin'), updateConfigContr // Not (yet) implemented. app.get('/api/v1/bookmarks', emptyArrayController); app.get('/api/v1/custom_emojis', emptyArrayController); -app.get('/api/v1/accounts/search', emptyArrayController); app.get('/api/v1/filters', emptyArrayController); app.get('/api/v1/blocks', emptyArrayController); app.get('/api/v1/mutes', emptyArrayController); @@ -155,6 +156,11 @@ app.get('/api/v1/markers', emptyObjectController); app.get('/api/v1/conversations', emptyArrayController); app.get('/api/v1/lists', emptyArrayController); +app.use('/api/*', notImplementedController); + +app.get('*', serveStatic({ root: './public/' })); +app.get('*', serveStatic({ path: './public/index.html' })); + app.get('/', indexController); export default app; diff --git a/src/config.ts b/src/config.ts index c92ad05..ba36898 100644 --- a/src/config.ts +++ b/src/config.ts @@ -115,6 +115,27 @@ const Conf = { get maxUploadSize() { return Number(Deno.env.get('MAX_UPLOAD_SIZE') || 100 * 1024 * 1024); }, + /** Usernames that regular users cannot sign up with. */ + get forbiddenUsernames() { + return Deno.env.get('FORBIDDEN_USERNAMES')?.split(',') || [ + '_', + 'admin', + 'administrator', + 'root', + 'sysadmin', + 'system', + ]; + }, + /** Whether registrations are open or closed. */ + get registrations() { + return optionalBooleanSchema.parse(Deno.env.get('DITTO_REGISTRATIONS')) ?? false; + }, + /** Proof-of-work configuration. */ + pow: { + get registrations() { + return Number(Deno.env.get('DITTO_POW_REGISTRATIONS') ?? 20); + }, + }, /** Domain of the Ditto server as a `URL` object, for easily grabbing the `hostname`, etc. */ get url() { return new URL(Conf.localDomain); diff --git a/src/controllers/api/accounts.ts b/src/controllers/api/accounts.ts index 1147c6c..211eb77 100644 --- a/src/controllers/api/accounts.ts +++ b/src/controllers/api/accounts.ts @@ -1,17 +1,55 @@ import { type AppController } from '@/app.ts'; -import { type Filter, findReplyTag, z } from '@/deps.ts'; +import { Conf } from '@/config.ts'; +import { type Filter, findReplyTag, nip19, z } from '@/deps.ts'; import * as mixer from '@/mixer.ts'; import { getAuthor, getFollowedPubkeys, getFollows, syncUser } from '@/queries.ts'; import { booleanParamSchema, fileSchema } from '@/schema.ts'; import { jsonMetaContentSchema } from '@/schemas/nostr.ts'; -import { toAccount, toRelationship, toStatus } from '@/transformers/nostr-to-mastoapi.ts'; -import { isFollowing, lookupAccount, Time } from '@/utils.ts'; +import { accountFromPubkey, toAccount, toRelationship, toStatus } from '@/transformers/nostr-to-mastoapi.ts'; +import { isFollowing, lookupAccount, nostrNow, Time } from '@/utils.ts'; import { paginated, paginationSchema, parseBody } from '@/utils/web.ts'; import { createEvent } from '@/utils/web.ts'; import { renderEventAccounts } from '@/views.ts'; +import { insertUser } from '@/db/users.ts'; -const createAccountController: AppController = (c) => { - return c.json({ error: 'Please log in with Nostr.' }, 405); +const usernameSchema = z + .string().min(1).max(30) + .regex(/^[a-z0-9_]+$/i) + .refine((username) => !Conf.forbiddenUsernames.includes(username), 'Username is reserved.'); + +const createAccountSchema = z.object({ + username: usernameSchema, +}); + +const createAccountController: AppController = async (c) => { + if (!Conf.registrations) { + return c.json({ error: 'Registrations are disabled.' }, 403); + } + + const pubkey = c.get('pubkey')!; + const result = createAccountSchema.safeParse(await c.req.json()); + + if (!result.success) { + return c.json({ error: 'Bad request', schema: result.error }, 400); + } + + try { + await insertUser({ + pubkey, + username: result.data.username, + inserted_at: new Date(), + admin: 0, + }); + + return c.json({ + access_token: nip19.npubEncode(pubkey), + token_type: 'Bearer', + scope: 'read write follow push', + created_at: nostrNow(), + }); + } catch (_e) { + return c.json({ error: 'Username already taken.' }, 422); + } }; const verifyCredentialsController: AppController = async (c) => { @@ -22,9 +60,9 @@ const verifyCredentialsController: AppController = async (c) => { const event = await getAuthor(pubkey); if (event) { return c.json(await toAccount(event, { withSource: true })); + } else { + return c.json(await accountFromPubkey(pubkey, { withSource: true })); } - - return c.json({ error: 'Could not find user.' }, 404); }; const accountController: AppController = async (c) => { diff --git a/src/controllers/api/fallback.ts b/src/controllers/api/fallback.ts index c57de7a..b46460e 100644 --- a/src/controllers/api/fallback.ts +++ b/src/controllers/api/fallback.ts @@ -2,5 +2,6 @@ import type { Context } from '@/deps.ts'; const emptyArrayController = (c: Context) => c.json([]); const emptyObjectController = (c: Context) => c.json({}); +const notImplementedController = (c: Context) => Promise.resolve(c.json({ error: 'Not implemented' }, 404)); -export { emptyArrayController, emptyObjectController }; +export { emptyArrayController, emptyObjectController, notImplementedController }; diff --git a/src/controllers/api/instance.ts b/src/controllers/api/instance.ts index b30c753..10b359b 100644 --- a/src/controllers/api/instance.ts +++ b/src/controllers/api/instance.ts @@ -12,7 +12,7 @@ const instanceController: AppController = (c) => { title: 'Ditto', description: 'An efficient and flexible social media server.', short_description: 'An efficient and flexible social media server.', - registrations: false, + registrations: Conf.registrations, max_toot_chars: Conf.postCharLimit, configuration: { media_attachments: { @@ -53,6 +53,9 @@ const instanceController: AppController = (c) => { nostr: { pubkey: Conf.pubkey, relay: `${wsProtocol}//${host}/relay`, + pow: { + registrations: Conf.pow.registrations, + }, }, rules: [], }); diff --git a/src/deps.ts b/src/deps.ts index 727bba1..35b4763 100644 --- a/src/deps.ts +++ b/src/deps.ts @@ -7,7 +7,7 @@ export { HTTPException, type MiddlewareHandler, } from 'https://deno.land/x/hono@v3.3.4/mod.ts'; -export { cors, logger } from 'https://deno.land/x/hono@v3.3.4/middleware.ts'; +export { cors, logger, serveStatic } from 'https://deno.land/x/hono@v3.3.4/middleware.ts'; export { z } from 'https://deno.land/x/zod@v3.21.4/mod.ts'; export { Author, RelayPool } from 'https://dev.jspm.io/nostr-relaypool@0.6.28'; export { @@ -21,8 +21,10 @@ export { matchFilters, nip04, nip05, + nip13, nip19, nip21, + type UnsignedEvent, verifySignature, } from 'npm:nostr-tools@^1.14.0'; export { findReplyTag } from 'https://gitlab.com/soapbox-pub/mostr/-/raw/c67064aee5ade5e01597c6d23e22e53c628ef0e2/src/nostr/tags.ts'; diff --git a/src/middleware/auth19.ts b/src/middleware/auth19.ts index f92f678..fec79ad 100644 --- a/src/middleware/auth19.ts +++ b/src/middleware/auth19.ts @@ -38,7 +38,7 @@ const auth19: AppMiddleware = async (c, next) => { /** Throw a 401 if the pubkey isn't set. */ const requirePubkey: AppMiddleware = async (c, next) => { if (!c.get('pubkey')) { - throw new HTTPException(401); + throw new HTTPException(401, { message: 'No pubkey provided' }); } await next(); diff --git a/src/middleware/auth98.ts b/src/middleware/auth98.ts index be97320..20787fe 100644 --- a/src/middleware/auth98.ts +++ b/src/middleware/auth98.ts @@ -1,5 +1,5 @@ import { type AppContext, type AppMiddleware } from '@/app.ts'; -import { HTTPException } from '@/deps.ts'; +import { type Event, HTTPException } from '@/deps.ts'; import { buildAuthEventTemplate, parseAuthRequest, @@ -32,19 +32,22 @@ type UserRole = 'user' | 'admin'; /** Require the user to prove their role before invoking the controller. */ function requireRole(role: UserRole, opts?: ParseAuthRequestOpts): AppMiddleware { - return async (c, next) => { - const header = c.req.headers.get('x-nostr-sign'); - const proof = c.get('proof') || header ? await obtainProof(c, opts) : undefined; - const user = proof ? await findUser({ pubkey: proof.pubkey }) : undefined; + return withProof(async (_c, proof, next) => { + const user = await findUser({ pubkey: proof.pubkey }); - if (proof && user && matchesRole(user, role)) { - c.set('pubkey', proof.pubkey); - c.set('proof', proof); + if (user && matchesRole(user, role)) { await next(); } else { throw new HTTPException(401); } - }; + }, opts); +} + +/** Require the user to demonstrate they own the pubkey by signing an event. */ +function requireProof(opts?: ParseAuthRequestOpts): AppMiddleware { + return withProof(async (_c, _proof, next) => { + await next(); + }, opts); } /** Check whether the user fulfills the role. */ @@ -59,6 +62,30 @@ function matchesRole(user: User, role: UserRole): boolean { } } +/** HOC to obtain proof in middleware. */ +function withProof( + handler: (c: AppContext, proof: Event<27235>, next: () => Promise) => Promise, + opts?: ParseAuthRequestOpts, +): AppMiddleware { + return async (c, next) => { + const pubkey = c.get('pubkey'); + const proof = c.get('proof') || await obtainProof(c, opts); + + // Prevent people from accidentally using the wrong account. This has no other security implications. + if (proof && pubkey && pubkey !== proof.pubkey) { + throw new HTTPException(401, { message: 'Pubkey mismatch' }); + } + + if (proof) { + c.set('pubkey', proof.pubkey); + c.set('proof', proof); + await handler(c, proof, next); + } else { + throw new HTTPException(401, { message: 'No proof' }); + } + }; +} + /** Get the proof over Nostr Connect. */ async function obtainProof(c: AppContext, opts?: ParseAuthRequestOpts) { const req = localRequest(c); @@ -71,4 +98,4 @@ async function obtainProof(c: AppContext, opts?: ParseAuthRequestOpts) { } } -export { auth98, requireRole }; +export { auth98, requireProof, requireRole }; diff --git a/src/middleware/csp.ts b/src/middleware/csp.ts new file mode 100644 index 0000000..f97fc9a --- /dev/null +++ b/src/middleware/csp.ts @@ -0,0 +1,30 @@ +import { AppMiddleware } from '@/app.ts'; +import { Conf } from '@/config.ts'; + +const csp = (): AppMiddleware => { + return async (c, next) => { + const { host, protocol } = Conf.url; + const wsProtocol = protocol === 'http:' ? 'ws:' : 'wss:'; + + const policies = [ + 'upgrade-insecure-requests', + `script-src 'self'`, + `connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`, + `media-src 'self' ${Conf.mediaDomain}`, + `img-src 'self' data: blob: ${Conf.mediaDomain}`, + `default-src 'none'`, + `base-uri 'self'`, + `frame-ancestors 'none'`, + `style-src 'self' 'unsafe-inline'`, + `font-src 'self'`, + `manifest-src 'self'`, + `frame-src 'self' https:`, + ]; + + c.res.headers.set('content-security-policy', policies.join('; ')); + + await next(); + }; +}; + +export { csp }; diff --git a/src/sign.ts b/src/sign.ts index a97478a..14c192f 100644 --- a/src/sign.ts +++ b/src/sign.ts @@ -36,7 +36,7 @@ async function signNostrConnect(event: EventTemplate< const pubkey = c.get('pubkey'); if (!pubkey) { - throw new HTTPException(401); + throw new HTTPException(401, { message: 'Missing pubkey' }); } const messageId = crypto.randomUUID(); diff --git a/src/transformers/nostr-to-mastoapi.ts b/src/transformers/nostr-to-mastoapi.ts index 5fc02a8..b827df3 100644 --- a/src/transformers/nostr-to-mastoapi.ts +++ b/src/transformers/nostr-to-mastoapi.ts @@ -2,12 +2,12 @@ import { isCWTag } from 'https://gitlab.com/soapbox-pub/mostr/-/raw/c67064aee5ad import { Conf } from '@/config.ts'; import * as eventsDB from '@/db/events.ts'; -import { type Event, findReplyTag, lodash, nip19, sanitizeHtml, TTLCache, unfurl } from '@/deps.ts'; +import { type Event, findReplyTag, lodash, nip19, sanitizeHtml, TTLCache, unfurl, type UnsignedEvent } from '@/deps.ts'; import { getMediaLinks, parseNoteContent } from '@/note.ts'; import { getAuthor, getFollowedPubkeys, getFollows } from '@/queries.ts'; import { emojiTagSchema, filteredArray } from '@/schema.ts'; import { jsonMediaDataSchema, jsonMetaContentSchema } from '@/schemas/nostr.ts'; -import { isFollowing, type Nip05, nostrDate, parseNip05, Time } from '@/utils.ts'; +import { isFollowing, type Nip05, nostrDate, nostrNow, parseNip05, Time } from '@/utils.ts'; import { verifyNip05Cached } from '@/utils/nip05.ts'; import { findUser } from '@/db/users.ts'; import { DittoAttachment, renderAttachment } from '@/views/attachment.ts'; @@ -19,7 +19,7 @@ interface ToAccountOpts { withSource?: boolean; } -async function toAccount(event: Event<0>, opts: ToAccountOpts = {}) { +async function toAccount(event: UnsignedEvent<0>, opts: ToAccountOpts = {}) { const { withSource = false } = opts; const { pubkey } = event; @@ -75,6 +75,18 @@ async function toAccount(event: Event<0>, opts: ToAccountOpts = {}) { }; } +function accountFromPubkey(pubkey: string, opts: ToAccountOpts = {}) { + const event: UnsignedEvent<0> = { + kind: 0, + pubkey, + content: '', + tags: [], + created_at: nostrNow(), + }; + + return toAccount(event, opts); +} + async function parseAndVerifyNip05(nip05: string | undefined, pubkey: string): Promise { if (nip05 && await verifyNip05Cached(nip05, pubkey)) { return parseNip05(nip05); @@ -105,8 +117,7 @@ async function toMention(pubkey: string) { async function toStatus(event: Event<1>, viewerPubkey?: string) { const profile = await getAuthor(event.pubkey); - const account = profile ? await toAccount(profile) : undefined; - if (!account) return; + const account = profile ? await toAccount(profile) : await accountFromPubkey(event.pubkey); const replyTag = findReplyTag(event); @@ -257,7 +268,7 @@ function unfurlCardCached(url: string): Promise { return card; } -function toEmojis(event: Event) { +function toEmojis(event: UnsignedEvent) { const emojiTags = event.tags.filter((tag) => tag[0] === 'emoji'); return filteredArray(emojiTagSchema).parse(emojiTags) @@ -310,4 +321,4 @@ async function toNotificationMention(event: Event<1>, viewerPubkey?: string) { }; } -export { toAccount, toNotification, toRelationship, toStatus }; +export { accountFromPubkey, toAccount, toNotification, toRelationship, toStatus }; diff --git a/src/utils/nip98.ts b/src/utils/nip98.ts index 5606d8b..facc9af 100644 --- a/src/utils/nip98.ts +++ b/src/utils/nip98.ts @@ -1,4 +1,4 @@ -import { type Event, type EventTemplate } from '@/deps.ts'; +import { type Event, type EventTemplate, nip13 } from '@/deps.ts'; import { decode64Schema, jsonSchema } from '@/schema.ts'; import { signedEventSchema } from '@/schemas/nostr.ts'; import { eventAge, findTag, nostrNow, sha256 } from '@/utils.ts'; @@ -12,6 +12,8 @@ interface ParseAuthRequestOpts { maxAge?: number; /** Whether to validate the request body of the request with the payload of the auth event. (default: `true`) */ validatePayload?: boolean; + /** Difficulty of the proof of work. (default: `0`) */ + pow?: number; } /** Parse the auth event from a Request, returning a zod SafeParse type. */ @@ -27,13 +29,14 @@ async function parseAuthRequest(req: Request, opts: ParseAuthRequestOpts = {}) { /** Compare the auth event with the request, returning a zod SafeParse type. */ function validateAuthEvent(req: Request, event: Event, opts: ParseAuthRequestOpts = {}) { - const { maxAge = Time.minutes(1), validatePayload = true } = opts; + const { maxAge = Time.minutes(1), validatePayload = true, pow = 0 } = opts; const schema = signedEventSchema .refine((event): event is Event<27235> => event.kind === 27235, 'Event must be kind 27235') .refine((event) => eventAge(event) < maxAge, 'Event expired') .refine((event) => tagValue(event, 'method') === req.method, 'Event method does not match HTTP request method') .refine((event) => tagValue(event, 'u') === req.url, 'Event URL does not match request URL') + .refine((event) => pow ? nip13.getPow(event.id) >= pow : true, 'Insufficient proof of work') .refine(validateBody, 'Event payload does not match request body'); function validateBody(event: Event<27235>) {