Merge branch 'registrations' into 'develop'

Enable registrations, require proof-of-work

Closes #6

See merge request soapbox-pub/ditto!39

.gitlab-ci.yml

@@ -14,10 +14,6 @@ lint:
   stage: test
   script: deno lint
 
-check:
-  stage: test
-  script: deno task check
-
 test:
   stage: test
   script: deno task test

public/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

src/app.ts

@@ -8,6 +8,7 @@ import {
   type HonoEnv,
   logger,
   type MiddlewareHandler,
+  serveStatic,
 } from '@/deps.ts';
 import '@/firehose.ts';
 
@@ -27,7 +28,7 @@ import {
   verifyCredentialsController,
 } from './controllers/api/accounts.ts';
 import { appCredentialsController, createAppController } from './controllers/api/apps.ts';
-import { emptyArrayController, emptyObjectController } from './controllers/api/fallback.ts';
+import { emptyArrayController, emptyObjectController, notImplementedController } from './controllers/api/fallback.ts';
 import { instanceController } from './controllers/api/instance.ts';
 import { mediaController } from './controllers/api/media.ts';
 import { notificationsController } from './controllers/api/notifications.ts';
@@ -57,7 +58,8 @@ import { nodeInfoController, nodeInfoSchemaController } from './controllers/well
 import { nostrController } from './controllers/well-known/nostr.ts';
 import { webfingerController } from './controllers/well-known/webfinger.ts';
 import { auth19, requirePubkey } from './middleware/auth19.ts';
-import { auth98, requireRole } from './middleware/auth98.ts';
+import { auth98, requireProof, requireRole } from './middleware/auth98.ts';
+import { csp } from './middleware/csp.ts';
 
 interface AppEnv extends HonoEnv {
   Variables: {
@@ -82,7 +84,7 @@ app.get('/api/v1/streaming', streamingController);
 app.get('/api/v1/streaming/', streamingController);
 app.get('/relay', relayController);
 
-app.use('*', cors({ origin: '*', exposeHeaders: ['link'] }), auth19, auth98());
+app.use('*', csp(), cors({ origin: '*', exposeHeaders: ['link'] }), auth19, auth98());
 
 app.get('/.well-known/webfinger', webfingerController);
 app.get('/.well-known/host-meta', hostMetaController);
@@ -103,7 +105,7 @@ app.post('/oauth/revoke', emptyObjectController);
 app.post('/oauth/authorize', oauthAuthorizeController);
 app.get('/oauth/authorize', oauthController);
 
-app.post('/api/v1/acccounts', createAccountController);
+app.post('/api/v1/accounts', requireProof(), createAccountController);
 app.get('/api/v1/accounts/verify_credentials', requirePubkey, verifyCredentialsController);
 app.patch('/api/v1/accounts/update_credentials', requirePubkey, updateCredentialsController);
 app.get('/api/v1/accounts/search', accountSearchController);
@@ -146,7 +148,6 @@ app.post('/api/v1/pleroma/admin/config', requireRole('admin'), updateConfigContr
 // Not (yet) implemented.
 app.get('/api/v1/bookmarks', emptyArrayController);
 app.get('/api/v1/custom_emojis', emptyArrayController);
-app.get('/api/v1/accounts/search', emptyArrayController);
 app.get('/api/v1/filters', emptyArrayController);
 app.get('/api/v1/blocks', emptyArrayController);
 app.get('/api/v1/mutes', emptyArrayController);
@@ -155,6 +156,11 @@ app.get('/api/v1/markers', emptyObjectController);
 app.get('/api/v1/conversations', emptyArrayController);
 app.get('/api/v1/lists', emptyArrayController);
 
+app.use('/api/*', notImplementedController);
+
+app.get('*', serveStatic({ root: './public/' }));
+app.get('*', serveStatic({ path: './public/index.html' }));
+
 app.get('/', indexController);
 
 export default app;

src/config.ts

@@ -115,6 +115,27 @@ const Conf = {
   get maxUploadSize() {
     return Number(Deno.env.get('MAX_UPLOAD_SIZE') || 100 * 1024 * 1024);
   },
+  /** Usernames that regular users cannot sign up with. */
+  get forbiddenUsernames() {
+    return Deno.env.get('FORBIDDEN_USERNAMES')?.split(',') || [
+      '_',
+      'admin',
+      'administrator',
+      'root',
+      'sysadmin',
+      'system',
+    ];
+  },
+  /** Whether registrations are open or closed. */
+  get registrations() {
+    return optionalBooleanSchema.parse(Deno.env.get('DITTO_REGISTRATIONS')) ?? false;
+  },
+  /** Proof-of-work configuration. */
+  pow: {
+    get registrations() {
+      return Number(Deno.env.get('DITTO_POW_REGISTRATIONS') ?? 20);
+    },
+  },
   /** Domain of the Ditto server as a `URL` object, for easily grabbing the `hostname`, etc. */
   get url() {
     return new URL(Conf.localDomain);

src/controllers/api/accounts.ts

@@ -1,17 +1,55 @@
 import { type AppController } from '@/app.ts';
-import { type Filter, findReplyTag, z } from '@/deps.ts';
+import { Conf } from '@/config.ts';
+import { type Filter, findReplyTag, nip19, z } from '@/deps.ts';
 import * as mixer from '@/mixer.ts';
 import { getAuthor, getFollowedPubkeys, getFollows, syncUser } from '@/queries.ts';
 import { booleanParamSchema, fileSchema } from '@/schema.ts';
 import { jsonMetaContentSchema } from '@/schemas/nostr.ts';
-import { toAccount, toRelationship, toStatus } from '@/transformers/nostr-to-mastoapi.ts';
+import { accountFromPubkey, toAccount, toRelationship, toStatus } from '@/transformers/nostr-to-mastoapi.ts';
-import { isFollowing, lookupAccount, Time } from '@/utils.ts';
+import { isFollowing, lookupAccount, nostrNow, Time } from '@/utils.ts';
 import { paginated, paginationSchema, parseBody } from '@/utils/web.ts';
 import { createEvent } from '@/utils/web.ts';
 import { renderEventAccounts } from '@/views.ts';
+import { insertUser } from '@/db/users.ts';
 
-const createAccountController: AppController = (c) => {
+const usernameSchema = z
-  return c.json({ error: 'Please log in with Nostr.' }, 405);
+  .string().min(1).max(30)
+  .regex(/^[a-z0-9_]+$/i)
+  .refine((username) => !Conf.forbiddenUsernames.includes(username), 'Username is reserved.');
+
+const createAccountSchema = z.object({
+  username: usernameSchema,
+});
+
+const createAccountController: AppController = async (c) => {
+  if (!Conf.registrations) {
+    return c.json({ error: 'Registrations are disabled.' }, 403);
+  }
+
+  const pubkey = c.get('pubkey')!;
+  const result = createAccountSchema.safeParse(await c.req.json());
+
+  if (!result.success) {
+    return c.json({ error: 'Bad request', schema: result.error }, 400);
+  }
+
+  try {
+    await insertUser({
+      pubkey,
+      username: result.data.username,
+      inserted_at: new Date(),
+      admin: 0,
+    });
+
+    return c.json({
+      access_token: nip19.npubEncode(pubkey),
+      token_type: 'Bearer',
+      scope: 'read write follow push',
+      created_at: nostrNow(),
+    });
+  } catch (_e) {
+    return c.json({ error: 'Username already taken.' }, 422);
+  }
 };
 
 const verifyCredentialsController: AppController = async (c) => {
@@ -22,9 +60,9 @@ const verifyCredentialsController: AppController = async (c) => {
   const event = await getAuthor(pubkey);
   if (event) {
     return c.json(await toAccount(event, { withSource: true }));
+  } else {
+    return c.json(await accountFromPubkey(pubkey, { withSource: true }));
   }
-
-  return c.json({ error: 'Could not find user.' }, 404);
 };
 
 const accountController: AppController = async (c) => {

src/controllers/api/fallback.ts

@@ -2,5 +2,6 @@ import type { Context } from '@/deps.ts';
 
 const emptyArrayController = (c: Context) => c.json([]);
 const emptyObjectController = (c: Context) => c.json({});
+const notImplementedController = (c: Context) => Promise.resolve(c.json({ error: 'Not implemented' }, 404));
 
-export { emptyArrayController, emptyObjectController };
+export { emptyArrayController, emptyObjectController, notImplementedController };

src/controllers/api/instance.ts

@@ -12,7 +12,7 @@ const instanceController: AppController = (c) => {
     title: 'Ditto',
     description: 'An efficient and flexible social media server.',
     short_description: 'An efficient and flexible social media server.',
-    registrations: false,
+    registrations: Conf.registrations,
     max_toot_chars: Conf.postCharLimit,
     configuration: {
       media_attachments: {
@@ -53,6 +53,9 @@ const instanceController: AppController = (c) => {
     nostr: {
       pubkey: Conf.pubkey,
       relay: `${wsProtocol}//${host}/relay`,
+      pow: {
+        registrations: Conf.pow.registrations,
+      },
     },
     rules: [],
   });

src/deps.ts

@@ -7,7 +7,7 @@ export {
   HTTPException,
   type MiddlewareHandler,
 } from 'https://deno.land/x/hono@v3.3.4/mod.ts';
-export { cors, logger } from 'https://deno.land/x/hono@v3.3.4/middleware.ts';
+export { cors, logger, serveStatic } from 'https://deno.land/x/hono@v3.3.4/middleware.ts';
 export { z } from 'https://deno.land/x/zod@v3.21.4/mod.ts';
 export { Author, RelayPool } from 'https://dev.jspm.io/nostr-relaypool@0.6.28';
 export {
@@ -21,8 +21,10 @@ export {
   matchFilters,
   nip04,
   nip05,
+  nip13,
   nip19,
   nip21,
+  type UnsignedEvent,
   verifySignature,
 } from 'npm:nostr-tools@^1.14.0';
 export { findReplyTag } from 'https://gitlab.com/soapbox-pub/mostr/-/raw/c67064aee5ade5e01597c6d23e22e53c628ef0e2/src/nostr/tags.ts';

src/middleware/auth19.ts

@@ -38,7 +38,7 @@ const auth19: AppMiddleware = async (c, next) => {
 /** Throw a 401 if the pubkey isn't set. */
 const requirePubkey: AppMiddleware = async (c, next) => {
   if (!c.get('pubkey')) {
-    throw new HTTPException(401);
+    throw new HTTPException(401, { message: 'No pubkey provided' });
   }
 
   await next();

src/middleware/auth98.ts

@@ -1,5 +1,5 @@
 import { type AppContext, type AppMiddleware } from '@/app.ts';
-import { HTTPException } from '@/deps.ts';
+import { type Event, HTTPException } from '@/deps.ts';
 import {
   buildAuthEventTemplate,
   parseAuthRequest,
@@ -32,19 +32,22 @@ type UserRole = 'user' | 'admin';
 
 /** Require the user to prove their role before invoking the controller. */
 function requireRole(role: UserRole, opts?: ParseAuthRequestOpts): AppMiddleware {
-  return async (c, next) => {
+  return withProof(async (_c, proof, next) => {
-    const header = c.req.headers.get('x-nostr-sign');
+    const user = await findUser({ pubkey: proof.pubkey });
-    const proof = c.get('proof') || header ? await obtainProof(c, opts) : undefined;
-    const user = proof ? await findUser({ pubkey: proof.pubkey }) : undefined;
 
-    if (proof && user && matchesRole(user, role)) {
+    if (user && matchesRole(user, role)) {
-      c.set('pubkey', proof.pubkey);
-      c.set('proof', proof);
       await next();
     } else {
       throw new HTTPException(401);
     }
-  };
+  }, opts);
+}
+
+/** Require the user to demonstrate they own the pubkey by signing an event. */
+function requireProof(opts?: ParseAuthRequestOpts): AppMiddleware {
+  return withProof(async (_c, _proof, next) => {
+    await next();
+  }, opts);
 }
 
 /** Check whether the user fulfills the role. */
@@ -59,6 +62,30 @@ function matchesRole(user: User, role: UserRole): boolean {
   }
 }
 
+/** HOC to obtain proof in middleware. */
+function withProof(
+  handler: (c: AppContext, proof: Event<27235>, next: () => Promise<void>) => Promise<void>,
+  opts?: ParseAuthRequestOpts,
+): AppMiddleware {
+  return async (c, next) => {
+    const pubkey = c.get('pubkey');
+    const proof = c.get('proof') || await obtainProof(c, opts);
+
+    // Prevent people from accidentally using the wrong account. This has no other security implications.
+    if (proof && pubkey && pubkey !== proof.pubkey) {
+      throw new HTTPException(401, { message: 'Pubkey mismatch' });
+    }
+
+    if (proof) {
+      c.set('pubkey', proof.pubkey);
+      c.set('proof', proof);
+      await handler(c, proof, next);
+    } else {
+      throw new HTTPException(401, { message: 'No proof' });
+    }
+  };
+}
+
 /** Get the proof over Nostr Connect. */
 async function obtainProof(c: AppContext, opts?: ParseAuthRequestOpts) {
   const req = localRequest(c);
@@ -71,4 +98,4 @@ async function obtainProof(c: AppContext, opts?: ParseAuthRequestOpts) {
   }
 }
 
-export { auth98, requireRole };
+export { auth98, requireProof, requireRole };

src/middleware/csp.ts

@@ -0,0 +1,30 @@
+import { AppMiddleware } from '@/app.ts';
+import { Conf } from '@/config.ts';
+
+const csp = (): AppMiddleware => {
+  return async (c, next) => {
+    const { host, protocol } = Conf.url;
+    const wsProtocol = protocol === 'http:' ? 'ws:' : 'wss:';
+
+    const policies = [
+      'upgrade-insecure-requests',
+      `script-src 'self'`,
+      `connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`,
+      `media-src 'self' ${Conf.mediaDomain}`,
+      `img-src 'self' data: blob: ${Conf.mediaDomain}`,
+      `default-src 'none'`,
+      `base-uri 'self'`,
+      `frame-ancestors 'none'`,
+      `style-src 'self' 'unsafe-inline'`,
+      `font-src 'self'`,
+      `manifest-src 'self'`,
+      `frame-src 'self' https:`,
+    ];
+
+    c.res.headers.set('content-security-policy', policies.join('; '));
+
+    await next();
+  };
+};
+
+export { csp };

src/sign.ts

@@ -36,7 +36,7 @@ async function signNostrConnect<K extends number = number>(event: EventTemplate<
   const pubkey = c.get('pubkey');
 
   if (!pubkey) {
-    throw new HTTPException(401);
+    throw new HTTPException(401, { message: 'Missing pubkey' });
   }
 
   const messageId = crypto.randomUUID();

src/transformers/nostr-to-mastoapi.ts

@@ -2,12 +2,12 @@ import { isCWTag } from 'https://gitlab.com/soapbox-pub/mostr/-/raw/c67064aee5ad
 
 import { Conf } from '@/config.ts';
 import * as eventsDB from '@/db/events.ts';
-import { type Event, findReplyTag, lodash, nip19, sanitizeHtml, TTLCache, unfurl } from '@/deps.ts';
+import { type Event, findReplyTag, lodash, nip19, sanitizeHtml, TTLCache, unfurl, type UnsignedEvent } from '@/deps.ts';
 import { getMediaLinks, parseNoteContent } from '@/note.ts';
 import { getAuthor, getFollowedPubkeys, getFollows } from '@/queries.ts';
 import { emojiTagSchema, filteredArray } from '@/schema.ts';
 import { jsonMediaDataSchema, jsonMetaContentSchema } from '@/schemas/nostr.ts';
-import { isFollowing, type Nip05, nostrDate, parseNip05, Time } from '@/utils.ts';
+import { isFollowing, type Nip05, nostrDate, nostrNow, parseNip05, Time } from '@/utils.ts';
 import { verifyNip05Cached } from '@/utils/nip05.ts';
 import { findUser } from '@/db/users.ts';
 import { DittoAttachment, renderAttachment } from '@/views/attachment.ts';
@@ -19,7 +19,7 @@ interface ToAccountOpts {
   withSource?: boolean;
 }
 
-async function toAccount(event: Event<0>, opts: ToAccountOpts = {}) {
+async function toAccount(event: UnsignedEvent<0>, opts: ToAccountOpts = {}) {
   const { withSource = false } = opts;
 
   const { pubkey } = event;
@@ -75,6 +75,18 @@ async function toAccount(event: Event<0>, opts: ToAccountOpts = {}) {
   };
 }
 
+function accountFromPubkey(pubkey: string, opts: ToAccountOpts = {}) {
+  const event: UnsignedEvent<0> = {
+    kind: 0,
+    pubkey,
+    content: '',
+    tags: [],
+    created_at: nostrNow(),
+  };
+
+  return toAccount(event, opts);
+}
+
 async function parseAndVerifyNip05(nip05: string | undefined, pubkey: string): Promise<Nip05 | undefined> {
   if (nip05 && await verifyNip05Cached(nip05, pubkey)) {
     return parseNip05(nip05);
@@ -105,8 +117,7 @@ async function toMention(pubkey: string) {
 
 async function toStatus(event: Event<1>, viewerPubkey?: string) {
   const profile = await getAuthor(event.pubkey);
-  const account = profile ? await toAccount(profile) : undefined;
+  const account = profile ? await toAccount(profile) : await accountFromPubkey(event.pubkey);
-  if (!account) return;
 
   const replyTag = findReplyTag(event);
 
@@ -257,7 +268,7 @@ function unfurlCardCached(url: string): Promise<PreviewCard | null> {
   return card;
 }
 
-function toEmojis(event: Event) {
+function toEmojis(event: UnsignedEvent) {
   const emojiTags = event.tags.filter((tag) => tag[0] === 'emoji');
 
   return filteredArray(emojiTagSchema).parse(emojiTags)
@@ -310,4 +321,4 @@ async function toNotificationMention(event: Event<1>, viewerPubkey?: string) {
   };
 }
 
-export { toAccount, toNotification, toRelationship, toStatus };
+export { accountFromPubkey, toAccount, toNotification, toRelationship, toStatus };

src/utils/nip98.ts

@@ -1,4 +1,4 @@
-import { type Event, type EventTemplate } from '@/deps.ts';
+import { type Event, type EventTemplate, nip13 } from '@/deps.ts';
 import { decode64Schema, jsonSchema } from '@/schema.ts';
 import { signedEventSchema } from '@/schemas/nostr.ts';
 import { eventAge, findTag, nostrNow, sha256 } from '@/utils.ts';
@@ -12,6 +12,8 @@ interface ParseAuthRequestOpts {
   maxAge?: number;
   /** Whether to validate the request body of the request with the payload of the auth event. (default: `true`) */
   validatePayload?: boolean;
+  /** Difficulty of the proof of work. (default: `0`) */
+  pow?: number;
 }
 
 /** Parse the auth event from a Request, returning a zod SafeParse type. */
@@ -27,13 +29,14 @@ async function parseAuthRequest(req: Request, opts: ParseAuthRequestOpts = {}) {
 
 /** Compare the auth event with the request, returning a zod SafeParse type. */
 function validateAuthEvent(req: Request, event: Event, opts: ParseAuthRequestOpts = {}) {
-  const { maxAge = Time.minutes(1), validatePayload = true } = opts;
+  const { maxAge = Time.minutes(1), validatePayload = true, pow = 0 } = opts;
 
   const schema = signedEventSchema
     .refine((event): event is Event<27235> => event.kind === 27235, 'Event must be kind 27235')
     .refine((event) => eventAge(event) < maxAge, 'Event expired')
     .refine((event) => tagValue(event, 'method') === req.method, 'Event method does not match HTTP request method')
     .refine((event) => tagValue(event, 'u') === req.url, 'Event URL does not match request URL')
+    .refine((event) => pow ? nip13.getPow(event.id) >= pow : true, 'Insufficient proof of work')
     .refine(validateBody, 'Event payload does not match request body');
 
   function validateBody(event: Event<27235>) {