From e8a7dfef2be6f47654e2e9295dae79b1bbe7dcef Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Mon, 28 Aug 2023 13:00:00 -0500
Subject: [PATCH] Remove uneeded session ID from auth token
---
 src/app.ts | 2 --
 src/controllers/api/oauth.ts | 13 +++----------
 src/controllers/api/streaming.ts | 7 +++----
 src/middleware/auth19.ts | 9 +++------
 4 files changed, 9 insertions(+), 22 deletions(-)
diff --git a/src/app.ts b/src/app.ts
index cc99474..45c315d 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -53,8 +53,6 @@ interface AppEnv extends HonoEnv {
 pubkey?: string;
 /** Hex secret key for the current user. Optional, but easiest way to use legacy Mastodon apps. */
 seckey?: string;
- /** UUID from the access token. Used for WebSocket event signing. */
- session?: string;
 /** NIP-98 signed event proving the pubkey is owned by the user. */
 proof?: Event<27235>;
 };
diff --git a/src/controllers/api/oauth.ts b/src/controllers/api/oauth.ts
index 830f433..c76412e 100644
--- a/src/controllers/api/oauth.ts
+++ b/src/controllers/api/oauth.ts
@@ -88,7 +88,7 @@ const oauthController: AppController = (c) => {
- +
@@ -137,19 +137,12 @@ const oauthAuthorizeController: AppController = async (c) => {
 // Parsed FormData values.
 const { pubkey, nip19: nip19id, redirect_uri: redirectUri } = result.data;
- /**
- * Normally the auth token is just an npub, which is public information.
- * The sessionId helps us know that Request "B" and Request "A" came from the same person.
- * Useful for sending websocket events to the correct client.
- */
- const sessionId: string = uuid62.v4();
-
 if (pubkey) {
 const encoded = nip19.npubEncode(pubkey!);
- const url = addCodeToRedirectUri(redirectUri, `${encoded}_${sessionId}`);
+ const url = addCodeToRedirectUri(redirectUri, encoded);
 return c.redirect(url);
 } else if (nip19id) {
- const url = addCodeToRedirectUri(redirectUri, `${nip19id}_${sessionId}`);
+ const url = addCodeToRedirectUri(redirectUri, nip19id);
 return c.redirect(url);
 }
diff --git a/src/controllers/api/streaming.ts b/src/controllers/api/streaming.ts
index 6a0c274..2ea5844 100644
--- a/src/controllers/api/streaming.ts
+++ b/src/controllers/api/streaming.ts
@@ -1,7 +1,6 @@
-import { AppController } from '@/app.ts';
-import { z } from '@/deps.ts';
+import { type AppController } from '@/app.ts';
+import { nip19, z } from '@/deps.ts';
 import { type DittoFilter } from '@/filter.ts';
-import { TOKEN_REGEX } from '@/middleware/auth19.ts';
 import { Sub } from '@/subs.ts';
 import { toStatus } from '@/transformers/nostr-to-mastoapi.ts';
@@ -39,7 +38,7 @@ const streamingController: AppController = (c) => {
 return c.json({ error: 'Missing access token' }, 401);
 }
- const match = token.match(new RegExp(`^${TOKEN_REGEX.source}$`));
+ const match = token.match(new RegExp(`^${nip19.BECH32_REGEX.source}$`));
 if (!match) {
 return c.json({ error: 'Invalid access token' }, 401);
 }
diff --git a/src/middleware/auth19.ts b/src/middleware/auth19.ts
index 46f125f..45bf5bd 100644
--- a/src/middleware/auth19.ts
+++ b/src/middleware/auth19.ts
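Review bot: On the two `+` lines the authorization code passed to `addCodeToRedirectUri` is now just the bech32 identifier, and in the `nip19id` branch that is the submitted form value forwarded verbatim, with no server-generated component appended any more. The same patch's auth19.ts describes the accepted token as "a Bech32 Nostr ID (npub, nsec, etc)", so unless the schema behind `result.data` (outside the hunk) already restricts this field, a pasted `nsec` would be placed in the redirect URL's query string, where it is exposed to server logs and Referer headers. Consider decoding first, `const decoded = nip19.decode(nip19id);`, and only redirecting when `decoded.type === 'npub'` (or re-encoding the public key for an `nsec` via getPublicKey, which deps.ts exports according to the auth19.ts imports). The `pubkey!` assertion on the unchanged line above the first `+` is redundant inside `if (pubkey)`. oauthAuthorizeController begins and ends outside the hunk.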
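Review bot: The replacement regex on the `+` line only establishes that `token` is syntactically a NIP-19 bech32 string — any kind (npub, nsec, note, nevent) passes — and it does not establish that the caller controls the key, which matters more now that the session suffix is gone and an npub token is plain public information. Whatever follows `if (!match)` outside the hunk should `nip19.decode` the token and narrow on `type === 'npub'` before using it to select which events the client receives. Separately, `new RegExp(...)` is now constructed on every request; since `nip19` is imported at module level in this file's first hunk, hoist it as `const TOKEN_REGEX = new RegExp('^' + nip19.BECH32_REGEX.source + '$');` above `streamingController` and use `token.match(TOKEN_REGEX)` here. streamingController continues on both sides of the hunk.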
@@ -1,10 +1,8 @@
 import { type AppMiddleware } from '@/app.ts';
 import { getPublicKey, HTTPException, nip19 } from '@/deps.ts';
-/** The token includes a Bech32 Nostr ID (npub, nsec, etc) and an optional session ID. */
-const TOKEN_REGEX = new RegExp(`(${nip19.BECH32_REGEX.source})(?:_(\\w+))?`);
 /** We only accept "Bearer" type. */
-const BEARER_REGEX = new RegExp(`^Bearer (${TOKEN_REGEX.source})$`);
+const BEARER_REGEX = new RegExp(`^Bearer (${nip19.BECH32_REGEX.source})$`);
 /** NIP-19 auth middleware. */
 const auth19: AppMiddleware = async (c, next) => {
@@ -12,8 +10,7 @@ const auth19: AppMiddleware = async (c, next) => {
 const match = authHeader?.match(BEARER_REGEX);
 if (match) {
- const [_, _token, bech32, session] = match;
- c.set('session', session);
+ const [_, bech32] = match;
 try {
 const decoded = nip19.decode(bech32!);
@@ -47,4 +44,4 @@ const requireAuth: AppMiddleware = async (c, next) => {
 await next();
 };
-export { auth19, requireAuth, TOKEN_REGEX };
+export { auth19, requireAuth };
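Review bot: In the second hunk, `const [_, bech32] = match;` keeps an unused `_` binding, and the `bech32!` assertion on the following context line is sound only because the single capture group in the new `BEARER_REGEX` (first hunk) is mandatory — that dependency is worth stating where the assertion sits, since a later edit that makes the group optional would silently turn `bech32` into `undefined`. Suggest `const [, bech32] = match; // group 1 of BEARER_REGEX is not optional, so bech32 is always set when match is truthy`. auth19 continues outside the hunk on both sides.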