Remove uneeded session ID from auth token

This commit is contained in:
Alex Gleason 2023-08-28 13:00:00 -05:00
parent f25284daa9
commit e8a7dfef2b
No known key found for this signature in database
GPG Key ID: 7211D1F99744FBB7
4 changed files with 9 additions and 22 deletions

View File

@ -53,8 +53,6 @@ interface AppEnv extends HonoEnv {
pubkey?: string; pubkey?: string;
/** Hex secret key for the current user. Optional, but easiest way to use legacy Mastodon apps. */ /** Hex secret key for the current user. Optional, but easiest way to use legacy Mastodon apps. */
seckey?: string; seckey?: string;
/** UUID from the access token. Used for WebSocket event signing. */
session?: string;
/** NIP-98 signed event proving the pubkey is owned by the user. */ /** NIP-98 signed event proving the pubkey is owned by the user. */
proof?: Event<27235>; proof?: Event<27235>;
}; };

View File

@ -137,19 +137,12 @@ const oauthAuthorizeController: AppController = async (c) => {
// Parsed FormData values. // Parsed FormData values.
const { pubkey, nip19: nip19id, redirect_uri: redirectUri } = result.data; const { pubkey, nip19: nip19id, redirect_uri: redirectUri } = result.data;
/**
* Normally the auth token is just an npub, which is public information.
* The sessionId helps us know that Request "B" and Request "A" came from the same person.
* Useful for sending websocket events to the correct client.
*/
const sessionId: string = uuid62.v4();
if (pubkey) { if (pubkey) {
const encoded = nip19.npubEncode(pubkey!); const encoded = nip19.npubEncode(pubkey!);
const url = addCodeToRedirectUri(redirectUri, `${encoded}_${sessionId}`); const url = addCodeToRedirectUri(redirectUri, encoded);
return c.redirect(url); return c.redirect(url);
} else if (nip19id) { } else if (nip19id) {
const url = addCodeToRedirectUri(redirectUri, `${nip19id}_${sessionId}`); const url = addCodeToRedirectUri(redirectUri, nip19id);
return c.redirect(url); return c.redirect(url);
} }

View File

@ -1,7 +1,6 @@
import { AppController } from '@/app.ts'; import { type AppController } from '@/app.ts';
import { z } from '@/deps.ts'; import { nip19, z } from '@/deps.ts';
import { type DittoFilter } from '@/filter.ts'; import { type DittoFilter } from '@/filter.ts';
import { TOKEN_REGEX } from '@/middleware/auth19.ts';
import { Sub } from '@/subs.ts'; import { Sub } from '@/subs.ts';
import { toStatus } from '@/transformers/nostr-to-mastoapi.ts'; import { toStatus } from '@/transformers/nostr-to-mastoapi.ts';
@ -39,7 +38,7 @@ const streamingController: AppController = (c) => {
return c.json({ error: 'Missing access token' }, 401); return c.json({ error: 'Missing access token' }, 401);
} }
const match = token.match(new RegExp(`^${TOKEN_REGEX.source}$`)); const match = token.match(new RegExp(`^${nip19.BECH32_REGEX.source}$`));
if (!match) { if (!match) {
return c.json({ error: 'Invalid access token' }, 401); return c.json({ error: 'Invalid access token' }, 401);
} }

View File

@ -1,10 +1,8 @@
import { type AppMiddleware } from '@/app.ts'; import { type AppMiddleware } from '@/app.ts';
import { getPublicKey, HTTPException, nip19 } from '@/deps.ts'; import { getPublicKey, HTTPException, nip19 } from '@/deps.ts';
/** The token includes a Bech32 Nostr ID (npub, nsec, etc) and an optional session ID. */
const TOKEN_REGEX = new RegExp(`(${nip19.BECH32_REGEX.source})(?:_(\\w+))?`);
/** We only accept "Bearer" type. */ /** We only accept "Bearer" type. */
const BEARER_REGEX = new RegExp(`^Bearer (${TOKEN_REGEX.source})$`); const BEARER_REGEX = new RegExp(`^Bearer (${nip19.BECH32_REGEX.source})$`);
/** NIP-19 auth middleware. */ /** NIP-19 auth middleware. */
const auth19: AppMiddleware = async (c, next) => { const auth19: AppMiddleware = async (c, next) => {
@ -12,8 +10,7 @@ const auth19: AppMiddleware = async (c, next) => {
const match = authHeader?.match(BEARER_REGEX); const match = authHeader?.match(BEARER_REGEX);
if (match) { if (match) {
const [_, _token, bech32, session] = match; const [_, bech32] = match;
c.set('session', session);
try { try {
const decoded = nip19.decode(bech32!); const decoded = nip19.decode(bech32!);
@ -47,4 +44,4 @@ const requireAuth: AppMiddleware = async (c, next) => {
await next(); await next();
}; };
export { auth19, requireAuth, TOKEN_REGEX }; export { auth19, requireAuth };