Remove unneeded session ID from auth token
This commit is contained in:
parent
f25284daa9
commit
e8a7dfef2b
|
@ -53,8 +53,6 @@ interface AppEnv extends HonoEnv {
|
||||||
pubkey?: string;
|
pubkey?: string;
|
||||||
/** Hex secret key for the current user. Optional, but easiest way to use legacy Mastodon apps. */
|
/** Hex secret key for the current user. Optional, but easiest way to use legacy Mastodon apps. */
|
||||||
seckey?: string;
|
seckey?: string;
|
||||||
/** UUID from the access token. Used for WebSocket event signing. */
|
|
||||||
session?: string;
|
|
||||||
/** NIP-98 signed event proving the pubkey is owned by the user. */
|
/** NIP-98 signed event proving the pubkey is owned by the user. */
|
||||||
proof?: Event<27235>;
|
proof?: Event<27235>;
|
||||||
};
|
};
|
||||||
|
|
|
@ -88,7 +88,7 @@ const oauthController: AppController = (c) => {
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
<form id="oauth_form" action="/oauth/authorize" method="post">
|
<form id="oauth_form" action="/oauth/authorize" method="post">
|
||||||
<input type="text" placeholder="npub1... or nsec1..." name="nip19" autocomplete="off">
|
<input type="text" placeholder="npub1... or nsec1..." name="nip19" autocomplete="off">
|
||||||
<input type="hidden" name="pubkey" id="pubkey" value="">
|
<input type="hidden" name="pubkey" id="pubkey" value="">
|
||||||
<input type="hidden" name="redirect_uri" id="redirect_uri" value="${lodash.escape(redirectUri)}">
|
<input type="hidden" name="redirect_uri" id="redirect_uri" value="${lodash.escape(redirectUri)}">
|
||||||
<button type="submit">Authorize</button>
|
<button type="submit">Authorize</button>
|
||||||
|
@ -137,19 +137,12 @@ const oauthAuthorizeController: AppController = async (c) => {
|
||||||
// Parsed FormData values.
|
// Parsed FormData values.
|
||||||
const { pubkey, nip19: nip19id, redirect_uri: redirectUri } = result.data;
|
const { pubkey, nip19: nip19id, redirect_uri: redirectUri } = result.data;
|
||||||
|
|
||||||
/**
|
|
||||||
* Normally the auth token is just an npub, which is public information.
|
|
||||||
* The sessionId helps us know that Request "B" and Request "A" came from the same person.
|
|
||||||
* Useful for sending websocket events to the correct client.
|
|
||||||
*/
|
|
||||||
const sessionId: string = uuid62.v4();
|
|
||||||
|
|
||||||
if (pubkey) {
|
if (pubkey) {
|
||||||
const encoded = nip19.npubEncode(pubkey!);
|
const encoded = nip19.npubEncode(pubkey!);
|
||||||
const url = addCodeToRedirectUri(redirectUri, `${encoded}_${sessionId}`);
|
const url = addCodeToRedirectUri(redirectUri, encoded);
|
||||||
return c.redirect(url);
|
return c.redirect(url);
|
||||||
} else if (nip19id) {
|
} else if (nip19id) {
|
||||||
const url = addCodeToRedirectUri(redirectUri, `${nip19id}_${sessionId}`);
|
const url = addCodeToRedirectUri(redirectUri, nip19id);
|
||||||
return c.redirect(url);
|
return c.redirect(url);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
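Review bot: The form-supplied `nip19id` is forwarded verbatim as the OAuth `code` in the `else if (nip19id)` branch, and the login form advertises `nsec1...` input, so a user who pastes a secret key has it sent to the third-party `redirect_uri` in the query string (browser history, referrers, the client's access logs). Whether the zod schema behind `result.data` already restricts the value is outside this hunk; if it does not, decoding it first (`nip19.decode(nip19id)`) and rejecting anything other than the expected types would at least stop arbitrary strings from being minted as codes. With the session suffix gone the code is a bare public identifier, so nothing in it shows the authorize request came from the key's owner — acceptable if that is the intended nsec/NIP-98 model, but worth a comment where `sessionId` used to be documented. The `pubkey!` assertion inside `if (pubkey)` is redundant since the truthiness check already narrows it.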
@ -1,7 +1,6 @@
|
||||||
import { AppController } from '@/app.ts';
|
import { type AppController } from '@/app.ts';
|
||||||
import { z } from '@/deps.ts';
|
import { nip19, z } from '@/deps.ts';
|
||||||
import { type DittoFilter } from '@/filter.ts';
|
import { type DittoFilter } from '@/filter.ts';
|
||||||
import { TOKEN_REGEX } from '@/middleware/auth19.ts';
|
|
||||||
import { Sub } from '@/subs.ts';
|
import { Sub } from '@/subs.ts';
|
||||||
import { toStatus } from '@/transformers/nostr-to-mastoapi.ts';
|
import { toStatus } from '@/transformers/nostr-to-mastoapi.ts';
|
||||||
|
|
||||||
|
@ -39,7 +38,7 @@ const streamingController: AppController = (c) => {
|
||||||
return c.json({ error: 'Missing access token' }, 401);
|
return c.json({ error: 'Missing access token' }, 401);
|
||||||
}
|
}
|
||||||
|
|
||||||
const match = token.match(new RegExp(`^${TOKEN_REGEX.source}$`));
|
const match = token.match(new RegExp(`^${nip19.BECH32_REGEX.source}$`));
|
||||||
if (!match) {
|
if (!match) {
|
||||||
return c.json({ error: 'Invalid access token' }, 401);
|
return c.json({ error: 'Invalid access token' }, 401);
|
||||||
}
|
}
|
||||||
|
|
|
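Review bot: With the session suffix dropped, the websocket's only credential at the new `match` line is a bare NIP-19 identifier, and `nip19.BECH32_REGEX` accepts any prefix, so an `npub` — public information — passes as a valid access token for the stream; unless the code after this hunk checks `seckey`/`proof` before subscribing, anyone who knows a user's public key can attach to that user's stream. The token also appears to come from the request URL (the preceding 401 is for a missing token, and browsers cannot set headers on websocket upgrades), so an `nsec` used here lands in access logs. Consider narrowing the check to the identifier types the endpoint actually supports, e.g. `const decoded = nip19.decode(token)` with a 401 for anything other than the accepted `type`s, and a comment stating which types are allowed and why. The rest of `streamingController` is outside this hunk.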
@ -1,10 +1,8 @@
|
||||||
import { type AppMiddleware } from '@/app.ts';
|
import { type AppMiddleware } from '@/app.ts';
|
||||||
import { getPublicKey, HTTPException, nip19 } from '@/deps.ts';
|
import { getPublicKey, HTTPException, nip19 } from '@/deps.ts';
|
||||||
|
|
||||||
/** The token includes a Bech32 Nostr ID (npub, nsec, etc) and an optional session ID. */
|
|
||||||
const TOKEN_REGEX = new RegExp(`(${nip19.BECH32_REGEX.source})(?:_(\\w+))?`);
|
|
||||||
/** We only accept "Bearer" type. */
|
/** We only accept "Bearer" type. */
|
||||||
const BEARER_REGEX = new RegExp(`^Bearer (${TOKEN_REGEX.source})$`);
|
const BEARER_REGEX = new RegExp(`^Bearer (${nip19.BECH32_REGEX.source})$`);
|
||||||
|
|
||||||
/** NIP-19 auth middleware. */
|
/** NIP-19 auth middleware. */
|
||||||
const auth19: AppMiddleware = async (c, next) => {
|
const auth19: AppMiddleware = async (c, next) => {
|
||||||
|
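Review bot: `BEARER_REGEX` embeds `nip19.BECH32_REGEX.source` inside its own `^Bearer (...)$` anchors, which is only correct if the library pattern carries no anchors or flags of its own; `.source` drops flags (such as `i`), so the header's case-sensitivity now silently depends on how `BECH32_REGEX` is written. A one-line comment above the new regex recording that assumption would help, e.g. `// Assumes nip19.BECH32_REGEX is unanchored; .source does not carry its flags.`. The removed `TOKEN_REGEX` comment was the only place describing the token format; consider keeping a note that the bearer value is now a bare npub/nsec with no session component, since `streaming.ts` repeats the same pattern independently.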
@ -12,8 +10,7 @@ const auth19: AppMiddleware = async (c, next) => {
|
||||||
const match = authHeader?.match(BEARER_REGEX);
|
const match = authHeader?.match(BEARER_REGEX);
|
||||||
|
|
||||||
if (match) {
|
if (match) {
|
||||||
const [_, _token, bech32, session] = match;
|
const [_, bech32] = match;
|
||||||
c.set('session', session);
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const decoded = nip19.decode(bech32!);
|
const decoded = nip19.decode(bech32!);
|
||||||
|
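Review bot: After this change the identity set by `auth19` is derived solely from the bearer value captured at `const [_, bech32] = match;`, and when that value is an `npub` it is public information, so the middleware alone no longer distinguishes the key's owner from anyone who knows the key. That is only safe if `requireAuth` (its body is outside this hunk) or downstream handlers insist on `seckey` or the NIP-98 `proof` before doing anything privileged; a comment on the `if (match)` branch stating that an npub-only token is identification, not authentication, would make that contract explicit. The `bech32!` assertion could be avoided with `const bech32 = match[1]; if (bech32) {`, which also drops the unused `_` binding.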
@ -47,4 +44,4 @@ const requireAuth: AppMiddleware = async (c, next) => {
|
||||||
await next();
|
await next();
|
||||||
};
|
};
|
||||||
|
|
||||||
export { auth19, requireAuth, TOKEN_REGEX };
|
export { auth19, requireAuth };
|
||||||
|
|