fix(token): claim now includes ProfileID

If there are any tokens in a request, we expect that token to contain a profile id that helps the receiving node establish the request's identity. `token.NewPrivKeyAuthToken` was creating a correctly signed token with the priv key and id, but did not include the `ProfileID`. In `inst.activeProfile()` we use `ProfileID` to determine identiy. Because there was no profile id, `profiles.GetProfile` was erroring with "path not found", which is now "profile not found"

auth/token/token.go

@@ -48,7 +48,7 @@ func Parse(tokenString string, tokens Source) (*Token, error) {
 
 // NewPrivKeyAuthToken creates a JWT token string suitable for making requests
 // authenticated as the given private key
-func NewPrivKeyAuthToken(pk crypto.PrivKey, ttl time.Duration) (string, error) {
+func NewPrivKeyAuthToken(pk crypto.PrivKey, profileID string, ttl time.Duration) (string, error) {
 	signingMethod, err := jwtSigningMethod(pk)
 	if err != nil {
 		return "", err
@@ -84,6 +84,7 @@ func NewPrivKeyAuthToken(pk crypto.PrivKey, ttl time.Duration) (string, error) {
 			// see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4.1.4
 			ExpiresAt: exp,
 		},
+		ProfileID: profileID,
 	}
 
 	return t.SignedString(signKey)

auth/token/token_test.go

@@ -69,7 +69,7 @@ func TestTokenStore(t *testing.T) {
 func TestNewPrivKeyAuthToken(t *testing.T) {
 	// create a token from a private key
 	kd := testkeys.GetKeyData(0)
-	str, err := token.NewPrivKeyAuthToken(kd.PrivKey, 0)
+	str, err := token.NewPrivKeyAuthToken(kd.PrivKey, kd.KeyID.String(), 0)
 	if err != nil {
 		t.Fatal(err)
 	}

lib/access.go

@@ -89,5 +89,5 @@ func (accessImpl) CreateAuthToken(scp scope, p *CreateAuthTokenParams) (string,
 		return "", fmt.Errorf("cannot create token for %q (id: %s), private key is required", grantee.Peername, grantee.ID.String())
 	}
 
-	return token.NewPrivKeyAuthToken(pk, p.TTL)
+	return token.NewPrivKeyAuthToken(pk, grantee.ID.String(), p.TTL)
 }

lib/dispatch.go

@@ -72,7 +72,7 @@ func (inst *Instance) Dispatch(ctx context.Context, method string, param interfa
 			if err != nil {
 				return nil, nil, err
 			}
-			tokstr, err := token.NewPrivKeyAuthToken(p.PrivKey, time.Minute)
+			tokstr, err := token.NewPrivKeyAuthToken(p.PrivKey, p.ID.String(), time.Minute)
 			if err != nil {
 				return nil, nil, err
 			}

lib/lib.go

@@ -953,7 +953,11 @@ func (inst *Instance) activeProfile(ctx context.Context) (pro *profile.Profile,
 			// token. We either need ProfileID == KeyID, or we need a UCAN. we need to
 			// check for those, ideally in a method within the profile package that
 			// abstracts over profile & key agreement
-			return inst.profiles.GetProfile(profile.IDB58DecodeOrEmpty(claims.ProfileID))
+			pro, err := inst.profiles.GetProfile(profile.IDB58DecodeOrEmpty(claims.ProfileID))
+			if errors.Is(err, profile.ErrNotFound) {
+				return nil, fmt.Errorf("request profile not sent")
+			}
+			return pro, err
 		}
 	}
 

profile/store.go

@@ -11,7 +11,6 @@ import (
 	"sync"
 
 	"github.com/libp2p/go-libp2p-core/peer"
-	"github.com/qri-io/qfs"
 	"github.com/qri-io/qri/auth/key"
 	"github.com/qri-io/qri/config"
 	qerr "github.com/qri-io/qri/errors"
@@ -441,7 +440,7 @@ func (r *LocalStore) PeernameID(peername string) (ID, error) {
 			return IDB58Decode(id)
 		}
 	}
-	return "", qfs.ErrNotFound
+	return "", ErrNotFound
 }
 
 // GetProfile fetches a profile from the store
@@ -469,7 +468,7 @@ func (r *LocalStore) GetProfile(id ID) (*Profile, error) {
 		}
 	}
 
-	return nil, qfs.ErrNotFound
+	return nil, ErrNotFound
 }
 
 // ProfilesForUsername fetches all profile that match a username (Peername)
@@ -524,7 +523,7 @@ func (r *LocalStore) PeerProfile(id peer.ID) (*Profile, error) {
 		}
 	}
 
-	return nil, qfs.ErrNotFound
+	return nil, ErrNotFound
 }
 
 // DeleteProfile removes a profile from the store