broad strokes

cmd/server/main.go

@@ -244,6 +244,7 @@ func runroomsrv() error {
 			RoomID:     roomsrv.Whoami(),
 		},
 		roomsrv.StateManager,
+		roomsrv.Network,
 		handlers.Databases{
 			Aliases:       db.Aliases,
 			AuthWithSSB:   db.AuthWithSSB,

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/volatiletech/sqlboiler-sqlite3 v0.0.0-20210314195744-a1c697a68aef // indirect
 	github.com/volatiletech/sqlboiler/v4 v4.5.0
 	github.com/volatiletech/strmangle v0.0.1
-	go.cryptoscope.co/muxrpc/v2 v2.0.0-20210202162901-fe642d405dc6
+	go.cryptoscope.co/muxrpc/v2 v2.0.0-beta.1.0.20210308090127-5f1f5f9cbb59
 	go.cryptoscope.co/netwrap v0.1.1
 	go.cryptoscope.co/secretstream v1.2.2
 	go.mindeco.de v1.8.0

go.sum

@@ -463,6 +463,8 @@ go.cryptoscope.co/margaret v0.0.12-0.20190912103626-34323ad497f4 h1:gLSldWRujtUO
 go.cryptoscope.co/margaret v0.0.12-0.20190912103626-34323ad497f4/go.mod h1:3rt+RmZTFZEgfvFxz0ZPDBIWtLJOouWtzV6YbBl6sek=
 go.cryptoscope.co/muxrpc/v2 v2.0.0-20210202162901-fe642d405dc6 h1:p135TwijE3DbmklGygc7++MMRRVlujmjqed8kEOmwLs=
 go.cryptoscope.co/muxrpc/v2 v2.0.0-20210202162901-fe642d405dc6/go.mod h1:MgaeojIkWY3lLuoNw1mlMT3b3jiZwOj/fgsoGZp/VNA=
+go.cryptoscope.co/muxrpc/v2 v2.0.0-beta.1.0.20210308090127-5f1f5f9cbb59 h1:Gv5pKkvHYJNc12uRZ/jMCsR17G7v6oFLLCrGAUVxhvo=
+go.cryptoscope.co/muxrpc/v2 v2.0.0-beta.1.0.20210308090127-5f1f5f9cbb59/go.mod h1:MgaeojIkWY3lLuoNw1mlMT3b3jiZwOj/fgsoGZp/VNA=
 go.cryptoscope.co/netwrap v0.1.0/go.mod h1:7zcYswCa4CT+ct54e9uH9+IIbYYETEMHKDNpzl8Ukew=
 go.cryptoscope.co/netwrap v0.1.1 h1:JLzzGKEvrUrkKzu3iM0DhpHmt+L/gYqmpcf1lJMUyFs=
 go.cryptoscope.co/netwrap v0.1.1/go.mod h1:7zcYswCa4CT+ct54e9uH9+IIbYYETEMHKDNpzl8Ukew=

internal/network/interface.go

@@ -24,13 +24,19 @@ type EndpointStat struct {
 	Endpoint muxrpc.Endpoint
 }
 
+//go:generate counterfeiter -o mocked/endpoints.go . Endpoints
+
+type Endpoints interface {
+	GetEndpointFor(refs.FeedRef) (muxrpc.Endpoint, bool)
+}
+
 type Network interface {
 	Connect(ctx context.Context, addr net.Addr) error
 	Serve(context.Context, ...muxrpc.HandlerWrapper) error
 	GetListenAddr() net.Addr
 
 	GetAllEndpoints() []EndpointStat
-	GetEndpointFor(refs.FeedRef) (muxrpc.Endpoint, bool)
+	Endpoints
 
 	GetConnTracker() ConnTracker
 

internal/signinwithssb/challenges.go

@@ -0,0 +1,66 @@
+package signinwithssb
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+
+	"golang.org/x/crypto/ed25519"
+
+	refs "go.mindeco.de/ssb-refs"
+)
+
+// sign-in with ssb uses 256-bit nonces
+const challengeLength = 32
+
+func DecodeChallengeString(c string) ([]byte, error) {
+	challangeBytes, err := base64.URLEncoding.DecodeString(c)
+	if err != nil {
+		return nil, fmt.Errorf("invalid challenge encoding: %w", err)
+	}
+
+	if n := len(challangeBytes); n != challengeLength {
+		return nil, fmt.Errorf("invalid challenge length: expected %d but got %d", challengeLength, n)
+	}
+
+	return challangeBytes, nil
+}
+
+func GenerateChallenge() string {
+	buf := make([]byte, challengeLength)
+	rand.Read(buf)
+	return base64.URLEncoding.EncodeToString(buf)
+}
+
+// this structure is used to verify an incoming client response
+type ClientRequest struct {
+	ClientID, ServerID refs.FeedRef
+
+	ClientChallange string
+	ServerChallange string
+}
+
+// recreate the signed message
+func (cr ClientRequest) createMessage() []byte {
+	var msg bytes.Buffer
+	msg.WriteString("=http-auth-sign-in:")
+	msg.WriteString(cr.ClientID.Ref())
+	msg.WriteString(":")
+	msg.WriteString(cr.ServerID.Ref())
+	msg.WriteString(":")
+	msg.WriteString(cr.ClientChallange)
+	msg.WriteString(":")
+	msg.WriteString(cr.ServerChallange)
+	return msg.Bytes()
+}
+
+func (cr ClientRequest) Sign(privateKey ed25519.PrivateKey) []byte {
+	msg := cr.createMessage()
+	return ed25519.Sign(privateKey, msg)
+}
+
+func (cr ClientRequest) Validate(signature []byte) bool {
+	msg := cr.createMessage()
+	return ed25519.Verify(cr.ClientID.PubKey(), msg, signature)
+}

web/errors/badrequest.go

@@ -23,3 +23,11 @@ type ErrBadRequest struct {
 func (br ErrBadRequest) Error() string {
 	return fmt.Sprintf("rooms/web: bad request error: %s", br.Details)
 }
+
+type ErrForbidden struct {
+	Details error
+}
+
+func (f ErrForbidden) Error() string {
+	return fmt.Sprintf("rooms/web: access denied: %s", f.Details)
+}

web/handlers/auth/handler.go

@@ -5,12 +5,14 @@ package auth
 import (
 	"net/http"
 
-	"github.com/go-kit/kit/log/level"
+	"github.com/ssb-ngi-pointer/go-ssb-room/internal/network"
+	"github.com/ssb-ngi-pointer/go-ssb-room/roomdb"
+
 	"github.com/gorilla/csrf"
 	"github.com/gorilla/mux"
 	"go.mindeco.de/http/auth"
 	"go.mindeco.de/http/render"
-	"go.mindeco.de/logging"
+	refs "go.mindeco.de/ssb-refs"
 
 	"github.com/ssb-ngi-pointer/go-ssb-room/web/router"
 )
@@ -20,26 +22,35 @@ var HTMLTemplates = []string{
 	"auth/withssb_sign_in.tmpl",
 }
 
-func Handler(m *mux.Router, r *render.Renderer, a *auth.Handler) http.Handler {
+func Handler(
+	m *mux.Router,
+	r *render.Renderer,
+	ah *auth.Handler,
+	roomID refs.FeedRef,
+	endpoints network.Endpoints,
+	aliasDB roomdb.AliasService,
+	allowListDB roomdb.AllowListService,
+) http.Handler {
 	if m == nil {
 		m = router.Auth(nil)
 	}
 
+	// just the form
 	m.Get(router.AuthFallbackSignInForm).Handler(r.HTML("auth/fallback_sign_in.tmpl", func(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 		return map[string]interface{}{
 			csrf.TemplateTag: csrf.TemplateField(req),
 		}, nil
 	}))
 
-	m.Get(router.AuthFallbackSignIn).HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		logger := logging.FromContext(req.Context())
-		level.Info(logger).Log("event", "authorize request")
-		a.Authorize(w, req)
-	})
-
-	m.Get(router.AuthFallbackSignOut).HandlerFunc(a.Logout)
+	// hook up the auth handler to the router
+	m.Get(router.AuthFallbackSignIn).HandlerFunc(ah.Authorize)
+	m.Get(router.AuthFallbackSignOut).HandlerFunc(ah.Logout)
 
 	var ssb withssbHandler
+	ssb.roomID = roomID
+	ssb.aliases = aliasDB
+	ssb.allowList = allowListDB
+	ssb.endpoints = endpoints
 	m.Get(router.AuthWithSSBSignIn).HandlerFunc(r.HTML("auth/withssb_sign_in.tmpl", ssb.login))
 
 	return m