Our Personal Data Server from scratch!

fix(auth): keep lxm optional and dont default to * when no lxm is given in getServiceAuth

authored by

nelind and committed by tangled.org add1ff17 bdb200a3

+19 -9
+3 -2
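--- a/crates/tranquil-api/src/moderation/mod.rs
+++ b/crates/tranquil-api/src/moderation/mod.rs
@@ -138,7 +138,7 @@
 let service_token = match tranquil_pds::auth::create_service_token(
 &auth_user.did,
 service_did,
-"com.atproto.moderation.createReport",
+Some("com.atproto.moderation.createReport"),
 &key_bytes,
 ) {
 Ok(t) => t,
@@ -226,7 +226,8 @@
 let subject_json = json!(input.subject);
 
 if let Err(e) = state
-.repos.infra
+.repos
+.infra
 .insert_report(
 report_id,
 input.reason_type.as_str(),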
+1 -2
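--- a/crates/tranquil-api/src/server/service_auth.rs
+++ b/crates/tranquil-api/src/server/service_auth.rs
@@ -112,7 +112,6 @@
 };
 
 let lxm = params.lxm.as_ref();
-let lxm_for_token = lxm.map_or("*", |v| v.as_str());
 
 if let Some(method) = lxm {
 if let Err(e) = tranquil_pds::auth::scope_check::check_rpc_scope(
@@ -173,7 +172,7 @@
 let service_token = match tranquil_pds::auth::create_service_token(
 &auth.did,
 params.aud.as_str(),
-lxm_for_token,
+lxm.map(|v| v.as_str()),
 &key_bytes,
 ) {
 Ok(t) => t,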
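Review bot: When `params.lxm` is absent, the `if let Some(method) = lxm` branch holding `check_rpc_scope` is never entered, and the token is now minted with no `lxm` claim at all, so it is not bound to any method. The lines between the two hunks are not visible, so a separate guard for this case may already exist; if it does not, the method-less path needs its own restriction. As far as I recall, the upstream reference PDS limits such tokens to a very short lifetime. At minimum, record the intent next to the call, for example `// lxm is None: token is not method-bound and the RPC scope check was skipped; lifetime must stay short`. The handler starts and ends outside both hunks.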
+7 -2
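--- a/crates/tranquil-auth/src/token.rs
+++ b/crates/tranquil-auth/src/token.rs
@@ -74,7 +74,12 @@
 )
 }
 
-pub fn create_service_token(did: &str, aud: &str, lxm: &str, key_bytes: &[u8]) -> Result<String> {
+pub fn create_service_token(
+did: &str,
+aud: &str,
+lxm: Option<&str>,
+key_bytes: &[u8],
+) -> Result<String> {
 let signing_key = SigningKey::from_slice(key_bytes)?;
 
 let expiration = Utc::now()
@@ -89,7 +94,7 @@
 exp: expiration,
 iat: Utc::now().timestamp(),
 scope: None,
-lxm: Some(lxm.to_string()),
+lxm: lxm.map(ToOwned::to_owned),
 jti: uuid::Uuid::new_v4().to_string(),
 act: None,
 };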
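Review bot: The public `create_service_token` gains an `lxm: Option<&str>` parameter with no doc comment, and `None` changes what the token authorises: the claims are built with `lxm: lxm.map(ToOwned::to_owned)`, so the token carries no method binding. I would add `/// `lxm` binds the token to a single XRPC method; `None` omits the claim, so pass `Some(..)` whenever the method is known.` above the signature. The claims struct is not shown here, so it is also worth confirming that a `None` field is skipped during serialisation rather than emitted as `"lxm": null`, which some verifiers may treat differently from an absent claim. The function body continues outside both hunks.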
+1 -1
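--- a/crates/tranquil-pds/src/api/proxy.rs
+++ b/crates/tranquil-pds/src/api/proxy.rs
@@ -290,7 +290,7 @@
 match crate::auth::create_service_token(
 &auth_user.did,
 &resolved.did,
-method,
+Some(method),
 &key_bytes,
 ) {
 Ok(new_token) => {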
+7 -2
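--- a/crates/tranquil-pds/tests/jwt_security.rs
+++ b/crates/tranquil-pds/tests/jwt_security.rs
@@ -166,8 +166,13 @@
 .contains("Invalid token type")
 );
 
-let service_token =
-create_service_token(did, "did:web:target", "com.example.method", &key_bytes).unwrap();
+let service_token = create_service_token(
+did,
+"did:web:target",
+Some("com.example.method"),
+&key_bytes,
+)
+.unwrap();
 assert!(
 verify_access_token(&service_token, &key_bytes).is_err(),
 "Service token as access must be rejected"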
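Review bot: Nothing in this test exercises the `None` path the commit introduces; the hunk only adapts the existing call to `Some("com.example.method")`. A method-less service token is the new security-relevant case, so it should get the same rejection check, for example `let no_lxm = create_service_token(did, "did:web:target", None, &key_bytes).unwrap();` followed by `assert!(verify_access_token(&no_lxm, &key_bytes).is_err());`. A further assertion that the decoded claims contain no `lxm` (rather than `"*"`) would pin the behaviour named in the commit title. The enclosing test function starts and ends outside the hunk.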