futur.blue / pegasus
objective categorical abstract machine language personal data server
65
fork

Configure Feed

Select the types of activity you want to include in your feed.

Fix using JWT privkey as pubkey

futurGH 05a9444d 604ab928

+22 -10
+5 -1
kleidos/kleidos.ml
··· 57 57 58 58 let normalize_pubkey_to_raw key : bytes = 59 59 match Bytes.length key with 60 - | 64 | 32 -> 60 + | 64 -> 61 61 key 62 62 | 65 -> ( 63 63 match K256.uncompressed_to_raw key with ··· 220 220 let pubkey_to_did_key pubkey : string = 221 221 let pubkey, (module Curve : CURVE) = pubkey in 222 222 Curve.pubkey_to_did_key pubkey 223 + 224 + let derive_pubkey privkey : key = 225 + let privkey, (module Curve : CURVE) = privkey in 226 + (Curve.derive_pubkey ~privkey, (module Curve : CURVE)) 223 227 224 228 let privkey_to_multikey privkey : string = 225 229 let privkey, (module Curve : CURVE) = privkey in
+12 -7
pegasus/lib/auth.ml
··· 189 189 | Error e -> 190 190 Lwt.return_error @@ Errors.invalid_request ("dpop error: " ^ e) 191 191 | Ok token -> ( 192 - match%lwt dpop {req; db} with 192 + match 193 + Oauth.Dpop.verify_dpop_proof 194 + ~mthd:(Dream.method_to_string @@ Dream.method_ req) 195 + ~url:(Dream.target req) ~dpop_header:(Dream.header req "DPoP") 196 + ~access_token:token () 197 + with 198 + | Error "use_dpop_nonce" -> 199 + Lwt.return_error @@ Errors.use_dpop_nonce () 193 200 | Error e -> 194 - Lwt.return_error e 195 - | Ok (DPoP {proof}) -> ( 196 - match Jwt.verify_jwt token Env.jwt_key with 201 + Lwt.return_error @@ Errors.invalid_request ("dpop error: " ^ e) 202 + | Ok proof -> ( 203 + match Jwt.verify_jwt token Env.jwt_pubkey with 197 204 | Error e -> 198 205 Lwt.return_error @@ Errors.auth_required e 199 206 | Ok (_header, claims) -> ( ··· 230 237 @@ Errors.auth_required "invalid credentials" 231 238 with _ -> 232 239 Lwt.return_error @@ Errors.auth_required "malformed JWT claims" ) 233 - ) 234 - | Ok _ -> 235 - Lwt.return_error @@ Errors.auth_required "invalid credentials" ) 240 + ) ) 236 241 237 242 let refresh : verifier = 238 243 fun {req; db} ->
+2
pegasus/lib/env.ml
··· 15 15 16 16 let jwt_key = getenv "JWK_MULTIBASE" |> Kleidos.parse_multikey_str 17 17 18 + let jwt_pubkey = Kleidos.derive_pubkey jwt_key 19 + 18 20 let admin_password = getenv "ADMIN_PASSWORD" 19 21 20 22 let dpop_nonce_secret =
+3 -2
pegasus/lib/oauth/dpop.ml
··· 175 175 else if iat - now > 5 then Error "dpop proof in future" 176 176 else if not (add_jti jti) then 177 177 Error "dpop proof replay detected" 178 - else if not (verify_signature jwt jwk) then 179 - Error "invalid dpop signature" 178 + else if 179 + not (try verify_signature jwt jwk with _ -> false) 180 + then Error "invalid dpop signature" 180 181 else 181 182 let jkt = compute_jwk_thumbprint jwk in 182 183 (* verify ath if access token is provided *)