objective categorical abstract machine language personal data server

Make auth consistent

futurGH 6372383c 6eac70fe

+79 -82
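--- a/pegasus/lib/api/actor/getPreferences.ml
+++ b/pegasus/lib/api/actor/getPreferences.ml
@@ -1,5 +1,5 @@
 let handler =
-Xrpc.handler ~auth:Auth.Verifiers.access (fun {db; auth; _} ->
+Xrpc.handler ~auth:Auth.Verifiers.authorization (fun {db; auth; _} ->
 let did = Auth.get_authed_did_exn auth in
 let%lwt prefs =
 match%lwt Data_store.get_actor_by_identifier did db with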
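Review bot: `Auth.Verifiers.authorization` hands a `Basic` header to `admin`, so this per-user handler can now be entered with `Admin` credentials, which carry no DID, and the next line calls `Auth.get_authed_did_exn auth`. `get_authed_did_exn` is not visible here, so confirm it produces a clean auth error for `Admin` rather than an unhandled exception, or keep `~auth:Auth.Verifiers.access` on endpoints that only make sense for a user session. A side effect is that any request to this endpoint with a `Basic` header now runs the admin password comparison. The same applies to the identical one-line change in putPreferences.ml, updateHandle.ml, uploadBlob.ml, getServiceAuth.ml and getSession.ml; the handler body continues outside the hunk.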
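--- a/pegasus/lib/api/actor/putPreferences.ml
+++ b/pegasus/lib/api/actor/putPreferences.ml
@@ -1,5 +1,5 @@
 let handler =
-Xrpc.handler ~auth:Auth.Verifiers.access (fun {req; db; auth} ->
+Xrpc.handler ~auth:Auth.Verifiers.authorization (fun {req; db; auth} ->
 let did = Auth.get_authed_did_exn auth in
 let%lwt body = Dream.body req in
 let prefs =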
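--- a/pegasus/lib/api/identity/updateHandle.ml
+++ b/pegasus/lib/api/identity/updateHandle.ml
@@ -23,7 +23,7 @@
 Ok ()
 
 let handler =
-Xrpc.handler ~auth:Auth.Verifiers.access (fun {req; auth; db} ->
+Xrpc.handler ~auth:Auth.Verifiers.authorization (fun {req; auth; db} ->
 let did = Auth.get_authed_did_exn auth in
 let%lwt body = Dream.body req in
 let handle =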
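--- a/pegasus/lib/api/repo/uploadBlob.ml
+++ b/pegasus/lib/api/repo/uploadBlob.ml
@@ -1,7 +1,7 @@
 type response = {blob: Mist.Blob_ref.typed_json_ref} [@@deriving yojson]
 
 let handler =
-Xrpc.handler ~auth:Auth.Verifiers.access (fun ctx ->
+Xrpc.handler ~auth:Auth.Verifiers.authorization (fun ctx ->
 let did = Auth.get_authed_did_exn ctx.auth in
 let mime_type =
 Option.value ~default:"application/octet-stream"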
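--- a/pegasus/lib/api/server/getServiceAuth.ml
+++ b/pegasus/lib/api/server/getServiceAuth.ml
@@ -1,7 +1,7 @@
 type response = {token: string} [@@deriving yojson {strict= false}]
 
 let handler =
-Xrpc.handler ~auth:Auth.Verifiers.access (fun {req; auth; db} ->
+Xrpc.handler ~auth:Auth.Verifiers.authorization (fun {req; auth; db} ->
 let did = Auth.get_authed_did_exn auth in
 let aud, lxm =
 match (Dream.query req "aud", Dream.query req "lxm") with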
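--- a/pegasus/lib/api/server/getSession.ml
+++ b/pegasus/lib/api/server/getSession.ml
@@ -1,7 +1,7 @@
 type response = Auth.session_info
 
 let handler =
-Xrpc.handler ~auth:Auth.Verifiers.access (fun {db; auth; _} ->
+Xrpc.handler ~auth:Auth.Verifiers.authorization (fun {db; auth; _} ->
 let did = Auth.get_authed_did_exn auth in
 let%lwt session = Auth.get_session_info did db in
 Dream.json @@ Yojson.Safe.to_string @@ Auth.session_info_to_yojson session )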
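--- a/pegasus/lib/auth.ml
+++ b/pegasus/lib/auth.ml
@@ -179,84 +179,81 @@
 
 type verifier = ctx -> (credentials, exn) Lwt_result.t
 
-let unauthenticated : verifier = function
-| {req; _} -> (
-match Dream.header req "authorization" with
-| Some _ ->
-Lwt.return_error
-@@ Errors.auth_required "Invalid authorization header"
-| None ->
-Lwt.return_ok Unauthenticated )
+let unauthenticated : verifier =
+fun {req; _} ->
+match Dream.header req "authorization" with
+| Some _ ->
+Lwt.return_error @@ Errors.auth_required "Invalid authorization header"
+| None ->
+Lwt.return_ok Unauthenticated
+
+let admin : verifier =
+fun {req; _} ->
+match parse_basic req with
+| Ok (username, password) -> (
+match (username, password) with
+| "admin", p when p = Env.admin_password ->
+Lwt.return_ok Admin
+| _ ->
+Lwt.return_error @@ Errors.auth_required "Invalid credentials" )
+| Error _ ->
+Lwt.return_error @@ Errors.auth_required "Invalid authorization header"
 
-let admin : verifier = function
-| {req; _} -> (
-match parse_basic req with
-| Ok (username, password) -> (
-match (username, password) with
-| "admin", p when p = Env.admin_password ->
-Lwt.return_ok Admin
-| _ ->
+let access : verifier =
+fun {req; db} ->
+match parse_bearer req with
+| Ok jwt -> (
+match%lwt verify_bearer_jwt db jwt "com.atproto.access" with
+| Ok {sub= did; _} -> (
+match%lwt Data_store.get_actor_by_identifier did db with
+| Some {deactivated_at= None; _} ->
+Lwt.return_ok (Access {did})
+| Some {deactivated_at= Some _; _} ->
+Lwt.return_error
+@@ Errors.auth_required ~name:"AccountDeactivated"
+"Account is deactivated"
+| None ->
+Lwt.return_error @@ Errors.auth_required "Invalid credentials" )
+| Error _ ->
 Lwt.return_error @@ Errors.auth_required "Invalid credentials" )
-| Error _ ->
-Lwt.return_error
-@@ Errors.auth_required "Invalid authorization header" )
+| Error _ ->
+Lwt.return_error @@ Errors.auth_required "Invalid authorization header"
 
-let access : verifier = function
-| {req; db} -> (
-match parse_bearer req with
-| Ok jwt -> (
-match%lwt verify_bearer_jwt db jwt "com.atproto.access" with
-| Ok {sub= did; _} -> (
-match%lwt Data_store.get_actor_by_identifier did db with
-| Some {deactivated_at= None; _} ->
-Lwt.return_ok (Access {did})
-| Some {deactivated_at= Some _; _} ->
-Lwt.return_error
-@@ Errors.auth_required ~name:"AccountDeactivated"
-"Account is deactivated"
-| None ->
-Lwt.return_error @@ Errors.auth_required "Invalid credentials"
-)
-| Error _ ->
-Lwt.return_error @@ Errors.auth_required "Invalid credentials" )
-| Error _ ->
-Lwt.return_error
-@@ Errors.auth_required "Invalid authorization header" )
+let refresh : verifier =
+fun {req; db} ->
+match parse_bearer req with
+| Ok jwt -> (
+match%lwt verify_bearer_jwt db jwt "com.atproto.refresh" with
+| Ok {sub= did; jti; _} -> (
+match%lwt Data_store.get_actor_by_identifier did db with
+| Some {deactivated_at= None; _} ->
+Lwt.return_ok (Refresh {did; jti})
+| Some {deactivated_at= Some _; _} ->
+Lwt.return_error
+@@ Errors.auth_required ~name:"AccountDeactivated"
+"Account is deactivated"
+| None ->
+Lwt.return_error @@ Errors.auth_required "Invalid credentials" )
+| Error "" | Error _ ->
+Lwt.return_error @@ Errors.auth_required "Invalid credentials" )
+| Error _ ->
+Lwt.return_error @@ Errors.auth_required "Invalid authorization header"
 
-let refresh : verifier = function
-| {req; db} -> (
-match parse_bearer req with
-| Ok jwt -> (
-match%lwt verify_bearer_jwt db jwt "com.atproto.refresh" with
-| Ok {sub= did; jti; _} -> (
-match%lwt Data_store.get_actor_by_identifier did db with
-| Some {deactivated_at= None; _} ->
-Lwt.return_ok (Refresh {did; jti})
-| Some {deactivated_at= Some _; _} ->
-Lwt.return_error
-@@ Errors.auth_required ~name:"AccountDeactivated"
-"Account is deactivated"
-| None ->
-Lwt.return_error @@ Errors.auth_required "Invalid credentials"
-)
-| Error "" | Error _ ->
-Lwt.return_error @@ Errors.auth_required "Invalid credentials" )
-| Error _ ->
-Lwt.return_error
-@@ Errors.auth_required "Invalid authorization header" )
+let authorization : verifier =
+fun ctx ->
+match
+Dream.header ctx.req "Authorization"
+|> Option.map @@ String.split_on_char ' '
+with
+| Some ("Basic" :: _) ->
+admin ctx
+| Some ("Bearer" :: _) ->
+access ctx
+| _ ->
+Lwt.return_error
+@@ Errors.auth_required ~name:"InvalidToken"
+"Unexpected authorization type"
 
-let authorization : verifier = function
-| ctx -> (
-match
-Dream.header ctx.req "Authorization"
-|> Option.map @@ String.split_on_char ' '
-with
-| Some ("Basic" :: _) ->
-admin ctx
-| Some ("Bearer" :: _) ->
-access ctx
-| _ ->
-Lwt.return_error
-@@ Errors.auth_required ~name:"InvalidToken"
-"Unexpected authorization type" )
+let any : verifier =
+fun ctx -> try authorization ctx with _ -> unauthenticated ctx
 end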
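Review bot: In the new `any` verifier, the fallback in `try authorization ctx with _ -> unauthenticated ctx` never runs for a failed verification, because every verifier here reports failure with `Lwt.return_error`, an `Error` value inside the promise, not a raised exception. A request with no `Authorization` header therefore falls into the `| _ ->` arm of `authorization` and `any` returns the `InvalidToken` error, so handlers relying on the default verifier would presumably reject anonymous callers. Branching on the header gives the intended behaviour and drops the catch-all `with _`: `fun ctx -> match Dream.header ctx.req "Authorization" with None -> Lwt.return_ok Unauthenticated | Some _ -> authorization ctx`. Separately, `admin` checks the password with `p = Env.admin_password`; since `authorization` and `any` now route Basic auth from many more endpoints into that check, a constant-time comparison would be worth using there.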
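--- a/pegasus/lib/xrpc.ml
+++ b/pegasus/lib/xrpc.ml
@@ -7,7 +7,7 @@
 
 type handler = context -> Dream.response Lwt.t
 
-let handler ?(auth : Auth.Verifiers.verifier = Auth.Verifiers.unauthenticated)
+let handler ?(auth : Auth.Verifiers.verifier = Auth.Verifiers.any)
 (hdlr : handler) (init : init) =
 let open Errors in
 match%lwt auth init with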
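Review bot: The default verifier of `handler` changes from `unauthenticated` to `any` with nothing at the definition recording it: a handler registered without `~auth` used to see only `Unauthenticated` (a request carrying an `Authorization` header was rejected), and can now be handed `Access` or `Admin` credentials. Add a doc comment above `let handler`, for example `(** [handler ?auth hdlr init] runs [auth] before [hdlr]; when [?auth] is omitted, [Auth.Verifiers.any] is used, so [hdlr] must not assume the caller is anonymous. *)`. Endpoints that must stay strictly anonymous or strictly authenticated should pass `~auth` explicitly instead of relying on the default. The body of `handler` continues outside the hunk.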