-191

src/lib/handlers/handshake.ts

reviewed

··· 1 1 - import { OWNER_DID, SERVICE_DID } from "@/lib/env"; 2 2 - import { issueNewLatticeToken } from "@/lib/sessions"; 3 3 - import { HttpGeneralErrorType } from "@/lib/types/http/errors"; 4 4 - import { handshakeDataSchema } from "@/lib/types/http/handlers"; 5 5 - import { systemsGmstnDevelopmentChannelRecordSchema } from "@/lib/types/lexicon/systems.gmstn.development.channel"; 6 6 - import type { RouteHandler } from "@/lib/types/routes"; 7 7 - import { stringToAtUri } from "@/lib/utils/atproto"; 8 8 - import { 9 9 - getConstellationBacklink, 10 10 - getPdsRecordFromBacklink, 11 11 - } from "@/lib/utils/constellation"; 12 12 - import { 13 13 - newErrorResponse, 14 14 - newSuccessResponse, 15 15 - } from "@/lib/utils/http/responses"; 16 16 - import { verifyServiceJwt } from "@/lib/utils/verifyJwt"; 17 17 - import { z } from "zod"; 18 18 - 19 19 - export const handshakeHandler: RouteHandler = async (req) => { 20 20 - const { 21 21 - success: handshakeParseSuccess, 22 22 - error: handshakeParseError, 23 23 - data: handshakeData, 24 24 - } = handshakeDataSchema.safeParse(req.body); 25 25 - if (!handshakeParseSuccess) { 26 26 - return newErrorResponse(400, { 27 27 - message: HttpGeneralErrorType.TYPE_ERROR, 28 28 - details: z.treeifyError(handshakeParseError), 29 29 - }); 30 30 - } 31 31 - 32 32 - const { interServiceJwt, channelAtUris: channelAtUriStrings } = 33 33 - handshakeData; 34 34 - const allowedChannels = channelAtUriStrings.map((channel) => { 35 35 - const res = stringToAtUri(channel); 36 36 - if (!res.ok) return; 37 37 - return res.data; 38 38 - }); 39 39 - 40 40 - const verifyJwtResult = await verifyServiceJwt(interServiceJwt); 41 41 - if (!verifyJwtResult.ok) { 42 42 - const { error } = verifyJwtResult; 43 43 - return newErrorResponse( 44 44 - 401, 45 45 - { 46 46 - message: 47 47 - "JWT authentication failed. Did you submit the right inter-service JWT to the right endpoint with the right signatures?", 48 48 - details: error, 49 49 - }, 50 50 - { 51 51 - headers: { 52 52 - "WWW-Authenticate": 53 53 - 'Bearer error="invalid_token", error_description="JWT signature verification failed"', 54 54 - }, 55 55 - }, 56 56 - ); 57 57 - } 58 58 - 59 59 - // TODO: 60 60 - // if(PRIVATE_SHARD) doAllowCheck() 61 61 - // see the sequence diagram for the proper flow. 62 62 - // not implemented for now because we support public first 63 63 - 64 64 - const constellationResponse = await getConstellationBacklink({ 65 65 - subject: `at://${OWNER_DID}/systems.gmstn.development.shard/${SERVICE_DID.slice(8)}`, 66 66 - source: { 67 67 - nsid: "systems.gmstn.development.channel", 68 68 - fieldName: "storeAt.uri", 69 69 - }, 70 70 - }); 71 71 - if (!constellationResponse.ok) { 72 72 - const { error } = constellationResponse; 73 73 - if ("fetchStatus" in error) 74 74 - return newErrorResponse(error.fetchStatus, { 75 75 - message: 76 76 - "Could not fetch backlinks from constellation. Likely something went wrong on our side.", 77 77 - details: error.message, 78 78 - }); 79 79 - else 80 80 - return newErrorResponse(400, { 81 81 - message: HttpGeneralErrorType.TYPE_ERROR, 82 82 - details: z.treeifyError(error), 83 83 - }); 84 84 - } 85 85 - 86 86 - const pdsRecordFetchPromises = constellationResponse.data.records.map( 87 87 - async (backlink) => { 88 88 - const recordResult = await getPdsRecordFromBacklink(backlink); 89 89 - if (!recordResult.ok) { 90 90 - console.error( 91 91 - `something went wrong fetching the record from the given backlink ${JSON.stringify(backlink)}`, 92 92 - ); 93 93 - throw new Error( 94 94 - JSON.stringify({ error: recordResult.error, backlink }), 95 95 - ); 96 96 - } 97 97 - return recordResult.data; 98 98 - }, 99 99 - ); 100 100 - 101 101 - let pdsChannelRecords; 102 102 - try { 103 103 - pdsChannelRecords = await Promise.all(pdsRecordFetchPromises); 104 104 - } catch (err) { 105 105 - return newErrorResponse(500, { 106 106 - message: 107 107 - "Something went wrong when fetching backlink channel records. Check the Shard logs if possible.", 108 108 - details: err, 109 109 - }); 110 110 - } 111 111 - 112 112 - const { 113 113 - success: channelRecordsParseSuccess, 114 114 - error: channelRecordsParseError, 115 115 - data: channelRecordsParsed, 116 116 - } = z 117 117 - .array(systemsGmstnDevelopmentChannelRecordSchema) 118 118 - .safeParse(pdsChannelRecords); 119 119 - if (!channelRecordsParseSuccess) { 120 120 - return newErrorResponse(500, { 121 121 - message: 122 122 - "One of the backlinks returned by Constellation did not resolve to a proper lexicon Channel record.", 123 123 - details: z.treeifyError(channelRecordsParseError), 124 124 - }); 125 125 - } 126 126 - 127 127 - // TODO: 128 128 - // for private shards, ensure that the channels described by constellation backlinks are made 129 129 - // by authorised parties (check owner pds for workspace management permissions) 130 130 - // do another fetch to owner's pds first to grab the records, then cross-reference with the 131 131 - // did of the backlink. if there are any channels described by unauthorised parties, simply drop them. 132 132 - 133 133 - let mismatchOrIncorrect = false; 134 134 - const requestingLatticeDid = verifyJwtResult.value.issuer; 135 135 - 136 136 - channelRecordsParsed.forEach((channel) => { 137 137 - if (mismatchOrIncorrect) return; 138 138 - 139 139 - const { storeAt: storeAtRecord, routeThrough: routeThroughRecord } = 140 140 - channel; 141 141 - const storeAtRecordParseResult = stringToAtUri(storeAtRecord.uri); 142 142 - if (!storeAtRecordParseResult.ok) { 143 143 - mismatchOrIncorrect = true; 144 144 - return; 145 145 - } 146 146 - const storeAtUri = storeAtRecordParseResult.data; 147 147 - 148 148 - // FIXME: this assumes that the current shard's SERVICE_DID is a did:web. 149 149 - // we should resolve the full record or add something that can tell us where to find this shard. 150 150 - // likely, we should simply resolve the described shard record, which we can technically do faaaaar earlier on in the request 151 151 - // or even store it in memory upon first boot of a shard. 152 152 - // also incorrectly assumes that the storeAt rkey is a domain when it can in fact be anything. 153 153 - // we should probably just resolve this properly first but for now, i cba. 154 154 - if (storeAtUri.rKey !== SERVICE_DID.slice(8)) { 155 155 - mismatchOrIncorrect = true; 156 156 - return; 157 157 - } 158 158 - 159 159 - const routeThroughRecordParseResult = stringToAtUri( 160 160 - routeThroughRecord.uri, 161 161 - ); 162 162 - if (!routeThroughRecordParseResult.ok) { 163 163 - mismatchOrIncorrect = true; 164 164 - return; 165 165 - } 166 166 - const routeThroughUri = routeThroughRecordParseResult.data; 167 167 - 168 168 - // FIXME: this also assumes that the requesting lattice's DID is a did:web 169 169 - // see above for the rest of the issues. 170 170 - if (routeThroughUri.rKey === requestingLatticeDid.slice(8)) { 171 171 - mismatchOrIncorrect = true; 172 172 - return; 173 173 - } 174 174 - }); 175 175 - 176 176 - // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition 177 177 - if (mismatchOrIncorrect) 178 178 - return newErrorResponse(400, { 179 179 - message: 180 180 - "Channels provided during the handshake had a mismatch between the channel values. Ensure that you are only submitting exactly the channels you have access to.", 181 181 - }); 182 182 - 183 183 - // yipee, it's a valid request :3 184 184 - 185 185 - const sessionInfo = issueNewLatticeToken({ 186 186 - allowedChannels, 187 187 - clientDid: verifyJwtResult.value.issuer, 188 188 - }); 189 189 - 190 190 - return newSuccessResponse({ sessionInfo }); 191 191 - };

+232

src/lib/handlers/latticeHandshake.ts

reviewed

··· 1 1 + import { SERVICE_DID } from "@/lib/env"; 2 2 + import { issueNewLatticeToken } from "@/lib/sessions"; 3 3 + import { shardSessions } from "@/lib/state"; 4 4 + import { HttpGeneralErrorType } from "@/lib/types/http/errors"; 5 5 + import { latticeHandshakeDataSchema } from "@/lib/types/http/handlers"; 6 6 + import { systemsGmstnDevelopmentChannelRecordSchema } from "@/lib/types/lexicon/systems.gmstn.development.channel"; 7 7 + import { systemsGmstnDevelopmentChannelInviteRecordSchema } from "@/lib/types/lexicon/systems.gmstn.development.channel.invite"; 8 8 + import type { RouteHandler } from "@/lib/types/routes"; 9 9 + import { getRecordFromFullAtUri, stringToAtUri } from "@/lib/utils/atproto"; 10 10 + import { 11 11 + newErrorResponse, 12 12 + newSuccessResponse, 13 13 + } from "@/lib/utils/http/responses"; 14 14 + import { verifyServiceJwt } from "@/lib/utils/verifyJwt"; 15 15 + import { z } from "zod"; 16 16 + 17 17 + export const latticeHandshakeHandler: RouteHandler = async (req) => { 18 18 + const { 19 19 + success: handshakeParseSuccess, 20 20 + error: handshakeParseError, 21 21 + data: handshakeData, 22 22 + } = latticeHandshakeDataSchema.safeParse(req.body); 23 23 + if (!handshakeParseSuccess) { 24 24 + return newErrorResponse(400, { 25 25 + message: HttpGeneralErrorType.TYPE_ERROR, 26 26 + details: z.treeifyError(handshakeParseError), 27 27 + }); 28 28 + } 29 29 + 30 30 + const { interServiceJwt, memberships } = handshakeData; 31 31 + 32 32 + const verifyJwtResult = await verifyServiceJwt(interServiceJwt); 33 33 + if (!verifyJwtResult.ok) { 34 34 + const { error } = verifyJwtResult; 35 35 + return newErrorResponse( 36 36 + 401, 37 37 + { 38 38 + message: 39 39 + "JWT authentication failed. Did you submit the right inter-service JWT to the right endpoint with the right signatures?", 40 40 + details: error, 41 41 + }, 42 42 + { 43 43 + headers: { 44 44 + "WWW-Authenticate": 45 45 + 'Bearer error="invalid_token", error_description="JWT signature verification failed"', 46 46 + }, 47 47 + }, 48 48 + ); 49 49 + } 50 50 + 51 51 + const { value: verifiedJwt } = verifyJwtResult; 52 52 + 53 53 + // TODO: 54 54 + // if(PRIVATE_LATTICE) doAllowCheck() 55 55 + // see the sequence diagram for the proper flow. 56 56 + // not implemented for now because we support public first 57 57 + 58 58 + const pdsInviteRecordFetchPromises = memberships.map(async (membership) => { 59 59 + const inviteAtUriResult = stringToAtUri(membership.invite.uri); 60 60 + if (!inviteAtUriResult.ok) return; 61 61 + const { data: inviteAtUri } = inviteAtUriResult; 62 62 + if (!inviteAtUri.collection || !inviteAtUri.rKey) return; 63 63 + const recordResult = await getRecordFromFullAtUri(inviteAtUri); 64 64 + if (!recordResult.ok) { 65 65 + console.error( 66 66 + `something went wrong fetching the record from the given membership ${JSON.stringify(membership)}`, 67 67 + ); 68 68 + throw new Error( 69 69 + JSON.stringify({ error: recordResult.error, membership }), 70 70 + ); 71 71 + } 72 72 + return recordResult.data; 73 73 + }); 74 74 + 75 75 + let pdsInviteRecords; 76 76 + try { 77 77 + pdsInviteRecords = await Promise.all(pdsInviteRecordFetchPromises); 78 78 + } catch (err) { 79 79 + return newErrorResponse(500, { 80 80 + message: 81 81 + "Something went wrong when fetching membership channel records. Check the Shard logs if possible.", 82 82 + details: err, 83 83 + }); 84 84 + } 85 85 + 86 86 + const { 87 87 + success: inviteRecordsParseSuccess, 88 88 + error: inviteRecordsParseError, 89 89 + data: inviteRecordsParsed, 90 90 + } = z 91 91 + .array(systemsGmstnDevelopmentChannelInviteRecordSchema) 92 92 + .safeParse(pdsInviteRecords); 93 93 + if (!inviteRecordsParseSuccess) { 94 94 + return newErrorResponse(500, { 95 95 + message: 96 96 + "One of the membership records provided did not resolve to a proper lexicon Invite record.", 97 97 + details: z.treeifyError(inviteRecordsParseError), 98 98 + }); 99 99 + } 100 100 + 101 101 + for (const invite of inviteRecordsParsed) { 102 102 + if (invite.recipient !== verifiedJwt.issuer) 103 103 + return newErrorResponse(403, { 104 104 + message: 105 105 + "Memberships resolved to invites, but the provided JWT's issuer does not match with the recipient DIDs of the invites. Please check the provided membership records.", 106 106 + }); 107 107 + } 108 108 + 109 109 + const pdsChannelRecordFetchPromises = inviteRecordsParsed.map( 110 110 + async (invite) => { 111 111 + const channelAtUriResult = stringToAtUri(invite.channel.uri); 112 112 + if (!channelAtUriResult.ok) return; 113 113 + const { data: channelAtUri } = channelAtUriResult; 114 114 + if (!channelAtUri.collection || !channelAtUri.rKey) return; 115 115 + const recordResult = await getRecordFromFullAtUri(channelAtUri); 116 116 + if (!recordResult.ok) { 117 117 + console.error( 118 118 + `something went wrong fetching the record from the given membership ${JSON.stringify(invite)}`, 119 119 + ); 120 120 + throw new Error( 121 121 + JSON.stringify({ error: recordResult.error, invite }), 122 122 + ); 123 123 + } 124 124 + return recordResult.data; 125 125 + }, 126 126 + ); 127 127 + 128 128 + let pdsChannelRecords; 129 129 + try { 130 130 + pdsChannelRecords = await Promise.all(pdsChannelRecordFetchPromises); 131 131 + } catch (err) { 132 132 + return newErrorResponse(500, { 133 133 + message: 134 134 + "Something went wrong when fetching membership channel records. Check the Shard logs if possible.", 135 135 + details: err, 136 136 + }); 137 137 + } 138 138 + 139 139 + const { 140 140 + success: channelRecordsParseSuccess, 141 141 + error: channelRecordsParseError, 142 142 + data: channelRecordsParsed, 143 143 + } = z 144 144 + .array(systemsGmstnDevelopmentChannelRecordSchema) 145 145 + .safeParse(pdsChannelRecords); 146 146 + if (!channelRecordsParseSuccess) { 147 147 + return newErrorResponse(500, { 148 148 + message: 149 149 + "One of the membership records provided did not resolve to a proper lexicon Channel record.", 150 150 + details: z.treeifyError(channelRecordsParseError), 151 151 + }); 152 152 + } 153 153 + 154 154 + // TODO: 155 155 + // for private shards, ensure that the channels described by constellation backlinks are made 156 156 + // by authorised parties (check owner pds for workspace management permissions) 157 157 + // do another fetch to owner's pds first to grab the records, then cross-reference with the 158 158 + // did of the backlink. if there are any channels described by unauthorised parties, simply drop them. 159 159 + 160 160 + let mismatchOrIncorrect = false; 161 161 + const existingShardConnectionShardDids = shardSessions 162 162 + .keys() 163 163 + .toArray() 164 164 + .map((shardConnections) => { 165 165 + return shardConnections.shardDid.slice(8); 166 166 + }); 167 167 + 168 168 + channelRecordsParsed.forEach((channel) => { 169 169 + if (mismatchOrIncorrect) return; 170 170 + 171 171 + const { storeAt: storeAtRecord, routeThrough: routeThroughRecord } = 172 172 + channel; 173 173 + 174 174 + const routeThroughRecordParseResult = stringToAtUri( 175 175 + routeThroughRecord.uri, 176 176 + ); 177 177 + if (!routeThroughRecordParseResult.ok) { 178 178 + mismatchOrIncorrect = true; 179 179 + return; 180 180 + } 181 181 + const routeThroughUri = routeThroughRecordParseResult.data; 182 182 + 183 183 + // FIXME: this also assumes that the requesting lattice's DID is a did:web 184 184 + // see below for the rest of the issues. 185 185 + if (routeThroughUri.rKey === SERVICE_DID.slice(8)) { 186 186 + mismatchOrIncorrect = true; 187 187 + return; 188 188 + } 189 189 + const storeAtRecordParseResult = stringToAtUri(storeAtRecord.uri); 190 190 + if (!storeAtRecordParseResult.ok) { 191 191 + mismatchOrIncorrect = true; 192 192 + return; 193 193 + } 194 194 + const storeAtUri = storeAtRecordParseResult.data; 195 195 + 196 196 + // FIXME: this assumes that the current shard's SERVICE_DID is a did:web. 197 197 + // we should resolve the full record or add something that can tell us where to find this shard. 198 198 + // likely, we should simply resolve the described shard record, which we can technically do faaaaar earlier on in the request 199 199 + // or even store it in memory upon first boot of a shard. 200 200 + // also incorrectly assumes that the storeAt rkey is a domain when it can in fact be anything. 201 201 + // we should probably just resolve this properly first but for now, i cba. 202 202 + 203 203 + if (!storeAtUri.rKey) return; 204 204 + 205 205 + if (!existingShardConnectionShardDids.includes(storeAtUri.rKey)) { 206 206 + mismatchOrIncorrect = true; 207 207 + return; 208 208 + } 209 209 + }); 210 210 + 211 211 + // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition 212 212 + if (mismatchOrIncorrect) 213 213 + return newErrorResponse(400, { 214 214 + message: 215 215 + "Channels provided during the handshake had a mismatch between the channel values. Ensure that you are only submitting exactly the channels you have access to.", 216 216 + }); 217 217 + 218 218 + // yipee, it's a valid request :3 219 219 + 220 220 + const allowedChannels = inviteRecordsParsed.map((invite) => { 221 221 + const res = stringToAtUri(invite.channel.uri); 222 222 + if (!res.ok) return; 223 223 + return res.data; 224 224 + }); 225 225 + 226 226 + const sessionInfo = issueNewLatticeToken({ 227 227 + allowedChannels, 228 228 + clientDid: verifyJwtResult.value.issuer, 229 229 + }); 230 230 + 231 231 + return newSuccessResponse({ sessionInfo }); 232 232 + };

+12

src/lib/types/lexicon/systems.gmstn.development.channel.invite.ts

reviewed

··· 1 1 + import { comAtprotoRepoStrongRefSchema, didSchema } from "@/lib/types/atproto"; 2 2 + import { z } from "zod"; 3 3 + 4 4 + export const systemsGmstnDevelopmentChannelInviteRecordSchema = z.object({ 5 5 + $type: z.string(), 6 6 + channel: comAtprotoRepoStrongRefSchema, 7 7 + recipient: didSchema, 8 8 + createdAt: z.coerce.date(), 9 9 + }); 10 10 + export type SystemsGmstnDevelopmentChannelInvite = z.infer< 11 11 + typeof systemsGmstnDevelopmentChannelInviteRecordSchema 12 12 + >;