···
···
"github.com/labstack/echo/v4"
"github.com/labstack/echo/v4/middleware"
slogecho "github.com/samber/slog-echo"
50
+
"gitlab.com/yawning/secp256k1-voi"
51
+
secp256k1secec "gitlab.com/yawning/secp256k1-voi/secec"
···
return helpers.ServerError(e, nil)
227
+
// move on to oauth session middleware if this is a dpop token
233
+
token, _, err := new(jwt.Parser).ParseUnverified(tokenstr, jwt.MapClaims{})
234
+
claims, ok := token.Claims.(jwt.MapClaims)
236
+
return helpers.InputError(e, to.StringPtr("InvalidToken"))
240
+
var repo *models.RepoActor
229
-
token, err := new(jwt.Parser).Parse(tokenstr, func(t *jwt.Token) (any, error) {
230
-
if _, ok := t.Method.(*jwt.SigningMethodECDSA); !ok {
231
-
return nil, fmt.Errorf("unsupported signing method: %v", t.Header["alg"])
242
+
// service auth tokens
243
+
lxm, hasLxm := claims["lxm"]
245
+
pts := strings.Split(e.Request().URL.String(), "/")
246
+
if lxm != pts[len(pts)-1] {
247
+
s.logger.Error("service auth lxm incorrect", "lxm", lxm, "expected", pts[len(pts)-1], "error", err)
248
+
return helpers.InputError(e, nil)
234
-
return s.privateKey.Public(), nil
237
-
s.logger.Error("error parsing jwt", "error", err)
238
-
// NOTE: https://github.com/bluesky-social/atproto/discussions/3319
239
-
return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"})
251
+
maybeDid, ok := claims["iss"].(string)
253
+
s.logger.Error("no iss in service auth token", "error", err)
254
+
return helpers.InputError(e, nil)
258
+
maybeRepo, err := s.getRepoActorByDid(did)
260
+
s.logger.Error("error fetching repo", "error", err)
261
+
return helpers.ServerError(e, nil)
242
-
claims, ok := token.Claims.(jwt.MapClaims)
243
-
if !ok || !token.Valid {
244
-
return helpers.InputError(e, to.StringPtr("InvalidToken"))
266
+
if token.Header["alg"] != "ES256K" {
267
+
token, err = new(jwt.Parser).Parse(tokenstr, func(t *jwt.Token) (any, error) {
268
+
if _, ok := t.Method.(*jwt.SigningMethodECDSA); !ok {
269
+
return nil, fmt.Errorf("unsupported signing method: %v", t.Header["alg"])
271
+
return s.privateKey.Public(), nil
274
+
s.logger.Error("error parsing jwt", "error", err)
275
+
// NOTE: https://github.com/bluesky-social/atproto/discussions/3319
276
+
return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"})
280
+
return helpers.InputError(e, to.StringPtr("InvalidToken"))
283
+
kpts := strings.Split(tokenstr, ".")
284
+
signingInput := kpts[0] + "." + kpts[1]
285
+
hash := sha256.Sum256([]byte(signingInput))
286
+
sigBytes, err := base64.RawURLEncoding.DecodeString(kpts[2])
288
+
s.logger.Error("error decoding signature bytes", "error", err)
289
+
return helpers.ServerError(e, nil)
292
+
if len(sigBytes) != 64 {
293
+
s.logger.Error("incorrect sigbytes length", "length", len(sigBytes))
294
+
return helpers.ServerError(e, nil)
297
+
rBytes := sigBytes[:32]
298
+
sBytes := sigBytes[32:]
299
+
rr, _ := secp256k1.NewScalarFromBytes((*[32]byte)(rBytes))
300
+
ss, _ := secp256k1.NewScalarFromBytes((*[32]byte)(sBytes))
302
+
sk, err := secp256k1secec.NewPrivateKey(repo.SigningKey)
304
+
s.logger.Error("can't load private key", "error", err)
308
+
pubKey, ok := sk.Public().(*secp256k1secec.PublicKey)
310
+
s.logger.Error("error getting public key from sk")
311
+
return helpers.ServerError(e, nil)
314
+
verified := pubKey.VerifyRaw(hash[:], rr, ss)
316
+
s.logger.Error("error verifying", "error", err)
317
+
return helpers.ServerError(e, nil)
isRefresh := e.Request().URL.Path == "/xrpc/com.atproto.server.refreshSession"
248
-
scope := claims["scope"].(string)
322
+
scope, _ := claims["scope"].(string)
if isRefresh && scope != "com.atproto.refresh" {
return helpers.InputError(e, to.StringPtr("InvalidToken"))
252
-
} else if !isRefresh && scope != "com.atproto.access" {
326
+
} else if !hasLxm && !isRefresh && scope != "com.atproto.access" {
return helpers.InputError(e, to.StringPtr("InvalidToken"))
···
261
-
type Result struct {
265
-
if err := s.db.Raw("SELECT EXISTS(SELECT 1 FROM "+table+" WHERE token = ?) AS found", nil, tokenstr).Scan(&result).Error; err != nil {
266
-
if err == gorm.ErrRecordNotFound {
267
-
return helpers.InputError(e, to.StringPtr("InvalidToken"))
336
+
type Result struct {
340
+
if err := s.db.Raw("SELECT EXISTS(SELECT 1 FROM "+table+" WHERE token = ?) AS found", nil, tokenstr).Scan(&result).Error; err != nil {
341
+
if err == gorm.ErrRecordNotFound {
342
+
return helpers.InputError(e, to.StringPtr("InvalidToken"))
270
-
s.logger.Error("error getting token from db", "error", err)
271
-
return helpers.ServerError(e, nil)
345
+
s.logger.Error("error getting token from db", "error", err)
346
+
return helpers.ServerError(e, nil)
275
-
return helpers.InputError(e, to.StringPtr("InvalidToken"))
350
+
return helpers.InputError(e, to.StringPtr("InvalidToken"))
exp, ok := claims["exp"].(float64)
···
return helpers.InputError(e, to.StringPtr("ExpiredToken"))
288
-
repo, err := s.getRepoActorByDid(claims["sub"].(string))
290
-
s.logger.Error("error fetching repo", "error", err)
291
-
return helpers.ServerError(e, nil)
365
+
maybeRepo, err := s.getRepoActorByDid(claims["sub"].(string))
367
+
s.logger.Error("error fetching repo", "error", err)
368
+
return helpers.ServerError(e, nil)
371
+
did = repo.Repo.Did
295
-
e.Set("did", claims["sub"])
if err := next(e); err != nil {
hailey.at