commit 2b3a4515b60e94f49fafc52836b570280099b5e6 · nekomimi.pet/microcosm-rs

+1 -1

.github/workflows/checks.yml

···

       28
        
             - name: get nightly toolchain for jetstream fmt

     

       29
        
               run: rustup toolchain install nightly --allow-downgrade -c rustfmt

     

       30
        
             - name: fmt

     

       31
       -
               run: cargo fmt --package links --package constellation --package ufos --package spacedust --package who-am-i --package slingshot -- --check

     

       32
        
             - name: fmt jetstream (nightly)

     

       33
        
               run: cargo +nightly fmt --package jetstream -- --check

     

       34
        
             - name: clippy

···

       28
        
             - name: get nightly toolchain for jetstream fmt

     

       29
        
               run: rustup toolchain install nightly --allow-downgrade -c rustfmt

     

       30
        
             - name: fmt

     

       31
       +
               run: cargo fmt --package links --package constellation --package ufos --package spacedust --package who-am-i --package slingshot --package pocket -- --check

     

       32
        
             - name: fmt jetstream (nightly)

     

       33
        
               run: cargo +nightly fmt --package jetstream -- --check

     

       34
        
             - name: clippy

+1 -1

Makefile

···

       5
        
       	cargo test --all-features

     

       6
        
       

     

       7
        
       fmt:

     

       8
       -
       	cargo fmt --package links --package constellation --package ufos --package spacedust --package who-am-i --package slingshot

     

       9
        
       	cargo +nightly fmt --package jetstream

     

       10
        
       

     

       11
        
       clippy:

···

       5
        
       	cargo test --all-features

     

       6
        
       

     

       7
        
       fmt:

     

       8
       +
       	cargo fmt --package links --package constellation --package ufos --package spacedust --package who-am-i --package slingshot --package pocket

     

       9
        
       	cargo +nightly fmt --package jetstream

     

       10
        
       

     

       11
        
       clippy:

+17

pocket/api-description.md

···

       1
       +
       _A pocket dimension to stash a bit of non-public user data._

     

       2
       +
       

     

       3
       +
       

     

       4
       +
       # Pocket: user preference storage

     

       5
       +
       

     

       6
       +
       This API leverages atproto service proxying to offer a bit of per-user per-app non-public data storage.

     

       7
       +
       Perfect for things like application preferences that might be better left out of the public PDS data.

     

       8
       +
       

     

       9
       +
       The intent is to use oauth scopes to isolate storage on a per-application basis, and to allow easy data migration from a community hosted instance to your own if you end up needing that.

     

       10
       +
       

     

       11
       +
       

     

       12
       +
       ### Current status

     

       13
       +
       

     

       14
       +
       > [!important]

     

       15
       +
       > Pocket is currently in a **v0, pre-release state**. There is one production instance and you can use it! Expect short downtimes for restarts as development progresses and occaisional data loss until it's stable.

     

       16
       +
       

     

       17
       +
       ATProto might end up adding a similar feature to [PDSs](https://atproto.com/guides/glossary#pds-personal-data-server). If/when that happens, you should use it instead of this!

+1 -1

pocket/src/lib.rs

···

       2
        
       mod token;

     

       3
        
       

     

       4
        
       pub use server::serve;

     

       5
       -
       pub use token::verify;

···

       2
        
       mod token;

     

       3
        
       

     

       4
        
       pub use server::serve;

     

       5
       +
       pub use token::TokenVerifier;

-1

pocket/src/main.rs

···

       6
        
           println!("Hello, world!");

     

       7
        
           serve("mac.cinnebar-tet.ts.net").await

     

       8
        
       }

     

       9
       -

···

       6
        
           println!("Hello, world!");

     

       7
        
           serve("mac.cinnebar-tet.ts.net").await

     

       8
        
       }

     

       0

+72 -78

pocket/src/server.rs

···

       0
        
       
     

       1
        
       use poem::{

     

       2
       -
           endpoint::make_sync,

     

       3
       -
           Endpoint,

     

       4
       -
           Route,

     

       5
       -
           Server,

     

       6
       -
           EndpointExt,

     

       7
       -
           http::{Method, HeaderMap},

     

       8
        
           middleware::{CatchPanic, Cors, Tracing},

     

       9
       -
           listener::TcpListener,

     

       10
        
       };

     

       11
        
       use poem_openapi::{

     

       12
       -
           ContactObject,

     

       13
       -
           ExternalDocumentObject,

     

       14
       -
           OpenApi,

     

       15
       -
           OpenApiService,

     

       16
       -
           Tags,

     

       17
       -
           Object,

     

       18
       -
           ApiResponse,

     

       19
        
           types::Example,

     

       20
       -
           auth::Bearer,

     

       21
       -
           payload::Json,

     

       22
       -
           SecurityScheme,

     

       23
        
       };

     

       24
       -
       use crate::verify;

     

       25
        
       use serde::Serialize;

     

       26
        
       use serde_json::{Value, json};

     

       27
       -
       

     

       28
        
       

     

       29
        
       #[derive(Debug, SecurityScheme)]

     

       30
        
       #[oai(ty = "bearer")]

     

       31
       -
       struct BlahAuth(Bearer);

     

       32
       -
       

     

       33
        
       

     

       34
        
       #[derive(Tags)]

     

       35
        
       enum ApiTags {

     

       36
       -
           /// Bluesky-compatible APIs.

     

       37
       -
           #[oai(rename = "app.bsky.* queries")]

     

       38
       -
           AppBsky,

     

       39
        
       }

     

       40
        
       

     

       41
        
       #[derive(Object)]

     
···

       86
        
           /// Bad request or no preferences to return

     

       87
        
           #[oai(status = 400)]

     

       88
        
           BadRequest(XrpcError),

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       89
        
           // /// Server errors

     

       90
        
           // #[oai(status = 500)]

     

       91
        
           // ServerError(XrpcError),

     

       92
        
       }

     

       93
        
       

     

       94
        
       struct Xrpc {

     

       95
       -
           domain: String,

     

       96
        
       }

     

       97
        
       

     

       98
        
       #[OpenApi]

     

       99
        
       impl Xrpc {

     

       100
       -
           /// app.bsky.actor.getPreferences

     

       101
        
           ///

     

       102
        
           /// get stored bluesky prefs

     

       103
        
           #[oai(

     

       104
       -
               path = "/app.bsky.actor.getPreferences",

     

       105
        
               method = "get",

     

       106
       -
               tag = "ApiTags::AppBsky"

     

       107
        
           )]

     

       108
       -
           async fn app_bsky_get_prefs(

     

       109
       -
               &self,

     

       110
       -
               BlahAuth(auth): BlahAuth,

     

       111
       -
               m: &HeaderMap,

     

       112
       -
           ) -> GetBskyPrefsResponse {

     

       113
       -
               log::warn!("hm: {m:?}");

     

       114
       -
               match verify(

     

       115
       -
                   &format!("did:web:{}#bsky_appview", self.domain),

     

       116
       -
                   "app.bsky.actor.getPreferences",

     

       117
       -
                   &auth.token,

     

       118
       -
               ).await {

     

       119
       -
                   Ok(did) => log::info!("wooo! {did}"),

     

       120
       -
                   Err(err) => return GetBskyPrefsResponse::BadRequest(xrpc_error("booo", err)),

     

       121
        
               };

     

       122
       -
               log::warn!("got bearer: {:?}", auth.token);

     

       0
        
       
     

       123
        
               GetBskyPrefsResponse::Ok(Json(GetBskyPrefsResponseObject::example()))

     

       124
        
           }

     

       125
        
       

     

       126
       -
           /// app.bsky.actor.putPreferences

     

       127
        
           ///

     

       128
        
           /// store bluesky prefs

     

       129
        
           #[oai(

     

       130
       -
               path = "/app.bsky.actor.putPreferences",

     

       131
        
               method = "post",

     

       132
       -
               tag = "ApiTags::AppBsky"

     

       133
        
           )]

     

       134
        
           async fn app_bsky_put_prefs(

     

       135
        
               &self,

     

       0
        
       
     

       136
        
               Json(prefs): Json<Value>,

     

       137
       -
           ) -> () {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       138
        
               log::warn!("received prefs: {prefs:?}");

     

       139
       -
               ()

     

       0
        
       
     

       140
        
           }

     

       141
        
       }

     

       142
        
       

     
···

       157
        
           let doc = poem::web::Json(AppViewDoc {

     

       158
        
               id: format!("did:web:{domain}"),

     

       159
        
               service: [AppViewService {

     

       160
       -
                   id: "#bsky_appview".to_string(),

     

       161
       -
                   r#type: "PocketBlueskyPreferences".to_string(),

     

       162
        
                   service_endpoint: format!("https://{domain}"),

     

       163
        
               }],

     

       164
        
           });

     

       165
        
           make_sync(move |_| doc.clone())

     

       166
        
       }

     

       167
        
       

     

       168
       -
       pub async fn serve(

     

       169
       -
           domain: &str,

     

       170
       -
       ) -> () {

     

       171
       -
           let api_service = OpenApiService::new(

     

       172
       -
               Xrpc { domain: domain.to_string() },

     

       173
       -
               "Pocket",

     

       174
       -
               env!("CARGO_PKG_VERSION"),

     

       175
       -
           )

     

       176
       -
           .server(domain)

     

       177
       -
           .url_prefix("/xrpc")

     

       178
       -
           .contact(

     

       179
       -
               ContactObject::new()

     

       180
       -
                   .name("@microcosm.blue")

     

       181
       -
                   .url("https://bsky.app/profile/microcosm.blue"),

     

       182
       -
           )

     

       183
       -
           // .description(include_str!("../api-description.md"))

     

       184
       -
           .external_document(ExternalDocumentObject::new(

     

       185
       -
               "https://microcosm.blue/pocket",

     

       186
       -
           ));

     

       187
        
       

     

       188
        
           let app = Route::new()

     

       189
       -
               .at("/.well-known/did.json", get_did_doc(&domain))

     

       190
        
               .nest("/xrpc/", api_service)

     

       191
       -
               // .at("/", StaticFileEndpoint::new("./static/index.html"))

     

       192
       -
               // .nest("/openapi", api_service.spec_endpoint())

     

       193
        
               .with(

     

       194
        
                   Cors::new()

     

       195
        
                       .allow_method(Method::GET)

     

       196
       -
                       .allow_method(Method::POST)

     

       197
        
               )

     

       198
        
               .with(CatchPanic::new())

     

       199
        
               .with(Tracing);

     

       200
        
       

     

       201
        
           let listener = TcpListener::bind("127.0.0.1:3000");

     

       202
       -
           Server::new(listener)

     

       203
       -
               .name("pocket")

     

       204
       -
               .run(app)

     

       205
       -
               .await

     

       206
       -
               .unwrap();

     

       207
       -
       

     

       208
        
       }

···

       1
       +
       use crate::TokenVerifier;

     

       2
        
       use poem::{

     

       3
       +
           Endpoint, EndpointExt, Route, Server,

     

       4
       +
           endpoint::{StaticFileEndpoint, make_sync},

     

       5
       +
           http::Method,

     

       6
       +
           listener::TcpListener,

     

       0
        
       
     

       0
        
       
     

       7
        
           middleware::{CatchPanic, Cors, Tracing},

     

       0
        
       
     

       8
        
       };

     

       9
        
       use poem_openapi::{

     

       10
       +
           ApiResponse, ContactObject, ExternalDocumentObject, Object, OpenApi, OpenApiService,

     

       11
       +
           SecurityScheme, Tags,

     

       12
       +
           auth::Bearer,

     

       13
       +
           payload::{Json, PlainText},

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
           types::Example,

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
       };

     

       0
        
       
     

       16
        
       use serde::Serialize;

     

       17
        
       use serde_json::{Value, json};

     

       0
        
       
     

       18
        
       

     

       19
        
       #[derive(Debug, SecurityScheme)]

     

       20
        
       #[oai(ty = "bearer")]

     

       21
       +
       struct XrpcAuth(Bearer);

     

       0
        
       
     

       22
        
       

     

       23
        
       #[derive(Tags)]

     

       24
        
       enum ApiTags {

     

       25
       +
           /// Custom pocket APIs

     

       26
       +
           #[oai(rename = "Pocket APIs")]

     

       27
       +
           Pocket,

     

       28
        
       }

     

       29
        
       

     

       30
        
       #[derive(Object)]

     
···

       75
        
           /// Bad request or no preferences to return

     

       76
        
           #[oai(status = 400)]

     

       77
        
           BadRequest(XrpcError),

     

       78
       +
       }

     

       79
       +
       

     

       80
       +
       #[derive(ApiResponse)]

     

       81
       +
       enum PutBskyPrefsResponse {

     

       82
       +
           /// Record found

     

       83
       +
           #[oai(status = 200)]

     

       84
       +
           Ok(PlainText<String>),

     

       85
       +
           /// Bad request or no preferences to return

     

       86
       +
           #[oai(status = 400)]

     

       87
       +
           BadRequest(XrpcError),

     

       88
        
           // /// Server errors

     

       89
        
           // #[oai(status = 500)]

     

       90
        
           // ServerError(XrpcError),

     

       91
        
       }

     

       92
        
       

     

       93
        
       struct Xrpc {

     

       94
       +
           verifier: TokenVerifier,

     

       95
        
       }

     

       96
        
       

     

       97
        
       #[OpenApi]

     

       98
        
       impl Xrpc {

     

       99
       +
           /// com.bad-example.pocket.getPreferences

     

       100
        
           ///

     

       101
        
           /// get stored bluesky prefs

     

       102
        
           #[oai(

     

       103
       +
               path = "/com.bad-example.pocket.getPreferences",

     

       104
        
               method = "get",

     

       105
       +
               tag = "ApiTags::Pocket"

     

       106
        
           )]

     

       107
       +
           async fn app_bsky_get_prefs(&self, XrpcAuth(auth): XrpcAuth) -> GetBskyPrefsResponse {

     

       108
       +
               let did = match self

     

       109
       +
                   .verifier

     

       110
       +
                   .verify("app.bsky.actor.getPreferences", &auth.token)

     

       111
       +
                   .await

     

       112
       +
               {

     

       113
       +
                   Ok(d) => d,

     

       114
       +
                   Err(e) => return GetBskyPrefsResponse::BadRequest(xrpc_error("boooo", e.to_string())),

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       115
        
               };

     

       116
       +
               log::info!("verified did: {did}");

     

       117
       +
               // TODO: fetch from storage

     

       118
        
               GetBskyPrefsResponse::Ok(Json(GetBskyPrefsResponseObject::example()))

     

       119
        
           }

     

       120
        
       

     

       121
       +
           /// com.bad-example.pocket.putPreferences

     

       122
        
           ///

     

       123
        
           /// store bluesky prefs

     

       124
        
           #[oai(

     

       125
       +
               path = "/com.bad-example.pocket.putPreferences",

     

       126
        
               method = "post",

     

       127
       +
               tag = "ApiTags::Pocket"

     

       128
        
           )]

     

       129
        
           async fn app_bsky_put_prefs(

     

       130
        
               &self,

     

       131
       +
               XrpcAuth(auth): XrpcAuth,

     

       132
        
               Json(prefs): Json<Value>,

     

       133
       +
           ) -> PutBskyPrefsResponse {

     

       134
       +
               let did = match self

     

       135
       +
                   .verifier

     

       136
       +
                   .verify("app.bsky.actor.getPreferences", &auth.token)

     

       137
       +
                   .await

     

       138
       +
               {

     

       139
       +
                   Ok(d) => d,

     

       140
       +
                   Err(e) => return PutBskyPrefsResponse::BadRequest(xrpc_error("boooo", e.to_string())),

     

       141
       +
               };

     

       142
       +
               log::info!("verified did: {did}");

     

       143
        
               log::warn!("received prefs: {prefs:?}");

     

       144
       +
               // TODO: put prefs into storage

     

       145
       +
               PutBskyPrefsResponse::Ok(PlainText("hiiiiii".to_string()))

     

       146
        
           }

     

       147
        
       }

     

       148
        
       

     
···

       163
        
           let doc = poem::web::Json(AppViewDoc {

     

       164
        
               id: format!("did:web:{domain}"),

     

       165
        
               service: [AppViewService {

     

       166
       +
                   id: "#pocket_prefs".to_string(),

     

       167
       +
                   r#type: "PocketPreferences".to_string(),

     

       168
        
                   service_endpoint: format!("https://{domain}"),

     

       169
        
               }],

     

       170
        
           });

     

       171
        
           make_sync(move |_| doc.clone())

     

       172
        
       }

     

       173
        
       

     

       174
       +
       pub async fn serve(domain: &str) -> () {

     

       175
       +
           let verifier = TokenVerifier::new(domain);

     

       176
       +
           let api_service = OpenApiService::new(Xrpc { verifier }, "Pocket", env!("CARGO_PKG_VERSION"))

     

       177
       +
               .server(domain)

     

       178
       +
               .url_prefix("/xrpc")

     

       179
       +
               .contact(

     

       180
       +
                   ContactObject::new()

     

       181
       +
                       .name("@microcosm.blue")

     

       182
       +
                       .url("https://bsky.app/profile/microcosm.blue"),

     

       183
       +
               )

     

       184
       +
               .description(include_str!("../api-description.md"))

     

       185
       +
               .external_document(ExternalDocumentObject::new("https://microcosm.blue/pocket"));

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       186
        
       

     

       187
        
           let app = Route::new()

     

       188
       +
               .nest("/openapi", api_service.spec_endpoint())

     

       189
        
               .nest("/xrpc/", api_service)

     

       190
       +
               .at("/.well-known/did.json", get_did_doc(domain))

     

       191
       +
               .at("/", StaticFileEndpoint::new("./static/index.html"))

     

       192
        
               .with(

     

       193
        
                   Cors::new()

     

       194
        
                       .allow_method(Method::GET)

     

       195
       +
                       .allow_method(Method::POST),

     

       196
        
               )

     

       197
        
               .with(CatchPanic::new())

     

       198
        
               .with(Tracing);

     

       199
        
       

     

       200
        
           let listener = TcpListener::bind("127.0.0.1:3000");

     

       201
       +
           Server::new(listener).name("pocket").run(app).await.unwrap();

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       202
        
       }

+113 -52

pocket/src/token.rs

···

       1
       -
       use jwt_compact::{Claims, UntrustedToken};

     

       2
        
       use atrium_crypto::did::parse_multikey;

     

       3
        
       use atrium_crypto::verify::Verifier;

     

       4
       -
       use std::collections::HashMap;

     

       5
        
       use serde::Deserialize;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       6
        
       

     

       7
        
       #[derive(Debug, Deserialize)]

     

       8
        
       struct MiniDoc {

     

       9
        
           signing_key: String,

     

       0
        
       
     

       10
        
       }

     

       11
        
       

     

       12
       -
       pub async fn verify(

     

       13
       -
           expected_aud: &str,

     

       14
       -
           expected_lxm: &str,

     

       15
       -
           token: &str,

     

       16
       -
       ) -> Result<String, &'static str> {

     

       17
       -
           let untrusted = UntrustedToken::new(token).unwrap();

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
       

     

       19
       -
           let claims: Claims<HashMap<String, String>> = untrusted.deserialize_claims_unchecked().unwrap();

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       20
        
       

     

       21
       -
           let Some(did) = claims.custom.get("iss") else {

     

       22
       -
               return Err("jwt must include the user's did in `iss`");

     

       23
       -
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       24
        
       

     

       25
       -
           if !did.starts_with("did:") {

     

       26
       -
               return Err("iss should be a did");

     

       27
       -
           }

     

       28
       -
           if did.contains("#") {

     

       29
       -
               return Err("iss should be a user did without a service identifier");

     

       30
       -
           }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       31
        
       

     

       32
       -
           println!("Claims: {claims:#?}");

     

       33
       -
           println!("did: {did:#?}");

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       34
        
       

     

       35
       -
           let endpoint = "https://slingshot.microcosm.blue/xrpc/com.bad-example.identity.resolveMiniDoc";

     

       36
       -
           let doc: MiniDoc = reqwest::get(format!("{endpoint}?identifier={did}"))

     

       37
       -
               .await

     

       38
       -
               .unwrap()

     

       39
       -
               .error_for_status()

     

       40
       -
               .unwrap()

     

       41
       -
               .json()

     

       42
       -
               .await

     

       43
       -
               .unwrap();

     

       44
        
       

     

       45
       -
           log::info!("got minidoc response: {doc:?}");

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       46
        
       

     

       47
       -
           let (alg, public_key) = parse_multikey(&doc.signing_key).unwrap();

     

       48
       -
           log::info!("parsed key: {public_key:?}");

     

       0
        
       
     

       49
        
       

     

       50
       -
           Verifier::default().verify(

     

       51
       -
               alg,

     

       52
       -
               &public_key,

     

       53
       -
               &untrusted.signed_data,

     

       54
       -
               untrusted.signature_bytes(),

     

       55
       -
           ).unwrap();

     

       56
       -
           // if this passes, then our claims were trustworthy after all(??)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       57
        
       

     

       58
       -
           let Some(aud) = claims.custom.get("aud") else {

     

       59
       -
               return Err("missing aud");

     

       60
       -
           };

     

       61
       -
           if aud != expected_aud {

     

       62
       -
               return Err("wrong aud");

     

       63
       -
           }

     

       64
       -
           let Some(lxm) = claims.custom.get("lxm") else {

     

       65
       -
               return Err("missing lxm");

     

       66
       -
           };

     

       67
       -
           if lxm != expected_lxm {

     

       68
       -
               return Err("wrong lxm");

     

       69
        
           }

     

       70
       -
       

     

       71
       -
           Ok(did.to_string())

     

       72
        
       }

···

       0
        
       
     

       1
        
       use atrium_crypto::did::parse_multikey;

     

       2
        
       use atrium_crypto::verify::Verifier;

     

       3
       +
       use jwt_compact::UntrustedToken;

     

       4
        
       use serde::Deserialize;

     

       5
       +
       use std::collections::HashMap;

     

       6
       +
       use std::time::Duration;

     

       7
       +
       use thiserror::Error;

     

       8
        
       

     

       9
        
       #[derive(Debug, Deserialize)]

     

       10
        
       struct MiniDoc {

     

       11
        
           signing_key: String,

     

       12
       +
           did: String,

     

       13
        
       }

     

       14
        
       

     

       15
       +
       #[derive(Error, Debug)]

     

       16
       +
       pub enum VerifyError {

     

       17
       +
           #[error("The cross-service authorization token failed verification: {0}")]

     

       18
       +
           VerificationFailed(&'static str),

     

       19
       +
           #[error("Error trying to resolve the DID to a signing key, retry in a moment: {0}")]

     

       20
       +
           ResolutionFailed(&'static str),

     

       21
       +
       }

     

       22
       +
       

     

       23
       +
       pub struct TokenVerifier {

     

       24
       +
           domain: String,

     

       25
       +
           client: reqwest::Client,

     

       26
       +
       }

     

       27
       +
       

     

       28
       +
       impl TokenVerifier {

     

       29
       +
           pub fn new(domain: &str) -> Self {

     

       30
       +
               let client = reqwest::Client::builder()

     

       31
       +
                   .user_agent(format!(

     

       32
       +
                       "microcosm pocket v{} (dev: @bad-example.com)",

     

       33
       +
                       env!("CARGO_PKG_VERSION")

     

       34
       +
                   ))

     

       35
       +
                   .no_proxy()

     

       36
       +
                   .timeout(Duration::from_secs(12)) // slingshot timeout is 10s

     

       37
       +
                   .build()

     

       38
       +
                   .unwrap();

     

       39
       +
               Self {

     

       40
       +
                   client,

     

       41
       +
                   domain: domain.to_string(),

     

       42
       +
               }

     

       43
       +
           }

     

       44
       +
       

     

       45
       +
           pub async fn verify(&self, expected_lxm: &str, token: &str) -> Result<String, VerifyError> {

     

       46
       +
               let untrusted = UntrustedToken::new(token).unwrap();

     

       47
       +
       

     

       48
       +
               // danger! unfortunately we need to decode the DID from the jwt body before we have a public key to verify the jwt with

     

       49
       +
               let Ok(untrusted_claims) =

     

       50
       +
                   untrusted.deserialize_claims_unchecked::<HashMap<String, String>>()

     

       51
       +
               else {

     

       52
       +
                   return Err(VerifyError::VerificationFailed(

     

       53
       +
                       "could not deserialize jtw claims",

     

       54
       +
                   ));

     

       55
       +
               };

     

       56
        
       

     

       57
       +
               // get the (untrusted!) claimed DID

     

       58
       +
               let Some(untrusted_did) = untrusted_claims.custom.get("iss") else {

     

       59
       +
                   return Err(VerifyError::VerificationFailed(

     

       60
       +
                       "jwt must include the user's did in `iss`",

     

       61
       +
                   ));

     

       62
       +
               };

     

       63
        
       

     

       64
       +
               // bail if it's not even a user-ish did

     

       65
       +
               if !untrusted_did.starts_with("did:") {

     

       66
       +
                   return Err(VerifyError::VerificationFailed("iss should be a did"));

     

       67
       +
               }

     

       68
       +
               if untrusted_did.contains("#") {

     

       69
       +
                   return Err(VerifyError::VerificationFailed(

     

       70
       +
                       "iss should be a user did without a service identifier",

     

       71
       +
                   ));

     

       72
       +
               }

     

       73
        
       

     

       74
       +
               let endpoint =

     

       75
       +
                   "https://slingshot.microcosm.blue/xrpc/com.bad-example.identity.resolveMiniDoc";

     

       76
       +
               let doc: MiniDoc = self

     

       77
       +
                   .client

     

       78
       +
                   .get(format!("{endpoint}?identifier={untrusted_did}"))

     

       79
       +
                   .send()

     

       80
       +
                   .await

     

       81
       +
                   .map_err(|_| VerifyError::ResolutionFailed("failed to fetch minidoc"))?

     

       82
       +
                   .error_for_status()

     

       83
       +
                   .map_err(|_| VerifyError::ResolutionFailed("non-ok response for minidoc"))?

     

       84
       +
                   .json()

     

       85
       +
                   .await

     

       86
       +
                   .map_err(|_| VerifyError::ResolutionFailed("failed to parse json to minidoc"))?;

     

       87
        
       

     

       88
       +
               // sanity check before we go ahead with this signing key

     

       89
       +
               if doc.did != *untrusted_did {

     

       90
       +
                   return Err(VerifyError::VerificationFailed(

     

       91
       +
                       "wtf, resolveMiniDoc returned a doc for a different DID, slingshot bug",

     

       92
       +
                   ));

     

       93
       +
               }

     

       94
        
       

     

       95
       +
               let Ok((alg, public_key)) = parse_multikey(&doc.signing_key) else {

     

       96
       +
                   return Err(VerifyError::VerificationFailed(

     

       97
       +
                       "could not parse signing key form minidoc",

     

       98
       +
                   ));

     

       99
       +
               };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       100
        
       

     

       101
       +
               // i _guess_ we've successfully bootstrapped the verification of the jwt unless this fails

     

       102
       +
               if let Err(e) = Verifier::default().verify(

     

       103
       +
                   alg,

     

       104
       +
                   &public_key,

     

       105
       +
                   &untrusted.signed_data,

     

       106
       +
                   untrusted.signature_bytes(),

     

       107
       +
               ) {

     

       108
       +
                   log::warn!("jwt verification failed: {e}");

     

       109
       +
                   return Err(VerifyError::VerificationFailed(

     

       110
       +
                       "jwt signature verification failed",

     

       111
       +
                   ));

     

       112
       +
               }

     

       113
        
       

     

       114
       +
               // past this point we're should have established trust. crossing ts and dotting is.

     

       115
       +
               let did = &untrusted_did;

     

       116
       +
               let claims = &untrusted_claims;

     

       117
        
       

     

       118
       +
               let Some(aud) = claims.custom.get("aud") else {

     

       119
       +
                   return Err(VerifyError::VerificationFailed("missing aud"));

     

       120
       +
               };

     

       121
       +
               if *aud != format!("did:web:{}#bsky_appview", self.domain) {

     

       122
       +
                   return Err(VerifyError::VerificationFailed("wrong aud"));

     

       123
       +
               }

     

       124
       +
               let Some(lxm) = claims.custom.get("lxm") else {

     

       125
       +
                   return Err(VerifyError::VerificationFailed("missing lxm"));

     

       126
       +
               };

     

       127
       +
               if lxm != expected_lxm {

     

       128
       +
                   return Err(VerifyError::VerificationFailed("wrong lxm"));

     

       129
       +
               }

     

       130
        
       

     

       131
       +
               Ok(did.to_string())

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       132
        
           }

     

       0
        
       
     

       0
        
       
     

       133
        
       }

+67

pocket/static/index.html

···

       1
       +
       <!doctype html>

     

       2
       +
       <html lang="en">

     

       3
       +
         <head>

     

       4
       +
           <meta charset="utf-8" />

     

       5
       +
           <title>Pocket: atproto user preference storage</title>

     

       6
       +
           <meta name="viewport" content="width=device-width, initial-scale=1" />

     

       7
       +
           <meta name="description" content="API Documentation for Pocket, a simple user-preference storage system for atproto" />

     

       8
       +
           <style>

     

       9
       +
             :root {

     

       10
       +
               --scalar-small: 13px;

     

       11
       +
             }

     

       12
       +
             .scalar-app .markdown .markdown-alert {

     

       13
       +
               font-size: var(--scalar-small);

     

       14
       +
             }

     

       15
       +
             .sidebar-heading-link-title {

     

       16
       +
               line-height: 1.2;

     

       17
       +
             }

     

       18
       +
             .custom-header {

     

       19
       +
               height: 42px;

     

       20
       +
               background-color: #221828;

     

       21
       +
               box-shadow: inset 0 -1px 0 var(--scalar-border-color);

     

       22
       +
               color: var(--scalar-color-1);

     

       23
       +
               font-size: var(--scalar-font-size-3);

     

       24
       +
               font-family: 'Iowan Old Style', 'Palatino Linotype', 'URW Palladio L', P052, serif;

     

       25
       +
               padding: 0 18px;

     

       26
       +
               justify-content: space-between;

     

       27
       +
             }

     

       28
       +
             .custom-header,

     

       29
       +
             .custom-header nav {

     

       30
       +
               display: flex;

     

       31
       +
               align-items: center;

     

       32
       +
               gap: 18px;

     

       33
       +
             }

     

       34
       +
             .custom-header a:hover {

     

       35
       +
               color: var(--scalar-color-2);

     

       36
       +
             }

     

       37
       +
       

     

       38
       +
             .light-mode .custom-header {

     

       39
       +
               background-color: thistle;

     

       40
       +
             }

     

       41
       +
           </style>

     

       42
       +
         </head>

     

       43
       +
         <body>

     

       44
       +
           <header class="custom-header scalar-app">

     

       45
       +
             <p>

     

       46
       +
               TODO: thing

     

       47
       +
             </p>

     

       48
       +
             <nav>

     

       49
       +
               <b>a <a href="https://microcosm.blue">microcosm</a> project</b>

     

       50
       +
               <a href="https://bsky.app/profile/microcosm.blue">@microcosm.blue</a>

     

       51
       +
               <a href="https://github.com/at-microcosm">github</a>

     

       52
       +
             </nav>

     

       53
       +
           </header>

     

       54
       +
       

     

       55
       +
           <script id="api-reference" type="application/json" data-url="/openapi"></script>

     

       56
       +
       

     

       57
       +
           <script>

     

       58
       +
             var configuration = {

     

       59
       +
               theme: 'purple',

     

       60
       +
               hideModels: true,

     

       61
       +
             }

     

       62
       +
             document.getElementById('api-reference').dataset.configuration = JSON.stringify(configuration)

     

       63
       +
           </script>

     

       64
       +
       

     

       65
       +
           <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>

     

       66
       +
         </body>

     

       67
       +
       </html>

quasar/src/lib.rs

···

       1
        
       mod storage;

     

       0
        
       
     

       0

···

       1
        
       mod storage;

     

       2
       +
       

     

       3
       +
       pub use storage::Storage;

+1 -1

quasar/src/storage.rs

···

       1
        
       

     

       2
       -
       trait Storage {

     

       3
        
           

     

       4
        
       }

···

       1
        
       

     

       2
       +
       pub trait Storage {

     

       3
        
           

     

       4
        
       }