comparing 414e350548035878f7f4cdf375587d80cdc014a2 and main on veryroundbird.house/smallbird-social

+80 -82

index.php

···

       19
       19
        
       use Matrix\Async;

     

       20
       20
        
       use GuzzleHttp\Psr7\HttpFactory;

     

       21
       21
        
       use chillerlan\OAuth\OAuthOptions;

     

       22
       22
       +
       use chillerlan\OAuth\Storage\SessionStorage;

     

       22
       23
        
       use DateTimeImmutable;

     

       23
       24
        
       use Lcobucci\JWT\Token\Builder;

     

       24
       25
        
       use Lcobucci\JWT\Encoding\ChainedFormatter;

     
···

       27
       28
        
       use Lcobucci\JWT\Signer\Ecdsa\Sha256;

     

       28
       29
        
       use Smallnest\Bsky\BskyProvider;

     

       29
       30
        
       

     

       31
       31
       +
       session_start();

     

       30
       32
        
       $bskyToucher = new BskyToucher();

     

       31
       33
        
       

     

       32
       34
        
       $favoriteFeeds = array_map(function ($feed) use ($bskyToucher) {

     
···

       65
       67
        
       Flight::set('publicApi', PUBLIC_API);

     

       66
       68
        
       Flight::set('frontpageFeed', FRONTPAGE_FEED);

     

       67
       69
        
       Flight::set('defaultRelay', DEFAULT_RELAY);

     

       68
       68
       -
       Flight::set('userAuth', null);

     

       70
       70
       +
       Flight::set('userAuth', array_key_exists('sbs_'.SITE_DOMAIN, $_SESSION) ? $_SESSION['sbs_'.SITE_DOMAIN] : null);

     

       71
       71
       +
       Flight::set('userPds', array_key_exists('sbs_'.SITE_DOMAIN.'_pds', $_SESSION) ? $_SESSION['sbs_'.SITE_DOMAIN.'_pds'] : null);

     

       72
       72
       +
       Flight::set('userInfo', array_key_exists('sbs_'.SITE_DOMAIN.'_userinfo', $_SESSION) ? $_SESSION['sbs_'.SITE_DOMAIN.'_userinfo'] : null);

     

       69
       73
        
       Flight::set('flight.log_errors', false);

     

       70
       74
        
       Flight::set('flight.handle_errors', false);

     

       71
       75
        
       Flight::set('flight.content_length', false);

     
···

       77
       81
        
         'setTheme' => array_key_exists('sbs_theme', $_COOKIE) ? $_COOKIE['sbs_theme'] : DEFAULT_THEME,

     

       78
       82
        
         'setFont' => array_key_exists('sbs_font', $_COOKIE) ? $_COOKIE['sbs_font'] : DEFAULT_FONT,

     

       79
       83
        
         'userAuth' => Flight::get('userAuth'),

     

       84
       84
       +
         'userPds' => Flight::get('userPds'),

     

       85
       85
       +
         'userInfo' => Flight::Get('userInfo'),

     

       80
       86
        
         'favFeeds' => $favoriteFeeds,

     

       81
       87
        
         'pages' => PAGES,

     

       82
       88
        
         'links' => LINKS,

     
···

       176
       182
        
       });

     

       177
       183
        
       

     

       178
       184
        
       Flight::route('/login', function(): void {

     

       179
       179
       -
         $options = new OAuthOptions([

     

       180
       180
       -
         	'key'          => 'https://'.SITE_DOMAIN.CLIENT_ID,

     

       181
       181
       -
         	'secret'       => CLIENT_SECRET,

     

       182
       182
       -
         	'callbackURL'  => 'http://127.0.0.1/login',

     

       183
       183
       -
         	'sessionStart' => true,

     

       184
       184
       -
         ]);

     

       185
       185
       -
         $connector = new React\Socket\Connector([

     

       186
       186
       -
           'dns' => '1.1.1.1'

     

       187
       187
       -
         ]);

     

       188
       188
       -
         $http = new React\Http\Browser($connector);

     

       189
       189
       -
         $httpFactory = new HttpFactory();

     

       190
       190
       -
         $client = new GuzzleHttp\Client([

     

       191
       191
       -
           'verify' => true,

     

       192
       192
       -
           'headers' => [

     

       193
       193
       -
             'User-Agent' => USER_AGENT_STR

     

       194
       194
       -
           ]

     

       195
       195
       -
         ]);

     

       196
       196
       -
         $provider = new BskyProvider($options, $client, $httpFactory, $httpFactory, $httpFactory);

     

       197
       197
       -
         $name = $provider->getName();

     

       185
       185
       +
         if (isset($_GET['username'])) {

     

       198
       186
        
         $username = $_GET['username'];

     

       199
       199
       -
         $bskyToucher = new BskyToucher();

     

       200
       200
       -
         $userInfo = $bskyToucher->getUserInfo($username);

     

       201
       201
       -
         if (!$userInfo) die(1);

     

       202
       202
       -
         $pds = $userInfo->pds;

     

       203
       203
       -
         $provider->setPds($pds);

     

       204
       204
       -
         $token_builder = Builder::new(new JoseEncoder(), ChainedFormatter::default());

     

       205
       205
       -
         $algorithm    = new Sha256();

     

       206
       206
       -
         $signing_key   = InMemory::plainText(CLIENT_SECRET);

     

       207
       207
       -
         print_r($signing_key);

     

       208
       208
       -
         $now   = new DateTimeImmutable();

     

       209
       209
       -
         $token = $token_builder

     

       210
       210
       -
           ->withHeader('alg', 'ES256')

     

       211
       211
       -
           ->withHeader('typ', 'JWT')

     

       212
       212
       -
           ->issuedBy($userInfo->did)

     

       213
       213
       -
           ->relatedTo('https://'.SITE_DOMAIN.CLIENT_ID)

     

       214
       214
       -
           ->permittedFor('did:web:'.str_replace("/", "", str_replace("https://", "", $pds)))

     

       215
       215
       -
           ->issuedAt($now)

     

       216
       216
       -
           ->getToken($algorithm, $signing_key);

     

       217
       217
       -
           print_r($token->toString());

     

       218
       218
       -
           

     

       219
       219
       -
         /*$jwt_header = base64_encode(json_encode([

     

       220
       220
       -
           'alg' => 'ES256',

     

       221
       221
       -
           'typ' => 'JWT'

     

       222
       222
       -
         ]));

     

       223
       223
       -
         $jwt_body = base64_encode(json_encode([

     

       224
       224
       -
           'iss' => $userInfo->did,

     

       225
       225
       -
           'sub' => 'https://'.SITE_DOMAIN.CLIENT_ID,

     

       226
       226
       -
           'aud' => 'did:web:'.str_replace("/", str_replace("https://", $pds)),

     

       227
       227
       -
           'jti' => hash('sha512', bin2hex(random_bytes(256 / 2))),

     

       228
       228
       -
           'iat' => strtotime('now')

     

       229
       229
       -
         ]));

     

       230
       230
       -
         $jwt = $jwt_header.$jwt_body.base64_encode(CERT);*/

     

       231
       231
       -
         $client->setDefaultOption('headers', [

     

       232
       232
       -
           'User-Agent' => USER_AGENT_STR,

     

       233
       233
       -
           'Authorization' => 'Bearer: '.$token->toString()

     

       234
       234
       -
         ]);

     

       235
       235
       -
         if (isset($_GET['login']) && $_GET['login'] === $name) {

     

       236
       236
       -
           $auth_url = $provider->getAuthorizationUrl();

     

       237
       237
       -
           header('Location: '.$auth_url);

     

       238
       238
       -
           die(1);

     

       239
       239
       -
         } else if (isset($_GET['code'], $_GET['state'])) {

     

       240
       240
       -
           $token = $provider->getAccessToken($_GET['code'], $_GET['state']);

     

       241
       241
       -
       

     

       242
       242
       -
         	// save the token in a permanent storage

     

       243
       243
       -
         	// [...]

     

       244
       244
       -
       

     

       245
       245
       -
         	// access granted, redirect

     

       246
       246
       -
         	header('Location: ?granted='.$name);

     

       247
       247
       -
           die(1);

     

       248
       248
       -
         } else if (isset($_GET['granted']) && $_GET['granted'] === $name) {

     

       249
       249
       -
           die(1);

     

       250
       250
       -
         } else if (isset($_GET['error'])) {

     

       251
       251
       -
           die(1);

     

       187
       187
       +
           $bskyToucher = new BskyToucher();

     

       188
       188
       +
           $userInfo = $bskyToucher->getUserInfo($username);

     

       189
       189
       +
           if (!$userInfo) die(1);

     

       190
       190
       +
           $pds = $userInfo->pds;

     

       191
       191
       +
           $options = new OAuthOptions([

     

       192
       192
       +
             'key'          => 'https://'.SITE_DOMAIN.CLIENT_ID,

     

       193
       193
       +
             'secret'       => CLIENT_SECRET,

     

       194
       194
       +
             'callbackURL'  => 'https://'.SITE_DOMAIN.'/login',

     

       195
       195
       +
             'sessionStart' => true,

     

       196
       196
       +
             'sessionStorageVar' => 'sbs_'.SITE_DOMAIN

     

       197
       197
       +
           ]);

     

       198
       198
       +
           $storage = new SessionStorage($options);

     

       199
       199
       +
           $connector = new React\Socket\Connector([

     

       200
       200
       +
             'dns' => '1.1.1.1'

     

       201
       201
       +
           ]);

     

       202
       202
       +
           $http = new React\Http\Browser($connector);

     

       203
       203
       +
           $httpFactory = new HttpFactory();

     

       204
       204
       +
           $token_builder = Builder::new(new JoseEncoder(), ChainedFormatter::default());

     

       205
       205
       +
           $algorithm    = new Sha256();

     

       206
       206
       +
           $signing_key   = InMemory::file(CERT_PATH);

     

       207
       207
       +
           $now   = new DateTimeImmutable();

     

       208
       208
       +
           $token = $token_builder

     

       209
       209
       +
             ->withHeader('alg', 'ES256')

     

       210
       210
       +
             ->withHeader('typ', 'JWT')

     

       211
       211
       +
             ->withHeader('kid', 'ocwgKj_O7H9at1sL6yWf9ZZ82NOM7D0xlN8HGIyWH6M')

     

       212
       212
       +
             ->issuedBy('https://'.SITE_DOMAIN.CLIENT_ID)

     

       213
       213
       +
             ->identifiedBy(uniqid())

     

       214
       214
       +
             ->relatedTo('https://'.SITE_DOMAIN.CLIENT_ID)

     

       215
       215
       +
             ->permittedFor($pds)

     

       216
       216
       +
             ->issuedAt($now->modify('-5 seconds'))

     

       217
       217
       +
             ->getToken($algorithm, $signing_key);

     

       218
       218
       +
           $client = new GuzzleHttp\Client([

     

       219
       219
       +
             'verify' => true,

     

       220
       220
       +
             'headers' => [

     

       221
       221
       +
               'User-Agent' => USER_AGENT_STR,

     

       222
       222
       +
               'Authorization' => 'Bearer: '.$token->toString()

     

       223
       223
       +
             ]

     

       224
       224
       +
           ]);

     

       225
       225
       +
           $provider = new BskyProvider($options, $client, $httpFactory, $httpFactory, $httpFactory);

     

       226
       226
       +
           $provider->setPds($pds);

     

       227
       227
       +
           $name = $provider->getName();

     

       228
       228
       +
           if (isset($_GET['login']) && $_GET['login'] === $name) {

     

       229
       229
       +
             $auth_url = $provider->getAuthorizationUrl([

     

       230
       230
       +
               'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',

     

       231
       231
       +
               'client_assertion' => $token->toString()

     

       232
       232
       +
             ]);

     

       233
       233
       +
             Flight::redirect($auth_url);

     

       234
       234
       +
             die(1);

     

       235
       235
       +
           } else if (isset($_GET['code'], $_GET['iss'])) {

     

       236
       236
       +
             $storage->storeAccessToken($_GET['code'], $name);

     

       237
       237
       +
             $_SESSION['sbs_'.SITE_DOMAIN.'_pds'] = $_GET['iss'];

     

       238
       238
       +
             $_SESSION['sbs_'.SITE_DOMAIN.'_userinfo'] = $bskyToucher->getUserInfo();

     

       239
       239
       +
             Flight::redirect('/');

     

       240
       240
       +
             die(1);

     

       241
       241
       +
           } else if (isset($_GET['error'])) {

     

       242
       242
       +
             die(1);

     

       243
       243
       +
           }

     

       244
       244
       +
         } else {

     

       245
       245
       +
           $latte = new Latte\Engine;

     

       246
       246
       +
           $latte->render('./templates/login.latte', array_merge(Flight::get('standardParams'), [

     

       247
       247
       +
             'mainClass' => 'form',

     

       248
       248
       +
             'ogtitle' => SITE_TITLE." | login",

     

       249
       249
       +
             'ogdesc' => SITE_DESC,

     

       250
       250
       +
             'ogimage' => '',

     

       251
       251
       +
             'ogurl' => 'https://'.SITE_DOMAIN.'/login'

     

       252
       252
       +
           ]));

     

       252
       253
        
         }

     

       253
       253
       -
         $latte = new Latte\Engine;

     

       254
       254
       -
         $latte->render('./templates/login.latte', array_merge(Flight::get('standardParams'), [

     

       255
       255
       -
           'mainClass' => 'form',

     

       256
       256
       -
           'ogtitle' => SITE_TITLE." | login",

     

       257
       257
       -
           'ogdesc' => SITE_DESC,

     

       258
       258
       -
           'ogimage' => '',

     

       259
       259
       -
           'ogurl' => 'https://'.SITE_DOMAIN.'/login'

     

       260
       260
       -
         ]));

     

       261
       254
        
       });

     

       262
       255
        
       

     

       263
       263
       -
       // https://shimaenaga.veryroundbird.house/oauth/authorize?client_id=https%3A%2F%2Ftangled.org%2Foauth%2Fclient-metadata.json&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Areq-2399ff42af66498132ebf8de809254b7

     

       256
       256
       +
       Flight::route('/logout', function(): void {

     

       257
       257
       +
         unset($_SESSION['sbs_'.SITE_DOMAIN]);

     

       258
       258
       +
         unset($_SESSION['sbs_'.SITE_DOMAIN.'_pds']);

     

       259
       259
       +
         unset($_SESSION['sbs_'.SITE_DOMAIN.'_userinfo']);

     

       260
       260
       +
         Flight::redirect('/');

     

       261
       261
       +
       });

     

       264
       262
        
       

     

       265
       263
        
       Flight::route('/createaccount', function(): void {

     

       266
       264
        
         $latte = new Latte\Engine;

+40 -2

lib/bskyProvider.php

···

       6
       6
        
       

     

       7
       7
        
       use chillerlan\OAuth\Core\OAuth2Interface;

     

       8
       8
        
       use chillerlan\OAuth\Core\OAuth2Provider;

     

       9
       9
       -
       use chillerlan\OAuth\Core\PARTrait;

     

       10
       9
        
       use chillerlan\OAuth\Core\PKCETrait;

     

       11
       10
        
       use chillerlan\OAuth\OAuthOptions;

     

       12
       11
        
       use chillerlan\OAuth\Storage\SessionStorage;

     

       12
       12
       +
       use chillerlan\HTTP\Utils\MessageUtil;

     

       13
       13
       +
       use chillerlan\HTTP\Utils\QueryUtil;

     

       14
       14
       +
       use chillerlan\OAuth\Providers\ProviderException;

     

       13
       15
        
       use GuzzleHttp\Client;

     

       14
       16
        
       use GuzzleHttp\Psr7\HttpFactory;

     

       17
       17
       +
       use Psr\Http\Message\UriInterface;

     

       18
       18
       +
       use function sprintf;

     

       15
       19
        
       

     

       16
       20
        
       class BskyProvider extends OAuth2Provider implements \chillerlan\OAuth\Core\PAR, \chillerlan\OAuth\Core\PKCE {

     

       17
       17
       -
         use \chillerlan\OAuth\Core\PARTrait;

     

       18
       21
        
         use \chillerlan\OAuth\Core\PKCETrait;

     

       19
       22
        
         

     

       20
       23
        
       	public const IDENTIFIER               = 'BSKYPROVIDER';

     
···

       52
       55
        
           $this->parAuthorizationURL = (string)$pds->withPath('/oauth/par');

     

       53
       56
        
           

     

       54
       57
        
       		return $this;

     

       58
       58
       +
       	}

     

       59
       59
       +
         

     

       60
       60
       +
       	public function getParRequestUri(array $body):UriInterface{

     

       61
       61
       +
       		// send the request with the same method and parameters as the token requests

     

       62
       62
       +
       		// @link https://datatracker.ietf.org/doc/html/rfc9126#name-request

     

       63
       63
       +
       		$response = $this->sendAccessTokenRequest($this->parAuthorizationURL, $body);

     

       64
       64
       +
       		$status   = $response->getStatusCode();

     

       65
       65
       +
       		$json     = MessageUtil::decodeJSON($response, true);

     

       66
       66
       +
       

     

       67
       67
       +
       		// something went horribly wrong

     

       68
       68
       +
       		if($status !== 201){

     

       69
       69
       +
       

     

       70
       70
       +
       			// @link https://datatracker.ietf.org/doc/html/rfc9126#section-2.3

     

       71
       71
       +
       			if(isset($json['error'], $json['error_description'])){

     

       72
       72
       +
       				throw new ProviderException(sprintf('PAR error: "%s" (%s)', $json['error'], $json['error_description']));

     

       73
       73
       +
       			}

     

       74
       74
       +
       

     

       75
       75
       +
       			throw new ProviderException(sprintf('PAR request error: (HTTP/%s)', $status)); // @codeCoverageIgnore

     

       76
       76
       +
       		}

     

       77
       77
       +
       

     

       78
       78
       +
       		$url = QueryUtil::merge($this->authorizationURL, $this->getParAuthorizationURLRequestParams($json));

     

       79
       79
       +
       

     

       80
       80
       +
       		return $this->uriFactory->createUri($url);

     

       81
       81
       +
       	}

     

       82
       82
       +
         

     

       83
       83
       +
       	protected function getParAuthorizationURLRequestParams(array $response):array{

     

       84
       84
       +
       

     

       85
       85
       +
       		if(!isset($response['request_uri'])){

     

       86
       86
       +
       			throw new ProviderException('PAR response error: "request_uri" missing');

     

       87
       87
       +
       		}

     

       88
       88
       +
       

     

       89
       89
       +
       		return [

     

       90
       90
       +
       			'client_id'   => $this->options->key,

     

       91
       91
       +
       			'request_uri' => $response['request_uri'],

     

       92
       92
       +
       		];

     

       55
       93
        
       	}

     

       56
       94
        
       }

     

       57
       95
        
       ?>

lib/bskyToucher.php

···

       25
       25
        
       use Psr\Http\Message\RequestInterface;

     

       26
       26
        
       use Psr\Http\Message\ResponseInterface;

     

       27
       27
        
       use Fusonic\OpenGraph\Consumer;

     

       28
       28
       +
       use chillerlan\OAuth\Storage\SessionStorage;

     

       28
       29
        
       

     

       29
       30
        
       class BskyToucher {

     

       30
       31
        
         private $bskyApiBase = 'https://public.api.bsky.app/xrpc/';

pages/privacy.md

···

       2
       2
        
       

     

       3
       3
        
       smallbird social is meant to run as lightweight as possible and stores no data on its own server. if you are using a veryroundbird.house pds, your data and activity is on *that* server, but it only stores what's necessary to, you know, interact with the atproto ecosystem. so, user ID information, your posts, follows, likes, etc.

     

       4
       4
        
       

     

       5
       5
       +
       the server also caches publicly-available post and user data to speed up requests. none of this data is kept longer than, like, a few days unless it's requested again.

     

       6
       6
       +
       

     

       5
       7
        
       there is some minimal tracking via goatcounter, but your data will never touch advertisers and it doesn't track individual users; i mostly just want to know what the site usage numbers are and where people found it from.

     

       6
       8
        
         

     

       7
       9
        
       i have never been asked to or required to turn over data to any law enforcement agency.

pages/terms.md

···

       1
       1
       +
       ## terms of use

     

       2
       2
       +
       

     

       3
       3
       +
       i reserve the right to block any IPs that are hitting the site too hard. i also reserve the right to end service at any time if for some reason it gets too hard to maintain or something like that. some features may be jank, broken, or missing due to the limitations of my approach and time.

     

       4
       4
       +
       

     

       5
       5
       +
       just be normal, ok. use the site like a normal person. that's what it's for.

+2 -1

templates/_partials/nav.latte

···

       1
       1
        
       <nav>

     

       2
       2
        
         <ul>

     

       3
       3
        
           {if $userAuth}

     

       4
       4
       +
             <li><a href="/u/{$userInfo->handle}">profile</a></li>

     

       4
       5
        
             <li><a href="/settings">settings</a></li>

     

       5
       5
       -
             <li><a href="#">log out</a></li>

     

       6
       6
       +
             <li><a href="/logout">log out</a></li>

     

       6
       7
        
           {else}

     

       7
       8
        
             <li><a href="/createaccount">create</a></li>

     

       8
       9
        
             <li><a href="/login">log in</a></li>

templates/layout.latte

···

       24
       24
        
           data-theme="{$setTheme}"

     

       25
       25
        
           data-font="{$setFont}"

     

       26
       26
        
         >

     

       27
       27
       +
           <!--

     

       28
       28
       +
             {print_r($_SESSION)}

     

       29
       29
       +
             {print_r(PHP_SESSION_DISABLED)}

     

       30
       30
       +
           -->

     

       27
       31
        
           <div id="page">

     

       28
       32
        
             <header>

     

       29
       33
        
               <h1><a href="/">{include '_partials/logo.latte'}{$siteTitle}</a></h1>

+1 -3

vendor/chillerlan/php-oauth/src/Core/PARTrait.php

···

       35
       35
        
       	public function getParRequestUri(array $body):UriInterface{

     

       36
       36
        
       		// send the request with the same method and parameters as the token requests

     

       37
       37
        
       		// @link https://datatracker.ietf.org/doc/html/rfc9126#name-request

     

       38
       38
       -
           print_r($this->parAuthorizationURL);

     

       39
       38
        
       		$response = $this->sendAccessTokenRequest($this->parAuthorizationURL, $body);

     

       40
       39
        
       		$status   = $response->getStatusCode();

     

       41
       40
        
       		$json     = MessageUtil::decodeJSON($response, true);

     

       42
       42
       -
           print_r($body);

     

       43
       43
       -
           print_r($json);

     

       44
       41
        
       

     

       45
       42
        
       		// something went horribly wrong

     

       46
       43
        
       		if($status !== 200){

     

       44
       44
       +
             print_r($json);

     

       47
       45
        
       

     

       48
       46
        
       			// @link https://datatracker.ietf.org/doc/html/rfc9126#section-2.3

     

       49
       47
        
       			if(isset($json['error'], $json['error_description'])){

Compare changes