Start work on auth fetch middleware

activitypub/import.go

@@ -77,7 +77,7 @@ func ImportRemoteAccount(targetName string) (string, error) {
 	}
 	defer response.Body.Close()
 	body, _ := io.ReadAll(response.Body)
-	log.Trace().
+	log.Debug().
 		Int("status", response.StatusCode).
 		Bytes("body", body).
 		Any("headers", response.Header).
@@ -394,7 +394,7 @@ func ImportRemoteServer(host string) (uint, error) {
 			}
 		}
 	}
-	if nodeAdmins, ok := data.Metadata["nodeAdmins"].([]map[string]any); ok {
+	if nodeAdmins, ok := data.Metadata["nodeAdmins"].([]map[string]any); ok && len(nodeAdmins) > 0 {
 		log.Debug().Msg("Node admins url found")
 		targets := sliceutils.Filter(
 			existingEntry.Metadata,
@@ -530,7 +530,7 @@ func ImportRemoteServer(host string) (uint, error) {
 			}
 		}
 	}
-	if staffAccounts, ok := data.Metadata["nodeAdmins"].([]any); ok {
+	if staffAccounts, ok := data.Metadata["nodeAdmins"].([]any); ok && len(staffAccounts) > 0 {
 		log.Debug().Msg("Node admins url found")
 		targets := sliceutils.Filter(
 			existingEntry.Metadata,

shared/constants.go

@@ -8,5 +8,6 @@ const (
 	// where multiple releases in a day are required
 	Version = "0.0.1 pre-alpha"
 	// Username for the server actor
-	ServerActorName = "server.actor"
+	ServerActorName    = "server.actor"
+	FeedUsernameSuffix = "-feed"
 )

shared/validation.go

@@ -0,0 +1,25 @@
+package shared
+
+import (
+	"strings"
+
+	"git.mstar.dev/mstar/goutils/sliceutils"
+)
+
+var forbiddenUsernames = []string{
+	"server.actor",
+	"feed",
+}
+
+// Reports whether a given user name is valid (for non-internal systems)
+//
+// TODO: Include compat check for Mastodon?
+func ValidateUsername(username string) bool {
+	if strings.HasSuffix(username, FeedUsernameSuffix) {
+		return false
+	}
+	if sliceutils.Contains(forbiddenUsernames, username) {
+		return false
+	}
+	return true
+}

storage-new/migrations.go

@@ -6,6 +6,7 @@ import (
 
 	"git.mstar.dev/mstar/goutils/other"
 	"git.mstar.dev/mstar/goutils/sliceutils"
+	"github.com/rs/zerolog"
 	"gorm.io/gorm"
 
 	"git.mstar.dev/mstar/linstrom/storage-new/models"
@@ -13,6 +14,11 @@ import (
 
 // Auto-migrate all tables and types used
 func Migrate(db *gorm.DB) error {
+	// Shut up gorm's queries during automigrate by setting log level to info during migration
+	// and then back to the previous value on exit
+	currentLogLevel := zerolog.GlobalLevel()
+	zerolog.SetGlobalLevel(zerolog.InfoLevel)
+	defer zerolog.SetGlobalLevel(currentLogLevel)
 	if err := createAccountAuthMethodType(db); err != nil {
 		return other.Error("storage", "Failed to create Auth Method type", err)
 	}

storage-new/self.go

@@ -169,21 +169,27 @@ func insertUserPronoun(user *models.User) error {
 }
 
 func attachUserToRole(user *models.User) error {
-	_, err := dbgen.UserToRole.Where(dbgen.UserToRole.UserId.Eq(user.ID)).
-		Where(dbgen.UserToRole.RoleId.Eq(models.FullAdminRole.ID)).
-		First()
-	switch err {
-	case nil:
-		return nil
-	case gorm.ErrRecordNotFound:
-		u2r := models.UserToRole{
-			User:   *user,
-			UserId: user.ID,
-			Role:   models.FullAdminRole,
-			RoleId: models.FullAdminRole.ID,
+	roles := []models.Role{models.DefaultUserRole, models.ServerActorRole, models.FullAdminRole}
+	for _, role := range roles {
+		_, err := dbgen.UserToRole.Where(dbgen.UserToRole.UserId.Eq(user.ID)).
+			Where(dbgen.UserToRole.RoleId.Eq(role.ID)).
+			First()
+		switch err {
+		case nil:
+			continue
+		case gorm.ErrRecordNotFound:
+			u2r := models.UserToRole{
+				User:   *user,
+				UserId: user.ID,
+				Role:   role,
+				RoleId: role.ID,
+			}
+			if err = dbgen.UserToRole.Save(&u2r); err != nil {
+				return err
+			}
+		default:
+			return err
 		}
-		return dbgen.UserToRole.Save(&u2r)
-	default:
-		return err
 	}
+	return nil
 }

temp.toml

@@ -1,7 +1,7 @@
 [general]
   protocol = "https"
   domain = "lhr.life"
-  subdomain = "47565bb39100de"
+  subdomain = "3e4af10addc7d0"
   private_port = 8080
   public_port = 443
 

web/public/api/webfinger.go

@@ -18,7 +18,7 @@ import (
 	webshared "git.mstar.dev/mstar/linstrom/web/shared"
 )
 
-var webfingerResourceRegex = regexp.MustCompile(`acct:(?P<username>[\w-]+)@(?<domain>[\w\.-]+)`)
+var webfingerResourceRegex = regexp.MustCompile(`acct:(?P<username>[\w\.-]+)@(?<domain>[\w\.-]+)`)
 
 func WellKnownWebfinger(w http.ResponseWriter, r *http.Request) {
 	type OutboundLink struct {

web/public/errorpages.go

@@ -12,12 +12,14 @@ var errorDescriptions = map[string]string{
 	"db-failure":             "The database query for this request failed for an undisclosed reason. This is often caused by bad input data conflicting with existing information. Try to submit different data or wait for some time",
 	"bad-request-data":       "The data provided in the request doesn't match the requirements, see problem details' detail field for more information",
 	"bad-page":               "The provided page number was not valid. See response details for more information",
+	"bad-accept-mime-type":   "The requested mime type is not supported for the target url",
+	"invalid-auth-signature": "The requested URL requires verification via authorized fetch. See https://swicg.github.io/activitypub-http-signature/ and https://datatracker.ietf.org/doc/html/rfc9421 (not implemented yet) for details on how to verify your request",
 }
 
 func errorTypeHandler(w http.ResponseWriter, r *http.Request) {
 	errName := r.PathValue("name")
 	if description, ok := errorDescriptions[errName]; ok {
-		fmt.Fprint(w, description)
+		_, _ = fmt.Fprint(w, description)
 	} else {
 		webutils.ProblemDetailsStatusOnly(w, 404)
 	}

web/public/middleware/authFetchCheck.go

@@ -0,0 +1,104 @@
+package webmiddleware
+
+import (
+	"net/http"
+	"net/url"
+	"regexp"
+
+	webutils "git.mstar.dev/mstar/goutils/http"
+	"git.mstar.dev/mstar/goutils/other"
+)
+
+const signatureRegexString = `keyId=([a-zA-Z0-9_\-\.:@/\?&=#%\+\[\]!$\(\)\*,;]+),headers="([a-z0-9-_\(\) ]+)",(?:algorithm="([a-z0-9-])+",)?signature="(.+)"`
+
+var publicPaths = []*regexp.Regexp{
+	regexp.MustCompile(`/\.well-known/.+^`),
+	// regexp.MustCompile(``),
+}
+
+var signatureRegex = regexp.MustCompile(signatureRegexString)
+
+// Builder for the authorized fetch check middleware.
+// forNonGet determines whether the check should happen for non-GET requests.
+// forGet determines whether the check should also happen for GET requests.
+// forGet being true implicitly sets forNonGet true too.
+// Requests to the server actor and other, required public resources
+// will never be checked
+func BuildAuthorizedFetchCheck(forNonGet bool, forGet bool) webutils.HandlerBuilder {
+	return func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			path := r.URL.Path
+			// Check always open path first
+			for _, re := range publicPaths {
+				if re.Match([]byte(path)) {
+					h.ServeHTTP(w, r)
+					return
+				}
+			}
+			// Not an always open path, check methods
+			if r.Method == "GET" && !forGet {
+				h.ServeHTTP(w, r)
+				return
+			} else if !forGet && !forNonGet {
+				h.ServeHTTP(w, r)
+				return
+			}
+			// TODO: Perform check here
+			signatureHeader := r.Header.Get("Signature")
+			if signatureHeader == "" {
+				webutils.ProblemDetails(
+					w,
+					http.StatusUnauthorized,
+					"/errors/invalid-auth-signature",
+					"invalid authorization signature",
+					other.IntoPointer("Missing Signature header for authorization"),
+					nil,
+				)
+				return
+			}
+			match := signatureRegex.FindStringSubmatch(signatureHeader)
+			if len(match) <= 1 {
+				webutils.ProblemDetails(
+					w,
+					http.StatusUnauthorized,
+					"/errors/invalid-auth-signature",
+					"invalid authorization signature",
+					other.IntoPointer("Invalid signature header format"),
+					map[string]any{
+						"used signature regex": signatureRegexString,
+						"signature format":     `keyId="<url to actor with used key>",headers="<list of headers used, including pseudo header (request-target)>",(optional: algorithm="<one of rsa-sha256, hs2019>", (defaults to rsa-sha256 if not set))signature="signed message"`,
+					},
+				)
+				return
+			}
+			// fullMatch = match[0]
+			rawKeyId := match[1]
+			rawHeaders := match[2]
+			rawAlgorithm := match[3]
+			signature := match[4]
+
+			_, err := url.Parse(rawKeyId)
+			if err != nil {
+				webutils.ProblemDetails(
+					w,
+					http.StatusUnauthorized,
+					"/errors/invalid-auth-signature",
+					"invalid authorization signature",
+					other.IntoPointer("keyId must be a valid url"),
+					nil,
+				)
+				return
+			}
+
+			if rawAlgorithm == "" {
+				rawAlgorithm = "hs2019"
+				// w.Header().Add("X-Algorithm-Hint", "")
+			}
+
+			_ = rawHeaders
+			_ = signature
+			_ = rawAlgorithm
+			panic("not implemented")
+		})
+	}
+}

web/public/middleware/mimeTypeCheck.go

@@ -0,0 +1,36 @@
+package webmiddleware
+
+import (
+	"net/http"
+	"strings"
+
+	webutils "git.mstar.dev/mstar/goutils/http"
+	"git.mstar.dev/mstar/goutils/other"
+)
+
+func BuildMimetypeCheck(acceptedMimetypes []string) webutils.HandlerBuilder {
+	return func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			acceptHeader := r.Header.Get("Accept")
+			for _, couldBe := range acceptedMimetypes {
+				if strings.Contains(acceptHeader, couldBe) {
+					h.ServeHTTP(w, r)
+					return
+				}
+			}
+			// Requested mimtype not in list of accepted ones, failing request with note
+			webutils.ProblemDetails(
+				w,
+				http.StatusUnsupportedMediaType,
+				"/errors/bad-accept-mime-type",
+				"unsupported mime type",
+				other.IntoPointer(
+					"The requested mime type is not supported. Please check extras for a list of supported mime types",
+				),
+				map[string]any{
+					"supported-mime-types": acceptedMimetypes,
+				},
+			)
+		})
+	}
+}