mirror of
https://gitlab.com/soapbox-pub/ditto.git
synced 2025-12-06 11:29:46 +00:00
103 lines
2.9 KiB
TypeScript
103 lines
2.9 KiB
TypeScript
import { NostrEvent } from '@nostrify/nostrify';
|
|
import { type AppContext, type AppMiddleware } from '@/app.ts';
|
|
import { HTTPException } from '@/deps.ts';
|
|
import {
|
|
buildAuthEventTemplate,
|
|
parseAuthRequest,
|
|
type ParseAuthRequestOpts,
|
|
validateAuthEvent,
|
|
} from '@/utils/nip98.ts';
|
|
import { localRequest } from '@/utils/api.ts';
|
|
import { APISigner } from '@/signers/APISigner.ts';
|
|
import { findUser, User } from '@/db/users.ts';
|
|
|
|
/**
|
|
* NIP-98 auth.
|
|
* https://github.com/nostr-protocol/nips/blob/master/98.md
|
|
*/
|
|
function auth98(opts: ParseAuthRequestOpts = {}): AppMiddleware {
|
|
return async (c, next) => {
|
|
const req = localRequest(c);
|
|
const result = await parseAuthRequest(req, opts);
|
|
|
|
if (result.success) {
|
|
c.set('pubkey', result.data.pubkey);
|
|
c.set('proof', result.data);
|
|
}
|
|
|
|
await next();
|
|
};
|
|
}
|
|
|
|
type UserRole = 'user' | 'admin';
|
|
|
|
/** Require the user to prove their role before invoking the controller. */
|
|
function requireRole(role: UserRole, opts?: ParseAuthRequestOpts): AppMiddleware {
|
|
return withProof(async (c, proof, next) => {
|
|
const user = await findUser({ pubkey: proof.pubkey });
|
|
c.set('user', user);
|
|
|
|
if (user && matchesRole(user, role)) {
|
|
await next();
|
|
} else {
|
|
throw new HTTPException(401);
|
|
}
|
|
}, opts);
|
|
}
|
|
|
|
/** Require the user to demonstrate they own the pubkey by signing an event. */
|
|
function requireProof(opts?: ParseAuthRequestOpts): AppMiddleware {
|
|
return withProof(async (_c, _proof, next) => {
|
|
await next();
|
|
}, opts);
|
|
}
|
|
|
|
/** Check whether the user fulfills the role. */
|
|
function matchesRole(user: User, role: UserRole): boolean {
|
|
switch (role) {
|
|
case 'user':
|
|
return true;
|
|
case 'admin':
|
|
return user.admin;
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/** HOC to obtain proof in middleware. */
|
|
function withProof(
|
|
handler: (c: AppContext, proof: NostrEvent, next: () => Promise<void>) => Promise<void>,
|
|
opts?: ParseAuthRequestOpts,
|
|
): AppMiddleware {
|
|
return async (c, next) => {
|
|
const pubkey = c.get('pubkey');
|
|
const proof = c.get('proof') || await obtainProof(c, opts);
|
|
|
|
// Prevent people from accidentally using the wrong account. This has no other security implications.
|
|
if (proof && pubkey && pubkey !== proof.pubkey) {
|
|
throw new HTTPException(401, { message: 'Pubkey mismatch' });
|
|
}
|
|
|
|
if (proof) {
|
|
c.set('pubkey', proof.pubkey);
|
|
c.set('proof', proof);
|
|
await handler(c, proof, next);
|
|
} else {
|
|
throw new HTTPException(401, { message: 'No proof' });
|
|
}
|
|
};
|
|
}
|
|
|
|
/** Get the proof over Nostr Connect. */
|
|
async function obtainProof(c: AppContext, opts?: ParseAuthRequestOpts) {
|
|
const req = localRequest(c);
|
|
const reqEvent = await buildAuthEventTemplate(req, opts);
|
|
const resEvent = await new APISigner(c).signEvent(reqEvent);
|
|
const result = await validateAuthEvent(req, resEvent, opts);
|
|
|
|
if (result.success) {
|
|
return result.data;
|
|
}
|
|
}
|
|
|
|
export { auth98, requireProof, requireRole };
|