wip: ready new-account for email and google verification
This commit is contained in:
parent
9608a7429b
commit
23822cdf09
1
go.mod
1
go.mod
|
@ -3,6 +3,7 @@ module git.coolaj86.com/coolaj86/go-mockid
|
|||
go 1.13
|
||||
|
||||
require (
|
||||
git.rootprojects.org/root/hashcash v1.0.1
|
||||
git.rootprojects.org/root/keypairs v0.5.2
|
||||
github.com/google/uuid v1.1.1
|
||||
github.com/joho/godotenv v1.3.0
|
||||
|
|
2
go.sum
2
go.sum
|
@ -1,3 +1,5 @@
|
|||
git.rootprojects.org/root/hashcash v1.0.1 h1:PkzwZu4CR5q/hwAntJdvcmNhmP0ONhetMo7rYhIZhZ0=
|
||||
git.rootprojects.org/root/hashcash v1.0.1/go.mod h1:HdoULUe94o1NVMES5K6aP3p8QGQiIia73F1HNZ1+FkQ=
|
||||
git.rootprojects.org/root/keypairs v0.5.2 h1:jr+drUUm/REaCDJTl5gT3kF2PwlXygcLsBZlqoKTZZw=
|
||||
git.rootprojects.org/root/keypairs v0.5.2/go.mod h1:WGI8PadOp+4LjUuI+wNlSwcJwFtY8L9XuNjuO3213HA=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
|
|
|
@ -19,7 +19,7 @@ func Verify(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
var jws *xkeypairs.JWS
|
||||
jws := &xkeypairs.JWS{}
|
||||
|
||||
authzParts := strings.Split(r.Header.Get("Authorization"), " ")
|
||||
lenAuthz := len(authzParts)
|
||||
|
@ -27,11 +27,9 @@ func Verify(w http.ResponseWriter, r *http.Request) {
|
|||
jwt := authzParts[1]
|
||||
jwsParts := strings.Split(jwt, ".")
|
||||
if 3 == len(jwsParts) {
|
||||
jws = &xkeypairs.JWS{
|
||||
Protected: jwsParts[0],
|
||||
Payload: jwsParts[1],
|
||||
Signature: jwsParts[2],
|
||||
}
|
||||
jws.Protected = jwsParts[0]
|
||||
jws.Payload = jwsParts[1]
|
||||
jws.Signature = jwsParts[2]
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -41,7 +39,7 @@ func Verify(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
decoder := json.NewDecoder(r.Body)
|
||||
err := decoder.Decode(&jws)
|
||||
err := decoder.Decode(jws)
|
||||
if nil != err && io.EOF != err {
|
||||
log.Printf("json decode error: %s", err)
|
||||
http.Error(w, "Bad Request: invalid JWS body", http.StatusBadRequest)
|
||||
|
|
|
@ -0,0 +1,101 @@
|
|||
package mockid
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net/http"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"git.rootprojects.org/root/hashcash"
|
||||
)
|
||||
|
||||
var hashcashes = &hashcashDB{
|
||||
db: sync.Map{},
|
||||
}
|
||||
|
||||
func NewHashcash(sub string, exp time.Time) *hashcash.Hashcash {
|
||||
|
||||
h := hashcash.New(hashcash.Hashcash{
|
||||
Subject: sub,
|
||||
ExpiresAt: exp,
|
||||
})
|
||||
|
||||
// ignoring the error because this implementation is backed by an in-memory map
|
||||
_ = hashcashes.Store(h.Nonce, h)
|
||||
|
||||
return h
|
||||
}
|
||||
|
||||
var ErrNotFound = errors.New("not found")
|
||||
|
||||
func UseHashcash(hc string) error {
|
||||
phony, err := hashcash.Parse(hc)
|
||||
if nil != err {
|
||||
return err
|
||||
}
|
||||
|
||||
hi, ok, _ := hashcashes.Load(phony.Nonce)
|
||||
if !ok {
|
||||
return ErrNotFound
|
||||
}
|
||||
mccoy := hi.(*hashcash.Hashcash)
|
||||
mccopy := *mccoy
|
||||
|
||||
mccopy.Solution = phony.Solution
|
||||
if err := mccopy.Verify("*"); nil != err {
|
||||
return err
|
||||
}
|
||||
|
||||
_ = hashcashes.Delete(mccoy.Nonce)
|
||||
return nil
|
||||
}
|
||||
|
||||
func issueHashcash(w http.ResponseWriter, r *http.Request) *hashcash.Hashcash {
|
||||
h := NewHashcash(r.Host, time.Now().Add(5*time.Minute))
|
||||
w.Header().Set("Hashcash-Challenge", h.String())
|
||||
return h
|
||||
}
|
||||
|
||||
func requireHashcash(next http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
hc := r.Header.Get("Hashcash")
|
||||
_ = issueHashcash(w, r)
|
||||
if err := UseHashcash(hc); nil != err {
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
next(w, r)
|
||||
}
|
||||
}
|
||||
|
||||
type hashcashDB struct {
|
||||
db sync.Map
|
||||
}
|
||||
|
||||
func (h *hashcashDB) Load(key interface{}) (value interface{}, ok bool, err error) {
|
||||
v, ok := h.db.Load(key)
|
||||
return v, ok, nil
|
||||
}
|
||||
|
||||
func (h *hashcashDB) Store(key interface{}, value interface{}) (err error) {
|
||||
h.db.Store(key, value)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (h *hashcashDB) Delete(key interface{}) (err error) {
|
||||
h.db.Delete(key)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (h *hashcashDB) vacuum() (err error) {
|
||||
now := time.Now().UTC()
|
||||
h.db.Range(func(key interface{}, val interface{}) bool {
|
||||
v := val.(*hashcash.Hashcash)
|
||||
if v.ExpiresAt.Sub(now) < 0 {
|
||||
h.db.Delete(key)
|
||||
}
|
||||
return true
|
||||
})
|
||||
return nil
|
||||
}
|
|
@ -11,11 +11,9 @@ import (
|
|||
"fmt"
|
||||
"io"
|
||||
"math/big"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"strconv"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"git.coolaj86.com/coolaj86/go-mockid/xkeypairs"
|
||||
|
@ -34,6 +32,13 @@ type PublicJWK struct {
|
|||
Y string `json:"y"`
|
||||
}
|
||||
|
||||
type KVDB interface {
|
||||
Load(key interface{}) (value interface{}, ok bool, err error)
|
||||
Store(key interface{}) (value interface{}, err error)
|
||||
Delete(key interface{}) (err error)
|
||||
vacuum() (err error)
|
||||
}
|
||||
|
||||
type InspectableToken struct {
|
||||
Public keypairs.PublicKey `json:"jwk"`
|
||||
Protected map[string]interface{} `json:"protected"`
|
||||
|
@ -57,9 +62,6 @@ func (t *InspectableToken) MarshalJSON() ([]byte, error) {
|
|||
var defaultFrom string
|
||||
var defaultReplyTo string
|
||||
|
||||
//var nonces map[string]int64
|
||||
//var nonCh chan string
|
||||
var nonces sync.Map
|
||||
var salt []byte
|
||||
|
||||
func Init() {
|
||||
|
@ -82,6 +84,13 @@ func Init() {
|
|||
}
|
||||
}()
|
||||
*/
|
||||
|
||||
go func() {
|
||||
for {
|
||||
time.Sleep(15 * time.Second)
|
||||
hashcashes.vacuum()
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
func GenToken(host string, privkey keypairs.PrivateKey, query url.Values) (string, string, string) {
|
||||
|
@ -164,40 +173,3 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
|
|||
return false
|
||||
}
|
||||
}
|
||||
|
||||
func issueNonce(w http.ResponseWriter, r *http.Request) {
|
||||
b := make([]byte, 16)
|
||||
_, _ = rand.Read(b)
|
||||
nonce := base64.RawURLEncoding.EncodeToString(b)
|
||||
//nonCh <- nonce
|
||||
nonces.Store(nonce, time.Now())
|
||||
|
||||
w.Header().Set("Replay-Nonce", nonce)
|
||||
}
|
||||
|
||||
func requireNonce(next http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
nonce := r.Header.Get("Replay-Nonce")
|
||||
// TODO expire nonces every so often
|
||||
//t := nonces[nonce]
|
||||
var t time.Time
|
||||
tmp, ok := nonces.Load(nonce)
|
||||
if ok {
|
||||
t = tmp.(time.Time)
|
||||
}
|
||||
if !ok || time.Now().Sub(t) > 15*time.Minute {
|
||||
http.Error(
|
||||
w,
|
||||
`{ "error": "invalid or expired nonce", "error_code": "ENONCE" }`,
|
||||
http.StatusBadRequest,
|
||||
)
|
||||
return
|
||||
}
|
||||
|
||||
//delete(nonces, nonce)
|
||||
nonces.Delete(nonce)
|
||||
issueNonce(w, r)
|
||||
|
||||
next(w, r)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
package mockid
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"net/http"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
//var nonces map[string]int64
|
||||
//var nonCh chan string
|
||||
var nonces sync.Map
|
||||
|
||||
func issueNonce(w http.ResponseWriter, r *http.Request) {
|
||||
b := make([]byte, 16)
|
||||
_, _ = rand.Read(b)
|
||||
nonce := base64.RawURLEncoding.EncodeToString(b)
|
||||
//nonCh <- nonce
|
||||
nonces.Store(nonce, time.Now())
|
||||
|
||||
w.Header().Set("Replay-Nonce", nonce)
|
||||
}
|
||||
|
||||
func requireNonce(next http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
nonce := r.Header.Get("Replay-Nonce")
|
||||
// TODO expire nonces every so often
|
||||
//t := nonces[nonce]
|
||||
|
||||
if !useNonce(nonce) {
|
||||
http.Error(
|
||||
w,
|
||||
`{ "error": "invalid or expired nonce", "error_code": "ENONCE" }`,
|
||||
http.StatusBadRequest,
|
||||
)
|
||||
return
|
||||
}
|
||||
|
||||
issueNonce(w, r)
|
||||
next(w, r)
|
||||
}
|
||||
}
|
||||
|
||||
func checkNonce(nonce string) bool {
|
||||
var t time.Time
|
||||
tmp, ok := nonces.Load(nonce)
|
||||
if ok {
|
||||
t = tmp.(time.Time)
|
||||
}
|
||||
if ok && time.Now().Sub(t) <= 15*time.Minute {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func useNonce(nonce string) bool {
|
||||
if checkNonce(nonce) {
|
||||
//delete(nonces, nonce)
|
||||
nonces.Delete(nonce)
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
273
mockid/route.go
273
mockid/route.go
|
@ -6,6 +6,7 @@ import (
|
|||
"crypto/sha512"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
|
@ -23,94 +24,150 @@ import (
|
|||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
type HTTPResponse struct {
|
||||
Error string `json:"error"`
|
||||
Success bool `json:"success"`
|
||||
}
|
||||
|
||||
// Route returns an HTTP Mux containing the full API
|
||||
func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
|
||||
Init()
|
||||
|
||||
// TODO get from main()
|
||||
tokPrefix := jwksPrefix
|
||||
tokenPrefix = jwksPrefix
|
||||
pubkey := keypairs.NewPublicKey(privkey.Public())
|
||||
|
||||
http.HandleFunc("/api/new-nonce", func(w http.ResponseWriter, r *http.Request) {
|
||||
baseURL := getBaseURL(r)
|
||||
/*
|
||||
res.statusCode = 200;
|
||||
res.setHeader("Cache-Control", "max-age=0, no-cache, no-store");
|
||||
// TODO
|
||||
//res.setHeader("Date", "Sun, 10 Mar 2019 08:04:45 GMT");
|
||||
// is this the expiration of the nonce itself? methinks maybe so
|
||||
//res.setHeader("Expires", "Sun, 10 Mar 2019 08:04:45 GMT");
|
||||
// TODO use one of the registered domains
|
||||
//var indexURL = "https://acme-staging-v02.api.letsencrypt.org/index"
|
||||
*/
|
||||
//var port = (state.config.ipc && state.config.ipc.port || state._ipc.port || undefined);
|
||||
//var indexURL = "http://localhost:" + port + "/index";
|
||||
indexURL := baseURL + "/index"
|
||||
http.HandleFunc("/api/new-hashcash", func(w http.ResponseWriter, r *http.Request) {
|
||||
if "POST" != r.Method {
|
||||
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
|
||||
return
|
||||
}
|
||||
|
||||
indexURL := getBaseURL(r) + "/api/directory"
|
||||
w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"")
|
||||
|
||||
w.Header().Set("Date", time.Now().Format(http.TimeFormat))
|
||||
// disable caching in every possible way
|
||||
w.Header().Set("Expires", time.Now().Format(http.TimeFormat))
|
||||
w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store")
|
||||
w.Header().Set("Pragma", "no-cache")
|
||||
//res.setHeader("Strict-Transport-Security", "max-age=604800");
|
||||
w.Header().Set("Strict-Transport-Security", "max-age=604800")
|
||||
|
||||
w.Header().Set("X-Frame-Options", "DENY")
|
||||
issueNonce(w, r)
|
||||
|
||||
h := issueHashcash(w, r)
|
||||
b, _ := json.Marshal(h)
|
||||
w.Write(b)
|
||||
})
|
||||
|
||||
http.HandleFunc("/api/new-account", requireNonce(func(w http.ResponseWriter, r *http.Request) {
|
||||
// Try to decode the request body into the struct. If there is an error,
|
||||
// respond to the client with the error message and a 400 status code.
|
||||
data := map[string]string{}
|
||||
err := json.NewDecoder(r.Body).Decode(&data)
|
||||
if nil != err {
|
||||
http.Error(w, err.Error(), http.StatusBadRequest)
|
||||
http.HandleFunc("/api/new-nonce", requireHashcash(func(w http.ResponseWriter, r *http.Request) {
|
||||
indexURL := getBaseURL(r) + "/api/directory"
|
||||
w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"")
|
||||
|
||||
w.Header().Set("Date", time.Now().Format(http.TimeFormat))
|
||||
// disable caching in every possible way
|
||||
w.Header().Set("Expires", time.Now().Format(http.TimeFormat))
|
||||
w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store")
|
||||
w.Header().Set("Pragma", "no-cache")
|
||||
w.Header().Set("Strict-Transport-Security", "max-age=604800")
|
||||
|
||||
w.Header().Set("X-Frame-Options", "DENY")
|
||||
|
||||
issueNonce(w, r)
|
||||
}))
|
||||
|
||||
http.HandleFunc("/api/test-hashcash", func(w http.ResponseWriter, r *http.Request) {
|
||||
if err := UseHashcash(r.Header.Get("Hashcash")); nil != err {
|
||||
b, _ := json.Marshal(&HTTPResponse{
|
||||
Error: err.Error(),
|
||||
})
|
||||
w.Write(b)
|
||||
return
|
||||
}
|
||||
|
||||
// TODO check DNS for MX records
|
||||
parts := strings.Split(data["to"], ", <>\n\r\t")
|
||||
to := parts[0]
|
||||
if len(parts) > 1 || !strings.Contains(to, "@") {
|
||||
http.Error(w, "invalid email address", http.StatusBadRequest)
|
||||
b, _ := json.Marshal(&HTTPResponse{
|
||||
Success: true,
|
||||
})
|
||||
w.Write(b)
|
||||
})
|
||||
|
||||
type NewAccount struct {
|
||||
Contact []string `json:"contact"`
|
||||
TermsOfServiceAgreed bool `json:"termsOfServiceAgreed"`
|
||||
}
|
||||
|
||||
http.HandleFunc("/api/new-account", func(w http.ResponseWriter, r *http.Request) {
|
||||
myURL := getBaseURL(r) + r.URL.Path
|
||||
|
||||
jws := &xkeypairs.JWS{}
|
||||
|
||||
decoder := json.NewDecoder(r.Body)
|
||||
if err := decoder.Decode(jws); nil != err {
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
defer r.Body.Close()
|
||||
|
||||
if err := jws.DecodeComponents(); nil != err {
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
fmt.Fprintf(w, `{"error":%q}`+"\n", err)
|
||||
return
|
||||
}
|
||||
|
||||
// TODO expect JWK in JWS/JWT
|
||||
// TODO place validated JWK into file with token
|
||||
|
||||
token, err := uuid.NewRandom()
|
||||
if nil != err {
|
||||
// nothing else to do if we run out of random
|
||||
// or are on a platform that doesn't support random
|
||||
panic(fmt.Errorf("random bytes read failure: %w", err))
|
||||
}
|
||||
token64 := base64.RawURLEncoding.EncodeToString([]byte(token[:]))
|
||||
// hash token to prevent fs read timing attacks
|
||||
hash := sha1.Sum(append(token[:], salt...))
|
||||
tokname := base64.RawURLEncoding.EncodeToString(hash[:])
|
||||
if err := ioutil.WriteFile(
|
||||
filepath.Join(tokPrefix, tokname+".tok.txt"),
|
||||
[]byte(`{"comment":"I have no idea..."}`),
|
||||
os.FileMode(0600),
|
||||
); nil != err {
|
||||
http.Error(w, "database connection failed when writing verification token", http.StatusInternalServerError)
|
||||
kid, _ := jws.Header["kid"].(string)
|
||||
if "" != kid {
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
fmt.Fprintf(w, `{"error":"jws must include protected jwk, which is mutually exclusive from kid"}`+"\n")
|
||||
return
|
||||
}
|
||||
subject := "Verify New Account"
|
||||
// TODO go tpl
|
||||
// TODO determine OS and Browser from user agent
|
||||
|
||||
alg, _ := jws.Header["alg"].(string)
|
||||
if !strings.HasSuffix(alg, "256") {
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
fmt.Fprintf(w, `{"error":"invalid jws protected algorithm"}`+"\n")
|
||||
return
|
||||
}
|
||||
|
||||
nonce, _ := jws.Header["nonce"].(string)
|
||||
if !useNonce(nonce) {
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
fmt.Fprintf(w, `{"error":"invalid jws protected nonce"}`+"\n")
|
||||
return
|
||||
}
|
||||
|
||||
jwsURL, _ := jws.Header["url"].(string)
|
||||
if myURL != jwsURL {
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
fmt.Fprintf(w, `{"error":"invalid jws protected target URL"}`+"\n")
|
||||
return
|
||||
}
|
||||
|
||||
ok, err := xkeypairs.VerifyClaims(nil, jws)
|
||||
if nil != err || !ok {
|
||||
if nil != err {
|
||||
log.Printf("jws verify error: %s", err)
|
||||
}
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
fmt.Fprintf(w, `{"error":"could not verify JWS claims"}`+"\n")
|
||||
return
|
||||
}
|
||||
|
||||
contacts, _ := jws.Claims["contact"].([]string)
|
||||
contact := ""
|
||||
if 1 == len(contacts) {
|
||||
contact = contacts[0]
|
||||
}
|
||||
|
||||
baseURL := getBaseURL(r)
|
||||
text := fmt.Sprintf(
|
||||
"It looks like you just tried to register a new Pocket ID account.\n\n Verify account: %s/verify/%s\n\nNot you? Just ignore this message.",
|
||||
baseURL, token64,
|
||||
)
|
||||
_, err = SendSimpleMessage(to, defaultFrom, subject, text, defaultReplyTo)
|
||||
if nil != err {
|
||||
// TODO neuter mailgun output
|
||||
http.Error(w, err.Error(), http.StatusBadRequest)
|
||||
if err := startVerification(baseURL, contact); nil != err {
|
||||
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||
msg, _ := json.Marshal(err.Error())
|
||||
fmt.Fprintf(w, `{"error":%s}`+"\n", msg)
|
||||
return
|
||||
}
|
||||
|
||||
fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n")
|
||||
}))
|
||||
})
|
||||
|
||||
// TODO use chi
|
||||
http.HandleFunc("/verify/", requireNonce(func(w http.ResponseWriter, r *http.Request) {
|
||||
|
@ -119,24 +176,13 @@ func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
|
|||
http.Error(w, "invalid url path", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
token64 := parts[2]
|
||||
token, err := base64.RawURLEncoding.DecodeString(token64)
|
||||
if err != nil || 0 == len(token) {
|
||||
http.Error(w, "invalid url path", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
// hash token to prevent fs read timing attacks
|
||||
hash := sha1.Sum(append(token, salt...))
|
||||
tokname := base64.RawURLEncoding.EncodeToString(hash[:])
|
||||
tokfile := filepath.Join(tokPrefix, tokname+".tok.txt")
|
||||
_, err = ioutil.ReadFile(tokfile)
|
||||
if nil != err {
|
||||
http.Error(w, "database connection failed when reading verification token", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
token := parts[2]
|
||||
|
||||
// TODO promote JWK to public... and related to an ID or email??
|
||||
os.Remove(tokfile)
|
||||
if err := checkOTP(token); nil != err {
|
||||
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
|
||||
fmt.Fprintf(w, "%s", err)
|
||||
return
|
||||
}
|
||||
|
||||
fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n")
|
||||
}))
|
||||
|
@ -374,6 +420,77 @@ func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
|
|||
return http.DefaultServeMux
|
||||
}
|
||||
|
||||
var tokenPrefix string
|
||||
|
||||
func newOTP() (string, error) {
|
||||
rnd, err := uuid.NewRandom()
|
||||
if nil != err {
|
||||
// nothing else to do if we run out of random
|
||||
// or are on a platform that doesn't support random
|
||||
panic(fmt.Errorf("random bytes read failure: %w", err))
|
||||
}
|
||||
token := base64.RawURLEncoding.EncodeToString(rnd[:])
|
||||
|
||||
// We hash the random value to prevent DB / FS / compare timing attacks
|
||||
tokenID := sha1.Sum([]byte(token))
|
||||
tokenName := base64.RawURLEncoding.EncodeToString(tokenID[:])
|
||||
if err := ioutil.WriteFile(
|
||||
filepath.Join(tokenPrefix, tokenName+".tok.txt"),
|
||||
[]byte(`{"comment":"TODO: metadata goes here"}`),
|
||||
// keep it secret, keep it safe
|
||||
os.FileMode(0600),
|
||||
); nil != err {
|
||||
return "", errors.New("database connection failed when writing verification token")
|
||||
}
|
||||
return token, nil
|
||||
}
|
||||
|
||||
func checkOTP(token string) error {
|
||||
// We hash the random value to prevent DB / FS / compare timing attacks
|
||||
tokenID := sha1.Sum([]byte(token))
|
||||
tokenName := base64.RawURLEncoding.EncodeToString(tokenID[:])
|
||||
tokfile := filepath.Join(tokenPrefix, tokenName+".tok.txt")
|
||||
if _, err := ioutil.ReadFile(tokfile); nil != err {
|
||||
return errors.New("database connection failed when reading verification token")
|
||||
}
|
||||
|
||||
// TODO promote JWK to public... and related to an ID or email??
|
||||
_ = os.Remove(tokfile)
|
||||
return nil
|
||||
}
|
||||
|
||||
func startVerification(baseURL, contact string) error {
|
||||
email := strings.Replace(contact, "mailto:", "", -1)
|
||||
if "" == email {
|
||||
return errors.New("missing contact:[\"mailto:me@example.com\"]")
|
||||
}
|
||||
|
||||
// TODO check DNS for MX records
|
||||
if !strings.Contains(email, "@") || strings.Contains(email, " \t\n") {
|
||||
return errors.New("invalid email address")
|
||||
}
|
||||
|
||||
// TODO expect JWK in JWS/JWT
|
||||
// TODO place validated JWK into file with token
|
||||
|
||||
token, err := newOTP()
|
||||
if nil != err {
|
||||
return err
|
||||
}
|
||||
subject := "Verify New Account"
|
||||
// TODO go tpl
|
||||
// TODO determine OS and Browser from user agent
|
||||
text := fmt.Sprintf(
|
||||
"It looks like you just tried to register a new Pocket ID account.\n\n Verify account: %s/verify/%s\n\nNot you? Just ignore this message.",
|
||||
baseURL, token,
|
||||
)
|
||||
if _, err = SendSimpleMessage(email, defaultFrom, subject, text, defaultReplyTo); nil != err {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func getBaseURL(r *http.Request) string {
|
||||
var scheme string
|
||||
if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") {
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
cmd/hashcash/hashcash
|
||||
|
||||
# ---> Go
|
||||
# Binaries for programs and plugins
|
||||
*.exe
|
||||
*.exe~
|
||||
*.dll
|
||||
*.so
|
||||
*.dylib
|
||||
|
||||
# Test binary, built with `go test -c`
|
||||
*.test
|
||||
|
||||
# Output of the go coverage tool, specifically when used with LiteIDE
|
||||
*.out
|
||||
|
||||
# Dependency directories (remove the comment below to include it)
|
||||
# vendor/
|
||||
|
|
@ -0,0 +1,312 @@
|
|||
Mozilla Public License Version 2.0
|
||||
|
||||
1. Definitions
|
||||
|
||||
1.1. "Contributor" means each individual or legal entity that creates, contributes
|
||||
to the creation of, or owns Covered Software.
|
||||
|
||||
1.2. "Contributor Version" means the combination of the Contributions of others
|
||||
(if any) used by a Contributor and that particular Contributor's Contribution.
|
||||
|
||||
1.3. "Contribution" means Covered Software of a particular Contributor.
|
||||
|
||||
1.4. "Covered Software" means Source Code Form to which the initial Contributor
|
||||
has attached the notice in Exhibit A, the Executable Form of such Source Code
|
||||
Form, and Modifications of such Source Code Form, in each case including portions
|
||||
thereof.
|
||||
|
||||
1.5. "Incompatible With Secondary Licenses" means
|
||||
|
||||
(a) that the initial Contributor has attached the notice described in Exhibit
|
||||
B to the Covered Software; or
|
||||
|
||||
(b) that the Covered Software was made available under the terms of version
|
||||
1.1 or earlier of the License, but not also under the terms of a Secondary
|
||||
License.
|
||||
|
||||
1.6. "Executable Form" means any form of the work other than Source Code Form.
|
||||
|
||||
1.7. "Larger Work" means a work that combines Covered Software with other
|
||||
material, in a separate file or files, that is not Covered Software.
|
||||
|
||||
1.8. "License" means this document.
|
||||
|
||||
1.9. "Licensable" means having the right to grant, to the maximum extent possible,
|
||||
whether at the time of the initial grant or subsequently, any and all of the
|
||||
rights conveyed by this License.
|
||||
|
||||
1.10. "Modifications" means any of the following:
|
||||
|
||||
(a) any file in Source Code Form that results from an addition to, deletion
|
||||
from, or modification of the contents of Covered Software; or
|
||||
|
||||
(b) any new file in Source Code Form that contains any Covered Software.
|
||||
|
||||
1.11. "Patent Claims" of a Contributor means any patent claim(s), including
|
||||
without limitation, method, process, and apparatus claims, in any patent Licensable
|
||||
by such Contributor that would be infringed, but for the grant of the License,
|
||||
by the making, using, selling, offering for sale, having made, import, or
|
||||
transfer of either its Contributions or its Contributor Version.
|
||||
|
||||
1.12. "Secondary License" means either the GNU General Public License, Version
|
||||
2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General
|
||||
Public License, Version 3.0, or any later versions of those licenses.
|
||||
|
||||
1.13. "Source Code Form" means the form of the work preferred for making modifications.
|
||||
|
||||
1.14. "You" (or "Your") means an individual or a legal entity exercising rights
|
||||
under this License. For legal entities, "You" includes any entity that controls,
|
||||
is controlled by, or is under common control with You. For purposes of this
|
||||
definition, "control" means (a) the power, direct or indirect, to cause the
|
||||
direction or management of such entity, whether by contract or otherwise,
|
||||
or (b) ownership of more than fifty percent (50%) of the outstanding shares
|
||||
or beneficial ownership of such entity.
|
||||
|
||||
2. License Grants and Conditions
|
||||
|
||||
2.1. Grants
|
||||
|
||||
Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive
|
||||
license:
|
||||
|
||||
(a) under intellectual property rights (other than patent or trademark) Licensable
|
||||
by such Contributor to use, reproduce, make available, modify, display, perform,
|
||||
distribute, and otherwise exploit its Contributions, either on an unmodified
|
||||
basis, with Modifications, or as part of a Larger Work; and
|
||||
|
||||
(b) under Patent Claims of such Contributor to make, use, sell, offer for
|
||||
sale, have made, import, and otherwise transfer either its Contributions or
|
||||
its Contributor Version.
|
||||
|
||||
2.2. Effective Date
|
||||
|
||||
The licenses granted in Section 2.1 with respect to any Contribution become
|
||||
effective for each Contribution on the date the Contributor first distributes
|
||||
such Contribution.
|
||||
|
||||
2.3. Limitations on Grant Scope
|
||||
|
||||
The licenses granted in this Section 2 are the only rights granted under this
|
||||
License. No additional rights or licenses will be implied from the distribution
|
||||
or licensing of Covered Software under this License. Notwithstanding Section
|
||||
2.1(b) above, no patent license is granted by a Contributor:
|
||||
|
||||
(a) for any code that a Contributor has removed from Covered Software; or
|
||||
|
||||
(b) for infringements caused by: (i) Your and any other third party's modifications
|
||||
of Covered Software, or (ii) the combination of its Contributions with other
|
||||
software (except as part of its Contributor Version); or
|
||||
|
||||
(c) under Patent Claims infringed by Covered Software in the absence of its
|
||||
Contributions.
|
||||
|
||||
This License does not grant any rights in the trademarks, service marks, or
|
||||
logos of any Contributor (except as may be necessary to comply with the notice
|
||||
requirements in Section 3.4).
|
||||
|
||||
2.4. Subsequent Licenses
|
||||
|
||||
No Contributor makes additional grants as a result of Your choice to distribute
|
||||
the Covered Software under a subsequent version of this License (see Section
|
||||
10.2) or under the terms of a Secondary License (if permitted under the terms
|
||||
of Section 3.3).
|
||||
|
||||
2.5. Representation
|
||||
|
||||
Each Contributor represents that the Contributor believes its Contributions
|
||||
are its original creation(s) or it has sufficient rights to grant the rights
|
||||
to its Contributions conveyed by this License.
|
||||
|
||||
2.6. Fair Use
|
||||
|
||||
This License is not intended to limit any rights You have under applicable
|
||||
copyright doctrines of fair use, fair dealing, or other equivalents.
|
||||
|
||||
2.7. Conditions
|
||||
|
||||
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
|
||||
Section 2.1.
|
||||
|
||||
3. Responsibilities
|
||||
|
||||
3.1. Distribution of Source Form
|
||||
|
||||
All distribution of Covered Software in Source Code Form, including any Modifications
|
||||
that You create or to which You contribute, must be under the terms of this
|
||||
License. You must inform recipients that the Source Code Form of the Covered
|
||||
Software is governed by the terms of this License, and how they can obtain
|
||||
a copy of this License. You may not attempt to alter or restrict the recipients'
|
||||
rights in the Source Code Form.
|
||||
|
||||
3.2. Distribution of Executable Form
|
||||
|
||||
If You distribute Covered Software in Executable Form then:
|
||||
|
||||
(a) such Covered Software must also be made available in Source Code Form,
|
||||
as described in Section 3.1, and You must inform recipients of the Executable
|
||||
Form how they can obtain a copy of such Source Code Form by reasonable means
|
||||
in a timely manner, at a charge no more than the cost of distribution to the
|
||||
recipient; and
|
||||
|
||||
(b) You may distribute such Executable Form under the terms of this License,
|
||||
or sublicense it under different terms, provided that the license for the
|
||||
Executable Form does not attempt to limit or alter the recipients' rights
|
||||
in the Source Code Form under this License.
|
||||
|
||||
3.3. Distribution of a Larger Work
|
||||
|
||||
You may create and distribute a Larger Work under terms of Your choice, provided
|
||||
that You also comply with the requirements of this License for the Covered
|
||||
Software. If the Larger Work is a combination of Covered Software with a work
|
||||
governed by one or more Secondary Licenses, and the Covered Software is not
|
||||
Incompatible With Secondary Licenses, this License permits You to additionally
|
||||
distribute such Covered Software under the terms of such Secondary License(s),
|
||||
so that the recipient of the Larger Work may, at their option, further distribute
|
||||
the Covered Software under the terms of either this License or such Secondary
|
||||
License(s).
|
||||
|
||||
3.4. Notices
|
||||
|
||||
You may not remove or alter the substance of any license notices (including
|
||||
copyright notices, patent notices, disclaimers of warranty, or limitations
|
||||
of liability) contained within the Source Code Form of the Covered Software,
|
||||
except that You may alter any license notices to the extent required to remedy
|
||||
known factual inaccuracies.
|
||||
|
||||
3.5. Application of Additional Terms
|
||||
|
||||
You may choose to offer, and to charge a fee for, warranty, support, indemnity
|
||||
or liability obligations to one or more recipients of Covered Software. However,
|
||||
You may do so only on Your own behalf, and not on behalf of any Contributor.
|
||||
You must make it absolutely clear that any such warranty, support, indemnity,
|
||||
or liability obligation is offered by You alone, and You hereby agree to indemnify
|
||||
every Contributor for any liability incurred by such Contributor as a result
|
||||
of warranty, support, indemnity or liability terms You offer. You may include
|
||||
additional disclaimers of warranty and limitations of liability specific to
|
||||
any jurisdiction.
|
||||
|
||||
4. Inability to Comply Due to Statute or Regulation
|
||||
|
||||
If it is impossible for You to comply with any of the terms of this License
|
||||
with respect to some or all of the Covered Software due to statute, judicial
|
||||
order, or regulation then You must: (a) comply with the terms of this License
|
||||
to the maximum extent possible; and (b) describe the limitations and the code
|
||||
they affect. Such description must be placed in a text file included with
|
||||
all distributions of the Covered Software under this License. Except to the
|
||||
extent prohibited by statute or regulation, such description must be sufficiently
|
||||
detailed for a recipient of ordinary skill to be able to understand it.
|
||||
|
||||
5. Termination
|
||||
|
||||
5.1. The rights granted under this License will terminate automatically if
|
||||
You fail to comply with any of its terms. However, if You become compliant,
|
||||
then the rights granted under this License from a particular Contributor are
|
||||
reinstated (a) provisionally, unless and until such Contributor explicitly
|
||||
and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor
|
||||
fails to notify You of the non-compliance by some reasonable means prior to
|
||||
60 days after You have come back into compliance. Moreover, Your grants from
|
||||
a particular Contributor are reinstated on an ongoing basis if such Contributor
|
||||
notifies You of the non-compliance by some reasonable means, this is the first
|
||||
time You have received notice of non-compliance with this License from such
|
||||
Contributor, and You become compliant prior to 30 days after Your receipt
|
||||
of the notice.
|
||||
|
||||
5.2. If You initiate litigation against any entity by asserting a patent infringement
|
||||
claim (excluding declaratory judgment actions, counter-claims, and cross-claims)
|
||||
alleging that a Contributor Version directly or indirectly infringes any patent,
|
||||
then the rights granted to You by any and all Contributors for the Covered
|
||||
Software under Section 2.1 of this License shall terminate.
|
||||
|
||||
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end
|
||||
user license agreements (excluding distributors and resellers) which have
|
||||
been validly granted by You or Your distributors under this License prior
|
||||
to termination shall survive termination.
|
||||
|
||||
6. Disclaimer of Warranty
|
||||
|
||||
Covered Software is provided under this License on an "as is" basis, without
|
||||
warranty of any kind, either expressed, implied, or statutory, including,
|
||||
without limitation, warranties that the Covered Software is free of defects,
|
||||
merchantable, fit for a particular purpose or non-infringing. The entire risk
|
||||
as to the quality and performance of the Covered Software is with You. Should
|
||||
any Covered Software prove defective in any respect, You (not any Contributor)
|
||||
assume the cost of any necessary servicing, repair, or correction. This disclaimer
|
||||
of warranty constitutes an essential part of this License. No use of any Covered
|
||||
Software is authorized under this License except under this disclaimer.
|
||||
|
||||
7. Limitation of Liability
|
||||
|
||||
Under no circumstances and under no legal theory, whether tort (including
|
||||
negligence), contract, or otherwise, shall any Contributor, or anyone who
|
||||
distributes Covered Software as permitted above, be liable to You for any
|
||||
direct, indirect, special, incidental, or consequential damages of any character
|
||||
including, without limitation, damages for lost profits, loss of goodwill,
|
||||
work stoppage, computer failure or malfunction, or any and all other commercial
|
||||
damages or losses, even if such party shall have been informed of the possibility
|
||||
of such damages. This limitation of liability shall not apply to liability
|
||||
for death or personal injury resulting from such party's negligence to the
|
||||
extent applicable law prohibits such limitation. Some jurisdictions do not
|
||||
allow the exclusion or limitation of incidental or consequential damages,
|
||||
so this exclusion and limitation may not apply to You.
|
||||
|
||||
8. Litigation
|
||||
|
||||
Any litigation relating to this License may be brought only in the courts
|
||||
of a jurisdiction where the defendant maintains its principal place of business
|
||||
and such litigation shall be governed by laws of that jurisdiction, without
|
||||
reference to its conflict-of-law provisions. Nothing in this Section shall
|
||||
prevent a party's ability to bring cross-claims or counter-claims.
|
||||
|
||||
9. Miscellaneous
|
||||
|
||||
This License represents the complete agreement concerning the subject matter
|
||||
hereof. If any provision of this License is held to be unenforceable, such
|
||||
provision shall be reformed only to the extent necessary to make it enforceable.
|
||||
Any law or regulation which provides that the language of a contract shall
|
||||
be construed against the drafter shall not be used to construe this License
|
||||
against a Contributor.
|
||||
|
||||
10. Versions of the License
|
||||
|
||||
10.1. New Versions
|
||||
|
||||
Mozilla Foundation is the license steward. Except as provided in Section 10.3,
|
||||
no one other than the license steward has the right to modify or publish new
|
||||
versions of this License. Each version will be given a distinguishing version
|
||||
number.
|
||||
|
||||
10.2. Effect of New Versions
|
||||
|
||||
You may distribute the Covered Software under the terms of the version of
|
||||
the License under which You originally received the Covered Software, or under
|
||||
the terms of any subsequent version published by the license steward.
|
||||
|
||||
10.3. Modified Versions
|
||||
|
||||
If you create software not governed by this License, and you want to create
|
||||
a new license for such software, you may create and use a modified version
|
||||
of this License if you rename the license and remove any references to the
|
||||
name of the license steward (except to note that such modified license differs
|
||||
from this License).
|
||||
|
||||
10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
|
||||
|
||||
If You choose to distribute Source Code Form that is Incompatible With Secondary
|
||||
Licenses under the terms of this version of the License, the notice described
|
||||
in Exhibit B of this License must be attached. Exhibit A - Source Code Form
|
||||
License Notice
|
||||
|
||||
This Source Code Form is subject to the terms of the Mozilla Public License,
|
||||
v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain
|
||||
one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
If it is not possible or desirable to put the notice in a particular file,
|
||||
then You may include the notice in a location (such as a LICENSE file in a
|
||||
relevant directory) where a recipient would be likely to look for such a notice.
|
||||
|
||||
You may add additional accurate notices of copyright ownership.
|
||||
|
||||
Exhibit B - "Incompatible With Secondary Licenses" Notice
|
||||
|
||||
This Source Code Form is "Incompatible With Secondary Licenses", as defined
|
||||
by the Mozilla Public License, v. 2.0.
|
|
@ -0,0 +1,41 @@
|
|||
# hashcash
|
||||
|
||||
HTTP Hashcash implemented in Go.
|
||||
|
||||
Explanation at https://therootcompany.com/blog/http-hashcash/
|
||||
|
||||
Go docs at https://godoc.org/git.rootprojects.org/root/hashcash
|
||||
|
||||
# CLI Usage
|
||||
|
||||
Install:
|
||||
|
||||
```bash
|
||||
go get git.rootprojects.org/root/hashcash/cmd/hashcash
|
||||
```
|
||||
|
||||
Usage:
|
||||
|
||||
```txt
|
||||
Usage:
|
||||
hashcash new [subject *] [expires in 5m] [difficulty 10]
|
||||
hashcash parse <hashcash>
|
||||
hashcash solve <hashcash>
|
||||
hashcash verify <hashcash> [subject *]
|
||||
```
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
my_hc=$(hashcash new)
|
||||
echo New: $my_hc
|
||||
hashcash parse "$my_hc"
|
||||
echo ""
|
||||
|
||||
my_hc=$(hashcash solve "$my_hc")
|
||||
echo Solved: $my_hc
|
||||
hashcash parse "$my_hc"
|
||||
echo ""
|
||||
|
||||
hashcash verify "$my_hc"
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
module git.rootprojects.org/root/hashcash
|
||||
|
||||
go 1.15
|
|
@ -0,0 +1,284 @@
|
|||
package hashcash
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"encoding/binary"
|
||||
"errors"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
// ErrParse is returned when fewer than 6 or more than 7 segments are split
|
||||
var ErrParse = errors.New("could not split the hashcash parts")
|
||||
|
||||
// ErrInvalidTag is returned when the Hashcash version is unsupported
|
||||
var ErrInvalidTag = errors.New("expected tag to be 'H'")
|
||||
|
||||
// ErrInvalidDifficulty is returned when the difficulty is outside of the acceptable range
|
||||
var ErrInvalidDifficulty = errors.New("the number of bits of difficulty is too low or too high")
|
||||
|
||||
// ErrInvalidDate is returned when the date cannot be parsed as a positive int64
|
||||
var ErrInvalidDate = errors.New("invalid date")
|
||||
|
||||
// ErrExpired is returned when the current time is past that of ExpiresAt
|
||||
var ErrExpired = errors.New("expired hashcash")
|
||||
|
||||
// ErrInvalidSubject is returned when the subject is invalid or does not match that passed to Verify()
|
||||
var ErrInvalidSubject = errors.New("the subject is invalid or rejected")
|
||||
|
||||
// ErrInvalidNonce is returned when the nonce
|
||||
//var ErrInvalidNonce = errors.New("the nonce has been used or is invalid")
|
||||
|
||||
// ErrUnsupportedAlgorithm is returned when the given algorithm is not supported
|
||||
var ErrUnsupportedAlgorithm = errors.New("the given algorithm is invalid or not supported")
|
||||
|
||||
// ErrInvalidSolution is returned when the given hashcash is not properly solved
|
||||
var ErrInvalidSolution = errors.New("the given solution is not valid")
|
||||
|
||||
// MaxDifficulty is the upper bound for all Solve() operations
|
||||
var MaxDifficulty = 26
|
||||
|
||||
// Sep is the separator character to use
|
||||
var Sep = ":"
|
||||
|
||||
// no milliseconds
|
||||
//var isoTS = "2006-01-02T15:04:05Z"
|
||||
|
||||
// Hashcash represents a parsed Hashcash string
|
||||
type Hashcash struct {
|
||||
Tag string `json:"tag"` // Always "H" for "HTTP"
|
||||
Difficulty int `json:"difficulty"` // Number of "partial pre-image" (zero) bits in the hashed code
|
||||
ExpiresAt time.Time `json:"exp"` // The timestamp that the hashcash expires, as seconds since the Unix epoch
|
||||
Subject string `json:"sub"` // Resource data string being transmitted, e.g., a domain or URL
|
||||
Nonce string `json:"nonce"` // Unique string of random characters, encoded as url-safe base-64
|
||||
Alg string `json:"alg"` // always SHA-256 for now
|
||||
Solution string `json:"solution"` // Binary counter, encoded as url-safe base-64
|
||||
}
|
||||
|
||||
// New returns a Hashcash with reasonable defaults
|
||||
func New(h Hashcash) *Hashcash {
|
||||
h.Tag = "H"
|
||||
|
||||
if 0 == h.Difficulty {
|
||||
// safe for WebCrypto
|
||||
h.Difficulty = 10
|
||||
}
|
||||
|
||||
if h.ExpiresAt.IsZero() {
|
||||
h.ExpiresAt = time.Now().Add(5 * time.Minute)
|
||||
}
|
||||
h.ExpiresAt = h.ExpiresAt.UTC().Truncate(time.Second)
|
||||
|
||||
if "" == h.Subject {
|
||||
h.Subject = "*"
|
||||
}
|
||||
|
||||
if "" == h.Nonce {
|
||||
nonce := make([]byte, 16)
|
||||
if _, err := rand.Read(nonce); nil != err {
|
||||
panic(err)
|
||||
return nil
|
||||
}
|
||||
h.Nonce = base64.RawURLEncoding.EncodeToString(nonce)
|
||||
}
|
||||
|
||||
if "" == h.Alg {
|
||||
h.Alg = "SHA-256"
|
||||
}
|
||||
/*
|
||||
if "SHA-256" != h.Alg {
|
||||
// TODO error
|
||||
}
|
||||
*/
|
||||
|
||||
return &h
|
||||
}
|
||||
|
||||
// Parse will (obviously) parse the hashcash string, without verifying any
|
||||
// of the parameters.
|
||||
func Parse(hc string) (*Hashcash, error) {
|
||||
parts := strings.Split(hc, Sep)
|
||||
n := len(parts)
|
||||
if n < 6 || n > 7 {
|
||||
return nil, ErrParse
|
||||
}
|
||||
|
||||
tag := parts[0]
|
||||
if "H" != tag {
|
||||
return nil, ErrInvalidTag
|
||||
}
|
||||
|
||||
bits, err := strconv.Atoi(parts[1])
|
||||
if nil != err || bits < 0 {
|
||||
return nil, ErrInvalidDifficulty
|
||||
}
|
||||
|
||||
// Allow empty ExpiresAt
|
||||
var exp time.Time
|
||||
if "" != parts[2] {
|
||||
expAt, err := strconv.ParseInt(parts[2], 10, 64)
|
||||
if nil != err || expAt < 0 {
|
||||
return nil, ErrInvalidDate
|
||||
}
|
||||
exp = time.Unix(int64(expAt), 0).UTC()
|
||||
}
|
||||
|
||||
/*
|
||||
exp, err := time.ParseInLocation(isoTS, parts[2], time.UTC)
|
||||
if nil != err {
|
||||
return nil, ErrInvalidDate
|
||||
}
|
||||
*/
|
||||
|
||||
sub := parts[3]
|
||||
|
||||
nonce := parts[4]
|
||||
|
||||
alg := parts[5]
|
||||
|
||||
var solution string
|
||||
if n > 6 {
|
||||
solution = parts[6]
|
||||
}
|
||||
|
||||
h := &Hashcash{
|
||||
Tag: tag,
|
||||
Difficulty: bits,
|
||||
ExpiresAt: exp.UTC().Truncate(time.Second),
|
||||
Subject: sub,
|
||||
Nonce: nonce,
|
||||
Alg: alg,
|
||||
Solution: solution,
|
||||
}
|
||||
|
||||
return h, nil
|
||||
}
|
||||
|
||||
// String will return the formatted Hashcash, omitting the solution if it has not be solved.
|
||||
func (h *Hashcash) String() string {
|
||||
var solution string
|
||||
if "" != h.Solution {
|
||||
solution = Sep + h.Solution
|
||||
}
|
||||
|
||||
var expAt string
|
||||
if !h.ExpiresAt.IsZero() {
|
||||
expAt = strconv.FormatInt(h.ExpiresAt.UTC().Truncate(time.Second).Unix(), 10)
|
||||
}
|
||||
return strings.Join(
|
||||
[]string{
|
||||
"H",
|
||||
strconv.Itoa(h.Difficulty),
|
||||
//h.ExpiresAt.UTC().Format(isoTS),
|
||||
expAt,
|
||||
h.Subject,
|
||||
h.Nonce,
|
||||
h.Alg,
|
||||
},
|
||||
Sep,
|
||||
) + solution
|
||||
}
|
||||
|
||||
// Verify the Hashcash based on Difficulty, Algorithm, ExpiresAt, Subject and,
|
||||
// of course, the Solution and hash.
|
||||
func (h *Hashcash) Verify(subject string) error {
|
||||
if h.Difficulty < 0 {
|
||||
return ErrInvalidDifficulty
|
||||
}
|
||||
|
||||
if "SHA-256" != h.Alg {
|
||||
return ErrUnsupportedAlgorithm
|
||||
}
|
||||
|
||||
if !h.ExpiresAt.IsZero() && h.ExpiresAt.Sub(time.Now()) < 0 {
|
||||
return ErrExpired
|
||||
}
|
||||
|
||||
if subject != h.Subject {
|
||||
return ErrInvalidSubject
|
||||
}
|
||||
|
||||
bits := h.Difficulty
|
||||
hash := sha256.Sum256([]byte(h.String()))
|
||||
n := bits / 8 // 10 / 8 = 1
|
||||
m := bits % 8 // 10 % 8 = 2
|
||||
if m > 0 {
|
||||
n++ // 10 bits = 2 bytes
|
||||
}
|
||||
|
||||
if !verifyBits(hash[:n], bits, n) {
|
||||
return ErrInvalidSolution
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func verifyBits(hash []byte, bits, n int) bool {
|
||||
for i := 0; i < n; i++ {
|
||||
if bits > 8 {
|
||||
bits -= 8
|
||||
if 0 != hash[i] {
|
||||
return false
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
||||
// (bits % 8) == bits
|
||||
pad := 8 - bits
|
||||
if 0 != hash[i]>>pad {
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
// 0 == bits
|
||||
return true
|
||||
}
|
||||
|
||||
// Solve will search for a solution, returning an error if the difficulty is
|
||||
// above the local or global MaxDifficulty, the Algorithm is unsupported.
|
||||
func (h *Hashcash) Solve(maxDifficulty int) error {
|
||||
if "SHA-256" != h.Alg {
|
||||
return ErrUnsupportedAlgorithm
|
||||
}
|
||||
|
||||
if h.Difficulty < 0 {
|
||||
return ErrInvalidDifficulty
|
||||
}
|
||||
|
||||
if h.Difficulty > maxDifficulty || h.Difficulty > MaxDifficulty {
|
||||
return ErrInvalidDifficulty
|
||||
}
|
||||
|
||||
if "" != h.Solution {
|
||||
if nil == h.Verify(h.Subject) {
|
||||
return nil
|
||||
}
|
||||
h.Solution = ""
|
||||
}
|
||||
|
||||
hashcash := h.String()
|
||||
bits := h.Difficulty
|
||||
n := bits / 8 // 10 / 8 = 1
|
||||
m := bits % 8 // 10 % 8 = 2
|
||||
if m > 0 {
|
||||
n++ // 10 bits = 2 bytes
|
||||
}
|
||||
|
||||
var solution uint32 = 0
|
||||
sb := make([]byte, 4)
|
||||
for {
|
||||
// Note: it's not actually important what method of change or encoding is used
|
||||
// but incrementing by 1 on an int32 is good enough, and makes for a small base64 encoding
|
||||
binary.LittleEndian.PutUint32(sb, solution)
|
||||
h.Solution = base64.RawURLEncoding.EncodeToString(sb)
|
||||
hash := sha256.Sum256([]byte(hashcash + Sep + h.Solution))
|
||||
if verifyBits(hash[:n], bits, n) {
|
||||
return nil
|
||||
}
|
||||
solution++
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
# git.rootprojects.org/root/hashcash v1.0.1
|
||||
git.rootprojects.org/root/hashcash
|
||||
# git.rootprojects.org/root/keypairs v0.5.2
|
||||
git.rootprojects.org/root/keypairs
|
||||
git.rootprojects.org/root/keypairs/keyfetch
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
package xkeypairs
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
)
|
||||
|
||||
func (jws *JWS) DecodeComponents() error {
|
||||
protected, err := base64.RawURLEncoding.DecodeString(jws.Protected)
|
||||
if nil != err {
|
||||
return errors.New("invalid JWS header base64Url encoding")
|
||||
}
|
||||
if err := json.Unmarshal([]byte(protected), &jws.Header); nil != err {
|
||||
return errors.New("invalid JWS header")
|
||||
}
|
||||
|
||||
payload, err := base64.RawURLEncoding.DecodeString(jws.Payload)
|
||||
if nil != err {
|
||||
return errors.New("invalid JWS payload base64Url encoding")
|
||||
}
|
||||
if err := json.Unmarshal([]byte(payload), &jws.Claims); nil != err {
|
||||
return errors.New("invalid JWS claims")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
/*
|
||||
func Decode(msg string) (*JWS, error) {
|
||||
jws := &JWS{}
|
||||
|
||||
decoder := json.NewDecoder(r.Body)
|
||||
err := decoder.Decode(jws)
|
||||
return jws, err
|
||||
}
|
||||
|
||||
func Unmarshal(msg string) (*JWS, error) {
|
||||
jws := &JWS{}
|
||||
|
||||
if err := json.Unmarshal([]byte(msg), jws); nil != err {
|
||||
return nil, err
|
||||
}
|
||||
return jws, nil
|
||||
}
|
||||
*/
|
Loading…
Reference in New Issue