wip: ready new-account for email and google verification
This commit is contained in:
parent
9608a7429b
commit
23822cdf09
1
go.mod
1
go.mod
|
@ -3,6 +3,7 @@ module git.coolaj86.com/coolaj86/go-mockid
|
||||||
go 1.13
|
go 1.13
|
||||||
|
|
||||||
require (
|
require (
|
||||||
|
git.rootprojects.org/root/hashcash v1.0.1
|
||||||
git.rootprojects.org/root/keypairs v0.5.2
|
git.rootprojects.org/root/keypairs v0.5.2
|
||||||
github.com/google/uuid v1.1.1
|
github.com/google/uuid v1.1.1
|
||||||
github.com/joho/godotenv v1.3.0
|
github.com/joho/godotenv v1.3.0
|
||||||
|
|
2
go.sum
2
go.sum
|
@ -1,3 +1,5 @@
|
||||||
|
git.rootprojects.org/root/hashcash v1.0.1 h1:PkzwZu4CR5q/hwAntJdvcmNhmP0ONhetMo7rYhIZhZ0=
|
||||||
|
git.rootprojects.org/root/hashcash v1.0.1/go.mod h1:HdoULUe94o1NVMES5K6aP3p8QGQiIia73F1HNZ1+FkQ=
|
||||||
git.rootprojects.org/root/keypairs v0.5.2 h1:jr+drUUm/REaCDJTl5gT3kF2PwlXygcLsBZlqoKTZZw=
|
git.rootprojects.org/root/keypairs v0.5.2 h1:jr+drUUm/REaCDJTl5gT3kF2PwlXygcLsBZlqoKTZZw=
|
||||||
git.rootprojects.org/root/keypairs v0.5.2/go.mod h1:WGI8PadOp+4LjUuI+wNlSwcJwFtY8L9XuNjuO3213HA=
|
git.rootprojects.org/root/keypairs v0.5.2/go.mod h1:WGI8PadOp+4LjUuI+wNlSwcJwFtY8L9XuNjuO3213HA=
|
||||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||||
|
|
|
@ -19,7 +19,7 @@ func Verify(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
var jws *xkeypairs.JWS
|
jws := &xkeypairs.JWS{}
|
||||||
|
|
||||||
authzParts := strings.Split(r.Header.Get("Authorization"), " ")
|
authzParts := strings.Split(r.Header.Get("Authorization"), " ")
|
||||||
lenAuthz := len(authzParts)
|
lenAuthz := len(authzParts)
|
||||||
|
@ -27,11 +27,9 @@ func Verify(w http.ResponseWriter, r *http.Request) {
|
||||||
jwt := authzParts[1]
|
jwt := authzParts[1]
|
||||||
jwsParts := strings.Split(jwt, ".")
|
jwsParts := strings.Split(jwt, ".")
|
||||||
if 3 == len(jwsParts) {
|
if 3 == len(jwsParts) {
|
||||||
jws = &xkeypairs.JWS{
|
jws.Protected = jwsParts[0]
|
||||||
Protected: jwsParts[0],
|
jws.Payload = jwsParts[1]
|
||||||
Payload: jwsParts[1],
|
jws.Signature = jwsParts[2]
|
||||||
Signature: jwsParts[2],
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -41,7 +39,7 @@ func Verify(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
decoder := json.NewDecoder(r.Body)
|
decoder := json.NewDecoder(r.Body)
|
||||||
err := decoder.Decode(&jws)
|
err := decoder.Decode(jws)
|
||||||
if nil != err && io.EOF != err {
|
if nil != err && io.EOF != err {
|
||||||
log.Printf("json decode error: %s", err)
|
log.Printf("json decode error: %s", err)
|
||||||
http.Error(w, "Bad Request: invalid JWS body", http.StatusBadRequest)
|
http.Error(w, "Bad Request: invalid JWS body", http.StatusBadRequest)
|
||||||
|
|
|
@ -0,0 +1,101 @@
|
||||||
|
package mockid
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"net/http"
|
||||||
|
"sync"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"git.rootprojects.org/root/hashcash"
|
||||||
|
)
|
||||||
|
|
||||||
|
var hashcashes = &hashcashDB{
|
||||||
|
db: sync.Map{},
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewHashcash(sub string, exp time.Time) *hashcash.Hashcash {
|
||||||
|
|
||||||
|
h := hashcash.New(hashcash.Hashcash{
|
||||||
|
Subject: sub,
|
||||||
|
ExpiresAt: exp,
|
||||||
|
})
|
||||||
|
|
||||||
|
// ignoring the error because this implementation is backed by an in-memory map
|
||||||
|
_ = hashcashes.Store(h.Nonce, h)
|
||||||
|
|
||||||
|
return h
|
||||||
|
}
|
||||||
|
|
||||||
|
var ErrNotFound = errors.New("not found")
|
||||||
|
|
||||||
|
func UseHashcash(hc string) error {
|
||||||
|
phony, err := hashcash.Parse(hc)
|
||||||
|
if nil != err {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
hi, ok, _ := hashcashes.Load(phony.Nonce)
|
||||||
|
if !ok {
|
||||||
|
return ErrNotFound
|
||||||
|
}
|
||||||
|
mccoy := hi.(*hashcash.Hashcash)
|
||||||
|
mccopy := *mccoy
|
||||||
|
|
||||||
|
mccopy.Solution = phony.Solution
|
||||||
|
if err := mccopy.Verify("*"); nil != err {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
_ = hashcashes.Delete(mccoy.Nonce)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func issueHashcash(w http.ResponseWriter, r *http.Request) *hashcash.Hashcash {
|
||||||
|
h := NewHashcash(r.Host, time.Now().Add(5*time.Minute))
|
||||||
|
w.Header().Set("Hashcash-Challenge", h.String())
|
||||||
|
return h
|
||||||
|
}
|
||||||
|
|
||||||
|
func requireHashcash(next http.HandlerFunc) http.HandlerFunc {
|
||||||
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
hc := r.Header.Get("Hashcash")
|
||||||
|
_ = issueHashcash(w, r)
|
||||||
|
if err := UseHashcash(hc); nil != err {
|
||||||
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
next(w, r)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type hashcashDB struct {
|
||||||
|
db sync.Map
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *hashcashDB) Load(key interface{}) (value interface{}, ok bool, err error) {
|
||||||
|
v, ok := h.db.Load(key)
|
||||||
|
return v, ok, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *hashcashDB) Store(key interface{}, value interface{}) (err error) {
|
||||||
|
h.db.Store(key, value)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *hashcashDB) Delete(key interface{}) (err error) {
|
||||||
|
h.db.Delete(key)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *hashcashDB) vacuum() (err error) {
|
||||||
|
now := time.Now().UTC()
|
||||||
|
h.db.Range(func(key interface{}, val interface{}) bool {
|
||||||
|
v := val.(*hashcash.Hashcash)
|
||||||
|
if v.ExpiresAt.Sub(now) < 0 {
|
||||||
|
h.db.Delete(key)
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
})
|
||||||
|
return nil
|
||||||
|
}
|
|
@ -11,11 +11,9 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"math/big"
|
"math/big"
|
||||||
"net/http"
|
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"strconv"
|
"strconv"
|
||||||
"sync"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"git.coolaj86.com/coolaj86/go-mockid/xkeypairs"
|
"git.coolaj86.com/coolaj86/go-mockid/xkeypairs"
|
||||||
|
@ -34,6 +32,13 @@ type PublicJWK struct {
|
||||||
Y string `json:"y"`
|
Y string `json:"y"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type KVDB interface {
|
||||||
|
Load(key interface{}) (value interface{}, ok bool, err error)
|
||||||
|
Store(key interface{}) (value interface{}, err error)
|
||||||
|
Delete(key interface{}) (err error)
|
||||||
|
vacuum() (err error)
|
||||||
|
}
|
||||||
|
|
||||||
type InspectableToken struct {
|
type InspectableToken struct {
|
||||||
Public keypairs.PublicKey `json:"jwk"`
|
Public keypairs.PublicKey `json:"jwk"`
|
||||||
Protected map[string]interface{} `json:"protected"`
|
Protected map[string]interface{} `json:"protected"`
|
||||||
|
@ -57,9 +62,6 @@ func (t *InspectableToken) MarshalJSON() ([]byte, error) {
|
||||||
var defaultFrom string
|
var defaultFrom string
|
||||||
var defaultReplyTo string
|
var defaultReplyTo string
|
||||||
|
|
||||||
//var nonces map[string]int64
|
|
||||||
//var nonCh chan string
|
|
||||||
var nonces sync.Map
|
|
||||||
var salt []byte
|
var salt []byte
|
||||||
|
|
||||||
func Init() {
|
func Init() {
|
||||||
|
@ -82,6 +84,13 @@ func Init() {
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
go func() {
|
||||||
|
for {
|
||||||
|
time.Sleep(15 * time.Second)
|
||||||
|
hashcashes.vacuum()
|
||||||
|
}
|
||||||
|
}()
|
||||||
}
|
}
|
||||||
|
|
||||||
func GenToken(host string, privkey keypairs.PrivateKey, query url.Values) (string, string, string) {
|
func GenToken(host string, privkey keypairs.PrivateKey, query url.Values) (string, string, string) {
|
||||||
|
@ -164,40 +173,3 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func issueNonce(w http.ResponseWriter, r *http.Request) {
|
|
||||||
b := make([]byte, 16)
|
|
||||||
_, _ = rand.Read(b)
|
|
||||||
nonce := base64.RawURLEncoding.EncodeToString(b)
|
|
||||||
//nonCh <- nonce
|
|
||||||
nonces.Store(nonce, time.Now())
|
|
||||||
|
|
||||||
w.Header().Set("Replay-Nonce", nonce)
|
|
||||||
}
|
|
||||||
|
|
||||||
func requireNonce(next http.HandlerFunc) http.HandlerFunc {
|
|
||||||
return func(w http.ResponseWriter, r *http.Request) {
|
|
||||||
nonce := r.Header.Get("Replay-Nonce")
|
|
||||||
// TODO expire nonces every so often
|
|
||||||
//t := nonces[nonce]
|
|
||||||
var t time.Time
|
|
||||||
tmp, ok := nonces.Load(nonce)
|
|
||||||
if ok {
|
|
||||||
t = tmp.(time.Time)
|
|
||||||
}
|
|
||||||
if !ok || time.Now().Sub(t) > 15*time.Minute {
|
|
||||||
http.Error(
|
|
||||||
w,
|
|
||||||
`{ "error": "invalid or expired nonce", "error_code": "ENONCE" }`,
|
|
||||||
http.StatusBadRequest,
|
|
||||||
)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
//delete(nonces, nonce)
|
|
||||||
nonces.Delete(nonce)
|
|
||||||
issueNonce(w, r)
|
|
||||||
|
|
||||||
next(w, r)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
@ -0,0 +1,64 @@
|
||||||
|
package mockid
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rand"
|
||||||
|
"encoding/base64"
|
||||||
|
"net/http"
|
||||||
|
"sync"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
//var nonces map[string]int64
|
||||||
|
//var nonCh chan string
|
||||||
|
var nonces sync.Map
|
||||||
|
|
||||||
|
func issueNonce(w http.ResponseWriter, r *http.Request) {
|
||||||
|
b := make([]byte, 16)
|
||||||
|
_, _ = rand.Read(b)
|
||||||
|
nonce := base64.RawURLEncoding.EncodeToString(b)
|
||||||
|
//nonCh <- nonce
|
||||||
|
nonces.Store(nonce, time.Now())
|
||||||
|
|
||||||
|
w.Header().Set("Replay-Nonce", nonce)
|
||||||
|
}
|
||||||
|
|
||||||
|
func requireNonce(next http.HandlerFunc) http.HandlerFunc {
|
||||||
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
nonce := r.Header.Get("Replay-Nonce")
|
||||||
|
// TODO expire nonces every so often
|
||||||
|
//t := nonces[nonce]
|
||||||
|
|
||||||
|
if !useNonce(nonce) {
|
||||||
|
http.Error(
|
||||||
|
w,
|
||||||
|
`{ "error": "invalid or expired nonce", "error_code": "ENONCE" }`,
|
||||||
|
http.StatusBadRequest,
|
||||||
|
)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
issueNonce(w, r)
|
||||||
|
next(w, r)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkNonce(nonce string) bool {
|
||||||
|
var t time.Time
|
||||||
|
tmp, ok := nonces.Load(nonce)
|
||||||
|
if ok {
|
||||||
|
t = tmp.(time.Time)
|
||||||
|
}
|
||||||
|
if ok && time.Now().Sub(t) <= 15*time.Minute {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func useNonce(nonce string) bool {
|
||||||
|
if checkNonce(nonce) {
|
||||||
|
//delete(nonces, nonce)
|
||||||
|
nonces.Delete(nonce)
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
273
mockid/route.go
273
mockid/route.go
|
@ -6,6 +6,7 @@ import (
|
||||||
"crypto/sha512"
|
"crypto/sha512"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"log"
|
"log"
|
||||||
|
@ -23,94 +24,150 @@ import (
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type HTTPResponse struct {
|
||||||
|
Error string `json:"error"`
|
||||||
|
Success bool `json:"success"`
|
||||||
|
}
|
||||||
|
|
||||||
// Route returns an HTTP Mux containing the full API
|
// Route returns an HTTP Mux containing the full API
|
||||||
func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
|
func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
|
||||||
Init()
|
Init()
|
||||||
|
|
||||||
// TODO get from main()
|
// TODO get from main()
|
||||||
tokPrefix := jwksPrefix
|
tokenPrefix = jwksPrefix
|
||||||
pubkey := keypairs.NewPublicKey(privkey.Public())
|
pubkey := keypairs.NewPublicKey(privkey.Public())
|
||||||
|
|
||||||
http.HandleFunc("/api/new-nonce", func(w http.ResponseWriter, r *http.Request) {
|
http.HandleFunc("/api/new-hashcash", func(w http.ResponseWriter, r *http.Request) {
|
||||||
baseURL := getBaseURL(r)
|
if "POST" != r.Method {
|
||||||
/*
|
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
|
||||||
res.statusCode = 200;
|
return
|
||||||
res.setHeader("Cache-Control", "max-age=0, no-cache, no-store");
|
}
|
||||||
// TODO
|
|
||||||
//res.setHeader("Date", "Sun, 10 Mar 2019 08:04:45 GMT");
|
indexURL := getBaseURL(r) + "/api/directory"
|
||||||
// is this the expiration of the nonce itself? methinks maybe so
|
|
||||||
//res.setHeader("Expires", "Sun, 10 Mar 2019 08:04:45 GMT");
|
|
||||||
// TODO use one of the registered domains
|
|
||||||
//var indexURL = "https://acme-staging-v02.api.letsencrypt.org/index"
|
|
||||||
*/
|
|
||||||
//var port = (state.config.ipc && state.config.ipc.port || state._ipc.port || undefined);
|
|
||||||
//var indexURL = "http://localhost:" + port + "/index";
|
|
||||||
indexURL := baseURL + "/index"
|
|
||||||
w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"")
|
w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"")
|
||||||
|
|
||||||
|
w.Header().Set("Date", time.Now().Format(http.TimeFormat))
|
||||||
|
// disable caching in every possible way
|
||||||
|
w.Header().Set("Expires", time.Now().Format(http.TimeFormat))
|
||||||
w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store")
|
w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store")
|
||||||
w.Header().Set("Pragma", "no-cache")
|
w.Header().Set("Pragma", "no-cache")
|
||||||
//res.setHeader("Strict-Transport-Security", "max-age=604800");
|
w.Header().Set("Strict-Transport-Security", "max-age=604800")
|
||||||
|
|
||||||
w.Header().Set("X-Frame-Options", "DENY")
|
w.Header().Set("X-Frame-Options", "DENY")
|
||||||
issueNonce(w, r)
|
|
||||||
|
h := issueHashcash(w, r)
|
||||||
|
b, _ := json.Marshal(h)
|
||||||
|
w.Write(b)
|
||||||
})
|
})
|
||||||
|
|
||||||
http.HandleFunc("/api/new-account", requireNonce(func(w http.ResponseWriter, r *http.Request) {
|
http.HandleFunc("/api/new-nonce", requireHashcash(func(w http.ResponseWriter, r *http.Request) {
|
||||||
// Try to decode the request body into the struct. If there is an error,
|
indexURL := getBaseURL(r) + "/api/directory"
|
||||||
// respond to the client with the error message and a 400 status code.
|
w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"")
|
||||||
data := map[string]string{}
|
|
||||||
err := json.NewDecoder(r.Body).Decode(&data)
|
w.Header().Set("Date", time.Now().Format(http.TimeFormat))
|
||||||
if nil != err {
|
// disable caching in every possible way
|
||||||
http.Error(w, err.Error(), http.StatusBadRequest)
|
w.Header().Set("Expires", time.Now().Format(http.TimeFormat))
|
||||||
|
w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store")
|
||||||
|
w.Header().Set("Pragma", "no-cache")
|
||||||
|
w.Header().Set("Strict-Transport-Security", "max-age=604800")
|
||||||
|
|
||||||
|
w.Header().Set("X-Frame-Options", "DENY")
|
||||||
|
|
||||||
|
issueNonce(w, r)
|
||||||
|
}))
|
||||||
|
|
||||||
|
http.HandleFunc("/api/test-hashcash", func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
if err := UseHashcash(r.Header.Get("Hashcash")); nil != err {
|
||||||
|
b, _ := json.Marshal(&HTTPResponse{
|
||||||
|
Error: err.Error(),
|
||||||
|
})
|
||||||
|
w.Write(b)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO check DNS for MX records
|
b, _ := json.Marshal(&HTTPResponse{
|
||||||
parts := strings.Split(data["to"], ", <>\n\r\t")
|
Success: true,
|
||||||
to := parts[0]
|
})
|
||||||
if len(parts) > 1 || !strings.Contains(to, "@") {
|
w.Write(b)
|
||||||
http.Error(w, "invalid email address", http.StatusBadRequest)
|
})
|
||||||
|
|
||||||
|
type NewAccount struct {
|
||||||
|
Contact []string `json:"contact"`
|
||||||
|
TermsOfServiceAgreed bool `json:"termsOfServiceAgreed"`
|
||||||
|
}
|
||||||
|
|
||||||
|
http.HandleFunc("/api/new-account", func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
myURL := getBaseURL(r) + r.URL.Path
|
||||||
|
|
||||||
|
jws := &xkeypairs.JWS{}
|
||||||
|
|
||||||
|
decoder := json.NewDecoder(r.Body)
|
||||||
|
if err := decoder.Decode(jws); nil != err {
|
||||||
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
defer r.Body.Close()
|
||||||
|
|
||||||
|
if err := jws.DecodeComponents(); nil != err {
|
||||||
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||||
|
fmt.Fprintf(w, `{"error":%q}`+"\n", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO expect JWK in JWS/JWT
|
kid, _ := jws.Header["kid"].(string)
|
||||||
// TODO place validated JWK into file with token
|
if "" != kid {
|
||||||
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||||
token, err := uuid.NewRandom()
|
fmt.Fprintf(w, `{"error":"jws must include protected jwk, which is mutually exclusive from kid"}`+"\n")
|
||||||
if nil != err {
|
|
||||||
// nothing else to do if we run out of random
|
|
||||||
// or are on a platform that doesn't support random
|
|
||||||
panic(fmt.Errorf("random bytes read failure: %w", err))
|
|
||||||
}
|
|
||||||
token64 := base64.RawURLEncoding.EncodeToString([]byte(token[:]))
|
|
||||||
// hash token to prevent fs read timing attacks
|
|
||||||
hash := sha1.Sum(append(token[:], salt...))
|
|
||||||
tokname := base64.RawURLEncoding.EncodeToString(hash[:])
|
|
||||||
if err := ioutil.WriteFile(
|
|
||||||
filepath.Join(tokPrefix, tokname+".tok.txt"),
|
|
||||||
[]byte(`{"comment":"I have no idea..."}`),
|
|
||||||
os.FileMode(0600),
|
|
||||||
); nil != err {
|
|
||||||
http.Error(w, "database connection failed when writing verification token", http.StatusInternalServerError)
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
subject := "Verify New Account"
|
|
||||||
// TODO go tpl
|
alg, _ := jws.Header["alg"].(string)
|
||||||
// TODO determine OS and Browser from user agent
|
if !strings.HasSuffix(alg, "256") {
|
||||||
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||||
|
fmt.Fprintf(w, `{"error":"invalid jws protected algorithm"}`+"\n")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
nonce, _ := jws.Header["nonce"].(string)
|
||||||
|
if !useNonce(nonce) {
|
||||||
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||||
|
fmt.Fprintf(w, `{"error":"invalid jws protected nonce"}`+"\n")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
jwsURL, _ := jws.Header["url"].(string)
|
||||||
|
if myURL != jwsURL {
|
||||||
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||||
|
fmt.Fprintf(w, `{"error":"invalid jws protected target URL"}`+"\n")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
ok, err := xkeypairs.VerifyClaims(nil, jws)
|
||||||
|
if nil != err || !ok {
|
||||||
|
if nil != err {
|
||||||
|
log.Printf("jws verify error: %s", err)
|
||||||
|
}
|
||||||
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||||
|
fmt.Fprintf(w, `{"error":"could not verify JWS claims"}`+"\n")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
contacts, _ := jws.Claims["contact"].([]string)
|
||||||
|
contact := ""
|
||||||
|
if 1 == len(contacts) {
|
||||||
|
contact = contacts[0]
|
||||||
|
}
|
||||||
|
|
||||||
baseURL := getBaseURL(r)
|
baseURL := getBaseURL(r)
|
||||||
text := fmt.Sprintf(
|
if err := startVerification(baseURL, contact); nil != err {
|
||||||
"It looks like you just tried to register a new Pocket ID account.\n\n Verify account: %s/verify/%s\n\nNot you? Just ignore this message.",
|
http.Error(w, "Bad Request", http.StatusBadRequest)
|
||||||
baseURL, token64,
|
msg, _ := json.Marshal(err.Error())
|
||||||
)
|
fmt.Fprintf(w, `{"error":%s}`+"\n", msg)
|
||||||
_, err = SendSimpleMessage(to, defaultFrom, subject, text, defaultReplyTo)
|
|
||||||
if nil != err {
|
|
||||||
// TODO neuter mailgun output
|
|
||||||
http.Error(w, err.Error(), http.StatusBadRequest)
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n")
|
fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n")
|
||||||
}))
|
})
|
||||||
|
|
||||||
// TODO use chi
|
// TODO use chi
|
||||||
http.HandleFunc("/verify/", requireNonce(func(w http.ResponseWriter, r *http.Request) {
|
http.HandleFunc("/verify/", requireNonce(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
@ -119,24 +176,13 @@ func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
|
||||||
http.Error(w, "invalid url path", http.StatusBadRequest)
|
http.Error(w, "invalid url path", http.StatusBadRequest)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
token64 := parts[2]
|
token := parts[2]
|
||||||
token, err := base64.RawURLEncoding.DecodeString(token64)
|
|
||||||
if err != nil || 0 == len(token) {
|
|
||||||
http.Error(w, "invalid url path", http.StatusBadRequest)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
// hash token to prevent fs read timing attacks
|
|
||||||
hash := sha1.Sum(append(token, salt...))
|
|
||||||
tokname := base64.RawURLEncoding.EncodeToString(hash[:])
|
|
||||||
tokfile := filepath.Join(tokPrefix, tokname+".tok.txt")
|
|
||||||
_, err = ioutil.ReadFile(tokfile)
|
|
||||||
if nil != err {
|
|
||||||
http.Error(w, "database connection failed when reading verification token", http.StatusInternalServerError)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// TODO promote JWK to public... and related to an ID or email??
|
if err := checkOTP(token); nil != err {
|
||||||
os.Remove(tokfile)
|
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
|
||||||
|
fmt.Fprintf(w, "%s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n")
|
fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n")
|
||||||
}))
|
}))
|
||||||
|
@ -374,6 +420,77 @@ func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
|
||||||
return http.DefaultServeMux
|
return http.DefaultServeMux
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var tokenPrefix string
|
||||||
|
|
||||||
|
func newOTP() (string, error) {
|
||||||
|
rnd, err := uuid.NewRandom()
|
||||||
|
if nil != err {
|
||||||
|
// nothing else to do if we run out of random
|
||||||
|
// or are on a platform that doesn't support random
|
||||||
|
panic(fmt.Errorf("random bytes read failure: %w", err))
|
||||||
|
}
|
||||||
|
token := base64.RawURLEncoding.EncodeToString(rnd[:])
|
||||||
|
|
||||||
|
// We hash the random value to prevent DB / FS / compare timing attacks
|
||||||
|
tokenID := sha1.Sum([]byte(token))
|
||||||
|
tokenName := base64.RawURLEncoding.EncodeToString(tokenID[:])
|
||||||
|
if err := ioutil.WriteFile(
|
||||||
|
filepath.Join(tokenPrefix, tokenName+".tok.txt"),
|
||||||
|
[]byte(`{"comment":"TODO: metadata goes here"}`),
|
||||||
|
// keep it secret, keep it safe
|
||||||
|
os.FileMode(0600),
|
||||||
|
); nil != err {
|
||||||
|
return "", errors.New("database connection failed when writing verification token")
|
||||||
|
}
|
||||||
|
return token, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkOTP(token string) error {
|
||||||
|
// We hash the random value to prevent DB / FS / compare timing attacks
|
||||||
|
tokenID := sha1.Sum([]byte(token))
|
||||||
|
tokenName := base64.RawURLEncoding.EncodeToString(tokenID[:])
|
||||||
|
tokfile := filepath.Join(tokenPrefix, tokenName+".tok.txt")
|
||||||
|
if _, err := ioutil.ReadFile(tokfile); nil != err {
|
||||||
|
return errors.New("database connection failed when reading verification token")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO promote JWK to public... and related to an ID or email??
|
||||||
|
_ = os.Remove(tokfile)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func startVerification(baseURL, contact string) error {
|
||||||
|
email := strings.Replace(contact, "mailto:", "", -1)
|
||||||
|
if "" == email {
|
||||||
|
return errors.New("missing contact:[\"mailto:me@example.com\"]")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO check DNS for MX records
|
||||||
|
if !strings.Contains(email, "@") || strings.Contains(email, " \t\n") {
|
||||||
|
return errors.New("invalid email address")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO expect JWK in JWS/JWT
|
||||||
|
// TODO place validated JWK into file with token
|
||||||
|
|
||||||
|
token, err := newOTP()
|
||||||
|
if nil != err {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
subject := "Verify New Account"
|
||||||
|
// TODO go tpl
|
||||||
|
// TODO determine OS and Browser from user agent
|
||||||
|
text := fmt.Sprintf(
|
||||||
|
"It looks like you just tried to register a new Pocket ID account.\n\n Verify account: %s/verify/%s\n\nNot you? Just ignore this message.",
|
||||||
|
baseURL, token,
|
||||||
|
)
|
||||||
|
if _, err = SendSimpleMessage(email, defaultFrom, subject, text, defaultReplyTo); nil != err {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func getBaseURL(r *http.Request) string {
|
func getBaseURL(r *http.Request) string {
|
||||||
var scheme string
|
var scheme string
|
||||||
if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") {
|
if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") {
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
cmd/hashcash/hashcash
|
||||||
|
|
||||||
|
# ---> Go
|
||||||
|
# Binaries for programs and plugins
|
||||||
|
*.exe
|
||||||
|
*.exe~
|
||||||
|
*.dll
|
||||||
|
*.so
|
||||||
|
*.dylib
|
||||||
|
|
||||||
|
# Test binary, built with `go test -c`
|
||||||
|
*.test
|
||||||
|
|
||||||
|
# Output of the go coverage tool, specifically when used with LiteIDE
|
||||||
|
*.out
|
||||||
|
|
||||||
|
# Dependency directories (remove the comment below to include it)
|
||||||
|
# vendor/
|
||||||
|
|
|
@ -0,0 +1,312 @@
|
||||||
|
Mozilla Public License Version 2.0
|
||||||
|
|
||||||
|
1. Definitions
|
||||||
|
|
||||||
|
1.1. "Contributor" means each individual or legal entity that creates, contributes
|
||||||
|
to the creation of, or owns Covered Software.
|
||||||
|
|
||||||
|
1.2. "Contributor Version" means the combination of the Contributions of others
|
||||||
|
(if any) used by a Contributor and that particular Contributor's Contribution.
|
||||||
|
|
||||||
|
1.3. "Contribution" means Covered Software of a particular Contributor.
|
||||||
|
|
||||||
|
1.4. "Covered Software" means Source Code Form to which the initial Contributor
|
||||||
|
has attached the notice in Exhibit A, the Executable Form of such Source Code
|
||||||
|
Form, and Modifications of such Source Code Form, in each case including portions
|
||||||
|
thereof.
|
||||||
|
|
||||||
|
1.5. "Incompatible With Secondary Licenses" means
|
||||||
|
|
||||||
|
(a) that the initial Contributor has attached the notice described in Exhibit
|
||||||
|
B to the Covered Software; or
|
||||||
|
|
||||||
|
(b) that the Covered Software was made available under the terms of version
|
||||||
|
1.1 or earlier of the License, but not also under the terms of a Secondary
|
||||||
|
License.
|
||||||
|
|
||||||
|
1.6. "Executable Form" means any form of the work other than Source Code Form.
|
||||||
|
|
||||||
|
1.7. "Larger Work" means a work that combines Covered Software with other
|
||||||
|
material, in a separate file or files, that is not Covered Software.
|
||||||
|
|
||||||
|
1.8. "License" means this document.
|
||||||
|
|
||||||
|
1.9. "Licensable" means having the right to grant, to the maximum extent possible,
|
||||||
|
whether at the time of the initial grant or subsequently, any and all of the
|
||||||
|
rights conveyed by this License.
|
||||||
|
|
||||||
|
1.10. "Modifications" means any of the following:
|
||||||
|
|
||||||
|
(a) any file in Source Code Form that results from an addition to, deletion
|
||||||
|
from, or modification of the contents of Covered Software; or
|
||||||
|
|
||||||
|
(b) any new file in Source Code Form that contains any Covered Software.
|
||||||
|
|
||||||
|
1.11. "Patent Claims" of a Contributor means any patent claim(s), including
|
||||||
|
without limitation, method, process, and apparatus claims, in any patent Licensable
|
||||||
|
by such Contributor that would be infringed, but for the grant of the License,
|
||||||
|
by the making, using, selling, offering for sale, having made, import, or
|
||||||
|
transfer of either its Contributions or its Contributor Version.
|
||||||
|
|
||||||
|
1.12. "Secondary License" means either the GNU General Public License, Version
|
||||||
|
2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General
|
||||||
|
Public License, Version 3.0, or any later versions of those licenses.
|
||||||
|
|
||||||
|
1.13. "Source Code Form" means the form of the work preferred for making modifications.
|
||||||
|
|
||||||
|
1.14. "You" (or "Your") means an individual or a legal entity exercising rights
|
||||||
|
under this License. For legal entities, "You" includes any entity that controls,
|
||||||
|
is controlled by, or is under common control with You. For purposes of this
|
||||||
|
definition, "control" means (a) the power, direct or indirect, to cause the
|
||||||
|
direction or management of such entity, whether by contract or otherwise,
|
||||||
|
or (b) ownership of more than fifty percent (50%) of the outstanding shares
|
||||||
|
or beneficial ownership of such entity.
|
||||||
|
|
||||||
|
2. License Grants and Conditions
|
||||||
|
|
||||||
|
2.1. Grants
|
||||||
|
|
||||||
|
Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive
|
||||||
|
license:
|
||||||
|
|
||||||
|
(a) under intellectual property rights (other than patent or trademark) Licensable
|
||||||
|
by such Contributor to use, reproduce, make available, modify, display, perform,
|
||||||
|
distribute, and otherwise exploit its Contributions, either on an unmodified
|
||||||
|
basis, with Modifications, or as part of a Larger Work; and
|
||||||
|
|
||||||
|
(b) under Patent Claims of such Contributor to make, use, sell, offer for
|
||||||
|
sale, have made, import, and otherwise transfer either its Contributions or
|
||||||
|
its Contributor Version.
|
||||||
|
|
||||||
|
2.2. Effective Date
|
||||||
|
|
||||||
|
The licenses granted in Section 2.1 with respect to any Contribution become
|
||||||
|
effective for each Contribution on the date the Contributor first distributes
|
||||||
|
such Contribution.
|
||||||
|
|
||||||
|
2.3. Limitations on Grant Scope
|
||||||
|
|
||||||
|
The licenses granted in this Section 2 are the only rights granted under this
|
||||||
|
License. No additional rights or licenses will be implied from the distribution
|
||||||
|
or licensing of Covered Software under this License. Notwithstanding Section
|
||||||
|
2.1(b) above, no patent license is granted by a Contributor:
|
||||||
|
|
||||||
|
(a) for any code that a Contributor has removed from Covered Software; or
|
||||||
|
|
||||||
|
(b) for infringements caused by: (i) Your and any other third party's modifications
|
||||||
|
of Covered Software, or (ii) the combination of its Contributions with other
|
||||||
|
software (except as part of its Contributor Version); or
|
||||||
|
|
||||||
|
(c) under Patent Claims infringed by Covered Software in the absence of its
|
||||||
|
Contributions.
|
||||||
|
|
||||||
|
This License does not grant any rights in the trademarks, service marks, or
|
||||||
|
logos of any Contributor (except as may be necessary to comply with the notice
|
||||||
|
requirements in Section 3.4).
|
||||||
|
|
||||||
|
2.4. Subsequent Licenses
|
||||||
|
|
||||||
|
No Contributor makes additional grants as a result of Your choice to distribute
|
||||||
|
the Covered Software under a subsequent version of this License (see Section
|
||||||
|
10.2) or under the terms of a Secondary License (if permitted under the terms
|
||||||
|
of Section 3.3).
|
||||||
|
|
||||||
|
2.5. Representation
|
||||||
|
|
||||||
|
Each Contributor represents that the Contributor believes its Contributions
|
||||||
|
are its original creation(s) or it has sufficient rights to grant the rights
|
||||||
|
to its Contributions conveyed by this License.
|
||||||
|
|
||||||
|
2.6. Fair Use
|
||||||
|
|
||||||
|
This License is not intended to limit any rights You have under applicable
|
||||||
|
copyright doctrines of fair use, fair dealing, or other equivalents.
|
||||||
|
|
||||||
|
2.7. Conditions
|
||||||
|
|
||||||
|
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
|
||||||
|
Section 2.1.
|
||||||
|
|
||||||
|
3. Responsibilities
|
||||||
|
|
||||||
|
3.1. Distribution of Source Form
|
||||||
|
|
||||||
|
All distribution of Covered Software in Source Code Form, including any Modifications
|
||||||
|
that You create or to which You contribute, must be under the terms of this
|
||||||
|
License. You must inform recipients that the Source Code Form of the Covered
|
||||||
|
Software is governed by the terms of this License, and how they can obtain
|
||||||
|
a copy of this License. You may not attempt to alter or restrict the recipients'
|
||||||
|
rights in the Source Code Form.
|
||||||
|
|
||||||
|
3.2. Distribution of Executable Form
|
||||||
|
|
||||||
|
If You distribute Covered Software in Executable Form then:
|
||||||
|
|
||||||
|
(a) such Covered Software must also be made available in Source Code Form,
|
||||||
|
as described in Section 3.1, and You must inform recipients of the Executable
|
||||||
|
Form how they can obtain a copy of such Source Code Form by reasonable means
|
||||||
|
in a timely manner, at a charge no more than the cost of distribution to the
|
||||||
|
recipient; and
|
||||||
|
|
||||||
|
(b) You may distribute such Executable Form under the terms of this License,
|
||||||
|
or sublicense it under different terms, provided that the license for the
|
||||||
|
Executable Form does not attempt to limit or alter the recipients' rights
|
||||||
|
in the Source Code Form under this License.
|
||||||
|
|
||||||
|
3.3. Distribution of a Larger Work
|
||||||
|
|
||||||
|
You may create and distribute a Larger Work under terms of Your choice, provided
|
||||||
|
that You also comply with the requirements of this License for the Covered
|
||||||
|
Software. If the Larger Work is a combination of Covered Software with a work
|
||||||
|
governed by one or more Secondary Licenses, and the Covered Software is not
|
||||||
|
Incompatible With Secondary Licenses, this License permits You to additionally
|
||||||
|
distribute such Covered Software under the terms of such Secondary License(s),
|
||||||
|
so that the recipient of the Larger Work may, at their option, further distribute
|
||||||
|
the Covered Software under the terms of either this License or such Secondary
|
||||||
|
License(s).
|
||||||
|
|
||||||
|
3.4. Notices
|
||||||
|
|
||||||
|
You may not remove or alter the substance of any license notices (including
|
||||||
|
copyright notices, patent notices, disclaimers of warranty, or limitations
|
||||||
|
of liability) contained within the Source Code Form of the Covered Software,
|
||||||
|
except that You may alter any license notices to the extent required to remedy
|
||||||
|
known factual inaccuracies.
|
||||||
|
|
||||||
|
3.5. Application of Additional Terms
|
||||||
|
|
||||||
|
You may choose to offer, and to charge a fee for, warranty, support, indemnity
|
||||||
|
or liability obligations to one or more recipients of Covered Software. However,
|
||||||
|
You may do so only on Your own behalf, and not on behalf of any Contributor.
|
||||||
|
You must make it absolutely clear that any such warranty, support, indemnity,
|
||||||
|
or liability obligation is offered by You alone, and You hereby agree to indemnify
|
||||||
|
every Contributor for any liability incurred by such Contributor as a result
|
||||||
|
of warranty, support, indemnity or liability terms You offer. You may include
|
||||||
|
additional disclaimers of warranty and limitations of liability specific to
|
||||||
|
any jurisdiction.
|
||||||
|
|
||||||
|
4. Inability to Comply Due to Statute or Regulation
|
||||||
|
|
||||||
|
If it is impossible for You to comply with any of the terms of this License
|
||||||
|
with respect to some or all of the Covered Software due to statute, judicial
|
||||||
|
order, or regulation then You must: (a) comply with the terms of this License
|
||||||
|
to the maximum extent possible; and (b) describe the limitations and the code
|
||||||
|
they affect. Such description must be placed in a text file included with
|
||||||
|
all distributions of the Covered Software under this License. Except to the
|
||||||
|
extent prohibited by statute or regulation, such description must be sufficiently
|
||||||
|
detailed for a recipient of ordinary skill to be able to understand it.
|
||||||
|
|
||||||
|
5. Termination
|
||||||
|
|
||||||
|
5.1. The rights granted under this License will terminate automatically if
|
||||||
|
You fail to comply with any of its terms. However, if You become compliant,
|
||||||
|
then the rights granted under this License from a particular Contributor are
|
||||||
|
reinstated (a) provisionally, unless and until such Contributor explicitly
|
||||||
|
and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor
|
||||||
|
fails to notify You of the non-compliance by some reasonable means prior to
|
||||||
|
60 days after You have come back into compliance. Moreover, Your grants from
|
||||||
|
a particular Contributor are reinstated on an ongoing basis if such Contributor
|
||||||
|
notifies You of the non-compliance by some reasonable means, this is the first
|
||||||
|
time You have received notice of non-compliance with this License from such
|
||||||
|
Contributor, and You become compliant prior to 30 days after Your receipt
|
||||||
|
of the notice.
|
||||||
|
|
||||||
|
5.2. If You initiate litigation against any entity by asserting a patent infringement
|
||||||
|
claim (excluding declaratory judgment actions, counter-claims, and cross-claims)
|
||||||
|
alleging that a Contributor Version directly or indirectly infringes any patent,
|
||||||
|
then the rights granted to You by any and all Contributors for the Covered
|
||||||
|
Software under Section 2.1 of this License shall terminate.
|
||||||
|
|
||||||
|
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end
|
||||||
|
user license agreements (excluding distributors and resellers) which have
|
||||||
|
been validly granted by You or Your distributors under this License prior
|
||||||
|
to termination shall survive termination.
|
||||||
|
|
||||||
|
6. Disclaimer of Warranty
|
||||||
|
|
||||||
|
Covered Software is provided under this License on an "as is" basis, without
|
||||||
|
warranty of any kind, either expressed, implied, or statutory, including,
|
||||||
|
without limitation, warranties that the Covered Software is free of defects,
|
||||||
|
merchantable, fit for a particular purpose or non-infringing. The entire risk
|
||||||
|
as to the quality and performance of the Covered Software is with You. Should
|
||||||
|
any Covered Software prove defective in any respect, You (not any Contributor)
|
||||||
|
assume the cost of any necessary servicing, repair, or correction. This disclaimer
|
||||||
|
of warranty constitutes an essential part of this License. No use of any Covered
|
||||||
|
Software is authorized under this License except under this disclaimer.
|
||||||
|
|
||||||
|
7. Limitation of Liability
|
||||||
|
|
||||||
|
Under no circumstances and under no legal theory, whether tort (including
|
||||||
|
negligence), contract, or otherwise, shall any Contributor, or anyone who
|
||||||
|
distributes Covered Software as permitted above, be liable to You for any
|
||||||
|
direct, indirect, special, incidental, or consequential damages of any character
|
||||||
|
including, without limitation, damages for lost profits, loss of goodwill,
|
||||||
|
work stoppage, computer failure or malfunction, or any and all other commercial
|
||||||
|
damages or losses, even if such party shall have been informed of the possibility
|
||||||
|
of such damages. This limitation of liability shall not apply to liability
|
||||||
|
for death or personal injury resulting from such party's negligence to the
|
||||||
|
extent applicable law prohibits such limitation. Some jurisdictions do not
|
||||||
|
allow the exclusion or limitation of incidental or consequential damages,
|
||||||
|
so this exclusion and limitation may not apply to You.
|
||||||
|
|
||||||
|
8. Litigation
|
||||||
|
|
||||||
|
Any litigation relating to this License may be brought only in the courts
|
||||||
|
of a jurisdiction where the defendant maintains its principal place of business
|
||||||
|
and such litigation shall be governed by laws of that jurisdiction, without
|
||||||
|
reference to its conflict-of-law provisions. Nothing in this Section shall
|
||||||
|
prevent a party's ability to bring cross-claims or counter-claims.
|
||||||
|
|
||||||
|
9. Miscellaneous
|
||||||
|
|
||||||
|
This License represents the complete agreement concerning the subject matter
|
||||||
|
hereof. If any provision of this License is held to be unenforceable, such
|
||||||
|
provision shall be reformed only to the extent necessary to make it enforceable.
|
||||||
|
Any law or regulation which provides that the language of a contract shall
|
||||||
|
be construed against the drafter shall not be used to construe this License
|
||||||
|
against a Contributor.
|
||||||
|
|
||||||
|
10. Versions of the License
|
||||||
|
|
||||||
|
10.1. New Versions
|
||||||
|
|
||||||
|
Mozilla Foundation is the license steward. Except as provided in Section 10.3,
|
||||||
|
no one other than the license steward has the right to modify or publish new
|
||||||
|
versions of this License. Each version will be given a distinguishing version
|
||||||
|
number.
|
||||||
|
|
||||||
|
10.2. Effect of New Versions
|
||||||
|
|
||||||
|
You may distribute the Covered Software under the terms of the version of
|
||||||
|
the License under which You originally received the Covered Software, or under
|
||||||
|
the terms of any subsequent version published by the license steward.
|
||||||
|
|
||||||
|
10.3. Modified Versions
|
||||||
|
|
||||||
|
If you create software not governed by this License, and you want to create
|
||||||
|
a new license for such software, you may create and use a modified version
|
||||||
|
of this License if you rename the license and remove any references to the
|
||||||
|
name of the license steward (except to note that such modified license differs
|
||||||
|
from this License).
|
||||||
|
|
||||||
|
10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
|
||||||
|
|
||||||
|
If You choose to distribute Source Code Form that is Incompatible With Secondary
|
||||||
|
Licenses under the terms of this version of the License, the notice described
|
||||||
|
in Exhibit B of this License must be attached. Exhibit A - Source Code Form
|
||||||
|
License Notice
|
||||||
|
|
||||||
|
This Source Code Form is subject to the terms of the Mozilla Public License,
|
||||||
|
v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain
|
||||||
|
one at http://mozilla.org/MPL/2.0/.
|
||||||
|
|
||||||
|
If it is not possible or desirable to put the notice in a particular file,
|
||||||
|
then You may include the notice in a location (such as a LICENSE file in a
|
||||||
|
relevant directory) where a recipient would be likely to look for such a notice.
|
||||||
|
|
||||||
|
You may add additional accurate notices of copyright ownership.
|
||||||
|
|
||||||
|
Exhibit B - "Incompatible With Secondary Licenses" Notice
|
||||||
|
|
||||||
|
This Source Code Form is "Incompatible With Secondary Licenses", as defined
|
||||||
|
by the Mozilla Public License, v. 2.0.
|
|
@ -0,0 +1,41 @@
|
||||||
|
# hashcash
|
||||||
|
|
||||||
|
HTTP Hashcash implemented in Go.
|
||||||
|
|
||||||
|
Explanation at https://therootcompany.com/blog/http-hashcash/
|
||||||
|
|
||||||
|
Go docs at https://godoc.org/git.rootprojects.org/root/hashcash
|
||||||
|
|
||||||
|
# CLI Usage
|
||||||
|
|
||||||
|
Install:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
go get git.rootprojects.org/root/hashcash/cmd/hashcash
|
||||||
|
```
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
```txt
|
||||||
|
Usage:
|
||||||
|
hashcash new [subject *] [expires in 5m] [difficulty 10]
|
||||||
|
hashcash parse <hashcash>
|
||||||
|
hashcash solve <hashcash>
|
||||||
|
hashcash verify <hashcash> [subject *]
|
||||||
|
```
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
my_hc=$(hashcash new)
|
||||||
|
echo New: $my_hc
|
||||||
|
hashcash parse "$my_hc"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
my_hc=$(hashcash solve "$my_hc")
|
||||||
|
echo Solved: $my_hc
|
||||||
|
hashcash parse "$my_hc"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
hashcash verify "$my_hc"
|
||||||
|
```
|
|
@ -0,0 +1,3 @@
|
||||||
|
module git.rootprojects.org/root/hashcash
|
||||||
|
|
||||||
|
go 1.15
|
|
@ -0,0 +1,284 @@
|
||||||
|
package hashcash
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/sha256"
|
||||||
|
"encoding/base64"
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ErrParse is returned when fewer than 6 or more than 7 segments are split
|
||||||
|
var ErrParse = errors.New("could not split the hashcash parts")
|
||||||
|
|
||||||
|
// ErrInvalidTag is returned when the Hashcash version is unsupported
|
||||||
|
var ErrInvalidTag = errors.New("expected tag to be 'H'")
|
||||||
|
|
||||||
|
// ErrInvalidDifficulty is returned when the difficulty is outside of the acceptable range
|
||||||
|
var ErrInvalidDifficulty = errors.New("the number of bits of difficulty is too low or too high")
|
||||||
|
|
||||||
|
// ErrInvalidDate is returned when the date cannot be parsed as a positive int64
|
||||||
|
var ErrInvalidDate = errors.New("invalid date")
|
||||||
|
|
||||||
|
// ErrExpired is returned when the current time is past that of ExpiresAt
|
||||||
|
var ErrExpired = errors.New("expired hashcash")
|
||||||
|
|
||||||
|
// ErrInvalidSubject is returned when the subject is invalid or does not match that passed to Verify()
|
||||||
|
var ErrInvalidSubject = errors.New("the subject is invalid or rejected")
|
||||||
|
|
||||||
|
// ErrInvalidNonce is returned when the nonce
|
||||||
|
//var ErrInvalidNonce = errors.New("the nonce has been used or is invalid")
|
||||||
|
|
||||||
|
// ErrUnsupportedAlgorithm is returned when the given algorithm is not supported
|
||||||
|
var ErrUnsupportedAlgorithm = errors.New("the given algorithm is invalid or not supported")
|
||||||
|
|
||||||
|
// ErrInvalidSolution is returned when the given hashcash is not properly solved
|
||||||
|
var ErrInvalidSolution = errors.New("the given solution is not valid")
|
||||||
|
|
||||||
|
// MaxDifficulty is the upper bound for all Solve() operations
|
||||||
|
var MaxDifficulty = 26
|
||||||
|
|
||||||
|
// Sep is the separator character to use
|
||||||
|
var Sep = ":"
|
||||||
|
|
||||||
|
// no milliseconds
|
||||||
|
//var isoTS = "2006-01-02T15:04:05Z"
|
||||||
|
|
||||||
|
// Hashcash represents a parsed Hashcash string
|
||||||
|
type Hashcash struct {
|
||||||
|
Tag string `json:"tag"` // Always "H" for "HTTP"
|
||||||
|
Difficulty int `json:"difficulty"` // Number of "partial pre-image" (zero) bits in the hashed code
|
||||||
|
ExpiresAt time.Time `json:"exp"` // The timestamp that the hashcash expires, as seconds since the Unix epoch
|
||||||
|
Subject string `json:"sub"` // Resource data string being transmitted, e.g., a domain or URL
|
||||||
|
Nonce string `json:"nonce"` // Unique string of random characters, encoded as url-safe base-64
|
||||||
|
Alg string `json:"alg"` // always SHA-256 for now
|
||||||
|
Solution string `json:"solution"` // Binary counter, encoded as url-safe base-64
|
||||||
|
}
|
||||||
|
|
||||||
|
// New returns a Hashcash with reasonable defaults
|
||||||
|
func New(h Hashcash) *Hashcash {
|
||||||
|
h.Tag = "H"
|
||||||
|
|
||||||
|
if 0 == h.Difficulty {
|
||||||
|
// safe for WebCrypto
|
||||||
|
h.Difficulty = 10
|
||||||
|
}
|
||||||
|
|
||||||
|
if h.ExpiresAt.IsZero() {
|
||||||
|
h.ExpiresAt = time.Now().Add(5 * time.Minute)
|
||||||
|
}
|
||||||
|
h.ExpiresAt = h.ExpiresAt.UTC().Truncate(time.Second)
|
||||||
|
|
||||||
|
if "" == h.Subject {
|
||||||
|
h.Subject = "*"
|
||||||
|
}
|
||||||
|
|
||||||
|
if "" == h.Nonce {
|
||||||
|
nonce := make([]byte, 16)
|
||||||
|
if _, err := rand.Read(nonce); nil != err {
|
||||||
|
panic(err)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
h.Nonce = base64.RawURLEncoding.EncodeToString(nonce)
|
||||||
|
}
|
||||||
|
|
||||||
|
if "" == h.Alg {
|
||||||
|
h.Alg = "SHA-256"
|
||||||
|
}
|
||||||
|
/*
|
||||||
|
if "SHA-256" != h.Alg {
|
||||||
|
// TODO error
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
|
||||||
|
return &h
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse will (obviously) parse the hashcash string, without verifying any
|
||||||
|
// of the parameters.
|
||||||
|
func Parse(hc string) (*Hashcash, error) {
|
||||||
|
parts := strings.Split(hc, Sep)
|
||||||
|
n := len(parts)
|
||||||
|
if n < 6 || n > 7 {
|
||||||
|
return nil, ErrParse
|
||||||
|
}
|
||||||
|
|
||||||
|
tag := parts[0]
|
||||||
|
if "H" != tag {
|
||||||
|
return nil, ErrInvalidTag
|
||||||
|
}
|
||||||
|
|
||||||
|
bits, err := strconv.Atoi(parts[1])
|
||||||
|
if nil != err || bits < 0 {
|
||||||
|
return nil, ErrInvalidDifficulty
|
||||||
|
}
|
||||||
|
|
||||||
|
// Allow empty ExpiresAt
|
||||||
|
var exp time.Time
|
||||||
|
if "" != parts[2] {
|
||||||
|
expAt, err := strconv.ParseInt(parts[2], 10, 64)
|
||||||
|
if nil != err || expAt < 0 {
|
||||||
|
return nil, ErrInvalidDate
|
||||||
|
}
|
||||||
|
exp = time.Unix(int64(expAt), 0).UTC()
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
exp, err := time.ParseInLocation(isoTS, parts[2], time.UTC)
|
||||||
|
if nil != err {
|
||||||
|
return nil, ErrInvalidDate
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
|
||||||
|
sub := parts[3]
|
||||||
|
|
||||||
|
nonce := parts[4]
|
||||||
|
|
||||||
|
alg := parts[5]
|
||||||
|
|
||||||
|
var solution string
|
||||||
|
if n > 6 {
|
||||||
|
solution = parts[6]
|
||||||
|
}
|
||||||
|
|
||||||
|
h := &Hashcash{
|
||||||
|
Tag: tag,
|
||||||
|
Difficulty: bits,
|
||||||
|
ExpiresAt: exp.UTC().Truncate(time.Second),
|
||||||
|
Subject: sub,
|
||||||
|
Nonce: nonce,
|
||||||
|
Alg: alg,
|
||||||
|
Solution: solution,
|
||||||
|
}
|
||||||
|
|
||||||
|
return h, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// String will return the formatted Hashcash, omitting the solution if it has not be solved.
|
||||||
|
func (h *Hashcash) String() string {
|
||||||
|
var solution string
|
||||||
|
if "" != h.Solution {
|
||||||
|
solution = Sep + h.Solution
|
||||||
|
}
|
||||||
|
|
||||||
|
var expAt string
|
||||||
|
if !h.ExpiresAt.IsZero() {
|
||||||
|
expAt = strconv.FormatInt(h.ExpiresAt.UTC().Truncate(time.Second).Unix(), 10)
|
||||||
|
}
|
||||||
|
return strings.Join(
|
||||||
|
[]string{
|
||||||
|
"H",
|
||||||
|
strconv.Itoa(h.Difficulty),
|
||||||
|
//h.ExpiresAt.UTC().Format(isoTS),
|
||||||
|
expAt,
|
||||||
|
h.Subject,
|
||||||
|
h.Nonce,
|
||||||
|
h.Alg,
|
||||||
|
},
|
||||||
|
Sep,
|
||||||
|
) + solution
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify the Hashcash based on Difficulty, Algorithm, ExpiresAt, Subject and,
|
||||||
|
// of course, the Solution and hash.
|
||||||
|
func (h *Hashcash) Verify(subject string) error {
|
||||||
|
if h.Difficulty < 0 {
|
||||||
|
return ErrInvalidDifficulty
|
||||||
|
}
|
||||||
|
|
||||||
|
if "SHA-256" != h.Alg {
|
||||||
|
return ErrUnsupportedAlgorithm
|
||||||
|
}
|
||||||
|
|
||||||
|
if !h.ExpiresAt.IsZero() && h.ExpiresAt.Sub(time.Now()) < 0 {
|
||||||
|
return ErrExpired
|
||||||
|
}
|
||||||
|
|
||||||
|
if subject != h.Subject {
|
||||||
|
return ErrInvalidSubject
|
||||||
|
}
|
||||||
|
|
||||||
|
bits := h.Difficulty
|
||||||
|
hash := sha256.Sum256([]byte(h.String()))
|
||||||
|
n := bits / 8 // 10 / 8 = 1
|
||||||
|
m := bits % 8 // 10 % 8 = 2
|
||||||
|
if m > 0 {
|
||||||
|
n++ // 10 bits = 2 bytes
|
||||||
|
}
|
||||||
|
|
||||||
|
if !verifyBits(hash[:n], bits, n) {
|
||||||
|
return ErrInvalidSolution
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func verifyBits(hash []byte, bits, n int) bool {
|
||||||
|
for i := 0; i < n; i++ {
|
||||||
|
if bits > 8 {
|
||||||
|
bits -= 8
|
||||||
|
if 0 != hash[i] {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// (bits % 8) == bits
|
||||||
|
pad := 8 - bits
|
||||||
|
if 0 != hash[i]>>pad {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// 0 == bits
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// Solve will search for a solution, returning an error if the difficulty is
|
||||||
|
// above the local or global MaxDifficulty, the Algorithm is unsupported.
|
||||||
|
func (h *Hashcash) Solve(maxDifficulty int) error {
|
||||||
|
if "SHA-256" != h.Alg {
|
||||||
|
return ErrUnsupportedAlgorithm
|
||||||
|
}
|
||||||
|
|
||||||
|
if h.Difficulty < 0 {
|
||||||
|
return ErrInvalidDifficulty
|
||||||
|
}
|
||||||
|
|
||||||
|
if h.Difficulty > maxDifficulty || h.Difficulty > MaxDifficulty {
|
||||||
|
return ErrInvalidDifficulty
|
||||||
|
}
|
||||||
|
|
||||||
|
if "" != h.Solution {
|
||||||
|
if nil == h.Verify(h.Subject) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
h.Solution = ""
|
||||||
|
}
|
||||||
|
|
||||||
|
hashcash := h.String()
|
||||||
|
bits := h.Difficulty
|
||||||
|
n := bits / 8 // 10 / 8 = 1
|
||||||
|
m := bits % 8 // 10 % 8 = 2
|
||||||
|
if m > 0 {
|
||||||
|
n++ // 10 bits = 2 bytes
|
||||||
|
}
|
||||||
|
|
||||||
|
var solution uint32 = 0
|
||||||
|
sb := make([]byte, 4)
|
||||||
|
for {
|
||||||
|
// Note: it's not actually important what method of change or encoding is used
|
||||||
|
// but incrementing by 1 on an int32 is good enough, and makes for a small base64 encoding
|
||||||
|
binary.LittleEndian.PutUint32(sb, solution)
|
||||||
|
h.Solution = base64.RawURLEncoding.EncodeToString(sb)
|
||||||
|
hash := sha256.Sum256([]byte(hashcash + Sep + h.Solution))
|
||||||
|
if verifyBits(hash[:n], bits, n) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
solution++
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,3 +1,5 @@
|
||||||
|
# git.rootprojects.org/root/hashcash v1.0.1
|
||||||
|
git.rootprojects.org/root/hashcash
|
||||||
# git.rootprojects.org/root/keypairs v0.5.2
|
# git.rootprojects.org/root/keypairs v0.5.2
|
||||||
git.rootprojects.org/root/keypairs
|
git.rootprojects.org/root/keypairs
|
||||||
git.rootprojects.org/root/keypairs/keyfetch
|
git.rootprojects.org/root/keypairs/keyfetch
|
||||||
|
|
|
@ -0,0 +1,46 @@
|
||||||
|
package xkeypairs
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/base64"
|
||||||
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
func (jws *JWS) DecodeComponents() error {
|
||||||
|
protected, err := base64.RawURLEncoding.DecodeString(jws.Protected)
|
||||||
|
if nil != err {
|
||||||
|
return errors.New("invalid JWS header base64Url encoding")
|
||||||
|
}
|
||||||
|
if err := json.Unmarshal([]byte(protected), &jws.Header); nil != err {
|
||||||
|
return errors.New("invalid JWS header")
|
||||||
|
}
|
||||||
|
|
||||||
|
payload, err := base64.RawURLEncoding.DecodeString(jws.Payload)
|
||||||
|
if nil != err {
|
||||||
|
return errors.New("invalid JWS payload base64Url encoding")
|
||||||
|
}
|
||||||
|
if err := json.Unmarshal([]byte(payload), &jws.Claims); nil != err {
|
||||||
|
return errors.New("invalid JWS claims")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
func Decode(msg string) (*JWS, error) {
|
||||||
|
jws := &JWS{}
|
||||||
|
|
||||||
|
decoder := json.NewDecoder(r.Body)
|
||||||
|
err := decoder.Decode(jws)
|
||||||
|
return jws, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func Unmarshal(msg string) (*JWS, error) {
|
||||||
|
jws := &JWS{}
|
||||||
|
|
||||||
|
if err := json.Unmarshal([]byte(msg), jws); nil != err {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return jws, nil
|
||||||
|
}
|
||||||
|
*/
|
Loading…
Reference in New Issue