From 7a0ed55c64ad85db9a42205b115114d374f41d45 Mon Sep 17 00:00:00 2001
From: Nuh
Date: Sat, 16 Nov 2024 11:26:12 +0300
Subject: [PATCH 1/4] docs: Fix formatting in auth.md
---
 docs/src/spec/auth.md | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/docs/src/spec/auth.md b/docs/src/spec/auth.md
index 92a3041..48b5582 100644
--- a/docs/src/spec/auth.md
+++ b/docs/src/spec/auth.md
@@ -62,17 +62,18 @@ pubkyauth:///
 &secret=mAa8kGmlrynGzQLteDVW6-WeUGnfvHTpEmbNerbWfPI
 ```
 and finally show that URL as a QR code to the user.
+
 4. The `Authenticator` app scans that QR code, parse the URL, and show a consent form for the user..
 5. The user decides whether or not to grant these capabilities to the `3rd Party App`.
-6. If the user approves, the `Authenticator` then uses their Keypair, to sign an [AuthToken](#authtoken), then encrypt that token with the `client_secret`, then calculate the `channel_id` by hashing that secret, and send that encrypted token to the callback url, which is the `relay` + `channel_id`.
-7. `HTTP Relay` forwards the encrypted AuthToken to the `3rd Party App` frontend.
-8. And confirms the delivery with the `Authenticator`
-9. `3rd Party App` decrypts the AuthToken using its `client_secret`, read the `pubky` in it, and send it to their `homeserver` to obtain a session.
-10. `Homeserver` verifies the session and stores the corresponding `capabilities`.
-11. `Homeserver` returns a session Id to the frontend to use in subsequent requests.
-12. `3rd Party App` uses the session Id to access some resource at the Homeserver.
-13. `Homeserver` checks the session capabilities to see if it is allowed to access that resource.
-14. `Homeserver` responds to the `3rd Party App` with the resource.
+7. If the user approves, the `Authenticator` then uses their Keypair, to sign an [AuthToken](#authtoken), then encrypt that token with the `client_secret`, then calculate the `channel_id` by hashing that secret, and send that encrypted token to the callback url, which is the `relay` + `channel_id`.
+8. `HTTP Relay` forwards the encrypted AuthToken to the `3rd Party App` frontend.
+9. And confirms the delivery with the `Authenticator`
+10. `3rd Party App` decrypts the AuthToken using its `client_secret`, read the `pubky` in it, and send it to their `homeserver` to obtain a session.
+11. `Homeserver` verifies the session and stores the corresponding `capabilities`.
+12. `Homeserver` returns a session Id to the frontend to use in subsequent requests.
+13. `3rd Party App` uses the session Id to access some resource at the Homeserver.
+14. `Homeserver` checks the session capabilities to see if it is allowed to access that resource.
+15. `Homeserver` responds to the `3rd Party App` with the resource.
 ## AuthToken encoding
 ```abnf
From 1a8dc0ab919d7dbe68825bf97cecc5f0c0ab65bb Mon Sep 17 00:00:00 2001
From: James <74595920+catch-21@users.noreply.github.com>
Date: Mon, 18 Nov 2024 11:48:19 +0000
Subject: [PATCH 2/4] Update Dockerfile
Fix binary name in Dockerfile
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 62da9c6..9954b94 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,10 +30,10 @@ COPY Cargo.toml Cargo.lock ./
 COPY . .
 # Build the project in release mode for the MUSL target
-RUN cargo build --release --bin pubky_homeserver --target x86_64-unknown-linux-musl
+RUN cargo build --release --bin pubky-homeserver --target x86_64-unknown-linux-musl
 # Strip the binary to reduce size
-RUN strip target/x86_64-unknown-linux-musl/release/pubky_homeserver
+RUN strip target/x86_64-unknown-linux-musl/release/pubky-homeserver
 # ========================
 # Runtime Stage
@@ -44,7 +44,7 @@ FROM alpine:3.20
 RUN apk add --no-cache ca-certificates
 # Copy the compiled binary from the builder stage
-COPY --from=builder /usr/src/app/target/x86_64-unknown-linux-musl/release/pubky_homeserver /usr/local/bin/homeserver
+COPY --from=builder /usr/src/app/target/x86_64-unknown-linux-musl/release/pubky-homeserver /usr/local/bin/homeserver
 # Set the working directory
 WORKDIR /usr/local/bin
From bfc18502ce35af33338083332e08a1af22481aa5 Mon Sep 17 00:00:00 2001
From: coreyphillips
Date: Wed, 11 Dec 2024 15:50:28 -0500
Subject: [PATCH 3/4] fix: return an error for non-2xx responses using error_for_status()
Previously, the request function returned Ok(()) even if the HTTP response status was an error (4xx/5xx). By adding `response.error_for_status()?`, we correctly propagate HTTP errors rather than masking them, ensuring that timeouts and other non-2xx status codes produce an error as expected.
---
 pubky/src/shared/auth.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pubky/src/shared/auth.rs b/pubky/src/shared/auth.rs
index 0dff599..8754b5a 100644
--- a/pubky/src/shared/auth.rs
+++ b/pubky/src/shared/auth.rs
@@ -143,11 +143,13 @@ impl PubkyClient {
 path_segments.push(&channel_id);
 drop(path_segments);
-self.request(Method::POST, callback)
+let response = self.request(Method::POST, callback)
 .body(encrypted_token)
 .send()
 .await?;
+response.error_for_status()?;
+
 Ok(())
 }
From 980bee20410c59a6842ba2010691cad212b07fff Mon Sep 17 00:00:00 2001
From: coreyphillips
Date: Wed, 11 Dec 2024 16:09:34 -0500
Subject: [PATCH 4/4] style: fix indentation in inner_send_auth_token
---
 pubky/src/shared/auth.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pubky/src/shared/auth.rs b/pubky/src/shared/auth.rs
index 8754b5a..5c37f48 100644
--- a/pubky/src/shared/auth.rs
+++ b/pubky/src/shared/auth.rs
@@ -143,7 +143,8 @@ impl PubkyClient {
 path_segments.push(&channel_id);
 drop(path_segments);
-let response = self.request(Method::POST, callback)
+let response = self
+.request(Method::POST, callback)
 .body(encrypted_token)
 .send()
 .await?;
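Review bot: `response.error_for_status()?` in the PATCH 3/4 hunk consumes the response, so whatever body the relay sent with its 4xx/5xx is dropped before the caller ever sees the error, which makes a rejected callback delivery hard to diagnose. If `self.request` is a reqwest builder, `error_for_status_ref()` keeps the response alive so the body can be read and attached to the error; otherwise the current form is acceptable but deserves a why-comment, since the surrounding chain's `.send().await?` only fails on transport errors: `// send() succeeds on any HTTP status; surface the relay's 4xx/5xx as an error`. The enclosing function starts outside the hunk, so the conversion of the status error into the function's error type via `?` cannot be confirmed here, though the existing `.await?` on the same chain suggests the `From` impl is already in place. The PATCH 4/4 hunk is whitespace only.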