wip: ready new-account for email and google verification
This commit is contained in:
		
							parent
							
								
									9608a7429b
								
							
						
					
					
						commit
						23822cdf09
					
				
							
								
								
									
										1
									
								
								go.mod
									
									
									
									
									
								
							
							
						
						
									
										1
									
								
								go.mod
									
									
									
									
									
								
							| @ -3,6 +3,7 @@ module git.coolaj86.com/coolaj86/go-mockid | ||||
| go 1.13 | ||||
| 
 | ||||
| require ( | ||||
| 	git.rootprojects.org/root/hashcash v1.0.1 | ||||
| 	git.rootprojects.org/root/keypairs v0.5.2 | ||||
| 	github.com/google/uuid v1.1.1 | ||||
| 	github.com/joho/godotenv v1.3.0 | ||||
|  | ||||
							
								
								
									
										2
									
								
								go.sum
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								go.sum
									
									
									
									
									
								
							| @ -1,3 +1,5 @@ | ||||
| git.rootprojects.org/root/hashcash v1.0.1 h1:PkzwZu4CR5q/hwAntJdvcmNhmP0ONhetMo7rYhIZhZ0= | ||||
| git.rootprojects.org/root/hashcash v1.0.1/go.mod h1:HdoULUe94o1NVMES5K6aP3p8QGQiIia73F1HNZ1+FkQ= | ||||
| git.rootprojects.org/root/keypairs v0.5.2 h1:jr+drUUm/REaCDJTl5gT3kF2PwlXygcLsBZlqoKTZZw= | ||||
| git.rootprojects.org/root/keypairs v0.5.2/go.mod h1:WGI8PadOp+4LjUuI+wNlSwcJwFtY8L9XuNjuO3213HA= | ||||
| github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= | ||||
|  | ||||
| @ -19,7 +19,7 @@ func Verify(w http.ResponseWriter, r *http.Request) { | ||||
| 		return | ||||
| 	} | ||||
| 
 | ||||
| 	var jws *xkeypairs.JWS | ||||
| 	jws := &xkeypairs.JWS{} | ||||
| 
 | ||||
| 	authzParts := strings.Split(r.Header.Get("Authorization"), " ") | ||||
| 	lenAuthz := len(authzParts) | ||||
| @ -27,11 +27,9 @@ func Verify(w http.ResponseWriter, r *http.Request) { | ||||
| 		jwt := authzParts[1] | ||||
| 		jwsParts := strings.Split(jwt, ".") | ||||
| 		if 3 == len(jwsParts) { | ||||
| 			jws = &xkeypairs.JWS{ | ||||
| 				Protected: jwsParts[0], | ||||
| 				Payload:   jwsParts[1], | ||||
| 				Signature: jwsParts[2], | ||||
| 			} | ||||
| 			jws.Protected = jwsParts[0] | ||||
| 			jws.Payload = jwsParts[1] | ||||
| 			jws.Signature = jwsParts[2] | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| @ -41,7 +39,7 @@ func Verify(w http.ResponseWriter, r *http.Request) { | ||||
| 			return | ||||
| 		} | ||||
| 		decoder := json.NewDecoder(r.Body) | ||||
| 		err := decoder.Decode(&jws) | ||||
| 		err := decoder.Decode(jws) | ||||
| 		if nil != err && io.EOF != err { | ||||
| 			log.Printf("json decode error: %s", err) | ||||
| 			http.Error(w, "Bad Request: invalid JWS body", http.StatusBadRequest) | ||||
|  | ||||
							
								
								
									
										101
									
								
								mockid/hashcash.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										101
									
								
								mockid/hashcash.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,101 @@ | ||||
| package mockid | ||||
| 
 | ||||
| import ( | ||||
| 	"errors" | ||||
| 	"net/http" | ||||
| 	"sync" | ||||
| 	"time" | ||||
| 
 | ||||
| 	"git.rootprojects.org/root/hashcash" | ||||
| ) | ||||
| 
 | ||||
| var hashcashes = &hashcashDB{ | ||||
| 	db: sync.Map{}, | ||||
| } | ||||
| 
 | ||||
| func NewHashcash(sub string, exp time.Time) *hashcash.Hashcash { | ||||
| 
 | ||||
| 	h := hashcash.New(hashcash.Hashcash{ | ||||
| 		Subject:   sub, | ||||
| 		ExpiresAt: exp, | ||||
| 	}) | ||||
| 
 | ||||
| 	// ignoring the error because this implementation is backed by an in-memory map | ||||
| 	_ = hashcashes.Store(h.Nonce, h) | ||||
| 
 | ||||
| 	return h | ||||
| } | ||||
| 
 | ||||
| var ErrNotFound = errors.New("not found") | ||||
| 
 | ||||
| func UseHashcash(hc string) error { | ||||
| 	phony, err := hashcash.Parse(hc) | ||||
| 	if nil != err { | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	hi, ok, _ := hashcashes.Load(phony.Nonce) | ||||
| 	if !ok { | ||||
| 		return ErrNotFound | ||||
| 	} | ||||
| 	mccoy := hi.(*hashcash.Hashcash) | ||||
| 	mccopy := *mccoy | ||||
| 
 | ||||
| 	mccopy.Solution = phony.Solution | ||||
| 	if err := mccopy.Verify("*"); nil != err { | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	_ = hashcashes.Delete(mccoy.Nonce) | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func issueHashcash(w http.ResponseWriter, r *http.Request) *hashcash.Hashcash { | ||||
| 	h := NewHashcash(r.Host, time.Now().Add(5*time.Minute)) | ||||
| 	w.Header().Set("Hashcash-Challenge", h.String()) | ||||
| 	return h | ||||
| } | ||||
| 
 | ||||
| func requireHashcash(next http.HandlerFunc) http.HandlerFunc { | ||||
| 	return func(w http.ResponseWriter, r *http.Request) { | ||||
| 		hc := r.Header.Get("Hashcash") | ||||
| 		_ = issueHashcash(w, r) | ||||
| 		if err := UseHashcash(hc); nil != err { | ||||
| 			http.Error(w, "Bad Request", http.StatusBadRequest) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		next(w, r) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| type hashcashDB struct { | ||||
| 	db sync.Map | ||||
| } | ||||
| 
 | ||||
| func (h *hashcashDB) Load(key interface{}) (value interface{}, ok bool, err error) { | ||||
| 	v, ok := h.db.Load(key) | ||||
| 	return v, ok, nil | ||||
| } | ||||
| 
 | ||||
| func (h *hashcashDB) Store(key interface{}, value interface{}) (err error) { | ||||
| 	h.db.Store(key, value) | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func (h *hashcashDB) Delete(key interface{}) (err error) { | ||||
| 	h.db.Delete(key) | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func (h *hashcashDB) vacuum() (err error) { | ||||
| 	now := time.Now().UTC() | ||||
| 	h.db.Range(func(key interface{}, val interface{}) bool { | ||||
| 		v := val.(*hashcash.Hashcash) | ||||
| 		if v.ExpiresAt.Sub(now) < 0 { | ||||
| 			h.db.Delete(key) | ||||
| 		} | ||||
| 		return true | ||||
| 	}) | ||||
| 	return nil | ||||
| } | ||||
| @ -11,11 +11,9 @@ import ( | ||||
| 	"fmt" | ||||
| 	"io" | ||||
| 	"math/big" | ||||
| 	"net/http" | ||||
| 	"net/url" | ||||
| 	"os" | ||||
| 	"strconv" | ||||
| 	"sync" | ||||
| 	"time" | ||||
| 
 | ||||
| 	"git.coolaj86.com/coolaj86/go-mockid/xkeypairs" | ||||
| @ -34,6 +32,13 @@ type PublicJWK struct { | ||||
| 	Y     string `json:"y"` | ||||
| } | ||||
| 
 | ||||
| type KVDB interface { | ||||
| 	Load(key interface{}) (value interface{}, ok bool, err error) | ||||
| 	Store(key interface{}) (value interface{}, err error) | ||||
| 	Delete(key interface{}) (err error) | ||||
| 	vacuum() (err error) | ||||
| } | ||||
| 
 | ||||
| type InspectableToken struct { | ||||
| 	Public    keypairs.PublicKey     `json:"jwk"` | ||||
| 	Protected map[string]interface{} `json:"protected"` | ||||
| @ -57,9 +62,6 @@ func (t *InspectableToken) MarshalJSON() ([]byte, error) { | ||||
| var defaultFrom string | ||||
| var defaultReplyTo string | ||||
| 
 | ||||
| //var nonces map[string]int64 | ||||
| //var nonCh chan string | ||||
| var nonces sync.Map | ||||
| var salt []byte | ||||
| 
 | ||||
| func Init() { | ||||
| @ -82,6 +84,13 @@ func Init() { | ||||
| 		    } | ||||
| 		  }() | ||||
| 	*/ | ||||
| 
 | ||||
| 	go func() { | ||||
| 		for { | ||||
| 			time.Sleep(15 * time.Second) | ||||
| 			hashcashes.vacuum() | ||||
| 		} | ||||
| 	}() | ||||
| } | ||||
| 
 | ||||
| func GenToken(host string, privkey keypairs.PrivateKey, query url.Values) (string, string, string) { | ||||
| @ -164,40 +173,3 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool { | ||||
| 		return false | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func issueNonce(w http.ResponseWriter, r *http.Request) { | ||||
| 	b := make([]byte, 16) | ||||
| 	_, _ = rand.Read(b) | ||||
| 	nonce := base64.RawURLEncoding.EncodeToString(b) | ||||
| 	//nonCh <- nonce | ||||
| 	nonces.Store(nonce, time.Now()) | ||||
| 
 | ||||
| 	w.Header().Set("Replay-Nonce", nonce) | ||||
| } | ||||
| 
 | ||||
| func requireNonce(next http.HandlerFunc) http.HandlerFunc { | ||||
| 	return func(w http.ResponseWriter, r *http.Request) { | ||||
| 		nonce := r.Header.Get("Replay-Nonce") | ||||
| 		// TODO expire nonces every so often | ||||
| 		//t := nonces[nonce] | ||||
| 		var t time.Time | ||||
| 		tmp, ok := nonces.Load(nonce) | ||||
| 		if ok { | ||||
| 			t = tmp.(time.Time) | ||||
| 		} | ||||
| 		if !ok || time.Now().Sub(t) > 15*time.Minute { | ||||
| 			http.Error( | ||||
| 				w, | ||||
| 				`{ "error": "invalid or expired nonce", "error_code": "ENONCE" }`, | ||||
| 				http.StatusBadRequest, | ||||
| 			) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		//delete(nonces, nonce) | ||||
| 		nonces.Delete(nonce) | ||||
| 		issueNonce(w, r) | ||||
| 
 | ||||
| 		next(w, r) | ||||
| 	} | ||||
| } | ||||
|  | ||||
							
								
								
									
										64
									
								
								mockid/nonce.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										64
									
								
								mockid/nonce.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,64 @@ | ||||
| package mockid | ||||
| 
 | ||||
| import ( | ||||
| 	"crypto/rand" | ||||
| 	"encoding/base64" | ||||
| 	"net/http" | ||||
| 	"sync" | ||||
| 	"time" | ||||
| ) | ||||
| 
 | ||||
| //var nonces map[string]int64 | ||||
| //var nonCh chan string | ||||
| var nonces sync.Map | ||||
| 
 | ||||
| func issueNonce(w http.ResponseWriter, r *http.Request) { | ||||
| 	b := make([]byte, 16) | ||||
| 	_, _ = rand.Read(b) | ||||
| 	nonce := base64.RawURLEncoding.EncodeToString(b) | ||||
| 	//nonCh <- nonce | ||||
| 	nonces.Store(nonce, time.Now()) | ||||
| 
 | ||||
| 	w.Header().Set("Replay-Nonce", nonce) | ||||
| } | ||||
| 
 | ||||
| func requireNonce(next http.HandlerFunc) http.HandlerFunc { | ||||
| 	return func(w http.ResponseWriter, r *http.Request) { | ||||
| 		nonce := r.Header.Get("Replay-Nonce") | ||||
| 		// TODO expire nonces every so often | ||||
| 		//t := nonces[nonce] | ||||
| 
 | ||||
| 		if !useNonce(nonce) { | ||||
| 			http.Error( | ||||
| 				w, | ||||
| 				`{ "error": "invalid or expired nonce", "error_code": "ENONCE" }`, | ||||
| 				http.StatusBadRequest, | ||||
| 			) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		issueNonce(w, r) | ||||
| 		next(w, r) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func checkNonce(nonce string) bool { | ||||
| 	var t time.Time | ||||
| 	tmp, ok := nonces.Load(nonce) | ||||
| 	if ok { | ||||
| 		t = tmp.(time.Time) | ||||
| 	} | ||||
| 	if ok && time.Now().Sub(t) <= 15*time.Minute { | ||||
| 		return true | ||||
| 	} | ||||
| 	return false | ||||
| } | ||||
| 
 | ||||
| func useNonce(nonce string) bool { | ||||
| 	if checkNonce(nonce) { | ||||
| 		//delete(nonces, nonce) | ||||
| 		nonces.Delete(nonce) | ||||
| 		return true | ||||
| 	} | ||||
| 	return false | ||||
| } | ||||
							
								
								
									
										273
									
								
								mockid/route.go
									
									
									
									
									
								
							
							
						
						
									
										273
									
								
								mockid/route.go
									
									
									
									
									
								
							| @ -6,6 +6,7 @@ import ( | ||||
| 	"crypto/sha512" | ||||
| 	"encoding/base64" | ||||
| 	"encoding/json" | ||||
| 	"errors" | ||||
| 	"fmt" | ||||
| 	"io/ioutil" | ||||
| 	"log" | ||||
| @ -23,94 +24,150 @@ import ( | ||||
| 	"github.com/google/uuid" | ||||
| ) | ||||
| 
 | ||||
| type HTTPResponse struct { | ||||
| 	Error   string `json:"error"` | ||||
| 	Success bool   `json:"success"` | ||||
| } | ||||
| 
 | ||||
| // Route returns an HTTP Mux containing the full API | ||||
| func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler { | ||||
| 	Init() | ||||
| 
 | ||||
| 	// TODO get from main() | ||||
| 	tokPrefix := jwksPrefix | ||||
| 	tokenPrefix = jwksPrefix | ||||
| 	pubkey := keypairs.NewPublicKey(privkey.Public()) | ||||
| 
 | ||||
| 	http.HandleFunc("/api/new-nonce", func(w http.ResponseWriter, r *http.Request) { | ||||
| 		baseURL := getBaseURL(r) | ||||
| 		/* | ||||
| 			res.statusCode = 200; | ||||
| 			res.setHeader("Cache-Control", "max-age=0, no-cache, no-store"); | ||||
| 			// TODO | ||||
| 			//res.setHeader("Date", "Sun, 10 Mar 2019 08:04:45 GMT"); | ||||
| 			// is this the expiration of the nonce itself? methinks maybe so | ||||
| 			//res.setHeader("Expires", "Sun, 10 Mar 2019 08:04:45 GMT"); | ||||
| 			// TODO use one of the registered domains | ||||
| 			//var indexURL = "https://acme-staging-v02.api.letsencrypt.org/index" | ||||
| 		*/ | ||||
| 		//var port = (state.config.ipc && state.config.ipc.port || state._ipc.port || undefined); | ||||
| 		//var indexURL = "http://localhost:" + port + "/index"; | ||||
| 		indexURL := baseURL + "/index" | ||||
| 	http.HandleFunc("/api/new-hashcash", func(w http.ResponseWriter, r *http.Request) { | ||||
| 		if "POST" != r.Method { | ||||
| 			http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		indexURL := getBaseURL(r) + "/api/directory" | ||||
| 		w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"") | ||||
| 
 | ||||
| 		w.Header().Set("Date", time.Now().Format(http.TimeFormat)) | ||||
| 		// disable caching in every possible way | ||||
| 		w.Header().Set("Expires", time.Now().Format(http.TimeFormat)) | ||||
| 		w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store") | ||||
| 		w.Header().Set("Pragma", "no-cache") | ||||
| 		//res.setHeader("Strict-Transport-Security", "max-age=604800"); | ||||
| 		w.Header().Set("Strict-Transport-Security", "max-age=604800") | ||||
| 
 | ||||
| 		w.Header().Set("X-Frame-Options", "DENY") | ||||
| 		issueNonce(w, r) | ||||
| 
 | ||||
| 		h := issueHashcash(w, r) | ||||
| 		b, _ := json.Marshal(h) | ||||
| 		w.Write(b) | ||||
| 	}) | ||||
| 
 | ||||
| 	http.HandleFunc("/api/new-account", requireNonce(func(w http.ResponseWriter, r *http.Request) { | ||||
| 		// Try to decode the request body into the struct. If there is an error, | ||||
| 		// respond to the client with the error message and a 400 status code. | ||||
| 		data := map[string]string{} | ||||
| 		err := json.NewDecoder(r.Body).Decode(&data) | ||||
| 		if nil != err { | ||||
| 			http.Error(w, err.Error(), http.StatusBadRequest) | ||||
| 	http.HandleFunc("/api/new-nonce", requireHashcash(func(w http.ResponseWriter, r *http.Request) { | ||||
| 		indexURL := getBaseURL(r) + "/api/directory" | ||||
| 		w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"") | ||||
| 
 | ||||
| 		w.Header().Set("Date", time.Now().Format(http.TimeFormat)) | ||||
| 		// disable caching in every possible way | ||||
| 		w.Header().Set("Expires", time.Now().Format(http.TimeFormat)) | ||||
| 		w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store") | ||||
| 		w.Header().Set("Pragma", "no-cache") | ||||
| 		w.Header().Set("Strict-Transport-Security", "max-age=604800") | ||||
| 
 | ||||
| 		w.Header().Set("X-Frame-Options", "DENY") | ||||
| 
 | ||||
| 		issueNonce(w, r) | ||||
| 	})) | ||||
| 
 | ||||
| 	http.HandleFunc("/api/test-hashcash", func(w http.ResponseWriter, r *http.Request) { | ||||
| 		if err := UseHashcash(r.Header.Get("Hashcash")); nil != err { | ||||
| 			b, _ := json.Marshal(&HTTPResponse{ | ||||
| 				Error: err.Error(), | ||||
| 			}) | ||||
| 			w.Write(b) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		// TODO check DNS for MX records | ||||
| 		parts := strings.Split(data["to"], ", <>\n\r\t") | ||||
| 		to := parts[0] | ||||
| 		if len(parts) > 1 || !strings.Contains(to, "@") { | ||||
| 			http.Error(w, "invalid email address", http.StatusBadRequest) | ||||
| 		b, _ := json.Marshal(&HTTPResponse{ | ||||
| 			Success: true, | ||||
| 		}) | ||||
| 		w.Write(b) | ||||
| 	}) | ||||
| 
 | ||||
| 	type NewAccount struct { | ||||
| 		Contact              []string `json:"contact"` | ||||
| 		TermsOfServiceAgreed bool     `json:"termsOfServiceAgreed"` | ||||
| 	} | ||||
| 
 | ||||
| 	http.HandleFunc("/api/new-account", func(w http.ResponseWriter, r *http.Request) { | ||||
| 		myURL := getBaseURL(r) + r.URL.Path | ||||
| 
 | ||||
| 		jws := &xkeypairs.JWS{} | ||||
| 
 | ||||
| 		decoder := json.NewDecoder(r.Body) | ||||
| 		if err := decoder.Decode(jws); nil != err { | ||||
| 			http.Error(w, "Bad Request", http.StatusBadRequest) | ||||
| 			return | ||||
| 		} | ||||
| 		defer r.Body.Close() | ||||
| 
 | ||||
| 		if err := jws.DecodeComponents(); nil != err { | ||||
| 			http.Error(w, "Bad Request", http.StatusBadRequest) | ||||
| 			fmt.Fprintf(w, `{"error":%q}`+"\n", err) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		// TODO expect JWK in JWS/JWT | ||||
| 		// TODO place validated JWK into file with token | ||||
| 
 | ||||
| 		token, err := uuid.NewRandom() | ||||
| 		if nil != err { | ||||
| 			// nothing else to do if we run out of random | ||||
| 			// or are on a platform that doesn't support random | ||||
| 			panic(fmt.Errorf("random bytes read failure: %w", err)) | ||||
| 		} | ||||
| 		token64 := base64.RawURLEncoding.EncodeToString([]byte(token[:])) | ||||
| 		// hash token to prevent fs read timing attacks | ||||
| 		hash := sha1.Sum(append(token[:], salt...)) | ||||
| 		tokname := base64.RawURLEncoding.EncodeToString(hash[:]) | ||||
| 		if err := ioutil.WriteFile( | ||||
| 			filepath.Join(tokPrefix, tokname+".tok.txt"), | ||||
| 			[]byte(`{"comment":"I have no idea..."}`), | ||||
| 			os.FileMode(0600), | ||||
| 		); nil != err { | ||||
| 			http.Error(w, "database connection failed when writing verification token", http.StatusInternalServerError) | ||||
| 		kid, _ := jws.Header["kid"].(string) | ||||
| 		if "" != kid { | ||||
| 			http.Error(w, "Bad Request", http.StatusBadRequest) | ||||
| 			fmt.Fprintf(w, `{"error":"jws must include protected jwk, which is mutually exclusive from kid"}`+"\n") | ||||
| 			return | ||||
| 		} | ||||
| 		subject := "Verify New Account" | ||||
| 		// TODO go tpl | ||||
| 		// TODO determine OS and Browser from user agent | ||||
| 
 | ||||
| 		alg, _ := jws.Header["alg"].(string) | ||||
| 		if !strings.HasSuffix(alg, "256") { | ||||
| 			http.Error(w, "Bad Request", http.StatusBadRequest) | ||||
| 			fmt.Fprintf(w, `{"error":"invalid jws protected algorithm"}`+"\n") | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		nonce, _ := jws.Header["nonce"].(string) | ||||
| 		if !useNonce(nonce) { | ||||
| 			http.Error(w, "Bad Request", http.StatusBadRequest) | ||||
| 			fmt.Fprintf(w, `{"error":"invalid jws protected nonce"}`+"\n") | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		jwsURL, _ := jws.Header["url"].(string) | ||||
| 		if myURL != jwsURL { | ||||
| 			http.Error(w, "Bad Request", http.StatusBadRequest) | ||||
| 			fmt.Fprintf(w, `{"error":"invalid jws protected target URL"}`+"\n") | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		ok, err := xkeypairs.VerifyClaims(nil, jws) | ||||
| 		if nil != err || !ok { | ||||
| 			if nil != err { | ||||
| 				log.Printf("jws verify error: %s", err) | ||||
| 			} | ||||
| 			http.Error(w, "Bad Request", http.StatusBadRequest) | ||||
| 			fmt.Fprintf(w, `{"error":"could not verify JWS claims"}`+"\n") | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		contacts, _ := jws.Claims["contact"].([]string) | ||||
| 		contact := "" | ||||
| 		if 1 == len(contacts) { | ||||
| 			contact = contacts[0] | ||||
| 		} | ||||
| 
 | ||||
| 		baseURL := getBaseURL(r) | ||||
| 		text := fmt.Sprintf( | ||||
| 			"It looks like you just tried to register a new Pocket ID account.\n\n    Verify account: %s/verify/%s\n\nNot you? Just ignore this message.", | ||||
| 			baseURL, token64, | ||||
| 		) | ||||
| 		_, err = SendSimpleMessage(to, defaultFrom, subject, text, defaultReplyTo) | ||||
| 		if nil != err { | ||||
| 			// TODO neuter mailgun output | ||||
| 			http.Error(w, err.Error(), http.StatusBadRequest) | ||||
| 		if err := startVerification(baseURL, contact); nil != err { | ||||
| 			http.Error(w, "Bad Request", http.StatusBadRequest) | ||||
| 			msg, _ := json.Marshal(err.Error()) | ||||
| 			fmt.Fprintf(w, `{"error":%s}`+"\n", msg) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n") | ||||
| 	})) | ||||
| 	}) | ||||
| 
 | ||||
| 	// TODO use chi | ||||
| 	http.HandleFunc("/verify/", requireNonce(func(w http.ResponseWriter, r *http.Request) { | ||||
| @ -119,24 +176,13 @@ func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler { | ||||
| 			http.Error(w, "invalid url path", http.StatusBadRequest) | ||||
| 			return | ||||
| 		} | ||||
| 		token64 := parts[2] | ||||
| 		token, err := base64.RawURLEncoding.DecodeString(token64) | ||||
| 		if err != nil || 0 == len(token) { | ||||
| 			http.Error(w, "invalid url path", http.StatusBadRequest) | ||||
| 			return | ||||
| 		} | ||||
| 		// hash token to prevent fs read timing attacks | ||||
| 		hash := sha1.Sum(append(token, salt...)) | ||||
| 		tokname := base64.RawURLEncoding.EncodeToString(hash[:]) | ||||
| 		tokfile := filepath.Join(tokPrefix, tokname+".tok.txt") | ||||
| 		_, err = ioutil.ReadFile(tokfile) | ||||
| 		if nil != err { | ||||
| 			http.Error(w, "database connection failed when reading verification token", http.StatusInternalServerError) | ||||
| 			return | ||||
| 		} | ||||
| 		token := parts[2] | ||||
| 
 | ||||
| 		// TODO promote JWK to public... and related to an ID or email?? | ||||
| 		os.Remove(tokfile) | ||||
| 		if err := checkOTP(token); nil != err { | ||||
| 			http.Error(w, "Internal Server Error", http.StatusInternalServerError) | ||||
| 			fmt.Fprintf(w, "%s", err) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n") | ||||
| 	})) | ||||
| @ -374,6 +420,77 @@ func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler { | ||||
| 	return http.DefaultServeMux | ||||
| } | ||||
| 
 | ||||
| var tokenPrefix string | ||||
| 
 | ||||
| func newOTP() (string, error) { | ||||
| 	rnd, err := uuid.NewRandom() | ||||
| 	if nil != err { | ||||
| 		// nothing else to do if we run out of random | ||||
| 		// or are on a platform that doesn't support random | ||||
| 		panic(fmt.Errorf("random bytes read failure: %w", err)) | ||||
| 	} | ||||
| 	token := base64.RawURLEncoding.EncodeToString(rnd[:]) | ||||
| 
 | ||||
| 	// We hash the random value to prevent DB / FS / compare timing attacks | ||||
| 	tokenID := sha1.Sum([]byte(token)) | ||||
| 	tokenName := base64.RawURLEncoding.EncodeToString(tokenID[:]) | ||||
| 	if err := ioutil.WriteFile( | ||||
| 		filepath.Join(tokenPrefix, tokenName+".tok.txt"), | ||||
| 		[]byte(`{"comment":"TODO: metadata goes here"}`), | ||||
| 		// keep it secret, keep it safe | ||||
| 		os.FileMode(0600), | ||||
| 	); nil != err { | ||||
| 		return "", errors.New("database connection failed when writing verification token") | ||||
| 	} | ||||
| 	return token, nil | ||||
| } | ||||
| 
 | ||||
| func checkOTP(token string) error { | ||||
| 	// We hash the random value to prevent DB / FS / compare timing attacks | ||||
| 	tokenID := sha1.Sum([]byte(token)) | ||||
| 	tokenName := base64.RawURLEncoding.EncodeToString(tokenID[:]) | ||||
| 	tokfile := filepath.Join(tokenPrefix, tokenName+".tok.txt") | ||||
| 	if _, err := ioutil.ReadFile(tokfile); nil != err { | ||||
| 		return errors.New("database connection failed when reading verification token") | ||||
| 	} | ||||
| 
 | ||||
| 	// TODO promote JWK to public... and related to an ID or email?? | ||||
| 	_ = os.Remove(tokfile) | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func startVerification(baseURL, contact string) error { | ||||
| 	email := strings.Replace(contact, "mailto:", "", -1) | ||||
| 	if "" == email { | ||||
| 		return errors.New("missing contact:[\"mailto:me@example.com\"]") | ||||
| 	} | ||||
| 
 | ||||
| 	// TODO check DNS for MX records | ||||
| 	if !strings.Contains(email, "@") || strings.Contains(email, " \t\n") { | ||||
| 		return errors.New("invalid email address") | ||||
| 	} | ||||
| 
 | ||||
| 	// TODO expect JWK in JWS/JWT | ||||
| 	// TODO place validated JWK into file with token | ||||
| 
 | ||||
| 	token, err := newOTP() | ||||
| 	if nil != err { | ||||
| 		return err | ||||
| 	} | ||||
| 	subject := "Verify New Account" | ||||
| 	// TODO go tpl | ||||
| 	// TODO determine OS and Browser from user agent | ||||
| 	text := fmt.Sprintf( | ||||
| 		"It looks like you just tried to register a new Pocket ID account.\n\n    Verify account: %s/verify/%s\n\nNot you? Just ignore this message.", | ||||
| 		baseURL, token, | ||||
| 	) | ||||
| 	if _, err = SendSimpleMessage(email, defaultFrom, subject, text, defaultReplyTo); nil != err { | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func getBaseURL(r *http.Request) string { | ||||
| 	var scheme string | ||||
| 	if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") { | ||||
|  | ||||
							
								
								
									
										19
									
								
								vendor/git.rootprojects.org/root/hashcash/.gitignore
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								vendor/git.rootprojects.org/root/hashcash/.gitignore
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @ -0,0 +1,19 @@ | ||||
| cmd/hashcash/hashcash | ||||
| 
 | ||||
| # ---> Go | ||||
| # Binaries for programs and plugins | ||||
| *.exe | ||||
| *.exe~ | ||||
| *.dll | ||||
| *.so | ||||
| *.dylib | ||||
| 
 | ||||
| # Test binary, built with `go test -c` | ||||
| *.test | ||||
| 
 | ||||
| # Output of the go coverage tool, specifically when used with LiteIDE | ||||
| *.out | ||||
| 
 | ||||
| # Dependency directories (remove the comment below to include it) | ||||
| # vendor/ | ||||
| 
 | ||||
							
								
								
									
										312
									
								
								vendor/git.rootprojects.org/root/hashcash/LICENSE
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										312
									
								
								vendor/git.rootprojects.org/root/hashcash/LICENSE
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @ -0,0 +1,312 @@ | ||||
| Mozilla Public License Version 2.0 | ||||
| 
 | ||||
|    1. Definitions | ||||
| 
 | ||||
| 1.1. "Contributor" means each individual or legal entity that creates, contributes | ||||
| to the creation of, or owns Covered Software. | ||||
| 
 | ||||
| 1.2. "Contributor Version" means the combination of the Contributions of others | ||||
| (if any) used by a Contributor and that particular Contributor's Contribution. | ||||
| 
 | ||||
|       1.3. "Contribution" means Covered Software of a particular Contributor. | ||||
| 
 | ||||
| 1.4. "Covered Software" means Source Code Form to which the initial Contributor | ||||
| has attached the notice in Exhibit A, the Executable Form of such Source Code | ||||
| Form, and Modifications of such Source Code Form, in each case including portions | ||||
| thereof. | ||||
| 
 | ||||
|       1.5. "Incompatible With Secondary Licenses" means | ||||
| 
 | ||||
| (a) that the initial Contributor has attached the notice described in Exhibit | ||||
| B to the Covered Software; or | ||||
| 
 | ||||
| (b) that the Covered Software was made available under the terms of version | ||||
| 1.1 or earlier of the License, but not also under the terms of a Secondary | ||||
| License. | ||||
| 
 | ||||
| 1.6. "Executable Form" means any form of the work other than Source Code Form. | ||||
| 
 | ||||
| 1.7. "Larger Work" means a work that combines Covered Software with other | ||||
| material, in a separate file or files, that is not Covered Software. | ||||
| 
 | ||||
|       1.8. "License" means this document. | ||||
| 
 | ||||
| 1.9. "Licensable" means having the right to grant, to the maximum extent possible, | ||||
| whether at the time of the initial grant or subsequently, any and all of the | ||||
| rights conveyed by this License. | ||||
| 
 | ||||
|       1.10. "Modifications" means any of the following: | ||||
| 
 | ||||
| (a) any file in Source Code Form that results from an addition to, deletion | ||||
| from, or modification of the contents of Covered Software; or | ||||
| 
 | ||||
| (b) any new file in Source Code Form that contains any Covered Software. | ||||
| 
 | ||||
| 1.11. "Patent Claims" of a Contributor means any patent claim(s), including | ||||
| without limitation, method, process, and apparatus claims, in any patent Licensable | ||||
| by such Contributor that would be infringed, but for the grant of the License, | ||||
| by the making, using, selling, offering for sale, having made, import, or | ||||
| transfer of either its Contributions or its Contributor Version. | ||||
| 
 | ||||
| 1.12. "Secondary License" means either the GNU General Public License, Version | ||||
| 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General | ||||
| Public License, Version 3.0, or any later versions of those licenses. | ||||
| 
 | ||||
| 1.13. "Source Code Form" means the form of the work preferred for making modifications. | ||||
| 
 | ||||
| 1.14. "You" (or "Your") means an individual or a legal entity exercising rights | ||||
| under this License. For legal entities, "You" includes any entity that controls, | ||||
| is controlled by, or is under common control with You. For purposes of this | ||||
| definition, "control" means (a) the power, direct or indirect, to cause the | ||||
| direction or management of such entity, whether by contract or otherwise, | ||||
| or (b) ownership of more than fifty percent (50%) of the outstanding shares | ||||
| or beneficial ownership of such entity. | ||||
| 
 | ||||
|    2. License Grants and Conditions | ||||
| 
 | ||||
|       2.1. Grants | ||||
| 
 | ||||
| Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive | ||||
| license: | ||||
| 
 | ||||
| (a) under intellectual property rights (other than patent or trademark) Licensable | ||||
| by such Contributor to use, reproduce, make available, modify, display, perform, | ||||
| distribute, and otherwise exploit its Contributions, either on an unmodified | ||||
| basis, with Modifications, or as part of a Larger Work; and | ||||
| 
 | ||||
| (b) under Patent Claims of such Contributor to make, use, sell, offer for | ||||
| sale, have made, import, and otherwise transfer either its Contributions or | ||||
| its Contributor Version. | ||||
| 
 | ||||
|       2.2. Effective Date | ||||
| 
 | ||||
| The licenses granted in Section 2.1 with respect to any Contribution become | ||||
| effective for each Contribution on the date the Contributor first distributes | ||||
| such Contribution. | ||||
| 
 | ||||
|       2.3. Limitations on Grant Scope | ||||
| 
 | ||||
| The licenses granted in this Section 2 are the only rights granted under this | ||||
| License. No additional rights or licenses will be implied from the distribution | ||||
| or licensing of Covered Software under this License. Notwithstanding Section | ||||
| 2.1(b) above, no patent license is granted by a Contributor: | ||||
| 
 | ||||
| (a) for any code that a Contributor has removed from Covered Software; or | ||||
| 
 | ||||
| (b) for infringements caused by: (i) Your and any other third party's modifications | ||||
| of Covered Software, or (ii) the combination of its Contributions with other | ||||
| software (except as part of its Contributor Version); or | ||||
| 
 | ||||
| (c) under Patent Claims infringed by Covered Software in the absence of its | ||||
| Contributions. | ||||
| 
 | ||||
| This License does not grant any rights in the trademarks, service marks, or | ||||
| logos of any Contributor (except as may be necessary to comply with the notice | ||||
| requirements in Section 3.4). | ||||
| 
 | ||||
|       2.4. Subsequent Licenses | ||||
| 
 | ||||
| No Contributor makes additional grants as a result of Your choice to distribute | ||||
| the Covered Software under a subsequent version of this License (see Section | ||||
| 10.2) or under the terms of a Secondary License (if permitted under the terms | ||||
| of Section 3.3). | ||||
| 
 | ||||
|       2.5. Representation | ||||
| 
 | ||||
| Each Contributor represents that the Contributor believes its Contributions | ||||
| are its original creation(s) or it has sufficient rights to grant the rights | ||||
| to its Contributions conveyed by this License. | ||||
| 
 | ||||
|       2.6. Fair Use | ||||
| 
 | ||||
| This License is not intended to limit any rights You have under applicable | ||||
| copyright doctrines of fair use, fair dealing, or other equivalents. | ||||
| 
 | ||||
|       2.7. Conditions | ||||
| 
 | ||||
| Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in | ||||
| Section 2.1. | ||||
| 
 | ||||
|    3. Responsibilities | ||||
| 
 | ||||
|       3.1. Distribution of Source Form | ||||
| 
 | ||||
| All distribution of Covered Software in Source Code Form, including any Modifications | ||||
| that You create or to which You contribute, must be under the terms of this | ||||
| License. You must inform recipients that the Source Code Form of the Covered | ||||
| Software is governed by the terms of this License, and how they can obtain | ||||
| a copy of this License. You may not attempt to alter or restrict the recipients' | ||||
| rights in the Source Code Form. | ||||
| 
 | ||||
|       3.2. Distribution of Executable Form | ||||
| 
 | ||||
|       If You distribute Covered Software in Executable Form then: | ||||
| 
 | ||||
| (a) such Covered Software must also be made available in Source Code Form, | ||||
| as described in Section 3.1, and You must inform recipients of the Executable | ||||
| Form how they can obtain a copy of such Source Code Form by reasonable means | ||||
| in a timely manner, at a charge no more than the cost of distribution to the | ||||
| recipient; and | ||||
| 
 | ||||
| (b) You may distribute such Executable Form under the terms of this License, | ||||
| or sublicense it under different terms, provided that the license for the | ||||
| Executable Form does not attempt to limit or alter the recipients' rights | ||||
| in the Source Code Form under this License. | ||||
| 
 | ||||
|       3.3. Distribution of a Larger Work | ||||
| 
 | ||||
| You may create and distribute a Larger Work under terms of Your choice, provided | ||||
| that You also comply with the requirements of this License for the Covered | ||||
| Software. If the Larger Work is a combination of Covered Software with a work | ||||
| governed by one or more Secondary Licenses, and the Covered Software is not | ||||
| Incompatible With Secondary Licenses, this License permits You to additionally | ||||
| distribute such Covered Software under the terms of such Secondary License(s), | ||||
| so that the recipient of the Larger Work may, at their option, further distribute | ||||
| the Covered Software under the terms of either this License or such Secondary | ||||
| License(s). | ||||
| 
 | ||||
|       3.4. Notices | ||||
| 
 | ||||
| You may not remove or alter the substance of any license notices (including | ||||
| copyright notices, patent notices, disclaimers of warranty, or limitations | ||||
| of liability) contained within the Source Code Form of the Covered Software, | ||||
| except that You may alter any license notices to the extent required to remedy | ||||
| known factual inaccuracies. | ||||
| 
 | ||||
|       3.5. Application of Additional Terms | ||||
| 
 | ||||
| You may choose to offer, and to charge a fee for, warranty, support, indemnity | ||||
| or liability obligations to one or more recipients of Covered Software. However, | ||||
| You may do so only on Your own behalf, and not on behalf of any Contributor. | ||||
| You must make it absolutely clear that any such warranty, support, indemnity, | ||||
| or liability obligation is offered by You alone, and You hereby agree to indemnify | ||||
| every Contributor for any liability incurred by such Contributor as a result | ||||
| of warranty, support, indemnity or liability terms You offer. You may include | ||||
| additional disclaimers of warranty and limitations of liability specific to | ||||
| any jurisdiction. | ||||
| 
 | ||||
|    4. Inability to Comply Due to Statute or Regulation | ||||
| 
 | ||||
| If it is impossible for You to comply with any of the terms of this License | ||||
| with respect to some or all of the Covered Software due to statute, judicial | ||||
| order, or regulation then You must: (a) comply with the terms of this License | ||||
| to the maximum extent possible; and (b) describe the limitations and the code | ||||
| they affect. Such description must be placed in a text file included with | ||||
| all distributions of the Covered Software under this License. Except to the | ||||
| extent prohibited by statute or regulation, such description must be sufficiently | ||||
| detailed for a recipient of ordinary skill to be able to understand it. | ||||
| 
 | ||||
|    5. Termination | ||||
| 
 | ||||
| 5.1. The rights granted under this License will terminate automatically if | ||||
| You fail to comply with any of its terms. However, if You become compliant, | ||||
| then the rights granted under this License from a particular Contributor are | ||||
| reinstated (a) provisionally, unless and until such Contributor explicitly | ||||
| and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor | ||||
| fails to notify You of the non-compliance by some reasonable means prior to | ||||
| 60 days after You have come back into compliance. Moreover, Your grants from | ||||
| a particular Contributor are reinstated on an ongoing basis if such Contributor | ||||
| notifies You of the non-compliance by some reasonable means, this is the first | ||||
| time You have received notice of non-compliance with this License from such | ||||
| Contributor, and You become compliant prior to 30 days after Your receipt | ||||
| of the notice. | ||||
| 
 | ||||
| 5.2. If You initiate litigation against any entity by asserting a patent infringement | ||||
| claim (excluding declaratory judgment actions, counter-claims, and cross-claims) | ||||
| alleging that a Contributor Version directly or indirectly infringes any patent, | ||||
| then the rights granted to You by any and all Contributors for the Covered | ||||
| Software under Section 2.1 of this License shall terminate. | ||||
| 
 | ||||
| 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end | ||||
| user license agreements (excluding distributors and resellers) which have | ||||
| been validly granted by You or Your distributors under this License prior | ||||
| to termination shall survive termination. | ||||
| 
 | ||||
|    6. Disclaimer of Warranty | ||||
| 
 | ||||
| Covered Software is provided under this License on an "as is" basis, without | ||||
| warranty of any kind, either expressed, implied, or statutory, including, | ||||
| without limitation, warranties that the Covered Software is free of defects, | ||||
| merchantable, fit for a particular purpose or non-infringing. The entire risk | ||||
| as to the quality and performance of the Covered Software is with You. Should | ||||
| any Covered Software prove defective in any respect, You (not any Contributor) | ||||
| assume the cost of any necessary servicing, repair, or correction. This disclaimer | ||||
| of warranty constitutes an essential part of this License. No use of any Covered | ||||
| Software is authorized under this License except under this disclaimer. | ||||
| 
 | ||||
|    7. Limitation of Liability | ||||
| 
 | ||||
| Under no circumstances and under no legal theory, whether tort (including | ||||
| negligence), contract, or otherwise, shall any Contributor, or anyone who | ||||
| distributes Covered Software as permitted above, be liable to You for any | ||||
| direct, indirect, special, incidental, or consequential damages of any character | ||||
| including, without limitation, damages for lost profits, loss of goodwill, | ||||
| work stoppage, computer failure or malfunction, or any and all other commercial | ||||
| damages or losses, even if such party shall have been informed of the possibility | ||||
| of such damages. This limitation of liability shall not apply to liability | ||||
| for death or personal injury resulting from such party's negligence to the | ||||
| extent applicable law prohibits such limitation. Some jurisdictions do not | ||||
| allow the exclusion or limitation of incidental or consequential damages, | ||||
| so this exclusion and limitation may not apply to You. | ||||
| 
 | ||||
|    8. Litigation | ||||
| 
 | ||||
| Any litigation relating to this License may be brought only in the courts | ||||
| of a jurisdiction where the defendant maintains its principal place of business | ||||
| and such litigation shall be governed by laws of that jurisdiction, without | ||||
| reference to its conflict-of-law provisions. Nothing in this Section shall | ||||
| prevent a party's ability to bring cross-claims or counter-claims. | ||||
| 
 | ||||
|    9. Miscellaneous | ||||
| 
 | ||||
| This License represents the complete agreement concerning the subject matter | ||||
| hereof. If any provision of this License is held to be unenforceable, such | ||||
| provision shall be reformed only to the extent necessary to make it enforceable. | ||||
| Any law or regulation which provides that the language of a contract shall | ||||
| be construed against the drafter shall not be used to construe this License | ||||
| against a Contributor. | ||||
| 
 | ||||
|    10. Versions of the License | ||||
| 
 | ||||
|       10.1. New Versions | ||||
| 
 | ||||
| Mozilla Foundation is the license steward. Except as provided in Section 10.3, | ||||
| no one other than the license steward has the right to modify or publish new | ||||
| versions of this License. Each version will be given a distinguishing version | ||||
| number. | ||||
| 
 | ||||
|       10.2. Effect of New Versions | ||||
| 
 | ||||
| You may distribute the Covered Software under the terms of the version of | ||||
| the License under which You originally received the Covered Software, or under | ||||
| the terms of any subsequent version published by the license steward. | ||||
| 
 | ||||
|       10.3. Modified Versions | ||||
| 
 | ||||
| If you create software not governed by this License, and you want to create | ||||
| a new license for such software, you may create and use a modified version | ||||
| of this License if you rename the license and remove any references to the | ||||
| name of the license steward (except to note that such modified license differs | ||||
| from this License). | ||||
| 
 | ||||
| 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses | ||||
| 
 | ||||
| If You choose to distribute Source Code Form that is Incompatible With Secondary | ||||
| Licenses under the terms of this version of the License, the notice described | ||||
| in Exhibit B of this License must be attached. Exhibit A - Source Code Form | ||||
| License Notice | ||||
| 
 | ||||
| This Source Code Form is subject to the terms of the Mozilla Public License, | ||||
| v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain | ||||
| one at http://mozilla.org/MPL/2.0/. | ||||
| 
 | ||||
| If it is not possible or desirable to put the notice in a particular file, | ||||
| then You may include the notice in a location (such as a LICENSE file in a | ||||
| relevant directory) where a recipient would be likely to look for such a notice. | ||||
| 
 | ||||
| You may add additional accurate notices of copyright ownership. | ||||
| 
 | ||||
| Exhibit B - "Incompatible With Secondary Licenses" Notice | ||||
| 
 | ||||
| This Source Code Form is "Incompatible With Secondary Licenses", as defined | ||||
| by the Mozilla Public License, v. 2.0. | ||||
							
								
								
									
										41
									
								
								vendor/git.rootprojects.org/root/hashcash/README.md
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										41
									
								
								vendor/git.rootprojects.org/root/hashcash/README.md
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @ -0,0 +1,41 @@ | ||||
| # hashcash | ||||
| 
 | ||||
| HTTP Hashcash implemented in Go. | ||||
| 
 | ||||
| Explanation at https://therootcompany.com/blog/http-hashcash/ | ||||
| 
 | ||||
| Go docs at https://godoc.org/git.rootprojects.org/root/hashcash | ||||
| 
 | ||||
| # CLI Usage | ||||
| 
 | ||||
| Install: | ||||
| 
 | ||||
| ```bash | ||||
| go get git.rootprojects.org/root/hashcash/cmd/hashcash | ||||
| ``` | ||||
| 
 | ||||
| Usage: | ||||
| 
 | ||||
| ```txt | ||||
| Usage: | ||||
| 	hashcash new [subject *] [expires in 5m] [difficulty 10] | ||||
| 	hashcash parse <hashcash> | ||||
| 	hashcash solve <hashcash> | ||||
| 	hashcash verify <hashcash> [subject *] | ||||
| ``` | ||||
| 
 | ||||
| Example: | ||||
| 
 | ||||
| ```bash | ||||
| my_hc=$(hashcash new) | ||||
| echo New: $my_hc | ||||
| hashcash parse "$my_hc" | ||||
| echo "" | ||||
| 
 | ||||
| my_hc=$(hashcash solve "$my_hc") | ||||
| echo Solved: $my_hc | ||||
| hashcash parse "$my_hc" | ||||
| echo "" | ||||
| 
 | ||||
| hashcash verify "$my_hc" | ||||
| ``` | ||||
							
								
								
									
										3
									
								
								vendor/git.rootprojects.org/root/hashcash/go.mod
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										3
									
								
								vendor/git.rootprojects.org/root/hashcash/go.mod
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @ -0,0 +1,3 @@ | ||||
| module git.rootprojects.org/root/hashcash | ||||
| 
 | ||||
| go 1.15 | ||||
							
								
								
									
										284
									
								
								vendor/git.rootprojects.org/root/hashcash/hashcash.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										284
									
								
								vendor/git.rootprojects.org/root/hashcash/hashcash.go
									
									
									
										generated
									
									
										vendored
									
									
										Normal file
									
								
							| @ -0,0 +1,284 @@ | ||||
| package hashcash | ||||
| 
 | ||||
| import ( | ||||
| 	"crypto/rand" | ||||
| 	"crypto/sha256" | ||||
| 	"encoding/base64" | ||||
| 	"encoding/binary" | ||||
| 	"errors" | ||||
| 	"strconv" | ||||
| 	"strings" | ||||
| 	"time" | ||||
| ) | ||||
| 
 | ||||
| // ErrParse is returned when fewer than 6 or more than 7 segments are split | ||||
| var ErrParse = errors.New("could not split the hashcash parts") | ||||
| 
 | ||||
| // ErrInvalidTag is returned when the Hashcash version is unsupported | ||||
| var ErrInvalidTag = errors.New("expected tag to be 'H'") | ||||
| 
 | ||||
| // ErrInvalidDifficulty is returned when the difficulty is outside of the acceptable range | ||||
| var ErrInvalidDifficulty = errors.New("the number of bits of difficulty is too low or too high") | ||||
| 
 | ||||
| // ErrInvalidDate is returned when the date cannot be parsed as a positive int64 | ||||
| var ErrInvalidDate = errors.New("invalid date") | ||||
| 
 | ||||
| // ErrExpired is returned when the current time is past that of ExpiresAt | ||||
| var ErrExpired = errors.New("expired hashcash") | ||||
| 
 | ||||
| // ErrInvalidSubject is returned when the subject is invalid or does not match that passed to Verify() | ||||
| var ErrInvalidSubject = errors.New("the subject is invalid or rejected") | ||||
| 
 | ||||
| // ErrInvalidNonce is returned when the nonce | ||||
| //var ErrInvalidNonce = errors.New("the nonce has been used or is invalid") | ||||
| 
 | ||||
| // ErrUnsupportedAlgorithm is returned when the given algorithm is not supported | ||||
| var ErrUnsupportedAlgorithm = errors.New("the given algorithm is invalid or not supported") | ||||
| 
 | ||||
| // ErrInvalidSolution is returned when the given hashcash is not properly solved | ||||
| var ErrInvalidSolution = errors.New("the given solution is not valid") | ||||
| 
 | ||||
| // MaxDifficulty is the upper bound for all Solve() operations | ||||
| var MaxDifficulty = 26 | ||||
| 
 | ||||
| // Sep is the separator character to use | ||||
| var Sep = ":" | ||||
| 
 | ||||
| // no milliseconds | ||||
| //var isoTS = "2006-01-02T15:04:05Z" | ||||
| 
 | ||||
| // Hashcash represents a parsed Hashcash string | ||||
| type Hashcash struct { | ||||
| 	Tag        string    `json:"tag"`        // Always "H" for "HTTP" | ||||
| 	Difficulty int       `json:"difficulty"` // Number of "partial pre-image" (zero) bits in the hashed code | ||||
| 	ExpiresAt  time.Time `json:"exp"`        // The timestamp that the hashcash expires, as seconds since the Unix epoch | ||||
| 	Subject    string    `json:"sub"`        // Resource data string being transmitted, e.g., a domain or URL | ||||
| 	Nonce      string    `json:"nonce"`      // Unique string of random characters, encoded as url-safe base-64 | ||||
| 	Alg        string    `json:"alg"`        // always SHA-256 for now | ||||
| 	Solution   string    `json:"solution"`   // Binary counter, encoded as url-safe base-64 | ||||
| } | ||||
| 
 | ||||
| // New returns a Hashcash with reasonable defaults | ||||
| func New(h Hashcash) *Hashcash { | ||||
| 	h.Tag = "H" | ||||
| 
 | ||||
| 	if 0 == h.Difficulty { | ||||
| 		// safe for WebCrypto | ||||
| 		h.Difficulty = 10 | ||||
| 	} | ||||
| 
 | ||||
| 	if h.ExpiresAt.IsZero() { | ||||
| 		h.ExpiresAt = time.Now().Add(5 * time.Minute) | ||||
| 	} | ||||
| 	h.ExpiresAt = h.ExpiresAt.UTC().Truncate(time.Second) | ||||
| 
 | ||||
| 	if "" == h.Subject { | ||||
| 		h.Subject = "*" | ||||
| 	} | ||||
| 
 | ||||
| 	if "" == h.Nonce { | ||||
| 		nonce := make([]byte, 16) | ||||
| 		if _, err := rand.Read(nonce); nil != err { | ||||
| 			panic(err) | ||||
| 			return nil | ||||
| 		} | ||||
| 		h.Nonce = base64.RawURLEncoding.EncodeToString(nonce) | ||||
| 	} | ||||
| 
 | ||||
| 	if "" == h.Alg { | ||||
| 		h.Alg = "SHA-256" | ||||
| 	} | ||||
| 	/* | ||||
| 		if "SHA-256" != h.Alg { | ||||
| 			// TODO error | ||||
| 		} | ||||
| 	*/ | ||||
| 
 | ||||
| 	return &h | ||||
| } | ||||
| 
 | ||||
| // Parse will (obviously) parse the hashcash string, without verifying any | ||||
| // of the parameters. | ||||
| func Parse(hc string) (*Hashcash, error) { | ||||
| 	parts := strings.Split(hc, Sep) | ||||
| 	n := len(parts) | ||||
| 	if n < 6 || n > 7 { | ||||
| 		return nil, ErrParse | ||||
| 	} | ||||
| 
 | ||||
| 	tag := parts[0] | ||||
| 	if "H" != tag { | ||||
| 		return nil, ErrInvalidTag | ||||
| 	} | ||||
| 
 | ||||
| 	bits, err := strconv.Atoi(parts[1]) | ||||
| 	if nil != err || bits < 0 { | ||||
| 		return nil, ErrInvalidDifficulty | ||||
| 	} | ||||
| 
 | ||||
| 	// Allow empty ExpiresAt | ||||
| 	var exp time.Time | ||||
| 	if "" != parts[2] { | ||||
| 		expAt, err := strconv.ParseInt(parts[2], 10, 64) | ||||
| 		if nil != err || expAt < 0 { | ||||
| 			return nil, ErrInvalidDate | ||||
| 		} | ||||
| 		exp = time.Unix(int64(expAt), 0).UTC() | ||||
| 	} | ||||
| 
 | ||||
| 	/* | ||||
| 		exp, err := time.ParseInLocation(isoTS, parts[2], time.UTC) | ||||
| 		if nil != err { | ||||
| 			return nil, ErrInvalidDate | ||||
| 		} | ||||
| 	*/ | ||||
| 
 | ||||
| 	sub := parts[3] | ||||
| 
 | ||||
| 	nonce := parts[4] | ||||
| 
 | ||||
| 	alg := parts[5] | ||||
| 
 | ||||
| 	var solution string | ||||
| 	if n > 6 { | ||||
| 		solution = parts[6] | ||||
| 	} | ||||
| 
 | ||||
| 	h := &Hashcash{ | ||||
| 		Tag:        tag, | ||||
| 		Difficulty: bits, | ||||
| 		ExpiresAt:  exp.UTC().Truncate(time.Second), | ||||
| 		Subject:    sub, | ||||
| 		Nonce:      nonce, | ||||
| 		Alg:        alg, | ||||
| 		Solution:   solution, | ||||
| 	} | ||||
| 
 | ||||
| 	return h, nil | ||||
| } | ||||
| 
 | ||||
| // String will return the formatted Hashcash, omitting the solution if it has not be solved. | ||||
| func (h *Hashcash) String() string { | ||||
| 	var solution string | ||||
| 	if "" != h.Solution { | ||||
| 		solution = Sep + h.Solution | ||||
| 	} | ||||
| 
 | ||||
| 	var expAt string | ||||
| 	if !h.ExpiresAt.IsZero() { | ||||
| 		expAt = strconv.FormatInt(h.ExpiresAt.UTC().Truncate(time.Second).Unix(), 10) | ||||
| 	} | ||||
| 	return strings.Join( | ||||
| 		[]string{ | ||||
| 			"H", | ||||
| 			strconv.Itoa(h.Difficulty), | ||||
| 			//h.ExpiresAt.UTC().Format(isoTS), | ||||
| 			expAt, | ||||
| 			h.Subject, | ||||
| 			h.Nonce, | ||||
| 			h.Alg, | ||||
| 		}, | ||||
| 		Sep, | ||||
| 	) + solution | ||||
| } | ||||
| 
 | ||||
| // Verify the Hashcash based on Difficulty, Algorithm, ExpiresAt, Subject and, | ||||
| // of course, the Solution and hash. | ||||
| func (h *Hashcash) Verify(subject string) error { | ||||
| 	if h.Difficulty < 0 { | ||||
| 		return ErrInvalidDifficulty | ||||
| 	} | ||||
| 
 | ||||
| 	if "SHA-256" != h.Alg { | ||||
| 		return ErrUnsupportedAlgorithm | ||||
| 	} | ||||
| 
 | ||||
| 	if !h.ExpiresAt.IsZero() && h.ExpiresAt.Sub(time.Now()) < 0 { | ||||
| 		return ErrExpired | ||||
| 	} | ||||
| 
 | ||||
| 	if subject != h.Subject { | ||||
| 		return ErrInvalidSubject | ||||
| 	} | ||||
| 
 | ||||
| 	bits := h.Difficulty | ||||
| 	hash := sha256.Sum256([]byte(h.String())) | ||||
| 	n := bits / 8 // 10 / 8 = 1 | ||||
| 	m := bits % 8 // 10 % 8 = 2 | ||||
| 	if m > 0 { | ||||
| 		n++ // 10 bits = 2 bytes | ||||
| 	} | ||||
| 
 | ||||
| 	if !verifyBits(hash[:n], bits, n) { | ||||
| 		return ErrInvalidSolution | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func verifyBits(hash []byte, bits, n int) bool { | ||||
| 	for i := 0; i < n; i++ { | ||||
| 		if bits > 8 { | ||||
| 			bits -= 8 | ||||
| 			if 0 != hash[i] { | ||||
| 				return false | ||||
| 			} | ||||
| 			continue | ||||
| 		} | ||||
| 
 | ||||
| 		// (bits % 8) == bits | ||||
| 		pad := 8 - bits | ||||
| 		if 0 != hash[i]>>pad { | ||||
| 			return false | ||||
| 		} | ||||
| 
 | ||||
| 		return true | ||||
| 	} | ||||
| 
 | ||||
| 	// 0 == bits | ||||
| 	return true | ||||
| } | ||||
| 
 | ||||
| // Solve will search for a solution, returning an error if the difficulty is | ||||
| // above the local or global MaxDifficulty, the Algorithm is unsupported. | ||||
| func (h *Hashcash) Solve(maxDifficulty int) error { | ||||
| 	if "SHA-256" != h.Alg { | ||||
| 		return ErrUnsupportedAlgorithm | ||||
| 	} | ||||
| 
 | ||||
| 	if h.Difficulty < 0 { | ||||
| 		return ErrInvalidDifficulty | ||||
| 	} | ||||
| 
 | ||||
| 	if h.Difficulty > maxDifficulty || h.Difficulty > MaxDifficulty { | ||||
| 		return ErrInvalidDifficulty | ||||
| 	} | ||||
| 
 | ||||
| 	if "" != h.Solution { | ||||
| 		if nil == h.Verify(h.Subject) { | ||||
| 			return nil | ||||
| 		} | ||||
| 		h.Solution = "" | ||||
| 	} | ||||
| 
 | ||||
| 	hashcash := h.String() | ||||
| 	bits := h.Difficulty | ||||
| 	n := bits / 8 // 10 / 8 = 1 | ||||
| 	m := bits % 8 // 10 % 8 = 2 | ||||
| 	if m > 0 { | ||||
| 		n++ // 10 bits = 2 bytes | ||||
| 	} | ||||
| 
 | ||||
| 	var solution uint32 = 0 | ||||
| 	sb := make([]byte, 4) | ||||
| 	for { | ||||
| 		// Note: it's not actually important what method of change or encoding is used | ||||
| 		// but incrementing by 1 on an int32 is good enough, and makes for a small base64 encoding | ||||
| 		binary.LittleEndian.PutUint32(sb, solution) | ||||
| 		h.Solution = base64.RawURLEncoding.EncodeToString(sb) | ||||
| 		hash := sha256.Sum256([]byte(hashcash + Sep + h.Solution)) | ||||
| 		if verifyBits(hash[:n], bits, n) { | ||||
| 			return nil | ||||
| 		} | ||||
| 		solution++ | ||||
| 	} | ||||
| } | ||||
							
								
								
									
										2
									
								
								vendor/modules.txt
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								vendor/modules.txt
									
									
									
									
										vendored
									
									
								
							| @ -1,3 +1,5 @@ | ||||
| # git.rootprojects.org/root/hashcash v1.0.1 | ||||
| git.rootprojects.org/root/hashcash | ||||
| # git.rootprojects.org/root/keypairs v0.5.2 | ||||
| git.rootprojects.org/root/keypairs | ||||
| git.rootprojects.org/root/keypairs/keyfetch | ||||
|  | ||||
							
								
								
									
										46
									
								
								xkeypairs/jose.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										46
									
								
								xkeypairs/jose.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,46 @@ | ||||
| package xkeypairs | ||||
| 
 | ||||
| import ( | ||||
| 	"encoding/base64" | ||||
| 	"encoding/json" | ||||
| 	"errors" | ||||
| ) | ||||
| 
 | ||||
| func (jws *JWS) DecodeComponents() error { | ||||
| 	protected, err := base64.RawURLEncoding.DecodeString(jws.Protected) | ||||
| 	if nil != err { | ||||
| 		return errors.New("invalid JWS header base64Url encoding") | ||||
| 	} | ||||
| 	if err := json.Unmarshal([]byte(protected), &jws.Header); nil != err { | ||||
| 		return errors.New("invalid JWS header") | ||||
| 	} | ||||
| 
 | ||||
| 	payload, err := base64.RawURLEncoding.DecodeString(jws.Payload) | ||||
| 	if nil != err { | ||||
| 		return errors.New("invalid JWS payload base64Url encoding") | ||||
| 	} | ||||
| 	if err := json.Unmarshal([]byte(payload), &jws.Claims); nil != err { | ||||
| 		return errors.New("invalid JWS claims") | ||||
| 	} | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| /* | ||||
| func Decode(msg string) (*JWS, error) { | ||||
| 	jws := &JWS{} | ||||
| 
 | ||||
| 	decoder := json.NewDecoder(r.Body) | ||||
| 	err := decoder.Decode(jws) | ||||
| 	return jws, err | ||||
| } | ||||
| 
 | ||||
| func Unmarshal(msg string) (*JWS, error) { | ||||
| 	jws := &JWS{} | ||||
| 
 | ||||
| 	if err := json.Unmarshal([]byte(msg), jws); nil != err { | ||||
| 		return nil, err | ||||
| 	} | ||||
| 	return jws, nil | ||||
| } | ||||
| */ | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user