futur.blue
objective categorical abstract machine language personal data server
Use more accurate auth error names
+77
-59
pegasus/lib/auth.ml
+77
-59
pegasus/lib/auth.ml
···
34
34
else if jwt.sub = "" then Lwt.return_error "missing sub"
35
35
else if now_s < jwt.iat then
36
36
Lwt.return_error "token issued in the future"
37
-
else if now_s > jwt.exp then Lwt.return_error "expired token"
37
+
else if now_s > jwt.exp then Lwt.return_error "ExpiredToken"
38
38
else if jwt.scope <> expected_scope then
39
39
Lwt.return_error "invalid scope"
40
40
else if jwt.jti = "" then Lwt.return_error "missing jti"
···
42
42
let%lwt revoked_at =
43
43
Data_store.is_token_revoked t ~did:jwt.sub ~jti:jwt.jti
44
44
in
45
-
if revoked_at <> None then Lwt.return_error "token revoked"
45
+
if revoked_at <> None then Lwt.return_error "ExpiredToken"
46
46
else Lwt.return_ok jwt
47
47
with _ -> Lwt.return_error "invalid token format" )
48
48
···
219
219
| "admin", p when p = Env.admin_password ->
220
220
Lwt.return_ok Admin
221
221
| _ ->
222
-
Lwt.return_error @@ Errors.auth_required "invalid credentials" )
222
+
Lwt.return_error @@ Errors.invalid_request "invalid credentials" )
223
223
| Error _ ->
224
224
Lwt.return_error @@ Errors.auth_required "invalid authorization header"
225
225
···
234
234
Lwt.return_ok (Access {did})
235
235
| Some {deactivated_at= Some _; _} ->
236
236
Lwt.return_error
237
-
@@ Errors.auth_required ~name:"AccountDeactivated"
237
+
@@ Errors.invalid_request ~name:"AccountDeactivated"
238
238
"account is deactivated"
239
239
| None ->
240
-
Lwt.return_error @@ Errors.auth_required "invalid credentials" )
240
+
Lwt.return_error
241
+
@@ Errors.internal_error ~msg:"invalid credentials" () )
242
+
| Error "ExpiredToken" ->
243
+
Lwt.return_error
244
+
@@ Errors.invalid_request ~name:"ExpiredToken" "token expired"
241
245
| Error _ ->
242
-
Lwt.return_error @@ Errors.auth_required "invalid credentials" )
246
+
Lwt.return_error
247
+
@@ Errors.invalid_request ~name:"InvalidToken" "invalid credentials" )
243
248
| Error _ ->
244
249
Lwt.return_error @@ Errors.auth_required "invalid authorization header"
245
250
···
297
302
let scopes = Oauth.Scopes.of_string scope_str in
298
303
let now = int_of_float (Unix.gettimeofday ()) in
299
304
if jkt_claim <> proof.jkt then
300
-
Lwt.return_error @@ Errors.auth_required "dpop key mismatch"
305
+
Lwt.return_error @@ Errors.invalid_request "dpop key mismatch"
301
306
else if exp < now then
302
-
Lwt.return_error @@ Errors.auth_required "token expired"
307
+
Lwt.return_error
308
+
@@ Errors.invalid_request ~name:"ExpiredToken" "token expired"
303
309
else if not (Oauth.Scopes.has_atproto scopes) then
304
310
Lwt.return_error
305
-
@@ Errors.auth_required ~name:"InvalidToken"
311
+
@@ Errors.invalid_request ~name:"InvalidToken"
306
312
"oauth token missing 'atproto' scope"
307
313
else
308
314
let%lwt session =
···
311
317
Lwt.return_ok sess
312
318
with _ ->
313
319
Lwt.return_error
314
-
@@ Errors.auth_required "invalid credentials"
320
+
@@ Errors.internal_error ~msg:"invalid credentials" ()
315
321
in
316
322
match session with
317
323
| Ok {active= Some true; _} ->
318
324
Lwt.return_ok (OAuth {did; proof; scopes})
319
325
| Ok _ ->
320
326
Lwt.return_error
321
-
@@ Errors.auth_required ~name:"AccountDeactivated"
327
+
@@ Errors.invalid_request ~name:"AccountDeactivated"
322
328
"account is deactivated"
323
329
| Error _ ->
324
330
Lwt.return_error
325
-
@@ Errors.auth_required "invalid credentials"
331
+
@@ Errors.internal_error ~msg:"invalid credentials" ()
326
332
with _ ->
327
333
Lwt.return_error @@ Errors.auth_required "malformed JWT claims" )
328
334
) )
···
341
347
raise (Errors.Redirect "/account")
342
348
| Some {deactivated_at= Some _; _} ->
343
349
Lwt.return_error
344
-
@@ Errors.auth_required ~name:"AccountDeactivated"
350
+
@@ Errors.invalid_request ~name:"AccountDeactivated"
345
351
"account is deactivated"
346
352
| None ->
347
353
let%lwt () = Session.Raw.clear_session req in
348
-
Lwt.return_error @@ Errors.auth_required "no active session" )
354
+
Lwt.return_error @@ Errors.internal_error ~msg:"no active session" ()
355
+
)
349
356
| None ->
350
357
Lwt.return_error @@ Errors.auth_required "no active session"
351
358
···
360
367
Lwt.return_ok (Refresh {did; jti})
361
368
| Some {deactivated_at= Some _; _} ->
362
369
Lwt.return_error
363
-
@@ Errors.auth_required ~name:"AccountDeactivated"
370
+
@@ Errors.invalid_request ~name:"AccountDeactivated"
364
371
"account is deactivated"
365
372
| None ->
366
-
Lwt.return_error @@ Errors.auth_required "invalid credentials" )
367
-
| Error "" | Error _ ->
368
-
Lwt.return_error @@ Errors.auth_required "invalid credentials" )
373
+
Lwt.return_error
374
+
@@ Errors.internal_error ~msg:"invalid credentials" () )
375
+
| Error "ExpiredToken" ->
376
+
Lwt.return_error
377
+
@@ Errors.invalid_request ~name:"ExpiredToken" "token expired"
378
+
| Error _ ->
379
+
Lwt.return_error
380
+
@@ Errors.invalid_request ~name:"InvalidToken" "invalid credentials" )
369
381
| Error _ ->
370
382
Lwt.return_error @@ Errors.auth_required "invalid authorization header"
371
383
···
376
388
Lwt.return_ok (Access {did})
377
389
| Some {deactivated_at= Some _; _} ->
378
390
Lwt.return_error
379
-
@@ Errors.auth_required ~name:"AccountDeactivated"
391
+
@@ Errors.invalid_request ~name:"AccountDeactivated"
380
392
"account is deactivated"
381
393
| None ->
382
-
Lwt.return_error @@ Errors.auth_required "invalid credentials"
394
+
Lwt.return_error
395
+
@@ Errors.internal_error ~msg:"invalid credentials" ()
383
396
in
384
397
let verify_with_key token pubkey_multibase did db =
385
-
let pubkey =
386
-
Kleidos.parse_multikey_str pubkey_multibase
387
-
in
398
+
let pubkey = Kleidos.parse_multikey_str pubkey_multibase in
388
399
match Jwt.verify_jwt token ~pubkey with
389
400
| Ok _ ->
390
401
check_actor_status did db
391
402
| Error e ->
392
403
Dream.debug (fun log -> log "service jwt verification failed: %s" e) ;
393
404
Lwt.return_error
394
-
@@ Errors.auth_required "jwt signature does not match jwt issuer"
405
+
@@ Errors.invalid_request ~name:"InvalidToken"
406
+
"jwt signature does not match jwt issuer"
395
407
in
396
408
fun {req; db} ->
397
409
match parse_bearer req with
···
410
422
let lxm = payload |> member "lxm" |> to_string_option in
411
423
let now = int_of_float (Unix.gettimeofday ()) in
412
424
if exp < now then
413
-
Lwt.return_error @@ Errors.auth_required "jwt expired"
425
+
Lwt.return_error
426
+
@@ Errors.invalid_request ~name:"ExpiredToken" "token expired"
414
427
else if aud <> Env.did then
415
428
Lwt.return_error
416
-
@@ Errors.auth_required "jwt audience does not match service did"
429
+
@@ Errors.invalid_request ~name:"InvalidToken"
430
+
"jwt audience does not match service did"
417
431
else
418
432
let nsid =
419
433
(Dream.path [@warning "-3"]) req |> List.rev |> List.hd
420
434
in
421
-
( match lxm with
435
+
match lxm with
422
436
| Some l when l <> nsid && l <> "*" ->
423
437
Lwt.return_error
424
-
@@ Errors.auth_required
438
+
@@ Errors.invalid_request ~name:"InvalidToken"
425
439
("jwt lxm " ^ l ^ " does not match " ^ nsid)
426
-
| _ ->
440
+
| _ -> (
427
441
let did =
428
442
match String.split_on_char '#' iss with
429
443
| did :: _ ->
···
431
445
| [] ->
432
446
iss
433
447
in
434
-
( match%lwt Id_resolver.Did.resolve did with
448
+
match%lwt Id_resolver.Did.resolve did with
435
449
| Error e ->
436
450
Dream.debug (fun log ->
437
451
log "failed to resolve did %s: %s" did e ) ;
438
452
Lwt.return_error
439
-
@@ Errors.auth_required "could not resolve issuer did"
453
+
@@ Errors.internal_error
454
+
~msg:"could not resolve jwt issuer did" ()
440
455
| Ok did_doc -> (
441
456
match
442
457
Id_resolver.Did.Document.get_verification_key did_doc
···
444
459
with
445
460
| None ->
446
461
Lwt.return_error
447
-
@@ Errors.auth_required
448
-
"missing or bad key in issuer did doc"
462
+
@@ Errors.internal_error
463
+
~msg:"missing or bad key in issuer did doc" ()
449
464
| Some pubkey_multibase -> (
450
-
match%lwt verify_with_key token pubkey_multibase did db with
465
+
match%lwt
466
+
verify_with_key token pubkey_multibase did db
467
+
with
451
468
| Ok creds ->
452
469
Lwt.return_ok creds
453
-
| Error _ ->
454
-
(* try again, skipping cache in case of key rotation *)
455
-
( match%lwt
456
-
Id_resolver.Did.resolve ~skip_cache:true did
457
-
with
458
-
| Error _ ->
470
+
| Error _ -> (
471
+
(* try again, skipping cache in case of key rotation *)
472
+
match%lwt
473
+
Id_resolver.Did.resolve ~skip_cache:true did
474
+
with
475
+
| Error _ ->
476
+
Lwt.return_error
477
+
@@ Errors.invalid_request ~name:"InvalidToken"
478
+
"jwt signature does not match jwt issuer"
479
+
| Ok fresh_doc -> (
480
+
match
481
+
Id_resolver.Did.Document.get_verification_key
482
+
fresh_doc "#atproto"
483
+
with
484
+
| None ->
459
485
Lwt.return_error
460
-
@@ Errors.auth_required
486
+
@@ Errors.invalid_request ~name:"InvalidToken"
461
487
"jwt signature does not match jwt issuer"
462
-
| Ok fresh_doc -> (
463
-
match
464
-
Id_resolver.Did.Document.get_verification_key
465
-
fresh_doc "#atproto"
466
-
with
467
-
| None ->
468
-
Lwt.return_error
469
-
@@ Errors.auth_required
470
-
"jwt signature does not match jwt issuer"
471
-
| Some fresh_pubkey_multibase
472
-
when fresh_pubkey_multibase = pubkey_multibase ->
473
-
Lwt.return_error
474
-
@@ Errors.auth_required
475
-
"jwt signature does not match jwt issuer"
476
-
| Some fresh_pubkey_multibase ->
477
-
verify_with_key token fresh_pubkey_multibase did
478
-
db ) ) ) ) ) )
488
+
| Some fresh_pubkey_multibase
489
+
when fresh_pubkey_multibase = pubkey_multibase ->
490
+
Lwt.return_error
491
+
@@ Errors.invalid_request ~name:"InvalidToken"
492
+
"jwt signature does not match jwt issuer"
493
+
| Some fresh_pubkey_multibase ->
494
+
verify_with_key token fresh_pubkey_multibase did
495
+
db ) ) ) ) )
479
496
with _ ->
480
-
Lwt.return_error @@ Errors.auth_required "malformed service jwt" ) )
497
+
Lwt.return_error @@ Errors.invalid_request "malformed service jwt" )
498
+
)
481
499
482
500
let authorization : verifier =
483
501
fun ctx ->