hailey.at
1package server
2
3import (
4 "fmt"
5 "strings"
6
7 "github.com/Azure/go-autorest/autorest/to"
8 "github.com/haileyok/cocoon/internal/helpers"
9 "github.com/labstack/echo/v4"
10 "gorm.io/gorm"
11)
12
13var (
14 CocoonSupportedScopes = []string{
15 "atproto",
16 "transition:email",
17 "transition:generic",
18 "transition:chat.bsky",
19 }
20)
21
22type OauthAuthorizationMetadata struct {
23 Issuer string `json:"issuer"`
24 RequestParameterSupported bool `json:"request_parameter_supported"`
25 RequestUriParameterSupported bool `json:"request_uri_parameter_supported"`
26 RequireRequestUriRegistration *bool `json:"require_request_uri_registration,omitempty"`
27 ScopesSupported []string `json:"scopes_supported"`
28 SubjectTypesSupported []string `json:"subject_types_supported"`
29 ResponseTypesSupported []string `json:"response_types_supported"`
30 ResponseModesSupported []string `json:"response_modes_supported"`
31 GrantTypesSupported []string `json:"grant_types_supported"`
32 CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
33 UILocalesSupported []string `json:"ui_locales_supported"`
34 DisplayValuesSupported []string `json:"display_values_supported"`
35 RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
36 AuthorizationResponseISSParameterSupported bool `json:"authorization_response_iss_parameter_supported"`
37 RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported"`
38 RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported"`
39 JwksUri string `json:"jwks_uri"`
40 AuthorizationEndpoint string `json:"authorization_endpoint"`
41 TokenEndpoint string `json:"token_endpoint"`
42 TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
43 TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
44 RevocationEndpoint string `json:"revocation_endpoint"`
45 IntrospectionEndpoint string `json:"introspection_endpoint"`
46 PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint"`
47 RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests"`
48 DpopSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported"`
49 ProtectedResources []string `json:"protected_resources"`
50 ClientIDMetadataDocumentSupported bool `json:"client_id_metadata_document_supported"`
51}
52
53func (s *Server) handleWellKnown(e echo.Context) error {
54 return e.JSON(200, map[string]any{
55 "@context": []string{
56 "https://www.w3.org/ns/did/v1",
57 },
58 "id": s.config.Did,
59 "service": []map[string]string{
60 {
61 "id": "#atproto_pds",
62 "type": "AtprotoPersonalDataServer",
63 "serviceEndpoint": "https://" + s.config.Hostname,
64 },
65 },
66 })
67}
68
69func (s *Server) handleAtprotoDid(e echo.Context) error {
70 ctx := e.Request().Context()
71
72 host := e.Request().Host
73 if host == "" {
74 return helpers.InputError(e, to.StringPtr("Invalid handle."))
75 }
76
77 host = strings.Split(host, ":")[0]
78 host = strings.ToLower(strings.TrimSpace(host))
79
80 if host == s.config.Hostname {
81 return e.String(200, s.config.Did)
82 }
83
84 suffix := "." + s.config.Hostname
85 if !strings.HasSuffix(host, suffix) {
86 return e.NoContent(404)
87 }
88
89 actor, err := s.getActorByHandle(ctx, host)
90 if err != nil {
91 if err == gorm.ErrRecordNotFound {
92 return e.NoContent(404)
93 }
94 s.logger.Error("error looking up actor by handle", "error", err)
95 return helpers.ServerError(e, nil)
96 }
97
98 return e.String(200, actor.Did)
99}
100
101func (s *Server) handleOauthProtectedResource(e echo.Context) error {
102 return e.JSON(200, map[string]any{
103 "resource": "https://" + s.config.Hostname,
104 "authorization_servers": []string{
105 "https://" + s.config.Hostname,
106 },
107 "scopes_supported": []string{},
108 "bearer_methods_supported": []string{"header"},
109 "resource_documentation": "https://atproto.com",
110 })
111}
112
113func (s *Server) handleOauthAuthorizationServer(e echo.Context) error {
114 return e.JSON(200, OauthAuthorizationMetadata{
115 Issuer: "https://" + s.config.Hostname,
116 RequestParameterSupported: true,
117 RequestUriParameterSupported: true,
118 RequireRequestUriRegistration: to.BoolPtr(true),
119 ScopesSupported: CocoonSupportedScopes,
120 SubjectTypesSupported: []string{"public"},
121 ResponseTypesSupported: []string{"code"},
122 ResponseModesSupported: []string{"query", "fragment", "form_post"},
123 GrantTypesSupported: []string{"authorization_code", "refresh_token"},
124 CodeChallengeMethodsSupported: []string{"S256"},
125 UILocalesSupported: []string{"en-US"},
126 DisplayValuesSupported: []string{"page", "popup", "touch"},
127 RequestObjectSigningAlgValuesSupported: []string{"ES256"}, // only es256 for now...
128 AuthorizationResponseISSParameterSupported: true,
129 RequestObjectEncryptionAlgValuesSupported: []string{},
130 RequestObjectEncryptionEncValuesSupported: []string{},
131 JwksUri: fmt.Sprintf("https://%s/oauth/jwks", s.config.Hostname),
132 AuthorizationEndpoint: fmt.Sprintf("https://%s/oauth/authorize", s.config.Hostname),
133 TokenEndpoint: fmt.Sprintf("https://%s/oauth/token", s.config.Hostname),
134 TokenEndpointAuthMethodsSupported: []string{"none", "private_key_jwt"},
135 TokenEndpointAuthSigningAlgValuesSupported: []string{"ES256"}, // Same as above, just es256
136 RevocationEndpoint: fmt.Sprintf("https://%s/oauth/revoke", s.config.Hostname),
137 IntrospectionEndpoint: fmt.Sprintf("https://%s/oauth/introspect", s.config.Hostname),
138 PushedAuthorizationRequestEndpoint: fmt.Sprintf("https://%s/oauth/par", s.config.Hostname),
139 RequirePushedAuthorizationRequests: true,
140 DpopSigningAlgValuesSupported: []string{"ES256"}, // again same as above
141 ProtectedResources: []string{"https://" + s.config.Hostname},
142 ClientIDMetadataDocumentSupported: true,
143 })
144}