From b43c1ad2fdbec80449d8abc823ed718a8e44543a Mon Sep 17 00:00:00 2001 From: flashwave Date: Fri, 16 Aug 2024 19:30:24 +0000 Subject: [PATCH] Replaced Misuzu interop stuff with RPC library. --- composer.json | 3 +- composer.lock | 41 ++++++++++++- src/HanyuuContext.php | 14 ++--- src/MisuzuAuthBanInfo.php | 44 ++++++++++++++ src/MisuzuAuthGuiseInfo.php | 15 +++++ src/MisuzuAuthInfo.php | 51 ++++++++++++++++ src/MisuzuAuthSessionInfo.php | 29 +++++++++ src/MisuzuAuthUserInfo.php | 70 +++++++++++++++++++++ src/MisuzuInterop.php | 111 ---------------------------------- src/MisuzuRpcClient.php | 39 ++++++++++++ src/OAuth2/OAuth2Routes.php | 85 +++++++++++++++----------- templates/oauth2/login.twig | 2 +- 12 files changed, 347 insertions(+), 157 deletions(-) create mode 100644 src/MisuzuAuthBanInfo.php create mode 100644 src/MisuzuAuthGuiseInfo.php create mode 100644 src/MisuzuAuthInfo.php create mode 100644 src/MisuzuAuthSessionInfo.php create mode 100644 src/MisuzuAuthUserInfo.php delete mode 100644 src/MisuzuInterop.php create mode 100644 src/MisuzuRpcClient.php diff --git a/composer.json b/composer.json index 2331f77..4e3f5eb 100644 --- a/composer.json +++ b/composer.json @@ -8,7 +8,8 @@ "matomo/device-detector": "^6.1", "sentry/sdk": "^4.0", "phpseclib/phpseclib": "~3.0", - "nesbot/carbon": "^3.7" + "nesbot/carbon": "^3.7", + "flashwave/aiwass": "^1.0" }, "autoload": { "classmap": [ diff --git a/composer.lock b/composer.lock index f9d97aa..063c8d1 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "16b27dc9d1837e8435dc95cecc4eeea2", + "content-hash": "8cfa8c2738ab51aba3efea42afb68771", "packages": [ { "name": "carbonphp/carbon-doctrine-types", @@ -366,6 +366,45 @@ ], "time": "2023-10-06T06:47:41+00:00" }, + { + "name": "flashwave/aiwass", + "version": "v1.0.0", + "source": { + "type": "git", + "url": "https://patchii.net/flashii/aiwass.git", + "reference": "de27da54b603f0fdc06dab89341908e73ea7a880" + }, + "require": { + "ext-msgpack": ">=2.2", + "flashwave/index": "^0.2408.40014", + "php": ">=8.3" + }, + "require-dev": { + "phpstan/phpstan": "^1.11", + "phpunit/phpunit": "^11.2" + }, + "type": "library", + "autoload": { + "psr-4": { + "Aiwass\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "bsd-3-clause-clear" + ], + "authors": [ + { + "name": "flashwave", + "email": "packagist@flash.moe", + "homepage": "https://flash.moe", + "role": "mom" + } + ], + "description": "Shared HTTP RPC client/server library.", + "homepage": "https://railgun.sh/aiwass", + "time": "2024-08-16T15:59:19+00:00" + }, { "name": "flashwave/index", "version": "v0.2408.40014", diff --git a/src/HanyuuContext.php b/src/HanyuuContext.php index 31484af..9069c66 100644 --- a/src/HanyuuContext.php +++ b/src/HanyuuContext.php @@ -14,8 +14,8 @@ class HanyuuContext { private SasaeEnvironment $templating; private SiteInfo $siteInfo; - private MisuzuInterop $misuzuInterop; - private object $authInfo; + private MisuzuRpcClient $misuzuRpc; + private MisuzuAuthInfo $authInfo; private Apps\AppsContext $appsCtx; private OAuth2\OAuth2Context $oauth2Ctx; @@ -24,7 +24,7 @@ class HanyuuContext { $this->config = $config; $this->dbConn = $dbConn; $this->siteInfo = new SiteInfo($config->scopeTo('site')); - $this->misuzuInterop = new MisuzuInterop($config->scopeTo('misuzu')); + $this->misuzuRpc = new MisuzuRpcClient($config->scopeTo('misuzu')); $this->appsCtx = new Apps\AppsContext($dbConn); $this->oauth2Ctx = new OAuth2\OAuth2Context($dbConn); @@ -41,8 +41,8 @@ class HanyuuContext { ]); } - public function getMisuzu(): MisuzuInterop { - return $this->misuzuInterop; + public function getMisuzuRpc(): MisuzuRpcClient { + return $this->misuzuRpc; } public function getDatabase(): IDbConnection { @@ -62,7 +62,7 @@ class HanyuuContext { return new FsDbMigrationRepo(HAU_DIR_MIGRATIONS); } - public function getAuthInfo(): object { + public function getAuthInfo(): MisuzuAuthInfo { return $this->authInfo; } @@ -83,7 +83,7 @@ class HanyuuContext { $routingCtx = new RoutingContext($this->getTemplating()); $routingCtx->getRouter()->use('/', function($response, $request) { - $this->authInfo = $this->misuzuInterop->authCheck( + $this->authInfo = $this->misuzuRpc->authCheck( 'Misuzu', (string)$request->getCookie('msz_auth'), $_SERVER['REMOTE_ADDR'], diff --git a/src/MisuzuAuthBanInfo.php b/src/MisuzuAuthBanInfo.php new file mode 100644 index 0000000..2dc3ac9 --- /dev/null +++ b/src/MisuzuAuthBanInfo.php @@ -0,0 +1,44 @@ +info) && is_int($this->info['severity']) + ? $this->info['severity'] : 0; + } + + public function getReason(): string { + return array_key_exists('reason', $this->info) && is_string($this->info['reason']) + ? $this->info['reason'] : ''; + } + + public function getCreatedAt(): int { + return array_key_exists('created_at', $this->info) && is_int($this->info['created_at']) + ? $this->info['created_at'] : 0; + } + + public function isPermanent(): bool { + return array_key_exists('is_permanent', $this->info) + && is_bool($this->info['is_permanent']) + && $this->info['is_permanent']; + } + + public function getExpiresAt(): int { + return array_key_exists('expires_at', $this->info) && is_int($this->info['expires_at']) + ? $this->info['expires_at'] : 0; + } + + public function getDurationString(): string { + return array_key_exists('duration_str', $this->info) && is_string($this->info['duration_str']) + ? $this->info['duration_str'] : ''; + } + + public function getRemainingString(): string { + return array_key_exists('remaining_str', $this->info) && is_string($this->info['remaining_str']) + ? $this->info['remaining_str'] : ''; + } +} diff --git a/src/MisuzuAuthGuiseInfo.php b/src/MisuzuAuthGuiseInfo.php new file mode 100644 index 0000000..3904dc4 --- /dev/null +++ b/src/MisuzuAuthGuiseInfo.php @@ -0,0 +1,15 @@ +info) && is_string($this->info['revert_url']) + ? $this->info['revert_url'] : ''; + } +} diff --git a/src/MisuzuAuthInfo.php b/src/MisuzuAuthInfo.php new file mode 100644 index 0000000..b704aad --- /dev/null +++ b/src/MisuzuAuthInfo.php @@ -0,0 +1,51 @@ +info); + } + + public function getFailureReason(): string { + return array_key_exists('reason', $this->info) && is_string($this->info['reason']) + ? $this->info['reason'] : ''; + } + + public function getLoginUrl(): string { + return array_key_exists('login_url', $this->info) && is_string($this->info['login_url']) + ? $this->info['login_url'] : ''; + } + + public function getRegisterUrl(): string { + return array_key_exists('register_url', $this->info) && is_string($this->info['register_url']) + ? $this->info['register_url'] : ''; + } + + public function getSessionInfo(): MisuzuAuthSessionInfo { + return new MisuzuAuthSessionInfo($this->info['session'] ?? []); + } + + public function isBanned(): bool { + return array_key_exists('ban', $this->info); + } + + public function getBanInfo(): MisuzuAuthBanInfo { + return new MisuzuAuthBanInfo($this->info['ban'] ?? []); + } + + public function getUserInfo(): MisuzuAuthUserInfo { + return new MisuzuAuthUserInfo($this->info['user'] ?? []); + } + + public function isGuise(): bool { + return array_key_exists('guise', $this->info); + } + + public function getGuiseInfo(): MisuzuAuthGuiseInfo { + return new MisuzuAuthGuiseInfo($this->info['guise'] ?? []); + } +} diff --git a/src/MisuzuAuthSessionInfo.php b/src/MisuzuAuthSessionInfo.php new file mode 100644 index 0000000..a6bf343 --- /dev/null +++ b/src/MisuzuAuthSessionInfo.php @@ -0,0 +1,29 @@ +info) && is_string($this->info['token']) + ? $this->info['token'] : ''; + } + + public function getCreatedAt(): int { + return array_key_exists('created_at', $this->info) && is_int($this->info['created_at']) + ? $this->info['created_at'] : 0; + } + + public function getExpiresAt(): int { + return array_key_exists('expires_at', $this->info) && is_int($this->info['expires_at']) + ? $this->info['expires_at'] : 0; + } + + public function doesLifetimeExtend(): bool { + return array_key_exists('lifetime_extends', $this->info) + && is_bool($this->info['lifetime_extends']) + && $this->info['lifetime_extends']; + } +} diff --git a/src/MisuzuAuthUserInfo.php b/src/MisuzuAuthUserInfo.php new file mode 100644 index 0000000..b8903f6 --- /dev/null +++ b/src/MisuzuAuthUserInfo.php @@ -0,0 +1,70 @@ +info) && is_string($this->info['id']) + ? $this->info['id'] : ''; + } + + public function getName(): string { + return array_key_exists('name', $this->info) && is_string($this->info['name']) + ? $this->info['name'] : ''; + } + + public function getColour(): string { + return array_key_exists('colour', $this->info) && is_string($this->info['colour']) + ? $this->info['colour'] : 'inherit'; + } + + public function getRank(): int { + return array_key_exists('rank', $this->info) && is_int($this->info['rank']) + ? $this->info['rank'] : 0; + } + + public function isSuper(): bool { + return array_key_exists('is_super', $this->info) + && is_bool($this->info['is_super']) + && $this->info['is_super']; + } + + public function getCountryCode(): string { + return array_key_exists('country_code', $this->info) && is_string($this->info['country_code']) + ? $this->info['country_code'] : ''; + } + + public function isDeleted(): bool { + return array_key_exists('is_deleted', $this->info) + && is_bool($this->info['is_deleted']) + && $this->info['is_deleted']; + } + + public function has2fa(): bool { + return array_key_exists('has_totp', $this->info) + && is_bool($this->info['has_totp']) + && $this->info['has_totp']; + } + + public function getProfileUrl(): string { + return array_key_exists('profile_url', $this->info) && is_string($this->info['profile_url']) + ? $this->info['profile_url'] : ''; + } + + public function getAvatars(): array { + return array_key_exists('avatars', $this->info) && is_array($this->info['avatars']) + ? $this->info['avatars'] : []; + } + + public function getAvatar(string $variant): string { + $avatars = $this->getAvatars(); + if(array_key_exists($variant, $avatars)) + return $avatars[$variant]; + if(array_key_exists('original', $avatars)) + return $avatars['original']; + return ''; + } +} diff --git a/src/MisuzuInterop.php b/src/MisuzuInterop.php deleted file mode 100644 index 4b8c73b..0000000 --- a/src/MisuzuInterop.php +++ /dev/null @@ -1,111 +0,0 @@ -config->getString('endpoint'); - } - - private function getSecret(): string { - return $this->config->getString('secret'); - } - - public function authCheck(string $method, string $token, string $remoteAddr, array $avatars = []): object { - $result = $this->callRpc('auth-check', body: [ - 'method' => $method, - 'token' => $token, - 'remote_addr' => $remoteAddr, - 'avatars' => implode(',', $avatars), - ]); - - if(!str_starts_with($result->name, 'auth:check:')) - return new stdClass; - - return $result->attrs; - } - - private function callRpc(string $action, array $params = [], array $body = []): object { - $time = time(); - - $url = sprintf('%s/_hanyuu/%s', $this->getEndpoint(), $action); - if(empty($params)) - $params = ''; - else { - $params = http_build_query($params, '', '&', PHP_QUERY_RFC3986); - $url .= sprintf('?%s', $params); - } - - $hasBody = !empty($body); - $body = $hasBody ? http_build_query($body, '', '&', PHP_QUERY_RFC3986) : ''; - - $signature = UriBase64::encode(hash_hmac( - 'sha256', - sprintf('[%s|%s|%s]', $time, $url, $body), - $this->getSecret(), - true - )); - $headers = [ - sprintf('X-Hanyuu-Timestamp: %s', $time), - sprintf('X-Hanyuu-Signature: %s', $signature), - ]; - - if($hasBody) - $headers[] = 'Content-Type: application/x-www-form-urlencoded'; - - $req = curl_init($url); - try { - curl_setopt_array($req, [ - CURLOPT_AUTOREFERER => false, - CURLOPT_FAILONERROR => false, - CURLOPT_FOLLOWLOCATION => false, - CURLOPT_HEADER => false, - CURLOPT_RETURNTRANSFER => true, - CURLOPT_TCP_FASTOPEN => true, - CURLOPT_CONNECTTIMEOUT => 2, - CURLOPT_MAXREDIRS => 2, - CURLOPT_PROTOCOLS => CURLPROTO_HTTPS, - CURLOPT_TIMEOUT => 5, - CURLOPT_USERAGENT => 'Hanyuu', - CURLOPT_HTTPHEADER => $headers, - ]); - - if($hasBody) - curl_setopt_array($req, [ - CURLOPT_POST => true, - CURLOPT_POSTFIELDS => $body, - ]); - - $response = curl_exec($req); - if($response === false) - throw new RuntimeException(curl_error($req)); - } finally { - curl_close($req); - } - - $decoded = json_decode($response); - if($decoded === null) - throw new RuntimeException($response); - - if(empty($decoded->name) || !isset($decoded->attrs)) - throw new RuntimeException('Missing name or attrs attribute in response body.'); - - if($decoded->name === 'error') { - $line = $decoded->attrs->code ?? 'unknown'; - if(!empty($decoded->attrs->text)) - $line = sprintf('[%s] %s', $line, $decoded->attrs->text); - - throw new RuntimeException($line); - } - - return $decoded; - } -} diff --git a/src/MisuzuRpcClient.php b/src/MisuzuRpcClient.php new file mode 100644 index 0000000..95a3d68 --- /dev/null +++ b/src/MisuzuRpcClient.php @@ -0,0 +1,39 @@ +client = RpcClient::createHmac( + sprintf('%s/_hanyuu', $config->getString('endpoint')), + fn() => $config->getString('secret') + ); + } + + public function getRpcClient(): RpcClient { + return $this->client; + } + + public function authCheck(string $method, string $token, string $remoteAddr, array $avatars = []): MisuzuAuthInfo { + $result = $this->client->procedure('mszhau:authCheck', [ + 'method' => $method, + 'token' => $token, + 'remoteAddr' => $remoteAddr, + 'avatars' => implode(',', $avatars), + ]); + + if(empty($result['name'])) + throw new RuntimeException('Unexpected response from Misuzu.'); + if(!str_starts_with($result['name'], 'auth:check:')) + throw new RuntimeException($result['name']); + + return new MisuzuAuthInfo($result['attrs']); + } +} diff --git a/src/OAuth2/OAuth2Routes.php b/src/OAuth2/OAuth2Routes.php index 43a4edd..293b4ac 100644 --- a/src/OAuth2/OAuth2Routes.php +++ b/src/OAuth2/OAuth2Routes.php @@ -66,10 +66,13 @@ final class OAuth2Routes extends RouteHandler { #[HttpGet('/oauth2/authorise')] public function getAuthorise($response, $request) { $authInfo = ($this->getAuthInfo)(); - if(!isset($authInfo->user)) - return $this->templating->render('oauth2/login', ['auth' => $authInfo]); + if($authInfo->isFailure()) + return $this->templating->render('oauth2/login', [ + 'login_url' => $authInfo->getLoginUrl(), + 'register_url' => $authInfo->getRegisterUrl(), + ]); - $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->session->token); + $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->getSessionInfo()->getToken()); return $this->templating->render('oauth2/authorise', [ 'csrfp_token' => $csrfp->createToken(), @@ -84,12 +87,12 @@ final class OAuth2Routes extends RouteHandler { // TODO: RATE LIMITING $authInfo = ($this->getAuthInfo)(); - if(!isset($authInfo->user)) + if($authInfo->isFailure()) return ['error' => 'auth']; $content = $request->getContent(); - $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->session->token); + $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->getSessionInfo()->getToken()); if(!$csrfp->verifyToken((string)$content->getParam('_csrfp'))) return ['error' => 'csrf']; @@ -145,7 +148,7 @@ final class OAuth2Routes extends RouteHandler { try { $authsInfo = $authsData->createAuthorisation( $appInfo, - $authInfo->user->id, + $authInfo->getUserInfo()->getId(), $redirectUriId, $codeChallenge, $codeChallengeMethod, @@ -166,10 +169,11 @@ final class OAuth2Routes extends RouteHandler { // TODO: RATE LIMITING $authInfo = ($this->getAuthInfo)(); - if(!isset($authInfo->user)) + if($authInfo->isFailure()) return ['error' => 'auth']; - $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->session->token); + $sessionInfo = $authInfo->getSessionInfo(); + $csrfp = new CSRFP(($this->getCSRFPSecret)(), $sessionInfo->getToken()); if(!$csrfp->verifyToken((string)$request->getParam('csrfp'))) return ['error' => 'csrf']; @@ -196,6 +200,7 @@ final class OAuth2Routes extends RouteHandler { return ['error' => 'scope']; } + $userInfo = $authInfo->getUserInfo(); $result = [ 'app' => [ 'name' => $appInfo->getName(), @@ -206,21 +211,23 @@ final class OAuth2Routes extends RouteHandler { ], ], 'user' => [ - 'name' => $authInfo->user->name, - 'colour' => $authInfo->user->colour, - 'profile_uri' => $authInfo->user->profile_url, - 'avatar_uri' => $authInfo->user->avatars->x120, + 'name' => $userInfo->getName(), + 'colour' => $userInfo->getColour(), + 'profile_uri' => $userInfo->getProfileUrl(), + 'avatar_uri' => $userInfo->getAvatar('x120'), ], ]; - if(isset($authInfo->guise)) + if($authInfo->isGuise()) { + $guiseInfo = $authInfo->getGuiseInfo(); $result['user']['guise'] = [ - 'name' => $authInfo->guise->name, - 'colour' => $authInfo->guise->colour, - 'profile_uri' => $authInfo->guise->profile_url, - 'revert_uri' => $authInfo->guise->revert_url, - 'avatar_uri' => $authInfo->guise->avatars->x60, + 'name' => $guiseInfo->getName(), + 'colour' => $guiseInfo->getColour(), + 'profile_uri' => $guiseInfo->getProfileUrl(), + 'revert_uri' => $guiseInfo->getRevertUrl(), + 'avatar_uri' => $guiseInfo->getAvatar('x60'), ]; + } return $result; } @@ -228,10 +235,13 @@ final class OAuth2Routes extends RouteHandler { #[HttpGet('/oauth2/verify')] public function getVerify($response, $request) { $authInfo = ($this->getAuthInfo)(); - if(!isset($authInfo->user)) - return $this->templating->render('oauth2/login', ['auth' => $authInfo]); + if($authInfo->isFailure()) + return $this->templating->render('oauth2/login', [ + 'login_url' => $authInfo->getLoginUrl(), + 'register_url' => $authInfo->getRegisterUrl(), + ]); - $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->session->token); + $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->getSessionInfo()->getToken()); return $this->templating->render('oauth2/verify', [ 'csrfp_token' => $csrfp->createToken(), @@ -246,12 +256,12 @@ final class OAuth2Routes extends RouteHandler { // TODO: RATE LIMITING $authInfo = ($this->getAuthInfo)(); - if(!isset($authInfo->user)) + if($authInfo->isFailure()) return ['error' => 'auth']; $content = $request->getContent(); - $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->session->token); + $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->getSessionInfo()->getToken()); if(!$csrfp->verifyToken((string)$content->getParam('_csrfp'))) return ['error' => 'csrf']; @@ -270,7 +280,7 @@ final class OAuth2Routes extends RouteHandler { return ['error' => 'invalid']; $approved = $approve === 'yes'; - $devicesData->setDeviceApproval($deviceInfo, $approved, $authInfo->user->id); + $devicesData->setDeviceApproval($deviceInfo, $approved, $authInfo->getUserInfo()->getId()); return [ 'approval' => $approved ? 'approved' : 'denied', @@ -282,10 +292,10 @@ final class OAuth2Routes extends RouteHandler { // TODO: RATE LIMITING $authInfo = ($this->getAuthInfo)(); - if(!isset($authInfo->user)) + if($authInfo->isFailure()) return ['error' => 'auth']; - $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->session->token); + $csrfp = new CSRFP(($this->getCSRFPSecret)(), $authInfo->getSessionInfo()->getToken()); if(!$csrfp->verifyToken((string)$request->getParam('csrfp'))) return ['error' => 'csrf']; @@ -306,6 +316,7 @@ final class OAuth2Routes extends RouteHandler { return ['error' => 'code']; } + $userInfo = $authInfo->getUserInfo(); $result = [ 'req' => [ 'code' => $deviceInfo->getUserCode(), @@ -319,21 +330,23 @@ final class OAuth2Routes extends RouteHandler { ], ], 'user' => [ - 'name' => $authInfo->user->name, - 'colour' => $authInfo->user->colour, - 'profile_uri' => $authInfo->user->profile_url, - 'avatar_uri' => $authInfo->user->avatars->x120, + 'name' => $userInfo->getName(), + 'colour' => $userInfo->getColour(), + 'profile_uri' => $userInfo->getProfileUrl(), + 'avatar_uri' => $userInfo->getAvatar('x120'), ], ]; - if(isset($authInfo->guise)) + if($authInfo->isGuise()) { + $guiseInfo = $authInfo->getGuiseInfo(); $result['user']['guise'] = [ - 'name' => $authInfo->guise->name, - 'colour' => $authInfo->guise->colour, - 'profile_uri' => $authInfo->guise->profile_url, - 'revert_uri' => $authInfo->guise->revert_url, - 'avatar_uri' => $authInfo->guise->avatars->x60, + 'name' => $guiseInfo->getName(), + 'colour' => $guiseInfo->getColour(), + 'profile_uri' => $guiseInfo->getProfileUrl(), + 'revert_uri' => $guiseInfo->getRevertUrl(), + 'avatar_uri' => $guiseInfo->getAvatar('x60'), ]; + } return $result; } diff --git a/templates/oauth2/login.twig b/templates/oauth2/login.twig index 04da046..2faa8f1 100644 --- a/templates/oauth2/login.twig +++ b/templates/oauth2/login.twig @@ -10,7 +10,7 @@

A third-party application is requesting permission to access your account.

{% endif %} -

You must be logged in to authorise applications. Log in or create an account and reload this page to try again.

+

You must be logged in to authorise applications. Log in or create an account and reload this page to try again.

{% if app is defined and app.isTrusted %}

You will be redirected to the following application after logging in.