Working impl

.vscode/launch.json

@@ -15,8 +15,9 @@
                 "--issuer",
                 "http://localhost:8080/",
                 "--authorizeEndpoint",
-                "http://localhost:4321/login"
-                // "https://federated.nexus/login"
+                "http://localhost:4321/login",
+                "--serviceDomain",
+                "federated.nexus"
             ],
             "request": "launch",
             "type": "dart"

analysis_options.yaml

@@ -1,13 +1,13 @@
 # This file configures the static analysis results for your project (errors,
 # warnings, and lints).
 #
-# This enables the 'recommended' set of lints from `package:lints`.
+# This enables the "recommended" set of lints from `package:lints`.
 # This set helps identify many issues that may lead to problems when running
 # or consuming Dart code, and enforces writing Dart using a single, idiomatic
 # style and format.
 #
 # If you want a smaller set of lints you can change this to specify
-# 'package:lints/core.yaml'. These are just the most critical lints
+# "package:lints/core.yaml". These are just the most critical lints
 # (the recommended set includes the core lints).
 # The core lints are also what is used by pub.dev for scoring packages.
 

bin/matrixgate.dart

@@ -10,8 +10,9 @@ import "package:shelf_router/shelf_router.dart";
 void main(List<String> argsRaw) async {
   final parser = ArgParser()
     ..addOption("socket", abbr: "s")
-    ..addOption("address", abbr: "a", defaultsTo: "127.0.0.1")
+    ..addOption("serviceDomain", abbr: "d")
     ..addOption("port", abbr: "p", defaultsTo: "8080")
+    ..addOption("address", abbr: "a", defaultsTo: "127.0.0.1")
     ..addOption("issuer", abbr: "i", mandatory: true)
     ..addOption("homeserver", abbr: "h", mandatory: true)
     ..addOption("jwtSecretFile", abbr: "j", mandatory: true)

lib/helpers/api_helper.dart

@@ -25,7 +25,6 @@ class ApiHelper {
     final scope = data["scope"];
     final nonce = data["nonce"];
 
-    // Basic validation
     if ([
       username,
       password,
@@ -33,13 +32,16 @@ class ApiHelper {
       clientId,
       nonce,
       scope,
-    ].any((v) => v == null)) {
+    ].any((f) => f == null)) {
       return Response(400, body: "Missing required field(s)");
     }
 
-    // Matrix login
+    if (!Uri.parse(redirectUri!).host.endsWith(settings.serviceDomain)) {
+      return Response(403, body: "Redirect URI not allowed");
+    }
+
     final loginRes = await http.post(
-      Uri.https(settings.homeserver, "_matrix/client/v3/login"),
+      Uri.parse("${settings.homeserver}/_matrix/client/v3/login"),
       headers: {"Content-Type": "application/json"},
       body: json.encode({
         "type": "m.login.password",
@@ -56,11 +58,9 @@ class ApiHelper {
     final userId = loginData["user_id"];
     final accessToken = loginData["access_token"];
 
-    // Request OpenID token from Matrix
     final openidRes = await http.post(
-      Uri.https(
-        settings.homeserver,
-        "_matrix/client/v3/user/${Uri.encodeComponent(userId)}/openid/request",
+      Uri.parse(
+        "${settings.homeserver}/_matrix/client/v3/user/${Uri.encodeComponent(userId)}/openid/request_token",
       ),
       headers: {"Authorization": "Bearer $accessToken"},
     );
@@ -73,7 +73,6 @@ class ApiHelper {
 
     final openidToken = json.decode(openidRes.body)["access_token"];
 
-    // Generate and store authorization code
     final code = base64Url.encode(
       List<int>.generate(16, (_) => DateTime.now().millisecond % 256),
     );
@@ -85,7 +84,6 @@ class ApiHelper {
           MatrixUser(userId: userId, matrixToken: openidToken, nonce: nonce!),
         );
 
-    // Redirect back to client
     return Response.found("$redirectUri?code=$code&state=$state");
   }
 
@@ -93,34 +91,38 @@ class ApiHelper {
     final settings = ref.read(SettingsController.provider)!;
     final body = Uri.splitQueryString(await request.readAsString());
     final code = body["code"];
+    final clientId = body["client_id"];
+
+    if (code == null || clientId == null) {
+      return Response(400, body: "Missing code or client_id");
+    }
 
     final codes = ref.read(AuthCodeController.provider);
-
-    if (code == null || !codes.containsKey(code)) {
+    if (!codes.containsKey(code)) {
       return Response(400, body: "Invalid code");
     }
 
     final user = codes[code]!;
     ref.read(AuthCodeController.provider.notifier).remove(code);
 
+    final secret = await File.fromUri(
+      Uri.file(settings.jwtSecretFile),
+    ).readAsString();
+
     final jwt = JWT(
       {
+        "nonce": user.nonce,
         "exp":
-            DateTime.now().add(Duration(minutes: 10)).millisecondsSinceEpoch ~/
+            DateTime.now().add(Duration(days: 7)).millisecondsSinceEpoch ~/
             1000,
         "iat": DateTime.now().millisecondsSinceEpoch ~/ 1000,
       },
       subject: user.userId,
-      issuer: ref.read(SettingsController.provider)!.issuer,
-      audience: Audience([body["client_id"]!]),
+      issuer: settings.issuer,
+      audience: Audience([clientId]),
     );
 
-    final token = jwt.sign(
-      SecretKey(
-        await File.fromUri(Uri.file(settings.jwtSecretFile)).readAsString(),
-      ),
-      algorithm: JWTAlgorithm.HS256,
-    );
+    final token = jwt.sign(SecretKey(secret), algorithm: JWTAlgorithm.HS256);
 
     return Response.ok(
       json.encode({
@@ -143,9 +145,8 @@ class ApiHelper {
 
     final token = auth.substring(7);
     final matrixResp = await http.get(
-      Uri.https(
-        ref.read(SettingsController.provider)!.homeserver,
-        "_matrix/federation/v1/openid/userinfo",
+      Uri.parse(
+        "${ref.read(SettingsController.provider)!.homeserver}/_matrix/federation/v1/openid/userinfo",
       ),
       headers: {"Authorization": "Bearer $token"},
     );

lib/models/matrix_user.freezed.dart

@@ -4,7 +4,7 @@
 // ignore_for_file: type=lint
 // ignore_for_file: unused_element, deprecated_member_use, deprecated_member_use_from_same_package, use_function_type_syntax_for_parameters, unnecessary_const, avoid_init_to_null, invalid_override_different_default_values_named, prefer_expression_function_bodies, annotate_overrides, invalid_annotation_target, unnecessary_question_mark
 
-part of 'matrix_user.dart';
+part of "matrix_user.dart";
 
 // **************************************************************************
 // FreezedGenerator
@@ -20,7 +20,7 @@ mixin _$MatrixUser {
 /// Create a copy of MatrixUser
 /// with the given fields replaced by the non-null parameter values.
 @JsonKey(includeFromJson: false, includeToJson: false)
-@pragma('vm:prefer-inline')
+@pragma("vm:prefer-inline")
 $MatrixUserCopyWith<MatrixUser> get copyWith => _$MatrixUserCopyWithImpl<MatrixUser>(this as MatrixUser, _$identity);
 
   /// Serializes this MatrixUser to a JSON map.
@@ -38,7 +38,7 @@ int get hashCode => Object.hash(runtimeType,userId,matrixToken,nonce);
 
 @override
 String toString() {
-  return 'MatrixUser(userId: $userId, matrixToken: $matrixToken, nonce: $nonce)';
+  return "MatrixUser(userId: $userId, matrixToken: $matrixToken, nonce: $nonce)";
 }
 
 
@@ -66,7 +66,7 @@ class _$MatrixUserCopyWithImpl<$Res>
 
 /// Create a copy of MatrixUser
 /// with the given fields replaced by the non-null parameter values.
-@pragma('vm:prefer-inline') @override $Res call({Object? userId = null,Object? matrixToken = null,Object? nonce = null,}) {
+@pragma("vm:prefer-inline") @override $Res call({Object? userId = null,Object? matrixToken = null,Object? nonce = null,}) {
   return _then(_self.copyWith(
 userId: null == userId ? _self.userId : userId // ignore: cast_nullable_to_non_nullable
 as String,matrixToken: null == matrixToken ? _self.matrixToken : matrixToken // ignore: cast_nullable_to_non_nullable
@@ -92,7 +92,7 @@ class _MatrixUser implements MatrixUser {
 /// Create a copy of MatrixUser
 /// with the given fields replaced by the non-null parameter values.
 @override @JsonKey(includeFromJson: false, includeToJson: false)
-@pragma('vm:prefer-inline')
+@pragma("vm:prefer-inline")
 _$MatrixUserCopyWith<_MatrixUser> get copyWith => __$MatrixUserCopyWithImpl<_MatrixUser>(this, _$identity);
 
 @override
@@ -111,7 +111,7 @@ int get hashCode => Object.hash(runtimeType,userId,matrixToken,nonce);
 
 @override
 String toString() {
-  return 'MatrixUser(userId: $userId, matrixToken: $matrixToken, nonce: $nonce)';
+  return "MatrixUser(userId: $userId, matrixToken: $matrixToken, nonce: $nonce)";
 }
 
 
@@ -139,7 +139,7 @@ class __$MatrixUserCopyWithImpl<$Res>
 
 /// Create a copy of MatrixUser
 /// with the given fields replaced by the non-null parameter values.
-@override @pragma('vm:prefer-inline') $Res call({Object? userId = null,Object? matrixToken = null,Object? nonce = null,}) {
+@override @pragma("vm:prefer-inline") $Res call({Object? userId = null,Object? matrixToken = null,Object? nonce = null,}) {
   return _then(_MatrixUser(
 userId: null == userId ? _self.userId : userId // ignore: cast_nullable_to_non_nullable
 as String,matrixToken: null == matrixToken ? _self.matrixToken : matrixToken // ignore: cast_nullable_to_non_nullable

lib/models/matrix_user.g.dart

@@ -1,20 +1,20 @@
 // GENERATED CODE - DO NOT MODIFY BY HAND
 
-part of 'matrix_user.dart';
+part of "matrix_user.dart";
 
 // **************************************************************************
 // JsonSerializableGenerator
 // **************************************************************************
 
 _MatrixUser _$MatrixUserFromJson(Map<String, dynamic> json) => _MatrixUser(
-  userId: json['userId'] as String,
-  matrixToken: json['matrixToken'] as String,
-  nonce: json['nonce'] as String,
+  userId: json["userId"] as String,
+  matrixToken: json["matrixToken"] as String,
+  nonce: json["nonce"] as String,
 );
 
 Map<String, dynamic> _$MatrixUserToJson(_MatrixUser instance) =>
     <String, dynamic>{
-      'userId': instance.userId,
-      'matrixToken': instance.matrixToken,
-      'nonce': instance.nonce,
+      "userId": instance.userId,
+      "matrixToken": instance.matrixToken,
+      "nonce": instance.nonce,
     };

lib/models/settings.dart

@@ -11,6 +11,7 @@ abstract class Settings with _$Settings {
     required String port,
     required String homeserver,
     required String issuer,
+    required String serviceDomain,
     required String jwtSecretFile,
     required String authorizeEndpoint,
   }) = _Settings;

lib/models/settings.freezed.dart

@@ -16,7 +16,7 @@ T _$identity<T>(T value) => value;
 /// @nodoc
 mixin _$Settings {
 
- String? get socket; String get address; String get port; String get homeserver; String get issuer; String get jwtSecretFile; String get authorizeEndpoint;
+ String? get socket; String get address; String get port; String get homeserver; String get issuer; String get serviceDomain; String get jwtSecretFile; String get authorizeEndpoint;
 /// Create a copy of Settings
 /// with the given fields replaced by the non-null parameter values.
 @JsonKey(includeFromJson: false, includeToJson: false)
@@ -29,16 +29,16 @@ $SettingsCopyWith<Settings> get copyWith => _$SettingsCopyWithImpl<Settings>(thi
 
 @override
 bool operator ==(Object other) {
-  return identical(this, other) || (other.runtimeType == runtimeType&&other is Settings&&(identical(other.socket, socket) || other.socket == socket)&&(identical(other.address, address) || other.address == address)&&(identical(other.port, port) || other.port == port)&&(identical(other.homeserver, homeserver) || other.homeserver == homeserver)&&(identical(other.issuer, issuer) || other.issuer == issuer)&&(identical(other.jwtSecretFile, jwtSecretFile) || other.jwtSecretFile == jwtSecretFile)&&(identical(other.authorizeEndpoint, authorizeEndpoint) || other.authorizeEndpoint == authorizeEndpoint));
+  return identical(this, other) || (other.runtimeType == runtimeType&&other is Settings&&(identical(other.socket, socket) || other.socket == socket)&&(identical(other.address, address) || other.address == address)&&(identical(other.port, port) || other.port == port)&&(identical(other.homeserver, homeserver) || other.homeserver == homeserver)&&(identical(other.issuer, issuer) || other.issuer == issuer)&&(identical(other.serviceDomain, serviceDomain) || other.serviceDomain == serviceDomain)&&(identical(other.jwtSecretFile, jwtSecretFile) || other.jwtSecretFile == jwtSecretFile)&&(identical(other.authorizeEndpoint, authorizeEndpoint) || other.authorizeEndpoint == authorizeEndpoint));
 }
 
 @JsonKey(includeFromJson: false, includeToJson: false)
 @override
-int get hashCode => Object.hash(runtimeType,socket,address,port,homeserver,issuer,jwtSecretFile,authorizeEndpoint);
+int get hashCode => Object.hash(runtimeType,socket,address,port,homeserver,issuer,serviceDomain,jwtSecretFile,authorizeEndpoint);
 
 @override
 String toString() {
-  return 'Settings(socket: $socket, address: $address, port: $port, homeserver: $homeserver, issuer: $issuer, jwtSecretFile: $jwtSecretFile, authorizeEndpoint: $authorizeEndpoint)';
+  return 'Settings(socket: $socket, address: $address, port: $port, homeserver: $homeserver, issuer: $issuer, serviceDomain: $serviceDomain, jwtSecretFile: $jwtSecretFile, authorizeEndpoint: $authorizeEndpoint)';
 }
 
 
@@ -49,7 +49,7 @@ abstract mixin class $SettingsCopyWith<$Res>  {
   factory $SettingsCopyWith(Settings value, $Res Function(Settings) _then) = _$SettingsCopyWithImpl;
 @useResult
 $Res call({
- String? socket, String address, String port, String homeserver, String issuer, String jwtSecretFile, String authorizeEndpoint
+ String? socket, String address, String port, String homeserver, String issuer, String serviceDomain, String jwtSecretFile, String authorizeEndpoint
 });
 
 
@@ -66,13 +66,14 @@ class _$SettingsCopyWithImpl<$Res>
 
 /// Create a copy of Settings
 /// with the given fields replaced by the non-null parameter values.
-@pragma('vm:prefer-inline') @override $Res call({Object? socket = freezed,Object? address = null,Object? port = null,Object? homeserver = null,Object? issuer = null,Object? jwtSecretFile = null,Object? authorizeEndpoint = null,}) {
+@pragma('vm:prefer-inline') @override $Res call({Object? socket = freezed,Object? address = null,Object? port = null,Object? homeserver = null,Object? issuer = null,Object? serviceDomain = null,Object? jwtSecretFile = null,Object? authorizeEndpoint = null,}) {
   return _then(_self.copyWith(
 socket: freezed == socket ? _self.socket : socket // ignore: cast_nullable_to_non_nullable
 as String?,address: null == address ? _self.address : address // ignore: cast_nullable_to_non_nullable
 as String,port: null == port ? _self.port : port // ignore: cast_nullable_to_non_nullable
 as String,homeserver: null == homeserver ? _self.homeserver : homeserver // ignore: cast_nullable_to_non_nullable
 as String,issuer: null == issuer ? _self.issuer : issuer // ignore: cast_nullable_to_non_nullable
+as String,serviceDomain: null == serviceDomain ? _self.serviceDomain : serviceDomain // ignore: cast_nullable_to_non_nullable
 as String,jwtSecretFile: null == jwtSecretFile ? _self.jwtSecretFile : jwtSecretFile // ignore: cast_nullable_to_non_nullable
 as String,authorizeEndpoint: null == authorizeEndpoint ? _self.authorizeEndpoint : authorizeEndpoint // ignore: cast_nullable_to_non_nullable
 as String,
@@ -86,7 +87,7 @@ as String,
 @JsonSerializable()
 
 class _Settings implements Settings {
-  const _Settings({required this.socket, required this.address, required this.port, required this.homeserver, required this.issuer, required this.jwtSecretFile, required this.authorizeEndpoint});
+  const _Settings({required this.socket, required this.address, required this.port, required this.homeserver, required this.issuer, required this.serviceDomain, required this.jwtSecretFile, required this.authorizeEndpoint});
   factory _Settings.fromJson(Map<String, dynamic> json) => _$SettingsFromJson(json);
 
 @override final  String? socket;
@@ -94,6 +95,7 @@ class _Settings implements Settings {
 @override final  String port;
 @override final  String homeserver;
 @override final  String issuer;
+@override final  String serviceDomain;
 @override final  String jwtSecretFile;
 @override final  String authorizeEndpoint;
 
@@ -110,16 +112,16 @@ Map<String, dynamic> toJson() {
 
 @override
 bool operator ==(Object other) {
-  return identical(this, other) || (other.runtimeType == runtimeType&&other is _Settings&&(identical(other.socket, socket) || other.socket == socket)&&(identical(other.address, address) || other.address == address)&&(identical(other.port, port) || other.port == port)&&(identical(other.homeserver, homeserver) || other.homeserver == homeserver)&&(identical(other.issuer, issuer) || other.issuer == issuer)&&(identical(other.jwtSecretFile, jwtSecretFile) || other.jwtSecretFile == jwtSecretFile)&&(identical(other.authorizeEndpoint, authorizeEndpoint) || other.authorizeEndpoint == authorizeEndpoint));
+  return identical(this, other) || (other.runtimeType == runtimeType&&other is _Settings&&(identical(other.socket, socket) || other.socket == socket)&&(identical(other.address, address) || other.address == address)&&(identical(other.port, port) || other.port == port)&&(identical(other.homeserver, homeserver) || other.homeserver == homeserver)&&(identical(other.issuer, issuer) || other.issuer == issuer)&&(identical(other.serviceDomain, serviceDomain) || other.serviceDomain == serviceDomain)&&(identical(other.jwtSecretFile, jwtSecretFile) || other.jwtSecretFile == jwtSecretFile)&&(identical(other.authorizeEndpoint, authorizeEndpoint) || other.authorizeEndpoint == authorizeEndpoint));
 }
 
 @JsonKey(includeFromJson: false, includeToJson: false)
 @override
-int get hashCode => Object.hash(runtimeType,socket,address,port,homeserver,issuer,jwtSecretFile,authorizeEndpoint);
+int get hashCode => Object.hash(runtimeType,socket,address,port,homeserver,issuer,serviceDomain,jwtSecretFile,authorizeEndpoint);
 
 @override
 String toString() {
-  return 'Settings(socket: $socket, address: $address, port: $port, homeserver: $homeserver, issuer: $issuer, jwtSecretFile: $jwtSecretFile, authorizeEndpoint: $authorizeEndpoint)';
+  return 'Settings(socket: $socket, address: $address, port: $port, homeserver: $homeserver, issuer: $issuer, serviceDomain: $serviceDomain, jwtSecretFile: $jwtSecretFile, authorizeEndpoint: $authorizeEndpoint)';
 }
 
 
@@ -130,7 +132,7 @@ abstract mixin class _$SettingsCopyWith<$Res> implements $SettingsCopyWith<$Res>
   factory _$SettingsCopyWith(_Settings value, $Res Function(_Settings) _then) = __$SettingsCopyWithImpl;
 @override @useResult
 $Res call({
- String? socket, String address, String port, String homeserver, String issuer, String jwtSecretFile, String authorizeEndpoint
+ String? socket, String address, String port, String homeserver, String issuer, String serviceDomain, String jwtSecretFile, String authorizeEndpoint
 });
 
 
@@ -147,13 +149,14 @@ class __$SettingsCopyWithImpl<$Res>
 
 /// Create a copy of Settings
 /// with the given fields replaced by the non-null parameter values.
-@override @pragma('vm:prefer-inline') $Res call({Object? socket = freezed,Object? address = null,Object? port = null,Object? homeserver = null,Object? issuer = null,Object? jwtSecretFile = null,Object? authorizeEndpoint = null,}) {
+@override @pragma('vm:prefer-inline') $Res call({Object? socket = freezed,Object? address = null,Object? port = null,Object? homeserver = null,Object? issuer = null,Object? serviceDomain = null,Object? jwtSecretFile = null,Object? authorizeEndpoint = null,}) {
   return _then(_Settings(
 socket: freezed == socket ? _self.socket : socket // ignore: cast_nullable_to_non_nullable
 as String?,address: null == address ? _self.address : address // ignore: cast_nullable_to_non_nullable
 as String,port: null == port ? _self.port : port // ignore: cast_nullable_to_non_nullable
 as String,homeserver: null == homeserver ? _self.homeserver : homeserver // ignore: cast_nullable_to_non_nullable
 as String,issuer: null == issuer ? _self.issuer : issuer // ignore: cast_nullable_to_non_nullable
+as String,serviceDomain: null == serviceDomain ? _self.serviceDomain : serviceDomain // ignore: cast_nullable_to_non_nullable
 as String,jwtSecretFile: null == jwtSecretFile ? _self.jwtSecretFile : jwtSecretFile // ignore: cast_nullable_to_non_nullable
 as String,authorizeEndpoint: null == authorizeEndpoint ? _self.authorizeEndpoint : authorizeEndpoint // ignore: cast_nullable_to_non_nullable
 as String,

lib/models/settings.g.dart

@@ -12,6 +12,7 @@ _Settings _$SettingsFromJson(Map<String, dynamic> json) => _Settings(
   port: json['port'] as String,
   homeserver: json['homeserver'] as String,
   issuer: json['issuer'] as String,
+  serviceDomain: json['serviceDomain'] as String,
   jwtSecretFile: json['jwtSecretFile'] as String,
   authorizeEndpoint: json['authorizeEndpoint'] as String,
 );
@@ -22,6 +23,7 @@ Map<String, dynamic> _$SettingsToJson(_Settings instance) => <String, dynamic>{
   'port': instance.port,
   'homeserver': instance.homeserver,
   'issuer': instance.issuer,
+  'serviceDomain': instance.serviceDomain,
   'jwtSecretFile': instance.jwtSecretFile,
   'authorizeEndpoint': instance.authorizeEndpoint,
 };