From 386f7fffd6fd07655c5b54dc2af274c899520333 Mon Sep 17 00:00:00 2001 From: Henry-Hiles Date: Thu, 19 Jun 2025 13:39:52 -0400 Subject: [PATCH] Working impl --- .vscode/launch.json | 5 +-- analysis_options.yaml | 4 +-- bin/matrixgate.dart | 3 +- lib/helpers/api_helper.dart | 49 +++++++++++++++-------------- lib/models/matrix_user.freezed.dart | 14 ++++----- lib/models/matrix_user.g.dart | 14 ++++----- lib/models/settings.dart | 1 + lib/models/settings.freezed.dart | 27 +++++++++------- lib/models/settings.g.dart | 2 ++ 9 files changed, 64 insertions(+), 55 deletions(-) diff --git a/.vscode/launch.json b/.vscode/launch.json index 9d2c1f2..6d69bbd 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -15,8 +15,9 @@ "--issuer", "http://localhost:8080/", "--authorizeEndpoint", - "http://localhost:4321/login" - // "https://federated.nexus/login" + "http://localhost:4321/login", + "--serviceDomain", + "federated.nexus" ], "request": "launch", "type": "dart" diff --git a/analysis_options.yaml b/analysis_options.yaml index dee8927..98042bd 100644 --- a/analysis_options.yaml +++ b/analysis_options.yaml @@ -1,13 +1,13 @@ # This file configures the static analysis results for your project (errors, # warnings, and lints). # -# This enables the 'recommended' set of lints from `package:lints`. +# This enables the "recommended" set of lints from `package:lints`. # This set helps identify many issues that may lead to problems when running # or consuming Dart code, and enforces writing Dart using a single, idiomatic # style and format. # # If you want a smaller set of lints you can change this to specify -# 'package:lints/core.yaml'. These are just the most critical lints +# "package:lints/core.yaml". These are just the most critical lints # (the recommended set includes the core lints). # The core lints are also what is used by pub.dev for scoring packages. diff --git a/bin/matrixgate.dart b/bin/matrixgate.dart index de501ee..3f4fbb9 100644 --- a/bin/matrixgate.dart 
+++ b/bin/matrixgate.dart @@ -10,8 +10,9 @@ import "package:shelf_router/shelf_router.dart"; void main(List argsRaw) async { final parser = ArgParser() ..addOption("socket", abbr: "s") - ..addOption("address", abbr: "a", defaultsTo: "127.0.0.1") + ..addOption("serviceDomain", abbr: "d") ..addOption("port", abbr: "p", defaultsTo: "8080") + ..addOption("address", abbr: "a", defaultsTo: "127.0.0.1") ..addOption("issuer", abbr: "i", mandatory: true) ..addOption("homeserver", abbr: "h", mandatory: true) ..addOption("jwtSecretFile", abbr: "j", mandatory: true) diff --git a/lib/helpers/api_helper.dart b/lib/helpers/api_helper.dart index 6493dae..62ee31b 100644 --- a/lib/helpers/api_helper.dart +++ b/lib/helpers/api_helper.dart @@ -25,7 +25,6 @@ class ApiHelper { final scope = data["scope"]; final nonce = data["nonce"]; - // Basic validation if ([ username, password, @@ -33,13 +32,16 @@ class ApiHelper { clientId, nonce, scope, - ].any((v) => v == null)) { + ].any((f) => f == null)) { return Response(400, body: "Missing required field(s)"); } - // Matrix login + if (!Uri.parse(redirectUri!).host.endsWith(settings.serviceDomain)) { + return Response(403, body: "Redirect URI not allowed"); + } + final loginRes = await http.post( - Uri.https(settings.homeserver, "_matrix/client/v3/login"), + Uri.parse("${settings.homeserver}/_matrix/client/v3/login"), headers: {"Content-Type": "application/json"}, body: json.encode({ "type": "m.login.password", @@ -56,11 +58,9 @@ class ApiHelper { final userId = loginData["user_id"]; final accessToken = loginData["access_token"]; - // Request OpenID token from Matrix final openidRes = await http.post( - Uri.https( - settings.homeserver, - "_matrix/client/v3/user/${Uri.encodeComponent(userId)}/openid/request", + Uri.parse( + "${settings.homeserver}/_matrix/client/v3/user/${Uri.encodeComponent(userId)}/openid/request_token", ), headers: {"Authorization": "Bearer $accessToken"}, ); 
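Review bot: `..addOption("serviceDomain", abbr: "d")` is added without `mandatory: true`, although `Settings.serviceDomain` is declared `required String` in the settings.dart hunk and the api_helper redirect check calls `endsWith(settings.serviceDomain)` on it. If the settings object is built from these parsed options (that code is not visible here), an omitted flag would presumably fail at construction or at the first redirect check rather than at argument parsing. `..addOption("serviceDomain", abbr: "d", mandatory: true)` keeps the failure at startup alongside the other mandatory options. main continues outside the hunk.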
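Review bot: The new redirect check `Uri.parse(redirectUri!).host.endsWith(settings.serviceDomain)` is a bare suffix match, so with `serviceDomain` set to `federated.nexus` a host such as `evilfederated.nexus` also passes, and `Uri.parse` throws a `FormatException` on a malformed `redirect_uri` that nothing in the handler catches. Compare the host exactly or with a dot-prefixed suffix and parse leniently: `final host = Uri.tryParse(redirectUri!)?.host;` then `if (host == null || (host != settings.serviceDomain && !host.endsWith(".${settings.serviceDomain}"))) {`. The scheme is not checked either; an allow-list of exact registered redirect URIs per client is the usual OAuth control, if clients are registered anywhere in this service. Separately, replacing `Uri.https(settings.homeserver, …)` with `Uri.parse("${settings.homeserver}/…")` here, in the openid/request_token hunk and in the userinfo hunk (@@ -143) means the scheme now comes from configuration, so an `http://` homeserver would send the user's password and tokens in clear; worth validating at startup that `homeserver` is an absolute `https` URL. The enclosing handler starts before this hunk.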
@@ -73,7 +73,6 @@ class ApiHelper { final openidToken = json.decode(openidRes.body)["access_token"]; - // Generate and store authorization code final code = base64Url.encode( List.generate(16, (_) => DateTime.now().millisecond % 256), ); @@ -85,7 +84,6 @@ class ApiHelper { MatrixUser(userId: userId, matrixToken: openidToken, nonce: nonce!), ); - // Redirect back to client return Response.found("$redirectUri?code=$code&state=$state"); } @@ -93,34 +91,38 @@ class ApiHelper { final settings = ref.read(SettingsController.provider)!; final body = Uri.splitQueryString(await request.readAsString()); final code = body["code"]; + final clientId = body["client_id"]; + + if (code == null || clientId == null) { + return Response(400, body: "Missing code or client_id"); + } final codes = ref.read(AuthCodeController.provider); - - if (code == null || !codes.containsKey(code)) { + if (!codes.containsKey(code)) { return Response(400, body: "Invalid code"); } final user = codes[code]!; ref.read(AuthCodeController.provider.notifier).remove(code); + final secret = await File.fromUri( + Uri.file(settings.jwtSecretFile), + ).readAsString(); + final jwt = JWT( { + "nonce": user.nonce, "exp": - DateTime.now().add(Duration(minutes: 10)).millisecondsSinceEpoch ~/ + DateTime.now().add(Duration(days: 7)).millisecondsSinceEpoch ~/ 1000, "iat": DateTime.now().millisecondsSinceEpoch ~/ 1000, }, subject: user.userId, - issuer: ref.read(SettingsController.provider)!.issuer, - audience: Audience([body["client_id"]!]), + issuer: settings.issuer, + audience: Audience([clientId]), ); - final token = jwt.sign( - SecretKey( - await File.fromUri(Uri.file(settings.jwtSecretFile)).readAsString(), - ), - algorithm: JWTAlgorithm.HS256, - ); + final token = jwt.sign(SecretKey(secret), algorithm: JWTAlgorithm.HS256); return Response.ok( json.encode({ 
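Review bot: The token exchange signs a JWT with `audience: Audience([clientId])` for whatever `client_id` the caller supplies, but nothing ties that value to the client the code was issued to — `MatrixUser` (per the freezed hunk) stores only `userId`, `matrixToken` and `nonce`, and neither a client secret nor a PKCE verifier is checked — so any party holding a code can obtain a token for any audience. Storing the `client_id` (and `redirect_uri`) with the code at issuance and rejecting a mismatch before `jwt.sign` is the standard fix; it matters more because the `code` being redeemed is, per the context lines of the @@ -73 hunk, built from `DateTime.now().millisecond % 256` and is therefore guessable rather than random, so a `SecureRandom`-style source should back it. The `exp` also moves from 10 minutes to `Duration(days: 7)`; an ID token normally stays short-lived, since the code is single-use and the relying party establishes its own session from it. The enclosing handler starts before this hunk.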
@@ -143,9 +145,8 @@ class ApiHelper { final token = auth.substring(7); final matrixResp = await http.get( - Uri.https( - ref.read(SettingsController.provider)!.homeserver, - "_matrix/federation/v1/openid/userinfo", + Uri.parse( + "${ref.read(SettingsController.provider)!.homeserver}/_matrix/federation/v1/openid/userinfo", ), headers: {"Authorization": "Bearer $token"}, ); diff --git a/lib/models/matrix_user.freezed.dart b/lib/models/matrix_user.freezed.dart index 5b73067..953ea7e 100644 --- a/lib/models/matrix_user.freezed.dart +++ b/lib/models/matrix_user.freezed.dart @@ -4,7 +4,7 @@ // ignore_for_file: type=lint // ignore_for_file: unused_element, deprecated_member_use, deprecated_member_use_from_same_package, use_function_type_syntax_for_parameters, unnecessary_const, avoid_init_to_null, invalid_override_different_default_values_named, prefer_expression_function_bodies, annotate_overrides, invalid_annotation_target, unnecessary_question_mark -part of 'matrix_user.dart'; +part of "matrix_user.dart"; // ************************************************************************** // FreezedGenerator @@ -20,7 +20,7 @@ mixin _$MatrixUser { /// Create a copy of MatrixUser /// with the given fields replaced by the non-null parameter values. @JsonKey(includeFromJson: false, includeToJson: false) -@pragma('vm:prefer-inline') +@pragma("vm:prefer-inline") $MatrixUserCopyWith get copyWith => _$MatrixUserCopyWithImpl(this as MatrixUser, _$identity); /// Serializes this MatrixUser to a JSON map. @@ -38,7 +38,7 @@ int get hashCode => Object.hash(runtimeType,userId,matrixToken,nonce); @override String toString() { - return 'MatrixUser(userId: $userId, matrixToken: $matrixToken, nonce: $nonce)'; + return "MatrixUser(userId: $userId, matrixToken: $matrixToken, nonce: $nonce)"; } 
@@ -66,7 +66,7 @@ class _$MatrixUserCopyWithImpl<$Res> /// Create a copy of MatrixUser /// with the given fields replaced by the non-null parameter values. -@pragma('vm:prefer-inline') @override $Res call({Object? userId = null,Object? matrixToken = null,Object? nonce = null,}) { +@pragma("vm:prefer-inline") @override $Res call({Object? userId = null,Object? matrixToken = null,Object? nonce = null,}) { return _then(_self.copyWith( userId: null == userId ? _self.userId : userId // ignore: cast_nullable_to_non_nullable as String,matrixToken: null == matrixToken ? _self.matrixToken : matrixToken // ignore: cast_nullable_to_non_nullable @@ -92,7 +92,7 @@ class _MatrixUser implements MatrixUser { /// Create a copy of MatrixUser /// with the given fields replaced by the non-null parameter values. @override @JsonKey(includeFromJson: false, includeToJson: false) -@pragma('vm:prefer-inline') +@pragma("vm:prefer-inline") _$MatrixUserCopyWith<_MatrixUser> get copyWith => __$MatrixUserCopyWithImpl<_MatrixUser>(this, _$identity); @override @@ -111,7 +111,7 @@ int get hashCode => Object.hash(runtimeType,userId,matrixToken,nonce); @override String toString() { - return 'MatrixUser(userId: $userId, matrixToken: $matrixToken, nonce: $nonce)'; + return "MatrixUser(userId: $userId, matrixToken: $matrixToken, nonce: $nonce)"; } @@ -139,7 +139,7 @@ class __$MatrixUserCopyWithImpl<$Res> /// Create a copy of MatrixUser /// with the given fields replaced by the non-null parameter values. -@override @pragma('vm:prefer-inline') $Res call({Object? userId = null,Object? matrixToken = null,Object? nonce = null,}) { +@override @pragma("vm:prefer-inline") $Res call({Object? userId = null,Object? matrixToken = null,Object? nonce = null,}) { return _then(_MatrixUser( userId: null == userId ? _self.userId : userId // ignore: cast_nullable_to_non_nullable as String,matrixToken: null == matrixToken ? _self.matrixToken : matrixToken // ignore: cast_nullable_to_non_nullable 
diff --git a/lib/models/matrix_user.g.dart b/lib/models/matrix_user.g.dart index 76d8459..5384062 100644 --- a/lib/models/matrix_user.g.dart +++ b/lib/models/matrix_user.g.dart @@ -1,20 +1,20 @@ // GENERATED CODE - DO NOT MODIFY BY HAND -part of 'matrix_user.dart'; +part of "matrix_user.dart"; // ************************************************************************** // JsonSerializableGenerator // ************************************************************************** _MatrixUser _$MatrixUserFromJson(Map json) => _MatrixUser( - userId: json['userId'] as String, - matrixToken: json['matrixToken'] as String, - nonce: json['nonce'] as String, + userId: json["userId"] as String, + matrixToken: json["matrixToken"] as String, + nonce: json["nonce"] as String, ); Map _$MatrixUserToJson(_MatrixUser instance) => { - 'userId': instance.userId, - 'matrixToken': instance.matrixToken, - 'nonce': instance.nonce, + "userId": instance.userId, + "matrixToken": instance.matrixToken, + "nonce": instance.nonce, }; diff --git a/lib/models/settings.dart b/lib/models/settings.dart index 3fa8820..6d7a895 100644 --- a/lib/models/settings.dart +++ b/lib/models/settings.dart @@ -11,6 +11,7 @@ abstract class Settings with _$Settings { required String port, required String homeserver, required String issuer, + required String serviceDomain, required String jwtSecretFile, required String authorizeEndpoint, }) = _Settings; diff --git a/lib/models/settings.freezed.dart b/lib/models/settings.freezed.dart index 81dc77c..7a858e1 100644 --- a/lib/models/settings.freezed.dart +++ b/lib/models/settings.freezed.dart 
@@ -16,7 +16,7 @@ T _$identity(T value) => value; /// @nodoc mixin _$Settings { - String? get socket; String get address; String get port; String get homeserver; String get issuer; String get jwtSecretFile; String get authorizeEndpoint; + String? get socket; String get address; String get port; String get homeserver; String get issuer; String get serviceDomain; String get jwtSecretFile; String get authorizeEndpoint; /// Create a copy of Settings /// with the given fields replaced by the non-null parameter values. @JsonKey(includeFromJson: false, includeToJson: false) 
@@ -29,16 +29,16 @@ $SettingsCopyWith get copyWith => _$SettingsCopyWithImpl(thi @override bool operator ==(Object other) { - return identical(this, other) || (other.runtimeType == runtimeType&&other is Settings&&(identical(other.socket, socket) || other.socket == socket)&&(identical(other.address, address) || other.address == address)&&(identical(other.port, port) || other.port == port)&&(identical(other.homeserver, homeserver) || other.homeserver == homeserver)&&(identical(other.issuer, issuer) || other.issuer == issuer)&&(identical(other.jwtSecretFile, jwtSecretFile) || other.jwtSecretFile == jwtSecretFile)&&(identical(other.authorizeEndpoint, authorizeEndpoint) || other.authorizeEndpoint == authorizeEndpoint)); + return identical(this, other) || (other.runtimeType == runtimeType&&other is Settings&&(identical(other.socket, socket) || other.socket == socket)&&(identical(other.address, address) || other.address == address)&&(identical(other.port, port) || other.port == port)&&(identical(other.homeserver, homeserver) || other.homeserver == homeserver)&&(identical(other.issuer, issuer) || other.issuer == issuer)&&(identical(other.serviceDomain, serviceDomain) || other.serviceDomain == serviceDomain)&&(identical(other.jwtSecretFile, jwtSecretFile) || other.jwtSecretFile == jwtSecretFile)&&(identical(other.authorizeEndpoint, authorizeEndpoint) || other.authorizeEndpoint == authorizeEndpoint)); } @JsonKey(includeFromJson: false, includeToJson: false) @override -int get hashCode => Object.hash(runtimeType,socket,address,port,homeserver,issuer,jwtSecretFile,authorizeEndpoint); +int get hashCode => Object.hash(runtimeType,socket,address,port,homeserver,issuer,serviceDomain,jwtSecretFile,authorizeEndpoint); @override String toString() { - return 'Settings(socket: $socket, address: $address, port: $port, homeserver: $homeserver, issuer: $issuer, jwtSecretFile: $jwtSecretFile, authorizeEndpoint: $authorizeEndpoint)'; + return 'Settings(socket: $socket, address: $address, 
port: $port, homeserver: $homeserver, issuer: $issuer, serviceDomain: $serviceDomain, jwtSecretFile: $jwtSecretFile, authorizeEndpoint: $authorizeEndpoint)'; } @@ -49,7 +49,7 @@ abstract mixin class $SettingsCopyWith<$Res> { factory $SettingsCopyWith(Settings value, $Res Function(Settings) _then) = _$SettingsCopyWithImpl; @useResult $Res call({ - String? socket, String address, String port, String homeserver, String issuer, String jwtSecretFile, String authorizeEndpoint + String? socket, String address, String port, String homeserver, String issuer, String serviceDomain, String jwtSecretFile, String authorizeEndpoint }); 
@@ -66,13 +66,14 @@ class _$SettingsCopyWithImpl<$Res> /// Create a copy of Settings /// with the given fields replaced by the non-null parameter values. -@pragma('vm:prefer-inline') @override $Res call({Object? socket = freezed,Object? address = null,Object? port = null,Object? homeserver = null,Object? issuer = null,Object? jwtSecretFile = null,Object? authorizeEndpoint = null,}) { +@pragma('vm:prefer-inline') @override $Res call({Object? socket = freezed,Object? address = null,Object? port = null,Object? homeserver = null,Object? issuer = null,Object? serviceDomain = null,Object? jwtSecretFile = null,Object? authorizeEndpoint = null,}) { return _then(_self.copyWith( socket: freezed == socket ? _self.socket : socket // ignore: cast_nullable_to_non_nullable as String?,address: null == address ? _self.address : address // ignore: cast_nullable_to_non_nullable as String,port: null == port ? _self.port : port // ignore: cast_nullable_to_non_nullable as String,homeserver: null == homeserver ? _self.homeserver : homeserver // ignore: cast_nullable_to_non_nullable as String,issuer: null == issuer ? _self.issuer : issuer // ignore: cast_nullable_to_non_nullable +as String,serviceDomain: null == serviceDomain ? _self.serviceDomain : serviceDomain // ignore: cast_nullable_to_non_nullable as String,jwtSecretFile: null == jwtSecretFile ? _self.jwtSecretFile : jwtSecretFile // ignore: cast_nullable_to_non_nullable as String,authorizeEndpoint: null == authorizeEndpoint ? _self.authorizeEndpoint : authorizeEndpoint // ignore: cast_nullable_to_non_nullable as String, 
@@ -86,7 +87,7 @@ as String, @JsonSerializable() class _Settings implements Settings { - const _Settings({required this.socket, required this.address, required this.port, required this.homeserver, required this.issuer, required this.jwtSecretFile, required this.authorizeEndpoint}); + const _Settings({required this.socket, required this.address, required this.port, required this.homeserver, required this.issuer, required this.serviceDomain, required this.jwtSecretFile, required this.authorizeEndpoint}); factory _Settings.fromJson(Map json) => _$SettingsFromJson(json); @override final String? socket; @@ -94,6 +95,7 @@ class _Settings implements Settings { @override final String port; @override final String homeserver; @override final String issuer; +@override final String serviceDomain; @override final String jwtSecretFile; @override final String authorizeEndpoint; 
@@ -110,16 +112,16 @@ Map toJson() { @override bool operator ==(Object other) { - return identical(this, other) || (other.runtimeType == runtimeType&&other is _Settings&&(identical(other.socket, socket) || other.socket == socket)&&(identical(other.address, address) || other.address == address)&&(identical(other.port, port) || other.port == port)&&(identical(other.homeserver, homeserver) || other.homeserver == homeserver)&&(identical(other.issuer, issuer) || other.issuer == issuer)&&(identical(other.jwtSecretFile, jwtSecretFile) || other.jwtSecretFile == jwtSecretFile)&&(identical(other.authorizeEndpoint, authorizeEndpoint) || other.authorizeEndpoint == authorizeEndpoint)); + return identical(this, other) || (other.runtimeType == runtimeType&&other is _Settings&&(identical(other.socket, socket) || other.socket == socket)&&(identical(other.address, address) || other.address == address)&&(identical(other.port, port) || other.port == port)&&(identical(other.homeserver, homeserver) || other.homeserver == homeserver)&&(identical(other.issuer, issuer) || other.issuer == issuer)&&(identical(other.serviceDomain, serviceDomain) || other.serviceDomain == serviceDomain)&&(identical(other.jwtSecretFile, jwtSecretFile) || other.jwtSecretFile == jwtSecretFile)&&(identical(other.authorizeEndpoint, authorizeEndpoint) || other.authorizeEndpoint == authorizeEndpoint)); } @JsonKey(includeFromJson: false, includeToJson: false) @override -int get hashCode => Object.hash(runtimeType,socket,address,port,homeserver,issuer,jwtSecretFile,authorizeEndpoint); +int get hashCode => Object.hash(runtimeType,socket,address,port,homeserver,issuer,serviceDomain,jwtSecretFile,authorizeEndpoint); @override String toString() { - return 'Settings(socket: $socket, address: $address, port: $port, homeserver: $homeserver, issuer: $issuer, jwtSecretFile: $jwtSecretFile, authorizeEndpoint: $authorizeEndpoint)'; + return 'Settings(socket: $socket, address: $address, port: $port, homeserver: $homeserver, 
issuer: $issuer, serviceDomain: $serviceDomain, jwtSecretFile: $jwtSecretFile, authorizeEndpoint: $authorizeEndpoint)'; } @@ -130,7 +132,7 @@ abstract mixin class _$SettingsCopyWith<$Res> implements $SettingsCopyWith<$Res> factory _$SettingsCopyWith(_Settings value, $Res Function(_Settings) _then) = __$SettingsCopyWithImpl; @override @useResult $Res call({ - String? socket, String address, String port, String homeserver, String issuer, String jwtSecretFile, String authorizeEndpoint + String? socket, String address, String port, String homeserver, String issuer, String serviceDomain, String jwtSecretFile, String authorizeEndpoint }); 
@@ -147,13 +149,14 @@ class __$SettingsCopyWithImpl<$Res> /// Create a copy of Settings /// with the given fields replaced by the non-null parameter values. -@override @pragma('vm:prefer-inline') $Res call({Object? socket = freezed,Object? address = null,Object? port = null,Object? homeserver = null,Object? issuer = null,Object? jwtSecretFile = null,Object? authorizeEndpoint = null,}) { +@override @pragma('vm:prefer-inline') $Res call({Object? socket = freezed,Object? address = null,Object? port = null,Object? homeserver = null,Object? issuer = null,Object? serviceDomain = null,Object? jwtSecretFile = null,Object? authorizeEndpoint = null,}) { return _then(_Settings( socket: freezed == socket ? _self.socket : socket // ignore: cast_nullable_to_non_nullable as String?,address: null == address ? _self.address : address // ignore: cast_nullable_to_non_nullable as String,port: null == port ? _self.port : port // ignore: cast_nullable_to_non_nullable as String,homeserver: null == homeserver ? _self.homeserver : homeserver // ignore: cast_nullable_to_non_nullable as String,issuer: null == issuer ? _self.issuer : issuer // ignore: cast_nullable_to_non_nullable +as String,serviceDomain: null == serviceDomain ? _self.serviceDomain : serviceDomain // ignore: cast_nullable_to_non_nullable as String,jwtSecretFile: null == jwtSecretFile ? _self.jwtSecretFile : jwtSecretFile // ignore: cast_nullable_to_non_nullable as String,authorizeEndpoint: null == authorizeEndpoint ? _self.authorizeEndpoint : authorizeEndpoint // ignore: cast_nullable_to_non_nullable as String, diff --git a/lib/models/settings.g.dart b/lib/models/settings.g.dart index c5f7f94..2b35689 100644 --- a/lib/models/settings.g.dart +++ b/lib/models/settings.g.dart 
@@ -12,6 +12,7 @@ _Settings _$SettingsFromJson(Map json) => _Settings( port: json['port'] as String, homeserver: json['homeserver'] as String, issuer: json['issuer'] as String, + serviceDomain: json['serviceDomain'] as String, jwtSecretFile: json['jwtSecretFile'] as String, authorizeEndpoint: json['authorizeEndpoint'] as String, ); @@ -22,6 +23,7 @@ Map _$SettingsToJson(_Settings instance) => { 'port': instance.port, 'homeserver': instance.homeserver, 'issuer': instance.issuer, + 'serviceDomain': instance.serviceDomain, 'jwtSecretFile': instance.jwtSecretFile, 'authorizeEndpoint': instance.authorizeEndpoint, };