blue_factory 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1a078159ccaad626c030e20a9ad18e1a408cc8897c27cddb9773c1bd1a6295c
-  data.tar.gz: b7c45df10d3419f21745b760b586fe21e1eb262e9a12c72a5282e3ca0616eace
+  metadata.gz: a7f8f8505228a075534b74c48c3011441aca5f8710bb1dc6fd769fd62cb60d71
+  data.tar.gz: 303454ba19fee635367049603810cb1ebb7662665ccc05ce99c035b063c94b2c
 SHA512:
-  metadata.gz: 3347004aff37324480e13d2c1a21b85f737a9ab8898d874ecf26dad6f1b8f74ffa621ca24d4d76098be1479e145c08745d8c86a5cfcab68e66c8148bd6f76a8c
-  data.tar.gz: 15fd3de8b85ecb2175c3d3ede61b73257bac08e849935ad42aad6b428d70c1fbe1fbec970887db354a6fea8f36fa93851f2909452497cc33f50419bff4cd1bea
+  metadata.gz: 17b3606d68a5bc89557e78fc85478319499e84ce903fdc2f4e56a8221f923435f0c5a55b43a1a64fc974dc843b38d6d9a672480e56fe12c3f5eb6e26fbb5cff6
+  data.tar.gz: b53d4ac56b668b15f256bf5a87abd8f8195d0a91e3f7308b78f24454be9d436a05c539fb31b14fd6febe3b6a7621b7e151ef2c90b3963c64d52c743bd30bb7c6

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## [0.1.4] - 2023-08-19
+
+- implemented partial authentication, without signature verification (`enable_unsafe_auth` option)
+
 ## [0.1.3] - 2023-07-27
 
 - fixed incorrect response when reaching the end of the feed

data/README.md

@@ -40,7 +40,8 @@ BlueFactory.add_feed 'starwars', StarWarsFeed.new
 
 The `get_posts` method of the feed object should:
 
-- accept a single `params` argument which is a hash with fields: `:feed`, `:cursor` and `:limit` (the last two are optional)
+- accept a `params` argument which is a hash with fields: `:feed`, `:cursor` and `:limit` (the last two are optional)
+- optionally, accept a second `current_user` argument which is a string with the authenticated user's DID (depends on authentication config - [see below](#authentication))
 - return a hash with two fields: `:cursor` and `:posts`
 
 The `:feed` is the `at://` URI of the feed. The `:cursor` param, if included, should be a cursor returned by your feed from one of the previous requests, so it should be in the format used by the same function - but anyone can call the endpoint with any params, so you should validate it. The cursor is used for pagination to provide more pages further down in the feed (the first request to load the top of the feed doesn't include a cursor).
@@ -59,7 +60,7 @@ An example implementation could look like this:
 require 'time'
 
 class StarWarsFeed
-  def get_posts(params)
+  def get_posts(params, current_user = nil)
     limit = check_query_limit(params)
     query = Post.select('uri, time').order('time DESC').limit(limit)
 
@@ -122,7 +123,54 @@ server {
 }
 ```
 
-### Additional configuration & customizing
+## Authentication
+
+Feeds are authenticated using [JSON Web Tokens](https://jwt.io). When a user opens, refreshes or scrolls down a feed in their app, a request is made to the feed service from the Bluesky network's IP address with user's authentication token in the `Authorization` HTTP header.
+
+At the moment, Blue Factory handles authentication in a very simplified way - it extracts the user's DID from the authentication header, but it does not verify the signature. This means that anyone can trivially prepare a fake token and make requests to the `getFeedSkeleton` endpoint as a different user.
+
+As such, this authentication should not be used for anything critical. It may be used for things like logging, analytics, or as "security by obscurity" to just discourage others from accessing the feed in the app.
+
+To use this simple authentication, set the `enable_unsafe_auth` option:
+
+```rb
+BlueFactory.set :enable_unsafe_auth, true
+```
+
+The user's DID extracted from the token is passed as a second argument to `#get_posts`. You may, for example, return an empty list when the user is not authorized to use it:
+
+```rb
+class HiddenFeed
+  def get_posts(params, current_user)
+    if AUTHORIZED_USERS.include?(current_user)
+      # ...
+    else
+      { posts: [] }
+    end
+  end
+end
+```
+
+Alternatively, you can raise a `BlueFactory::AuthorizationError` with an optional custom message. This will return a 401 status response to the Bluesky app, which will make it display the pink error banner in the app:
+
+```rb
+class HiddenFeed
+  def get_posts(params, current_user)
+    if AUTHORIZED_USERS.include?(current_user)
+      # ...
+    else
+      raise BlueFactory::AuthorizationError, "You shall not pass!"
+    end
+  end
+end
+```
+
+<p><img width="400" src="https://github.com/mackuba/blue_factory/assets/28465/9197c0ec-9302-4ca0-b06c-3fce2e0fa4f4"></p>
+
+Note: the `current_user` may be `nil` if the authentication header is not set at all (which may happen if you access the endpoint e.g. with `curl` or in a browser).
+
+
+## Additional configuration & customizing
 
 You can use the [Sinatra API](https://sinatrarb.com/intro.html#configuration) to do any additional configuration, like changing the server port, enabling/disabling logging and so on.
 

data/lib/blue_factory/configuration.rb

@@ -13,7 +13,7 @@ module BlueFactory
     (ENV['APP_ENV'] || ENV['RACK_ENV'] || :development).to_sym
   end
 
-  configurable :publisher_did, :hostname, :validate_responses
+  configurable :publisher_did, :hostname, :validate_responses, :enable_unsafe_auth
 
   set :validate_responses, (environment != :production)
 end

data/lib/blue_factory/errors.rb

@@ -1,4 +1,13 @@
 module BlueFactory
+  class AuthorizationError < StandardError
+    attr_reader :error_type
+
+    def initialize(message = "Authentication required", error_type = nil)
+      super(message)
+      @error_type = error_type
+    end
+  end
+
   class InvalidKeyError < StandardError
   end
 
@@ -13,4 +22,7 @@ module BlueFactory
 
   class InvalidResponseError < StandardError
   end
+
+  class UnsupportedAlgorithmError < StandardError
+  end
 end

data/lib/blue_factory/server.rb

@@ -1,3 +1,4 @@
+require 'base64'
 require 'json'
 require 'sinatra/base'
 
@@ -33,6 +34,48 @@ module BlueFactory
         [status, JSON.generate({ error: name, message: message })]
       end
 
+      def get_feed
+        if params[:feed].to_s.empty?
+          raise InvalidResponseError, "Error: Params must have the property \"feed\""
+        end
+
+        if params[:feed] !~ %r(^at://[\w\-\.\:]+/[\w\.]+/[\w\.\-]+$)
+          raise InvalidResponseError, "Error: feed must be a valid at-uri"
+        end
+
+        feed_key = params[:feed].split('/').last
+        feed = config.get_feed(feed_key)
+
+        if feed.nil? || feed_uri(feed_key) != params[:feed]
+          raise UnsupportedAlgorithmError, "Unsupported algorithm"
+        end
+
+        feed
+      end
+
+      def parse_did_from_token
+        auth = env['HTTP_AUTHORIZATION']
+
+        if auth.to_s.strip.empty?
+          return nil
+        end
+
+        if !auth.start_with?('Bearer ')
+          raise AuthorizationError, "Unsupported authorization method"
+        end
+
+        token = auth.gsub(/^Bearer /, '')
+        parts = token.split('.')
+        raise AuthorizationError.new("Invalid JWT format", "BadJwt") unless parts.length == 3
+
+        begin
+          payload = JSON.parse(Base64.decode64(parts[1]))
+          payload['iss']
+        rescue StandardError => e
+          raise AuthorizationError.new("Invalid JWT format", "BadJwt")
+        end
+      end
+
       def validate_response(response)
         cursor = response[:cursor]
         raise InvalidResponseError, ":cursor key is missing" unless response.has_key?(:cursor)
@@ -50,23 +93,17 @@ module BlueFactory
     end
 
     get '/xrpc/app.bsky.feed.getFeedSkeleton' do
-      if params[:feed].to_s.empty?
-        return json_error("InvalidRequest", "Error: Params must have the property \"feed\"")
-      end
-
-      if params[:feed] !~ %r(^at://[\w\-\.\:]+/[\w\.]+/[\w\.\-]+$)
-        return json_error("InvalidRequest", "Error: feed must be a valid at-uri")
-      end
-
-      feed_key = params[:feed].split('/').last
-      feed = config.get_feed(feed_key)
-
-      if feed.nil? || feed_uri(feed_key) != params[:feed]
-        return json_error("UnsupportedAlgorithm", "Unsupported algorithm")
-      end
-
       begin
-        response = feed.get_posts(params.slice(:feed, :cursor, :limit))
+        feed = get_feed
+        args = params.slice(:feed, :cursor, :limit)
+
+        if config.enable_unsafe_auth
+          did = parse_did_from_token
+          response = feed.get_posts(args, did)
+        else
+          response = feed.get_posts(args)
+        end
+
         validate_response(response) if config.validate_responses
 
         output = {}
@@ -76,6 +113,10 @@ module BlueFactory
         return json(output)
       rescue InvalidRequestError => e
         return json_error(e.error_type || "InvalidRequest", e.message)
+      rescue AuthorizationError => e
+        return json_error(e.error_type || "AuthenticationRequired", e.message, status: 401)
+      rescue UnsupportedAlgorithmError => e
+        return json_error("UnsupportedAlgorithm", e.message)
       rescue InvalidResponseError => e
         return json_error("InvalidResponse", e.message)
       end

data/lib/blue_factory/version.rb

@@ -1,3 +1,3 @@
 module BlueFactory
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: blue_factory
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Kuba Suder
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-07-27 00:00:00.000000000 Z
+date: 2023-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra