npm - vestauth - Versions diffs - 0.3.2 → 0.3.3 - Mend

vestauth 0.3.2 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/package.json +2 -2
package/src/cli/actions/provider/verify.js +5 -17
package/src/cli/commands/primitives.js +0 -7
package/src/cli/commands/provider.js +0 -7
package/src/lib/helpers/agentHeaders.js +1 -11
package/src/lib/helpers/authorityMessage.js +11 -0
package/src/lib/helpers/edPublicKeyObject.js +7 -0
package/src/lib/helpers/headers.js +6 -12
package/src/lib/helpers/parseSignatureInputHeader.js +22 -0
package/src/lib/helpers/providerVerify.js +36 -0
package/src/lib/helpers/providerVerifyWebBotAuth.js +25 -0
package/src/lib/helpers/stripDictionaryKey.js +7 -0
package/src/lib/helpers/verifyAuthorizationHeader.js +1 -1
package/src/lib/helpers/{verify.js → verifyOld.js} +2 -2
package/src/lib/helpers/webBotAuthSignature.js +2 -7
package/src/lib/primitives.js +2 -2
package/src/lib/provider.js +4 -2
package/src/cli/actions/primitives/challenge.js +0 -23
package/src/cli/actions/provider/challenge.js +0 -19

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vestauth",
-  "version": "0.3.2",
+  "version": "0.3.3",
   "description": "auth for agents–from the creator of dotenvx",
   "keywords": [
     "vestauth"
@@ -43,7 +43,7 @@
     "commander": "^11.1.0",
     "eciesjs": "^0.4.16",
     "execa": "^5.1.1",
-    "http-message-sig": "^0.2.0",
+    "structured-headers": "^2.0.2",
     "undici": "7.11.0",
     "web-bot-auth": "^0.1.2"
   },

package/src/cli/actions/provider/verify.js CHANGED Viewed

@@ -1,9 +1,8 @@
 const { logger } = require('./../../../shared/logger')
-const { verify } = require('web-bot-auth')
-const { verifierFromJWK } = require('web-bot-auth/crypto')
+const provider = require('./../../../lib/provider')
-async function _verify (httpMethod, uri, signatureHeader, signatureInputHeader, publicKey) {
+async function verify (httpMethod, uri, signatureHeader, signatureInputHeader, publicKey) {
   logger.debug(`httpMethod: ${httpMethod}`)
   logger.debug(`uri: ${uri}`)
   logger.debug(`signatureHeader: ${signatureHeader}`)
@@ -13,19 +12,8 @@ async function _verify (httpMethod, uri, signatureHeader, signatureInputHeader,
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
-  const verifier = await verifierFromJWK(JSON.parse(publicKey))
-  const headers = {
-    Signature: signatureHeader,
-    'Signature-Input': signatureInputHeader
-  }
-  const signedRequest = new Request(uri, { headers: headers })
-  const r = await verify(signedRequest, verifier)
-  console.log(r)
-  const output = {
-    implement: 'todo'
-  }
+  const output = await provider.verify(httpMethod, uri, signatureHeader, signatureInputHeader, JSON.parse(publicKey))
+  // const output = await provider.verifyWebBotAuth(httpMethod, uri, signatureHeader, signatureInputHeader, JSON.parse(publicKey))
   let space = 0
   if (options.prettyPrint) {
@@ -35,4 +23,4 @@ async function _verify (httpMethod, uri, signatureHeader, signatureInputHeader,
   console.log(JSON.stringify(output, null, space))
 }
-module.exports = _verify
+module.exports = verify

package/src/cli/commands/primitives.js CHANGED Viewed

@@ -6,13 +6,6 @@ primitives
   .description('🔩 primitives')
   .allowUnknownOption()
-// vestauth primitives challenge
-const challengeAction = require('./../actions/primitives/challenge')
-primitives.command('challenge')
-  .description('generate challenge')
-  .option('-pp, --pretty-print', 'pretty print output')
-  .action(challengeAction)
 // vestauth primitives hash [message]
 const hashAction = require('./../actions/primitives/hash')
 primitives.command('hash')

package/src/cli/commands/provider.js CHANGED Viewed

@@ -18,11 +18,4 @@ provider.command('verify')
   .option('-pp, --pretty-print', 'pretty print output')
   .action(verifyAction)
-// vestauth provider challenge
-const challengeAction = require('./../actions/provider/challenge')
-provider.command('challenge')
-  .description('generate challenge')
-  .option('-pp, --pretty-print', 'pretty print output')
-  .action(challengeAction)
 module.exports = provider

package/src/lib/helpers/agentHeaders.js CHANGED Viewed

@@ -1,7 +1,5 @@
 const headers = require('./headers')
 const dotenvx = require('@dotenvx/dotenvx')
-const { verify } = require('web-bot-auth')
-const { verifierFromJWK } = require('web-bot-auth/crypto')
 async function agentHeaders (httpMethod, uri, tag = 'vestauth', nonce = null) {
   let publicKey = null
@@ -11,15 +9,7 @@ async function agentHeaders (httpMethod, uri, tag = 'vestauth', nonce = null) {
   if (!publicKey && !privateKey) throw new Error('missing AGENT_PUBLIC_KEY and AGENT_PRIVATE_KEY. Run [vestauth agent init]')
-  const _headers = await headers(httpMethod, uri, privateKey, tag, nonce)
-  // verification (temp testing)
-  const verifier = await verifierFromJWK(JSON.parse(publicKey))
-  const signedRequest = new Request(uri, { headers: _headers })
-  const r = await verify(signedRequest, verifier)
-  console.log(r)
-  return _headers
+  return await headers(httpMethod, uri, privateKey, tag, nonce)
 }
 module.exports = agentHeaders

package/src/lib/helpers/authorityMessage.js ADDED Viewed

@@ -0,0 +1,11 @@
+function authorityMessage (uri, signatureParams) {
+  const u = new URL(uri)
+  const authority = u.host // includes port if present
+  return [
+    `"@authority": ${authority}`,
+    `"@signature-params": ${signatureParams}`
+  ].join('\n')
+}
+module.exports = authorityMessage

package/src/lib/helpers/edPublicKeyObject.js ADDED Viewed

@@ -0,0 +1,7 @@
+const crypto = require('crypto')
+function edPublicKeyObject (keyJson) {
+  return crypto.createPublicKey({ key: keyJson, format: 'jwk' })
+}
+module.exports = edPublicKeyObject

package/src/lib/helpers/headers.js CHANGED Viewed

@@ -2,11 +2,7 @@ const thumbprint = require('./thumbprint')
 const signatureParams = require('./signatureParams')
 const webBotAuthSignature = require('./webBotAuthSignature')
-// const { signatureHeaders } = require('web-bot-auth')
-// const { signerFromJWK } = require('web-bot-auth/crypto')
 async function headers (httpMethod, uri, privateKeyString, tag = 'vestauth', nonce = null) {
-  // shared
   const privateKey = JSON.parse(privateKeyString)
   const kid = thumbprint(privateKey)
   privateKey.kid = kid
@@ -14,7 +10,7 @@ async function headers (httpMethod, uri, privateKeyString, tag = 'vestauth', non
   // // theirs
   // const request = new Request(uri)
   // const now = new Date()
-  // const headersTheirs = await signatureHeaders(
+  // return await signatureHeaders(
   //   request,
   //   await signerFromJWK(JSON.parse(privateKeyString)),
   //   {
@@ -24,15 +20,13 @@ async function headers (httpMethod, uri, privateKeyString, tag = 'vestauth', non
   // )
   // ours
-  const signature = signatureParams(privateKey.kid, tag, nonce)
-  const sig1 = webBotAuthSignature(httpMethod, uri, signature, privateKey)
+  const signatureInput = signatureParams(privateKey.kid, tag, nonce)
+  const signature = webBotAuthSignature(httpMethod, uri, signatureInput, privateKey)
-  const headersOurs = {
-    Signature: `sig1=:${sig1}:`,
-    'Signature-Input': `sig1=${signature}`
+  return {
+    Signature: `sig1=:${signature}:`,
+    'Signature-Input': `sig1=${signatureInput}`
   }
-  return headersOurs
 }
 module.exports = headers

package/src/lib/helpers/parseSignatureInputHeader.js ADDED Viewed

@@ -0,0 +1,22 @@
+const { parseDictionary } = require('structured-headers')
+// example: sig1=(\"@authority\");created=1769707366;keyid=\"xWuYtVgVV_ZQcfEWexUoln9ynA56PmfF4tAvWQ_Bf_o\";alg=\"ed25519\";expires=1769707666;nonce=\"RtdaKawQVJxEAJwCfI_5-7oVTmfjFkz-rGGifYZ2o2MdAMwJF2nYG3713rL1f9FJmPp8T2j4Sqcmh8H8p8TkRA\";tag=\"web-bot-auth\"
+function parseSignatureInputHeader (signatureInputHeader) {
+  const dictionary = parseDictionary(signatureInputHeader)
+  const entry = dictionary.entries().next()
+  const [key, innerlist] = entry.value
+  const [cwp, params] = innerlist
+  const values = Object.fromEntries(params)
+  const components = []
+  for (const entry of cwp) {
+    components.push(entry[0])
+  }
+  return {
+    key,
+    values,
+    components
+  }
+}
+module.exports = parseSignatureInputHeader

package/src/lib/helpers/providerVerify.js ADDED Viewed

@@ -0,0 +1,36 @@
+const crypto = require('crypto')
+const parseSignatureInputHeader = require('./parseSignatureInputHeader')
+const stripDictionaryKey = require('./stripDictionaryKey')
+const authorityMessage = require('./authorityMessage')
+const edPublicKeyObject = require('./edPublicKeyObject')
+const epoch = require('./epoch')
+function providerVerify (httpMetod, uri, signatureHeader, signatureInputHeader, publicKey) {
+  const { values } = parseSignatureInputHeader(signatureInputHeader)
+  // return early false, since expired
+  if (values.expires && values.expires < epoch(new Date())) {
+    return {
+      success: false
+    }
+  }
+  const signatureParams = stripDictionaryKey(signatureInputHeader)
+  const signature = stripDictionaryKey(signatureHeader)
+  const message = authorityMessage(uri, signatureParams)
+  const publicKeyObject = edPublicKeyObject(publicKey)
+  const success = crypto.verify(
+    null,
+    Buffer.from(message, 'utf8'),
+    publicKeyObject,
+    Buffer.from(signature, 'base64')
+  )
+  return {
+    success
+  }
+}
+module.exports = providerVerify

package/src/lib/helpers/providerVerifyWebBotAuth.js ADDED Viewed

@@ -0,0 +1,25 @@
+const { verify } = require('web-bot-auth')
+const { verifierFromJWK } = require('web-bot-auth/crypto')
+async function providerVerifyWebBotAuth (httpMetod, uri, signatureHeader, signatureInputHeader, publicKey) {
+  let success = false
+  const verifier = await verifierFromJWK(publicKey)
+  const signedRequest = new Request(uri, {
+    headers: {
+      Signature: signatureHeader,
+      'Signature-Input': signatureInputHeader
+    }
+  })
+  try {
+    await verify(signedRequest, verifier)
+    success = true
+  } catch (_e) {}
+  return {
+    success
+  }
+}
+module.exports = providerVerifyWebBotAuth

package/src/lib/helpers/stripDictionaryKey.js ADDED Viewed

@@ -0,0 +1,7 @@
+function stripDictionaryKey (signatureInputHeader) {
+  // sig1=("@authority");created=1769;keyid="abc";alg="ed25519"
+  // strip sig1=
+  return signatureInputHeader.toString().replace(/^[^=]+=/, '')
+}
+module.exports = stripDictionaryKey

package/src/lib/helpers/verifyAuthorizationHeader.js CHANGED Viewed

@@ -1,4 +1,4 @@
-const verify = require('./verify')
+const verify = require('./verifyOld')
 function verifyAuthorizationHeader (challenge, authorizationHeader) {
   const raw = authorizationHeader.replace(/^Agent\s+/i, '').trim() // remove 'Agent ' prefix

package/src/lib/helpers/{verify.js → verifyOld.js} RENAMED Viewed

@@ -2,7 +2,7 @@ const secp = require('@noble/secp256k1')
 const hash = require('./hash')
 const stripFormatting = require('./stripFormatting')
-function verify (challenge, signatureBase64, publicKeyHexPossiblyFormatted) {
+function verifyOld (challenge, signatureBase64, publicKeyHexPossiblyFormatted) {
   const publicKeyHex = stripFormatting(publicKeyHexPossiblyFormatted)
   const hashChallenge = hash(challenge)
   const signature = Buffer.from(signatureBase64, 'base64url')
@@ -11,4 +11,4 @@ function verify (challenge, signatureBase64, publicKeyHexPossiblyFormatted) {
   return secp.verify(signature, hashChallenge, publicKeyBytes)
 }
-module.exports = verify
+module.exports = verifyOld

package/src/lib/helpers/webBotAuthSignature.js CHANGED Viewed

@@ -1,14 +1,9 @@
 const crypto = require('crypto')
 const edPrivateKeyObject = require('./edPrivateKeyObject')
+const authorityMessage = require('./authorityMessage')
 function webBotAuthSignature (method = 'GET', uri = '', signatureParams, privateKey) {
-  const u = new URL(uri)
-  const authority = u.host // includes port if present
-  const message = [
-    `"@authority": ${authority}`,
-    `"@signature-params": ${signatureParams}`
-  ].join('\n')
+  const message = authorityMessage(uri, signatureParams)
   // const message = [
   //   `"@method": ${method.toUpperCase()}`,

package/src/lib/primitives.js CHANGED Viewed

@@ -4,7 +4,7 @@ const keypair = require('./helpers/keypair')
 const keypairOld = require('./helpers/keypairOld')
 const headers = require('./helpers/headers')
 const sign = require('./helpers/sign')
-const verify = require('./helpers/verify')
+const verifyOld = require('./helpers/verifyOld')
 module.exports = {
   challenge,
@@ -13,5 +13,5 @@ module.exports = {
   keypairOld,
   headers,
   sign,
-  verify
+  verifyOld
 }

package/src/lib/provider.js CHANGED Viewed

@@ -1,5 +1,7 @@
-const providerChallenge = require('./helpers/providerChallenge')
+const providerVerify = require('./helpers/providerVerify')
+const providerVerifyWebBotAuth = require('./helpers/providerVerifyWebBotAuth')
 module.exports = {
-  challenge: providerChallenge
+  verify: providerVerify,
+  verifyWebBotAuth: providerVerifyWebBotAuth
 }

package/src/cli/actions/primitives/challenge.js DELETED Viewed

@@ -1,23 +0,0 @@
-const { logger } = require('./../../../shared/logger')
-const primitives = require('./../../../lib/primitives')
-function challenge () {
-  const options = this.opts()
-  logger.debug(`options: ${JSON.stringify(options)}`)
-  const chal = primitives.challenge()
-  const output = {
-    challenge: chal
-  }
-  let space = 0
-  if (options.prettyPrint) {
-    space = 2
-  }
-  console.log(JSON.stringify(output, null, space))
-}
-module.exports = challenge

package/src/cli/actions/provider/challenge.js DELETED Viewed

@@ -1,19 +0,0 @@
-const { logger } = require('./../../../shared/logger')
-const prov = require('./../../../lib/provider')
-async function provider (website) {
-  const options = this.opts()
-  logger.debug(`options: ${JSON.stringify(options)}`)
-  const output = await prov.challenge()
-  let space = 0
-  if (options.prettyPrint) {
-    space = 2
-  }
-  console.log(JSON.stringify(output, null, space))
-}
-module.exports = provider