wiki-security-sessionless 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Zach
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,65 @@
+# Federated Wiki - Security Plug-in: Sessionless
+
+-------------
+
+This module lets wiki owners supply public keys for use with the [Sessionless][sessionless] protocol. 
+The tl;dr of that here is that you can utilize a private key stored locally on your machine, to create a signature, which logs you into your wiki instance. 
+The public key for this signature is stored on the server, and can be shared or reused however you'd like, and thus no third party identity provider or shared personal information needs to be used. 
+
+-------------
+
+## Configuration
+
+-------------
+
+This plugin expects an owner file that looks like this:
+
+```json
+{
+  "name": "owner's name",
+  "keys": {
+    "pubKey": "028a2a944b5bcd93fb130d94abd22bd51569a3fcf17117521f37a7c5466c1baf96"
+  }
+}
+```
+
+Multiple key support will be added in a future update. 
+
+There are many ways to get sessionless keys. 
+This repo contains a simple `generate-keys.js` script that can be run to get a key pair, but anything that can generate keys on the secp256k1 curve can be used including openssl, and various other cryptographic libraries.
+
+--------------
+
+## Usage
+
+--------------
+
+### Server 
+
+Launch the wiki server with at least the following args:
+
+`wiki --security_type=sessionless --id /path/to/.wiki/status/owner.json --security=./security --cookieSecret=biglongstring --session_duration=10`
+
+* `cookieSecret` needs to be consistent across server starts to maintain existing sessions. Alternatively, if you'd like to burn all sessions just change the secret.  
+
+* `session_duration` is the number in days that you'd like your sessions to be valid for. Fractional days should work, but are untested by the author of this plugin.
+
+### Client
+
+There is no need for a UI to login, instead a timestamp and signature is passed as query parameters to the login route of your wiki. 
+To get the signature this repo provides a `generate-signature.js` helper script, which can be run as follows:
+
+`PRIVATE_KEY=<put your key here> OWNER_NAME=planetnineisaspaceship node generate-signature.js`
+
+You can of course use any other method of getting a signature. 
+The server will check a message that is the timestamp that is passed in the query params, and the owner's name on the server. 
+In the future the timestamp will only be valid for a small amount of time, but that is left for a future version.
+
+Once you have your signature you'll want to construct this kind of url:
+
+`http://<domain.wiki>/login?timestamp=1739658960170&signature=c9220aaec64bbb61bf66928e4fca546e0cfe64ce3637b69d16025e6968cfc99e3ccf32a73a9536da7cb2b74ba7670a24bf8c5c4d0b3210a7fc6c142d5de7b215`
+
+Pasting that into your browser will log you in, and you'll be all set.
+
+
+[sessionless]: https://github.com/planet-nine-app/sessionless

package/generate-keys.js

@@ -0,0 +1,3 @@
+const sessionless = require('sessionless-node');
+
+sessionless.generateKeys(() => {}, () => {}).then(console.log).catch(console.error);

package/generate-signature.js

@@ -0,0 +1,21 @@
+const sessionless = require('sessionless-node');
+
+if(!process.env.PRIVATE_KEY || !process.env.OWNER_NAME) {
+  console.error('please provide a PRIVATE_KEY and OWNER_NAME');
+  process.exit();
+}
+
+sessionless.getKeys = () => {
+  return {
+    privateKey: process.env.PRIVATE_KEY,
+    pubKey: ''
+  };
+};
+
+const timestamp = new Date().getTime() + '';
+const message = timestamp + process.env.OWNER_NAME;
+
+sessionless.sign(message)
+  .then(signature => console.log(`?timestamp=${timestamp}&signature=${signature}`))
+  .catch(console.error);
+

package/index.js

@@ -0,0 +1 @@
+module.exports = require('./server/sessionless');

package/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "wiki-security-sessionless",
+  "version": "0.0.1",
+  "description": "A sessionless security module for the federated wiki",
+  "keywords": [
+    "federated",
+    "wiki"
+  ],
+  "license": "MIT",
+  "author": "planetnineisaspaceship",
+  "type": "commonjs",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "sessionless-node": "^0.11.0"
+  }
+}

package/server/sessionless.js

@@ -0,0 +1,90 @@
+const fs = require('fs');
+const sessionless = require('sessionless-node');
+
+console.log('sessionless server starting');
+
+let keys;
+const saveKeys = (_keys) => keys = _keys;
+const getKeys = () => keys;
+
+module.exports = (log, loga, argv) => {
+  const security = {};
+
+  const idFile = argv.id;
+
+  let owner = '';
+  let ownerName = '';
+  
+  security.retrieveOwner = (callback) => {
+    fs.readFile(idFile, (err, data) => {
+      if(err) {
+        return callback(err);
+      }
+      owner = JSON.parse(data);
+      callback();
+    });
+  };
+
+  security.getOwner = () => {
+    if(!owner || !owner.name) {
+      ownerName = '';
+    } else {
+      ownerName = owner.name;
+    }
+    return ownerName;
+  };
+
+  security.setOwner = (id, callback) => {
+    // I don't think there is a reason to set owner during runtime so this is left as a noop for now
+  };
+
+  security.getUser = (req) => {
+    // TODO: This may be relevant if we add joan for PAP
+  };
+
+  security.isAuthorized = async (req) => {
+    if(req.session.key) {
+       const keys = await sessionless.getKeys();
+       const signature = await sessionless.sign(req.path);
+       try {
+         const isVerified = sessionless.verifySignature(signature, req.path, keys.pubKey);
+         return isVerified;
+       } catch(err) {
+         return false;
+       }
+    }
+    return false;
+  }
+
+  security.login = async (req, res) => {
+    const timestamp = req.query.timestamp;
+    const signature = req.query.signature;
+    const name = owner.name;
+    const message = timestamp + name;    
+    
+    try {
+      if(sessionless.verifySignature(signature, message, owner.keys.pubKey)) {
+	const keys = await sessionless.generateKeys(saveKeys, getKeys);
+
+	req.session.key = keys.privateKey;
+	return res.redirect('/view/welcome-visitors');
+      } 
+    } catch(err) {}
+    
+    
+    res.status(403);
+    return res.send('unauthorized');
+  };
+
+  security.logout = async (req, res) => {
+    req.session.reset();
+    res.send("OK");
+  };
+
+  security.defineRoutes = (app, cors, updateOwner) => {
+    app.get('/login', cors, security.login);
+    app.get('/logout', cors, security.logout);
+  };
+
+  return security;
+};