From 66049566ae865e1a4bd049257d6afc0abded16e9 Mon Sep 17 00:00:00 2001
From: Vika <vika@fireburn.ru>
Date: Mon, 19 Sep 2022 17:30:38 +0300
Subject: feat: indieauth support

Working:
 - Tokens and codes
 - Authenticating with a password

Not working:
 - Setting the password (need to patch onboarding)
 - WebAuthn (the JavaScript is too complicated)
---
 kittybox-rs/src/indieauth/backend.rs | 92 +++++++++++++++++++++++++++++++++---
 1 file changed, 85 insertions(+), 7 deletions(-)

(limited to 'kittybox-rs/src/indieauth/backend.rs')

diff --git a/kittybox-rs/src/indieauth/backend.rs b/kittybox-rs/src/indieauth/backend.rs
index f420db9..8b0c10a 100644
--- a/kittybox-rs/src/indieauth/backend.rs
+++ b/kittybox-rs/src/indieauth/backend.rs
@@ -1,21 +1,99 @@
 use std::collections::HashMap;
-
 use kittybox_indieauth::{
     AuthorizationRequest, TokenData
 };
+pub use kittybox_util::auth::EnrolledCredential;
 
 type Result<T> = std::io::Result<T>;
 
+pub mod fs;
+pub use fs::FileBackend;
+
+
 #[async_trait::async_trait]
 pub trait AuthBackend: Clone + Send + Sync + 'static {
+    // Authorization code management.
+    /// Create a one-time OAuth2 authorization code for the passed
+    /// authorization request, and save it for later retrieval.
+    ///
+    /// Note for implementors: the [`AuthorizationRequest::me`] value
+    /// is guaranteed to be [`Some(url::Url)`][Option::Some] and can
+    /// be trusted to be correct and non-malicious.
     async fn create_code(&self, data: AuthorizationRequest) -> Result<String>;
+    /// Retreive an authorization request using the one-time
+    /// code. Implementations must sanitize the `code` field to
+    /// prevent exploits, and must check if the code should still be
+    /// valid at this point in time (validity interval is left up to
+    /// the implementation, but is recommended to be no more than 10
+    /// minutes).
     async fn get_code(&self, code: &str) -> Result<Option<AuthorizationRequest>>;
+    // Token management.
     async fn create_token(&self, data: TokenData) -> Result<String>;
-    async fn get_token(&self, token: &str) -> Result<Option<TokenData>>;
-    async fn list_tokens(&self, website: url::Url) -> Result<HashMap<String, TokenData>>;
-    async fn revoke_token(&self, token: &str) -> Result<()>;
+    async fn get_token(&self, website: &url::Url, token: &str) -> Result<Option<TokenData>>;
+    async fn list_tokens(&self, website: &url::Url) -> Result<HashMap<String, TokenData>>;
+    async fn revoke_token(&self, website: &url::Url, token: &str) -> Result<()>;
+    // Refresh token management.
     async fn create_refresh_token(&self, data: TokenData) -> Result<String>;
-    async fn get_refresh_token(&self, token: &str) -> Result<Option<TokenData>>;
-    async fn list_refresh_tokens(&self, website: url::Url) -> Result<HashMap<String, TokenData>>;
-    async fn revoke_refresh_token(&self, token: &str) -> Result<()>;
+    async fn get_refresh_token(&self, website: &url::Url, token: &str) -> Result<Option<TokenData>>;
+    async fn list_refresh_tokens(&self, website: &url::Url) -> Result<HashMap<String, TokenData>>;
+    async fn revoke_refresh_token(&self, website: &url::Url, token: &str) -> Result<()>;
+    // Password management.
+    /// Verify a password.
+    #[must_use]
+    async fn verify_password(&self, website: &url::Url, password: String) -> Result<bool>;
+    /// Enroll a password credential for a user. Only one password
+    /// credential must exist for a given user.
+    async fn enroll_password(&self, website: &url::Url, password: String) -> Result<()>;
+    // WebAuthn credential management.
+    /// Enroll a WebAuthn authenticator public key for this user.
+    /// Multiple public keys may be saved for one user, corresponding
+    /// to different authenticators used by them.
+    ///
+    /// This function can also be used to overwrite a passkey with an
+    /// updated version after using
+    /// [webauthn::prelude::Passkey::update_credential()].
+    async fn enroll_webauthn(&self, website: &url::Url, credential: webauthn::prelude::Passkey) -> Result<()>;
+    /// List currently enrolled WebAuthn authenticators for a given user.
+    async fn list_webauthn_pubkeys(&self, website: &url::Url) -> Result<Vec<webauthn::prelude::Passkey>>;
+    /// Persist registration challenge state for a little while so it
+    /// can be used later.
+    ///
+    /// Challenges saved in this manner MUST expire after a little
+    /// while. 10 minutes is recommended.
+    async fn persist_registration_challenge(
+        &self,
+        website: &url::Url,
+        state: webauthn::prelude::PasskeyRegistration
+    ) -> Result<String>;
+    /// Retrieve a persisted registration challenge.
+    ///
+    /// The challenge should be deleted after retrieval.
+    async fn retrieve_registration_challenge(
+        &self,
+        website: &url::Url,
+        challenge_id: &str
+    ) -> Result<webauthn::prelude::PasskeyRegistration>;
+    /// Persist authentication challenge state for a little while so
+    /// it can be used later.
+    ///
+    /// Challenges saved in this manner MUST expire after a little
+    /// while. 10 minutes is recommended.
+    ///
+    /// To support multiple authentication options, this can return an
+    /// opaque token that should be set as a cookie.
+    async fn persist_authentication_challenge(
+        &self,
+        website: &url::Url,
+        state: webauthn::prelude::PasskeyAuthentication
+    ) -> Result<String>;
+    /// Retrieve a persisted authentication challenge.
+    ///
+    /// The challenge should be deleted after retrieval.
+    async fn retrieve_authentication_challenge(
+        &self,
+        website: &url::Url,
+        challenge_id: &str
+    ) -> Result<webauthn::prelude::PasskeyAuthentication>;
+    /// List currently enrolled credential types for a given user.
+    async fn list_user_credential_types(&self, website: &url::Url) -> Result<Vec<EnrolledCredential>>;
 }
-- 
cgit 1.4.1