2020-03-03 01:04:36 +09:00
|
|
|
require "crypto/subtle"
|
|
|
|
|
2021-12-07 06:28:16 +09:00
|
|
|
def generate_token(email, scopes, expire, key)
|
2019-04-19 06:23:50 +09:00
|
|
|
session = "v1:#{Base64.urlsafe_encode(Random::Secure.random_bytes(32))}"
|
2021-12-03 07:57:13 +09:00
|
|
|
Invidious::Database::SessionIDs.insert(session, email)
|
2019-04-19 06:23:50 +09:00
|
|
|
|
|
|
|
token = {
|
|
|
|
"session" => session,
|
|
|
|
"scopes" => scopes,
|
|
|
|
"expire" => expire,
|
|
|
|
}
|
|
|
|
|
|
|
|
if !expire
|
|
|
|
token.delete("expire")
|
|
|
|
end
|
|
|
|
|
|
|
|
token["signature"] = sign_token(key, token)
|
|
|
|
|
|
|
|
return token.to_json
|
|
|
|
end
|
|
|
|
|
2021-12-07 06:28:16 +09:00
|
|
|
def generate_response(session, scopes, key, expire = 6.hours, use_nonce = false)
|
2019-06-08 09:56:41 +09:00
|
|
|
expire = Time.utc + expire
|
2019-04-19 06:23:50 +09:00
|
|
|
|
|
|
|
token = {
|
|
|
|
"session" => session,
|
|
|
|
"expire" => expire.to_unix,
|
|
|
|
"scopes" => scopes,
|
|
|
|
}
|
|
|
|
|
|
|
|
if use_nonce
|
|
|
|
nonce = Random::Secure.hex(16)
|
2021-12-03 07:57:13 +09:00
|
|
|
Invidious::Database::Nonces.insert(nonce, expire)
|
2019-04-19 06:23:50 +09:00
|
|
|
token["nonce"] = nonce
|
|
|
|
end
|
|
|
|
|
|
|
|
token["signature"] = sign_token(key, token)
|
|
|
|
|
|
|
|
return token.to_json
|
|
|
|
end
|
|
|
|
|
|
|
|
def sign_token(key, hash)
|
|
|
|
string_to_sign = [] of String
|
|
|
|
|
2022-01-21 01:17:22 +09:00
|
|
|
# TODO: figure out which "key" variable is used
|
|
|
|
# Ameba reports a warning for "Lint/ShadowingOuterLocalVar" on this
|
2022-02-07 21:57:14 +09:00
|
|
|
# variable, but it's preferable to not touch that (works fine atm).
|
2019-04-19 06:23:50 +09:00
|
|
|
hash.each do |key, value|
|
2020-04-10 02:18:09 +09:00
|
|
|
next if key == "signature"
|
2019-04-19 06:23:50 +09:00
|
|
|
|
2020-04-10 02:18:09 +09:00
|
|
|
if value.is_a?(JSON::Any) && value.as_a?
|
2021-09-25 11:42:43 +09:00
|
|
|
value = value.as_a.map(&.as_s)
|
2019-04-19 06:23:50 +09:00
|
|
|
end
|
|
|
|
|
|
|
|
case value
|
|
|
|
when Array
|
|
|
|
string_to_sign << "#{key}=#{value.sort.join(",")}"
|
|
|
|
when Tuple
|
|
|
|
string_to_sign << "#{key}=#{value.to_a.sort.join(",")}"
|
|
|
|
else
|
|
|
|
string_to_sign << "#{key}=#{value}"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
string_to_sign = string_to_sign.sort.join("\n")
|
|
|
|
return Base64.urlsafe_encode(OpenSSL::HMAC.digest(:sha256, key, string_to_sign)).strip
|
|
|
|
end
|
|
|
|
|
2021-12-07 06:28:16 +09:00
|
|
|
def validate_request(token, session, request, key, locale = nil)
|
2019-04-19 06:23:50 +09:00
|
|
|
case token
|
|
|
|
when String
|
2019-09-25 02:31:33 +09:00
|
|
|
token = JSON.parse(URI.decode_www_form(token)).as_h
|
2019-04-19 06:23:50 +09:00
|
|
|
when JSON::Any
|
|
|
|
token = token.as_h
|
|
|
|
when Nil
|
2020-11-30 18:59:21 +09:00
|
|
|
raise InfoException.new("Hidden field \"token\" is a required field")
|
2019-04-19 06:23:50 +09:00
|
|
|
end
|
|
|
|
|
2020-03-03 01:04:36 +09:00
|
|
|
expire = token["expire"]?.try &.as_i
|
|
|
|
if expire.try &.< Time.utc.to_unix
|
2020-11-30 18:59:21 +09:00
|
|
|
raise InfoException.new("Token is expired, please try again")
|
2019-04-19 06:23:50 +09:00
|
|
|
end
|
|
|
|
|
|
|
|
if token["session"] != session
|
2020-11-30 18:59:21 +09:00
|
|
|
raise InfoException.new("Erroneous token")
|
2019-04-19 06:23:50 +09:00
|
|
|
end
|
|
|
|
|
2021-09-25 11:42:43 +09:00
|
|
|
scopes = token["scopes"].as_a.map(&.as_s)
|
2019-04-19 06:23:50 +09:00
|
|
|
scope = "#{request.method}:#{request.path.lchop("/api/v1/auth/").lstrip("/")}"
|
|
|
|
if !scopes_include_scope(scopes, scope)
|
2020-11-30 18:59:21 +09:00
|
|
|
raise InfoException.new("Invalid scope")
|
2019-04-19 06:23:50 +09:00
|
|
|
end
|
|
|
|
|
2020-03-03 01:04:36 +09:00
|
|
|
if !Crypto::Subtle.constant_time_compare(token["signature"].to_s, sign_token(key, token))
|
2020-11-30 18:59:21 +09:00
|
|
|
raise InfoException.new("Invalid signature")
|
2020-03-03 01:04:36 +09:00
|
|
|
end
|
|
|
|
|
2021-12-03 07:57:13 +09:00
|
|
|
if token["nonce"]? && (nonce = Invidious::Database::Nonces.select(token["nonce"].as_s))
|
2020-03-03 01:04:36 +09:00
|
|
|
if nonce[1] > Time.utc
|
2021-12-03 07:57:13 +09:00
|
|
|
Invidious::Database::Nonces.update_set_expired(nonce[0])
|
2020-03-03 01:04:36 +09:00
|
|
|
else
|
2020-11-30 18:59:21 +09:00
|
|
|
raise InfoException.new("Erroneous token")
|
2020-03-03 01:04:36 +09:00
|
|
|
end
|
2019-04-19 06:23:50 +09:00
|
|
|
end
|
|
|
|
|
|
|
|
return {scopes, expire, token["signature"].as_s}
|
|
|
|
end
|
|
|
|
|
|
|
|
def scope_includes_scope(scope, subset)
|
|
|
|
methods, endpoint = scope.split(":")
|
2021-09-25 11:50:56 +09:00
|
|
|
methods = methods.split(";").map(&.upcase).reject(&.empty?).sort!
|
2019-04-19 06:23:50 +09:00
|
|
|
endpoint = endpoint.downcase
|
|
|
|
|
|
|
|
subset_methods, subset_endpoint = subset.split(":")
|
2021-09-25 11:50:56 +09:00
|
|
|
subset_methods = subset_methods.split(";").map(&.upcase).sort!
|
2019-04-19 06:23:50 +09:00
|
|
|
subset_endpoint = subset_endpoint.downcase
|
|
|
|
|
|
|
|
if methods.empty?
|
|
|
|
methods = %w(GET POST PUT HEAD DELETE PATCH OPTIONS)
|
|
|
|
end
|
|
|
|
|
|
|
|
if methods & subset_methods != subset_methods
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
if endpoint.ends_with?("*") && !subset_endpoint.starts_with? endpoint.rchop("*")
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
if !endpoint.ends_with?("*") && subset_endpoint != endpoint
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
|
|
|
|
def scopes_include_scope(scopes, subset)
|
|
|
|
scopes.each do |scope|
|
|
|
|
if scope_includes_scope(scope, subset)
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
return false
|
|
|
|
end
|