mystiatech/GreenCoast
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed the device sign

Browse Source
This commit is contained in:
Dani
2025-08-22 18:24:24 -04:00
parent b9fad16fa2
commit 5067913c21
8 changed files with 738 additions and 905 deletions
Download Patch File Download Diff File Expand all files Collapse all files

219
client/app.js
View File

@@ -13,119 +13,80 @@ const els = {
publishStatus: document.getElementById("publishStatus"),
posts: document.getElementById("posts"),
discordStart: document.getElementById("discordStart"),
signinDevice: document.getElementById("signinDevice"),
};
const LS_KEY = "gc_client_config_v1";
const POSTS_KEY = "gc_posts_index_v1";
const DEVKEY_KEY = "gc_device_key_v1"; // stores p256 private/public (pkcs8/spki b64)
const DEVKEY_KEY = "gc_device_key_v1"; // pkcs8/spki (p256) base64url
function defaultApiBase() {
try {
const qs = new URLSearchParams(window.location.search);
const qApi = qs.get("api");
if (qApi) return qApi.replace(/\/+$/, "");
} catch {}
const m = document.querySelector('meta[name="gc-api-base"]');
if (m && m.content) return m.content.replace(/\/+$/, "");
try { const qs = new URLSearchParams(window.location.search); const qApi = qs.get("api"); if (qApi) return qApi.replace(/\/+$/,""); } catch {}
const m = document.querySelector('meta[name="gc-api-base"]'); if (m && m.content) return m.content.replace(/\/+$/,"");
try {
const u = new URL(window.location.href);
const proto = u.protocol;
const host = u.hostname;
const portStr = u.port;
const proto = u.protocol; const host = u.hostname; const portStr = u.port;
const bracketHost = host.includes(":") ? `[${host}]` : host;
const port = portStr ? parseInt(portStr, 10) : null;
const port = portStr ? parseInt(portStr,10) : null;
let apiPort = port;
if (port === 8082) apiPort = 8080;
else if (port === 9082) apiPort = 9080;
else if (port) apiPort = Math.max(1, port - 2);
if (port === 8082) apiPort = 8080; else if (port === 9082) apiPort = 9080; else if (port) apiPort = Math.max(1, port - 2);
return apiPort ? `${proto}//${bracketHost}:${apiPort}` : `${proto}//${bracketHost}`;
} catch {
return window.location.origin.replace(/\/+$/, "");
}
} catch { return window.location.origin.replace(/\/+$/,""); }
}
const cfg = loadConfig(); applyConfig(); (async () => {
await ensureDeviceKey();
await checkHealth(); await syncIndex(); sse();
})();
els.saveConn.onclick = async () => {
const c = { url: norm(els.shardUrl.value), bearer: els.bearer.value.trim(), passphrase: els.passphrase.value };
saveConfig(c);
await checkHealth(); await syncIndex(); sse(true);
};
els.publish.onclick = publish;
els.discordStart.onclick = discordStart;
// -------- local state helpers --------
function loadConfig(){ try { return JSON.parse(localStorage.getItem(LS_KEY)) ?? {}; } catch { return {}; } }
function saveConfig(c){ localStorage.setItem(LS_KEY, JSON.stringify(c)); Object.assign(cfg, c); }
function getPosts(){ try { return JSON.parse(localStorage.getItem(POSTS_KEY)) ?? []; } catch { return []; } }
function setPosts(v){ localStorage.setItem(POSTS_KEY, JSON.stringify(v)); renderPosts(); }
function norm(u){ return (u||"").replace(/\/+$/,""); }
function applyConfig(){ els.shardUrl.value = cfg.url ?? defaultApiBase(); els.bearer.value = cfg.bearer ?? ""; els.passphrase.value = cfg.passphrase ?? ""; }
function msg(t, err=false){ els.publishStatus.textContent=t; els.publishStatus.style.color = err ? "#ff6b6b" : "#8b949e"; }
function getBearer(){ return sessionStorage.getItem("gc_bearer") || cfg.bearer || ""; }
// Prefer session bearer
function getBearer() { return sessionStorage.getItem("gc_bearer") || cfg.bearer || ""; }
// -------- device key (P-256) + PoP --------
const cfg = loadConfig(); applyConfig();
// ---- Device key management (P-256) ----
async function ensureDeviceKey() {
try {
const stored = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "null");
if (stored && stored.priv && stored.pub) return;
} catch {}
const kp = await crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]);
const stored = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "null");
if (stored && stored.priv && stored.pub) return;
const kp = await crypto.subtle.generateKey({ name:"ECDSA", namedCurve:"P-256" }, true, ["sign","verify"]);
const pkcs8 = await crypto.subtle.exportKey("pkcs8", kp.privateKey);
const rawPub = await crypto.subtle.exportKey("raw", kp.publicKey); // 65-byte uncompressed
const b64pk = b64(rawPub);
const b64sk = b64(pkcs8);
localStorage.setItem(DEVKEY_KEY, JSON.stringify({ priv: b64sk, pub: b64pk, alg: "p256" }));
const rawPub = await crypto.subtle.exportKey("raw", kp.publicKey); // 65B uncompressed
localStorage.setItem(DEVKEY_KEY, JSON.stringify({ alg:"p256", priv: b64(rawPub ? pkcs8 : pkcs8), pub: b64(rawPub) }));
}
async function getDevicePriv() {
async function getDevicePriv(){
const s = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "{}");
if (s.alg !== "p256") throw new Error("unsupported alg");
const pkcs8 = ub64(s.priv);
return crypto.subtle.importKey("pkcs8", pkcs8, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
return crypto.subtle.importKey("pkcs8", ub64(s.priv), { name:"ECDSA", namedCurve:"P-256" }, false, ["sign"]);
}
function getDevicePubHdr() {
function getDevicePubHdr(){
const s = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "{}");
if (!s.pub) return "";
return s.alg === "p256" ? ("p256:" + s.pub) : "";
return s && s.pub ? "p256:" + s.pub : "";
}
async function popHeaders(method, url, body) {
// ---- DPoP-style proof headers (sign path, not absolute URL) ----
async function popHeaders(method, pathOnly, bodyBytes){
const ts = Math.floor(Date.now()/1000).toString();
const pub = getDevicePubHdr();
const digest = await sha256Hex(body || new Uint8Array());
const msg = (method.toUpperCase()+"\n"+url+"\n"+ts+"\n"+digest);
const digest = await sha256Hex(bodyBytes || new Uint8Array());
const msg = (method.toUpperCase()+"\n"+pathOnly+"\n"+ts+"\n"+digest);
const priv = await getDevicePriv();
const sig = await crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, priv, new TextEncoder().encode(msg));
const sig = await crypto.subtle.sign({ name:"ECDSA", hash:"SHA-256" }, priv, new TextEncoder().encode(msg));
return { "X-GC-Key": pub, "X-GC-TS": ts, "X-GC-Proof": b64(new Uint8Array(sig)) };
}
async function fetchAPI(path, opts = {}, bodyBytes) {
async function fetchAPI(path, opts = {}, bodyBytes){
if (!cfg.url) throw new Error("Set shard URL first.");
const url = cfg.url + path;
const method = (opts.method || "GET").toUpperCase();
const headers = Object.assign({}, opts.headers || {});
const bearer = getBearer();
if (bearer) headers["Authorization"] = "Bearer " + bearer;
const pop = await popHeaders(method, url, bodyBytes);
const bearer = getBearer(); if (bearer) headers["Authorization"] = "Bearer " + bearer;
const pop = await popHeaders(method, path, bodyBytes);
Object.assign(headers, pop);
const init = Object.assign({}, opts, { method, headers, body: opts.body });
const r = await fetch(url, init);
const r = await fetch(cfg.url + path, Object.assign({}, opts, { method, headers }));
return r;
}
// -------- health, index, sse --------
// ---- Health / Index / SSE ----
async function checkHealth() {
if (!cfg.url) return; els.health.textContent = "Checking…";
try {
@@ -145,17 +106,15 @@ async function syncIndex() {
}
let sseCtrl;
function sse(restart){
async function sse(){
if (!cfg.url) return;
if (sseCtrl) { sseCtrl.abort(); sseCtrl = undefined; }
sseCtrl = new AbortController();
const url = cfg.url + "/v1/index/stream";
const path = "/v1/index/stream";
const headers = {};
const b = getBearer(); if (b) headers["Authorization"] = "Bearer " + b;
headers["X-GC-Key"] = getDevicePubHdr();
headers["X-GC-TS"] = Math.floor(Date.now()/1000).toString();
headers["X-GC-Proof"] = "dummy"; // server ignores body hash for GET; proof not required for initial request in this demo SSE; if required, switch to EventSource polyfill
fetch(url, { headers, signal: sseCtrl.signal }).then(async resp => {
Object.assign(headers, await popHeaders("GET", path, new Uint8Array()));
fetch(cfg.url + path, { headers, signal: sseCtrl.signal }).then(async resp => {
if (!resp.ok) return;
const reader = resp.body.getReader(); const decoder = new TextDecoder();
let buf = "";
@@ -185,32 +144,32 @@ function sse(restart){
}).catch(()=>{});
}
// -------- actions --------
// ---- Actions ----
async function publish() {
if (!cfg.url) return msg("Set shard URL first.", true);
const title = els.title.value.trim(); const body = els.body.value; const vis = els.visibility.value;
try {
let blob, enc=false;
if (vis === "private") {
if (!cfg.passphrase) return msg("Set a passphrase for private posts.", true);
if (!cfg.passphrase) return msg("Set a passphrase (community key) for encrypted posts.", true);
const payload = await encryptString(JSON.stringify({ title, body }), cfg.passphrase);
blob = toBlob(payload); enc=true;
} else { blob = toBlob(JSON.stringify({ title, body })); }
} else {
blob = toBlob(JSON.stringify({ title, body }));
}
const tz = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
const headers = { "Content-Type":"application/octet-stream", "X-GC-TZ": tz };
const bearer = getBearer(); if (bearer) headers["Authorization"] = "Bearer " + bearer;
if (enc) headers["X-GC-Private"] = "1";
const bodyBytes = new Uint8Array(await blob.arrayBuffer());
const pop = await popHeaders("PUT", cfg.url + "/v1/object", bodyBytes);
Object.assign(headers, pop);
Object.assign(headers, await popHeaders("PUT", "/v1/object", bodyBytes));
const r = await fetch(cfg.url + "/v1/object", { method:"PUT", headers, body: blob });
if (!r.ok) throw new Error(await r.text());
const j = await r.json();
const posts = getPosts();
posts.unshift({ hash:j.hash, title: title || "(untitled)", bytes:j.bytes, ts:j.stored_at, enc:j.private, tz:j.creator_tz });
setPosts(posts);
els.body.value = ""; msg(`Published ${enc?"private":"public"} post. Hash: ${j.hash}`);
els.body.value = ""; msg(`Published ${enc?"encrypted":"plaintext"} post. Hash: ${j.hash}`);
} catch(e){ msg("Publish failed: " + (e?.message||e), true); }
}
@@ -256,29 +215,57 @@ async function discordStart() {
location.href = j.url;
}
// Optional: Key-based login (no OAuth)
async function signInWithDeviceKey(){
if (!cfg.url) { alert("Set shard URL first."); return; }
const c = await fetch(cfg.url + "/v1/auth/key/challenge", { method:"POST" }).then(r=>r.json());
const msg = "key-verify\n" + c.nonce;
const priv = await getDevicePriv();
const sig = await crypto.subtle.sign({ name:"ECDSA", hash:"SHA-256" }, priv, new TextEncoder().encode(msg));
const body = JSON.stringify({ nonce:c.nonce, alg:"p256", pub: getDevicePubHdr().slice("p256:".length), sig: b64(new Uint8Array(sig)) });
const r = await fetch(cfg.url + "/v1/auth/key/verify", { method:"POST", headers:{ "Content-Type":"application/json" }, body });
if (!r.ok) { alert("Key sign-in failed"); return; }
const j = await r.json();
sessionStorage.setItem("gc_bearer", j.bearer);
const k = "gc_client_config_v1"; const cfg0 = JSON.parse(localStorage.getItem(k) || "{}"); cfg0.bearer = j.bearer; localStorage.setItem(k, JSON.stringify(cfg0));
alert("Signed in");
try {
if (!cfg.url) { alert("Set shard URL first."); return; }
// 1) challenge
const cResp = await fetch(cfg.url + "/v1/auth/key/challenge", { method:"POST" });
const cTxt = await cResp.text();
if (!cResp.ok) { alert("Challenge failed: " + cTxt); return; }
const c = JSON.parse(cTxt);
if (!c.nonce) { alert("Challenge bad JSON: " + cTxt); return; }
// 2) sign "key-verify\n<nonce>"
const msg = "key-verify\n" + c.nonce;
const priv = await getDevicePriv();
const sig = await crypto.subtle.sign({ name:"ECDSA", hash:"SHA-256" }, priv, new TextEncoder().encode(msg));
// 3) send verify
const body = JSON.stringify({
nonce: c.nonce,
alg: "p256",
pub: (getDevicePubHdr()||"").slice("p256:".length),
sig: b64(new Uint8Array(sig))
});
const vResp = await fetch(cfg.url + "/v1/auth/key/verify", {
method:"POST",
headers:{ "Content-Type":"application/json" },
body
});
const vTxt = await vResp.text();
if (!vResp.ok) { alert("Verify failed: " + vTxt); return; }
const j = JSON.parse(vTxt);
if (!j.bearer) { alert("Verify returned no bearer: " + vTxt); return; }
sessionStorage.setItem("gc_bearer", j.bearer);
const k = "gc_client_config_v1"; const cfg0 = JSON.parse(localStorage.getItem(k) || "{}"); cfg0.bearer = j.bearer; localStorage.setItem(k, JSON.stringify(cfg0));
els.bearer.value = j.bearer;
alert("Signed in ✔");
} catch (e) {
alert("Key sign-in exception: " + (e?.message || e));
}
}
// -------- render --------
// ---- Render ----
function renderPosts() {
const posts = getPosts(); els.posts.innerHTML = "";
for (const p of posts) {
const div = document.createElement("div"); div.className = "post";
const badge = p.enc ? `<span class="badge">private</span>` : `<span class="badge">public</span>`;
const badge = p.enc ? `<span class="badge">encrypted</span>` : `<span class="badge">plaintext</span>`;
const tsLocal = new Date(p.ts).toLocaleString();
const tz = p.tz ? ` · author TZ: ${p.tz}` : "";
div.innerHTML = `
@@ -299,26 +286,22 @@ function renderPosts() {
}
}
// -------- utils --------
// ---- Boot ----
(async () => {
await ensureDeviceKey();
await checkHealth(); await syncIndex(); await sse();
})();
function b64(buf){ return base64url(buf); }
function ub64(s){ return base64urlDecode(s); }
async function sha256Hex(bytes){
const d = await crypto.subtle.digest("SHA-256", bytes);
return Array.from(new Uint8Array(d)).map(b=>b.toString(16).padStart(2,"0")).join("");
}
els.saveConn.onclick = async () => {
const c = { url: norm(els.shardUrl.value), bearer: els.bearer.value.trim(), passphrase: els.passphrase.value };
saveConfig(c);
await checkHealth(); await syncIndex(); await sse();
};
els.publish.onclick = publish;
els.discordStart.onclick = discordStart;
els.signinDevice.onclick = signInWithDeviceKey;
// minimal base64url helpers
function base64url(buf){
let b = (buf instanceof Uint8Array) ? buf : new Uint8Array(buf);
let str = "";
for (let i=0; i<b.length; i++) str += String.fromCharCode(b[i]);
return btoa(str).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"");
}
function base64urlDecode(s){
s = s.replace(/-/g,"+").replace(/_/g,"/");
while (s.length % 4) s += "=";
const bin = atob(s); const b = new Uint8Array(bin.length);
for (let i=0;i<bin.length;i++) b[i] = bin.charCodeAt(i);
return b;
}
// ---- utils ----
function b64(buf){ const b = buf instanceof Uint8Array ? buf : new Uint8Array(buf); let s=""; for (let i=0;i<b.length;i++) s+=String.fromCharCode(b[i]); return btoa(s).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,""); }
function ub64(s){ s=s.replace(/-/g,"+").replace(/_/g,"/"); while (s.length%4) s+="="; const bin=atob(s); const b=new Uint8Array(bin.length); for (let i=0;i<bin.length;i++) b[i]=bin.charCodeAt(i); return b.buffer; }
async function sha256Hex(bytes){ const d = await crypto.subtle.digest("SHA-256", bytes); return Array.from(new Uint8Array(d)).map(b=>b.toString(16).padStart(2,"0")).join(""); }

26
client/index.html
View File

@@ -4,9 +4,9 @@
<meta charset="utf-8"/>
<title>GreenCoast — Client</title>
<meta name="viewport" content="width=device-width,initial-scale=1"/>
<!-- Force API base for Cloudflare tunneled API -->
<meta name="gc-api-base" content="https://api-gc.fullmooncyberworks.com">
<link rel="stylesheet" href="./styles.css"/>
<!-- Optional: set API base explicitly -->
<meta name="gc-api-base" content="https://api-gc.fullmooncyberworks.com">
</head>
<body>
<div class="container">
@@ -16,25 +16,28 @@
<h2>Connect</h2>
<div class="row">
<label>Shard URL</label>
<input id="shardUrl" placeholder="https://api-gc.fullmooncyberworks.com" />
<input id="shardUrl" placeholder="http://localhost:9080" />
</div>
<div class="row">
<label>Bearer (optional)</label>
<input id="bearer" placeholder="dev-local-token" />
<label>Bearer (auto after sign-in)</label>
<input id="bearer" placeholder="(auto)" />
</div>
<div class="row">
<label>Passphrase (private posts)</label>
<label>Passphrase (community key)</label>
<input id="passphrase" type="password" placeholder="••••••••" />
</div>
<div class="row">
<label>3rd-party SSO</label>
<label>Auth</label>
<div>
<button id="signinDevice">Sign in (device key)</button>
<button id="discordStart">Sign in with Discord</button>
<div class="muted" style="margin-top:.4rem;">
We use external providers only if you choose to. We cannot vouch for their security.
Using third-party SSO is optional; we cannot vouch for their security.
</div>
</div>
</div>
<button id="saveConn">Save</button>
<div id="health" class="muted"></div>
</section>
@@ -44,8 +47,8 @@
<div class="row">
<label>Visibility</label>
<select id="visibility">
<option value="public">Public (plaintext)</option>
<option value="private">Private (E2EE via passphrase)</option>
<option value="private">Community-encrypted (recommended)</option>
<option value="public">Plaintext (discouraged; may be disabled by server)</option>
</select>
</div>
<div class="row">
@@ -56,9 +59,6 @@
<label>Body</label>
<textarea id="body" rows="6" placeholder="Write your post..."></textarea>
</div>
<div class="row">
<label><input type="checkbox" id="shareTZ" checked> Include my time zone on this post</label>
</div>
<button id="publish">Publish</button>
<div id="publishStatus" class="muted"></div>
</section>

84
cmd/shard/main.go
View File

@@ -1,3 +1,4 @@
// cmd/shard/main.go
package main
import (
@@ -26,7 +27,7 @@ func getenvBool(key string, def bool) bool {
func staticHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Security posture for static client
// Security headers
w.Header().Set("Referrer-Policy", "no-referrer")
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
w.Header().Set("Cross-Origin-Resource-Policy", "same-site")
@@ -35,10 +36,7 @@ func staticHeaders(next http.Handler) http.Handler {
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload")
// Strong CSP to block XSS/token theft (enumerate your API host)
w.Header().Set("Content-Security-Policy", "default-src 'self'; base-uri 'none'; object-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self' https://api-gc.fullmooncyberworks.com; frame-ancestors 'none'")
// CORS for assets
// Basic CORS for static (GET only effectively)
w.Header().Set("Access-Control-Allow-Origin", "*")
if r.Method == http.MethodOptions {
w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
@@ -51,6 +49,7 @@ func staticHeaders(next http.Handler) http.Handler {
}
func main() {
// ---- Config ----
httpAddr := os.Getenv("GC_HTTP_ADDR")
if httpAddr == "" {
httpAddr = ":9080"
@@ -59,52 +58,52 @@ func main() {
certFile := os.Getenv("GC_TLS_CERT")
keyFile := os.Getenv("GC_TLS_KEY")
staticAddr := os.Getenv("GC_STATIC_ADDR")
if staticAddr == "" {
staticAddr = ":9082"
}
staticDir := os.Getenv("GC_STATIC_DIR")
if staticDir == "" {
staticDir = "/opt/greencoast/client"
}
dataDir := os.Getenv("GC_DATA_DIR")
if dataDir == "" {
dataDir = "/var/lib/greencoast"
}
staticDir := os.Getenv("GC_STATIC_DIR")
if staticDir == "" {
staticDir = "/opt/greencoast/client"
}
staticAddr := os.Getenv("GC_STATIC_ADDR")
if staticAddr == "" {
staticAddr = ":9082"
}
coarseTS := getenvBool("GC_COARSE_TS", false)
zeroTrust := getenvBool("GC_ZERO_TRUST", true)
encRequired := getenvBool("GC_ENCRYPTION_REQUIRED", true) // operator-blind by default
requirePOP := getenvBool("GC_REQUIRE_POP", true) // for logging only; API defaults to true internally
signingSecretHex := os.Getenv("GC_SIGNING_SECRET_HEX")
discID := os.Getenv("GC_DISCORD_CLIENT_ID")
discSecret := os.Getenv("GC_DISCORD_CLIENT_SECRET")
discRedirect := os.Getenv("GC_DISCORD_REDIRECT_URI")
// ---- Storage & Index ----
store, err := storage.NewFS(dataDir)
if err != nil {
log.Fatalf("storage init: %v", err)
}
ix := index.New()
// Auto-reindex on boot if possible
if w, ok := any(store).(interface {
Walk(func(hash string, size int64, mod time.Time) error) error
}); ok {
if err := w.Walk(func(hash string, size int64, mod time.Time) error {
return ix.Put(index.Entry{
Hash: hash,
Bytes: size,
StoredAt: mod.UTC().Format(time.RFC3339Nano),
Private: false,
})
}); err != nil {
log.Printf("reindex on boot: %v", err)
}
// Reindex on boot from whatever files exist on disk
if err := store.Walk(func(hash string, size int64, mod time.Time) error {
return ix.Put(index.Entry{
Hash: hash,
Bytes: size,
StoredAt: mod.UTC().Format(time.RFC3339Nano),
Private: false, // unknown here; safe default
})
}); err != nil {
log.Printf("reindex on boot: %v", err)
}
ap := api.AuthProviders{
// ---- Auth providers ----
providers := api.AuthProviders{
SigningSecretHex: signingSecretHex,
Discord: api.DiscordProvider{
Enabled: discID != "" && discSecret != "" && discRedirect != "",
@@ -114,35 +113,28 @@ func main() {
},
}
srv := api.New(store, ix, coarseTS, zeroTrust, ap)
// ---- API server ----
srv := api.New(store, ix, coarseTS, zeroTrust, providers, encRequired)
// Static client server (9082)
// ---- Static file server (separate listener) ----
go func() {
if st, err := os.Stat(staticDir); err != nil || !st.IsDir() {
log.Printf("WARN: GC_STATIC_DIR %q not found or not a dir; client may 404", staticDir)
}
mux := http.NewServeMux()
// Optional: forward API paths to API host to avoid 404 if user hits wrong host
mux.Handle("/v1/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, "https://api-gc.fullmooncyberworks.com"+r.URL.Path, http.StatusTemporaryRedirect)
}))
mux.Handle("/", http.FileServer(http.Dir(staticDir)))
fs := http.FileServer(http.Dir(staticDir))
h := staticHeaders(fs)
log.Printf("static listening on %s (dir=%s)", staticAddr, staticDir)
if err := http.ListenAndServe(staticAddr, staticHeaders(mux)); err != nil {
if err := http.ListenAndServe(staticAddr, h); err != nil {
log.Fatalf("static server: %v", err)
}
}()
// ---- Start API (HTTP or HTTPS) ----
if httpsAddr != "" && certFile != "" && keyFile != "" {
log.Printf("starting HTTPS API on %s", httpsAddr)
log.Printf("API HTTPS %s POP:%v ENC_REQUIRED:%v", httpsAddr, requirePOP, encRequired)
if err := srv.ListenHTTPS(httpsAddr, certFile, keyFile); err != nil {
log.Fatal(err)
}
return
}
log.Printf("starting HTTP API on %s", httpAddr)
log.Printf("API HTTP %s POP:%v ENC_REQUIRED:%v", httpAddr, requirePOP, encRequired)
if err := srv.ListenHTTP(httpAddr); err != nil {
log.Fatal(err)
}

1
docker-compose.test.yml
View File

@@ -12,6 +12,7 @@ services:
- "9082:9082" # Frontend
environment:
- GC_DEV_ALLOW_UNAUTH=true
- GC_SIGNING_SECRET_HEX=92650f92d67d55368c852713a5007b90d933bff507bc77c980de7bf5442844ca
volumes:
- ./testdata:/var/lib/greencoast
- ./configs/shard.test.yaml:/app/shard.yaml:ro

1
docker-compose.yml
View File

@@ -11,6 +11,7 @@ services:
- "8081:8081"
environment:
- GC_DEV_ALLOW_UNAUTH=false
- GC_SIGNING_SECRET_HEX=92650f92d67d55368c852713a5007b90d933bff507bc77c980de7bf5442844ca
volumes:
- gc_data:/var/lib/greencoast
- ./configs/shard.sample.yaml:/app/shard.yaml:ro

1124
internal/api/http.go
View File

File diff suppressed because it is too large Load Diff

97
internal/api/static.go
View File

@@ -1,86 +1,29 @@
package api
import (
"log"
"mime"
"net/http"
"os"
"path/filepath"
"strings"
"time"
)
func init() {
// Ensure common types are known (some distros are sparse by default)
_ = mime.AddExtensionType(".js", "application/javascript; charset=utf-8")
_ = mime.AddExtensionType(".css", "text/css; charset=utf-8")
_ = mime.AddExtensionType(".html", "text/html; charset=utf-8")
_ = mime.AddExtensionType(".map", "application/json; charset=utf-8")
}
func (s *Server) MountStatic(dir string, baseURL string) {
if dir == "" {
return
}
if baseURL == "" {
baseURL = "/"
}
s.mux.Handle(baseURL, s.staticHandler(dir, baseURL))
if !strings.HasSuffix(baseURL, "/") {
s.mux.Handle(baseURL+"/", s.staticHandler(dir, baseURL))
}
}
func (s *Server) ListenFrontendHTTP(addr, dir, baseURL string) error {
if dir == "" || addr == "" {
return nil
}
log.Printf("frontend listening on %s (dir=%s base=%s)", addr, dir, baseURL)
mx := http.NewServeMux()
mx.Handle(baseURL, s.staticHandler(dir, baseURL))
if !strings.HasSuffix(baseURL, "/") {
mx.Handle(baseURL+"/", s.staticHandler(dir, baseURL))
}
server := &http.Server{
Addr: addr,
Handler: mx,
ReadHeaderTimeout: 5 * time.Second,
}
return server.ListenAndServe()
}
func (s *Server) staticHandler(dir, baseURL string) http.Handler {
if baseURL == "" {
baseURL = "/"
}
// secureHeaders adds strict, privacy-preserving headers to static responses.
func (s *Server) secureHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
s.secureHeaders(w)
up := strings.TrimPrefix(r.URL.Path, baseURL)
if up == "" || strings.HasSuffix(r.URL.Path, "/") {
up = "index.html"
}
full := filepath.Join(dir, filepath.FromSlash(up))
if !strings.HasPrefix(filepath.Clean(full), filepath.Clean(dir)) {
http.NotFound(w, r)
return
}
// Serve file if it exists, else SPA-fallback to index.html
if st, err := os.Stat(full); err == nil && !st.IsDir() {
// Set Content-Type explicitly based on extension
if ctype := mime.TypeByExtension(filepath.Ext(full)); ctype != "" {
w.Header().Set("Content-Type", ctype)
}
http.ServeFile(w, r, full)
return
}
fallback := filepath.Join(dir, "index.html")
if _, err := os.Stat(fallback); err == nil {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
http.ServeFile(w, r, fallback)
return
}
http.NotFound(w, r)
w.Header().Set("Referrer-Policy", "no-referrer")
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
w.Header().Set("Cross-Origin-Resource-Policy", "same-site")
w.Header().Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()")
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload")
next.ServeHTTP(w, r)
})
}
// MountStatic mounts a static file server under a prefix onto the provided mux.
// Usage (from main): s.MountStatic(mux, "/", http.Dir(staticDir))
func (s *Server) MountStatic(mux *http.ServeMux, prefix string, fs http.FileSystem) {
if prefix == "" {
prefix = "/"
}
h := http.StripPrefix(prefix, http.FileServer(fs))
mux.Handle(prefix, s.secureHeaders(h))
}

91
internal/index/index.go
View File

@@ -1,88 +1,63 @@
package index
import (
"sort"
"errors"
"sync"
"time"
)
// Entry is the minimal metadata we expose to clients.
type Entry struct {
Hash string `json:"hash"`
Bytes int64 `json:"bytes"`
StoredAt string `json:"stored_at"`
Private bool `json:"private"`
CreatorTZ string `json:"creator_tz,omitempty"`
}
type rec struct {
Hash string
Bytes int64
StoredAt time.Time
Private bool
CreatorTZ string
StoredAt string `json:"stored_at"` // RFC3339Nano
Private bool `json:"private"` // true if client marked encrypted
CreatorTZ string `json:"creator_tz,omitempty"` // optional IANA TZ from client
}
// Index is an in-memory map from hash -> Entry, safe for concurrent use.
type Index struct {
mu sync.RWMutex
hash map[string]rec
mu sync.RWMutex
m map[string]Entry
}
func New() *Index { return &Index{hash: make(map[string]rec)} }
func New() *Index {
return &Index{m: make(map[string]Entry)}
}
func (ix *Index) Put(e Entry) error {
if e.Hash == "" {
return errors.New("empty hash")
}
ix.mu.Lock()
defer ix.mu.Unlock()
t := parseWhen(e.StoredAt)
if t.IsZero() {
t = time.Now().UTC()
}
ix.hash[e.Hash] = rec{
Hash: e.Hash,
Bytes: e.Bytes,
StoredAt: t,
Private: e.Private,
CreatorTZ: e.CreatorTZ,
}
ix.m[e.Hash] = e
ix.mu.Unlock()
return nil
}
func (ix *Index) Delete(hash string) error {
if hash == "" {
return errors.New("empty hash")
}
ix.mu.Lock()
defer ix.mu.Unlock()
delete(ix.hash, hash)
delete(ix.m, hash)
ix.mu.Unlock()
return nil
}
func (ix *Index) List() ([]Entry, error) {
func (ix *Index) Get(hash string) (Entry, bool) {
ix.mu.RLock()
defer ix.mu.RUnlock()
tmp := make([]rec, 0, len(ix.hash))
for _, r := range ix.hash {
tmp = append(tmp, r)
}
sort.Slice(tmp, func(i, j int) bool { return tmp[i].StoredAt.After(tmp[j].StoredAt) })
out := make([]Entry, len(tmp))
for i, r := range tmp {
out[i] = Entry{
Hash: r.Hash,
Bytes: r.Bytes,
StoredAt: r.StoredAt.UTC().Format(time.RFC3339Nano),
Private: r.Private,
CreatorTZ: r.CreatorTZ,
}
}
return out, nil
e, ok := ix.m[hash]
ix.mu.RUnlock()
return e, ok
}
func parseWhen(s string) time.Time {
if s == "" {
return time.Time{}
// All returns an unsorted copy of all entries.
func (ix *Index) All() []Entry {
ix.mu.RLock()
out := make([]Entry, 0, len(ix.m))
for _, v := range ix.m {
out = append(out, v)
}
if t, err := time.Parse(time.RFC3339Nano, s); err == nil {
return t
}
if t, err := time.Parse(time.RFC3339, s); err == nil {
return t
}
return time.Time{}
ix.mu.RUnlock()
return out
}