Fixed the device sign
This commit is contained in:
219
client/app.js
219
client/app.js
@@ -13,119 +13,80 @@ const els = {
|
||||
publishStatus: document.getElementById("publishStatus"),
|
||||
posts: document.getElementById("posts"),
|
||||
discordStart: document.getElementById("discordStart"),
|
||||
signinDevice: document.getElementById("signinDevice"),
|
||||
};
|
||||
|
||||
const LS_KEY = "gc_client_config_v1";
|
||||
const POSTS_KEY = "gc_posts_index_v1";
|
||||
const DEVKEY_KEY = "gc_device_key_v1"; // stores p256 private/public (pkcs8/spki b64)
|
||||
const DEVKEY_KEY = "gc_device_key_v1"; // pkcs8/spki (p256) base64url
|
||||
|
||||
function defaultApiBase() {
|
||||
try {
|
||||
const qs = new URLSearchParams(window.location.search);
|
||||
const qApi = qs.get("api");
|
||||
if (qApi) return qApi.replace(/\/+$/, "");
|
||||
} catch {}
|
||||
const m = document.querySelector('meta[name="gc-api-base"]');
|
||||
if (m && m.content) return m.content.replace(/\/+$/, "");
|
||||
try { const qs = new URLSearchParams(window.location.search); const qApi = qs.get("api"); if (qApi) return qApi.replace(/\/+$/,""); } catch {}
|
||||
const m = document.querySelector('meta[name="gc-api-base"]'); if (m && m.content) return m.content.replace(/\/+$/,"");
|
||||
try {
|
||||
const u = new URL(window.location.href);
|
||||
const proto = u.protocol;
|
||||
const host = u.hostname;
|
||||
const portStr = u.port;
|
||||
const proto = u.protocol; const host = u.hostname; const portStr = u.port;
|
||||
const bracketHost = host.includes(":") ? `[${host}]` : host;
|
||||
const port = portStr ? parseInt(portStr, 10) : null;
|
||||
const port = portStr ? parseInt(portStr,10) : null;
|
||||
let apiPort = port;
|
||||
if (port === 8082) apiPort = 8080;
|
||||
else if (port === 9082) apiPort = 9080;
|
||||
else if (port) apiPort = Math.max(1, port - 2);
|
||||
if (port === 8082) apiPort = 8080; else if (port === 9082) apiPort = 9080; else if (port) apiPort = Math.max(1, port - 2);
|
||||
return apiPort ? `${proto}//${bracketHost}:${apiPort}` : `${proto}//${bracketHost}`;
|
||||
} catch {
|
||||
return window.location.origin.replace(/\/+$/, "");
|
||||
}
|
||||
} catch { return window.location.origin.replace(/\/+$/,""); }
|
||||
}
|
||||
|
||||
const cfg = loadConfig(); applyConfig(); (async () => {
|
||||
await ensureDeviceKey();
|
||||
await checkHealth(); await syncIndex(); sse();
|
||||
})();
|
||||
|
||||
els.saveConn.onclick = async () => {
|
||||
const c = { url: norm(els.shardUrl.value), bearer: els.bearer.value.trim(), passphrase: els.passphrase.value };
|
||||
saveConfig(c);
|
||||
await checkHealth(); await syncIndex(); sse(true);
|
||||
};
|
||||
|
||||
els.publish.onclick = publish;
|
||||
els.discordStart.onclick = discordStart;
|
||||
|
||||
// -------- local state helpers --------
|
||||
|
||||
function loadConfig(){ try { return JSON.parse(localStorage.getItem(LS_KEY)) ?? {}; } catch { return {}; } }
|
||||
function saveConfig(c){ localStorage.setItem(LS_KEY, JSON.stringify(c)); Object.assign(cfg, c); }
|
||||
function getPosts(){ try { return JSON.parse(localStorage.getItem(POSTS_KEY)) ?? []; } catch { return []; } }
|
||||
function setPosts(v){ localStorage.setItem(POSTS_KEY, JSON.stringify(v)); renderPosts(); }
|
||||
function norm(u){ return (u||"").replace(/\/+$/,""); }
|
||||
function applyConfig(){ els.shardUrl.value = cfg.url ?? defaultApiBase(); els.bearer.value = cfg.bearer ?? ""; els.passphrase.value = cfg.passphrase ?? ""; }
|
||||
|
||||
function msg(t, err=false){ els.publishStatus.textContent=t; els.publishStatus.style.color = err ? "#ff6b6b" : "#8b949e"; }
|
||||
function getBearer(){ return sessionStorage.getItem("gc_bearer") || cfg.bearer || ""; }
|
||||
|
||||
// Prefer session bearer
|
||||
function getBearer() { return sessionStorage.getItem("gc_bearer") || cfg.bearer || ""; }
|
||||
|
||||
// -------- device key (P-256) + PoP --------
|
||||
const cfg = loadConfig(); applyConfig();
|
||||
|
||||
// ---- Device key management (P-256) ----
|
||||
async function ensureDeviceKey() {
|
||||
try {
|
||||
const stored = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "null");
|
||||
if (stored && stored.priv && stored.pub) return;
|
||||
} catch {}
|
||||
const kp = await crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]);
|
||||
const stored = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "null");
|
||||
if (stored && stored.priv && stored.pub) return;
|
||||
const kp = await crypto.subtle.generateKey({ name:"ECDSA", namedCurve:"P-256" }, true, ["sign","verify"]);
|
||||
const pkcs8 = await crypto.subtle.exportKey("pkcs8", kp.privateKey);
|
||||
const rawPub = await crypto.subtle.exportKey("raw", kp.publicKey); // 65-byte uncompressed
|
||||
const b64pk = b64(rawPub);
|
||||
const b64sk = b64(pkcs8);
|
||||
localStorage.setItem(DEVKEY_KEY, JSON.stringify({ priv: b64sk, pub: b64pk, alg: "p256" }));
|
||||
const rawPub = await crypto.subtle.exportKey("raw", kp.publicKey); // 65B uncompressed
|
||||
localStorage.setItem(DEVKEY_KEY, JSON.stringify({ alg:"p256", priv: b64(rawPub ? pkcs8 : pkcs8), pub: b64(rawPub) }));
|
||||
}
|
||||
|
||||
async function getDevicePriv() {
|
||||
async function getDevicePriv(){
|
||||
const s = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "{}");
|
||||
if (s.alg !== "p256") throw new Error("unsupported alg");
|
||||
const pkcs8 = ub64(s.priv);
|
||||
return crypto.subtle.importKey("pkcs8", pkcs8, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
|
||||
return crypto.subtle.importKey("pkcs8", ub64(s.priv), { name:"ECDSA", namedCurve:"P-256" }, false, ["sign"]);
|
||||
}
|
||||
|
||||
function getDevicePubHdr() {
|
||||
function getDevicePubHdr(){
|
||||
const s = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "{}");
|
||||
if (!s.pub) return "";
|
||||
return s.alg === "p256" ? ("p256:" + s.pub) : "";
|
||||
return s && s.pub ? "p256:" + s.pub : "";
|
||||
}
|
||||
|
||||
async function popHeaders(method, url, body) {
|
||||
// ---- DPoP-style proof headers (sign path, not absolute URL) ----
|
||||
async function popHeaders(method, pathOnly, bodyBytes){
|
||||
const ts = Math.floor(Date.now()/1000).toString();
|
||||
const pub = getDevicePubHdr();
|
||||
const digest = await sha256Hex(body || new Uint8Array());
|
||||
const msg = (method.toUpperCase()+"\n"+url+"\n"+ts+"\n"+digest);
|
||||
const digest = await sha256Hex(bodyBytes || new Uint8Array());
|
||||
const msg = (method.toUpperCase()+"\n"+pathOnly+"\n"+ts+"\n"+digest);
|
||||
const priv = await getDevicePriv();
|
||||
const sig = await crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, priv, new TextEncoder().encode(msg));
|
||||
const sig = await crypto.subtle.sign({ name:"ECDSA", hash:"SHA-256" }, priv, new TextEncoder().encode(msg));
|
||||
return { "X-GC-Key": pub, "X-GC-TS": ts, "X-GC-Proof": b64(new Uint8Array(sig)) };
|
||||
}
|
||||
|
||||
async function fetchAPI(path, opts = {}, bodyBytes) {
|
||||
async function fetchAPI(path, opts = {}, bodyBytes){
|
||||
if (!cfg.url) throw new Error("Set shard URL first.");
|
||||
const url = cfg.url + path;
|
||||
const method = (opts.method || "GET").toUpperCase();
|
||||
const headers = Object.assign({}, opts.headers || {});
|
||||
const bearer = getBearer();
|
||||
if (bearer) headers["Authorization"] = "Bearer " + bearer;
|
||||
const pop = await popHeaders(method, url, bodyBytes);
|
||||
const bearer = getBearer(); if (bearer) headers["Authorization"] = "Bearer " + bearer;
|
||||
const pop = await popHeaders(method, path, bodyBytes);
|
||||
Object.assign(headers, pop);
|
||||
const init = Object.assign({}, opts, { method, headers, body: opts.body });
|
||||
const r = await fetch(url, init);
|
||||
const r = await fetch(cfg.url + path, Object.assign({}, opts, { method, headers }));
|
||||
return r;
|
||||
}
|
||||
|
||||
// -------- health, index, sse --------
|
||||
|
||||
// ---- Health / Index / SSE ----
|
||||
async function checkHealth() {
|
||||
if (!cfg.url) return; els.health.textContent = "Checking…";
|
||||
try {
|
||||
@@ -145,17 +106,15 @@ async function syncIndex() {
|
||||
}
|
||||
|
||||
let sseCtrl;
|
||||
function sse(restart){
|
||||
async function sse(){
|
||||
if (!cfg.url) return;
|
||||
if (sseCtrl) { sseCtrl.abort(); sseCtrl = undefined; }
|
||||
sseCtrl = new AbortController();
|
||||
const url = cfg.url + "/v1/index/stream";
|
||||
const path = "/v1/index/stream";
|
||||
const headers = {};
|
||||
const b = getBearer(); if (b) headers["Authorization"] = "Bearer " + b;
|
||||
headers["X-GC-Key"] = getDevicePubHdr();
|
||||
headers["X-GC-TS"] = Math.floor(Date.now()/1000).toString();
|
||||
headers["X-GC-Proof"] = "dummy"; // server ignores body hash for GET; proof not required for initial request in this demo SSE; if required, switch to EventSource polyfill
|
||||
fetch(url, { headers, signal: sseCtrl.signal }).then(async resp => {
|
||||
Object.assign(headers, await popHeaders("GET", path, new Uint8Array()));
|
||||
fetch(cfg.url + path, { headers, signal: sseCtrl.signal }).then(async resp => {
|
||||
if (!resp.ok) return;
|
||||
const reader = resp.body.getReader(); const decoder = new TextDecoder();
|
||||
let buf = "";
|
||||
@@ -185,32 +144,32 @@ function sse(restart){
|
||||
}).catch(()=>{});
|
||||
}
|
||||
|
||||
// -------- actions --------
|
||||
|
||||
// ---- Actions ----
|
||||
async function publish() {
|
||||
if (!cfg.url) return msg("Set shard URL first.", true);
|
||||
const title = els.title.value.trim(); const body = els.body.value; const vis = els.visibility.value;
|
||||
try {
|
||||
let blob, enc=false;
|
||||
if (vis === "private") {
|
||||
if (!cfg.passphrase) return msg("Set a passphrase for private posts.", true);
|
||||
if (!cfg.passphrase) return msg("Set a passphrase (community key) for encrypted posts.", true);
|
||||
const payload = await encryptString(JSON.stringify({ title, body }), cfg.passphrase);
|
||||
blob = toBlob(payload); enc=true;
|
||||
} else { blob = toBlob(JSON.stringify({ title, body })); }
|
||||
} else {
|
||||
blob = toBlob(JSON.stringify({ title, body }));
|
||||
}
|
||||
const tz = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
|
||||
const headers = { "Content-Type":"application/octet-stream", "X-GC-TZ": tz };
|
||||
const bearer = getBearer(); if (bearer) headers["Authorization"] = "Bearer " + bearer;
|
||||
if (enc) headers["X-GC-Private"] = "1";
|
||||
const bodyBytes = new Uint8Array(await blob.arrayBuffer());
|
||||
const pop = await popHeaders("PUT", cfg.url + "/v1/object", bodyBytes);
|
||||
Object.assign(headers, pop);
|
||||
Object.assign(headers, await popHeaders("PUT", "/v1/object", bodyBytes));
|
||||
const r = await fetch(cfg.url + "/v1/object", { method:"PUT", headers, body: blob });
|
||||
if (!r.ok) throw new Error(await r.text());
|
||||
const j = await r.json();
|
||||
const posts = getPosts();
|
||||
posts.unshift({ hash:j.hash, title: title || "(untitled)", bytes:j.bytes, ts:j.stored_at, enc:j.private, tz:j.creator_tz });
|
||||
setPosts(posts);
|
||||
els.body.value = ""; msg(`Published ${enc?"private":"public"} post. Hash: ${j.hash}`);
|
||||
els.body.value = ""; msg(`Published ${enc?"encrypted":"plaintext"} post. Hash: ${j.hash}`);
|
||||
} catch(e){ msg("Publish failed: " + (e?.message||e), true); }
|
||||
}
|
||||
|
||||
@@ -256,29 +215,57 @@ async function discordStart() {
|
||||
location.href = j.url;
|
||||
}
|
||||
|
||||
// Optional: Key-based login (no OAuth)
|
||||
async function signInWithDeviceKey(){
|
||||
if (!cfg.url) { alert("Set shard URL first."); return; }
|
||||
const c = await fetch(cfg.url + "/v1/auth/key/challenge", { method:"POST" }).then(r=>r.json());
|
||||
const msg = "key-verify\n" + c.nonce;
|
||||
const priv = await getDevicePriv();
|
||||
const sig = await crypto.subtle.sign({ name:"ECDSA", hash:"SHA-256" }, priv, new TextEncoder().encode(msg));
|
||||
const body = JSON.stringify({ nonce:c.nonce, alg:"p256", pub: getDevicePubHdr().slice("p256:".length), sig: b64(new Uint8Array(sig)) });
|
||||
const r = await fetch(cfg.url + "/v1/auth/key/verify", { method:"POST", headers:{ "Content-Type":"application/json" }, body });
|
||||
if (!r.ok) { alert("Key sign-in failed"); return; }
|
||||
const j = await r.json();
|
||||
sessionStorage.setItem("gc_bearer", j.bearer);
|
||||
const k = "gc_client_config_v1"; const cfg0 = JSON.parse(localStorage.getItem(k) || "{}"); cfg0.bearer = j.bearer; localStorage.setItem(k, JSON.stringify(cfg0));
|
||||
alert("Signed in");
|
||||
try {
|
||||
if (!cfg.url) { alert("Set shard URL first."); return; }
|
||||
|
||||
// 1) challenge
|
||||
const cResp = await fetch(cfg.url + "/v1/auth/key/challenge", { method:"POST" });
|
||||
const cTxt = await cResp.text();
|
||||
if (!cResp.ok) { alert("Challenge failed: " + cTxt); return; }
|
||||
const c = JSON.parse(cTxt);
|
||||
if (!c.nonce) { alert("Challenge bad JSON: " + cTxt); return; }
|
||||
|
||||
// 2) sign "key-verify\n<nonce>"
|
||||
const msg = "key-verify\n" + c.nonce;
|
||||
const priv = await getDevicePriv();
|
||||
const sig = await crypto.subtle.sign({ name:"ECDSA", hash:"SHA-256" }, priv, new TextEncoder().encode(msg));
|
||||
|
||||
// 3) send verify
|
||||
const body = JSON.stringify({
|
||||
nonce: c.nonce,
|
||||
alg: "p256",
|
||||
pub: (getDevicePubHdr()||"").slice("p256:".length),
|
||||
sig: b64(new Uint8Array(sig))
|
||||
});
|
||||
|
||||
const vResp = await fetch(cfg.url + "/v1/auth/key/verify", {
|
||||
method:"POST",
|
||||
headers:{ "Content-Type":"application/json" },
|
||||
body
|
||||
});
|
||||
const vTxt = await vResp.text();
|
||||
if (!vResp.ok) { alert("Verify failed: " + vTxt); return; }
|
||||
|
||||
const j = JSON.parse(vTxt);
|
||||
if (!j.bearer) { alert("Verify returned no bearer: " + vTxt); return; }
|
||||
|
||||
sessionStorage.setItem("gc_bearer", j.bearer);
|
||||
const k = "gc_client_config_v1"; const cfg0 = JSON.parse(localStorage.getItem(k) || "{}"); cfg0.bearer = j.bearer; localStorage.setItem(k, JSON.stringify(cfg0));
|
||||
els.bearer.value = j.bearer;
|
||||
alert("Signed in ✔");
|
||||
} catch (e) {
|
||||
alert("Key sign-in exception: " + (e?.message || e));
|
||||
}
|
||||
}
|
||||
|
||||
// -------- render --------
|
||||
|
||||
// ---- Render ----
|
||||
function renderPosts() {
|
||||
const posts = getPosts(); els.posts.innerHTML = "";
|
||||
for (const p of posts) {
|
||||
const div = document.createElement("div"); div.className = "post";
|
||||
const badge = p.enc ? `<span class="badge">private</span>` : `<span class="badge">public</span>`;
|
||||
const badge = p.enc ? `<span class="badge">encrypted</span>` : `<span class="badge">plaintext</span>`;
|
||||
const tsLocal = new Date(p.ts).toLocaleString();
|
||||
const tz = p.tz ? ` · author TZ: ${p.tz}` : "";
|
||||
div.innerHTML = `
|
||||
@@ -299,26 +286,22 @@ function renderPosts() {
|
||||
}
|
||||
}
|
||||
|
||||
// -------- utils --------
|
||||
// ---- Boot ----
|
||||
(async () => {
|
||||
await ensureDeviceKey();
|
||||
await checkHealth(); await syncIndex(); await sse();
|
||||
})();
|
||||
|
||||
function b64(buf){ return base64url(buf); }
|
||||
function ub64(s){ return base64urlDecode(s); }
|
||||
async function sha256Hex(bytes){
|
||||
const d = await crypto.subtle.digest("SHA-256", bytes);
|
||||
return Array.from(new Uint8Array(d)).map(b=>b.toString(16).padStart(2,"0")).join("");
|
||||
}
|
||||
els.saveConn.onclick = async () => {
|
||||
const c = { url: norm(els.shardUrl.value), bearer: els.bearer.value.trim(), passphrase: els.passphrase.value };
|
||||
saveConfig(c);
|
||||
await checkHealth(); await syncIndex(); await sse();
|
||||
};
|
||||
els.publish.onclick = publish;
|
||||
els.discordStart.onclick = discordStart;
|
||||
els.signinDevice.onclick = signInWithDeviceKey;
|
||||
|
||||
// minimal base64url helpers
|
||||
function base64url(buf){
|
||||
let b = (buf instanceof Uint8Array) ? buf : new Uint8Array(buf);
|
||||
let str = "";
|
||||
for (let i=0; i<b.length; i++) str += String.fromCharCode(b[i]);
|
||||
return btoa(str).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"");
|
||||
}
|
||||
function base64urlDecode(s){
|
||||
s = s.replace(/-/g,"+").replace(/_/g,"/");
|
||||
while (s.length % 4) s += "=";
|
||||
const bin = atob(s); const b = new Uint8Array(bin.length);
|
||||
for (let i=0;i<bin.length;i++) b[i] = bin.charCodeAt(i);
|
||||
return b;
|
||||
}
|
||||
// ---- utils ----
|
||||
function b64(buf){ const b = buf instanceof Uint8Array ? buf : new Uint8Array(buf); let s=""; for (let i=0;i<b.length;i++) s+=String.fromCharCode(b[i]); return btoa(s).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,""); }
|
||||
function ub64(s){ s=s.replace(/-/g,"+").replace(/_/g,"/"); while (s.length%4) s+="="; const bin=atob(s); const b=new Uint8Array(bin.length); for (let i=0;i<bin.length;i++) b[i]=bin.charCodeAt(i); return b.buffer; }
|
||||
async function sha256Hex(bytes){ const d = await crypto.subtle.digest("SHA-256", bytes); return Array.from(new Uint8Array(d)).map(b=>b.toString(16).padStart(2,"0")).join(""); }
|
||||
|
||||
@@ -4,9 +4,9 @@
|
||||
<meta charset="utf-8"/>
|
||||
<title>GreenCoast — Client</title>
|
||||
<meta name="viewport" content="width=device-width,initial-scale=1"/>
|
||||
<!-- Force API base for Cloudflare tunneled API -->
|
||||
<meta name="gc-api-base" content="https://api-gc.fullmooncyberworks.com">
|
||||
<link rel="stylesheet" href="./styles.css"/>
|
||||
<!-- Optional: set API base explicitly -->
|
||||
<meta name="gc-api-base" content="https://api-gc.fullmooncyberworks.com">
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
@@ -16,25 +16,28 @@
|
||||
<h2>Connect</h2>
|
||||
<div class="row">
|
||||
<label>Shard URL</label>
|
||||
<input id="shardUrl" placeholder="https://api-gc.fullmooncyberworks.com" />
|
||||
<input id="shardUrl" placeholder="http://localhost:9080" />
|
||||
</div>
|
||||
<div class="row">
|
||||
<label>Bearer (optional)</label>
|
||||
<input id="bearer" placeholder="dev-local-token" />
|
||||
<label>Bearer (auto after sign-in)</label>
|
||||
<input id="bearer" placeholder="(auto)" />
|
||||
</div>
|
||||
<div class="row">
|
||||
<label>Passphrase (private posts)</label>
|
||||
<label>Passphrase (community key)</label>
|
||||
<input id="passphrase" type="password" placeholder="••••••••" />
|
||||
</div>
|
||||
|
||||
<div class="row">
|
||||
<label>3rd-party SSO</label>
|
||||
<label>Auth</label>
|
||||
<div>
|
||||
<button id="signinDevice">Sign in (device key)</button>
|
||||
<button id="discordStart">Sign in with Discord</button>
|
||||
<div class="muted" style="margin-top:.4rem;">
|
||||
We use external providers only if you choose to. We cannot vouch for their security.
|
||||
Using third-party SSO is optional; we cannot vouch for their security.
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<button id="saveConn">Save</button>
|
||||
<div id="health" class="muted"></div>
|
||||
</section>
|
||||
@@ -44,8 +47,8 @@
|
||||
<div class="row">
|
||||
<label>Visibility</label>
|
||||
<select id="visibility">
|
||||
<option value="public">Public (plaintext)</option>
|
||||
<option value="private">Private (E2EE via passphrase)</option>
|
||||
<option value="private">Community-encrypted (recommended)</option>
|
||||
<option value="public">Plaintext (discouraged; may be disabled by server)</option>
|
||||
</select>
|
||||
</div>
|
||||
<div class="row">
|
||||
@@ -56,9 +59,6 @@
|
||||
<label>Body</label>
|
||||
<textarea id="body" rows="6" placeholder="Write your post..."></textarea>
|
||||
</div>
|
||||
<div class="row">
|
||||
<label><input type="checkbox" id="shareTZ" checked> Include my time zone on this post</label>
|
||||
</div>
|
||||
<button id="publish">Publish</button>
|
||||
<div id="publishStatus" class="muted"></div>
|
||||
</section>
|
||||
|
||||
Reference in New Issue
Block a user