merge: galactic supermassive rewrites

Author: chase-moskal

changelog.md

@@ -7,7 +7,20 @@
 
 <br/>
 
---------
+## v0.2
+
+### v0.2.0
+- 🧐 authduo doesn't have any users yet so i'm still in a mode of breaking things with impunity
+- 🟥 tokens reworked, we now have `Keys`, `Proof`, and `Claim` tokens
+- 🟥 auth.login has a new Login type with a somewhat different signature
+- 🟥 breaking changes to the fed api (api between the popup and your app)
+  - all calls are now namespaced under v1
+  - this will make it easier to avoid breaking changes in the future
+  - i also changed the names of the LoginTokens that get returned
+- 🟥 moved the passport's `name` from Keys to Proof
+- 🔶 tweaked authfile format, but its versioned and so should not cause breakage
+- 🍏 renamed `JsonWebToken` facility to simply `Token`
+- 🍏 on the passport edit page, i added a text input for copying the thumbprint
 
 ## v0.1
 

package-lock.json

@@ -8,14 +8,6 @@
 		"x",
 		"s"
 	],
-	"exports": {
-		".": {
-			"node": "./x/server.js",
-			"deno": "./x/server.js",
-			"browser": "./x/index.js",
-			"default": "./x/index.js"
-		}
-	},
 	"scripts": {
 		"build": "rm -rf x && run-s build-code build-ssg links",
 		"build-code": "turtle build --out=x",
@@ -26,11 +18,12 @@
 		"links": "run-s links-s links-assets",
 		"links-s": "ln -s \"$(realpath s)\" x/s",
 		"links-assets": "ln -s \"$(realpath assets)\" x/assets",
+		"devlinks-slate": "rm -rf node_modules/@benev/slate && ln -s \"$(realpath ../../@benev/slate)\" node_modules/@benev/slate",
 		"test": "cynic node x/tests.test.js"
 	},
 	"dependencies": {
-		"@benev/slate": "^0.2.8",
-		"renraku": "^0.3.0-0"
+		"@benev/slate": "^0.2.17",
+		"renraku": "^0.4.2"
 	},
 	"devDependencies": {
 		"@benev/turtle": "^0.6.3",

package.json

@@ -45,9 +45,9 @@ Try out the login button at the [Federated Test Page](https://authduo.org/federa
     - Customize that second script to handle logins/logouts your way.
     - When the user logs in, the `login` object looks like this:
       ```js
-      login.name // Kaylim Bojrumaj
-      login.thumbprint // "4e77bccf..."
-      login.expiry // 1729381451374
+      login.name // Cetdok Pizafoaba
+      login.thumbprint // "0d196fc3..."
+      login.expiry // 1731740481065
       ```
     - When the user logs out, `login` is `null`.
 1. **Put this button in your `<body>`:**
@@ -67,10 +67,12 @@ Try out the login button at the [Federated Test Page](https://authduo.org/federa
     ```
 1. **Register components and listen for auth changes.** `main.ts`
     ```ts
-    import {auth, components, register_to_dom} from "@authduo/authduo"
+    import {Auth, components, register_to_dom} from "@authduo/authduo"
 
     register_to_dom(components)
 
+    const auth = Auth.get()
+
     auth.onChange(login => {
       if (login) console.log("logged in", login)
       else console.log("logged out")
@@ -124,62 +126,66 @@ Try out the login button at the [Federated Test Page](https://authduo.org/federa
 
 ### Understanding the Authduo flow and tokens
 
-![](https://i.imgur.com/eLa130k.png)
+![](https://i.imgur.com/18xwaeU.png)
+
+- When a user on your app clicks to login, this opens an Authduo.org popup for them to login.
+- The authduo signs some tokens with your user's passport keypair, and sends them back to your application.
+- Your app receives a `Login` object, which has some useful things:
+  - `login.proof.token` -- this is a `Proof` token and it's public, so you can send it around anywhere so your user can prove their identity
+  - `login.keys.signClaimToken(~)` -- you can use this to sign arbitrary data into a token, which is verifiably signed on behalf of the user's passport
 
-- When your user logs in, you receive a *Login* object (a verified *login token*).
-  - Don't pass this around, anybody with the login token can impersonate your user.
-  - Instead of passing the login token around, you can use the login object to *sign* your own *challenge tokens*.
-- Let's consider an example: you're making a player-hosted multiplayer game.
-  - Your user logs in, and you get a *Login* object.
-  - You want to send your user's identity to the host of the game, so they can verify it, and nobody can impersonate your user.
-  - So you use your *Login* object to sign a fresh *challenge token* containing your user's name and other info.
-  - You send this *challenge token* along with your *login.proof.token* to the game host.
-  - The game host receives your `challengeToken` and `proofToken`, and now can verify that your challenge was authentically signed on behalf of the user's passport.
+#### Example of signing and verifying claim tokens
 
-### `Login`, `Proof`, and `Challenge` tokens
-- **Sign a fresh challenge token.**
+- **Sign a fresh claim token.**
   ```js
-  import {FromNow} from "@authduo/authduo"
+  import {Future} from "@authduo/authduo"
 
-  const challengeToken = await login.signChallengeToken({
-    expiry: FromNow.hours(24),
+  const idToken = await login.keys.signClaimToken({
+    expiresAt: Future.hours(24),
 
     // you can pack any abitrary data you want into this token
     data: {
       username: "Rec Doamge",
+      avatarId: "d15aea1a",
 
-      // we've scoped this token to this game session,
-      // so that it cannot be stolen and reused in other game sessions.
+      // perhaps we want to scope this claim to a specific game session,
+      // so that it cannot be stolen by other users and reused in other
+      // game sessions.
       gameSessionId: "9c22b17e",
     },
   })
   ```
-- **Send the *challengeToken* along with a *proofToken.***
+- **Send this *idToken* along with the user's *proofToken.***
   ```js
-  await sendElsewhere({
-    proofToken: login.proof.token,
-    challengeToken,
-  })
+  await sendElsewhere(login.proof.token, idToken)
   ```
-  - Each `login` object comes with a `proofToken` that is required to verify a challenge token.
-- **Verify the proof and challenge**
+  - Each `login` object comes with a proof token that is required to verify any claim tokens.
+- **Verify the proof and claim**
   ```js
-  import {Proof, Challenge} from "@authduo/authduo"
+  import {Proof, Claim} from "@authduo/authduo"
+
+  receiveElsewhere(async(proofToken, idToken) => {
+
+    // the origin of your site that triggered the authduo popup
+    const allowedAudiences = ["https://example.benev.gg"]
+
+    // verifying the proof
+    const proof = await Proof.verify(proofToken, {allowedAudiences})
 
-  receiveElsewhere(async(proofToken, challengeToken) => {
-    const proof = await Proof.verify(proofToken)
-    const challenge = await Challenge.verify(proof, challengeToken)
+    // proving the claim
+    const claim = await Claim.verify(proof, idToken)
 
-    // here's that data you packed into the challenge
-    console.log(challenge.data.username) // "Rec Doamge"
-    console.log(challenge.data.gameSessionId) // "9c22b17e"
+    // here's that data you packed into the claim
+    console.log(claim.data.username) // "Rec Doamge"
+    console.log(claim.data.avatarId) // "d15aea1a"
+    console.log(claim.data.gameSessionId) // "9c22b17e"
 
     // user passport public thumbprint, the true user identifier
-    console.log(challenge.thumbprint) // "a32e638e..."
+    console.log(claim.thumbprint) // "a32e638e..."
     console.log(proof.thumbprint) // "a32e638e..."
   })
   ```
-  - The same proof can be used to verify multiple challenges from the same login.
+  - The same proof can be used to verify multiple claims from the same login.
 
 <br/>
 

readme.md

@@ -1,10 +1,10 @@
 
+import {Hex} from "@benev/slate"
+
 import {Pubkey} from "./pubkey.js"
-import {hex} from "../tools/hex.js"
-import {KeypairJson} from "./types.js"
-import {getCrypto} from "./utils/get-crypto.js"
+import {KeypairData} from "./types.js"
+import {Token, Payload} from "./tokens/token.js"
 import {CryptoConstants} from "./crypto-constants.js"
-import {JsonWebToken, Payload} from "./utils/json-web-token.js"
 
 export class Keypair extends Pubkey {
 	constructor(
@@ -16,27 +16,25 @@ export class Keypair extends Pubkey {
 	}
 
 	static async generate() {
-		const crypto = await getCrypto()
-
 		const keys = await crypto.subtle
 			.generateKey(CryptoConstants.algos.generate, true, ["sign", "verify"])
 
 		const publicBuffer = await crypto.subtle
 			.exportKey(CryptoConstants.formats.public, keys.publicKey)
 
-		const thumbprint = hex.from.buffer(
-			await crypto.subtle.digest(CryptoConstants.algos.thumbprint, publicBuffer)
+		const thumbprint = Hex.string(
+			new Uint8Array(
+				await crypto.subtle.digest(CryptoConstants.algos.thumbprint, publicBuffer)
+			)
 		)
 
 		return new this(thumbprint, keys.publicKey, keys.privateKey)
 	}
 
-	static async fromJson(json: KeypairJson) {
-		const crypto = await getCrypto()
-
-		const pubkey = await Pubkey.fromJson(json)
+	static async fromData(data: KeypairData) {
+		const pubkey = await Pubkey.fromData(data)
 		const extractable = true
-		const privateBuffer = hex.to.buffer(json.privateKey)
+		const privateBuffer = Hex.bytes(data.privateKey).buffer
 
 		const privateKey = await crypto.subtle.importKey(
 			CryptoConstants.formats.private,
@@ -49,17 +47,16 @@ export class Keypair extends Pubkey {
 		return new this(pubkey.thumbprint, pubkey.publicKey, privateKey)
 	}
 
-	async toJson(): Promise<KeypairJson> {
-		const crypto = await getCrypto()
-		const pubkey = await super.toJson()
+	async toData(): Promise<KeypairData> {
+		const pubkey = await super.toData()
 
 		const privateBuffer = await crypto.subtle
 			.exportKey(CryptoConstants.formats.private, this.privateKey)
 
 		return {
 			thumbprint: pubkey.thumbprint,
 			publicKey: pubkey.publicKey,
-			privateKey: hex.from.buffer(privateBuffer),
+			privateKey: Hex.string(new Uint8Array(privateBuffer)),
 		}
 	}
 
@@ -68,7 +65,7 @@ export class Keypair extends Pubkey {
 	}
 
 	async sign<P extends Payload>(payload: P) {
-		return await JsonWebToken.sign<P>(this.privateKey, payload)
+		return await Token.sign<P>(this.privateKey, payload)
 	}
 }