invidious-mod-JP/src/invidious/helpers/tokens.cr

require "crypto/subtle"

def generate_token(email, scopes, expire, key, db)
  session = "v1:#{Base64.urlsafe_encode(Random::Secure.random_bytes(32))}"
  PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", session, email, Time.utc)

  token = {
    "session" => session,
    "scopes"  => scopes,
    "expire"  => expire,
  }

  if !expire
    token.delete("expire")
  end

  token["signature"] = sign_token(key, token)

  return token.to_json
end

def generate_response(session, scopes, key, db, expire = 6.hours, use_nonce = false)
  expire = Time.utc + expire

  token = {
    "session" => session,
    "expire"  => expire.to_unix,
    "scopes"  => scopes,
  }

  if use_nonce
    nonce = Random::Secure.hex(16)
    db.exec("INSERT INTO nonces VALUES ($1, $2) ON CONFLICT DO NOTHING", nonce, expire)
    token["nonce"] = nonce
  end

  token["signature"] = sign_token(key, token)

  return token.to_json
end

def sign_token(key, hash)
  string_to_sign = [] of String

  hash.each do |key, value|
    next if key == "signature"

    if value.is_a?(JSON::Any) && value.as_a?
      value = value.as_a.map { |i| i.as_s }
    end

    case value
    when Array
      string_to_sign << "#{key}=#{value.sort.join(",")}"
    when Tuple
      string_to_sign << "#{key}=#{value.to_a.sort.join(",")}"
    else
      string_to_sign << "#{key}=#{value}"
    end
  end

  string_to_sign = string_to_sign.sort.join("\n")
  return Base64.urlsafe_encode(OpenSSL::HMAC.digest(:sha256, key, string_to_sign)).strip
end

def validate_request(token, session, request, key, db, locale = nil)
  case token
  when String
    token = JSON.parse(URI.decode_www_form(token)).as_h
  when JSON::Any
    token = token.as_h
  when Nil
    raise InfoException.new("Hidden field \"token\" is a required field")
  end

  expire = token["expire"]?.try &.as_i
  if expire.try &.< Time.utc.to_unix
    raise InfoException.new("Token is expired, please try again")
  end

  if token["session"] != session
    raise InfoException.new("Erroneous token")
  end

  scopes = token["scopes"].as_a.map { |v| v.as_s }
  scope = "#{request.method}:#{request.path.lchop("/api/v1/auth/").lstrip("/")}"
  if !scopes_include_scope(scopes, scope)
    raise InfoException.new("Invalid scope")
  end

  if !Crypto::Subtle.constant_time_compare(token["signature"].to_s, sign_token(key, token))
    raise InfoException.new("Invalid signature")
  end

  if token["nonce"]? && (nonce = db.query_one?("SELECT * FROM nonces WHERE nonce = $1", token["nonce"], as: {String, Time}))
    if nonce[1] > Time.utc
      db.exec("UPDATE nonces SET expire = $1 WHERE nonce = $2", Time.utc(1990, 1, 1), nonce[0])
    else
      raise InfoException.new("Erroneous token")
    end
  end

  return {scopes, expire, token["signature"].as_s}
end

def scope_includes_scope(scope, subset)
  methods, endpoint = scope.split(":")
  methods = methods.split(";").map { |method| method.upcase }.reject { |method| method.empty? }.sort
  endpoint = endpoint.downcase

  subset_methods, subset_endpoint = subset.split(":")
  subset_methods = subset_methods.split(";").map { |method| method.upcase }.sort
  subset_endpoint = subset_endpoint.downcase

  if methods.empty?
    methods = %w(GET POST PUT HEAD DELETE PATCH OPTIONS)
  end

  if methods & subset_methods != subset_methods
    return false
  end

  if endpoint.ends_with?("*") && !subset_endpoint.starts_with? endpoint.rchop("*")
    return false
  end

  if !endpoint.ends_with?("*") && subset_endpoint != endpoint
    return false
  end

  return true
end

def scopes_include_scope(scopes, subset)
  scopes.each do |scope|
    if scope_includes_scope(scope, subset)
      return true
    end
  end

  return false
end
Verify token signature in constant time, Run cheap checks first in token validation process (#1032) * Verify token signature in constant time To prevent timing side channel attacks * Run cheap checks first in token validation process Expensive checks such as the nonce lookup on the database or the signature check can be run after cheap/fast checks. 2020-03-02 16:04:36 +00:00			`require "crypto/subtle"`

Add authentication API 2019-04-18 21:23:50 +00:00			`def generate_token(email, scopes, expire, key, db)`
			`session = "v1:#{Base64.urlsafe_encode(Random::Secure.random_bytes(32))}"`
Minor refactor 2019-06-08 00:56:41 +00:00			`PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", session, email, Time.utc)`
Add authentication API 2019-04-18 21:23:50 +00:00
			`token = {`
			`"session" => session,`
			`"scopes" => scopes,`
			`"expire" => expire,`
			`}`

			`if !expire`
			`token.delete("expire")`
			`end`

			`token["signature"] = sign_token(key, token)`

			`return token.to_json`
			`end`

			`def generate_response(session, scopes, key, db, expire = 6.hours, use_nonce = false)`
Minor refactor 2019-06-08 00:56:41 +00:00			`expire = Time.utc + expire`
Add authentication API 2019-04-18 21:23:50 +00:00
			`token = {`
			`"session" => session,`
			`"expire" => expire.to_unix,`
			`"scopes" => scopes,`
			`}`

			`if use_nonce`
			`nonce = Random::Secure.hex(16)`
			`db.exec("INSERT INTO nonces VALUES ($1, $2) ON CONFLICT DO NOTHING", nonce, expire)`
			`token["nonce"] = nonce`
			`end`

			`token["signature"] = sign_token(key, token)`

			`return token.to_json`
			`end`

			`def sign_token(key, hash)`
			`string_to_sign = [] of String`

			`hash.each do \|key, value\|`
Fix warnings in latest version of Crystal 2020-04-09 17:18:09 +00:00			`next if key == "signature"`
Add authentication API 2019-04-18 21:23:50 +00:00
Fix warnings in latest version of Crystal 2020-04-09 17:18:09 +00:00			`if value.is_a?(JSON::Any) && value.as_a?`
			`value = value.as_a.map { \|i\| i.as_s }`
Add authentication API 2019-04-18 21:23:50 +00:00			`end`

			`case value`
			`when Array`
			`string_to_sign << "#{key}=#{value.sort.join(",")}"`
			`when Tuple`
			`string_to_sign << "#{key}=#{value.to_a.sort.join(",")}"`
			`else`
			`string_to_sign << "#{key}=#{value}"`
			`end`
			`end`

			`string_to_sign = string_to_sign.sort.join("\n")`
			`return Base64.urlsafe_encode(OpenSSL::HMAC.digest(:sha256, key, string_to_sign)).strip`
			`end`

			`def validate_request(token, session, request, key, db, locale = nil)`
			`case token`
			`when String`
Update to Crystal 0.31.0, resolve compiler deprecation warnings, update dependencies (#764) * shard: update to crystal 0.31.0 Additionally, no longer use the Crystal "markdown" library which has been removed from the Crystal stdlib in version 0.31.0. See https://github.com/crystal-lang/crystal/pull/8115. Also fix some deprecation warnings using the following commands: find . \( -type d -name .git -prune \) -o -type f -exec sed -i 's/URI\.escape/URI\.encode_www_form/g' "{}" \; find . \( -type d -name .git -prune \) -o -type f -exec sed -i 's/URI\.unescape/URI\.decode_www_form/g' "{}" \; sed -i 's/while \%pull\.kind \!\= \:end_object/until \%pull\.kind\.end_object\?/g' src/invidious/helpers/patch_mapping.cr 2019-09-24 17:31:33 +00:00			`token = JSON.parse(URI.decode_www_form(token)).as_h`
Add authentication API 2019-04-18 21:23:50 +00:00			`when JSON::Any`
			`token = token.as_h`
			`when Nil`
Add backtraces to errors (#1498) Error handling has been reworked to always go through the new `error_template`, `error_json` and `error_atom` macros. They all accept a status code followed by a string message or an exception object. `error_json` accepts a hash with additional fields as third argument. If the second argument is an exception a backtrace will be printed, if it is a string only the string is printed. Since up till now only the exception message was printed a new `InfoException` class was added for situations where no backtrace is intended but a string cannot be used. `error_template` with a string message automatically localizes the message. Missing error translations have been collected in https://github.com/iv-org/invidious/issues/1497 `error_json` with a string message does not localize the message. This is the same as previous behavior. If translations are desired for `error_json` they can be added easily but those error messages have not been collected yet. Uncaught exceptions previously only printed a generic message ("Looks like you've found a bug in Invidious. [...]"). They still print that message but now also include a backtrace. 2020-11-30 09:59:21 +00:00			`raise InfoException.new("Hidden field \"token\" is a required field")`
Add authentication API 2019-04-18 21:23:50 +00:00			`end`

Verify token signature in constant time, Run cheap checks first in token validation process (#1032) * Verify token signature in constant time To prevent timing side channel attacks * Run cheap checks first in token validation process Expensive checks such as the nonce lookup on the database or the signature check can be run after cheap/fast checks. 2020-03-02 16:04:36 +00:00			`expire = token["expire"]?.try &.as_i`
			`if expire.try &.< Time.utc.to_unix`
Add backtraces to errors (#1498) Error handling has been reworked to always go through the new `error_template`, `error_json` and `error_atom` macros. They all accept a status code followed by a string message or an exception object. `error_json` accepts a hash with additional fields as third argument. If the second argument is an exception a backtrace will be printed, if it is a string only the string is printed. Since up till now only the exception message was printed a new `InfoException` class was added for situations where no backtrace is intended but a string cannot be used. `error_template` with a string message automatically localizes the message. Missing error translations have been collected in https://github.com/iv-org/invidious/issues/1497 `error_json` with a string message does not localize the message. This is the same as previous behavior. If translations are desired for `error_json` they can be added easily but those error messages have not been collected yet. Uncaught exceptions previously only printed a generic message ("Looks like you've found a bug in Invidious. [...]"). They still print that message but now also include a backtrace. 2020-11-30 09:59:21 +00:00			`raise InfoException.new("Token is expired, please try again")`
Add authentication API 2019-04-18 21:23:50 +00:00			`end`

			`if token["session"] != session`
Add backtraces to errors (#1498) Error handling has been reworked to always go through the new `error_template`, `error_json` and `error_atom` macros. They all accept a status code followed by a string message or an exception object. `error_json` accepts a hash with additional fields as third argument. If the second argument is an exception a backtrace will be printed, if it is a string only the string is printed. Since up till now only the exception message was printed a new `InfoException` class was added for situations where no backtrace is intended but a string cannot be used. `error_template` with a string message automatically localizes the message. Missing error translations have been collected in https://github.com/iv-org/invidious/issues/1497 `error_json` with a string message does not localize the message. This is the same as previous behavior. If translations are desired for `error_json` they can be added easily but those error messages have not been collected yet. Uncaught exceptions previously only printed a generic message ("Looks like you've found a bug in Invidious. [...]"). They still print that message but now also include a backtrace. 2020-11-30 09:59:21 +00:00			`raise InfoException.new("Erroneous token")`
Add authentication API 2019-04-18 21:23:50 +00:00			`end`

			`scopes = token["scopes"].as_a.map { \|v\| v.as_s }`
			`scope = "#{request.method}:#{request.path.lchop("/api/v1/auth/").lstrip("/")}"`
			`if !scopes_include_scope(scopes, scope)`
Add backtraces to errors (#1498) Error handling has been reworked to always go through the new `error_template`, `error_json` and `error_atom` macros. They all accept a status code followed by a string message or an exception object. `error_json` accepts a hash with additional fields as third argument. If the second argument is an exception a backtrace will be printed, if it is a string only the string is printed. Since up till now only the exception message was printed a new `InfoException` class was added for situations where no backtrace is intended but a string cannot be used. `error_template` with a string message automatically localizes the message. Missing error translations have been collected in https://github.com/iv-org/invidious/issues/1497 `error_json` with a string message does not localize the message. This is the same as previous behavior. If translations are desired for `error_json` they can be added easily but those error messages have not been collected yet. Uncaught exceptions previously only printed a generic message ("Looks like you've found a bug in Invidious. [...]"). They still print that message but now also include a backtrace. 2020-11-30 09:59:21 +00:00			`raise InfoException.new("Invalid scope")`
Add authentication API 2019-04-18 21:23:50 +00:00			`end`

Verify token signature in constant time, Run cheap checks first in token validation process (#1032) * Verify token signature in constant time To prevent timing side channel attacks * Run cheap checks first in token validation process Expensive checks such as the nonce lookup on the database or the signature check can be run after cheap/fast checks. 2020-03-02 16:04:36 +00:00			`if !Crypto::Subtle.constant_time_compare(token["signature"].to_s, sign_token(key, token))`
Add backtraces to errors (#1498) Error handling has been reworked to always go through the new `error_template`, `error_json` and `error_atom` macros. They all accept a status code followed by a string message or an exception object. `error_json` accepts a hash with additional fields as third argument. If the second argument is an exception a backtrace will be printed, if it is a string only the string is printed. Since up till now only the exception message was printed a new `InfoException` class was added for situations where no backtrace is intended but a string cannot be used. `error_template` with a string message automatically localizes the message. Missing error translations have been collected in https://github.com/iv-org/invidious/issues/1497 `error_json` with a string message does not localize the message. This is the same as previous behavior. If translations are desired for `error_json` they can be added easily but those error messages have not been collected yet. Uncaught exceptions previously only printed a generic message ("Looks like you've found a bug in Invidious. [...]"). They still print that message but now also include a backtrace. 2020-11-30 09:59:21 +00:00			`raise InfoException.new("Invalid signature")`
Verify token signature in constant time, Run cheap checks first in token validation process (#1032) * Verify token signature in constant time To prevent timing side channel attacks * Run cheap checks first in token validation process Expensive checks such as the nonce lookup on the database or the signature check can be run after cheap/fast checks. 2020-03-02 16:04:36 +00:00			`end`

			`if token["nonce"]? && (nonce = db.query_one?("SELECT * FROM nonces WHERE nonce = $1", token["nonce"], as: {String, Time}))`
			`if nonce[1] > Time.utc`
			`db.exec("UPDATE nonces SET expire = $1 WHERE nonce = $2", Time.utc(1990, 1, 1), nonce[0])`
			`else`
Add backtraces to errors (#1498) Error handling has been reworked to always go through the new `error_template`, `error_json` and `error_atom` macros. They all accept a status code followed by a string message or an exception object. `error_json` accepts a hash with additional fields as third argument. If the second argument is an exception a backtrace will be printed, if it is a string only the string is printed. Since up till now only the exception message was printed a new `InfoException` class was added for situations where no backtrace is intended but a string cannot be used. `error_template` with a string message automatically localizes the message. Missing error translations have been collected in https://github.com/iv-org/invidious/issues/1497 `error_json` with a string message does not localize the message. This is the same as previous behavior. If translations are desired for `error_json` they can be added easily but those error messages have not been collected yet. Uncaught exceptions previously only printed a generic message ("Looks like you've found a bug in Invidious. [...]"). They still print that message but now also include a backtrace. 2020-11-30 09:59:21 +00:00			`raise InfoException.new("Erroneous token")`
Verify token signature in constant time, Run cheap checks first in token validation process (#1032) * Verify token signature in constant time To prevent timing side channel attacks * Run cheap checks first in token validation process Expensive checks such as the nonce lookup on the database or the signature check can be run after cheap/fast checks. 2020-03-02 16:04:36 +00:00			`end`
Add authentication API 2019-04-18 21:23:50 +00:00			`end`

			`return {scopes, expire, token["signature"].as_s}`
			`end`

			`def scope_includes_scope(scope, subset)`
			`methods, endpoint = scope.split(":")`
			`methods = methods.split(";").map { \|method\| method.upcase }.reject { \|method\| method.empty? }.sort`
			`endpoint = endpoint.downcase`

			`subset_methods, subset_endpoint = subset.split(":")`
			`subset_methods = subset_methods.split(";").map { \|method\| method.upcase }.sort`
			`subset_endpoint = subset_endpoint.downcase`

			`if methods.empty?`
			`methods = %w(GET POST PUT HEAD DELETE PATCH OPTIONS)`
			`end`

			`if methods & subset_methods != subset_methods`
			`return false`
			`end`

			`if endpoint.ends_with?("") && !subset_endpoint.starts_with? endpoint.rchop("")`
			`return false`
			`end`

			`if !endpoint.ends_with?("*") && subset_endpoint != endpoint`
			`return false`
			`end`

			`return true`
			`end`

			`def scopes_include_scope(scopes, subset)`
			`scopes.each do \|scope\|`
			`if scope_includes_scope(scope, subset)`
			`return true`
			`end`
			`end`

			`return false`
			`end`