hacdias / indielib Goto Github PK

Add an independent function, or inside the authorization server, that fetches client information.

Also update the example to show information.

Ref.: https://indieauth.spec.indieweb.org/#client-information-discovery

• Only return error on authentication if cannot find authorisation endpoint.

• Post list query: indieweb/micropub-extensions#4
• Visibility config

cc @jlelse: anything else?

Closes hacdias/eagle#193.

• Move IndieAuth package into indieauth/ and ensure current package works
• Import Micropub code from Eagle
  • Cleanup parser.go and add tests
  • Cleanup router.go and add tests
• Import Microformats code from Eagle
  • Cleanup discovery.go and add tests
• Improve README
  • List the functionalities of what you can do with this package
  • Link other useful packages (willnorris.com/go/microformats, willnorris.com/go/webmention, etc)
  • Examples under usage
  • Remove "An IndieWeb toolkit in Go."? and make more cohesive paragraph
• Improve examples
  • Make server be a micropub server too (maybe token can be base64 encoded json object - jwt ... ?)
  • Likely use UpdateProperties in example
• Rename indielib or libindie to avoid name conflict with: https://getindiekit.com/ (might need to re-setup Codecov)

Then: release 0.1.0 and ask for feedback (@jlelse for example).

After Release

• Cleanup mentions of go.hacdias.com/indieauth in https://indieweb.org
• Mention this package in https://indieweb.org/Micropub/Servers
• Mention this package in https://indieweb.org/post-type-discovery
• Update https://github.com/hacdias/indieauth to call this package directly, mark as deprecated (linters will warn users)
• Archive https://github.com/hacdias/indieauth

A lot of functions that perform HTTP requests and so one don't pass the context down the stream.

(Hello! It's really cool to find a Go implementation for the IndieAuth spec! I've also implemented one; see shurcooL/home#34 and shurcooL/home#43. When trying to sign in to your site which I understand uses this package, I found a problem and wanted to report it.)

I believe there's a small bug in the PKCE verification as currently implemented in the latest version of this package, to do with padding used in base64 encoding.

The IndieAuth spec defers to RFC 7636 for PKCE details:

All IndieAuth clients MUST use PKCE ([RFC7636]) to protect against authorization code injection and CSRF attacks. A non-canonical description of the PKCE mechanism is described below, but implementers should refer to [RFC7636] for details.

(Source: https://indieauth.spec.indieweb.org/#authorization-request.)

RFC 7636 section 4.6 (https://datatracker.ietf.org/doc/html/rfc7636#section-4.6) details how the code challenge method verification is done:

If the "code_challenge_method" from Section 4.3 was "S256", the received "code_verifier" is hashed by SHA-256, base64url-encoded, and then compared to the "code_challenge", i.e.:

BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge

[...] If the values are not equal, an error response indicating "invalid_grant" as described in Section 5.2 of [RFC6749] MUST be returned.

In https://datatracker.ietf.org/doc/html/rfc7636#section-3 it is defined that "Base64url Encoding" refers to URL encoding without padding:

Base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted ([...]) and without the inclusion of any line breaks, whitespace, or other additional characters. (See Appendix A for notes on implementing base64url encoding without padding.)

(Emphasis mine.)

Go's base64.RawURLEncoding implements URL base64 encoding without padding, and can be used instead of base64.URLEncoding.

I'll send a PR that fixes this issue in case you find it helpful.

https://datatracker.ietf.org/doc/html/rfc7636#section-4.1 defines code_verifier to be a "high-entropy cryptographic random STRING", and notes:

NOTE: The code verifier SHOULD have enough entropy to make it
impractical to guess the value. It is RECOMMENDED that the output of
a suitable random number generator be used to create a 32-octet
sequence. The octet sequence is then base64url-encoded to produce a
43-octet URL safe string to use as the code verifier.

(Emphasis mine.)

The math/rand Go package isn't suitable for that purpose; the crypto/rand package can be used in its place.

I'll send a PR that fixes this issue in case you find it helpful.

I want to move to go.hacdias.com/indieauth, which is a breaking change. At the same time, I want to get rid of the major module versions. I really dislike the way Go handles it with the different import path, and I want to leverage the fact that this repository has few users and just make a PR to everyone.

• Rewrite history and remove major versions (breaking, never do this)
• Move to go.hacdias.com/indieauth
• Release 0.6.0 with breaking changes.
• Make PRs to users: https://github.com/hacdias/indieauth/network/dependents

Note: this is something I would never do, but since it's a small repo with few users, better break it now than later.