Giter Club home page Giter Club logo

cloudfinger's Introduction

CloudFinger

A WebFinger Responder

This is a webfinger service, intended to run locally or as a Cloudflare Worker, consumes a list of mappings from an web identity to another identity as used by services like Mastodon.

The mappings are store in a Cloudflare KV Store and should be manipulated via the Cloudflare Dashboard (for now).

This service exposes a very simple (read-only) API and lacks a frontend. I will be adding the rest of the API next.

Features

  • Stores mappings as KV pairs, where the key the web identity like [email protected] and the value is the destination identity like @[email protected]. Example
  • Exposes a public endpoint at /.well-known/webfinger/ that acts like a normal webfinger server and responds to the normal ?resource=acct:identity parameter.
  • Returns a webidentity like any normal Mastodon Identity server without the entire infrastructure of a Mastondon install.
  • Exposes a public health endpoint at /.well-known/webfinger/hello that returns the worker name and version number
  • Exposes a public status endpoint at /.well-known/webfinger/status that returns the number of mappings in the KV store
  • Exposes a secured (via preshared auth token) API at /api/ that current only allows listing of the mappings API to come

Setup

  • Clone this repository
  • npm install to get all the packages installed
  • Login to the CloudFlare Dashboard
  • Do a wrangler whomai to ensure that wrangler has access to your CloudFlare account
  • Create a cloudfinger Worker (whether you intend to run locally or not)
  • Randomly generate some Bearer token to secure the API, perhaps with something like openssl rand -base64 32. Make sure you keep this value somewhere safe as we need to pass it as a Bearer token for any API-secured calls
  • wrangler secret put AUTH_TOKEN and paste in that freshly generated token
  • wrangler kv:namespace create webfinger to create the KV namespace for the webfinger
  • Update the wrangler.toml file to have your namespace mapping's ID and replace what's there with the id shown in the previous step (Note: this isn't super secret, the ID is useless without the account ID)
  • Lookup your CloudFlare account ID (this is account-level, NOT domain-level) from the Dashboard
  • wrangler secret put CF_ACCT_ID and paste in the ID from above to store the CloudFlare account id for the API
  • Provision a Cloudflare API token to write to it
    • On the dashboard right side, just below the account number, click API Tokens or just https://dash.cloudflare.com/profile/api-tokens
    • Create a token:
      • Either Quick start this this URL to prefill the form this far (thanks to James Ross @Cherry for this URL generator tool.)
      • Or By hand
        • Click Create Token
        • Scroll down to the Custom token section and click Get started
        • Fill in the Create Custom Token form:
          • Enter a name (for example cloudfinger)
          • In Permissions section
            • Choose Account
            • Choose Workers KV Storage
            • Choose Edit to allow the API to update values
      • continue either way
      • In the Account Resources section
        • Choose Include
        • Choose either All Accounts or the specific account you're building this worker for
      • In the Client IP Address Filter section, just leave things blank (would be nice if CloudFlare would allow you to lock it down to only your IPs and the CloudFlare Worker IPs... but not yet)
      • Leave the TTL section alone, we want the Token to last until revoked
    • Click Continue to summary to advance to the review screen
    • Click Create token to generte the token
    • Click Copy to get the token value on your clipboard (Note: you can copy/paste the curl command shown to validate your token, but remember that shell histories will record that token in the clear, make sure you elide it from your ~/.zsh_history or ~/.bash_history or you're risking leaking the token)
  • wrangler secret put CF_API_TOKEN and the paste in the token from above
  • That's the Wrangler Secrets, verify they have been setup with the right names (you won't be able to see the values, they're secret) with a wrangler secret list and you should see AUTH_TOKEN, CF_ACCT_ID, and CF_API_TOKEN
  • Confirm in wrangler.toml that the default values are acceptable for: CF_API_ENDDPOINT, you can get the current version from the Cloudflare API page, which was https://api.cloudflare.com/client/v4 at the time this worker was developed
  • Do a trial build with npm run build
  • Deploy cloudfinger to Workers with npm run deploy or use npm run start to run it locally.

Usage

  • Start with npm run start which will run the local version
  • Press b to start a local browser against the wrangler-host (typically http://127.0.0.1:8787 which will respond with a 404 NO FOUND message)
  • Request /.well-known/webfinger/hello to get the current worker version
  • Request /.well-known/webfinger/status to confirm that the CloudFlare API values are correct
  • Request /.well-known/webfinger/?resource=acct:foo to verify webfinger requests are being accepted
  • Request /.well-known/webfinger/?resource=acct:[email protected] (where you can replace with any KV value entered in either the CloudFlare web interface or via `wrangler kv:)
  • Request /api/list to see the current list of key-value pairs in the bound KV namespace

Setting up production routes

  • Go to the Dashboard
  • Select Workers / Overview on the left menu
  • Select your cloudfinger worker in the right panel
  • Click Routes View in the cloudfinger info panel
  • Click the Add Route above the routes list (you may have to scroll up a bit)
  • Fill in the form with the domain(s) CloudFlare is handling
    • Fill in the Route domain portion, for example github365.com
    • Append the /.well-known/webfinger/* suffix as required by the webfinger protocol
    • In the Zone, select the specific zone you want this route applied to (typically matches the domain prefix above)
    • Click the Add Route
  • Repeat above steps if you want to bind the same worker to multiple domains.

Known Limitations

  • This ONLY provides the endpoint needed to handle the webfinger protocol using the standard protocol, it does NOT do anything or provide any actual Mastodon functionality
  • There's no frontend
  • I need to document how to setup the KV values from the command line and/or dashboard

Troubleshooting

  • You may need to purge routes from CDN cache if a webfinger result does not take immediate effect.
  • If you get an CloudFlare error, you can check the worker logs
  • The examples in the documentation are for my actual live deploy so feel free to finger this

cloudfinger's People

Contributors

dependabot[bot] avatar idisposable avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

huslage

cloudfinger's Issues

Add an API to allow inserting / updating / deleting mappings

Need a simple API that allows for programmatic updating of the mappings. This will initially be used from the command line (e.g. curl, and be secured by the same pre-shared-key AUTH_TOKEN that the current /api/list uses.

How

Add the following operations:

  • /api/get/:from - GET the single mapping from a specific id (e.g. the mapping for [email protected])
  • /api/add - POST a new mapping with both a from and to in the POST body*
  • /api/update/:from - PUT an updated mapping with the new values for both the from and to in the PUT body*
  • /api/delete/:from - DELETE an existing mapping of the specified from value

Notes

POST for the add operation

URI: /api/add - no additional parameters needed

Body:

{
  "from": "[email protected]",
  "to": "@[email protected]"
}

Result:

{
  "success": true,
  "errors": [ ]
}

Note: Will return false with appropriate HTTP Status Code and an explanation in the errors attribute. A 400-Bad Request will be returned if either the from or the to are blank or both have the same value. A 409-Conflict will be returned if the from already has an existing mapping that doesn't match the requested to value. If both the from and to values match a 200-OK response will be returned (as this is likely a repeated request).

PUT for the update operation

URI: /api/update/:from where the from value is the from value of an existing mapping. This allow changing a mapping's from or to value at will. An example would be /api/update/[email protected].

Body:

{
  "from": "[email protected]",
  "to": "@[email protected]"
}

Result:

{
  "success": true
  "errors": [ ]
}

Note: Will return false with appropriate HTTP Status Code and an explanation in the errors attribute. 404-Not Found status code means the URI from value was not in the existing mappings. 409-Conflict status code means the post-body supplied from value already exists but is NOT the value supplied in the URI (e.g. you tried to change [email protected]'s from to [email protected] and that already has a mapping). If the existing mapping matches what was requested in the PUT, a 200-OK status code will be returned (as this is likely a repeated request).

DELETE for the delete operation

URI: /api/delete/:from where the from value is the from value of an existing mapping. An example would be /api/update/[email protected]. There is no DELETE body content

Result:

{
  "success": true
  "errors": [ ]
}

Note: Will return false with appropriate HTTP Status Code and an explanation in the errors attribute. 410 GONE means the URI from value was not in the existing mappings (as this is likely a repeated request).

HTTP Status Codes

Status Code Description List Add Update Delete
200 OK Indicates that the request has succeeded. X X X
201 Created Indicates that the request has succeeded and a new resource has been created as a result. X
204 No Content The server has fulfilled the request but does not need to return a response body. The server may return the updated meta information. X
400 Bad Request The request could not be understood by the server due to incorrect syntax. The client SHOULD NOT repeat the request without modifications. X X X X
404 Not Found The server can not find the requested resource. X X
409 Conflict The request could not be completed due to a conflict with the current state of the resource. X X
410 Gone The requested resource is no longer available at the server. X X

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.