From e6a9c0494460b7769b7d724dc863baebdfb45eeb Mon Sep 17 00:00:00 2001
From: CatAClock
Date: Mon, 28 Apr 2025 16:51:00 -0700
Subject: [PATCH] my understanding hardens
---
 JS/BlueskyAPI.js | 41 +++++++++++++++++++++++++++--------------
 JS/mail.js | 21 ++++++++-------------
 2 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/JS/BlueskyAPI.js b/JS/BlueskyAPI.js
index 20c6464..4db456a 100644
--- a/JS/BlueskyAPI.js
+++ b/JS/BlueskyAPI.js
@@ -38,22 +38,25 @@ export async function CreatePKCECodeChallenge(CodeVerifier) {
 // Component 3/4
 export async function PARrequest(PAREndpoint, State, ChallengeCode) {
 return await fetch(PAREndpoint, {method: "POST", body: new URLSearchParams({ response_type: "code", code_challenge_method: "S256", scope: "atproto transition:generic", client_id: "https://fedi.crowdedgames.group/oauth/client-metadata.json", redirect_uri: "https://fedi.crowdedgames.group/HTML/mail.html", code_challenge: ChallengeCode, state: State, login_hint: "crowdedgames.group" }), "Content-Type": "application/x-www-form-urlencoded"})
- .then((response) => response.json());
+ .then(function(response) {
+ console.log(response.headers.get("dpop-nonce"));
+ return response.json();
+ });
 }
 // Component 4/4
-export async function ClientDPoP() {
+export async function ClientDPoP(POSTorGET, RequestURL, DPoPNonce) {
 let KeyPair = await crypto.subtle.generateKey({name: "ECDSA", namedCurve: "P-256"}, true, ["sign", "verify"]);
 // Header
 var Header = {alg: "HS256", typ: "dpop+jwt", jwk: await crypto.subtle.exportKey("jwk", KeyPair.publicKey).then(function(response) {return response})};
 // Payload
 var Payload = {};
- // Payload.jti
- // Payload.htm
- // Payload.htu
+ Payload.jti = GenerateToken(64);
+ Payload.htm = POSTorGET;
+ Payload.htu = RequestURL;
 Payload.iat = Math.floor(new Date(Date.now()).getTime() / 1000);
- // Payload.nonce
+ Payload.nonce = DPoPNonce;
 var sHeader = JSON.stringify(Header);
 var sPayload = JSON.stringify(Payload);
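Review bot: In JS/BlueskyAPI.js `ClientDPoP`, the header built just above the newly filled payload still declares `alg: "HS256"` while embedding the P-256 public key as `jwk`. A DPoP proof must be signed with the private key matching that `jwk` using an asymmetric algorithm, so for this key pair the header should read `alg: "ES256"` and the signature should come from `KeyPair.privateKey`; the signing call lies outside this hunk, so confirm it there. Also in this hunk, `PARrequest` only logs the `dpop-nonce` header and returns the JSON body, so callers have no value to pass as the new `DPoPNonce` argument.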
@@ -62,11 +65,8 @@ export async function ClientDPoP() {
 return JWT;
 }
-export async function ServerDPoP() {
-
-}
-
-export async function AssertionJWT(BlueskyClientID) {
+// So far does nothing? Don't touch :3
+export async function AssertionJWT() {
 let KeyPair = await crypto.subtle.generateKey({name: "ECDSA", namedCurve: "P-256"}, true, ["sign", "verify"]);
 // Header
@@ -74,16 +74,18 @@ export async function AssertionJWT(BlueskyClientID) {
 // Payload
 var Payload = {};
- Payload.iss = BlueskyClientID;
- Payload.sub = BlueskyClientID;
+ Payload.iss = "https://fedi.crowdedgames.group/oauth/client-metadata.json";
+ Payload.sub = "https://fedi.crowdedgames.group/oauth/client-metadata.json";
 // Payload.aud
- // Payload.jti
+ Payload.jti = GenerateToken(64);
 Payload.iat = Math.floor(new Date(Date.now()).getTime() / 1000);
 var sHeader = JSON.stringify(Header);
 var sPayload = JSON.stringify(Payload);
 var JWT = KJUR.jws.JWS.sign("HS256", sHeader, sPayload, "838383");
 console.log(JWT);
+ console.log(KeyPair.publicKey);
+ console.log(KeyPair.privateKey);
 }
 // Stolen from elsewhere.
@@ -106,3 +108,14 @@ async function sha256(message) {
 return string;
 }
+
+// Stolen from Search
+// TODO: implement my own function.
+export function GenerateToken(length) {
+ var chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+ var token = '';
+ for(var i = 0; i < length; i++) {
+ token += chars[Math.floor(Math.random() * chars.length)];
+ }
+ return token;
+}
diff --git a/JS/mail.js b/JS/mail.js
index 968d1cb..c81f9a1 100644
--- a/JS/mail.js
+++ b/JS/mail.js
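Review bot: In JS/BlueskyAPI.js `AssertionJWT`, the added lines `console.log(KeyPair.publicKey);` and `console.log(KeyPair.privateKey);` print handles to a key pair that is generated as extractable and then never used, because the token is still signed with `KJUR.jws.JWS.sign("HS256", sHeader, sPayload, "838383")`. A literal shared secret shipped in browser JavaScript is readable by anyone who loads the page, so an assertion signed this way proves nothing about the client. I would drop both log lines, and before this function is wired in, sign with the generated private key (ES256) instead of the literal and set the still-commented `aud` claim. The function also returns nothing, so callers only see console output; its first lines are in the previous hunk.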
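Review bot: `GenerateToken` in JS/BlueskyAPI.js draws from `Math.random()`, which is not a cryptographically secure generator, yet this commit uses its output for the OAuth `state` value in JS/mail.js and for the `jti` claims in `ClientDPoP` and `AssertionJWT`. `state` is what ties the authorization response to this browser session, so it has to be unpredictable; `crypto.getRandomValues` is available wherever the `crypto.subtle` calls in this file already work. The version below keeps the same alphabet and signature and discards bytes that would bias the modulo.

```javascript
export function GenerateToken(length) {
	const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
	// Largest multiple of chars.length that fits in one byte; bytes at or above it are skipped to avoid modulo bias.
	const limit = 256 - (256 % chars.length);
	let token = '';
	while (token.length < length) {
		const bytes = crypto.getRandomValues(new Uint8Array(length));
		for (const b of bytes) {
			if (b < limit && token.length < length) {
				token += chars[b % chars.length];
			}
		}
	}
	return token;
}
```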
@@ -19,6 +19,11 @@ let MastodonTokenType = "mastodon_token_type";
 // Bluesky (TODO: use these variables).
 let BlueskyApp = "https://bsky.app";
 let BlueskyPDS = "https://bsky.social";
+let BlueskyPKCEverifer = "bluesky_pkce_verifier";
+let BlueskyPKCEchallenge = "bluesky_pkce_challenge";
+let BlueskyPrivateKey = "bluesky_private_key";
+let BlueskyPublicKey = "bluesky_public_key";
+let BlueskyNonce = "bluesky_nonce";
 // Tumblr
 let TumblrWebsite = "https://www.tumblr.com";
@@ -112,13 +117,14 @@ function getRandomArbitrary(min, max) {
 // The next section is dedicated to testing. // WARNING: I don't know what I am doing.
+await BlueskyAPI.AssertionJWT();
 async function BlueskyTestingAuthorization() {
 // Declare Variables
 let WellKnown = await BlueskyAPI.GetPDSWellKnown();
 let PAREndpoint = WellKnown.pushed_authorization_request_endpoint;
- let State = generateToken(64);
+ let State = BlueskyAPI.GenerateToken(64);
 let PKCEverifier = await BlueskyAPI.CreatePKCECodeVerifier();
 let PKCEchallenge = await BlueskyAPI.CreatePKCECodeChallenge(PKCEverifier);
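Review bot: `BlueskyPKCEverifer` in JS/mail.js is missing an `i` (its value is spelled `bluesky_pkce_verifier`), which is worth fixing before other code references the name: `let BlueskyPKCEverifier = "bluesky_pkce_verifier";`. If these strings are web-storage keys, as the neighbouring Mastodon names suggest, keeping the DPoP private key under `bluesky_private_key` would make it readable by any script running on the origin; a non-extractable `CryptoKey` held in IndexedDB avoids exporting it at all. How the names are used is not visible in this hunk.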
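Review bot: The added `await BlueskyAPI.AssertionJWT();` in JS/mail.js sits at module top level, so every load of the page generates a key pair and writes a token and key objects to the console, and a rejection there (for instance if `KJUR` is not loaded) would stop the rest of the module from evaluating. Since the section is marked as testing, I would call it from inside `BlueskyTestingAuthorization` or remove it before merge. If it has to stay for now, a comment on the line such as `// TEMP: debug call, remove before release` makes that explicit. `BlueskyTestingAuthorization` continues past the end of this hunk.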
@@ -126,16 +132,5 @@ async function BlueskyTestingAuthorization() {
 let PAR = await BlueskyAPI.PARrequest(WellKnown.pushed_authorization_request_endpoint, State, PKCEchallenge);
 console.log(PAR);
 // Now we need to authenticate. Make sure the State stays the same throughout this whole process :]
- document.location.href = "https://bsky.social/oauth/authorize?client_id=https://fedi.crowdedgames.group/oauth/client-metadata.json&request_uri=" + PAR.request_uri;
-}
-
-// Stolen from Search
-// TODO: implement my own function.
-function generateToken(length) {
- var chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
- var token = '';
- for(var i = 0; i < length; i++) {
- token += chars[Math.floor(Math.random() * chars.length)];
- }
- return token;
+ // document.location.href = "https://bsky.social/oauth/authorize?client_id=https://fedi.crowdedgames.group/oauth/client-metadata.json&request_uri=" + PAR.request_uri;
 }
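Review bot: The redirect in `BlueskyTestingAuthorization` is left behind as a commented-out line, so the function now ends after logging the PAR response; if that is temporary, a `// TODO` naming what blocks it is clearer than dead code. When it is restored, build the address with `new URL(...)` and `searchParams.set("request_uri", PAR.request_uri)` rather than string concatenation, since `PAR.request_uri` comes from a server response and `client_id` is itself a URL that needs encoding. Nothing visible here saves `State` or the PKCE verifier before navigating away, which the callback page will need in order to check the returned `state`; the start of the function is outside this hunk.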