159 lines
5.0 KiB
JavaScript
159 lines
5.0 KiB
JavaScript
import crypto from 'crypto';
|
|
import fs from 'fs';
|
|
import path from 'path';
|
|
import { fileURLToPath } from 'url';
|
|
|
|
const __filename = fileURLToPath(import.meta.url);
|
|
const __dirname = path.dirname(__filename);
|
|
|
|
const FEDERATION_DOMAIN = process.env.FEDERATION_DOMAIN || '';
|
|
let privateKeyPem = process.env.FEDERATION_PRIVATE_KEY || '';
|
|
let publicKeyPem = '';
|
|
|
|
// Load or generate RSA keys
|
|
if (FEDERATION_DOMAIN) {
|
|
const keyPath = path.join(__dirname, 'federation_key.pem');
|
|
|
|
if (!privateKeyPem && fs.existsSync(keyPath)) {
|
|
privateKeyPem = fs.readFileSync(keyPath, 'utf8');
|
|
}
|
|
|
|
if (!privateKeyPem) {
|
|
console.log('Generating new RSA federation key pair...');
|
|
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
|
|
modulusLength: 2048,
|
|
publicKeyEncoding: { type: 'spki', format: 'pem' },
|
|
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
|
|
});
|
|
privateKeyPem = privateKey;
|
|
fs.writeFileSync(keyPath, privateKeyPem, 'utf8');
|
|
console.log(`Saved new federation private key to ${keyPath}`);
|
|
}
|
|
|
|
// Derive public key from the loaded private key
|
|
const currentPrivateKey = crypto.createPrivateKey(privateKeyPem);
|
|
publicKeyPem = crypto.createPublicKey(currentPrivateKey).export({ type: 'spki', format: 'pem' });
|
|
}
|
|
|
|
// Instance discovery cache (domain → { baseUrl, publicKey })
|
|
const discoveryCache = new Map();
|
|
|
|
/**
|
|
* Get this instance's federation domain.
|
|
*/
|
|
export function getFederationDomain() {
|
|
return FEDERATION_DOMAIN;
|
|
}
|
|
|
|
/**
|
|
* Get this instance's RSA public key (PEM format).
|
|
*/
|
|
export function getPublicKey() {
|
|
return publicKeyPem;
|
|
}
|
|
|
|
/**
|
|
* Check if federation is configured on this instance.
|
|
*/
|
|
export function isFederationEnabled() {
|
|
return !!(FEDERATION_DOMAIN && privateKeyPem);
|
|
}
|
|
|
|
/**
|
|
* RSA sign a JSON payload.
|
|
* @param {object} payload
|
|
* @returns {string} base64 signature
|
|
*/
|
|
export function signPayload(payload) {
|
|
if (!privateKeyPem) throw new Error("Federation private key not available");
|
|
const data = Buffer.from(JSON.stringify(payload));
|
|
const sign = crypto.createSign('SHA256');
|
|
sign.update(data);
|
|
sign.end();
|
|
return sign.sign(privateKeyPem, 'base64');
|
|
}
|
|
|
|
/**
|
|
* Verify an RSA signature against a JSON payload using a remote public key.
|
|
* @param {object} payload
|
|
* @param {string} signature base64 signature
|
|
* @param {string} remotePublicKeyPem
|
|
* @returns {boolean}
|
|
*/
|
|
export function verifyPayload(payload, signature, remotePublicKeyPem) {
|
|
if (!remotePublicKeyPem || !signature) return false;
|
|
try {
|
|
const data = Buffer.from(JSON.stringify(payload));
|
|
const verify = crypto.createVerify('SHA256');
|
|
verify.update(data);
|
|
verify.end();
|
|
return verify.verify(remotePublicKeyPem, signature, 'base64');
|
|
} catch (e) {
|
|
console.error('Signature verification error:', e.message);
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Discover a remote Redlight instance's federation API base URL.
|
|
* Fetches https://{domain}/.well-known/redlight and caches the result.
|
|
* @param {string} domain
|
|
* @returns {Promise<{ baseUrl: string, publicKey: string }>}
|
|
*/
|
|
export async function discoverInstance(domain) {
|
|
if (discoveryCache.has(domain)) {
|
|
return discoveryCache.get(domain);
|
|
}
|
|
|
|
const wellKnownUrl = `https://${domain}/.well-known/redlight`;
|
|
try {
|
|
// Since we test locally, allow http fallback if the request fails (optional but good for testing)
|
|
let response;
|
|
try {
|
|
response = await fetch(wellKnownUrl);
|
|
} catch (e) {
|
|
if (e.message.includes('fetch') && wellKnownUrl.startsWith('https://localhost')) {
|
|
response = await fetch(`http://${domain}/.well-known/redlight`);
|
|
} else throw e;
|
|
}
|
|
|
|
if (!response.ok) {
|
|
throw new Error(`Discovery failed: HTTP ${response.status}`);
|
|
}
|
|
const data = await response.json();
|
|
|
|
if (!data.public_key) {
|
|
throw new Error(`Remote instance at ${domain} did not provide a public key`);
|
|
}
|
|
|
|
const baseUrl = `https://${domain}${data.federation_api || '/api/federation'}`;
|
|
// Optionally handle local testing gracefully for baseUrl
|
|
const result = {
|
|
baseUrl: baseUrl.replace('https://localhost', 'http://localhost'),
|
|
publicKey: data.public_key
|
|
};
|
|
|
|
discoveryCache.set(domain, result);
|
|
return result;
|
|
} catch (error) {
|
|
console.error(`Federation discovery failed for ${domain}:`, error.message);
|
|
throw new Error(`Could not discover Redlight instance at ${domain}`);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Parse a federated address like "username@domain.com".
|
|
* @param {string} address
|
|
* @returns {{ username: string, domain: string | null }}
|
|
*/
|
|
export function parseAddress(address) {
|
|
if (!address || !address.includes('@')) {
|
|
return { username: address, domain: null };
|
|
}
|
|
const atIndex = address.lastIndexOf('@');
|
|
return {
|
|
username: address.substring(0, atIndex),
|
|
domain: address.substring(atIndex + 1),
|
|
};
|
|
}
|