ability to fetch client certs for p2p

2025-11-13 16:22:39 +10:00 · 2024-10-21 10:14:13 +11:00
parent 395219d0cb
commit 0a715fef08
5 changed files with 601 additions and 562 deletions
--- a/server/api/v1/auth/signup/simple.post.ts
+++ b/server/api/v1/auth/signup/simple.post.ts
@ -32,7 +32,7 @@ export default defineEventHandler(async (h3) => {
        responseType: "stream",
      }),
    {},
-    [`anonymous:read`, `${userId}:write`]
+    [`anonymous:read`, `${userId}:write`],
  );
  const user = await prisma.user.create({
    data: {
--- a/server/api/v1/client/http/fetch.get.ts
+++ b/server/api/v1/client/http/fetch.get.ts
@ -0,0 +1,24 @@
+import { defineClientEventHandler } from "~/server/internal/clients/event-handler";
+
+export default defineClientEventHandler(async (h3) => {
+  const query = getQuery(h3);
+  const clientId = query.id?.toString();
+  if (!clientId)
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing id in query",
+    });
+
+  const certificate = await h3.context.ca.fetchClientCertificate(clientId);
+  if (!certificate) {
+    // Either it doesn't exist or it's blacklisted
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Invalid or blacklisted clientId",
+    });
+  }
+
+  return {
+    certificate: certificate.cert,
+  };
+});
--- a/server/internal/clients/ca.ts
+++ b/server/internal/clients/ca.ts
@ -39,7 +39,7 @@ export class CertificateAuthority {
      clientId,
      clientName,
      caCertificate.cert,
-      caCertificate.priv
+      caCertificate.priv,
    );
    const certBundle: CertificateBundle = {
      priv,
@ -53,6 +53,13 @@ export class CertificateAuthority {
  }

  async fetchClientCertificate(clientId: string) {
+    const isBlacklist =
+      await this.certificateStore.checkBlacklistCertificate(clientId);
+    if (isBlacklist) return undefined;
    return await this.certificateStore.fetch(`client:${clientId}`);
  }
+
+  async blacklistClient(clientId: string) {
+    await this.certificateStore.blacklistCertificate(clientId);
+  }
 }
--- a/server/internal/clients/store.ts
+++ b/server/internal/clients/store.ts
@ -5,9 +5,13 @@ import { CertificateBundle } from "./ca";
 export type CertificateStore = {
  store(name: string, data: CertificateBundle): Promise<void>;
  fetch(name: string): Promise<CertificateBundle | undefined>;
+  blacklistCertificate(name: string): Promise<void>;
+  checkBlacklistCertificate(name: string): Promise<boolean>;
 };

 export const fsCertificateStore = (base: string) => {
+  const blacklist = path.join(base, ".blacklist");
+  fs.mkdirSync(blacklist, { recursive: true });
  const store: CertificateStore = {
    async store(name: string, data: CertificateBundle) {
      const filepath = path.join(base, name);
@ -18,6 +22,14 @@ export const fsCertificateStore = (base: string) => {
      if (!fs.existsSync(filepath)) return undefined;
      return JSON.parse(fs.readFileSync(filepath, "utf-8"));
    },
+    async blacklistCertificate(name: string) {
+      const filepath = path.join(blacklist, name);
+      fs.writeFileSync(filepath, Buffer.from([]));
+    },
+    async checkBlacklistCertificate(name: string): Promise<boolean> {
+      const filepath = path.join(blacklist, name);
+      return fs.existsSync(filepath);
+    },
  };
  return store;
 };
--- a/yarn.lock
+++ b/yarn.lock