handshakes

2025-11-13 08:12:40 +10:00 · 2024-10-08 18:08:34 +11:00
parent 7523e536b5
commit 2b4382d013
8 changed files with 130 additions and 13 deletions
--- a/prisma/migrations/20241008062519_remove_shared_token_and_add_last_connected/migration.sql
+++ b/prisma/migrations/20241008062519_remove_shared_token_and_add_last_connected/migration.sql
@ -0,0 +1,19 @@
+/*
+  Warnings:
+
+  - The primary key for the `Client` table will be changed. If it partially fails, the table could be left without primary key constraint.
+  - You are about to drop the column `sharedToken` on the `Client` table. All the data in the column will be lost.
+  - The required column `id` was added to the `Client` table with a prisma-level default value. This is not possible if the table is not empty. Please add this column as optional, then populate it before making it required.
+  - Added the required column `lastConnected` to the `Client` table without a default value. This is not possible if the table is not empty.
+  - Added the required column `name` to the `Client` table without a default value. This is not possible if the table is not empty.
+  - Added the required column `platform` to the `Client` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- AlterTable
+ALTER TABLE "Client" DROP CONSTRAINT "Client_pkey",
+DROP COLUMN "sharedToken",
+ADD COLUMN     "id" TEXT NOT NULL,
+ADD COLUMN     "lastConnected" TIMESTAMP(3) NOT NULL,
+ADD COLUMN     "name" TEXT NOT NULL,
+ADD COLUMN     "platform" TEXT NOT NULL,
+ADD CONSTRAINT "Client_pkey" PRIMARY KEY ("id");
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@ -43,15 +43,16 @@ enum ClientCapabilities {

 // References a device
 model Client {
-  sharedToken String @id @default(uuid())
-  userId      String
-  user        User   @relation(fields: [userId], references: [id])
+  id     String @id @default(uuid())
+  userId String
+  user   User   @relation(fields: [userId], references: [id])

  endpoint     String
  capabilities ClientCapabilities[]

-  name     String
-  platform String
+  name          String
+  platform      String
+  lastConnected DateTime
 }

 enum MetadataSource {
--- a/server/api/v1/client/callback/index.get.ts
+++ b/server/api/v1/client/callback/index.get.ts
@ -12,7 +12,7 @@ export default defineEventHandler(async (h3) => {
      statusMessage: "Provide client ID in request params as 'id'",
    });

-  const data = await clientHandler.fetchInitiateClientMetadata(
+  const data = await clientHandler.fetchClientMetadata(
    providedClientId
  );
  if (!data)
--- a/server/api/v1/client/callback/index.post.ts
+++ b/server/api/v1/client/callback/index.post.ts
@ -7,7 +7,7 @@ export default defineEventHandler(async (h3) => {
  const body = await readBody(h3);
  const clientId = await body.id;

-  const data = await clientHandler.fetchInitiateClientMetadata(clientId);
+  const data = await clientHandler.fetchClientMetadata(clientId);
  if (!data)
    throw createError({
      statusCode: 400,
--- a/server/api/v1/client/handshake.post.ts
+++ b/server/api/v1/client/handshake.post.ts
@ -1,3 +1,46 @@
-export default defineEventHandler((h3) => {
-    
-})
+import clientHandler from "~/server/internal/clients/handler";
+import { useGlobalCertificateAuthority } from "~/server/plugins/ca";
+
+export default defineEventHandler(async (h3) => {
+  const body = await readBody(h3);
+  const clientId = body.clientId;
+  const token = body.token;
+  if (!clientId || !token)
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing token or client ID from body",
+    });
+
+  const metadata = await clientHandler.fetchClient(clientId);
+  if (!metadata)
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Invalid client ID",
+    });
+  if (!metadata.authToken || !metadata.userId)
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Un-authorized client ID",
+    });
+  if (metadata.authToken !== token)
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Invalid token",
+    });
+
+  const ca = useGlobalCertificateAuthority();
+  const bundle = await ca.generateClientCertificate(
+    clientId,
+    metadata.data.name
+  );
+
+  const client = await clientHandler.finialiseClient(clientId);
+  await ca.storeClientCertificate(clientId, bundle);
+
+  return {
+    private: bundle.priv,
+    public: bundle.pub,
+    certificate: bundle.cert,
+    id: client.id,
+  };
+});
--- a/server/internal/clients/README.md
+++ b/server/internal/clients/README.md
@ -17,7 +17,7 @@ Client makes request: `POST /api/v1/client/handshake` with the token recieved in

 The server uses it's CA to generate a public-private key pair, the CN of the client ID. It then sends that pair, plus the CA's public key, to the client, which stores it all. 

-The certificate lasts for a year, and is rotated when it has 3 months or less left on it's expiry. 
+*The certificate lasts for a year, and is rotated when it has 3 months or less left on it's expiry.*

 ## 4.a Client requests one-time device endpoint
 The client generates a nonce and signs it with their private key. This is then attached to any device-related request.
--- a/server/internal/clients/ca.ts
+++ b/server/internal/clients/ca.ts
@ -31,4 +31,26 @@ export class CertificateAuthority {
    }
    return new CertificateAuthority(store, root);
  }
+
+  async generateClientCertificate(clientId: string, clientName: string) {
+    const caCertificate = await this.certificateStore.fetch("ca");
+    if (!caCertificate)
+      throw new Error("Certificate authority not initialised");
+    const [priv, pub, cert] = droplet.generateClientCertificate(
+      clientId,
+      clientName,
+      caCertificate.cert,
+      caCertificate.priv
+    );
+    const certBundle: CertificateBundle = {
+      priv,
+      pub,
+      cert,
+    };
+    return certBundle;
+  }
+
+  async storeClientCertificate(clientId: string, bundle: CertificateBundle) {
+    await this.certificateStore.store(`client:${clientId}`, bundle);
+  }
 }
--- a/server/internal/clients/handler.ts
+++ b/server/internal/clients/handler.ts
@ -1,4 +1,6 @@
 import { v4 as uuidv4 } from "uuid";
+import { CertificateBundle } from "./ca";
+import prisma from "../db/database";

 export interface ClientMetadata {
  name: string;
@ -29,10 +31,14 @@ export class ClientHandler {
    return clientId;
  }

-  async fetchInitiateClientMetadata(clientId: string) {
+  async fetchClientMetadata(clientId: string) {
+    return (await this.fetchClient(clientId))?.data;
+  }
+
+  async fetchClient(clientId: string) {
    const entry = this.temporaryClientTable[clientId];
    if (!entry) return undefined;
-    return entry.data;
+    return entry;
  }

  async attachUserId(clientId: string, userId: string) {
@ -50,6 +56,32 @@ export class ClientHandler {

    return token;
  }
+
+  async fetchClientMetadataByToken(token: string) {
+    return Object.entries(this.temporaryClientTable)
+      .map((e) => Object.assign(e[1], { id: e[0] }))
+      .find((e) => e.authToken === token);
+  }
+
+  async finialiseClient(id: string) {
+    const metadata = this.temporaryClientTable[id];
+    if (!metadata) throw new Error("Invalid client ID");
+    if (!metadata.userId) throw new Error("Un-authorized client ID");
+
+    return await prisma.client.create({
+      data: {
+        id: id,
+        userId: metadata.userId,
+
+        endpoint: "",
+        capabilities: [],
+
+        name: metadata.data.name,
+        platform: metadata.data.platform,
+        lastConnected: new Date(),
+      },
+    });
+  }
 }

 export const clientHandler = new ClientHandler();