
indieauth-helper's People

Contributors

dependabot[bot], grantcodes

indieauth-helper's Issues

Authenticating a user via IndieLogin; can this package help?

👋🏻 I have been making some progress with my Micropub server. I am in the process of splitting it up into different packages… and undecided if moving to a mono repo was actually that smart of an idea! But this hopefully means I can more easily share portions of the project with everyone in the wider GitHub repo/discussion soon. However, before I get to that, I would like to add authentication to my server’s UI so you can log in and configure various aspects of it, and perhaps later add an interface for sharing links, etc…

I was trying to build some (additional) IndieAuth middleware so that I can accomplish the above, but then I came across this project, which appears to achieve this in a smarter way than I could ever hope to come up with. But! I’m confused as to how it fits into my use case.

This Express routes file is a fair summation of what I have so far

Adding some good ol’ fashioned console logging to your package, I tend to get 404 errors, or ‘Invalid code provided’ responses. It seems the code returned from IndieLogin is causing errors. If you could let me know if I’m on the right track, I’d be enormously grateful… and happy to add examples to the documentation once I’ve got it all working :-)

store or make available other rel-endpoints

an example change here on glitch:

https://glitch.com/edit/#!/veil-mirror?path=lib/indieauth-authentication.js:139:0

updates getEndpointsFromUrl to accept extra_rels, an Object mapping the rel value to the resulting key that should go in the Object that gets returned (currently that contains auth, and token).

example usage:

await indieAuth.getEndpointsFromUrl(me, {
  'micropub': 'micropub',
  'microsub': 'microsub',
});

Definitely open to other options, like taking extra_rels as an array, or storing all rels somewhere in options.

support for PKCE

Proof-Key for Code Exchange protects against intercepted authorization codes during the OAuth flow.

I was able to add it to the indieauth helper WIP by:

  • generating a random string code_verifier and storing it in the session for the user
  • computing the sha256 hash of code_verifier to generate code_challenge
  • getting the auth redirect URL via getAuthUrl(), then adding &code_challenge=...&code_challenge_method=S256 to the string before redirecting.
  • when exchanging the code for a token, you need to pass along the original value of code_verifier, so I updated getToken() to accept an extra_args = {} Object.

you can see the changes here:

https://glitch.com/edit/#!/veil-mirror?path=lib/indieauth-authentication.js:198:1

and the usage of it to add code_challenge to the auth url:

https://glitch.com/edit/#!/veil-mirror?path=server.js:198:1

and the extra args to getToken:

https://glitch.com/edit/#!/veil-mirror?path=server.js:235:1
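
The steps listed in the issue above, written out as an added example for Node.js (not code from the post, the linked Glitch project, or indieauth-helper). It follows RFC 7636's S256 method, where the challenge is the base64url-encoded SHA-256 digest without padding. All function names, hostnames and parameter values are hypothetical.

```javascript
// Added example: PKCE (RFC 7636, S256) helpers for an IndieAuth client.
// Function names are hypothetical; they are not part of indieauth-helper.
const crypto = require('node:crypto');

// code_verifier must be 43-128 characters from [A-Za-z0-9-._~].
// 32 random bytes encode to exactly 43 base64url characters.
function makeCodeVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding.
function makeCodeChallenge(verifier) {
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Add the PKCE parameters with the URL API instead of string concatenation,
// so an auth URL that already carries query parameters stays well-formed.
function addPkceToAuthUrl(authUrl, challenge) {
  const url = new URL(authUrl);
  url.searchParams.set('code_challenge', challenge);
  url.searchParams.set('code_challenge_method', 'S256');
  return url.toString();
}

// Form body for the code exchange; the verifier kept in the user's session
// is sent here and never appears in the browser redirect.
function tokenRequestBody({ code, clientId, redirectUri, verifier }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: clientId,
    redirect_uri: redirectUri,
    code_verifier: verifier,
  }).toString();
}

// The endpoint's side of the check: reject malformed verifiers, recompute
// the challenge, and compare it to the stored one in constant time.
function verifierMatches(verifier, storedChallenge) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(String(verifier))) return false;
  const a = Buffer.from(makeCodeChallenge(verifier));
  const b = Buffer.from(String(storedChallenge));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

Generate a fresh verifier per authorization request and discard it from the session once the code exchange has completed or failed.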

Update dependencies?

Any plans to update the dependencies of this package? A few, namely axios, are reporting security vulnerabilities.

Add tests

  • Follows permanent redirect
  • Follows temporary redirect
  • Follows multiple redirects
  • Respects elements
  • Generate and validate state
  • Generates auth url correctly
  • Handles urls with query parameters correctly
  • Can retrieve token
  • Can verify token
  • Throws errors when missing parameters
  • Can retrieve extra rels when requested
  • Handles both headers & tags
