Eventually-decentralized project hosting and management platform

[[ 🗃 ^WvWbo vervis ]] :: [📥 Inbox] [📤 Outbox] [🐤 Followers] [🤝 Collaborators] [🛠 Changes]

Clone

HTTPS: darcs clone https://vervis.peers.community/repos/WvWbo

SSH: darcs clone USERNAME@vervis.peers.community:WvWbo

Tags

TODO

src / Web /

ActivityAccess.hs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

{- This file is part of Vervis.
 -
 - Written in 2019 by fr33domlover <fr33domlover@riseup.net>.
 -
 - ♡ Copying is an act of love. Please copy, reuse and share.
 -
 - The author(s) have dedicated all copyright and related and neighboring
 - rights to this software to the public domain worldwide. This software is
 - distributed without any warranty.
 -
 - You should have received a copy of the CC0 Public Domain Dedication along
 - with this software. If not, see
 - <http://creativecommons.org/publicdomain/zero/1.0/>.
 -}

module Web.ActivityAccess
    ( SignedAccessToken ()
    , AccessTokenSecretKey ()
    , encodeSignedAccessToken
    , decodeSignedAccessToken
    , signAccessToken
    , verifyAccessToken
    )
where

import Crypto.Hash
import Crypto.MAC.HMAC
import Crypto.Random
import Data.ByteString (ByteString)
import Data.KeyFile

import qualified Data.ByteArray as BA
import qualified Data.ByteString as B
import qualified Data.ByteString.Base64 as B64
import qualified Data.ByteString.Char8 as BC

data SignedAccessToken = SignedAccessToken
    { _accessTokenMsg  :: ByteString
    , _accessTokenHMAC :: HMAC SHA256
    }

newtype AccessTokenSecretKey = AccessTokenSecretKey ByteString

instance KeyFile AccessTokenSecretKey where
    generateKey = AccessTokenSecretKey <$> getRandomBytes 32
    parseKey b =
        if B.length b == 32
            then return $ AccessTokenSecretKey b
            else fail "AccessTokenSigningKey parseKey invalid length"
    renderKey (AccessTokenSecretKey b) = b

encodeSignedAccessToken :: SignedAccessToken -> ByteString
encodeSignedAccessToken (SignedAccessToken msg sig) = B.concat
    [ msg
    , "-"
    , B64.encode $ BA.convert sig
    ]

decodeSignedAccessToken :: ByteString -> Either String SignedAccessToken
decodeSignedAccessToken token = do
    let (msg, rest) = BC.break (== '-') token
    sigB64 <-
        case B.stripPrefix "-" rest of
            Nothing -> err "Invalid format, separator not found"
            Just rest' -> return rest'
    sigBin <-
        case B64.decode sigB64 of
            Left s -> err $ "Base64 decoding sig failed: " ++ s
            Right b -> return b
    digest <-
        case digestFromByteString sigBin of
            Nothing -> err "Decoding sig hash failed, invalid length"
            Just d -> return d
    return $ SignedAccessToken msg $ HMAC digest
    where
    err s = Left $ "decodeSignedAccessToken: " ++ s

signAccessToken :: AccessTokenSecretKey -> ByteString -> SignedAccessToken
signAccessToken (AccessTokenSecretKey key) msg =
    SignedAccessToken msg $ hmac key msg

verifyAccessToken
    :: AccessTokenSecretKey -> SignedAccessToken -> Maybe ByteString
verifyAccessToken (AccessTokenSecretKey key) (SignedAccessToken msg sig) =
    if hmac key msg == sig
        then Just msg
        else Nothing
[See repo JSON]