feat: added token verification and signing for login

Author: aryanjassal

.gitignore

@@ -130,3 +130,4 @@ dist
 # editor
 .vscode/
 .idea/
+.prettierrc

src/client/callers/authSignToken.ts

@@ -0,0 +1,12 @@
+import type { HandlerTypes } from '@matrixai/rpc';
+import type AuthSignToken from '../handlers/AgentLockAll.js';
+import { UnaryCaller } from '@matrixai/rpc';
+
+type CallerTypes = HandlerTypes<AuthSignToken>;
+
+const authSignToken = new UnaryCaller<
+  CallerTypes['input'],
+  CallerTypes['output']
+>();
+
+export default authSignToken;

src/client/errors.ts

@@ -50,6 +50,13 @@ class ErrorClientVerificationFailed<T> extends ErrorClientService<T> {
   exitCode = sysexits.USAGE;
 }
 
+class ErrorAuthentication<T> extends ErrorPolykey<T> { }
+
+class ErrorAuthenticationInvalidToken<T> extends ErrorAuthentication<T> {
+  static description = 'Incoming token does not match its signature';
+  exitCode = sysexits.PROTOCOL;
+}
+
 export {
   ErrorClient,
   ErrorClientAuthMissing,
@@ -62,4 +69,6 @@ export {
   ErrorClientServiceNotRunning,
   ErrorClientServiceDestroyed,
   ErrorClientVerificationFailed,
+  ErrorAuthentication,
+  ErrorAuthenticationInvalidToken,
 };

src/client/handlers/AuthSignToken.ts

@@ -0,0 +1,51 @@
+import type {
+  ClientRPCRequestParams,
+  ClientRPCResponseResult,
+  IdentityRequestData,
+  IdentityResponseData,
+  TokenIdentityRequest,
+  TokenIdentityResponse,
+} from '../types.js';
+import type KeyRing from '../../keys/KeyRing.js';
+import type { PublicKey } from '../../keys/types.js';
+import { UnaryHandler } from '@matrixai/rpc';
+import Token from '../../tokens/Token.js';
+import * as clientErrors from '../errors.js';
+import * as nodesUtils from '../../nodes/utils.js';
+
+class AuthSignToken extends UnaryHandler<
+  {
+    keyRing: KeyRing;
+  },
+  ClientRPCRequestParams<TokenIdentityRequest>,
+  ClientRPCResponseResult<TokenIdentityResponse>
+> {
+  public handle = async (
+    input: ClientRPCRequestParams<TokenIdentityRequest>,
+  ): Promise<TokenIdentityResponse> => {
+    const { keyRing }: { keyRing: KeyRing } = this.container;
+
+    // Get and verify incoming node
+    const inputToken = { payload: input.payload, signatures: input.signatures };
+    const incomingToken = Token.fromEncoded<IdentityRequestData>(inputToken);
+    const incomingPublicKey = Buffer.from(
+      incomingToken.payload.publicKey,
+    ) as PublicKey;
+    if (!incomingToken.verifyWithPublicKey(incomingPublicKey)) {
+      throw new clientErrors.ErrorAuthenticationInvalidToken();
+    }
+
+    // Create the outgoing token with the incoming token integrated into the
+    // payload.
+    const outgoingTokenPayload: IdentityResponseData = {
+      requestToken: inputToken,
+      nodeId: nodesUtils.encodeNodeId(keyRing.getNodeId()),
+    };
+    const outgoingToken =
+      Token.fromPayload<IdentityResponseData>(outgoingTokenPayload);
+    outgoingToken.signWithPrivateKey(keyRing.keyPair);
+    return outgoingToken.toEncoded();
+  };
+}
+
+export default AuthSignToken;

src/client/types.ts

@@ -19,6 +19,7 @@ import type {
   JWKEncrypted,
   PublicKeyJWK,
 } from '../keys/types.js';
+import type Token from '../tokens/Token.js';
 import type { Notification } from '../notifications/types.js';
 import type { ProviderToken } from '../identities/types.js';
 import type { AuditMetricGetTypeOverride } from './callers/auditMetricGet.js';
@@ -28,6 +29,7 @@ import type {
   NodeContactAddressData,
 } from '../nodes/types.js';
 import type { AuditEventsGetTypeOverride } from './callers/auditEventsGet.js';
+import { TokenPayload, SignedTokenJSON, SignedTokenEncoded, TokenPayloadEncoded } from '#src/types.js';
 
 type ClientRPCRequestParams<T extends JSONObject = JSONObject> =
   JSONRPCResponseResult<
@@ -107,6 +109,22 @@ type TokenMessage = {
   token: ProviderToken;
 };
 
+// Return URL must be present on the token, otherwise token contents is decided
+// by the client.
+type IdentityRequestData = TokenPayload & {
+  returnUrl: string;
+  publicKey: string;
+};
+
+type TokenIdentityRequest = SignedTokenEncoded;
+
+type IdentityResponseData = TokenPayload & {
+  requestToken: TokenIdentityRequest;
+  nodeId: NodeIdEncoded;
+};
+
+type TokenIdentityResponse = SignedTokenEncoded;
+
 // Nodes messages
 
 type NodeIdMessage = {
@@ -405,6 +423,10 @@ export type {
   ClaimIdMessage,
   ClaimNodeMessage,
   TokenMessage,
+  IdentityRequestData,
+  IdentityResponseData,
+  TokenIdentityRequest,
+  TokenIdentityResponse,
   NodeIdMessage,
   AddressMessage,
   NodeAddressMessage,