more magic

asset-api/index.js

@@ -1,11 +1,19 @@
-import { readFileSync } from "node:fs"
+import { readFile } from "node:fs/promises"
+import { readFileSync } from "node:fs";
 import { createSign } from "node:crypto";
 import Fastify from "fastify";
+import { join } from "node:path";
+import mime from "mime"
+import { assert } from "node:console";
 
-const { private: M2M_PRIVATE_KEY, public: M2M_PUBLIC_KEY } = loadM2MKeys()
 const M2M_ALGORITHM = "RSA-SHA512"
+const { private: M2M_PRIVATE_KEY, public: M2M_PUBLIC_KEY } = loadM2MKeys()
+if (M2M_PRIVATE_KEY == null || M2M_PUBLIC_KEY == null) {
+    console.error("Couldn't load keys")
+    process.exit(1)
+}
 
-const ASSETS_FOLDER = "~/.assets/"
+const ASSETS_FOLDER = "../.assets/"
 const ASSET_API_LANDING_MESSAGE = "asset-api v1.0.0"
 
 const IDENTITY_API_ENDPOINT = "http://localhost:3000"
@@ -26,28 +34,45 @@ fastify.get("/crypto/algo", (request, reply) => {
     return M2M_ALGORITHM
 })
 
-fastify.get("/asset", {
+fastify.put("/asset", {
     async handler(request, reply) {
-        let url = new URL(IDENTITY_API_ENDPOINT)
+        let user = await userFromSessionKey(request.query.session_key)
-        url.pathname = "/auth/account/fromkey"
 
-        let res = await fetch(url, {
+        // continue working onmthis
-            method: "POST",
+        console.log(typeof request.body)
-            body: signString(JSON.stringify({
-                session_key: request.query.session_key,
-            }))
-        })
-
-        return await res.text()
     },
     schema: {
         query: {
             type: "object",
             properties: {
-                id: { type: "string" },
                 session_key: { type: "string" },
             },
-            required: ["id", "session_key"],
+            required: ["session_key"],
+        },
+    },
+})
+
+fastify.get("/asset", {
+    async handler(request, reply) {
+        let user = await userFromSessionKey(request.query.session_key)
+
+        if (user.assets.includes(request.query.asset_id)) {
+            let path = join(ASSETS_FOLDER, request.query.asset_id)
+
+            reply.type(mime.getType(path))
+            reply.send(await readFile(path))
+        } else {
+            return "Not authorized"
+        }
+    },
+    schema: {
+        query: {
+            type: "object",
+            properties: {
+                asset_id: { type: "string" },
+                session_key: { type: "string" },
+            },
+            required: ["asset_id", "session_key"],
         },
     },
 })
@@ -66,3 +91,21 @@ function signString(content) {
     sign.update(content)
     return `-----BEGIN SIGNED MESSAGE-----\n\n${content}\n\n-----BEGIN SIGNATURE-----\n\n${sign.sign(M2M_PRIVATE_KEY, "base64")}\n-----END SIGNATURE-----`
 }
+
+function signObject(content) {
+    return signString(JSON.stringify(content))
+}
+
+async function userFromSessionKey(session_key) {
+    let url = new URL(IDENTITY_API_ENDPOINT)
+    url.pathname = "/m2m/account"
+
+    let res1 = await fetch(url, {
+        method: "POST",
+        body: signObject({
+            session_key: request.query.session_key,
+        })
+    })
+
+    return await res1.json()
+}

asset-api/package.json

@@ -5,6 +5,7 @@
   "packageManager": "yarn@4.3.0",
   "dependencies": {
     "fastify": "^4.28.0",
+    "mime": "^4.0.3",
     "uuid": "^10.0.0"
   },
   "scripts": {

asset-api/yarn.lock

@@ -102,6 +102,7 @@ __metadata:
   resolution: "asset-api@workspace:."
   dependencies:
     fastify: "npm:^4.28.0"
+    mime: "npm:^4.0.3"
     uuid: "npm:^10.0.0"
   languageName: unknown
   linkType: soft
@@ -312,6 +313,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"mime@npm:^4.0.3":
+  version: 4.0.3
+  resolution: "mime@npm:4.0.3"
+  bin:
+    mime: bin/cli.js
+  checksum: 10c0/4be1d06813a581eb9634748919eadab9785857dcfe2af4acca8e4bc340b4b74ff7452c7d3cd76169d0f6b77d7f1ab3434bde8a72ca4291fd150b4205c756c36b
+  languageName: node
+  linkType: hard
+
 "on-exit-leak-free@npm:^2.1.0":
   version: 2.1.2
   resolution: "on-exit-leak-free@npm:2.1.2"

identity-api/index.js

@@ -24,6 +24,7 @@ let users = {
         uid: '005d6417-a23c-48bd-b348-eafeae649b94',
         password: '12345678901234567890',
         name: 'Jane Doe',
+        assets: ["f9d040d6-598c-4483-952f-08e7d35d5420.jpg"],
     }
 }
 
@@ -35,10 +36,28 @@ fastify.get('/', async (request, reply) => {
     return IDENTITY_API_LANDING_MESSAGE;
 })
 
-fastify.post("/auth/account/fromkey", {
+fastify.put("/m2m/asset", {
     async handler(request, reply) {
         if (!verifySignature(request.body, ASSET_API_PUBKEY)) {
             reply.statusCode(401)
+            return
+        }
+
+        let body = JSON.parse(getContentFromSigned(request.body))
+
+        let uid = session_keys[`key:${body.session_key}`]
+        let user = Object.values(users).filter(v => v.uid === uid)
+        assert(user.length === 1)
+
+        users[user[0].email].assets.push(body.asset_id)
+    }
+})
+
+fastify.post("/m2m/account", {
+    async handler(request, reply) {
+        if (!verifySignature(request.body, ASSET_API_PUBKEY)) {
+            reply.statusCode(401)
+            return
         }
 
         let body = JSON.parse(getContentFromSigned(request.body))
@@ -137,6 +156,7 @@ fastify.post('/auth/register', {
                 uid: uuidv4(),
                 password: request.body.password,
                 name: request.body.name,
+                assets: [],
             }
 
             let user = users[request.body.email]