ensure nostr pubkey is present in auth when creating robot

This commit is contained in:
jerryfletcher21
2025-06-02 18:14:29 +02:00
parent 54cd6bd860
commit 6f728a4437


@ -30,11 +30,12 @@ class DisableCSRFMiddleware(object):
class SplitAuthorizationHeaderMiddleware(MiddlewareMixin): class SplitAuthorizationHeaderMiddleware(MiddlewareMixin):
""" """
This middleware splits the HTTP_AUTHORIZATION, leaves on it only the `Token ` and creates This middleware splits the HTTP_AUTHORIZATION, leaves on it only the `Token ` and creates
two new META headers for both PGP keys. two new META headers for both PGP keys and one for the nostr pubkey.
Given that API calls to a RoboSats API might be made from other host origin, Given that API calls to a RoboSats API might be made from other host origin,
there is a high chance browsers will not attach cookies and other sensitive information. there is a high chance browsers will not attach cookies and other sensitive information.
Therefore, we are using the `HTTP_AUTHORIZATION` header to also embed the needed robot Therefore, we are using the `HTTP_AUTHORIZATION` header to also embed the needed robot
pubKey and encPrivKey to create a new robot in the coordinator on the first request. pubKey, encPrivKey and nostr pubkey to create a new robot in the coordinator on the
first request.
""" """
def process_request(self, request): def process_request(self, request):
@ -110,8 +111,8 @@ class RobotTokenSHA256AuthenticationMiddleWare:
# If we get here the user does not have a robot on this coordinator # If we get here the user does not have a robot on this coordinator
# Let's create a new user & robot on-the-fly. # Let's create a new user & robot on-the-fly.
# The first ever request to a coordinator must public key (and encrypted priv key as of now). Either on the # The first ever request to a coordinator must provide a public key, the encrypted
# Authorization header or in the Cookies. # private key (as of now), and a nostr pubkey in the Authorization header.
public_key = "" public_key = ""
encrypted_private_key = "" encrypted_private_key = ""
nostr_pubkey = "" nostr_pubkey = ""
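Review bot: The rewritten comment on the two changed lines now states that the keys arrive "in the Authorization header", yet the context lines of the following hunk still read `public_key` and `encrypted_private_key` from `request.COOKIES`, so the cookie fallback the old comment mentioned has not gone away for the PGP keys. Whether `nostr_pubkey` has a cookie fallback is not visible here (the lines between `nostr_pubkey = ""` and the cookie reads fall outside the hunk), so the comment should not imply all three values are header-only. Suggested wording: `# The first ever request to a coordinator must provide a public key, the encrypted` / `# private key (as of now) and a nostr pubkey, via the Authorization header (the PGP` / `# keys may also be sent as cookies).` The enclosing method of RobotTokenSHA256AuthenticationMiddleWare starts and ends outside the hunk.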
@ -127,13 +128,14 @@ class RobotTokenSHA256AuthenticationMiddleWare:
public_key = request.COOKIES.get("public_key") public_key = request.COOKIES.get("public_key")
encrypted_private_key = request.COOKIES.get("encrypted_private_key", "") encrypted_private_key = request.COOKIES.get("encrypted_private_key", "")
if not public_key or not encrypted_private_key: if not public_key or not encrypted_private_key or not nostr_pubkey:
return JsonResponse( return JsonResponse(
{ {
"bad_request": "On the first request to a RoboSats coordinator, you must provide as well a valid public and encrypted private PGP keys" "bad_request": "On the first request to a RoboSats coordinator, you must provide as well a valid public and encrypted private PGP keys and a nostr pubkey"
}, },
status=400, status=400,
) )
( (
valid, valid,
bad_keys_context, bad_keys_context,