auth: Put auth methods in API

api/api.go

@@ -33,6 +33,10 @@ type MsgWait struct {
 
 // API is a low-level interface to the Filecoin network
 type API interface {
+	// Auth
+	AuthVerify(ctx context.Context, token string) ([]string, error)
+	AuthNew(ctx context.Context, perms []string) ([]byte, error)
+
 	// chain
 
 	ChainHead(context.Context) (*chain.TipSet, error)                // TODO: check serialization

api/permissioned.go

@@ -17,6 +17,7 @@ const (
 	// todo: more perms once needed (network / sign / call/invoke / miner / etc)
 )
 
+var AllPermissions = []string{PermRead, PermWrite}
 var defaultPerms = []string{PermRead}
 
 func WithPerm(ctx context.Context, perms []string) context.Context {

api/struct.go

@@ -14,6 +14,9 @@ import (
 // Struct implements API passing calls to user-provided function values.
 type Struct struct {
 	Internal struct {
+		AuthVerify func(ctx context.Context, token string) ([]string, error)
+		AuthNew    func(ctx context.Context, perms []string) ([]byte, error) `perm:"write"`
+
 		ID      func(context.Context) (peer.ID, error)
 		Version func(context.Context) (Version, error)
 
@@ -46,6 +49,14 @@ type Struct struct {
 	}
 }
 
+func (c *Struct) AuthVerify(ctx context.Context, token string) ([]string, error) {
+	return c.Internal.AuthVerify(ctx, token)
+}
+
+func (c *Struct) AuthNew(ctx context.Context, perms []string) ([]byte, error) {
+	return c.Internal.AuthNew(ctx, perms)
+}
+
 func (c *Struct) ClientListImports(ctx context.Context) ([]Import, error) {
 	return c.Internal.ClientListImports(ctx)
 }

chain/types/keystore.go

@@ -1,16 +1,16 @@
 package types
 
-// KeyInfo is used for storying keys in KeyStore
+// KeyInfo is used for storing keys in KeyStore
 type KeyInfo struct {
 	Type       string
 	PrivateKey []byte
 }
 
-// KeyStore is used for storying secret keys
+// KeyStore is used for storing secret keys
 type KeyStore interface {
 	// List lists all the keys stored in the KeyStore
 	List() ([]string, error)
-	// Get gets a key out of keystore and returns KeyInfo coresponding to named key
+	// Get gets a key out of keystore and returns KeyInfo corresponding to named key
 	Get(string) (KeyInfo, error)
 	// Put saves a key info under given name
 	Put(string, KeyInfo) error

daemon/cmd.go

@@ -6,7 +6,6 @@ import (
 	"context"
 
 	"github.com/multiformats/go-multiaddr"
-	"go.uber.org/fx"
 	"gopkg.in/urfave/cli.v2"
 
 	"github.com/filecoin-project/go-lotus/node"
@@ -45,16 +44,12 @@ var Cmd = &cli.Command{
 				}
 				return lr.SetAPIEndpoint(apima)
 			}),
-
-			node.Override(node.ServeRPCKey, func(lc fx.Lifecycle) error {
-
-			}),
 		)
 		if err != nil {
 			return err
 		}
 
 		// TODO: properly parse api endpoint (or make it a URL)
-		return serveRPC(api, "127.0.0.1:"+cctx.String("api"))
+		return serveRPC(api, "127.0.0.1:"+cctx.String("api"), api.AuthVerify)
 	},
 }

daemon/rpc.go

@@ -1,20 +1,20 @@
 package daemon
 
 import (
+	"context"
 	"github.com/filecoin-project/go-lotus/lib/auth"
-	"github.com/gbrlsnchs/jwt/v3"
 	"net/http"
 
 	"github.com/filecoin-project/go-lotus/api"
 	"github.com/filecoin-project/go-lotus/lib/jsonrpc"
 )
 
-func serveRPC(a api.API, addr string, authSecret []byte) error {
+func serveRPC(a api.API, addr string, verify func(ctx context.Context, token string) ([]string, error)) error {
 	rpcServer := jsonrpc.NewServer()
 	rpcServer.Register("Filecoin", api.Permissioned(a))
 
 	authHandler := &auth.Handler{
-		Secret: jwt.NewHS256(authSecret),
+		Verify: verify,
 		Next:   rpcServer.ServeHTTP,
 	}
 

lib/auth/handler.go

@@ -1,18 +1,18 @@
 package auth
 
 import (
+	"context"
 	"net/http"
 	"strings"
 
 	"github.com/filecoin-project/go-lotus/api"
-	"github.com/gbrlsnchs/jwt/v3"
 	logging "github.com/ipfs/go-log"
 )
 
 var log = logging.Logger("auth")
 
 type Handler struct {
-	Secret *jwt.HMACSHA
+	Verify func(ctx context.Context, token string) ([]string, error)
 	Next http.HandlerFunc
 }
 
@@ -28,28 +28,15 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 		token = token[len("Bearer "):]
 
-		var payload jwtPayload
+		allow, err := h.Verify(ctx, token)
-		if _, err := jwt.Verify([]byte(token), h.Secret, &payload); err != nil {
+		if err != nil {
 			log.Warnf("JWT Verification failed: %s", err)
 			w.WriteHeader(401)
 			return
 		}
 
-		ctx = api.WithPerm(ctx, payload.Allow)
+		ctx = api.WithPerm(ctx, allow)
 	}
 
 	h.Next(w, r.WithContext(ctx))
 }
-
-type jwtPayload struct {
-	Allow []string
-}
-
-/*func init() {
-	p := jwtPayload{
-		Allow: []string{"read", "write"},
-	}
-	r, _ := jwt.Sign(&p, secret)
-	log.Infof("WRITE TOKEN: %s", string(r))
-}
-*/

node/api.go

@@ -11,13 +11,18 @@ import (
 	"github.com/filecoin-project/go-lotus/miner"
 	"github.com/filecoin-project/go-lotus/node/client"
 
+	"github.com/gbrlsnchs/jwt/v3"
 	"github.com/ipfs/go-cid"
+	logging "github.com/ipfs/go-log"
 	"github.com/libp2p/go-libp2p-core/host"
 	"github.com/libp2p/go-libp2p-core/peer"
 	pubsub "github.com/libp2p/go-libp2p-pubsub"
 	ma "github.com/multiformats/go-multiaddr"
+	"golang.org/x/xerrors"
 )
 
+var log = logging.Logger("node")
+
 type API struct {
 	client.LocalStorage
 
@@ -26,6 +31,51 @@ type API struct {
 	PubSub *pubsub.PubSub
 	Mpool  *chain.MessagePool
 	Wallet *chain.Wallet
+	Keystore types.KeyStore
+}
+
+const JWTSecretName = "auth-jwt-private"
+
+type jwtPayload struct {
+	Allow []string
+}
+
+func (a *API) AuthVerify(ctx context.Context, token string) ([]string, error) {
+	key, err := a.Keystore.Get(JWTSecretName)
+	if err != nil {
+		return nil, xerrors.Errorf("couldn't get JWT secret: %w", err)
+	}
+
+	var payload jwtPayload
+	if _, err := jwt.Verify([]byte(token), jwt.NewHS256(key.PrivateKey), &payload); err != nil {
+		return nil, xerrors.Errorf("JWT Verification failed: %w", err)
+	}
+
+	return payload.Allow, nil
+}
+
+func (a *API) AuthNew(ctx context.Context, perms []string) ([]byte, error) {
+	key, err := a.Keystore.Get(JWTSecretName)
+	if err != nil {
+		log.Warn("Generating new API secret")
+
+		key = types.KeyInfo{
+			Type:       "jwt-hmac-secret",
+			PrivateKey: make([]byte, 32),
+		}
+
+		if err := a.Keystore.Put(JWTSecretName, key); err != nil {
+			return nil, xerrors.Errorf("writing API secret: %w", err)
+		}
+
+		// TODO: put cli token in repo
+	}
+
+	p := jwtPayload{
+		Allow: perms, // TODO: consider checking validity
+	}
+
+	return jwt.Sign(&p, jwt.NewHS256(key.PrivateKey))
 }
 
 func (a *API) ChainSubmitBlock(ctx context.Context, blk *chain.BlockMsg) error {

node/builder.go

@@ -72,7 +72,6 @@ const (
 
 	// daemon
 	SetApiEndpointKey
-	ServeRPCKey
 
 	_nInvokes // keep this last
 )