oppi.li
+84
-1
cmd/goat/account.go
+84
-1
cmd/goat/account.go
···
8
8
"time"
9
9
10
10
comatproto "github.com/bluesky-social/indigo/api/atproto"
11
+
"github.com/bluesky-social/indigo/atproto/auth"
12
+
"github.com/bluesky-social/indigo/atproto/crypto"
11
13
"github.com/bluesky-social/indigo/atproto/syntax"
12
14
"github.com/bluesky-social/indigo/xrpc"
13
15
···
89
91
},
90
92
&cli.Command{
91
93
Name: "service-auth",
92
-
Usage: "create service auth token",
94
+
Usage: "ask the PDS to create a service auth token",
93
95
Flags: []cli.Flag{
94
96
&cli.StringFlag{
95
97
Name: "endpoint",
···
109
111
},
110
112
},
111
113
Action: runAccountServiceAuth,
114
+
},
115
+
&cli.Command{
116
+
Name: "service-auth-offline",
117
+
Usage: "create service auth token via locally-held signing key",
118
+
Flags: []cli.Flag{
119
+
&cli.StringFlag{
120
+
Name: "atproto-signing-key",
121
+
Required: true,
122
+
Usage: "private key used to sign the token (multibase syntax)",
123
+
EnvVars: []string{"ATPROTO_SIGNING_KEY"},
124
+
},
125
+
&cli.StringFlag{
126
+
Name: "iss",
127
+
Required: true,
128
+
Usage: "the DID of the account issuing the token",
129
+
},
130
+
&cli.StringFlag{
131
+
Name: "endpoint",
132
+
Aliases: []string{"lxm"},
133
+
Usage: "restrict token to API endpoint (NSID, optional)",
134
+
},
135
+
&cli.StringFlag{
136
+
Name: "audience",
137
+
Aliases: []string{"aud"},
138
+
Required: true,
139
+
Usage: "DID of service that will receive and validate token",
140
+
},
141
+
&cli.IntFlag{
142
+
Name: "duration-sec",
143
+
Value: 60,
144
+
Usage: "validity time window of token (seconds)",
145
+
},
146
+
},
147
+
Action: runAccountServiceAuthOffline,
112
148
},
113
149
&cli.Command{
114
150
Name: "create",
···
365
401
}
366
402
367
403
fmt.Println(resp.Token)
404
+
405
+
return nil
406
+
}
407
+
408
+
func runAccountServiceAuthOffline(cctx *cli.Context) error {
409
+
privStr := cctx.String("atproto-signing-key")
410
+
if privStr == "" {
411
+
return fmt.Errorf("private key must be provided")
412
+
}
413
+
privkey, err := crypto.ParsePrivateMultibase(privStr)
414
+
if err != nil {
415
+
return fmt.Errorf("failed parsing private key: %w", err)
416
+
}
417
+
418
+
issString := cctx.String("iss")
419
+
// TODO: support fragment identifiers
420
+
iss, err := syntax.ParseDID(issString)
421
+
if err != nil {
422
+
return fmt.Errorf("iss argument must be a valid DID: %w", err)
423
+
}
424
+
425
+
lxmString := cctx.String("endpoint")
426
+
var lxm *syntax.NSID = nil
427
+
if lxmString != "" {
428
+
lxmTmp, err := syntax.ParseNSID(lxmString)
429
+
if err != nil {
430
+
return fmt.Errorf("lxm argument must be a valid NSID: %w", err)
431
+
}
432
+
lxm = &lxmTmp
433
+
}
434
+
435
+
aud := cctx.String("audience")
436
+
// TODO: can aud DID have a fragment?
437
+
_, err = syntax.ParseDID(aud)
438
+
if err != nil {
439
+
return fmt.Errorf("aud argument must be a valid DID: %w", err)
440
+
}
441
+
442
+
durSec := cctx.Int("duration-sec")
443
+
duration := time.Duration(durSec * int(time.Second))
444
+
445
+
token, err := auth.SignServiceAuth(iss, aud, duration, lxm, privkey)
446
+
if err != nil {
447
+
return fmt.Errorf("failed signing token: %w", err)
448
+
}
449
+
450
+
fmt.Println(token)
368
451
369
452
return nil
370
453
}