+read-at-tako was checking for the zero tako, but had the conditional
inverted. Here, we correct the conditional, and fold the
+may-read check into the whole.
This shaves off 1000 lines of testing code while maintaining the same
tests. It reduces boilerplate by introducing "mare", a monad for
testing Eyre. It's very simple (just maintains the current state of
Eyre and the current time), but it's easier to build helper functions in
this form, and that reduces the immense quantities of copy-and-paste
that were in the old tests. What's there now could surely be improved
further, but I think this is a good start.
The underlying mare machinery is not really specific to Eyre, so it
would be straightforward to apply this strategy to other vanes. The
work is in creating appropriate helper functions for each vane. Eyre is
undergoing work, so that's the only one I've changed here. Further,
it's not clear that this is the ultimate solution to unit testing vanes.
The resulting code is IMO clearer than before, but I wouldn't say it's
*clear*.
Unauthenticated requests now also create sessions. This affects most
HTTP request handling tests.
The situation here is not ideal, and worsening over time. Worth spending
some time to think about how to best refactor the Eyre tests to make
them more manageable and easier to maintain.
This condition got incorrectly inverted during 0fee4ce. Of course, the
logic here is still subtly incorrect: if a session gets deleted before
the timer fires, then we set a second one. Unfortunately, we are now
here to fix the bug right now.
Include and render identities associated with requests, channels, and
login sessions. Provide the ability to kick identities and their
sessions, logging them out.
It is no longer guaranteed that the src.bowl for incoming HTTP-related
events is equal to our.bowl. Instead, it will reflect the identity
associated with the request, our or otherwise.
When serving publicly-accessible endpoints, the assertion never made
much sense, but with recent changes actively prevents guests from
accessing the endpoints. Here, we correct all such cases.
%name now returns the identity of the session associated with the
request. %host will always return the @p of the ship *handling* the
request.
The latter becomes especially important for guest sessions, who can only
interact with agents on the local ship, but will still need to specify
who that ship is.
Now that sessions with non-local identities can exist, the host/local
identity should be empowered to forcefully log off any session it hosts.
Additionally, we augment the logout logic with redirect functionality:
it now respects the "redirect" query parameter in the same way the login
page does. Still defaults to redirecting to the login page.
We previously had no mechanism for giving error responses, if a client
submitted an invalid request into a channel. Guest access makes this
important, because guests cannot interact with remote ships. Attempting
to do so will cause a gall crash.
Here, we add error handling logic to channel request processing. We
catch the invalid cases described above and invalidate the entire batch
of channel requests if they occur. We make sure to drop the moves and
revert the state we changed, and give a 400 to the client that
informally describes the problem(s).
aka "the open eyre" aka "universal basic identity"
Urbit already supports presence on the clearnet, but fails to expose any
of its interactive affordances to unauthenticated users. Here, we
improve this situation by granting "guest identity" @ps to every
unauthenticated HTTP request, and extending the channels functionality
to them.
Sessions no longer represent only the local identity. Instead, each
session has either the local identity, or a fake guest identity
associated with it.
Every request that does not provide a session key/cookie gets assigned
a fresh one with a guest identity on the spot. As a result, every
single request has an identity associated with it.
The identity of a request gets propagated into userspace, if the request
ends up there.
For normal HTTP requests, this means the src.bowl gets set to that
identity for both the watch and poke of the request. For backwards
compatibility, the authenticated flag on the request noun gets set at
normal: only true if the request came from the local identity.
For channel requests, this means the src.bowl gets set to that identity
for any pokes and watches it sends, and it can only send those to agents
running on the local ship.
The scry endpoint remains unchanged in its behavior: only available to
the local identity.
Notable implementation detail changes in this diff include:
- Factored all gall interactions out into +deal-as.
- Sessions no longer represent exclusively the local identity. This
matters a lot to +give-session-tokens, %code-changed, and logout
handling.
- Session management got factored out into explicit +start-session and
+close-session arms.
Previously, if an incoming request caused a crash, we would just drop it
on the floor. We should at least have the decency to serve the client a
quick 500 and let them get on with their day.
We make sure not to touch state here. The connection is guaranteed-fresh
because of the task's semantics, and we're handling it in-line in one go.
Notably we only give a simple "crud!" for the body, instead of the full
error trace. We don't know whether the request is authenticated or not
(and who knows if checking was the cause of the crash!), and the crud
might leak sensitive details about the ship it occurred on. For the
owner, the trace still gets printed into the terminal.
