We weren't handling these at all. Now we make them enter the same
codepath that %done nacks go into: deleting the attempt and maybe
telling the user if we can.
Note that Eyre will not receive %lost for %boons it crashes on until
Previously, if we noticed %boon handling had caused a crash, we would
transform any existing %boons into %losts, but still emit a new %boon
for the message we ostensibly crashed on.
Now, we make sure to just directly send a %lost if sending the %boon
caused a crash. We drop the existing-moves transformation entirely,
assuming it to vestigial.
For the server case, we add tests for http-first finalization, incorrect
eauth tokens, attempt expiration, client abort signalling, and client
deletion requests.
For the client case, we add a test for approving eauth attempts without
being locally authenticated.
To this end, we refactor the layout of the eauth tests. The +eauth core
now contains the tasks/gifts to be handled by the client/server, but no
longer does move checking. This happens within the test arms only. This
way, we may trivially re-run parts of the eauth flow under different
conditions.
This will make it easier to access for tests. The change to its
interface is also nice: in pretty much all scenarios in which we call
it, we already know whether we have redirect deets available to us, so
just provide those as arguments instead of having the function
re-derive.
Brief prompt describing the login attempt's target, properly styled
buttons.
Pulls the CSS code for login pages out into its own arm for cleaner
sharing.
We had naively changed the status code to a 403 "forbidden" response,
which is technically correct, but the "Location" header isn't respected
for that status code, leaving the user with a blank page instead of a
login prompt.
We improve the styling on the login mode switching "tabs", ensure
elements shared between the two modes are visually aligned, do loose
input validation on the name field, and simply don't render the eauth
option at all if the local ship does not yet have an +eauth-url.
aka "mirage" aka "eyre oauth"
With Eyre now supporting both local identity authentication, and fake
guest identities, the logical next step is to support authentication
with real non-local identities. Here, we implement that, building on top
of the groundwork laid by #6561.
The primary change is adding a %real case to Eyre's $identity type, and
implementing an http<->ames<->ames handshaking protocol into Eyre for
negotiating approval of login attempts made by unauthenticated HTTP
clients.
The authentication flow, where a "visitor" logs into a "~host" as their
own "~client" identity can be described in brief as follows:
1) Visitor makes an HTTP request saying they are ~client.
2) ~host tells ~client, over Ames, about its own public-facing hostname.
3) ~client responds with its own public-facing hostname.
4) ~host forwards the visitor to ~client's eauth page.
5) Visitor, there already logged in as ~client, approves the login
attempt.
6) ~client shares a secret with ~host over Ames, and forwards the
visitor to ~host's eauth page, including the secret in the request.
7) ~host sees that the secrets received over Ames and HTTP match, and
gives the visitor a new session token, identifying them as ~client.
The negotiating of hostnames/URLs via Ames is crucial to keeping this
handshake sequence secure.
Discovering a ship's public-facing hostname happens when successful
local logins are made by reading out the Host header from the request.
Users may hard-code a value to override this.
Each eauth login attempt comes with a unique nonce. Both the host and
client track the lifetime of these. The corresponding Ames flow (which
goes from ~host -> ~client) is corked when the login attempt gets
aborted, or its associated session expires.
The logout functionality has been updated to let clients ask to be
logged out of sessions on other ships.
