Previously, if we noticed %boon handling had caused a crash, we would
transform any existing %boons into %losts, but still emit a new %boon
for the message we ostensibly crashed on.
Now, we make sure to just directly send a %lost if sending the %boon
caused a crash. We drop the existing-moves transformation entirely,
assuming it to vestigial.
aka "mirage" aka "eyre oauth"
With Eyre now supporting both local identity authentication, and fake
guest identities, the logical next step is to support authentication
with real non-local identities. Here, we implement that, building on top
of the groundwork laid by #6561.
The primary change is adding a %real case to Eyre's $identity type, and
implementing an http<->ames<->ames handshaking protocol into Eyre for
negotiating approval of login attempts made by unauthenticated HTTP
clients.
The authentication flow, where a "visitor" logs into a "~host" as their
own "~client" identity can be described in brief as follows:
1) Visitor makes an HTTP request saying they are ~client.
2) ~host tells ~client, over Ames, about its own public-facing hostname.
3) ~client responds with its own public-facing hostname.
4) ~host forwards the visitor to ~client's eauth page.
5) Visitor, there already logged in as ~client, approves the login
attempt.
6) ~client shares a secret with ~host over Ames, and forwards the
visitor to ~host's eauth page, including the secret in the request.
7) ~host sees that the secrets received over Ames and HTTP match, and
gives the visitor a new session token, identifying them as ~client.
The negotiating of hostnames/URLs via Ames is crucial to keeping this
handshake sequence secure.
Discovering a ship's public-facing hostname happens when successful
local logins are made by reading out the Host header from the request.
Users may hard-code a value to override this.
Each eauth login attempt comes with a unique nonce. Both the host and
client track the lifetime of these. The corresponding Ames flow (which
goes from ~host -> ~client) is corked when the login attempt gets
aborted, or its associated session expires.
The logout functionality has been updated to let clients ask to be
logged out of sessions on other ships.
|pump and |sink call into each other in three places
related to nacks and naxplanations (sending a nack,
notifying the |pump of a naxplanation, or dropping a
nack from the |sink). This intra calls are making implicit
updates to more parts of the state than the core should
manage. To avoid that we emit a move to %arvo, encoded
as an %ames plea, to handle that in the next event.
%spider will send a %yawn task to ames if a thread fails
or stops. if the thread is done, it will delete the scry
from its state without notifying %ames
If the publisher can't produce a case for a given path,
it nacks the plea sent by the requester, that will then
produce a %miss to the vane that initiated the scry
if all=& in |yawn, it will delete all listeners ducts,
without notifying them about it, which seems bad,
so we migh adress that separatedly.
Also, it might be cleaner to have a separate task instead of
a flag, to have two paths for "remove me" and "remove all",
this way there won't be an option for a listener to remove all
others, and that will have to be handled explicitly.
Sending a %pine plea to an old publisher will result in
a crash because it:
- (pre remote-scry) handles only %cork pleas with %$ as the vane
- (pre GRQF) it doesn't handle %$ as the recipient vane
