diff options
| author | Owen Jacobson <owen@grimoire.ca> | 2025-08-30 00:50:24 -0400 |
|---|---|---|
| committer | Owen Jacobson <owen@grimoire.ca> | 2025-08-30 01:58:22 -0400 |
| commit | 3bd63e20777126216777b392615dc8144f21bb9a (patch) | |
| tree | 678aeea801a84d61943a15048986e58badae8e49 | |
| parent | 342d4720576369f83d88b0dbde6ca5d58aebd252 (diff) | |
Generate, store, and deliver a VAPID key.
VAPID is used to authenticate applications to push brokers, as part of the [Web Push] specification. It's notionally optional, but we believe [Apple requires it][apple], and in any case making it impossible to use subscription URLs without the corresponding private key available, and thus harder to impersonate the server, seems like a good security practice regardless.
[Web Push]: https://developer.mozilla.org/en-US/docs/Web/API/Push_API
[apple]: https://developer.apple.com/documentation/usernotifications/sending-web-push-notifications-in-web-apps-and-browsers
There are several implementations of VAPID for Rust:
* [web_push](https://docs.rs/web-push/latest/web_push/) includes an implementation of VAPID but requires callers to provision their own keys. We will likely use this crate for Web Push fulfilment, but we cannot use it for key generation.
* [vapid](https://docs.rs/vapid/latest/vapid/) includes an implementation of VAPID key generation. It delegates to `openssl` to handle cryptographic operations.
* [p256](https://docs.rs/p256/latest/p256/) implements NIST P-256 in Rust. It's maintained by the RustCrypto team, though as of this writing it is largely written by a single contributor. It isn't specifically designed for use with VAPID.
I opted to use p256 for this, as I believe the RustCrypto team are the most likely to produce a correct and secure implementation, and because openssl has consistently left a bad taste in my mouth for years. Because it's a general implementation of the algorithm, I expect that it will require more work for us to adapt it for use with VAPID specifically; I'm willing to chance it and we can swap it out for the vapid crate if it sucks.
This has left me with one area of uncertainty: I'm not actually sure I'm using the right parts of p256. The choice of `ecdsa::SigningKey` over `p256::SecretKey` is based on [the MDN docs] using phrases like "This value is part of a signing key pair generated by your application server, and usable with elliptic curve digital signature (ECDSA), over the P-256 curve." and on [RFC 8292]'s "The 'k' parameter includes an ECDSA public key in uncompressed form that is encoded using base64url encoding. However, we won't be able to test my implementation until we implement some other key parts of Web Push, which are out of scope of this commit.
[the MDN docs]: https://developer.mozilla.org/en-US/docs/Web/API/PushSubscription/options
[RFC 8292]: https://datatracker.ietf.org/doc/html/rfc8292#section-3.2
Following the design used for storing logins and users, VAPID keys are split into a non-synchronized part (consisting of the private key), whose exposure would allow others to impersonate the Pilcrow server, and a synchronized part (consisting of event coordinates and, notionally, the public key), which is non-sensitive and can be safely shared with any user. However, the public key is derived from the stored private key, rather than being stored directly, to minimize redundancy in the stored data.
Following the design used for expiring stale entities, the app checks for and creates, or rotates, its VAPID key using middleware that runs before most API requests. If, at that point, the key is either absent, or more than 30 days old, it is replaced. This imposes a small tax on API request latency, which is used to fund prompt and automatic key rotation without the need for an operator-facing key management interface.
VAPID keys are delivered to clients via the event stream, as laid out in `docs/api/events.md`. There are a few reasons for this, but the big one is that changing the VAPID key would immediately invalidate push subscriptions: we throw away the private key, so we wouldn't be able to publish to them any longer. Clients must replace their push subscriptions in order to resume delivery, and doing so promptly when notified that the key has changed will minimize the gap.
This design is intended to allow for manual key rotation. The key can be rotated "immedately" by emptying the `vapid_key` and `vapid_signing_key` tables (which destroys the rotated kye); the server will generate a new one before it is needed, and will notify clients that the key has been invalidated.
This change includes client support for tracking the current VAPID key. The client doesn't _use_ this information anywhere, yet, but it has it.
27 files changed, 906 insertions, 3 deletions
diff --git a/.sqlx/query-3f1bf6aaceb140ae03262bed1fb39fb9cb5e89b67861fb384e6238eb9553e6e7.json b/.sqlx/query-3f1bf6aaceb140ae03262bed1fb39fb9cb5e89b67861fb384e6238eb9553e6e7.json new file mode 100644 index 0000000..ad505b5 --- /dev/null +++ b/.sqlx/query-3f1bf6aaceb140ae03262bed1fb39fb9cb5e89b67861fb384e6238eb9553e6e7.json @@ -0,0 +1,12 @@ +{ + "db_name": "SQLite", + "query": "\n delete from vapid_signing_key\n ", + "describe": { + "columns": [], + "parameters": { + "Right": 0 + }, + "nullable": [] + }, + "hash": "3f1bf6aaceb140ae03262bed1fb39fb9cb5e89b67861fb384e6238eb9553e6e7" +} diff --git a/.sqlx/query-cf9bc5c02ff22b98b8eec670070aeaf22811cf4e1527624c615a88eb29e6c9df.json b/.sqlx/query-cf9bc5c02ff22b98b8eec670070aeaf22811cf4e1527624c615a88eb29e6c9df.json new file mode 100644 index 0000000..ca62f63 --- /dev/null +++ b/.sqlx/query-cf9bc5c02ff22b98b8eec670070aeaf22811cf4e1527624c615a88eb29e6c9df.json @@ -0,0 +1,12 @@ +{ + "db_name": "SQLite", + "query": "\n delete from vapid_key\n ", + "describe": { + "columns": [], + "parameters": { + "Right": 0 + }, + "nullable": [] + }, + "hash": "cf9bc5c02ff22b98b8eec670070aeaf22811cf4e1527624c615a88eb29e6c9df" +} diff --git a/.sqlx/query-edd16f1507f3b40270d652c7c204a4b9a518af418cc7e7fce9a6f0a106a6d66e.json b/.sqlx/query-edd16f1507f3b40270d652c7c204a4b9a518af418cc7e7fce9a6f0a106a6d66e.json new file mode 100644 index 0000000..2481fa9 --- /dev/null +++ b/.sqlx/query-edd16f1507f3b40270d652c7c204a4b9a518af418cc7e7fce9a6f0a106a6d66e.json @@ -0,0 +1,32 @@ +{ + "db_name": "SQLite", + "query": "\n select\n key.changed_at as \"changed_at: DateTime\",\n key.changed_sequence as \"changed_sequence: Sequence\",\n signing.key as \"key: Vec<u8>\"\n from vapid_key as key\n join vapid_signing_key as signing\n ", + "describe": { + "columns": [ + { + "name": "changed_at: DateTime", + "ordinal": 0, + "type_info": "Text" + }, + { + "name": "changed_sequence: Sequence", + "ordinal": 1, + "type_info": "Integer" + }, + { + "name": "key: Vec<u8>", + "ordinal": 2, + "type_info": "Blob" + } + ], + "parameters": { + "Right": 0 + }, + "nullable": [ + false, + false, + false + ] + }, + "hash": "edd16f1507f3b40270d652c7c204a4b9a518af418cc7e7fce9a6f0a106a6d66e" +} diff --git a/.sqlx/query-f2218170662ff7450a9a9b18b38e92d740f4f715f39944774a9e8392e0267123.json b/.sqlx/query-f2218170662ff7450a9a9b18b38e92d740f4f715f39944774a9e8392e0267123.json new file mode 100644 index 0000000..a5880c1 --- /dev/null +++ b/.sqlx/query-f2218170662ff7450a9a9b18b38e92d740f4f715f39944774a9e8392e0267123.json @@ -0,0 +1,12 @@ +{ + "db_name": "SQLite", + "query": "\n insert into vapid_key (changed_at, changed_sequence)\n values ($1, $2)\n ", + "describe": { + "columns": [], + "parameters": { + "Right": 2 + }, + "nullable": [] + }, + "hash": "f2218170662ff7450a9a9b18b38e92d740f4f715f39944774a9e8392e0267123" +} diff --git a/.sqlx/query-f31071e0c069c2e33b3e44fc2524d2b93ff8af35c4978a467a1c7b1331750cac.json b/.sqlx/query-f31071e0c069c2e33b3e44fc2524d2b93ff8af35c4978a467a1c7b1331750cac.json new file mode 100644 index 0000000..6827441 --- /dev/null +++ b/.sqlx/query-f31071e0c069c2e33b3e44fc2524d2b93ff8af35c4978a467a1c7b1331750cac.json @@ -0,0 +1,12 @@ +{ + "db_name": "SQLite", + "query": "\n insert into vapid_signing_key (key)\n values ($1)\n ", + "describe": { + "columns": [], + "parameters": { + "Right": 1 + }, + "nullable": [] + }, + "hash": "f31071e0c069c2e33b3e44fc2524d2b93ff8af35c4978a467a1c7b1331750cac" +} @@ -223,6 +223,12 @@ dependencies = [ ] [[package]] +name = "base16ct" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf" + +[[package]] name = "base64" version = "0.21.7" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -439,6 +445,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" [[package]] +name = "crypto-bigint" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76" +dependencies = [ + "generic-array", + "rand_core", + "subtle", + "zeroize", +] + +[[package]] name = "crypto-common" version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -567,6 +585,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555" [[package]] +name = "ecdsa" +version = "0.16.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca" +dependencies = [ + "der", + "digest", + "elliptic-curve", + "rfc6979", + "signature", + "spki", +] + +[[package]] name = "either" version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -576,6 +608,26 @@ dependencies = [ ] [[package]] +name = "elliptic-curve" +version = "0.13.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47" +dependencies = [ + "base16ct", + "crypto-bigint", + "digest", + "ff", + "generic-array", + "group", + "pem-rfc7468", + "pkcs8", + "rand_core", + "sec1", + "subtle", + "zeroize", +] + +[[package]] name = "equivalent" version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -643,6 +695,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be" [[package]] +name = "ff" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393" +dependencies = [ + "rand_core", + "subtle", +] + +[[package]] name = "flume" version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -782,6 +844,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" dependencies = [ "typenum", "version_check", + "zeroize", ] [[package]] @@ -814,6 +877,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f" [[package]] +name = "group" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" +dependencies = [ + "ff", + "rand_core", + "subtle", +] + +[[package]] name = "hashbrown" version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1433,6 +1507,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" [[package]] +name = "p256" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b" +dependencies = [ + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2", +] + +[[package]] name = "parking" version = "2.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1494,6 +1580,7 @@ dependencies = [ "argon2", "axum", "axum-extra", + "base64 0.22.1", "chrono", "clap", "faker_rand", @@ -1503,6 +1590,7 @@ dependencies = [ "itertools", "mime", "nix", + "p256", "password-hash", "pin-project", "rand", @@ -1599,6 +1687,15 @@ dependencies = [ ] [[package]] +name = "primeorder" +version = "0.13.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6" +dependencies = [ + "elliptic-curve", +] + +[[package]] name = "proc-macro2" version = "1.0.93" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1687,6 +1784,16 @@ dependencies = [ ] [[package]] +name = "rfc6979" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2" +dependencies = [ + "hmac", + "subtle", +] + +[[package]] name = "rsa" version = "0.9.7" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1826,6 +1933,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] +name = "sec1" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc" +dependencies = [ + "base16ct", + "der", + "generic-array", + "pkcs8", + "subtle", + "zeroize", +] + +[[package]] name = "serde" version = "1.0.217" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -25,6 +25,7 @@ assets = [ argon2 = "0.5.3" axum = { version = "0.8.1", features = ["form"] } axum-extra = { version = "0.10.0", features = ["cookie", "query", "typed-header"] } +base64 = "0.22.1" chrono = { version = "0.4.39", features = ["serde"] } clap = { version = "4.5.30", features = ["derive", "env"] } futures = "0.3.31" @@ -33,6 +34,7 @@ hex-literal = "0.4.1" itertools = "0.14.0" mime = "0.3.17" nix = { version = "0.30.1", features = ["fs"] } +p256 = { version = "0.13.2", features = ["ecdsa"] } password-hash = { version = "0.5.0", features = ["std"] } rand = "0.8.5" rand_core = { version = "0.6.4", features = ["getrandom"] } diff --git a/docs/api/events.md b/docs/api/events.md index e692f82..9db4613 100644 --- a/docs/api/events.md +++ b/docs/api/events.md @@ -237,3 +237,33 @@ These events have the `event` field set to `"deleted"`. They include the followi | :---- | :-------- | :---------------------------------- | | `at` | timestamp | The moment the message was deleted. | | `id` | string | The deleted message's ID. | + +## VAPID key events + +The following events describe changes to Pilcrow's [VAPID key](https://developer.mozilla.org/en-US/docs/Web/API/PushManager/subscribe#applicationserverkey). + +These events have the `type` field set to `"vapid"`. + +### VAPID key changed + +```json +{ + "type": "vapid", + "event": "changed", + "at": "2025-08-30T05:44:58.100206Z", + "key": "BKILjh0SzTiHOZ5P_sfduv-iqtOg_S18nR7ePcjnDivJaOY6nOG1L3OmvjXjNnthlRDdVnawl1_owfdPCvmDt5U=" +} +``` + +Sent whenever the server's VAPID key changes. + +These events have the `event` field set to `"changed"`. They include the following additional fields: + +| Field | Type | Description | +| :---- | :-------- | :----------------------------------------------------------------------------------------------- | +| `at` | timestamp | The moment the key was changed. | +| `key` | string | A URL-safe Base64 encoding of the VAPID public key, usable to create new Web Push subscriptions. | + +The server may change its VAPID key at any time, and will do so periodically to manage the risk of the private key being leaked. When the key is changed, old keys are immediately destroyed, and the corresponding change events are removed from the event stream. + +Clients must use the most recent VAPID key when creating Web Push subscriptions. If the key changes, clients must invalidate or recreate existing subscriptions - the previous key is no longer valid and will no longer be used, and push subscriptions using that key will not be fulfilled. diff --git a/migrations/20250829220738_vapid_keys.sql b/migrations/20250829220738_vapid_keys.sql new file mode 100644 index 0000000..64f4295 --- /dev/null +++ b/migrations/20250829220738_vapid_keys.sql @@ -0,0 +1,17 @@ +create table vapid_signing_key ( + key blob + not null +); + +create unique index vapid_signing_key_singleton + on vapid_signing_key (0); + +create table vapid_key ( + changed_at text + not null, + changed_sequence bigint + not null +); + +create unique index vapid_key_singleton + on vapid_key (0); @@ -11,6 +11,7 @@ use crate::{ message::app::Messages, setup::app::Setup, token::{self, app::Tokens}, + vapid::app::Vapid, }; #[derive(Clone)] @@ -69,4 +70,8 @@ impl App { pub const fn users(&self) -> Users<'_> { Users::new(&self.db, &self.events) } + + pub const fn vapid(&self) -> Vapid<'_> { + Vapid::new(&self.db, &self.events) + } } diff --git a/src/boot/app.rs b/src/boot/app.rs index 0ed5d1b..543429f 100644 --- a/src/boot/app.rs +++ b/src/boot/app.rs @@ -4,10 +4,12 @@ use sqlx::sqlite::SqlitePool; use super::Snapshot; use crate::{ conversation::{self, repo::Provider as _}, + db::NotFound, event::{Event, Sequence, repo::Provider as _}, message::{self, repo::Provider as _}, name, user::{self, repo::Provider as _}, + vapid::{self, repo::Provider as _}, }; pub struct Boot<'a> { @@ -26,6 +28,7 @@ impl<'a> Boot<'a> { let users = tx.users().all(resume_point).await?; let conversations = tx.conversations().all(resume_point).await?; let messages = tx.messages().all(resume_point).await?; + let vapid = tx.vapid().current().await.optional()?; tx.commit().await?; @@ -50,9 +53,16 @@ impl<'a> Boot<'a> { .filter(Sequence::up_to(resume_point)) .map(Event::from); + let vapid_events = vapid + .iter() + .flat_map(vapid::History::events) + .filter(Sequence::up_to(resume_point)) + .map(Event::from); + let events = user_events .merge_by(conversation_events, Sequence::merge) .merge_by(message_events, Sequence::merge) + .merge_by(vapid_events, Sequence::merge) .collect(); Ok(Snapshot { @@ -65,8 +75,9 @@ impl<'a> Boot<'a> { #[derive(Debug, thiserror::Error)] #[error(transparent)] pub enum Error { - Name(#[from] name::Error), Database(#[from] sqlx::Error), + Name(#[from] name::Error), + Ecdsa(#[from] p256::ecdsa::Error), } impl From<user::repo::LoadError> for Error { @@ -88,3 +99,13 @@ impl From<conversation::repo::LoadError> for Error { } } } + +impl From<vapid::repo::Error> for Error { + fn from(error: vapid::repo::Error) -> Self { + use vapid::repo::Error; + match error { + Error::Database(error) => error.into(), + Error::Ecdsa(error) => error.into(), + } + } +} diff --git a/src/boot/handlers/boot/test.rs b/src/boot/handlers/boot/test.rs index cb50442..3c09b0f 100644 --- a/src/boot/handlers/boot/test.rs +++ b/src/boot/handlers/boot/test.rs @@ -81,6 +81,74 @@ async fn includes_messages() { } #[tokio::test] +async fn includes_vapid_key() { + let app = fixtures::scratch_app().await; + + app.vapid() + .refresh_key(&fixtures::now()) + .await + .expect("key rotation always succeeds"); + + let viewer = fixtures::identity::fictitious(); + let response = super::handler(State(app), viewer) + .await + .expect("boot always succeeds"); + + response + .snapshot + .events + .into_iter() + .filter_map(fixtures::event::vapid) + .filter_map(fixtures::event::vapid::changed) + .exactly_one() + .expect("only one vapid key has been created"); +} + +#[tokio::test] +async fn includes_only_latest_vapid_key() { + let app = fixtures::scratch_app().await; + + app.vapid() + .refresh_key(&fixtures::ancient()) + .await + .expect("key rotation always succeeds"); + + let viewer = fixtures::identity::fictitious(); + let response = super::handler(State(app.clone()), viewer.clone()) + .await + .expect("boot always succeeds"); + + let original_key = response + .snapshot + .events + .into_iter() + .filter_map(fixtures::event::vapid) + .filter_map(fixtures::event::vapid::changed) + .exactly_one() + .expect("only one vapid key has been created"); + + app.vapid() + .refresh_key(&fixtures::now()) + .await + .expect("key rotation always succeeds"); + + let response = super::handler(State(app), viewer) + .await + .expect("boot always succeeds"); + + let rotated_key = response + .snapshot + .events + .into_iter() + .filter_map(fixtures::event::vapid) + .filter_map(fixtures::event::vapid::changed) + .exactly_one() + .expect("only one vapid key should be returned"); + + assert_ne!(original_key, rotated_key); +} + +#[tokio::test] async fn includes_expired_messages() { let app = fixtures::scratch_app().await; let sender = fixtures::user::create(&app, &fixtures::ancient()).await; diff --git a/src/event/app.rs b/src/event/app.rs index 7359bfb..fe90465 100644 --- a/src/event/app.rs +++ b/src/event/app.rs @@ -8,9 +8,12 @@ use sqlx::sqlite::SqlitePool; use super::{Event, Sequence, Sequenced, broadcaster::Broadcaster}; use crate::{ conversation::{self, repo::Provider as _}, + db::NotFound, message::{self, repo::Provider as _}, name, user::{self, repo::Provider as _}, + vapid, + vapid::repo::Provider as _, }; pub struct Events<'a> { @@ -57,9 +60,17 @@ impl<'a> Events<'a> { .filter(Sequence::after(resume_at)) .map(Event::from); + let vapid = tx.vapid().current().await.optional()?; + let vapid_events = vapid + .iter() + .flat_map(vapid::History::events) + .filter(Sequence::after(resume_at)) + .map(Event::from); + let replay_events = user_events .merge_by(conversation_events, Sequence::merge) .merge_by(message_events, Sequence::merge) + .merge_by(vapid_events, Sequence::merge) .collect::<Vec<_>>(); let resume_live_at = replay_events.last().map_or(resume_at, Sequenced::sequence); @@ -86,6 +97,7 @@ impl<'a> Events<'a> { pub enum Error { Database(#[from] sqlx::Error), Name(#[from] name::Error), + Ecdsa(#[from] p256::ecdsa::Error), } impl From<user::repo::LoadError> for Error { @@ -107,3 +119,13 @@ impl From<conversation::repo::LoadError> for Error { } } } + +impl From<vapid::repo::Error> for Error { + fn from(error: vapid::repo::Error) -> Self { + use vapid::repo::Error; + match error { + Error::Database(error) => error.into(), + Error::Ecdsa(error) => error.into(), + } + } +} diff --git a/src/event/handlers/stream/test/mod.rs b/src/event/handlers/stream/test/mod.rs index 3bc634f..c3a6ce6 100644 --- a/src/event/handlers/stream/test/mod.rs +++ b/src/event/handlers/stream/test/mod.rs @@ -4,5 +4,6 @@ mod message; mod resume; mod setup; mod token; +mod vapid; use super::{QueryParams, Response, handler}; diff --git a/src/event/handlers/stream/test/vapid.rs b/src/event/handlers/stream/test/vapid.rs new file mode 100644 index 0000000..dbc3929 --- /dev/null +++ b/src/event/handlers/stream/test/vapid.rs @@ -0,0 +1,111 @@ +use axum::extract::State; +use axum_extra::extract::Query; +use futures::StreamExt as _; + +use crate::test::{fixtures, fixtures::future::Expect as _}; + +#[tokio::test] +async fn live_vapid_key_changes() { + // Set up the context + let app = fixtures::scratch_app().await; + let resume_point = fixtures::boot::resume_point(&app).await; + + // Subscribe to events + + let subscriber = fixtures::identity::create(&app, &fixtures::now()).await; + let super::Response(events) = super::handler( + State(app.clone()), + subscriber, + None, + Query(super::QueryParams { resume_point }), + ) + .await + .expect("subscribe never fails"); + + // Rotate the VAPID key + + app.vapid() + .refresh_key(&fixtures::now()) + .await + .expect("refreshing the vapid key always succeeds"); + + // Verify that there's a key rotation event + + events + .filter_map(fixtures::event::stream::vapid) + .filter_map(fixtures::event::stream::vapid::changed) + .next() + .expect_some("a vapid key change event is sent") + .await; +} + +#[tokio::test] +async fn stored_vapid_key_changes() { + // Set up the context + let app = fixtures::scratch_app().await; + let resume_point = fixtures::boot::resume_point(&app).await; + + // Rotate the VAPID key + + app.vapid() + .refresh_key(&fixtures::now()) + .await + .expect("refreshing the vapid key always succeeds"); + + // Subscribe to events + + let subscriber = fixtures::identity::create(&app, &fixtures::now()).await; + let super::Response(events) = super::handler( + State(app.clone()), + subscriber, + None, + Query(super::QueryParams { resume_point }), + ) + .await + .expect("subscribe never fails"); + + // Verify that there's a key rotation event + + events + .filter_map(fixtures::event::stream::vapid) + .filter_map(fixtures::event::stream::vapid::changed) + .next() + .expect_some("a vapid key change event is sent") + .await; +} + +#[tokio::test] +async fn no_past_vapid_key_changes() { + // Set up the context + let app = fixtures::scratch_app().await; + + // Rotate the VAPID key + + app.vapid() + .refresh_key(&fixtures::now()) + .await + .expect("refreshing the vapid key always succeeds"); + + // Subscribe to events + + let resume_point = fixtures::boot::resume_point(&app).await; + + let subscriber = fixtures::identity::create(&app, &fixtures::now()).await; + let super::Response(events) = super::handler( + State(app.clone()), + subscriber, + None, + Query(super::QueryParams { resume_point }), + ) + .await + .expect("subscribe never fails"); + + // Verify that there's a key rotation event + + events + .filter_map(fixtures::event::stream::vapid) + .filter_map(fixtures::event::stream::vapid::changed) + .next() + .expect_wait("a vapid key change event is not sent") + .await; +} diff --git a/src/event/mod.rs b/src/event/mod.rs index f41dc9c..83b0ce7 100644 --- a/src/event/mod.rs +++ b/src/event/mod.rs @@ -2,7 +2,7 @@ use std::time::Duration; use axum::response::sse::{self, KeepAlive}; -use crate::{conversation, message, user}; +use crate::{conversation, message, user, vapid}; pub mod app; mod broadcaster; @@ -22,6 +22,7 @@ pub enum Event { User(user::Event), Conversation(conversation::Event), Message(message::Event), + Vapid(vapid::Event), } // Serialized representation is intended to look like the serialized representation of `Event`, @@ -40,6 +41,7 @@ impl Sequenced for Event { Self::User(event) => event.instant(), Self::Conversation(event) => event.instant(), Self::Message(event) => event.instant(), + Self::Vapid(event) => event.instant(), } } } @@ -62,6 +64,12 @@ impl From<message::Event> for Event { } } +impl From<vapid::Event> for Event { + fn from(event: vapid::Event) -> Self { + Self::Vapid(event) + } +} + impl Heartbeat { // The following values are a first-rough-guess attempt to balance noticing connection problems // quickly with managing the (modest) costs of delivering and processing heartbeats. Feel @@ -28,3 +28,4 @@ mod token; mod ui; mod umask; mod user; +mod vapid; diff --git a/src/routes.rs b/src/routes.rs index b848afb..2979abe 100644 --- a/src/routes.rs +++ b/src/routes.rs @@ -4,7 +4,9 @@ use axum::{ routing::{delete, get, post}, }; -use crate::{app::App, boot, conversation, event, expire, invite, login, message, setup, ui}; +use crate::{ + app::App, boot, conversation, event, expire, invite, login, message, setup, ui, vapid, +}; pub fn routes(app: &App) -> Router<App> { // UI routes that can be accessed before the administrator completes setup. @@ -56,6 +58,10 @@ pub fn routes(app: &App) -> Router<App> { app.clone(), expire::middleware, )) + .route_layer(middleware::from_fn_with_state( + app.clone(), + vapid::middleware, + )) .route_layer(setup::Required(app.clone())); [ diff --git a/src/test/fixtures/event/mod.rs b/src/test/fixtures/event/mod.rs index 08b17e7..f8651ba 100644 --- a/src/test/fixtures/event/mod.rs +++ b/src/test/fixtures/event/mod.rs @@ -23,6 +23,13 @@ pub fn user(event: Event) -> Option<crate::user::Event> { } } +pub fn vapid(event: Event) -> Option<crate::vapid::Event> { + match event { + Event::Vapid(event) => Some(event), + _ => None, + } +} + pub mod conversation { use crate::conversation::{Event, event}; @@ -72,3 +79,17 @@ pub mod user { } } } + +pub mod vapid { + use crate::vapid::{Event, event}; + + // This could be defined as `-> event::Changed`. However, I want the interface to be consistent + // with the event stream transformers for other types, and we'd have to refactor the return type + // to `-> Option<event::Changed>` the instant VAPID keys sprout a second event. + #[allow(clippy::unnecessary_wraps)] + pub fn changed(event: Event) -> Option<event::Changed> { + match event { + Event::Changed(changed) => Some(changed), + } + } +} diff --git a/src/test/fixtures/event/stream.rs b/src/test/fixtures/event/stream.rs index 5b3621d..bb83d0d 100644 --- a/src/test/fixtures/event/stream.rs +++ b/src/test/fixtures/event/stream.rs @@ -14,6 +14,10 @@ pub fn user(event: Event) -> Ready<Option<crate::user::Event>> { future::ready(event::user(event)) } +pub fn vapid(event: Event) -> Ready<Option<crate::vapid::Event>> { + future::ready(event::vapid(event)) +} + pub mod conversation { use std::future::{self, Ready}; @@ -60,3 +64,16 @@ pub mod user { future::ready(user::created(event)) } } + +pub mod vapid { + use std::future::{self, Ready}; + + use crate::{ + test::fixtures::event::vapid, + vapid::{Event, event}, + }; + + pub fn changed(event: Event) -> Ready<Option<event::Changed>> { + future::ready(vapid::changed(event)) + } +} diff --git a/src/vapid/app.rs b/src/vapid/app.rs new file mode 100644 index 0000000..8886c9f --- /dev/null +++ b/src/vapid/app.rs @@ -0,0 +1,89 @@ +use chrono::TimeDelta; +use sqlx::SqlitePool; + +use super::{History, repo, repo::Provider as _}; +use crate::{ + clock::DateTime, + db::NotFound as _, + event::{Broadcaster, Sequence, repo::Provider}, +}; + +pub struct Vapid<'a> { + db: &'a SqlitePool, + events: &'a Broadcaster, +} + +impl<'a> Vapid<'a> { + pub const fn new(db: &'a SqlitePool, events: &'a Broadcaster) -> Self { + Self { db, events } + } + + pub async fn refresh_key(&self, ensure_at: &DateTime) -> Result<(), Error> { + let mut tx = self.db.begin().await?; + let key = tx.vapid().current().await.optional()?; + if key.is_none() { + let changed_at = tx.sequence().next(ensure_at).await?; + let (key, secret) = History::begin(&changed_at); + + tx.vapid().clear().await?; + tx.vapid().store_signing_key(&secret).await?; + + let events = key.events().filter(Sequence::start_from(changed_at)); + tx.vapid().record_events(events.clone()).await?; + + tx.commit().await?; + + self.events.broadcast_from(events); + } else if let Some(key) = key + // Somewhat arbitrarily, rotate keys every 30 days. + && key.older_than(ensure_at.to_owned() - TimeDelta::days(30)) + { + // If you can think of a way to factor out this duplication, be my guest. I tried. + // The only approach I could think of mirrors `crate::user::create::Create`, encoding + // the process in a state machine made of types, and that's a very complex solution + // to a problem that doesn't seem to merit it. -o + let changed_at = tx.sequence().next(ensure_at).await?; + let (key, secret) = key.rotate(&changed_at); + + tx.vapid().clear().await?; + tx.vapid().store_signing_key(&secret).await?; + + // Refactoring constraint: this `events` iterator borrows `key`. Anything that moves + // `key` has to give it back, but it can't give both `key` back and an event iterator + // borrowing from `key` because Rust doesn't support types that borrow from other + // parts of themselves. + let events = key.events().filter(Sequence::start_from(changed_at)); + tx.vapid().record_events(events.clone()).await?; + + // Refactoring constraint: we _really_ want to commit the transaction before we send + // out events, so that anything acting on those events is guaranteed to see the state + // of the service at some point at or after the side effects of this. I'd also prefer + // to keep the commit in the same method that the transaction is begun in, for clarity. + tx.commit().await?; + + self.events.broadcast_from(events); + } + // else, the key exists and is not stale. Don't bother allocating a sequence number, and + // in fact throw away the whole transaction. + + Ok(()) + } +} + +#[derive(Debug, thiserror::Error)] +pub enum Error { + #[error(transparent)] + Database(#[from] sqlx::Error), + #[error(transparent)] + Ecdsa(#[from] p256::ecdsa::Error), +} + +impl From<repo::Error> for Error { + fn from(error: repo::Error) -> Self { + use repo::Error; + match error { + Error::Database(error) => error.into(), + Error::Ecdsa(error) => error.into(), + } + } +} diff --git a/src/vapid/event.rs b/src/vapid/event.rs new file mode 100644 index 0000000..af70ac2 --- /dev/null +++ b/src/vapid/event.rs @@ -0,0 +1,48 @@ +use base64::{Engine, engine::general_purpose::URL_SAFE}; +use p256::ecdsa::VerifyingKey; +use serde::Serialize; + +use crate::event::{Instant, Sequenced}; + +#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize)] +#[serde(tag = "event", rename_all = "snake_case")] +pub enum Event { + Changed(Changed), +} + +impl Sequenced for Event { + fn instant(&self) -> Instant { + match self { + Self::Changed(event) => event.instant(), + } + } +} + +#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize)] +pub struct Changed { + #[serde(flatten)] + pub instant: Instant, + #[serde(serialize_with = "as_vapid_key")] + pub key: VerifyingKey, +} + +impl From<Changed> for Event { + fn from(event: Changed) -> Self { + Self::Changed(event) + } +} + +impl Sequenced for Changed { + fn instant(&self) -> Instant { + self.instant + } +} + +fn as_vapid_key<S>(key: &VerifyingKey, serializer: S) -> Result<S::Ok, S::Error> +where + S: serde::Serializer, +{ + let key = key.to_sec1_bytes(); + let key = URL_SAFE.encode(key); + key.serialize(serializer) +} diff --git a/src/vapid/history.rs b/src/vapid/history.rs new file mode 100644 index 0000000..42f062b --- /dev/null +++ b/src/vapid/history.rs @@ -0,0 +1,55 @@ +use p256::ecdsa::{SigningKey, VerifyingKey}; +use rand::thread_rng; + +use super::event::{Changed, Event}; +use crate::{clock::DateTime, event::Instant}; + +#[derive(Debug)] +pub struct History { + pub key: VerifyingKey, + pub changed: Instant, +} + +// Lifecycle interface +impl History { + pub fn begin(changed: &Instant) -> (Self, SigningKey) { + let key = SigningKey::random(&mut thread_rng()); + ( + Self { + key: VerifyingKey::from(&key), + changed: *changed, + }, + key, + ) + } + + // `self` _is_ unused here, clippy is right about that. This choice is deliberate, however - it + // makes it harder to inadvertently reuse a rotated key via its history, and it makes the + // lifecycle interface more obviously consistent between this and other History types. + #[allow(clippy::unused_self)] + pub fn rotate(self, changed: &Instant) -> (Self, SigningKey) { + Self::begin(changed) + } +} + +// State interface +impl History { + pub fn older_than(&self, when: DateTime) -> bool { + self.changed.at < when + } +} + +// Events interface +impl History { + pub fn events(&self) -> impl Iterator<Item = Event> + Clone { + [self.changed()].into_iter() + } + + fn changed(&self) -> Event { + Changed { + key: self.key, + instant: self.changed, + } + .into() + } +} diff --git a/src/vapid/middleware.rs b/src/vapid/middleware.rs new file mode 100644 index 0000000..02951ba --- /dev/null +++ b/src/vapid/middleware.rs @@ -0,0 +1,17 @@ +use axum::{ + extract::{Request, State}, + middleware::Next, + response::Response, +}; + +use crate::{app::App, clock::RequestedAt, error::Internal}; + +pub async fn middleware( + State(app): State<App>, + RequestedAt(now): RequestedAt, + request: Request, + next: Next, +) -> Result<Response, Internal> { + app.vapid().refresh_key(&now).await?; + Ok(next.run(request).await) +} diff --git a/src/vapid/mod.rs b/src/vapid/mod.rs new file mode 100644 index 0000000..9798654 --- /dev/null +++ b/src/vapid/mod.rs @@ -0,0 +1,9 @@ +pub mod app; +pub mod event; +mod history; +mod middleware; +pub mod repo; + +pub use event::Event; +pub use history::History; +pub use middleware::middleware; diff --git a/src/vapid/repo.rs b/src/vapid/repo.rs new file mode 100644 index 0000000..4ac5286 --- /dev/null +++ b/src/vapid/repo.rs @@ -0,0 +1,139 @@ +use p256::{NistP256, ecdsa::SigningKey, elliptic_curve::FieldBytes}; +use sqlx::{Sqlite, SqliteConnection, Transaction}; + +use super::{ + History, + event::{Changed, Event}, +}; +use crate::{ + clock::DateTime, + db::NotFound, + event::{Instant, Sequence}, +}; + +pub trait Provider { + fn vapid(&mut self) -> Vapid<'_>; +} + +impl Provider for Transaction<'_, Sqlite> { + fn vapid(&mut self) -> Vapid<'_> { + Vapid(self) + } +} + +pub struct Vapid<'a>(&'a mut SqliteConnection); + +impl Vapid<'_> { + pub async fn record_events( + &mut self, + events: impl IntoIterator<Item = Event>, + ) -> Result<(), sqlx::Error> { + for event in events { + self.record_event(&event).await?; + } + Ok(()) + } + + pub async fn record_event(&mut self, event: &Event) -> Result<(), sqlx::Error> { + match event { + Event::Changed(changed) => self.record_changed(changed).await, + } + } + + async fn record_changed(&mut self, changed: &Changed) -> Result<(), sqlx::Error> { + sqlx::query!( + r#" + insert into vapid_key (changed_at, changed_sequence) + values ($1, $2) + "#, + changed.instant.at, + changed.instant.sequence, + ) + .execute(&mut *self.0) + .await?; + + Ok(()) + } + + pub async fn clear(&mut self) -> Result<(), sqlx::Error> { + sqlx::query!( + r#" + delete from vapid_key + "# + ) + .execute(&mut *self.0) + .await?; + + sqlx::query!( + r#" + delete from vapid_signing_key + "# + ) + .execute(&mut *self.0) + .await?; + + Ok(()) + } + + pub async fn store_signing_key(&mut self, key: &SigningKey) -> Result<(), Error> { + let key = key.to_bytes(); + let key = key.as_slice(); + sqlx::query!( + r#" + insert into vapid_signing_key (key) + values ($1) + "#, + key, + ) + .execute(&mut *self.0) + .await?; + + Ok(()) + } + + pub async fn current(&mut self) -> Result<History, Error> { + let key = sqlx::query!( + r#" + select + key.changed_at as "changed_at: DateTime", + key.changed_sequence as "changed_sequence: Sequence", + signing.key as "key: Vec<u8>" + from vapid_key as key + join vapid_signing_key as signing + "# + ) + .map(|row| { + let key = FieldBytes::<NistP256>::from_slice(&row.key); + let key = SigningKey::from_bytes(key)?; + let key = key.verifying_key().to_owned(); + + let changed = Instant::new(row.changed_at, row.changed_sequence); + + Ok::<_, Error>(History { key, changed }) + }) + .fetch_one(&mut *self.0) + .await??; + + Ok(key) + } +} + +#[derive(Debug, thiserror::Error)] +#[error(transparent)] +pub enum Error { + Ecdsa(#[from] p256::ecdsa::Error), + Database(#[from] sqlx::Error), +} + +impl<T> NotFound for Result<T, Error> { + type Ok = T; + type Error = Error; + + fn optional(self) -> Result<Option<T>, Error> { + match self { + Ok(value) => Ok(Some(value)), + Err(Error::Database(sqlx::Error::RowNotFound)) => Ok(None), + Err(other) => Err(other), + } + } +} diff --git a/ui/lib/state/remote/state.svelte.js b/ui/lib/state/remote/state.svelte.js index 3d65e4a..8845e02 100644 --- a/ui/lib/state/remote/state.svelte.js +++ b/ui/lib/state/remote/state.svelte.js @@ -7,6 +7,7 @@ export class State { users = $state(new Users()); conversations = $state(new Conversations()); messages = $state(new Messages()); + vapid_key = $state(null); static boot({ currentUser, heartbeat, resumePoint, events }) { const state = new State({ @@ -36,6 +37,8 @@ export class State { return this.onUserEvent(event); case 'message': return this.onMessageEvent(event); + case 'vapid': + return this.onVapidEvent(event); } } @@ -88,4 +91,16 @@ export class State { const { id } = event; this.messages.remove(id); } + + onVapidEvent(event) { + switch (event.event) { + case 'changed': + return this.onVapidChanged(event); + } + } + + onVapidChanged(event) { + let { key } = event; + this.vapid_key = key; + } } |