mirror of
https://github.com/signalapp/Signal-Server
synced 2026-04-21 07:38:06 +01:00
Create call link credential endpoint
This commit is contained in:
Katherine Yen
GitHub
@@ -1,56 +1,74 @@
|
||||
package org.whispersystems.textsecuregcm.controllers;
|
||||
|
||||
import com.codahale.metrics.annotation.Timed;
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
import io.dropwizard.auth.Auth;
|
||||
import io.swagger.v3.oas.annotations.Operation;
|
||||
import io.swagger.v3.oas.annotations.responses.ApiResponse;
|
||||
import org.signal.libsignal.zkgroup.GenericServerSecretParams;
|
||||
import org.signal.libsignal.zkgroup.InvalidInputException;
|
||||
import org.signal.libsignal.zkgroup.calllinks.CreateCallLinkCredentialRequest;
|
||||
import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
|
||||
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
|
||||
import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
|
||||
import org.whispersystems.textsecuregcm.configuration.CallLinkConfiguration;
|
||||
import javax.ws.rs.GET;
|
||||
import org.whispersystems.textsecuregcm.entities.CreateCallLinkCredential;
|
||||
import org.whispersystems.textsecuregcm.entities.GetCreateCallLinkCredentialsRequest;
|
||||
import org.whispersystems.textsecuregcm.limits.RateLimiters;
|
||||
import javax.validation.constraints.NotNull;
|
||||
import javax.ws.rs.BadRequestException;
|
||||
import javax.ws.rs.POST;
|
||||
import javax.ws.rs.Path;
|
||||
import javax.ws.rs.Produces;
|
||||
import javax.ws.rs.core.MediaType;
|
||||
import java.time.Clock;
|
||||
import java.time.Instant;
|
||||
import java.time.temporal.ChronoUnit;
|
||||
import java.util.Optional;
|
||||
|
||||
@Path("/v1/call-link")
|
||||
@io.swagger.v3.oas.annotations.tags.Tag(name = "CallLink")
|
||||
public class CallLinkController {
|
||||
@VisibleForTesting
|
||||
public static final String ANONYMOUS_CREDENTIAL_PREFIX = "anon";
|
||||
|
||||
private final ExternalServiceCredentialsGenerator callingFrontendServiceCredentialGenerator;
|
||||
private final RateLimiters rateLimiters;
|
||||
private final GenericServerSecretParams genericServerSecretParams;
|
||||
|
||||
public CallLinkController(
|
||||
ExternalServiceCredentialsGenerator callingFrontendServiceCredentialGenerator
|
||||
final RateLimiters rateLimiters,
|
||||
final GenericServerSecretParams genericServerSecretParams
|
||||
) {
|
||||
this.callingFrontendServiceCredentialGenerator = callingFrontendServiceCredentialGenerator;
|
||||
this.rateLimiters = rateLimiters;
|
||||
this.genericServerSecretParams = genericServerSecretParams;
|
||||
}
|
||||
|
||||
public static ExternalServiceCredentialsGenerator credentialsGenerator(final CallLinkConfiguration cfg) {
|
||||
return ExternalServiceCredentialsGenerator
|
||||
.builder(cfg.userAuthenticationTokenSharedSecret())
|
||||
.withUsernameTimestampTruncatorAndPrefix(timestamp -> timestamp.truncatedTo(ChronoUnit.DAYS), ANONYMOUS_CREDENTIAL_PREFIX)
|
||||
.build();
|
||||
}
|
||||
@Timed
|
||||
@GET
|
||||
@Path("/auth")
|
||||
@POST
|
||||
@Path("/create-auth")
|
||||
@Produces(MediaType.APPLICATION_JSON)
|
||||
@Operation(
|
||||
summary = "Generate credentials for calling frontend",
|
||||
summary = "Generate a credential for creating call links",
|
||||
description = """
|
||||
These credentials enable clients to prove to calling frontend that they were a Signal user within the last day.
|
||||
For client privacy, timestamps are truncated to 1 day granularity and the token does not include or derive from an ACI.
|
||||
Generate a credential over a truncated timestamp, room ID, and account UUID. With zero knowledge
|
||||
group infrastructure, the server does not know the room ID.
|
||||
"""
|
||||
)
|
||||
@ApiResponse(responseCode = "200", description = "`JSON` with generated credentials.", useReturnTypeSchema = true)
|
||||
@ApiResponse(responseCode = "400", description = "Invalid create call link credential request.")
|
||||
@ApiResponse(responseCode = "401", description = "Account authentication check failed.")
|
||||
public ExternalServiceCredentials getAuth(@Auth AuthenticatedAccount auth) {
|
||||
return callingFrontendServiceCredentialGenerator.generateWithTimestampAsUsername();
|
||||
@ApiResponse(responseCode = "422", description = "Invalid request format.")
|
||||
@ApiResponse(responseCode = "429", description = "Ratelimited.")
|
||||
public CreateCallLinkCredential getCreateAuth(
|
||||
final @Auth AuthenticatedAccount auth,
|
||||
final @NotNull GetCreateCallLinkCredentialsRequest request
|
||||
) throws RateLimitExceededException {
|
||||
|
||||
rateLimiters.getCreateCallLinkLimiter().validate(auth.getAccount().getUuid());
|
||||
|
||||
final Instant truncatedDayTimestamp = Instant.now().truncatedTo(ChronoUnit.DAYS);
|
||||
|
||||
CreateCallLinkCredentialRequest createCallLinkCredentialRequest;
|
||||
try {
|
||||
createCallLinkCredentialRequest = new CreateCallLinkCredentialRequest(request.createCallLinkCredentialRequest());
|
||||
} catch (InvalidInputException e) {
|
||||
throw new BadRequestException("Invalid create call link credential request", e);
|
||||
}
|
||||
|
||||
return new CreateCallLinkCredential(
|
||||
createCallLinkCredentialRequest.issueCredential(auth.getAccount().getUuid(), truncatedDayTimestamp, genericServerSecretParams).serialize(),
|
||||
truncatedDayTimestamp.getEpochSecond()
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user