SkynetLabs · ro-tex · Feb 23, 2021 · Feb 17, 2021 · Feb 12, 2021 · Feb 12, 2021
@@ -4,19 +4,18 @@
 
 ### ORY, Kratos, Oathkeeper, and JWx
 
-While `skynet-accounts` handles account information in the context of a Skynet 
-portal, the baseline account management (account CRUD, email verification, 
-password resets, etc.) is handled by [ORY](https://www.ory.sh/) 
-([Kratos](https://www.ory.sh/kratos/) and [Oathkeeper](https://www.ory.sh/oathkeeper/)) 
-to which we often refer to as "Kratos". This also covers the login/logout 
-process and the issuance of JTW tokens. When we talk about JWT (or JWK, or JWKS)
+While `skynet-accounts` handles account information in the context of a Skynet portal, the baseline account management (
+account CRUD, email verification, password resets, etc.) is handled by [ORY](https://www.ory.sh/)
+([Kratos](https://www.ory.sh/kratos/) and [Oathkeeper](https://www.ory.sh/oathkeeper/))
+to which we often refer to as "Kratos". This also covers the login/logout process and the issuance of JTW tokens. When
+we talk about JWT (or JWK, or JWKS)
 we mean the tokens issued by ORY.
 
 The workflow of verification follows a simple pattern:
- * Oathkeeper exposes a public link on which it shares the public keys with 
-   which anyone can verify the validity of the JWT tokens it issues.
- * `skynet-accounts` fetches those keys and uses them to validate the JWTs it
-  receives in requests.
+
+* Oathkeeper exposes a public link on which it shares the public keys with which anyone can verify the validity of the
+  JWT tokens it issues.
+* `skynet-accounts` fetches those keys and uses them to validate the JWTs it receives in requests.
 
 ### User tiers
 
@@ -28,89 +27,137 @@ The tiers communicated by the API are numeric. This is the mapping:
 3. Premium 20.
 4. Premium 80.
 
+## Auth endpoints
+
+### POST `/login`
+
+Sets the `skynet-jwt` cookie.
+
+* Requires valid JWT: `true`
+* GET params: none
+* POST params: none
+* Returns:
+  - 204
+  - 400
+  - 401 (missing JWT)
+  - 500
+
+### POST `/logout`
+
+Removes the `skynet-jwt` cookie.
+
+* Requires valid JWT: `true`
+* GET params: none
+* POST params: none
+* Returns:
+  - 204
+  - 400
+  - 401 (missing JWT)
+  - 500
+
 ## User endpoints
 
 ### GET `/user`
 
-This request combines the "get user data" and "create user" requests - if the 
-users exists in the DB, their data will be returned. If they don't exist in the 
-DB, an account will be created on the Free tier.
+This request combines the "get user data" and "create user" requests - if the users exists in the DB, their data will be
+returned. If they don't exist in the DB, an account will be created on the Free tier.
 
 * Requires valid JWT: `true`
 * Returns:
-  - 200 JSON object
+    - 200 JSON object
   ```json
   {
     "tier": 1
   }
   ```
-  - 401 (missing JWT)
-  - 424 (when there is no such user, and we fail to create it)
-  - 500 (on any other error)
+    - 401 (missing JWT)
+    - 424 (when there is no such user, and we fail to create it)
+    - 500 (on any other error)
 
 ### PUT `/user` (TODO)
 
-This endpoint allows us to update the user's tier, membership expiration dates, 
-etc.
+This endpoint allows us to update the user's tier, membership expiration dates, etc.
 
 * Requires valid JWT: `true`
 * POST params:
     - TBD
 * Returns:
-  - 200 JSON object
+    - 200 JSON object
   ```json
   {
     "tier": 1
   }
   ```
-  - 400
-  - 401 (missing JWT)
-  - 500
+    - 400
+    - 401 (missing JWT)
+    - 500
 
 ### GET `/user/uploads`
 
 Returns a list of all skylinks uploaded by the user.
 
 * Requires valid JWT: `true`
 * Returns:
-  - 200 JSON Array (TBD)
-  - 401 (missing JWT)
-  - 424 (when there is no such user, and we fail to create it)
-  - 500 (on any other error)
+    - 200 JSON Array (TBD)
+    - 401 (missing JWT)
+    - 424 (when there is no such user, and we fail to create it)
+    - 500 (on any other error)
 
 ### GET `/user/downloads`
 
 Returns a list of all skylinks downloads by the user.
 
 * Requires valid JWT: `true`
 * Returns:
-  - 200 JSON Array (TBD)
-  - 401 (missing JWT)
-  - 424 (when there is no such user, and we fail to create it)
-  - 500 (on any other error)
+    - 200 JSON Array (TBD)
+    - 401 (missing JWT)
+    - 424 (when there is no such user, and we fail to create it)
+    - 500 (on any other error)
 
 ## Reports endpoints
 
 ### POST `/track/upload/:skylink`
 
 * Requires valid JWT: `true`
 * GET params:
-  - skylink: just the skylink hash, no path, no protocol
+    - skylink: just the skylink hash, no path, no protocol
 * POST params: none
 * Returns:
-  - 204 
-  - 400
-  - 401 (missing JWT)
-  - 500
+    - 204
+    - 400
+    - 401 (missing JWT)
+    - 500
 
 ### POST `/track/download/:skylink`
 
 * Requires valid JWT: `true`
 * GET params:
-  - skylink: just the skylink hash, no path, no protocol
+    - skylink: just the skylink hash, no path, no protocol
 * POST params: none
-* Returns: 
-  - 204
-  - 400
-  - 401 (missing JWT)
-  - 500
+* Returns:
+    - 204
+    - 400
+    - 401 (missing JWT)
+    - 500
+
+### POST `/track/registry/read`
+
+* Requires valid JWT: `true`
+* GET params: none
+* POST params: none
+* Returns:
+    - 204
+    - 400
+    - 401 (missing JWT)
+    - 500
+
+### POST `/track/registry/write`
+
+* Requires valid JWT: `true`
+* GET params: none
+* POST params: none
+* Returns:
+    - 204
+    - 400
+    - 401 (missing JWT)
+    - 500
@@ -64,7 +64,7 @@ start-mongo:
      --rm \
      --detach \
      --name skynet-accounts-mongo-test-db \
-     -p 127.0.0.1:27017:27017 \
+     -p 127.0.0.1:17017:27017 \
      -e MONGO_INITDB_ROOT_USERNAME=admin \
      -e MONGO_INITDB_ROOT_PASSWORD=aO4tV5tC1oU3oQ7u \
      mongo

@@ -1,6 +1,7 @@
 # skynet-accounts
 
-`skynet-accounts` is a service that stores [Skynet](https://siasky.net) user account data. It uses MongoDB for data storage. It uses ORY Kratos for the actual account management.
+`skynet-accounts` is a service that stores [Skynet](https://siasky.net) user account data. It uses MongoDB for data
+storage. It uses ORY Kratos for the actual account management.
 
 ## Setup steps
 
@@ -9,6 +10,7 @@
 All local secrets are loaded from a `.env` file in the root directory of the project.
 
 Those are (example values):
+
 ```.env
 SKYNET_DB_HOST="localhost"
 SKYNET_DB_PORT="27017"
@@ -21,5 +23,6 @@ COOKIE_ENC_KEY=""
 ```
 
 ## Recommended reading
+
 - [JSON and BSON](https://www.mongodb.com/json-and-bson)
 - [Using the official MongoDB Go driver](https://vkt.sh/go-mongodb-driver-cookbook/)
@@ -4,14 +4,12 @@ import (
 	"encoding/json"
 	"net/http"
 
-	"github.com/NebulousLabs/skynet-accounts/metafetcher"
-
-	"github.com/sirupsen/logrus"
-
 	"github.com/NebulousLabs/skynet-accounts/build"
 	"github.com/NebulousLabs/skynet-accounts/database"
+	"github.com/NebulousLabs/skynet-accounts/metafetcher"
 
 	"github.com/julienschmidt/httprouter"
+	"github.com/sirupsen/logrus"
 	"gitlab.com/NebulousLabs/errors"
 )
 

@@ -6,13 +6,12 @@ import (
 	"time"
 
 	"github.com/gorilla/securecookie"
+	"github.com/joho/godotenv"
 )
 
 const (
 	// CookieName is the name of the cookie where we store the user's JWT token.
 	CookieName = "skynet-jwt"
-	// cookieValidity specifies for how long the cookie is valid. In seconds.
-	cookieValidity = 604800 // one week
 
 	// envCookieDomain holds the name of the environment variable for the
 	// domain name of the portal
@@ -27,14 +26,17 @@ const (
 
 var (
 	secureCookie = func() *securecookie.SecureCookie {
-		var hashKey = []byte(os.Getenv(envCookieHashKey))
-		var blockKey = []byte(os.Getenv(envCookieEncKey))
+		_ = godotenv.Load()
+		// These keys need to be *exactly* 16 or 32 bytes long.
+		var hashKey = []byte(os.Getenv(envCookieHashKey))[:32]
+		var blockKey = []byte(os.Getenv(envCookieEncKey))[:32]
 		return securecookie.New(hashKey, blockKey)
 	}()
 )
 
 // writeCookie is a helper function that writes the given JWT token as a
 // secure cookie.
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
 func writeCookie(w http.ResponseWriter, token string, exp int64) error {
 	encodedValue, err := secureCookie.Encode(CookieName, token)
 	if err != nil {
@@ -51,8 +53,7 @@ func writeCookie(w http.ResponseWriter, token string, exp int64) error {
 		HttpOnly: true,
 		Path:     "/",
 		Domain:   domain,
-		Expires:  time.Unix(exp, 0),
-		MaxAge:   cookieValidity,
+		MaxAge:   int(exp - time.Now().UTC().Unix()),
 		Secure:   true, // do not send over insecure channels, e.g. HTTP
 		SameSite: 1,    // https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
 	}