hirosystems · hstove · Sep 25, 2018 · Oct 24, 2018 · Nov 1, 2018 · Nov 1, 2018
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,12 @@ All notable changes to the project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [18.1.0] - 2018-10-024
+## [18.1.1] - 2018-11-01
+
+### Added
+- Support for scoped authentication tokens. This allows a Gaia auth token to only be valid for certain 'scopes' of a user's gaia hub.
+
+## [18.1.0] - 2018-10-24
 
 ### Added
 - The `BlockstackWallet` class in `blockstack.js` supports generating

diff --git a/package.json b/package.json
@@ -7,7 +7,9 @@
     "browserify": "./node_modules/.bin/browserify lib/index.js --standalone blockstack -o ./dist/blockstack.js",
     "browserify-tests": "./node_modules/.bin/browserify lib/index.js --standalone blockstack -o ./tests/browserTests/bundle.js",
     "compile": "rm -rf lib; babel src -d lib",
+    "compile-watch": "rm -rf lib; babel src -d lib --watch",
     "compile-tests": "rm -rf tests/unitTests/lib; rm -rf tests/authTests/lib; rm -rf test/operationsTests/lib; babel tests/unitTests/src -d tests/unitTests/lib; babel tests/authTests/src -d tests/authTests/lib; babel tests/operationsTests/src -d tests/operationsTests/lib;",
+    "compile-tests-watch": "rm -rf tests/unitTests/lib; rm -rf tests/authTests/lib; rm -rf test/operationsTests/lib; babel tests/unitTests/src -d tests/unitTests/lib --watch; babel tests/authTests/src -d tests/authTests/lib --watch; babel tests/operationsTests/src -d tests/operationsTests/lib --watch;",
     "prepare": "npm run compile",
     "prepublishOnly": "npm run build",
     "dev-auth": "npm run compile; npm run browserify; node ./tests/browserTests/auth-server.js",

diff --git a/src/storage/hub.js b/src/storage/hub.js
@@ -18,6 +18,11 @@ export type GaiaHubConfig = {
   server: string
 }
 
+type AuthScopeType = {
+  scope: string,
+  domain: string
+}
+
 export function uploadToGaiaHub(filename: string, contents: any,
                                 hubConfig: GaiaHubConfig,
                                 contentType: string = 'application/octet-stream'): Promise<*> {
@@ -65,10 +70,11 @@ function makeLegacyAuthToken(challengeText: string, signerKeyHex: string): strin
   }
 }
 
-function makeV1GaiaAuthToken(hubInfo: Object,
-                             signerKeyHex: string,
-                             hubUrl: string, 
-                             associationToken?: string): string {
+export function makeV1GaiaAuthToken(hubInfo: Object,
+                                    signerKeyHex: string,
+                                    hubUrl: string, 
+                                    associationToken?: string,
+                                    scopes?: Array<AuthScopeType>): string {
   const challengeText = hubInfo.challenge_text
   const handlesV1Auth = (hubInfo.latest_auth_version
                          && parseInt(hubInfo.latest_auth_version.slice(1), 10) >= 1)
@@ -84,15 +90,26 @@ function makeV1GaiaAuthToken(hubInfo: Object,
     hubUrl,
     iss,
     salt,
-    associationToken
+    associationToken,
+    scopes
   }
   const token = new TokenSigner('ES256K', signerKeyHex).sign(payload)
   return `v1:${token}`
 }
 
+/**
+ * 
+ * @param {string} gaiaHubUrl - the Gaia hub URL you want to connect to
+ * @param {string} challengeSignerHex - a private key used for signing an auth token
+ * @param {string} associationToken - an optional association token to add to your auth token
+ * @param {string} scopes - an optional array of scopes to include which will only allow
+ * this auth token to be used under your specified scopes
+ * @return {Promise} a promise that resolves to a gaia hub config object
+ */
 export function connectToGaiaHub(gaiaHubUrl: string,
                                  challengeSignerHex: string,
-                                 associationToken?: string): Promise<GaiaHubConfig> {
+                                 associationToken?: string,
+                                 scopes?: Array<AuthScopeType>): Promise<GaiaHubConfig> {
   if (!associationToken) {
     // maybe given in local storage?
     try {
@@ -111,7 +128,11 @@ export function connectToGaiaHub(gaiaHubUrl: string,
     .then(response => response.json())
     .then((hubInfo) => {
       const readURL = hubInfo.read_url_prefix
-      const token = makeV1GaiaAuthToken(hubInfo, challengeSignerHex, gaiaHubUrl, associationToken)
+      const token = makeV1GaiaAuthToken(hubInfo, 
+                                        challengeSignerHex, 
+                                        gaiaHubUrl, 
+                                        associationToken, 
+                                        scopes)
       const address = ecPairToAddress(hexStringToECPair(challengeSignerHex
                                         + (challengeSignerHex.length === 64 ? '01' : '')))
       return {

diff --git a/tests/unitTests/src/unitTestsHub.js b/tests/unitTests/src/unitTestsHub.js
@@ -0,0 +1,40 @@
+import test from 'tape'
+import { decodeToken } from 'jsontokens'
+
+import { makeV1GaiaAuthToken } from '../../../lib/storage/hub'
+
+const hubInfo = {
+  challenge_text: 'challenge',
+  latest_auth_version: 'v1'
+}
+const privateKey = 'a5c61c6ca7b3e7e55edee68566aeab22e4da26baa285c7bd10e8d2218aa3b229'
+
+export function runHubTests() {
+  test('adding scopes to auth token', (t) => {
+    t.plan(4)
+    const scopes = [
+      {
+        scope: 'putFilePrefix',
+        domain: 'testingScoped'
+      }
+    ]
+    const token = makeV1GaiaAuthToken(hubInfo, privateKey, 'http://localhost:4000', null, scopes)
+    t.assert(token.indexOf('v1:') === 0, 'Token starts with v1:')
+    const decodedToken = decodeToken(token.slice('v1:'.length))
+    const { payload } = decodedToken
+    t.assert(payload.scopes[0].scope === scopes[0].scope, 'scope should match')
+    t.assert(payload.scopes[0].domain === scopes[0].domain, 'domain should match')
+    t.assert(payload.scopes.length === scopes.length, 'number of scopes should match')
+    // console.log(decodedToken)
+  })
+
+  test('using association tokens in a token', async (t) => {
+    t.plan(1)
+    const associationToken = 'myAssociationToken'
+    const token = makeV1GaiaAuthToken(hubInfo, privateKey, 'http://localhost:4000', associationToken)
+    const decodedToken = decodeToken(token.slice('v1:'.length))
+    t.assert(decodedToken.payload.associationToken === associationToken, 'association token must be included')
+  })
+}
+
+runHubTests()