refactor(db-worker,wip): remove <invoke-main-thread (1)

Author: RCmerci

docs/agent-guide/074-db-worker-node-invoke-main-thread-refactor.md

@@ -452,7 +452,9 @@
          (state/<invoke-db-worker :thread-api/set-db-sync-config
                                   {:enabled? true
                                    :ws-url config/db-sync-ws-url
-                                   :http-base config/db-sync-http-base})
+                                   :http-base config/db-sync-http-base
+                                   :oauth-domain config/OAUTH-DOMAIN
+                                   :oauth-client-id config/COGNITO-CLIENT-ID})
          (p/let [rsa-key-pair (state/<invoke-db-worker :thread-api/db-sync-ensure-user-rsa-keys)]
            (set-e2ee-rsa-key-ensured? (some? rsa-key-pair))))
         (p/catch (fn [e]

src/main/frontend/components/repo.cljs

@@ -332,7 +332,9 @@
          (state/<invoke-db-worker :thread-api/set-db-sync-config
                                   {:enabled? true
                                    :ws-url config/db-sync-ws-url
-                                   :http-base config/db-sync-http-base})
+                                   :http-base config/db-sync-http-base
+                                   :oauth-domain config/OAUTH-DOMAIN
+                                   :oauth-client-id config/COGNITO-CLIENT-ID})
          (state/<invoke-db-worker :thread-api/db-sync-ensure-user-rsa-keys))
         (p/catch (fn [error]
                    (log/error :db-sync/ensure-user-rsa-keys-failed error)

src/main/frontend/handler/events/ui.cljs

@@ -143,7 +143,9 @@
                    _ (state/<invoke-db-worker :thread-api/set-db-sync-config
                                               {:enabled? true
                                                :ws-url config/db-sync-ws-url
-                                               :http-base config/db-sync-http-base})
+                                               :http-base config/db-sync-http-base
+                                               :oauth-domain config/OAUTH-DOMAIN
+                                               :oauth-client-id config/COGNITO-CLIENT-ID})
                    _ (state/pub-event! [:rtc/sync-app-state])
                    _ (log/info "init worker spent" (str (- (util/time-ms) t1) "ms"))
                    _ (sync-ui-state!)

src/main/frontend/persist_db/browser.cljs

@@ -75,6 +75,24 @@
     (f path text)
     (throw (ex-info "platform storage/write-text! missing" {:path path}))))
 
+(defn save-secret-text!
+  [platform key text]
+  (if-let [f (get-in platform [:crypto :save-secret-text!])]
+    (f key text)
+    (throw (ex-info "platform crypto/save-secret-text! missing" {:key key}))))
+
+(defn read-secret-text
+  [platform key]
+  (if-let [f (get-in platform [:crypto :read-secret-text])]
+    (f key)
+    (throw (ex-info "platform crypto/read-secret-text missing" {:key key}))))
+
+(defn delete-secret-text!
+  [platform key]
+  (if-let [f (get-in platform [:crypto :delete-secret-text!])]
+    (f key)
+    (throw (ex-info "platform crypto/delete-secret-text! missing" {:key key}))))
+
 (defn websocket-connect
   [platform url]
   (if-let [f (get-in platform [:websocket :connect])]

src/main/frontend/worker/platform.cljs

@@ -60,6 +60,24 @@
   [k value]
   (idb-keyval/set k value @kv-store))
 
+(def ^:private secret-prefix "worker-secret###")
+
+(defn- secret-key
+  [key]
+  (str secret-prefix key))
+
+(defn- save-secret-text!
+  [key text]
+  (kv-set! (secret-key key) text))
+
+(defn- read-secret-text
+  [key]
+  (kv-get (secret-key key)))
+
+(defn- delete-secret-text!
+  [key]
+  (kv-set! (secret-key key) nil))
+
 (defn- install-opfs-pool
   [sqlite pool-name]
   (.installOpfsSAHPoolVfs ^js sqlite #js {:name pool-name
@@ -126,5 +144,7 @@
             :close-db (fn [db] (.close db))
             :exec (fn [db sql-or-opts] (.exec db sql-or-opts))
             :transaction (fn [db f] (.transaction db f))}
-   :crypto {}
+   :crypto {:save-secret-text! save-secret-text!
+            :read-secret-text read-secret-text
+            :delete-secret-text! delete-secret-text!}
    :timers {:set-interval! (fn [f ms] (js/setInterval f ms))}})

src/main/frontend/worker/platform/browser.cljs

@@ -298,6 +298,12 @@
   [state]
   (transit/write kv-transit-writer state))
 
+(def ^:private secret-prefix "worker-secret###")
+
+(defn- secret-key
+  [key]
+  (str secret-prefix key))
+
 (defn- kv-store
   [data-dir]
   (let [kv-path (node-path/join data-dir "kv-store.json")
@@ -359,5 +365,10 @@
                :backup-db (fn [db path]
                             (let [backup-fn (gobj/get db "backup")]
                               (backup-fn path)))}
-      :crypto {}
+      :crypto {:save-secret-text! (fn [key text]
+                                    ((:set! kv) (secret-key key) text))
+               :read-secret-text (fn [key]
+                                   ((:get kv) (secret-key key)))
+               :delete-secret-text! (fn [key]
+                                      ((:set! kv) (secret-key key) nil))}
       :timers {:set-interval! (fn [f ms] (js/setInterval f ms))}})))

src/main/frontend/worker/platform/node.cljs

@@ -2,10 +2,10 @@
   "Auth and endpoint helpers for db sync."
   (:require [clojure.string :as string]
             [frontend.worker-common.util :as worker-util]
-            [logseq.common.util :as common-util]
-            [promesa.core :as p]
+            [frontend.worker.state :as worker-state]
             [frontend.worker.sync.util :as sync-util]
-            [frontend.worker.state :as worker-state]))
+            [logseq.common.util :as common-util]
+            [promesa.core :as p]))
 
 (defn ws-base-url
   [db-sync-config]
@@ -36,16 +36,59 @@
       (catch :default _
         true))))
 
+(defn oauth-token-url
+  [db-sync-config]
+  (or (:oauth-token-url db-sync-config)
+      (when-let [domain (not-empty (:oauth-domain db-sync-config))]
+        (str "https://" domain "/oauth2/token"))))
+
+(defn <refresh-id&access-token
+  []
+  (let [refresh-token (:auth/refresh-token @worker-state/*state)
+        db-sync-config @worker-state/*db-sync-config
+        token-url (oauth-token-url db-sync-config)
+        oauth-client-id (:oauth-client-id db-sync-config)]
+    (when-not (seq refresh-token)
+      (throw (ex-info "worker auth refresh requires refresh token"
+                      {:code :missing-refresh-token})))
+    (when-not (seq token-url)
+      (throw (ex-info "worker auth refresh requires oauth token url"
+                      {:code :missing-oauth-token-url})))
+    (when-not (seq oauth-client-id)
+      (throw (ex-info "worker auth refresh requires oauth client id"
+                      {:code :missing-oauth-client-id})))
+    (let [form-data (js/URLSearchParams.)]
+      (.set form-data "grant_type" "refresh_token")
+      (.set form-data "client_id" oauth-client-id)
+      (.set form-data "refresh_token" refresh-token)
+      (p/let [resp (js/fetch token-url #js {:method "POST"
+                                            :headers #js {"content-type" "application/x-www-form-urlencoded"}
+                                            :body (.toString form-data)})
+              text (.text resp)
+              data (when (seq text)
+                     (js->clj (js/JSON.parse text) :keywordize-keys true))]
+        (if (.-ok resp)
+          {:id-token (:id_token data)
+           :access-token (:access_token data)}
+          (throw (ex-info "worker auth refresh failed"
+                          {:code :auth-refresh-failed
+                           :status (.-status resp)
+                           :token-url token-url
+                           :body data})))))))
+
 (defn <resolve-ws-token
   []
-  (let [token (sync-util/auth-token)]
-    (if (and (not (sync-util/cli-node-owner?))
-             (id-token-expired? token))
-      (p/let [resp (worker-state/<invoke-main-thread :thread-api/ensure-id&access-token)
-              refreshed-token (:id-token resp)]
-        (when (string? refreshed-token)
-          (worker-state/set-new-state! {:auth/id-token refreshed-token})
-          refreshed-token))
+  (let [token (sync-util/auth-token)
+        token-expired? (id-token-expired? token)]
+    (if (and (not (sync-util/cli-node-owner?)) token-expired?)
+      (p/let [{:keys [id-token access-token]} (<refresh-id&access-token)]
+        (when-not (seq id-token)
+          (throw (ex-info "worker auth refresh returned empty id-token"
+                          {:code :auth-refresh-empty-id-token})))
+        (worker-state/set-new-state!
+         (cond-> {:auth/id-token id-token}
+           (seq access-token) (assoc :auth/access-token access-token)))
+        id-token)
       (p/resolved token))))
 
 (defn get-user-uuid

src/main/frontend/worker/sync/auth.cljs

@@ -16,6 +16,7 @@
 (defonce ^:private *graph->aes-key (atom {}))
 (defonce ^:private *user-rsa-key-pair-inflight (atom {}))
 (defonce ^:private e2ee-password-file "e2ee-password")
+(defonce ^:private e2ee-password-secret-key "logseq-encrypted-password")
 (defonce ^:private native-env?
   (let [href (try (.. js/self -location -href)
                   (catch :default _ nil))]
@@ -31,15 +32,15 @@
 
 (defn <native-save-password-text!
   [encrypted-text]
-  (worker-state/<invoke-main-thread :thread-api/native-save-e2ee-password encrypted-text))
+  (platform/save-secret-text! (platform/current) e2ee-password-secret-key encrypted-text))
 
 (defn- <native-read-password-text
   []
-  (worker-state/<invoke-main-thread :thread-api/native-get-e2ee-password))
+  (platform/read-secret-text (platform/current) e2ee-password-secret-key))
 
 (defn- <native-delete-password-text!
   []
-  (worker-state/<invoke-main-thread :thread-api/native-delete-e2ee-password))
+  (platform/delete-secret-text! (platform/current) e2ee-password-secret-key))
 
 (defn- <save-e2ee-password
   [refresh-token password]
@@ -55,9 +56,16 @@
 
 (defn- <read-e2ee-password
   [refresh-token]
-  (p/let [text (if (native-worker?)
-                 (<native-read-password-text)
-                 (platform/read-text! (platform/current) e2ee-password-file))
+  (p/let [platform' (platform/current)
+          text (if (native-worker?)
+                 (-> (p/let [native-text (<native-read-password-text)]
+                       (if (seq native-text)
+                         native-text
+                         (platform/read-text! platform' e2ee-password-file)))
+                     (p/catch (fn [e]
+                                (log/error :native-get-e2ee-password {:error e})
+                                (platform/read-text! platform' e2ee-password-file))))
+                 (platform/read-text! platform' e2ee-password-file))
           data (ldb/read-transit-str text)
           password (crypt/<decrypt-text-by-text-password refresh-token data)]
     password))

src/main/frontend/worker/sync/crypt.cljs

@@ -386,7 +386,7 @@
                (p/then (fn [_]
                          (is (= 1 (count @worker-calls)))
                          (let [[op graph graph-uuid graph-e2ee?] (first @worker-calls)]
-                           (is (= :thread-api/db-sync-download-graph op))
+                           (is (= :thread-api/db-sync-download-graph-by-id op))
                            (is (string/ends-with? graph "demo-graph"))
                            (is (= "graph-1" graph-uuid))
                            (is (= false graph-e2ee?)))