From 3e4c8ab56bd7ee50fd1a34ca4168d0397bb671d4 Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Thu, 2 Jan 2025 12:45:52 -0500
Subject: [PATCH] dev: add wisp auth endpoints

---
 src/backend/src/CoreModule.js           |  3 ++
 src/backend/src/services/WispService.js | 69 +++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 src/backend/src/services/WispService.js

diff --git a/src/backend/src/CoreModule.js b/src/backend/src/CoreModule.js
index d085625b..c132451a 100644
--- a/src/backend/src/CoreModule.js
+++ b/src/backend/src/CoreModule.js
@@ -358,6 +358,9 @@ const install = async ({ services, app, useapi, modapi }) => {
 
     const { PerformanceMonitor } = require('./monitor/PerformanceMonitor');
     services.registerService('performance-monitor', PerformanceMonitor);
+
+    const { WispService } = require('./services/WispService');
+    services.registerService('wisp', WispService);
 }
 
 const install_legacy = async ({ services }) => {
diff --git a/src/backend/src/services/WispService.js b/src/backend/src/services/WispService.js
new file mode 100644
index 00000000..1e2ca44a
--- /dev/null
+++ b/src/backend/src/services/WispService.js
@@ -0,0 +1,69 @@
+const configurable_auth = require("../middleware/configurable_auth");
+const { Endpoint } = require("../util/expressutil");
+const BaseService = require("./BaseService");
+
+class WispService extends BaseService {
+    ['__on_install.routes'] (_, { app }) {
+        const r_wisp = (() => {
+            const require = this.require;
+            const express = require('express');
+            return express.Router();
+        })();
+
+        app.use('/wisp', r_wisp);
+
+        Endpoint({
+            route: '/relay-token/create',
+            methods: ['POST'],
+            mw: [configurable_auth()],
+            handler: async (req, res) => {
+                const svc_token = this.services.get('token');
+                const actor = req.actor;
+                const token = svc_token.sign('wisp', {
+                    $: 'token:wisp',
+                    $v: '0.0.0',
+                    user_uid: actor.type.user.uuid,
+                }, {
+                    expiresIn: '1d',
+                });
+                res.json({ token });
+            }
+        }).attach(r_wisp);
+
+        Endpoint({
+            route: '/relay-token/verify',
+            methods: ['POST'],
+            handler: async (req, res) => {
+                const svc_token = this.services.get('token');
+                const svc_apiError = this.services.get('api-error');
+                const svc_event = this.services.get('event');
+
+                const decoded = svc_token.verify('wisp', req.body.token);
+                if ( decoded.$ !== 'token:wisp' ) {
+                    throw svc_apiError.create('invalid_token');
+                }
+
+                const svc_getUser = this.services.get('get-user');
+
+                const event = {
+                    allow: true,
+                    policy: {},
+                    user: await svc_getUser.get_user({
+                        uuid: decoded.user_uid,
+                    }),
+                };
+                await svc_event.emit('wisp.get-policy', event);
+                if ( ! event.allow ) {
+                    this.log.noticeme('here')
+                    throw svc_apiError.create('forbidden');
+                }
+
+                res.json(event.policy);
+            }
+        }).attach(r_wisp);
+    }
+}
+
+module.exports = {
+    WispService,
+};
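Review bot: The `/relay-token/verify` handler is unauthenticated and feeds `req.body.token` straight into `svc_token.verify` with no check that a body was parsed or that the field is a string, so a request without a JSON body throws a TypeError on the property read, and whatever `svc_token.verify` does on a forged or expired token (not visible here) is not mapped to a client error by this code; guard the input first with `if ( typeof req.body?.token !== 'string' ) { throw svc_apiError.create('invalid_token'); }` and, if `verify` throws on a bad signature, catch that and rethrow `invalid_token` as well. The payload check compares only `decoded.$`, not `$v`, so a later token layout with a different payload would still be accepted by this version of the handler; `if ( decoded.$ !== 'token:wisp' || decoded.$v !== '0.0.0' )` pins the format the `create` endpoint actually emits. `get_user` presumably returns nothing for a uuid that no longer exists, in which case `wisp.get-policy` listeners receive `user: undefined` while `allow` stays `true`; rejecting with `forbidden` before emitting when `event.user` is missing would close that gap. The `this.log.noticeme('here')` call is a leftover debug statement and should be removed before merge.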