feat: support cookies between requests

.aegir.js

@@ -0,0 +1,8 @@
+/** @type {import('aegir').PartialOptions} */
+export default {
+  dependencyCheck: {
+    ignore: [
+      'undici' // required by http-cookie-agent
+    ]
+  }
+}

package.json

@@ -174,10 +174,13 @@
     "@multiformats/multiaddr": "^12.3.0",
     "@multiformats/multiaddr-to-uri": "^11.0.0",
     "@perseveranza-pets/milo": "^0.2.1",
+    "http-cookie-agent": "^6.0.7",
     "p-defer": "^4.0.1",
+    "tough-cookie": "^5.0.0",
     "uint8-varint": "^2.0.4",
     "uint8arraylist": "^2.4.8",
-    "uint8arrays": "^5.1.0"
+    "uint8arrays": "^5.1.0",
+    "undici": "^6.21.0"
   },
   "devDependencies": {
     "@libp2p/interface-compliance-tests": "^6.1.8",
@@ -187,5 +190,8 @@
     "libp2p": "^2.2.1",
     "sinon-ts": "^2.0.0"
   },
+  "browser": {
+    "./dist/src/auth/agent.js": "./dist/src/auth/agent.browser.js"
+  },
   "sideEffects": false
 }

src/auth/agent.browser.ts

@@ -0,0 +1,11 @@
+/**
+ * Returns nothing as browsers handle cookies for us
+ */
+export function getAgent (): any {
+  return {
+    agent: undefined,
+    jar: {
+      getCookies: () => []
+    }
+  }
+}

src/auth/agent.ts

@@ -0,0 +1,18 @@
+import { CookieAgent } from 'http-cookie-agent/undici'
+import { CookieJar } from 'tough-cookie'
+
+/**
+ * Returns an HTTP Agent that handles cookies over multiple requests
+ */
+export function getAgent (): { agent: CookieAgent, jar: CookieJar } {
+  const jar = new CookieJar()
+
+  return {
+    agent: new CookieAgent({
+      cookies: {
+        jar
+      }
+    }),
+    jar
+  }
+}

src/auth/client.ts

@@ -1,15 +1,20 @@
 import { publicKeyFromProtobuf, publicKeyToProtobuf } from '@libp2p/crypto/keys'
 import { peerIdFromPublicKey } from '@libp2p/peer-id'
 import { toString as uint8ArrayToString, fromString as uint8ArrayFromString } from 'uint8arrays'
+import { getAgent } from './agent.js'
 import { parseHeader, PeerIDAuthScheme, sign, verify } from './common.js'
 import { BadResponseError, InvalidPeerError, InvalidSignatureError, MissingAuthHeaderError } from './errors.js'
 import type { PeerId, PrivateKey } from '@libp2p/interface'
 import type { AbortOptions } from '@multiformats/multiaddr'
+import type { CookieAgent } from 'http-cookie-agent/undici'
+import type { CookieJar } from 'tough-cookie'
 
 export interface TokenInfo {
   creationTime: Date
   bearer: string
   peer: PeerId
+  agent: CookieAgent
+  jar: CookieJar
 }
 
 export interface AuthenticatedFetchOptions extends RequestInit {
@@ -79,7 +84,7 @@
     return `${PeerIDAuthScheme} ${encodedParams}`
   }
 
-  public bearerAuthHeaderWithPeer (hostname: string): { 'authorization': string, peer: PeerId } | undefined {
+  public bearerAuthHeaderWithPeer (hostname: string): { 'authorization': string, peer: PeerId, agent: CookieAgent, jar: CookieJar } | undefined {
     const token = this.tokens.get(hostname)
     if (token == null) {
       return undefined
@@ -88,7 +93,12 @@
       this.tokens.delete(hostname)
       return undefined
     }
-    return { authorization: `${PeerIDAuthScheme} bearer="${token.bearer}"`, peer: token.peer }
+    return {
+      authorization: `${PeerIDAuthScheme} bearer="${token.bearer}"`,
+      peer: token.peer,
+      agent: token.agent,
+      jar: token.jar
+    }
   }
 
   public bearerAuthHeader (hostname: string): string | undefined {
@@ -128,7 +138,12 @@
     if (this.tokens.has(hostname)) {
       const token = this.bearerAuthHeaderWithPeer(hostname)
       if (token !== undefined) {
+        // @ts-expect-error not in types
+        request.dispatcher = token.agent
         request.headers.set('Authorization', token.authorization)
+
+        await addCookiesToRequest(request, token.jar)
+
         return { peer: token.peer, response: await fetch(request) }
       } else {
         this.tokens.delete(hostname)
@@ -146,9 +161,15 @@
       })
     }
 
+    const { agent, jar } = getAgent()
+
     const resp = await fetch(authEndpointURI, {
+      method: 'OPTIONS',
       headers,
-      signal: request.signal
+      signal: request.signal,
+
+      // @ts-expect-error not in types
+      dispatcher: agent
     })
 
     // Verify the server's challenge
@@ -185,7 +206,12 @@
       sig: uint8ArrayToString(sig, 'base64urlpad')
     })
 
+    // @ts-expect-error not in types
+    request.dispatcher = agent
     request.headers.set('Authorization', authenticateSelfHeaders)
+
+    await addCookiesToRequest(request, jar)
+
     const resp2 = await fetch(request)
 
     if (!resp2.ok) {
@@ -201,7 +227,9 @@
     this.tokens.set(hostname, {
       peer: serverID,
       creationTime: new Date(),
-      bearer: serverAuthFields.bearer
+      bearer: serverAuthFields.bearer,
+      agent,
+      jar
     })
 
     return { peer: serverID, response: resp2 }
@@ -212,3 +240,11 @@
     return (await this.authenticatedFetch(req, options)).peer
   }
 }
+
+async function addCookiesToRequest (request: Request, jar: CookieJar): Promise<void> {
+  const cookies = await jar.getCookies(request.url.toString())
+
+  cookies.forEach(cookie => {
+    request.headers.append('Cookie', cookie.cookieString())
+  })
+}

src/auth/server.ts

@@ -3,6 +3,7 @@
 import { toString as uint8ArrayToString, fromString as uint8ArrayFromString } from 'uint8arrays'
 import { encodeAuthParams, parseHeader, PeerIDAuthScheme, sign, verify } from './common.js'
 import type { PeerId, PrivateKey, PublicKey, Logger } from '@libp2p/interface'
+import type http from 'node:http'
 
 export interface HttpHandler { (req: Request): Promise<Response> }
 
@@ -32,7 +33,7 @@
 
   withAuth (httpAuthedHandler: (peer: PeerId, req: Request) => Promise<Response>): HttpHandler {
     return async (req: Request): Promise<Response> => {
-      const authResp = await this.authenticateRequest(req)
+      const authResp = await this.authenticateRequest(this.readHostname(req), req.headers.get('Authorization') ?? undefined)
       if (authResp.status !== 200 || authResp.peer === undefined) {
         return new Response('', { status: authResp.status, headers: authResp.headers })
       }
@@ -55,17 +56,37 @@
     }
   }
 
+  requestListener (httpAuthedHandler: (peer: PeerId, req: http.IncomingMessage, res: http.ServerResponse) => void): http.RequestListener {
+    return (req: http.IncomingMessage, res: http.ServerResponse): void => {
+      Promise.resolve()
+        .then(async () => {
+          const authResp = await this.authenticateRequest(req.headers.host ?? '', req.headers.authorization)
+
+          for (const [key, value] of Object.entries(authResp.headers ?? {})) {
+            res.setHeader(key, value)
+          }
+
+          if (authResp.status !== 200 || authResp.peer === undefined) {
+            res.statusCode = authResp.status
+            res.end()
+
+            return
+          }
+
+          httpAuthedHandler(authResp.peer, req, res)
+        })
+        .catch(err => {
+          this.logger?.error('error handling request - %e', err)
+        })
+    }
+  }
+
   /* eslint-disable-next-line complexity */
-  private async authenticateRequest (req: Request): Promise<AuthenticationResponse> {
-    const hostname = this.readHostname(req)
+  private async authenticateRequest (hostname: string, authHeader?: string): Promise<AuthenticationResponse> {
     if (!this.validHostname(hostname)) {
       return { status: 400 }
     }
 
-    if (req.headers === undefined) {
-      return this.returnChallenge(hostname, null, {})
-    }
-    const authHeader = req.headers.get('Authorization')
     if (authHeader === null || authHeader === undefined || authHeader === '') {
       return this.returnChallenge(hostname, null, {})
     }

test/index.spec.ts

@@ -58,7 +58,7 @@ describe('whatwg-fetch', () => {
       return streams[1]
     })
 
-    clientComponents.connectionManager.openConnection.callsFake(async (peer: PeerId | Multiaddr | Multiaddr[], options?: any) => {
+    clientComponents.connectionManager.openConnection.callsFake(async (peer: PeerId | Multiaddr | Multiaddr[]) => {
       if (Array.isArray(peer)) {
         peer = peer[0]
       }

test/node.ts

@@ -0,0 +1,99 @@
+import http from 'node:http'
+import { generateKeyPair } from '@libp2p/crypto/keys'
+import { peerIdFromPrivateKey } from '@libp2p/peer-id'
+import { expect } from 'aegir/chai'
+import pDefer from 'p-defer'
+import { ClientAuth, ServerAuth } from '../src/auth/index.js'
+import type { PeerId, PrivateKey } from '@libp2p/interface'
+
+describe('@libp2p/http-fetch', () => {
+  describe('client auth', () => {
+    let clientKey: PrivateKey
+    let serverKey: PrivateKey
+    let server: http.Server
+
+    beforeEach(async () => {
+      clientKey = await generateKeyPair('Ed25519')
+      serverKey = await generateKeyPair('Ed25519')
+    })
+
+    afterEach(async () => {
+      server?.close()
+      server?.closeAllConnections()
+    })
+
+    it('should perform auth from client', async () => {
+      const clientAuth = new ClientAuth(clientKey)
+      const serverAuth = new ServerAuth(serverKey, h => h.startsWith('127.0.0.1'))
+      const clientPeer = pDefer<PeerId>()
+      const echoListener = serverAuth.requestListener((clientId, req, res) => {
+        clientPeer.resolve(clientId)
+        req.pipe(res)
+      })
+
+      server = http.createServer(echoListener)
+
+      const port = await new Promise<number>((resolve, reject) => {
+        const listener = server.listen(0, () => {
+          const address = listener.address()
+
+          if (address == null || typeof address === 'string') {
+            reject(new Error('Could not listen on port'))
+            return
+          }
+
+          resolve(address.port)
+        })
+      })
+
+      await expect(clientAuth.authenticateServer(`http://127.0.0.1:${port}`)).to.eventually.deep.equal(peerIdFromPrivateKey(serverKey))
+      await expect(clientPeer.promise).to.eventually.deep.equal(peerIdFromPrivateKey(clientKey))
+    })
+
+    it('should respect cookies during auth', async () => {
+      const clientAuth = new ClientAuth(clientKey)
+      const serverAuth = new ServerAuth(serverKey, h => h.startsWith('127.0.0.1'))
+      const cookie = pDefer<string>()
+      const echoListener = serverAuth.requestListener((clientId, req, res) => {
+        req.pipe(res)
+      })
+      const cookieName = 'test-cookie-name'
+      const cookieValue = 'test-cookie-value'
+      let requests = 0
+
+      server = http.createServer((req, res) => {
+        requests++
+
+        const cookieHeader = req.headers.cookie
+
+        if (cookieHeader == null) {
+          if (requests === 2) {
+            cookie.reject(new Error('No cookie header found on second request'))
+          }
+
+          res.setHeader('set-cookie', `${cookieName}=${cookieValue}; Expires=${new Date(Date.now() + 86_400_000).toString()}; HttpOnly`)
+        } else {
+          cookie.resolve(cookieHeader)
+        }
+
+        echoListener(req, res)
+      })
+
+      const port = await new Promise<number>((resolve, reject) => {
+        const listener = server.listen(0, () => {
+          const address = listener.address()
+
+          if (address == null || typeof address === 'string') {
+            reject(new Error('Could not listen on port'))
+            return
+          }
+
+          resolve(address.port)
+        })
+      })
+
+      await expect(clientAuth.authenticateServer(`http://127.0.0.1:${port}`)).to.eventually.deep.equal(peerIdFromPrivateKey(serverKey))
+      await expect(cookie.promise).to.eventually.equal(`${cookieName}=${cookieValue}`)
+    })
+  })
+})