Ilia Denisov
22b0710d04
Implements ui/PLAN.md Phase 7 end-to-end: - /login two-step form (email -> code) over the gateway public REST surface; /lobby placeholder issues the first authenticated user.account.get and renders the decoded display name. - SessionStore (Svelte 5 runes) with loading / unsupported / anonymous / authenticated states; layout-level route guard, browser-not-supported blocker, and a minimal SubscribeEvents revocation watcher that closes the active client within 1s on a clean stream end or Unauthenticated. - VITE_GATEWAY_BASE_URL + VITE_GATEWAY_RESPONSE_PUBLIC_KEY config plus AuthError taxonomy in api/auth.ts. - Vitest (auth-api, session-store, login-page) and Playwright e2e (auth-flow.spec.ts) on the four configured projects, with a fixture Ed25519 keypair forging Connect-Web JSON responses. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
84 lines
2.5 KiB
TypeScript
84 lines
2.5 KiB
TypeScript
// Helper used by `auth-flow.spec.ts` to forge a Connect-Web-shaped
|
|
// `ExecuteCommandResponse` signed with the fixture gateway response
|
|
// key. Lives next to the keypair fixture so the e2e file stays
|
|
// focused on the UI flow. Connect-Web's default transport uses
|
|
// JSON over HTTP/1.1, so the helper emits JSON bytes; the canonical
|
|
// signing input is still the binary form defined in
|
|
// `ui/core/canon/response.go`.
|
|
|
|
import { create, toJson, toJsonString } from "@bufbuild/protobuf";
|
|
import { webcrypto } from "node:crypto";
|
|
import { ExecuteCommandResponseSchema } from "../../../src/proto/galaxy/gateway/v1/edge_gateway_pb";
|
|
import {
|
|
FIXTURE_PRIVATE_KEY_PKCS8_BASE64,
|
|
decodeBase64,
|
|
} from "./gateway-key";
|
|
import { buildResponseSigningInput } from "./canon";
|
|
|
|
const PROTOCOL_VERSION = "v1";
|
|
|
|
export interface ForgedResponseInput {
|
|
requestId: string;
|
|
timestampMs: bigint;
|
|
resultCode: string;
|
|
payloadBytes: Uint8Array;
|
|
}
|
|
|
|
let cachedPrivateKey: CryptoKey | null = null;
|
|
|
|
async function privateKey(): Promise<CryptoKey> {
|
|
if (cachedPrivateKey !== null) {
|
|
return cachedPrivateKey;
|
|
}
|
|
const pkcs8 = decodeBase64(FIXTURE_PRIVATE_KEY_PKCS8_BASE64);
|
|
cachedPrivateKey = await webcrypto.subtle.importKey(
|
|
"pkcs8",
|
|
pkcs8,
|
|
{ name: "Ed25519" },
|
|
false,
|
|
["sign"],
|
|
);
|
|
return cachedPrivateKey;
|
|
}
|
|
|
|
async function sha256(payload: Uint8Array): Promise<Uint8Array> {
|
|
const digest = await webcrypto.subtle.digest("SHA-256", payload);
|
|
return new Uint8Array(digest);
|
|
}
|
|
|
|
/**
|
|
* forgeExecuteCommandResponseJson produces the JSON body of a
|
|
* gateway response that `GalaxyClient.executeCommand` will accept
|
|
* under the fixture public key, encoded the way Connect-Web's
|
|
* default JSON transport expects to receive it.
|
|
*/
|
|
export async function forgeExecuteCommandResponseJson(
|
|
input: ForgedResponseInput,
|
|
): Promise<string> {
|
|
const payloadHash = await sha256(input.payloadBytes);
|
|
const canonical = buildResponseSigningInput({
|
|
protocolVersion: PROTOCOL_VERSION,
|
|
requestId: input.requestId,
|
|
timestampMs: input.timestampMs,
|
|
resultCode: input.resultCode,
|
|
payloadHash,
|
|
});
|
|
const sig = await webcrypto.subtle.sign(
|
|
{ name: "Ed25519" },
|
|
await privateKey(),
|
|
canonical,
|
|
);
|
|
const message = create(ExecuteCommandResponseSchema, {
|
|
protocolVersion: PROTOCOL_VERSION,
|
|
requestId: input.requestId,
|
|
timestampMs: input.timestampMs,
|
|
resultCode: input.resultCode,
|
|
payloadBytes: input.payloadBytes,
|
|
payloadHash,
|
|
signature: new Uint8Array(sig),
|
|
});
|
|
return toJsonString(ExecuteCommandResponseSchema, message);
|
|
}
|
|
|
|
export { toJson };
|