libp2phttp: HTTP Peer ID Authentication #2854

MarcoPolo · 2024-06-29T19:25:08Z

This enables HTTP peers to authenticate each other's peer ID. This would allow users to use an http transport that has a peer id component (e.g. /dns/example.com/http/p2p/12Foo). I think it's nice to have this for completeness so that an http transport has the same semantics as a libp2p stream transport when doing HTTP with regard to Peer IDs.

There's more testing I want to do here, but I think this is more or less ready for a review.

For a high level overview of the authentication protocol refer to the overview in the spec: https://github.com/libp2p/specs/blob/45006f17d2fa0cede50b2db2311a55061011a3fc/http/peer-id-auth.md#mutual-client-and-server-peer-id-authentication-overview

p2p/http/auth/client.go

p2p/http/auth/auth.go

p2p/http/auth/client.go

p2p/http/auth/server.go

MarcoPolo · 2024-08-28T01:03:35Z

I've completely refactored this. The handshake logic is now neatly in internal/handshake. The Client API is simpler, and the Server API changed a little bit (in a way that makes it hopefully easier to use). The server uses HMAC to authenticate the opaque and the token. And it's also close to 10x faster (still could be improved, but this might be good enough for now).

~~The main missing thing is the test that generates the examples for the spec. I'll work on that next, but otherwise I think this is ready.~~ Done.

when you get a chance, could I get a review here and in the spec libp2p/specs#564 @sukunrt .

p2p/http/auth/auth.go

p2p/http/auth/client.go

sukunrt · 2024-09-08T09:52:28Z

p2p/http/auth/client.go

+	}
+	resp.Body.Close()
+
+	err = handshake.ParseHeader(resp.Header)


Do we need to set the status code first?

On the client? Or do you mean assert the status code is 401?

p2p/http/auth/internal/handshake/client.go

p2p/http/auth/client.go

sukunrt · 2024-09-08T11:11:04Z

The new spec is much nicer! Thanks @MarcoPolo

p2p/http/auth/client.go

Because otherwise the body is not copied.

This comment was marked as outdated.

Sign in to view

sukunrt reviewed Jul 9, 2024

View reviewed changes

MarcoPolo force-pushed the marco/http-peer-id-auth branch from c2d12e7 to 2a55ceb Compare August 28, 2024 00:45

MarcoPolo mentioned this pull request Aug 30, 2024

feat: initial implementation ipshipyard/p2p-forge#1

Merged

MarcoPolo force-pushed the marco/http-peer-id-auth branch from fccc2d5 to fbcede2 Compare September 3, 2024 22:50

sukunrt approved these changes Sep 8, 2024

View reviewed changes

aschmahmann reviewed Sep 9, 2024

View reviewed changes

p2p/http/auth/client.go Outdated Show resolved Hide resolved

lidel mentioned this pull request Sep 18, 2024

feat(AutoTLS): opt-in WSS certs from p2p-forge at libp2p.direct ipfs/kubo#10521

Merged

12 tasks

MarcoPolo added 20 commits October 7, 2024 15:13

Initial implementation of http peer id auth

18b77b5

export client mutual auth

3600784

Add test vectors

2f30269

Add test walkthrough for spec

ef91911

Don't bother decoding challenges

425fd92

Backport AppendEncode/AppendDecode

7bf466c

Rename origin to hostname

9f1d418

Read hostname from tls session

cda858d

Add protocol ID constant

00ad283

Add marshalled zero key in test

e2e85c0

Rename PeerIDAuth to ServerPeerIDAuth

1dcf866

PR comments

6e7f554

WIP

3e4198c

Refactor handshake

cffbec4

Implement public API

d166a0b

Nits

80feebc

Error if challenge is too short

7ecc2a1

nit

2d8a24f

Mod tidy

6d8c28c

nit

8e18916

MarcoPolo added 15 commits October 7, 2024 15:13

Use a newRequest function rather than shallow clone

8e3f98e

Because otherwise the body is not copied.

Add tests to generate examples for specs

6bd3799

Rename InsecureNoTLS. Update comment

2fd3b24

Add support for client-initiated handshake

0da88ec

Change handshake api a bit

376128b

Add Client Initiated handshake to API

aafa743

Use ValidHostnameFn even with TLS set

1b1163e

Couple of improvments in internal handshake package

5c01497

Clear GetBody as well; simply running handshake

68c0253

Handle case where server refuses client-initiated handshake

ce5529e

Fix reference in test

50a65d0

PR comments

889ad26

Add example for client initated handshake

f5495ad

Export ProtocolID

a341297

Small nits

37cb110

MarcoPolo force-pushed the marco/http-peer-id-auth branch from dbd59dc to 37cb110 Compare October 8, 2024 00:27

MarcoPolo added 2 commits October 7, 2024 19:18

Check for ErrFinalToken

dbca6a3

Tweak

a1aef28

MarcoPolo merged commit b198a51 into master Oct 8, 2024
11 checks passed

This was referenced Oct 8, 2024

HTTP: Peer ID Authentication libp2p/specs#564

Merged

v0.37 #2901

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

libp2phttp: HTTP Peer ID Authentication #2854

libp2phttp: HTTP Peer ID Authentication #2854

MarcoPolo commented Jun 29, 2024

This comment was marked as outdated.

MarcoPolo commented Aug 28, 2024 •

edited

Loading

sukunrt Sep 8, 2024

MarcoPolo Sep 10, 2024

sukunrt commented Sep 8, 2024

libp2phttp: HTTP Peer ID Authentication #2854

libp2phttp: HTTP Peer ID Authentication #2854

Conversation

MarcoPolo commented Jun 29, 2024

This comment was marked as outdated.

MarcoPolo commented Aug 28, 2024 • edited Loading

sukunrt Sep 8, 2024

Choose a reason for hiding this comment

MarcoPolo Sep 10, 2024

Choose a reason for hiding this comment

sukunrt commented Sep 8, 2024

MarcoPolo commented Aug 28, 2024 •

edited

Loading