willdot.net / distributed-pds
forked from willdot.net/cocoon
A fork of the Cocoon PDS but being made more distributed.
0
Fork 0

Configure Feed

Select the types of activity you want to include in your feed.

oauth (#15)

author
hailey committer
GitHub date (Jun 17, 2025, 10:58 PM -0700) commit 5967b43b parent 6cf863b3
+2742 -81
+2
.env.example
··· 6 6 COCOON_RELAYS=https://bsky.network 7 7 # Generate with `openssl rand -hex 16` 8 8 COCOON_ADMIN_PASSWORD= 9 + # openssl rand -hex 32 10 + COCOON_SESSION_SECRET=
+1
.gitignore
··· 2 2 .env 3 3 /cocoon 4 4 *.key 5 + *.secret
+21
LICENSE
··· 1 + MIT License 2 + 3 + Copyright (c) 2025 me@haileyok.com 4 + 5 + Permission is hereby granted, free of charge, to any person obtaining a copy 6 + of this software and associated documentation files (the "Software"), to deal 7 + in the Software without restriction, including without limitation the rights 8 + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 + copies of the Software, and to permit persons to whom the Software is 10 + furnished to do so, subject to the following conditions: 11 + 12 + The above copyright notice and this permission notice shall be included in all 13 + copies or substantial portions of the Software. 14 + 15 + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 + SOFTWARE.
+5
README.md
··· 71 71 - [ ] com.atproto.moderation.createReport 72 72 - [x] app.bsky.actor.getPreferences 73 73 - [x] app.bsky.actor.putPreferences 74 + 75 + 76 + ## License 77 + 78 + This project is licensed under MIT license. `server/static/pico.css` is also licensed under MIT license, available at [https://github.com/picocss/pico/](https://github.com/picocss/pico/).
+5
cmd/cocoon/main.go
··· 115 115 Name: "s3-secret-key", 116 116 EnvVars: []string{"COCOON_S3_SECRET_KEY"}, 117 117 }, 118 + &cli.StringFlag{ 119 + Name: "session-secret", 120 + EnvVars: []string{"COCOON_SESSION_SECRET"}, 121 + }, 118 122 }, 119 123 Commands: []*cli.Command{ 120 124 run, ··· 158 162 AccessKey: cmd.String("s3-access-key"), 159 163 SecretKey: cmd.String("s3-secret-key"), 160 164 }, 165 + SessionSecret: cmd.String("session-secret"), 161 166 }) 162 167 if err != nil { 163 168 fmt.Printf("error creating cocoon: %v", err)
+19 -14
go.mod
··· 8 8 github.com/bluesky-social/indigo v0.0.0-20250414202759-826fcdeaa36b 9 9 github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792 10 10 github.com/domodwyer/mailyak/v3 v3.6.2 11 + github.com/go-pkgz/expirable-cache/v3 v3.0.0 11 12 github.com/go-playground/validator v9.31.0+incompatible 12 13 github.com/golang-jwt/jwt/v4 v4.5.2 13 14 github.com/google/uuid v1.4.0 15 + github.com/gorilla/sessions v1.4.0 14 16 github.com/gorilla/websocket v1.5.1 15 17 github.com/hashicorp/golang-lru/v2 v2.0.7 16 18 github.com/ipfs/go-block-format v0.2.0 ··· 18 20 github.com/ipfs/go-ipld-cbor v0.1.0 19 21 github.com/ipld/go-car v0.6.1-0.20230509095817-92d28eb23ba4 20 22 github.com/joho/godotenv v1.5.1 23 + github.com/labstack/echo-contrib v0.17.4 21 24 github.com/labstack/echo/v4 v4.13.3 22 25 github.com/lestrrat-go/jwx/v2 v2.0.12 23 26 github.com/multiformats/go-multihash v0.2.3 ··· 25 28 github.com/urfave/cli/v2 v2.27.6 26 29 github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e 27 30 gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b 28 - golang.org/x/crypto v0.36.0 31 + golang.org/x/crypto v0.38.0 29 32 gorm.io/driver/sqlite v1.5.7 30 33 gorm.io/gorm v1.25.12 31 34 ) ··· 35 38 github.com/RussellLuo/slidingwindow v0.0.0-20200528002341-535bb99d338b // indirect 36 39 github.com/beorn7/perks v1.0.1 // indirect 37 40 github.com/carlmjohnson/versioninfo v0.22.5 // indirect 38 - github.com/cespare/xxhash/v2 v2.2.0 // indirect 41 + github.com/cespare/xxhash/v2 v2.3.0 // indirect 39 42 github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect 40 43 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect 41 44 github.com/felixge/httpsnoop v1.0.4 // indirect ··· 47 50 github.com/gocql/gocql v1.7.0 // indirect 48 51 github.com/gogo/protobuf v1.3.2 // indirect 49 52 github.com/golang/snappy v0.0.4 // indirect 53 + github.com/gorilla/context v1.1.2 // indirect 54 + github.com/gorilla/securecookie v1.1.2 // indirect 50 55 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect 51 56 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 52 57 github.com/hashicorp/go-retryablehttp v0.7.5 // indirect ··· 84 89 github.com/lestrrat-go/httprc v1.0.4 // indirect 85 90 github.com/lestrrat-go/iter v1.0.2 // indirect 86 91 github.com/lestrrat-go/option v1.0.1 // indirect 87 - github.com/mattn/go-colorable v0.1.13 // indirect 92 + github.com/mattn/go-colorable v0.1.14 // indirect 88 93 github.com/mattn/go-isatty v0.0.20 // indirect 89 94 github.com/mattn/go-sqlite3 v1.14.22 // indirect 90 - github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect 91 95 github.com/minio/sha256-simd v1.0.1 // indirect 92 96 github.com/mr-tron/base58 v1.2.0 // indirect 93 97 github.com/multiformats/go-base32 v0.1.0 // indirect 94 98 github.com/multiformats/go-base36 v0.2.0 // indirect 95 99 github.com/multiformats/go-multibase v0.2.0 // indirect 96 100 github.com/multiformats/go-varint v0.0.7 // indirect 101 + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 97 102 github.com/opentracing/opentracing-go v1.2.0 // indirect 98 103 github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f // indirect 99 - github.com/prometheus/client_golang v1.17.0 // indirect 100 - github.com/prometheus/client_model v0.5.0 // indirect 101 - github.com/prometheus/common v0.45.0 // indirect 102 - github.com/prometheus/procfs v0.12.0 // indirect 104 + github.com/prometheus/client_golang v1.22.0 // indirect 105 + github.com/prometheus/client_model v0.6.2 // indirect 106 + github.com/prometheus/common v0.63.0 // indirect 107 + github.com/prometheus/procfs v0.16.1 // indirect 103 108 github.com/russross/blackfriday/v2 v2.1.0 // indirect 104 109 github.com/samber/lo v1.49.1 // indirect 105 110 github.com/segmentio/asm v1.2.0 // indirect ··· 115 120 go.uber.org/atomic v1.11.0 // indirect 116 121 go.uber.org/multierr v1.11.0 // indirect 117 122 go.uber.org/zap v1.26.0 // indirect 118 - golang.org/x/net v0.33.0 // indirect 119 - golang.org/x/sync v0.12.0 // indirect 120 - golang.org/x/sys v0.31.0 // indirect 121 - golang.org/x/text v0.23.0 // indirect 122 - golang.org/x/time v0.8.0 // indirect 123 + golang.org/x/net v0.40.0 // indirect 124 + golang.org/x/sync v0.14.0 // indirect 125 + golang.org/x/sys v0.33.0 // indirect 126 + golang.org/x/text v0.25.0 // indirect 127 + golang.org/x/time v0.11.0 // indirect 123 128 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect 124 - google.golang.org/protobuf v1.33.0 // indirect 129 + google.golang.org/protobuf v1.36.6 // indirect 125 130 gopkg.in/go-playground/assert.v1 v1.2.1 // indirect 126 131 gopkg.in/inf.v0 v0.9.1 // indirect 127 132 gorm.io/driver/postgres v1.5.7 // indirect
+42 -32
go.sum
··· 24 24 github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792/go.mod h1:ghJtEyQwv5/p4Mg4C0fgbePVuGr935/5ddU9Z3TmDRY= 25 25 github.com/carlmjohnson/versioninfo v0.22.5 h1:O00sjOLUAFxYQjlN/bzYTuZiS0y6fWDQjMRvwtKgwwc= 26 26 github.com/carlmjohnson/versioninfo v0.22.5/go.mod h1:QT9mph3wcVfISUKd0i9sZfVrPviHuSF+cUtLjm2WSf8= 27 - github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= 28 - github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 27 + github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= 28 + github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 29 29 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= 30 30 github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= 31 31 github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= ··· 48 48 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 49 49 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= 50 50 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= 51 + github.com/go-pkgz/expirable-cache/v3 v3.0.0 h1:u3/gcu3sabLYiTCevoRKv+WzjIn5oo7P8XtiXBeRDLw= 52 + github.com/go-pkgz/expirable-cache/v3 v3.0.0/go.mod h1:2OQiDyEGQalYecLWmXprm3maPXeVb5/6/X7yRPYTzec= 51 53 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA= 52 54 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= 53 55 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= ··· 68 70 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 69 71 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= 70 72 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 71 - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 72 - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 73 + github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= 74 + github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= 75 + github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= 76 + github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 73 77 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= 74 78 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= 75 79 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= ··· 77 81 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 78 82 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= 79 83 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= 84 + github.com/gorilla/context v1.1.2 h1:WRkNAv2uoa03QNIc1A6u4O7DAGMUVoopZhkiXWA2V1o= 85 + github.com/gorilla/context v1.1.2/go.mod h1:KDPwT9i/MeWHiLl90fuTgrt4/wPcv75vFAZLaOOcbxM= 86 + github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= 87 + github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= 88 + github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ= 89 + github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik= 80 90 github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= 81 91 github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= 82 92 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8= ··· 196 206 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 197 207 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 198 208 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 209 + github.com/labstack/echo-contrib v0.17.4 h1:g5mfsrJfJTKv+F5uNKCyrjLK7js+ZW6HTjg4FnDxxgk= 210 + github.com/labstack/echo-contrib v0.17.4/go.mod h1:9O7ZPAHUeMGTOAfg80YqQduHzt0CzLak36PZRldYrZ0= 199 211 github.com/labstack/echo/v4 v4.13.3 h1:pwhpCPrTl5qry5HRdM5FwdXnhXSLSY+WE+YQSeCaafY= 200 212 github.com/labstack/echo/v4 v4.13.3/go.mod h1:o90YNEeQWjDozo584l7AwhJMHN0bOC4tAfg+Xox9q5g= 201 213 github.com/labstack/gommon v0.4.2 h1:F8qTUNXgG1+6WQmqoUWnz8WiEU60mXVVw0P4ht1WRA0= ··· 233 245 github.com/libp2p/go-nat v0.1.0/go.mod h1:X7teVkwRHNInVNWQiO/tAiAVRwSr5zoRz4YSTC3uRBM= 234 246 github.com/libp2p/go-netroute v0.2.1 h1:V8kVrpD8GK0Riv15/7VN6RbUQ3URNZVosw7H2v9tksU= 235 247 github.com/libp2p/go-netroute v0.2.1/go.mod h1:hraioZr0fhBjG0ZRXJJ6Zj2IVEVNx6tDTFQfSmcq7mQ= 236 - github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= 237 - github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= 248 + github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= 249 + github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8= 238 250 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= 239 - github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 240 251 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= 241 252 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= 242 253 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= 243 254 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= 244 - github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= 245 - github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= 246 255 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA= 247 256 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME= 248 257 github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM= ··· 269 278 github.com/multiformats/go-multistream v0.4.1/go.mod h1:Mz5eykRVAjJWckE2U78c6xqdtyNUEhKSM0Lwar2p77Q= 270 279 github.com/multiformats/go-varint v0.0.7 h1:sWSGR+f/eu5ABZA2ZpYKBILXTTs9JWpdEM/nEGOHFS8= 271 280 github.com/multiformats/go-varint v0.0.7/go.mod h1:r8PUYw/fD/SjBCiKOoDlGF6QawOELpZAu9eioSos/OU= 281 + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= 282 + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 272 283 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= 273 284 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= 274 285 github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9 h1:1/WtZae0yGtPq+TI6+Tv1WTxkukpXeMlviSxvL7SRgk= ··· 278 289 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 279 290 github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f h1:VXTQfuJj9vKR4TCkEuWIckKvdHFeJH/huIFJ9/cXOB0= 280 291 github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f/go.mod h1:/zvteZs/GwLtCgZ4BL6CBsk9IKIlexP43ObX9AxTqTw= 281 - github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= 282 - github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= 283 - github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= 284 - github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= 285 - github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= 286 - github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= 287 - github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= 288 - github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= 292 + github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= 293 + github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= 294 + github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= 295 + github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= 296 + github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k= 297 + github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18= 298 + github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= 299 + github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= 289 300 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 290 301 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= 291 302 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= ··· 373 384 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 374 385 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 375 386 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= 376 - golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= 377 - golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= 387 + golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= 388 + golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= 378 389 golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ= 379 390 golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= 380 391 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= ··· 396 407 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 397 408 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= 398 409 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= 399 - golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= 400 - golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= 410 + golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= 411 + golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= 401 412 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 402 413 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 403 414 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 404 415 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 405 416 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 406 417 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 407 - golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= 408 - golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= 418 + golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= 419 + golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= 409 420 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 410 421 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 411 422 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= ··· 417 428 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 418 429 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 419 430 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 420 - golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 421 431 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 422 432 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 423 433 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 424 434 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 425 - golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= 426 - golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 435 + golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= 436 + golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 427 437 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 428 438 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 429 439 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= ··· 435 445 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 436 446 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 437 447 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= 438 - golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= 439 - golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= 440 - golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg= 441 - golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= 448 + golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= 449 + golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= 450 + golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= 451 + golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= 442 452 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 443 453 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 444 454 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= ··· 459 469 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 460 470 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU= 461 471 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= 462 - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= 463 - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= 472 + google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= 473 + google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= 464 474 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 465 475 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 466 476 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+47
internal/helpers/helpers.go
··· 1 1 package helpers 2 2 3 3 import ( 4 + crand "crypto/rand" 5 + "encoding/hex" 6 + "errors" 4 7 "math/rand" 8 + "net/url" 5 9 6 10 "github.com/labstack/echo/v4" 11 + "github.com/lestrrat-go/jwx/v2/jwk" 7 12 ) 8 13 9 14 // This will confirm to the regex in the application if 5 chars are used for each side of the - ··· 39 44 } 40 45 return string(b) 41 46 } 47 + 48 + func RandomHex(n int) (string, error) { 49 + bytes := make([]byte, n) 50 + if _, err := crand.Read(bytes); err != nil { 51 + return "", err 52 + } 53 + return hex.EncodeToString(bytes), nil 54 + } 55 + 56 + func RandomBytes(n int) []byte { 57 + bs := make([]byte, n) 58 + crand.Read(bs) 59 + return bs 60 + } 61 + 62 + func ParseJWKFromBytes(b []byte) (jwk.Key, error) { 63 + return jwk.ParseKey(b) 64 + } 65 + 66 + func OauthParseHtu(htu string) (string, error) { 67 + u, err := url.Parse(htu) 68 + if err != nil { 69 + return "", errors.New("`htu` is not a valid URL") 70 + } 71 + 72 + if u.User != nil { 73 + _, containsPass := u.User.Password() 74 + if u.User.Username() != "" || containsPass { 75 + return "", errors.New("`htu` must not contain credentials") 76 + } 77 + } 78 + 79 + if u.Scheme != "http" && u.Scheme != "https" { 80 + return "", errors.New("`htu` must be http or https") 81 + } 82 + 83 + return OauthNormalizeHtu(u), nil 84 + } 85 + 86 + func OauthNormalizeHtu(u *url.URL) string { 87 + return u.Scheme + "://" + u.Host + u.RawPath 88 + }
+8
oauth/client.go
··· 1 + package oauth 2 + 3 + import "github.com/lestrrat-go/jwx/v2/jwk" 4 + 5 + type Client struct { 6 + Metadata *ClientMetadata 7 + JWKS jwk.Key 8 + }
+390
oauth/client_manager/client_manager.go
··· 1 + package client_manager 2 + 3 + import ( 4 + "context" 5 + "encoding/json" 6 + "errors" 7 + "fmt" 8 + "io" 9 + "log/slog" 10 + "net/http" 11 + "net/url" 12 + "slices" 13 + "strings" 14 + "time" 15 + 16 + cache "github.com/go-pkgz/expirable-cache/v3" 17 + "github.com/haileyok/cocoon/internal/helpers" 18 + "github.com/haileyok/cocoon/oauth" 19 + "github.com/lestrrat-go/jwx/v2/jwk" 20 + ) 21 + 22 + type ClientManager struct { 23 + cli *http.Client 24 + logger *slog.Logger 25 + jwksCache cache.Cache[string, jwk.Key] 26 + metadataCache cache.Cache[string, oauth.ClientMetadata] 27 + } 28 + 29 + type Args struct { 30 + Cli *http.Client 31 + Logger *slog.Logger 32 + } 33 + 34 + func New(args Args) *ClientManager { 35 + if args.Logger == nil { 36 + args.Logger = slog.Default() 37 + } 38 + 39 + if args.Cli == nil { 40 + args.Cli = http.DefaultClient 41 + } 42 + 43 + jwksCache := cache.NewCache[string, jwk.Key]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute) 44 + metadataCache := cache.NewCache[string, oauth.ClientMetadata]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute) 45 + 46 + return &ClientManager{ 47 + cli: args.Cli, 48 + logger: args.Logger, 49 + jwksCache: jwksCache, 50 + metadataCache: metadataCache, 51 + } 52 + } 53 + 54 + func (cm *ClientManager) GetClient(ctx context.Context, clientId string) (*oauth.Client, error) { 55 + metadata, err := cm.getClientMetadata(ctx, clientId) 56 + if err != nil { 57 + return nil, err 58 + } 59 + 60 + var jwks jwk.Key 61 + if metadata.JWKS != nil { 62 + // TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to 63 + // make sure we use the right one 64 + k, err := helpers.ParseJWKFromBytes((*metadata.JWKS)[0]) 65 + if err != nil { 66 + return nil, err 67 + } 68 + jwks = k 69 + } else if metadata.JWKSURI != nil { 70 + maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI) 71 + if err != nil { 72 + return nil, err 73 + } 74 + 75 + jwks = maybeJwks 76 + } 77 + 78 + return &oauth.Client{ 79 + Metadata: metadata, 80 + JWKS: jwks, 81 + }, nil 82 + } 83 + 84 + func (cm *ClientManager) getClientMetadata(ctx context.Context, clientId string) (*oauth.ClientMetadata, error) { 85 + metadataCached, ok := cm.metadataCache.Get(clientId) 86 + if !ok { 87 + req, err := http.NewRequestWithContext(ctx, "GET", clientId, nil) 88 + if err != nil { 89 + return nil, err 90 + } 91 + 92 + resp, err := cm.cli.Do(req) 93 + if err != nil { 94 + return nil, err 95 + } 96 + defer resp.Body.Close() 97 + 98 + if resp.StatusCode != http.StatusOK { 99 + io.Copy(io.Discard, resp.Body) 100 + return nil, fmt.Errorf("fetching client metadata returned response code %d", resp.StatusCode) 101 + } 102 + 103 + b, err := io.ReadAll(resp.Body) 104 + if err != nil { 105 + return nil, fmt.Errorf("error reading bytes from client response: %w", err) 106 + } 107 + 108 + validated, err := validateAndParseMetadata(clientId, b) 109 + if err != nil { 110 + return nil, err 111 + } 112 + 113 + return validated, nil 114 + } else { 115 + return &metadataCached, nil 116 + } 117 + } 118 + 119 + func (cm *ClientManager) getClientJwks(ctx context.Context, clientId, jwksUri string) (jwk.Key, error) { 120 + jwks, ok := cm.jwksCache.Get(clientId) 121 + if !ok { 122 + req, err := http.NewRequestWithContext(ctx, "GET", jwksUri, nil) 123 + if err != nil { 124 + return nil, err 125 + } 126 + 127 + resp, err := cm.cli.Do(req) 128 + if err != nil { 129 + return nil, err 130 + } 131 + defer resp.Body.Close() 132 + 133 + if resp.StatusCode != http.StatusOK { 134 + io.Copy(io.Discard, resp.Body) 135 + return nil, fmt.Errorf("fetching client jwks returned response code %d", resp.StatusCode) 136 + } 137 + 138 + type Keys struct { 139 + Keys []map[string]any `json:"keys"` 140 + } 141 + 142 + var keys Keys 143 + if err := json.NewDecoder(resp.Body).Decode(&keys); err != nil { 144 + return nil, fmt.Errorf("error unmarshaling keys response: %w", err) 145 + } 146 + 147 + if len(keys.Keys) == 0 { 148 + return nil, errors.New("no keys in jwks response") 149 + } 150 + 151 + // TODO: this is again bad, we should be figuring out which one we need to use... 152 + b, err := json.Marshal(keys.Keys[0]) 153 + if err != nil { 154 + return nil, fmt.Errorf("could not marshal key: %w", err) 155 + } 156 + 157 + k, err := helpers.ParseJWKFromBytes(b) 158 + if err != nil { 159 + return nil, err 160 + } 161 + 162 + jwks = k 163 + } 164 + 165 + return jwks, nil 166 + } 167 + 168 + func validateAndParseMetadata(clientId string, b []byte) (*oauth.ClientMetadata, error) { 169 + var metadataMap map[string]any 170 + if err := json.Unmarshal(b, &metadataMap); err != nil { 171 + return nil, fmt.Errorf("error unmarshaling metadata: %w", err) 172 + } 173 + 174 + _, jwksOk := metadataMap["jwks"].(string) 175 + _, jwksUriOk := metadataMap["jwks_uri"].(string) 176 + if jwksOk && jwksUriOk { 177 + return nil, errors.New("jwks_uri and jwks are mutually exclusive") 178 + } 179 + 180 + for _, k := range []string{ 181 + "default_max_age", 182 + "userinfo_signed_response_alg", 183 + "id_token_signed_response_alg", 184 + "userinfo_encryhpted_response_alg", 185 + "authorization_encrypted_response_enc", 186 + "authorization_encrypted_response_alg", 187 + "tls_client_certificate_bound_access_tokens", 188 + } { 189 + _, kOk := metadataMap[k] 190 + if kOk { 191 + return nil, fmt.Errorf("unsupported `%s` parameter", k) 192 + } 193 + } 194 + 195 + var metadata oauth.ClientMetadata 196 + if err := json.Unmarshal(b, &metadata); err != nil { 197 + return nil, fmt.Errorf("error unmarshaling metadata: %w", err) 198 + } 199 + 200 + u, err := url.Parse(metadata.ClientURI) 201 + if err != nil { 202 + return nil, fmt.Errorf("unable to parse client uri: %w", err) 203 + } 204 + 205 + if isLocalHostname(u.Hostname()) { 206 + return nil, errors.New("`client_uri` hostname is invalid") 207 + } 208 + 209 + if metadata.Scope == "" { 210 + return nil, errors.New("missing `scopes` scope") 211 + } 212 + 213 + scopes := strings.Split(metadata.Scope, " ") 214 + if !slices.Contains(scopes, "atproto") { 215 + return nil, errors.New("missing `atproto` scope") 216 + } 217 + 218 + scopesMap := map[string]bool{} 219 + for _, scope := range scopes { 220 + if scopesMap[scope] { 221 + return nil, fmt.Errorf("duplicate scope `%s`", scope) 222 + } 223 + 224 + // TODO: check for unsupported scopes 225 + 226 + scopesMap[scope] = true 227 + } 228 + 229 + grantTypesMap := map[string]bool{} 230 + for _, gt := range metadata.GrantTypes { 231 + if grantTypesMap[gt] { 232 + return nil, fmt.Errorf("duplicate grant type `%s`", gt) 233 + } 234 + 235 + switch gt { 236 + case "implicit": 237 + return nil, errors.New("grantg type `implicit` is not allowed") 238 + case "authorization_code", "refresh_token": 239 + // TODO check if this grant type is supported 240 + default: 241 + return nil, fmt.Errorf("grant tyhpe `%s` is not supported", gt) 242 + } 243 + 244 + grantTypesMap[gt] = true 245 + } 246 + 247 + if metadata.ClientID != clientId { 248 + return nil, errors.New("`client_id` does not match") 249 + } 250 + 251 + subjectType, subjectTypeOk := metadataMap["subject_type"].(string) 252 + if subjectTypeOk && subjectType != "public" { 253 + return nil, errors.New("only public `subject_type` is supported") 254 + } 255 + 256 + switch metadata.TokenEndpointAuthMethod { 257 + case "none": 258 + if metadata.TokenEndpointAuthSigningAlg != "" { 259 + return nil, errors.New("token_endpoint_auth_method `none` must not have token_endpoint_auth_signing_alg") 260 + } 261 + case "private_key_jwt": 262 + if metadata.JWKS == nil && metadata.JWKSURI == nil { 263 + return nil, errors.New("private_key_jwt auth method requires jwks or jwks_uri") 264 + } 265 + 266 + if metadata.JWKS != nil && len(*metadata.JWKS) == 0 { 267 + return nil, errors.New("private_key_jwt auth method requires atleast one key in jwks") 268 + } 269 + 270 + if metadata.TokenEndpointAuthSigningAlg == "" { 271 + return nil, errors.New("missing token_endpoint_auth_signing_alg in client metadata") 272 + } 273 + default: 274 + return nil, fmt.Errorf("unsupported client authentication method `%s`", metadata.TokenEndpointAuthMethod) 275 + } 276 + 277 + if !metadata.DpopBoundAccessTokens { 278 + return nil, errors.New("dpop_bound_access_tokens must be true") 279 + } 280 + 281 + if !slices.Contains(metadata.ResponseTypes, "code") { 282 + return nil, errors.New("response_types must inclue `code`") 283 + } 284 + 285 + if !slices.Contains(metadata.GrantTypes, "authorization_code") { 286 + return nil, errors.New("the `code` response type requires that `grant_types` contains `authorization_code`") 287 + } 288 + 289 + if len(metadata.RedirectURIs) == 0 { 290 + return nil, errors.New("at least one `redirect_uri` is required") 291 + } 292 + 293 + if metadata.ApplicationType == "native" && metadata.TokenEndpointAuthMethod == "none" { 294 + return nil, errors.New("native clients must authenticate using `none` method") 295 + } 296 + 297 + if metadata.ApplicationType == "web" && slices.Contains(metadata.GrantTypes, "implicit") { 298 + for _, ruri := range metadata.RedirectURIs { 299 + u, err := url.Parse(ruri) 300 + if err != nil { 301 + return nil, fmt.Errorf("error parsing redirect uri: %w", err) 302 + } 303 + 304 + if u.Scheme != "https" { 305 + return nil, errors.New("web clients must use https redirect uris") 306 + } 307 + 308 + if u.Hostname() == "localhost" { 309 + return nil, errors.New("web clients must not use localhost as the hostname") 310 + } 311 + } 312 + } 313 + 314 + for _, ruri := range metadata.RedirectURIs { 315 + u, err := url.Parse(ruri) 316 + if err != nil { 317 + return nil, fmt.Errorf("error parsing redirect uri: %w", err) 318 + } 319 + 320 + if u.User != nil { 321 + if u.User.Username() != "" { 322 + return nil, fmt.Errorf("redirect uri %s must not contain credentials", ruri) 323 + } 324 + 325 + if _, hasPass := u.User.Password(); hasPass { 326 + return nil, fmt.Errorf("redirect uri %s must not contain credentials", ruri) 327 + } 328 + } 329 + 330 + switch true { 331 + case u.Hostname() == "localhost": 332 + return nil, errors.New("loopback redirect uri is not allowed (use explicit ips instead)") 333 + case u.Hostname() == "127.0.0.1", u.Hostname() == "[::1]": 334 + if metadata.ApplicationType != "native" { 335 + return nil, errors.New("loopback redirect uris are only allowed for native apps") 336 + } 337 + 338 + if u.Port() != "" { 339 + // reference impl doesn't do anything with this? 340 + } 341 + 342 + if u.Scheme != "http" { 343 + return nil, fmt.Errorf("loopback redirect uri %s must use http", ruri) 344 + } 345 + 346 + break 347 + case u.Scheme == "http": 348 + return nil, errors.New("only loopbvack redirect uris are allowed to use the `http` scheme") 349 + case u.Scheme == "https": 350 + if isLocalHostname(u.Hostname()) { 351 + return nil, fmt.Errorf("redirect uri %s's domain must not be a local hostname", ruri) 352 + } 353 + break 354 + case strings.Contains(u.Scheme, "."): 355 + if metadata.ApplicationType != "native" { 356 + return nil, errors.New("private-use uri scheme redirect uris are only allowed for native apps") 357 + } 358 + 359 + revdomain := reverseDomain(u.Scheme) 360 + 361 + if isLocalHostname(revdomain) { 362 + return nil, errors.New("private use uri scheme redirect uris must not be local hostnames") 363 + } 364 + 365 + if strings.HasPrefix(u.String(), fmt.Sprintf("%s://", u.Scheme)) || u.Hostname() != "" || u.Port() != "" { 366 + return nil, fmt.Errorf("private use uri scheme must be in the form ") 367 + } 368 + default: 369 + return nil, fmt.Errorf("invalid redirect uri scheme `%s`", u.Scheme) 370 + } 371 + } 372 + 373 + return &metadata, nil 374 + } 375 + 376 + func isLocalHostname(hostname string) bool { 377 + pts := strings.Split(hostname, ".") 378 + if len(pts) < 2 { 379 + return true 380 + } 381 + 382 + tld := strings.ToLower(pts[len(pts)-1]) 383 + return tld == "test" || tld == "local" || tld == "localhost" || tld == "invalid" || tld == "example" 384 + } 385 + 386 + func reverseDomain(domain string) string { 387 + pts := strings.Split(domain, ".") 388 + slices.Reverse(pts) 389 + return strings.Join(pts, ".") 390 + }
+20
oauth/client_metadata.go
··· 1 + package oauth 2 + 3 + type ClientMetadata struct { 4 + ClientID string `json:"client_id"` 5 + ClientName string `json:"client_name"` 6 + ClientURI string `json:"client_uri"` 7 + LogoURI string `json:"logo_uri"` 8 + TOSURI string `json:"tos_uri"` 9 + PolicyURI string `json:"policy_uri"` 10 + RedirectURIs []string `json:"redirect_uris"` 11 + GrantTypes []string `json:"grant_types"` 12 + ResponseTypes []string `json:"response_types"` 13 + ApplicationType string `json:"application_type"` 14 + DpopBoundAccessTokens bool `json:"dpop_bound_access_tokens"` 15 + JWKSURI *string `json:"jwks_uri,omitempty"` 16 + JWKS *[][]byte `json:"jwks,omitempty"` 17 + Scope string `json:"scope"` 18 + TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"` 19 + TokenEndpointAuthSigningAlg string `json:"token_endpoint_auth_signing_alg"` 20 + }
+52
oauth/constants/constants.go
··· 1 + package constants 2 + 3 + import "time" 4 + 5 + const ( 6 + MaxDpopAge = 10 * time.Second 7 + DpopCheckTolerance = 5 * time.Second 8 + 9 + NonceSecretByteLength = 32 10 + 11 + NonceMaxRotationInterval = DpopNonceMaxAge / 3 12 + NonceMinRotationInterval = 1 * time.Second 13 + 14 + JTICacheSize = 100_000 15 + JTITtl = 24 * time.Hour 16 + 17 + ClientAssertionTypeJwtBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" 18 + ParExpiresIn = 5 * time.Minute 19 + 20 + ClientAssertionMaxAge = 1 * time.Minute 21 + 22 + DeviceIdPrefix = "dev-" 23 + DeviceIdBytesLength = 16 24 + 25 + SessionIdPrefix = "ses-" 26 + SessionIdBytesLength = 16 27 + 28 + RefreshTokenPrefix = "ref-" 29 + RefreshTokenBytesLength = 32 30 + 31 + RequestIdPrefix = "req-" 32 + RequestIdBytesLength = 16 33 + RequestUriPrefix = "urn:ietf:params:oauth:request_uri:" 34 + 35 + CodePrefix = "cod-" 36 + CodeBytesLength = 32 37 + 38 + TokenIdPrefix = "tok-" 39 + TokenIdBytesLength = 16 40 + 41 + TokenMaxAge = 60 * time.Minute 42 + 43 + AuthorizationInactivityTimeout = 5 * time.Minute 44 + 45 + DpopNonceMaxAge = 3 * time.Minute 46 + 47 + ConfidentialClientSessionLifetime = 2 * 365 * 24 * time.Hour // 2 years 48 + ConfidentialClientRefreshLifetime = 3 * 30 * 24 * time.Hour // 3 months 49 + 50 + PublicClientSessionLifetime = 2 * 7 * 24 * time.Hour // 2 weeks 51 + PublicClientRefreshLifetime = PublicClientSessionLifetime 52 + )
+251
oauth/dpop/dpop_manager/dpop_manager.go
··· 1 + package dpop_manager 2 + 3 + import ( 4 + "crypto" 5 + "crypto/sha256" 6 + "encoding/base64" 7 + "encoding/json" 8 + "errors" 9 + "fmt" 10 + "log/slog" 11 + "net/http" 12 + "net/url" 13 + "strings" 14 + "time" 15 + 16 + "github.com/golang-jwt/jwt/v4" 17 + "github.com/haileyok/cocoon/internal/helpers" 18 + "github.com/haileyok/cocoon/oauth/constants" 19 + "github.com/haileyok/cocoon/oauth/dpop" 20 + "github.com/haileyok/cocoon/oauth/dpop/nonce" 21 + "github.com/lestrrat-go/jwx/v2/jwa" 22 + "github.com/lestrrat-go/jwx/v2/jwk" 23 + ) 24 + 25 + type DpopManager struct { 26 + nonce *nonce.Nonce 27 + jtiCache *jtiCache 28 + logger *slog.Logger 29 + hostname string 30 + } 31 + 32 + type Args struct { 33 + NonceSecret []byte 34 + NonceRotationInterval time.Duration 35 + OnNonceSecretCreated func([]byte) 36 + JTICacheSize int 37 + Logger *slog.Logger 38 + Hostname string 39 + } 40 + 41 + func New(args Args) *DpopManager { 42 + if args.Logger == nil { 43 + args.Logger = slog.Default() 44 + } 45 + 46 + if args.JTICacheSize == 0 { 47 + args.JTICacheSize = 100_000 48 + } 49 + 50 + if args.NonceSecret == nil { 51 + args.Logger.Warn("nonce secret passed to dpop manager was nil. existing sessions may break. consider saving and restoring your nonce.") 52 + } 53 + 54 + return &DpopManager{ 55 + nonce: nonce.NewNonce(nonce.Args{ 56 + RotationInterval: args.NonceRotationInterval, 57 + Secret: args.NonceSecret, 58 + OnSecretCreated: args.OnNonceSecretCreated, 59 + }), 60 + jtiCache: newJTICache(args.JTICacheSize), 61 + logger: args.Logger, 62 + hostname: args.Hostname, 63 + } 64 + } 65 + 66 + func (dm *DpopManager) CheckProof(reqMethod, reqUrl string, headers http.Header, accessToken *string) (*dpop.Proof, error) { 67 + if reqMethod == "" { 68 + return nil, errors.New("HTTP method is required") 69 + } 70 + 71 + if !strings.HasPrefix(reqUrl, "https://") { 72 + reqUrl = "https://" + dm.hostname + reqUrl 73 + } 74 + 75 + proof := extractProof(headers) 76 + 77 + if proof == "" { 78 + return nil, nil 79 + } 80 + 81 + parser := jwt.NewParser(jwt.WithoutClaimsValidation()) 82 + var token *jwt.Token 83 + 84 + token, _, err := parser.ParseUnverified(proof, jwt.MapClaims{}) 85 + if err != nil { 86 + return nil, fmt.Errorf("could not parse dpop proof jwt: %w", err) 87 + } 88 + 89 + typ, _ := token.Header["typ"].(string) 90 + if typ != "dpop+jwt" { 91 + return nil, errors.New(`invalid dpop proof jwt: "typ" must be 'dpop+jwt'`) 92 + } 93 + 94 + dpopJwk, jwkOk := token.Header["jwk"].(map[string]any) 95 + if !jwkOk { 96 + return nil, errors.New(`invalid dpop proof jwt: "jwk" is missing in header`) 97 + } 98 + 99 + jwkb, err := json.Marshal(dpopJwk) 100 + if err != nil { 101 + return nil, fmt.Errorf("failed to marshal jwk: %w", err) 102 + } 103 + 104 + key, err := jwk.ParseKey(jwkb) 105 + if err != nil { 106 + return nil, fmt.Errorf("failed to parse jwk: %w", err) 107 + } 108 + 109 + var pubKey any 110 + if err := key.Raw(&pubKey); err != nil { 111 + return nil, fmt.Errorf("failed to get raw public key: %w", err) 112 + } 113 + 114 + token, err = jwt.Parse(proof, func(t *jwt.Token) (any, error) { 115 + alg := t.Header["alg"].(string) 116 + 117 + switch key.KeyType() { 118 + case jwa.EC: 119 + if !strings.HasPrefix(alg, "ES") { 120 + return nil, fmt.Errorf("algorithm %s doesn't match EC key type", alg) 121 + } 122 + case jwa.RSA: 123 + if !strings.HasPrefix(alg, "RS") && !strings.HasPrefix(alg, "PS") { 124 + return nil, fmt.Errorf("algorithm %s doesn't match RSA key type", alg) 125 + } 126 + case jwa.OKP: 127 + if alg != "EdDSA" { 128 + return nil, fmt.Errorf("algorithm %s doesn't match OKP key type", alg) 129 + } 130 + } 131 + 132 + return pubKey, nil 133 + }, jwt.WithValidMethods([]string{"ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "EdDSA"})) 134 + if err != nil { 135 + return nil, fmt.Errorf("could not verify dpop proof jwt: %w", err) 136 + } 137 + 138 + if !token.Valid { 139 + return nil, errors.New("dpop proof jwt is invalid") 140 + } 141 + 142 + claims, ok := token.Claims.(jwt.MapClaims) 143 + if !ok { 144 + return nil, errors.New("no claims in dpop proof jwt") 145 + } 146 + 147 + iat, iatOk := claims["iat"].(float64) 148 + if !iatOk { 149 + return nil, errors.New(`invalid dpop proof jwt: "iat" is missing`) 150 + } 151 + 152 + iatTime := time.Unix(int64(iat), 0) 153 + now := time.Now() 154 + 155 + if now.Sub(iatTime) > constants.DpopNonceMaxAge+constants.DpopCheckTolerance { 156 + return nil, errors.New("dpop proof too old") 157 + } 158 + 159 + if iatTime.Sub(now) > constants.DpopCheckTolerance { 160 + return nil, errors.New("dpop proof iat is in the future") 161 + } 162 + 163 + jti, _ := claims["jti"].(string) 164 + if jti == "" { 165 + return nil, errors.New(`invalid dpop proof jwt: "jti" is missing`) 166 + } 167 + 168 + if dm.jtiCache.add(jti) { 169 + return nil, errors.New("dpop proof replay detected") 170 + } 171 + 172 + htm, _ := claims["htm"].(string) 173 + if htm == "" { 174 + return nil, errors.New(`invalid dpop proof jwt: "htm" is missing`) 175 + } 176 + 177 + if htm != reqMethod { 178 + return nil, errors.New(`invalid dpop proof jwt: "htm" mismatch`) 179 + } 180 + 181 + htu, _ := claims["htu"].(string) 182 + if htu == "" { 183 + return nil, errors.New(`invalid dpop proof jwt: "htu" is missing`) 184 + } 185 + 186 + parsedHtu, err := helpers.OauthParseHtu(htu) 187 + if err != nil { 188 + return nil, errors.New(`invalid dpop proof jwt: "htu" could not be parsed`) 189 + } 190 + 191 + u, _ := url.Parse(reqUrl) 192 + if parsedHtu != helpers.OauthNormalizeHtu(u) { 193 + return nil, fmt.Errorf(`invalid dpop proof jwt: "htu" mismatch. reqUrl: %s, parsed: %s, normalized: %s`, reqUrl, parsedHtu, helpers.OauthNormalizeHtu(u)) 194 + } 195 + 196 + nonce, _ := claims["nonce"].(string) 197 + if nonce == "" { 198 + // WARN: this _must_ be `use_dpop_nonce` for clients know they should make another request 199 + return nil, errors.New("use_dpop_nonce") 200 + } 201 + 202 + if nonce != "" && !dm.nonce.Check(nonce) { 203 + // WARN: this _must_ be `use_dpop_nonce` so that clients will fetch a new nonce 204 + return nil, errors.New("use_dpop_nonce") 205 + } 206 + 207 + ath, _ := claims["ath"].(string) 208 + 209 + if accessToken != nil && *accessToken != "" { 210 + if ath == "" { 211 + return nil, errors.New(`invalid dpop proof jwt: "ath" is required with access token`) 212 + } 213 + 214 + hash := sha256.Sum256([]byte(*accessToken)) 215 + if ath != base64.RawURLEncoding.EncodeToString(hash[:]) { 216 + return nil, errors.New(`invalid dpop proof jwt: "ath" mismatch`) 217 + } 218 + } else if ath != "" { 219 + return nil, errors.New(`invalid dpop proof jwt: "ath" claim not allowed`) 220 + } 221 + 222 + thumbBytes, err := key.Thumbprint(crypto.SHA256) 223 + if err != nil { 224 + return nil, fmt.Errorf("failed to calculate thumbprint: %w", err) 225 + } 226 + 227 + thumb := base64.RawURLEncoding.EncodeToString(thumbBytes) 228 + 229 + return &dpop.Proof{ 230 + JTI: jti, 231 + JKT: thumb, 232 + HTM: htm, 233 + HTU: htu, 234 + }, nil 235 + } 236 + 237 + func extractProof(headers http.Header) string { 238 + dpopHeaders := headers["Dpop"] 239 + switch len(dpopHeaders) { 240 + case 0: 241 + return "" 242 + case 1: 243 + return dpopHeaders[0] 244 + default: 245 + return "" 246 + } 247 + } 248 + 249 + func (dm *DpopManager) NextNonce() string { 250 + return dm.nonce.NextNonce() 251 + }
+28
oauth/dpop/dpop_manager/jti_cache.go
··· 1 + package dpop_manager 2 + 3 + import ( 4 + "sync" 5 + "time" 6 + 7 + cache "github.com/go-pkgz/expirable-cache/v3" 8 + "github.com/haileyok/cocoon/oauth/constants" 9 + ) 10 + 11 + type jtiCache struct { 12 + mu sync.Mutex 13 + cache cache.Cache[string, bool] 14 + } 15 + 16 + func newJTICache(size int) *jtiCache { 17 + cache := cache.NewCache[string, bool]().WithTTL(24 * time.Hour).WithLRU().WithTTL(constants.JTITtl) 18 + return &jtiCache{ 19 + cache: cache, 20 + mu: sync.Mutex{}, 21 + } 22 + } 23 + 24 + func (c *jtiCache) add(jti string) bool { 25 + c.mu.Lock() 26 + defer c.mu.Unlock() 27 + return c.cache.Add(jti, true) 28 + }
+108
oauth/dpop/nonce/nonce.go
··· 1 + package nonce 2 + 3 + import ( 4 + "crypto/hmac" 5 + "crypto/sha256" 6 + "encoding/base64" 7 + "encoding/binary" 8 + "sync" 9 + "time" 10 + 11 + "github.com/haileyok/cocoon/internal/helpers" 12 + "github.com/haileyok/cocoon/oauth/constants" 13 + ) 14 + 15 + type Nonce struct { 16 + rotationInterval time.Duration 17 + secret []byte 18 + 19 + mu sync.RWMutex 20 + 21 + counter int64 22 + prev string 23 + curr string 24 + next string 25 + } 26 + 27 + type Args struct { 28 + RotationInterval time.Duration 29 + Secret []byte 30 + OnSecretCreated func([]byte) 31 + } 32 + 33 + func NewNonce(args Args) *Nonce { 34 + if args.RotationInterval == 0 { 35 + args.RotationInterval = constants.NonceMaxRotationInterval / 3 36 + } 37 + 38 + if args.RotationInterval > constants.NonceMaxRotationInterval { 39 + args.RotationInterval = constants.NonceMaxRotationInterval 40 + } 41 + 42 + if args.Secret == nil { 43 + args.Secret = helpers.RandomBytes(constants.NonceSecretByteLength) 44 + args.OnSecretCreated(args.Secret) 45 + } 46 + 47 + n := &Nonce{ 48 + rotationInterval: args.RotationInterval, 49 + secret: args.Secret, 50 + mu: sync.RWMutex{}, 51 + } 52 + 53 + n.counter = n.currentCounter() 54 + n.prev = n.compute(n.counter - 1) 55 + n.curr = n.compute(n.counter) 56 + n.next = n.compute(n.counter + 1) 57 + 58 + return n 59 + } 60 + 61 + func (n *Nonce) currentCounter() int64 { 62 + return time.Now().UnixNano() / int64(n.rotationInterval) 63 + } 64 + 65 + func (n *Nonce) compute(counter int64) string { 66 + h := hmac.New(sha256.New, n.secret) 67 + counterBytes := make([]byte, 8) 68 + binary.BigEndian.PutUint64(counterBytes, uint64(counter)) 69 + h.Write(counterBytes) 70 + return base64.RawURLEncoding.EncodeToString(h.Sum(nil)) 71 + } 72 + 73 + func (n *Nonce) rotate() { 74 + counter := n.currentCounter() 75 + diff := counter - n.counter 76 + 77 + switch diff { 78 + case 0: 79 + // counter == n.counter, do nothing 80 + case 1: 81 + n.prev = n.curr 82 + n.curr = n.next 83 + n.next = n.compute(counter + 1) 84 + case 2: 85 + n.prev = n.next 86 + n.curr = n.compute(counter) 87 + n.next = n.compute(counter + 1) 88 + default: 89 + n.prev = n.compute(counter - 1) 90 + n.curr = n.compute(counter) 91 + n.next = n.compute(counter + 1) 92 + } 93 + 94 + n.counter = counter 95 + } 96 + 97 + func (n *Nonce) NextNonce() string { 98 + n.mu.Lock() 99 + defer n.mu.Unlock() 100 + n.rotate() 101 + return n.next 102 + } 103 + 104 + func (n *Nonce) Check(nonce string) bool { 105 + n.mu.RLock() 106 + defer n.mu.RUnlock() 107 + return nonce == n.prev || nonce == n.curr || nonce == n.next 108 + }
+8
oauth/dpop/proof.go
··· 1 + package dpop 2 + 3 + type Proof struct { 4 + JTI string 5 + JKT string 6 + HTM string 7 + HTU string 8 + }
+48
oauth/helpers.go
··· 1 + package oauth 2 + 3 + import ( 4 + "errors" 5 + "fmt" 6 + "net/url" 7 + 8 + "github.com/haileyok/cocoon/internal/helpers" 9 + "github.com/haileyok/cocoon/oauth/constants" 10 + ) 11 + 12 + func GenerateCode() string { 13 + h, _ := helpers.RandomHex(constants.CodeBytesLength) 14 + return constants.CodePrefix + h 15 + } 16 + 17 + func GenerateTokenId() string { 18 + h, _ := helpers.RandomHex(constants.TokenIdBytesLength) 19 + return constants.TokenIdPrefix + h 20 + } 21 + 22 + func GenerateRefreshToken() string { 23 + h, _ := helpers.RandomHex(constants.RefreshTokenBytesLength) 24 + return constants.RefreshTokenPrefix + h 25 + } 26 + 27 + func GenerateRequestId() string { 28 + h, _ := helpers.RandomHex(constants.RequestIdBytesLength) 29 + return constants.RequestIdPrefix + h 30 + } 31 + 32 + func EncodeRequestUri(reqId string) string { 33 + return constants.RequestUriPrefix + url.QueryEscape(reqId) 34 + } 35 + 36 + func DecodeRequestUri(reqUri string) (string, error) { 37 + if len(reqUri) < len(constants.RequestUriPrefix) { 38 + return "", errors.New("invalid request uri") 39 + } 40 + 41 + reqIdEnc := reqUri[len(constants.RequestUriPrefix):] 42 + reqId, err := url.QueryUnescape(reqIdEnc) 43 + if err != nil { 44 + return "", fmt.Errorf("could not unescape request id: %w", err) 45 + } 46 + 47 + return reqId, nil 48 + }
+175
oauth/provider/client_auth.go
··· 1 + package provider 2 + 3 + import ( 4 + "context" 5 + "crypto" 6 + "database/sql/driver" 7 + "encoding/base64" 8 + "encoding/json" 9 + "errors" 10 + "fmt" 11 + "time" 12 + 13 + "github.com/golang-jwt/jwt/v4" 14 + "github.com/haileyok/cocoon/oauth" 15 + "github.com/haileyok/cocoon/oauth/constants" 16 + "github.com/haileyok/cocoon/oauth/dpop" 17 + ) 18 + 19 + type ClientAuth struct { 20 + Method string 21 + Alg string 22 + Kid string 23 + Jkt string 24 + Jti string 25 + Exp *float64 26 + } 27 + 28 + func (ca *ClientAuth) Scan(value any) error { 29 + b, ok := value.([]byte) 30 + if !ok { 31 + return fmt.Errorf("failed to unmarshal OauthParRequest value") 32 + } 33 + return json.Unmarshal(b, ca) 34 + } 35 + 36 + func (ca ClientAuth) Value() (driver.Value, error) { 37 + return json.Marshal(ca) 38 + } 39 + 40 + type AuthenticateClientOptions struct { 41 + AllowMissingDpopProof bool 42 + } 43 + 44 + type AuthenticateClientRequestBase struct { 45 + ClientID string `form:"client_id" json:"client_id" validate:"required"` 46 + ClientAssertionType *string `form:"client_assertion_type" json:"client_assertion_type,omitempty"` 47 + ClientAssertion *string `form:"client_assertion" json:"client_assertion,omitempty"` 48 + } 49 + 50 + func (p *Provider) AuthenticateClient(ctx context.Context, req AuthenticateClientRequestBase, proof *dpop.Proof, opts *AuthenticateClientOptions) (*oauth.Client, *ClientAuth, error) { 51 + client, err := p.ClientManager.GetClient(ctx, req.ClientID) 52 + if err != nil { 53 + return nil, nil, fmt.Errorf("failed to get client: %w", err) 54 + } 55 + 56 + if client.Metadata.DpopBoundAccessTokens && proof == nil && (opts == nil || !opts.AllowMissingDpopProof) { 57 + return nil, nil, errors.New("dpop proof required") 58 + } 59 + 60 + if proof != nil && !client.Metadata.DpopBoundAccessTokens { 61 + return nil, nil, errors.New("dpop proof not allowed for this client") 62 + } 63 + 64 + clientAuth, err := p.Authenticate(ctx, req, client) 65 + if err != nil { 66 + return nil, nil, err 67 + } 68 + 69 + return client, clientAuth, nil 70 + } 71 + 72 + func (p *Provider) Authenticate(_ context.Context, req AuthenticateClientRequestBase, client *oauth.Client) (*ClientAuth, error) { 73 + metadata := client.Metadata 74 + 75 + if metadata.TokenEndpointAuthMethod == "none" { 76 + return &ClientAuth{ 77 + Method: "none", 78 + }, nil 79 + } 80 + 81 + if metadata.TokenEndpointAuthMethod == "private_key_jwt" { 82 + if req.ClientAssertion == nil { 83 + return nil, errors.New(`client authentication method "private_key_jwt" requires a "client_assertion`) 84 + } 85 + 86 + if req.ClientAssertionType == nil || *req.ClientAssertionType != constants.ClientAssertionTypeJwtBearer { 87 + return nil, fmt.Errorf("unsupported client_assertion_type %s", *req.ClientAssertionType) 88 + } 89 + 90 + token, _, err := jwt.NewParser().ParseUnverified(*req.ClientAssertion, jwt.MapClaims{}) 91 + if err != nil { 92 + return nil, fmt.Errorf("error parsing client assertion: %w", err) 93 + } 94 + 95 + kid, ok := token.Header["kid"].(string) 96 + if !ok || kid == "" { 97 + return nil, errors.New(`"kid" required in client_assertion`) 98 + } 99 + 100 + var rawKey any 101 + if err := client.JWKS.Raw(&rawKey); err != nil { 102 + return nil, fmt.Errorf("failed to extract raw key: %w", err) 103 + } 104 + 105 + token, err = jwt.Parse(*req.ClientAssertion, func(token *jwt.Token) (any, error) { 106 + if token.Method.Alg() != jwt.SigningMethodES256.Alg() { 107 + return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) 108 + } 109 + 110 + return rawKey, nil 111 + }) 112 + if err != nil { 113 + return nil, fmt.Errorf(`unable to verify "client_assertion" jwt: %w`, err) 114 + } 115 + 116 + if !token.Valid { 117 + return nil, errors.New("client_assertion jwt is invalid") 118 + } 119 + 120 + claims, ok := token.Claims.(jwt.MapClaims) 121 + if !ok { 122 + return nil, errors.New("no claims in client_assertion jwt") 123 + } 124 + 125 + sub, _ := claims["sub"].(string) 126 + if sub != metadata.ClientID { 127 + return nil, errors.New("subject must be client_id") 128 + } 129 + 130 + aud, _ := claims["aud"].(string) 131 + if aud != "" && aud != "https://"+p.hostname { 132 + return nil, fmt.Errorf("audience must be %s, got %s", "https://"+p.hostname, aud) 133 + } 134 + 135 + iat, iatOk := claims["iat"].(float64) 136 + if !iatOk { 137 + return nil, errors.New(`invalid client_assertion jwt: "iat" is missing`) 138 + } 139 + 140 + iatTime := time.Unix(int64(iat), 0) 141 + if time.Since(iatTime) > constants.ClientAssertionMaxAge { 142 + return nil, errors.New("client_assertion jwt too old") 143 + } 144 + 145 + jti, _ := claims["jti"].(string) 146 + if jti == "" { 147 + return nil, errors.New(`invalid client_assertion jwt: "jti" is missing`) 148 + } 149 + 150 + var exp *float64 151 + if maybeExp, ok := claims["exp"].(float64); ok { 152 + exp = &maybeExp 153 + } 154 + 155 + alg := token.Header["alg"].(string) 156 + 157 + thumbBytes, err := client.JWKS.Thumbprint(crypto.SHA256) 158 + if err != nil { 159 + return nil, fmt.Errorf("failed to calculate thumbprint: %w", err) 160 + } 161 + 162 + thumb := base64.RawURLEncoding.EncodeToString(thumbBytes) 163 + 164 + return &ClientAuth{ 165 + Method: "private_key_jwt", 166 + Jti: jti, 167 + Exp: exp, 168 + Jkt: thumb, 169 + Alg: alg, 170 + Kid: kid, 171 + }, nil 172 + } 173 + 174 + return nil, fmt.Errorf("auth method %s is not implemented in this pds", metadata.TokenEndpointAuthMethod) 175 + }
+20
oauth/provider/middleware.go
··· 1 + package provider 2 + 3 + import ( 4 + "github.com/labstack/echo/v4" 5 + ) 6 + 7 + func (p *Provider) BaseMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 8 + return func(e echo.Context) error { 9 + e.Response().Header().Set("cache-control", "no-store") 10 + e.Response().Header().Set("pragma", "no-cache") 11 + 12 + nonce := p.NextNonce() 13 + if nonce != "" { 14 + e.Response().Header().Set("DPoP-Nonce", nonce) 15 + e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce") 16 + } 17 + 18 + return next(e) 19 + } 20 + }
+87
oauth/provider/provider.go
··· 1 + package provider 2 + 3 + import ( 4 + "database/sql/driver" 5 + "encoding/json" 6 + "fmt" 7 + "time" 8 + 9 + "github.com/haileyok/cocoon/oauth/client_manager" 10 + "github.com/haileyok/cocoon/oauth/dpop/dpop_manager" 11 + "gorm.io/gorm" 12 + ) 13 + 14 + type Provider struct { 15 + ClientManager *client_manager.ClientManager 16 + DpopManager *dpop_manager.DpopManager 17 + 18 + hostname string 19 + } 20 + 21 + type Args struct { 22 + Hostname string 23 + ClientManagerArgs client_manager.Args 24 + DpopManagerArgs dpop_manager.Args 25 + } 26 + 27 + func NewProvider(args Args) *Provider { 28 + return &Provider{ 29 + ClientManager: client_manager.New(args.ClientManagerArgs), 30 + DpopManager: dpop_manager.New(args.DpopManagerArgs), 31 + hostname: args.Hostname, 32 + } 33 + } 34 + 35 + func (p *Provider) NextNonce() string { 36 + return p.DpopManager.NextNonce() 37 + } 38 + 39 + type ParRequest struct { 40 + AuthenticateClientRequestBase 41 + ResponseType string `form:"response_type" json:"response_type" validate:"required"` 42 + CodeChallenge *string `form:"code_challenge" json:"code_challenge" validate:"required"` 43 + CodeChallengeMethod string `form:"code_challenge_method" json:"code_challenge_method" validate:"required"` 44 + State string `form:"state" json:"state" validate:"required"` 45 + RedirectURI string `form:"redirect_uri" json:"redirect_uri" validate:"required"` 46 + Scope string `form:"scope" json:"scope" validate:"required"` 47 + LoginHint *string `form:"login_hint" json:"login_hint,omitempty"` 48 + DpopJkt *string `form:"dpop_jkt" json:"dpop_jkt,omitempty"` 49 + } 50 + 51 + func (opr *ParRequest) Scan(value any) error { 52 + b, ok := value.([]byte) 53 + if !ok { 54 + return fmt.Errorf("failed to unmarshal OauthParRequest value") 55 + } 56 + return json.Unmarshal(b, opr) 57 + } 58 + 59 + func (opr ParRequest) Value() (driver.Value, error) { 60 + return json.Marshal(opr) 61 + } 62 + 63 + type OauthToken struct { 64 + gorm.Model 65 + ClientId string `gorm:"index"` 66 + ClientAuth ClientAuth `gorm:"type:json"` 67 + Parameters ParRequest `gorm:"type:json"` 68 + ExpiresAt time.Time `gorm:"index"` 69 + DeviceId string 70 + Sub string `gorm:"index"` 71 + Code string `gorm:"index"` 72 + Token string `gorm:"uniqueIndex"` 73 + RefreshToken string `gorm:"uniqueIndex"` 74 + } 75 + 76 + type OauthAuthorizationRequest struct { 77 + gorm.Model 78 + RequestId string `gorm:"primaryKey"` 79 + ClientId string `gorm:"index"` 80 + ClientAuth ClientAuth `gorm:"type:json"` 81 + Parameters ParRequest `gorm:"type:json"` 82 + ExpiresAt time.Time `gorm:"index"` 83 + DeviceId *string 84 + Sub *string 85 + Code *string 86 + Accepted *bool 87 + }
+44
server/handle_account.go
··· 1 + package server 2 + 3 + import ( 4 + "time" 5 + 6 + "github.com/haileyok/cocoon/oauth/provider" 7 + "github.com/labstack/echo/v4" 8 + ) 9 + 10 + func (s *Server) handleAccount(e echo.Context) error { 11 + repo, sess, err := s.getSessionRepoOrErr(e) 12 + if err != nil { 13 + return e.Redirect(303, "/account/signin") 14 + } 15 + 16 + now := time.Now() 17 + 18 + var tokens []provider.OauthToken 19 + if err := s.db.Raw("SELECT * FROM oauth_tokens WHERE sub = ? AND expires_at >= ? ORDER BY created_at ASC", nil, repo.Repo.Did, now).Scan(&tokens).Error; err != nil { 20 + s.logger.Error("couldnt fetch oauth sessions for account", "did", repo.Repo.Did, "error", err) 21 + sess.AddFlash("Unable to fetch sessions. See server logs for more details.", "error") 22 + sess.Save(e.Request(), e.Response()) 23 + return e.Render(200, "account.html", map[string]any{ 24 + "flashes": getFlashesFromSession(e, sess), 25 + }) 26 + } 27 + 28 + tokenInfo := []map[string]string{} 29 + for _, t := range tokens { 30 + tokenInfo = append(tokenInfo, map[string]string{ 31 + "ClientId": t.ClientId, 32 + "CreatedAt": t.CreatedAt.Format("02 Jan 06 15:04 MST"), 33 + "UpdatedAt": t.CreatedAt.Format("02 Jan 06 15:04 MST"), 34 + "ExpiresAt": t.CreatedAt.Format("02 Jan 06 15:04 MST"), 35 + "Token": t.Token, 36 + }) 37 + } 38 + 39 + return e.Render(200, "account.html", map[string]any{ 40 + "Repo": repo, 41 + "Tokens": tokenInfo, 42 + "flashes": getFlashesFromSession(e, sess), 43 + }) 44 + }
+34
server/handle_account_revoke.go
··· 1 + package server 2 + 3 + import ( 4 + "github.com/haileyok/cocoon/internal/helpers" 5 + "github.com/labstack/echo/v4" 6 + ) 7 + 8 + type AccountRevokeRequest struct { 9 + Token string `form:"token"` 10 + } 11 + 12 + func (s *Server) handleAccountRevoke(e echo.Context) error { 13 + var req AccountRevokeRequest 14 + if err := e.Bind(&req); err != nil { 15 + s.logger.Error("could not bind account revoke request", "error", err) 16 + return helpers.ServerError(e, nil) 17 + } 18 + 19 + repo, sess, err := s.getSessionRepoOrErr(e) 20 + if err != nil { 21 + return e.Redirect(303, "/account/signin") 22 + } 23 + 24 + if err := s.db.Exec("DELETE FROM oauth_tokens WHERE sub = ? AND token = ?", nil, repo.Repo.Did, req.Token).Error; err != nil { 25 + s.logger.Error("couldnt delete oauth session for account", "did", repo.Repo.Did, "token", req.Token, "error", err) 26 + sess.AddFlash("Unable to revoke session. See server logs for more details.", "error") 27 + sess.Save(e.Request(), e.Response()) 28 + return e.Redirect(303, "/account") 29 + } 30 + 31 + sess.AddFlash("Session successfully revoked!", "success") 32 + sess.Save(e.Request(), e.Response()) 33 + return e.Redirect(303, "/account") 34 + }
+130
server/handle_account_signin.go
··· 1 + package server 2 + 3 + import ( 4 + "errors" 5 + "strings" 6 + 7 + "github.com/bluesky-social/indigo/atproto/syntax" 8 + "github.com/gorilla/sessions" 9 + "github.com/haileyok/cocoon/internal/helpers" 10 + "github.com/haileyok/cocoon/models" 11 + "github.com/labstack/echo-contrib/session" 12 + "github.com/labstack/echo/v4" 13 + "golang.org/x/crypto/bcrypt" 14 + "gorm.io/gorm" 15 + ) 16 + 17 + type OauthSigninRequest struct { 18 + Username string `form:"username"` 19 + Password string `form:"password"` 20 + QueryParams string `form:"query_params"` 21 + } 22 + 23 + func (s *Server) getSessionRepoOrErr(e echo.Context) (*models.RepoActor, *sessions.Session, error) { 24 + sess, err := session.Get("session", e) 25 + if err != nil { 26 + return nil, nil, err 27 + } 28 + 29 + did, ok := sess.Values["did"].(string) 30 + if !ok { 31 + return nil, sess, errors.New("did was not set in session") 32 + } 33 + 34 + repo, err := s.getRepoActorByDid(did) 35 + if err != nil { 36 + return nil, sess, err 37 + } 38 + 39 + return repo, sess, nil 40 + } 41 + 42 + func getFlashesFromSession(e echo.Context, sess *sessions.Session) map[string]any { 43 + defer sess.Save(e.Request(), e.Response()) 44 + return map[string]any{ 45 + "errors": sess.Flashes("error"), 46 + "successes": sess.Flashes("success"), 47 + } 48 + } 49 + 50 + func (s *Server) handleAccountSigninGet(e echo.Context) error { 51 + _, sess, err := s.getSessionRepoOrErr(e) 52 + if err == nil { 53 + return e.Redirect(303, "/account") 54 + } 55 + 56 + return e.Render(200, "signin.html", map[string]any{ 57 + "flashes": getFlashesFromSession(e, sess), 58 + "QueryParams": e.QueryParams().Encode(), 59 + }) 60 + } 61 + 62 + func (s *Server) handleAccountSigninPost(e echo.Context) error { 63 + var req OauthSigninRequest 64 + if err := e.Bind(&req); err != nil { 65 + s.logger.Error("error binding sign in req", "error", err) 66 + return helpers.ServerError(e, nil) 67 + } 68 + 69 + sess, _ := session.Get("session", e) 70 + 71 + req.Username = strings.ToLower(req.Username) 72 + var idtype string 73 + if _, err := syntax.ParseDID(req.Username); err == nil { 74 + idtype = "did" 75 + } else if _, err := syntax.ParseHandle(req.Username); err == nil { 76 + idtype = "handle" 77 + } else { 78 + idtype = "email" 79 + } 80 + 81 + // TODO: we should make this a helper since we do it for the base create_session as well 82 + var repo models.RepoActor 83 + var err error 84 + switch idtype { 85 + case "did": 86 + err = s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.did = ?", nil, req.Username).Scan(&repo).Error 87 + case "handle": 88 + err = s.db.Raw("SELECT r.*, a.* FROM actors a LEFT JOIN repos r ON a.did = r.did WHERE a.handle = ?", nil, req.Username).Scan(&repo).Error 89 + case "email": 90 + err = s.db.Raw("SELECT r.*, a.* FROM repos r LEFT JOIN actors a ON r.did = a.did WHERE r.email = ?", nil, req.Username).Scan(&repo).Error 91 + } 92 + if err != nil { 93 + if err == gorm.ErrRecordNotFound { 94 + sess.AddFlash("Handle or password is incorrect", "error") 95 + } else { 96 + sess.AddFlash("Something went wrong!", "error") 97 + } 98 + sess.Save(e.Request(), e.Response()) 99 + return e.Redirect(303, "/account/signin") 100 + } 101 + 102 + if err := bcrypt.CompareHashAndPassword([]byte(repo.Password), []byte(req.Password)); err != nil { 103 + if err != bcrypt.ErrMismatchedHashAndPassword { 104 + sess.AddFlash("Handle or password is incorrect", "error") 105 + } else { 106 + sess.AddFlash("Something went wrong!", "error") 107 + } 108 + sess.Save(e.Request(), e.Response()) 109 + return e.Redirect(303, "/account/signin") 110 + } 111 + 112 + sess.Options = &sessions.Options{ 113 + Path: "/", 114 + MaxAge: int(AccountSessionMaxAge.Seconds()), 115 + HttpOnly: true, 116 + } 117 + 118 + sess.Values = map[any]any{} 119 + sess.Values["did"] = repo.Repo.Did 120 + 121 + if err := sess.Save(e.Request(), e.Response()); err != nil { 122 + return err 123 + } 124 + 125 + if req.QueryParams != "" { 126 + return e.Redirect(303, "/oauth/authorize?"+req.QueryParams) 127 + } else { 128 + return e.Redirect(303, "/account") 129 + } 130 + }
+35
server/handle_account_signout.go
··· 1 + package server 2 + 3 + import ( 4 + "github.com/gorilla/sessions" 5 + "github.com/labstack/echo-contrib/session" 6 + "github.com/labstack/echo/v4" 7 + ) 8 + 9 + func (s *Server) handleAccountSignout(e echo.Context) error { 10 + sess, err := session.Get("session", e) 11 + if err != nil { 12 + return err 13 + } 14 + 15 + sess.Options = &sessions.Options{ 16 + Path: "/", 17 + MaxAge: -1, 18 + HttpOnly: true, 19 + } 20 + 21 + sess.Values = map[any]any{} 22 + 23 + if err := sess.Save(e.Request(), e.Response()); err != nil { 24 + return err 25 + } 26 + 27 + reqUri := e.QueryParam("request_uri") 28 + 29 + redirect := "/account/signin" 30 + if reqUri != "" { 31 + redirect += "?" + e.QueryParams().Encode() 32 + } 33 + 34 + return e.Redirect(303, redirect) 35 + }
+132
server/handle_oauth_authorize.go
··· 1 + package server 2 + 3 + import ( 4 + "net/url" 5 + "strings" 6 + "time" 7 + 8 + "github.com/Azure/go-autorest/autorest/to" 9 + "github.com/haileyok/cocoon/internal/helpers" 10 + "github.com/haileyok/cocoon/oauth" 11 + "github.com/haileyok/cocoon/oauth/provider" 12 + "github.com/labstack/echo/v4" 13 + ) 14 + 15 + func (s *Server) handleOauthAuthorizeGet(e echo.Context) error { 16 + reqUri := e.QueryParam("request_uri") 17 + if reqUri == "" { 18 + // render page for logged out dev 19 + if s.config.Version == "dev" { 20 + return e.Render(200, "authorize.html", map[string]any{ 21 + "Scopes": []string{"atproto", "transition:generic"}, 22 + "AppName": "DEV MODE AUTHORIZATION PAGE", 23 + "Handle": "paula.cocoon.social", 24 + "RequestUri": "", 25 + }) 26 + } 27 + return helpers.InputError(e, to.StringPtr("no request uri")) 28 + } 29 + 30 + repo, _, err := s.getSessionRepoOrErr(e) 31 + if err != nil { 32 + return e.Redirect(303, "/account/signin?"+e.QueryParams().Encode()) 33 + } 34 + 35 + reqId, err := oauth.DecodeRequestUri(reqUri) 36 + if err != nil { 37 + return helpers.InputError(e, to.StringPtr(err.Error())) 38 + } 39 + 40 + var req provider.OauthAuthorizationRequest 41 + if err := s.db.Raw("SELECT * FROM oauth_authorization_requests WHERE request_id = ?", nil, reqId).Scan(&req).Error; err != nil { 42 + return helpers.ServerError(e, to.StringPtr(err.Error())) 43 + } 44 + 45 + clientId := e.QueryParam("client_id") 46 + if clientId != req.ClientId { 47 + return helpers.InputError(e, to.StringPtr("client id does not match the client id for the supplied request")) 48 + } 49 + 50 + client, err := s.oauthProvider.ClientManager.GetClient(e.Request().Context(), req.ClientId) 51 + if err != nil { 52 + return helpers.ServerError(e, to.StringPtr(err.Error())) 53 + } 54 + 55 + scopes := strings.Split(req.Parameters.Scope, " ") 56 + appName := client.Metadata.ClientName 57 + 58 + data := map[string]any{ 59 + "Scopes": scopes, 60 + "AppName": appName, 61 + "RequestUri": reqUri, 62 + "QueryParams": e.QueryParams().Encode(), 63 + "Handle": repo.Actor.Handle, 64 + } 65 + 66 + return e.Render(200, "authorize.html", data) 67 + } 68 + 69 + type OauthAuthorizePostRequest struct { 70 + RequestUri string `form:"request_uri"` 71 + AcceptOrRejct string `form:"accept_or_reject"` 72 + } 73 + 74 + func (s *Server) handleOauthAuthorizePost(e echo.Context) error { 75 + repo, _, err := s.getSessionRepoOrErr(e) 76 + if err != nil { 77 + return e.Redirect(303, "/account/signin") 78 + } 79 + 80 + var req OauthAuthorizePostRequest 81 + if err := e.Bind(&req); err != nil { 82 + s.logger.Error("error binding authorize post request", "error", err) 83 + return helpers.InputError(e, nil) 84 + } 85 + 86 + reqId, err := oauth.DecodeRequestUri(req.RequestUri) 87 + if err != nil { 88 + return helpers.InputError(e, to.StringPtr(err.Error())) 89 + } 90 + 91 + var authReq provider.OauthAuthorizationRequest 92 + if err := s.db.Raw("SELECT * FROM oauth_authorization_requests WHERE request_id = ?", nil, reqId).Scan(&authReq).Error; err != nil { 93 + return helpers.ServerError(e, to.StringPtr(err.Error())) 94 + } 95 + 96 + client, err := s.oauthProvider.ClientManager.GetClient(e.Request().Context(), authReq.ClientId) 97 + if err != nil { 98 + return helpers.ServerError(e, to.StringPtr(err.Error())) 99 + } 100 + 101 + // TODO: figure out how im supposed to actually redirect 102 + if req.AcceptOrRejct == "reject" { 103 + return e.Redirect(303, client.Metadata.ClientURI) 104 + } 105 + 106 + if time.Now().After(authReq.ExpiresAt) { 107 + return helpers.InputError(e, to.StringPtr("the request has expired")) 108 + } 109 + 110 + if authReq.Sub != nil || authReq.Code != nil { 111 + return helpers.InputError(e, to.StringPtr("this request was already authorized")) 112 + } 113 + 114 + code := oauth.GenerateCode() 115 + 116 + if err := s.db.Exec("UPDATE oauth_authorization_requests SET sub = ?, code = ?, accepted = ? WHERE request_id = ?", nil, repo.Repo.Did, code, true, reqId).Error; err != nil { 117 + s.logger.Error("error updating authorization request", "error", err) 118 + return helpers.ServerError(e, nil) 119 + } 120 + 121 + q := url.Values{} 122 + q.Set("state", authReq.Parameters.State) 123 + q.Set("iss", "https://"+s.config.Hostname) 124 + q.Set("code", code) 125 + 126 + hashOrQuestion := "?" 127 + if authReq.ClientAuth.Method != "private_key_jwt" { 128 + hashOrQuestion = "#" 129 + } 130 + 131 + return e.Redirect(303, authReq.Parameters.RedirectURI+hashOrQuestion+q.Encode()) 132 + }
+12
server/handle_oauth_jwks.go
··· 1 + package server 2 + 3 + import "github.com/labstack/echo/v4" 4 + 5 + type OauthJwksResponse struct { 6 + Keys []any `json:"keys"` 7 + } 8 + 9 + // TODO: ? 10 + func (s *Server) handleOauthJwks(e echo.Context) error { 11 + return e.JSON(200, OauthJwksResponse{Keys: []any{}}) 12 + }
+88
server/handle_oauth_par.go
··· 1 + package server 2 + 3 + import ( 4 + "time" 5 + 6 + "github.com/Azure/go-autorest/autorest/to" 7 + "github.com/haileyok/cocoon/internal/helpers" 8 + "github.com/haileyok/cocoon/oauth" 9 + "github.com/haileyok/cocoon/oauth/constants" 10 + "github.com/haileyok/cocoon/oauth/provider" 11 + "github.com/labstack/echo/v4" 12 + ) 13 + 14 + type OauthParResponse struct { 15 + ExpiresIn int64 `json:"expires_in"` 16 + RequestURI string `json:"request_uri"` 17 + } 18 + 19 + func (s *Server) handleOauthPar(e echo.Context) error { 20 + var parRequest provider.ParRequest 21 + if err := e.Bind(&parRequest); err != nil { 22 + s.logger.Error("error binding for par request", "error", err) 23 + return helpers.ServerError(e, nil) 24 + } 25 + 26 + if err := e.Validate(parRequest); err != nil { 27 + s.logger.Error("missing parameters for par request", "error", err) 28 + return helpers.InputError(e, nil) 29 + } 30 + 31 + // TODO: this seems wrong. should be a way to get the entire request url i believe, but this will work for now 32 + dpopProof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, nil) 33 + if err != nil { 34 + s.logger.Error("error getting dpop proof", "error", err) 35 + return helpers.InputError(e, to.StringPtr(err.Error())) 36 + } 37 + 38 + client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), parRequest.AuthenticateClientRequestBase, dpopProof, &provider.AuthenticateClientOptions{ 39 + // rfc9449 40 + // https://github.com/bluesky-social/atproto/blob/main/packages/oauth/oauth-provider/src/oauth-provider.ts#L473 41 + AllowMissingDpopProof: true, 42 + }) 43 + if err != nil { 44 + s.logger.Error("error authenticating client", "error", err) 45 + return helpers.InputError(e, to.StringPtr(err.Error())) 46 + } 47 + 48 + if parRequest.DpopJkt == nil { 49 + if client.Metadata.DpopBoundAccessTokens { 50 + parRequest.DpopJkt = to.StringPtr(dpopProof.JKT) 51 + } 52 + } else { 53 + if !client.Metadata.DpopBoundAccessTokens { 54 + msg := "dpop bound access tokens are not enabled for this client" 55 + s.logger.Error(msg) 56 + return helpers.InputError(e, &msg) 57 + } 58 + 59 + if dpopProof.JKT != *parRequest.DpopJkt { 60 + msg := "supplied dpop jkt does not match header dpop jkt" 61 + s.logger.Error(msg) 62 + return helpers.InputError(e, &msg) 63 + } 64 + } 65 + 66 + eat := time.Now().Add(constants.ParExpiresIn) 67 + id := oauth.GenerateRequestId() 68 + 69 + authRequest := &provider.OauthAuthorizationRequest{ 70 + RequestId: id, 71 + ClientId: client.Metadata.ClientID, 72 + ClientAuth: *clientAuth, 73 + Parameters: parRequest, 74 + ExpiresAt: eat, 75 + } 76 + 77 + if err := s.db.Create(authRequest, nil).Error; err != nil { 78 + s.logger.Error("error creating auth request in db", "error", err) 79 + return helpers.ServerError(e, nil) 80 + } 81 + 82 + uri := oauth.EncodeRequestUri(id) 83 + 84 + return e.JSON(201, OauthParResponse{ 85 + ExpiresIn: int64(constants.ParExpiresIn.Seconds()), 86 + RequestURI: uri, 87 + }) 88 + }
+276
server/handle_oauth_token.go
··· 1 + package server 2 + 3 + import ( 4 + "bytes" 5 + "crypto/sha256" 6 + "encoding/base64" 7 + "fmt" 8 + "slices" 9 + "time" 10 + 11 + "github.com/Azure/go-autorest/autorest/to" 12 + "github.com/golang-jwt/jwt/v4" 13 + "github.com/haileyok/cocoon/internal/helpers" 14 + "github.com/haileyok/cocoon/oauth" 15 + "github.com/haileyok/cocoon/oauth/constants" 16 + "github.com/haileyok/cocoon/oauth/provider" 17 + "github.com/labstack/echo/v4" 18 + ) 19 + 20 + type OauthTokenRequest struct { 21 + provider.AuthenticateClientRequestBase 22 + GrantType string `form:"grant_type" json:"grant_type"` 23 + Code *string `form:"code" json:"code,omitempty"` 24 + CodeVerifier *string `form:"code_verifier" json:"code_verifier,omitempty"` 25 + RedirectURI *string `form:"redirect_uri" json:"redirect_uri,omitempty"` 26 + RefreshToken *string `form:"refresh_token" json:"refresh_token,omitempty"` 27 + } 28 + 29 + type OauthTokenResponse struct { 30 + AccessToken string `json:"access_token"` 31 + TokenType string `json:"token_type"` 32 + RefreshToken string `json:"refresh_token"` 33 + Scope string `json:"scope"` 34 + ExpiresIn int64 `json:"expires_in"` 35 + Sub string `json:"sub"` 36 + } 37 + 38 + func (s *Server) handleOauthToken(e echo.Context) error { 39 + var req OauthTokenRequest 40 + if err := e.Bind(&req); err != nil { 41 + s.logger.Error("error binding token request", "error", err) 42 + return helpers.ServerError(e, nil) 43 + } 44 + 45 + proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, e.Request().URL.String(), e.Request().Header, nil) 46 + if err != nil { 47 + s.logger.Error("error getting dpop proof", "error", err) 48 + return helpers.InputError(e, to.StringPtr(err.Error())) 49 + } 50 + 51 + client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), req.AuthenticateClientRequestBase, proof, &provider.AuthenticateClientOptions{ 52 + AllowMissingDpopProof: true, 53 + }) 54 + if err != nil { 55 + s.logger.Error("error authenticating client", "error", err) 56 + return helpers.InputError(e, to.StringPtr(err.Error())) 57 + } 58 + 59 + // TODO: this should come from an oauth provier config 60 + if !slices.Contains([]string{"authorization_code", "refresh_token"}, req.GrantType) { 61 + return helpers.InputError(e, to.StringPtr(fmt.Sprintf(`"%s" grant type is not supported by the server`, req.GrantType))) 62 + } 63 + 64 + if !slices.Contains(client.Metadata.GrantTypes, req.GrantType) { 65 + return helpers.InputError(e, to.StringPtr(fmt.Sprintf(`"%s" grant type is not supported by the client`, req.GrantType))) 66 + } 67 + 68 + if req.GrantType == "authorization_code" { 69 + if req.Code == nil { 70 + return helpers.InputError(e, to.StringPtr(`"code" is required"`)) 71 + } 72 + 73 + var authReq provider.OauthAuthorizationRequest 74 + // get the lil guy and delete him 75 + if err := s.db.Raw("DELETE FROM oauth_authorization_requests WHERE code = ? RETURNING *", nil, *req.Code).Scan(&authReq).Error; err != nil { 76 + s.logger.Error("error finding authorization request", "error", err) 77 + return helpers.ServerError(e, nil) 78 + } 79 + 80 + if req.RedirectURI == nil || *req.RedirectURI != authReq.Parameters.RedirectURI { 81 + return helpers.InputError(e, to.StringPtr(`"redirect_uri" mismatch`)) 82 + } 83 + 84 + if authReq.Parameters.CodeChallenge != nil { 85 + if req.CodeVerifier == nil { 86 + return helpers.InputError(e, to.StringPtr(`"code_verifier" is required`)) 87 + } 88 + 89 + if len(*req.CodeVerifier) < 43 { 90 + return helpers.InputError(e, to.StringPtr(`"code_verifier" is too short`)) 91 + } 92 + 93 + switch *&authReq.Parameters.CodeChallengeMethod { 94 + case "", "plain": 95 + if authReq.Parameters.CodeChallenge != req.CodeVerifier { 96 + return helpers.InputError(e, to.StringPtr("invalid code_verifier")) 97 + } 98 + case "S256": 99 + inputChal, err := base64.RawURLEncoding.DecodeString(*authReq.Parameters.CodeChallenge) 100 + if err != nil { 101 + s.logger.Error("error decoding code challenge", "error", err) 102 + return helpers.ServerError(e, nil) 103 + } 104 + 105 + h := sha256.New() 106 + h.Write([]byte(*req.CodeVerifier)) 107 + compdChal := h.Sum(nil) 108 + 109 + if !bytes.Equal(inputChal, compdChal) { 110 + return helpers.InputError(e, to.StringPtr("invalid code_verifier")) 111 + } 112 + default: 113 + return helpers.InputError(e, to.StringPtr("unsupported code_challenge_method "+*&authReq.Parameters.CodeChallengeMethod)) 114 + } 115 + } else if req.CodeVerifier != nil { 116 + return helpers.InputError(e, to.StringPtr("code_challenge parameter wasn't provided")) 117 + } 118 + 119 + repo, err := s.getRepoActorByDid(*authReq.Sub) 120 + if err != nil { 121 + helpers.InputError(e, to.StringPtr("unable to find actor")) 122 + } 123 + 124 + now := time.Now() 125 + eat := now.Add(constants.TokenMaxAge) 126 + id := oauth.GenerateTokenId() 127 + 128 + refreshToken := oauth.GenerateRefreshToken() 129 + 130 + accessClaims := jwt.MapClaims{ 131 + "scope": authReq.Parameters.Scope, 132 + "aud": s.config.Did, 133 + "sub": repo.Repo.Did, 134 + "iat": now.Unix(), 135 + "exp": eat.Unix(), 136 + "jti": id, 137 + "client_id": authReq.ClientId, 138 + } 139 + 140 + if authReq.Parameters.DpopJkt != nil { 141 + accessClaims["cnf"] = *authReq.Parameters.DpopJkt 142 + } 143 + 144 + accessToken := jwt.NewWithClaims(jwt.SigningMethodES256, accessClaims) 145 + accessString, err := accessToken.SignedString(s.privateKey) 146 + if err != nil { 147 + return err 148 + } 149 + 150 + if err := s.db.Create(&provider.OauthToken{ 151 + ClientId: authReq.ClientId, 152 + ClientAuth: *clientAuth, 153 + Parameters: authReq.Parameters, 154 + ExpiresAt: eat, 155 + DeviceId: "", 156 + Sub: repo.Repo.Did, 157 + Code: *authReq.Code, 158 + Token: accessString, 159 + RefreshToken: refreshToken, 160 + }, nil).Error; err != nil { 161 + s.logger.Error("error creating token in db", "error", err) 162 + return helpers.ServerError(e, nil) 163 + } 164 + 165 + // prob not needed 166 + tokenType := "Bearer" 167 + if authReq.Parameters.DpopJkt != nil { 168 + tokenType = "DPoP" 169 + } 170 + 171 + e.Response().Header().Set("content-type", "application/json") 172 + 173 + return e.JSON(200, OauthTokenResponse{ 174 + AccessToken: accessString, 175 + RefreshToken: refreshToken, 176 + TokenType: tokenType, 177 + Scope: authReq.Parameters.Scope, 178 + ExpiresIn: int64(eat.Sub(time.Now()).Seconds()), 179 + Sub: repo.Repo.Did, 180 + }) 181 + } 182 + 183 + if req.GrantType == "refresh_token" { 184 + if req.RefreshToken == nil { 185 + return helpers.InputError(e, to.StringPtr(`"refresh_token" is required`)) 186 + } 187 + 188 + var oauthToken provider.OauthToken 189 + if err := s.db.Raw("SELECT * FROM oauth_tokens WHERE refresh_token = ?", nil, req.RefreshToken).Scan(&oauthToken).Error; err != nil { 190 + s.logger.Error("error finding oauth token by refresh token", "error", err, "refresh_token", req.RefreshToken) 191 + return helpers.ServerError(e, nil) 192 + } 193 + 194 + if client.Metadata.ClientID != oauthToken.ClientId { 195 + return helpers.InputError(e, to.StringPtr(`"client_id" mismatch`)) 196 + } 197 + 198 + if clientAuth.Method != oauthToken.ClientAuth.Method { 199 + return helpers.InputError(e, to.StringPtr(`"client authentication method mismatch`)) 200 + } 201 + 202 + if *oauthToken.Parameters.DpopJkt != proof.JKT { 203 + return helpers.InputError(e, to.StringPtr("dpop proof does not match expected jkt")) 204 + } 205 + 206 + sessionLifetime := constants.PublicClientSessionLifetime 207 + refreshLifetime := constants.PublicClientRefreshLifetime 208 + if clientAuth.Method != "none" { 209 + sessionLifetime = constants.ConfidentialClientSessionLifetime 210 + refreshLifetime = constants.ConfidentialClientRefreshLifetime 211 + } 212 + 213 + sessionAge := time.Since(oauthToken.CreatedAt) 214 + if sessionAge > sessionLifetime { 215 + return helpers.InputError(e, to.StringPtr("Session expired")) 216 + } 217 + 218 + refreshAge := time.Since(oauthToken.UpdatedAt) 219 + if refreshAge > refreshLifetime { 220 + return helpers.InputError(e, to.StringPtr("Refresh token expired")) 221 + } 222 + 223 + if client.Metadata.DpopBoundAccessTokens && oauthToken.Parameters.DpopJkt == nil { 224 + // why? ref impl 225 + return helpers.InputError(e, to.StringPtr("dpop jkt is required for dpop bound access tokens")) 226 + } 227 + 228 + nextTokenId := oauth.GenerateTokenId() 229 + nextRefreshToken := oauth.GenerateRefreshToken() 230 + 231 + now := time.Now() 232 + eat := now.Add(constants.TokenMaxAge) 233 + 234 + accessClaims := jwt.MapClaims{ 235 + "scope": oauthToken.Parameters.Scope, 236 + "aud": s.config.Did, 237 + "sub": oauthToken.Sub, 238 + "iat": now.Unix(), 239 + "exp": eat.Unix(), 240 + "jti": nextTokenId, 241 + "client_id": oauthToken.ClientId, 242 + } 243 + 244 + if oauthToken.Parameters.DpopJkt != nil { 245 + accessClaims["cnf"] = *&oauthToken.Parameters.DpopJkt 246 + } 247 + 248 + accessToken := jwt.NewWithClaims(jwt.SigningMethodES256, accessClaims) 249 + accessString, err := accessToken.SignedString(s.privateKey) 250 + if err != nil { 251 + return err 252 + } 253 + 254 + if err := s.db.Exec("UPDATE oauth_tokens SET token = ?, refresh_token = ?, expires_at = ?, updated_at = ? WHERE refresh_token = ?", nil, accessString, nextRefreshToken, eat, now, *req.RefreshToken).Error; err != nil { 255 + s.logger.Error("error updating token", "error", err) 256 + return helpers.ServerError(e, nil) 257 + } 258 + 259 + // prob not needed 260 + tokenType := "Bearer" 261 + if oauthToken.Parameters.DpopJkt != nil { 262 + tokenType = "DPoP" 263 + } 264 + 265 + return e.JSON(200, OauthTokenResponse{ 266 + AccessToken: accessString, 267 + RefreshToken: nextRefreshToken, 268 + TokenType: tokenType, 269 + Scope: oauthToken.Parameters.Scope, 270 + ExpiresIn: int64(eat.Sub(time.Now()).Seconds()), 271 + Sub: oauthToken.Sub, 272 + }) 273 + } 274 + 275 + return helpers.InputError(e, to.StringPtr(fmt.Sprintf(`grant type "%s" is not supported`, req.GrantType))) 276 + }
+112
server/handle_server_get_service_auth.go
··· 1 + package server 2 + 3 + import ( 4 + "crypto/rand" 5 + "crypto/sha256" 6 + "encoding/base64" 7 + "encoding/json" 8 + "fmt" 9 + "strings" 10 + "time" 11 + 12 + "github.com/Azure/go-autorest/autorest/to" 13 + "github.com/google/uuid" 14 + "github.com/haileyok/cocoon/internal/helpers" 15 + "github.com/haileyok/cocoon/models" 16 + "github.com/labstack/echo/v4" 17 + secp256k1secec "gitlab.com/yawning/secp256k1-voi/secec" 18 + ) 19 + 20 + type ServerGetServiceAuthRequest struct { 21 + Aud string `query:"aud" validate:"required,atproto-did"` 22 + Exp int64 `query:"exp"` 23 + Lxm string `query:"lxm" validate:"required,atproto-nsid"` 24 + } 25 + 26 + func (s *Server) handleServerGetServiceAuth(e echo.Context) error { 27 + var req ServerGetServiceAuthRequest 28 + if err := e.Bind(&req); err != nil { 29 + s.logger.Error("could not bind service auth request", "error", err) 30 + return helpers.ServerError(e, nil) 31 + } 32 + 33 + if err := e.Validate(req); err != nil { 34 + return helpers.InputError(e, nil) 35 + } 36 + 37 + now := time.Now().Unix() 38 + if req.Exp == 0 { 39 + req.Exp = now + 60 // default 40 + } 41 + 42 + if req.Lxm == "com.atproto.server.getServiceAuth" { 43 + return helpers.InputError(e, to.StringPtr("may not generate auth tokens recursively")) 44 + } 45 + 46 + maxExp := now + (60 * 30) 47 + if req.Exp > maxExp { 48 + return helpers.InputError(e, to.StringPtr("expiration too big. smoller please")) 49 + } 50 + 51 + repo := e.Get("repo").(*models.RepoActor) 52 + 53 + header := map[string]string{ 54 + "alg": "ES256K", 55 + "crv": "secp256k1", 56 + "typ": "JWT", 57 + } 58 + hj, err := json.Marshal(header) 59 + if err != nil { 60 + s.logger.Error("error marshaling header", "error", err) 61 + return helpers.ServerError(e, nil) 62 + } 63 + 64 + encheader := strings.TrimRight(base64.RawURLEncoding.EncodeToString(hj), "=") 65 + 66 + payload := map[string]any{ 67 + "iss": repo.Repo.Did, 68 + "aud": req.Aud, 69 + "lxm": req.Lxm, 70 + "jti": uuid.NewString(), 71 + "exp": req.Exp, 72 + "iat": now, 73 + } 74 + pj, err := json.Marshal(payload) 75 + if err != nil { 76 + s.logger.Error("error marashaling payload", "error", err) 77 + return helpers.ServerError(e, nil) 78 + } 79 + 80 + encpayload := strings.TrimRight(base64.RawURLEncoding.EncodeToString(pj), "=") 81 + 82 + input := fmt.Sprintf("%s.%s", encheader, encpayload) 83 + hash := sha256.Sum256([]byte(input)) 84 + 85 + sk, err := secp256k1secec.NewPrivateKey(repo.SigningKey) 86 + if err != nil { 87 + s.logger.Error("can't load private key", "error", err) 88 + return err 89 + } 90 + 91 + R, S, _, err := sk.SignRaw(rand.Reader, hash[:]) 92 + if err != nil { 93 + s.logger.Error("error signing", "error", err) 94 + return helpers.ServerError(e, nil) 95 + } 96 + 97 + rBytes := R.Bytes() 98 + sBytes := S.Bytes() 99 + 100 + rPadded := make([]byte, 32) 101 + sPadded := make([]byte, 32) 102 + copy(rPadded[32-len(rBytes):], rBytes) 103 + copy(sPadded[32-len(sBytes):], sBytes) 104 + 105 + rawsig := append(rPadded, sPadded...) 106 + encsig := strings.TrimRight(base64.RawURLEncoding.EncodeToString(rawsig), "=") 107 + token := fmt.Sprintf("%s.%s", input, encsig) 108 + 109 + return e.JSON(200, map[string]string{ 110 + "token": token, 111 + }) 112 + }
+88
server/handle_well_known.go
··· 1 1 package server 2 2 3 3 import ( 4 + "fmt" 5 + 6 + "github.com/Azure/go-autorest/autorest/to" 4 7 "github.com/labstack/echo/v4" 5 8 ) 6 9 10 + var ( 11 + CocoonSupportedScopes = []string{ 12 + "atproto", 13 + "transition:email", 14 + "transition:generic", 15 + "transition:chat.bsky", 16 + } 17 + ) 18 + 19 + type OauthAuthorizationMetadata struct { 20 + Issuer string `json:"issuer"` 21 + RequestParameterSupported bool `json:"request_parameter_supported"` 22 + RequestUriParameterSupported bool `json:"request_uri_parameter_supported"` 23 + RequireRequestUriRegistration *bool `json:"require_request_uri_registration,omitempty"` 24 + ScopesSupported []string `json:"scopes_supported"` 25 + SubjectTypesSupported []string `json:"subject_types_supported"` 26 + ResponseTypesSupported []string `json:"response_types_supported"` 27 + ResponseModesSupported []string `json:"response_modes_supported"` 28 + GrantTypesSupported []string `json:"grant_types_supported"` 29 + CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"` 30 + UILocalesSupported []string `json:"ui_locales_supported"` 31 + DisplayValuesSupported []string `json:"display_values_supported"` 32 + RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"` 33 + AuthorizationResponseISSParameterSupported bool `json:"authorization_response_iss_parameter_supported"` 34 + RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported"` 35 + RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported"` 36 + JwksUri string `json:"jwks_uri"` 37 + AuthorizationEndpoint string `json:"authorization_endpoint"` 38 + TokenEndpoint string `json:"token_endpoint"` 39 + TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"` 40 + TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"` 41 + RevocationEndpoint string `json:"revocation_endpoint"` 42 + IntrospectionEndpoint string `json:"introspection_endpoint"` 43 + PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint"` 44 + RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests"` 45 + DpopSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported"` 46 + ProtectedResources []string `json:"protected_resources"` 47 + ClientIDMetadataDocumentSupported bool `json:"client_id_metadata_document_supported"` 48 + } 49 + 7 50 func (s *Server) handleWellKnown(e echo.Context) error { 8 51 return e.JSON(200, map[string]any{ 9 52 "@context": []string{ ··· 19 62 }, 20 63 }) 21 64 } 65 + 66 + func (s *Server) handleOauthProtectedResource(e echo.Context) error { 67 + return e.JSON(200, map[string]any{ 68 + "resource": "https://" + s.config.Hostname, 69 + "authorization_servers": []string{ 70 + "https://" + s.config.Hostname, 71 + }, 72 + "scopes_supported": []string{}, 73 + "bearer_methods_supported": []string{"header"}, 74 + "resource_documentation": "https://atproto.com", 75 + }) 76 + } 77 + 78 + func (s *Server) handleOauthAuthorizationServer(e echo.Context) error { 79 + return e.JSON(200, OauthAuthorizationMetadata{ 80 + Issuer: "https://" + s.config.Hostname, 81 + RequestParameterSupported: true, 82 + RequestUriParameterSupported: true, 83 + RequireRequestUriRegistration: to.BoolPtr(true), 84 + ScopesSupported: CocoonSupportedScopes, 85 + SubjectTypesSupported: []string{"public"}, 86 + ResponseTypesSupported: []string{"code"}, 87 + ResponseModesSupported: []string{"query", "fragment", "form_post"}, 88 + GrantTypesSupported: []string{"authorization_code", "refresh_token"}, 89 + CodeChallengeMethodsSupported: []string{"S256"}, 90 + UILocalesSupported: []string{"en-US"}, 91 + DisplayValuesSupported: []string{"page", "popup", "touch"}, 92 + RequestObjectSigningAlgValuesSupported: []string{"ES256"}, // only es256 for now... 93 + AuthorizationResponseISSParameterSupported: true, 94 + RequestObjectEncryptionAlgValuesSupported: []string{}, 95 + RequestObjectEncryptionEncValuesSupported: []string{}, 96 + JwksUri: fmt.Sprintf("https://%s/oauth/jwks", s.config.Hostname), 97 + AuthorizationEndpoint: fmt.Sprintf("https://%s/oauth/authorize", s.config.Hostname), 98 + TokenEndpoint: fmt.Sprintf("https://%s/oauth/token", s.config.Hostname), 99 + TokenEndpointAuthMethodsSupported: []string{"none", "private_key_jwt"}, 100 + TokenEndpointAuthSigningAlgValuesSupported: []string{"ES256"}, // Same as above, just es256 101 + RevocationEndpoint: fmt.Sprintf("https://%s/oauth/revoke", s.config.Hostname), 102 + IntrospectionEndpoint: fmt.Sprintf("https://%s/oauth/introspect", s.config.Hostname), 103 + PushedAuthorizationRequestEndpoint: fmt.Sprintf("https://%s/oauth/par", s.config.Hostname), 104 + RequirePushedAuthorizationRequests: true, 105 + DpopSigningAlgValuesSupported: []string{"ES256"}, // again same as above 106 + ProtectedResources: []string{"https://" + s.config.Hostname}, 107 + ClientIDMetadataDocumentSupported: true, 108 + }) 109 + }
+16
server/mail.go
··· 3 3 import "fmt" 4 4 5 5 func (s *Server) sendWelcomeMail(email, handle string) error { 6 + if s.mail == nil { 7 + return nil 8 + } 9 + 6 10 s.mailLk.Lock() 7 11 defer s.mailLk.Unlock() 8 12 ··· 18 22 } 19 23 20 24 func (s *Server) sendPasswordReset(email, handle, code string) error { 25 + if s.mail == nil { 26 + return nil 27 + } 28 + 21 29 s.mailLk.Lock() 22 30 defer s.mailLk.Unlock() 23 31 ··· 33 41 } 34 42 35 43 func (s *Server) sendEmailUpdate(email, handle, code string) error { 44 + if s.mail == nil { 45 + return nil 46 + } 47 + 36 48 s.mailLk.Lock() 37 49 defer s.mailLk.Unlock() 38 50 ··· 48 60 } 49 61 50 62 func (s *Server) sendEmailVerification(email, handle, code string) error { 63 + if s.mail == nil { 64 + return nil 65 + } 66 + 51 67 s.mailLk.Lock() 52 68 defer s.mailLk.Unlock() 53 69
+230 -35
server/server.go
··· 4 4 "bytes" 5 5 "context" 6 6 "crypto/ecdsa" 7 + "embed" 7 8 "errors" 8 9 "fmt" 9 10 "io" ··· 11 12 "net/http" 12 13 "net/smtp" 13 14 "os" 15 + "path/filepath" 14 16 "strings" 15 17 "sync" 18 + "text/template" 16 19 "time" 17 20 18 21 "github.com/Azure/go-autorest/autorest/to" ··· 28 31 "github.com/domodwyer/mailyak/v3" 29 32 "github.com/go-playground/validator" 30 33 "github.com/golang-jwt/jwt/v4" 34 + "github.com/gorilla/sessions" 31 35 "github.com/haileyok/cocoon/identity" 32 36 "github.com/haileyok/cocoon/internal/db" 33 37 "github.com/haileyok/cocoon/internal/helpers" 34 38 "github.com/haileyok/cocoon/models" 39 + "github.com/haileyok/cocoon/oauth/client_manager" 40 + "github.com/haileyok/cocoon/oauth/constants" 41 + "github.com/haileyok/cocoon/oauth/dpop/dpop_manager" 42 + "github.com/haileyok/cocoon/oauth/provider" 35 43 "github.com/haileyok/cocoon/plc" 44 + echo_session "github.com/labstack/echo-contrib/session" 36 45 "github.com/labstack/echo/v4" 37 46 "github.com/labstack/echo/v4/middleware" 38 - "github.com/lestrrat-go/jwx/v2/jwk" 39 47 slogecho "github.com/samber/slog-echo" 40 48 "gorm.io/driver/sqlite" 41 49 "gorm.io/gorm" 50 + ) 51 + 52 + const ( 53 + AccountSessionMaxAge = 30 * 24 * time.Hour // one week 42 54 ) 43 55 44 56 type S3Config struct { ··· 51 63 } 52 64 53 65 type Server struct { 54 - http *http.Client 55 - httpd *http.Server 56 - mail *mailyak.MailYak 57 - mailLk *sync.Mutex 58 - echo *echo.Echo 59 - db *db.DB 60 - plcClient *plc.Client 61 - logger *slog.Logger 62 - config *config 63 - privateKey *ecdsa.PrivateKey 64 - repoman *RepoMan 65 - evtman *events.EventManager 66 - passport *identity.Passport 66 + http *http.Client 67 + httpd *http.Server 68 + mail *mailyak.MailYak 69 + mailLk *sync.Mutex 70 + echo *echo.Echo 71 + db *db.DB 72 + plcClient *plc.Client 73 + logger *slog.Logger 74 + config *config 75 + privateKey *ecdsa.PrivateKey 76 + repoman *RepoMan 77 + oauthProvider *provider.Provider 78 + evtman *events.EventManager 79 + passport *identity.Passport 67 80 68 81 dbName string 69 82 s3Config *S3Config ··· 90 103 SmtpName string 91 104 92 105 S3Config *S3Config 106 + 107 + SessionSecret string 93 108 } 94 109 95 110 type config struct { ··· 132 147 return nil 133 148 } 134 149 150 + //go:embed templates/* 151 + var templateFS embed.FS 152 + 153 + //go:embed static/* 154 + var staticFS embed.FS 155 + 156 + type TemplateRenderer struct { 157 + templates *template.Template 158 + isDev bool 159 + templatePath string 160 + } 161 + 162 + func (s *Server) loadTemplates() { 163 + absPath, _ := filepath.Abs("server/templates/*.html") 164 + if s.config.Version == "dev" { 165 + tmpl := template.Must(template.ParseGlob(absPath)) 166 + s.echo.Renderer = &TemplateRenderer{ 167 + templates: tmpl, 168 + isDev: true, 169 + templatePath: absPath, 170 + } 171 + } else { 172 + tmpl := template.Must(template.ParseFS(templateFS, "templates/*.html")) 173 + s.echo.Renderer = &TemplateRenderer{ 174 + templates: tmpl, 175 + isDev: false, 176 + } 177 + } 178 + } 179 + 180 + func (t *TemplateRenderer) Render(w io.Writer, name string, data any, c echo.Context) error { 181 + if t.isDev { 182 + tmpl, err := template.ParseGlob(t.templatePath) 183 + if err != nil { 184 + return err 185 + } 186 + t.templates = tmpl 187 + } 188 + 189 + if viewContext, isMap := data.(map[string]any); isMap { 190 + viewContext["reverse"] = c.Echo().Reverse 191 + } 192 + 193 + return t.templates.ExecuteTemplate(w, name, data) 194 + } 195 + 135 196 func (s *Server) handleAdminMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 136 197 return func(e echo.Context) error { 137 198 username, password, ok := e.Request().BasicAuth() ··· 147 208 } 148 209 } 149 210 150 - func (s *Server) handleSessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 211 + func (s *Server) handleLegacySessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 151 212 return func(e echo.Context) error { 152 213 authheader := e.Request().Header.Get("authorization") 153 214 if authheader == "" { ··· 157 218 pts := strings.Split(authheader, " ") 158 219 if len(pts) != 2 { 159 220 return helpers.ServerError(e, nil) 221 + } 222 + 223 + if pts[0] == "DPoP" { 224 + return next(e) 160 225 } 161 226 162 227 tokenstr := pts[1] ··· 238 303 } 239 304 } 240 305 306 + func (s *Server) handleOauthSessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 307 + return func(e echo.Context) error { 308 + authheader := e.Request().Header.Get("authorization") 309 + if authheader == "" { 310 + return e.JSON(401, map[string]string{"error": "Unauthorized"}) 311 + } 312 + 313 + pts := strings.Split(authheader, " ") 314 + if len(pts) != 2 { 315 + return helpers.ServerError(e, nil) 316 + } 317 + 318 + if pts[0] != "DPoP" { 319 + return next(e) 320 + } 321 + 322 + accessToken := pts[1] 323 + 324 + proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, to.StringPtr(accessToken)) 325 + if err != nil { 326 + s.logger.Error("invalid dpop proof", "error", err) 327 + return helpers.InputError(e, to.StringPtr(err.Error())) 328 + } 329 + 330 + var oauthToken provider.OauthToken 331 + if err := s.db.Raw("SELECT * FROM oauth_tokens WHERE token = ?", nil, accessToken).Scan(&oauthToken).Error; err != nil { 332 + s.logger.Error("error finding access token in db", "error", err) 333 + return helpers.InputError(e, nil) 334 + } 335 + 336 + if oauthToken.Token == "" { 337 + return helpers.InputError(e, to.StringPtr("InvalidToken")) 338 + } 339 + 340 + if *oauthToken.Parameters.DpopJkt != proof.JKT { 341 + s.logger.Error("jkt mismatch", "token", oauthToken.Parameters.DpopJkt, "proof", proof.JKT) 342 + return helpers.InputError(e, to.StringPtr("dpop jkt mismatch")) 343 + } 344 + 345 + if time.Now().After(oauthToken.ExpiresAt) { 346 + return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"}) 347 + } 348 + 349 + repo, err := s.getRepoActorByDid(oauthToken.Sub) 350 + if err != nil { 351 + s.logger.Error("could not find actor in db", "error", err) 352 + return helpers.ServerError(e, nil) 353 + } 354 + 355 + nonce := s.oauthProvider.NextNonce() 356 + if nonce != "" { 357 + e.Response().Header().Set("DPoP-Nonce", nonce) 358 + e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce") 359 + } 360 + 361 + e.Set("repo", repo) 362 + e.Set("did", repo.Repo.Did) 363 + e.Set("token", accessToken) 364 + e.Set("scopes", strings.Split(oauthToken.Parameters.Scope, " ")) 365 + 366 + return next(e) 367 + } 368 + } 369 + 241 370 func New(args *Args) (*Server, error) { 242 371 if args.Addr == "" { 243 372 return nil, fmt.Errorf("addr must be set") ··· 271 400 args.Logger = slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{})) 272 401 } 273 402 403 + if args.SessionSecret == "" { 404 + panic("SESSION SECRET WAS NOT SET. THIS IS REQUIRED. ") 405 + } 406 + 274 407 e := echo.New() 275 408 276 409 e.Pre(middleware.RemoveTrailingSlash()) 277 410 e.Pre(slogecho.New(args.Logger)) 411 + e.Use(echo_session.Middleware(sessions.NewCookieStore([]byte(args.SessionSecret)))) 278 412 e.Use(middleware.CORSWithConfig(middleware.CORSConfig{ 279 413 AllowOrigins: []string{"*"}, 280 414 AllowHeaders: []string{"*"}, ··· 348 482 return nil, err 349 483 } 350 484 351 - key, err := jwk.ParseKey(jwkbytes) 485 + key, err := helpers.ParseJWKFromBytes(jwkbytes) 352 486 if err != nil { 353 487 return nil, err 354 488 } ··· 358 492 return nil, err 359 493 } 360 494 495 + oauthCli := &http.Client{ 496 + Timeout: 10 * time.Second, 497 + } 498 + 499 + var nonceSecret []byte 500 + maybeSecret, err := os.ReadFile("nonce.secret") 501 + if err != nil && !os.IsNotExist(err) { 502 + args.Logger.Error("error attempting to read nonce secret", "error", err) 503 + } else { 504 + nonceSecret = maybeSecret 505 + } 506 + 361 507 s := &Server{ 362 508 http: h, 363 509 httpd: httpd, ··· 382 528 383 529 dbName: args.DbName, 384 530 s3Config: args.S3Config, 531 + 532 + oauthProvider: provider.NewProvider(provider.Args{ 533 + Hostname: args.Hostname, 534 + ClientManagerArgs: client_manager.Args{ 535 + Cli: oauthCli, 536 + Logger: args.Logger, 537 + }, 538 + DpopManagerArgs: dpop_manager.Args{ 539 + NonceSecret: nonceSecret, 540 + NonceRotationInterval: constants.NonceMaxRotationInterval / 3, 541 + OnNonceSecretCreated: func(newNonce []byte) { 542 + if err := os.WriteFile("nonce.secret", newNonce, 0644); err != nil { 543 + args.Logger.Error("error writing new nonce secret", "error", err) 544 + } 545 + }, 546 + Logger: args.Logger, 547 + Hostname: args.Hostname, 548 + }, 549 + }), 385 550 } 551 + 552 + s.loadTemplates() 386 553 387 554 s.repoman = NewRepoMan(s) // TODO: this is way too lazy, stop it 388 555 ··· 402 569 } 403 570 404 571 func (s *Server) addRoutes() { 572 + // static 573 + if s.config.Version == "dev" { 574 + s.echo.Static("/static", "server/static") 575 + } else { 576 + s.echo.GET("/static/*", echo.WrapHandler(http.FileServer(http.FS(staticFS)))) 577 + } 578 + 405 579 // random stuff 406 580 s.echo.GET("/", s.handleRoot) 407 581 s.echo.GET("/xrpc/_health", s.handleHealth) 408 582 s.echo.GET("/.well-known/did.json", s.handleWellKnown) 583 + s.echo.GET("/.well-known/oauth-protected-resource", s.handleOauthProtectedResource) 584 + s.echo.GET("/.well-known/oauth-authorization-server", s.handleOauthAuthorizationServer) 409 585 s.echo.GET("/robots.txt", s.handleRobots) 410 586 411 587 // public ··· 428 604 s.echo.GET("/xrpc/com.atproto.sync.listBlobs", s.handleSyncListBlobs) 429 605 s.echo.GET("/xrpc/com.atproto.sync.getBlob", s.handleSyncGetBlob) 430 606 607 + // account 608 + s.echo.GET("/account", s.handleAccount) 609 + s.echo.POST("/account/revoke", s.handleAccountRevoke) 610 + s.echo.GET("/account/signin", s.handleAccountSigninGet) 611 + s.echo.POST("/account/signin", s.handleAccountSigninPost) 612 + s.echo.GET("/account/signout", s.handleAccountSignout) 613 + 614 + // oauth account 615 + s.echo.GET("/oauth/jwks", s.handleOauthJwks) 616 + s.echo.GET("/oauth/authorize", s.handleOauthAuthorizeGet) 617 + s.echo.POST("/oauth/authorize", s.handleOauthAuthorizePost) 618 + 619 + // oauth authorization 620 + s.echo.POST("/oauth/par", s.handleOauthPar, s.oauthProvider.BaseMiddleware) 621 + s.echo.POST("/oauth/token", s.handleOauthToken, s.oauthProvider.BaseMiddleware) 622 + 431 623 // authed 432 - s.echo.GET("/xrpc/com.atproto.server.getSession", s.handleGetSession, s.handleSessionMiddleware) 433 - s.echo.POST("/xrpc/com.atproto.server.refreshSession", s.handleRefreshSession, s.handleSessionMiddleware) 434 - s.echo.POST("/xrpc/com.atproto.server.deleteSession", s.handleDeleteSession, s.handleSessionMiddleware) 435 - s.echo.POST("/xrpc/com.atproto.identity.updateHandle", s.handleIdentityUpdateHandle, s.handleSessionMiddleware) 436 - s.echo.POST("/xrpc/com.atproto.server.confirmEmail", s.handleServerConfirmEmail, s.handleSessionMiddleware) 437 - s.echo.POST("/xrpc/com.atproto.server.requestEmailConfirmation", s.handleServerRequestEmailConfirmation, s.handleSessionMiddleware) 624 + s.echo.GET("/xrpc/com.atproto.server.getSession", s.handleGetSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 625 + s.echo.POST("/xrpc/com.atproto.server.refreshSession", s.handleRefreshSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 626 + s.echo.POST("/xrpc/com.atproto.server.deleteSession", s.handleDeleteSession, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 627 + s.echo.POST("/xrpc/com.atproto.identity.updateHandle", s.handleIdentityUpdateHandle, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 628 + s.echo.POST("/xrpc/com.atproto.server.confirmEmail", s.handleServerConfirmEmail, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 629 + s.echo.POST("/xrpc/com.atproto.server.requestEmailConfirmation", s.handleServerRequestEmailConfirmation, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 438 630 s.echo.POST("/xrpc/com.atproto.server.requestPasswordReset", s.handleServerRequestPasswordReset) // AUTH NOT REQUIRED FOR THIS ONE 439 - s.echo.POST("/xrpc/com.atproto.server.requestEmailUpdate", s.handleServerRequestEmailUpdate, s.handleSessionMiddleware) 440 - s.echo.POST("/xrpc/com.atproto.server.resetPassword", s.handleServerResetPassword, s.handleSessionMiddleware) 441 - s.echo.POST("/xrpc/com.atproto.server.updateEmail", s.handleServerUpdateEmail, s.handleSessionMiddleware) 631 + s.echo.POST("/xrpc/com.atproto.server.requestEmailUpdate", s.handleServerRequestEmailUpdate, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 632 + s.echo.POST("/xrpc/com.atproto.server.resetPassword", s.handleServerResetPassword, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 633 + s.echo.POST("/xrpc/com.atproto.server.updateEmail", s.handleServerUpdateEmail, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 634 + s.echo.GET("/xrpc/com.atproto.server.getServiceAuth", s.handleServerGetServiceAuth, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 442 635 443 636 // repo 444 - s.echo.POST("/xrpc/com.atproto.repo.createRecord", s.handleCreateRecord, s.handleSessionMiddleware) 445 - s.echo.POST("/xrpc/com.atproto.repo.putRecord", s.handlePutRecord, s.handleSessionMiddleware) 446 - s.echo.POST("/xrpc/com.atproto.repo.deleteRecord", s.handleDeleteRecord, s.handleSessionMiddleware) 447 - s.echo.POST("/xrpc/com.atproto.repo.applyWrites", s.handleApplyWrites, s.handleSessionMiddleware) 448 - s.echo.POST("/xrpc/com.atproto.repo.uploadBlob", s.handleRepoUploadBlob, s.handleSessionMiddleware) 449 - s.echo.POST("/xrpc/com.atproto.repo.importRepo", s.handleRepoImportRepo, s.handleSessionMiddleware) 637 + s.echo.POST("/xrpc/com.atproto.repo.createRecord", s.handleCreateRecord, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 638 + s.echo.POST("/xrpc/com.atproto.repo.putRecord", s.handlePutRecord, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 639 + s.echo.POST("/xrpc/com.atproto.repo.deleteRecord", s.handleDeleteRecord, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 640 + s.echo.POST("/xrpc/com.atproto.repo.applyWrites", s.handleApplyWrites, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 641 + s.echo.POST("/xrpc/com.atproto.repo.uploadBlob", s.handleRepoUploadBlob, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 642 + s.echo.POST("/xrpc/com.atproto.repo.importRepo", s.handleRepoImportRepo, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 450 643 451 644 // stupid silly endpoints 452 - s.echo.GET("/xrpc/app.bsky.actor.getPreferences", s.handleActorGetPreferences, s.handleSessionMiddleware) 453 - s.echo.POST("/xrpc/app.bsky.actor.putPreferences", s.handleActorPutPreferences, s.handleSessionMiddleware) 645 + s.echo.GET("/xrpc/app.bsky.actor.getPreferences", s.handleActorGetPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 646 + s.echo.POST("/xrpc/app.bsky.actor.putPreferences", s.handleActorPutPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 454 647 455 648 // are there any routes that we should be allowing without auth? i dont think so but idk 456 - s.echo.GET("/xrpc/*", s.handleProxy, s.handleSessionMiddleware) 457 - s.echo.POST("/xrpc/*", s.handleProxy, s.handleSessionMiddleware) 649 + s.echo.GET("/xrpc/*", s.handleProxy, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 650 + s.echo.POST("/xrpc/*", s.handleProxy, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 458 651 459 652 // admin routes 460 653 s.echo.POST("/xrpc/com.atproto.server.createInviteCode", s.handleCreateInviteCode, s.handleAdminMiddleware) ··· 476 669 &models.Record{}, 477 670 &models.Blob{}, 478 671 &models.BlobPart{}, 672 + &provider.OauthToken{}, 673 + &provider.OauthAuthorizationRequest{}, 479 674 ) 480 675 481 676 s.logger.Info("starting cocoon")
+4
server/static/pico.css
··· 1 + @charset "UTF-8";/*! 2 + * Pico CSS ✨ v2.1.1 (https://picocss.com) 3 + * Copyright 2019-2025 - Licensed under MIT 4 + */:host,:root{--pico-font-family-emoji:"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--pico-font-family-sans-serif:system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,Cantarell,Helvetica,Arial,"Helvetica Neue",sans-serif,var(--pico-font-family-emoji);--pico-font-family-monospace:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace,var(--pico-font-family-emoji);--pico-font-family:var(--pico-font-family-sans-serif);--pico-line-height:1.5;--pico-font-weight:400;--pico-font-size:100%;--pico-text-underline-offset:0.1rem;--pico-border-radius:0.25rem;--pico-border-width:0.0625rem;--pico-outline-width:0.125rem;--pico-transition:0.2s ease-in-out;--pico-spacing:1rem;--pico-typography-spacing-vertical:1rem;--pico-block-spacing-vertical:var(--pico-spacing);--pico-block-spacing-horizontal:var(--pico-spacing);--pico-grid-column-gap:var(--pico-spacing);--pico-grid-row-gap:var(--pico-spacing);--pico-form-element-spacing-vertical:0.75rem;--pico-form-element-spacing-horizontal:1rem;--pico-group-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-group-box-shadow-focus-with-button:0 0 0 var(--pico-outline-width) var(--pico-primary-focus);--pico-group-box-shadow-focus-with-input:0 0 0 0.0625rem var(--pico-form-element-border-color);--pico-modal-overlay-backdrop-filter:blur(0.375rem);--pico-nav-element-spacing-vertical:1rem;--pico-nav-element-spacing-horizontal:0.5rem;--pico-nav-link-spacing-vertical:0.5rem;--pico-nav-link-spacing-horizontal:0.5rem;--pico-nav-breadcrumb-divider:">";--pico-icon-checkbox:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(255, 255, 255)' stroke-width='4' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='20 6 9 17 4 12'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-minus:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(255, 255, 255)' stroke-width='4' stroke-linecap='round' stroke-linejoin='round'%3E%3Cline x1='5' y1='12' x2='19' y2='12'%3E%3C/line%3E%3C/svg%3E");--pico-icon-chevron:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='6 9 12 15 18 9'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-date:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Crect x='3' y='4' width='18' height='18' rx='2' ry='2'%3E%3C/rect%3E%3Cline x1='16' y1='2' x2='16' y2='6'%3E%3C/line%3E%3Cline x1='8' y1='2' x2='8' y2='6'%3E%3C/line%3E%3Cline x1='3' y1='10' x2='21' y2='10'%3E%3C/line%3E%3C/svg%3E");--pico-icon-time:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'%3E%3C/circle%3E%3Cpolyline points='12 6 12 12 16 14'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-search:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='11' cy='11' r='8'%3E%3C/circle%3E%3Cline x1='21' y1='21' x2='16.65' y2='16.65'%3E%3C/line%3E%3C/svg%3E");--pico-icon-close:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(136, 145, 164)' stroke-width='3' stroke-linecap='round' stroke-linejoin='round'%3E%3Cline x1='18' y1='6' x2='6' y2='18'%3E%3C/line%3E%3Cline x1='6' y1='6' x2='18' y2='18'%3E%3C/line%3E%3C/svg%3E");--pico-icon-loading:url("data:image/svg+xml,%3Csvg fill='none' height='24' width='24' viewBox='0 0 24 24' xmlns='http://www.w3.org/2000/svg' %3E%3Cstyle%3E g %7B animation: rotate 2s linear infinite; transform-origin: center center; %7D circle %7B stroke-dasharray: 75,100; stroke-dashoffset: -5; animation: dash 1.5s ease-in-out infinite; stroke-linecap: round; %7D @keyframes rotate %7B 0%25 %7B transform: rotate(0deg); %7D 100%25 %7B transform: rotate(360deg); %7D %7D @keyframes dash %7B 0%25 %7B stroke-dasharray: 1,100; stroke-dashoffset: 0; %7D 50%25 %7B stroke-dasharray: 44.5,100; stroke-dashoffset: -17.5; %7D 100%25 %7B stroke-dasharray: 44.5,100; stroke-dashoffset: -62; %7D %7D %3C/style%3E%3Cg%3E%3Ccircle cx='12' cy='12' r='10' fill='none' stroke='rgb(136, 145, 164)' stroke-width='4' /%3E%3C/g%3E%3C/svg%3E")}@media (min-width:576px){:host,:root{--pico-font-size:106.25%}}@media (min-width:768px){:host,:root{--pico-font-size:112.5%}}@media (min-width:1024px){:host,:root{--pico-font-size:118.75%}}@media (min-width:1280px){:host,:root{--pico-font-size:125%}}@media (min-width:1536px){:host,:root{--pico-font-size:131.25%}}a{--pico-text-decoration:underline}a.contrast,a.secondary{--pico-text-decoration:underline}small{--pico-font-size:0.875em}h1,h2,h3,h4,h5,h6{--pico-font-weight:700}h1{--pico-font-size:2rem;--pico-line-height:1.125;--pico-typography-spacing-top:3rem}h2{--pico-font-size:1.75rem;--pico-line-height:1.15;--pico-typography-spacing-top:2.625rem}h3{--pico-font-size:1.5rem;--pico-line-height:1.175;--pico-typography-spacing-top:2.25rem}h4{--pico-font-size:1.25rem;--pico-line-height:1.2;--pico-typography-spacing-top:1.874rem}h5{--pico-font-size:1.125rem;--pico-line-height:1.225;--pico-typography-spacing-top:1.6875rem}h6{--pico-font-size:1rem;--pico-line-height:1.25;--pico-typography-spacing-top:1.5rem}tfoot td,tfoot th,thead td,thead th{--pico-font-weight:600;--pico-border-width:0.1875rem}code,kbd,pre,samp{--pico-font-family:var(--pico-font-family-monospace)}kbd{--pico-font-weight:bolder}:where(select,textarea),input:not([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]){--pico-outline-width:0.0625rem}[type=search]{--pico-border-radius:5rem}[type=checkbox],[type=radio]{--pico-border-width:0.125rem}[type=checkbox][role=switch]{--pico-border-width:0.1875rem}details.dropdown summary:not([role=button]){--pico-outline-width:0.0625rem}nav details.dropdown summary:focus-visible{--pico-outline-width:0.125rem}[role=search]{--pico-border-radius:5rem}[role=group]:has(button.secondary:focus,[type=submit].secondary:focus,[type=button].secondary:focus,[role=button].secondary:focus),[role=search]:has(button.secondary:focus,[type=submit].secondary:focus,[type=button].secondary:focus,[role=button].secondary:focus){--pico-group-box-shadow-focus-with-button:0 0 0 var(--pico-outline-width) var(--pico-secondary-focus)}[role=group]:has(button.contrast:focus,[type=submit].contrast:focus,[type=button].contrast:focus,[role=button].contrast:focus),[role=search]:has(button.contrast:focus,[type=submit].contrast:focus,[type=button].contrast:focus,[role=button].contrast:focus){--pico-group-box-shadow-focus-with-button:0 0 0 var(--pico-outline-width) var(--pico-contrast-focus)}[role=group] [role=button],[role=group] [type=button],[role=group] [type=submit],[role=group] button,[role=search] [role=button],[role=search] [type=button],[role=search] [type=submit],[role=search] button{--pico-form-element-spacing-horizontal:2rem}details summary[role=button]:not(.outline)::after{filter:brightness(0) invert(1)}[aria-busy=true]:not(input,select,textarea):is(button,[type=submit],[type=button],[type=reset],[role=button]):not(.outline)::before{filter:brightness(0) invert(1)}:host(:not([data-theme=dark])),:root:not([data-theme=dark]),[data-theme=light]{color-scheme:light;--pico-background-color:#fff;--pico-color:#373c44;--pico-text-selection-color:rgba(116, 139, 248, 0.25);--pico-muted-color:#646b79;--pico-muted-border-color:rgb(231, 234, 239.5);--pico-primary:#2060df;--pico-primary-background:#2060df;--pico-primary-border:var(--pico-primary-background);--pico-primary-underline:rgba(32, 96, 223, 0.5);--pico-primary-hover:#184eb8;--pico-primary-hover-background:#1d59d0;--pico-primary-hover-border:var(--pico-primary-hover-background);--pico-primary-hover-underline:var(--pico-primary-hover);--pico-primary-focus:rgba(116, 139, 248, 0.5);--pico-primary-inverse:#fff;--pico-secondary:#5d6b89;--pico-secondary-background:#525f7a;--pico-secondary-border:var(--pico-secondary-background);--pico-secondary-underline:rgba(93, 107, 137, 0.5);--pico-secondary-hover:#48536b;--pico-secondary-hover-background:#48536b;--pico-secondary-hover-border:var(--pico-secondary-hover-background);--pico-secondary-hover-underline:var(--pico-secondary-hover);--pico-secondary-focus:rgba(93, 107, 137, 0.25);--pico-secondary-inverse:#fff;--pico-contrast:#181c25;--pico-contrast-background:#181c25;--pico-contrast-border:var(--pico-contrast-background);--pico-contrast-underline:rgba(24, 28, 37, 0.5);--pico-contrast-hover:#000;--pico-contrast-hover-background:#000;--pico-contrast-hover-border:var(--pico-contrast-hover-background);--pico-contrast-hover-underline:var(--pico-secondary-hover);--pico-contrast-focus:rgba(93, 107, 137, 0.25);--pico-contrast-inverse:#fff;--pico-box-shadow:0.0145rem 0.029rem 0.174rem rgba(129, 145, 181, 0.01698),0.0335rem 0.067rem 0.402rem rgba(129, 145, 181, 0.024),0.0625rem 0.125rem 0.75rem rgba(129, 145, 181, 0.03),0.1125rem 0.225rem 1.35rem rgba(129, 145, 181, 0.036),0.2085rem 0.417rem 2.502rem rgba(129, 145, 181, 0.04302),0.5rem 1rem 6rem rgba(129, 145, 181, 0.06),0 0 0 0.0625rem rgba(129, 145, 181, 0.015);--pico-h1-color:#2d3138;--pico-h2-color:#373c44;--pico-h3-color:#424751;--pico-h4-color:#4d535e;--pico-h5-color:#5c6370;--pico-h6-color:#646b79;--pico-mark-background-color:rgb(252.5, 230.5, 191.5);--pico-mark-color:#0f1114;--pico-ins-color:rgb(28.5, 105.5, 84);--pico-del-color:rgb(136, 56.5, 53);--pico-blockquote-border-color:var(--pico-muted-border-color);--pico-blockquote-footer-color:var(--pico-muted-color);--pico-button-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-button-hover-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-table-border-color:var(--pico-muted-border-color);--pico-table-row-stripped-background-color:rgba(111, 120, 135, 0.0375);--pico-code-background-color:rgb(243, 244.5, 246.75);--pico-code-color:#646b79;--pico-code-kbd-background-color:var(--pico-color);--pico-code-kbd-color:var(--pico-background-color);--pico-form-element-background-color:rgb(251, 251.5, 252.25);--pico-form-element-selected-background-color:#dfe3eb;--pico-form-element-border-color:#cfd5e2;--pico-form-element-color:#23262c;--pico-form-element-placeholder-color:var(--pico-muted-color);--pico-form-element-active-background-color:#fff;--pico-form-element-active-border-color:var(--pico-primary-border);--pico-form-element-focus-color:var(--pico-primary-border);--pico-form-element-disabled-opacity:0.5;--pico-form-element-invalid-border-color:rgb(183.5, 105.5, 106.5);--pico-form-element-invalid-active-border-color:rgb(200.25, 79.25, 72.25);--pico-form-element-invalid-focus-color:var(--pico-form-element-invalid-active-border-color);--pico-form-element-valid-border-color:rgb(76, 154.5, 137.5);--pico-form-element-valid-active-border-color:rgb(39, 152.75, 118.75);--pico-form-element-valid-focus-color:var(--pico-form-element-valid-active-border-color);--pico-switch-background-color:#bfc7d9;--pico-switch-checked-background-color:var(--pico-primary-background);--pico-switch-color:#fff;--pico-switch-thumb-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-range-border-color:#dfe3eb;--pico-range-active-border-color:#bfc7d9;--pico-range-thumb-border-color:var(--pico-background-color);--pico-range-thumb-color:var(--pico-secondary-background);--pico-range-thumb-active-color:var(--pico-primary-background);--pico-accordion-border-color:var(--pico-muted-border-color);--pico-accordion-active-summary-color:var(--pico-primary-hover);--pico-accordion-close-summary-color:var(--pico-color);--pico-accordion-open-summary-color:var(--pico-muted-color);--pico-card-background-color:var(--pico-background-color);--pico-card-border-color:var(--pico-muted-border-color);--pico-card-box-shadow:var(--pico-box-shadow);--pico-card-sectioning-background-color:rgb(251, 251.5, 252.25);--pico-dropdown-background-color:#fff;--pico-dropdown-border-color:#eff1f4;--pico-dropdown-box-shadow:var(--pico-box-shadow);--pico-dropdown-color:var(--pico-color);--pico-dropdown-hover-background-color:#eff1f4;--pico-loading-spinner-opacity:0.5;--pico-modal-overlay-background-color:rgba(232, 234, 237, 0.75);--pico-progress-background-color:#dfe3eb;--pico-progress-color:var(--pico-primary-background);--pico-tooltip-background-color:var(--pico-contrast-background);--pico-tooltip-color:var(--pico-contrast-inverse);--pico-icon-valid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(76, 154.5, 137.5)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='20 6 9 17 4 12'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-invalid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(200.25, 79.25, 72.25)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'%3E%3C/circle%3E%3Cline x1='12' y1='8' x2='12' y2='12'%3E%3C/line%3E%3Cline x1='12' y1='16' x2='12.01' y2='16'%3E%3C/line%3E%3C/svg%3E")}:host(:not([data-theme=dark])) input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]),:root:not([data-theme=dark]) input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]),[data-theme=light] input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]){--pico-form-element-focus-color:var(--pico-primary-focus)}@media only screen and (prefers-color-scheme:dark){:host(:not([data-theme])),:root:not([data-theme]){color-scheme:dark;--pico-background-color:rgb(19, 22.5, 30.5);--pico-color:#c2c7d0;--pico-text-selection-color:rgba(137, 153, 249, 0.1875);--pico-muted-color:#7b8495;--pico-muted-border-color:#202632;--pico-primary:#8999f9;--pico-primary-background:#2060df;--pico-primary-border:var(--pico-primary-background);--pico-primary-underline:rgba(137, 153, 249, 0.5);--pico-primary-hover:#aeb5fb;--pico-primary-hover-background:#3c71f7;--pico-primary-hover-border:var(--pico-primary-hover-background);--pico-primary-hover-underline:var(--pico-primary-hover);--pico-primary-focus:rgba(137, 153, 249, 0.375);--pico-primary-inverse:#fff;--pico-secondary:#969eaf;--pico-secondary-background:#525f7a;--pico-secondary-border:var(--pico-secondary-background);--pico-secondary-underline:rgba(150, 158, 175, 0.5);--pico-secondary-hover:#b3b9c5;--pico-secondary-hover-background:#5d6b89;--pico-secondary-hover-border:var(--pico-secondary-hover-background);--pico-secondary-hover-underline:var(--pico-secondary-hover);--pico-secondary-focus:rgba(144, 158, 190, 0.25);--pico-secondary-inverse:#fff;--pico-contrast:#dfe3eb;--pico-contrast-background:#eff1f4;--pico-contrast-border:var(--pico-contrast-background);--pico-contrast-underline:rgba(223, 227, 235, 0.5);--pico-contrast-hover:#fff;--pico-contrast-hover-background:#fff;--pico-contrast-hover-border:var(--pico-contrast-hover-background);--pico-contrast-hover-underline:var(--pico-contrast-hover);--pico-contrast-focus:rgba(207, 213, 226, 0.25);--pico-contrast-inverse:#000;--pico-box-shadow:0.0145rem 0.029rem 0.174rem rgba(7, 8.5, 12, 0.01698),0.0335rem 0.067rem 0.402rem rgba(7, 8.5, 12, 0.024),0.0625rem 0.125rem 0.75rem rgba(7, 8.5, 12, 0.03),0.1125rem 0.225rem 1.35rem rgba(7, 8.5, 12, 0.036),0.2085rem 0.417rem 2.502rem rgba(7, 8.5, 12, 0.04302),0.5rem 1rem 6rem rgba(7, 8.5, 12, 0.06),0 0 0 0.0625rem rgba(7, 8.5, 12, 0.015);--pico-h1-color:#f0f1f3;--pico-h2-color:#e0e3e7;--pico-h3-color:#c2c7d0;--pico-h4-color:#b3b9c5;--pico-h5-color:#a4acba;--pico-h6-color:#8891a4;--pico-mark-background-color:#014063;--pico-mark-color:#fff;--pico-ins-color:#62af9a;--pico-del-color:rgb(205.5, 126, 123);--pico-blockquote-border-color:var(--pico-muted-border-color);--pico-blockquote-footer-color:var(--pico-muted-color);--pico-button-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-button-hover-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-table-border-color:var(--pico-muted-border-color);--pico-table-row-stripped-background-color:rgba(111, 120, 135, 0.0375);--pico-code-background-color:rgb(26, 30.5, 40.25);--pico-code-color:#8891a4;--pico-code-kbd-background-color:var(--pico-color);--pico-code-kbd-color:var(--pico-background-color);--pico-form-element-background-color:rgb(28, 33, 43.5);--pico-form-element-selected-background-color:#2a3140;--pico-form-element-border-color:#2a3140;--pico-form-element-color:#e0e3e7;--pico-form-element-placeholder-color:#8891a4;--pico-form-element-active-background-color:rgb(26, 30.5, 40.25);--pico-form-element-active-border-color:var(--pico-primary-border);--pico-form-element-focus-color:var(--pico-primary-border);--pico-form-element-disabled-opacity:0.5;--pico-form-element-invalid-border-color:rgb(149.5, 74, 80);--pico-form-element-invalid-active-border-color:rgb(183.25, 63.5, 59);--pico-form-element-invalid-focus-color:var(--pico-form-element-invalid-active-border-color);--pico-form-element-valid-border-color:#2a7b6f;--pico-form-element-valid-active-border-color:rgb(22, 137, 105.5);--pico-form-element-valid-focus-color:var(--pico-form-element-valid-active-border-color);--pico-switch-background-color:#333c4e;--pico-switch-checked-background-color:var(--pico-primary-background);--pico-switch-color:#fff;--pico-switch-thumb-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-range-border-color:#202632;--pico-range-active-border-color:#2a3140;--pico-range-thumb-border-color:var(--pico-background-color);--pico-range-thumb-color:var(--pico-secondary-background);--pico-range-thumb-active-color:var(--pico-primary-background);--pico-accordion-border-color:var(--pico-muted-border-color);--pico-accordion-active-summary-color:var(--pico-primary-hover);--pico-accordion-close-summary-color:var(--pico-color);--pico-accordion-open-summary-color:var(--pico-muted-color);--pico-card-background-color:#181c25;--pico-card-border-color:var(--pico-card-background-color);--pico-card-box-shadow:var(--pico-box-shadow);--pico-card-sectioning-background-color:rgb(26, 30.5, 40.25);--pico-dropdown-background-color:#181c25;--pico-dropdown-border-color:#202632;--pico-dropdown-box-shadow:var(--pico-box-shadow);--pico-dropdown-color:var(--pico-color);--pico-dropdown-hover-background-color:#202632;--pico-loading-spinner-opacity:0.5;--pico-modal-overlay-background-color:rgba(7.5, 8.5, 10, 0.75);--pico-progress-background-color:#202632;--pico-progress-color:var(--pico-primary-background);--pico-tooltip-background-color:var(--pico-contrast-background);--pico-tooltip-color:var(--pico-contrast-inverse);--pico-icon-valid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(42, 123, 111)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='20 6 9 17 4 12'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-invalid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(149.5, 74, 80)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'%3E%3C/circle%3E%3Cline x1='12' y1='8' x2='12' y2='12'%3E%3C/line%3E%3Cline x1='12' y1='16' x2='12.01' y2='16'%3E%3C/line%3E%3C/svg%3E")}:host(:not([data-theme])) input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]),:root:not([data-theme]) input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]){--pico-form-element-focus-color:var(--pico-primary-focus)}:host(:not([data-theme])) details summary[role=button].contrast:not(.outline)::after,:root:not([data-theme]) details summary[role=button].contrast:not(.outline)::after{filter:brightness(0)}:host(:not([data-theme])) [aria-busy=true]:not(input,select,textarea).contrast:is(button,[type=submit],[type=button],[type=reset],[role=button]):not(.outline)::before,:root:not([data-theme]) [aria-busy=true]:not(input,select,textarea).contrast:is(button,[type=submit],[type=button],[type=reset],[role=button]):not(.outline)::before{filter:brightness(0)}}[data-theme=dark]{color-scheme:dark;--pico-background-color:rgb(19, 22.5, 30.5);--pico-color:#c2c7d0;--pico-text-selection-color:rgba(137, 153, 249, 0.1875);--pico-muted-color:#7b8495;--pico-muted-border-color:#202632;--pico-primary:#8999f9;--pico-primary-background:#2060df;--pico-primary-border:var(--pico-primary-background);--pico-primary-underline:rgba(137, 153, 249, 0.5);--pico-primary-hover:#aeb5fb;--pico-primary-hover-background:#3c71f7;--pico-primary-hover-border:var(--pico-primary-hover-background);--pico-primary-hover-underline:var(--pico-primary-hover);--pico-primary-focus:rgba(137, 153, 249, 0.375);--pico-primary-inverse:#fff;--pico-secondary:#969eaf;--pico-secondary-background:#525f7a;--pico-secondary-border:var(--pico-secondary-background);--pico-secondary-underline:rgba(150, 158, 175, 0.5);--pico-secondary-hover:#b3b9c5;--pico-secondary-hover-background:#5d6b89;--pico-secondary-hover-border:var(--pico-secondary-hover-background);--pico-secondary-hover-underline:var(--pico-secondary-hover);--pico-secondary-focus:rgba(144, 158, 190, 0.25);--pico-secondary-inverse:#fff;--pico-contrast:#dfe3eb;--pico-contrast-background:#eff1f4;--pico-contrast-border:var(--pico-contrast-background);--pico-contrast-underline:rgba(223, 227, 235, 0.5);--pico-contrast-hover:#fff;--pico-contrast-hover-background:#fff;--pico-contrast-hover-border:var(--pico-contrast-hover-background);--pico-contrast-hover-underline:var(--pico-contrast-hover);--pico-contrast-focus:rgba(207, 213, 226, 0.25);--pico-contrast-inverse:#000;--pico-box-shadow:0.0145rem 0.029rem 0.174rem rgba(7, 8.5, 12, 0.01698),0.0335rem 0.067rem 0.402rem rgba(7, 8.5, 12, 0.024),0.0625rem 0.125rem 0.75rem rgba(7, 8.5, 12, 0.03),0.1125rem 0.225rem 1.35rem rgba(7, 8.5, 12, 0.036),0.2085rem 0.417rem 2.502rem rgba(7, 8.5, 12, 0.04302),0.5rem 1rem 6rem rgba(7, 8.5, 12, 0.06),0 0 0 0.0625rem rgba(7, 8.5, 12, 0.015);--pico-h1-color:#f0f1f3;--pico-h2-color:#e0e3e7;--pico-h3-color:#c2c7d0;--pico-h4-color:#b3b9c5;--pico-h5-color:#a4acba;--pico-h6-color:#8891a4;--pico-mark-background-color:#014063;--pico-mark-color:#fff;--pico-ins-color:#62af9a;--pico-del-color:rgb(205.5, 126, 123);--pico-blockquote-border-color:var(--pico-muted-border-color);--pico-blockquote-footer-color:var(--pico-muted-color);--pico-button-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-button-hover-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-table-border-color:var(--pico-muted-border-color);--pico-table-row-stripped-background-color:rgba(111, 120, 135, 0.0375);--pico-code-background-color:rgb(26, 30.5, 40.25);--pico-code-color:#8891a4;--pico-code-kbd-background-color:var(--pico-color);--pico-code-kbd-color:var(--pico-background-color);--pico-form-element-background-color:rgb(28, 33, 43.5);--pico-form-element-selected-background-color:#2a3140;--pico-form-element-border-color:#2a3140;--pico-form-element-color:#e0e3e7;--pico-form-element-placeholder-color:#8891a4;--pico-form-element-active-background-color:rgb(26, 30.5, 40.25);--pico-form-element-active-border-color:var(--pico-primary-border);--pico-form-element-focus-color:var(--pico-primary-border);--pico-form-element-disabled-opacity:0.5;--pico-form-element-invalid-border-color:rgb(149.5, 74, 80);--pico-form-element-invalid-active-border-color:rgb(183.25, 63.5, 59);--pico-form-element-invalid-focus-color:var(--pico-form-element-invalid-active-border-color);--pico-form-element-valid-border-color:#2a7b6f;--pico-form-element-valid-active-border-color:rgb(22, 137, 105.5);--pico-form-element-valid-focus-color:var(--pico-form-element-valid-active-border-color);--pico-switch-background-color:#333c4e;--pico-switch-checked-background-color:var(--pico-primary-background);--pico-switch-color:#fff;--pico-switch-thumb-box-shadow:0 0 0 rgba(0, 0, 0, 0);--pico-range-border-color:#202632;--pico-range-active-border-color:#2a3140;--pico-range-thumb-border-color:var(--pico-background-color);--pico-range-thumb-color:var(--pico-secondary-background);--pico-range-thumb-active-color:var(--pico-primary-background);--pico-accordion-border-color:var(--pico-muted-border-color);--pico-accordion-active-summary-color:var(--pico-primary-hover);--pico-accordion-close-summary-color:var(--pico-color);--pico-accordion-open-summary-color:var(--pico-muted-color);--pico-card-background-color:#181c25;--pico-card-border-color:var(--pico-card-background-color);--pico-card-box-shadow:var(--pico-box-shadow);--pico-card-sectioning-background-color:rgb(26, 30.5, 40.25);--pico-dropdown-background-color:#181c25;--pico-dropdown-border-color:#202632;--pico-dropdown-box-shadow:var(--pico-box-shadow);--pico-dropdown-color:var(--pico-color);--pico-dropdown-hover-background-color:#202632;--pico-loading-spinner-opacity:0.5;--pico-modal-overlay-background-color:rgba(7.5, 8.5, 10, 0.75);--pico-progress-background-color:#202632;--pico-progress-color:var(--pico-primary-background);--pico-tooltip-background-color:var(--pico-contrast-background);--pico-tooltip-color:var(--pico-contrast-inverse);--pico-icon-valid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(42, 123, 111)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='20 6 9 17 4 12'%3E%3C/polyline%3E%3C/svg%3E");--pico-icon-invalid:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='rgb(149.5, 74, 80)' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'%3E%3C/circle%3E%3Cline x1='12' y1='8' x2='12' y2='12'%3E%3C/line%3E%3Cline x1='12' y1='16' x2='12.01' y2='16'%3E%3C/line%3E%3C/svg%3E")}[data-theme=dark] input:is([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[type=file]){--pico-form-element-focus-color:var(--pico-primary-focus)}[data-theme=dark] details summary[role=button].contrast:not(.outline)::after{filter:brightness(0)}[data-theme=dark] [aria-busy=true]:not(input,select,textarea).contrast:is(button,[type=submit],[type=button],[type=reset],[role=button]):not(.outline)::before{filter:brightness(0)}[type=checkbox],[type=radio],[type=range],progress{accent-color:var(--pico-primary)}*,::after,::before{box-sizing:border-box;background-repeat:no-repeat}::after,::before{text-decoration:inherit;vertical-align:inherit}:where(:host),:where(:root){-webkit-tap-highlight-color:transparent;-webkit-text-size-adjust:100%;-moz-text-size-adjust:100%;text-size-adjust:100%;background-color:var(--pico-background-color);color:var(--pico-color);font-weight:var(--pico-font-weight);font-size:var(--pico-font-size);line-height:var(--pico-line-height);font-family:var(--pico-font-family);text-underline-offset:var(--pico-text-underline-offset);text-rendering:optimizeLegibility;overflow-wrap:break-word;-moz-tab-size:4;-o-tab-size:4;tab-size:4}body{width:100%;margin:0}main{display:block}body>footer,body>header,body>main{padding-block:var(--pico-block-spacing-vertical)}section{margin-bottom:var(--pico-block-spacing-vertical)}.container,.container-fluid{width:100%;margin-right:auto;margin-left:auto;padding-right:var(--pico-spacing);padding-left:var(--pico-spacing)}@media (min-width:576px){.container{max-width:510px;padding-right:0;padding-left:0}}@media (min-width:768px){.container{max-width:700px}}@media (min-width:1024px){.container{max-width:950px}}@media (min-width:1280px){.container{max-width:1200px}}@media (min-width:1536px){.container{max-width:1450px}}.grid{grid-column-gap:var(--pico-grid-column-gap);grid-row-gap:var(--pico-grid-row-gap);display:grid;grid-template-columns:1fr}@media (min-width:768px){.grid{grid-template-columns:repeat(auto-fit,minmax(0%,1fr))}}.grid>*{min-width:0}.overflow-auto{overflow:auto}b,strong{font-weight:bolder}sub,sup{position:relative;font-size:.75em;line-height:0;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}address,blockquote,dl,ol,p,pre,table,ul{margin-top:0;margin-bottom:var(--pico-typography-spacing-vertical);color:var(--pico-color);font-style:normal;font-weight:var(--pico-font-weight)}h1,h2,h3,h4,h5,h6{margin-top:0;margin-bottom:var(--pico-typography-spacing-vertical);color:var(--pico-color);font-weight:var(--pico-font-weight);font-size:var(--pico-font-size);line-height:var(--pico-line-height);font-family:var(--pico-font-family)}h1{--pico-color:var(--pico-h1-color)}h2{--pico-color:var(--pico-h2-color)}h3{--pico-color:var(--pico-h3-color)}h4{--pico-color:var(--pico-h4-color)}h5{--pico-color:var(--pico-h5-color)}h6{--pico-color:var(--pico-h6-color)}:where(article,address,blockquote,dl,figure,form,ol,p,pre,table,ul)~:is(h1,h2,h3,h4,h5,h6){margin-top:var(--pico-typography-spacing-top)}p{margin-bottom:var(--pico-typography-spacing-vertical)}hgroup{margin-bottom:var(--pico-typography-spacing-vertical)}hgroup>*{margin-top:0;margin-bottom:0}hgroup>:not(:first-child):last-child{--pico-color:var(--pico-muted-color);--pico-font-weight:unset;font-size:1rem}:where(ol,ul) li{margin-bottom:calc(var(--pico-typography-spacing-vertical) * .25)}:where(dl,ol,ul) :where(dl,ol,ul){margin:0;margin-top:calc(var(--pico-typography-spacing-vertical) * .25)}ul li{list-style:square}mark{padding:.125rem .25rem;background-color:var(--pico-mark-background-color);color:var(--pico-mark-color);vertical-align:baseline}blockquote{display:block;margin:var(--pico-typography-spacing-vertical) 0;padding:var(--pico-spacing);border-right:none;border-left:.25rem solid var(--pico-blockquote-border-color);border-inline-start:0.25rem solid var(--pico-blockquote-border-color);border-inline-end:none}blockquote footer{margin-top:calc(var(--pico-typography-spacing-vertical) * .5);color:var(--pico-blockquote-footer-color)}abbr[title]{border-bottom:1px dotted;text-decoration:none;cursor:help}ins{color:var(--pico-ins-color);text-decoration:none}del{color:var(--pico-del-color)}::-moz-selection{background-color:var(--pico-text-selection-color)}::selection{background-color:var(--pico-text-selection-color)}:where(a:not([role=button])),[role=link]{--pico-color:var(--pico-primary);--pico-background-color:transparent;--pico-underline:var(--pico-primary-underline);outline:0;background-color:var(--pico-background-color);color:var(--pico-color);-webkit-text-decoration:var(--pico-text-decoration);text-decoration:var(--pico-text-decoration);text-decoration-color:var(--pico-underline);text-underline-offset:0.125em;transition:background-color var(--pico-transition),color var(--pico-transition),box-shadow var(--pico-transition),-webkit-text-decoration var(--pico-transition);transition:background-color var(--pico-transition),color var(--pico-transition),text-decoration var(--pico-transition),box-shadow var(--pico-transition);transition:background-color var(--pico-transition),color var(--pico-transition),text-decoration var(--pico-transition),box-shadow var(--pico-transition),-webkit-text-decoration var(--pico-transition)}:where(a:not([role=button])):is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[role=link]:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-primary-hover);--pico-underline:var(--pico-primary-hover-underline);--pico-text-decoration:underline}:where(a:not([role=button])):focus-visible,[role=link]:focus-visible{box-shadow:0 0 0 var(--pico-outline-width) var(--pico-primary-focus)}:where(a:not([role=button])).secondary,[role=link].secondary{--pico-color:var(--pico-secondary);--pico-underline:var(--pico-secondary-underline)}:where(a:not([role=button])).secondary:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[role=link].secondary:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-secondary-hover);--pico-underline:var(--pico-secondary-hover-underline)}:where(a:not([role=button])).contrast,[role=link].contrast{--pico-color:var(--pico-contrast);--pico-underline:var(--pico-contrast-underline)}:where(a:not([role=button])).contrast:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[role=link].contrast:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-contrast-hover);--pico-underline:var(--pico-contrast-hover-underline)}a[role=button]{display:inline-block}button{margin:0;overflow:visible;font-family:inherit;text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[role=button],[type=button],[type=file]::file-selector-button,[type=reset],[type=submit],button{--pico-background-color:var(--pico-primary-background);--pico-border-color:var(--pico-primary-border);--pico-color:var(--pico-primary-inverse);--pico-box-shadow:var(--pico-button-box-shadow, 0 0 0 rgba(0, 0, 0, 0));padding:var(--pico-form-element-spacing-vertical) var(--pico-form-element-spacing-horizontal);border:var(--pico-border-width) solid var(--pico-border-color);border-radius:var(--pico-border-radius);outline:0;background-color:var(--pico-background-color);box-shadow:var(--pico-box-shadow);color:var(--pico-color);font-weight:var(--pico-font-weight);font-size:1rem;line-height:var(--pico-line-height);text-align:center;text-decoration:none;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;user-select:none;transition:background-color var(--pico-transition),border-color var(--pico-transition),color var(--pico-transition),box-shadow var(--pico-transition)}[role=button]:is(:hover,:active,:focus),[role=button]:is([aria-current]:not([aria-current=false])),[type=button]:is(:hover,:active,:focus),[type=button]:is([aria-current]:not([aria-current=false])),[type=file]::file-selector-button:is(:hover,:active,:focus),[type=file]::file-selector-button:is([aria-current]:not([aria-current=false])),[type=reset]:is(:hover,:active,:focus),[type=reset]:is([aria-current]:not([aria-current=false])),[type=submit]:is(:hover,:active,:focus),[type=submit]:is([aria-current]:not([aria-current=false])),button:is(:hover,:active,:focus),button:is([aria-current]:not([aria-current=false])){--pico-background-color:var(--pico-primary-hover-background);--pico-border-color:var(--pico-primary-hover-border);--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0));--pico-color:var(--pico-primary-inverse)}[role=button]:focus,[role=button]:is([aria-current]:not([aria-current=false])):focus,[type=button]:focus,[type=button]:is([aria-current]:not([aria-current=false])):focus,[type=file]::file-selector-button:focus,[type=file]::file-selector-button:is([aria-current]:not([aria-current=false])):focus,[type=reset]:focus,[type=reset]:is([aria-current]:not([aria-current=false])):focus,[type=submit]:focus,[type=submit]:is([aria-current]:not([aria-current=false])):focus,button:focus,button:is([aria-current]:not([aria-current=false])):focus{--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0)),0 0 0 var(--pico-outline-width) var(--pico-primary-focus)}[type=button],[type=reset],[type=submit]{margin-bottom:var(--pico-spacing)}:is(button,[type=submit],[type=button],[role=button]).secondary,[type=file]::file-selector-button,[type=reset]{--pico-background-color:var(--pico-secondary-background);--pico-border-color:var(--pico-secondary-border);--pico-color:var(--pico-secondary-inverse);cursor:pointer}:is(button,[type=submit],[type=button],[role=button]).secondary:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[type=file]::file-selector-button:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[type=reset]:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-background-color:var(--pico-secondary-hover-background);--pico-border-color:var(--pico-secondary-hover-border);--pico-color:var(--pico-secondary-inverse)}:is(button,[type=submit],[type=button],[role=button]).secondary:focus,:is(button,[type=submit],[type=button],[role=button]).secondary:is([aria-current]:not([aria-current=false])):focus,[type=file]::file-selector-button:focus,[type=file]::file-selector-button:is([aria-current]:not([aria-current=false])):focus,[type=reset]:focus,[type=reset]:is([aria-current]:not([aria-current=false])):focus{--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0)),0 0 0 var(--pico-outline-width) var(--pico-secondary-focus)}:is(button,[type=submit],[type=button],[role=button]).contrast{--pico-background-color:var(--pico-contrast-background);--pico-border-color:var(--pico-contrast-border);--pico-color:var(--pico-contrast-inverse)}:is(button,[type=submit],[type=button],[role=button]).contrast:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-background-color:var(--pico-contrast-hover-background);--pico-border-color:var(--pico-contrast-hover-border);--pico-color:var(--pico-contrast-inverse)}:is(button,[type=submit],[type=button],[role=button]).contrast:focus,:is(button,[type=submit],[type=button],[role=button]).contrast:is([aria-current]:not([aria-current=false])):focus{--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0)),0 0 0 var(--pico-outline-width) var(--pico-contrast-focus)}:is(button,[type=submit],[type=button],[role=button]).outline,[type=reset].outline{--pico-background-color:transparent;--pico-color:var(--pico-primary);--pico-border-color:var(--pico-primary)}:is(button,[type=submit],[type=button],[role=button]).outline:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[type=reset].outline:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-background-color:transparent;--pico-color:var(--pico-primary-hover);--pico-border-color:var(--pico-primary-hover)}:is(button,[type=submit],[type=button],[role=button]).outline.secondary,[type=reset].outline{--pico-color:var(--pico-secondary);--pico-border-color:var(--pico-secondary)}:is(button,[type=submit],[type=button],[role=button]).outline.secondary:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),[type=reset].outline:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-secondary-hover);--pico-border-color:var(--pico-secondary-hover)}:is(button,[type=submit],[type=button],[role=button]).outline.contrast{--pico-color:var(--pico-contrast);--pico-border-color:var(--pico-contrast)}:is(button,[type=submit],[type=button],[role=button]).outline.contrast:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){--pico-color:var(--pico-contrast-hover);--pico-border-color:var(--pico-contrast-hover)}:where(button,[type=submit],[type=reset],[type=button],[role=button])[disabled],:where(fieldset[disabled]) :is(button,[type=submit],[type=button],[type=reset],[role=button]){opacity:.5;pointer-events:none}:where(table){width:100%;border-collapse:collapse;border-spacing:0;text-indent:0}td,th{padding:calc(var(--pico-spacing)/ 2) var(--pico-spacing);border-bottom:var(--pico-border-width) solid var(--pico-table-border-color);background-color:var(--pico-background-color);color:var(--pico-color);font-weight:var(--pico-font-weight);text-align:left;text-align:start}tfoot td,tfoot th{border-top:var(--pico-border-width) solid var(--pico-table-border-color);border-bottom:0}table.striped tbody tr:nth-child(odd) td,table.striped tbody tr:nth-child(odd) th{background-color:var(--pico-table-row-stripped-background-color)}:where(audio,canvas,iframe,img,svg,video){vertical-align:middle}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}:where(iframe){border-style:none}img{max-width:100%;height:auto;border-style:none}:where(svg:not([fill])){fill:currentColor}svg:not(:host),svg:not(:root){overflow:hidden}code,kbd,pre,samp{font-size:.875em;font-family:var(--pico-font-family)}pre code,pre samp{font-size:inherit;font-family:inherit}pre{-ms-overflow-style:scrollbar;overflow:auto}code,kbd,pre,samp{border-radius:var(--pico-border-radius);background:var(--pico-code-background-color);color:var(--pico-code-color);font-weight:var(--pico-font-weight);line-height:initial}code,kbd,samp{display:inline-block;padding:.375rem}pre{display:block;margin-bottom:var(--pico-spacing);overflow-x:auto}pre>code,pre>samp{display:block;padding:var(--pico-spacing);background:0 0;line-height:var(--pico-line-height)}kbd{background-color:var(--pico-code-kbd-background-color);color:var(--pico-code-kbd-color);vertical-align:baseline}figure{display:block;margin:0;padding:0}figure figcaption{padding:calc(var(--pico-spacing) * .5) 0;color:var(--pico-muted-color)}hr{height:0;margin:var(--pico-typography-spacing-vertical) 0;border:0;border-top:1px solid var(--pico-muted-border-color);color:inherit}[hidden],template{display:none!important}canvas{display:inline-block}input,optgroup,select,textarea{margin:0;font-size:1rem;line-height:var(--pico-line-height);font-family:inherit;letter-spacing:inherit}input{overflow:visible}select{text-transform:none}legend{max-width:100%;padding:0;color:inherit;white-space:normal}textarea{overflow:auto}[type=checkbox],[type=radio]{padding:0}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}::-moz-focus-inner{padding:0;border-style:none}:-moz-focusring{outline:0}:-moz-ui-invalid{box-shadow:none}::-ms-expand{display:none}[type=file],[type=range]{padding:0;border-width:0}input:not([type=checkbox],[type=radio],[type=range]){height:calc(1rem * var(--pico-line-height) + var(--pico-form-element-spacing-vertical) * 2 + var(--pico-border-width) * 2)}fieldset{width:100%;margin:0;margin-bottom:var(--pico-spacing);padding:0;border:0}fieldset legend,label{display:block;margin-bottom:calc(var(--pico-spacing) * .375);color:var(--pico-color);font-weight:var(--pico-form-label-font-weight,var(--pico-font-weight))}fieldset legend{margin-bottom:calc(var(--pico-spacing) * .5)}button[type=submit],input:not([type=checkbox],[type=radio]),select,textarea{width:100%}input:not([type=checkbox],[type=radio],[type=range],[type=file]),select,textarea{-webkit-appearance:none;-moz-appearance:none;appearance:none;padding:var(--pico-form-element-spacing-vertical) var(--pico-form-element-spacing-horizontal)}input,select,textarea{--pico-background-color:var(--pico-form-element-background-color);--pico-border-color:var(--pico-form-element-border-color);--pico-color:var(--pico-form-element-color);--pico-box-shadow:none;border:var(--pico-border-width) solid var(--pico-border-color);border-radius:var(--pico-border-radius);outline:0;background-color:var(--pico-background-color);box-shadow:var(--pico-box-shadow);color:var(--pico-color);font-weight:var(--pico-font-weight);transition:background-color var(--pico-transition),border-color var(--pico-transition),color var(--pico-transition),box-shadow var(--pico-transition)}:where(select,textarea):not([readonly]):is(:active,:focus),input:not([type=submit],[type=button],[type=reset],[type=checkbox],[type=radio],[readonly]):is(:active,:focus){--pico-background-color:var(--pico-form-element-active-background-color)}:where(select,textarea):not([readonly]):is(:active,:focus),input:not([type=submit],[type=button],[type=reset],[role=switch],[readonly]):is(:active,:focus){--pico-border-color:var(--pico-form-element-active-border-color)}:where(select,textarea):not([readonly]):focus,input:not([type=submit],[type=button],[type=reset],[type=range],[type=file],[readonly]):focus{--pico-box-shadow:0 0 0 var(--pico-outline-width) var(--pico-form-element-focus-color)}:where(fieldset[disabled]) :is(input:not([type=submit],[type=button],[type=reset]),select,textarea),input:not([type=submit],[type=button],[type=reset])[disabled],label[aria-disabled=true],select[disabled],textarea[disabled]{opacity:var(--pico-form-element-disabled-opacity);pointer-events:none}label[aria-disabled=true] input[disabled]{opacity:1}:where(input,select,textarea):not([type=checkbox],[type=radio],[type=date],[type=datetime-local],[type=month],[type=time],[type=week],[type=range])[aria-invalid]{padding-right:calc(var(--pico-form-element-spacing-horizontal) + 1.5rem)!important;padding-left:var(--pico-form-element-spacing-horizontal);padding-inline-start:var(--pico-form-element-spacing-horizontal)!important;padding-inline-end:calc(var(--pico-form-element-spacing-horizontal) + 1.5rem)!important;background-position:center right .75rem;background-size:1rem auto;background-repeat:no-repeat}:where(input,select,textarea):not([type=checkbox],[type=radio],[type=date],[type=datetime-local],[type=month],[type=time],[type=week],[type=range])[aria-invalid=false]:not(select){background-image:var(--pico-icon-valid)}:where(input,select,textarea):not([type=checkbox],[type=radio],[type=date],[type=datetime-local],[type=month],[type=time],[type=week],[type=range])[aria-invalid=true]:not(select){background-image:var(--pico-icon-invalid)}:where(input,select,textarea)[aria-invalid=false]{--pico-border-color:var(--pico-form-element-valid-border-color)}:where(input,select,textarea)[aria-invalid=false]:is(:active,:focus){--pico-border-color:var(--pico-form-element-valid-active-border-color)!important}:where(input,select,textarea)[aria-invalid=false]:is(:active,:focus):not([type=checkbox],[type=radio]){--pico-box-shadow:0 0 0 var(--pico-outline-width) var(--pico-form-element-valid-focus-color)!important}:where(input,select,textarea)[aria-invalid=true]{--pico-border-color:var(--pico-form-element-invalid-border-color)}:where(input,select,textarea)[aria-invalid=true]:is(:active,:focus){--pico-border-color:var(--pico-form-element-invalid-active-border-color)!important}:where(input,select,textarea)[aria-invalid=true]:is(:active,:focus):not([type=checkbox],[type=radio]){--pico-box-shadow:0 0 0 var(--pico-outline-width) var(--pico-form-element-invalid-focus-color)!important}[dir=rtl] :where(input,select,textarea):not([type=checkbox],[type=radio]):is([aria-invalid],[aria-invalid=true],[aria-invalid=false]){background-position:center left .75rem}input::-webkit-input-placeholder,input::placeholder,select:invalid,textarea::-webkit-input-placeholder,textarea::placeholder{color:var(--pico-form-element-placeholder-color);opacity:1}input:not([type=checkbox],[type=radio]),select,textarea{margin-bottom:var(--pico-spacing)}select::-ms-expand{border:0;background-color:transparent}select:not([multiple],[size]){padding-right:calc(var(--pico-form-element-spacing-horizontal) + 1.5rem);padding-left:var(--pico-form-element-spacing-horizontal);padding-inline-start:var(--pico-form-element-spacing-horizontal);padding-inline-end:calc(var(--pico-form-element-spacing-horizontal) + 1.5rem);background-image:var(--pico-icon-chevron);background-position:center right .75rem;background-size:1rem auto;background-repeat:no-repeat}select[multiple] option:checked{background:var(--pico-form-element-selected-background-color);color:var(--pico-form-element-color)}[dir=rtl] select:not([multiple],[size]){background-position:center left .75rem}textarea{display:block;resize:vertical}textarea[aria-invalid]{--pico-icon-height:calc(1rem * var(--pico-line-height) + var(--pico-form-element-spacing-vertical) * 2 + var(--pico-border-width) * 2);background-position:top right .75rem!important;background-size:1rem var(--pico-icon-height)!important}:where(input,select,textarea,fieldset,.grid)+small{display:block;width:100%;margin-top:calc(var(--pico-spacing) * -.75);margin-bottom:var(--pico-spacing);color:var(--pico-muted-color)}:where(input,select,textarea,fieldset,.grid)[aria-invalid=false]+small{color:var(--pico-ins-color)}:where(input,select,textarea,fieldset,.grid)[aria-invalid=true]+small{color:var(--pico-del-color)}label>:where(input,select,textarea){margin-top:calc(var(--pico-spacing) * .25)}label:has([type=checkbox],[type=radio]){width:-moz-fit-content;width:fit-content;cursor:pointer}[type=checkbox],[type=radio]{-webkit-appearance:none;-moz-appearance:none;appearance:none;width:1.25em;height:1.25em;margin-top:-.125em;margin-inline-end:.5em;border-width:var(--pico-border-width);vertical-align:middle;cursor:pointer}[type=checkbox]::-ms-check,[type=radio]::-ms-check{display:none}[type=checkbox]:checked,[type=checkbox]:checked:active,[type=checkbox]:checked:focus,[type=radio]:checked,[type=radio]:checked:active,[type=radio]:checked:focus{--pico-background-color:var(--pico-primary-background);--pico-border-color:var(--pico-primary-border);background-image:var(--pico-icon-checkbox);background-position:center;background-size:.75em auto;background-repeat:no-repeat}[type=checkbox]~label,[type=radio]~label{display:inline-block;margin-bottom:0;cursor:pointer}[type=checkbox]~label:not(:last-of-type),[type=radio]~label:not(:last-of-type){margin-inline-end:1em}[type=checkbox]:indeterminate{--pico-background-color:var(--pico-primary-background);--pico-border-color:var(--pico-primary-border);background-image:var(--pico-icon-minus);background-position:center;background-size:.75em auto;background-repeat:no-repeat}[type=radio]{border-radius:50%}[type=radio]:checked,[type=radio]:checked:active,[type=radio]:checked:focus{--pico-background-color:var(--pico-primary-inverse);border-width:.35em;background-image:none}[type=checkbox][role=switch]{--pico-background-color:var(--pico-switch-background-color);--pico-color:var(--pico-switch-color);width:2.25em;height:1.25em;border:var(--pico-border-width) solid var(--pico-border-color);border-radius:1.25em;background-color:var(--pico-background-color);line-height:1.25em}[type=checkbox][role=switch]:not([aria-invalid]){--pico-border-color:var(--pico-switch-background-color)}[type=checkbox][role=switch]:before{display:block;aspect-ratio:1;height:100%;border-radius:50%;background-color:var(--pico-color);box-shadow:var(--pico-switch-thumb-box-shadow);content:"";transition:margin .1s ease-in-out}[type=checkbox][role=switch]:focus{--pico-background-color:var(--pico-switch-background-color);--pico-border-color:var(--pico-switch-background-color)}[type=checkbox][role=switch]:checked{--pico-background-color:var(--pico-switch-checked-background-color);--pico-border-color:var(--pico-switch-checked-background-color);background-image:none}[type=checkbox][role=switch]:checked::before{margin-inline-start:calc(2.25em - 1.25em)}[type=checkbox][role=switch][disabled]{--pico-background-color:var(--pico-border-color)}[type=checkbox][aria-invalid=false]:checked,[type=checkbox][aria-invalid=false]:checked:active,[type=checkbox][aria-invalid=false]:checked:focus,[type=checkbox][role=switch][aria-invalid=false]:checked,[type=checkbox][role=switch][aria-invalid=false]:checked:active,[type=checkbox][role=switch][aria-invalid=false]:checked:focus{--pico-background-color:var(--pico-form-element-valid-border-color)}[type=checkbox]:checked:active[aria-invalid=true],[type=checkbox]:checked:focus[aria-invalid=true],[type=checkbox]:checked[aria-invalid=true],[type=checkbox][role=switch]:checked:active[aria-invalid=true],[type=checkbox][role=switch]:checked:focus[aria-invalid=true],[type=checkbox][role=switch]:checked[aria-invalid=true]{--pico-background-color:var(--pico-form-element-invalid-border-color)}[type=checkbox][aria-invalid=false]:checked,[type=checkbox][aria-invalid=false]:checked:active,[type=checkbox][aria-invalid=false]:checked:focus,[type=checkbox][role=switch][aria-invalid=false]:checked,[type=checkbox][role=switch][aria-invalid=false]:checked:active,[type=checkbox][role=switch][aria-invalid=false]:checked:focus,[type=radio][aria-invalid=false]:checked,[type=radio][aria-invalid=false]:checked:active,[type=radio][aria-invalid=false]:checked:focus{--pico-border-color:var(--pico-form-element-valid-border-color)}[type=checkbox]:checked:active[aria-invalid=true],[type=checkbox]:checked:focus[aria-invalid=true],[type=checkbox]:checked[aria-invalid=true],[type=checkbox][role=switch]:checked:active[aria-invalid=true],[type=checkbox][role=switch]:checked:focus[aria-invalid=true],[type=checkbox][role=switch]:checked[aria-invalid=true],[type=radio]:checked:active[aria-invalid=true],[type=radio]:checked:focus[aria-invalid=true],[type=radio]:checked[aria-invalid=true]{--pico-border-color:var(--pico-form-element-invalid-border-color)}[type=color]::-webkit-color-swatch-wrapper{padding:0}[type=color]::-moz-focus-inner{padding:0}[type=color]::-webkit-color-swatch{border:0;border-radius:calc(var(--pico-border-radius) * .5)}[type=color]::-moz-color-swatch{border:0;border-radius:calc(var(--pico-border-radius) * .5)}input:not([type=checkbox],[type=radio],[type=range],[type=file]):is([type=date],[type=datetime-local],[type=month],[type=time],[type=week]){--pico-icon-position:0.75rem;--pico-icon-width:1rem;padding-right:calc(var(--pico-icon-width) + var(--pico-icon-position));background-image:var(--pico-icon-date);background-position:center right var(--pico-icon-position);background-size:var(--pico-icon-width) auto;background-repeat:no-repeat}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=time]{background-image:var(--pico-icon-time)}[type=date]::-webkit-calendar-picker-indicator,[type=datetime-local]::-webkit-calendar-picker-indicator,[type=month]::-webkit-calendar-picker-indicator,[type=time]::-webkit-calendar-picker-indicator,[type=week]::-webkit-calendar-picker-indicator{width:var(--pico-icon-width);margin-right:calc(var(--pico-icon-width) * -1);margin-left:var(--pico-icon-position);opacity:0}@-moz-document url-prefix(){[type=date],[type=datetime-local],[type=month],[type=time],[type=week]{padding-right:var(--pico-form-element-spacing-horizontal)!important;background-image:none!important}}[dir=rtl] :is([type=date],[type=datetime-local],[type=month],[type=time],[type=week]){text-align:right}[type=file]{--pico-color:var(--pico-muted-color);margin-left:calc(var(--pico-outline-width) * -1);padding:calc(var(--pico-form-element-spacing-vertical) * .5) 0;padding-left:var(--pico-outline-width);border:0;border-radius:0;background:0 0}[type=file]::file-selector-button{margin-right:calc(var(--pico-spacing)/ 2);padding:calc(var(--pico-form-element-spacing-vertical) * .5) var(--pico-form-element-spacing-horizontal)}[type=file]:is(:hover,:active,:focus)::file-selector-button{--pico-background-color:var(--pico-secondary-hover-background);--pico-border-color:var(--pico-secondary-hover-border)}[type=file]:focus::file-selector-button{--pico-box-shadow:var(--pico-button-hover-box-shadow, 0 0 0 rgba(0, 0, 0, 0)),0 0 0 var(--pico-outline-width) var(--pico-secondary-focus)}[type=range]{-webkit-appearance:none;-moz-appearance:none;appearance:none;width:100%;height:1.25rem;background:0 0}[type=range]::-webkit-slider-runnable-track{width:100%;height:.375rem;border-radius:var(--pico-border-radius);background-color:var(--pico-range-border-color);-webkit-transition:background-color var(--pico-transition),box-shadow var(--pico-transition);transition:background-color var(--pico-transition),box-shadow var(--pico-transition)}[type=range]::-moz-range-track{width:100%;height:.375rem;border-radius:var(--pico-border-radius);background-color:var(--pico-range-border-color);-moz-transition:background-color var(--pico-transition),box-shadow var(--pico-transition);transition:background-color var(--pico-transition),box-shadow var(--pico-transition)}[type=range]::-ms-track{width:100%;height:.375rem;border-radius:var(--pico-border-radius);background-color:var(--pico-range-border-color);-ms-transition:background-color var(--pico-transition),box-shadow var(--pico-transition);transition:background-color var(--pico-transition),box-shadow var(--pico-transition)}[type=range]::-webkit-slider-thumb{-webkit-appearance:none;width:1.25rem;height:1.25rem;margin-top:-.4375rem;border:2px solid var(--pico-range-thumb-border-color);border-radius:50%;background-color:var(--pico-range-thumb-color);cursor:pointer;-webkit-transition:background-color var(--pico-transition),transform var(--pico-transition);transition:background-color var(--pico-transition),transform var(--pico-transition)}[type=range]::-moz-range-thumb{-webkit-appearance:none;width:1.25rem;height:1.25rem;margin-top:-.4375rem;border:2px solid var(--pico-range-thumb-border-color);border-radius:50%;background-color:var(--pico-range-thumb-color);cursor:pointer;-moz-transition:background-color var(--pico-transition),transform var(--pico-transition);transition:background-color var(--pico-transition),transform var(--pico-transition)}[type=range]::-ms-thumb{-webkit-appearance:none;width:1.25rem;height:1.25rem;margin-top:-.4375rem;border:2px solid var(--pico-range-thumb-border-color);border-radius:50%;background-color:var(--pico-range-thumb-color);cursor:pointer;-ms-transition:background-color var(--pico-transition),transform var(--pico-transition);transition:background-color var(--pico-transition),transform var(--pico-transition)}[type=range]:active,[type=range]:focus-within{--pico-range-border-color:var(--pico-range-active-border-color);--pico-range-thumb-color:var(--pico-range-thumb-active-color)}[type=range]:active::-webkit-slider-thumb{transform:scale(1.25)}[type=range]:active::-moz-range-thumb{transform:scale(1.25)}[type=range]:active::-ms-thumb{transform:scale(1.25)}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=search]{padding-inline-start:calc(var(--pico-form-element-spacing-horizontal) + 1.75rem);background-image:var(--pico-icon-search);background-position:center left calc(var(--pico-form-element-spacing-horizontal) + .125rem);background-size:1rem auto;background-repeat:no-repeat}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=search][aria-invalid]{padding-inline-start:calc(var(--pico-form-element-spacing-horizontal) + 1.75rem)!important;background-position:center left 1.125rem,center right .75rem}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=search][aria-invalid=false]{background-image:var(--pico-icon-search),var(--pico-icon-valid)}input:not([type=checkbox],[type=radio],[type=range],[type=file])[type=search][aria-invalid=true]{background-image:var(--pico-icon-search),var(--pico-icon-invalid)}[dir=rtl] :where(input):not([type=checkbox],[type=radio],[type=range],[type=file])[type=search]{background-position:center right 1.125rem}[dir=rtl] :where(input):not([type=checkbox],[type=radio],[type=range],[type=file])[type=search][aria-invalid]{background-position:center right 1.125rem,center left .75rem}details{display:block;margin-bottom:var(--pico-spacing)}details summary{line-height:1rem;list-style-type:none;cursor:pointer;transition:color var(--pico-transition)}details summary:not([role]){color:var(--pico-accordion-close-summary-color)}details summary::-webkit-details-marker{display:none}details summary::marker{display:none}details summary::-moz-list-bullet{list-style-type:none}details summary::after{display:block;width:1rem;height:1rem;margin-inline-start:calc(var(--pico-spacing,1rem) * .5);float:right;transform:rotate(-90deg);background-image:var(--pico-icon-chevron);background-position:right center;background-size:1rem auto;background-repeat:no-repeat;content:"";transition:transform var(--pico-transition)}details summary:focus{outline:0}details summary:focus:not([role]){color:var(--pico-accordion-active-summary-color)}details summary:focus-visible:not([role]){outline:var(--pico-outline-width) solid var(--pico-primary-focus);outline-offset:calc(var(--pico-spacing,1rem) * 0.5);color:var(--pico-primary)}details summary[role=button]{width:100%;text-align:left}details summary[role=button]::after{height:calc(1rem * var(--pico-line-height,1.5))}details[open]>summary{margin-bottom:var(--pico-spacing)}details[open]>summary:not([role]):not(:focus){color:var(--pico-accordion-open-summary-color)}details[open]>summary::after{transform:rotate(0)}[dir=rtl] details summary{text-align:right}[dir=rtl] details summary::after{float:left;background-position:left center}article{margin-bottom:var(--pico-block-spacing-vertical);padding:var(--pico-block-spacing-vertical) var(--pico-block-spacing-horizontal);border-radius:var(--pico-border-radius);background:var(--pico-card-background-color);box-shadow:var(--pico-card-box-shadow)}article>footer,article>header{margin-right:calc(var(--pico-block-spacing-horizontal) * -1);margin-left:calc(var(--pico-block-spacing-horizontal) * -1);padding:calc(var(--pico-block-spacing-vertical) * .66) var(--pico-block-spacing-horizontal);background-color:var(--pico-card-sectioning-background-color)}article>header{margin-top:calc(var(--pico-block-spacing-vertical) * -1);margin-bottom:var(--pico-block-spacing-vertical);border-bottom:var(--pico-border-width) solid var(--pico-card-border-color);border-top-right-radius:var(--pico-border-radius);border-top-left-radius:var(--pico-border-radius)}article>footer{margin-top:var(--pico-block-spacing-vertical);margin-bottom:calc(var(--pico-block-spacing-vertical) * -1);border-top:var(--pico-border-width) solid var(--pico-card-border-color);border-bottom-right-radius:var(--pico-border-radius);border-bottom-left-radius:var(--pico-border-radius)}details.dropdown{position:relative;border-bottom:none}details.dropdown>a::after,details.dropdown>button::after,details.dropdown>summary::after{display:block;width:1rem;height:calc(1rem * var(--pico-line-height,1.5));margin-inline-start:.25rem;float:right;transform:rotate(0) translateX(.2rem);background-image:var(--pico-icon-chevron);background-position:right center;background-size:1rem auto;background-repeat:no-repeat;content:""}nav details.dropdown{margin-bottom:0}details.dropdown>summary:not([role]){height:calc(1rem * var(--pico-line-height) + var(--pico-form-element-spacing-vertical) * 2 + var(--pico-border-width) * 2);padding:var(--pico-form-element-spacing-vertical) var(--pico-form-element-spacing-horizontal);border:var(--pico-border-width) solid var(--pico-form-element-border-color);border-radius:var(--pico-border-radius);background-color:var(--pico-form-element-background-color);color:var(--pico-form-element-placeholder-color);line-height:inherit;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;user-select:none;transition:background-color var(--pico-transition),border-color var(--pico-transition),color var(--pico-transition),box-shadow var(--pico-transition)}details.dropdown>summary:not([role]):active,details.dropdown>summary:not([role]):focus{border-color:var(--pico-form-element-active-border-color);background-color:var(--pico-form-element-active-background-color)}details.dropdown>summary:not([role]):focus{box-shadow:0 0 0 var(--pico-outline-width) var(--pico-form-element-focus-color)}details.dropdown>summary:not([role]):focus-visible{outline:0}details.dropdown>summary:not([role])[aria-invalid=false]{--pico-form-element-border-color:var(--pico-form-element-valid-border-color);--pico-form-element-active-border-color:var(--pico-form-element-valid-focus-color);--pico-form-element-focus-color:var(--pico-form-element-valid-focus-color)}details.dropdown>summary:not([role])[aria-invalid=true]{--pico-form-element-border-color:var(--pico-form-element-invalid-border-color);--pico-form-element-active-border-color:var(--pico-form-element-invalid-focus-color);--pico-form-element-focus-color:var(--pico-form-element-invalid-focus-color)}nav details.dropdown{display:inline;margin:calc(var(--pico-nav-element-spacing-vertical) * -1) 0}nav details.dropdown>summary::after{transform:rotate(0) translateX(0)}nav details.dropdown>summary:not([role]){height:calc(1rem * var(--pico-line-height) + var(--pico-nav-link-spacing-vertical) * 2);padding:calc(var(--pico-nav-link-spacing-vertical) - var(--pico-border-width) * 2) var(--pico-nav-link-spacing-horizontal)}nav details.dropdown>summary:not([role]):focus-visible{box-shadow:0 0 0 var(--pico-outline-width) var(--pico-primary-focus)}details.dropdown>summary+ul{display:flex;z-index:99;position:absolute;left:0;flex-direction:column;width:100%;min-width:-moz-fit-content;min-width:fit-content;margin:0;margin-top:var(--pico-outline-width);padding:0;border:var(--pico-border-width) solid var(--pico-dropdown-border-color);border-radius:var(--pico-border-radius);background-color:var(--pico-dropdown-background-color);box-shadow:var(--pico-dropdown-box-shadow);color:var(--pico-dropdown-color);white-space:nowrap;opacity:0;transition:opacity var(--pico-transition),transform 0s ease-in-out 1s}details.dropdown>summary+ul[dir=rtl]{right:0;left:auto}details.dropdown>summary+ul li{width:100%;margin-bottom:0;padding:calc(var(--pico-form-element-spacing-vertical) * .5) var(--pico-form-element-spacing-horizontal);list-style:none}details.dropdown>summary+ul li:first-of-type{margin-top:calc(var(--pico-form-element-spacing-vertical) * .5)}details.dropdown>summary+ul li:last-of-type{margin-bottom:calc(var(--pico-form-element-spacing-vertical) * .5)}details.dropdown>summary+ul li a{display:block;margin:calc(var(--pico-form-element-spacing-vertical) * -.5) calc(var(--pico-form-element-spacing-horizontal) * -1);padding:calc(var(--pico-form-element-spacing-vertical) * .5) var(--pico-form-element-spacing-horizontal);overflow:hidden;border-radius:0;color:var(--pico-dropdown-color);text-decoration:none;text-overflow:ellipsis}details.dropdown>summary+ul li a:active,details.dropdown>summary+ul li a:focus,details.dropdown>summary+ul li a:focus-visible,details.dropdown>summary+ul li a:hover,details.dropdown>summary+ul li a[aria-current]:not([aria-current=false]){background-color:var(--pico-dropdown-hover-background-color)}details.dropdown>summary+ul li label{width:100%}details.dropdown>summary+ul li:has(label):hover{background-color:var(--pico-dropdown-hover-background-color)}details.dropdown[open]>summary{margin-bottom:0}details.dropdown[open]>summary+ul{transform:scaleY(1);opacity:1;transition:opacity var(--pico-transition),transform 0s ease-in-out 0s}details.dropdown[open]>summary::before{display:block;z-index:1;position:fixed;width:100vw;height:100vh;inset:0;background:0 0;content:"";cursor:default}label>details.dropdown{margin-top:calc(var(--pico-spacing) * .25)}[role=group],[role=search]{display:inline-flex;position:relative;width:100%;margin-bottom:var(--pico-spacing);border-radius:var(--pico-border-radius);box-shadow:var(--pico-group-box-shadow,0 0 0 transparent);vertical-align:middle;transition:box-shadow var(--pico-transition)}[role=group] input:not([type=checkbox],[type=radio]),[role=group] select,[role=group]>*,[role=search] input:not([type=checkbox],[type=radio]),[role=search] select,[role=search]>*{position:relative;flex:1 1 auto;margin-bottom:0}[role=group] input:not([type=checkbox],[type=radio]):not(:first-child),[role=group] select:not(:first-child),[role=group]>:not(:first-child),[role=search] input:not([type=checkbox],[type=radio]):not(:first-child),[role=search] select:not(:first-child),[role=search]>:not(:first-child){margin-left:0;border-top-left-radius:0;border-bottom-left-radius:0}[role=group] input:not([type=checkbox],[type=radio]):not(:last-child),[role=group] select:not(:last-child),[role=group]>:not(:last-child),[role=search] input:not([type=checkbox],[type=radio]):not(:last-child),[role=search] select:not(:last-child),[role=search]>:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}[role=group] input:not([type=checkbox],[type=radio]):focus,[role=group] select:focus,[role=group]>:focus,[role=search] input:not([type=checkbox],[type=radio]):focus,[role=search] select:focus,[role=search]>:focus{z-index:2}[role=group] [role=button]:not(:first-child),[role=group] [type=button]:not(:first-child),[role=group] [type=reset]:not(:first-child),[role=group] [type=submit]:not(:first-child),[role=group] button:not(:first-child),[role=group] input:not([type=checkbox],[type=radio]):not(:first-child),[role=group] select:not(:first-child),[role=search] [role=button]:not(:first-child),[role=search] [type=button]:not(:first-child),[role=search] [type=reset]:not(:first-child),[role=search] [type=submit]:not(:first-child),[role=search] button:not(:first-child),[role=search] input:not([type=checkbox],[type=radio]):not(:first-child),[role=search] select:not(:first-child){margin-left:calc(var(--pico-border-width) * -1)}[role=group] [role=button],[role=group] [type=button],[role=group] [type=reset],[role=group] [type=submit],[role=group] button,[role=search] [role=button],[role=search] [type=button],[role=search] [type=reset],[role=search] [type=submit],[role=search] button{width:auto}@supports selector(:has(*)){[role=group]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus),[role=search]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus){--pico-group-box-shadow:var(--pico-group-box-shadow-focus-with-button)}[role=group]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus) input:not([type=checkbox],[type=radio]),[role=group]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus) select,[role=search]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus) input:not([type=checkbox],[type=radio]),[role=search]:has(button:focus,[type=submit]:focus,[type=button]:focus,[role=button]:focus) select{border-color:transparent}[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus),[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus){--pico-group-box-shadow:var(--pico-group-box-shadow-focus-with-input)}[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus) [role=button],[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus) [type=button],[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus) [type=submit],[role=group]:has(input:not([type=submit],[type=button]):focus,select:focus) button,[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus) [role=button],[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus) [type=button],[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus) [type=submit],[role=search]:has(input:not([type=submit],[type=button]):focus,select:focus) button{--pico-button-box-shadow:0 0 0 var(--pico-border-width) var(--pico-primary-border);--pico-button-hover-box-shadow:0 0 0 var(--pico-border-width) var(--pico-primary-hover-border)}[role=group] [role=button]:focus,[role=group] [type=button]:focus,[role=group] [type=reset]:focus,[role=group] [type=submit]:focus,[role=group] button:focus,[role=search] [role=button]:focus,[role=search] [type=button]:focus,[role=search] [type=reset]:focus,[role=search] [type=submit]:focus,[role=search] button:focus{box-shadow:none}}[role=search]>:first-child{border-top-left-radius:5rem;border-bottom-left-radius:5rem}[role=search]>:last-child{border-top-right-radius:5rem;border-bottom-right-radius:5rem}[aria-busy=true]:not(input,select,textarea,html,form){white-space:nowrap}[aria-busy=true]:not(input,select,textarea,html,form)::before{display:inline-block;width:1em;height:1em;background-image:var(--pico-icon-loading);background-size:1em auto;background-repeat:no-repeat;content:"";vertical-align:-.125em}[aria-busy=true]:not(input,select,textarea,html,form):not(:empty)::before{margin-inline-end:calc(var(--pico-spacing) * .5)}[aria-busy=true]:not(input,select,textarea,html,form):empty{text-align:center}[role=button][aria-busy=true],[type=button][aria-busy=true],[type=reset][aria-busy=true],[type=submit][aria-busy=true],a[aria-busy=true],button[aria-busy=true]{pointer-events:none}:host,:root{--pico-scrollbar-width:0px}dialog{display:flex;z-index:999;position:fixed;top:0;right:0;bottom:0;left:0;align-items:center;justify-content:center;width:inherit;min-width:100%;height:inherit;min-height:100%;padding:0;border:0;-webkit-backdrop-filter:var(--pico-modal-overlay-backdrop-filter);backdrop-filter:var(--pico-modal-overlay-backdrop-filter);background-color:var(--pico-modal-overlay-background-color);color:var(--pico-color)}dialog>article{width:100%;max-height:calc(100vh - var(--pico-spacing) * 2);margin:var(--pico-spacing);overflow:auto}@media (min-width:576px){dialog>article{max-width:510px}}@media (min-width:768px){dialog>article{max-width:700px}}dialog>article>header>*{margin-bottom:0}dialog>article>header .close,dialog>article>header :is(a,button)[rel=prev]{margin:0;margin-left:var(--pico-spacing);padding:0;float:right}dialog>article>footer{text-align:right}dialog>article>footer [role=button],dialog>article>footer button{margin-bottom:0}dialog>article>footer [role=button]:not(:first-of-type),dialog>article>footer button:not(:first-of-type){margin-left:calc(var(--pico-spacing) * .5)}dialog>article .close,dialog>article :is(a,button)[rel=prev]{display:block;width:1rem;height:1rem;margin-top:calc(var(--pico-spacing) * -1);margin-bottom:var(--pico-spacing);margin-left:auto;border:none;background-image:var(--pico-icon-close);background-position:center;background-size:auto 1rem;background-repeat:no-repeat;background-color:transparent;opacity:.5;transition:opacity var(--pico-transition)}dialog>article .close:is([aria-current]:not([aria-current=false]),:hover,:active,:focus),dialog>article :is(a,button)[rel=prev]:is([aria-current]:not([aria-current=false]),:hover,:active,:focus){opacity:1}dialog:not([open]),dialog[open=false]{display:none}.modal-is-open{padding-right:var(--pico-scrollbar-width,0);overflow:hidden;pointer-events:none;touch-action:none}.modal-is-open dialog{pointer-events:auto;touch-action:auto}:where(.modal-is-opening,.modal-is-closing) dialog,:where(.modal-is-opening,.modal-is-closing) dialog>article{animation-duration:.2s;animation-timing-function:ease-in-out;animation-fill-mode:both}:where(.modal-is-opening,.modal-is-closing) dialog{animation-duration:.8s;animation-name:modal-overlay}:where(.modal-is-opening,.modal-is-closing) dialog>article{animation-delay:.2s;animation-name:modal}.modal-is-closing dialog,.modal-is-closing dialog>article{animation-delay:0s;animation-direction:reverse}@keyframes modal-overlay{from{-webkit-backdrop-filter:none;backdrop-filter:none;background-color:transparent}}@keyframes modal{from{transform:translateY(-100%);opacity:0}}:where(nav li)::before{float:left;content:"​"}nav,nav ul{display:flex}nav{justify-content:space-between;overflow:visible}nav ol,nav ul{align-items:center;margin-bottom:0;padding:0;list-style:none}nav ol:first-of-type,nav ul:first-of-type{margin-left:calc(var(--pico-nav-element-spacing-horizontal) * -1)}nav ol:last-of-type,nav ul:last-of-type{margin-right:calc(var(--pico-nav-element-spacing-horizontal) * -1)}nav li{display:inline-block;margin:0;padding:var(--pico-nav-element-spacing-vertical) var(--pico-nav-element-spacing-horizontal)}nav li :where(a,[role=link]){display:inline-block;margin:calc(var(--pico-nav-link-spacing-vertical) * -1) calc(var(--pico-nav-link-spacing-horizontal) * -1);padding:var(--pico-nav-link-spacing-vertical) var(--pico-nav-link-spacing-horizontal);border-radius:var(--pico-border-radius)}nav li :where(a,[role=link]):not(:hover){text-decoration:none}nav li [role=button],nav li [type=button],nav li button,nav li input:not([type=checkbox],[type=radio],[type=range],[type=file]),nav li select{height:auto;margin-right:inherit;margin-bottom:0;margin-left:inherit;padding:calc(var(--pico-nav-link-spacing-vertical) - var(--pico-border-width) * 2) var(--pico-nav-link-spacing-horizontal)}nav[aria-label=breadcrumb]{align-items:center;justify-content:start}nav[aria-label=breadcrumb] ul li:not(:first-child){margin-inline-start:var(--pico-nav-link-spacing-horizontal)}nav[aria-label=breadcrumb] ul li a{margin:calc(var(--pico-nav-link-spacing-vertical) * -1) 0;margin-inline-start:calc(var(--pico-nav-link-spacing-horizontal) * -1)}nav[aria-label=breadcrumb] ul li:not(:last-child)::after{display:inline-block;position:absolute;width:calc(var(--pico-nav-link-spacing-horizontal) * 4);margin:0 calc(var(--pico-nav-link-spacing-horizontal) * -1);content:var(--pico-nav-breadcrumb-divider);color:var(--pico-muted-color);text-align:center;text-decoration:none;white-space:nowrap}nav[aria-label=breadcrumb] a[aria-current]:not([aria-current=false]){background-color:transparent;color:inherit;text-decoration:none;pointer-events:none}aside li,aside nav,aside ol,aside ul{display:block}aside li{padding:calc(var(--pico-nav-element-spacing-vertical) * .5) var(--pico-nav-element-spacing-horizontal)}aside li a{display:block}aside li [role=button]{margin:inherit}[dir=rtl] nav[aria-label=breadcrumb] ul li:not(:last-child) ::after{content:"\\"}progress{display:inline-block;vertical-align:baseline}progress{-webkit-appearance:none;-moz-appearance:none;display:inline-block;appearance:none;width:100%;height:.5rem;margin-bottom:calc(var(--pico-spacing) * .5);overflow:hidden;border:0;border-radius:var(--pico-border-radius);background-color:var(--pico-progress-background-color);color:var(--pico-progress-color)}progress::-webkit-progress-bar{border-radius:var(--pico-border-radius);background:0 0}progress[value]::-webkit-progress-value{background-color:var(--pico-progress-color);-webkit-transition:inline-size var(--pico-transition);transition:inline-size var(--pico-transition)}progress::-moz-progress-bar{background-color:var(--pico-progress-color)}@media (prefers-reduced-motion:no-preference){progress:indeterminate{background:var(--pico-progress-background-color) linear-gradient(to right,var(--pico-progress-color) 30%,var(--pico-progress-background-color) 30%) top left/150% 150% no-repeat;animation:progress-indeterminate 1s linear infinite}progress:indeterminate[value]::-webkit-progress-value{background-color:transparent}progress:indeterminate::-moz-progress-bar{background-color:transparent}}@media (prefers-reduced-motion:no-preference){[dir=rtl] progress:indeterminate{animation-direction:reverse}}@keyframes progress-indeterminate{0%{background-position:200% 0}100%{background-position:-200% 0}}[data-tooltip]{position:relative}[data-tooltip]:not(a,button,input,[role=button]){border-bottom:1px dotted;text-decoration:none;cursor:help}[data-tooltip]::after,[data-tooltip]::before,[data-tooltip][data-placement=top]::after,[data-tooltip][data-placement=top]::before{display:block;z-index:99;position:absolute;bottom:100%;left:50%;padding:.25rem .5rem;overflow:hidden;transform:translate(-50%,-.25rem);border-radius:var(--pico-border-radius);background:var(--pico-tooltip-background-color);content:attr(data-tooltip);color:var(--pico-tooltip-color);font-style:normal;font-weight:var(--pico-font-weight);font-size:.875rem;text-decoration:none;text-overflow:ellipsis;white-space:nowrap;opacity:0;pointer-events:none}[data-tooltip]::after,[data-tooltip][data-placement=top]::after{padding:0;transform:translate(-50%,0);border-top:.3rem solid;border-right:.3rem solid transparent;border-left:.3rem solid transparent;border-radius:0;background-color:transparent;content:"";color:var(--pico-tooltip-background-color)}[data-tooltip][data-placement=bottom]::after,[data-tooltip][data-placement=bottom]::before{top:100%;bottom:auto;transform:translate(-50%,.25rem)}[data-tooltip][data-placement=bottom]:after{transform:translate(-50%,-.3rem);border:.3rem solid transparent;border-bottom:.3rem solid}[data-tooltip][data-placement=left]::after,[data-tooltip][data-placement=left]::before{top:50%;right:100%;bottom:auto;left:auto;transform:translate(-.25rem,-50%)}[data-tooltip][data-placement=left]:after{transform:translate(.3rem,-50%);border:.3rem solid transparent;border-left:.3rem solid}[data-tooltip][data-placement=right]::after,[data-tooltip][data-placement=right]::before{top:50%;right:auto;bottom:auto;left:100%;transform:translate(.25rem,-50%)}[data-tooltip][data-placement=right]:after{transform:translate(-.3rem,-50%);border:.3rem solid transparent;border-right:.3rem solid}[data-tooltip]:focus::after,[data-tooltip]:focus::before,[data-tooltip]:hover::after,[data-tooltip]:hover::before{opacity:1}@media (hover:hover) and (pointer:fine){[data-tooltip]:focus::after,[data-tooltip]:focus::before,[data-tooltip]:hover::after,[data-tooltip]:hover::before{--pico-tooltip-slide-to:translate(-50%, -0.25rem);transform:translate(-50%,.75rem);animation-duration:.2s;animation-fill-mode:forwards;animation-name:tooltip-slide;opacity:0}[data-tooltip]:focus::after,[data-tooltip]:hover::after{--pico-tooltip-caret-slide-to:translate(-50%, 0rem);transform:translate(-50%,-.25rem);animation-name:tooltip-caret-slide}[data-tooltip][data-placement=bottom]:focus::after,[data-tooltip][data-placement=bottom]:focus::before,[data-tooltip][data-placement=bottom]:hover::after,[data-tooltip][data-placement=bottom]:hover::before{--pico-tooltip-slide-to:translate(-50%, 0.25rem);transform:translate(-50%,-.75rem);animation-name:tooltip-slide}[data-tooltip][data-placement=bottom]:focus::after,[data-tooltip][data-placement=bottom]:hover::after{--pico-tooltip-caret-slide-to:translate(-50%, -0.3rem);transform:translate(-50%,-.5rem);animation-name:tooltip-caret-slide}[data-tooltip][data-placement=left]:focus::after,[data-tooltip][data-placement=left]:focus::before,[data-tooltip][data-placement=left]:hover::after,[data-tooltip][data-placement=left]:hover::before{--pico-tooltip-slide-to:translate(-0.25rem, -50%);transform:translate(.75rem,-50%);animation-name:tooltip-slide}[data-tooltip][data-placement=left]:focus::after,[data-tooltip][data-placement=left]:hover::after{--pico-tooltip-caret-slide-to:translate(0.3rem, -50%);transform:translate(.05rem,-50%);animation-name:tooltip-caret-slide}[data-tooltip][data-placement=right]:focus::after,[data-tooltip][data-placement=right]:focus::before,[data-tooltip][data-placement=right]:hover::after,[data-tooltip][data-placement=right]:hover::before{--pico-tooltip-slide-to:translate(0.25rem, -50%);transform:translate(-.75rem,-50%);animation-name:tooltip-slide}[data-tooltip][data-placement=right]:focus::after,[data-tooltip][data-placement=right]:hover::after{--pico-tooltip-caret-slide-to:translate(-0.3rem, -50%);transform:translate(-.05rem,-50%);animation-name:tooltip-caret-slide}}@keyframes tooltip-slide{to{transform:var(--pico-tooltip-slide-to);opacity:1}}@keyframes tooltip-caret-slide{50%{opacity:0}to{transform:var(--pico-tooltip-caret-slide-to);opacity:1}}[aria-controls]{cursor:pointer}[aria-disabled=true],[disabled]{cursor:not-allowed}[aria-hidden=false][hidden]{display:initial}[aria-hidden=false][hidden]:not(:focus){clip:rect(0,0,0,0);position:absolute}[tabindex],a,area,button,input,label,select,summary,textarea{-ms-touch-action:manipulation}[dir=rtl]{direction:rtl}@media (prefers-reduced-motion:reduce){:not([aria-busy=true]),:not([aria-busy=true])::after,:not([aria-busy=true])::before{background-attachment:initial!important;animation-duration:1ms!important;animation-delay:-1ms!important;animation-iteration-count:1!important;scroll-behavior:auto!important;transition-delay:0s!important;transition-duration:0s!important}}
+83
server/static/style.css
··· 1 + :root { 2 + --zinc-700: rgb(66, 71, 81); 3 + --success: rgb(0, 166, 110); 4 + --danger: rgb(155, 35, 24); 5 + } 6 + 7 + body { 8 + display: flex; 9 + flex-direction: column; 10 + } 11 + 12 + main { 13 + } 14 + 15 + .margin-top-sm { 16 + margin-top: 2em; 17 + } 18 + 19 + .margin-top-md { 20 + margin-top: 2.5em; 21 + } 22 + 23 + .margin-bottom-xs { 24 + margin-bottom: 1.5em; 25 + } 26 + 27 + .centered-body { 28 + min-height: 100vh; 29 + justify-content: center; 30 + } 31 + 32 + .base-container { 33 + border: 1px solid var(--zinc-700); 34 + border-radius: 10px; 35 + padding: 1.75em 1.2em; 36 + } 37 + 38 + .box-shadow-container { 39 + box-shadow: 1px 1px 52px 2px rgba(0, 0, 0, 0.42); 40 + } 41 + 42 + .login-container { 43 + max-width: 50ch; 44 + form :last-child { 45 + margin-bottom: 0; 46 + } 47 + form button { 48 + float: right; 49 + } 50 + } 51 + 52 + .authorize-container { 53 + max-width: 100ch; 54 + } 55 + 56 + button { 57 + width: unset; 58 + min-width: 16ch; 59 + } 60 + 61 + .button-row { 62 + display: flex; 63 + gap: 1ch; 64 + justify-content: end; 65 + } 66 + 67 + .alert { 68 + border: 1px solid var(--zinc-700); 69 + border-radius: 10px; 70 + padding: 1em 1em; 71 + p { 72 + color: white; 73 + margin-bottom: unset; 74 + } 75 + } 76 + 77 + .alert-success { 78 + background-color: var(--success); 79 + } 80 + 81 + .alert-danger { 82 + background-color: var(--danger); 83 + }
+39
server/templates/account.html
··· 1 + <!doctype html> 2 + <html lang="en"> 3 + <head> 4 + <meta charset="utf-8" /> 5 + <meta name="viewport" content="width=device-width, initial-scale=1" /> 6 + <meta name="color-scheme" content="light dark" /> 7 + <link rel="stylesheet" href="/static/pico.css" /> 8 + <link rel="stylesheet" href="/static/style.css" /> 9 + <title>Your Account</title> 10 + </head> 11 + <body class="margin-top-md"> 12 + <main class="container base-container authorize-container margin-top-xl"> 13 + <h2>Welcome, {{ .Repo.Handle }}</h2> 14 + <ul> 15 + <li><a href="/account/signout">Sign Out</a></li> 16 + </ul> 17 + {{ if .flashes.successes }} 18 + <div class="alert alert-success margin-bottom-xs"> 19 + <p>{{ index .flashes.successes 0 }}</p> 20 + </div> 21 + {{ end }} {{ if eq (len .Tokens) 0 }} 22 + <div class="alert alert-success" role="alert"> 23 + <p class="alert-message">You do not have any active OAuth sessions!</p> 24 + </div> 25 + {{ else }} {{ range .Tokens }} 26 + <div class="base-container"> 27 + <h4>{{ .ClientId }}</h4> 28 + <p>Created: {{ .CreatedAt }}</p> 29 + <p>Updated: {{ .UpdatedAt }}</p> 30 + <p>Expires: {{ .ExpiresAt }}</p> 31 + <form action="/account/revoke" method="post"> 32 + <input type="hidden" name="token" value="{{ .Token }}" /> 33 + <button type="submit" value="">Revoke</button> 34 + </form> 35 + </div> 36 + {{ end }} {{ end }} 37 + </main> 38 + </body> 39 + </html>
+4
server/templates/alert.html
··· 1 + <!doctype html> 2 + <div class="alert alert-success" role="alert"> 3 + <p class="alert-message"></p> 4 + </div>
+44
server/templates/authorize.html
··· 1 + <!doctype html> 2 + <html lang="en"> 3 + <head> 4 + <meta charset="utf-8" /> 5 + <meta name="viewport" content="width=device-width, initial-scale=1" /> 6 + <meta name="color-scheme" content="light dark" /> 7 + <link rel="stylesheet" href="/static/pico.css" /> 8 + <link rel="stylesheet" href="/static/style.css" /> 9 + <title>Application Authorization</title> 10 + </head> 11 + <body class="centered-body"> 12 + <main 13 + class="container base-container box-shadow-container authorizer-container" 14 + > 15 + <h2>Authorizing with {{ .AppName }}</h2> 16 + <p> 17 + You are signed in as <b>{{ .Handle }}</b>. 18 + <a href="/account/signout?{{ .QueryParams }}">Switch Account</a> 19 + </p> 20 + <p><b>{{ .AppName }}</b> is asking for you to grant it these scopes:</p> 21 + <ul> 22 + {{ range .Scopes }} 23 + <li><b>{{.}}</b></li> 24 + {{ end }} 25 + </ul> 26 + <p> 27 + If you press Accept, the application will be granted permissions for 28 + these scopes with your account <b>{{ .Handle }}</b>. If you reject, you 29 + will be sent back to the application. 30 + </p> 31 + <form action="/oauth/authorize" method="post"> 32 + <div class="button-row"> 33 + <input type="hidden" name="request_uri" value="{{ .RequestUri }}" /> 34 + <button class="secondary" name="accept_or_reject" value="reject"> 35 + Reject 36 + </button> 37 + <button class="primary" name="accept_or_reject" value="accept"> 38 + Accept 39 + </button> 40 + </div> 41 + </form> 42 + </main> 43 + </body> 44 + </html>
+34
server/templates/signin.html
··· 1 + <!doctype html> 2 + <html lang="en"> 3 + <head> 4 + <meta charset="utf-8" /> 5 + <meta name="viewport" content="width=device-width, initial-scale=1" /> 6 + <meta name="color-scheme" content="light dark" /> 7 + <link rel="stylesheet" href="/static/pico.css" /> 8 + <link rel="stylesheet" href="/static/style.css" /> 9 + <title>PDS Authentication</title> 10 + </head> 11 + <body class="centered-body"> 12 + <main class="container base-container box-shadow-container login-container"> 13 + <h2>Sign into your account</h2> 14 + <p>Enter your handle and password below.</p> 15 + {{ if .flashes.errors }} 16 + <div class="alert alert-danger margin-bottom-xs"> 17 + <p>{{ index .flashes.errors 0 }}</p> 18 + </div> 19 + {{ end }} 20 + <form action="/account/signin" method="post"> 21 + <input name="username" id="username" placeholder="Handle" /> 22 + <br /> 23 + <input 24 + name="password" 25 + id="password" 26 + type="password" 27 + placeholder="Password" 28 + /> 29 + <input name="query_params" type="hidden" value="{{ .QueryParams }}" /> 30 + <button class="primary" type="submit" value="Login">Login</button> 31 + </form> 32 + </main> 33 + </body> 34 + </html>