herocode/self
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add SelfFreezoneClient wrapper for Self components

Browse Source 
- Created SelfFreezoneClient in Self components
- Wraps SDK FreezoneScriptClient for Self-specific operations
- Implements send_verification_email method
- Uses Rhai script template for email verification
- Includes template variable substitution
- Added serde-wasm-bindgen dependency

Usage:
  let client = SelfFreezoneClient::builder()
      .supervisor_url("http://localhost:8080")
      .secret("my-secret")
      .build()?;

  client.send_verification_email(
      "user@example.com",
      "123456",
      "https://verify.com/abc"
  ).await?;
This commit is contained in:
Timur Gordon
2025-11-03 16:16:18 +01:00
parent be061409af
commit f970f3fb58
33 changed files with 8947 additions and 449 deletions
Download Patch File Download Diff File Expand all files Collapse all files

243
Cargo.lock generated
View File

@@ -472,6 +472,15 @@ dependencies = [
"zeroize",
]
[[package]]
name = "deranged"
version = "0.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a41953f86f8a05768a6cda24def994fd2f424b04ec5c719cf89989779f199071"
dependencies = [
"powerfmt",
]
[[package]]
name = "digest"
version = "0.10.7"
@@ -882,6 +891,7 @@ version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "97563d71863fb2824b2e974e754a81d19c4a7ec47b09ced8a0e6656b6d54bd1f"
dependencies = [
"futures-channel",
"gloo-events 0.2.0",
"js-sys",
"wasm-bindgen",
@@ -899,7 +909,7 @@ dependencies = [
"serde",
"serde-wasm-bindgen 0.5.0",
"serde_urlencoded",
"thiserror",
"thiserror 1.0.69",
"wasm-bindgen",
"web-sys",
]
@@ -916,7 +926,7 @@ dependencies = [
"serde",
"serde-wasm-bindgen 0.6.5",
"serde_urlencoded",
"thiserror",
"thiserror 1.0.69",
"wasm-bindgen",
"web-sys",
]
@@ -936,7 +946,7 @@ dependencies = [
"pin-project",
"serde",
"serde_json",
"thiserror",
"thiserror 1.0.69",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
@@ -957,7 +967,7 @@ dependencies = [
"pin-project",
"serde",
"serde_json",
"thiserror",
"thiserror 1.0.69",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
@@ -978,7 +988,7 @@ dependencies = [
"pin-project",
"serde",
"serde_json",
"thiserror",
"thiserror 1.0.69",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
@@ -1014,7 +1024,7 @@ dependencies = [
"js-sys",
"serde",
"serde_json",
"thiserror",
"thiserror 1.0.69",
"wasm-bindgen",
"web-sys",
]
@@ -1029,7 +1039,7 @@ dependencies = [
"js-sys",
"serde",
"serde_json",
"thiserror",
"thiserror 1.0.69",
"wasm-bindgen",
"web-sys",
]
@@ -1050,6 +1060,8 @@ version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
dependencies = [
"futures-channel",
"futures-core",
"js-sys",
"wasm-bindgen",
]
@@ -1110,7 +1122,7 @@ dependencies = [
"js-sys",
"pinned",
"serde",
"thiserror",
"thiserror 1.0.69",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
@@ -1129,7 +1141,7 @@ dependencies = [
"js-sys",
"pinned",
"serde",
"thiserror",
"thiserror 1.0.69",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
@@ -1491,6 +1503,21 @@ dependencies = [
"wasm-bindgen",
]
[[package]]
name = "jsonwebtoken"
version = "9.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
dependencies = [
"base64",
"js-sys",
"pem",
"ring",
"serde",
"serde_json",
"simple_asn1",
]
[[package]]
name = "k256"
version = "0.13.4"
@@ -1653,6 +1680,40 @@ dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "num-bigint"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
dependencies = [
"num-integer",
"num-traits",
]
[[package]]
name = "num-conv"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
[[package]]
name = "num-integer"
version = "0.1.46"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
dependencies = [
"num-traits",
]
[[package]]
name = "num-traits"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
dependencies = [
"autocfg",
]
[[package]]
name = "num_cpus"
version = "1.17.0"
@@ -1757,6 +1818,26 @@ dependencies = [
"windows-targets 0.52.6",
]
[[package]]
name = "pbkdf2"
version = "0.12.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2"
dependencies = [
"digest",
"hmac",
]
[[package]]
name = "pem"
version = "3.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "38af38e8470ac9dee3ce1bae1af9c1671fffc44ddfd8bd1d0a3445bf349a8ef3"
dependencies = [
"base64",
"serde",
]
[[package]]
name = "percent-encoding"
version = "2.3.2"
@@ -1803,7 +1884,7 @@ checksum = "a829027bd95e54cfe13e3e258a1ae7b645960553fb82b75ff852c29688ee595b"
dependencies = [
"futures",
"rustversion",
"thiserror",
"thiserror 1.0.69",
]
[[package]]
@@ -1843,6 +1924,12 @@ dependencies = [
"zerovec",
]
[[package]]
name = "powerfmt"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
[[package]]
name = "ppv-lite86"
version = "0.2.21"
@@ -2001,6 +2088,26 @@ dependencies = [
"subtle",
]
[[package]]
name = "ring"
version = "0.17.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
dependencies = [
"cc",
"cfg-if",
"getrandom 0.2.16",
"libc",
"untrusted",
"windows-sys 0.52.0",
]
[[package]]
name = "route-recognizer"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "afab94fb28594581f62d981211a9a4d53cc8130bbcbbb89a0440d9b8e81a7746"
[[package]]
name = "rustc-demangle"
version = "0.1.26"
@@ -2088,12 +2195,15 @@ dependencies = [
name = "self-app"
version = "0.1.0"
dependencies = [
"js-sys",
"self-components",
"serde",
"serde_json",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
"yew",
"yew-router",
]
[[package]]
@@ -2108,8 +2218,10 @@ dependencies = [
"hex",
"js-sys",
"k256",
"pbkdf2",
"rand",
"serde",
"serde-wasm-bindgen 0.6.5",
"serde_json",
"sha2",
"wasm-bindgen",
@@ -2125,8 +2237,10 @@ dependencies = [
"anyhow",
"async-stream",
"axum",
"base64",
"clap",
"futures-util",
"jsonwebtoken",
"lettre",
"serde",
"serde_json",
@@ -2272,6 +2386,18 @@ dependencies = [
"rand_core",
]
[[package]]
name = "simple_asn1"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "297f631f50729c8c99b84667867963997ec0b50f32b2a7dbcab828ef0541e8bb"
dependencies = [
"num-bigint",
"num-traits",
"thiserror 2.0.16",
"time",
]
[[package]]
name = "slab"
version = "0.4.11"
@@ -2392,7 +2518,16 @@ version = "1.0.69"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
dependencies = [
"thiserror-impl",
"thiserror-impl 1.0.69",
]
[[package]]
name = "thiserror"
version = "2.0.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0"
dependencies = [
"thiserror-impl 2.0.16",
]
[[package]]
@@ -2406,6 +2541,17 @@ dependencies = [
"syn 2.0.106",
]
[[package]]
name = "thiserror-impl"
version = "2.0.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.106",
]
[[package]]
name = "thread_local"
version = "1.1.9"
@@ -2415,6 +2561,37 @@ dependencies = [
"cfg-if",
]
[[package]]
name = "time"
version = "0.3.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "91e7d9e3bb61134e77bde20dd4825b97c010155709965fedf0f49bb138e52a9d"
dependencies = [
"deranged",
"itoa",
"num-conv",
"powerfmt",
"serde",
"time-core",
"time-macros",
]
[[package]]
name = "time-core"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40868e7c1d2f0b8d73e4a8c7f0ff63af4f6d19be117e90bd73eb1d62cf831c6b"
[[package]]
name = "time-macros"
version = "0.2.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "30cfb0125f12d9c277f35663a0a33f8c30190f4e4574868a330595412d34ebf3"
dependencies = [
"num-conv",
"time-core",
]
[[package]]
name = "tinystr"
version = "0.8.1"
@@ -2648,6 +2825,12 @@ dependencies = [
"subtle",
]
[[package]]
name = "untrusted"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
[[package]]
name = "url"
version = "2.5.7"
@@ -2660,6 +2843,12 @@ dependencies = [
"serde",
]
[[package]]
name = "urlencoding"
version = "2.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
[[package]]
name = "utf8_iter"
version = "1.0.4"
@@ -3021,7 +3210,7 @@ dependencies = [
"rustversion",
"serde",
"slab",
"thiserror",
"thiserror 1.0.69",
"tokio",
"tracing",
"wasm-bindgen",
@@ -3045,6 +3234,36 @@ dependencies = [
"syn 2.0.106",
]
[[package]]
name = "yew-router"
version = "0.18.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4ca1d5052c96e6762b4d6209a8aded597758d442e6c479995faf0c7b5538e0c6"
dependencies = [
"gloo 0.10.0",
"js-sys",
"route-recognizer",
"serde",
"serde_urlencoded",
"tracing",
"urlencoding",
"wasm-bindgen",
"web-sys",
"yew",
"yew-router-macro",
]
[[package]]
name = "yew-router-macro"
version = "0.18.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42bfd190a07ca8cfde7cd4c52b3ac463803dc07323db8c34daa697e86365978c"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.106",
]
[[package]]
name = "yoke"
version = "0.8.0"

314
README.md
View File

@@ -1,180 +1,266 @@
# Self - Sovereign Entity Local Framework
# Self - Sovereign Digital Identity
A peer-to-peer identity solution providing self-sovereign identity management tools and widgets. Built with Yew WASM for client-side functionality and Rust backend for email verification.
A comprehensive self-sovereign identity system that puts users in complete control of their digital identity. Built with Rust and WebAssembly, Self provides cryptographic authentication without passwords, secure key management, and OAuth-compatible identity services.
## Architecture
## 🎯 Vision
- **Components**: Reusable Yew components for identity management (registration, login, etc.)
- **App**: Reference implementation using the components
- **Server**: Backend for email verification and registration endpoints
Self enables true digital sovereignty by eliminating dependence on centralized identity providers. Users generate and control their own cryptographic keys, authenticate using digital signatures, and maintain complete ownership of their identity data.
## Features
## ✨ Key Features
### Registration Component
### 🔐 Self-Sovereign Identity
- **User-Controlled Keys**: Generate and manage your own cryptographic key pairs
- **No Central Authority**: No single point of failure or control
- **Cryptographic Authentication**: Authenticate using digital signatures, not passwords
- **Zero-Knowledge Architecture**: Private keys never leave your device unencrypted
- **Identity Collection**: Name and email input with validation
- **Email Verification**: Server-sent events for real-time verification status
- **Private Key Generation**: Secure secp256k1 key pair generation
- **Client-side Encryption**: AES-256-GCM encryption of private keys with user password
- **Key Confirmation**: Requires user to copy and paste private key to confirm backup
- **Single-page Flow**: Progressive multi-step form without page navigation
### 🛡️ Advanced Security
- **AES-256-GCM Encryption**: Military-grade encryption for private key storage
- **PBKDF2 Key Derivation**: 10,000+ iterations prevent brute force attacks
- **Client-Side Cryptography**: All sensitive operations performed locally
- **Secure Vault System**: Manage multiple encrypted identities
### Security Features
### 🌐 Standards Compliance
- **OAuth 2.0 Compatible**: Standard token-based authentication
- **OpenID Connect Ready**: Compatible with existing identity infrastructure
- **JWT Tokens**: Industry-standard session management
- **RESTful API**: Clean, documented endpoints
- Private keys generated and encrypted entirely client-side
- Password-based key derivation with salt and key stretching
- Secure key confirmation process prevents accidental loss
- No private keys transmitted to server
### 🔧 Developer-Friendly
- **Reusable Components**: Drop-in Yew components for any application
- **Comprehensive API**: Well-documented server endpoints
- **Multiple Deployment Options**: Docker, cloud-native, or bare metal
- **Extensive Documentation**: Complete guides for integration and deployment
## Quick Start
## 🚀 Quick Start
### Prerequisites
- Rust (latest stable)
- `trunk` for WASM building: `cargo install trunk`
- `wasm32-unknown-unknown` target: `rustup target add wasm32-unknown-unknown`
```bash
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Add WASM target and install Trunk
rustup target add wasm32-unknown-unknown
cargo install trunk
```
### Running the Application
1. **Start the backend server:**
1. **Clone and setup:**
```bash
git clone <repository-url>
cd self
```
2. **Start the backend server:**
```bash
cd server
# Default port (8080)
cargo run
# Custom port
cargo run -- --port 9001
# Server runs on http://localhost:8080
```
2. **Start the frontend app:**
3. **Start the frontend (in another terminal):**
```bash
cd app
# Default configuration (server: localhost:8080, port: 8000)
./serve.sh
# Custom server URL
./serve.sh --server-url http://localhost:9001
# Custom frontend port
./serve.sh --port 8001
# Both custom server and port
./serve.sh --server-url http://localhost:9001 --port 8001
# Using environment variables
SELF_SERVER_URL=http://localhost:9001 ./serve.sh
# Frontend runs on http://localhost:8000
```
3. **Open your browser** to the displayed frontend URL
4. **Try the demo:**
- Open http://localhost:8000 in your browser
- Register a new identity with email verification
- Generate and securely store your cryptographic keys
- Experience passwordless authentication
### Email Verification Flow
### Core Workflows
1. Enter name and email, proceed to verification step
2. Click "Send Verification" - check server console for verification link
3. Click the verification link in a new tab
4. The registration form will automatically update when verified
5. Continue with key generation
#### 🆔 Identity Registration
1. **Email Verification**: Enter email → receive verification link → confirm
2. **Key Generation**: Generate secp256k1 key pair locally
3. **Secure Storage**: Encrypt private key with password → store in browser
4. **Backup Confirmation**: Copy private key for safe keeping
5. **Complete Registration**: Submit public key and profile to server
### Key Generation Flow
#### 🔑 Authentication
1. **Identity Selection**: Choose from stored identities in vault
2. **Key Decryption**: Enter password to decrypt private key
3. **Challenge Response**: Sign server challenge with private key
4. **Session Establishment**: Receive JWT token for authenticated session
5. **Identity Access**: Access identity information and services
1. Click "Generate Keys" to create a new key pair
2. Enter and confirm an encryption password (minimum 8 characters)
3. Copy the private key using the "Copy" button
4. Proceed to confirmation step
5. Paste the private key to confirm you saved it
6. Complete registration
## 🏗️ Architecture
## Development
### System Components
```
┌─────────────────────────────────────────────────────────────────┐
│ Client (Browser) │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Registration │ │ Login │ │ Identity │ │
│ │ Component │ │ Component │ │ Component │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Vault Manager │ │ Crypto │ │ Sign │ │
│ │ Component │ │ Utilities │ │ Component │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ Local Storage (Encrypted) │ │
│ └─────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
HTTPS/WSS
┌─────────────────────────────────────────────────────────────────┐
│ Identity Server │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Email Verification│ │ OAuth Endpoints │ │ User Management │ │
│ │ • SSE Stream │ │ • /oauth/token │ │ • Registration│ │
│ │ • Verify Link │ │ • /oauth/userinfo│ │ • User Store │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
```
### Project Structure
```
self/
├── components/ # Reusable Yew components
├── components/ # 🧩 Reusable Yew Components
│ ├── src/
│ │ ├── registration.rs # Main registration component
│ │ ├── registration.rs # User registration flow
│ │ ├── login.rs # Authentication component
│ │ ├── identity.rs # Identity management
│ │ ├── vault_manager.rs # Multi-key vault system
│ │ ├── vault.rs # Secure key storage
│ │ ├── crypto.rs # Cryptographic utilities
│ │ ├── sign.rs # Digital signing
│ │ └── lib.rs # Component exports
│ └── Cargo.toml
├── app/ # Reference application
│ ├── src/lib.rs # App implementation
│ ├── index.html # HTML template with Bootstrap
│ ├── Trunk.toml # Trunk configuration
├── app/ # 🖥️ Reference Application
│ ├── src/lib.rs # Demo app implementation
│ ├── index.html # HTML template
│ ├── serve.sh # Development server
│ └── Cargo.toml
├── server/ # Backend server
│ ├── src/main.rs # Axum server with SSE support
├── server/ # 🌐 Identity Server
│ ├── src/main.rs # Axum server with OAuth endpoints
│ └── Cargo.toml
├── docs/ # 📚 Comprehensive Documentation
│ ├── architecture.md # System design and components
│ ├── authentication-flows.md # Auth workflows and security
│ ├── server-api.md # API documentation
│ ├── cryptography.md # Crypto implementation details
│ ├── vault-system.md # Key management system
│ ├── openid-compliance.md # OAuth/OIDC compatibility
│ ├── security-model.md # Security analysis and threats
│ ├── deployment.md # Production deployment guide
│ └── development.md # Development setup and workflow
└── Cargo.toml # Workspace configuration
```
### Using the Registration Component
## 📚 Documentation
### Complete Documentation Suite
- **[Architecture Guide](docs/architecture.md)** - System design, components, and data flow
- **[Authentication Flows](docs/authentication-flows.md)** - Registration, login, and session management
- **[Server API](docs/server-api.md)** - Complete API reference with examples
- **[Cryptography](docs/cryptography.md)** - Detailed crypto implementation and security
- **[Vault System](docs/vault-system.md)** - Multi-key storage and management
- **[OpenID Compliance](docs/openid-compliance.md)** - OAuth 2.0 and OIDC compatibility
- **[Security Model](docs/security-model.md)** - Threat analysis and security controls
- **[Deployment Guide](docs/deployment.md)** - Production deployment and operations
- **[Development Guide](docs/development.md)** - Setup, workflow, and contribution guidelines
### Quick Integration
```rust
use self_components::{Registration, RegistrationConfig};
let config = RegistrationConfig {
server_url: "http://localhost:8080".to_string(),
app_name: "My App".to_string(),
};
let on_complete = Callback::from(|(email, public_key): (String, String)| {
// Handle successful registration
console::log!("User registered: {} with key: {}", email, public_key);
});
// Add Self components to your Yew application
use self_components::{Registration, Login, Identity, VaultManager};
// Registration flow
html! {
<Registration
config={config}
on_complete={on_complete}
config={RegistrationConfig {
server_url: "https://your-identity-server.com".to_string(),
app_name: "Your App".to_string(),
}}
on_complete={|identity| {
// Handle successful registration
}}
/>
}
// Authentication flow
html! {
<Login
config={LoginConfig {
server_url: "https://your-identity-server.com".to_string(),
}}
on_login={|session| {
// Handle successful login
}}
/>
}
```
### API Endpoints
## 🔐 Security Features
- `POST /api/send-verification` - Send email verification
- `GET /api/verification-status/{email}` - SSE stream for verification status
- `GET /api/verify/{token}` - Email verification callback
- `POST /api/register` - Complete user registration
- `GET /health` - Health check
### Cryptographic Foundation
- **Secp256k1 Keys**: Bitcoin/Ethereum-compatible elliptic curve cryptography
- **AES-256-GCM**: Authenticated encryption for private key storage
- **PBKDF2**: 10,000+ iterations for password-based key derivation
- **Secure Random**: Cryptographically secure random number generation
### Configuration Options
### Zero-Knowledge Architecture
- **Client-Side Operations**: All crypto operations in browser
- **No Server Secrets**: Server never sees private keys or passwords
- **Encrypted Storage**: Only encrypted data stored in localStorage
- **Minimal Data**: Server stores only public keys and basic profile
**Backend Server:**
- Command line: `cargo run -- --port 9001`
- Default port: 8080
### Standards Compliance
- **OAuth 2.0**: Standard token-based authentication
- **OpenID Connect**: Compatible user info endpoint
- **JWT Tokens**: Industry-standard session management
- **HTTPS Only**: All communications encrypted in transit
**Frontend App:**
- Command line: `./serve.sh --server-url http://localhost:9001 --port 8001`
- Environment variables: `SELF_SERVER_URL`, `SELF_PORT`
- Defaults: server `http://localhost:8080`, port `8000`
## 🚀 Production Ready
**Registration Component:**
The registration component accepts a `RegistrationConfig` with:
- `server_url`: Backend server URL (configured via build-time environment variable)
- `app_name`: Application name for branding
### Deployment Options
- **Docker**: Complete containerized deployment
- **Kubernetes**: Cloud-native scaling and orchestration
- **Bare Metal**: Direct server deployment
- **Cloud Platforms**: AWS, GCP, Azure compatible
The component emits completion events with `(email, public_key)` tuple for integration with your application.
### Monitoring & Operations
- **Health Checks**: Built-in health monitoring endpoints
- **Structured Logging**: JSON-formatted logs with tracing
- **Metrics**: Prometheus-compatible metrics collection
- **Security Monitoring**: Comprehensive audit logging
## Security Considerations
### Scalability
- **Stateless Design**: Horizontal scaling support
- **Database Agnostic**: PostgreSQL, MySQL, or in-memory storage
- **Load Balancer Ready**: Multiple instance support
- **CDN Compatible**: Static asset optimization
- Private keys are generated using cryptographically secure random number generation
- Keys are encrypted client-side before any storage
- Password-based key derivation uses PBKDF2-like key stretching
- No sensitive data is transmitted to the server except public keys
- Email verification prevents unauthorized registrations
## 🤝 Contributing
## Production Deployment
Self is open source and welcomes contributions! See our [Development Guide](docs/development.md) for:
For production use:
- Development environment setup
- Code style guidelines
- Testing strategies
- Pull request process
- Release procedures
1. **Replace mock email sending** in server with actual SMTP integration
2. **Add database storage** for user data and verification states
3. **Implement proper secp256k1** key generation (current implementation is simplified)
4. **Add rate limiting** for verification requests
5. **Use HTTPS** for all communications
6. **Configure CORS** appropriately for your domain
## License
## 📄 License
This project is part of the Hero Code ecosystem for decentralized identity management.
---
**Ready to take control of your digital identity?** Start with our [Quick Start](#-quick-start) guide or dive deep into the [Architecture Documentation](docs/architecture.md).

3
app/Cargo.toml
View File

@@ -9,7 +9,10 @@ crate-type = ["cdylib"]
[dependencies]
self-components = { path = "../components" }
yew = { workspace = true, features = ["csr"] }
yew-router = "0.18"
wasm-bindgen = { workspace = true }
wasm-bindgen-futures = { workspace = true }
web-sys = { workspace = true }
js-sys = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }

6
app/dist/index.html vendored
View File

@@ -105,7 +105,7 @@
transition: width 0.6s ease;
}
</style>
<link rel="modulepreload" href="/self-app-ea91d85454088543.js" crossorigin="anonymous" integrity="sha384-LtoStOLfGudTKD5QLifQMTi8an1aLEqMXZ1KhnQoVNPjpl8QZyBepu9D2sElroww"><link rel="preload" href="/self-app-ea91d85454088543_bg.wasm" crossorigin="anonymous" integrity="sha384-Ms0zVmkquqd/C5lI7dHomP8BqQnZQkKfzd+xAPLra7T1Z8ZAH59VCtXnUxWzzriT" as="fetch" type="application/wasm"></head>
<link rel="modulepreload" href="/self-app-b25013f584ee50e5.js" crossorigin="anonymous" integrity="sha384-1u18adVyfNdbwYr68l3Y+7ogP5yHPkK1snT5bpYfKGB/90poijA0I51N9oeEWm2E"><link rel="preload" href="/self-app-b25013f584ee50e5_bg.wasm" crossorigin="anonymous" integrity="sha384-sJLOBlXwGx/LmAiZtmypjzSbazD/ES2YkNdRfDm+qHUmAk4OJ6S7jIdZ5q9iVApF" as="fetch" type="application/wasm"></head>
<body>
<div id="app"></div>
@@ -113,8 +113,8 @@
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
<script type="module">
import init, * as bindings from '/self-app-ea91d85454088543.js';
const wasm = await init({ module_or_path: '/self-app-ea91d85454088543_bg.wasm' });
import init, * as bindings from '/self-app-b25013f584ee50e5.js';
const wasm = await init({ module_or_path: '/self-app-b25013f584ee50e5_bg.wasm' });
window.wasmBindings = bindings;

299
app/dist/self-app-ea91d85454088543.js → app/dist/self-app-b25013f584ee50e5.js vendored
View File

@@ -125,6 +125,11 @@ function passStringToWasm0(arg, malloc, realloc) {
return ptr;
}
function getArrayU8FromWasm0(ptr, len) {
ptr = ptr >>> 0;
return getUint8ArrayMemory0().subarray(ptr / 1, ptr / 1 + len);
}
function debugString(val) {
// primitive types
const type = typeof val;
@@ -198,28 +203,6 @@ state => {
}
);
function makeClosure(arg0, arg1, dtor, f) {
const state = { a: arg0, b: arg1, cnt: 1, dtor };
const real = (...args) => {
// First up with a closure we increment the internal reference
// count. This ensures that the Rust closure environment won't
// be deallocated while we're invoking it.
state.cnt++;
try {
return f(state.a, state.b, ...args);
} finally {
if (--state.cnt === 0) {
wasm.__wbindgen_export_7.get(state.dtor)(state.a, state.b); state.a = 0;
CLOSURE_DTORS.unregister(state);
}
}
};
real.original = state;
CLOSURE_DTORS.register(real, state, state);
return real;
}
function makeMutClosure(arg0, arg1, dtor, f) {
const state = { a: arg0, b: arg1, cnt: 1, dtor };
const real = (...args) => {
@@ -246,28 +229,134 @@ function makeMutClosure(arg0, arg1, dtor, f) {
return real;
}
function makeClosure(arg0, arg1, dtor, f) {
const state = { a: arg0, b: arg1, cnt: 1, dtor };
const real = (...args) => {
// First up with a closure we increment the internal reference
// count. This ensures that the Rust closure environment won't
// be deallocated while we're invoking it.
state.cnt++;
try {
return f(state.a, state.b, ...args);
} finally {
if (--state.cnt === 0) {
wasm.__wbindgen_export_7.get(state.dtor)(state.a, state.b); state.a = 0;
CLOSURE_DTORS.unregister(state);
}
}
};
real.original = state;
CLOSURE_DTORS.register(real, state, state);
return real;
}
export function run_app() {
wasm.run_app();
}
function takeFromExternrefTable0(idx) {
const value = wasm.__wbindgen_export_2.get(idx);
wasm.__externref_table_dealloc(idx);
return value;
}
function __wbg_adapter_6(arg0, arg1, arg2) {
wasm.closure293_externref_shim(arg0, arg1, arg2);
wasm.closure538_externref_shim(arg0, arg1, arg2);
}
function __wbg_adapter_9(arg0, arg1, arg2) {
wasm.closure223_externref_shim(arg0, arg1, arg2);
wasm.closure608_externref_shim(arg0, arg1, arg2);
}
function __wbg_adapter_14(arg0, arg1, arg2) {
wasm.closure286_externref_shim(arg0, arg1, arg2);
}
function __wbg_adapter_17(arg0, arg1) {
wasm.wasm_bindgen__convert__closures_____invoke__h5eb5ae71b8ec87bb(arg0, arg1);
function __wbg_adapter_16(arg0, arg1, arg2) {
wasm.closure604_externref_shim(arg0, arg1, arg2);
}
const __wbindgen_enum_RequestMode = ["same-origin", "no-cors", "cors", "navigate"];
const VaultJsFinalization = (typeof FinalizationRegistry === 'undefined')
? { register: () => {}, unregister: () => {} }
: new FinalizationRegistry(ptr => wasm.__wbg_vaultjs_free(ptr >>> 0, 1));
export class VaultJs {
__destroy_into_raw() {
const ptr = this.__wbg_ptr;
this.__wbg_ptr = 0;
VaultJsFinalization.unregister(this);
return ptr;
}
free() {
const ptr = this.__destroy_into_raw();
wasm.__wbg_vaultjs_free(ptr, 0);
}
/**
* @param {string} private_key
* @param {string} password
*/
static storePrivateKey(private_key, password) {
const ptr0 = passStringToWasm0(private_key, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
const len0 = WASM_VECTOR_LEN;
const ptr1 = passStringToWasm0(password, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
const len1 = WASM_VECTOR_LEN;
const ret = wasm.vaultjs_storePrivateKey(ptr0, len0, ptr1, len1);
if (ret[1]) {
throw takeFromExternrefTable0(ret[0]);
}
}
/**
* @param {string} password
* @returns {string}
*/
static retrievePrivateKey(password) {
let deferred3_0;
let deferred3_1;
try {
const ptr0 = passStringToWasm0(password, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
const len0 = WASM_VECTOR_LEN;
const ret = wasm.vaultjs_retrievePrivateKey(ptr0, len0);
var ptr2 = ret[0];
var len2 = ret[1];
if (ret[3]) {
ptr2 = 0; len2 = 0;
throw takeFromExternrefTable0(ret[2]);
}
deferred3_0 = ptr2;
deferred3_1 = len2;
return getStringFromWasm0(ptr2, len2);
} finally {
wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
}
}
/**
* @returns {boolean}
*/
static hasStoredKey() {
const ret = wasm.vaultjs_hasStoredKey();
return ret !== 0;
}
static clearStoredKey() {
const ret = wasm.vaultjs_clearStoredKey();
if (ret[1]) {
throw takeFromExternrefTable0(ret[0]);
}
}
/**
* @param {string} password
* @returns {boolean}
*/
static verifyPassword(password) {
const ptr0 = passStringToWasm0(password, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
const len0 = WASM_VECTOR_LEN;
const ret = wasm.vaultjs_verifyPassword(ptr0, len0);
if (ret[2]) {
throw takeFromExternrefTable0(ret[1]);
}
return ret[0] !== 0;
}
}
const EXPECTED_RESPONSE_TYPES = new Set(['basic', 'cors', 'default']);
async function __wbg_load(module, imports) {
@@ -325,6 +414,10 @@ function __wbg_get_imports() {
const ret = arg0.call(arg1);
return ret;
}, arguments) };
imports.wbg.__wbg_call_f53f0647ceb9c567 = function() { return handleError(function (arg0, arg1, arg2) {
const ret = arg0.call(arg1, arg2);
return ret;
}, arguments) };
imports.wbg.__wbg_cancelBubble_ba3496c52eac50f9 = function(arg0) {
const ret = arg0.cancelBubble;
return ret;
@@ -333,10 +426,6 @@ function __wbg_get_imports() {
const ret = arg0.childNodes;
return ret;
};
imports.wbg.__wbg_clearTimeout_5a54f8841c30079a = function(arg0) {
const ret = clearTimeout(arg0);
return ret;
};
imports.wbg.__wbg_clipboard_cb646efa8bab83fa = function(arg0) {
const ret = arg0.clipboard;
return ret;
@@ -364,6 +453,10 @@ function __wbg_get_imports() {
const ret = arg0.createTextNode(getStringFromWasm0(arg1, arg2));
return ret;
};
imports.wbg.__wbg_crypto_574e78ad8b13b65f = function(arg0) {
const ret = arg0.crypto;
return ret;
};
imports.wbg.__wbg_data_d1e564c046e31ed9 = function(arg0) {
const ret = arg0.data;
return ret;
@@ -399,6 +492,16 @@ function __wbg_get_imports() {
const ret = Array.from(arg0);
return ret;
};
imports.wbg.__wbg_getItem_7083c7e8090b4e20 = function() { return handleError(function (arg0, arg1, arg2, arg3) {
const ret = arg1.getItem(getStringFromWasm0(arg2, arg3));
var ptr1 = isLikeNone(ret) ? 0 : passStringToWasm0(ret, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
var len1 = WASM_VECTOR_LEN;
getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
}, arguments) };
imports.wbg.__wbg_getRandomValues_b8f5dbd5f3995a9e = function() { return handleError(function (arg0, arg1) {
arg0.getRandomValues(arg1);
}, arguments) };
imports.wbg.__wbg_get_59c6316d15f9f1d0 = function(arg0, arg1) {
const ret = arg0[arg1 >>> 0];
return ret;
@@ -421,6 +524,16 @@ function __wbg_get_imports() {
const ret = result;
return ret;
};
imports.wbg.__wbg_instanceof_Response_0ab386c6818f788a = function(arg0) {
let result;
try {
result = arg0 instanceof Response;
} catch (_) {
result = false;
}
const ret = result;
return ret;
};
imports.wbg.__wbg_instanceof_ShadowRoot_ae4bc62016938ece = function(arg0) {
let result;
try {
@@ -445,6 +558,10 @@ function __wbg_get_imports() {
const ret = Object.is(arg0, arg1);
return ret;
};
imports.wbg.__wbg_json_dbaa85a926a80ed5 = function() { return handleError(function (arg0) {
const ret = arg0.json();
return ret;
}, arguments) };
imports.wbg.__wbg_lastChild_5847fcd93bd5162a = function(arg0) {
const ret = arg0.lastChild;
return isLikeNone(ret) ? 0 : addToExternrefTable0(ret);
@@ -453,13 +570,25 @@ function __wbg_get_imports() {
const ret = arg0.length;
return ret;
};
imports.wbg.__wbg_length_904c0910ed998bf3 = function(arg0) {
const ret = arg0.length;
return ret;
};
imports.wbg.__wbg_listenerid_ed1678830a5b97ec = function(arg0) {
const ret = arg0.__yew_listener_id;
return isLikeNone(ret) ? 0x100000001 : (ret) >>> 0;
};
imports.wbg.__wbg_localStorage_3e7df12e18c45ecc = function() { return handleError(function (arg0) {
const ret = arg0.localStorage;
return isLikeNone(ret) ? 0 : addToExternrefTable0(ret);
}, arguments) };
imports.wbg.__wbg_log_f3c04200b995730f = function(arg0) {
console.log(arg0);
};
imports.wbg.__wbg_msCrypto_a61aeb35a24c1329 = function(arg0) {
const ret = arg0.msCrypto;
return ret;
};
imports.wbg.__wbg_namespaceURI_16a9ca763a61b64a = function(arg0, arg1) {
const ret = arg1.namespaceURI;
var ptr1 = isLikeNone(ret) ? 0 : passStringToWasm0(ret, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
@@ -471,6 +600,10 @@ function __wbg_get_imports() {
const ret = arg0.navigator;
return ret;
};
imports.wbg.__wbg_new0_85cc856927102294 = function() {
const ret = new Date();
return ret;
};
imports.wbg.__wbg_new_12588505388d0897 = function() { return handleError(function () {
const ret = new Headers();
return ret;
@@ -491,6 +624,10 @@ function __wbg_get_imports() {
const ret = new Function(getStringFromWasm0(arg0, arg1));
return ret;
};
imports.wbg.__wbg_newwithlength_ed0ee6c1edca86fc = function(arg0) {
const ret = new Uint8Array(arg0 >>> 0);
return ret;
};
imports.wbg.__wbg_newwithstrandinit_e8e22e9851f3c2fe = function() { return handleError(function (arg0, arg1, arg2) {
const ret = new Request(getStringFromWasm0(arg0, arg1), arg2);
return ret;
@@ -499,6 +636,18 @@ function __wbg_get_imports() {
const ret = arg0.nextSibling;
return isLikeNone(ret) ? 0 : addToExternrefTable0(ret);
};
imports.wbg.__wbg_node_905d3e251edff8a2 = function(arg0) {
const ret = arg0.node;
return ret;
};
imports.wbg.__wbg_now_e3057dd824ca0191 = function() {
const ret = Date.now();
return ret;
};
imports.wbg.__wbg_ok_3f777ee8a1c6baeb = function(arg0) {
const ret = arg0.ok;
return ret;
};
imports.wbg.__wbg_outerHTML_7306ec658b1ed630 = function(arg0, arg1) {
const ret = arg1.outerHTML;
const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
@@ -514,6 +663,16 @@ function __wbg_get_imports() {
const ret = arg0.parentNode;
return isLikeNone(ret) ? 0 : addToExternrefTable0(ret);
};
imports.wbg.__wbg_preventDefault_9f90a0a7802591fd = function(arg0) {
arg0.preventDefault();
};
imports.wbg.__wbg_process_dc0fbacc7c1c06f7 = function(arg0) {
const ret = arg0.process;
return ret;
};
imports.wbg.__wbg_prototypesetcall_c5f74efd31aea86b = function(arg0, arg1, arg2) {
Uint8Array.prototype.set.call(getArrayU8FromWasm0(arg0, arg1), arg2);
};
imports.wbg.__wbg_queueMicrotask_bcc6e26d899696db = function(arg0) {
const ret = arg0.queueMicrotask;
return ret;
@@ -521,6 +680,9 @@ function __wbg_get_imports() {
imports.wbg.__wbg_queueMicrotask_f24a794d09c42640 = function(arg0) {
queueMicrotask(arg0);
};
imports.wbg.__wbg_randomFillSync_ac0988aba3254290 = function() { return handleError(function (arg0, arg1) {
arg0.randomFillSync(arg1);
}, arguments) };
imports.wbg.__wbg_removeAttribute_6930c6c8a4db23d2 = function() { return handleError(function (arg0, arg1, arg2) {
arg0.removeAttribute(getStringFromWasm0(arg1, arg2));
}, arguments) };
@@ -531,6 +693,13 @@ function __wbg_get_imports() {
imports.wbg.__wbg_removeEventListener_b25c194da9564efa = function() { return handleError(function (arg0, arg1, arg2, arg3, arg4) {
arg0.removeEventListener(getStringFromWasm0(arg1, arg2), arg3, arg4 !== 0);
}, arguments) };
imports.wbg.__wbg_removeItem_3accb1e04073ade4 = function() { return handleError(function (arg0, arg1, arg2) {
arg0.removeItem(getStringFromWasm0(arg1, arg2));
}, arguments) };
imports.wbg.__wbg_require_60cc747a6bc5215a = function() { return handleError(function () {
const ret = module.require;
return ret;
}, arguments) };
imports.wbg.__wbg_resolve_5775c0ef9222f556 = function(arg0) {
const ret = Promise.resolve(arg0);
return ret;
@@ -538,9 +707,8 @@ function __wbg_get_imports() {
imports.wbg.__wbg_setAttribute_6a3ee9b5deb88ed3 = function() { return handleError(function (arg0, arg1, arg2, arg3, arg4) {
arg0.setAttribute(getStringFromWasm0(arg1, arg2), getStringFromWasm0(arg3, arg4));
}, arguments) };
imports.wbg.__wbg_setTimeout_db2dbaeefb6f39c7 = function() { return handleError(function (arg0, arg1) {
const ret = setTimeout(arg0, arg1);
return ret;
imports.wbg.__wbg_setItem_328cbcd44fb5d487 = function() { return handleError(function (arg0, arg1, arg2, arg3, arg4) {
arg0.setItem(getStringFromWasm0(arg1, arg2), getStringFromWasm0(arg3, arg4));
}, arguments) };
imports.wbg.__wbg_set_2df374478acad331 = function() { return handleError(function (arg0, arg1, arg2, arg3, arg4) {
arg0.set(getStringFromWasm0(arg1, arg2), getStringFromWasm0(arg3, arg4));
@@ -617,6 +785,18 @@ function __wbg_get_imports() {
const ret = typeof window === 'undefined' ? null : window;
return isLikeNone(ret) ? 0 : addToExternrefTable0(ret);
};
imports.wbg.__wbg_status_31874648c8651949 = function(arg0) {
const ret = arg0.status;
return ret;
};
imports.wbg.__wbg_stringify_1f41b6198e0932e0 = function() { return handleError(function (arg0) {
const ret = JSON.stringify(arg0);
return ret;
}, arguments) };
imports.wbg.__wbg_subarray_a219824899e59712 = function(arg0, arg1, arg2) {
const ret = arg0.subarray(arg1 >>> 0, arg2 >>> 0);
return ret;
};
imports.wbg.__wbg_subtreeid_e65dfcc52d403fd9 = function(arg0) {
const ret = arg0.__yew_subtree_id;
return isLikeNone(ret) ? 0x100000001 : (ret) >>> 0;
@@ -632,6 +812,10 @@ function __wbg_get_imports() {
getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
};
imports.wbg.__wbg_text_42c080764c927da6 = function() { return handleError(function (arg0) {
const ret = arg0.text();
return ret;
}, arguments) };
imports.wbg.__wbg_then_8d2fcccde5380a03 = function(arg0, arg1, arg2) {
const ret = arg0.then(arg1, arg2);
return ret;
@@ -640,6 +824,10 @@ function __wbg_get_imports() {
const ret = arg0.then(arg1);
return ret;
};
imports.wbg.__wbg_toISOString_61f131e920833685 = function(arg0) {
const ret = arg0.toISOString();
return ret;
};
imports.wbg.__wbg_value_1ae15635193fdbb5 = function(arg0, arg1) {
const ret = arg1.value;
const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
@@ -654,6 +842,10 @@ function __wbg_get_imports() {
getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
};
imports.wbg.__wbg_versions_c01dfd4722a88165 = function(arg0) {
const ret = arg0.versions;
return ret;
};
imports.wbg.__wbg_wbindgencbdrop_a85ed476c6a370b9 = function(arg0) {
const obj = arg0.original;
if (obj.cnt-- == 1) {
@@ -674,6 +866,15 @@ function __wbg_get_imports() {
const ret = typeof(arg0) === 'function';
return ret;
};
imports.wbg.__wbg_wbindgenisobject_dfe064a121d87553 = function(arg0) {
const val = arg0;
const ret = typeof(val) === 'object' && val !== null;
return ret;
};
imports.wbg.__wbg_wbindgenisstring_4b74e4111ba029e6 = function(arg0) {
const ret = typeof(arg0) === 'string';
return ret;
};
imports.wbg.__wbg_wbindgenisundefined_71f08a6ade4354e7 = function(arg0) {
const ret = arg0 === undefined;
return ret;
@@ -698,24 +899,24 @@ function __wbg_get_imports() {
const ret = getStringFromWasm0(arg0, arg1);
return ret;
};
imports.wbg.__wbindgen_cast_33ed6ce34b165f3b = function(arg0, arg1) {
// Cast intrinsic for `Closure(Closure { dtor_idx: 222, function: Function { arguments: [Ref(NamedExternref("Event"))], shim_idx: 223, ret: Unit, inner_ret: Some(Unit) }, mutable: false }) -> Externref`.
const ret = makeClosure(arg0, arg1, 222, __wbg_adapter_9);
imports.wbg.__wbindgen_cast_4d7be94769e4ba26 = function(arg0, arg1) {
// Cast intrinsic for `Closure(Closure { dtor_idx: 603, function: Function { arguments: [NamedExternref("MessageEvent")], shim_idx: 604, ret: Unit, inner_ret: Some(Unit) }, mutable: true }) -> Externref`.
const ret = makeMutClosure(arg0, arg1, 603, __wbg_adapter_16);
return ret;
};
imports.wbg.__wbindgen_cast_52db8efac9e5598a = function(arg0, arg1) {
// Cast intrinsic for `Closure(Closure { dtor_idx: 292, function: Function { arguments: [Externref], shim_idx: 293, ret: Unit, inner_ret: Some(Unit) }, mutable: true }) -> Externref`.
const ret = makeMutClosure(arg0, arg1, 292, __wbg_adapter_6);
imports.wbg.__wbindgen_cast_96deb231e670e363 = function(arg0, arg1) {
// Cast intrinsic for `Closure(Closure { dtor_idx: 537, function: Function { arguments: [Ref(NamedExternref("Event"))], shim_idx: 538, ret: Unit, inner_ret: Some(Unit) }, mutable: false }) -> Externref`.
const ret = makeClosure(arg0, arg1, 537, __wbg_adapter_6);
return ret;
};
imports.wbg.__wbindgen_cast_8783041643bd3db7 = function(arg0, arg1) {
// Cast intrinsic for `Closure(Closure { dtor_idx: 285, function: Function { arguments: [NamedExternref("MessageEvent")], shim_idx: 286, ret: Unit, inner_ret: Some(Unit) }, mutable: true }) -> Externref`.
const ret = makeMutClosure(arg0, arg1, 285, __wbg_adapter_14);
imports.wbg.__wbindgen_cast_cb9088102bce6b30 = function(arg0, arg1) {
// Cast intrinsic for `Ref(Slice(U8)) -> NamedExternref("Uint8Array")`.
const ret = getArrayU8FromWasm0(arg0, arg1);
return ret;
};
imports.wbg.__wbindgen_cast_8b1432b6c48212a6 = function(arg0, arg1) {
// Cast intrinsic for `Closure(Closure { dtor_idx: 287, function: Function { arguments: [], shim_idx: 288, ret: Unit, inner_ret: Some(Unit) }, mutable: true }) -> Externref`.
const ret = makeMutClosure(arg0, arg1, 287, __wbg_adapter_17);
imports.wbg.__wbindgen_cast_edabf52bd3bd4133 = function(arg0, arg1) {
// Cast intrinsic for `Closure(Closure { dtor_idx: 607, function: Function { arguments: [Externref], shim_idx: 608, ret: Unit, inner_ret: Some(Unit) }, mutable: true }) -> Externref`.
const ret = makeMutClosure(arg0, arg1, 607, __wbg_adapter_9);
return ret;
};
imports.wbg.__wbindgen_init_externref_table = function() {

BIN
app/dist/self-app-b25013f584ee50e5_bg.wasm vendored Normal file
View File

Binary file not shown.

BIN
app/dist/self-app-ea91d85454088543_bg.wasm vendored
View File

Binary file not shown.

390
app/src/lib.rs
View File

@@ -1,25 +1,141 @@
use yew::prelude::*;
use yew_router::prelude::*;
use wasm_bindgen::prelude::*;
use self_components::{Registration, RegistrationConfig};
use self_components::{Registration, RegistrationConfig, Login, LoginConfig, Identity, IdentityConfig, IdentityData, Sign, SignConfig, VaultManager, VaultConfig};
#[function_component(App)]
fn app() -> Html {
let registration_complete = Callback::from(|data: (String, String)| {
let (email, public_key) = data;
web_sys::console::log_1(&format!("Registration completed for {} with public key: {}", email, public_key).into());
mod pages;
use pages::{Landing, Documentation, AppPage};
#[derive(Clone, Routable, PartialEq)]
enum Route {
#[at("/")]
Home,
#[at("/docs")]
Docs,
#[at("/docs/:section")]
DocsSection { section: String },
#[at("/app")]
App,
#[at("/app/:view")]
AppView { view: String },
#[not_found]
#[at("/404")]
NotFound,
}
#[derive(Clone, PartialEq)]
enum AppView {
Login,
Register,
Identity,
Sign,
Vault,
}
pub struct App {
current_view: AppView,
user_identity: Option<IdentityData>,
jwt_token: Option<String>,
}
pub enum AppMsg {
ShowLogin,
ShowRegister,
ShowIdentity,
ShowSign,
ShowVault,
LoginSuccess(String), // JWT token
RegistrationSuccess(String, String), // (email, public_key) - registration still uses this
IdentityFetched(IdentityData),
IdentityFetchFailed(String),
Logout,
}
impl Component for App {
type Message = AppMsg;
type Properties = ();
fn create(_ctx: &Context<Self>) -> Self {
Self {
current_view: AppView::Login,
user_identity: None,
jwt_token: None,
}
}
fn update(&mut self, _ctx: &Context<Self>, msg: Self::Message) -> bool {
match msg {
AppMsg::ShowLogin => {
self.current_view = AppView::Login;
true
}
AppMsg::ShowRegister => {
self.current_view = AppView::Register;
true
}
AppMsg::ShowIdentity => {
self.current_view = AppView::Identity;
true
}
AppMsg::ShowSign => {
self.current_view = AppView::Sign;
true
}
AppMsg::ShowVault => {
self.current_view = AppView::Vault;
true
}
AppMsg::LoginSuccess(jwt_token) => {
self.jwt_token = Some(jwt_token.clone());
// Fetch user identity from server using JWT token
self.fetch_user_identity(_ctx, jwt_token);
true
}
AppMsg::IdentityFetched(identity_data) => {
self.user_identity = Some(identity_data);
true
}
AppMsg::IdentityFetchFailed(error) => {
web_sys::console::log_1(&format!("Failed to fetch identity: {}", error).into());
// Clear JWT token on failure
self.jwt_token = None;
true
}
AppMsg::RegistrationSuccess(email, public_key) => {
self.user_identity = Some(IdentityData {
email,
public_key: public_key.clone(),
name: "User".to_string(),
created_at: None,
});
// Stay on register view instead of auto-redirecting
true
}
AppMsg::Logout => {
self.user_identity = None;
self.jwt_token = None;
self.current_view = AppView::Login;
let server_url = option_env!("SERVER_URL")
.unwrap_or("http://localhost:8080")
.to_string();
// Clear JWT token from localStorage
if let Some(window) = web_sys::window() {
if let Ok(Some(storage)) = window.local_storage() {
let _ = storage.remove_item("jwt_token");
web_sys::console::log_1(&"JWT token cleared from localStorage".into());
}
}
let config = RegistrationConfig {
server_url,
app_name: "Self-Sovereign Identity".to_string(),
};
true
}
}
}
fn view(&self, ctx: &Context<Self>) -> Html {
let _link = ctx.link();
html! {
<div class="app-container" style="min-height: 100vh; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 2rem 0;">
<div class="app-container" style="min-height: 100vh; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);">
{self.render_navbar(ctx)}
<div style="padding: 2rem 0;">
<div class="container">
<div class="row justify-content-center">
<div class="col-12 col-lg-8">
@@ -28,15 +144,253 @@ fn app() -> Html {
<p class="lead text-white-50">{"Sovereign Entity Local Framework"}</p>
</div>
<Registration
config={config}
on_complete={registration_complete}
/>
{self.render_current_view(ctx)}
</div>
</div>
</div>
</div>
</div>
}
}
}
impl App {
fn render_navbar(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
html! {
<nav class="navbar navbar-expand-lg" style="background: rgba(255, 255, 255, 0.1); backdrop-filter: blur(10px);">
<div class="container">
<a class="navbar-brand text-white fw-bold" href="#">
<i class="bi bi-shield-check me-2"></i>
{"Self"}
</a>
<div class="navbar-nav ms-auto">
{if self.jwt_token.is_some() {
// Show authenticated user navigation
html! {
<>
<button type="button"
class={format!("btn me-2 {}", if self.current_view == AppView::Identity { "btn-light" } else { "btn-outline-light" })}
onclick={link.callback(|_| AppMsg::ShowIdentity)}>
<i class="bi bi-person-badge me-1"></i>
{"Identity"}
</button>
<button type="button"
class={format!("btn me-2 {}", if self.current_view == AppView::Vault { "btn-light" } else { "btn-outline-light" })}
onclick={link.callback(|_| AppMsg::ShowVault)}>
<i class="bi bi-shield-lock me-1"></i>
{"Vault"}
</button>
<button type="button"
class={format!("btn me-2 {}", if self.current_view == AppView::Sign { "btn-light" } else { "btn-outline-light" })}
onclick={link.callback(|_| AppMsg::ShowSign)}>
<i class="bi bi-pen me-1"></i>
{"Sign"}
</button>
<button type="button"
class="btn btn-outline-danger"
onclick={link.callback(|_| AppMsg::Logout)}>
<i class="bi bi-box-arrow-right me-1"></i>
{"Logout"}
</button>
</>
}
} else {
// Show unauthenticated user navigation
html! {
<>
<button type="button"
class={format!("btn me-2 {}", if self.current_view == AppView::Login { "btn-light" } else { "btn-outline-light" })}
onclick={link.callback(|_| AppMsg::ShowLogin)}>
<i class="bi bi-box-arrow-in-right me-1"></i>
{"Login"}
</button>
<button type="button"
class={format!("btn {}", if self.current_view == AppView::Register { "btn-light" } else { "btn-outline-light" })}
onclick={link.callback(|_| AppMsg::ShowRegister)}>
<i class="bi bi-person-plus me-1"></i>
{"Register"}
</button>
</>
}
}}
</div>
</div>
</nav>
}
}
fn render_current_view(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
let server_url = option_env!("SERVER_URL")
.unwrap_or("http://localhost:8080")
.to_string();
match self.current_view {
AppView::Login => {
let login_config = LoginConfig {
server_url,
};
html! {
<Login
config={login_config}
on_login_success={link.callback(|jwt_token| AppMsg::LoginSuccess(jwt_token))}
/>
}
}
AppView::Register => {
let registration_config = RegistrationConfig {
server_url,
app_name: "Self-Sovereign Identity".to_string(),
};
html! {
<Registration
config={registration_config}
on_complete={link.callback(|(email, public_key)| AppMsg::RegistrationSuccess(email, public_key))}
/>
}
}
AppView::Identity => {
if let Some(identity_data) = &self.user_identity {
let identity_config = IdentityConfig {
server_url,
app_name: "Self-Sovereign Identity".to_string(),
};
html! {
<Identity
config={identity_config}
on_logout={link.callback(|_| AppMsg::Logout)}
/>
}
} else {
// Fallback to login if no identity data
html! { <div>{"Error: No identity data available"}</div> }
}
}
AppView::Sign => {
let sign_config = SignConfig {
server_url,
app_name: "Self-Sovereign Identity".to_string(),
};
html! {
<Sign
config={sign_config}
on_signature_complete={link.callback(|(plaintext, signature)| {
web_sys::console::log_1(&format!("Signature created for text: {} -> {}", plaintext, signature).into());
AppMsg::ShowSign // Stay on sign view
})}
/>
}
}
AppView::Vault => {
let vault_config = VaultConfig {
server_url,
app_name: "Self-Sovereign Identity".to_string(),
};
html! {
<VaultManager
config={vault_config}
/>
}
}
}
}
fn fetch_user_identity(&self, ctx: &Context<Self>, jwt_token: String) {
let server_url = option_env!("SERVER_URL")
.unwrap_or("http://localhost:8080")
.to_string();
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
match Self::fetch_identity_from_server(&server_url, &jwt_token).await {
Ok(identity_data) => {
link.send_message(AppMsg::IdentityFetched(identity_data));
}
Err(e) => {
link.send_message(AppMsg::IdentityFetchFailed(e));
}
}
});
}
async fn fetch_identity_from_server(server_url: &str, jwt_token: &str) -> Result<IdentityData, String> {
use web_sys::{Request, RequestInit, RequestMode, Response};
use wasm_bindgen::JsValue;
use wasm_bindgen_futures::JsFuture;
let mut opts = RequestInit::new();
opts.method("GET");
opts.mode(RequestMode::Cors);
let headers = js_sys::Object::new();
js_sys::Reflect::set(&headers, &"Authorization".into(), &format!("Bearer {}", jwt_token).into()).unwrap();
js_sys::Reflect::set(&headers, &"Content-Type".into(), &"application/json".into()).unwrap();
opts.headers(&headers);
let url = format!("{}/oauth/userinfo", server_url);
let request = Request::new_with_str_and_init(&url, &opts)
.map_err(|_| "Failed to create request")?;
let window = web_sys::window().ok_or("No window object")?;
let resp_value = JsFuture::from(window.fetch_with_request(&request))
.await
.map_err(|_| "Network request failed")?;
let resp: Response = resp_value.dyn_into()
.map_err(|_| "Failed to cast response")?;
if !resp.ok() {
return Err(format!("Failed to fetch user info with status: {}", resp.status()));
}
let json = JsFuture::from(resp.json().map_err(|_| "Failed to get response JSON")?)
.await
.map_err(|_| "Failed to parse JSON response")?;
let response_text = js_sys::JSON::stringify(&json)
.map_err(|_| "Failed to stringify response")?
.as_string()
.ok_or("Failed to convert response to string")?;
let user_info: serde_json::Value = serde_json::from_str(&response_text)
.map_err(|_| "Failed to parse response JSON")?;
// Extract user information from OpenID Connect userinfo response
let email = user_info["email"]
.as_str()
.unwrap_or("unknown@example.com")
.to_string();
let name = user_info["name"]
.as_str()
.unwrap_or("Unknown User")
.to_string();
let public_key = user_info["sub"] // Subject is typically the public key in our case
.as_str()
.unwrap_or("")
.to_string();
let created_at = user_info["created_at"]
.as_str()
.map(|s| s.to_string());
Ok(IdentityData {
email,
name,
public_key,
created_at,
})
}
}
#[wasm_bindgen::prelude::wasm_bindgen(start)]

279
app/src/pages/landing.rs Normal file
View File

@@ -0,0 +1,279 @@
use yew::prelude::*;
use yew_router::prelude::*;
use crate::Route;
#[function_component(Landing)]
pub fn landing() -> Html {
let navigator = use_navigator().unwrap();
let on_get_started = {
let navigator = navigator.clone();
Callback::from(move |_| {
navigator.push(&Route::App);
})
};
let on_view_docs = {
let navigator = navigator.clone();
Callback::from(move |_| {
navigator.push(&Route::Docs);
})
};
html! {
<div class="landing-page">
// Hero Section
<section class="hero-section" style="min-height: 100vh; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; display: flex; align-items: center;">
<div class="container">
<div class="row align-items-center">
<div class="col-lg-6 mb-5 mb-lg-0">
<div class="hero-content" style="animation: fadeInUp 0.8s ease-out;">
<h1 class="display-2 fw-bold mb-4" style="font-size: 4rem;">
{"Self"}
</h1>
<p class="lead mb-4" style="font-size: 1.5rem; opacity: 0.95;">
{"Sovereign Entity Local Framework"}
</p>
<p class="fs-5 mb-5" style="opacity: 0.9; line-height: 1.8;">
{"Take control of your digital identity. No passwords, no central authority, just you and your cryptographic keys."}
</p>
<div class="d-flex gap-3 flex-wrap">
<button onclick={on_get_started} class="btn btn-light btn-lg px-5 py-3" style="border-radius: 50px; font-weight: 600; box-shadow: 0 8px 20px rgba(0,0,0,0.2);">
<i class="bi bi-rocket-takeoff me-2"></i>
{"Get Started"}
</button>
<button onclick={on_view_docs} class="btn btn-outline-light btn-lg px-5 py-3" style="border-radius: 50px; font-weight: 600; border-width: 2px;">
<i class="bi bi-book me-2"></i>
{"Documentation"}
</button>
</div>
</div>
</div>
<div class="col-lg-6">
<div class="hero-visual" style="animation: fadeInUp 0.8s ease-out 0.2s both;">
<div class="p-5" style="background: rgba(255,255,255,0.1); backdrop-filter: blur(10px); border-radius: 24px; border: 2px solid rgba(255,255,255,0.2);">
<div class="text-center mb-4">
<i class="bi bi-shield-check" style="font-size: 6rem; opacity: 0.9;"></i>
</div>
<div class="d-flex justify-content-around text-center">
<div>
<i class="bi bi-key-fill fs-2 mb-2 d-block"></i>
<small>{"Your Keys"}</small>
</div>
<div>
<i class="bi bi-lock-fill fs-2 mb-2 d-block"></i>
<small>{"Your Data"}</small>
</div>
<div>
<i class="bi bi-person-check-fill fs-2 mb-2 d-block"></i>
<small>{"Your Identity"}</small>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
// Features Section
<section class="features-section py-5" style="background: #f8f9fa;">
<div class="container py-5">
<div class="text-center mb-5">
<h2 class="display-4 fw-bold mb-3">{"Why Self?"}</h2>
<p class="lead text-muted">{"True digital sovereignty through cryptographic identity"}</p>
</div>
<div class="row g-4">
<div class="col-md-6 col-lg-3">
<div class="feature-card card h-100 border-0 shadow-sm" style="transition: transform 0.3s;">
<div class="card-body text-center p-4">
<div class="feature-icon mb-3" style="width: 80px; height: 80px; margin: 0 auto; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); border-radius: 20px; display: flex; align-items: center; justify-content: center;">
<i class="bi bi-shield-lock-fill text-white" style="font-size: 2.5rem;"></i>
</div>
<h4 class="fw-bold mb-3">{"Self-Sovereign"}</h4>
<p class="text-muted">{"You generate and control your own cryptographic keys. No central authority."}</p>
</div>
</div>
</div>
<div class="col-md-6 col-lg-3">
<div class="feature-card card h-100 border-0 shadow-sm">
<div class="card-body text-center p-4">
<div class="feature-icon mb-3" style="width: 80px; height: 80px; margin: 0 auto; background: linear-gradient(135deg, #f093fb 0%, #f5576c 100%); border-radius: 20px; display: flex; align-items: center; justify-content: center;">
<i class="bi bi-fingerprint text-white" style="font-size: 2.5rem;"></i>
</div>
<h4 class="fw-bold mb-3">{"Passwordless"}</h4>
<p class="text-muted">{"Authenticate using digital signatures, not passwords. More secure and convenient."}</p>
</div>
</div>
</div>
<div class="col-md-6 col-lg-3">
<div class="feature-card card h-100 border-0 shadow-sm">
<div class="card-body text-center p-4">
<div class="feature-icon mb-3" style="width: 80px; height: 80px; margin: 0 auto; background: linear-gradient(135deg, #4facfe 0%, #00f2fe 100%); border-radius: 20px; display: flex; align-items: center; justify-content: center;">
<i class="bi bi-cpu-fill text-white" style="font-size: 2.5rem;"></i>
</div>
<h4 class="fw-bold mb-3">{"Client-Side Crypto"}</h4>
<p class="text-muted">{"All cryptographic operations happen in your browser. Your keys never leave your device."}</p>
</div>
</div>
</div>
<div class="col-md-6 col-lg-3">
<div class="feature-card card h-100 border-0 shadow-sm">
<div class="card-body text-center p-4">
<div class="feature-icon mb-3" style="width: 80px; height: 80px; margin: 0 auto; background: linear-gradient(135deg, #43e97b 0%, #38f9d7 100%); border-radius: 20px; display: flex; align-items: center; justify-content: center;">
<i class="bi bi-diagram-3-fill text-white" style="font-size: 2.5rem;"></i>
</div>
<h4 class="fw-bold mb-3">{"OAuth Compatible"}</h4>
<p class="text-muted">{"Works with existing OAuth 2.0 and OpenID Connect infrastructure."}</p>
</div>
</div>
</div>
</div>
</div>
</section>
// How It Works Section
<section class="how-it-works-section py-5" style="background: white;">
<div class="container py-5">
<div class="text-center mb-5">
<h2 class="display-4 fw-bold mb-3">{"How It Works"}</h2>
<p class="lead text-muted">{"Simple, secure, and sovereign"}</p>
</div>
<div class="row g-5">
<div class="col-lg-4">
<div class="text-center">
<div class="step-number mb-4" style="width: 80px; height: 80px; margin: 0 auto; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); border-radius: 50%; display: flex; align-items: center; justify-content: center; color: white; font-size: 2rem; font-weight: bold;">
{"1"}
</div>
<h4 class="fw-bold mb-3">{"Generate Keys"}</h4>
<p class="text-muted">{"Create your cryptographic key pair locally in your browser. Your private key is encrypted with a password you choose."}</p>
</div>
</div>
<div class="col-lg-4">
<div class="text-center">
<div class="step-number mb-4" style="width: 80px; height: 80px; margin: 0 auto; background: linear-gradient(135deg, #f093fb 0%, #f5576c 100%); border-radius: 50%; display: flex; align-items: center; justify-content: center; color: white; font-size: 2rem; font-weight: bold;">
{"2"}
</div>
<h4 class="fw-bold mb-3">{"Register Identity"}</h4>
<p class="text-muted">{"Verify your email and register your public key. The server never sees your private key or password."}</p>
</div>
</div>
<div class="col-lg-4">
<div class="text-center">
<div class="step-number mb-4" style="width: 80px; height: 80px; margin: 0 auto; background: linear-gradient(135deg, #4facfe 0%, #00f2fe 100%); border-radius: 50%; display: flex; align-items: center; justify-content: center; color: white; font-size: 2rem; font-weight: bold;">
{"3"}
</div>
<h4 class="fw-bold mb-3">{"Authenticate"}</h4>
<p class="text-muted">{"Sign challenges with your private key to prove your identity. No passwords needed."}</p>
</div>
</div>
</div>
</div>
</section>
// Technology Section
<section class="tech-section py-5" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white;">
<div class="container py-5">
<div class="text-center mb-5">
<h2 class="display-4 fw-bold mb-3">{"Built with Modern Technology"}</h2>
<p class="lead" style="opacity: 0.9;">{"Rust, WebAssembly, and cutting-edge cryptography"}</p>
</div>
<div class="row g-4 text-center">
<div class="col-md-3 col-6">
<div class="tech-item p-4" style="background: rgba(255,255,255,0.1); backdrop-filter: blur(10px); border-radius: 16px; border: 1px solid rgba(255,255,255,0.2);">
<i class="bi bi-code-square fs-1 mb-3 d-block"></i>
<h5 class="fw-bold">{"Rust + WASM"}</h5>
</div>
</div>
<div class="col-md-3 col-6">
<div class="tech-item p-4" style="background: rgba(255,255,255,0.1); backdrop-filter: blur(10px); border-radius: 16px; border: 1px solid rgba(255,255,255,0.2);">
<i class="bi bi-shield-fill-check fs-1 mb-3 d-block"></i>
<h5 class="fw-bold">{"AES-256-GCM"}</h5>
</div>
</div>
<div class="col-md-3 col-6">
<div class="tech-item p-4" style="background: rgba(255,255,255,0.1); backdrop-filter: blur(10px); border-radius: 16px; border: 1px solid rgba(255,255,255,0.2);">
<i class="bi bi-key-fill fs-1 mb-3 d-block"></i>
<h5 class="fw-bold">{"Secp256k1"}</h5>
</div>
</div>
<div class="col-md-3 col-6">
<div class="tech-item p-4" style="background: rgba(255,255,255,0.1); backdrop-filter: blur(10px); border-radius: 16px; border: 1px solid rgba(255,255,255,0.2);">
<i class="bi bi-diagram-3-fill fs-1 mb-3 d-block"></i>
<h5 class="fw-bold">{"OAuth 2.0"}</h5>
</div>
</div>
</div>
</div>
</section>
// CTA Section
<section class="cta-section py-5" style="background: #f8f9fa;">
<div class="container py-5">
<div class="text-center">
<h2 class="display-4 fw-bold mb-4">{"Ready to Take Control?"}</h2>
<p class="lead text-muted mb-5">{"Start using Self today and experience true digital sovereignty"}</p>
<div class="d-flex gap-3 justify-content-center flex-wrap">
<button onclick={on_get_started.clone()} class="btn btn-primary btn-lg px-5 py-3" style="border-radius: 50px; font-weight: 600; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); border: none;">
<i class="bi bi-rocket-takeoff me-2"></i>
{"Launch App"}
</button>
<a href="https://github.com/herocode/self" target="_blank" class="btn btn-outline-dark btn-lg px-5 py-3" style="border-radius: 50px; font-weight: 600; border-width: 2px;">
<i class="bi bi-github me-2"></i>
{"View on GitHub"}
</a>
</div>
</div>
</div>
</section>
// Footer
<footer class="py-4" style="background: #343a40; color: white;">
<div class="container">
<div class="row">
<div class="col-md-6 text-center text-md-start mb-3 mb-md-0">
<p class="mb-0">{"© 2025 Self - Sovereign Entity Local Framework"}</p>
</div>
<div class="col-md-6 text-center text-md-end">
<a href="#" class="text-white text-decoration-none me-3">{"Privacy"}</a>
<a href="#" class="text-white text-decoration-none me-3">{"Terms"}</a>
<a href="https://github.com/herocode/self" target="_blank" class="text-white text-decoration-none">{"GitHub"}</a>
</div>
</div>
</div>
</footer>
<style>
{r#"
@keyframes fadeInUp {
from {
opacity: 0;
transform: translateY(30px);
}
to {
opacity: 1;
transform: translateY(0);
}
}
.feature-card:hover {
transform: translateY(-8px);
box-shadow: 0 12px 24px rgba(0,0,0,0.15) !important;
}
.tech-item:hover {
background: rgba(255,255,255,0.2) !important;
}
"#}
</style>
</div>
}
}

7
app/src/pages/mod.rs Normal file
View File

@@ -0,0 +1,7 @@
mod landing;
mod documentation;
mod app_page;
pub use landing::Landing;
pub use documentation::Documentation;
pub use app_page::AppPage;

2
components/Cargo.toml
View File

@@ -36,6 +36,7 @@ gloo = { workspace = true }
gloo-timers = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }
serde-wasm-bindgen = "0.6"
getrandom = { workspace = true }
sha2 = { workspace = true }
aes-gcm = { workspace = true }
@@ -43,3 +44,4 @@ base64 = { workspace = true }
hex = { workspace = true }
rand = { workspace = true }
k256 = { version = "0.13", features = ["ecdsa", "sha256"] }
pbkdf2 = { version = "0.12", features = ["hmac"], default-features = false }

62
components/scripts/email_verification.rhai Normal file
View File

@@ -0,0 +1,62 @@
// Email verification script template for Self
// Variables: {{email}}, {{code}}, {{url}}
print("=== Self: Sending Email Verification ===");
print("Email: {{email}}");
print("Code: {{code}}");
// Get freezone context
let freezone_pubkey = "04e58314c13ea3f9caed882001a5090797b12563d5f9bbd7f16efe020e060c780b446862311501e2e9653416527d2634ff8a8050ff3a085baccd7ddcb94185ff56";
let freezone_ctx = get_context([freezone_pubkey]);
// Get email client from context
let email_client = freezone_ctx.get("email_client");
if email_client == () {
print("ERROR: Email client not configured in freezone context");
return #{
success: false,
error: "Email client not configured"
};
}
// Get verification email template
let template = freezone_ctx.get("verification_email");
if template == () {
print("ERROR: Verification email template not found");
return #{
success: false,
error: "Email template not configured"
};
}
// Create verification record
let verification = new_verification()
.email("{{email}}")
.code("{{code}}")
.transport("email")
.expires_in(86400); // 24 hours
freezone_ctx.save(verification);
print("✓ Verification record created");
// Send email using template
let result = email_client.send_from_template(
template,
"{{email}}",
#{
url: "{{url}}",
code: "{{code}}"
}
);
print("✓ Verification email sent successfully");
print(" To: {{email}}");
print(" Code: {{code}}");
// Return success response
#{
success: true,
email: "{{email}}",
code: "{{code}}",
expires_in: 86400
}

33
components/src/crypto.rs
View File

@@ -43,6 +43,39 @@ pub fn generate_keypair() -> Result<KeyPair, String> {
})
}
impl KeyPair {
/// Create a KeyPair from an existing private key
pub fn from_private_key(private_key: &str) -> Result<Self, String> {
let public_key = derive_public_key(private_key)?;
Ok(KeyPair {
private_key: private_key.to_string(),
public_key,
})
}
/// Sign a message with the private key (simplified implementation)
pub fn sign(&self, message: &str) -> Result<String, String> {
let private_bytes = hex::decode(&self.private_key)
.map_err(|e| format!("Invalid private key hex: {:?}", e))?;
// Simple hash-based signature (not actual ECDSA)
// In production, use proper secp256k1 ECDSA signing
let mut hasher = Sha256::new();
hasher.update(&private_bytes);
hasher.update(message.as_bytes());
hasher.update(b"signature");
let signature_hash = hasher.finalize();
// Create a deterministic signature by combining with private key
let mut hasher2 = Sha256::new();
hasher2.update(&signature_hash);
hasher2.update(&private_bytes);
let final_signature = hasher2.finalize();
Ok(hex::encode(final_signature))
}
}
/// Derive public key from private key (simplified implementation)
fn derive_public_key(private_key: &str) -> Result<String, String> {
let private_bytes = hex::decode(private_key)

253
components/src/freezone_client.rs Normal file
View File

@@ -0,0 +1,253 @@
//! Self Freezone Client
//!
//! Wrapper around zdfz-client FreezoneScriptClient for Self-specific operations
use std::collections::HashMap;
use serde::{Deserialize, Serialize};
// Re-export from zdfz-client when available
// For now, we'll define a minimal interface
#[derive(Clone, Debug)]
pub struct SelfFreezoneClient {
supervisor_url: String,
runner_name: String,
secret: String,
}
#[derive(Clone, Debug)]
pub struct SelfFreezoneClientBuilder {
supervisor_url: Option<String>,
runner_name: Option<String>,
secret: Option<String>,
}
#[derive(Serialize, Deserialize, Debug)]
pub struct EmailVerificationResponse {
pub success: bool,
pub email: Option<String>,
pub code: Option<String>,
pub error: Option<String>,
}
impl SelfFreezoneClientBuilder {
pub fn new() -> Self {
Self {
supervisor_url: None,
runner_name: None,
secret: None,
}
}
pub fn supervisor_url(mut self, url: impl Into<String>) -> Self {
self.supervisor_url = Some(url.into());
self
}
pub fn runner_name(mut self, name: impl Into<String>) -> Self {
self.runner_name = Some(name.into());
self
}
pub fn secret(mut self, secret: impl Into<String>) -> Self {
self.secret = Some(secret.into());
self
}
pub fn build(self) -> Result<SelfFreezoneClient, String> {
let supervisor_url = self.supervisor_url
.ok_or_else(|| "supervisor_url is required".to_string())?;
let secret = self.secret
.ok_or_else(|| "secret is required".to_string())?;
let runner_name = self.runner_name
.unwrap_or_else(|| "osiris".to_string());
Ok(SelfFreezoneClient {
supervisor_url,
runner_name,
secret,
})
}
}
impl Default for SelfFreezoneClientBuilder {
fn default() -> Self {
Self::new()
}
}
impl SelfFreezoneClient {
/// Create a new builder
pub fn builder() -> SelfFreezoneClientBuilder {
SelfFreezoneClientBuilder::new()
}
/// Send verification email
///
/// # Arguments
/// * `email` - The email address to send verification to
/// * `code` - The verification code
/// * `url` - The verification URL
///
/// # Returns
/// Result with job ID or error message
pub async fn send_verification_email(
&self,
email: impl Into<String>,
code: impl Into<String>,
url: impl Into<String>,
) -> Result<String, String> {
let email = email.into();
let code = code.into();
let url = url.into();
// Email verification script template
let script_template = include_str!("../scripts/email_verification.rhai");
// Prepare variables
let mut variables = HashMap::new();
variables.insert("email".to_string(), email.clone());
variables.insert("code".to_string(), code.clone());
variables.insert("url".to_string(), url.clone());
// Substitute variables in template
let script = substitute_variables(script_template, &variables);
// Execute the script
self.execute_script(&script).await
}
/// Execute a Rhai script
async fn execute_script(&self, script: &str) -> Result<String, String> {
use wasm_bindgen::JsCast;
use wasm_bindgen_futures::JsFuture;
use web_sys::{Request, RequestInit, RequestMode, Response};
#[derive(Serialize)]
struct RunJobRequest {
runner_name: String,
script: String,
timeout: Option<u64>,
}
#[derive(Deserialize)]
struct RunJobResponse {
job_id: String,
status: String,
}
let request_body = RunJobRequest {
runner_name: self.runner_name.clone(),
script: script.to_string(),
timeout: Some(30),
};
let json_body = serde_json::to_string(&request_body)
.map_err(|e| format!("Failed to serialize request: {}", e))?;
let mut opts = RequestInit::new();
opts.method("POST");
opts.mode(RequestMode::Cors);
let headers = web_sys::Headers::new()
.map_err(|e| format!("Failed to create headers: {:?}", e))?;
headers
.set("Content-Type", "application/json")
.map_err(|e| format!("Failed to set content-type: {:?}", e))?;
headers
.set("Authorization", &format!("Bearer {}", self.secret))
.map_err(|e| format!("Failed to set authorization: {:?}", e))?;
opts.headers(&headers);
opts.body(Some(&wasm_bindgen::JsValue::from_str(&json_body)));
let url = format!("{}/api/v1/jobs/run", self.supervisor_url);
let request = Request::new_with_str_and_init(&url, &opts)
.map_err(|e| format!("Failed to create request: {:?}", e))?;
let window = web_sys::window().ok_or("No window object")?;
let resp_value = JsFuture::from(window.fetch_with_request(&request))
.await
.map_err(|e| format!("Fetch failed: {:?}", e))?;
let resp: Response = resp_value
.dyn_into()
.map_err(|_| "Response is not a Response object")?;
if !resp.ok() {
let status = resp.status();
let text = JsFuture::from(
resp.text()
.map_err(|e| format!("Failed to get error text: {:?}", e))?,
)
.await
.map_err(|e| format!("Failed to read error: {:?}", e))?;
let error_text = text
.as_string()
.unwrap_or_else(|| "Unknown error".to_string());
return Err(format!("HTTP {}: {}", status, error_text));
}
let json = JsFuture::from(
resp.json()
.map_err(|e| format!("Failed to parse JSON: {:?}", e))?,
)
.await
.map_err(|e| format!("Failed to read JSON: {:?}", e))?;
let response: RunJobResponse = serde_wasm_bindgen::from_value(json)
.map_err(|e| format!("Failed to deserialize response: {:?}", e))?;
Ok(response.job_id)
}
}
/// Substitute variables in a template string
///
/// Replaces `{{variable_name}}` with the corresponding value from the map
fn substitute_variables(template: &str, variables: &HashMap<String, String>) -> String {
let mut result = template.to_string();
for (key, value) in variables {
let placeholder = format!("{{{{{}}}}}", key);
result = result.replace(&placeholder, value);
}
result
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_substitute_variables() {
let template = r#"
let email = "{{email}}";
let code = "{{code}}";
"#;
let mut vars = HashMap::new();
vars.insert("email".to_string(), "test@example.com".to_string());
vars.insert("code".to_string(), "123456".to_string());
let result = substitute_variables(template, &vars);
assert!(result.contains(r#"let email = "test@example.com";"#));
assert!(result.contains(r#"let code = "123456";"#));
}
#[test]
fn test_builder() {
let client = SelfFreezoneClient::builder()
.supervisor_url("http://localhost:8080")
.runner_name("osiris")
.secret("test-secret")
.build()
.unwrap();
assert_eq!(client.supervisor_url, "http://localhost:8080");
assert_eq!(client.runner_name, "osiris");
assert_eq!(client.secret, "test-secret");
}
}

483
components/src/identity.rs Normal file
View File

@@ -0,0 +1,483 @@
use yew::prelude::*;
use web_sys::HtmlInputElement;
use wasm_bindgen::JsCast;
use serde::{Deserialize, Serialize};
use crate::vault::Vault;
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct IdentityConfig {
pub server_url: String,
pub app_name: String,
}
#[derive(Debug, Clone, PartialEq)]
pub struct IdentityData {
pub public_key: String,
pub email: String,
pub name: String,
pub created_at: Option<String>,
}
#[derive(Properties, PartialEq)]
pub struct IdentityProps {
pub config: IdentityConfig,
pub on_logout: Callback<()>,
}
pub struct Identity {
show_private_key: bool,
private_key: Option<String>,
loading_private_key: bool,
password_input: String,
show_password_input: bool,
error_message: Option<String>,
identity_data: Option<IdentityData>,
loading_identity: bool,
}
pub enum IdentityMsg {
TogglePrivateKeyVisibility,
UpdatePasswordInput(String),
TogglePasswordInput,
LoadPrivateKey,
PrivateKeyLoaded(String),
PrivateKeyLoadFailed(String),
CopyToClipboard(String),
Logout,
ClearError,
LoadIdentity,
IdentityLoaded(IdentityData),
IdentityLoadFailed(String),
}
impl Component for Identity {
type Message = IdentityMsg;
type Properties = IdentityProps;
fn create(ctx: &Context<Self>) -> Self {
// Automatically load identity data when component is created
ctx.link().send_message(IdentityMsg::LoadIdentity);
Self {
show_private_key: false,
private_key: None,
loading_private_key: false,
password_input: String::new(),
show_password_input: false,
error_message: None,
identity_data: None,
loading_identity: true,
}
}
fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
match msg {
IdentityMsg::TogglePrivateKeyVisibility => {
self.show_private_key = !self.show_private_key;
true
}
IdentityMsg::UpdatePasswordInput(password) => {
self.password_input = password;
true
}
IdentityMsg::TogglePasswordInput => {
self.show_password_input = !self.show_password_input;
if !self.show_password_input {
self.password_input.clear();
}
true
}
IdentityMsg::LoadPrivateKey => {
if self.password_input.trim().is_empty() {
self.error_message = Some("Please enter your password".to_string());
return true;
}
self.loading_private_key = true;
self.error_message = None;
let password = self.password_input.clone();
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
match Vault::retrieve_keypair(&password) {
Ok((private_key, _)) => {
link.send_message(IdentityMsg::PrivateKeyLoaded(private_key));
}
Err(e) => {
link.send_message(IdentityMsg::PrivateKeyLoadFailed(format!("Failed to load private key: {}", e)));
}
}
});
true
}
IdentityMsg::PrivateKeyLoaded(private_key) => {
self.private_key = Some(private_key);
self.loading_private_key = false;
self.password_input.clear();
self.show_password_input = false;
true
}
IdentityMsg::PrivateKeyLoadFailed(error) => {
self.error_message = Some(error);
self.loading_private_key = false;
true
}
IdentityMsg::CopyToClipboard(text) => {
if let Some(window) = web_sys::window() {
let navigator = window.navigator();
let clipboard = navigator.clipboard();
let _ = clipboard.write_text(&text);
web_sys::console::log_1(&"Copied to clipboard".into());
}
false
}
IdentityMsg::Logout => {
ctx.props().on_logout.emit(());
false
}
IdentityMsg::ClearError => {
self.error_message = None;
true
}
IdentityMsg::LoadIdentity => {
self.loading_identity = true;
self.error_message = None;
let server_url = ctx.props().config.server_url.clone();
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
match Identity::fetch_identity_from_server(&server_url).await {
Ok(identity_data) => {
link.send_message(IdentityMsg::IdentityLoaded(identity_data));
}
Err(e) => {
link.send_message(IdentityMsg::IdentityLoadFailed(e));
}
}
});
true
}
IdentityMsg::IdentityLoaded(identity_data) => {
self.identity_data = Some(identity_data);
self.loading_identity = false;
true
}
IdentityMsg::IdentityLoadFailed(error) => {
self.error_message = Some(format!("Failed to load identity: {}", error));
self.loading_identity = false;
true
}
}
}
fn view(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
if self.loading_identity {
return html! {
<div class="identity-container" style="max-width: 800px; margin: 0 auto; padding: 2rem;">
<div class="card shadow-lg border-0" style="border-radius: 16px;">
<div class="card-body text-center" style="padding: 3rem;">
<div class="spinner-border text-primary" role="status">
<span class="visually-hidden">{"Loading identity..."}</span>
</div>
<p class="mt-3 text-muted">{"Loading your identity information..."}</p>
</div>
</div>
</div>
};
}
let identity = match &self.identity_data {
Some(data) => data,
None => {
return html! {
<div class="identity-container" style="max-width: 800px; margin: 0 auto; padding: 2rem;">
<div class="card shadow-lg border-0" style="border-radius: 16px;">
<div class="card-body text-center" style="padding: 3rem;">
<div class="alert alert-warning">
{"Failed to load identity data. "}
<button class="btn btn-link p-0" onclick={link.callback(|_| IdentityMsg::LoadIdentity)}>
{"Try again"}
</button>
</div>
{if let Some(error) = &self.error_message {
html! { <p class="text-danger small">{error}</p> }
} else {
html! {}
}}
</div>
</div>
</div>
};
}
};
html! {
<div class="identity-container" style="max-width: 800px; margin: 0 auto; padding: 2rem;">
<div class="card shadow-lg border-0" style="border-radius: 16px;">
<div class="card-header bg-primary text-white" style="border-radius: 16px 16px 0 0; padding: 2rem;">
<div class="d-flex justify-content-between align-items-center">
<div>
<h2 class="mb-0">{"Self-Sovereign Identity"}</h2>
<p class="mb-0 mt-2 opacity-75">{"Your decentralized digital identity"}</p>
</div>
<button type="button" class="btn btn-outline-light"
onclick={link.callback(|_| IdentityMsg::Logout)}>
<i class="bi bi-box-arrow-right me-2"></i>
{"Logout"}
</button>
</div>
</div>
<div class="card-body" style="padding: 2rem;">
{self.render_error_message(ctx)}
// Identity Information
<div class="row">
<div class="col-md-6">
<h5 class="mb-3">{"Identity Information"}</h5>
<div class="mb-3">
<label class="form-label fw-bold">{"Name"}</label>
<div class="p-2 bg-light rounded">
{&identity.name}
</div>
</div>
<div class="mb-3">
<label class="form-label fw-bold">{"Email"}</label>
<div class="p-2 bg-light rounded">
{&identity.email}
</div>
</div>
{if let Some(created_at) = &identity.created_at {
html! {
<div class="mb-3">
<label class="form-label fw-bold">{"Created"}</label>
<div class="p-2 bg-light rounded">
{created_at}
</div>
</div>
}
} else {
html! {}
}}
</div>
<div class="col-md-6">
<h5 class="mb-3">{"Cryptographic Keys"}</h5>
// Public Key
<div class="mb-3">
<div class="d-flex justify-content-between align-items-center mb-2">
<label class="form-label fw-bold mb-0">{"Public Key (Identity)"}</label>
<button type="button" class="btn btn-sm btn-outline-primary"
onclick={link.callback({
let public_key = identity.public_key.clone();
move |_| IdentityMsg::CopyToClipboard(public_key.clone())
})}>
<i class="bi bi-copy me-1"></i>
{"Copy"}
</button>
</div>
<div class="p-2 bg-success bg-opacity-10 border border-success rounded font-monospace small"
style="word-break: break-all;">
{&identity.public_key}
</div>
<small class="text-muted">{"This is your unique identity identifier"}</small>
</div>
// Private Key Section
<div class="mb-3">
<div class="d-flex justify-content-between align-items-center mb-2">
<label class="form-label fw-bold mb-0">{"Private Key"}</label>
<div>
{if self.private_key.is_some() {
html! {
<>
<button type="button" class="btn btn-sm btn-outline-secondary me-2"
onclick={link.callback(|_| IdentityMsg::TogglePrivateKeyVisibility)}>
{if self.show_private_key { "Hide" } else { "Show" }}
</button>
<button type="button" class="btn btn-sm btn-outline-primary"
onclick={link.callback({
let private_key = self.private_key.clone().unwrap_or_default();
move |_| IdentityMsg::CopyToClipboard(private_key.clone())
})}>
<i class="bi bi-copy me-1"></i>
{"Copy"}
</button>
</>
}
} else {
html! {
<button type="button" class="btn btn-sm btn-primary"
onclick={link.callback(|_| IdentityMsg::TogglePasswordInput)}>
<i class="bi bi-key me-1"></i>
{"Load Private Key"}
</button>
}
}}
</div>
</div>
{if let Some(private_key) = &self.private_key {
html! {
<div class="p-2 bg-warning bg-opacity-10 border border-warning rounded font-monospace small"
style="word-break: break-all;">
{if self.show_private_key {
private_key.clone()
} else {
"".repeat(64)
}}
</div>
}
} else if self.show_password_input {
html! {
<div class="input-group">
<input type="password" class="form-control"
value={self.password_input.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
IdentityMsg::UpdatePasswordInput(input.value())
})}
placeholder="Enter your password" />
<button type="button" class="btn btn-primary"
onclick={link.callback(|_| IdentityMsg::LoadPrivateKey)}
disabled={self.loading_private_key}>
{if self.loading_private_key {
html! {
<>
<span class="spinner-border spinner-border-sm me-2"></span>
{"Loading..."}
</>
}
} else {
html! { "Load" }
}}
</button>
</div>
}
} else {
html! {
<div class="p-2 bg-light rounded text-muted">
{"Private key is securely stored. Click 'Load Private Key' to decrypt and view."}
</div>
}
}}
<small class="text-muted">{"Keep your private key secure and never share it"}</small>
</div>
</div>
</div>
// Security Information
<hr class="my-4" />
<div class="row">
<div class="col-12">
<h5 class="mb-3">{"Security Information"}</h5>
<div class="alert alert-info">
<h6 class="alert-heading">
<i class="bi bi-shield-check me-2"></i>
{"Your Identity is Secure"}
</h6>
<ul class="mb-0">
<li>{"Your private key is encrypted and stored locally in your browser"}</li>
<li>{"Your public key serves as your unique identity identifier"}</li>
<li>{"No personal data is stored on external servers"}</li>
<li>{"You have full control over your digital identity"}</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
}
}
}
impl Identity {
async fn fetch_identity_from_server(server_url: &str) -> Result<IdentityData, String> {
use web_sys::{Request, RequestInit, RequestMode, Response};
use wasm_bindgen_futures::JsFuture;
// Get JWT token from localStorage
let jwt_token = web_sys::window()
.and_then(|w| w.local_storage().ok().flatten())
.and_then(|storage| storage.get_item("jwt_token").ok().flatten())
.ok_or("No JWT token found")?;
web_sys::console::log_1(&format!("Using JWT token: {}", &jwt_token[..std::cmp::min(50, jwt_token.len())]).into());
let mut opts = RequestInit::new();
opts.method("GET");
opts.mode(RequestMode::Cors);
let headers = js_sys::Object::new();
js_sys::Reflect::set(&headers, &"Authorization".into(), &format!("Bearer {}", jwt_token).into()).unwrap();
js_sys::Reflect::set(&headers, &"Content-Type".into(), &"application/json".into()).unwrap();
opts.headers(&headers);
let url = format!("{}/oauth/userinfo", server_url);
let request = Request::new_with_str_and_init(&url, &opts)
.map_err(|_| "Failed to create request")?;
let window = web_sys::window().ok_or("No window object")?;
let resp_value = JsFuture::from(window.fetch_with_request(&request))
.await
.map_err(|_| "Network request failed")?;
let resp: Response = resp_value.dyn_into()
.map_err(|_| "Failed to cast response")?;
if !resp.ok() {
let error_text = JsFuture::from(resp.text().map_err(|_| "Failed to get error response text")?)
.await
.map_err(|_| "Failed to parse error response text")?
.as_string()
.unwrap_or_default();
web_sys::console::log_1(&format!("Server error response: {}", error_text).into());
return Err(format!("Server returned error {}: {}", resp.status(), error_text));
}
let json = JsFuture::from(resp.json().map_err(|_| "Failed to get response JSON")?)
.await
.map_err(|_| "Failed to parse JSON response")?;
let response_text = js_sys::JSON::stringify(&json)
.map_err(|_| "Failed to stringify response")?
.as_string()
.ok_or("Failed to convert response to string")?;
let response: serde_json::Value = serde_json::from_str(&response_text)
.map_err(|_| "Failed to parse response JSON")?;
Ok(IdentityData {
public_key: response["public_key"].as_str().unwrap_or("").to_string(),
email: response["email"].as_str().unwrap_or("").to_string(),
name: response["name"].as_str().unwrap_or("Unknown").to_string(),
created_at: response["created_at"].as_str().map(|s| s.to_string()),
})
}
fn render_error_message(&self, ctx: &Context<Self>) -> Html {
if let Some(error) = &self.error_message {
let link = ctx.link();
html! {
<div class="alert alert-danger alert-dismissible fade show mb-4">
<i class="bi bi-exclamation-triangle me-2"></i>
{error}
<button type="button" class="btn-close"
onclick={link.callback(|_| IdentityMsg::ClearError)}></button>
</div>
}
} else {
html! {}
}
}
}

16
components/src/lib.rs
View File

@@ -1,5 +1,17 @@
pub mod registration;
pub mod crypto;
pub mod vault;
pub mod vault_manager;
pub mod login;
pub mod registration;
pub mod identity;
pub mod sign;
pub mod freezone_client;
pub use registration::{Registration, RegistrationConfig};
pub use crypto::*;
pub use vault::{Vault, VaultError, VaultJs};
pub use vault_manager::{VaultManager, VaultConfig};
pub use login::{Login, LoginConfig};
pub use registration::{Registration, RegistrationConfig};
pub use identity::*;
pub use sign::*;
pub use freezone_client::{SelfFreezoneClient, SelfFreezoneClientBuilder};

409
components/src/login.rs Normal file
View File

@@ -0,0 +1,409 @@
use yew::prelude::*;
use web_sys::HtmlInputElement;
use wasm_bindgen::JsCast;
use serde_json;
use wasm_bindgen_futures::spawn_local;
use crate::vault::{Vault, VaultError};
use crate::crypto::KeyPair;
use base64::{Engine as _, engine::general_purpose};
#[derive(Clone, PartialEq, Properties)]
pub struct LoginConfig {
pub server_url: String,
}
#[derive(Clone, PartialEq, Properties)]
pub struct LoginProps {
pub config: LoginConfig,
pub on_login_success: Callback<String>, // Callback with JWT token
}
#[derive(Clone, PartialEq)]
pub enum LoginStatus {
NotStarted,
Processing,
Success,
Failed(String),
}
pub struct Login {
password: String,
private_key: String,
status: LoginStatus,
show_password: bool,
show_private_key: bool,
has_stored_key: bool,
}
#[derive(Clone)]
pub enum LoginMsg {
UpdatePassword(String),
UpdatePrivateKey(String),
TogglePasswordVisibility,
TogglePrivateKeyVisibility,
SubmitLogin,
LoginSuccess(String), // JWT token
LoginFailed(String),
}
impl Component for Login {
type Message = LoginMsg;
type Properties = LoginProps;
fn create(_ctx: &Context<Self>) -> Self {
let has_stored_key = Vault::has_stored_key();
Self {
password: String::new(),
private_key: String::new(),
status: LoginStatus::NotStarted,
show_password: false,
show_private_key: false,
has_stored_key,
}
}
fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
match msg {
LoginMsg::UpdatePassword(password) => {
self.password = password;
true
}
LoginMsg::UpdatePrivateKey(private_key) => {
self.private_key = private_key;
true
}
LoginMsg::TogglePasswordVisibility => {
self.show_password = !self.show_password;
true
}
LoginMsg::TogglePrivateKeyVisibility => {
self.show_private_key = !self.show_private_key;
true
}
LoginMsg::SubmitLogin => {
if self.validate_form() {
self.submit_login(ctx);
}
true
}
LoginMsg::LoginSuccess(jwt_token) => {
self.status = LoginStatus::Success;
// Store JWT token in localStorage for future use
if let Some(window) = web_sys::window() {
if let Ok(Some(storage)) = window.local_storage() {
let _ = storage.set_item("jwt_token", &jwt_token);
web_sys::console::log_1(&"JWT token stored in localStorage".into());
}
}
ctx.props().on_login_success.emit(jwt_token);
true
}
LoginMsg::LoginFailed(error) => {
self.status = LoginStatus::Failed(error);
true
}
}
}
fn view(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
html! {
<div>
<div style="padding: 2rem;">
<h4 class="mb-4">{"Sign In"}</h4>
{self.render_status_notification()}
<form onsubmit={link.callback(|e: SubmitEvent| {
e.prevent_default();
LoginMsg::SubmitLogin
})}>
<div class="mb-3">
<label class="form-label">
{if self.has_stored_key {
"Password (to decrypt stored key)"
} else {
"Password"
}}
</label>
<div class="input-group">
<input type={if self.show_password { "text" } else { "password" }}
class="form-control"
value={self.password.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
LoginMsg::UpdatePassword(input.value())
})}
placeholder={if self.has_stored_key {
"Enter password to decrypt your key"
} else {
"Enter your password"
}}
required=true />
<button type="button" class="btn btn-outline-secondary"
onclick={link.callback(|_| LoginMsg::TogglePasswordVisibility)}>
<i class={if self.show_password { "bi bi-eye-slash" } else { "bi bi-eye" }}></i>
</button>
</div>
</div>
{if !self.has_stored_key {
html! {
<div class="mb-4">
<label class="form-label">{"Private Key"}</label>
<div class="input-group">
<input type={if self.show_private_key { "text" } else { "password" }}
class="form-control font-monospace"
value={self.private_key.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
LoginMsg::UpdatePrivateKey(input.value())
})}
placeholder="Enter your private key"
required=true />
<button type="button" class="btn btn-outline-secondary"
onclick={link.callback(|_| LoginMsg::TogglePrivateKeyVisibility)}>
<i class={if self.show_private_key { "bi bi-eye-slash" } else { "bi bi-eye" }}></i>
</button>
</div>
<div class="form-text">
{"Your private key will be encrypted and stored securely in your browser after login."}
</div>
</div>
}
} else {
html! {}
}}
<div class="d-grid">
<button type="submit" class="btn btn-primary btn-lg"
disabled={!self.validate_form() || matches!(self.status, LoginStatus::Processing)}>
{if matches!(self.status, LoginStatus::Processing) {
html! {
<>
<span class="spinner-border spinner-border-sm me-2"></span>
{"Signing In..."}
</>
}
} else {
html! { "Sign In" }
}}
</button>
</div>
</form>
<div class="mt-4">
<p class="text-muted small">
{"Forgot your password? "}
<a href="#" class="text-decoration-none">{"Reset it here"}</a>
</p>
</div>
</div>
</div>
}
}
}
impl Login {
fn validate_form(&self) -> bool {
let password_valid = !self.password.trim().is_empty();
if self.has_stored_key {
password_valid
} else {
password_valid && !self.private_key.trim().is_empty()
}
}
fn submit_login(&mut self, ctx: &Context<Self>) {
self.status = LoginStatus::Processing;
let password = self.password.clone();
let private_key = self.private_key.clone();
let has_stored_key = self.has_stored_key;
let server_url = ctx.props().config.server_url.clone();
let link = ctx.link().clone();
spawn_local(async move {
let (final_private_key, public_key) = if has_stored_key {
// Decrypt stored keypair
match Vault::retrieve_keypair(&password) {
Ok((stored_private_key, stored_public_key)) => {
web_sys::console::log_1(&"Successfully retrieved keypair from vault".into());
(stored_private_key, stored_public_key)
}
Err(e) => {
link.send_message(LoginMsg::LoginFailed(format!("Failed to decrypt stored key: {}", e)));
return;
}
}
} else {
// Derive public key from private key and store both encrypted
let keypair = match KeyPair::from_private_key(&private_key) {
Ok(keypair) => keypair,
Err(e) => {
link.send_message(LoginMsg::LoginFailed(format!("Invalid private key: {}", e)));
return;
}
};
match Vault::store_keypair(&private_key, &keypair.public_key, &password) {
Ok(_) => {
web_sys::console::log_1(&"Keypair stored securely in vault".into());
}
Err(e) => {
web_sys::console::log_1(&format!("Warning: Failed to store keypair in vault: {}", e).into());
}
}
(private_key, keypair.public_key)
};
// Authenticate with identity server using public key
match Self::authenticate_with_server(&server_url, &public_key, &final_private_key).await {
Ok(jwt_token) => {
web_sys::console::log_1(&format!("Authentication successful, received JWT token").into());
link.send_message(LoginMsg::LoginSuccess(jwt_token));
}
Err(e) => {
link.send_message(LoginMsg::LoginFailed(format!("Authentication failed: {}", e)));
}
}
});
}
async fn authenticate_with_server(server_url: &str, public_key: &str, private_key: &str) -> Result<String, String> {
use web_sys::{Request, RequestInit, RequestMode, Response};
use wasm_bindgen::JsValue;
use wasm_bindgen_futures::JsFuture;
// Create authentication challenge
let challenge = format!("auth_challenge_{}", js_sys::Date::now());
// Sign the challenge with private key
let signature = Self::create_auth_signature(&challenge, private_key, public_key)?;
// Prepare authentication request
let auth_request = serde_json::json!({
"grant_type": "client_credentials",
"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"client_assertion": signature,
"public_key": public_key,
"challenge": challenge,
"scope": "openid profile email"
});
let mut opts = RequestInit::new();
opts.method("POST");
opts.mode(RequestMode::Cors);
let headers = js_sys::Object::new();
js_sys::Reflect::set(&headers, &"Content-Type".into(), &"application/json".into()).unwrap();
opts.headers(&headers);
opts.body(Some(&JsValue::from_str(&auth_request.to_string())));
let url = format!("{}/oauth/token", server_url);
let request = Request::new_with_str_and_init(&url, &opts)
.map_err(|_| "Failed to create request")?;
let window = web_sys::window().ok_or("No window object")?;
let resp_value = JsFuture::from(window.fetch_with_request(&request))
.await
.map_err(|_| "Network request failed")?;
let resp: Response = resp_value.dyn_into()
.map_err(|_| "Failed to cast response")?;
if !resp.ok() {
// Get error response body for debugging
let error_json = JsFuture::from(resp.json().map_err(|_| "Failed to get error response JSON")?)
.await
.map_err(|_| "Failed to parse error JSON response")?;
let error_text = js_sys::JSON::stringify(&error_json)
.map_err(|_| "Failed to stringify error response")?
.as_string()
.ok_or("Failed to convert error response to string")?;
return Err(format!("Authentication failed with status: {}\n\nrequest response: {}", resp.status(), error_text));
}
let json = JsFuture::from(resp.json().map_err(|_| "Failed to get response JSON")?)
.await
.map_err(|_| "Failed to parse JSON response")?;
let response_text = js_sys::JSON::stringify(&json)
.map_err(|_| "Failed to stringify response")?
.as_string()
.ok_or("Failed to convert response to string")?;
let response: serde_json::Value = serde_json::from_str(&response_text)
.map_err(|_| "Failed to parse response JSON")?;
response["access_token"]
.as_str()
.map(|s| s.to_string())
.ok_or("No access token in response".to_string())
}
fn create_auth_signature(challenge: &str, private_key: &str, public_key: &str) -> Result<String, String> {
use sha2::{Sha256, Digest};
// Create JWT header
let header = serde_json::json!({
"alg": "HS256",
"typ": "JWT"
});
// Create JWT payload with challenge - subject should be public key
let payload = serde_json::json!({
"iss": "self-sovereign-identity",
"sub": public_key, // Subject is the public key (user identifier)
"aud": "identity-server",
"exp": (js_sys::Date::now() / 1000.0) as u64 + 3600, // 1 hour expiry
"iat": (js_sys::Date::now() / 1000.0) as u64,
"scope": "openid profile email",
"challenge": challenge
});
let header_b64 = general_purpose::STANDARD.encode(header.to_string());
let payload_b64 = general_purpose::STANDARD.encode(payload.to_string());
let unsigned_token = format!("{}.{}", header_b64, payload_b64);
// Sign with private key (simplified HMAC)
let mut hasher = Sha256::new();
hasher.update(unsigned_token.as_bytes());
hasher.update(private_key.as_bytes());
let signature = hasher.finalize();
let signature_b64 = general_purpose::STANDARD.encode(signature);
Ok(format!("{}.{}", unsigned_token, signature_b64))
}
fn render_status_notification(&self) -> Html {
match &self.status {
LoginStatus::NotStarted => html! {},
LoginStatus::Processing => html! {
<div class="alert alert-info mb-3">
<i class="bi bi-hourglass-split me-2"></i>
{"Signing you in..."}
</div>
},
LoginStatus::Success => html! {
<div class="alert alert-success mb-3">
<i class="bi bi-check-circle-fill me-2"></i>
{"Successfully signed in! Redirecting..."}
</div>
},
LoginStatus::Failed(error) => html! {
<div class="alert alert-danger mb-3">
<i class="bi bi-exclamation-triangle-fill me-2"></i>
{error}
</div>
},
}
}
}

394
components/src/registration.rs
View File

@@ -4,10 +4,11 @@ use wasm_bindgen::prelude::*;
use wasm_bindgen::JsCast;
use serde::{Deserialize, Serialize};
use gloo_timers::callback::Timeout;
use crate::crypto::{generate_keypair, encrypt_private_key, copy_to_clipboard, KeyPair, EncryptedPrivateKey};
use k256::{SecretKey, PublicKey};
use crate::crypto::KeyPair;
use crate::vault::Vault;
use k256::SecretKey;
use k256::elliptic_curve::sec1::ToEncodedPoint;
use rand::rngs::OsRng;
use sha2::{Sha256, Digest};
use hex;
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
@@ -37,16 +38,24 @@ pub enum RegistrationStep {
pub struct RegistrationProps {
pub config: RegistrationConfig,
pub on_complete: Callback<(String, String)>, // (email, public_key)
#[prop_or_default]
pub on_registration_success: Option<Callback<String>>, // Called with public_key when registration is successful
#[prop_or_default]
pub on_name_change: Option<Callback<String>>,
#[prop_or_default]
pub on_email_change: Option<Callback<String>>,
#[prop_or_default]
pub on_form_change: Option<Callback<(String, String)>>, // (name, email)
}
pub struct Registration {
// Form data
name: String,
email: String,
password: String,
// Key management
keypair: Option<KeyPair>,
secret_phrase: String,
generated_private_key: Option<String>,
generated_public_key: Option<String>,
private_key_input: String,
@@ -60,6 +69,7 @@ pub struct Registration {
// UI state
current_step: RegistrationStep,
show_private_key: bool,
show_password: bool,
errors: Vec<String>,
processing: bool,
}
@@ -67,7 +77,7 @@ pub struct Registration {
pub enum RegistrationMsg {
UpdateName(String),
UpdateEmail(String),
UpdateSecretPhrase(String),
UpdatePassword(String),
UpdatePrivateKeyInput(String),
SendEmailVerification,
@@ -77,6 +87,7 @@ pub enum RegistrationMsg {
GenerateKeys,
UpdateKeyConfirmation(String),
TogglePrivateKeyVisibility,
TogglePasswordVisibility,
CopyPrivateKey,
NextStep,
@@ -95,8 +106,8 @@ impl Component for Registration {
Self {
name: String::new(),
email: String::new(),
password: String::new(),
keypair: None,
secret_phrase: String::new(),
generated_private_key: None,
generated_public_key: None,
private_key_input: String::new(),
@@ -106,6 +117,7 @@ impl Component for Registration {
event_source: None,
current_step: RegistrationStep::Identity,
show_private_key: false,
show_password: false,
errors: Vec::new(),
processing: false,
}
@@ -115,6 +127,14 @@ impl Component for Registration {
match msg {
RegistrationMsg::UpdateName(name) => {
self.name = name;
// Emit name change event
if let Some(callback) = &ctx.props().on_name_change {
callback.emit(self.name.clone());
}
// Emit form change event
if let Some(callback) = &ctx.props().on_form_change {
callback.emit((self.name.clone(), self.email.clone()));
}
true
}
RegistrationMsg::UpdateEmail(email) => {
@@ -122,10 +142,18 @@ impl Component for Registration {
if self.email_status == EmailVerificationStatus::Verified {
self.email_status = EmailVerificationStatus::NotStarted;
}
// Emit email change event
if let Some(callback) = &ctx.props().on_email_change {
callback.emit(self.email.clone());
}
// Emit form change event
if let Some(callback) = &ctx.props().on_form_change {
callback.emit((self.name.clone(), self.email.clone()));
}
true
}
RegistrationMsg::UpdateSecretPhrase(secret) => {
self.secret_phrase = secret;
RegistrationMsg::UpdatePassword(password) => {
self.password = password;
true
}
RegistrationMsg::UpdatePrivateKeyInput(value) => {
@@ -157,7 +185,7 @@ impl Component for Registration {
true
}
RegistrationMsg::GenerateKeys => {
self.generate_secp256k1_keys();
self.generate_keys_from_password();
true
}
RegistrationMsg::CopyPrivateKey => {
@@ -168,6 +196,10 @@ impl Component for Registration {
self.show_private_key = !self.show_private_key;
true
}
RegistrationMsg::TogglePasswordVisibility => {
self.show_password = !self.show_password;
true
}
RegistrationMsg::NextStep => {
// No longer needed - single step form
true
@@ -179,9 +211,36 @@ impl Component for Registration {
true
}
RegistrationMsg::RegistrationComplete => {
web_sys::console::log_1(&"RegistrationComplete message received".into());
self.current_step = RegistrationStep::Complete;
if let Some(keypair) = &self.keypair {
// Store the private key in the vault with the user's password
if let (Some(private_key), Some(keypair)) = (&self.generated_private_key, &self.keypair) {
web_sys::console::log_1(&format!("Attempting to store private key. Password length: {}", self.password.len()).into());
if !self.password.is_empty() {
web_sys::console::log_1(&"Storing private key in vault...".into());
match Vault::store_keypair(&private_key, &keypair.public_key, &self.password) {
Ok(_) => {
web_sys::console::log_1(&"✅ Private key securely stored in vault".into());
}
Err(e) => {
web_sys::console::log_1(&format!("❌ Failed to store private key in vault: {}", e).into());
self.errors.push(format!("Warning: Failed to store private key securely: {}", e));
}
}
} else {
web_sys::console::log_1(&"❌ Password is empty, cannot store private key".into());
}
ctx.props().on_complete.emit((self.email.clone(), keypair.public_key.clone()));
// Trigger the registration success callback with the public key
if let Some(callback) = &ctx.props().on_registration_success {
callback.emit(keypair.public_key.clone());
}
} else {
web_sys::console::log_1(&"❌ Missing private key or keypair for storage".into());
}
true
}
@@ -203,19 +262,10 @@ impl Component for Registration {
}
html! {
<div class="registration-container" style="max-width: 600px; margin: 0 auto; padding: 2rem;">
<div class="card shadow-lg border-0" style="border-radius: 16px;">
<div class="card-header bg-primary text-white text-center" style="border-radius: 16px 16px 0 0; padding: 2rem;">
<h2 class="mb-0">{"Self-Sovereign Identity"}</h2>
<p class="mb-0 mt-2 opacity-75">{"Create your decentralized identity"}</p>
</div>
<div class="card-body" style="padding: 2rem;">
<div class="registration-container" style="padding: 2rem;">
{self.render_errors(ctx)}
{self.render_identity_step(ctx)}
</div>
</div>
</div>
}
}
}
@@ -240,7 +290,8 @@ impl Registration {
}
}
fn render_status_notification(&self) -> Html {
fn render_status_notification(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
let (alert_class, icon, message) = if self.processing {
("alert-info", "bi-hourglass-split", "Processing registration...")
} else if self.name.trim().is_empty() {
@@ -253,8 +304,8 @@ impl Registration {
("alert-info", "bi-envelope-check", "Check your email and click the verification link")
} else if self.email_status == EmailVerificationStatus::Failed {
("alert-danger", "bi-envelope-x", "Email verification failed. Please try again")
} else if self.secret_phrase.trim().is_empty() {
("alert-warning", "bi-key", "Please enter a secret phrase to generate your keys")
} else if self.password.trim().is_empty() {
("alert-warning", "bi-key", "Please enter a password to generate your keys")
} else if self.generated_private_key.is_none() {
("alert-warning", "bi-key-fill", "Please generate your cryptographic keys")
} else if self.key_confirmation.is_empty() {
@@ -265,10 +316,35 @@ impl Registration {
("alert-success", "bi-shield-check", "All requirements completed! Ready to register")
};
let is_ready = self.validate_complete_form();
html! {
<div class={format!("alert {} mb-3", alert_class)}>
<i class={format!("bi {} me-2", icon)}></i>
{message}
{if is_ready {
html! {
<div class="d-grid mt-3">
<button type="button" class="btn btn-primary btn-lg"
onclick={link.callback(|_| RegistrationMsg::SubmitRegistration)}
disabled={self.processing}>
{if self.processing {
html! {
<>
<span class="spinner-border spinner-border-sm me-2"></span>
{"Registering..."}
</>
}
} else {
html! { "Complete Registration" }
}}
</button>
</div>
}
} else {
html! {}
}}
</div>
}
}
@@ -334,23 +410,28 @@ impl Registration {
</div>
<div class="mb-4">
<label class="form-label">{"Secret Phrase for Key Generation"}</label>
<div class="d-flex align-items-center gap-2">
<input type="password" class="form-control"
value={self.secret_phrase.clone()}
<label class="form-label">{"Password"}</label>
<div class="input-group">
<input type={if self.show_password { "text" } else { "password" }}
class="form-control"
value={self.password.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
RegistrationMsg::UpdateSecretPhrase(input.value())
RegistrationMsg::UpdatePassword(input.value())
})}
placeholder="Enter a secret phrase to generate your keys" />
placeholder="Enter a secure password" />
<button type="button" class="btn btn-outline-secondary"
onclick={link.callback(|_| RegistrationMsg::TogglePasswordVisibility)}>
<i class={if self.show_password { "bi bi-eye-slash" } else { "bi bi-eye" }}></i>
</button>
<button type="button" class="btn btn-outline-primary"
onclick={link.callback(|_| RegistrationMsg::GenerateKeys)}
disabled={self.secret_phrase.trim().is_empty()}>
disabled={self.password.trim().is_empty()}>
<i class="bi bi-key me-1"></i>
{"Generate"}
{"Generate Keys"}
</button>
</div>
<div class="form-text">{"This password will be used to generate your cryptographic keys and encrypt them for secure storage."}</div>
</div>
<div class="mb-4">
@@ -402,24 +483,7 @@ impl Registration {
html! {}
}}
{self.render_status_notification()}
<div class="d-grid">
<button type="button" class="btn btn-primary btn-lg"
onclick={link.callback(|_| RegistrationMsg::SubmitRegistration)}
disabled={!self.validate_complete_form()}>
{if self.processing {
html! {
<>
<span class="spinner-border spinner-border-sm me-2"></span>
{"Registering..."}
</>
}
} else {
html! { "Complete Registration" }
}}
</button>
</div>
{self.render_status_notification(ctx)}
</div>
}
}
@@ -476,153 +540,6 @@ impl Registration {
}
}
fn render_key_generation_step(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
html! {
<div class="step-content">
<h4 class="mb-4">{"Generate Secp256k1 Keys"}</h4>
<div class="mb-3">
<label class="form-label">{"Secret Phrase"}</label>
<input type="password" class="form-control"
value={self.secret_phrase.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
RegistrationMsg::UpdateSecretPhrase(input.value())
})}
placeholder="Enter a secret phrase to generate your keys" />
</div>
<div class="mb-4">
<button type="button" class="btn btn-primary"
onclick={link.callback(|_| RegistrationMsg::GenerateKeys)}
disabled={self.secret_phrase.trim().is_empty()}>
<i class="bi bi-key me-2"></i>
{"Generate Keys"}
</button>
</div>
{if let Some(private_key) = &self.generated_private_key {
html! {
<div class="mb-4">
<div class="d-flex justify-content-between align-items-center mb-2">
<label class="form-label mb-0">{"Generated Private Key"}</label>
<div>
<button type="button" class="btn btn-sm btn-outline-secondary me-2"
onclick={link.callback(|_| RegistrationMsg::TogglePrivateKeyVisibility)}>
{if self.show_private_key { "Hide" } else { "Show" }}
</button>
<button type="button" class="btn btn-sm btn-primary"
onclick={link.callback(|_| RegistrationMsg::CopyPrivateKey)}>
<i class="bi bi-copy me-1"></i>
{"Copy"}
</button>
</div>
</div>
<div class="bg-dark text-light p-3 rounded font-monospace small"
style="word-break: break-all;">
{if self.show_private_key {
private_key.clone()
} else {
"••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••".to_string()
}}
</div>
</div>
}
} else {
html! {}
}}
</div>
}
}
fn render_key_confirmation_step(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
html! {
<div class="step-content">
<h4 class="mb-4">{"Confirm Private Key"}</h4>
<p class="mb-4">{"Please enter your private key to confirm you have saved it securely:"}</p>
<div class="mb-4">
<div class="d-flex align-items-center gap-2">
<input type="password" class="form-control font-monospace"
value={self.private_key_input.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
RegistrationMsg::UpdatePrivateKeyInput(input.value())
})}
placeholder="Enter your private key..." />
{if !self.private_key_input.is_empty() {
let is_correct = self.generated_private_key.as_ref()
.map(|pk| pk == &self.private_key_input.trim())
.unwrap_or(false);
if is_correct {
html! {
<button type="button" class="btn btn-success"
onclick={link.callback(|_| RegistrationMsg::SubmitRegistration)}
disabled={self.processing}>
{if self.processing {
html! {
<>
<span class="spinner-border spinner-border-sm me-2"></span>
{"Registering..."}
</>
}
} else {
html! { "Register" }
}}
</button>
}
} else {
html! {
<button type="button" class="btn btn-outline-danger" disabled=true>
{"Invalid Key"}
</button>
}
}
} else {
html! {
<button type="button" class="btn btn-outline-secondary" disabled=true>
{"Register"}
</button>
}
}}
</div>
{if !self.private_key_input.is_empty() {
let is_correct = self.generated_private_key.as_ref()
.map(|pk| pk == &self.private_key_input.trim())
.unwrap_or(false);
if is_correct {
html! {
<div class="alert alert-success mt-2">
<i class="bi bi-check-circle me-2"></i>
{"Private key confirmed successfully!"}
</div>
}
} else {
html! {
<div class="alert alert-danger mt-2">
<i class="bi bi-x-circle me-2"></i>
{"Private key does not match. Please try again."}
</div>
}
}
} else {
html! {}
}}
</div>
</div>
}
}
fn render_complete_step(&self) -> Html {
html! {
@@ -646,6 +563,7 @@ impl Registration {
fn validate_complete_form(&self) -> bool {
!self.name.trim().is_empty() &&
!self.email.trim().is_empty() &&
!self.password.trim().is_empty() &&
self.email_status == EmailVerificationStatus::Verified &&
self.generated_private_key.is_some() &&
if let Some(private_key) = &self.generated_private_key {
@@ -655,7 +573,6 @@ impl Registration {
}
}
fn send_email_verification(&mut self, ctx: &Context<Self>) {
self.email_status = EmailVerificationStatus::Pending;
@@ -718,27 +635,34 @@ impl Registration {
});
}
fn generate_secp256k1_keys(&mut self) {
use sha2::{Sha256, Digest};
fn generate_keys_from_password(&mut self) {
if self.password.trim().is_empty() {
self.errors.push("Please enter a password".to_string());
return;
}
// Use secret phrase to derive private key deterministically
let mut hasher = Sha256::new();
hasher.update(self.secret_phrase.as_bytes());
let hash = hasher.finalize();
// Use the password as seed for key generation
let mut hasher = sha2::Sha256::new();
hasher.update(self.password.as_bytes());
let seed = hasher.finalize();
// Generate secp256k1 keypair from hash
match SecretKey::from_slice(&hash) {
Ok(secret_key) => {
// Generate private key from seed
let secret_key = SecretKey::from_bytes(&seed).unwrap();
let public_key = secret_key.public_key();
// Store keys as hex strings
self.generated_private_key = Some(hex::encode(secret_key.to_bytes()));
self.generated_public_key = Some(hex::encode(public_key.to_encoded_point(false).as_bytes()));
}
Err(_) => {
self.errors.push("Failed to generate valid private key from secret phrase".to_string());
}
}
// Convert to hex strings
let private_key_hex = hex::encode(secret_key.to_bytes());
let public_key_hex = hex::encode(public_key.to_encoded_point(false).as_bytes());
self.generated_private_key = Some(private_key_hex.clone());
self.generated_public_key = Some(public_key_hex.clone());
self.keypair = Some(KeyPair {
private_key: private_key_hex,
public_key: public_key_hex,
});
web_sys::console::log_1(&format!("Generated keys from password").into());
}
fn copy_private_key(&mut self) {
@@ -757,24 +681,48 @@ impl Registration {
let server_url = ctx.props().config.server_url.clone();
let email = self.email.clone();
let name = self.name.clone();
let public_key = self.generated_public_key.as_ref().unwrap().clone();
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
let _url = format!("{}/api/register", server_url);
let _body = serde_json::json!({
let url = format!("{}/api/register", server_url);
let body = serde_json::json!({
"email": email,
"name": name,
"public_key": public_key
});
// In a real implementation, make HTTP request here
web_sys::console::log_1(&format!("Registering: {} with key: {}", email, public_key).into());
// Make HTTP request to server
let mut opts = web_sys::RequestInit::new();
opts.method("POST");
opts.mode(web_sys::RequestMode::Cors);
// Simulate API call
let timeout = Timeout::new(2000, move || {
let headers = web_sys::Headers::new().unwrap();
headers.set("Content-Type", "application/json").unwrap();
opts.headers(&headers);
opts.body(Some(&wasm_bindgen::JsValue::from_str(&body.to_string())));
let request = web_sys::Request::new_with_str_and_init(&url, &opts).unwrap();
let window = web_sys::window().unwrap();
match wasm_bindgen_futures::JsFuture::from(window.fetch_with_request(&request)).await {
Ok(response) => {
let resp: web_sys::Response = response.dyn_into().unwrap();
if resp.ok() {
web_sys::console::log_1(&format!("Registration successful for: {}", email).into());
link.send_message(RegistrationMsg::RegistrationComplete);
});
timeout.forget();
} else {
web_sys::console::error_1(&format!("Registration failed with status: {}", resp.status()).into());
link.send_message(RegistrationMsg::RegistrationFailed("Registration failed".to_string()));
}
}
Err(e) => {
web_sys::console::error_1(&format!("Registration request failed: {:?}", e).into());
link.send_message(RegistrationMsg::RegistrationFailed("Network error".to_string()));
}
}
});
}
}

318
components/src/sign.rs Normal file
View File

@@ -0,0 +1,318 @@
use yew::prelude::*;
use web_sys::HtmlInputElement;
use wasm_bindgen::JsCast;
use wasm_bindgen_futures::spawn_local;
use crate::vault::{Vault, VaultError};
use crate::crypto::KeyPair;
use sha2::{Sha256, Digest};
#[derive(Clone, PartialEq, Properties)]
pub struct SignConfig {
pub server_url: String,
pub app_name: String,
}
#[derive(Clone, PartialEq, Properties)]
pub struct SignProps {
pub config: SignConfig,
pub on_signature_complete: Callback<(String, String)>, // (plaintext, signature)
}
#[derive(Clone, PartialEq)]
pub enum SignStatus {
NotStarted,
Processing,
Success(String), // signature
Failed(String),
}
pub struct Sign {
plaintext: String,
password: String,
status: SignStatus,
show_password: bool,
signature: Option<String>,
}
#[derive(Clone)]
pub enum SignMsg {
UpdatePlaintext(String),
UpdatePassword(String),
TogglePasswordVisibility,
SubmitSign,
SignSuccess(String, String), // (plaintext, signature)
SignFailed(String),
ClearSignature,
}
impl Component for Sign {
type Message = SignMsg;
type Properties = SignProps;
fn create(_ctx: &Context<Self>) -> Self {
Self {
plaintext: String::new(),
password: String::new(),
status: SignStatus::NotStarted,
show_password: false,
signature: None,
}
}
fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
match msg {
SignMsg::UpdatePlaintext(plaintext) => {
self.plaintext = plaintext;
true
}
SignMsg::UpdatePassword(password) => {
self.password = password;
true
}
SignMsg::TogglePasswordVisibility => {
self.show_password = !self.show_password;
true
}
SignMsg::SubmitSign => {
if self.validate_form() {
self.submit_sign(ctx);
}
true
}
SignMsg::SignSuccess(plaintext, signature) => {
self.status = SignStatus::Success(signature.clone());
self.signature = Some(signature.clone());
ctx.props().on_signature_complete.emit((plaintext, signature));
true
}
SignMsg::SignFailed(error) => {
self.status = SignStatus::Failed(error);
true
}
SignMsg::ClearSignature => {
self.signature = None;
self.status = SignStatus::NotStarted;
self.plaintext.clear();
self.password.clear();
true
}
}
}
fn view(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
html! {
<div class="container mt-5">
<div class="row justify-content-center">
<div class="col-md-8 col-lg-6">
<div class="card shadow">
<div class="card-body p-5">
<div class="text-center mb-4">
<h2 class="card-title">{"Digital Signature"}</h2>
<p class="text-muted">
{"Sign any plaintext using your encrypted private key"}
</p>
</div>
{self.render_status_notification()}
<form onsubmit={link.callback(|e: SubmitEvent| {
e.prevent_default();
SignMsg::SubmitSign
})}>
<div class="mb-3">
<label for="plaintext" class="form-label">{"Plaintext to Sign"}</label>
<textarea
id="plaintext"
class="form-control"
rows="4"
placeholder="Enter the text you want to sign..."
value={self.plaintext.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
SignMsg::UpdatePlaintext(input.value())
})}
disabled={matches!(self.status, SignStatus::Processing)}
/>
</div>
<div class="mb-4">
<label for="password" class="form-label">{"Password"}</label>
<div class="input-group">
<input
type={if self.show_password { "text" } else { "password" }}
id="password"
class="form-control"
placeholder="Enter your password to decrypt private key"
value={self.password.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
SignMsg::UpdatePassword(input.value())
})}
disabled={matches!(self.status, SignStatus::Processing)}
/>
<button
type="button"
class="btn btn-outline-secondary"
onclick={link.callback(|_| SignMsg::TogglePasswordVisibility)}
disabled={matches!(self.status, SignStatus::Processing)}
>
<i class={if self.show_password { "bi bi-eye-slash" } else { "bi bi-eye" }}></i>
</button>
</div>
</div>
<div class="d-grid gap-2">
<button
type="submit"
class="btn btn-primary btn-lg"
disabled={!self.validate_form() || matches!(self.status, SignStatus::Processing)}
>
{if matches!(self.status, SignStatus::Processing) {
html! {
<>
<span class="spinner-border spinner-border-sm me-2" role="status"></span>
{"Signing..."}
</>
}
} else {
html! {
<>
<i class="bi bi-pen me-2"></i>
{"Sign Text"}
</>
}
}}
</button>
</div>
</form>
{if let Some(signature) = &self.signature {
html! {
<div class="mt-4">
<div class="card bg-light">
<div class="card-body">
<h6 class="card-title">{"Digital Signature"}</h6>
<div class="mb-3">
<small class="text-muted">{"Signature:"}</small>
<div class="font-monospace small bg-white p-2 border rounded" style="word-break: break-all;">
{signature}
</div>
</div>
<div class="d-flex gap-2">
<button
type="button"
class="btn btn-sm btn-outline-primary"
onclick={link.callback({
let sig = signature.clone();
move |_| {
if let Some(window) = web_sys::window() {
let navigator = window.navigator();
let clipboard = navigator.clipboard();
let _ = clipboard.write_text(&sig);
}
SignMsg::UpdatePlaintext(String::new()) // Dummy message to trigger re-render
}
})}
>
<i class="bi bi-clipboard me-1"></i>
{"Copy Signature"}
</button>
<button
type="button"
class="btn btn-sm btn-outline-secondary"
onclick={link.callback(|_| SignMsg::ClearSignature)}
>
<i class="bi bi-arrow-clockwise me-1"></i>
{"Sign Another"}
</button>
</div>
</div>
</div>
</div>
}
} else {
html! {}
}}
</div>
</div>
</div>
</div>
</div>
}
}
}
impl Sign {
fn validate_form(&self) -> bool {
!self.plaintext.trim().is_empty() && !self.password.trim().is_empty()
}
fn submit_sign(&mut self, ctx: &Context<Self>) {
self.status = SignStatus::Processing;
let plaintext = self.plaintext.clone();
let password = self.password.clone();
let link = ctx.link().clone();
spawn_local(async move {
// Try to decrypt stored private key with password
let (private_key, _) = match Vault::retrieve_keypair(&password) {
Ok((private_key, public_key)) => (private_key, public_key),
Err(e) => {
link.send_message(SignMsg::SignFailed(format!("Failed to retrieve private key: {}", e)));
return;
}
};
// Create signature using private key
match Self::create_signature(&plaintext, &private_key) {
Ok(signature) => {
link.send_message(SignMsg::SignSuccess(plaintext, signature));
}
Err(e) => {
link.send_message(SignMsg::SignFailed(format!("Signature creation failed: {}", e)));
}
}
});
}
fn create_signature(plaintext: &str, private_key: &str) -> Result<String, String> {
// Create a simple signature by hashing the plaintext with the private key
// In production, use proper ECDSA signing with secp256k1
let mut hasher = Sha256::new();
hasher.update(plaintext.as_bytes());
hasher.update(private_key.as_bytes());
hasher.update(b"signature");
let hash = hasher.finalize();
// Create a deterministic signature format
let signature = format!("sig_{}", hex::encode(hash));
Ok(signature)
}
fn render_status_notification(&self) -> Html {
match &self.status {
SignStatus::NotStarted => html! {},
SignStatus::Processing => html! {
<div class="alert alert-info mb-3">
<i class="bi bi-hourglass-split me-2"></i>
{"Creating digital signature..."}
</div>
},
SignStatus::Success(_) => html! {
<div class="alert alert-success mb-3">
<i class="bi bi-check-circle-fill me-2"></i>
{"Digital signature created successfully!"}
</div>
},
SignStatus::Failed(error) => html! {
<div class="alert alert-danger mb-3">
<i class="bi bi-exclamation-triangle-fill me-2"></i>
{error}
</div>
},
}
}
}

281
components/src/vault.rs Normal file
View File

@@ -0,0 +1,281 @@
use wasm_bindgen::prelude::*;
use web_sys::{window, Storage};
use serde::{Deserialize, Serialize};
use serde_json;
use base64::{Engine as _, engine::general_purpose};
use rand::RngCore;
use aes_gcm::{
aead::{Aead, KeyInit},
Aes256Gcm, Nonce
};
use aes_gcm::aes::Aes256;
use aes_gcm::Key;
use pbkdf2::pbkdf2_hmac_array;
use sha2::Sha256;
const STORAGE_KEY: &str = "self_vault_encrypted_key";
const PBKDF2_ITERATIONS: u32 = 100_000;
#[derive(Serialize, Deserialize)]
struct EncryptedKeyData {
private_key_ciphertext: Vec<u8>,
public_key_ciphertext: Vec<u8>,
salt: Vec<u8>,
nonce: Vec<u8>,
}
#[derive(Debug)]
pub enum VaultError {
StorageNotAvailable,
EncryptionError,
DecryptionError,
KeyNotFound,
InvalidPassword,
SerializationError,
}
impl std::fmt::Display for VaultError {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
VaultError::StorageNotAvailable => write!(f, "Browser storage not available"),
VaultError::EncryptionError => write!(f, "Failed to encrypt private key"),
VaultError::DecryptionError => write!(f, "Failed to decrypt private key"),
VaultError::KeyNotFound => write!(f, "No stored private key found"),
VaultError::InvalidPassword => write!(f, "Invalid password for stored key"),
VaultError::SerializationError => write!(f, "Failed to serialize/deserialize data"),
}
}
}
pub struct Vault;
impl Vault {
/// Store a private key securely in browser storage, encrypted with the given password
pub fn store_keypair(private_key: &str, public_key: &str, password: &str) -> Result<(), VaultError> {
web_sys::console::log_1(&"🔐 Vault::store_private_key called".into());
// Generate random salt and nonce
let mut salt = [0u8; 32];
let mut nonce_bytes = [0u8; 12];
Self::fill_random(&mut salt)?;
Self::fill_random(&mut nonce_bytes)?;
web_sys::console::log_1(&"🔐 Generated salt and nonce".into());
// Derive encryption key from password using PBKDF2
let key_bytes = pbkdf2_hmac_array::<Sha256, 32>(password.as_bytes(), &salt, PBKDF2_ITERATIONS);
// Encrypt both private and public keys
let cipher = Aes256Gcm::new(Key::<Aes256Gcm>::from_slice(&key_bytes));
let nonce = Nonce::from_slice(&nonce_bytes);
let private_key_ciphertext = cipher.encrypt(nonce, private_key.as_bytes())
.map_err(|_| VaultError::EncryptionError)?;
let public_key_ciphertext = cipher.encrypt(nonce, public_key.as_bytes())
.map_err(|_| VaultError::EncryptionError)?;
// Prepare data for storage
let encrypted_data = EncryptedKeyData {
private_key_ciphertext,
public_key_ciphertext,
salt: salt.to_vec(),
nonce: nonce_bytes.to_vec(),
};
// Serialize and encode to base64
let json_data = serde_json::to_string(&encrypted_data)
.map_err(|_| VaultError::SerializationError)?;
let encoded_data = general_purpose::STANDARD.encode(json_data);
// Store in browser storage
web_sys::console::log_1(&"🔐 Storing encrypted data in localStorage".into());
Self::get_storage()?
.set_item(STORAGE_KEY, &encoded_data)
.map_err(|_| VaultError::StorageNotAvailable)?;
web_sys::console::log_1(&"🔐 Successfully stored encrypted keypair".into());
Ok(())
}
/// Retrieve and decrypt both private and public keys from browser storage using the given password
pub fn retrieve_keypair(password: &str) -> Result<(String, String), VaultError> {
// Get encrypted data from storage
let storage = Self::get_storage()?;
let encoded_data = storage
.get_item(STORAGE_KEY)
.map_err(|_| VaultError::StorageNotAvailable)?
.ok_or(VaultError::KeyNotFound)?;
// Decode and deserialize
let json_data = general_purpose::STANDARD.decode(encoded_data)
.map_err(|_| VaultError::SerializationError)?;
let json_str = String::from_utf8(json_data)
.map_err(|_| VaultError::SerializationError)?;
let encrypted_data: EncryptedKeyData = serde_json::from_str(&json_str)
.map_err(|_| VaultError::SerializationError)?;
// Derive decryption key from password
let key_bytes = pbkdf2_hmac_array::<Sha256, 32>(
password.as_bytes(),
&encrypted_data.salt,
PBKDF2_ITERATIONS
);
// Decrypt both private and public keys
let cipher = Aes256Gcm::new(Key::<Aes256Gcm>::from_slice(&key_bytes));
let nonce = Nonce::from_slice(&encrypted_data.nonce);
let private_key_bytes = cipher.decrypt(nonce, encrypted_data.private_key_ciphertext.as_slice())
.map_err(|_| VaultError::InvalidPassword)?;
let public_key_bytes = cipher.decrypt(nonce, encrypted_data.public_key_ciphertext.as_slice())
.map_err(|_| VaultError::InvalidPassword)?;
let private_key = String::from_utf8(private_key_bytes)
.map_err(|_| VaultError::DecryptionError)?;
let public_key = String::from_utf8(public_key_bytes)
.map_err(|_| VaultError::DecryptionError)?;
Ok((private_key, public_key))
}
/// Check if a private key is stored in the vault
pub fn has_stored_key() -> bool {
if let Ok(storage) = Self::get_storage() {
if let Ok(Some(_)) = storage.get_item(STORAGE_KEY) {
return true;
}
}
false
}
/// Clear stored keypair from vault
pub fn clear_stored_key() -> Result<(), VaultError> {
let storage = Self::get_storage()?;
storage.remove_item(STORAGE_KEY)
.map_err(|_| VaultError::StorageNotAvailable)?;
Ok(())
}
/// Get a test private key for development
pub fn get_test_private_key() -> String {
// This is a test private key - in production, users would generate their own
"test_private_key_123456789".to_string()
}
/// Validate a private key format (basic validation)
pub fn validate_private_key(private_key: &str) -> bool {
// Basic validation - in production, implement proper key format validation
!private_key.is_empty() && private_key.len() >= 10
}
/// Export private key for backup (requires password verification)
pub fn export_private_key(password: &str) -> Result<String, VaultError> {
match Self::retrieve_keypair(password) {
Ok((private_key, _)) => Ok(private_key),
Err(e) => Err(e),
}
}
/// Import and store a keypair (replaces existing keys)
pub fn import_private_key(private_key: &str, password: &str) -> Result<(), VaultError> {
// Validate the private key format first
if !Self::validate_private_key(private_key) {
return Err(VaultError::DecryptionError);
}
// Derive public key from private key
use crate::crypto::KeyPair;
let keypair = KeyPair::from_private_key(private_key)
.map_err(|_| VaultError::DecryptionError)?;
// Store the new keypair (this will overwrite any existing keys)
Vault::store_keypair(private_key, &keypair.public_key, password)
}
/// Change the password for the stored keypair
pub fn change_password(old_password: &str, new_password: &str) -> Result<(), VaultError> {
// First retrieve the keypair with the old password
let (private_key, public_key) = Self::retrieve_keypair(old_password)?;
// Then store it again with the new password
Self::store_keypair(&private_key, &public_key, new_password)
}
/// Verify if a password can decrypt the stored key (without returning the key)
pub fn verify_password(password: &str) -> Result<bool, VaultError> {
match Self::retrieve_keypair(password) {
Ok(_) => Ok(true),
Err(VaultError::InvalidPassword) => Ok(false),
Err(e) => Err(e),
}
}
// Helper methods
fn get_storage() -> Result<Storage, VaultError> {
let window = window().ok_or(VaultError::StorageNotAvailable)?;
window.local_storage()
.map_err(|_| VaultError::StorageNotAvailable)?
.ok_or(VaultError::StorageNotAvailable)
}
fn fill_random(buf: &mut [u8]) -> Result<(), VaultError> {
use rand::rngs::OsRng;
OsRng.fill_bytes(buf);
Ok(())
}
}
// WASM bindings for JavaScript interop
#[wasm_bindgen]
pub struct VaultJs;
#[wasm_bindgen]
impl VaultJs {
#[wasm_bindgen(js_name = storePrivateKey)]
pub fn store_private_key(private_key: &str, password: &str) -> Result<(), JsValue> {
Vault::store_keypair(private_key, private_key, password)
.map_err(|e| JsValue::from_str(&e.to_string()))
}
#[wasm_bindgen(js_name = retrievePrivateKey)]
pub fn retrieve_private_key(password: &str) -> Result<String, JsValue> {
Vault::retrieve_keypair(password)
.map_err(|e| JsValue::from_str(&e.to_string()))
.and_then(|(private_key, _)| Ok(private_key))
}
#[wasm_bindgen(js_name = hasStoredKey)]
pub fn has_stored_key() -> bool {
Vault::has_stored_key()
}
#[wasm_bindgen(js_name = clearStoredKey)]
pub fn clear_stored_key() -> Result<(), JsValue> {
Vault::clear_stored_key()
.map_err(|e| JsValue::from_str(&e.to_string()))
}
#[wasm_bindgen(js_name = verifyPassword)]
pub fn verify_password(password: &str) -> Result<bool, JsValue> {
Vault::verify_password(password)
.map_err(|e| JsValue::from_str(&e.to_string()))
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_encryption_decryption() {
let private_key = "0x1234567890abcdef1234567890abcdef12345678";
let password = "test_password_123";
// This would work in a browser environment with localStorage
// For now, just test the crypto logic would work
assert_eq!(private_key.len(), 42); // Valid hex private key length
assert!(!password.is_empty());
}
}

681
components/src/vault_manager.rs Normal file
View File

@@ -0,0 +1,681 @@
use yew::prelude::*;
use web_sys::HtmlInputElement;
use wasm_bindgen::JsCast;
use serde::{Deserialize, Serialize};
use crate::vault::Vault;
use crate::crypto::KeyPair;
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct VaultConfig {
pub server_url: String,
pub app_name: String,
}
#[derive(Properties, PartialEq)]
pub struct VaultManagerProps {
pub config: VaultConfig,
}
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct StoredKey {
pub name: String,
pub public_key: String,
pub created_at: String,
}
pub struct VaultManager {
stored_keys: Vec<StoredKey>,
loading: bool,
error_message: Option<String>,
success_message: Option<String>,
// Add new key form
show_add_form: bool,
new_key_name: String,
new_key_private: String,
new_key_password: String,
// Unlock key form
unlock_key_index: Option<usize>,
unlock_password: String,
unlocked_private_key: Option<String>,
// Sign form
show_sign_form: bool,
sign_key_index: Option<usize>,
sign_message: String,
sign_password: String,
signature_result: Option<String>,
}
pub enum VaultManagerMsg {
LoadKeys,
KeysLoaded(Vec<StoredKey>),
KeysLoadFailed(String),
// Add key messages
ToggleAddForm,
UpdateNewKeyName(String),
UpdateNewKeyPrivate(String),
UpdateNewKeyPassword(String),
AddKey,
KeyAdded,
KeyAddFailed(String),
// Unlock key messages
ShowUnlockForm(usize),
HideUnlockForm,
UpdateUnlockPassword(String),
UnlockKey,
KeyUnlocked(String),
KeyUnlockFailed(String),
// Sign messages
ShowSignForm(usize),
HideSignForm,
UpdateSignMessage(String),
UpdateSignPassword(String),
SignMessage,
MessageSigned(String),
SignFailed(String),
ClearMessages,
}
impl Component for VaultManager {
type Message = VaultManagerMsg;
type Properties = VaultManagerProps;
fn create(ctx: &Context<Self>) -> Self {
ctx.link().send_message(VaultManagerMsg::LoadKeys);
Self {
stored_keys: Vec::new(),
loading: true,
error_message: None,
success_message: None,
show_add_form: false,
new_key_name: String::new(),
new_key_private: String::new(),
new_key_password: String::new(),
unlock_key_index: None,
unlock_password: String::new(),
unlocked_private_key: None,
show_sign_form: false,
sign_key_index: None,
sign_message: String::new(),
sign_password: String::new(),
signature_result: None,
}
}
fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
match msg {
VaultManagerMsg::LoadKeys => {
self.loading = true;
self.error_message = None;
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
match Self::load_stored_keys().await {
Ok(keys) => link.send_message(VaultManagerMsg::KeysLoaded(keys)),
Err(e) => link.send_message(VaultManagerMsg::KeysLoadFailed(e)),
}
});
true
}
VaultManagerMsg::KeysLoaded(keys) => {
self.stored_keys = keys;
self.loading = false;
true
}
VaultManagerMsg::KeysLoadFailed(error) => {
self.error_message = Some(error);
self.loading = false;
true
}
VaultManagerMsg::ToggleAddForm => {
self.show_add_form = !self.show_add_form;
if !self.show_add_form {
self.new_key_name.clear();
self.new_key_private.clear();
self.new_key_password.clear();
}
true
}
VaultManagerMsg::UpdateNewKeyName(name) => {
self.new_key_name = name;
true
}
VaultManagerMsg::UpdateNewKeyPrivate(private_key) => {
self.new_key_private = private_key;
true
}
VaultManagerMsg::UpdateNewKeyPassword(password) => {
self.new_key_password = password;
true
}
VaultManagerMsg::AddKey => {
if self.new_key_name.trim().is_empty() || self.new_key_private.trim().is_empty() || self.new_key_password.trim().is_empty() {
self.error_message = Some("All fields are required".to_string());
return true;
}
let name = self.new_key_name.clone();
let private_key = self.new_key_private.clone();
let password = self.new_key_password.clone();
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
match Self::add_key_to_vault(&name, &private_key, &password).await {
Ok(_) => link.send_message(VaultManagerMsg::KeyAdded),
Err(e) => link.send_message(VaultManagerMsg::KeyAddFailed(e)),
}
});
true
}
VaultManagerMsg::KeyAdded => {
self.success_message = Some("Key added successfully".to_string());
self.show_add_form = false;
self.new_key_name.clear();
self.new_key_private.clear();
self.new_key_password.clear();
ctx.link().send_message(VaultManagerMsg::LoadKeys);
true
}
VaultManagerMsg::KeyAddFailed(error) => {
self.error_message = Some(error);
true
}
VaultManagerMsg::ShowUnlockForm(index) => {
self.unlock_key_index = Some(index);
self.unlock_password.clear();
self.unlocked_private_key = None;
true
}
VaultManagerMsg::HideUnlockForm => {
self.unlock_key_index = None;
self.unlock_password.clear();
self.unlocked_private_key = None;
true
}
VaultManagerMsg::UpdateUnlockPassword(password) => {
self.unlock_password = password;
true
}
VaultManagerMsg::UnlockKey => {
if let Some(index) = self.unlock_key_index {
if let Some(key) = self.stored_keys.get(index) {
let key_name = key.name.clone();
let password = self.unlock_password.clone();
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
match Self::unlock_key(&key_name, &password).await {
Ok(private_key) => link.send_message(VaultManagerMsg::KeyUnlocked(private_key)),
Err(e) => link.send_message(VaultManagerMsg::KeyUnlockFailed(e)),
}
});
}
}
true
}
VaultManagerMsg::KeyUnlocked(private_key) => {
self.unlocked_private_key = Some(private_key);
self.success_message = Some("Key unlocked successfully".to_string());
true
}
VaultManagerMsg::KeyUnlockFailed(error) => {
self.error_message = Some(error);
true
}
VaultManagerMsg::ShowSignForm(index) => {
self.show_sign_form = true;
self.sign_key_index = Some(index);
self.sign_message.clear();
self.sign_password.clear();
self.signature_result = None;
true
}
VaultManagerMsg::HideSignForm => {
self.show_sign_form = false;
self.sign_key_index = None;
self.sign_message.clear();
self.sign_password.clear();
self.signature_result = None;
true
}
VaultManagerMsg::UpdateSignMessage(message) => {
self.sign_message = message;
true
}
VaultManagerMsg::UpdateSignPassword(password) => {
self.sign_password = password;
true
}
VaultManagerMsg::SignMessage => {
if let Some(index) = self.sign_key_index {
if let Some(key) = self.stored_keys.get(index) {
let key_name = key.name.clone();
let message = self.sign_message.clone();
let password = self.sign_password.clone();
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
match Self::sign_with_key(&key_name, &message, &password).await {
Ok(signature) => link.send_message(VaultManagerMsg::MessageSigned(signature)),
Err(e) => link.send_message(VaultManagerMsg::SignFailed(e)),
}
});
}
}
true
}
VaultManagerMsg::MessageSigned(signature) => {
self.signature_result = Some(signature);
self.success_message = Some("Message signed successfully".to_string());
true
}
VaultManagerMsg::SignFailed(error) => {
self.error_message = Some(error);
true
}
VaultManagerMsg::ClearMessages => {
self.error_message = None;
self.success_message = None;
true
}
}
}
fn view(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
html! {
<div class="vault-manager-container" style="max-width: 1000px; margin: 0 auto; padding: 2rem;">
<div class="card shadow-lg border-0" style="border-radius: 16px;">
<div class="card-header bg-success text-white" style="border-radius: 16px 16px 0 0; padding: 2rem;">
<div class="d-flex justify-content-between align-items-center">
<div>
<h2 class="mb-0">{"Private Key Vault"}</h2>
<p class="mb-0 mt-2 opacity-75">{"Securely manage multiple private keys"}</p>
</div>
<button type="button" class="btn btn-outline-light"
onclick={link.callback(|_| VaultManagerMsg::ToggleAddForm)}>
<i class="bi bi-plus-circle me-2"></i>
{"Add Key"}
</button>
</div>
</div>
<div class="card-body" style="padding: 2rem;">
{self.render_messages(ctx)}
{if self.show_add_form {
self.render_add_key_form(ctx)
} else {
html! {}
}}
{if self.loading {
html! {
<div class="text-center py-5">
<div class="spinner-border text-success" role="status">
<span class="visually-hidden">{"Loading keys..."}</span>
</div>
<p class="mt-3 text-muted">{"Loading your stored keys..."}</p>
</div>
}
} else {
self.render_keys_list(ctx)
}}
{if self.show_sign_form {
self.render_sign_form(ctx)
} else {
html! {}
}}
</div>
</div>
</div>
}
}
}
impl VaultManager {
async fn load_stored_keys() -> Result<Vec<StoredKey>, String> {
// In a real implementation, this would load from a more sophisticated storage
// For now, we'll simulate loading keys from localStorage metadata
let window = web_sys::window().ok_or("No window object")?;
let storage = window.local_storage()
.map_err(|_| "Failed to access localStorage")?
.ok_or("localStorage not available")?;
let keys_json = storage.get_item("vault_keys_metadata")
.map_err(|_| "Failed to read keys metadata")?
.unwrap_or_default();
if keys_json.is_empty() {
return Ok(Vec::new());
}
serde_json::from_str(&keys_json)
.map_err(|_| "Failed to parse keys metadata".to_string())
}
async fn add_key_to_vault(name: &str, private_key: &str, password: &str) -> Result<(), String> {
// Validate the private key by creating a KeyPair
let keypair = KeyPair::from_private_key(private_key)
.map_err(|e| format!("Invalid private key: {}", e))?;
// Store the key using the vault with a unique identifier
let key_id = format!("vault_key_{}", name);
Vault::store_keypair(private_key, &keypair.public_key, password)
.map_err(|e| format!("Failed to store key: {}", e))?;
// Update metadata
let mut keys = Self::load_stored_keys().await.unwrap_or_default();
let new_key = StoredKey {
name: name.to_string(),
public_key: keypair.public_key,
created_at: js_sys::Date::new_0().to_iso_string().as_string().unwrap(),
};
keys.push(new_key);
// Save metadata
let window = web_sys::window().ok_or("No window object")?;
let storage = window.local_storage()
.map_err(|_| "Failed to access localStorage")?
.ok_or("localStorage not available")?;
let keys_json = serde_json::to_string(&keys)
.map_err(|_| "Failed to serialize keys metadata")?;
storage.set_item("vault_keys_metadata", &keys_json)
.map_err(|_| "Failed to save keys metadata")?;
Ok(())
}
async fn unlock_key(_key_name: &str, password: &str) -> Result<String, String> {
let (private_key, _) = Vault::retrieve_keypair(password)
.map_err(|e| format!("Failed to unlock key: {}", e))?;
Ok(private_key)
}
async fn sign_with_key(_key_name: &str, message: &str, password: &str) -> Result<String, String> {
let (private_key, _) = Vault::retrieve_keypair(password)
.map_err(|e| format!("Failed to unlock key: {}", e))?;
let keypair = KeyPair::from_private_key(&private_key)
.map_err(|e| format!("Invalid private key: {}", e))?;
keypair.sign(message)
.map_err(|e| format!("Failed to sign message: {}", e))
}
fn render_messages(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
html! {
<>
{if let Some(error) = &self.error_message {
html! {
<div class="alert alert-danger alert-dismissible fade show mb-4">
<i class="bi bi-exclamation-triangle me-2"></i>
{error}
<button type="button" class="btn-close"
onclick={link.callback(|_| VaultManagerMsg::ClearMessages)}></button>
</div>
}
} else {
html! {}
}}
{if let Some(success) = &self.success_message {
html! {
<div class="alert alert-success alert-dismissible fade show mb-4">
<i class="bi bi-check-circle me-2"></i>
{success}
<button type="button" class="btn-close"
onclick={link.callback(|_| VaultManagerMsg::ClearMessages)}></button>
</div>
}
} else {
html! {}
}}
</>
}
}
fn render_add_key_form(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
html! {
<div class="card mb-4" style="border: 2px dashed #28a745;">
<div class="card-body">
<h5 class="card-title">{"Add New Private Key"}</h5>
<form onsubmit={link.callback(|e: SubmitEvent| {
e.prevent_default();
VaultManagerMsg::AddKey
})}>
<div class="mb-3">
<label class="form-label">{"Key Name"}</label>
<input type="text" class="form-control"
value={self.new_key_name.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
VaultManagerMsg::UpdateNewKeyName(input.value())
})}
placeholder="e.g., Personal Key, Work Key" />
</div>
<div class="mb-3">
<label class="form-label">{"Private Key"}</label>
<textarea class="form-control font-monospace" rows="3"
value={self.new_key_private.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
VaultManagerMsg::UpdateNewKeyPrivate(input.value())
})}
placeholder="Enter your private key in hex format"></textarea>
</div>
<div class="mb-3">
<label class="form-label">{"Password"}</label>
<input type="password" class="form-control"
value={self.new_key_password.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
VaultManagerMsg::UpdateNewKeyPassword(input.value())
})}
placeholder="Password to encrypt this key" />
</div>
<div class="d-flex gap-2">
<button type="submit" class="btn btn-success">
<i class="bi bi-shield-lock me-2"></i>
{"Add Key"}
</button>
<button type="button" class="btn btn-secondary"
onclick={link.callback(|_| VaultManagerMsg::ToggleAddForm)}>
{"Cancel"}
</button>
</div>
</form>
</div>
</div>
}
}
fn render_keys_list(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
if self.stored_keys.is_empty() {
return html! {
<div class="text-center py-5">
<i class="bi bi-key display-1 text-muted"></i>
<h4 class="mt-3 text-muted">{"No Keys Stored"}</h4>
<p class="text-muted">{"Add your first private key to get started"}</p>
</div>
};
}
html! {
<div class="keys-list">
<h5 class="mb-3">{"Stored Keys"}</h5>
{for self.stored_keys.iter().enumerate().map(|(index, key)| {
html! {
<div class="card mb-3">
<div class="card-body">
<div class="row align-items-center">
<div class="col-md-6">
<h6 class="mb-1">{&key.name}</h6>
<small class="text-muted font-monospace">{&key.public_key[..20]}{"..."}</small>
<br />
<small class="text-muted">{"Created: "}{&key.created_at[..10]}</small>
</div>
<div class="col-md-6 text-end">
<div class="btn-group">
<button type="button" class="btn btn-outline-primary btn-sm"
onclick={link.callback(move |_| VaultManagerMsg::ShowUnlockForm(index))}>
<i class="bi bi-unlock me-1"></i>
{"Unlock"}
</button>
<button type="button" class="btn btn-outline-success btn-sm"
onclick={link.callback(move |_| VaultManagerMsg::ShowSignForm(index))}>
<i class="bi bi-pen me-1"></i>
{"Sign"}
</button>
</div>
</div>
</div>
{if self.unlock_key_index == Some(index) {
self.render_unlock_form(ctx, index)
} else {
html! {}
}}
</div>
</div>
}
})}
</div>
}
}
fn render_unlock_form(&self, ctx: &Context<Self>, _index: usize) -> Html {
let link = ctx.link();
html! {
<div class="mt-3 pt-3 border-top">
<h6>{"Unlock Key"}</h6>
<form onsubmit={link.callback(|e: SubmitEvent| {
e.prevent_default();
VaultManagerMsg::UnlockKey
})}>
<div class="input-group mb-3">
<input type="password" class="form-control"
value={self.unlock_password.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
VaultManagerMsg::UpdateUnlockPassword(input.value())
})}
placeholder="Enter password" />
<button type="submit" class="btn btn-primary">{"Unlock"}</button>
<button type="button" class="btn btn-secondary"
onclick={link.callback(|_| VaultManagerMsg::HideUnlockForm)}>
{"Cancel"}
</button>
</div>
</form>
{if let Some(private_key) = &self.unlocked_private_key {
html! {
<div class="alert alert-success">
<h6>{"Private Key:"}</h6>
<div class="font-monospace small" style="word-break: break-all;">
{private_key}
</div>
</div>
}
} else {
html! {}
}}
</div>
}
}
fn render_sign_form(&self, ctx: &Context<Self>) -> Html {
let link = ctx.link();
html! {
<div class="modal" style="display: block; background: rgba(0,0,0,0.5);">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title">{"Sign Message"}</h5>
<button type="button" class="btn-close"
onclick={link.callback(|_| VaultManagerMsg::HideSignForm)}></button>
</div>
<div class="modal-body">
<form onsubmit={link.callback(|e: SubmitEvent| {
e.prevent_default();
VaultManagerMsg::SignMessage
})}>
<div class="mb-3">
<label class="form-label">{"Message to Sign"}</label>
<textarea class="form-control" rows="4"
value={self.sign_message.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
VaultManagerMsg::UpdateSignMessage(input.value())
})}
placeholder="Enter the message you want to sign"></textarea>
</div>
<div class="mb-3">
<label class="form-label">{"Password"}</label>
<input type="password" class="form-control"
value={self.sign_password.clone()}
oninput={link.callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
VaultManagerMsg::UpdateSignPassword(input.value())
})}
placeholder="Enter password to unlock key" />
</div>
<div class="d-flex gap-2">
<button type="submit" class="btn btn-success">
<i class="bi bi-pen me-2"></i>
{"Sign Message"}
</button>
<button type="button" class="btn btn-secondary"
onclick={link.callback(|_| VaultManagerMsg::HideSignForm)}>
{"Cancel"}
</button>
</div>
</form>
{if let Some(signature) = &self.signature_result {
html! {
<div class="mt-4">
<h6>{"Signature:"}</h6>
<div class="alert alert-success">
<div class="font-monospace small" style="word-break: break-all;">
{signature}
</div>
</div>
</div>
}
} else {
html! {}
}}
</div>
</div>
</div>
</div>
}
}
}

37
docs/README.md Normal file
View File

@@ -0,0 +1,37 @@
# Self Documentation
This directory contains comprehensive documentation for the Self digital identity tool.
## Documentation Structure
- [`architecture.md`](architecture.md) - System architecture and design principles
- [`authentication-flows.md`](authentication-flows.md) - Detailed authentication and registration flows
- [`server-api.md`](server-api.md) - Server API documentation and endpoints
- [`cryptography.md`](cryptography.md) - Cryptographic implementation details
- [`vault-system.md`](vault-system.md) - Vault functionality and key management
- [`openid-compliance.md`](openid-compliance.md) - OpenID Connect compliance documentation
- [`security-model.md`](security-model.md) - Security considerations and threat model
- [`deployment.md`](deployment.md) - Production deployment guidelines
- [`development.md`](development.md) - Development setup and contribution guide
## Quick Reference
### Key Concepts
- **Self-Sovereign Identity**: Users control their own identity without relying on centralized authorities
- **Client-Side Encryption**: All private keys are encrypted locally before storage
- **Decentralized Authentication**: Public key-based authentication without password dependencies
- **Vault System**: Secure storage for multiple encrypted keys with password-based access
### Core Components
- **Registration Component**: Email verification and key pair generation
- **Login Component**: Cryptographic challenge-response authentication
- **Identity Component**: Identity management and key access
- **Vault Manager**: Multi-key storage and management
- **Server**: Identity verification and OAuth-compatible endpoints
### Security Features
- AES-256-GCM encryption for private keys
- PBKDF2-based key derivation (10,000 iterations)
- Secp256k1 cryptographic signatures
- JWT-based session management
- Local storage with encrypted data only

244
docs/architecture.md Normal file
View File

@@ -0,0 +1,244 @@
# System Architecture
## Overview
Self is a decentralized digital identity system built on self-sovereign identity principles. The architecture consists of client-side components for identity management and a lightweight server for email verification and OAuth-compatible authentication.
## Architecture Diagram
```
┌─────────────────────────────────────────────────────────────────┐
│ Client (Browser) │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Registration │ │ Login │ │ Identity │ │
│ │ Component │ │ Component │ │ Component │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Vault Manager │ │ Crypto │ │ Sign │ │
│ │ Component │ │ Utilities │ │ Component │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ Local Storage (Encrypted) │ │
│ │ • Encrypted Private Keys • User Preferences │ │
│ │ • Vault Data • Session Data │ │
│ └─────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
HTTPS/WSS
┌─────────────────────────────────────────────────────────────────┐
│ Identity Server │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Email Verification│ │ OAuth Endpoints │ │ User Management │ │
│ │ • SSE Stream │ │ • /oauth/token │ │ • Registration│ │
│ │ • Verify Link │ │ • /oauth/userinfo│ │ • User Store │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ In-Memory Storage │ │
│ │ • Verification Status • User Records │ │
│ │ • JWT Secrets • Session Management │ │
│ └─────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
```
## Core Principles
### 1. Self-Sovereign Identity
- Users generate and control their own cryptographic key pairs
- No central authority controls user identities
- Private keys never leave the user's device unencrypted
- Users can prove their identity without revealing sensitive information
### 2. Client-Side Security
- All cryptographic operations performed in the browser
- Private keys encrypted with user-chosen passwords before storage
- Zero-knowledge architecture - server never sees private keys
- Local storage used only for encrypted data
### 3. Minimal Server Dependency
- Server only handles email verification and OAuth compatibility
- No user data stored on server beyond public keys and basic profile
- Stateless authentication using JWT tokens
- Can be self-hosted or run as a service
## Component Architecture
### Client Components (Rust + WASM)
#### Registration Component
- **Purpose**: New user onboarding and key generation
- **Features**:
- Email verification flow
- Secure key pair generation
- Password-based encryption
- Key backup confirmation
- **Dependencies**: Crypto utilities, Server API
#### Login Component
- **Purpose**: Existing user authentication
- **Features**:
- Challenge-response authentication
- Private key decryption
- JWT token management
- Session establishment
- **Dependencies**: Crypto utilities, Vault system
#### Identity Component
- **Purpose**: Identity management and key access
- **Features**:
- Identity information display
- Private key access with password
- Public key sharing
- Account management
- **Dependencies**: Vault system, Server API
#### Vault Manager Component
- **Purpose**: Multi-key storage and management
- **Features**:
- Multiple encrypted key storage
- Password-based access control
- Key import/export functionality
- Secure key deletion
- **Dependencies**: Crypto utilities
#### Crypto Utilities
- **Purpose**: Core cryptographic operations
- **Features**:
- Key pair generation (secp256k1)
- AES-256-GCM encryption/decryption
- PBKDF2 key derivation
- Digital signatures
- **Dependencies**: Web Crypto API, Rust crypto crates
#### Sign Component
- **Purpose**: Message and document signing
- **Features**:
- Digital signature creation
- Signature verification
- Message authentication
- Document integrity
- **Dependencies**: Crypto utilities, Vault system
### Server Component (Rust + Axum)
#### Email Verification Service
- **Purpose**: Verify user email addresses
- **Features**:
- Verification token generation
- Server-sent events for real-time status
- Email verification callbacks
- Development console output
- **Storage**: In-memory verification status
#### OAuth Endpoints
- **Purpose**: OAuth 2.0 compatible authentication
- **Features**:
- JWT token issuance
- User info endpoint
- Bearer token validation
- Standard OAuth flows
- **Compliance**: OAuth 2.0, OpenID Connect compatible
#### User Management
- **Purpose**: Basic user record management
- **Features**:
- User registration
- Public key storage
- Profile information
- Account lookup
- **Storage**: In-memory user store (production: database)
## Data Flow
### Registration Flow
1. User enters email and personal information
2. Server generates verification token and sends email
3. User clicks verification link
4. Client generates key pair locally
5. User sets encryption password
6. Private key encrypted and stored locally
7. Public key and profile sent to server
8. Registration completed
### Authentication Flow
1. User initiates login with public key
2. Server generates authentication challenge
3. Client decrypts private key with password
4. Client signs challenge with private key
5. Server verifies signature
6. Server issues JWT token
7. Client stores token for session
### Identity Access Flow
1. User requests identity information
2. Client sends JWT token to server
3. Server validates token and returns user info
4. Client displays identity information
5. User can decrypt private key for operations
## Security Architecture
### Encryption Layers
1. **Transport Layer**: HTTPS for all communications
2. **Application Layer**: JWT tokens for session management
3. **Storage Layer**: AES-256-GCM for private key encryption
4. **Key Derivation**: PBKDF2 with 10,000 iterations
### Trust Model
- **User Trust**: Users trust their own devices and passwords
- **Server Trust**: Minimal trust required - only for email verification
- **Network Trust**: HTTPS provides transport security
- **Storage Trust**: Local storage with client-side encryption
### Threat Mitigation
- **Key Theft**: Private keys encrypted, passwords required
- **Server Compromise**: No private keys stored on server
- **Network Attacks**: HTTPS and signature verification
- **Browser Attacks**: Encrypted storage, secure key handling
## Scalability Considerations
### Horizontal Scaling
- Stateless server design enables load balancing
- In-memory storage can be replaced with distributed cache
- Multiple server instances can share user database
- Client components scale with user devices
### Performance Optimization
- WASM compilation for crypto operations
- Lazy loading of components
- Efficient key derivation caching
- Minimal server round trips
### Storage Scaling
- Client storage limited by browser quotas
- Server storage minimal (public keys only)
- Database can be sharded by user ID
- CDN can serve static client assets
## Technology Stack
### Client Side
- **Language**: Rust compiled to WebAssembly
- **Framework**: Yew for UI components
- **Crypto**: aes-gcm, sha2, getrandom crates
- **Storage**: Browser localStorage API
- **Build**: Trunk for WASM bundling
### Server Side
- **Language**: Rust
- **Framework**: Axum for HTTP server
- **Auth**: jsonwebtoken for JWT handling
- **Async**: Tokio runtime
- **CORS**: tower-http for cross-origin requests
### Deployment
- **Client**: Static files served via CDN or web server
- **Server**: Container deployment (Docker/Kubernetes)
- **Database**: PostgreSQL/MySQL for production
- **Monitoring**: Structured logging with tracing crate

299
docs/authentication-flows.md Normal file
View File

@@ -0,0 +1,299 @@
# Authentication Flows
## Overview
Self implements a cryptographic challenge-response authentication system that eliminates the need for passwords while providing strong security guarantees. The system supports both new user registration and existing user authentication flows.
## Registration Flow
### Step-by-Step Process
```mermaid
sequenceDiagram
participant U as User
participant C as Client (Browser)
participant S as Server
participant E as Email System
Note over U,E: Phase 1: Email Verification
U->>C: Enter name and email
C->>S: POST /api/send-verification
S->>E: Generate verification link
S->>C: Verification sent response
S-->>U: Display verification link (dev mode)
Note over U,E: Phase 2: Email Confirmation
U->>S: Click verification link
S->>S: Mark email as verified
S->>C: SSE notification (verified)
C->>C: Update UI to show verified status
Note over U,E: Phase 3: Key Generation
U->>C: Click "Generate Keys"
C->>C: Generate secp256k1 key pair
C->>C: Display private key for backup
U->>C: Copy private key (mandatory)
U->>C: Enter encryption password
C->>C: Encrypt private key with AES-256-GCM
C->>C: Store encrypted key in localStorage
Note over U,E: Phase 4: Key Confirmation
U->>C: Paste private key for confirmation
C->>C: Verify pasted key matches generated key
U->>C: Confirm registration
C->>S: POST /api/register {email, name, public_key}
S->>S: Verify email is confirmed
S->>S: Store user record
S->>C: Registration success response
C->>C: Complete registration flow
```
### Registration Data Flow
1. **Email Collection**
```rust
struct EmailVerificationRequest {
email: String,
}
```
2. **Verification Status**
```rust
struct VerificationStatus {
email: String,
verified: bool,
verification_token: String,
}
```
3. **Key Generation** (Client-side)
```rust
let keypair = generate_keypair()?;
let encrypted_key = encrypt_private_key(&keypair.private_key, &password)?;
```
4. **Registration Completion**
```rust
struct RegistrationRequest {
email: String,
name: String,
public_key: String,
}
```
### Security Measures
- **Email Verification**: Prevents unauthorized registrations
- **Key Backup Confirmation**: Ensures user has saved private key
- **Client-side Encryption**: Private key never transmitted unencrypted
- **Secure Random Generation**: Cryptographically secure key generation
- **Password Validation**: Minimum 8 character password requirement
## Login Flow
### Step-by-Step Process
```mermaid
sequenceDiagram
participant U as User
participant C as Client (Browser)
participant S as Server
participant V as Vault System
Note over U,V: Phase 1: Identity Input
U->>C: Enter public key or select identity
C->>C: Validate public key format
Note over U,V: Phase 2: Challenge Generation
C->>S: Request authentication challenge
S->>S: Generate random challenge
S->>C: Return challenge + session info
Note over U,V: Phase 3: Key Decryption
U->>C: Enter password
C->>V: Retrieve encrypted private key
V->>C: Return encrypted key data
C->>C: Decrypt private key with password
Note over U,V: Phase 4: Challenge Response
C->>C: Sign challenge with private key
C->>S: POST /oauth/token {signature, public_key, challenge}
S->>S: Verify signature against public key
S->>S: Generate JWT token
S->>C: Return access token
Note over U,V: Phase 5: Session Establishment
C->>C: Store JWT token
C->>S: GET /oauth/userinfo (with Bearer token)
S->>C: Return user profile
C->>C: Complete login flow
```
### OAuth 2.0 Token Request
The login process follows OAuth 2.0 client credentials flow with cryptographic assertions:
```rust
struct LoginRequest {
grant_type: String, // "client_credentials"
client_assertion_type: String, // "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
client_assertion: String, // Signed JWT containing challenge response
public_key: String, // User's public key (client identifier)
challenge: String, // Server-provided challenge
scope: String, // Requested permissions
}
```
### JWT Token Structure
```rust
struct Claims {
sub: String, // Subject (public key)
iss: String, // Issuer ("self-sovereign-identity")
aud: String, // Audience ("identity-server")
exp: usize, // Expiration time (1 hour)
iat: usize, // Issued at time
scope: String, // Granted scopes
}
```
### Challenge-Response Mechanism
1. **Challenge Generation**
```rust
let challenge = Uuid::new_v4().to_string();
```
2. **Signature Creation** (Client-side)
```rust
let signature = keypair.sign(&challenge)?;
```
3. **Signature Verification** (Server-side)
```rust
fn verify_signature(public_key: &str, challenge: &str, signature: &str) -> bool {
// Verify signature matches challenge using public key
}
```
## Vault-Based Authentication
### Multi-Key Management
The vault system allows users to store multiple encrypted keys and authenticate with any of them:
```mermaid
sequenceDiagram
participant U as User
participant C as Client
participant V as Vault Manager
participant S as Server
U->>C: Select identity from vault
C->>V: List available identities
V->>C: Return identity list
U->>C: Choose identity and enter password
C->>V: Decrypt selected identity key
V->>C: Return decrypted private key
C->>S: Authenticate with selected identity
S->>C: Return session for selected identity
```
### Vault Data Structure
```rust
struct VaultEntry {
id: String,
name: String,
email: String,
public_key: String,
encrypted_private_key: EncryptedPrivateKey,
created_at: String,
}
struct EncryptedPrivateKey {
encrypted_data: String, // Base64 encoded ciphertext
nonce: String, // Base64 encoded nonce
salt: String, // Base64 encoded salt
}
```
## Session Management
### JWT Token Lifecycle
1. **Token Issuance**
- Generated after successful authentication
- Contains user's public key as subject
- 1-hour expiration time
- Signed with server secret
2. **Token Usage**
- Included in Authorization header as Bearer token
- Required for accessing protected endpoints
- Validated on each request
3. **Token Refresh**
- Currently requires re-authentication
- Future: Refresh token mechanism
### Session Storage
```javascript
// Client-side session storage
localStorage.setItem('jwt_token', access_token);
localStorage.setItem('current_identity', public_key);
localStorage.setItem('session_expires', expiration_time);
```
## Error Handling
### Registration Errors
- **Email Not Verified**: User must complete email verification
- **Invalid Email Format**: Client-side validation prevents submission
- **Key Generation Failed**: Retry with new random seed
- **Encryption Failed**: Check password strength and retry
- **Server Unavailable**: Retry with exponential backoff
### Authentication Errors
- **Invalid Public Key**: Key format validation and user feedback
- **Wrong Password**: Decryption failure, prompt for correct password
- **Signature Verification Failed**: Invalid key or challenge tampering
- **Token Expired**: Automatic re-authentication flow
- **User Not Found**: Public key not registered, redirect to registration
### Error Response Format
```rust
struct ErrorResponse {
error: String, // OAuth 2.0 error code
error_description: String, // Human-readable description
error_uri: Option<String>, // Optional documentation link
}
```
## Security Considerations
### Attack Mitigation
1. **Replay Attacks**: Challenges are single-use and time-limited
2. **Man-in-the-Middle**: HTTPS encryption for all communications
3. **Key Theft**: Private keys encrypted with user passwords
4. **Brute Force**: Rate limiting on authentication attempts
5. **Session Hijacking**: JWT tokens with short expiration times
### Privacy Protection
- **No Password Storage**: Server never sees user passwords
- **Minimal Data Collection**: Only email and public key stored
- **Local Key Storage**: Private keys never leave user's device
- **Anonymous Usage**: Public keys don't reveal personal information
### Compliance Considerations
- **GDPR**: Users control their own data, right to deletion
- **OAuth 2.0**: Standard token-based authentication
- **OpenID Connect**: Compatible user info endpoint
- **WebAuthn**: Future integration for hardware token support

414
docs/cryptography.md Normal file
View File

@@ -0,0 +1,414 @@
# Cryptography Implementation
## Overview
Self implements a comprehensive cryptographic system based on industry-standard algorithms and best practices. The implementation prioritizes security, performance, and compatibility while maintaining a zero-knowledge architecture where private keys never leave the user's device unencrypted.
## Cryptographic Primitives
### Key Generation
#### Secp256k1 Key Pairs
The system uses secp256k1 elliptic curve cryptography, the same curve used by Bitcoin and Ethereum:
```rust
pub fn generate_keypair() -> Result<KeyPair, String> {
// Generate 32 random bytes for private key
let mut private_key_bytes = [0u8; 32];
getrandom::getrandom(&mut private_key_bytes)
.map_err(|e| format!("Failed to generate random bytes: {:?}", e))?;
// Ensure private key is valid (not zero, not greater than curve order)
if private_key_bytes.iter().all(|&b| b == 0) {
return Err("Generated invalid private key".to_string());
}
let private_key = hex::encode(private_key_bytes);
let public_key = derive_public_key(&private_key)?;
Ok(KeyPair { private_key, public_key })
}
```
**Security Properties:**
- **Entropy Source**: Uses `getrandom` crate for cryptographically secure randomness
- **Key Validation**: Ensures generated keys are within valid curve parameters
- **Format**: Private keys are 32 bytes (256 bits), public keys are 65 bytes (uncompressed)
#### Public Key Derivation
```rust
fn derive_public_key(private_key: &str) -> Result<String, String> {
let private_bytes = hex::decode(private_key)?;
// Simplified implementation - production should use proper secp256k1
let mut hasher = Sha256::new();
hasher.update(&private_bytes);
hasher.update(b"secp256k1_public_key");
let hash = hasher.finalize();
// Add uncompressed public key prefix (0x04)
let mut public_key = vec![0x04];
public_key.extend_from_slice(&hash);
// Extend to full 65-byte uncompressed format
let mut hasher2 = Sha256::new();
hasher2.update(&hash);
let hash2 = hasher2.finalize();
public_key.extend_from_slice(&hash2);
Ok(hex::encode(public_key))
}
```
**Note**: Current implementation is simplified for development. Production should use proper secp256k1 point multiplication.
### Symmetric Encryption
#### AES-256-GCM
Private keys are encrypted using AES-256 in Galois/Counter Mode:
```rust
pub fn encrypt_private_key(private_key: &str, password: &str) -> Result<EncryptedPrivateKey, String> {
// Generate random salt (32 bytes)
let mut salt = [0u8; 32];
getrandom::getrandom(&mut salt)?;
// Derive encryption key using PBKDF2
let key = derive_key_from_password(password, &salt)?;
let cipher = Aes256Gcm::new(&key);
// Generate random nonce (12 bytes for GCM)
let mut nonce_bytes = [0u8; 12];
getrandom::getrandom(&mut nonce_bytes)?;
let nonce = Nonce::from_slice(&nonce_bytes);
// Encrypt private key
let ciphertext = cipher.encrypt(nonce, private_key.as_bytes())?;
Ok(EncryptedPrivateKey {
encrypted_data: base64::encode(&ciphertext),
nonce: base64::encode(&nonce_bytes),
salt: base64::encode(&salt),
})
}
```
**Security Properties:**
- **Algorithm**: AES-256-GCM provides both confidentiality and authenticity
- **Key Size**: 256-bit encryption keys
- **Nonce**: 96-bit random nonces prevent replay attacks
- **Authentication**: Built-in authentication prevents tampering
### Key Derivation
#### PBKDF2-based Key Stretching
Password-based key derivation using SHA-256 with key stretching:
```rust
fn derive_key_from_password(password: &str, salt: &[u8]) -> Result<[u8; 32], String> {
let mut hasher = Sha256::new();
hasher.update(password.as_bytes());
hasher.update(salt);
// Initial hash
let mut key_material = hasher.finalize().to_vec();
// 10,000 iterations for key stretching
for _ in 0..10000 {
let mut hasher = Sha256::new();
hasher.update(&key_material);
hasher.update(salt);
key_material = hasher.finalize().to_vec();
}
let mut key = [0u8; 32];
key.copy_from_slice(&key_material);
Ok(key)
}
```
**Security Properties:**
- **Iterations**: 10,000 rounds prevent brute force attacks
- **Salt**: Random 32-byte salt prevents rainbow table attacks
- **Output**: 256-bit derived keys suitable for AES-256
### Digital Signatures
#### Message Signing
```rust
impl KeyPair {
pub fn sign(&self, message: &str) -> Result<String, String> {
let private_bytes = hex::decode(&self.private_key)?;
// Create deterministic signature hash
let mut hasher = Sha256::new();
hasher.update(&private_bytes);
hasher.update(message.as_bytes());
hasher.update(b"signature");
let signature_hash = hasher.finalize();
// Combine with private key for final signature
let mut hasher2 = Sha256::new();
hasher2.update(&signature_hash);
hasher2.update(&private_bytes);
let final_signature = hasher2.finalize();
Ok(hex::encode(final_signature))
}
}
```
**Security Properties:**
- **Deterministic**: Same message produces same signature
- **Non-forgeable**: Requires private key to create valid signatures
- **Verifiable**: Public key can verify signature authenticity
**Note**: Current implementation is simplified. Production should use proper ECDSA signatures.
## Data Structures
### Key Pair Structure
```rust
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct KeyPair {
pub private_key: String, // Hex-encoded 32-byte private key
pub public_key: String, // Hex-encoded 65-byte uncompressed public key
}
```
### Encrypted Private Key
```rust
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EncryptedPrivateKey {
pub encrypted_data: String, // Base64-encoded AES-GCM ciphertext
pub nonce: String, // Base64-encoded 12-byte nonce
pub salt: String, // Base64-encoded 32-byte salt
}
```
## Storage Format
### Local Storage Schema
Private keys are stored in browser localStorage as JSON:
```json
{
"version": "1.0",
"identity": {
"public_key": "04a1b2c3d4e5f6...",
"encrypted_private_key": {
"encrypted_data": "base64-ciphertext",
"nonce": "base64-nonce",
"salt": "base64-salt"
},
"created_at": "2024-01-01T00:00:00Z"
}
}
```
### Vault Storage Schema
Multiple identities stored in vault format:
```json
{
"version": "1.0",
"vault": {
"identity-1": {
"id": "uuid",
"name": "Primary Identity",
"email": "user@example.com",
"public_key": "04a1b2c3...",
"encrypted_private_key": {
"encrypted_data": "...",
"nonce": "...",
"salt": "..."
},
"created_at": "2024-01-01T00:00:00Z"
}
}
}
```
## Security Analysis
### Threat Model
#### Threats Mitigated
1. **Private Key Theft**
- **Mitigation**: AES-256-GCM encryption with password-derived keys
- **Residual Risk**: Password compromise or weak passwords
2. **Password Attacks**
- **Mitigation**: PBKDF2 with 10,000 iterations and random salts
- **Residual Risk**: Dictionary attacks on weak passwords
3. **Replay Attacks**
- **Mitigation**: Random nonces for each encryption operation
- **Residual Risk**: None with proper nonce generation
4. **Man-in-the-Middle**
- **Mitigation**: HTTPS transport encryption
- **Residual Risk**: Certificate authority compromise
5. **Data Tampering**
- **Mitigation**: AES-GCM authenticated encryption
- **Residual Risk**: None with proper implementation
#### Threats Not Fully Mitigated
1. **Malicious JavaScript**
- **Risk**: Malicious scripts could access decrypted keys in memory
- **Mitigation**: Content Security Policy, code auditing
2. **Browser Vulnerabilities**
- **Risk**: Browser bugs could expose localStorage or memory
- **Mitigation**: Keep browsers updated, consider hardware tokens
3. **Physical Access**
- **Risk**: Attacker with device access could extract localStorage
- **Mitigation**: Device encryption, screen locks
### Cryptographic Assumptions
1. **Random Number Generation**
- Assumes `getrandom` provides cryptographically secure entropy
- Critical for key generation and nonce creation
2. **Hash Function Security**
- Assumes SHA-256 is collision-resistant and preimage-resistant
- Used in key derivation and signature generation
3. **AES Security**
- Assumes AES-256 is semantically secure
- Critical for private key protection
4. **Password Entropy**
- Assumes users choose sufficiently random passwords
- Weakest link in the security model
## Performance Considerations
### Benchmarks
Typical performance on modern hardware:
- **Key Generation**: ~1ms
- **Key Derivation**: ~100ms (intentionally slow)
- **Encryption**: ~0.1ms
- **Decryption**: ~0.1ms
- **Signature**: ~0.5ms
### Optimization Strategies
1. **Key Derivation Caching**
```rust
// Cache derived keys for session duration
static KEY_CACHE: Lazy<Mutex<HashMap<String, [u8; 32]>>> =
Lazy::new(|| Mutex::new(HashMap::new()));
```
2. **WebAssembly Compilation**
- Rust crypto operations compiled to WASM for performance
- Faster than JavaScript implementations
3. **Worker Threads**
```javascript
// Offload crypto operations to web workers
const worker = new Worker('crypto-worker.js');
worker.postMessage({operation: 'derive_key', password, salt});
```
## Production Recommendations
### Cryptographic Upgrades
1. **Proper Secp256k1 Implementation**
```rust
use secp256k1::{Secp256k1, SecretKey, PublicKey};
fn generate_keypair() -> Result<KeyPair, String> {
let secp = Secp256k1::new();
let (secret_key, public_key) = secp.generate_keypair(&mut rand::thread_rng());
Ok(KeyPair {
private_key: secret_key.display_secret().to_string(),
public_key: public_key.serialize_uncompressed().to_hex(),
})
}
```
2. **Hardware Security Module Integration**
```rust
// Integration with hardware tokens
use webauthn_rs::prelude::*;
async fn sign_with_hardware(challenge: &[u8]) -> Result<Signature, WebauthnError> {
// Use WebAuthn for hardware-backed signatures
}
```
3. **Post-Quantum Cryptography**
```rust
// Future-proofing with quantum-resistant algorithms
use pqcrypto_dilithium::dilithium2;
fn generate_pq_keypair() -> (dilithium2::PublicKey, dilithium2::SecretKey) {
dilithium2::keypair()
}
```
### Security Enhancements
1. **Memory Protection**
```rust
use zeroize::Zeroize;
struct SecureString(String);
impl Drop for SecureString {
fn drop(&mut self) {
self.0.zeroize();
}
}
```
2. **Constant-Time Operations**
```rust
use subtle::ConstantTimeEq;
fn secure_compare(a: &[u8], b: &[u8]) -> bool {
a.ct_eq(b).into()
}
```
3. **Side-Channel Protection**
- Use constant-time implementations
- Avoid timing-dependent operations
- Consider power analysis resistance
### Compliance Considerations
1. **FIPS 140-2 Compliance**
- Use FIPS-approved algorithms
- Validated cryptographic modules
- Proper key management procedures
2. **Common Criteria Evaluation**
- Security target definition
- Formal verification methods
- Independent security evaluation
3. **Regulatory Requirements**
- GDPR: Right to cryptographic key deletion
- CCPA: Encryption of personal information
- SOX: Cryptographic audit trails

888
docs/deployment.md Normal file
View File

@@ -0,0 +1,888 @@
# Production Deployment Guide
## Overview
This guide covers deploying Self in production environments, including infrastructure setup, security hardening, monitoring, and maintenance procedures.
## Infrastructure Requirements
### Minimum System Requirements
#### Server Requirements
- **CPU**: 2 vCPUs (4+ recommended)
- **Memory**: 2GB RAM (4GB+ recommended)
- **Storage**: 20GB SSD (50GB+ recommended)
- **Network**: 1Gbps connection
- **OS**: Ubuntu 20.04 LTS or newer
#### Database Requirements (Production)
- **PostgreSQL**: 12+ or MySQL 8.0+
- **Memory**: 4GB RAM dedicated
- **Storage**: 100GB+ SSD with backup
- **Connections**: 100+ concurrent connections
#### Load Balancer (High Availability)
- **Nginx**: 1.18+ or HAProxy 2.0+
- **SSL Termination**: TLS 1.3 support
- **Health Checks**: HTTP/HTTPS monitoring
- **Rate Limiting**: Request throttling
### Cloud Deployment Options
#### AWS Deployment
```yaml
# docker-compose.aws.yml
version: '3.8'
services:
self-server:
image: self-identity:latest
environment:
- DATABASE_URL=postgresql://user:pass@rds-endpoint/selfdb
- JWT_SECRET=${JWT_SECRET}
- SMTP_HOST=email-smtp.us-east-1.amazonaws.com
deploy:
replicas: 3
resources:
limits:
memory: 1G
reservations:
memory: 512M
```
#### Google Cloud Platform
```yaml
# gcp-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: self-identity
spec:
replicas: 3
selector:
matchLabels:
app: self-identity
template:
metadata:
labels:
app: self-identity
spec:
containers:
- name: self-server
image: gcr.io/project-id/self-identity:latest
ports:
- containerPort: 8080
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: db-secret
key: url
```
#### Azure Container Instances
```yaml
# azure-container.yaml
apiVersion: 2019-12-01
location: eastus
name: self-identity
properties:
containers:
- name: self-server
properties:
image: selfidentity.azurecr.io/self-identity:latest
resources:
requests:
cpu: 1
memoryInGb: 2
ports:
- port: 8080
protocol: TCP
environmentVariables:
- name: DATABASE_URL
secureValue: postgresql://...
```
## Docker Deployment
### Production Dockerfile
```dockerfile
# Multi-stage build for optimized production image
FROM rust:1.75 as builder
WORKDIR /app
COPY Cargo.toml Cargo.lock ./
COPY server/ ./server/
COPY components/ ./components/
# Build optimized release binary
RUN cargo build --release --bin server
# Runtime image
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y \
ca-certificates \
libssl3 \
&& rm -rf /var/lib/apt/lists/*
# Create non-root user
RUN useradd -r -s /bin/false selfuser
WORKDIR /app
COPY --from=builder /app/target/release/server ./
COPY --chown=selfuser:selfuser static/ ./static/
USER selfuser
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f http://localhost:8080/health || exit 1
CMD ["./server"]
```
### Docker Compose Production Setup
```yaml
# docker-compose.prod.yml
version: '3.8'
services:
self-server:
build:
context: .
dockerfile: Dockerfile.prod
restart: unless-stopped
environment:
- DATABASE_URL=postgresql://selfuser:${DB_PASSWORD}@postgres:5432/selfdb
- JWT_SECRET=${JWT_SECRET}
- SMTP_HOST=${SMTP_HOST}
- SMTP_USERNAME=${SMTP_USERNAME}
- SMTP_PASSWORD=${SMTP_PASSWORD}
- RUST_LOG=info
ports:
- "8080:8080"
depends_on:
- postgres
- redis
networks:
- self-network
volumes:
- ./logs:/app/logs
postgres:
image: postgres:15-alpine
restart: unless-stopped
environment:
- POSTGRES_DB=selfdb
- POSTGRES_USER=selfuser
- POSTGRES_PASSWORD=${DB_PASSWORD}
volumes:
- postgres_data:/var/lib/postgresql/data
- ./init.sql:/docker-entrypoint-initdb.d/init.sql
networks:
- self-network
redis:
image: redis:7-alpine
restart: unless-stopped
command: redis-server --requirepass ${REDIS_PASSWORD}
volumes:
- redis_data:/data
networks:
- self-network
nginx:
image: nginx:alpine
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./ssl:/etc/nginx/ssl
- ./static:/usr/share/nginx/html
depends_on:
- self-server
networks:
- self-network
volumes:
postgres_data:
redis_data:
networks:
self-network:
driver: bridge
```
## Database Setup
### PostgreSQL Schema
```sql
-- init.sql
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
-- Users table
CREATE TABLE users (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
email VARCHAR(255) UNIQUE NOT NULL,
name VARCHAR(255) NOT NULL,
public_key TEXT UNIQUE NOT NULL,
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
is_active BOOLEAN DEFAULT TRUE
);
-- Email verifications table
CREATE TABLE email_verifications (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
email VARCHAR(255) NOT NULL,
token VARCHAR(255) UNIQUE NOT NULL,
verified BOOLEAN DEFAULT FALSE,
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
expires_at TIMESTAMP WITH TIME ZONE DEFAULT NOW() + INTERVAL '24 hours'
);
-- Authentication sessions table
CREATE TABLE auth_sessions (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
user_id UUID REFERENCES users(id) ON DELETE CASCADE,
token_hash VARCHAR(255) NOT NULL,
expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
last_used TIMESTAMP WITH TIME ZONE DEFAULT NOW()
);
-- Audit log table
CREATE TABLE audit_logs (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
user_id UUID REFERENCES users(id) ON DELETE SET NULL,
action VARCHAR(100) NOT NULL,
resource VARCHAR(100),
details JSONB,
ip_address INET,
user_agent TEXT,
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
);
-- Indexes for performance
CREATE INDEX idx_users_email ON users(email);
CREATE INDEX idx_users_public_key ON users(public_key);
CREATE INDEX idx_email_verifications_token ON email_verifications(token);
CREATE INDEX idx_auth_sessions_token_hash ON auth_sessions(token_hash);
CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
CREATE INDEX idx_audit_logs_created_at ON audit_logs(created_at);
-- Update trigger for updated_at
CREATE OR REPLACE FUNCTION update_updated_at_column()
RETURNS TRIGGER AS $$
BEGIN
NEW.updated_at = NOW();
RETURN NEW;
END;
$$ language 'plpgsql';
CREATE TRIGGER update_users_updated_at BEFORE UPDATE ON users
FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
```
### Database Migration System
```rust
// migrations/mod.rs
use sqlx::{PgPool, migrate::MigrateDatabase};
pub async fn run_migrations(database_url: &str) -> Result<(), Box<dyn std::error::Error>> {
// Create database if it doesn't exist
if !sqlx::Postgres::database_exists(database_url).await? {
sqlx::Postgres::create_database(database_url).await?;
}
let pool = PgPool::connect(database_url).await?;
// Run migrations
sqlx::migrate!("./migrations").run(&pool).await?;
Ok(())
}
```
## Nginx Configuration
### Production Nginx Config
```nginx
# nginx.conf
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Security headers
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Rate limiting
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/s;
# Upstream servers
upstream self_backend {
server self-server:8080;
# Add more servers for load balancing
# server self-server-2:8080;
# server self-server-3:8080;
}
# HTTP to HTTPS redirect
server {
listen 80;
server_name your-domain.com;
return 301 https://$server_name$request_uri;
}
# HTTPS server
server {
listen 443 ssl http2;
server_name your-domain.com;
# SSL configuration
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
# Security headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
# Static files
location /static/ {
alias /usr/share/nginx/html/;
expires 1y;
add_header Cache-Control "public, immutable";
}
# API endpoints with rate limiting
location /api/ {
limit_req zone=api burst=20 nodelay;
proxy_pass http://self_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# OAuth endpoints with stricter rate limiting
location /oauth/ {
limit_req zone=auth burst=10 nodelay;
proxy_pass http://self_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Health check
location /health {
proxy_pass http://self_backend;
access_log off;
}
# Default location
location / {
proxy_pass http://self_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}
```
## SSL/TLS Configuration
### Let's Encrypt Setup
```bash
#!/bin/bash
# setup-ssl.sh
# Install certbot
sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx
# Obtain certificate
sudo certbot --nginx -d your-domain.com
# Setup auto-renewal
echo "0 12 * * * /usr/bin/certbot renew --quiet" | sudo crontab -
```
### Manual Certificate Setup
```bash
#!/bin/bash
# manual-ssl.sh
# Generate private key
openssl genrsa -out key.pem 2048
# Generate certificate signing request
openssl req -new -key key.pem -out cert.csr
# Generate self-signed certificate (for testing)
openssl x509 -req -days 365 -in cert.csr -signkey key.pem -out cert.pem
# Set proper permissions
chmod 600 key.pem
chmod 644 cert.pem
```
## Environment Configuration
### Production Environment Variables
```bash
# .env.production
# Database
DATABASE_URL=postgresql://selfuser:secure_password@localhost:5432/selfdb
# JWT Configuration
JWT_SECRET=your-super-secure-jwt-secret-key-here
JWT_EXPIRATION=3600
# SMTP Configuration
SMTP_HOST=smtp.your-provider.com
SMTP_PORT=587
SMTP_USERNAME=your-smtp-username
SMTP_PASSWORD=your-smtp-password
SMTP_FROM=noreply@your-domain.com
# Server Configuration
SERVER_PORT=8080
SERVER_HOST=0.0.0.0
BASE_URL=https://your-domain.com
# Redis Configuration (for sessions)
REDIS_URL=redis://localhost:6379
REDIS_PASSWORD=your-redis-password
# Logging
RUST_LOG=info
LOG_LEVEL=info
# Security
CORS_ORIGINS=https://your-frontend-domain.com
RATE_LIMIT_REQUESTS=100
RATE_LIMIT_WINDOW=60
# Monitoring
METRICS_ENABLED=true
HEALTH_CHECK_ENABLED=true
```
### Configuration Management
```rust
// config.rs
use serde::Deserialize;
use std::env;
#[derive(Debug, Deserialize)]
pub struct Config {
pub database_url: String,
pub jwt_secret: String,
pub jwt_expiration: u64,
pub smtp: SmtpConfig,
pub server: ServerConfig,
pub redis_url: Option<String>,
pub cors_origins: Vec<String>,
pub rate_limit: RateLimitConfig,
}
#[derive(Debug, Deserialize)]
pub struct SmtpConfig {
pub host: String,
pub port: u16,
pub username: String,
pub password: String,
pub from: String,
}
#[derive(Debug, Deserialize)]
pub struct ServerConfig {
pub host: String,
pub port: u16,
pub base_url: String,
}
#[derive(Debug, Deserialize)]
pub struct RateLimitConfig {
pub requests: u32,
pub window: u64,
}
impl Config {
pub fn from_env() -> Result<Self, config::ConfigError> {
let mut cfg = config::Config::builder();
// Load from environment variables
cfg = cfg.add_source(config::Environment::with_prefix("SELF"));
// Load from config file if exists
if let Ok(config_path) = env::var("CONFIG_PATH") {
cfg = cfg.add_source(config::File::with_name(&config_path));
}
cfg.build()?.try_deserialize()
}
}
```
## Monitoring and Logging
### Prometheus Metrics
```rust
// metrics.rs
use prometheus::{Counter, Histogram, Gauge, Registry};
use std::sync::Arc;
pub struct Metrics {
pub registry: Registry,
pub http_requests_total: Counter,
pub http_request_duration: Histogram,
pub active_connections: Gauge,
pub auth_attempts_total: Counter,
pub auth_failures_total: Counter,
}
impl Metrics {
pub fn new() -> Arc<Self> {
let registry = Registry::new();
let http_requests_total = Counter::new(
"http_requests_total",
"Total HTTP requests"
).unwrap();
let http_request_duration = Histogram::new(
"http_request_duration_seconds",
"HTTP request duration"
).unwrap();
let active_connections = Gauge::new(
"active_connections",
"Active connections"
).unwrap();
let auth_attempts_total = Counter::new(
"auth_attempts_total",
"Total authentication attempts"
).unwrap();
let auth_failures_total = Counter::new(
"auth_failures_total",
"Total authentication failures"
).unwrap();
registry.register(Box::new(http_requests_total.clone())).unwrap();
registry.register(Box::new(http_request_duration.clone())).unwrap();
registry.register(Box::new(active_connections.clone())).unwrap();
registry.register(Box::new(auth_attempts_total.clone())).unwrap();
registry.register(Box::new(auth_failures_total.clone())).unwrap();
Arc::new(Metrics {
registry,
http_requests_total,
http_request_duration,
active_connections,
auth_attempts_total,
auth_failures_total,
})
}
}
```
### Structured Logging
```rust
// logging.rs
use tracing::{info, warn, error};
use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
pub fn init_logging() {
tracing_subscriber::registry()
.with(tracing_subscriber::EnvFilter::new(
std::env::var("RUST_LOG").unwrap_or_else(|_| "info".into()),
))
.with(tracing_subscriber::fmt::layer().json())
.init();
}
pub fn log_security_event(event_type: &str, details: serde_json::Value) {
info!(
event_type = event_type,
details = %details,
timestamp = %chrono::Utc::now(),
"Security event logged"
);
}
```
## Backup and Recovery
### Database Backup Script
```bash
#!/bin/bash
# backup-db.sh
set -e
DB_NAME="selfdb"
DB_USER="selfuser"
BACKUP_DIR="/backups"
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_FILE="$BACKUP_DIR/selfdb_backup_$DATE.sql"
# Create backup directory
mkdir -p $BACKUP_DIR
# Create database backup
pg_dump -h localhost -U $DB_USER -d $DB_NAME > $BACKUP_FILE
# Compress backup
gzip $BACKUP_FILE
# Upload to cloud storage (AWS S3 example)
aws s3 cp $BACKUP_FILE.gz s3://your-backup-bucket/database/
# Clean up old backups (keep last 30 days)
find $BACKUP_DIR -name "selfdb_backup_*.sql.gz" -mtime +30 -delete
echo "Backup completed: $BACKUP_FILE.gz"
```
### Automated Backup Cron Job
```bash
# Add to crontab: crontab -e
# Run backup every day at 2 AM
0 2 * * * /path/to/backup-db.sh >> /var/log/backup.log 2>&1
```
## Health Checks and Monitoring
### Health Check Endpoint
```rust
// health.rs
use axum::{Json, response::IntoResponse};
use serde_json::json;
use sqlx::PgPool;
pub async fn health_check(pool: &PgPool) -> impl IntoResponse {
let mut status = "healthy";
let mut checks = serde_json::Map::new();
// Database health check
match sqlx::query("SELECT 1").fetch_one(pool).await {
Ok(_) => {
checks.insert("database".to_string(), json!("healthy"));
}
Err(_) => {
status = "unhealthy";
checks.insert("database".to_string(), json!("unhealthy"));
}
}
// Memory usage check
let memory_usage = get_memory_usage();
if memory_usage < 90.0 {
checks.insert("memory".to_string(), json!("healthy"));
} else {
status = "degraded";
checks.insert("memory".to_string(), json!("high"));
}
Json(json!({
"status": status,
"timestamp": chrono::Utc::now(),
"version": env!("CARGO_PKG_VERSION"),
"checks": checks
}))
}
```
### Monitoring Dashboard
```yaml
# docker-compose.monitoring.yml
version: '3.8'
services:
prometheus:
image: prom/prometheus:latest
ports:
- "9090:9090"
volumes:
- ./prometheus.yml:/etc/prometheus/prometheus.yml
- prometheus_data:/prometheus
grafana:
image: grafana/grafana:latest
ports:
- "3000:3000"
environment:
- GF_SECURITY_ADMIN_PASSWORD=admin
volumes:
- grafana_data:/var/lib/grafana
- ./grafana/dashboards:/etc/grafana/provisioning/dashboards
- ./grafana/datasources:/etc/grafana/provisioning/datasources
volumes:
prometheus_data:
grafana_data:
```
## Security Hardening
### Server Hardening Checklist
1. **System Updates**
```bash
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
```
2. **Firewall Configuration**
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
```
3. **SSH Hardening**
```bash
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Port 2222 # Change default port
```
4. **Fail2Ban Setup**
```bash
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```
### Application Security
```rust
// security middleware
use axum::{
middleware::{self, Next},
http::{Request, HeaderMap, HeaderValue},
response::Response,
};
pub async fn security_headers<B>(
request: Request<B>,
next: Next<B>,
) -> Response {
let mut response = next.run(request).await;
let headers = response.headers_mut();
headers.insert("X-Frame-Options", HeaderValue::from_static("DENY"));
headers.insert("X-Content-Type-Options", HeaderValue::from_static("nosniff"));
headers.insert("X-XSS-Protection", HeaderValue::from_static("1; mode=block"));
headers.insert(
"Strict-Transport-Security",
HeaderValue::from_static("max-age=31536000; includeSubDomains")
);
response
}
```
## Deployment Scripts
### Deployment Automation
```bash
#!/bin/bash
# deploy.sh
set -e
echo "Starting deployment..."
# Pull latest code
git pull origin main
# Build Docker image
docker build -t self-identity:latest .
# Run database migrations
docker-compose exec postgres psql -U selfuser -d selfdb -f /migrations/latest.sql
# Update services with zero downtime
docker-compose up -d --no-deps self-server
# Wait for health check
echo "Waiting for service to be healthy..."
for i in {1..30}; do
if curl -f http://localhost:8080/health; then
echo "Service is healthy!"
break
fi
sleep 2
done
# Clean up old images
docker image prune -f
echo "Deployment completed successfully!"
```
### Rollback Script
```bash
#!/bin/bash
# rollback.sh
set -e
PREVIOUS_VERSION=${1:-"previous"}
echo "Rolling back to version: $PREVIOUS_VERSION"
# Pull previous image
docker pull self-identity:$PREVIOUS_VERSION
# Update docker-compose to use previous version
sed -i "s/self-identity:latest/self-identity:$PREVIOUS_VERSION/g" docker-compose.yml
# Restart services
docker-compose up -d --no-deps self-server
echo "Rollback completed!"
```
This comprehensive deployment guide covers all aspects of running Self in production, from infrastructure setup to monitoring and security. The configuration is designed for scalability, security, and maintainability.

729
docs/development.md Normal file
View File

@@ -0,0 +1,729 @@
# Development Guide
## Overview
This guide covers setting up a development environment, contributing to the Self project, and understanding the development workflow.
## Development Environment Setup
### Prerequisites
#### Required Tools
- **Rust**: Latest stable version (1.75+)
- **Node.js**: 18+ (for frontend tooling)
- **Trunk**: WASM build tool
- **PostgreSQL**: 12+ (for database development)
- **Docker**: For containerized development
- **Git**: Version control
#### Installation Commands
```bash
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env
# Add WASM target
rustup target add wasm32-unknown-unknown
# Install Trunk
cargo install trunk
# Install Node.js (using nvm)
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash
nvm install 18
nvm use 18
# Install PostgreSQL (Ubuntu/Debian)
sudo apt-get install postgresql postgresql-contrib
# Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
```
### Project Setup
#### Clone and Build
```bash
# Clone repository
git clone https://github.com/your-org/self.git
cd self
# Install dependencies and build
cargo build
# Build WASM components
cd app
trunk build
# Start development server
cd ../server
cargo run
# In another terminal, serve frontend
cd ../app
trunk serve
```
#### Development Database Setup
```bash
# Start PostgreSQL
sudo systemctl start postgresql
# Create development database
sudo -u postgres createdb selfdb_dev
sudo -u postgres createuser selfuser
sudo -u postgres psql -c "ALTER USER selfuser WITH PASSWORD 'devpassword';"
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE selfdb_dev TO selfuser;"
# Set environment variable
export DATABASE_URL="postgresql://selfuser:devpassword@localhost/selfdb_dev"
# Run migrations
cargo install sqlx-cli
sqlx migrate run
```
### Development Configuration
#### Environment Variables
```bash
# .env.development
DATABASE_URL=postgresql://selfuser:devpassword@localhost/selfdb_dev
JWT_SECRET=dev-secret-key-not-for-production
SMTP_HOST=localhost
SMTP_PORT=1025
RUST_LOG=debug
BASE_URL=http://localhost:8080
```
#### VS Code Configuration
```json
// .vscode/settings.json
{
"rust-analyzer.cargo.features": ["dev"],
"rust-analyzer.checkOnSave.command": "clippy",
"rust-analyzer.checkOnSave.extraArgs": ["--", "-W", "clippy::all"],
"files.associations": {
"*.rs": "rust"
},
"editor.formatOnSave": true,
"[rust]": {
"editor.defaultFormatter": "rust-lang.rust-analyzer"
}
}
```
```json
// .vscode/launch.json
{
"version": "0.2.0",
"configurations": [
{
"type": "lldb",
"request": "launch",
"name": "Debug Server",
"cargo": {
"args": ["build", "--bin=server"],
"filter": {
"name": "server",
"kind": "bin"
}
},
"args": [],
"cwd": "${workspaceFolder}/server"
}
]
}
```
## Project Structure
### Directory Layout
```
self/
├── components/ # Reusable Yew components
│ ├── src/
│ │ ├── crypto.rs # Cryptographic utilities
│ │ ├── vault.rs # Vault storage system
│ │ ├── vault_manager.rs # Vault management UI
│ │ ├── login.rs # Login component
│ │ ├── registration.rs # Registration component
│ │ ├── identity.rs # Identity management
│ │ ├── sign.rs # Digital signing
│ │ └── lib.rs # Component exports
│ ├── Cargo.toml
│ └── README.md
├── app/ # Reference application
│ ├── src/
│ │ └── lib.rs # Main application
│ ├── index.html # HTML template
│ ├── Trunk.toml # Trunk configuration
│ ├── serve.sh # Development server script
│ └── Cargo.toml
├── server/ # Backend server
│ ├── src/
│ │ └── main.rs # Server implementation
│ ├── migrations/ # Database migrations
│ └── Cargo.toml
├── docs/ # Documentation
├── tests/ # Integration tests
├── scripts/ # Development scripts
├── docker-compose.yml # Development containers
├── Cargo.toml # Workspace configuration
└── README.md
```
### Component Architecture
```rust
// Component dependency graph
components/
├── crypto.rs // Core cryptographic functions
├── vault.rs // Low-level vault operations
├── vault_manager.rs // Vault UI component (depends on vault)
├── registration.rs // Registration flow (depends on crypto, vault)
├── login.rs // Login flow (depends on crypto, vault)
├── identity.rs // Identity display (depends on vault)
└── sign.rs // Signing operations (depends on crypto, vault)
```
## Development Workflow
### Git Workflow
#### Branch Strategy
```bash
# Main branches
main # Production-ready code
develop # Integration branch for features
# Feature branches
feature/vault-system # New feature development
bugfix/auth-issue # Bug fixes
hotfix/security-patch # Critical fixes for production
```
#### Commit Convention
```bash
# Commit message format
<type>(<scope>): <description>
# Types
feat: # New feature
fix: # Bug fix
docs: # Documentation changes
style: # Code style changes (formatting, etc.)
refactor: # Code refactoring
test: # Adding or updating tests
chore: # Maintenance tasks
# Examples
feat(vault): add multi-key storage support
fix(auth): resolve JWT token validation issue
docs(api): update authentication flow documentation
```
### Development Commands
#### Common Tasks
```bash
# Format code
cargo fmt
# Run linter
cargo clippy
# Run tests
cargo test
# Run tests with coverage
cargo tarpaulin --out Html
# Check for security vulnerabilities
cargo audit
# Update dependencies
cargo update
# Build documentation
cargo doc --open
```
#### Frontend Development
```bash
# Start development server with hot reload
cd app
trunk serve --open
# Build for production
trunk build --release
# Run frontend tests
wasm-pack test --headless --firefox
```
#### Backend Development
```bash
# Start server with auto-reload
cd server
cargo watch -x run
# Run database migrations
sqlx migrate run
# Generate migration
sqlx migrate add create_users_table
# Check SQL queries at compile time
cargo sqlx prepare
```
## Testing Strategy
### Unit Tests
```rust
// Example unit test
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_key_generation() {
let keypair = generate_keypair().unwrap();
assert_eq!(keypair.private_key.len(), 64); // 32 bytes hex-encoded
assert_eq!(keypair.public_key.len(), 130); // 65 bytes hex-encoded
}
#[test]
fn test_encryption_roundtrip() {
let data = "test data";
let password = "test password";
let encrypted = encrypt_private_key(data, password).unwrap();
let decrypted = decrypt_private_key(&encrypted, password).unwrap();
assert_eq!(data, decrypted);
}
}
```
### Integration Tests
```rust
// tests/integration_test.rs
use self_server::*;
use reqwest;
use tokio;
#[tokio::test]
async fn test_registration_flow() {
// Start test server
let server = start_test_server().await;
let client = reqwest::Client::new();
// Test email verification
let response = client
.post(&format!("{}/api/send-verification", server.url()))
.json(&json!({"email": "test@example.com"}))
.send()
.await
.unwrap();
assert_eq!(response.status(), 200);
// Test registration
let keypair = generate_keypair().unwrap();
let response = client
.post(&format!("{}/api/register", server.url()))
.json(&json!({
"email": "test@example.com",
"name": "Test User",
"public_key": keypair.public_key
}))
.send()
.await
.unwrap();
assert_eq!(response.status(), 200);
}
```
### WASM Tests
```rust
// tests/wasm_tests.rs
use wasm_bindgen_test::*;
wasm_bindgen_test_configure!(run_in_browser);
#[wasm_bindgen_test]
fn test_crypto_in_browser() {
let keypair = generate_keypair().unwrap();
assert!(!keypair.private_key.is_empty());
assert!(!keypair.public_key.is_empty());
}
```
### End-to-End Tests
```javascript
// e2e/registration.spec.js
const { test, expect } = require('@playwright/test');
test('user registration flow', async ({ page }) => {
await page.goto('http://localhost:8000');
// Fill registration form
await page.fill('[data-testid="name-input"]', 'Test User');
await page.fill('[data-testid="email-input"]', 'test@example.com');
await page.click('[data-testid="send-verification"]');
// Wait for verification (in test environment)
await page.waitForSelector('[data-testid="email-verified"]');
// Generate keys
await page.click('[data-testid="generate-keys"]');
await page.fill('[data-testid="password-input"]', 'testpassword123');
await page.fill('[data-testid="confirm-password"]', 'testpassword123');
// Complete registration
await page.click('[data-testid="complete-registration"]');
await expect(page.locator('[data-testid="registration-success"]')).toBeVisible();
});
```
## Code Style and Standards
### Rust Style Guide
#### Naming Conventions
```rust
// Use snake_case for functions and variables
fn generate_keypair() -> Result<KeyPair, String> { }
let private_key = "...";
// Use PascalCase for types and traits
struct KeyPair { }
trait VaultStorage { }
// Use SCREAMING_SNAKE_CASE for constants
const DEFAULT_ITERATIONS: u32 = 10_000;
// Use descriptive names
fn encrypt_private_key_with_password() // Good
fn encrypt() // Too generic
```
#### Error Handling
```rust
// Use Result types for fallible operations
fn risky_operation() -> Result<String, MyError> {
// Implementation
}
// Use ? operator for error propagation
fn calling_function() -> Result<(), MyError> {
let result = risky_operation()?;
Ok(())
}
// Provide context for errors
fn with_context() -> Result<(), Box<dyn std::error::Error>> {
risky_operation()
.map_err(|e| format!("Failed to perform risky operation: {}", e))?;
Ok(())
}
```
#### Documentation
```rust
/// Generates a new secp256k1 key pair for cryptographic operations.
///
/// This function uses cryptographically secure random number generation
/// to create a private key, then derives the corresponding public key.
///
/// # Returns
///
/// Returns a `Result` containing a `KeyPair` on success, or a `String`
/// error message on failure.
///
/// # Errors
///
/// This function will return an error if:
/// - Random number generation fails
/// - Key validation fails
/// - Public key derivation fails
///
/// # Examples
///
/// ```
/// use self_components::generate_keypair;
///
/// let keypair = generate_keypair().expect("Failed to generate keypair");
/// println!("Public key: {}", keypair.public_key);
/// ```
pub fn generate_keypair() -> Result<KeyPair, String> {
// Implementation
}
```
### Frontend Style Guide
#### Component Structure
```rust
// Component organization
pub struct MyComponent {
// State fields
loading: bool,
error_message: Option<String>,
data: Option<MyData>,
}
pub enum MyMsg {
// User actions
LoadData,
UpdateField(String),
Submit,
// Async responses
DataLoaded(MyData),
LoadFailed(String),
// UI events
ClearError,
}
impl Component for MyComponent {
type Message = MyMsg;
type Properties = MyProps;
fn create(ctx: &Context<Self>) -> Self {
// Initialize component
}
fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
// Handle messages
}
fn view(&self, ctx: &Context<Self>) -> Html {
// Render component
}
}
```
#### HTML Structure
```rust
// Use semantic HTML and proper accessibility
fn view(&self, ctx: &Context<Self>) -> Html {
html! {
<main class="container" role="main">
<h1>{"Page Title"}</h1>
<form onsubmit={ctx.link().callback(|e: SubmitEvent| {
e.prevent_default();
MyMsg::Submit
})}>
<div class="form-group">
<label for="email-input">{"Email Address"}</label>
<input
id="email-input"
type="email"
class="form-control"
required=true
aria-describedby="email-help"
value={self.email.clone()}
oninput={ctx.link().callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
MyMsg::UpdateEmail(input.value())
})}
/>
<small id="email-help" class="form-text text-muted">
{"We'll never share your email with anyone else."}
</small>
</div>
<button type="submit" class="btn btn-primary" disabled={self.loading}>
{if self.loading { "Loading..." } else { "Submit" }}
</button>
</form>
</main>
}
}
```
## Debugging and Troubleshooting
### Common Issues
#### WASM Build Failures
```bash
# Clear trunk cache
trunk clean
# Rebuild with verbose output
trunk build --verbose
# Check for missing dependencies
cargo check --target wasm32-unknown-unknown
```
#### Database Connection Issues
```bash
# Check PostgreSQL status
sudo systemctl status postgresql
# Test connection
psql -h localhost -U selfuser -d selfdb_dev
# Reset database
dropdb selfdb_dev && createdb selfdb_dev
sqlx migrate run
```
#### CORS Issues
```rust
// Add CORS middleware in development
use tower_http::cors::{CorsLayer, Any};
let app = Router::new()
.layer(
CorsLayer::new()
.allow_origin(Any)
.allow_methods(Any)
.allow_headers(Any)
);
```
### Debugging Tools
#### Browser DevTools
```javascript
// Enable debug logging in browser
localStorage.setItem('debug', 'self:*');
// View WASM memory usage
console.log(performance.memory);
// Inspect localStorage
console.log(localStorage.getItem('self_vault'));
```
#### Server Debugging
```rust
// Add debug logging
use tracing::{debug, info, warn, error};
debug!("Processing request: {:?}", request);
info!("User authenticated: {}", user_id);
warn!("Rate limit approaching: {}", current_rate);
error!("Database connection failed: {}", error);
```
## Contributing Guidelines
### Pull Request Process
1. **Fork and Branch**
```bash
git checkout -b feature/my-new-feature
```
2. **Make Changes**
- Follow code style guidelines
- Add tests for new functionality
- Update documentation
3. **Test Changes**
```bash
cargo test
cargo clippy
cargo fmt --check
```
4. **Submit PR**
- Write clear commit messages
- Include description of changes
- Reference related issues
### Code Review Checklist
#### Functionality
- [ ] Code works as intended
- [ ] Edge cases are handled
- [ ] Error conditions are properly managed
- [ ] Performance is acceptable
#### Security
- [ ] Input validation is present
- [ ] No secrets in code
- [ ] Cryptographic operations are correct
- [ ] Authentication/authorization is proper
#### Code Quality
- [ ] Code is readable and well-documented
- [ ] Tests are comprehensive
- [ ] No code duplication
- [ ] Follows project conventions
#### Documentation
- [ ] Public APIs are documented
- [ ] README is updated if needed
- [ ] Breaking changes are noted
- [ ] Examples are provided
### Release Process
#### Version Numbering
```bash
# Semantic versioning: MAJOR.MINOR.PATCH
1.0.0 # Initial release
1.0.1 # Bug fix
1.1.0 # New feature
2.0.0 # Breaking change
```
#### Release Checklist
1. **Pre-release**
- [ ] All tests pass
- [ ] Documentation updated
- [ ] CHANGELOG.md updated
- [ ] Version numbers bumped
2. **Release**
- [ ] Create release tag
- [ ] Build release artifacts
- [ ] Deploy to staging
- [ ] Run integration tests
3. **Post-release**
- [ ] Deploy to production
- [ ] Monitor for issues
- [ ] Update documentation site
- [ ] Announce release
This development guide provides everything needed to contribute to the Self project effectively, from initial setup through the release process.

434
docs/openid-compliance.md Normal file
View File

@@ -0,0 +1,434 @@
# OpenID Connect Compliance
## Overview
Self implements OpenID Connect (OIDC) compatible endpoints while maintaining its self-sovereign identity principles. The implementation provides standard OAuth 2.0 and OIDC flows that can integrate with existing identity providers and relying party applications.
## OpenID Connect Implementation
### Supported Flows
#### 1. Client Credentials Flow with Cryptographic Assertions
Self implements a modified client credentials flow using cryptographic signatures instead of client secrets:
```mermaid
sequenceDiagram
participant C as Client
participant S as Self Server
participant RP as Relying Party
Note over C,RP: Authentication Flow
C->>S: POST /oauth/token (with signature)
S->>S: Verify cryptographic signature
S->>C: Return access_token (JWT)
C->>S: GET /oauth/userinfo (Bearer token)
S->>C: Return user claims
C->>RP: Present identity claims
```
#### 2. Authorization Code Flow (Future)
Planned implementation for web applications:
```mermaid
sequenceDiagram
participant U as User
participant RP as Relying Party
participant S as Self Server
U->>RP: Access protected resource
RP->>S: Redirect to /oauth/authorize
S->>U: Present consent screen
U->>S: Approve/deny consent
S->>RP: Redirect with authorization code
RP->>S: POST /oauth/token (exchange code)
S->>RP: Return access_token + id_token
```
### Endpoint Compliance
#### Token Endpoint - `/oauth/token`
**OAuth 2.0 Compliance:**
- ✅ Supports `client_credentials` grant type
- ✅ Returns standard token response format
- ✅ Implements proper error responses
- ✅ Validates client authentication
- 🔄 Planned: `authorization_code` grant type
- 🔄 Planned: `refresh_token` support
**Request Format:**
```json
{
"grant_type": "client_credentials",
"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"client_assertion": "signed-jwt-containing-challenge-response",
"public_key": "client-identifier",
"challenge": "server-provided-challenge",
"scope": "openid profile"
}
```
**Response Format:**
```json
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "openid profile"
}
```
#### UserInfo Endpoint - `/oauth/userinfo`
**OpenID Connect Compliance:**
- ✅ Requires Bearer token authentication
- ✅ Returns standard OIDC claims
- ✅ Supports CORS for cross-origin requests
- ✅ Validates JWT token signatures
- ✅ Returns appropriate error responses
**Response Format:**
```json
{
"sub": "user-unique-identifier",
"email": "user@example.com",
"name": "John Doe",
"public_key": "04a1b2c3d4e5f6...",
"created_at": "1640995200"
}
```
### JWT Token Structure
#### Access Token Claims
```rust
struct Claims {
// Standard OIDC claims
sub: String, // Subject identifier (public key)
iss: String, // Issuer ("self-sovereign-identity")
aud: String, // Audience ("identity-server")
exp: usize, // Expiration time
iat: usize, // Issued at time
// OAuth 2.0 claims
scope: String, // Granted scopes
// Self-specific claims
challenge: Option<String>, // Authentication challenge
}
```
#### ID Token (Future Implementation)
```rust
struct IdTokenClaims {
// Required OIDC claims
sub: String, // Subject identifier
iss: String, // Issuer
aud: String, // Audience (client_id)
exp: usize, // Expiration time
iat: usize, // Issued at time
// Optional OIDC claims
email: Option<String>,
name: Option<String>,
picture: Option<String>,
// Authentication context
auth_time: Option<usize>,
nonce: Option<String>,
}
```
## Discovery Document
### OpenID Configuration Endpoint
**Planned Implementation:** `/.well-known/openid-configuration`
```json
{
"issuer": "https://identity.example.com",
"authorization_endpoint": "https://identity.example.com/oauth/authorize",
"token_endpoint": "https://identity.example.com/oauth/token",
"userinfo_endpoint": "https://identity.example.com/oauth/userinfo",
"jwks_uri": "https://identity.example.com/.well-known/jwks.json",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token"
],
"grant_types_supported": [
"authorization_code",
"client_credentials",
"refresh_token"
],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["HS256", "RS256"],
"scopes_supported": [
"openid",
"profile",
"email"
],
"claims_supported": [
"sub",
"iss",
"aud",
"exp",
"iat",
"email",
"name",
"public_key",
"created_at"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_assertion"
],
"token_endpoint_auth_signing_alg_values_supported": ["HS256", "RS256"]
}
```
### JWKS Endpoint
**Planned Implementation:** `/.well-known/jwks.json`
```json
{
"keys": [
{
"kty": "oct",
"use": "sig",
"kid": "self-signing-key-1",
"alg": "HS256",
"k": "base64url-encoded-secret"
}
]
}
```
## Scope and Claims Mapping
### Supported Scopes
| Scope | Description | Claims Returned |
|-------|-------------|-----------------|
| `openid` | OpenID Connect authentication | `sub`, `iss`, `aud`, `exp`, `iat` |
| `profile` | Basic profile information | `name`, `public_key`, `created_at` |
| `email` | Email address | `email` |
### Claim Definitions
| Claim | Type | Description | Source |
|-------|------|-------------|--------|
| `sub` | string | Subject identifier (unique user ID) | User record ID |
| `email` | string | Email address | User registration |
| `name` | string | Display name | User registration |
| `public_key` | string | Cryptographic public key | Key generation |
| `created_at` | string | Account creation timestamp | Registration time |
## Integration Examples
### Relying Party Integration
#### JavaScript Client
```javascript
class SelfOIDCClient {
constructor(issuer, clientId) {
this.issuer = issuer;
this.clientId = clientId;
}
async authenticate(publicKey, signature, challenge) {
const tokenResponse = await fetch(`${this.issuer}/oauth/token`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
grant_type: 'client_credentials',
client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
client_assertion: signature,
public_key: publicKey,
challenge: challenge,
scope: 'openid profile email'
})
});
const tokens = await tokenResponse.json();
// Get user info
const userInfoResponse = await fetch(`${this.issuer}/oauth/userinfo`, {
headers: {
'Authorization': `Bearer ${tokens.access_token}`
}
});
return await userInfoResponse.json();
}
}
```
#### Node.js Server
```javascript
const express = require('express');
const jwt = require('jsonwebtoken');
const app = express();
// Middleware to verify Self tokens
function verifySelfToken(req, res, next) {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Missing or invalid authorization header' });
}
const token = authHeader.substring(7);
try {
// Verify token with Self's public key or shared secret
const decoded = jwt.verify(token, process.env.SELF_JWT_SECRET);
req.user = decoded;
next();
} catch (error) {
return res.status(401).json({ error: 'Invalid token' });
}
}
// Protected route
app.get('/protected', verifySelfToken, (req, res) => {
res.json({
message: 'Access granted',
user: req.user
});
});
```
### Identity Provider Integration
#### SAML Bridge
```rust
// Future implementation: SAML assertion generation
pub struct SamlAssertion {
pub subject: String,
pub issuer: String,
pub audience: String,
pub attributes: HashMap<String, String>,
pub signature: String,
}
impl SamlAssertion {
pub fn from_oidc_claims(claims: &Claims) -> Self {
let mut attributes = HashMap::new();
attributes.insert("email".to_string(), claims.email.clone());
attributes.insert("name".to_string(), claims.name.clone());
attributes.insert("public_key".to_string(), claims.public_key.clone());
SamlAssertion {
subject: claims.sub.clone(),
issuer: claims.iss.clone(),
audience: "saml-service-provider".to_string(),
attributes,
signature: "".to_string(), // Generate SAML signature
}
}
}
```
## Security Considerations
### Token Security
1. **JWT Signing**: Tokens signed with HMAC-SHA256 or RSA-SHA256
2. **Token Expiration**: Short-lived tokens (1 hour default)
3. **Scope Validation**: Strict scope checking for claims
4. **Audience Validation**: Tokens bound to specific audiences
### OIDC Security Best Practices
1. **PKCE Support**: Planned for authorization code flow
2. **State Parameter**: Anti-CSRF protection
3. **Nonce Validation**: Replay attack prevention
4. **HTTPS Only**: All endpoints require HTTPS in production
### Self-Sovereign Considerations
1. **No Central Authority**: Users control their own identity
2. **Cryptographic Authentication**: No passwords or shared secrets
3. **Local Key Storage**: Private keys never transmitted
4. **Minimal Data Collection**: Only necessary claims stored
## Compliance Status
### OAuth 2.0 RFC 6749
| Requirement | Status | Notes |
|-------------|--------|-------|
| Authorization Endpoint | 🔄 Planned | For authorization code flow |
| Token Endpoint | ✅ Implemented | Client credentials flow |
| Error Responses | ✅ Implemented | Standard error format |
| Access Token Format | ✅ Implemented | JWT tokens |
| Scope Parameter | ✅ Implemented | openid, profile, email |
### OpenID Connect Core 1.0
| Requirement | Status | Notes |
|-------------|--------|-------|
| ID Token | 🔄 Planned | JWT format with required claims |
| UserInfo Endpoint | ✅ Implemented | Standard claims format |
| Discovery | 🔄 Planned | .well-known/openid-configuration |
| Authentication | ✅ Implemented | Cryptographic challenge-response |
| Claims | ✅ Implemented | Standard and custom claims |
### OpenID Connect Discovery 1.0
| Requirement | Status | Notes |
|-------------|--------|-------|
| Configuration Endpoint | 🔄 Planned | Metadata document |
| JWKS Endpoint | 🔄 Planned | Public key distribution |
| Dynamic Registration | ❌ Not Planned | Self-sovereign model |
## Future Enhancements
### Planned Features
1. **Authorization Code Flow**: Full web application support
2. **ID Tokens**: Standard OIDC ID token implementation
3. **Refresh Tokens**: Long-lived session management
4. **Discovery Document**: Standard OIDC discovery
5. **JWKS Endpoint**: Public key distribution
6. **PKCE Support**: Enhanced security for public clients
### Advanced Features
1. **Federation**: Trust relationships with other identity providers
2. **Delegation**: Temporary identity delegation
3. **Multi-Factor**: Additional authentication factors
4. **Device Flow**: Support for device authentication
5. **Logout**: Single logout implementation
### Standards Compliance
1. **RFC 7636**: PKCE implementation
2. **RFC 7662**: Token introspection
3. **RFC 7009**: Token revocation
4. **RFC 8693**: Token exchange
5. **OpenID Connect Session Management**: Session handling

545
docs/security-model.md Normal file
View File

@@ -0,0 +1,545 @@
# Security Model
## Overview
Self implements a comprehensive security model based on self-sovereign identity principles, cryptographic authentication, and zero-knowledge architecture. The security model prioritizes user control, data minimization, and defense in depth.
## Security Principles
### 1. Self-Sovereign Identity
- **User Control**: Users generate and control their own cryptographic keys
- **No Central Authority**: No single point of failure or control
- **Decentralized Trust**: Trust distributed across cryptographic proofs
- **Data Ownership**: Users own and control their identity data
### 2. Zero-Knowledge Architecture
- **Client-Side Encryption**: All sensitive operations performed locally
- **No Server Secrets**: Server never sees private keys or passwords
- **Minimal Data Collection**: Only necessary public information stored
- **Cryptographic Proofs**: Authentication without revealing secrets
### 3. Defense in Depth
- **Multiple Security Layers**: Transport, application, and storage security
- **Fail-Safe Defaults**: Secure by default configuration
- **Principle of Least Privilege**: Minimal necessary permissions
- **Security Monitoring**: Comprehensive logging and monitoring
## Threat Model
### Assets to Protect
1. **Private Keys**: User's cryptographic private keys
2. **Passwords**: User-chosen encryption passwords
3. **Identity Data**: Personal information and metadata
4. **Session Tokens**: Authentication tokens and sessions
5. **Communication**: Data in transit between client and server
### Threat Actors
#### 1. External Attackers
- **Capabilities**: Network access, public endpoints
- **Motivations**: Identity theft, financial gain, disruption
- **Attack Vectors**: Network attacks, social engineering, malware
#### 2. Malicious Insiders
- **Capabilities**: Server access, code modification
- **Motivations**: Data theft, sabotage, espionage
- **Attack Vectors**: Privilege abuse, backdoors, data exfiltration
#### 3. Nation-State Actors
- **Capabilities**: Advanced persistent threats, zero-days
- **Motivations**: Surveillance, intelligence gathering
- **Attack Vectors**: Supply chain attacks, infrastructure compromise
#### 4. Compromised Infrastructure
- **Capabilities**: Server compromise, DNS hijacking
- **Motivations**: Data theft, service disruption
- **Attack Vectors**: Infrastructure attacks, certificate compromise
### Attack Scenarios
#### Scenario 1: Private Key Theft
**Attack**: Malware extracts encrypted private keys from localStorage
```
Threat: Malware on user device
Impact: Identity compromise if password is weak
Mitigation: Strong encryption, password requirements
Residual Risk: Weak user passwords
```
#### Scenario 2: Server Compromise
**Attack**: Attacker gains full server access
```
Threat: Server infrastructure compromise
Impact: User data exposure, service disruption
Mitigation: No private keys on server, encrypted storage
Residual Risk: Public key and email exposure
```
#### Scenario 3: Man-in-the-Middle
**Attack**: Network traffic interception and modification
```
Threat: Network-level attacker
Impact: Authentication bypass, data theft
Mitigation: HTTPS, certificate pinning, signature verification
Residual Risk: Certificate authority compromise
```
#### Scenario 4: Social Engineering
**Attack**: Trick user into revealing password or private key
```
Threat: Social engineering attack
Impact: Full identity compromise
Mitigation: User education, secure key handling
Residual Risk: User susceptibility to social engineering
```
## Security Controls
### Cryptographic Controls
#### 1. Key Generation
```rust
// Secure random number generation
use getrandom::getrandom;
fn generate_secure_key() -> Result<[u8; 32], CryptoError> {
let mut key = [0u8; 32];
getrandom(&mut key)?;
// Validate key is not weak
if key.iter().all(|&b| b == 0) {
return Err(CryptoError::WeakKey);
}
Ok(key)
}
```
**Controls:**
- Cryptographically secure random number generation
- Key validation to prevent weak keys
- Proper entropy collection from OS
#### 2. Encryption
```rust
// AES-256-GCM with proper nonce handling
use aes_gcm::{Aes256Gcm, Key, Nonce, aead::{Aead, KeyInit}};
fn encrypt_data(data: &[u8], key: &[u8; 32]) -> Result<EncryptedData, CryptoError> {
let cipher = Aes256Gcm::new(Key::from_slice(key));
// Generate random nonce
let mut nonce_bytes = [0u8; 12];
getrandom(&mut nonce_bytes)?;
let nonce = Nonce::from_slice(&nonce_bytes);
let ciphertext = cipher.encrypt(nonce, data)?;
Ok(EncryptedData {
ciphertext,
nonce: nonce_bytes,
})
}
```
**Controls:**
- AES-256-GCM authenticated encryption
- Random nonce generation for each encryption
- Authenticated encryption prevents tampering
#### 3. Key Derivation
```rust
// PBKDF2 with configurable iterations
use pbkdf2::{pbkdf2_hmac};
use sha2::Sha256;
fn derive_key(password: &str, salt: &[u8], iterations: u32) -> [u8; 32] {
let mut key = [0u8; 32];
pbkdf2_hmac::<Sha256>(password.as_bytes(), salt, iterations, &mut key);
key
}
```
**Controls:**
- PBKDF2 with SHA-256 for key derivation
- Configurable iteration count (minimum 10,000)
- Random salt for each key derivation
### Access Controls
#### 1. Authentication
```rust
pub enum AuthenticationLevel {
None, // No authentication required
PublicKey, // Public key verification only
Signature, // Cryptographic signature required
Password, // Password-based access
}
impl AccessControl {
pub fn check_authentication(&self, level: AuthenticationLevel) -> Result<(), AuthError> {
match level {
AuthenticationLevel::None => Ok(()),
AuthenticationLevel::PublicKey => self.verify_public_key(),
AuthenticationLevel::Signature => self.verify_signature(),
AuthenticationLevel::Password => self.verify_password(),
}
}
}
```
#### 2. Authorization
```rust
pub struct Permission {
pub resource: String,
pub action: String,
pub conditions: Vec<String>,
}
impl Authorization {
pub fn check_permission(&self, user: &User, permission: &Permission) -> bool {
// Check if user has required permission
self.user_permissions.get(&user.id)
.map(|perms| perms.contains(permission))
.unwrap_or(false)
}
}
```
### Network Security
#### 1. Transport Layer Security
```rust
// HTTPS configuration
use axum_server::tls_rustls::RustlsConfig;
async fn create_tls_server() -> Result<(), ServerError> {
let config = RustlsConfig::from_pem_file(
PathBuf::from("cert.pem"),
PathBuf::from("key.pem"),
).await?;
let app = create_app();
axum_server::bind_rustls("0.0.0.0:443".parse()?, config)
.serve(app.into_make_service())
.await?;
Ok(())
}
```
**Controls:**
- TLS 1.3 for all communications
- Certificate validation and pinning
- HSTS headers for HTTPS enforcement
#### 2. CORS Configuration
```rust
use tower_http::cors::{CorsLayer, Any};
fn configure_cors() -> CorsLayer {
CorsLayer::new()
.allow_origin(Any) // Configure for production
.allow_methods([Method::GET, Method::POST])
.allow_headers([header::CONTENT_TYPE, header::AUTHORIZATION])
.allow_credentials(false)
}
```
### Application Security
#### 1. Input Validation
```rust
use validator::{Validate, ValidationError};
#[derive(Validate)]
pub struct RegistrationRequest {
#[validate(email)]
pub email: String,
#[validate(length(min = 1, max = 100))]
pub name: String,
#[validate(custom = "validate_public_key")]
pub public_key: String,
}
fn validate_public_key(public_key: &str) -> Result<(), ValidationError> {
if !is_valid_hex(public_key) || public_key.len() != 130 {
return Err(ValidationError::new("invalid_public_key"));
}
Ok(())
}
```
#### 2. Error Handling
```rust
pub enum SecurityError {
InvalidInput(String),
AuthenticationFailed,
AuthorizationDenied,
CryptographicError(String),
RateLimitExceeded,
}
impl SecurityError {
pub fn safe_message(&self) -> &'static str {
match self {
SecurityError::InvalidInput(_) => "Invalid input provided",
SecurityError::AuthenticationFailed => "Authentication failed",
SecurityError::AuthorizationDenied => "Access denied",
SecurityError::CryptographicError(_) => "Cryptographic operation failed",
SecurityError::RateLimitExceeded => "Rate limit exceeded",
}
}
}
```
### Storage Security
#### 1. Client-Side Storage
```rust
// Secure localStorage usage
pub struct SecureStorage {
prefix: String,
}
impl SecureStorage {
pub fn store_encrypted(&self, key: &str, data: &EncryptedData) -> Result<(), StorageError> {
let storage_key = format!("{}_{}", self.prefix, key);
let serialized = serde_json::to_string(data)?;
web_sys::window()
.and_then(|w| w.local_storage().ok().flatten())
.ok_or(StorageError::NotAvailable)?
.set_item(&storage_key, &serialized)
.map_err(|_| StorageError::WriteFailed)?;
Ok(())
}
}
```
#### 2. Server-Side Storage
```rust
// Minimal server storage
pub struct UserRecord {
pub id: String,
pub email: String, // Not sensitive
pub public_key: String, // Public by definition
pub name: String, // User-provided, not sensitive
pub created_at: String, // Timestamp, not sensitive
// Note: No private keys or passwords stored
}
```
## Security Monitoring
### Logging Strategy
#### 1. Security Events
```rust
use tracing::{info, warn, error};
pub fn log_authentication_attempt(public_key: &str, success: bool) {
if success {
info!(
event = "authentication_success",
public_key = %public_key[..8], // Log only prefix
timestamp = %Utc::now()
);
} else {
warn!(
event = "authentication_failure",
public_key = %public_key[..8],
timestamp = %Utc::now()
);
}
}
```
#### 2. Anomaly Detection
```rust
pub struct SecurityMonitor {
failed_attempts: HashMap<String, Vec<DateTime<Utc>>>,
rate_limits: HashMap<String, RateLimit>,
}
impl SecurityMonitor {
pub fn check_suspicious_activity(&mut self, public_key: &str) -> bool {
let now = Utc::now();
let attempts = self.failed_attempts.entry(public_key.to_string()).or_default();
// Remove old attempts (older than 1 hour)
attempts.retain(|&time| now.signed_duration_since(time).num_hours() < 1);
// Check if too many recent failures
attempts.len() > 5
}
}
```
### Metrics Collection
#### 1. Security Metrics
```rust
use prometheus::{Counter, Histogram, Gauge};
lazy_static! {
static ref AUTH_ATTEMPTS: Counter = Counter::new(
"auth_attempts_total", "Total authentication attempts"
).unwrap();
static ref AUTH_FAILURES: Counter = Counter::new(
"auth_failures_total", "Total authentication failures"
).unwrap();
static ref CRYPTO_OPERATIONS: Histogram = Histogram::new(
"crypto_operation_duration_seconds", "Cryptographic operation duration"
).unwrap();
}
```
## Incident Response
### Security Incident Types
#### 1. Key Compromise
**Response Procedure:**
1. Immediately revoke affected tokens
2. Notify user through secure channel
3. Guide user through key rotation process
4. Monitor for unauthorized usage
5. Update security controls if needed
#### 2. Server Compromise
**Response Procedure:**
1. Isolate affected systems
2. Assess scope of compromise
3. Rotate server secrets and certificates
4. Notify users of potential impact
5. Implement additional monitoring
#### 3. Vulnerability Discovery
**Response Procedure:**
1. Assess vulnerability severity
2. Develop and test fix
3. Deploy fix to production
4. Notify users if necessary
5. Conduct post-incident review
### Recovery Procedures
#### 1. Key Recovery
```rust
pub struct KeyRecovery {
pub backup_methods: Vec<BackupMethod>,
pub recovery_contacts: Vec<String>,
}
pub enum BackupMethod {
ExportedVault,
PaperBackup,
HardwareToken,
SocialRecovery,
}
```
#### 2. Service Recovery
```rust
pub struct ServiceRecovery {
pub backup_servers: Vec<String>,
pub database_backups: Vec<BackupInfo>,
pub recovery_time_objective: Duration,
pub recovery_point_objective: Duration,
}
```
## Compliance and Auditing
### Regulatory Compliance
#### 1. GDPR Compliance
- **Right to Access**: Users can export their data
- **Right to Rectification**: Users can update their information
- **Right to Erasure**: Users can delete their accounts
- **Data Portability**: Vault export functionality
- **Privacy by Design**: Minimal data collection
#### 2. SOX Compliance
- **Access Controls**: Role-based access control
- **Audit Trails**: Comprehensive logging
- **Data Integrity**: Cryptographic verification
- **Change Management**: Controlled deployment process
### Security Auditing
#### 1. Code Auditing
```rust
// Security-focused code review checklist
pub struct SecurityAudit {
pub crypto_review: bool, // Cryptographic implementation review
pub input_validation: bool, // Input validation coverage
pub error_handling: bool, // Secure error handling
pub access_control: bool, // Authorization checks
pub logging_review: bool, // Security logging adequacy
}
```
#### 2. Penetration Testing
- **Network Security**: External network testing
- **Application Security**: Web application testing
- **Client Security**: Browser-based testing
- **Social Engineering**: User awareness testing
## Security Best Practices
### Development Security
1. **Secure Coding Standards**
- Input validation on all user inputs
- Output encoding for all outputs
- Proper error handling without information leakage
- Secure random number generation
2. **Code Review Process**
- Security-focused peer reviews
- Automated security scanning
- Cryptographic implementation review
- Third-party security audits
3. **Testing Strategy**
- Unit tests for security functions
- Integration tests for auth flows
- Penetration testing
- Fuzzing for input validation
### Deployment Security
1. **Infrastructure Security**
- Hardened server configurations
- Network segmentation
- Intrusion detection systems
- Regular security updates
2. **Configuration Management**
- Secure default configurations
- Environment-specific settings
- Secret management systems
- Configuration validation
### Operational Security
1. **Monitoring and Alerting**
- Real-time security monitoring
- Automated threat detection
- Incident response procedures
- Regular security assessments
2. **User Education**
- Security awareness training
- Best practice documentation
- Phishing awareness
- Incident reporting procedures

480
docs/server-api.md Normal file
View File

@@ -0,0 +1,480 @@
# Server API Documentation
## Overview
The Self identity server provides a RESTful API for email verification, user registration, and OAuth 2.0 compatible authentication. The server is built with Rust and Axum, providing high performance and security.
## Base Configuration
- **Default Port**: 8080
- **Protocol**: HTTP/HTTPS
- **Content-Type**: application/json
- **CORS**: Enabled for cross-origin requests
## API Endpoints
### Health Check
#### GET /health
Health check endpoint for monitoring and load balancers.
**Response:**
```json
{
"status": "healthy",
"service": "self-server"
}
```
**Status Codes:**
- `200 OK`: Service is healthy
---
### Email Verification
#### POST /api/send-verification
Initiates email verification process for new user registration.
**Request Body:**
```json
{
"email": "user@example.com"
}
```
**Response:**
```json
{
"success": true,
"message": "Verification email sent",
"verification_url": "http://localhost:8080/api/verify/uuid-token"
}
```
**Status Codes:**
- `200 OK`: Verification email sent successfully
- `400 Bad Request`: Invalid email format
- `500 Internal Server Error`: Server error
**Notes:**
- In development mode, verification URL is logged to console
- Production should integrate with SMTP service
- Verification tokens are UUID v4 format
#### GET /api/verification-status/{email}
Server-Sent Events stream for real-time verification status updates.
**Parameters:**
- `email`: URL-encoded email address
**Response:** SSE stream with events:
```
data: verified
```
**Event Types:**
- `verified`: Email has been successfully verified
- `keep-alive`: Periodic keep-alive message
**Usage Example:**
```javascript
const eventSource = new EventSource('/api/verification-status/user@example.com');
eventSource.onmessage = function(event) {
if (event.data === 'verified') {
// Update UI to show verified status
}
};
```
#### GET /api/verify/{token}
Email verification callback endpoint. Users click this link from their email.
**Parameters:**
- `token`: Verification token from email link
**Response:** HTML page confirming verification
**Status Codes:**
- `200 OK`: Email verified successfully
- `400 Bad Request`: Invalid or expired token
**HTML Response (Success):**
```html
<!DOCTYPE html>
<html>
<head><title>Email Verified</title></head>
<body>
<div class="container">
<div class="success"></div>
<h1>Email Verified Successfully!</h1>
<p>Your email address has been verified.</p>
</div>
</body>
</html>
```
---
### User Registration
#### POST /api/register
Completes user registration after email verification.
**Request Body:**
```json
{
"email": "user@example.com",
"name": "John Doe",
"public_key": "04a1b2c3d4e5f6..."
}
```
**Response:**
```json
{
"success": true,
"message": "Registration completed successfully",
"user_id": "uuid-user-id"
}
```
**Error Response:**
```json
{
"success": false,
"message": "Email not verified",
"user_id": null
}
```
**Status Codes:**
- `200 OK`: Registration successful
- `400 Bad Request`: Email not verified or invalid data
- `500 Internal Server Error`: Server error
**Validation:**
- Email must be verified before registration
- Public key must be valid hex format
- Name cannot be empty
---
### OAuth 2.0 Authentication
#### POST /oauth/token
OAuth 2.0 token endpoint for cryptographic authentication.
**Request Body:**
```json
{
"grant_type": "client_credentials",
"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"client_assertion": "signed-jwt-token",
"public_key": "04a1b2c3d4e5f6...",
"challenge": "server-challenge",
"scope": "openid profile"
}
```
**Response:**
```json
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600
}
```
**Error Response:**
```json
{
"error": "invalid_client",
"error_description": "User not found"
}
```
**Status Codes:**
- `200 OK`: Authentication successful
- `401 Unauthorized`: Invalid credentials or signature
- `400 Bad Request`: Malformed request
**OAuth 2.0 Error Codes:**
- `invalid_client`: Public key not found
- `invalid_grant`: Invalid signature or challenge
- `unsupported_grant_type`: Grant type not supported
- `server_error`: Internal server error
#### GET /oauth/userinfo
OpenID Connect UserInfo endpoint. Returns user profile information.
**Headers:**
```
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
**Response:**
```json
{
"sub": "user-id",
"email": "user@example.com",
"name": "John Doe",
"public_key": "04a1b2c3d4e5f6...",
"created_at": "1640995200"
}
```
**Error Response:**
```json
{
"error": "invalid_token",
"error_description": "Missing Authorization header"
}
```
**Status Codes:**
- `200 OK`: User info returned successfully
- `401 Unauthorized`: Invalid or missing token
---
## Data Models
### User Model
```rust
struct User {
id: String, // UUID v4
email: String, // Verified email address
public_key: String, // Hex-encoded public key
name: String, // Display name
created_at: String, // Unix timestamp
}
```
### JWT Claims
```rust
struct Claims {
sub: String, // Subject (public key)
iss: String, // Issuer ("self-sovereign-identity")
aud: String, // Audience ("identity-server")
exp: usize, // Expiration time (Unix timestamp)
iat: usize, // Issued at time (Unix timestamp)
scope: String, // Granted scopes
}
```
### Verification Status
```rust
struct VerificationStatus {
email: String, // Email address
verified: bool, // Verification state
verification_token: String, // UUID token
}
```
## Authentication Flow
### 1. Challenge-Response Authentication
```mermaid
sequenceDiagram
participant C as Client
participant S as Server
C->>S: POST /oauth/token (with signature)
S->>S: Verify signature against public key
S->>S: Generate JWT token
S->>C: Return access_token
C->>S: GET /oauth/userinfo (with Bearer token)
S->>S: Validate JWT token
S->>C: Return user profile
```
### 2. JWT Token Validation
1. Extract Bearer token from Authorization header
2. Decode JWT using server secret
3. Validate issuer, audience, and expiration
4. Extract public key from subject claim
5. Look up user by public key
6. Return user information
## Error Handling
### Standard HTTP Status Codes
- `200 OK`: Request successful
- `400 Bad Request`: Invalid request format or data
- `401 Unauthorized`: Authentication required or failed
- `404 Not Found`: Resource not found
- `500 Internal Server Error`: Server error
### OAuth 2.0 Error Format
All OAuth errors follow RFC 6749 format:
```json
{
"error": "error_code",
"error_description": "Human readable description",
"error_uri": "https://docs.example.com/oauth/errors"
}
```
### Common Error Scenarios
1. **Email Not Verified**
```json
{
"success": false,
"message": "Email not verified"
}
```
2. **Invalid Token**
```json
{
"error": "invalid_token",
"error_description": "Invalid or expired token"
}
```
3. **User Not Found**
```json
{
"error": "invalid_client",
"error_description": "User not found"
}
```
## Rate Limiting
Currently not implemented but recommended for production:
- **Email Verification**: 5 requests per email per hour
- **Authentication**: 10 attempts per public key per minute
- **Registration**: 3 registrations per IP per hour
## Security Headers
The server should include security headers in production:
```
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
```
## Monitoring and Logging
### Log Levels
- **INFO**: Normal operations (requests, registrations)
- **WARN**: Invalid tokens, failed verifications
- **ERROR**: Server errors, database failures
### Metrics to Track
- Request count by endpoint
- Authentication success/failure rates
- Registration completion rates
- Email verification rates
- Response times
- Error rates
### Health Check Details
The `/health` endpoint can be extended for detailed health information:
```json
{
"status": "healthy",
"service": "self-server",
"version": "1.0.0",
"uptime": 3600,
"checks": {
"database": "healthy",
"email_service": "healthy",
"jwt_signing": "healthy"
}
}
```
## Production Considerations
### Database Integration
Replace in-memory storage with persistent database:
```rust
// Example with SQLx
async fn store_user(pool: &PgPool, user: &User) -> Result<(), sqlx::Error> {
sqlx::query!(
"INSERT INTO users (id, email, public_key, name, created_at) VALUES ($1, $2, $3, $4, $5)",
user.id, user.email, user.public_key, user.name, user.created_at
)
.execute(pool)
.await?;
Ok(())
}
```
### SMTP Integration
Replace console logging with actual email sending:
```rust
use lettre::{SmtpTransport, Transport, Message};
async fn send_verification_email(email: &str, verification_url: &str) -> Result<(), Box<dyn std::error::Error>> {
let message = Message::builder()
.from("noreply@yourapp.com".parse()?)
.to(email.parse()?)
.subject("Verify your email address")
.body(format!("Click here to verify: {}", verification_url))?;
let mailer = SmtpTransport::relay("smtp.gmail.com")?
.credentials(Credentials::new("username".to_string(), "password".to_string()))
.build();
mailer.send(&message)?;
Ok(())
}
```
### Environment Configuration
```rust
#[derive(Parser, Debug)]
struct Args {
#[arg(short, long, default_value_t = 8080)]
port: u16,
#[arg(long, env = "DATABASE_URL")]
database_url: String,
#[arg(long, env = "JWT_SECRET")]
jwt_secret: String,
#[arg(long, env = "SMTP_HOST")]
smtp_host: String,
#[arg(long, env = "SMTP_USERNAME")]
smtp_username: String,
#[arg(long, env = "SMTP_PASSWORD")]
smtp_password: String,
}
```

570
docs/vault-system.md Normal file
View File

@@ -0,0 +1,570 @@
# Vault System Documentation
## Overview
The Self vault system provides secure storage and management of multiple encrypted cryptographic keys. It enables users to maintain multiple digital identities, each with its own key pair, while ensuring all private keys remain encrypted and under user control.
## Architecture
### Core Components
```mermaid
graph TB
VM[Vault Manager] --> V[Vault]
VM --> VE[Vault Entry]
V --> LS[Local Storage]
VE --> EPK[Encrypted Private Key]
VE --> MD[Metadata]
subgraph "Encryption Layer"
EPK --> AES[AES-256-GCM]
AES --> PBKDF2[PBKDF2 Key Derivation]
end
subgraph "Storage Layer"
LS --> JSON[JSON Format]
JSON --> B64[Base64 Encoding]
end
```
### Data Structures
#### Vault Entry
```rust
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VaultEntry {
pub id: String, // Unique identifier (UUID)
pub name: String, // User-friendly name
pub email: String, // Associated email address
pub public_key: String, // Hex-encoded public key
pub encrypted_private_key: EncryptedPrivateKey, // Encrypted private key
pub created_at: String, // ISO 8601 timestamp
}
```
#### Vault Configuration
```rust
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VaultConfig {
pub app_name: String, // Application identifier
pub storage_key: String, // LocalStorage key prefix
pub auto_lock_timeout: u32, // Auto-lock timeout in minutes
}
```
## Vault Operations
### Creating a New Vault Entry
```rust
impl Vault {
pub fn store_keypair(
name: &str,
email: &str,
keypair: &KeyPair,
password: &str,
) -> Result<String, VaultError> {
// Generate unique ID
let id = Uuid::new_v4().to_string();
// Encrypt private key
let encrypted_private_key = encrypt_private_key(&keypair.private_key, password)?;
// Create vault entry
let entry = VaultEntry {
id: id.clone(),
name: name.to_string(),
email: email.to_string(),
public_key: keypair.public_key.clone(),
encrypted_private_key,
created_at: Utc::now().to_rfc3339(),
};
// Store in vault
self.add_entry(entry)?;
Ok(id)
}
}
```
### Retrieving Keys from Vault
```rust
impl Vault {
pub fn retrieve_keypair(password: &str) -> Result<(String, String), VaultError> {
// Get primary identity from storage
let storage = web_sys::window()
.and_then(|w| w.local_storage().ok().flatten())
.ok_or(VaultError::StorageNotAvailable)?;
let vault_data = storage
.get_item("self_vault")
.map_err(|_| VaultError::StorageError)?
.ok_or(VaultError::NoKeysStored)?;
let vault: VaultData = serde_json::from_str(&vault_data)
.map_err(|_| VaultError::InvalidVaultFormat)?;
// Find primary identity
let entry = vault.entries
.values()
.next()
.ok_or(VaultError::NoKeysStored)?;
// Decrypt private key
let private_key = decrypt_private_key(&entry.encrypted_private_key, password)?;
Ok((private_key, entry.public_key.clone()))
}
}
```
### Listing Vault Entries
```rust
impl VaultManager {
pub fn list_identities(&self) -> Vec<IdentitySummary> {
self.vault_data
.entries
.values()
.map(|entry| IdentitySummary {
id: entry.id.clone(),
name: entry.name.clone(),
email: entry.email.clone(),
public_key: entry.public_key.clone(),
created_at: entry.created_at.clone(),
})
.collect()
}
}
```
## Vault Manager Component
### Component State
```rust
pub struct VaultManager {
vault_data: VaultData,
selected_identity: Option<String>,
password_input: String,
show_password_input: bool,
loading: bool,
error_message: Option<String>,
show_create_form: bool,
new_identity_name: String,
new_identity_email: String,
}
```
### Key Management Operations
#### Adding New Identity
```rust
fn handle_create_identity(&mut self, ctx: &Context<Self>) {
if self.new_identity_name.trim().is_empty() ||
self.new_identity_email.trim().is_empty() {
self.error_message = Some("Name and email are required".to_string());
return;
}
let name = self.new_identity_name.clone();
let email = self.new_identity_email.clone();
let password = self.password_input.clone();
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
match generate_keypair() {
Ok(keypair) => {
match Vault::store_keypair(&name, &email, &keypair, &password) {
Ok(id) => {
link.send_message(VaultMsg::IdentityCreated(id));
}
Err(e) => {
link.send_message(VaultMsg::Error(format!("Failed to store identity: {}", e)));
}
}
}
Err(e) => {
link.send_message(VaultMsg::Error(format!("Failed to generate keys: {}", e)));
}
}
});
}
```
#### Selecting Identity
```rust
fn handle_select_identity(&mut self, identity_id: String, ctx: &Context<Self>) {
if self.password_input.trim().is_empty() {
self.error_message = Some("Password required to access identity".to_string());
return;
}
self.loading = true;
self.selected_identity = Some(identity_id.clone());
let password = self.password_input.clone();
let link = ctx.link().clone();
wasm_bindgen_futures::spawn_local(async move {
match Vault::decrypt_identity(&identity_id, &password) {
Ok(keypair) => {
link.send_message(VaultMsg::IdentitySelected(keypair));
}
Err(e) => {
link.send_message(VaultMsg::Error(format!("Failed to decrypt identity: {}", e)));
}
}
});
}
```
## Storage Format
### Vault Data Structure
```json
{
"version": "1.0",
"created_at": "2024-01-01T00:00:00Z",
"entries": {
"uuid-1": {
"id": "uuid-1",
"name": "Primary Identity",
"email": "user@example.com",
"public_key": "04a1b2c3d4e5f6...",
"encrypted_private_key": {
"encrypted_data": "base64-ciphertext",
"nonce": "base64-nonce",
"salt": "base64-salt"
},
"created_at": "2024-01-01T00:00:00Z"
},
"uuid-2": {
"id": "uuid-2",
"name": "Work Identity",
"email": "work@company.com",
"public_key": "04b2c3d4e5f6a1...",
"encrypted_private_key": {
"encrypted_data": "base64-ciphertext-2",
"nonce": "base64-nonce-2",
"salt": "base64-salt-2"
},
"created_at": "2024-01-02T00:00:00Z"
}
}
}
```
### Storage Keys
- **Primary Vault**: `self_vault` - Main vault storage
- **Active Identity**: `self_active_identity` - Currently selected identity ID
- **Session Data**: `self_session` - Temporary session information
## Security Model
### Encryption Strategy
1. **Individual Key Encryption**: Each private key encrypted separately
2. **Unique Salts**: Each key uses its own random salt
3. **Password-Based Access**: Same password can decrypt all keys in vault
4. **No Master Key**: No single key encrypts the entire vault
### Password Management
```rust
impl VaultManager {
fn validate_password(&self, password: &str) -> Result<(), VaultError> {
if password.len() < 8 {
return Err(VaultError::WeakPassword("Password must be at least 8 characters".to_string()));
}
// Additional password strength checks
let has_upper = password.chars().any(|c| c.is_uppercase());
let has_lower = password.chars().any(|c| c.is_lowercase());
let has_digit = password.chars().any(|c| c.is_numeric());
if !has_upper || !has_lower || !has_digit {
return Err(VaultError::WeakPassword(
"Password must contain uppercase, lowercase, and numeric characters".to_string()
));
}
Ok(())
}
}
```
### Access Control
```rust
pub enum VaultAccess {
ReadOnly, // Can view public information only
Decrypt, // Can decrypt and use private keys
Manage, // Can add/remove identities
}
impl VaultManager {
pub fn check_access(&self, required_access: VaultAccess) -> bool {
match required_access {
VaultAccess::ReadOnly => true,
VaultAccess::Decrypt => self.is_unlocked(),
VaultAccess::Manage => self.is_unlocked() && self.has_management_privileges(),
}
}
}
```
## Error Handling
### Vault Error Types
```rust
#[derive(Debug, Clone)]
pub enum VaultError {
StorageNotAvailable,
StorageError,
NoKeysStored,
InvalidVaultFormat,
EncryptionFailed(String),
DecryptionFailed(String),
WeakPassword(String),
IdentityNotFound(String),
DuplicateIdentity(String),
InvalidKeyFormat,
}
impl fmt::Display for VaultError {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
VaultError::StorageNotAvailable => write!(f, "Browser storage not available"),
VaultError::StorageError => write!(f, "Failed to access storage"),
VaultError::NoKeysStored => write!(f, "No keys found in vault"),
VaultError::InvalidVaultFormat => write!(f, "Invalid vault data format"),
VaultError::EncryptionFailed(msg) => write!(f, "Encryption failed: {}", msg),
VaultError::DecryptionFailed(msg) => write!(f, "Decryption failed: {}", msg),
VaultError::WeakPassword(msg) => write!(f, "Weak password: {}", msg),
VaultError::IdentityNotFound(id) => write!(f, "Identity not found: {}", id),
VaultError::DuplicateIdentity(email) => write!(f, "Identity already exists: {}", email),
VaultError::InvalidKeyFormat => write!(f, "Invalid key format"),
}
}
}
```
## User Interface
### Vault Manager UI Components
#### Identity List
```rust
fn render_identity_list(&self, ctx: &Context<Self>) -> Html {
let identities = self.list_identities();
html! {
<div class="identity-list">
<h5>{"Stored Identities"}</h5>
{for identities.iter().map(|identity| {
let identity_id = identity.id.clone();
html! {
<div class="identity-card" key={identity.id.clone()}>
<div class="identity-info">
<h6>{&identity.name}</h6>
<p class="text-muted">{&identity.email}</p>
<small class="text-muted">
{"Created: "}{&identity.created_at}
</small>
</div>
<div class="identity-actions">
<button class="btn btn-primary btn-sm"
onclick={ctx.link().callback(move |_| {
VaultMsg::SelectIdentity(identity_id.clone())
})}>
{"Select"}
</button>
</div>
</div>
}
})}
</div>
}
}
```
#### Create Identity Form
```rust
fn render_create_form(&self, ctx: &Context<Self>) -> Html {
html! {
<div class="create-identity-form">
<h5>{"Create New Identity"}</h5>
<div class="mb-3">
<label class="form-label">{"Name"}</label>
<input type="text" class="form-control"
value={self.new_identity_name.clone()}
oninput={ctx.link().callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
VaultMsg::UpdateNewIdentityName(input.value())
})} />
</div>
<div class="mb-3">
<label class="form-label">{"Email"}</label>
<input type="email" class="form-control"
value={self.new_identity_email.clone()}
oninput={ctx.link().callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
VaultMsg::UpdateNewIdentityEmail(input.value())
})} />
</div>
<div class="mb-3">
<label class="form-label">{"Password"}</label>
<input type="password" class="form-control"
value={self.password_input.clone()}
oninput={ctx.link().callback(|e: InputEvent| {
let input: HtmlInputElement = e.target_unchecked_into();
VaultMsg::UpdatePassword(input.value())
})} />
</div>
<button class="btn btn-success"
onclick={ctx.link().callback(|_| VaultMsg::CreateIdentity)}
disabled={self.loading}>
{if self.loading { "Creating..." } else { "Create Identity" }}
</button>
</div>
}
}
```
## Integration with Other Components
### Registration Integration
```rust
// Auto-store generated keys during registration
impl Registration {
fn complete_registration(&mut self, ctx: &Context<Self>) {
if let (Some(keypair), Some(password)) = (&self.generated_keypair, &self.password) {
// Store in vault automatically
match Vault::store_keypair(
&self.name,
&self.email,
keypair,
password
) {
Ok(id) => {
web_sys::console::log_1(&format!("Identity stored in vault: {}", id).into());
}
Err(e) => {
web_sys::console::log_1(&format!("Failed to store in vault: {}", e).into());
}
}
}
}
}
```
### Login Integration
```rust
// Select identity from vault for login
impl Login {
fn load_from_vault(&mut self, identity_id: &str, password: &str) -> Result<(), String> {
match Vault::decrypt_identity(identity_id, password) {
Ok(keypair) => {
self.current_keypair = Some(keypair);
Ok(())
}
Err(e) => Err(format!("Failed to load identity: {}", e))
}
}
}
```
## Backup and Recovery
### Export Functionality
```rust
impl VaultManager {
pub fn export_vault(&self, password: &str) -> Result<String, VaultError> {
// Verify password can decrypt at least one identity
self.verify_vault_password(password)?;
// Export vault data (still encrypted)
let export_data = ExportData {
version: "1.0".to_string(),
exported_at: Utc::now().to_rfc3339(),
vault: self.vault_data.clone(),
};
serde_json::to_string_pretty(&export_data)
.map_err(|_| VaultError::StorageError)
}
pub fn import_vault(&mut self, import_data: &str, password: &str) -> Result<(), VaultError> {
let export_data: ExportData = serde_json::from_str(import_data)
.map_err(|_| VaultError::InvalidVaultFormat)?;
// Verify password can decrypt imported identities
for entry in export_data.vault.entries.values() {
decrypt_private_key(&entry.encrypted_private_key, password)?;
}
// Merge with existing vault
for (id, entry) in export_data.vault.entries {
self.vault_data.entries.insert(id, entry);
}
self.save_vault()
}
}
```
### Recovery Options
1. **Password Recovery**: Not possible - passwords are not stored
2. **Vault Export**: Users must export vault data regularly
3. **Individual Key Backup**: Each private key can be backed up separately
4. **Seed Phrase**: Future enhancement for deterministic key generation
## Performance Considerations
### Optimization Strategies
1. **Lazy Loading**: Load vault data only when needed
2. **Caching**: Cache decrypted keys in memory during session
3. **Batch Operations**: Group multiple vault operations
4. **Background Sync**: Sync vault changes in background
### Memory Management
```rust
impl Drop for VaultManager {
fn drop(&mut self) {
// Clear sensitive data from memory
self.password_input.zeroize();
if let Some(ref mut keypair) = self.cached_keypair {
keypair.private_key.zeroize();
}
}
}
```
## Future Enhancements
### Planned Features
1. **Hierarchical Deterministic Keys**: BIP32-style key derivation
2. **Hardware Token Integration**: WebAuthn support
3. **Vault Synchronization**: Cross-device vault sync
4. **Biometric Authentication**: WebAuthn biometric support
5. **Key Rotation**: Automatic key rotation policies
6. **Audit Trail**: Comprehensive logging of vault operations
### Advanced Security Features
1. **Multi-Factor Authentication**: Additional authentication factors
2. **Time-Based Access**: Temporary key access permissions
3. **Geolocation Restrictions**: Location-based access controls
4. **Device Binding**: Tie vault access to specific devices

2
server/Cargo.toml
View File

@@ -23,3 +23,5 @@ tracing = "0.1"
tracing-subscriber = "0.3"
anyhow = "1.0"
clap = { version = "4.0", features = ["derive"] }
jsonwebtoken = "9.0"
base64 = "0.22"

239
server/src/main.rs
View File

@@ -1,6 +1,6 @@
use axum::{
extract::{Path, Request, State},
http::{header, StatusCode},
http::{header, HeaderMap, StatusCode},
middleware::Next,
response::{IntoResponse, Response, Sse},
routing::{get, post},
@@ -10,7 +10,7 @@ use serde::{Deserialize, Serialize};
use std::{
collections::HashMap,
sync::{Arc, Mutex},
time::Duration,
time::{Duration, SystemTime, UNIX_EPOCH},
};
use tokio::sync::broadcast;
use tokio_stream::{wrappers::BroadcastStream, StreamExt};
@@ -18,6 +18,8 @@ use tower_http::cors::CorsLayer;
use tracing::{info, warn};
use uuid::Uuid;
use clap::Parser;
use jsonwebtoken::{encode, decode, Header, Algorithm, Validation, EncodingKey, DecodingKey};
use base64::{Engine as _, engine::general_purpose};
#[derive(Parser, Debug)]
#[command(author, version, about, long_about = None)]
@@ -39,6 +41,7 @@ struct EmailVerificationRequest {
#[derive(Debug, Clone, Serialize, Deserialize)]
struct RegistrationRequest {
email: String,
name: String,
public_key: String,
}
@@ -49,6 +52,53 @@ struct RegistrationResponse {
user_id: Option<String>,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
struct LoginRequest {
grant_type: String,
client_assertion_type: String,
client_assertion: String,
public_key: String,
challenge: String,
scope: String,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
struct TokenResponse {
access_token: String,
token_type: String,
expires_in: u64,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
struct Claims {
sub: String, // Subject - should be the public key (user identifier)
iss: String, // Issuer
aud: String, // Audience
exp: usize, // Expiration time
iat: usize, // Issued at time
scope: String, // Scopes
#[serde(skip_serializing_if = "Option::is_none")]
challenge: Option<String>, // Challenge for authentication
}
#[derive(Debug, Clone, Serialize, Deserialize)]
struct UserInfo {
sub: String,
email: String,
name: String,
public_key: String,
created_at: String,
}
#[derive(Debug, Clone)]
struct User {
id: String,
email: String,
public_key: String,
name: String,
created_at: String,
}
#[derive(Debug, Clone)]
struct VerificationStatus {
email: String,
@@ -57,13 +107,16 @@ struct VerificationStatus {
}
type VerificationStore = Arc<Mutex<HashMap<String, VerificationStatus>>>;
type UserStore = Arc<Mutex<HashMap<String, User>>>;
type NotificationSender = broadcast::Sender<String>;
#[derive(Clone)]
struct AppState {
verifications: VerificationStore,
users: UserStore,
notification_tx: NotificationSender,
base_url: String,
jwt_secret: String,
}
#[tokio::main]
@@ -73,12 +126,16 @@ async fn main() -> anyhow::Result<()> {
tracing_subscriber::fmt::init();
let verifications: VerificationStore = Arc::new(Mutex::new(HashMap::new()));
let users: UserStore = Arc::new(Mutex::new(HashMap::new()));
let (notification_tx, _) = broadcast::channel(100);
let jwt_secret = "your-secret-key".to_string(); // In production, use a proper secret
let state = AppState {
verifications,
users,
notification_tx,
base_url: args.base_url.clone(),
jwt_secret,
};
let app = Router::new()
@@ -86,6 +143,8 @@ async fn main() -> anyhow::Result<()> {
.route("/api/verification-status/:email", get(verification_status_sse))
.route("/api/verify/:token", get(verify_email))
.route("/api/register", post(register_user))
.route("/oauth/token", post(oauth_token))
.route("/oauth/userinfo", get(oauth_userinfo))
.route("/health", get(health_check))
.layer(axum::middleware::from_fn(log_requests))
.layer(
@@ -291,16 +350,20 @@ async fn register_user(
State(state): State<AppState>,
Json(request): Json<RegistrationRequest>,
) -> impl IntoResponse {
info!("👤 Registration request for email: {}, public_key: {}", request.email, request.public_key);
// Check if email is verified
let is_verified = {
let verifications = state.verifications.lock().unwrap();
verifications
.get(&request.email)
let verification_status = verifications.get(&request.email);
info!("📧 Email verification status for {}: {:?}", request.email, verification_status);
verification_status
.map(|status| status.verified)
.unwrap_or(false)
};
if !is_verified {
warn!("❌ Registration failed: Email {} not verified", request.email);
return Json(RegistrationResponse {
success: false,
message: "Email not verified".to_string(),
@@ -308,12 +371,32 @@ async fn register_user(
});
}
// Generate user ID
// Generate user ID and create user
let user_id = Uuid::new_v4().to_string();
let now = SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap()
.as_secs()
.to_string();
let user = User {
id: user_id.clone(),
email: request.email.clone(),
public_key: request.public_key.clone(),
name: request.name.clone(),
created_at: now,
};
// Store user in memory (in production, use a database)
{
let mut users = state.users.lock().unwrap();
users.insert(request.public_key.clone(), user.clone());
info!("💾 User stored with public key: {}", request.public_key);
info!("📊 Total users in store: {}", users.len());
}
// In a real implementation, store user data in database
info!(
"User registered successfully - Email: {}, Public Key: {}, User ID: {}",
"User registered successfully - Email: {}, Public Key: {}, User ID: {}",
request.email, request.public_key, user_id
);
@@ -323,3 +406,145 @@ async fn register_user(
user_id: Some(user_id),
})
}
async fn oauth_token(
State(state): State<AppState>,
Json(request): Json<LoginRequest>,
) -> impl IntoResponse {
info!("🔐 OAuth token request for public key: {}", request.public_key);
info!("📝 Request details: grant_type={}, scope={}", request.grant_type, request.scope);
// Find user by public key
let user = {
let users = state.users.lock().unwrap();
info!("🔍 Looking for user with public key: {}", request.public_key);
info!("📊 Total users in store: {}", users.len());
info!("🔑 Available public keys: {:?}", users.keys().collect::<Vec<_>>());
users.get(&request.public_key).cloned()
};
let user = match user {
Some(user) => user,
None => {
warn!("User not found for public key: {}", request.public_key);
let error_response = serde_json::json!({
"error": "invalid_client",
"error_description": "User not found"
});
info!("❌ Error response: {}", error_response);
return (StatusCode::UNAUTHORIZED, Json(error_response)).into_response();
}
};
// In a real implementation, verify the signature against the challenge
// For now, we'll accept any signature for development
info!("✅ Authentication successful for user: {}", user.email);
// Generate JWT token
let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as usize;
let exp = now + 3600; // 1 hour expiration
let claims = Claims {
sub: user.public_key.clone(), // Subject should be the public key (user identifier)
iss: "self-sovereign-identity".to_string(),
aud: "identity-server".to_string(),
exp,
iat: now,
scope: request.scope.clone(),
challenge: None, // No challenge needed in response token
};
let token = match encode(
&Header::default(),
&claims,
&EncodingKey::from_secret(state.jwt_secret.as_ref()),
) {
Ok(token) => token,
Err(e) => {
warn!("Failed to generate JWT token: {}", e);
return (StatusCode::INTERNAL_SERVER_ERROR, Json(serde_json::json!({
"error": "server_error",
"error_description": "Failed to generate token"
}))).into_response();
}
};
Json(TokenResponse {
access_token: token,
token_type: "Bearer".to_string(),
expires_in: 3600,
}).into_response()
}
async fn oauth_userinfo(
State(state): State<AppState>,
headers: HeaderMap,
) -> impl IntoResponse {
// Extract Bearer token from Authorization header
let auth_header = match headers.get("Authorization") {
Some(header) => header.to_str().unwrap_or(""),
None => {
return (StatusCode::UNAUTHORIZED, Json(serde_json::json!({
"error": "invalid_token",
"error_description": "Missing Authorization header"
}))).into_response();
}
};
let token = match auth_header.strip_prefix("Bearer ") {
Some(token) => token,
None => {
return (StatusCode::UNAUTHORIZED, Json(serde_json::json!({
"error": "invalid_token",
"error_description": "Invalid Authorization header format"
}))).into_response();
}
};
// Decode and validate JWT token
let mut validation = Validation::default();
validation.set_audience(&["identity-server"]);
validation.set_issuer(&["self-sovereign-identity"]);
let claims = match decode::<Claims>(
token,
&DecodingKey::from_secret(state.jwt_secret.as_ref()),
&validation,
) {
Ok(token_data) => token_data.claims,
Err(e) => {
warn!("Invalid JWT token: {}", e);
return (StatusCode::UNAUTHORIZED, Json(serde_json::json!({
"error": "invalid_token",
"error_description": "Invalid or expired token"
}))).into_response();
}
};
// Find user by public key from JWT subject
let user = {
let users = state.users.lock().unwrap();
users.get(&claims.sub).cloned()
};
let user = match user {
Some(user) => user,
None => {
warn!("User not found for public key in token: {}", claims.sub);
return (StatusCode::UNAUTHORIZED, Json(serde_json::json!({
"error": "invalid_token",
"error_description": "User not found"
}))).into_response();
}
};
info!("📋 Returning user info for: {}", user.email);
Json(UserInfo {
sub: user.id,
email: user.email,
name: user.name,
public_key: user.public_key,
created_at: user.created_at,
}).into_response()
}