feat: support for MSC4108 rendezvous protocol (#9)

BREAKING CHANGE support for MSC3886 has been dropped

Bumped all dependencies

Author: hughns

.github/dependabot.yml

@@ -5,7 +5,11 @@
 
 version: 2
 updates:
-  - package-ecosystem: "yarn" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "npm"
+    directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"

README.md

@@ -1,9 +1,8 @@
 # Node.js HTTP Rendezvous Server
 
-A standalone implementation of [MSC3886: Simple rendezvous capability](https://github.com/matrix-org/matrix-spec-proposals/pull/3886).
+A standalone implementation of the rendezvous session API proposed by [MSC4108: Mechanism to allow OIDC sign in and E2EE set up via QR code](https://github.com/matrix-org/matrix-spec-proposals/pull/4108).
 
 Functionality constraints:
 
 - the in progress rendezvous do not need to be persisted between server restarts
 - the server does not need to work in a clustered/sharded deployment
-- no authentication is needed for use of the server

package.json

@@ -4,12 +4,13 @@
   "license": "Apache-2.0",
   "author": "The Matrix.org Foundation C.I.C.",
   "dependencies": {
-    "body-parser": "^1.20.0",
+    "body-parser": "^1.20.2",
+    "content-type": "^1.0.5",
     "cors": "^2.8.5",
     "express": "^4.19.2",
     "morgan": "^1.10.0",
     "node-cache": "^5.1.2",
-    "uuid": "^8.3.2"
+    "uuid": "^9.0.1"
   },
   "scripts": {
     "clean": "rm -rf dist",
@@ -24,28 +25,29 @@
     "release": "yarn semantic-release"
   },
   "devDependencies": {
-    "@commitlint/cli": "^16.0.2",
-    "@commitlint/config-conventional": "^16.0.0",
-    "@eclass/semantic-release-docker": "^3.0.1",
-    "@semantic-release/changelog": "^6.0.1",
+    "@commitlint/cli": "^19.2.1",
+    "@commitlint/config-conventional": "^19.1.0",
+    "@eclass/semantic-release-docker": "^4.0.0",
+    "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/git": "^10.0.1",
-    "@types/cors": "^2.8.12",
-    "@types/express": "^4.17.13",
-    "@types/morgan": "^1.9.3",
-    "@types/uuid": "^8.3.4",
-    "@typescript-eslint/eslint-plugin": "^5.3.0",
-    "@typescript-eslint/parser": "^5.3.0",
-    "eslint": "^8.54.0",
+    "@types/content-type": "^1.1.8",
+    "@types/cors": "^2.8.17",
+    "@types/express": "^4.17.21",
+    "@types/morgan": "^1.9.9",
+    "@types/uuid": "^9.0.8",
+    "@typescript-eslint/eslint-plugin": "^7.5.0",
+    "@typescript-eslint/parser": "^7.5.0",
+    "eslint": "^8.57.0",
     "eslint-config-google": "^0.14.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-matrix-org": "^1.2.1",
-    "eslint-plugin-unicorn": "^50.0.1",
-    "husky": "^7.0.4",
-    "nodemon": "^3.0.2",
-    "prettier": "^3.1.1",
-    "semantic-release": "^19.0.2",
-    "ts-node": "^10.8.1",
-    "typescript": "^4.7.4"
+    "eslint-plugin-unicorn": "^52.0.0",
+    "husky": "^9.0.11",
+    "nodemon": "^3.1.0",
+    "prettier": "^3.2.5",
+    "semantic-release": "^23.0.7",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.4.4"
   }
 }

src/config.ts

@@ -17,3 +17,4 @@ limitations under the License.
 export const ttlSeconds = parseInt(process.env.RZ_TIMEOUT ?? "60");
 export const maxBytes = parseInt(process.env.RZ_MAX_BYTES ?? "10240");
 export const port = parseInt(process.env.RZ_PORT ?? "8080");
+export const trustProxy = process.env.RZ_TRUST_PROXY === "1" || false;

src/index.ts

@@ -23,19 +23,17 @@ import cors from "cors";
 import http from "http";
 import https from "https";
 import { readFileSync } from "fs";
+import { parse as parseContentType } from "content-type";
 
 import { Rendezvous } from "./rendezvous";
-import { maxBytes, ttlSeconds, port } from "./config";
+import { maxBytes, ttlSeconds, port, trustProxy } from "./config";
 
 const app = express();
-app.use(cors({
-    allowedHeaders: ["Content-Type", "If-Match", "If-None-Match"],
-    exposedHeaders: ["ETag", "Location", "X-Max-Bytes"],
-}));
 app.use(morgan("common"));
 app.set("env", "production");
 app.set("x-powered-by", false);
 app.set("etag", false);
+app.set("trust proxy", trustProxy);
 
 // treat everything as raw
 app.use(bodyParser.raw({
@@ -51,59 +49,96 @@ const rvs = new NodeCache({
     useClones: false,
 });
 
-app.post("/", (req, res) => {
-    let id: string | undefined;
-    while (!id || id in rvs) {
-        id = v4();
-    }
-    const rv = new Rendezvous(id, ttlSeconds, maxBytes, req);
-    rvs.set(id, rv, rv.ttlSeconds);
+app.options("/", cors({
+    origin: "*",
+    methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allowedHeaders: ["X-Requested-With", "Content-Type", "Authorization"], // https://spec.matrix.org/v1.10/client-server-api/#web-browser-clients
+    exposedHeaders: ["ETag"],
+}));
 
-    rv.setHeaders(res);
+function notFound(res: express.Response): express.Response {
+    return res.status(404).json({ "errcode": "M_NOT_FOUND", "error": "Rendezvous not found" });
+}
 
-    res.setHeader("Location", id);
-    res.setHeader("X-Max-Bytes", maxBytes);
+function withContentType(req: express.Request, res: express.Response) {
+    return (fn: (contentType: string) => express.Response): express.Response => {
+        const contentType = req.get("content-type");
+        if (!contentType) {
+            return res.status(400).json({ "errcode": "M_MISSING_PARAM", "error": "Missing Content-Type header" });
+        }
+        try {
+            parseContentType(contentType);
+        } catch (e) {
+            return res.status(400).json({ "errcode": "M_INVALID_PARAM", "error": "Invalid Content-Type header" });
+        }
+        return fn(contentType);
+    };
+}
+app.post("/", (req, res) => {
+    withContentType(req, res)((contentType) => {
 
-    return res.sendStatus(201);
-});
+        let id: string | undefined;
+        while (!id || id in rvs) {
+            id = v4();
+        }
+        const rv = new Rendezvous(id, ttlSeconds, maxBytes, req.body, contentType);
+        rvs.set(id, rv, rv.ttlSeconds);
 
-app.put("/:id", (req, res) => {
-    const { id } = req.params;
-    const rv = rvs.get<Rendezvous>(id);
+        rv.setHeaders(res);
 
-    if (!rv) {
-        return res.sendStatus(404);
-    }
+        const url = `${req.protocol}://${req.hostname}/${id}`;
 
-    if (rv.expired()) {
-        rvs.del(id);
-        return res.sendStatus(404);
-    }
+        return res.status(201).json({ url });
+    });
+});
 
-    const ifMatch = req.headers["if-match"];
+app.options("/:id", cors({
+    origin: "*",
+    methods: ["GET", "PUT", "DELETE", "OPTIONS"],
+    allowedHeaders: ["If-Match", "If-None-Match"],
+    exposedHeaders: ["ETag"],
+}));
 
-    if (ifMatch && ifMatch !== rv.etag) {
+app.put("/:id", (req, res) => {
+    withContentType(req, res)((contentType) => {
+        const { id } = req.params;
+        const rv = rvs.get<Rendezvous>(id);
+
+        if (!rv) {
+            return notFound(res);
+        }
+
+        if (rv.expired()) {
+            rvs.del(id);
+            return notFound(res);
+        }
+
+        const ifMatch = req.headers["if-match"];
+        if (!ifMatch) {
+            return res.status(400).json({ "errcode": "M_MISSING_PARAM", "error": "Missing If-Match header" });
+        } else if (ifMatch !== rv.etag) {
+            rv.setHeaders(res);
+            return res.send(412).json({ "errcode": "M_CONCURRENT_WRITE", "error": "Rendezvous has been modified" });
+        }
+
+        rv.update(req.body, contentType);
         rv.setHeaders(res);
-        return res.sendStatus(412);
-    }
 
-    rv.update(req);
-    rv.setHeaders(res);
-
-    return res.sendStatus(202);
+        return res.sendStatus(202);
+    });
 });
 
 app.get("/:id", (req, res) => {
     const { id } = req.params;
     const rv = rvs.get<Rendezvous>(id);
 
     if (!rv) {
-        return res.sendStatus(404);
+        return notFound(res);
     }
 
     if (rv.expired()) {
         rvs.del(id);
-        return res.sendStatus(404);
+        return notFound(res);
     }
 
     rv.setHeaders(res);
@@ -118,7 +153,7 @@ app.get("/:id", (req, res) => {
 app.delete("/:id", (req, res) => {
     const { id } = req.params;
     if (!rvs.has(id)) {
-        return res.sendStatus(404);
+        return notFound(res);
     }
     rvs.del(id);
     return res.sendStatus(204);
@@ -130,11 +165,11 @@ if (process.env.DEV_SSL === "yes") {
         cert: readFileSync("./devssl/cert.pem"),
     }, app);
     httpsServer.listen(port, () => {
-        console.log(`Starting rendezvous server at https://0.0.0.0:${port} with self-signed certificate`);
+        console.log(`Starting rendezvous server at https://0.0.0.0:${port} with self-signed certificate${trustProxy ? " behind trusted proxy" : ""}`);
     });
 } else {
     const httpServer = http.createServer(app);
     httpServer.listen(port, () => {
-        console.log(`Starting rendezvous server at http://0.0.0.0:${port}`);
+        console.log(`Starting rendezvous server at http://0.0.0.0:${port}${trustProxy ? " behind trusted proxy" : ""}`);
     });
 }

src/rendezvous.ts

@@ -27,18 +27,18 @@ export class Rendezvous {
     private lastModified!: Date;
     public etag!: string;
 
-    public constructor(id: string, ttlSeconds: number, maxBytes: number, initialRequest: express.Request) {
+    public constructor(id: string, ttlSeconds: number, maxBytes: number, data: Buffer, contentType: string) {
         const now = new Date();
         this.id = id;
         this.ttlSeconds = ttlSeconds;
         this.expiresAt = new Date(now.getTime() + ttlSeconds * 1000);
         this.maxBytes = maxBytes;
-        this.update(initialRequest);
+        this.update(data, contentType);
     }
 
-    public update(req: express.Request): void {
-        this.data = req.body;
-        this.contentType = req.get("Content-Type") ?? "application/octet-stream";
+    public update(data: Buffer, contentType: string): void {
+        this.data = data;
+        this.contentType = contentType;
         this.lastModified = new Date();
         const hash = createHash("sha256");
         // include ID so that it is rendezvous-specific

tsconfig.json

@@ -13,9 +13,9 @@
         "strictNullChecks": true,
         "noImplicitReturns": true,
         "preserveConstEnums": true,
-        "suppressImplicitAnyIndexErrors": true,
         "forceConsistentCasingInFileNames": true,
         "outDir": "./dist",
         "rootDir": "./src"
-    }
+    },
+    "include": ["src/**/*"]
 }