X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fsession-manager.js;h=cb4c7126ec54cffc18b1856270cd1112f5c60182;hb=681ff60618195ab6754e5b8718a32e53ab2222ec;hp=bd08eef26e7cc44d11473b53bfcd3a8a1e2f6e4f;hpb=5b90f0a97b1f49b19d395ffe2cf14dda12d87fc9;p=squeep-authentication-module
diff --git a/lib/session-manager.js b/lib/session-manager.js
index bd08eef..cb4c712 100644
--- a/lib/session-manager.js
+++ b/lib/session-manager.js
@@ -6,6 +6,7 @@
 const { Communication: IndieAuthCommunication } = require('@squeep/indieauth-helper');
 const { MysteryBox } = require('@squeep/mystery-box');
+const { randomUUID } = require('crypto');
 const common = require('./common');
 const Enum = require('./enum');
 const Template = require('./template');
@@ -22,15 +23,16 @@ class SessionManager {
    * @param {Number=} options.authenticator.inactiveSessionLifespanSeconds
    * @param {Boolean} options.authenticator.secureAuthOnly
    * @param {Object} options.dingus
-   * @param {Object} options.dingus.proxyPrefix
-   * @param {Object} options.dingus.selfBaseUrl
+   * @param {String} options.dingus.proxyPrefix
+   * @param {String} options.dingus.selfBaseUrl
    */
   constructor(logger, authenticator, options) {
     this.logger = logger;
     this.authenticator = authenticator;
     this.options = options;
     this.indieAuthCommunication = new IndieAuthCommunication(logger, options);
-    this.mysteryBox = new MysteryBox(logger, options);
+    this.mysteryBox = new MysteryBox(options);
+    this.mysteryBox.on('statistics', common.mysteryBoxLogger(logger, _fileScope(this.constructor.name)));
     this.cookieLifespan = options.authenticator.inactiveSessionLifespanSeconds || 60 * 60 * 24 * 32;
   }
@@ -124,9 +126,11 @@ class SessionManager {
     }
     // Otherwise, carry on with IndieAuth handshake.
-    let me, session, authorizationEndpoint;
+    let me, meAutoScheme, session, authorizationEndpoint;
     try {
       me = new URL(ctx.parsedBody['me']);
+      meAutoScheme = !!ctx.parsedBody['me_auto_scheme'];
+
     } catch (e) {
       this.logger.debug(_scope, 'failed to parse supplied profile url', { ctx });
       ctx.errors.push(`Unable to understand '${ctx.parsedBody['me']}' as a profile URL.`);
@@ -134,8 +138,15 @@ class SessionManager {
     if (this.options.authenticator.authnEnabled.includes('indieAuth') && me) {
-      const profile = await this.indieAuthCommunication.fetchProfile(me);
-      if (!profile || !profile.metadata) {
+      let profile;
+      profile = await this.indieAuthCommunication.fetchProfile(me);
+      if ((!profile?.metadata)
+        && meAutoScheme) {
+        this.logger.debug(_scope, 'trying http fallback', { ctx });
+        me.protocol = 'http';
+        profile = await this.indieAuthCommunication.fetchProfile(me);
+      }
+      if (!profile?.metadata) {
         this.logger.debug(_scope, 'failed to find any profile information at url', { ctx });
         ctx.errors.push(`No profile information was found at '${me}'.`);
       } else {
@@ -170,9 +181,10 @@ class SessionManager {
     if (authorizationEndpoint) {
       const pkce = await IndieAuthCommunication.generatePKCE();
+      const state = randomUUID();
       session = {
         authorizationEndpoint: authorizationEndpoint.href,
-        state: ctx.requestId,
+        state,
         codeVerifier: pkce.codeVerifier,
         me,
         redirect,
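Review bot: The empty `+` line added between `meAutoScheme = !!ctx.parsedBody['me_auto_scheme'];` and `} catch (e) {` is stray whitespace inside the `try` body and should be dropped. `!!ctx.parsedBody['me_auto_scheme']` treats any present value as true, which suits a checkbox but also means a submitted `'false'` or `'0'` enables the fallback; if the form can carry such strings, compare against the expected value instead. The assignment cannot throw, so it does not need to sit inside the `try` that guards `new URL(...)`. The enclosing method starts before this hunk and continues past it.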
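Review bot: The fallback at `me.protocol = 'http';` rewrites the supplied URL object in place, so after a failed https fetch every later use of `me` — the `No profile information` message two lines below and, as far as the later hunk shows, the `me` stored in the session — carries the downgraded plaintext scheme, and for a profile URL that was already `http:` the assignment is a no-op and the identical fetch is simply repeated. Restrict the retry to the case it is meant for: `if (!profile?.metadata && meAutoScheme && me.protocol === 'https:') {`. The `'trying http fallback'` debug line would be more useful to an operator auditing scheme downgrades if it recorded the URL as well, e.g. `{ ctx, me: me.href }`. `let profile;` followed by a separate assignment reads more plainly as `let profile = await this.indieAuthCommunication.fetchProfile(me);`. The enclosing method starts before this hunk and continues past it.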
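Review bot: `const state = randomUUID();` deserves a why-comment so the value is not later swapped back to something predictable, e.g. `// Fresh unguessable state per login attempt; must not be derivable from the request id it replaces.` The hunk does not show where `state` is checked when the authorization endpoint redirects back, so whether the session lookup keys on it is inferred here. The enclosing method starts before this hunk.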