feat: add EncryptID auth to sync server and gate room creation

Verify JWT tokens on WebSocket connections via query param. Check room visibility before allowing access. Block writes from read-only connections. Add room config endpoint. Require auth for creating new rooms. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 11:54:20 -07:00 · 2026-02-13 11:54:20 -07:00 · f174709086
parent d7fc2cc8db
commit f174709086
6 changed files with 204 additions and 15 deletions
--- a/src/app/[slug]/page.tsx
+++ b/src/app/[slug]/page.tsx
@ -33,7 +33,7 @@ export default function RoomPage() {
  const params = useParams();
  const router = useRouter();
  const slug = params.slug as string;
-  const { did: encryptIdDid } = useAuthStore();
+  const { did: encryptIdDid, token: authToken } = useAuthStore();
  const [showShare, setShowShare] = useState(false);
  const [showParticipants, setShowParticipants] = useState(true);
@ -95,6 +95,7 @@ export default function RoomPage() {
    userName: currentUser?.name || '',
    userEmoji: currentUser?.emoji || '👤',
    encryptIdDid,
    authToken,
  });
  // Use refs to avoid stale closures in callbacks
--- a/src/app/page.tsx
+++ b/src/app/page.tsx
@ -63,6 +63,12 @@ export default function HomePage() {
  const handleCreateRoom = async () => {
    if (!name.trim()) return;
    // Require EncryptID auth to create rooms
    if (!isAuthenticated) {
      alert('Please sign in with EncryptID to create a room.');
      return;
    }
    const slug = roomName.trim()
      ? roomName.toLowerCase().replace(/[^a-z0-9]/g, '-').slice(0, 20)
      : generateSlug();
@ -169,9 +175,10 @@ export default function HomePage() {
              <button
                onClick={() => setIsCreating(true)}
                className="btn-primary w-full text-lg py-3"
-                disabled={!name.trim()}
+                disabled={!name.trim() || !isAuthenticated}
                title={!isAuthenticated ? 'Sign in with EncryptID to create rooms' : ''}
              >
-                Create New Map
+                {isAuthenticated ? 'Create New Map' : 'Sign in to Create Map'}
              </button>
              <div className="text-center text-white/40 text-sm">or</div>
--- a/src/hooks/useRoom.ts
+++ b/src/hooks/useRoom.ts
@ -99,6 +99,8 @@ interface UseRoomOptions {
  userEmoji: string;
  /** EncryptID DID for persistent cross-session identity (optional) */
  encryptIdDid?: string | null;
  /** EncryptID JWT token for authenticated sync server access (optional) */
  authToken?: string | null;
 }
 interface UseRoomReturn {
@ -119,7 +121,7 @@ interface UseRoomReturn {
  setLocationRequestCallback: (callback: () => void) => void;
 }
-export function useRoom({ slug, userName, userEmoji, encryptIdDid }: UseRoomOptions): UseRoomReturn {
+export function useRoom({ slug, userName, userEmoji, encryptIdDid, authToken }: UseRoomOptions): UseRoomReturn {
  const [isConnected, setIsConnected] = useState(false);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
@ -182,12 +184,14 @@ export function useRoom({ slug, userName, userEmoji, encryptIdDid }: UseRoomOpti
    participantIdRef.current = participantId;
    const color = COLORS[Math.floor(Math.random() * COLORS.length)];
-    // Create sync instance
+    // Create sync instance (pass auth token for server-side access control)
    const sync = new RoomSync(
      slug,
      participantId,
      handleStateChange,
-      handleConnectionChange
+      handleConnectionChange,
      undefined,
      authToken
    );
    syncRef.current = sync;
--- a/src/lib/sync.ts
+++ b/src/lib/sync.ts
@ -106,19 +106,22 @@ export class RoomSync {
  private onLocationRequest: LocationRequestCallback | null = null;
  private participantId: string;
  private currentParticipant: ParticipantState | null = null;
  private authToken: string | null = null;
  constructor(
    slug: string,
    participantId: string,
    onStateChange: SyncCallback,
    onConnectionChange: ConnectionCallback,
-    onLocationRequest?: LocationRequestCallback
+    onLocationRequest?: LocationRequestCallback,
    authToken?: string | null
  ) {
    this.slug = slug;
    this.participantId = participantId;
    this.onStateChange = onStateChange;
    this.onConnectionChange = onConnectionChange;
    this.onLocationRequest = onLocationRequest || null;
    this.authToken = authToken || null;
    // Initialize or load state
    this.state = this.loadState() || this.createInitialState();
@ -215,7 +218,10 @@ export class RoomSync {
    }
    try {
-      this.ws = new WebSocket(`${syncUrl}/room/${this.slug}`);
+      const wsUrl = this.authToken
        ? `${syncUrl}/room/${this.slug}?token=${encodeURIComponent(this.authToken)}`
        : `${syncUrl}/room/${this.slug}`;
      this.ws = new WebSocket(wsUrl);
      this.ws.onopen = () => {
        console.log('Connected to sync server');
--- a/sync-server/server.js
+++ b/sync-server/server.js
@ -3,6 +3,7 @@ import { createServer } from 'http';
 import { parse } from 'url';
 import { randomUUID } from 'crypto';
 import webpush from 'web-push';
 import { verifyToken, extractTokenFromURL } from './verify-token.js';
 const PORT = process.env.PORT || 3001;
 const STALE_THRESHOLD_MS = 60 * 60 * 1000; // 1 hour
@ -25,7 +26,7 @@ if (VAPID_PUBLIC_KEY && VAPID_PRIVATE_KEY) {
 // Room state storage: Map<roomSlug, RoomState>
 const rooms = new Map();
-// Client tracking: Map<WebSocket, { roomSlug, participantId }>
+// Client tracking: Map<WebSocket, { roomSlug, participantId, claims, readOnly }>
 const clients = new Map();
 // Push subscriptions: Map<roomSlug, Set<subscription>>
@ -40,7 +41,9 @@ function getRoomState(slug) {
      createdAt: new Date().toISOString(),
      participants: {},
      waypoints: [],
-      lastActivity: Date.now()
+      lastActivity: Date.now(),
      visibility: 'public',    // public | public_read | authenticated | members_only
      ownerDID: null,
    });
  }
  const room = rooms.get(slug);
@ -48,6 +51,41 @@ function getRoomState(slug) {
  return room;
 }
 /**
 * Evaluate whether a connection should be allowed based on room visibility.
 * Returns { allowed, readOnly, reason }
 */
 function evaluateRoomAccess(room, claims, isRead = false) {
  const { visibility, ownerDID } = room;
  const isOwner = !!(claims && ownerDID && (claims.sub === ownerDID || claims.did === ownerDID));
  if (visibility === 'public') {
    return { allowed: true, readOnly: false, isOwner };
  }
  if (visibility === 'public_read') {
    // Everyone can connect, but writes require auth
    return { allowed: true, readOnly: !claims, isOwner };
  }
  if (visibility === 'authenticated') {
    if (!claims) {
      return { allowed: false, readOnly: false, isOwner: false, reason: 'Authentication required' };
    }
    return { allowed: true, readOnly: false, isOwner };
  }
  if (visibility === 'members_only') {
    if (!claims) {
      return { allowed: false, readOnly: false, isOwner: false, reason: 'Authentication required' };
    }
    // Further membership checks could be added here
    return { allowed: true, readOnly: false, isOwner };
  }
  return { allowed: false, readOnly: false, isOwner: false, reason: 'Unknown visibility' };
 }
 function cleanupStaleParticipants(room) {
  const now = Date.now();
  const staleIds = [];
@ -130,6 +168,13 @@ function handleMessage(ws, data) {
  const room = getRoomState(clientInfo.roomSlug);
  // Block write operations from readOnly connections
  const writeOps = ['join', 'leave', 'location', 'status', 'waypoint_add', 'waypoint_remove'];
  if (clientInfo.readOnly && writeOps.includes(message.type)) {
    ws.send(JSON.stringify({ type: 'error', error: 'Read-only access — authenticate to interact' }));
    return;
  }
  switch (message.type) {
    case 'join': {
      const participant = {
@ -358,7 +403,7 @@ async function parseJsonBody(req) {
 function addCorsHeaders(res) {
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-  res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
 }
 // Create HTTP server for health checks and push subscription endpoints
@ -469,6 +514,53 @@ const server = createServer(async (req, res) => {
      res.writeHead(500, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify({ error: 'Failed to send test' }));
    }
  } else if (pathname?.startsWith('/room/') && pathname.endsWith('/config') && req.method === 'POST') {
    // Set room visibility and config (requires auth + ownership)
    try {
      const roomSlug = pathname.replace('/room/', '').replace('/config', '');
      const body = await parseJsonBody(req);
      const authHeader = req.headers['authorization'] || '';
      const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : null;
      const claims = token ? await verifyToken(token) : null;
      if (!claims) {
        res.writeHead(401, { 'Content-Type': 'application/json' });
        res.end(JSON.stringify({ error: 'Authentication required' }));
        return;
      }
      const room = getRoomState(roomSlug);
      // Only the owner (or first authenticated user) can change room config
      if (room.ownerDID && room.ownerDID !== claims.sub && room.ownerDID !== claims.did) {
        res.writeHead(403, { 'Content-Type': 'application/json' });
        res.end(JSON.stringify({ error: 'Only the room owner can change settings' }));
        return;
      }
      // Set owner if not set
      if (!room.ownerDID) {
        room.ownerDID = claims.sub || claims.did;
      }
      const validVisibilities = ['public', 'public_read', 'authenticated', 'members_only'];
      if (body.visibility && validVisibilities.includes(body.visibility)) {
        room.visibility = body.visibility;
      }
      if (body.name) {
        room.name = body.name;
      }
      res.writeHead(200, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify({
        success: true,
        room: { slug: room.slug, visibility: room.visibility, ownerDID: room.ownerDID, name: room.name }
      }));
    } catch (error) {
      console.error('Room config error:', error);
      res.writeHead(500, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify({ error: 'Failed to update room config' }));
    }
  } else if (pathname === '/push/request-location' && req.method === 'POST') {
    // Manually trigger location request for a room or specific participant
    // Uses WebSocket for online clients, push for offline/background
@ -577,7 +669,7 @@ const server = createServer(async (req, res) => {
 // Create WebSocket server
 const wss = new WebSocketServer({ server });
-wss.on('connection', (ws, req) => {
+wss.on('connection', async (ws, req) => {
  const { pathname } = parse(req.url);
  // Extract room slug from path: /room/{slug}
@ -589,10 +681,37 @@ wss.on('connection', (ws, req) => {
  }
  const roomSlug = decodeURIComponent(match[1]);
  console.log(`New connection to room: ${roomSlug}`);
-  // Register client
+  // Extract and verify auth token from query string
-  clients.set(ws, { roomSlug, participantId: null });
+  const token = extractTokenFromURL(req.url);
  let claims = null;
  if (token) {
    claims = await verifyToken(token);
    if (claims) {
      console.log(`[${roomSlug}] Authenticated connection: ${claims.username || claims.sub}`);
    }
  }
  // Check room access based on visibility
  const room = getRoomState(roomSlug);
  const access = evaluateRoomAccess(room, claims);
  if (!access.allowed) {
    console.log(`[${roomSlug}] Connection rejected: ${access.reason}`);
    ws.close(4001, access.reason || 'Access denied');
    return;
  }
  console.log(`New connection to room: ${roomSlug}${access.readOnly ? ' (read-only)' : ''}`);
  // Register client with auth info
  clients.set(ws, { roomSlug, participantId: null, claims, readOnly: access.readOnly });
  // If authenticated and room has no owner, set this user as owner
  if (claims && !room.ownerDID && Object.keys(room.participants).length === 0) {
    room.ownerDID = claims.sub || claims.did;
    console.log(`[${roomSlug}] Room owner set to: ${room.ownerDID}`);
  }
  // Set up handlers
  ws.on('message', (data) => handleMessage(ws, data.toString()));
--- a/sync-server/verify-token.js
+++ b/sync-server/verify-token.js
@ -0,0 +1,52 @@
 /**
 * Lightweight EncryptID JWT verification for the sync server.
 *
 * Verifies tokens by calling the EncryptID server's /api/session/verify endpoint.
 * No dependencies required — uses Node.js built-in fetch.
 */
 const ENCRYPTID_SERVER_URL = process.env.ENCRYPTID_SERVER_URL || 'https://encryptid.jeffemmett.com';
 /**
 * Verify an EncryptID JWT token by calling the EncryptID server.
 * @param {string} token - The JWT token to verify
 * @returns {Promise<object|null>} The claims if valid, null otherwise
 */
 export async function verifyToken(token) {
  if (!token) return null;
  try {
    const res = await fetch(`${ENCRYPTID_SERVER_URL.replace(/\/$/, '')}/api/session/verify`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ token }),
      signal: AbortSignal.timeout(5000),
    });
    if (!res.ok) return null;
    const data = await res.json();
    if (data.valid) {
      return data.claims || {};
    }
    return null;
  } catch (error) {
    console.error('Token verification failed:', error.message);
    return null;
  }
 }
 /**
 * Extract token from a URL query string.
 * @param {string} url - The full URL or path with query string
 * @returns {string|null} The token or null
 */
 export function extractTokenFromURL(url) {
  try {
    // parse handles both full URLs and just paths with query strings
    const searchParams = new URL(url, 'http://localhost').searchParams;
    return searchParams.get('token') || null;
  } catch {
    return null;
  }
 }