Add logout endpoint and shared secret for API access

example-config.yaml

@@ -37,6 +37,10 @@ appservice:
         # The base URL where the public-facing endpoints are available. The prefix is not added
         # implicitly.
         external: https://example.com/public
+        # Shared secret for integration managers such as Dimension.
+        # If set to "generate", a random string will be generated on the next startup.
+        # If null, integration manager access to the API will not be possible.
+        shared_secret: generate
 
     # The unique ID of this appservice.
     id: facebook

mautrix_facebook/__main__.py

@@ -55,7 +55,7 @@ class MessengerBridge(Bridge):
         self._prepare_website()
 
     def _prepare_website(self) -> None:
-        self.public_website = PublicBridgeWebsite()
+        self.public_website = PublicBridgeWebsite(self.config["appservice.public.shared_secret"])
         self.az.app.add_subapp(self.config["appservice.public.prefix"], self.public_website.app)
 
     def prepare_shutdown(self) -> None:

mautrix_facebook/config.py

@@ -40,6 +40,10 @@ class Config(BaseBridgeConfig):
         copy("appservice.public.enabled")
         copy("appservice.public.prefix")
         copy("appservice.public.external")
+        if self["appservice.public.shared_secret"] == "generate":
+            base["appservice.public.shared_secret"] = self._new_token()
+        else:
+            copy("appservice.public.shared_secret")
 
         copy("bridge.username_template")
         copy("bridge.displayname_template")
@@ -56,13 +60,13 @@ class Config(BaseBridgeConfig):
 
         copy_dict("bridge.permissions")
 
-    def _get_permissions(self, key: str) -> Tuple[bool, bool]:
+    def _get_permissions(self, key: str) -> Tuple[bool, bool, str]:
         level = self["bridge.permissions"].get(key, "")
         admin = level == "admin"
         user = level == "user" or admin
-        return user, admin
+        return user, admin, level
 
-    def get_permissions(self, mxid: UserID) -> Tuple[bool, bool]:
+    def get_permissions(self, mxid: UserID) -> Tuple[bool, bool, str]:
         permissions = self["bridge.permissions"] or {}
         if mxid in permissions:
             return self._get_permissions(mxid)

mautrix_facebook/user.py

@@ -48,6 +48,7 @@ class User(Client):
     command_status: Optional[Dict[str, Any]]
     is_whitelisted: bool
     is_admin: bool
+    permission_level: str
     _is_logged_in: Optional[bool]
     _session_data: Optional[SimpleCookie]
     _db_instance: Optional[DBUser]
@@ -62,7 +63,7 @@ class User(Client):
         self.by_mxid[mxid] = self
         self.user_agent = user_agent
         self.command_status = None
-        self.is_whitelisted, self.is_admin = config.get_permissions(mxid)
+        self.is_whitelisted, self.is_admin, self.permission_level = config.get_permissions(mxid)
         self._is_logged_in = None
         self._session_data = session
         self._db_instance = db_instance

mautrix_facebook/web/public.py

@@ -13,7 +13,7 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
-from typing import Optional
+from typing import Optional, Dict
 from http.cookies import SimpleCookie
 import logging
 import random
@@ -23,25 +23,32 @@ import json
 
 from aiohttp import web
 import pkg_resources
+import attr
+
+from fbchat import User as FBUser
 
 from mautrix.types import UserID
 from mautrix.util.signed_token import verify_token
 
-from .. import user as u
+from .. import user as u, puppet as pu
 
 
 class PublicBridgeWebsite:
-    log: logging.Logger = logging.getLogger("ma.web.public")
+    log: logging.Logger = logging.getLogger("mau.web.public")
     app: web.Application
     secret_key: str
+    shared_secret: str
 
-    def __init__(self) -> None:
+    def __init__(self, shared_secret: str) -> None:
         self.app = web.Application()
         self.secret_key = "".join(random.choices(string.ascii_lowercase + string.digits, k=64))
-        self.app.router.add_static("/", pkg_resources.resource_filename("mautrix_facebook",
-                                                                        "web/static/"))
+        self.shared_secret = shared_secret
+        self.app.router.add_get("/api/whoami", self.status)
         self.app.router.add_options("/api/login", self.login_options)
         self.app.router.add_post("/api/login", self.login)
+        self.app.router.add_post("/api/logout", self.login)
+        self.app.router.add_static("/", pkg_resources.resource_filename("mautrix_facebook",
+                                                                        "web/static/"))
 
     def verify_token(self, token: str) -> Optional[UserID]:
         token = verify_token(self.secret_key, token)
@@ -49,40 +56,69 @@ class PublicBridgeWebsite:
             return UserID(token.get("mxid"))
         return None
 
-    @staticmethod
-    async def login_options(_: web.Request) -> web.Response:
-        return web.Response(status=200, headers={
+    @property
+    def _headers(self) -> Dict[str, str]:
+        return {
             "Access-Control-Allow-Origin": "*",
             "Access-Control-Allow-Headers": "Authorization, Content-Type",
             "Access-Control-Allow-Methods": "POST, OPTIONS",
-        })
+            "Content-Type": "application/json",
+        }
 
-    async def login(self, request: web.Request) -> web.Response:
-        headers = (await self.login_options(request)).headers
+    async def login_options(self, _: web.Request) -> web.Response:
+        return web.Response(status=200, headers=self._headers)
+
+    def check_token(self, request: web.Request) -> Optional['u.User']:
         try:
             token = request.headers["Authorization"]
             token = token[len("Bearer "):]
-            user_id = self.verify_token(token)
         except KeyError:
-            return web.json_response({"error": "Missing Authorization header"}, status=403,
-                                     headers=headers)
+            raise web.HTTPBadRequest(body='{"error": "Missing Authorization header"}',
+                                     headers=self._headers)
         except IndexError:
-            return web.json_response({"error": "Malformed Authorization header"}, status=401,
-                                     headers=headers)
-        if not user_id:
-            return web.json_response({"error": "Invalid token"}, status=401, headers=headers)
+            raise web.HTTPBadRequest(body='{"error": "Malformed Authorization header"}',
+                                     headers=self._headers)
+        if self.shared_secret and token == self.shared_secret:
+            try:
+                user_id = request.query["user_id"]
+            except KeyError:
+                raise web.HTTPBadRequest(body='{"error": "Missing user_id query param"}',
+                                         headers=self._headers)
+        else:
+            user_id = self.verify_token(token)
+            if not user_id:
+                raise web.HTTPForbidden(body='{"error": "Invalid token"}', headers=self._headers)
+
+        user = u.User.get_by_mxid(user_id)
+        return user
+
+    async def status(self, request: web.Request) -> web.Response:
+        print("HI")
+        user = self.check_token(request)
+        data = {
+            "permissions": user.permission_level,
+            "mxid": user.mxid,
+            "facebook": None,
+        }
+        if await user.is_logged_in():
+            info: FBUser = (await user.fetch_user_info(user.fbid))[user.fbid]
+            data["facebook"] = attr.asdict(info)
+        return web.json_response(data)
+
+    async def login(self, request: web.Request) -> web.Response:
+        user = self.check_token(request)
 
         try:
             user_agent = request.headers["User-Agent"]
         except KeyError:
             return web.json_response({"error": "Missing User-Agent header"}, status=400,
-                                     headers=headers)
+                                     headers=self._headers)
         try:
             data = await request.json()
         except json.JSONDecodeError:
-            return web.json_response({"error": "Malformed JSON"}, status=400, headers=headers)
+            return web.json_response({"error": "Malformed JSON"}, status=400,
+                                     headers=self._headers)
 
-        user = u.User.get_by_mxid(user_id)
         cookie = SimpleCookie()
         cookie["c_user"] = data["c_user"]
         cookie["xs"] = data["xs"]
@@ -91,8 +127,17 @@ class PublicBridgeWebsite:
         ok = await user.set_session(cookie, user_agent) and await user.is_logged_in(True)
         if not ok:
             return web.json_response({"error": "Facebook authorization failed"}, status=401,
-                                     headers=headers)
+                                     headers=self._headers)
         await user.on_logged_in(data["c_user"])
         if user.command_status and user.command_status.get("action") == "Login":
             user.command_status = None
-        return web.json_response({}, status=200, headers=headers)
+        return web.json_response({}, status=200, headers=self._headers)
+
+    async def logout(self, request: web.Request) -> web.Response:
+        user = self.check_token(request)
+
+        puppet = pu.Puppet.get_by_fbid(user.uid)
+        await user.logout()
+        if puppet.is_real_user:
+            await puppet.switch_mxid(None, None)
+        return web.json_response({})