Version protocol handshake & backwards compatibility #1150

Author: joepio

browser/lib/src/client.ts

@@ -32,6 +32,8 @@ const isFileLike = (file: FileOrFileLike): file is FileLike =>
   'blob' in file && 'name' in file;
 
 const JSON_AD_MIME = 'application/ad+json';
+const ATOMIC_SERVER_VERSION_HEADER = 'X-Atomic-Server-Version';
+const MIN_DID_AUTH_SERVER_MINOR = 40;
 
 interface FetchResourceOptions extends ParseOpts {
   /**
@@ -65,6 +67,9 @@ interface HTTPResourceResult {
 /** Contains a `fetch` instance, provides methods to GET and POST several types */
 export class Client {
   private __fetchOverride?: typeof fetch;
+  private warnedDidAuthCompatibilityOrigins = new Set<string>();
+  private supportsDidAuthByOrigin = new Map<string, boolean>();
+  private serverVersionByOrigin = new Map<string, string>();
 
   public constructor(fetchOverride?: typeof fetch) {
     if (fetchOverride) {
@@ -164,19 +169,25 @@ export class Client {
 
       // Sign the request with the actual URL being fetched (not the raw DID
       // subject) since the server verifies against the full HTTP URL.
-      if (signInfo && !subject.startsWith('https://atomicdata.dev')) {
-        // Cookies only work in browsers for same-origin requests right now
-        // https://github.com/atomicdata-dev/atomic-data-browser/issues/253
-        if (hasBrowserAPI() && subject.startsWith(window.location.origin)) {
-          if (!checkAuthenticationCookie()) {
-            setCookieAuthentication(signInfo.serverURL, signInfo.agent);
+      if (signInfo) {
+        if (
+          this.shouldSkipDidAuthForLegacyServer(url, signInfo.agent.subject)
+        ) {
+          this.warnDidAuthCompatibility(url);
+        } else if (!subject.startsWith('https://atomicdata.dev')) {
+          // Cookies only work in browsers for same-origin requests right now
+          // https://github.com/atomicdata-dev/atomic-data-browser/issues/253
+          if (hasBrowserAPI() && subject.startsWith(window.location.origin)) {
+            if (!checkAuthenticationCookie()) {
+              setCookieAuthentication(signInfo.serverURL, signInfo.agent);
+            }
+          } else {
+            requestHeaders = await signRequest(
+              url,
+              signInfo.agent,
+              requestHeaders,
+            );
           }
-        } else {
-          requestHeaders = await signRequest(
-            url,
-            signInfo.agent,
-            requestHeaders,
-          );
         }
       }
 
@@ -191,6 +202,7 @@ export class Client {
         method: method ?? 'GET',
         body: bodyReq,
       });
+      this.recordServerVersionFromResponse(url, response);
       const body = await response.text();
 
       if (response.status === 200) {
@@ -323,4 +335,112 @@ export class Client {
 
     return fetch(...params);
   }
+
+  /**
+   * Legacy servers (<0.40) cannot verify DID-based auth for cross-origin
+   * requests. We default to legacy compatibility unless a custom handshake is
+   * implemented elsewhere.
+   */
+  private shouldSkipDidAuthForLegacyServer(
+    url: string,
+    agentSubject?: string,
+  ): boolean {
+    if (!agentSubject?.startsWith('did:ad:')) {
+      return false;
+    }
+
+    if (!hasBrowserAPI()) {
+      return false;
+    }
+
+    const requestOrigin = this.tryGetOrigin(url);
+
+    if (!requestOrigin) {
+      return false;
+    }
+
+    if (requestOrigin === window.location.origin) {
+      return false;
+    }
+
+    const supportsDidAuth = this.supportsDidAuthByOrigin.get(requestOrigin);
+
+    // Legacy-safe default: if we don't know this origin yet, assume <0.40.
+    return supportsDidAuth !== true;
+  }
+
+  private warnDidAuthCompatibility(url: string): void {
+    if (!hasBrowserAPI()) {
+      return;
+    }
+
+    const origin = this.tryGetOrigin(url);
+
+    if (!origin) {
+      return;
+    }
+
+    if (this.warnedDidAuthCompatibilityOrigins.has(origin)) {
+      return;
+    }
+
+    const version = this.serverVersionByOrigin.get(origin);
+    const reason = version
+      ? `server version '${version}' does not support DID auth`
+      : `server version unknown (assuming <0.40)`;
+
+    this.warnedDidAuthCompatibilityOrigins.add(origin);
+    console.warn(
+      `[atomic-lib] Skipping signed auth request for DID agent on cross-origin request to '${origin}': ${reason}.`,
+    );
+  }
+
+  private recordServerVersionFromResponse(
+    url: string,
+    response: Response,
+  ): void {
+    const version = response.headers.get(ATOMIC_SERVER_VERSION_HEADER);
+
+    if (!version) {
+      return;
+    }
+
+    const origin = this.tryGetOrigin(url);
+
+    if (!origin) {
+      return;
+    }
+
+    this.serverVersionByOrigin.set(origin, version);
+    this.supportsDidAuthByOrigin.set(
+      origin,
+      this.versionSupportsDidAuth(version),
+    );
+  }
+
+  private versionSupportsDidAuth(version: string): boolean {
+    const match = version.match(/^(\d+)\.(\d+)(?:\.(\d+))?/);
+
+    if (!match) {
+      return false;
+    }
+
+    const major = Number.parseInt(match[1], 10);
+    const minor = Number.parseInt(match[2], 10);
+
+    if (Number.isNaN(major) || Number.isNaN(minor)) {
+      return false;
+    }
+
+    return major > 0 || (major === 0 && minor >= MIN_DID_AUTH_SERVER_MINOR);
+  }
+
+  private tryGetOrigin(url: string): string | undefined {
+    try {
+      return new URL(url, hasBrowserAPI() ? window.location.origin : undefined)
+        .origin;
+    } catch {
+      return undefined;
+    }
+  }
 }

browser/lib/src/websockets.ts

@@ -1,4 +1,5 @@
 import { createAuthentication } from './authentication.js';
+import { hasBrowserAPI } from './hasBrowserAPI.js';
 import { parseAndApplyCommit } from './index.js';
 import { JSONADParser } from './parse.js';
 import type { Resource } from './resource.js';
@@ -115,6 +116,19 @@ export class WSClient {
       return;
     }
 
+    // Legacy-safe fallback: remote servers may not support DID-based websocket auth.
+    if (
+      agent.subject.startsWith('did:ad:') &&
+      hasBrowserAPI() &&
+      !this.isSameOriginWebSocket()
+    ) {
+      console.warn(
+        `Skipping websocket authentication for DID agent on cross-origin socket ${this.ws.url}. Assuming legacy server compatibility (<0.40).`,
+      );
+
+      return;
+    }
+
     await this.openPromise;
 
     if (this.authenticatedWith === agent.subject) {
@@ -306,4 +320,18 @@ export class WSClient {
       this.ws.addEventListener('message', listener);
     });
   }
+
+  private isSameOriginWebSocket(): boolean {
+    if (!hasBrowserAPI()) {
+      return true;
+    }
+
+    try {
+      const wsOrigin = new URL(this.ws.url).origin;
+
+      return wsOrigin === window.location.origin;
+    } catch {
+      return false;
+    }
+  }
 }

server/src/serve.rs

@@ -113,6 +113,8 @@ fn spawn_dht_announcer(appstate: crate::appstate::AppState) {
 
 // Increase the maximum payload size (for POSTing a body, for example) to 50MB
 const PAYLOAD_MAX: usize = 50_242_880;
+const SERVER_VERSION_HEADER: &str = "X-Atomic-Server-Version";
+const SERVER_VERSION: &str = env!("CARGO_PKG_VERSION");
 
 /// Start the server
 pub async fn serve(config: crate::config::Config) -> AtomicServerResult<()> {
@@ -140,6 +142,10 @@ pub async fn serve(config: crate::config::Config) -> AtomicServerResult<()> {
             .app_data(web::PayloadConfig::new(PAYLOAD_MAX))
             .app_data(web::Data::new(appstate.clone()))
             .wrap(cors)
+            .wrap(
+                middleware::DefaultHeaders::new()
+                    .add((SERVER_VERSION_HEADER, SERVER_VERSION)),
+            )
             .wrap(tracing_actix_web::TracingLogger::default())
             .wrap(middleware::Compress::default())
             // Here are the actual handlers / endpoints