devlooped · kzu · Jun 8, 2024 · Jun 8, 2024
diff --git a/src/Web/SponsorLink.Legacy.cs b/src/Web/SponsorLink.Legacy.cs
@@ -0,0 +1,13 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Azure.Functions.Worker;
+
+partial class SponsorLink
+{
+    /// <summary>
+    /// Backwards compatibility for pre-beta endpoint.
+    /// </summary>
+    [Function("sync")]
+    public IActionResult LegacySyncAsync([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "sync")] HttpRequest req)
+        => new RedirectResult("me", true, true);
+}
diff --git a/src/Web/SponsorLink.cs b/src/Web/SponsorLink.cs
@@ -12,17 +12,21 @@
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
 
 namespace Devlooped.Sponsors;
 
 /// <summary>
 /// Returns a JWT or JSON manifest of the authenticated user's claims.
 /// </summary>
-class SponsorLink(IConfiguration configuration, IHttpClientFactory httpFactory, SponsorsManager sponsors, RSA rsa, IOptions<SponsorLinkOptions> options, IWebHostEnvironment host, ILogger<SponsorLink> logger)
+partial class SponsorLink(IConfiguration configuration, IHttpClientFactory httpFactory, SponsorsManager sponsors, RSA rsa, IOptions<SponsorLinkOptions> options, IWebHostEnvironment host, ILogger<SponsorLink> logger)
 {
     SponsorLinkOptions options = options.Value;
 
-    [Function("me")]
+    /// <summary>
+    /// Helper to visualize the user's claims and the request/response headers as available to the backend.
+    /// </summary>
+    [Function("user")]
     public async Task<IActionResult> UserAsync([HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequest req)
     {
         if (!configuration.TryGetClientId(logger, out var clientId))
@@ -98,8 +102,8 @@ public async Task<IActionResult> GetStatus([HttpTrigger(AuthorizationLevel.Anony
     /// <summary>
     /// Depending on the Accept header, returns a JWT or JSON manifest of the authenticated user's claims.
     /// </summary>
-    [Function("sync")]
-    public async Task<IActionResult> SyncAsync([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "sync")] HttpRequest req)
+    [Function("me-get")]
+    public async Task<IActionResult> SyncAsync([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "me")] HttpRequest req)
     {
         if (!configuration.TryGetClientId(logger, out var clientId))
             return new StatusCodeResult(500);
@@ -110,7 +114,7 @@ public async Task<IActionResult> SyncAsync([HttpTrigger(AuthorizationLevel.Anony
             // or the token-based principal population won't work.
             // Never redirect requests for JWT, as they are likely from a CLI or other non-browser client.
             if (!req.Headers.Accept.Contains("application/jwt") && !string.IsNullOrEmpty(clientId))
-                return new RedirectResult($"https://github.com/login/oauth/authorize?client_id={clientId}&scope=read:user%20read:org%20user:email&redirect_uri=https://{req.Headers["Host"]}/.auth/login/github/callback&state=redir=/sync");
+                return new RedirectResult($"https://github.com/login/oauth/authorize?client_id={clientId}&scope=read:user%20read:org%20user:email&redirect_uri=https://{req.Headers["Host"]}/.auth/login/github/callback&state=redir=/me");
 
             logger.LogError("Ensure GitHub identity provider is configured for the functions app.");
 
@@ -171,13 +175,13 @@ public async Task<IActionResult> SyncAsync([HttpTrigger(AuthorizationLevel.Anony
         };
     }
 
-    [Function("delete")]
-    public IActionResult Delete([HttpTrigger(AuthorizationLevel.Anonymous, "delete", Route = "sync")] HttpRequest req)
+    [Function("me-delete")]
+    public IActionResult Delete([HttpTrigger(AuthorizationLevel.Anonymous, "delete", Route = "me")] HttpRequest req)
     {
-        if (!configuration.TryGetClientId(logger, out var clientId))
+        if (!configuration.TryGetClientId(logger, out _))
             return new StatusCodeResult(500);
 
-        if (ClaimsPrincipal.Current is not { Identity.IsAuthenticated: true } principal)
+        if (ClaimsPrincipal.Current is not { Identity.IsAuthenticated: true })
             return new UnauthorizedResult();
 
         logger.LogInformation("We don't persist anything, so there's nothing to delete :)");

diff --git a/src/Web/Version.cs b/src/Web/Version.cs
@@ -26,8 +26,7 @@ public async Task<IActionResult> GetStatus([HttpTrigger(AuthorizationLevel.Anony
         var json = jwt.Payload.SerializeToJson();
         var doc = JsonDocument.Parse(json);
 
-        var pubKey = Convert.ToBase64String(rsa.ExportRSAPublicKey());
-        if (pubKey != manifest.PublicKey)
+        if (!rsa.ThumbprintEquals(manifest.SecurityKey))
         {
             logger.LogError($"Configured private key 'SponsorLink:{nameof(SponsorLinkOptions.PrivateKey)}' does not match the manifest public key.");
             return new StatusCodeResult(500);
@@ -59,37 +58,4 @@ public IActionResult GetVersion([HttpTrigger(AuthorizationLevel.Anonymous, "get"
             StatusCode = 200,
         };
     }
-
-    [Function("pub")]
-    public IActionResult GetPublicKey([HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequest req)
-    {
-        if (options.PublicKey is not { Length: > 0 } key)
-        {
-            logger.LogError($"Missing required configuration 'SponsorLink:{nameof(SponsorLinkOptions.PublicKey)}'");
-            return new StatusCodeResult(500);
-        }
-
-        if (req.GetTypedHeaders().Accept?.Any(x =>
-                x.MediaType == "application/json" ||
-                x.MediaType == "application/jwk+json") == true)
-        {
-            var rsa = RSA.Create();
-            rsa.ImportRSAPublicKey(Convert.FromBase64String(key), out _);
-            return new ContentResult
-            {
-                Content = JsonSerializer.Serialize(
-                    JsonWebKeyConverter.ConvertFromRSASecurityKey(new RsaSecurityKey(rsa.ExportParameters(false))),
-                    JsonOptions.JsonWebKey),
-                ContentType = "application/jwk+json",
-                StatusCode = 200,
-            };
-        }
-
-        return new ContentResult
-        {
-            Content = key,
-            ContentType = "text/plain",
-            StatusCode = 200,
-        };
-    }
 }