feat: add Humanode verification callback (#466)

Add a Humanode OAuth callback that will give a "free storage with no
credit card" plan to a user who uses Humanode to prove they are a unique
person.

<img width="1220" alt="Screenshot 2025-04-10 at 3 42 22 PM"
src="https://github.com/user-attachments/assets/3ae37e80-dd0c-4348-8ad2-1761ce4213cb"
/>
<img width="1220" alt="Screenshot 2025-04-10 at 3 43 09 PM"
src="https://github.com/user-attachments/assets/dddcc6da-2863-465f-9c1c-808f40a172e1"
/>
<img width="1225" alt="Screenshot 2025-04-10 at 3 44 11 PM"
src="https://github.com/user-attachments/assets/30f13cd5-4c52-4858-84ad-738d9b658c6d"
/>
<img width="1220" alt="Screenshot 2025-04-10 at 3 43 19 PM"
src="https://github.com/user-attachments/assets/b56609c3-ea21-4e15-a09a-12c3f9c71a95"
/>

The one remaining concern I have with this code is the duplication in
the templates - we now have 4 blobs of HTML like this across the two
OAuth handlers and I'm not sure the best way to consolidate - any
thoughts @alanshaw ?

Author: travis

.env.tpl

@@ -75,3 +75,6 @@ INTEGRATION_TESTS_STORAGE_PROVIDER_PROOF = ''
 # Optional - custom gateway to authorize in integration tests (defaults to staging)
 INTEGRATION_TESTS_GATEWAY_DID = ''
 INTEGRATION_TESTS_GATEWAY_ENDPOINT = ''
+
+HUMANODE_TOKEN_ENDPOINT='https://auth.demo-storacha-2025-03-31.oauth2.humanode.io/oauth2/token'
+HUMANODE_CLIENT_ID='e9756297-b2d1-4bbe-a139-a9ad1cdc43ee'

package.json

@@ -69,6 +69,7 @@
   },
   "dependencies": {
     "aws-cdk-lib": "catalog:",
+    "jwt-decode": "^4.0.0",
     "sst": "catalog:"
   },
   "simple-git-hooks": {

pnpm-lock.yaml

@@ -43,7 +43,7 @@ export function UploadApiStack({ stack, app }) {
 
   // Get references to constructs created in other stacks
   const { carparkBucket } = use(CarparkStack)
-  const { allocationTable, blobRegistryTable, storeTable, uploadTable, delegationBucket, delegationTable, revocationTable, adminMetricsTable, spaceMetricsTable, consumerTable, subscriptionTable, storageProviderTable, rateLimitTable, pieceTable, privateKey, indexingServiceProof, githubClientSecret } = use(UploadDbStack)
+  const { allocationTable, blobRegistryTable, humanodeTable, storeTable, uploadTable, delegationBucket, delegationTable, revocationTable, adminMetricsTable, spaceMetricsTable, consumerTable, subscriptionTable, storageProviderTable, rateLimitTable, pieceTable, privateKey, indexingServiceProof, githubClientSecret, humanodeClientSecret } = use(UploadDbStack)
   const { agentIndexBucket, agentMessageBucket, ucanStream } = use(UcanInvocationStack)
   const { customerTable, spaceDiffTable, spaceSnapshotTable, egressTrafficTable, stripeSecretKey } = use(BillingDbStack)
   const { pieceOfferQueue, filecoinSubmitQueue } = use(FilecoinStack)
@@ -70,6 +70,7 @@ export function UploadApiStack({ stack, app }) {
           permissions: [
             allocationTable, // legacy
             blobRegistryTable,
+            humanodeTable,
             storeTable, // legacy
             uploadTable,
             customerTable,
@@ -105,6 +106,7 @@ export function UploadApiStack({ stack, app }) {
             UPLOAD_TABLE_NAME: uploadTable.tableName,
             CONSUMER_TABLE_NAME: consumerTable.tableName,
             CUSTOMER_TABLE_NAME: customerTable.tableName,
+            HUMANODE_TABLE_NAME: humanodeTable.tableName,
             SUBSCRIPTION_TABLE_NAME: subscriptionTable.tableName,
             SPACE_METRICS_TABLE_NAME: spaceMetricsTable.tableName,
             ADMIN_METRICS_TABLE_NAME: adminMetricsTable.tableName,
@@ -151,12 +153,15 @@ export function UploadApiStack({ stack, app }) {
             HOSTED_ZONE: hostedZone ?? '',
             GITHUB_CLIENT_ID: process.env.GITHUB_CLIENT_ID ?? '',
             PRINCIPAL_MAPPING: process.env.PRINCIPAL_MAPPING ?? '',
+            HUMANODE_TOKEN_ENDPOINT: process.env.HUMANODE_TOKEN_ENDPOINT ?? '',
+            HUMANODE_CLIENT_ID: process.env.HUMANODE_CLIENT_ID ?? ''
           },
           bind: [
             privateKey,
             ucanInvocationPostbasicAuth,
             stripeSecretKey,
             githubClientSecret,
+            humanodeClientSecret,
             indexingServiceProof,
           ]
         }
@@ -177,6 +182,7 @@ export function UploadApiStack({ stack, app }) {
         'GET /metrics/{proxy+}': 'upload-api/functions/metrics.handler',
         'GET /sample': 'upload-api/functions/sample.handler',
         'GET /oauth/callback': 'upload-api/functions/oauth-callback.handler',
+        'GET /oauth/humanode/callback': 'upload-api/functions/oauth-humanode-callback.handler',
       },
       accessLog: {
         format:'{"requestTime":"$context.requestTime","requestId":"$context.requestId","httpMethod":"$context.httpMethod","path":"$context.path","routeKey":"$context.routeKey","status":$context.status,"responseLatency":$context.responseLatency,"integrationRequestId":"$context.integration.requestId","integrationStatus":"$context.integration.status","integrationLatency":"$context.integration.latency","integrationServiceStatus":"$context.integration.integrationStatus","ip":"$context.identity.sourceIp","userAgent":"$context.identity.userAgent"}'

stacks/upload-api-stack.js

@@ -12,7 +12,8 @@ import {
   rateLimitTableProps,
   adminMetricsTableProps,
   spaceMetricsTableProps,
-  storageProviderTableProps
+  storageProviderTableProps,
+  humanodeTableProps
 } from '../upload-api/tables/index.js'
 import {
   pieceTableProps
@@ -34,6 +35,9 @@ export function UploadDbStack({ stack, app }) {
   const indexingServiceProof = new Config.Secret(stack, 'INDEXING_SERVICE_PROOF')
 
   const githubClientSecret = new Config.Secret(stack, 'GITHUB_CLIENT_SECRET')
+  const humanodeClientSecret = new Config.Secret(stack, 'HUMANODE_CLIENT_SECRET')
+
+  const humanodeTable = new Table(stack, 'humanode', humanodeTableProps)
 
   /**
    * The allocation table tracks allocated multihashes per space.
@@ -122,6 +126,7 @@ export function UploadDbStack({ stack, app }) {
   return {
     allocationTable,
     blobRegistryTable,
+    humanodeTable,
     storeTable,
     uploadTable,
     pieceTable,
@@ -136,6 +141,7 @@ export function UploadDbStack({ stack, app }) {
     storageProviderTable,
     privateKey,
     githubClientSecret,
+    humanodeClientSecret,
     indexingServiceProof,
   }
 }

stacks/upload-db-stack.js

@@ -0,0 +1,238 @@
+import { Config } from 'sst/node/config'
+import * as Sentry from '@sentry/serverless'
+import { base64url } from 'multiformats/bases/base64'
+import { Delegation, ok } from '@ucanto/core'
+import * as Validator from '@ucanto/validator'
+import { Verifier } from '@ucanto/principal'
+import * as Access from '@storacha/capabilities/access'
+import * as DidMailto from '@storacha/did-mailto'
+import { mustGetEnv } from '../../lib/env.js'
+import { createCustomerStore } from '../../billing/tables/customer.js'
+import { getServiceSigner } from '../config.js'
+import { jwtDecode } from "jwt-decode"
+import { createHumanodesTable } from '../stores/humanodes.js'
+
+
+/**
+ * @import { Endpoints } from '@octokit/types'
+ * @import { Signer, Result } from '@ucanto/interface'
+ * @typedef {{
+ *   getOAuthAccessToken: (params: { code: string }) => Promise<Result<{ access_token: string }>>
+ *   getUser: (params: { accessToken: string }) => Promise<Result<Endpoints['GET /user']['response']['data']>>
+ *   getUserEmails: (params: { accessToken: string }) => Promise<Result<Endpoints['GET /user/emails']['response']['data']>>
+ * }} GitHub
+ * @typedef {{
+ *   serviceSigner: Signer
+ *   customerStore: import('../../billing/lib/api.js').CustomerStore
+ *   humanodeStore: import('../types.js').HumanodeStore
+ * }} Context
+ */
+
+Sentry.AWSLambda.init({
+  environment: process.env.SST_STAGE,
+  dsn: process.env.SENTRY_DSN,
+  tracesSampleRate: 0,
+})
+
+const HUMANODE_TOKEN_ENDPOINT = mustGetEnv('HUMANODE_TOKEN_ENDPOINT')
+const HUMANODE_CLIENT_ID = mustGetEnv('HUMANODE_CLIENT_ID')
+const HUMANODE_CLIENT_SECRET = Config.HUMANODE_CLIENT_SECRET
+
+/**
+ * AWS HTTP Gateway handler for GET /oauth/humanode/callback.
+ *
+ * @param {import('aws-lambda').APIGatewayProxyEventV2} request
+ * @param {import('aws-lambda').Context} [context]
+ */
+export const oauthCallbackGet = async (request, context) => {
+  const {
+    serviceSigner,
+    customerStore,
+    humanodeStore
+  } = getContext(context?.clientContext?.Custom)
+
+  const code = request.queryStringParameters?.code
+  if (!code) {
+    console.error('missing code in query params')
+    return htmlResponse(400, getUnexpectedErrorResponseHTML('Query params are missing code'))
+  }
+
+  // fetch the auth token from Humanode
+  const tokenResponse = await fetch(HUMANODE_TOKEN_ENDPOINT, {
+    method: 'POST', body: new URLSearchParams(
+      {
+        client_id: HUMANODE_CLIENT_ID,
+        client_secret: HUMANODE_CLIENT_SECRET,
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: `https://${request.headers.host}${request.rawPath}`
+      }
+    )
+  })
+  const tokenResult = await tokenResponse.json()
+  const humanodeIdToken = jwtDecode(tokenResult.id_token)
+  const humanodeId = humanodeIdToken.sub
+  if (!humanodeId) {
+    console.error("humanodeId is not undefined, this is very strange")
+    return htmlResponse(500, getUnexpectedErrorResponseHTML('Failed to get Humanode ID'))
+  }
+
+  const existsResponse = await humanodeStore.exists(humanodeId)
+  if (existsResponse.error){
+    return htmlResponse(500, getUnexpectedErrorResponseHTML(existsResponse.error.message))
+  }
+  if (existsResponse.ok){
+    return htmlResponse(400, getDuplicateHumanodeResponseHTML())
+  }
+
+  // validate the access/authorize delegation and pull the customer email out of it
+  const extractRes = await Delegation.extract(base64url.decode(request.queryStringParameters?.state ?? ''))
+  if (extractRes.error) {
+    console.error('decoding access/authorize delegation', extractRes.error)
+    return htmlResponse(400, getUnexpectedErrorResponseHTML('Failed to decode access/authorization delegation.'))
+  }
+  const authRequest =
+    /** @type {import('@ucanto/interface').Invocation<import('@storacha/upload-api').AccessAuthorize>} */
+    (extractRes.ok)
+  const accessRes = await Validator.access(authRequest, {
+    capability: Access.authorize,
+    authority: serviceSigner,
+    principal: Verifier,
+    validateAuthorization: () => ok({})
+  })
+  if (accessRes.error) {
+    console.error('validating access/authorize delegation', accessRes.error)
+
+    return htmlResponse(400, getUnexpectedErrorResponseHTML('Failed to validate access/authorization delegation.'))
+  }
+
+  if (!accessRes.ok.capability.nb.iss) {
+    return htmlResponse(400, getUnexpectedErrorResponseHTML('Account DID not included in authorize request.'))
+  }
+
+  let customer
+  try {
+    customer = DidMailto.fromString(accessRes.ok.capability.nb.iss)
+  } catch (e) {
+    console.error("error parsing did:mailto:", e)
+    return htmlResponse(400, getUnexpectedErrorResponseHTML('Invalid Account DID received.'))
+  }
+
+  // add a customer with a trial product
+  const customerPutRes = await customerStore.put({
+    customer,
+    product: 'did:web:trial.storacha.network',
+    details: JSON.stringify({ humanode: { id: humanodeId } }),
+    insertedAt: new Date()
+  })
+  if (!customerPutRes.ok) {
+    console.error(`putting customer: ${customer}`, customerPutRes.error)
+    return htmlResponse(500, getUnexpectedErrorResponseHTML('Failed to update customer store.'))
+  }
+
+  await humanodeStore.add(humanodeId)
+
+  return htmlResponse(200, getResponseHTML())
+}
+
+export const handler = Sentry.AWSLambda.wrapHandler((event) => oauthCallbackGet(event))
+
+/**
+ * @param {Context} [customContext]
+ * @returns {Context}
+ */
+const getContext = (customContext) => {
+  if (customContext) return customContext
+
+  const region = process.env.AWS_REGION || 'us-west-2'
+
+  const serviceSigner = getServiceSigner({
+    did: process.env.UPLOAD_API_DID,
+    privateKey: Config.PRIVATE_KEY
+  })
+
+  const customerStore = createCustomerStore({ region }, { tableName: mustGetEnv('CUSTOMER_TABLE_NAME') })
+  const humanodeStore = createHumanodesTable(region, mustGetEnv('HUMANODE_TABLE_NAME'))
+  
+  return {
+    serviceSigner,
+    customerStore,
+    humanodeStore
+  }
+}
+
+/**
+ * @param {number} statusCode
+ * @param {string} body 
+ * @returns 
+ */
+function htmlResponse(statusCode, body) {
+  return {
+    statusCode,
+    headers: { 'Content-Type': 'text/html' },
+    body: Buffer.from(body).toString('base64'),
+    isBase64Encoded: true,
+  }
+}
+
+const getResponseHTML = () => `
+<!doctype html>
+<html lang="en">
+  <head>
+    <title>Authorized - Storacha Network</title>
+  </head>
+  <body style="font-family:sans-serif;color:#000">
+    <div style="height:100vh;display:flex;align-items:center;justify-content:center">
+      <div style="text-align:center">
+        <img src="https://w3s.link/ipfs/bafybeihinjwsn3kgjrlpdada4xingozsni3boywlscxspc5knatftauety/storacha-bug.svg" alt="Storacha - Decentralized Hot Storage Layer on Filecoin">
+        <h1 style="font-weight:normal">Authorization Successful</h1>
+        <p>You have been granted a free Storacha storage plan.</p>
+        <p>You may now close this window.</p>
+      </div>
+    </div>
+  </body>
+</html>
+`.trim()
+
+const getDuplicateHumanodeResponseHTML = () => `
+<!doctype html>
+<html lang="en">
+  <head>
+    <title>Authorized - Storacha Network</title>
+  </head>
+  <body style="font-family:sans-serif;color:#000">
+    <div style="height:100vh;display:flex;align-items:center;justify-content:center">
+      <div style="text-align:center">
+        <img src="https://w3s.link/ipfs/bafybeihinjwsn3kgjrlpdada4xingozsni3boywlscxspc5knatftauety/storacha-bug.svg" alt="Storacha - Decentralized Hot Storage Layer on Filecoin">
+        <h1 style="font-weight:normal">Plan Selection Unsuccessful</h1>
+        <p>The identified human has already claimed their free plan.</p>
+        <p>You may now close this window.</p>
+      </div>
+    </div>
+  </body>
+</html>
+`.trim()
+
+/**
+ * 
+ * @param {string} message 
+ * @returns 
+ */
+const getUnexpectedErrorResponseHTML = (message) => `
+<!doctype html>
+<html lang="en">
+  <head>
+    <title>Authorized - Storacha Network</title>
+  </head>
+  <body style="font-family:sans-serif;color:#000">
+    <div style="height:100vh;display:flex;align-items:center;justify-content:center">
+      <div style="text-align:center">
+        <img src="https://w3s.link/ipfs/bafybeihinjwsn3kgjrlpdada4xingozsni3boywlscxspc5knatftauety/storacha-bug.svg" alt="Storacha - Decentralized Hot Storage Layer on Filecoin">
+        <h1 style="font-weight:normal">Unexpected Error</h1>
+        <p>An unexpected error occured while trying to authenticate you: ${message} </p>
+        <p>Please close this window and try again.</p>
+      </div>
+    </div>
+  </body>
+</html>
+`.trim()