Implements admin/avatar/maps/profile/session/shards/registration apis and small fixes #106

Merged
merged 1 commit into from
Mar 11, 2025

Conversation

dragonhunt02
Contributor

@dragonhunt02 dragonhunt02 commented Feb 25, 2025

#103

Additions

  • Add temporary Mailer config (in-memory email storage) for production. This must be replaced with an email service adapter in the final server.
  • Serve user content at /uploads with Waffle and Caddyfile
  • Require authenticated_user to access certain endpoints. Since game client and website share some endpoints, a ChooseAuth plug was added to fall back to Cookie authentication if Authorization header is missing.
  • Add avatar/maps /dashboard endpoints
  • Add /admin api endpoint and control panel page stub
  • Add /profile /session /registration game client endpoints
  • Add /session/renew dummy endpoint to refresh access tokens for game client compatibility
  • Completed /shards endpoints implementation
  • Add SIGNUP_API_KEY key to authenticate game client signup requests
  • Add script priv/repo/test_user_content.exs to populate database with test user content

Fixes

  • Disable cache_static_manifest (no file is served from priv/static)
  • Fix missing alias in lib/uro/controllers/identity_proof_controller.ex
  • Add missing function is_session_admin?/1
  • Fix Uro.Plug.Authentication authentication. Client Authorization token was not recognized because it was sent without Bearer prefix
  • Fix priv/repo/test_seeds.exs not confirming email of generated users

Endpoints were tested with curl, further testing is needed

Missing features:

  • Define OpenAPI avatar/maps query specs

@dragonhunt02
Contributor Author

Updated with new endpoints

@dragonhunt02 dragonhunt02 changed the title from "Implements admin/avatar/maps api and small fixes" to "Implements admin/avatar/maps/profile/session/registration apis and small fixes" on Feb 26, 2025
@github-actions github-actions bot force-pushed the api-fix branch 2 times, most recently from 9752ba1 to fe7072f on March 6, 2025 03:59
@dragonhunt02 dragonhunt02 changed the title from "Implements admin/avatar/maps/profile/session/registration apis and small fixes" to "Implements admin/avatar/maps/profile/session/shards/registration apis and small fixes" on Mar 6, 2025
@dragonhunt02
Contributor Author

Updated with /shards fixes.

Server can receive uploads and host shards now

@fire
Member

fire commented Mar 7, 2025

image

Weird

@dragonhunt02
Contributor Author

> Weird

All test files are empty dummy files generated with touch. I'm not sure what we want to use in final server, however they were good enough as placeholders.

We can replace them after we decide what test scenes to use.

Member

@fire fire left a comment

Let's merge in a few days.

@fire
Member

fire commented Mar 7, 2025

My argument for making the test files real is we should not allow fake files in theory. Yes, that's hard, but we should at least block mime types that don’t match and zero files.

@dragonhunt02
Contributor Author

> My argument for making the test files real is we should not allow fake files in theory. Yes, that's hard, but we should at least block mime types that don’t match and zero files.

I agree, an extension whitelist is not enough

```elixir
@versions [:original]
@extension_whitelist ~w(.scn)
# Whitelist file extensions:
def validate({file, _}) do
```

I think we should handle this in a new issue though.

By the way, if we make test files real we will have a binary .scn in repository, is it ok? @lyuma

@lyuma
Member

lyuma commented Mar 7, 2025

@dragonhunt02 If the binary .scn is for a test scene with a plane and default cube, it should be a few kilobytes which is fine. Same thing for .glb and .vrm

File type checks could make it harder to add more formats or encrypted formats, so I am worried it will make that more difficult in the future, but for now glb header (.glb and .vrm) and RSRC header (.scn) is all I upload.

@dragonhunt02
Contributor Author

> @dragonhunt02 If the binary .scn is for a test scene with a plane and default cube, it should be a few kilobytes which is fine. Same thing for .glb and .vrm

.glb and .vrm are blocked right now. Indeed the test scene needs to be a minimal working scene. 👍

> File type checks could make it harder to add more formats or encrypted formats, so I am worried it will make that more difficult in the future, but for now glb header (.glb and .vrm) and RSRC header (.scn) is all I upload.

I don't think it will be a problem, we can filter allowed extensions like what we are doing now and then run optional tests to ensure extension matches binaries.

@lyuma
Member

lyuma commented Mar 7, 2025

My code in xr_avatar supports glb. This sort of debate is why I'd prefer not to enforce a whitelist for now, but if we do go for a whitelist, I want at least one standardized 3d format such as glb.

@dragonhunt02
Contributor Author

dragonhunt02 commented Mar 7, 2025

> My code in xr_avatar supports glb. This sort of debate is why I'd prefer not to enforce a whitelist for now, but if we do go for a whitelist, I want at least one standardized 3d format such as glb.

Well, whitelist on uploads was already enforced before my PR. So, I will add .glb to allowed extensions (next PR?)

@fire Could you handle generating the test avatars/scenes/images?

@fire
Member

fire commented Mar 7, 2025

Sure.

I'll grab the vrm1, a standard glb and a binary godot engine scene.

@lyuma
Member

lyuma commented Mar 7, 2025

I am not okay with anything above a few kilobytes at this stage.
They should be simple, export a cube with no texture for glb. For VRM, we don't technically need a vrm sample since the file format is still glb.

If we really want to write a validator on the server, that should be a separate PR and we need to consider security implications. For now I assume that all this should be doing is checking the magic bytes in the file header.
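
The header check discussed in this thread (reject empty files and files whose magic bytes do not match their extension), as an added Elixir example that is not part of this PR or of uro. The module name `UploadMagicCheck` and its error atoms are hypothetical, and the GLB declared-length check goes one step beyond the magic-byte test mentioned above.

```elixir
defmodule UploadMagicCheck do
  # Hypothetical module for illustration; not part of uro.
  # Extension -> accepted 4-byte magic. "glTF" opens a binary glTF file;
  # "RSRC" is the header the thread names for binary .scn files.
  @magic %{".glb" => "glTF", ".vrm" => "glTF", ".scn" => "RSRC"}

  # Returns :ok or {:error, reason} for a file name and its full contents.
  def check(filename, data) when is_binary(filename) and is_binary(data) do
    ext = filename |> Path.extname() |> String.downcase()

    with {:ok, magic} <- allowed(ext),
         :ok <- non_empty(data),
         :ok <- magic_matches(data, magic) do
      structure(magic, data)
    end
  end

  defp allowed(ext) do
    case Map.fetch(@magic, ext) do
      {:ok, magic} -> {:ok, magic}
      :error -> {:error, :extension_not_allowed}
    end
  end

  defp non_empty(<<>>), do: {:error, :empty_file}
  defp non_empty(_data), do: :ok

  defp magic_matches(<<head::binary-size(4), _rest::binary>>, magic) when head == magic, do: :ok
  defp magic_matches(_data, _magic), do: {:error, :magic_mismatch}

  # GLB header: magic, version, total length (little-endian uint32 each).
  # The declared length must equal the real size, so a truncated or padded
  # file is rejected even though its magic is right.
  defp structure("glTF", <<"glTF", _ver::little-size(32), len::little-size(32), _::binary>> = data) do
    if len == byte_size(data), do: :ok, else: {:error, :length_mismatch}
  end

  defp structure("glTF", _data), do: {:error, :truncated_header}
  defp structure(_magic, _data), do: :ok
end

# Constructed samples: a chunk-less 12-byte GLB header, an empty file,
# text bytes renamed to .scn, and a GLB with one trailing byte appended.
glb = <<"glTF", 2::little-size(32), 12::little-size(32)>>
IO.inspect(UploadMagicCheck.check("cube.glb", glb))
IO.inspect(UploadMagicCheck.check("scene.scn", <<>>))
IO.inspect(UploadMagicCheck.check("scene.scn", "not a scene"))
IO.inspect(UploadMagicCheck.check("avatar.vrm", glb <> <<0>>))
```

The extension allow-list still runs first, so a new format is enabled by adding one map entry; a format without a fixed header would need its own clause.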

@fire
Member

fire commented Mar 7, 2025

@fire
Member

fire commented Mar 8, 2025

@dragonhunt02
Contributor Author

@fire Lyuma suggested opening another PR for test_content/ scenes, I agree.
So I removed test_content from this PR.

@fire fire merged commit 3a9839b into V-Sekai:master Mar 11, 2025
@fire
Member

fire commented Mar 11, 2025

Thanks! I am a bit busy this week so I'd like a small tutorial how to run uro.

@dragonhunt02
Contributor Author

dragonhunt02 commented Mar 11, 2025

Instructions are in README.md Quick Setup
After booting server with docker compose up, you have to export/run V-Sekai game with https://vsekai.local set as address in Project Settings/Uro

I don't have a script ready to quickly install Caddy SSL certificates though. Game will fail TLS handshake if they're not correctly installed.

@fire
Member

fire commented Mar 11, 2025

I can proxy uro through tailscale that has a proper CA certificate and is globally accessible.

@dragonhunt02
Contributor Author

dragonhunt02 commented Mar 11, 2025

Well, you can replace Caddyfile with Caddyfile.development from my other PR. It runs Caddy server on port 80 so you won't have to deal with certificates.

You can send me a message if you find issues setting it up.
