From 64d12ec535949d28a82e93f81dce24d97d04679a Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Fri, 17 Jul 2020 07:50:55 +0000
Subject: [PATCH] add back SECRET for ACME relay

---
 cmd/telebit/telebit.go   | 27 ++++++++++++++++++++++-----
 examples/relay.env       |  1 +
 examples/run-as-relay.sh |  2 ++
 3 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/cmd/telebit/telebit.go b/cmd/telebit/telebit.go
index a5838b8..a161155 100644
--- a/cmd/telebit/telebit.go
+++ b/cmd/telebit/telebit.go
@@ -54,6 +54,10 @@ var authorizer telebit.Authorizer
 
 var isHostname = regexp.MustCompile(`^[A-Za-z0-9_\.\-]+$`).MatchString
 
+// ClientID may be baked in, or may be supplied via command line
+var ClientID string
+var ClientSecret string
+
 func main() {
 	var domains []string
 	var forwards []Forward
@@ -150,10 +154,20 @@ func main() {
 		return
 	}
 
-	if 0 == len(*secret) {
-		*secret = os.Getenv("SECRET")
+	// Baked-in takes precedence
+	if 0 == len(ClientID) {
+		ClientID = *appID
 	}
-	ppid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", *appID, *secret))
+	if 0 == len(ClientID) {
+		ClientID = os.Getenv("APP_ID")
+	}
+	if 0 == len(ClientSecret) {
+		ClientSecret = *secret
+	}
+	if 0 == len(ClientSecret) {
+		ClientSecret = os.Getenv("SECRET")
+	}
+	ppid, err := machineid.ProtectedID(fmt.Sprintf("%s|%s", ClientID, ClientSecret))
 	if nil != err {
 		fmt.Fprintf(os.Stderr, "unauthorized device\n")
 		os.Exit(1)
@@ -162,6 +176,9 @@ func main() {
 	ppidBytes, err := hex.DecodeString(ppid)
 	ppid = base64.RawURLEncoding.EncodeToString(ppidBytes)
 
+	if 0 == len(*token) {
+		*token = os.Getenv("TOKEN")
+	}
 	if 0 == len(*token) {
 		*token, err = authstore.HMACToken(ppid)
 		if nil != err {
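Review bot: `ClientSecret` is an exported package-level variable with no doc comment, and the comment on `ClientID` does not say how a value gets "baked in", so a reader of the declaration cannot tell whether the binary is expected to ship with the secret embedded in it. I would document both, e.g. `// ClientSecret may be baked in at build time or supplied via --secret / SECRET; a baked-in value ships inside the binary.` — the build-time mechanism is presumably `-ldflags -X`, confirm. Both variables are mutable package state that main() later reassigns (hunk @@ -150); if nothing outside the package reads them, unexported names would keep that mutation local.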
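Review bot: After the fallback chain there is no check that `ClientSecret` is non-empty before it is fed into `machineid.ProtectedID(fmt.Sprintf("%s|%s", ClientID, ClientSecret))`, so a missing `--secret`/`SECRET` silently produces a ppid keyed only on the app ID, and the same empty value is later handed to `mgmt.Register` (hunk @@ -194). Unless an empty secret is intentional for some mode, fail fast right after the chain: `if 0 == len(ClientSecret) { fmt.Fprintf(os.Stderr, "missing --secret or SECRET\n"); os.Exit(1) }`. Taking the secret from the `--secret` flag also leaves it visible in the process's argument list, so the environment path should be the documented one and the flag a convenience. main() continues outside the hunk.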
@@ -194,14 +211,14 @@ func main() {
 	}
 	if len(*relay) > 0 /* || len(*acmeRelay) > 0 */ {
 		if "" == *authURL {
-			*authURL = strings.Replace(*relay, "ws", "http", 1) // "https://example.com:443"
+			*authURL = strings.Replace(*relay, "ws", "http", 1) + "/api" // "https://example.com:443"
 		}
 		// TODO look at relay rather than authURL?
 		fmt.Println("Auth URL", *authURL)
 		authorizer = NewAuthorizer(*authURL)
 		grants, err := telebit.Inspect(*authURL, *token)
 		if nil != err {
-			_, err := mgmt.Register(*authURL, *secret, ppid)
+			_, err := mgmt.Register(*authURL, ClientSecret, ppid)
 			if nil != err {
 				fmt.Fprintf(os.Stderr, "failed to register client: %s\n", err)
 				os.Exit(1)
diff --git a/examples/relay.env b/examples/relay.env
index 2b0e323..5142b91 100644
--- a/examples/relay.env
+++ b/examples/relay.env
@@ -11,6 +11,7 @@ ACME_EMAIL=jon.doe@example.com
 
 # For Let's Encrypt ACME Challenges (pick one)
 ACME_RELAY_URL=http://localhost:4200
+SECRET=xxxxxxxxxxxxxxxx
 #DUCKDNS_TOKEN=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
 #GODADDY_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 #GODADDY_API_SECRET=XXXXXXXXXXXXXXXXXXXXXX
diff --git a/examples/run-as-relay.sh b/examples/run-as-relay.sh
index 74a6916..4edd2ec 100644
--- a/examples/run-as-relay.sh
+++ b/examples/run-as-relay.sh
@@ -22,6 +22,7 @@ AUTH_URL=${AUTH_URL:-"https://devices.example.com/api"}
 
 # For Let's Encrypt / ACME challenges
 ACME_RELAY_URL=${ACME_RELAY_URL:-"http://localhost:4200"}
+SECRET=${SECRET:-"xxxxxxxxxxxxxxxx"}
 
 # For Let's Encrypt / ACME registration
 ACME_AGREE=${ACME_AGREE:-}
@@ -33,4 +34,5 @@ ACME_EMAIL="${ACME_EMAIL:-}"
     --acme-agree "$ACME_AGREE" \
     --acme-email "$ACME_EMAIL" \
     --acme-relay-url "$ACME_RELAY_URL" \
+    --secret "$SECRET" \
     --listen "$LISTEN"
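Review bot: The rewritten line appends `"/api"` to the derived URL unconditionally, so a `--relay` value with a trailing slash or an existing path yields `//api` or `/path/api`, and the trailing comment `// "https://example.com:443"` no longer describes the result. The scheme swap is still a textual `strings.Replace` of the first `ws`, which, if the relay may already be given as `http(s)://`, would instead rewrite a hostname that starts with `ws`; parsing with `url.Parse` and setting `u.Scheme` would make the intent explicit. At minimum trim the slash and fix the comment: `*authURL = strings.TrimSuffix(strings.Replace(*relay, "ws", "http", 1), "/") + "/api" // e.g. "https://example.com:443/api"`. The `/api` change is not mentioned in the commit message, which only covers SECRET; main() continues outside the hunk.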
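Review bot: `SECRET=${SECRET:-"xxxxxxxxxxxxxxxx"}` gives the relay a working fallback when the operator forgets to set SECRET, so a deployment can come up using the published placeholder as its secret; the placeholder is fine as an example value in relay.env but should not be a runtime default. Use `SECRET=${SECRET:?SECRET must be set}` so the script aborts instead. The second hunk (@@ -33) then passes it as `--secret "$SECRET"` on the command line, where it is visible in the local process list; since telebit.go now reads SECRET from the environment when the flag is empty (hunk @@ -150 above), the `--secret` line can be dropped and the variable exported instead.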