an-empty-string / amethyst Goto Github PK

Client certificates should be handled, and information about the certificate should be made available to resources. At least this information should be available:

• Raw certificate data (as bytes)
• Certificate subject common name
• Certificate fingerprint

Currently, we use a hardcoded dictionary of file extensions mapped to MIME types to decide what type to return to the client. The builtin mimetypes module provides a better way of handling this.

Currently, CGI script handling leaves a lot to be desired:

• It's impossible to have a CGI script as the index.gmi (or similar) of a directory -- the script's source is served instead.
• Path handling doesn't work as the CGI spec says it should. For example, URLs such as /cgi-bin/index.cgi/this/should/be/pathinfo/ simply don't work (they should execute index.cgi and pass /this/should/be/pathinfo/ as the PATH_INFO environment variable).
• CGI scripts should receive information about the client certificate they are being requested with, if any.

Additionally, it's probably worth reviewing the CGI spec again to make sure we are implementing as much of it as possible.

Currently we enforce RSA key usage, but this is mostly just to satisfy the typechecker. Non-RSA keys are great but we need to make sure we handle them properly in every case.

Other Gemini servers support .meta files, which contain information about how to serve the files in the directory (for example, MIME type overrides, lists of authorized client certificates, and other directory-specific configuration). Amethyst should support these too.

Currently, the NixOS module for this project lives at an-empty-string/nixos-modules, but it could easily be moved into this repository.

This would be a good opportunity to switch the project over to using flakes.

Set up GitHub Actions for CI. Currently we can run type checking (mypy) and potentially some other static analysis tooling, but it would be nice to have some unit tests too.

config.TLSConfig.get_ssl_context never automatically updates a certificate at runtime, even though it should when the tls config option is set to auto. Manually clearing the _context_cache (by sending SIGHUP) causes the certificate to be automatically regenerated, however.