Version two with snapshot

.github/workflows/snapshot.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - master
       - development
+      - version-**
 
 jobs:
   release:

server-core/src/main/kotlin/com/lightningkite/lightningserver/auth/proof/EmailProofEndpoints.kt

@@ -48,4 +48,12 @@ class EmailProofEndpoints(
         if(verifyEmail(to))
             email().send(emailTemplate(to, pin))
     }
+
+    suspend fun send(destination: String, content: (Proof)->Email) {
+        email().send(content(issueProof(destination)).also {
+            if(it.to.singleOrNull()?.value?.equals(destination, true) != true) {
+                throw IllegalArgumentException("Email mismatch")
+            }
+        })
+    }
 }

server-core/src/main/kotlin/com/lightningkite/lightningserver/auth/proof/PinBasedProofEndpoints.kt

@@ -52,6 +52,13 @@ abstract class PinBasedProofEndpoints(
             p.key
         }
     )
+    protected fun issueProof(destination: String): Proof {
+        return proofHasher().makeProof(
+            info = info,
+            value = destination,
+            at = now()
+        )
+    }
     override val prove = path("prove").post.api(
         authOptions = noAuth,
         summary = "Prove $validates ownership",

server-core/src/main/kotlin/com/lightningkite/lightningserver/auth/proof/SmsProofEndpoints.kt

@@ -48,4 +48,8 @@ class SmsProofEndpoints(
         if (verifyPhone(to))
             sms().send(to, smsTemplate(pin))
     }
+
+    suspend fun send(destination: String, content: (Proof)->String) {
+        sms().send(destination, content(issueProof(destination)))
+    }
 }

server-core/src/main/kotlin/com/lightningkite/lightningserver/auth/subject/AuthEndpointsForSubject.kt

@@ -39,6 +39,7 @@ import java.security.SecureRandom
 import java.util.*
 import kotlin.math.min
 import kotlin.time.Duration.Companion.hours
+import kotlin.time.Duration.Companion.minutes
 
 class AuthEndpointsForSubject<SUBJECT : HasId<ID>, ID : Comparable<ID>>(
     path: ServerPath,
@@ -219,6 +220,28 @@ class AuthEndpointsForSubject<SUBJECT : HasId<ID>, ID : Comparable<ID>>(
         }
     )
 
+    val openSession = path("open-session").post.api(
+        authOptions = noAuth,
+        summary = "Open Session",
+        description = "Exchanges a future session token for a full session token.",
+        inputType = String.serializer(),
+        outputType = String.serializer(),
+        errorCases = listOf(),
+        implementation = { futureSessionToken: String ->
+            val future = FutureSession.fromToken(futureSessionToken)
+            val (s, secret) = newSessionPrivate(
+                label = future.label,
+                subjectId = future.subjectId,
+                derivedFrom = future.originalSessionId,
+                scopes = future.scopes,
+                expires = null,
+                oauthClient = future.oauthClient
+            )
+            sessionInfo.collection().insertOne(s)
+            secret.string
+        }
+    )
+
     val createSubSession = path("sub-session").post.api(
         authOptions = AuthOptions<SUBJECT>(setOf(AuthOption(handler.authType))),
         inputType = SubSessionRequest.serializer(),
@@ -286,8 +309,9 @@ class AuthEndpointsForSubject<SUBJECT : HasId<ID>, ID : Comparable<ID>>(
                         "Client ID/Secret mismatch"
                     )
                     val future = FutureSession.fromToken(input.code!!)
+                    if (future.oauthClient != client._id) throw BadRequestException("Client/Token mismatch")
                     val (s, secret) = newSessionPrivate(
-                        label = "Oauth with ${client.niceName}",
+                        label = future.label ?: "Oauth with ${client.niceName}",
                         subjectId = future.subjectId,
                         derivedFrom = future.originalSessionId,
                         scopes = future.scopes,
@@ -347,6 +371,22 @@ class AuthEndpointsForSubject<SUBJECT : HasId<ID>, ID : Comparable<ID>>(
         }
     )
 
+    suspend fun futureSessionToken(
+        subjectId: ID,
+        scopes: Set<String> = setOf("*"),
+        label: String? = null,
+        expires: Instant = now() + 5.minutes,
+        oauthClient: String? = null,
+        derivedFrom: UUID? = null,
+    ): String = FutureSession(
+        scopes = scopes,
+        subjectId = subjectId,
+        label = label,
+        expires = expires,
+        oauthClient = oauthClient,
+        originalSessionId = derivedFrom,
+    ).asToken()
+
     val sessions = ModelRestEndpoints(
         path = path("sessions"),
         info = sessionInfo

server-core/src/main/kotlin/com/lightningkite/lightningserver/auth/subject/subjectModels.kt

@@ -58,5 +58,6 @@ internal data class FutureSession<ID>(
     val scopes: Set<String>,
     val expires: Instant = now().plus(5.minutes),
     val originalSessionId: UUID?,
+    val label: String? = null,
     @References(OauthClient::class) val oauthClient: String? = null
 )

server-core/src/test/kotlin/com/lightningkite/lightningserver/auth/subject/test/AuthEndpointsForSubjectTest.kt

@@ -40,6 +40,14 @@ class AuthEndpointsForSubjectTest {
         assert(result.session != null)
     }
 
+    @Test
+    fun testFutureToken(): Unit = runBlocking {
+        val future = TestSettings.testUserSubject.futureSessionToken(
+            TestSettings.testUser.await()._id
+        )
+        TestSettings.testUserSubject.openSession.implementation(AuthAndPathParts(null, null, arrayOf()), future)
+    }
+
     @Test fun masquerade(): Unit = runBlocking {
         val (session, token) = TestSettings.testUserSubject.newSession(TestSettings.testAdmin.await()._id)
         HttpRequest(