nostr login with NIP-07 (window.nostr)

This commit is contained in:
ekzyis 2024-10-01 05:06:41 -05:00
parent a8ea82ec5d
commit a98cd36cb5
12 changed files with 430 additions and 8 deletions

View File

@ -5,7 +5,7 @@ SOURCE := $(shell find db env lib lnd public server -type f) main.go
delphi.market: $(SOURCE)
npm run build
tailwindcss -i public/css/tw-input.css -o public/css/tailwind.css
tailwindcss -i public/css/base.css -o public/css/tailwind.css
templ generate -path server/router/pages
go build -o delphi.market .
@ -13,7 +13,7 @@ build: delphi.market
run:
npm run build
tailwindcss -i public/css/tw-input.css -o public/css/tailwind.css
tailwindcss -i public/css/base.css -o public/css/tailwind.css
templ generate -path server/router/pages
go run .

View File

@ -20,6 +20,12 @@ CREATE TABLE lnauth(
session_id VARCHAR(48) NOT NULL DEFAULT encode(gen_random_uuid()::text::bytea, 'base64')
);
CREATE TABLE nostr_auth(
k1 VARCHAR(64) PRIMARY KEY,
created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
session_id VARCHAR(48) NOT NULL DEFAULT encode(gen_random_uuid()::text::bytea, 'base64')
);
CREATE TABLE invoices(
id SERIAL PRIMARY KEY,
user_id INTEGER NOT NULL REFERENCES users(id),

4
go.mod
View File

@ -12,6 +12,7 @@ require (
github.com/btcsuite/btcd/btcutil v1.1.3
github.com/btcsuite/btcutil v1.0.2
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0
github.com/dustin/go-humanize v1.0.1
github.com/joho/godotenv v1.5.1
github.com/labstack/echo/v4 v4.11.1
github.com/lib/pq v1.10.9
@ -21,6 +22,7 @@ require (
github.com/namsral/flag v1.7.4-pre
github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
github.com/stretchr/testify v1.8.4
golang.org/x/exp v0.0.0-20230905200255-921286631fa9
gopkg.in/guregu/null.v4 v4.0.0
)
@ -50,7 +52,6 @@ require (
github.com/decred/dcrd/crypto/blake256 v1.0.1 // indirect
github.com/decred/dcrd/lru v1.0.0 // indirect
github.com/dsnet/compress v0.0.1 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/fergusstrange/embedded-postgres v1.10.0 // indirect
github.com/go-errors/errors v1.0.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
@ -141,7 +142,6 @@ require (
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.22.0 // indirect
golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
golang.org/x/mod v0.17.0 // indirect
golang.org/x/net v0.24.0 // indirect
golang.org/x/sys v0.21.0 // indirect

2
go.sum
View File

@ -159,8 +159,6 @@ github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0
github.com/dsnet/compress v0.0.1 h1:PlZu0n3Tuv04TzpfPbrnI0HW/YwodEXDS+oPKahKF0Q=
github.com/dsnet/compress v0.0.1/go.mod h1:Aw8dCMJ7RioblQeTqt88akK31OvO8Dhf5JflhBbQEHo=
github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=

View File

@ -200,4 +200,34 @@
[x-cloak] {
display: none !important;
}
div.loading>span {
width: 3px;
height: 3px;
margin: 0 2px;
background-color: var(--color);
border-radius: 50%;
display: inline-block;
animation-name: jumping;
animation-duration: 1.8s;
animation-iteration-count: infinite;
animation-timing-function: linear;
}
div.loading>span:nth-child(2) {
animation-delay: 0.4s;
}
div.loading>span:nth-child(3) {
animation-delay: 0.8s;
}
@keyframes jumping {
40% {
transform: translateY(0px);
}
50% {
transform: translateY(-5px);
}
}
}

View File

@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="currentColor"><path d="M6.9998 6V3C6.9998 2.44772 7.44752 2 7.9998 2H19.9998C20.5521 2 20.9998 2.44772 20.9998 3V17C20.9998 17.5523 20.5521 18 19.9998 18H16.9998V20.9991C16.9998 21.5519 16.5499 22 15.993 22H4.00666C3.45059 22 3 21.5554 3 20.9991L3.0026 7.00087C3.0027 6.44811 3.45264 6 4.00942 6H6.9998ZM5.00242 8L5.00019 20H14.9998V8H5.00242ZM8.9998 6H16.9998V16H18.9998V4H8.9998V6Z"></path></svg>

After

Width:  |  Height:  |  Size: 464 B

View File

@ -35,7 +35,7 @@ func NewLnAuth(action string) (*LnAuth, error) {
err error
)
if _, err := rand.Read(k1); err != nil {
if _, err = rand.Read(k1); err != nil {
return nil, fmt.Errorf("rand.Read error: %w", err)
}

182
server/auth/nostr.go Normal file
View File

@ -0,0 +1,182 @@
package auth
import (
"crypto/rand"
"crypto/sha256"
"encoding/hex"
"fmt"
"github.com/btcsuite/btcd/btcec/v2/schnorr"
)
type NostrAuth struct {
K1 string
}
type NostrAuthCallback struct {
K1 string `query:"k1"`
Sig string `query:"sig"`
PubKey string `query:"key"`
Action string `query:"action"`
CreatedAt int `query:"created_at"`
}
// reference: https://github.com/nbd-wtf/go-nostr
type Event struct {
ID string
PubKey string
CreatedAt int
Kind int
Tags Tags
Content string
Sig string
// anything here will be mashed together with the main event object when serializing
// extra map[string]any
}
type Tag []string
type Tags []Tag
func NewNostrAuth(action string) (*NostrAuth, error) {
var (
k1 = make([]byte, 32)
err error
)
if _, err = rand.Read(k1); err != nil {
return nil, fmt.Errorf("rand.Read error: %w", err)
}
return &NostrAuth{K1: hex.EncodeToString(k1)}, nil
}
func VerifyNostrAuth(r *NostrAuthCallback) (bool, error) {
// https://github.com/nbd-wtf/go-nostr/blob/master/signature.go
e := Event{
PubKey: r.PubKey,
Sig: r.Sig,
Kind: 22242,
Content: "delphi.market authentication",
Tags: []Tag{{"challenge", r.K1}},
CreatedAt: r.CreatedAt,
}
return e.CheckSignature()
}
func (tag Tag) marshalTo(dst []byte) []byte {
dst = append(dst, '[')
for i, s := range tag {
if i > 0 {
dst = append(dst, ',')
}
dst = escapeString(dst, s)
}
dst = append(dst, ']')
return dst
}
func (tags Tags) marshalTo(dst []byte) []byte {
dst = append(dst, '[')
for i, tag := range tags {
if i > 0 {
dst = append(dst, ',')
}
dst = tag.marshalTo(dst)
}
dst = append(dst, ']')
return dst
}
func (evt *Event) Serialize() []byte {
// the serialization process is just putting everything into a JSON array
// so the order is kept. See NIP-01
dst := make([]byte, 0)
// the header portion is easy to serialize
// [0,"pubkey",created_at,kind,[
dst = append(dst, []byte(
fmt.Sprintf(
"[0,\"%s\",%d,%d,",
evt.PubKey,
evt.CreatedAt,
evt.Kind,
))...)
// tags
dst = evt.Tags.marshalTo(dst)
dst = append(dst, ',')
// content needs to be escaped in general as it is user generated.
dst = escapeString(dst, evt.Content)
dst = append(dst, ']')
return dst
}
func escapeString(dst []byte, s string) []byte {
dst = append(dst, '"')
for i := 0; i < len(s); i++ {
c := s[i]
switch {
case c == '"':
// quotation mark
dst = append(dst, []byte{'\\', '"'}...)
case c == '\\':
// reverse solidus
dst = append(dst, []byte{'\\', '\\'}...)
case c >= 0x20:
// default, rest below are control chars
dst = append(dst, c)
case c == 0x08:
dst = append(dst, []byte{'\\', 'b'}...)
case c < 0x09:
dst = append(dst, []byte{'\\', 'u', '0', '0', '0', '0' + c}...)
case c == 0x09:
dst = append(dst, []byte{'\\', 't'}...)
case c == 0x0a:
dst = append(dst, []byte{'\\', 'n'}...)
case c == 0x0c:
dst = append(dst, []byte{'\\', 'f'}...)
case c == 0x0d:
dst = append(dst, []byte{'\\', 'r'}...)
case c < 0x10:
dst = append(dst, []byte{'\\', 'u', '0', '0', '0', 0x57 + c}...)
case c < 0x1a:
dst = append(dst, []byte{'\\', 'u', '0', '0', '1', 0x20 + c}...)
case c < 0x20:
dst = append(dst, []byte{'\\', 'u', '0', '0', '1', 0x47 + c}...)
}
}
dst = append(dst, '"')
return dst
}
func (e *Event) CheckSignature() (bool, error) {
// read and check pubkey
pk, err := hex.DecodeString(e.PubKey)
if err != nil {
return false, fmt.Errorf("event pubkey '%s' is invalid hex: %w", e.PubKey, err)
}
pubkey, err := schnorr.ParsePubKey(pk)
if err != nil {
return false, fmt.Errorf("event has invalid pubkey '%s': %w", e.PubKey, err)
}
// read signature
s, err := hex.DecodeString(e.Sig)
if err != nil {
return false, fmt.Errorf("signature '%s' is invalid hex: %w", e.Sig, err)
}
sig, err := schnorr.ParseSignature(s)
if err != nil {
return false, fmt.Errorf("failed to parse signature: %w", err)
}
// check signature
hash := sha256.Sum256(e.Serialize())
return sig.Verify(hash[:], pubkey), nil
}

View File

@ -2,6 +2,7 @@ package handler
import (
"database/sql"
"log"
"net/http"
"time"
@ -152,7 +153,131 @@ func HandleLnAuthCallback(sc context.Context) echo.HandlerFunc {
}
func NostrAuth(sc context.Context, c echo.Context, action string) error {
return echo.NewHTTPError(http.StatusNotImplemented)
var (
db = sc.Db
ctx = c.Request().Context()
nostrAuth *auth.NostrAuth
sessionId string
// sessions expire in 30 days. TODO: refresh sessions
expires = time.Now().Add(60 * 60 * 24 * 30 * time.Second)
err error
)
if nostrAuth, err = auth.NewNostrAuth(action); err != nil {
return err
}
if err = db.QueryRowContext(
ctx,
"INSERT INTO nostr_auth(k1) VALUES($1) RETURNING session_id",
nostrAuth.K1).Scan(&sessionId); err != nil {
return err
}
c.SetCookie(&http.Cookie{
Name: "session",
HttpOnly: true,
Path: "/",
Value: sessionId,
Secure: true,
Expires: expires,
})
return pages.NostrAuth(nostrAuth.K1, mapAction(action)).Render(context.RenderContext(sc, c), c.Response().Writer)
}
func HandleNostrAuthCallback(sc context.Context) echo.HandlerFunc {
return func(c echo.Context) error {
var (
db = sc.Db
tx *sql.Tx
ctx = c.Request().Context()
query auth.NostrAuthCallback
sessionId string
userId int
ok bool
err error
pqErr *pq.Error
)
bail := func(code int, reason string) error {
if tx != nil {
// manual rollback is only required for tests afaik
tx.Rollback()
}
return c.JSON(code, map[string]string{"status": "ERROR", "reason": reason})
}
if err = c.Bind(&query); err != nil {
return bail(http.StatusInternalServerError, err.Error())
} else if query.K1 == "" || query.Sig == "" {
return bail(http.StatusBadRequest, "bad query")
}
if tx, err = db.BeginTx(ctx, &sql.TxOptions{Isolation: sql.LevelReadCommitted}); err != nil {
return bail(http.StatusInternalServerError, err.Error())
}
err = tx.QueryRow("SELECT session_id FROM nostr_auth WHERE k1 = $1 LIMIT 1", query.K1).Scan(&sessionId)
if err == sql.ErrNoRows {
return bail(http.StatusNotFound, "session not found")
} else if err != nil {
return bail(http.StatusInternalServerError, err.Error())
}
ok, err = auth.VerifyNostrAuth(&query)
if err != nil {
log.Println("sig error", err)
return bail(http.StatusInternalServerError, err.Error())
} else if !ok {
return bail(http.StatusBadRequest, "bad signature")
}
switch query.Action {
case "register":
case "signup":
{
err = tx.QueryRow(""+
"INSERT INTO users(nostr_pubkey) VALUES ($1) "+
"ON CONFLICT(nostr_pubkey) DO UPDATE SET nostr_pubkey = $1 "+
"RETURNING id", query.PubKey).Scan(&userId)
if err != nil {
pqErr, ok = err.(*pq.Error)
if ok && pqErr.Code == "23505" {
return bail(http.StatusBadRequest, "user already exists")
}
return bail(http.StatusInternalServerError, err.Error())
}
}
case "login":
{
err = tx.QueryRow("SELECT id FROM users WHERE nostr_pubkey = $1", query.PubKey).Scan(&userId)
if err == sql.ErrNoRows {
return bail(http.StatusNotFound, "user not found")
} else if err != nil {
return bail(http.StatusInternalServerError, err.Error())
}
}
default:
{
return bail(http.StatusBadRequest, "bad action")
}
}
if _, err = tx.Exec("INSERT INTO sessions(id, user_id) VALUES($1, $2)", sessionId, userId); err != nil {
return bail(http.StatusInternalServerError, err.Error())
}
if _, err = tx.Exec("DELETE FROM nostr_auth WHERE k1 = $1", query.K1); err != nil {
return bail(http.StatusInternalServerError, err.Error())
}
if err = tx.Commit(); err != nil {
return bail(http.StatusInternalServerError, err.Error())
}
return c.JSON(http.StatusOK, map[string]string{"status": "OK"})
}
}
func HandleSessionCheck(sc context.Context) echo.HandlerFunc {

View File

@ -0,0 +1,9 @@
package components
templ Loading() {
<div class="loading">
<span />
<span />
<span />
</div>
}

View File

@ -0,0 +1,70 @@
package pages
import "git.ekzyis.com/ekzyis/delphi.market/server/router/pages/components"
templ NostrAuth(k1 string, action string) {
<html>
@components.Head()
<body class="container">
@components.Nav()
<div
id="content"
class="flex flex-col text-center items-center"
x-data="{ found: typeof window.nostr !== 'undefined', sig: undefined }"
>
@components.Figlet("random", action)
<small><code>with nostr</code></small>
<div class="flex flex-col my-3 text-center w-fit">
<div :class="{ hidden: found !== undefined }">
<i>checking for nostr extension</i>
@components.Loading()
</div>
<div class="hidden neon error my-3" :class="{ hidden: found }" >
nostr extension not found
</div>
<div x-cloak :class="{ hidden: !found }">
<div class="neon success my-3">nostr extension found</div>
<div :class="{ hidden: !sig }">
<i>waiting for signature</i>
@components.Loading()
</div>
<div class="hidden" id="auth"
auth-data={ templ.JSONString(k1) }
action-data={ templ.JSONString(action) }></div>
<script type="text/javascript">
var k1 = JSON.parse($("#auth").getAttribute("auth-data"))
var action = JSON.parse($("#auth").getAttribute("action-data"))
async function sign() {
const created_at = Math.floor(Date.now() / 1000)
const event = await window.nostr.signEvent({
kind: 22242,
created_at,
tags: [['challenge', k1]],
content: 'delphi.market authentication'
})
Alpine.data('sig', () => true)
const params = new URLSearchParams({
key: event.pubkey,
sig: event.sig,
k1,
action,
created_at
})
const r = await fetch("/api/nostrauth/callback?" + params)
// TODO: error handling
}
sign()
</script>
</div>
</div>
<div hx-get="/session" hx-trigger="every 1s" hx-swap="none"></div>
</div>
@components.Footer()
</body>
</html>
}

View File

@ -25,6 +25,7 @@ func Init(e *echo.Echo, sc Context) {
e.GET("/signup", handler.HandleAuth(sc, "register"))
e.GET("/signup/:method", handler.HandleAuth(sc, "register"))
e.GET("/api/lnauth/callback", handler.HandleLnAuthCallback(sc))
e.GET("/api/nostrauth/callback", handler.HandleNostrAuthCallback(sc))
e.GET("/session", handler.HandleSessionCheck(sc))
e.GET("/user", handler.HandleUser(sc), middleware.SessionGuard(sc))