mirror of
https://github.com/0ceanSlim/grain.git
synced 2024-10-30 01:26:32 +00:00
NIP42, AUTH Implementation
This commit is contained in:
parent
2b071fb7d8
commit
3ea051cb37
@ -2,6 +2,10 @@ mongodb:
|
|||||||
uri: mongodb://localhost:27017/
|
uri: mongodb://localhost:27017/
|
||||||
database: grain
|
database: grain
|
||||||
|
|
||||||
|
auth:
|
||||||
|
enabled: false # Enable or disable AUTH handling
|
||||||
|
relay_url: "wss://relay.example.com/" # Specify the relay URL
|
||||||
|
|
||||||
server:
|
server:
|
||||||
port: :8181
|
port: :8181
|
||||||
read_timeout: 10 # in seconds
|
read_timeout: 10 # in seconds
|
||||||
|
6
config/types/authConfig.go
Normal file
6
config/types/authConfig.go
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
package config
|
||||||
|
|
||||||
|
type AuthConfig struct {
|
||||||
|
Enabled bool `yaml:"enabled"`
|
||||||
|
RelayURL string `yaml:"relay_url"`
|
||||||
|
}
|
@ -19,4 +19,5 @@ type ServerConfig struct {
|
|||||||
DomainWhitelist DomainWhitelistConfig `yaml:"domain_whitelist"`
|
DomainWhitelist DomainWhitelistConfig `yaml:"domain_whitelist"`
|
||||||
Blacklist BlacklistConfig `yaml:"blacklist"`
|
Blacklist BlacklistConfig `yaml:"blacklist"`
|
||||||
ResourceLimits ResourceLimits `yaml:"resource_limits"`
|
ResourceLimits ResourceLimits `yaml:"resource_limits"`
|
||||||
|
Auth AuthConfig `yaml:"auth"`
|
||||||
}
|
}
|
||||||
|
139
server/handlers/auth.go
Normal file
139
server/handlers/auth.go
Normal file
@ -0,0 +1,139 @@
|
|||||||
|
package handlers
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"grain/config"
|
||||||
|
"grain/server/handlers/response"
|
||||||
|
"grain/server/utils"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
relay "grain/server/types"
|
||||||
|
|
||||||
|
"golang.org/x/net/websocket"
|
||||||
|
)
|
||||||
|
|
||||||
|
// HandleAuth handles the "AUTH" message type as defined in NIP-42
|
||||||
|
func HandleAuth(ws *websocket.Conn, message []interface{}) {
|
||||||
|
if !config.GetConfig().Auth.Enabled {
|
||||||
|
fmt.Println("AUTH is disabled in the configuration")
|
||||||
|
response.SendNotice(ws, "", "AUTH is disabled")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(message) != 2 {
|
||||||
|
fmt.Println("Invalid AUTH message format")
|
||||||
|
response.SendNotice(ws, "", "Invalid AUTH message format")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
authData, ok := message[1].(map[string]interface{})
|
||||||
|
if !ok {
|
||||||
|
fmt.Println("Invalid auth data format")
|
||||||
|
response.SendNotice(ws, "", "Invalid auth data format")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
authBytes, err := json.Marshal(authData)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println("Error marshaling auth data:", err)
|
||||||
|
response.SendNotice(ws, "", "Error marshaling auth data")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var authEvent relay.Event
|
||||||
|
err = json.Unmarshal(authBytes, &authEvent)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println("Error unmarshaling auth data:", err)
|
||||||
|
response.SendNotice(ws, "", "Error unmarshaling auth data")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
err = VerifyAuthEvent(authEvent)
|
||||||
|
if err != nil {
|
||||||
|
response.SendOK(ws, authEvent.ID, false, err.Error())
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Mark the session as authenticated after successful verification
|
||||||
|
SetAuthenticated(ws)
|
||||||
|
response.SendOK(ws, authEvent.ID, true, "")
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyAuthEvent verifies the authentication event according to NIP-42
|
||||||
|
func VerifyAuthEvent(evt relay.Event) error {
|
||||||
|
if evt.Kind != 22242 {
|
||||||
|
return errors.New("invalid: event kind must be 22242")
|
||||||
|
}
|
||||||
|
|
||||||
|
if time.Since(time.Unix(evt.CreatedAt, 0)) > 10*time.Minute {
|
||||||
|
return errors.New("invalid: event is too old")
|
||||||
|
}
|
||||||
|
|
||||||
|
challenge, err := extractTag(evt.Tags, "challenge")
|
||||||
|
if err != nil {
|
||||||
|
return errors.New("invalid: challenge tag missing")
|
||||||
|
}
|
||||||
|
|
||||||
|
relayURL, err := extractTag(evt.Tags, "relay")
|
||||||
|
if err != nil {
|
||||||
|
return errors.New("invalid: relay tag missing")
|
||||||
|
}
|
||||||
|
|
||||||
|
expectedChallenge := GetChallengeForConnection(evt.PubKey)
|
||||||
|
if challenge != expectedChallenge {
|
||||||
|
return errors.New("invalid: challenge does not match")
|
||||||
|
}
|
||||||
|
|
||||||
|
if relayURL != config.GetConfig().Auth.RelayURL {
|
||||||
|
return errors.New("invalid: relay URL does not match")
|
||||||
|
}
|
||||||
|
|
||||||
|
if !utils.CheckSignature(evt) {
|
||||||
|
return errors.New("invalid: signature verification failed")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// extractTag extracts a specific tag from an event's tags
|
||||||
|
func extractTag(tags [][]string, key string) (string, error) {
|
||||||
|
for _, tag := range tags {
|
||||||
|
if len(tag) >= 2 && tag[0] == key {
|
||||||
|
return tag[1], nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return "", errors.New("tag not found")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Map to store challenges associated with connections
|
||||||
|
var challenges = make(map[string]string)
|
||||||
|
var authSessions = make(map[*websocket.Conn]bool)
|
||||||
|
|
||||||
|
// GetChallengeForConnection retrieves the challenge string for a given connection
|
||||||
|
func GetChallengeForConnection(pubKey string) string {
|
||||||
|
mu.Lock()
|
||||||
|
defer mu.Unlock()
|
||||||
|
return challenges[pubKey]
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetChallengeForConnection sets the challenge string for a given connection
|
||||||
|
func SetChallengeForConnection(pubKey, challenge string) {
|
||||||
|
mu.Lock()
|
||||||
|
defer mu.Unlock()
|
||||||
|
challenges[pubKey] = challenge
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetAuthenticated marks a connection as authenticated
|
||||||
|
func SetAuthenticated(ws *websocket.Conn) {
|
||||||
|
mu.Lock()
|
||||||
|
defer mu.Unlock()
|
||||||
|
authSessions[ws] = true
|
||||||
|
}
|
||||||
|
|
||||||
|
// IsAuthenticated checks if a connection is authenticated
|
||||||
|
func IsAuthenticated(ws *websocket.Conn) bool {
|
||||||
|
mu.Lock()
|
||||||
|
defer mu.Unlock()
|
||||||
|
return authSessions[ws]
|
||||||
|
}
|
@ -105,6 +105,12 @@ func WebSocketHandler(ws *websocket.Conn) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
handlers.HandleReq(ws, message, subscriptions)
|
handlers.HandleReq(ws, message, subscriptions)
|
||||||
|
case "AUTH":
|
||||||
|
if config.GetConfig().Auth.Enabled {
|
||||||
|
handlers.HandleAuth(ws, message)
|
||||||
|
} else {
|
||||||
|
fmt.Println("Received AUTH message, but AUTH is disabled")
|
||||||
|
}
|
||||||
case "CLOSE":
|
case "CLOSE":
|
||||||
handlers.HandleClose(ws, message)
|
handlers.HandleClose(ws, message)
|
||||||
default:
|
default:
|
||||||
|
Loading…
Reference in New Issue
Block a user