NIP42, AUTH Implementation

This commit is contained in:
0ceanSlim 2024-08-19 14:28:13 -04:00
parent 2b071fb7d8
commit 3ea051cb37
5 changed files with 156 additions and 0 deletions

View File

@ -2,6 +2,10 @@ mongodb:
uri: mongodb://localhost:27017/ uri: mongodb://localhost:27017/
database: grain database: grain
auth:
enabled: false # Enable or disable AUTH handling
relay_url: "wss://relay.example.com/" # Specify the relay URL
server: server:
port: :8181 port: :8181
read_timeout: 10 # in seconds read_timeout: 10 # in seconds

View File

@ -0,0 +1,6 @@
package config
type AuthConfig struct {
Enabled bool `yaml:"enabled"`
RelayURL string `yaml:"relay_url"`
}

View File

@ -19,4 +19,5 @@ type ServerConfig struct {
DomainWhitelist DomainWhitelistConfig `yaml:"domain_whitelist"` DomainWhitelist DomainWhitelistConfig `yaml:"domain_whitelist"`
Blacklist BlacklistConfig `yaml:"blacklist"` Blacklist BlacklistConfig `yaml:"blacklist"`
ResourceLimits ResourceLimits `yaml:"resource_limits"` ResourceLimits ResourceLimits `yaml:"resource_limits"`
Auth AuthConfig `yaml:"auth"`
} }

139
server/handlers/auth.go Normal file
View File

@ -0,0 +1,139 @@
package handlers
import (
"encoding/json"
"errors"
"fmt"
"grain/config"
"grain/server/handlers/response"
"grain/server/utils"
"time"
relay "grain/server/types"
"golang.org/x/net/websocket"
)
// HandleAuth handles the "AUTH" message type as defined in NIP-42
func HandleAuth(ws *websocket.Conn, message []interface{}) {
if !config.GetConfig().Auth.Enabled {
fmt.Println("AUTH is disabled in the configuration")
response.SendNotice(ws, "", "AUTH is disabled")
return
}
if len(message) != 2 {
fmt.Println("Invalid AUTH message format")
response.SendNotice(ws, "", "Invalid AUTH message format")
return
}
authData, ok := message[1].(map[string]interface{})
if !ok {
fmt.Println("Invalid auth data format")
response.SendNotice(ws, "", "Invalid auth data format")
return
}
authBytes, err := json.Marshal(authData)
if err != nil {
fmt.Println("Error marshaling auth data:", err)
response.SendNotice(ws, "", "Error marshaling auth data")
return
}
var authEvent relay.Event
err = json.Unmarshal(authBytes, &authEvent)
if err != nil {
fmt.Println("Error unmarshaling auth data:", err)
response.SendNotice(ws, "", "Error unmarshaling auth data")
return
}
err = VerifyAuthEvent(authEvent)
if err != nil {
response.SendOK(ws, authEvent.ID, false, err.Error())
return
}
// Mark the session as authenticated after successful verification
SetAuthenticated(ws)
response.SendOK(ws, authEvent.ID, true, "")
}
// VerifyAuthEvent verifies the authentication event according to NIP-42
func VerifyAuthEvent(evt relay.Event) error {
if evt.Kind != 22242 {
return errors.New("invalid: event kind must be 22242")
}
if time.Since(time.Unix(evt.CreatedAt, 0)) > 10*time.Minute {
return errors.New("invalid: event is too old")
}
challenge, err := extractTag(evt.Tags, "challenge")
if err != nil {
return errors.New("invalid: challenge tag missing")
}
relayURL, err := extractTag(evt.Tags, "relay")
if err != nil {
return errors.New("invalid: relay tag missing")
}
expectedChallenge := GetChallengeForConnection(evt.PubKey)
if challenge != expectedChallenge {
return errors.New("invalid: challenge does not match")
}
if relayURL != config.GetConfig().Auth.RelayURL {
return errors.New("invalid: relay URL does not match")
}
if !utils.CheckSignature(evt) {
return errors.New("invalid: signature verification failed")
}
return nil
}
// extractTag extracts a specific tag from an event's tags
func extractTag(tags [][]string, key string) (string, error) {
for _, tag := range tags {
if len(tag) >= 2 && tag[0] == key {
return tag[1], nil
}
}
return "", errors.New("tag not found")
}
// Map to store challenges associated with connections
var challenges = make(map[string]string)
var authSessions = make(map[*websocket.Conn]bool)
// GetChallengeForConnection retrieves the challenge string for a given connection
func GetChallengeForConnection(pubKey string) string {
mu.Lock()
defer mu.Unlock()
return challenges[pubKey]
}
// SetChallengeForConnection sets the challenge string for a given connection
func SetChallengeForConnection(pubKey, challenge string) {
mu.Lock()
defer mu.Unlock()
challenges[pubKey] = challenge
}
// SetAuthenticated marks a connection as authenticated
func SetAuthenticated(ws *websocket.Conn) {
mu.Lock()
defer mu.Unlock()
authSessions[ws] = true
}
// IsAuthenticated checks if a connection is authenticated
func IsAuthenticated(ws *websocket.Conn) bool {
mu.Lock()
defer mu.Unlock()
return authSessions[ws]
}

View File

@ -105,6 +105,12 @@ func WebSocketHandler(ws *websocket.Conn) {
return return
} }
handlers.HandleReq(ws, message, subscriptions) handlers.HandleReq(ws, message, subscriptions)
case "AUTH":
if config.GetConfig().Auth.Enabled {
handlers.HandleAuth(ws, message)
} else {
fmt.Println("Received AUTH message, but AUTH is disabled")
}
case "CLOSE": case "CLOSE":
handlers.HandleClose(ws, message) handlers.HandleClose(ws, message)
default: default: