mirror of
https://github.com/0ceanSlim/grain.git
synced 2024-10-29 17:16:31 +00:00
NIP42, AUTH Implementation
This commit is contained in:
parent
2b071fb7d8
commit
3ea051cb37
@ -2,6 +2,10 @@ mongodb:
|
||||
uri: mongodb://localhost:27017/
|
||||
database: grain
|
||||
|
||||
auth:
|
||||
enabled: false # Enable or disable AUTH handling
|
||||
relay_url: "wss://relay.example.com/" # Specify the relay URL
|
||||
|
||||
server:
|
||||
port: :8181
|
||||
read_timeout: 10 # in seconds
|
||||
|
6
config/types/authConfig.go
Normal file
6
config/types/authConfig.go
Normal file
@ -0,0 +1,6 @@
|
||||
package config
|
||||
|
||||
type AuthConfig struct {
|
||||
Enabled bool `yaml:"enabled"`
|
||||
RelayURL string `yaml:"relay_url"`
|
||||
}
|
@ -19,4 +19,5 @@ type ServerConfig struct {
|
||||
DomainWhitelist DomainWhitelistConfig `yaml:"domain_whitelist"`
|
||||
Blacklist BlacklistConfig `yaml:"blacklist"`
|
||||
ResourceLimits ResourceLimits `yaml:"resource_limits"`
|
||||
Auth AuthConfig `yaml:"auth"`
|
||||
}
|
||||
|
139
server/handlers/auth.go
Normal file
139
server/handlers/auth.go
Normal file
@ -0,0 +1,139 @@
|
||||
package handlers
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"grain/config"
|
||||
"grain/server/handlers/response"
|
||||
"grain/server/utils"
|
||||
"time"
|
||||
|
||||
relay "grain/server/types"
|
||||
|
||||
"golang.org/x/net/websocket"
|
||||
)
|
||||
|
||||
// HandleAuth handles the "AUTH" message type as defined in NIP-42
|
||||
func HandleAuth(ws *websocket.Conn, message []interface{}) {
|
||||
if !config.GetConfig().Auth.Enabled {
|
||||
fmt.Println("AUTH is disabled in the configuration")
|
||||
response.SendNotice(ws, "", "AUTH is disabled")
|
||||
return
|
||||
}
|
||||
|
||||
if len(message) != 2 {
|
||||
fmt.Println("Invalid AUTH message format")
|
||||
response.SendNotice(ws, "", "Invalid AUTH message format")
|
||||
return
|
||||
}
|
||||
|
||||
authData, ok := message[1].(map[string]interface{})
|
||||
if !ok {
|
||||
fmt.Println("Invalid auth data format")
|
||||
response.SendNotice(ws, "", "Invalid auth data format")
|
||||
return
|
||||
}
|
||||
authBytes, err := json.Marshal(authData)
|
||||
if err != nil {
|
||||
fmt.Println("Error marshaling auth data:", err)
|
||||
response.SendNotice(ws, "", "Error marshaling auth data")
|
||||
return
|
||||
}
|
||||
|
||||
var authEvent relay.Event
|
||||
err = json.Unmarshal(authBytes, &authEvent)
|
||||
if err != nil {
|
||||
fmt.Println("Error unmarshaling auth data:", err)
|
||||
response.SendNotice(ws, "", "Error unmarshaling auth data")
|
||||
return
|
||||
}
|
||||
|
||||
err = VerifyAuthEvent(authEvent)
|
||||
if err != nil {
|
||||
response.SendOK(ws, authEvent.ID, false, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
// Mark the session as authenticated after successful verification
|
||||
SetAuthenticated(ws)
|
||||
response.SendOK(ws, authEvent.ID, true, "")
|
||||
}
|
||||
|
||||
// VerifyAuthEvent verifies the authentication event according to NIP-42
|
||||
func VerifyAuthEvent(evt relay.Event) error {
|
||||
if evt.Kind != 22242 {
|
||||
return errors.New("invalid: event kind must be 22242")
|
||||
}
|
||||
|
||||
if time.Since(time.Unix(evt.CreatedAt, 0)) > 10*time.Minute {
|
||||
return errors.New("invalid: event is too old")
|
||||
}
|
||||
|
||||
challenge, err := extractTag(evt.Tags, "challenge")
|
||||
if err != nil {
|
||||
return errors.New("invalid: challenge tag missing")
|
||||
}
|
||||
|
||||
relayURL, err := extractTag(evt.Tags, "relay")
|
||||
if err != nil {
|
||||
return errors.New("invalid: relay tag missing")
|
||||
}
|
||||
|
||||
expectedChallenge := GetChallengeForConnection(evt.PubKey)
|
||||
if challenge != expectedChallenge {
|
||||
return errors.New("invalid: challenge does not match")
|
||||
}
|
||||
|
||||
if relayURL != config.GetConfig().Auth.RelayURL {
|
||||
return errors.New("invalid: relay URL does not match")
|
||||
}
|
||||
|
||||
if !utils.CheckSignature(evt) {
|
||||
return errors.New("invalid: signature verification failed")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// extractTag extracts a specific tag from an event's tags
|
||||
func extractTag(tags [][]string, key string) (string, error) {
|
||||
for _, tag := range tags {
|
||||
if len(tag) >= 2 && tag[0] == key {
|
||||
return tag[1], nil
|
||||
}
|
||||
}
|
||||
return "", errors.New("tag not found")
|
||||
}
|
||||
|
||||
// Map to store challenges associated with connections
|
||||
var challenges = make(map[string]string)
|
||||
var authSessions = make(map[*websocket.Conn]bool)
|
||||
|
||||
// GetChallengeForConnection retrieves the challenge string for a given connection
|
||||
func GetChallengeForConnection(pubKey string) string {
|
||||
mu.Lock()
|
||||
defer mu.Unlock()
|
||||
return challenges[pubKey]
|
||||
}
|
||||
|
||||
// SetChallengeForConnection sets the challenge string for a given connection
|
||||
func SetChallengeForConnection(pubKey, challenge string) {
|
||||
mu.Lock()
|
||||
defer mu.Unlock()
|
||||
challenges[pubKey] = challenge
|
||||
}
|
||||
|
||||
// SetAuthenticated marks a connection as authenticated
|
||||
func SetAuthenticated(ws *websocket.Conn) {
|
||||
mu.Lock()
|
||||
defer mu.Unlock()
|
||||
authSessions[ws] = true
|
||||
}
|
||||
|
||||
// IsAuthenticated checks if a connection is authenticated
|
||||
func IsAuthenticated(ws *websocket.Conn) bool {
|
||||
mu.Lock()
|
||||
defer mu.Unlock()
|
||||
return authSessions[ws]
|
||||
}
|
@ -105,6 +105,12 @@ func WebSocketHandler(ws *websocket.Conn) {
|
||||
return
|
||||
}
|
||||
handlers.HandleReq(ws, message, subscriptions)
|
||||
case "AUTH":
|
||||
if config.GetConfig().Auth.Enabled {
|
||||
handlers.HandleAuth(ws, message)
|
||||
} else {
|
||||
fmt.Println("Received AUTH message, but AUTH is disabled")
|
||||
}
|
||||
case "CLOSE":
|
||||
handlers.HandleClose(ws, message)
|
||||
default:
|
||||
|
Loading…
Reference in New Issue
Block a user