From 52023b1156f85c3c44de0a2c6a5b07ac4ac1c1bd Mon Sep 17 00:00:00 2001
From: enki
Date: Wed, 14 May 2025 10:37:58 -0700
Subject: [PATCH] fucking auth BS

---
 internal/auth/auth.go | 53 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 44 insertions(+), 9 deletions(-)

diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 531a060..37cef4e 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -69,8 +69,12 @@ func NewService(db *db.DB, logger *zap.Logger, secretKey string, tokenDuration t
 // Login handles user login with a Nostr signature
 func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
+ s.logger.Info("Login attempt",
+ zap.String("pubkey", pubkey),
+ zap.String("configured_allowed_npub", s.allowedNpub))
+
 // Check if there's a whitelist and enforce it
- if s.allowedNpub != "" {
+ if s.allowedNpub != "" && s.allowedNpub != "none" {
 // If the allowed value starts with "npub", we need to decode it to hex
 allowedHexPubkey := s.allowedNpub
 if strings.HasPrefix(s.allowedNpub, "npub") {
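Review bot: The added `s.allowedNpub != "none"` condition makes the literal string "none" an undocumented switch that disables the pubkey whitelist entirely, and the same sentinel is duplicated in the VerifyToken hunk. Nothing in the diff validates or documents it, so an operator who sets allowed_npub to "none" expecting it to be treated as an invalid key gets unrestricted login instead, while any other typo fails closed. Prefer resolving the sentinel once where the Service is constructed (outside this hunk) into an explicit "whitelist disabled" state, and give it a name the config docs can point to: `const allowedNpubDisabled = "none" // config value that turns off the pubkey whitelist`. The new per-attempt Info log is a reasonable auth audit event, but its message should be treated as stable once detection rules start keying on it.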
@@ -80,19 +84,31 @@ func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
 s.logger.Error("Failed to decode allowed_npub",
 zap.String("allowed_npub", s.allowedNpub),
 zap.Error(err))
- // If we can't decode, we'll just use the original value
+ return "", errors.New("server configuration error: invalid allowed_npub format")
 } else {
 allowedHexPubkey = decodedPubkey
 }
 }
+ // Normalize both pubkeys to lowercase for case-insensitive comparison
+ normalizedAllowed := strings.ToLower(allowedHexPubkey)
+ normalizedAttempt := strings.ToLower(pubkey)
+
+ // Log the comparison for debugging
+ s.logger.Info("Comparing pubkeys for auth restriction",
+ zap.String("normalized_allowed", normalizedAllowed),
+ zap.String("normalized_attempt", normalizedAttempt))
+
 // Compare with the provided pubkey (case-insensitive comparison)
- if strings.ToLower(allowedHexPubkey) != strings.ToLower(pubkey) {
- s.logger.Warn("Login attempt from non-whitelisted pubkey",
+ if normalizedAllowed != normalizedAttempt {
+ s.logger.Warn("Login attempt from non-whitelisted pubkey - REJECTED",
 zap.String("attempt_pubkey", pubkey),
 zap.String("allowed_pubkey", allowedHexPubkey),
 zap.String("allowed_npub", s.allowedNpub))
 return "", errors.New("unauthorized: only the configured npub is allowed to log in")
+ } else {
+ s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
+ zap.String("pubkey", pubkey))
 }
 }
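Review bot: The new `Login attempt from whitelisted pubkey - APPROVED` Info log fires before Login has verified anything about the request — signature and eventJSON are still unused at this point and the function continues past the hunk — so log readers and alerting see "APPROVED" for unauthenticated requests that merely match the whitelist. Say only what this block establishes and drop the `else` that follows the terminating `return`: `s.logger.Debug("pubkey passes whitelist", zap.String("pubkey", pubkey))`. The "Comparing pubkeys for auth restriction" log that prints both normalized values on every login is debugging output and belongs at Debug level as well. The same two points apply to the VerifyToken hunk below.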
@@ -155,23 +171,42 @@ func (s *Service) VerifyToken(tokenStr string) (string, error) {
 }
 // Additional check for whitelist if it's configured
- if s.allowedNpub != "" {
+ if s.allowedNpub != "" && s.allowedNpub != "none" {
 // If the allowed value starts with "npub", we need to decode it to hex
 allowedHexPubkey := s.allowedNpub
 if strings.HasPrefix(s.allowedNpub, "npub") {
 // Try to decode the npub to hex
 decodedPubkey, err := utils.DecodeNpub(s.allowedNpub)
- if err == nil {
+ if err != nil {
+ s.logger.Error("Failed to decode allowed_npub in token verification",
+ zap.String("allowed_npub", s.allowedNpub),
+ zap.Error(err))
+ return "", errors.New("server configuration error: invalid allowed_npub format")
+ } else {
 allowedHexPubkey = decodedPubkey
 }
 }
+ // Normalize both pubkeys for case-insensitive comparison
+ normalizedAllowed := strings.ToLower(allowedHexPubkey)
+ normalizedToken := strings.ToLower(token.Pubkey)
+
+ // Log the comparison for debugging
+ s.logger.Info("Token verification comparing pubkeys",
+ zap.String("normalized_allowed", normalizedAllowed),
+ zap.String("normalized_token", normalizedToken))
+
 // Compare with the token's pubkey (case-insensitive comparison)
- if strings.ToLower(allowedHexPubkey) != strings.ToLower(token.Pubkey) {
- s.logger.Warn("Token verification from non-whitelisted pubkey",
+ if normalizedAllowed != normalizedToken {
+ s.logger.Warn("Token verification from non-whitelisted pubkey - REJECTED",
 zap.String("token_pubkey", token.Pubkey),
- zap.String("allowed_pubkey", allowedHexPubkey))
+ zap.String("allowed_pubkey", allowedHexPubkey),
+ zap.String("normalized_allowed", normalizedAllowed),
+ zap.String("normalized_token", normalizedToken))
 return "", errors.New("unauthorized: token is for a non-whitelisted pubkey")
+ } else {
+ s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
+ zap.String("pubkey", token.Pubkey))
 }
 }
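Review bot: The whole whitelist resolution in this hunk — the "none" check, the npub decode with its new error path, and the lowercase normalization — is now a verbatim copy of the block in Login, and a malformed allowed_npub is still only discovered per request, so every token verification returns "server configuration error" instead of the service refusing to start. Decode and normalize the configured value once in NewService (outside this diff) and keep the resolved hex pubkey on the Service, or at minimum factor the shared block into one helper such as `func (s *Service) allowedHexPubkey() (hex string, enforced bool, err error)` so the two call sites cannot drift apart. The `} else {` after `return` in the decode branch and again after the unauthorized `return` is the same style point as in Login; VerifyToken's body may continue past the end of the hunk.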