fucking auth BS
This commit is contained in:
parent
cdad91c110
commit
52023b1156
@ -69,8 +69,12 @@ func NewService(db *db.DB, logger *zap.Logger, secretKey string, tokenDuration t
|
||||
|
||||
// Login handles user login with a Nostr signature
|
||||
func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
|
||||
s.logger.Info("Login attempt",
|
||||
zap.String("pubkey", pubkey),
|
||||
zap.String("configured_allowed_npub", s.allowedNpub))
|
||||
|
||||
// Check if there's a whitelist and enforce it
|
||||
if s.allowedNpub != "" {
|
||||
if s.allowedNpub != "" && s.allowedNpub != "none" {
|
||||
// If the allowed value starts with "npub", we need to decode it to hex
|
||||
allowedHexPubkey := s.allowedNpub
|
||||
if strings.HasPrefix(s.allowedNpub, "npub") {
|
||||
@ -80,19 +84,31 @@ func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
|
||||
s.logger.Error("Failed to decode allowed_npub",
|
||||
zap.String("allowed_npub", s.allowedNpub),
|
||||
zap.Error(err))
|
||||
// If we can't decode, we'll just use the original value
|
||||
return "", errors.New("server configuration error: invalid allowed_npub format")
|
||||
} else {
|
||||
allowedHexPubkey = decodedPubkey
|
||||
}
|
||||
}
|
||||
|
||||
// Normalize both pubkeys to lowercase for case-insensitive comparison
|
||||
normalizedAllowed := strings.ToLower(allowedHexPubkey)
|
||||
normalizedAttempt := strings.ToLower(pubkey)
|
||||
|
||||
// Log the comparison for debugging
|
||||
s.logger.Info("Comparing pubkeys for auth restriction",
|
||||
zap.String("normalized_allowed", normalizedAllowed),
|
||||
zap.String("normalized_attempt", normalizedAttempt))
|
||||
|
||||
// Compare with the provided pubkey (case-insensitive comparison)
|
||||
if strings.ToLower(allowedHexPubkey) != strings.ToLower(pubkey) {
|
||||
s.logger.Warn("Login attempt from non-whitelisted pubkey",
|
||||
if normalizedAllowed != normalizedAttempt {
|
||||
s.logger.Warn("Login attempt from non-whitelisted pubkey - REJECTED",
|
||||
zap.String("attempt_pubkey", pubkey),
|
||||
zap.String("allowed_pubkey", allowedHexPubkey),
|
||||
zap.String("allowed_npub", s.allowedNpub))
|
||||
return "", errors.New("unauthorized: only the configured npub is allowed to log in")
|
||||
} else {
|
||||
s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
|
||||
zap.String("pubkey", pubkey))
|
||||
}
|
||||
}
|
||||
|
||||
@ -155,23 +171,42 @@ func (s *Service) VerifyToken(tokenStr string) (string, error) {
|
||||
}
|
||||
|
||||
// Additional check for whitelist if it's configured
|
||||
if s.allowedNpub != "" {
|
||||
if s.allowedNpub != "" && s.allowedNpub != "none" {
|
||||
// If the allowed value starts with "npub", we need to decode it to hex
|
||||
allowedHexPubkey := s.allowedNpub
|
||||
if strings.HasPrefix(s.allowedNpub, "npub") {
|
||||
// Try to decode the npub to hex
|
||||
decodedPubkey, err := utils.DecodeNpub(s.allowedNpub)
|
||||
if err == nil {
|
||||
if err != nil {
|
||||
s.logger.Error("Failed to decode allowed_npub in token verification",
|
||||
zap.String("allowed_npub", s.allowedNpub),
|
||||
zap.Error(err))
|
||||
return "", errors.New("server configuration error: invalid allowed_npub format")
|
||||
} else {
|
||||
allowedHexPubkey = decodedPubkey
|
||||
}
|
||||
}
|
||||
|
||||
// Normalize both pubkeys for case-insensitive comparison
|
||||
normalizedAllowed := strings.ToLower(allowedHexPubkey)
|
||||
normalizedToken := strings.ToLower(token.Pubkey)
|
||||
|
||||
// Log the comparison for debugging
|
||||
s.logger.Info("Token verification comparing pubkeys",
|
||||
zap.String("normalized_allowed", normalizedAllowed),
|
||||
zap.String("normalized_token", normalizedToken))
|
||||
|
||||
// Compare with the token's pubkey (case-insensitive comparison)
|
||||
if strings.ToLower(allowedHexPubkey) != strings.ToLower(token.Pubkey) {
|
||||
s.logger.Warn("Token verification from non-whitelisted pubkey",
|
||||
if normalizedAllowed != normalizedToken {
|
||||
s.logger.Warn("Token verification from non-whitelisted pubkey - REJECTED",
|
||||
zap.String("token_pubkey", token.Pubkey),
|
||||
zap.String("allowed_pubkey", allowedHexPubkey))
|
||||
zap.String("allowed_pubkey", allowedHexPubkey),
|
||||
zap.String("normalized_allowed", normalizedAllowed),
|
||||
zap.String("normalized_token", normalizedToken))
|
||||
return "", errors.New("unauthorized: token is for a non-whitelisted pubkey")
|
||||
} else {
|
||||
s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
|
||||
zap.String("pubkey", token.Pubkey))
|
||||
}
|
||||
}
|
||||
|
||||
|
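Review bot: The whitelist entry is bech32-decoded on every Login and VerifyToken call, so a malformed allowed_npub surfaces only as a per-request `server configuration error` instead of failing when the service is built, and the decode/normalize/compare block is duplicated between the `@ -80,19` and `@ -155,23` hunks. Since NewService already receives the configuration (first hunk header), decode and lower-case it once there, keep the hex form in a field, and have both checks call one helper as sketched below; the `return nil, fmt.Errorf(...)` assumes NewService can return an error, which the hunk does not show. The `// Log the comparison for debugging` Info entries fire on the unauthenticated Login path for every attempt, so they belong at Debug level or should collapse into the helper's single Warn on rejection. The `// Login handles user login with a Nostr signature` comment should also state the disable semantics, e.g. `// An empty or "none" allowedNpub disables the whitelist; any pubkey that passes the remaining checks is then accepted.` Login, VerifyToken and NewService all start and end outside these hunks.
```go
// … unchanged: NewService body up to the allowedNpub assignment …
// Decode the whitelist once so a bad allowed_npub fails at startup, not per login.
if allowedNpub != "" && allowedNpub != "none" {
	hexPubkey := allowedNpub
	if strings.HasPrefix(allowedNpub, "npub") {
		decoded, err := utils.DecodeNpub(allowedNpub)
		if err != nil {
			return nil, fmt.Errorf("decoding allowed_npub %q: %w", allowedNpub, err)
		}
		hexPubkey = decoded
	}
	s.allowedPubkeyHex = strings.ToLower(hexPubkey)
}

// pubkeyAllowed reports whether hexPubkey may authenticate: true when the
// whitelist is disabled (allowedPubkeyHex empty) or when it matches, compared
// case-insensitively.
func (s *Service) pubkeyAllowed(hexPubkey string) bool {
	return s.allowedPubkeyHex == "" || s.allowedPubkeyHex == strings.ToLower(hexPubkey)
}

// Login: replaces the whole `if s.allowedNpub != "" && s.allowedNpub != "none" {` block.
if !s.pubkeyAllowed(pubkey) {
	s.logger.Warn("Login attempt from non-whitelisted pubkey - REJECTED",
		zap.String("attempt_pubkey", pubkey))
	return "", errors.New("unauthorized: only the configured npub is allowed to log in")
}
// … unchanged: rest of Login; VerifyToken gets the same call with token.Pubkey …
```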