Auth fixed now allows more than one user
This commit is contained in:
parent
52023b1156
commit
b29a30df43
@ -75,40 +75,64 @@ func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
|
||||
|
||||
// Check if there's a whitelist and enforce it
|
||||
if s.allowedNpub != "" && s.allowedNpub != "none" {
|
||||
// If the allowed value starts with "npub", we need to decode it to hex
|
||||
allowedHexPubkey := s.allowedNpub
|
||||
if strings.HasPrefix(s.allowedNpub, "npub") {
|
||||
// Try to decode the npub to hex
|
||||
decodedPubkey, err := utils.DecodeNpub(s.allowedNpub)
|
||||
if err != nil {
|
||||
s.logger.Error("Failed to decode allowed_npub",
|
||||
zap.String("allowed_npub", s.allowedNpub),
|
||||
zap.Error(err))
|
||||
return "", errors.New("server configuration error: invalid allowed_npub format")
|
||||
} else {
|
||||
allowedHexPubkey = decodedPubkey
|
||||
// Split by comma to support multiple allowed npubs
|
||||
allowedNpubs := strings.Split(s.allowedNpub, ",")
|
||||
isAuthorized := false
|
||||
|
||||
// Log the number of npubs being checked
|
||||
s.logger.Info("Checking authorization against allowed npubs",
|
||||
zap.Int("allowed_npub_count", len(allowedNpubs)))
|
||||
|
||||
// Check each allowed npub
|
||||
for _, allowedNpub := range allowedNpubs {
|
||||
// Trim any whitespace
|
||||
allowedNpub = strings.TrimSpace(allowedNpub)
|
||||
|
||||
// If empty after trimming, skip
|
||||
if allowedNpub == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
// If the allowed value starts with "npub", we need to decode it to hex
|
||||
allowedHexPubkey := allowedNpub
|
||||
if strings.HasPrefix(allowedNpub, "npub") {
|
||||
// Try to decode the npub to hex
|
||||
decodedPubkey, err := utils.DecodeNpub(allowedNpub)
|
||||
if err != nil {
|
||||
s.logger.Warn("Failed to decode one of the allowed_npub values, skipping",
|
||||
zap.String("allowed_npub", allowedNpub),
|
||||
zap.Error(err))
|
||||
continue
|
||||
} else {
|
||||
allowedHexPubkey = decodedPubkey
|
||||
}
|
||||
}
|
||||
|
||||
// Normalize both pubkeys to lowercase for case-insensitive comparison
|
||||
normalizedAllowed := strings.ToLower(allowedHexPubkey)
|
||||
normalizedAttempt := strings.ToLower(pubkey)
|
||||
|
||||
// Log the comparison for debugging
|
||||
s.logger.Info("Comparing pubkeys for auth restriction",
|
||||
zap.String("normalized_allowed", normalizedAllowed),
|
||||
zap.String("normalized_attempt", normalizedAttempt))
|
||||
|
||||
// Compare with the provided pubkey (case-insensitive comparison)
|
||||
if normalizedAllowed == normalizedAttempt {
|
||||
s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
|
||||
zap.String("pubkey", pubkey),
|
||||
zap.String("matching_allowed_npub", allowedNpub))
|
||||
isAuthorized = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
// Normalize both pubkeys to lowercase for case-insensitive comparison
|
||||
normalizedAllowed := strings.ToLower(allowedHexPubkey)
|
||||
normalizedAttempt := strings.ToLower(pubkey)
|
||||
|
||||
// Log the comparison for debugging
|
||||
s.logger.Info("Comparing pubkeys for auth restriction",
|
||||
zap.String("normalized_allowed", normalizedAllowed),
|
||||
zap.String("normalized_attempt", normalizedAttempt))
|
||||
|
||||
// Compare with the provided pubkey (case-insensitive comparison)
|
||||
if normalizedAllowed != normalizedAttempt {
|
||||
// If not authorized by any of the allowed npubs, reject
|
||||
if !isAuthorized {
|
||||
s.logger.Warn("Login attempt from non-whitelisted pubkey - REJECTED",
|
||||
zap.String("attempt_pubkey", pubkey),
|
||||
zap.String("allowed_pubkey", allowedHexPubkey),
|
||||
zap.String("allowed_npub", s.allowedNpub))
|
||||
return "", errors.New("unauthorized: only the configured npub is allowed to log in")
|
||||
} else {
|
||||
s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
|
||||
zap.String("pubkey", pubkey))
|
||||
zap.String("allowed_npubs", s.allowedNpub))
|
||||
return "", errors.New("unauthorized: only configured npubs are allowed to log in")
|
||||
}
|
||||
}
|
||||
|
||||
@ -172,41 +196,66 @@ func (s *Service) VerifyToken(tokenStr string) (string, error) {
|
||||
|
||||
// Additional check for whitelist if it's configured
|
||||
if s.allowedNpub != "" && s.allowedNpub != "none" {
|
||||
// If the allowed value starts with "npub", we need to decode it to hex
|
||||
allowedHexPubkey := s.allowedNpub
|
||||
if strings.HasPrefix(s.allowedNpub, "npub") {
|
||||
// Try to decode the npub to hex
|
||||
decodedPubkey, err := utils.DecodeNpub(s.allowedNpub)
|
||||
if err != nil {
|
||||
s.logger.Error("Failed to decode allowed_npub in token verification",
|
||||
zap.String("allowed_npub", s.allowedNpub),
|
||||
zap.Error(err))
|
||||
return "", errors.New("server configuration error: invalid allowed_npub format")
|
||||
} else {
|
||||
allowedHexPubkey = decodedPubkey
|
||||
}
|
||||
}
|
||||
|
||||
// Normalize both pubkeys for case-insensitive comparison
|
||||
normalizedAllowed := strings.ToLower(allowedHexPubkey)
|
||||
// Split by comma to support multiple allowed npubs
|
||||
allowedNpubs := strings.Split(s.allowedNpub, ",")
|
||||
isAuthorized := false
|
||||
|
||||
// Log the number of npubs being checked
|
||||
s.logger.Info("Token verification checking against allowed npubs",
|
||||
zap.Int("allowed_npub_count", len(allowedNpubs)))
|
||||
|
||||
// Normalize the token pubkey once
|
||||
normalizedToken := strings.ToLower(token.Pubkey)
|
||||
|
||||
// Log the comparison for debugging
|
||||
s.logger.Info("Token verification comparing pubkeys",
|
||||
zap.String("normalized_allowed", normalizedAllowed),
|
||||
zap.String("normalized_token", normalizedToken))
|
||||
// Check each allowed npub
|
||||
for _, allowedNpub := range allowedNpubs {
|
||||
// Trim any whitespace
|
||||
allowedNpub = strings.TrimSpace(allowedNpub)
|
||||
|
||||
// If empty after trimming, skip
|
||||
if allowedNpub == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
// If the allowed value starts with "npub", we need to decode it to hex
|
||||
allowedHexPubkey := allowedNpub
|
||||
if strings.HasPrefix(allowedNpub, "npub") {
|
||||
// Try to decode the npub to hex
|
||||
decodedPubkey, err := utils.DecodeNpub(allowedNpub)
|
||||
if err != nil {
|
||||
s.logger.Warn("Failed to decode one of the allowed_npub values in token verification, skipping",
|
||||
zap.String("allowed_npub", allowedNpub),
|
||||
zap.Error(err))
|
||||
continue
|
||||
} else {
|
||||
allowedHexPubkey = decodedPubkey
|
||||
}
|
||||
}
|
||||
|
||||
// Compare with the token's pubkey (case-insensitive comparison)
|
||||
if normalizedAllowed != normalizedToken {
|
||||
s.logger.Warn("Token verification from non-whitelisted pubkey - REJECTED",
|
||||
zap.String("token_pubkey", token.Pubkey),
|
||||
zap.String("allowed_pubkey", allowedHexPubkey),
|
||||
// Normalize the allowed pubkey
|
||||
normalizedAllowed := strings.ToLower(allowedHexPubkey)
|
||||
|
||||
// Log the comparison for debugging
|
||||
s.logger.Info("Token verification comparing pubkeys",
|
||||
zap.String("normalized_allowed", normalizedAllowed),
|
||||
zap.String("normalized_token", normalizedToken))
|
||||
|
||||
// Compare with the token's pubkey (case-insensitive comparison)
|
||||
if normalizedAllowed == normalizedToken {
|
||||
s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
|
||||
zap.String("pubkey", token.Pubkey),
|
||||
zap.String("matching_allowed_npub", allowedNpub))
|
||||
isAuthorized = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
// If not authorized by any of the allowed npubs, reject
|
||||
if !isAuthorized {
|
||||
s.logger.Warn("Token verification from non-whitelisted pubkey - REJECTED",
|
||||
zap.String("token_pubkey", token.Pubkey),
|
||||
zap.String("allowed_npubs", s.allowedNpub))
|
||||
return "", errors.New("unauthorized: token is for a non-whitelisted pubkey")
|
||||
} else {
|
||||
s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
|
||||
zap.String("pubkey", token.Pubkey))
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user