Auth fixed now allows more than one user

This commit is contained in:
Enki 2025-05-14 10:54:28 -07:00
parent 52023b1156
commit b29a30df43

View File

@ -75,40 +75,64 @@ func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
// Check if there's a whitelist and enforce it
if s.allowedNpub != "" && s.allowedNpub != "none" {
// If the allowed value starts with "npub", we need to decode it to hex
allowedHexPubkey := s.allowedNpub
if strings.HasPrefix(s.allowedNpub, "npub") {
// Try to decode the npub to hex
decodedPubkey, err := utils.DecodeNpub(s.allowedNpub)
if err != nil {
s.logger.Error("Failed to decode allowed_npub",
zap.String("allowed_npub", s.allowedNpub),
zap.Error(err))
return "", errors.New("server configuration error: invalid allowed_npub format")
} else {
allowedHexPubkey = decodedPubkey
// Split by comma to support multiple allowed npubs
allowedNpubs := strings.Split(s.allowedNpub, ",")
isAuthorized := false
// Log the number of npubs being checked
s.logger.Info("Checking authorization against allowed npubs",
zap.Int("allowed_npub_count", len(allowedNpubs)))
// Check each allowed npub
for _, allowedNpub := range allowedNpubs {
// Trim any whitespace
allowedNpub = strings.TrimSpace(allowedNpub)
// If empty after trimming, skip
if allowedNpub == "" {
continue
}
// If the allowed value starts with "npub", we need to decode it to hex
allowedHexPubkey := allowedNpub
if strings.HasPrefix(allowedNpub, "npub") {
// Try to decode the npub to hex
decodedPubkey, err := utils.DecodeNpub(allowedNpub)
if err != nil {
s.logger.Warn("Failed to decode one of the allowed_npub values, skipping",
zap.String("allowed_npub", allowedNpub),
zap.Error(err))
continue
} else {
allowedHexPubkey = decodedPubkey
}
}
// Normalize both pubkeys to lowercase for case-insensitive comparison
normalizedAllowed := strings.ToLower(allowedHexPubkey)
normalizedAttempt := strings.ToLower(pubkey)
// Log the comparison for debugging
s.logger.Info("Comparing pubkeys for auth restriction",
zap.String("normalized_allowed", normalizedAllowed),
zap.String("normalized_attempt", normalizedAttempt))
// Compare with the provided pubkey (case-insensitive comparison)
if normalizedAllowed == normalizedAttempt {
s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
zap.String("pubkey", pubkey),
zap.String("matching_allowed_npub", allowedNpub))
isAuthorized = true
break
}
}
// Normalize both pubkeys to lowercase for case-insensitive comparison
normalizedAllowed := strings.ToLower(allowedHexPubkey)
normalizedAttempt := strings.ToLower(pubkey)
// Log the comparison for debugging
s.logger.Info("Comparing pubkeys for auth restriction",
zap.String("normalized_allowed", normalizedAllowed),
zap.String("normalized_attempt", normalizedAttempt))
// Compare with the provided pubkey (case-insensitive comparison)
if normalizedAllowed != normalizedAttempt {
// If not authorized by any of the allowed npubs, reject
if !isAuthorized {
s.logger.Warn("Login attempt from non-whitelisted pubkey - REJECTED",
zap.String("attempt_pubkey", pubkey),
zap.String("allowed_pubkey", allowedHexPubkey),
zap.String("allowed_npub", s.allowedNpub))
return "", errors.New("unauthorized: only the configured npub is allowed to log in")
} else {
s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
zap.String("pubkey", pubkey))
zap.String("allowed_npubs", s.allowedNpub))
return "", errors.New("unauthorized: only configured npubs are allowed to log in")
}
}
@ -172,41 +196,66 @@ func (s *Service) VerifyToken(tokenStr string) (string, error) {
// Additional check for whitelist if it's configured
if s.allowedNpub != "" && s.allowedNpub != "none" {
// If the allowed value starts with "npub", we need to decode it to hex
allowedHexPubkey := s.allowedNpub
if strings.HasPrefix(s.allowedNpub, "npub") {
// Try to decode the npub to hex
decodedPubkey, err := utils.DecodeNpub(s.allowedNpub)
if err != nil {
s.logger.Error("Failed to decode allowed_npub in token verification",
zap.String("allowed_npub", s.allowedNpub),
zap.Error(err))
return "", errors.New("server configuration error: invalid allowed_npub format")
} else {
allowedHexPubkey = decodedPubkey
}
}
// Normalize both pubkeys for case-insensitive comparison
normalizedAllowed := strings.ToLower(allowedHexPubkey)
// Split by comma to support multiple allowed npubs
allowedNpubs := strings.Split(s.allowedNpub, ",")
isAuthorized := false
// Log the number of npubs being checked
s.logger.Info("Token verification checking against allowed npubs",
zap.Int("allowed_npub_count", len(allowedNpubs)))
// Normalize the token pubkey once
normalizedToken := strings.ToLower(token.Pubkey)
// Log the comparison for debugging
s.logger.Info("Token verification comparing pubkeys",
zap.String("normalized_allowed", normalizedAllowed),
zap.String("normalized_token", normalizedToken))
// Check each allowed npub
for _, allowedNpub := range allowedNpubs {
// Trim any whitespace
allowedNpub = strings.TrimSpace(allowedNpub)
// If empty after trimming, skip
if allowedNpub == "" {
continue
}
// If the allowed value starts with "npub", we need to decode it to hex
allowedHexPubkey := allowedNpub
if strings.HasPrefix(allowedNpub, "npub") {
// Try to decode the npub to hex
decodedPubkey, err := utils.DecodeNpub(allowedNpub)
if err != nil {
s.logger.Warn("Failed to decode one of the allowed_npub values in token verification, skipping",
zap.String("allowed_npub", allowedNpub),
zap.Error(err))
continue
} else {
allowedHexPubkey = decodedPubkey
}
}
// Compare with the token's pubkey (case-insensitive comparison)
if normalizedAllowed != normalizedToken {
s.logger.Warn("Token verification from non-whitelisted pubkey - REJECTED",
zap.String("token_pubkey", token.Pubkey),
zap.String("allowed_pubkey", allowedHexPubkey),
// Normalize the allowed pubkey
normalizedAllowed := strings.ToLower(allowedHexPubkey)
// Log the comparison for debugging
s.logger.Info("Token verification comparing pubkeys",
zap.String("normalized_allowed", normalizedAllowed),
zap.String("normalized_token", normalizedToken))
// Compare with the token's pubkey (case-insensitive comparison)
if normalizedAllowed == normalizedToken {
s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
zap.String("pubkey", token.Pubkey),
zap.String("matching_allowed_npub", allowedNpub))
isAuthorized = true
break
}
}
// If not authorized by any of the allowed npubs, reject
if !isAuthorized {
s.logger.Warn("Token verification from non-whitelisted pubkey - REJECTED",
zap.String("token_pubkey", token.Pubkey),
zap.String("allowed_npubs", s.allowedNpub))
return "", errors.New("unauthorized: token is for a non-whitelisted pubkey")
} else {
s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
zap.String("pubkey", token.Pubkey))
}
}