enki/nostr-poster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Auth fixed now allows more than one user

Browse Source
This commit is contained in:
Enki 2025-05-14 10:54:28 -07:00
parent 52023b1156
commit b29a30df43
1 changed files with 107 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

165
internal/auth/auth.go
View File

@ -75,40 +75,64 @@ func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
// Check if there's a whitelist and enforce it // Check if there's a whitelist and enforce it
if s.allowedNpub != "" && s.allowedNpub != "none" { if s.allowedNpub != "" && s.allowedNpub != "none" {
// If the allowed value starts with "npub", we need to decode it to hex // Split by comma to support multiple allowed npubs
allowedHexPubkey := s.allowedNpub allowedNpubs := strings.Split(s.allowedNpub, ",")
if strings.HasPrefix(s.allowedNpub, "npub") { isAuthorized := false
// Try to decode the npub to hex
decodedPubkey, err := utils.DecodeNpub(s.allowedNpub) // Log the number of npubs being checked
if err != nil { s.logger.Info("Checking authorization against allowed npubs",
s.logger.Error("Failed to decode allowed_npub", zap.Int("allowed_npub_count", len(allowedNpubs)))
zap.String("allowed_npub", s.allowedNpub),
zap.Error(err)) // Check each allowed npub
return "", errors.New("server configuration error: invalid allowed_npub format") for _, allowedNpub := range allowedNpubs {
} else { // Trim any whitespace
allowedHexPubkey = decodedPubkey allowedNpub = strings.TrimSpace(allowedNpub)
// If empty after trimming, skip
if allowedNpub == "" {
continue
}
// If the allowed value starts with "npub", we need to decode it to hex
allowedHexPubkey := allowedNpub
if strings.HasPrefix(allowedNpub, "npub") {
// Try to decode the npub to hex
decodedPubkey, err := utils.DecodeNpub(allowedNpub)
if err != nil {
s.logger.Warn("Failed to decode one of the allowed_npub values, skipping",
zap.String("allowed_npub", allowedNpub),
zap.Error(err))
continue
} else {
allowedHexPubkey = decodedPubkey
}
}
// Normalize both pubkeys to lowercase for case-insensitive comparison
normalizedAllowed := strings.ToLower(allowedHexPubkey)
normalizedAttempt := strings.ToLower(pubkey)
// Log the comparison for debugging
s.logger.Info("Comparing pubkeys for auth restriction",
zap.String("normalized_allowed", normalizedAllowed),
zap.String("normalized_attempt", normalizedAttempt))
// Compare with the provided pubkey (case-insensitive comparison)
if normalizedAllowed == normalizedAttempt {
s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
zap.String("pubkey", pubkey),
zap.String("matching_allowed_npub", allowedNpub))
isAuthorized = true
break
} }
} }
// Normalize both pubkeys to lowercase for case-insensitive comparison // If not authorized by any of the allowed npubs, reject
normalizedAllowed := strings.ToLower(allowedHexPubkey) if !isAuthorized {
normalizedAttempt := strings.ToLower(pubkey)
// Log the comparison for debugging
s.logger.Info("Comparing pubkeys for auth restriction",
zap.String("normalized_allowed", normalizedAllowed),
zap.String("normalized_attempt", normalizedAttempt))
// Compare with the provided pubkey (case-insensitive comparison)
if normalizedAllowed != normalizedAttempt {
s.logger.Warn("Login attempt from non-whitelisted pubkey - REJECTED", s.logger.Warn("Login attempt from non-whitelisted pubkey - REJECTED",
zap.String("attempt_pubkey", pubkey), zap.String("attempt_pubkey", pubkey),
zap.String("allowed_pubkey", allowedHexPubkey), zap.String("allowed_npubs", s.allowedNpub))
zap.String("allowed_npub", s.allowedNpub)) return "", errors.New("unauthorized: only configured npubs are allowed to log in")
return "", errors.New("unauthorized: only the configured npub is allowed to log in")
} else {
s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
zap.String("pubkey", pubkey))
} }
} }
@ -172,41 +196,66 @@ func (s *Service) VerifyToken(tokenStr string) (string, error) {
// Additional check for whitelist if it's configured // Additional check for whitelist if it's configured
if s.allowedNpub != "" && s.allowedNpub != "none" { if s.allowedNpub != "" && s.allowedNpub != "none" {
// If the allowed value starts with "npub", we need to decode it to hex // Split by comma to support multiple allowed npubs
allowedHexPubkey := s.allowedNpub allowedNpubs := strings.Split(s.allowedNpub, ",")
if strings.HasPrefix(s.allowedNpub, "npub") { isAuthorized := false
// Try to decode the npub to hex
decodedPubkey, err := utils.DecodeNpub(s.allowedNpub) // Log the number of npubs being checked
if err != nil { s.logger.Info("Token verification checking against allowed npubs",
s.logger.Error("Failed to decode allowed_npub in token verification", zap.Int("allowed_npub_count", len(allowedNpubs)))
zap.String("allowed_npub", s.allowedNpub),
zap.Error(err)) // Normalize the token pubkey once
return "", errors.New("server configuration error: invalid allowed_npub format") normalizedToken := strings.ToLower(token.Pubkey)
} else {
allowedHexPubkey = decodedPubkey // Check each allowed npub
for _, allowedNpub := range allowedNpubs {
// Trim any whitespace
allowedNpub = strings.TrimSpace(allowedNpub)
// If empty after trimming, skip
if allowedNpub == "" {
continue
}
// If the allowed value starts with "npub", we need to decode it to hex
allowedHexPubkey := allowedNpub
if strings.HasPrefix(allowedNpub, "npub") {
// Try to decode the npub to hex
decodedPubkey, err := utils.DecodeNpub(allowedNpub)
if err != nil {
s.logger.Warn("Failed to decode one of the allowed_npub values in token verification, skipping",
zap.String("allowed_npub", allowedNpub),
zap.Error(err))
continue
} else {
allowedHexPubkey = decodedPubkey
}
}
// Normalize the allowed pubkey
normalizedAllowed := strings.ToLower(allowedHexPubkey)
// Log the comparison for debugging
s.logger.Info("Token verification comparing pubkeys",
zap.String("normalized_allowed", normalizedAllowed),
zap.String("normalized_token", normalizedToken))
// Compare with the token's pubkey (case-insensitive comparison)
if normalizedAllowed == normalizedToken {
s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
zap.String("pubkey", token.Pubkey),
zap.String("matching_allowed_npub", allowedNpub))
isAuthorized = true
break
} }
} }
// Normalize both pubkeys for case-insensitive comparison // If not authorized by any of the allowed npubs, reject
normalizedAllowed := strings.ToLower(allowedHexPubkey) if !isAuthorized {
normalizedToken := strings.ToLower(token.Pubkey)
// Log the comparison for debugging
s.logger.Info("Token verification comparing pubkeys",
zap.String("normalized_allowed", normalizedAllowed),
zap.String("normalized_token", normalizedToken))
// Compare with the token's pubkey (case-insensitive comparison)
if normalizedAllowed != normalizedToken {
s.logger.Warn("Token verification from non-whitelisted pubkey - REJECTED", s.logger.Warn("Token verification from non-whitelisted pubkey - REJECTED",
zap.String("token_pubkey", token.Pubkey), zap.String("token_pubkey", token.Pubkey),
zap.String("allowed_pubkey", allowedHexPubkey), zap.String("allowed_npubs", s.allowedNpub))
zap.String("normalized_allowed", normalizedAllowed),
zap.String("normalized_token", normalizedToken))
return "", errors.New("unauthorized: token is for a non-whitelisted pubkey") return "", errors.New("unauthorized: token is for a non-whitelisted pubkey")
} else {
s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
zap.String("pubkey", token.Pubkey))
} }
} }