Auth issues Fix
This commit is contained in:
parent
b470e0041d
commit
be9cd52ac6
@ -162,6 +162,7 @@ func main() {
|
|||||||
logger,
|
logger,
|
||||||
keyPassword, // Use the same password for simplicity
|
keyPassword, // Use the same password for simplicity
|
||||||
24*time.Hour, // Token duration
|
24*time.Hour, // Token duration
|
||||||
|
cfg.AllowedNpub, // Pass the allowed npub from config
|
||||||
)
|
)
|
||||||
|
|
||||||
// Initialize bot service
|
// Initialize bot service
|
||||||
|
|||||||
@ -41,10 +41,11 @@ type Service struct {
|
|||||||
logger *zap.Logger
|
logger *zap.Logger
|
||||||
secretKey []byte
|
secretKey []byte
|
||||||
tokenDuration time.Duration
|
tokenDuration time.Duration
|
||||||
|
allowedNpub string // Add allowed npub for whitelisting
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewService creates a new authentication service
|
// NewService creates a new authentication service
|
||||||
func NewService(db *db.DB, logger *zap.Logger, secretKey string, tokenDuration time.Duration) *Service {
|
func NewService(db *db.DB, logger *zap.Logger, secretKey string, tokenDuration time.Duration, allowedNpub string) *Service {
|
||||||
// If no secret key is provided, generate a secure random one
|
// If no secret key is provided, generate a secure random one
|
||||||
decodedKey := []byte(secretKey)
|
decodedKey := []byte(secretKey)
|
||||||
if secretKey == "" {
|
if secretKey == "" {
|
||||||
@ -55,28 +56,37 @@ func NewService(db *db.DB, logger *zap.Logger, secretKey string, tokenDuration t
|
|||||||
}
|
}
|
||||||
decodedKey = key
|
decodedKey = key
|
||||||
}
|
}
|
||||||
|
|
||||||
return &Service{
|
return &Service{
|
||||||
db: db,
|
db: db,
|
||||||
logger: logger,
|
logger: logger,
|
||||||
secretKey: decodedKey,
|
secretKey: decodedKey,
|
||||||
tokenDuration: tokenDuration,
|
tokenDuration: tokenDuration,
|
||||||
|
allowedNpub: allowedNpub,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Login handles user login with a Nostr signature
|
// Login handles user login with a Nostr signature
|
||||||
func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
|
func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
|
||||||
|
// Check if there's a whitelist and enforce it
|
||||||
|
if s.allowedNpub != "" && s.allowedNpub != pubkey {
|
||||||
|
s.logger.Warn("Login attempt from non-whitelisted pubkey",
|
||||||
|
zap.String("attempt_pubkey", pubkey),
|
||||||
|
zap.String("allowed_npub", s.allowedNpub))
|
||||||
|
return "", errors.New("unauthorized: only the configured npub is allowed to log in")
|
||||||
|
}
|
||||||
|
|
||||||
// Parse the event
|
// Parse the event
|
||||||
var event nostr.Event
|
var event nostr.Event
|
||||||
if err := json.Unmarshal([]byte(eventJSON), &event); err != nil {
|
if err := json.Unmarshal([]byte(eventJSON), &event); err != nil {
|
||||||
return "", fmt.Errorf("failed to parse event: %w", err)
|
return "", fmt.Errorf("failed to parse event: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify the event
|
// Verify the event
|
||||||
if event.PubKey != pubkey {
|
if event.PubKey != pubkey {
|
||||||
return "", errors.New("pubkey mismatch in event")
|
return "", errors.New("pubkey mismatch in event")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify the signature
|
// Verify the signature
|
||||||
ok, err := event.CheckSignature()
|
ok, err := event.CheckSignature()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -85,20 +95,20 @@ func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
|
|||||||
if !ok {
|
if !ok {
|
||||||
return "", ErrInvalidSignature
|
return "", ErrInvalidSignature
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if the event was created recently
|
// Check if the event was created recently
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
eventTime := time.Unix(int64(event.CreatedAt), 0)
|
eventTime := time.Unix(int64(event.CreatedAt), 0)
|
||||||
if now.Sub(eventTime) > 5*time.Minute || eventTime.After(now.Add(5*time.Minute)) {
|
if now.Sub(eventTime) > 5*time.Minute || eventTime.After(now.Add(5*time.Minute)) {
|
||||||
return "", errors.New("event timestamp is too far from current time")
|
return "", errors.New("event timestamp is too far from current time")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate a token
|
// Generate a token
|
||||||
token, err := s.createToken(pubkey)
|
token, err := s.createToken(pubkey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf("failed to create token: %w", err)
|
return "", fmt.Errorf("failed to create token: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
return token, nil
|
return token, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -52,7 +52,7 @@ type Config struct {
|
|||||||
Write bool `mapstructure:"write"`
|
Write bool `mapstructure:"write"`
|
||||||
} `mapstructure:"relays"`
|
} `mapstructure:"relays"`
|
||||||
|
|
||||||
AllowedNpub string `mapstructure:"allowed_npub"` // NEW
|
AllowedNpub string `mapstructure:"allowed_npub"` // Set this to restrict login to a specific Nostr pubkey
|
||||||
}
|
}
|
||||||
|
|
||||||
// LoadConfig loads the configuration from file or environment variables
|
// LoadConfig loads the configuration from file or environment variables
|
||||||
@ -79,7 +79,7 @@ func LoadConfig(configPath string) (*Config, error) {
|
|||||||
{"url": "wss://freelay.sovbit.host", "read": true, "write": true},
|
{"url": "wss://freelay.sovbit.host", "read": true, "write": true},
|
||||||
})
|
})
|
||||||
|
|
||||||
v.SetDefault("allowed_npub", "")
|
v.SetDefault("allowed_npub", "") // Empty string means no restriction
|
||||||
|
|
||||||
// Setup config file search
|
// Setup config file search
|
||||||
if configPath != "" {
|
if configPath != "" {
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user