feat: add sign in with solana (EIP-4361) support #1918

Open
wants to merge 22 commits into
base: master
9e42bb2
feat: implement EIP-4361 support with SIWS message handling and verif…
Bewinxed Jan 17, 2025
fd8b16d
refactor: migrate SIWS utilities to web3/solana and remove deprecated…
Bewinxed Jan 18, 2025
6e4c871
refactor: consolidate Ethereum signature verification into crypto pac…
Bewinxed Jan 18, 2025
118eba4
refactor: migrate Solana utilities to a dedicated package and remove …
Bewinxed Jan 18, 2025
d8cdba4
feat: add domain validation for SIWS messages and refactor domain che…
Bewinxed Jan 18, 2025
311291a
refactor: rename EIP-4361 references to Web3 and update related confi…
Bewinxed Jan 18, 2025
0e96f8a
refactor: enhance SIWS error handling with structured error types and…
Bewinxed Jan 18, 2025
54fdc0a
- streamline error messages & moved them to unified package.
Bewinxed Jan 19, 2025
efb21e7
- adjusted verification for some siws parameters.
Bewinxed Jan 29, 2025
15cbbe7
refactor(api): change HTTP method for nonce endpoint to POST for secu…
Bewinxed Jan 29, 2025
35f2b28
add replay attack tests, adjust imports
Bewinxed Feb 9, 2025
429cd3d
Code reorganization, add tests for web3, add db constraint for nonces…
Bewinxed Feb 9, 2025
07e904b
added unique nonce/address constraint
Bewinxed Feb 9, 2025
e309d38
Omitted server-side nonce generation, cleanup unimplemented chain fun…
Bewinxed Feb 16, 2025
f9c02f5
Update internal/api/web3.go
Bewinxed Mar 7, 2025
6b4b624
Update internal/utilities/solana/helpers.go
Bewinxed Mar 7, 2025
6025328
updated verifySIWS logging, resolved conversationsm, added omitEmpty …
Bewinxed Mar 7, 2025
8632fb5
Refactor nonce handling and improve address uniqueness validation
Bewinxed Mar 7, 2025
56a7c12
Refactor Web3 provider signature verification and clean up unused code
Bewinxed Mar 11, 2025
d49ba26
fix openapi yaml quotes
Bewinxed Mar 12, 2025
d8cfb57
Fix quotes in OpenAPI YAML references for consistency
Bewinxed Mar 12, 2025
0910890
Fix quotes in OpenAPI YAML references for consistency
Bewinxed Mar 12, 2025
9 changes: 9 additions & 0 deletions example.env
Expand Up @@ -168,6 +168,15 @@ GOTRUE_EXTERNAL_ZOOM_CLIENT_ID=""
GOTRUE_EXTERNAL_ZOOM_SECRET=""
GOTRUE_EXTERNAL_ZOOM_REDIRECT_URI="http://localhost:9999/callback"

# EIP-4361 OAuth config
GOTRUE_EXTERNAL_WEB3_ENABLED="true"
GOTRUE_EXTERNAL_WEB3_TIMEOUT="300s"
GOTRUE_EXTERNAL_WEB3_DOMAIN="localhost:9999"

# Supported Chains Configuration
GOTRUE_EXTERNAL_WEB3_SUPPORTED_CHAINS="solana:mainnet,solana:devnet"
GOTRUE_EXTERNAL_WEB3_DEFAULT_CHAIN="solana:mainnet"

# Anonymous auth config
GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED="false"

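Review bot: The header comment `# EIP-4361 OAuth config` fits neither the flow (a signed-message grant, not OAuth) nor, for the Solana chains configured just below it, EIP-4361, which is the Sign-In with Ethereum specification; since the commit list shows the EIP-4361 references were renamed to Web3 elsewhere in this PR, rename the comment too, e.g. `# Web3 (Sign in with Solana) config`. A short comment on `GOTRUE_EXTERNAL_WEB3_DOMAIN` stating that it is the domain a signed message must name to be accepted would also help, assuming that is what the domain validation added in this PR checks. The same block is repeated in `hack/test.env`.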
18 changes: 10 additions & 8 deletions go.mod
Expand Up @@ -34,14 +34,16 @@ require (
)

require (
github.com/bits-and-blooms/bitset v1.10.0 // indirect
github.com/bits-and-blooms/bitset v1.13.0 // indirect
github.com/btcsuite/btcutil v1.0.2 // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-jose/go-jose/v3 v3.0.3 // indirect
github.com/go-webauthn/x v0.1.12 // indirect
github.com/gobuffalo/nulls v0.4.2 // indirect
github.com/goccy/go-json v0.10.3 // indirect
github.com/google/go-tpm v0.9.1 // indirect
github.com/holiman/uint256 v1.3.1 // indirect
github.com/jackc/pgx/v4 v4.18.2 // indirect
github.com/lestrrat-go/blackmagic v1.0.2 // indirect
github.com/lestrrat-go/httpcc v1.0.1 // indirect
Expand Down Expand Up @@ -98,10 +100,10 @@ require (
github.com/beevik/etree v1.1.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/crewjam/httperr v0.2.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/fatih/color v1.13.0 // indirect
github.com/fatih/color v1.16.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
Expand Down Expand Up @@ -130,7 +132,7 @@ require (
github.com/luna-duclos/instrumentedsql v1.1.3 // indirect
github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.16 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-sqlite3 v2.0.3+incompatible // indirect
github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
Expand All @@ -146,15 +148,15 @@ require (
github.com/spf13/pflag v1.0.5 // indirect
github.com/stretchr/objx v0.5.2 // indirect
go.opentelemetry.io/proto/otlp v1.2.0 // indirect
golang.org/x/exp v0.0.0-20230213192124-5e25df0256eb
golang.org/x/net v0.23.0 // indirect
golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
golang.org/x/net v0.24.0 // indirect
golang.org/x/sync v0.10.0
golang.org/x/sys v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
golang.org/x/time v0.5.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/grpc v1.63.2 // indirect
google.golang.org/protobuf v1.33.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
48 changes: 48 additions & 0 deletions go.sum
5 changes: 5 additions & 0 deletions hack/test.env
Expand Up @@ -105,6 +105,11 @@ GOTRUE_EXTERNAL_ZOOM_CLIENT_ID=testclientid
GOTRUE_EXTERNAL_ZOOM_SECRET=testsecret
GOTRUE_EXTERNAL_ZOOM_REDIRECT_URI=https://identity.services.netlify.com/callback
GOTRUE_EXTERNAL_FLOW_STATE_EXPIRY_DURATION="300s"
GOTRUE_EXTERNAL_WEB3_ENABLED="true"
GOTRUE_EXTERNAL_WEB3_TIMEOUT="300s"
GOTRUE_EXTERNAL_WEB3_DOMAIN="example.com"
GOTRUE_EXTERNAL_WEB3_SUPPORTED_CHAINS="solana:mainnet,solana:devnet"
GOTRUE_EXTERNAL_WEB3_DEFAULT_CHAIN="solana:mainnet"
GOTRUE_RATE_LIMIT_VERIFY="100000"
GOTRUE_RATE_LIMIT_TOKEN_REFRESH="30"
GOTRUE_RATE_LIMIT_ANONYMOUS_USERS="5"
1 change: 1 addition & 0 deletions internal/api/api.go
Expand Up @@ -133,6 +133,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
})

r.Route("/", func(r *router) {

r.Use(api.isValidExternalHost)

r.Get("/settings", api.Settings)
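--- a/internal/api/external_web3_test.go
+++ b/internal/api/external_web3_test.go
@@ -0,0 +1,167 @@
+package api
+
+import (
+"bytes"
+"crypto/ed25519"
+"crypto/rand"
+"encoding/base64"
+"encoding/json"
+"fmt"
+"net/http"
+"net/http/httptest"
+"testing"
+"time"
+
+"github.com/btcsuite/btcutil/base58"
+"github.com/stretchr/testify/require"
+"github.com/stretchr/testify/suite"
+"github.com/supabase/auth/internal/conf"
+"github.com/supabase/auth/internal/crypto"
+"github.com/supabase/auth/internal/models"
+siws "github.com/supabase/auth/internal/utilities/solana"
+)
+
+const (
+// Chain identifiers
+chainSolanaMainnet = "solana:mainnet"
+
+// Grant type
+grantTypeWeb3 = "web3"
+
+// Error responses
+errorInvalidGrant = "invalid_grant"
+
+// Test values
+defaultTestURI = "https://example.com"
+
+// Endpoints
+tokenEndpoint = "/token"
+)
+
+type Web3TestSuite struct {
+suite.Suite
+API *API
+Config *conf.GlobalConfiguration
+pubKey ed25519.PublicKey
+privKey ed25519.PrivateKey
+pubKeyBase58 string
+
+// Test configuration
+testURI string
+}
+
+type TokenRequest struct {
+GrantType string `json:"grant_type"`
+Message string `json:"message"`
+Signature string `json:"signature"`
+Address string `json:"address"`
+Chain string `json:"chain"`
+}
+
+func TestWeb3(t *testing.T) {
+api, config, err := setupAPIForTest()
+require.NoError(t, err)
+
+ts := &Web3TestSuite{
+API: api,
+Config: config,
+testURI: defaultTestURI,
+}
+defer api.db.Close()
+
+suite.Run(t, ts)
+}
+
+func (ts *Web3TestSuite) SetupTest() {
+models.TruncateAll(ts.API.db)
+
+ts.Config.DisableSignup = false
+ts.Config.Mailer.AllowUnverifiedEmailSignIns = true
+
+// Generate test keys for Solana
+var err error
+ts.pubKey, ts.privKey, err = ed25519.GenerateKey(rand.Reader)
+ts.Require().NoError(err)
+ts.pubKeyBase58 = base58.Encode(ts.pubKey)
+}
+
+func newSIWSRequest(t *testing.T, grantType, message, signature, address, chain string) *http.Request {
+tokenRequest := TokenRequest{
+Message: message,
+Signature: signature,
+Address: address,
+Chain: chain,
+}
+jsonBody, err := json.Marshal(tokenRequest)
+require.NoError(t, err)
+
+req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("%s?grant_type=%s", tokenEndpoint, grantType), bytes.NewReader(jsonBody))
+req.Header.Set("Content-Type", "application/json")
+return req
+}
+
+func (ts *Web3TestSuite) generateSIWSMessageAndSignature(nonce string) (string, string) {
+msg := siws.SIWSMessage{
+Domain: ts.Config.External.Web3.Domain,
+Address: ts.pubKeyBase58,
+Statement: ts.Config.External.Web3.Statement,
+URI: ts.testURI,
+Version: ts.Config.External.Web3.Version,
+Nonce: nonce,
+IssuedAt: time.Now().UTC(),
+}
+rawMessage := siws.ConstructMessage(msg)
+signature := ed25519.Sign(ts.privKey, []byte(rawMessage))
+signatureBase64 := base64.StdEncoding.EncodeToString(signature)
+return rawMessage, signatureBase64
+}
+
+func (ts *Web3TestSuite) assertErrorResponse(w *httptest.ResponseRecorder, expectedCode int, expectedError string) {
+ts.Require().Equal(expectedCode, w.Code)
+var errorResponse map[string]interface{}
+err := json.NewDecoder(w.Body).Decode(&errorResponse)
+ts.Require().NoError(err)
+ts.Require().Equal(expectedError, errorResponse["error"])
+}
+
+func (ts *Web3TestSuite) TestSignupWeb3_InvalidSignature() {
+nonce := crypto.SecureAlphanumeric(12)
+
+rawMessage, _ := ts.generateSIWSMessageAndSignature(nonce)
+
+invalidSignature := base64.StdEncoding.EncodeToString(make([]byte, 64))
+
+req := newSIWSRequest(ts.T(), grantTypeWeb3, rawMessage, invalidSignature, ts.pubKeyBase58, chainSolanaMainnet)
+w := httptest.NewRecorder()
+ts.API.handler.ServeHTTP(w, req)
+ts.assertErrorResponse(w, http.StatusBadRequest, errorInvalidGrant)
+}
+
+func (ts *Web3TestSuite) TestSignupWeb3_MalformedMessage() {
+nonce := crypto.SecureAlphanumeric(12)
+
+malformedMessage := fmt.Sprintf(`{
+"domain": "%s",
+"uri": "%s",
+"version": "1",
+"nonce": "%s"
+}`, ts.Config.External.Web3.Domain, ts.testURI, nonce)
+
+_, signatureBase64 := ts.generateSIWSMessageAndSignature(nonce)
+
+req := newSIWSRequest(ts.T(), grantTypeWeb3, malformedMessage, signatureBase64, ts.pubKeyBase58, chainSolanaMainnet)
+w := httptest.NewRecorder()
+ts.API.handler.ServeHTTP(w, req)
+ts.assertErrorResponse(w, http.StatusBadRequest, errorInvalidGrant)
+}
+
+func (ts *Web3TestSuite) TestSignupWeb3_InvalidChain() {
+nonce := crypto.SecureAlphanumeric(12)
+rawMessage, signatureBase64 := ts.generateSIWSMessageAndSignature(nonce)
+
+invalidChain := "invalid-chain"
+req := newSIWSRequest(ts.T(), grantTypeWeb3, rawMessage, signatureBase64, ts.pubKeyBase58, invalidChain)
+w := httptest.NewRecorder()
+ts.API.handler.ServeHTTP(w, req)
+ts.assertErrorResponse(w, http.StatusBadRequest, errorInvalidGrant)
+}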
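Review bot: The return value of `models.TruncateAll(ts.API.db)` in `SetupTest` is discarded, so if the truncate fails (assuming it reports an error, as the other setup code in this package does) later cases run against rows left by a previous test without any signal; write it as `ts.Require().NoError(models.TruncateAll(ts.API.db))`. In `newSIWSRequest` the `GrantType` field of `TokenRequest` is never populated, so every body carries an empty `grant_type` while the real one goes in the query string — either set `GrantType: grantType` or drop the field so the helper does not suggest the handler reads it from the body. The three cases in this file only exercise rejection paths (all-zero signature, JSON body in place of the SIWS text, unknown chain); a successful sign-in and rejection of a reused nonce, a stale `IssuedAt` beyond `GOTRUE_EXTERNAL_WEB3_TIMEOUT`, and a message whose domain differs from `Web3.Domain` are not covered here, although the commit list mentions replay-attack tests that presumably live in another file.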
3 changes: 3 additions & 0 deletions internal/api/helpers.go
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/supabase/auth/internal/conf"
"github.com/supabase/auth/internal/models"
"github.com/supabase/auth/internal/security"

"github.com/supabase/auth/internal/utilities"
)

Expand Down Expand Up @@ -74,13 +75,15 @@ type RequestParams interface {
SignupParams |
SingleSignOnParams |
SmsParams |
Web3GrantParams |
UserUpdateParams |
VerifyFactorParams |
VerifyParams |
adminUserUpdateFactorParams |
adminUserDeleteParams |
security.GotrueRequest |
ChallengeFactorParams |

struct {
Email string `json:"email"`
Phone string `json:"phone"`
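Review bot: `Web3GrantParams |` is inserted between `SmsParams` and `UserUpdateParams`, which breaks the alphabetical order the exported members above it in the `RequestParams` union follow; move it after `VerifyParams |`. The blank line added before the anonymous `struct {` member, and the one added inside the import block in the first hunk of this file, are stray whitespace that gofmt preserves but the surrounding code does not use, so drop both. The union definition continues past the end of the hunk.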