supabase · Bewinxed · Jan 17, 2025 · Jan 18, 2025 · Jan 18, 2025 · Jan 18, 2025
@@ -168,6 +168,15 @@ GOTRUE_EXTERNAL_ZOOM_CLIENT_ID=""
 GOTRUE_EXTERNAL_ZOOM_SECRET=""
 GOTRUE_EXTERNAL_ZOOM_REDIRECT_URI="http://localhost:9999/callback"
 
+# EIP-4361 OAuth config
+GOTRUE_EXTERNAL_WEB3_ENABLED="true"
+GOTRUE_EXTERNAL_WEB3_TIMEOUT="300s"
+GOTRUE_EXTERNAL_WEB3_DOMAIN="localhost:9999"
+
+# Supported Chains Configuration
+GOTRUE_EXTERNAL_WEB3_SUPPORTED_CHAINS="solana:mainnet,solana:devnet"
+GOTRUE_EXTERNAL_WEB3_DEFAULT_CHAIN="solana:mainnet"
+
 # Anonymous auth config
 GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED="false"
 

@@ -34,14 +34,16 @@ require (
 )
 
 require (
-	github.com/bits-and-blooms/bitset v1.10.0 // indirect
+	github.com/bits-and-blooms/bitset v1.13.0 // indirect
+	github.com/btcsuite/btcutil v1.0.2 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-webauthn/x v0.1.12 // indirect
 	github.com/gobuffalo/nulls v0.4.2 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/holiman/uint256 v1.3.1 // indirect
 	github.com/jackc/pgx/v4 v4.18.2 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
@@ -98,10 +100,10 @@ require (
 	github.com/beevik/etree v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fatih/color v1.13.0 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -130,7 +132,7 @@ require (
 	github.com/luna-duclos/instrumentedsql v1.1.3 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v2.0.3+incompatible // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -146,15 +148,15 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	go.opentelemetry.io/proto/otlp v1.2.0 // indirect
-	golang.org/x/exp v0.0.0-20230213192124-5e25df0256eb
-	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
+	golang.org/x/net v0.24.0 // indirect
 	golang.org/x/sync v0.10.0
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
+	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/grpc v1.63.2 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

@@ -105,6 +105,11 @@ GOTRUE_EXTERNAL_ZOOM_CLIENT_ID=testclientid
 GOTRUE_EXTERNAL_ZOOM_SECRET=testsecret
 GOTRUE_EXTERNAL_ZOOM_REDIRECT_URI=https://identity.services.netlify.com/callback
 GOTRUE_EXTERNAL_FLOW_STATE_EXPIRY_DURATION="300s"
+GOTRUE_EXTERNAL_WEB3_ENABLED="true"
+GOTRUE_EXTERNAL_WEB3_TIMEOUT="300s"
+GOTRUE_EXTERNAL_WEB3_DOMAIN="example.com"
+GOTRUE_EXTERNAL_WEB3_SUPPORTED_CHAINS="solana:mainnet,solana:devnet"
+GOTRUE_EXTERNAL_WEB3_DEFAULT_CHAIN="solana:mainnet"
 GOTRUE_RATE_LIMIT_VERIFY="100000"
 GOTRUE_RATE_LIMIT_TOKEN_REFRESH="30"
 GOTRUE_RATE_LIMIT_ANONYMOUS_USERS="5"

@@ -133,6 +133,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 	})
 
 	r.Route("/", func(r *router) {
+
 		r.Use(api.isValidExternalHost)
 
 		r.Get("/settings", api.Settings)

@@ -0,0 +1,167 @@
+package api
+
+import (
+	"bytes"
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/btcsuite/btcutil/base58"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
+	"github.com/supabase/auth/internal/conf"
+	"github.com/supabase/auth/internal/crypto"
+	"github.com/supabase/auth/internal/models"
+	siws "github.com/supabase/auth/internal/utilities/solana"
+)
+
+const (
+	// Chain identifiers
+	chainSolanaMainnet = "solana:mainnet"
+
+	// Grant type
+	grantTypeWeb3 = "web3"
+
+	// Error responses
+	errorInvalidGrant = "invalid_grant"
+
+	// Test values
+	defaultTestURI = "https://example.com"
+
+	// Endpoints
+	tokenEndpoint = "/token"
+)
+
+type Web3TestSuite struct {
+	suite.Suite
+	API          *API
+	Config       *conf.GlobalConfiguration
+	pubKey       ed25519.PublicKey
+	privKey      ed25519.PrivateKey
+	pubKeyBase58 string
+
+	// Test configuration
+	testURI string
+}
+
+type TokenRequest struct {
+	GrantType string `json:"grant_type"`
+	Message   string `json:"message"`
+	Signature string `json:"signature"`
+	Address   string `json:"address"`
+	Chain     string `json:"chain"`
+}
+
+func TestWeb3(t *testing.T) {
+	api, config, err := setupAPIForTest()
+	require.NoError(t, err)
+
+	ts := &Web3TestSuite{
+		API:     api,
+		Config:  config,
+		testURI: defaultTestURI,
+	}
+	defer api.db.Close()
+
+	suite.Run(t, ts)
+}
+
+func (ts *Web3TestSuite) SetupTest() {
+	models.TruncateAll(ts.API.db)
+
+	ts.Config.DisableSignup = false
+	ts.Config.Mailer.AllowUnverifiedEmailSignIns = true
+
+	// Generate test keys for Solana
+	var err error
+	ts.pubKey, ts.privKey, err = ed25519.GenerateKey(rand.Reader)
+	ts.Require().NoError(err)
+	ts.pubKeyBase58 = base58.Encode(ts.pubKey)
+}
+
+func newSIWSRequest(t *testing.T, grantType, message, signature, address, chain string) *http.Request {
+	tokenRequest := TokenRequest{
+		Message:   message,
+		Signature: signature,
+		Address:   address,
+		Chain:     chain,
+	}
+	jsonBody, err := json.Marshal(tokenRequest)
+	require.NoError(t, err)
+
+	req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("%s?grant_type=%s", tokenEndpoint, grantType), bytes.NewReader(jsonBody))
+	req.Header.Set("Content-Type", "application/json")
+	return req
+}
+
+func (ts *Web3TestSuite) generateSIWSMessageAndSignature(nonce string) (string, string) {
+	msg := siws.SIWSMessage{
+		Domain:    ts.Config.External.Web3.Domain,
+		Address:   ts.pubKeyBase58,
+		Statement: ts.Config.External.Web3.Statement,
+		URI:       ts.testURI,
+		Version:   ts.Config.External.Web3.Version,
+		Nonce:     nonce,
+		IssuedAt:  time.Now().UTC(),
+	}
+	rawMessage := siws.ConstructMessage(msg)
+	signature := ed25519.Sign(ts.privKey, []byte(rawMessage))
+	signatureBase64 := base64.StdEncoding.EncodeToString(signature)
+	return rawMessage, signatureBase64
+}
+
+func (ts *Web3TestSuite) assertErrorResponse(w *httptest.ResponseRecorder, expectedCode int, expectedError string) {
+	ts.Require().Equal(expectedCode, w.Code)
+	var errorResponse map[string]interface{}
+	err := json.NewDecoder(w.Body).Decode(&errorResponse)
+	ts.Require().NoError(err)
+	ts.Require().Equal(expectedError, errorResponse["error"])
+}
+
+func (ts *Web3TestSuite) TestSignupWeb3_InvalidSignature() {
+	nonce := crypto.SecureAlphanumeric(12)
+
+	rawMessage, _ := ts.generateSIWSMessageAndSignature(nonce)
+
+	invalidSignature := base64.StdEncoding.EncodeToString(make([]byte, 64))
+
+	req := newSIWSRequest(ts.T(), grantTypeWeb3, rawMessage, invalidSignature, ts.pubKeyBase58, chainSolanaMainnet)
+	w := httptest.NewRecorder()
+	ts.API.handler.ServeHTTP(w, req)
+	ts.assertErrorResponse(w, http.StatusBadRequest, errorInvalidGrant)
+}
+
+func (ts *Web3TestSuite) TestSignupWeb3_MalformedMessage() {
+	nonce := crypto.SecureAlphanumeric(12)
+
+	malformedMessage := fmt.Sprintf(`{
+		"domain": "%s",
+		"uri": "%s",
+		"version": "1",
+		"nonce": "%s"
+	}`, ts.Config.External.Web3.Domain, ts.testURI, nonce)
+
+	_, signatureBase64 := ts.generateSIWSMessageAndSignature(nonce)
+
+	req := newSIWSRequest(ts.T(), grantTypeWeb3, malformedMessage, signatureBase64, ts.pubKeyBase58, chainSolanaMainnet)
+	w := httptest.NewRecorder()
+	ts.API.handler.ServeHTTP(w, req)
+	ts.assertErrorResponse(w, http.StatusBadRequest, errorInvalidGrant)
+}
+
+func (ts *Web3TestSuite) TestSignupWeb3_InvalidChain() {
+	nonce := crypto.SecureAlphanumeric(12)
+	rawMessage, signatureBase64 := ts.generateSIWSMessageAndSignature(nonce)
+
+	invalidChain := "invalid-chain"
+	req := newSIWSRequest(ts.T(), grantTypeWeb3, rawMessage, signatureBase64, ts.pubKeyBase58, invalidChain)
+	w := httptest.NewRecorder()
+	ts.API.handler.ServeHTTP(w, req)
+	ts.assertErrorResponse(w, http.StatusBadRequest, errorInvalidGrant)
+}
@@ -10,6 +10,7 @@ import (
 	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/security"
+
 	"github.com/supabase/auth/internal/utilities"
 )
 
@@ -74,13 +75,15 @@ type RequestParams interface {
 		SignupParams |
 		SingleSignOnParams |
 		SmsParams |
+		Web3GrantParams |
 		UserUpdateParams |
 		VerifyFactorParams |
 		VerifyParams |
 		adminUserUpdateFactorParams |
 		adminUserDeleteParams |
 		security.GotrueRequest |
 		ChallengeFactorParams |
+
 		struct {
 			Email string `json:"email"`
 			Phone string `json:"phone"`
-Original file line number
+Diff line change
@@ Expand Up @@
     	})
     	r.Route("/", func(r *router) {
     		r.Use(api.isValidExternalHost)
     		r.Get("/settings", api.Settings)
@@ Expand Down @@