Authenticate recurrent users with memo.

package.json

@@ -47,6 +47,7 @@
     "bn.js": "^5.2.1",
     "buffer": "^6.0.3",
     "daisyui": "^4.11.1",
+    "ethers": "^6.13.4",
     "framer-motion": "^11.2.14",
     "postcss": "^8.4.38",
     "preact": "^10.12.1",
@@ -56,6 +57,7 @@
     "react-hook-form": "^7.51.5",
     "react-router-dom": "^6.8.1",
     "react-toastify": "^10.0.5",
+    "siwe": "^2.3.2",
     "stellar-base": "^11.0.1",
     "stellar-sdk": "^11.3.0",
     "tailwind": "^4.0.0",

signer-service/package.json

@@ -29,6 +29,7 @@
     "cors": "^2.8.3",
     "cross-env": "^7.0.3",
     "dotenv": "^16.4.5",
+    "ethers": "^6.13.4",
     "express": "^5.0.1",
     "express-rate-limit": "^6.7.0",
     "express-validation": "^1.0.2",
@@ -40,6 +41,7 @@
     "method-override": "^3.0.0",
     "mongoose": "^5.2.17",
     "morgan": "^1.8.1",
+    "siwe": "^2.3.2",
     "stellar-sdk": "^11.3.0",
     "viem": "^2.21.3",
     "winston": "^3.1.0"

signer-service/src/api/controllers/siwe.controller.js

@@ -0,0 +1,26 @@
+const { createAndSendSiweMessage, verifySiweMessage } = require('../services/siwe.service');
+
+exports.sendSiweMessage = async (req, res) => {
+  const { walletAddress } = req.body;
+  try {
+    const { siweMessage, nonce } = await createAndSendSiweMessage(walletAddress);
+    return res.json({
+      siweMessage,
+      nonce,
+    });
+  } catch (e) {
+    console.error(e);
+    return res.status(500).json({ error: 'Error while creating siwe message' });
+  }
+};
+
+exports.validateSiweSignature = async (req, res) => {
+  const { nonce, signature } = req.body;
+  try {
+    await verifySiweMessage(nonce, signature);
+    return res.status(200).json({ message: 'Signature is valid' });
+  } catch (e) {
+    console.error(e);
+    return res.status(500).json({ error: 'Could not validate signature' });
+  }
+};

signer-service/src/api/controllers/stellar.controller.js

@@ -1,7 +1,7 @@
 require('dotenv').config();
 
 const { Keypair } = require('stellar-sdk');
-const { FUNDING_SECRET } = require('../../constants/constants');
+const { FUNDING_SECRET, SEP10_MASTER_SECRET } = require('../../constants/constants');
 
 const { buildCreationStellarTx, buildPaymentAndMergeTx, sendStatusWithPk } = require('../services/stellar.service');
 const { signSep10Challenge } = require('../services/sep10.service');
@@ -54,12 +54,32 @@ exports.changeOpTransaction = async (req, res, next) => {
 
 exports.signSep10Challenge = async (req, res, next) => {
   try {
-    let { clientSignature, clientPublic } = await signSep10Challenge(
+    let { masterClientSignature, masterClientPublic, clientSignature, clientPublic } = await signSep10Challenge(
       req.body.challengeXDR,
       req.body.outToken,
       req.body.clientPublicKey,
+      req.body.maybeChallengeSignature,
+      req.body.maybeNonce,
     );
-    return res.json({ clientSignature, clientPublic });
+    return res.json({ masterClientSignature, masterClientPublic, clientSignature, clientPublic });
+  } catch (error) {
+    if (error.message.includes('Could not verify signature')) {
+      // Distinguish between failed signature check and other errors.
+      return res.status(401).json({
+        error: 'Signature validation failed.',
+        details: error.message,
+      });
+    }
+
+    console.error('Error in signSep10Challenge:', error);
+    return res.status(500).json({ error: 'Failed to sign challenge', details: error.message });
+  }
+};
+
+exports.getSep10MasterPK = async (req, res, next) => {
+  try {
+    const masterSep10Public = Keypair.fromSecret(SEP10_MASTER_SECRET).publicKey();
+    return res.json({ masterSep10Public });
   } catch (error) {
     console.error('Error in signSep10Challenge:', error);
     return res.status(500).json({ error: 'Failed to sign challenge', details: error.message });

signer-service/src/api/middlewares/validators.js

@@ -155,6 +155,27 @@ const validateSep10Input = (req, res, next) => {
   next();
 };
 
+const validateSiweCreate = (req, res, next) => {
+  const { walletAddress } = req.body;
+  if (!walletAddress) {
+    return res.status(400).json({ error: 'Missing address: walletAddress' });
+  }
+  next();
+};
+
+const validateSiweValidate = (req, res, next) => {
+  const { nonce, signature } = req.body;
+  if (!signature) {
+    return res.status(400).json({ error: 'Missing signature: signature' });
+  }
+
+  if (!nonce) {
+    return res.status(400).json({ error: 'Missing initial nonce: nonce' });
+  }
+
+  next();
+};
+
 module.exports = {
   validateChangeOpInput,
   validateQuoteInput,
@@ -166,4 +187,6 @@ module.exports = {
   validateRatingInput,
   validateExecuteXCM,
   validateSep10Input,
+  validateSiweCreate,
+  validateSiweValidate,
 };

signer-service/src/api/routes/v1/index.js

@@ -7,6 +7,7 @@ const storageRoutes = require('./storage.route');
 const emailRoutes = require('./email.route');
 const ratingRoutes = require('./rating.route');
 const subsidizeRoutes = require('./subsidize.route');
+const siweRoutes = require('./siwe.route');
 const quoteRoutes = require('./quote.route');
 
 const router = express.Router({ mergeParams: true });
@@ -76,4 +77,9 @@ router.use('/subsidize', subsidizeRoutes);
  */
 router.use('/rating', ratingRoutes);
 
+/**
+ * POST v1/siwe
+ */
+router.use('/siwe', siweRoutes);
+
 module.exports = router;

signer-service/src/api/routes/v1/siwe.route.js

@@ -0,0 +1,11 @@
+const express = require('express');
+const controller = require('../../controllers/siwe.controller');
+const { validateSiweCreate, validateSiweValidate } = require('../../middlewares/validators');
+
+const router = express.Router({ mergeParams: true });
+
+router.route('/create').post(validateSiweCreate, controller.sendSiweMessage);
+
+router.route('/validate').post(validateSiweValidate, controller.validateSiweSignature);
+
+module.exports = router;

signer-service/src/api/routes/v1/stellar.route.js

@@ -10,4 +10,6 @@ router.route('/payment').post(validateChangeOpInput, controller.changeOpTransact
 
 router.route('/sep10').post(validateSep10Input, controller.signSep10Challenge);
 
+router.route('/sep10').get(controller.getSep10MasterPK);
+
 module.exports = router;

signer-service/src/api/services/sep10.service.js

@@ -1,17 +1,46 @@
 const { Keypair } = require('stellar-sdk');
 const { TransactionBuilder, Networks } = require('stellar-sdk');
 const { fetchTomlValues } = require('../helpers/anchors');
+const { verifySiweMessage } = require('./siwe.service');
+const { keccak256 } = require('viem/utils');
 
 const { TOKEN_CONFIG } = require('../../constants/tokenConfig');
-const { CLIENT_DOMAIN_SECRET } = require('../../constants/constants');
+const { SEP10_MASTER_SECRET, CLIENT_DOMAIN_SECRET } = require('../../constants/constants');
 
 const NETWORK_PASSPHRASE = Networks.PUBLIC;
 
-exports.signSep10Challenge = async (challengeXDR, outToken, clientPublicKey) => {
+async function deriveMemoFromAddress(address) {
+  const hash = keccak256(address);
+  return BigInt(hash).toString().slice(0, 15);
+}
+
+// we validate a challenge for a given nonce. From it we obtain the address and derive the memo
+// we can then ensure that the memo is the same as the one we expect from the anchor challenge
+const validateSignatureAndGetMemo = async (nonce, userChallengeSignature) => {
+  if (!userChallengeSignature || !nonce) {
+    return null; // Default memo value when single stellar account is used
+  }
+
+  let message;
+  try {
+    message = await verifySiweMessage(nonce, userChallengeSignature);
+  } catch (e) {
+    throw new Error(`Could not verify signature: ${e.message}`);
+  }
+
+  const memo = await deriveMemoFromAddress(message.address);
+  return memo;
+};
+
+exports.signSep10Challenge = async (challengeXDR, outToken, clientPublicKey, userChallengeSignature, nonce) => {
+  const masterStellarKeypair = Keypair.fromSecret(SEP10_MASTER_SECRET);
   const clientDomainStellarKeypair = Keypair.fromSecret(CLIENT_DOMAIN_SECRET);
 
   const { signingKey: anchorSigningKey } = await fetchTomlValues(TOKEN_CONFIG[outToken].tomlFileUrl);
-  const { homeDomain, clientDomainEnabled } = TOKEN_CONFIG[outToken];
+  const { homeDomain, clientDomainEnabled, memoEnabled } = TOKEN_CONFIG[outToken];
+
+  // Expected memo based on user's signature and nonce.
+  memo = await validateSignatureAndGetMemo(nonce, userChallengeSignature);
 
   const transactionSigned = new TransactionBuilder.fromXDR(challengeXDR, NETWORK_PASSPHRASE);
   if (transactionSigned.source !== anchorSigningKey) {
@@ -22,10 +51,10 @@ exports.signSep10Challenge = async (challengeXDR, outToken, clientPublicKey) =>
   }
 
   // See https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0010.md#success
-  // memo field should be empty as we assume (in this implementation) that we use the ephemeral
-  // to authenticate. But no memo sub account derivation.
-  if (transactionSigned.memo.value !== null) {
-    throw new Error('Memo does not match');
+  // memo field should be empty for the ephemeral case, or the corresponding one based on evm address
+  // derivation.
+  if (transactionSigned.memo.value !== memo) {
+    throw new Error('Memo does not match with specified user signature or address. Could not validate.');
   }
 
   const { operations } = transactionSigned;
@@ -35,23 +64,29 @@ exports.signSep10Challenge = async (challengeXDR, outToken, clientPublicKey) =>
     throw new Error('The first operation should be manageData');
   }
 
-  // Only authorize a session that corresponds with the ephemeral client account
+  // clientPublicKey is either: the ephemeral, or the master account
   if (firstOp.source !== clientPublicKey) {
     throw new Error('First manageData operation must have the client account as the source');
   }
 
+  if (memo !== null && memoEnabled) {
+    if (firstOp.source !== masterStellarKeypair.publicKey()) {
+      throw new Error(
+        'First manageData operation must have the master signing key as the source when memo is being used.',
+      );
+    }
+  }
+
   if (firstOp.name !== `${homeDomain} auth`) {
     throw new Error(`First manageData operation should have key '${homeDomain} auth'`);
   }
   if (!firstOp.value || firstOp.value.length !== 64) {
     throw new Error('First manageData operation should have a 64-byte random nonce as value');
   }
 
-  // Flags to check presence of required operations
   let hasWebAuthDomain = false;
   let hasClientDomain = false;
 
-  // Verify extra manage_data operations, web_auth and proper client domain.
   for (let i = 1; i < operations.length; i++) {
     const op = operations[i];
 
@@ -88,8 +123,15 @@ exports.signSep10Challenge = async (challengeXDR, outToken, clientPublicKey) =>
     clientDomainSignature = transactionSigned.getKeypairSignature(clientDomainStellarKeypair);
   }
 
+  let masterClientSignature;
+  if (memo !== null && memoEnabled) {
+    masterClientSignature = transactionSigned.getKeypairSignature(masterStellarKeypair);
+  }
+
   return {
     clientSignature: clientDomainSignature,
     clientPublic: clientDomainStellarKeypair.publicKey(),
+    masterClientSignature,
+    masterClientPublic: masterStellarKeypair.publicKey(),
   };
 };

signer-service/src/api/services/siwe.service.js

@@ -0,0 +1,75 @@
+const siwe = require('siwe');
+const { createPublicClient, http } = require('viem');
+const { polygon } = require('viem/chains');
+const { DEFAULT_EXPIRATION_TIME_HOURS } = require('../../constants/constants');
+
+// Make constants on config
+const scheme = 'https';
+const domain = 'satoshipay.io';
+const origin = 'https://app.vortexfinance.co';
+const statement = 'Please sign the message to login!';
+
+// Map that will hold the siwe messages sent + nonce we defined
+const siweMessagesMap = new Map();
+
+exports.createAndSendSiweMessage = async (address) => {
+  const nonce = siwe.generateNonce();
+  const siweMessage = new siwe.SiweMessage({
+    scheme,
+    domain,
+    address,
+    statement,
+    uri: origin,
+    version: '1',
+    chainId: polygon.id,
+    nonce,
+    expirationTime: new Date(Date.now() + DEFAULT_EXPIRATION_TIME_HOURS * 60 * 60 * 1000).toISOString(), // Constructor in ms.
+  });
+  const preparedMessage = siweMessage.toMessage();
+  siweMessagesMap.set(nonce, { siweMessage, address });
+
+  return { siweMessage: preparedMessage, nonce };
+};
+
+exports.verifySiweMessage = async (nonce, signature) => {
+  const maybeSiweData = siweMessagesMap.get(nonce);
+  if (!maybeSiweData) {
+    throw new Error('Message not found, we have not send this message or nonce is incorrect.');
+  }
+
+  const publicClient = createPublicClient({
+    chain: polygon,
+    transport: http(),
+  });
+
+  const valid = await publicClient.verifyMessage({
+    address: maybeSiweData.address,
+    message: maybeSiweData.siweMessage.toMessage(),
+    signature,
+  });
+
+  if (!valid) {
+    throw new Error('Invalid signature.');
+  }
+
+  // Perform additional checks to ensure message integrity
+  if (maybeSiweData.siweMessage.nonce !== nonce) {
+    throw new Error('Nonce mismatch.');
+  }
+
+  if (maybeSiweData.expirationTime && new Date(maybeSiweData.expirationTime) < new Date()) {
+    throw new Error('Message has expired.');
+  }
+
+  // Successful verification, remove messages with same address
+  // from map except for the one we just verified.
+  siweMessagesMap.forEach((data, nonce) => {
+    if (data.address === maybeSiweData.address && nonce !== maybeSiweData.siweMessage.nonce) {
+      siweMessagesMap.delete(nonce);
+    }
+  });
+
+  return maybeSiweData.siweMessage;
+};
+
+// TODO we need some sort of session log-out.

signer-service/src/constants/constants.js

@@ -9,12 +9,14 @@ const SUBSIDY_MINIMUM_RATIO_FUND_UNITS = '10'; // 10 Subsidies considering maxim
 const MOONBEAM_RECEIVER_CONTRACT_ADDRESS = '0x0004446021fe650c15fb0b2e046b39130e3bfe36';
 const STELLAR_EPHEMERAL_STARTING_BALANCE_UNITS = '2.5'; // Amount to send to the new stellar ephemeral account created
 const PENDULUM_EPHEMERAL_STARTING_BALANCE_UNITS = '0.1'; // Amount to send to the new pendulum ephemeral account created
+const DEFAULT_EXPIRATION_TIME_HOURS = 24;
 
 require('dotenv').config();
 
 const PENDULUM_FUNDING_SEED = process.env.PENDULUM_FUNDING_SEED;
 const FUNDING_SECRET = process.env.FUNDING_SECRET;
 const MOONBEAM_EXECUTOR_PRIVATE_KEY = process.env.MOONBEAM_EXECUTOR_PRIVATE_KEY;
+const SEP10_MASTER_SECRET = FUNDING_SECRET;
 const CLIENT_DOMAIN_SECRET = process.env.CLIENT_DOMAIN_SECRET;
 
 module.exports = {
@@ -32,5 +34,7 @@ module.exports = {
   SUBSIDY_MINIMUM_RATIO_FUND_UNITS,
   STELLAR_EPHEMERAL_STARTING_BALANCE_UNITS,
   PENDULUM_EPHEMERAL_STARTING_BALANCE_UNITS,
+  SEP10_MASTER_SECRET,
   CLIENT_DOMAIN_SECRET,
+  DEFAULT_EXPIRATION_TIME_HOURS,
 };