feat: Eth wallet support

.gitignore

@@ -7,6 +7,7 @@ coverage.out
 
 .DS_Store
 .vscode
+.idea
 www/dist/
 www/.DS_Store
 www/node_modules

api/api.go

@@ -145,6 +145,14 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 		r.With(sharedLimiter).With(api.verifyCaptcha).With(api.requireEmailProvider).Post("/recover", api.Recover)
 		r.With(sharedLimiter).With(api.verifyCaptcha).Post("/magiclink", api.MagicLink)
 
+		r.With(sharedLimiter).With(api.verifyCaptcha).Post("/crypto", api.Crypto)
+		r.With(api.limitHandler(
+			// Allow requests at a rate of 30 per 5 minutes.
+			tollbooth.NewLimiter(30.0/(60*5), &limiter.ExpirableOptions{
+				DefaultExpirationTTL: time.Hour,
+			}).SetBurst(30),
+		)).With(api.verifyCaptcha).Post("/nonce", api.Nonce)
+
 		r.With(sharedLimiter).With(api.verifyCaptcha).Post("/otp", api.Otp)
 
 		r.With(api.limitHandler(

api/crypto.go

@@ -0,0 +1,166 @@
+package api
+
+import (
+	"bytes"
+	"encoding/json"
+	"github.com/gofrs/uuid"
+	"github.com/netlify/gotrue/api/crypto_provider"
+	"github.com/netlify/gotrue/metering"
+	"github.com/netlify/gotrue/models"
+	"github.com/netlify/gotrue/storage"
+	"io/ioutil"
+	"net/http"
+	"strings"
+)
+
+// CryptoParams contains the request body params for the eth endpoint, all values hex encoded
+type CryptoParams struct {
+	Provider  string  `json:"provider"`
+	NonceId   *string `json:"nonce_id"`
+	Signature *string `json:"signature"`
+}
+
+func (a *API) Crypto(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	config := a.getConfig(ctx)
+	instanceID := getInstanceID(ctx)
+	useCookie := r.Header.Get(useCookieHeader)
+
+	// Get the params
+	params := &CryptoParams{}
+	body, err := ioutil.ReadAll(r.Body)
+	jsonDecoder := json.NewDecoder(bytes.NewReader(body))
+	if err = jsonDecoder.Decode(params); err != nil {
+		return badRequestError("Could not read verification params: %v", err)
+	}
+
+	// Get the crypto provider
+	provider, err := crypto_provider.GetCryptoProvider(config, params.Provider)
+	if err != nil {
+		return badRequestError(err.Error())
+	}
+
+	var nonce *models.Nonce = nil
+	if provider.RequiresNonce() {
+		if params.NonceId == nil {
+			return badRequestError("Missing `nonce_id` which is required by %s provider", strings.ToLower(params.Provider))
+		}
+
+		if params.Signature == nil {
+			return badRequestError("Missing `signature` which is required by %s provider", strings.ToLower(params.Provider))
+		}
+
+		// Get the nonce from the id in params
+		nonce, err = models.GetNonceById(a.db, instanceID, uuid.FromStringOrNil(*params.NonceId))
+		if err != nil {
+			return badRequestError("Failed to find nonce: %v", err)
+		}
+
+		safe, err := provider.ValidateNonce(nonce, *params.Signature)
+		if !safe {
+			return badRequestError(err.Error())
+		}
+
+		if err != nil {
+			return internalServerError(err.Error())
+		}
+	}
+
+	didUserExist := true
+
+	aud := a.requestAud(ctx, r)
+	user, uerr := provider.FetchUser(a.db, instanceID, aud, nonce)
+
+	if err != nil && !models.IsNotFoundError(err) {
+		return internalServerError("Database error finding user").WithInternalError(err)
+	}
+
+	if models.IsNotFoundError(uerr) {
+		uerr = a.db.Transaction(func(tx *storage.Connection) error {
+			accountInfo, uerr := provider.FetchAccountInformation(nonce)
+			if uerr != nil {
+				return uerr
+			}
+
+			user, uerr = a.signupNewUser(ctx, tx, &SignupParams{
+				CryptoAddress:  accountInfo.Address,
+				Provider:       "crypto",
+				CryptoProvider: params.Provider,
+				Aud:            aud,
+			})
+			didUserExist = false
+
+			identity, terr := a.createNewIdentity(tx, user, params.Provider, map[string]interface{}{"sub": accountInfo.Address, "address": accountInfo.Address})
+			if terr != nil {
+				return terr
+			}
+
+			user.Identities = []models.Identity{*identity}
+
+			if uerr = user.Confirm(tx); uerr != nil {
+				return uerr
+			}
+
+			if uerr = models.NewAuditLogEntry(r, tx, instanceID, user, models.UserSignedUpAction, "", nil); uerr != nil {
+				return uerr
+			}
+			if uerr = triggerEventHooks(ctx, tx, SignupEvent, user, instanceID, config); uerr != nil {
+				return uerr
+			}
+
+			return uerr
+		})
+
+		if uerr != nil {
+			return uerr
+		}
+	}
+
+	err = a.db.Transaction(func(tx *storage.Connection) error {
+		// Consume the nonce
+		if terr := nonce.Consume(tx); terr != nil {
+			return terr
+		}
+
+		// Add audit log entry for consuming nonce
+		return models.NewAuditLogEntry(r, tx, instanceID, user, models.NonceConsumed, "", nil)
+	})
+
+	if err != nil {
+		return internalServerError("Failed to consume nonce").WithInternalError(err)
+	}
+
+	var token *AccessTokenResponse
+	err = a.db.Transaction(func(tx *storage.Connection) error {
+		var terr error
+		if terr = models.NewAuditLogEntry(r, tx, instanceID, user, models.LoginAction, "", nil); terr != nil {
+			return terr
+		}
+		if terr = triggerEventHooks(ctx, tx, LoginEvent, user, instanceID, config); terr != nil {
+			return terr
+		}
+
+		token, terr = a.issueRefreshToken(ctx, tx, user)
+		if terr != nil {
+			return terr
+		}
+
+		if useCookie != "" && config.Cookie.Duration > 0 {
+			if terr = a.setCookieTokens(config, token, useCookie == useSessionCookie, w); terr != nil {
+				return internalServerError("Failed to set JWT cookie. %s", terr)
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	metering.RecordLogin("crypto", user.ID, instanceID)
+	token.User = user
+
+	status := http.StatusOK
+	if !didUserExist {
+		status = http.StatusCreated
+	}
+	return sendJSON(w, status, token)
+}

api/crypto_provider/crypto_provider.go

@@ -0,0 +1,51 @@
+package crypto_provider
+
+import (
+	"fmt"
+	"github.com/gofrs/uuid"
+	"github.com/netlify/gotrue/conf"
+	"github.com/netlify/gotrue/models"
+	"github.com/netlify/gotrue/storage"
+	"net/http"
+	"strings"
+)
+
+type CryptoAccountInformation struct {
+	Address string `json:"address"`
+}
+
+type CryptoNonceOptions struct {
+	WalletAddress string `json:"wallet_address"` // Hex Encoded
+	Url           string `json:"url"`
+	// Option as only used by EVM
+	ChainId *int `json:"chain_id"`
+}
+
+type CryptoProvider interface {
+	// RequiresNonce Used to skip nonces for crypto providers that don't use nonces
+	RequiresNonce() bool
+
+	// GenerateNonce Generate the nonce model for the provider
+	GenerateNonce(req *http.Request, instanceId uuid.UUID, options CryptoNonceOptions) (*models.Nonce, error)
+	// BuildNonce Build the nonce into a string
+	BuildNonce(nonce *models.Nonce) (string, error)
+	// ValidateNonce Validate the nonce against a signature
+	ValidateNonce(nonce *models.Nonce, signature string) (bool, error)
+
+	// FetchUser Fetch the user for a nonce
+	FetchUser(tx *storage.Connection, instanceId uuid.UUID, aud string, nonce *models.Nonce) (*models.User, error)
+
+	// FetchAccountInformation Fetch account information for a new account
+	FetchAccountInformation(nonce *models.Nonce) (*CryptoAccountInformation, error)
+}
+
+func GetCryptoProvider(config *conf.Configuration, name string) (CryptoProvider, error) {
+	name = strings.ToLower(name)
+
+	switch name {
+	case "eth":
+		return NewEthProvider(&config.External.Eth)
+	default:
+		return nil, fmt.Errorf("crypto provider %s could not be found", name)
+	}
+}

api/crypto_provider/eth.go

@@ -0,0 +1,90 @@
+package crypto_provider
+
+import (
+	"fmt"
+	"github.com/gofrs/uuid"
+	"github.com/netlify/gotrue/conf"
+	"github.com/netlify/gotrue/models"
+	"github.com/netlify/gotrue/storage"
+	"github.com/spruceid/siwe-go"
+	"net/http"
+	"net/url"
+	"strconv"
+)
+
+type EthProvider struct {
+	config *conf.EthProviderConfiguration
+}
+
+var _ CryptoProvider = (*EthProvider)(nil)
+
+func NewEthProvider(config *conf.EthProviderConfiguration) (*EthProvider, error) {
+	return &EthProvider{
+		config: config,
+	}, nil
+}
+
+func (e *EthProvider) RequiresNonce() bool {
+	return true
+}
+
+func (e *EthProvider) GenerateNonce(_ *http.Request, instanceId uuid.UUID, options CryptoNonceOptions) (*models.Nonce, error) {
+	uri, err := url.Parse(options.Url)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if options.ChainId == nil {
+		return nil, fmt.Errorf("eth provider requires a `chain_id` be provided")
+	}
+
+	return models.NewNonce(instanceId, *options.ChainId, "eth", uri.String(), uri.Hostname(), options.WalletAddress, "eip155")
+}
+
+func (e *EthProvider) BuildNonce(n *models.Nonce) (string, error) {
+	msg, err := e.toSiweMessage(n)
+
+	if err != nil {
+		return "", err
+	}
+
+	return msg.String(), nil
+}
+
+func (e *EthProvider) ValidateNonce(nonce *models.Nonce, signature string) (bool, error) {
+	nonceMessage, err := e.toSiweMessage(nonce)
+	if err != nil {
+		return false, err
+	}
+
+	_, err = nonceMessage.Verify(signature, &nonce.Hostname, nil, nil)
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
+// Used internally to convert to a SIWE message
+func (e *EthProvider) toSiweMessage(n *models.Nonce) (*siwe.Message, error) {
+	return siwe.InitMessage(n.Hostname, n.Address, n.Url, n.Nonce, map[string]interface{}{
+		"statement":      e.config.Message,
+		"issuedAt":       n.UpdatedAt,
+		"nonce":          n.Nonce,
+		"chainId":        strconv.Itoa(n.ChainId),
+		"expirationTime": n.ExpiresAt,
+	})
+}
+
+func (e *EthProvider) FetchUser(tx *storage.Connection, instanceId uuid.UUID, aud string, nonce *models.Nonce) (*models.User, error) {
+	// Because we have the address in the nonce we can just request the using that address
+	return models.FindUserByCryptoAddressAndAudience(tx, instanceId, nonce.Address, aud)
+}
+
+func (e *EthProvider) FetchAccountInformation(nonce *models.Nonce) (*CryptoAccountInformation, error) {
+	// Eth Provider has the address in the nonce, so it can just be returned
+	return &CryptoAccountInformation{
+		Address: nonce.Address,
+	}, nil
+}