supabase · HarryET · Nov 19, 2021 · Nov 19, 2021 · Nov 19, 2021 · Nov 19, 2021
@@ -119,8 +119,13 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 		r.With(sharedLimiter).With(api.verifyCaptcha).Post("/signup", api.Signup)
 		r.With(sharedLimiter).With(api.verifyCaptcha).With(api.requireEmailProvider).Post("/recover", api.Recover)
 		r.With(sharedLimiter).With(api.verifyCaptcha).Post("/magiclink", api.MagicLink)
+		r.With(sharedLimiter).With(api.verifyCaptcha).Route("/nonce", func(r *router) {
+			r.Post("/", api.Nonce)
+			r.Get("/{nonce_id}", api.NonceById)
+		})
 
 		r.With(sharedLimiter).With(api.verifyCaptcha).Post("/otp", api.Otp)
+		r.With(sharedLimiter).With(api.verifyCaptcha).Post("/eth", api.Eth)
 
 		r.With(api.requireEmailProvider).With(api.limitHandler(
 			// Allow requests at a rate of 30 per 5 minutes.

diff --git a/api/eth.go b/api/eth.go
@@ -0,0 +1,163 @@
+package api
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/ethereum/go-ethereum/common"
+	"github.com/ethereum/go-ethereum/common/hexutil"
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/gofrs/uuid"
+	"github.com/netlify/gotrue/metering"
+	"github.com/netlify/gotrue/models"
+	"github.com/netlify/gotrue/storage"
+)
+
+// EthParams contains the request body params for the eth endpoint, all values hex encoded
+type EthParams struct {
+	WalletAddress string `json:"wallet_address"`
+	NonceId       string `json:"nonce_id"`
+	Signature     string `json:"signature"`
+}
+
+func signHash(data []byte) []byte {
+	msg := fmt.Sprintf("\x19Ethereum Signed Message:\n%d%s", len(data), data)
+	return crypto.Keccak256([]byte(msg))
+}
+
+func (a *API) Eth(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	config := a.getConfig(ctx)
+	instanceID := getInstanceID(ctx)
+	useCookie := r.Header.Get(useCookieHeader)
+
+	if !config.External.Eth.Enabled {
+		return badRequestError("Unsupported eth provider")
+	}
+
+	params := &EthParams{}
+	body, err := ioutil.ReadAll(r.Body)
+	jsonDecoder := json.NewDecoder(bytes.NewReader(body))
+	if err = jsonDecoder.Decode(params); err != nil {
+		return badRequestError("Could not read verification params: %v", err)
+	}
+
+	nonce, err := models.GetNonceById(a.db, uuid.FromStringOrNil(params.NonceId))
+	if err != nil {
+		return badRequestError("Failed to find nonce: %v", err)
+	}
+
+	// TODO (HarryET): Validate nonce expiry time
+
+	clientIP := strings.Split(r.RemoteAddr, ":")[0]
+	if !nonce.VerifyIp(clientIP) {
+		return badRequestError("IP not the same as the IP this nonce was issued too")
+	}
+
+	walletAddress := common.HexToAddress(params.WalletAddress)
+
+	sig, err := hexutil.Decode(params.Signature)
+	if err != nil {
+		return badRequestError("Invalid Signature: Failed to decode, not valid hex")
+	}
+
+	// https://github.com/ethereum/go-ethereum/blob/55599ee95d4151a2502465e0afc7c47bd1acba77/internal/ethapi/api.go#L442
+	if sig[64] != 27 && sig[64] != 28 {
+		return badRequestError("Invalid Signature: Invalid formatting")
+	}
+	sig[64] -= 27
+
+	nonceString, err := nonce.Build()
+	msg := []byte(nonceString)
+	pubKey, err := crypto.SigToPub(signHash(msg), sig)
+	if err != nil {
+		return badRequestError("Invalid Signature: Failed to extract public key")
+	}
+
+	recoveredWalletAddress := crypto.PubkeyToAddress(*pubKey)
+	if walletAddress != recoveredWalletAddress {
+		return badRequestError("Invalid Signature: Wallet address not the same as suplied address")
+	}
+
+	didUserExist := true
+
+	aud := a.requestAud(ctx, r)
+	user, uerr := models.FindUserByEthAddressAndAudience(a.db, instanceID, params.WalletAddress, aud)
+
+	if err != nil && !models.IsNotFoundError(err) {
+		return internalServerError("Database error finding user").WithInternalError(err)
+	}
+
+	if models.IsNotFoundError(uerr) {
+		uerr = a.db.Transaction(func(tx *storage.Connection) error {
+			user, uerr = a.signupNewUser(ctx, tx, &SignupParams{
+				EthAddress: params.WalletAddress,
+				Provider:   "eth",
+				Aud:        aud,
+			})
+			didUserExist = false
+
+			if uerr = models.NewAuditLogEntry(tx, instanceID, user, models.UserSignedUpAction, nil); uerr != nil {
+				return uerr
+			}
+			if uerr = triggerEventHooks(ctx, tx, SignupEvent, user, instanceID, config); uerr != nil {
+				return uerr
+			}
+
+			return uerr
+		})
+
+		if uerr != nil {
+			return uerr
+		}
+	}
+
+	err = a.db.Transaction(func(tx *storage.Connection) error {
+		if terr := models.NewAuditLogEntry(tx, instanceID, user, models.NonceConsumed, nil); terr != nil {
+			return terr
+		}
+		return nonce.Consume(tx)
+	})
+
+	if err != nil {
+		return internalServerError("Failed to consume nonce").WithInternalError(err)
+	}
+
+	var token *AccessTokenResponse
+	err = a.db.Transaction(func(tx *storage.Connection) error {
+		var terr error
+		if terr = models.NewAuditLogEntry(tx, instanceID, user, models.LoginAction, nil); terr != nil {
+			return terr
+		}
+		if terr = triggerEventHooks(ctx, tx, LoginEvent, user, instanceID, config); terr != nil {
+			return terr
+		}
+
+		token, terr = a.issueRefreshToken(ctx, tx, user)
+		if terr != nil {
+			return terr
+		}
+
+		if useCookie != "" && config.Cookie.Duration > 0 {
+			if terr = a.setCookieToken(config, token.Token, useCookie == useSessionCookie, w); terr != nil {
+				return internalServerError("Failed to set JWT cookie. %s", terr)
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	metering.RecordLogin("eth", user.ID, instanceID)
+	token.User = user
+
+	status := http.StatusOK
+	if !didUserExist {
+		status = http.StatusCreated
+	}
+	return sendJSON(w, status, token)
+}
@@ -0,0 +1,99 @@
+package api
+
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/go-chi/chi"
+	"github.com/gofrs/uuid"
+	"github.com/netlify/gotrue/models"
+	"github.com/netlify/gotrue/storage"
+)
+
+// NonceParams contains the request body params for the nonce endpoint
+type NonceParams struct {
+	WalletAddress string `json:"wallet_address"`
+	ChainId       int    `json:"chain_id"`
+	Url           string `json:"url"`
+}
+
+type NonceResponse struct {
+	Id    string `json:"id"`
+	Nonce string `json:"nonce"`
+}
+
+func (a *API) Nonce(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	config := a.getConfig(ctx)
+	instanceID := getInstanceID(ctx)
+
+	if !config.External.Eth.Enabled {
+		return badRequestError("Unsupported eth provider")
+	}
+
+	params := &NonceParams{}
+	body, err := ioutil.ReadAll(r.Body)
+	jsonDecoder := json.NewDecoder(bytes.NewReader(body))
+	if err = jsonDecoder.Decode(params); err != nil {
+		return badRequestError("Could not read verification params: %v", err)
+	}
+
+	clientIP := strings.Split(r.RemoteAddr, ":")[0]
+
+	nonce, err := models.NewNonce(instanceID, params.ChainId, params.Url, params.WalletAddress, clientIP)
+	if err != nil || nonce == nil {
+		return internalServerError("Failed to generate nonce")
+	}
+
+	err = a.db.Transaction(func(tx *storage.Connection) error {
+		if err := tx.Create(nonce); err != nil {
+			return internalServerError("Failed to save nonce")
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		return err
+	}
+
+	builtNonce, err := nonce.Build()
+	if err != nil {
+		return internalServerError("Failed to build nonce")
+	}
+
+	return sendJSON(w, http.StatusCreated, &NonceResponse{
+		Id:    nonce.ID.String(),
+		Nonce: builtNonce,
+	})
+}
+
+func (a *API) NonceById(w http.ResponseWriter, r *http.Request) error {
+	nonceId, err := uuid.FromString(chi.URLParam(r, "nonce_id"))
+	if err != nil {
+		return badRequestError("nonce_id must be an UUID")
+	}
+
+	nonce, err := models.GetNonceById(a.db, nonceId)
+	if err != nil {
+		if models.IsNotFoundError(err) {
+			return badRequestError("Invalid nonce_id")
+		}
+		return internalServerError("Failed to find nonce")
+	}
+
+	builtNonce, err := nonce.Build()
+	if err != nil {
+		return internalServerError("Failed to build nonce")
+	}
+
+	// TODO (HarryET): Concider checking IP?
+
+	return sendJSON(w, http.StatusCreated, &NonceResponse{
+		Id:    nonce.ID.String(),
+		Nonce: builtNonce,
+	})
+}
@@ -15,6 +15,7 @@ type ProviderSettings struct {
 	Slack     bool `json:"slack"`
 	Twitch    bool `json:"twitch"`
 	Twitter   bool `json:"twitter"`
+	Eth       bool `json:"eth"`
 	Email     bool `json:"email"`
 	Phone     bool `json:"phone"`
 	SAML      bool `json:"saml"`
@@ -50,6 +51,7 @@ func (a *API) Settings(w http.ResponseWriter, r *http.Request) error {
 			Slack:     config.External.Slack.Enabled,
 			Twitch:    config.External.Twitch.Enabled,
 			Twitter:   config.External.Twitter.Enabled,
+			Eth:       config.External.Eth.Enabled,
 			Email:     config.External.Email.Enabled,
 			Phone:     config.External.Phone.Enabled,
 			SAML:      config.External.Saml.Enabled,

@@ -16,12 +16,13 @@ import (
 
 // SignupParams are the parameters the Signup endpoint accepts
 type SignupParams struct {
-	Email    string                 `json:"email"`
-	Phone    string                 `json:"phone"`
-	Password string                 `json:"password"`
-	Data     map[string]interface{} `json:"data"`
-	Provider string                 `json:"-"`
-	Aud      string                 `json:"-"`
+	Email      string                 `json:"email"`
+	Phone      string                 `json:"phone"`
+	EthAddress string                 `json:"-"`
+	Password   string                 `json:"password"`
+	Data       map[string]interface{} `json:"data"`
+	Provider   string                 `json:"-"`
+	Aud        string                 `json:"-"`
 }
 
 // Signup is the endpoint for registering a new user
@@ -264,6 +265,9 @@ func (a *API) signupNewUser(ctx context.Context, conn *storage.Connection, param
 	case "phone":
 		user, err = models.NewUser(instanceID, "", params.Password, params.Aud, params.Data)
 		user.Phone = storage.NullString(params.Phone)
+	case "eth":
+		user, err = models.NewUser(instanceID, "", "", params.Aud, params.Data)
+		user.EthAddress = storage.NullString(params.EthAddress)
 	default:
 		// handles external provider case
 		user, err = models.NewUser(instanceID, params.Email, params.Password, params.Aud, params.Data)
@@ -278,7 +282,7 @@ func (a *API) signupNewUser(ctx context.Context, conn *storage.Connection, param
 
 	user.Identities = make([]models.Identity, 0)
 
-	// TODO: Depcreate "provider" field
+	// TODO: Deprecate "provider" field
 	user.AppMetaData["provider"] = params.Provider
 
 	user.AppMetaData["providers"] = []string{params.Provider}

@@ -24,6 +24,10 @@ type EmailProviderConfiguration struct {
 	Enabled bool `json:"enabled" default:"true"`
 }
 
+type EthProviderConfiguration struct {
+	Enabled bool `json:"enabled" default:"false"`
+}
+
 type SamlProviderConfiguration struct {
 	Enabled     bool   `json:"enabled"`
 	MetadataURL string `json:"metadata_url" envconfig:"METADATA_URL"`
@@ -94,6 +98,7 @@ type ProviderConfiguration struct {
 	Twitch      OAuthProviderConfiguration `json:"twitch"`
 	Email       EmailProviderConfiguration `json:"email"`
 	Phone       PhoneProviderConfiguration `json:"phone"`
+	Eth         EthProviderConfiguration   `json:"eth"`
 	Saml        SamlProviderConfiguration  `json:"saml"`
 	IosBundleId string                     `json:"ios_bundle_id" split_words:"true"`
 	RedirectURL string                     `json:"redirect_url"`
@@ -153,6 +158,10 @@ type SecurityConfiguration struct {
 	Captcha CaptchaConfiguration `json:"captcha"`
 }
 
+type Web3Configuration struct {
+	Enabled bool `json:"enabled" default:"false"`
+}
+
 // Configuration holds all the per-instance configuration.
 type Configuration struct {
 	SiteURL           string                   `json:"site_url" split_words:"true" required:"true"`

@@ -29,6 +29,7 @@ GOTRUE_MAILER_SUBJECTS_EMAIL_CHANGE="Confirm Email Change"
 GOTRUE_MAILER_SUBJECTS_INVITE="You have been invited"
 GOTRUE_EXTERNAL_EMAIL_ENABLED="true"
 GOTRUE_EXTERNAL_PHONE_ENABLED="true"
+GOTRUE_EXTERNAL_ETH_ENABLED="true"
 GOTRUE_EXTERNAL_GITHUB_ENABLED="false"
 GOTRUE_EXTERNAL_GITHUB_CLIENT_ID=""
 GOTRUE_EXTERNAL_GITHUB_SECRET=""
@@ -111,4 +112,4 @@ GOTRUE_WEBHOOK_EVENTS=validate,signup,login
 
 GOTRUE_SECURITY_CAPTCHA_ENABLED="true"
 GOTRUE_SECURITY_CAPTCHA_PROVIDER="hcaptcha"
-GOTRUE_SECURITY_CAPTCHA_SECRET="0x0000000000000000000000000000000000000000"
+GOTRUE_SECURITY_CAPTCHA_SECRET="0x0000000000000000000000000000000000000000"