Refactor Nostr settings/connect

* Use NIP-42 auth event instead of short text note * Verify event ID and signature using the nostr gem instead of custom code
2024-04-01 18:22:32 +03:00
parent d4e67a830c
commit 22d362e1a0
9 changed files with 77 additions and 67 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -63,4 +63,9 @@ class ApplicationController < ActionController::Base
    @fetch_balance_retried = true
    lndhub_fetch_balance
  end
+
+  def nostr_event_from_params
+    params.permit!
+    params[:signed_event].to_h.symbolize_keys
+  end
 end
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -87,25 +87,27 @@ class SettingsController < ApplicationController
  end

  def set_nostr_pubkey
-    signed_event = nostr_event_params[:signed_event].to_h.symbolize_keys
+    signed_event = Nostr::Event.new(**nostr_event_from_params)

-    is_valid_id  = NostrManager::ValidateId.call(event: signed_event)
-    is_valid_sig = NostrManager::VerifySignature.call(event: signed_event)
-    is_correct_content = signed_event[:content] == "Connect my public key to #{current_user.address} (confirmation #{session[:shared_secret]})"
+    is_valid_sig  = signed_event.verify_signature
+    is_valid_auth = NostrManager::VerifyAuth.call(
+      event: signed_event,
+      challenge: session[:shared_secret]
+    )

-    unless is_valid_id && is_valid_sig && is_correct_content
+    unless is_valid_sig && is_valid_auth
      flash[:alert] = "Public key could not be verified"
      http_status :unprocessable_entity and return
    end

-    user_with_pubkey = LdapManager::FetchUserByNostrKey.call(pubkey: signed_event[:pubkey])
+    user_with_pubkey = LdapManager::FetchUserByNostrKey.call(pubkey: signed_event.pubkey)

    if user_with_pubkey.present? && (user_with_pubkey != current_user)
      flash[:alert] = "Public key already in use for a different account"
      http_status :unprocessable_entity and return
    end

-    LdapManager::UpdateNostrKey.call(dn: current_user.dn, pubkey: signed_event[:pubkey])
+    LdapManager::UpdateNostrKey.call(dn: current_user.dn, pubkey: signed_event.pubkey)
    session[:shared_secret] = nil

    flash[:success] = "Public key verification successful"
@@ -160,12 +162,6 @@ class SettingsController < ApplicationController
      params.require(:user).permit(:current_password)
    end

-    def nostr_event_params
-      params.permit(signed_event: [
-        :id, :pubkey, :created_at, :kind, :content, :sig, tags: []
-      ])
-    end
-
    def generate_email_password
      characters = [('a'..'z'), ('A'..'Z'), (0..9)].map(&:to_a).flatten
      SecureRandom.random_bytes(16).each_byte.map { |b| characters[b % characters.length] }.join