Merge pull request 'Refactor Nostr auth, add login via Nostr (web extension)' (#188) from feature/nostr_login into master

Reviewed-on: #188 Reviewed-by: bumi <bumi@noreply.kosmos.org>
2024-05-10 11:01:00 +00:00 · 2024-05-10 11:01:00 +00:00 · 46fa42e387
commit 46fa42e387
parent 6ddeacb779 d9dff3e872
18 changed files with 333 additions and 101 deletions
--- a/.env.test
+++ b/.env.test
@ -1,4 +1,5 @@
 PRIMARY_DOMAIN=kosmos.org
+AKKOUNTS_DOMAIN=accounts.kosmos.org

 REDIS_URL='redis://localhost:6379/0'

--- a/2
+++ b/2
@ -62,7 +62,7 @@ gem "sentry-rails"
 gem 'discourse_api'
 gem "lnurl"
 gem 'manifique'
-gem 'nostr'
+gem 'nostr', '~> 0.6.0'

 group :development, :test do
  # Use sqlite3 as the database for Active Record
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -155,7 +155,7 @@ GEM
      ruby2_keywords
    e2mmap (0.1.0)
    ecdsa (1.2.0)
-    ecdsa_ext (0.5.0)
+    ecdsa_ext (0.5.1)
      ecdsa (~> 1.2.0)
    erubi (1.12.0)
    et-orbi (1.2.7)
@ -278,9 +278,9 @@ GEM
      racc (~> 1.4)
    nokogiri (1.16.0-x86_64-linux)
      racc (~> 1.4)
-    nostr (0.5.0)
+    nostr (0.6.0)
      bech32 (~> 1.4)
-      bip-schnorr (~> 0.6)
+      bip-schnorr (~> 0.7)
      ecdsa (~> 1.2)
      event_emitter (~> 0.2)
      faye-websocket (~> 0.11)
@ -517,7 +517,7 @@ DEPENDENCIES
  lockbox
  manifique
  net-ldap
-  nostr
+  nostr (~> 0.6.0)
  pagy (~> 6.0, >= 6.0.2)
  pg (~> 1.5)
  puma (~> 4.1)
--- a/app/assets/stylesheets/components/buttons.css
+++ b/app/assets/stylesheets/components/buttons.css
@ -42,6 +42,11 @@
           focus:ring-red-500 focus:ring-opacity-75;
  }

+  .btn-outline-purple {
+    @apply border-2 border-purple-500 hover:bg-purple-100
+           focus:ring-purple-400 focus:ring-opacity-75;
+  }
+
  .btn:disabled {
    @apply bg-gray-100 hover:bg-gray-200 text-gray-400
           focus:ring-gray-300 focus:ring-opacity-75;
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -63,4 +63,9 @@ class ApplicationController < ActionController::Base
    @fetch_balance_retried = true
    lndhub_fetch_balance
  end
+
+  def nostr_event_from_params
+    params.permit!
+    params[:signed_event].to_h.symbolize_keys
+  end
 end
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@ -87,25 +87,27 @@ class SettingsController < ApplicationController
  end

  def set_nostr_pubkey
-    signed_event = nostr_event_params[:signed_event].to_h.symbolize_keys
+    signed_event = Nostr::Event.new(**nostr_event_from_params)

-    is_valid_id  = NostrManager::ValidateId.call(event: signed_event)
-    is_valid_sig = NostrManager::VerifySignature.call(event: signed_event)
-    is_correct_content = signed_event[:content] == "Connect my public key to #{current_user.address} (confirmation #{session[:shared_secret]})"
+    is_valid_sig  = signed_event.verify_signature
+    is_valid_auth = NostrManager::VerifyAuth.call(
+      event: signed_event,
+      challenge: session[:shared_secret]
+    )

-    unless is_valid_id && is_valid_sig && is_correct_content
+    unless is_valid_sig && is_valid_auth
      flash[:alert] = "Public key could not be verified"
      http_status :unprocessable_entity and return
    end

-    user_with_pubkey = LdapManager::FetchUserByNostrKey.call(pubkey: signed_event[:pubkey])
+    user_with_pubkey = LdapManager::FetchUserByNostrKey.call(pubkey: signed_event.pubkey)

    if user_with_pubkey.present? && (user_with_pubkey != current_user)
      flash[:alert] = "Public key already in use for a different account"
      http_status :unprocessable_entity and return
    end

-    LdapManager::UpdateNostrKey.call(dn: current_user.dn, pubkey: signed_event[:pubkey])
+    LdapManager::UpdateNostrKey.call(dn: current_user.dn, pubkey: signed_event.pubkey)
    session[:shared_secret] = nil

    flash[:success] = "Public key verification successful"
@ -160,12 +162,6 @@ class SettingsController < ApplicationController
      params.require(:user).permit(:current_password)
    end

-    def nostr_event_params
-      params.permit(signed_event: [
-        :id, :pubkey, :created_at, :kind, :content, :sig, tags: []
-      ])
-    end
-
    def generate_email_password
      characters = [('a'..'z'), ('A'..'Z'), (0..9)].map(&:to_a).flatten
      SecureRandom.random_bytes(16).each_byte.map { |b| characters[b % characters.length] }.join
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+class Users::SessionsController < Devise::SessionsController
+  # before_action :configure_sign_in_params, only: [:create]
+
+  # GET /resource/sign_in
+  def new
+    session[:shared_secret] = SecureRandom.base64(12)
+    super
+  end
+
+  # POST /resource/sign_in
+  # def create
+  #   super
+  # end
+
+  # DELETE /resource/sign_out
+  # def destroy
+  #   super
+  # end
+
+  # POST /users/nostr_login
+  def nostr_login
+    signed_event = Nostr::Event.new(**nostr_event_from_params)
+
+    is_valid_sig  = signed_event.verify_signature
+    is_valid_auth = NostrManager::VerifyAuth.call(
+      event: signed_event,
+      challenge: session[:shared_secret]
+    )
+
+    session[:shared_secret] = nil
+
+    unless is_valid_sig && is_valid_auth
+      flash[:alert] = "Login verification failed"
+      http_status :unauthorized and return
+    end
+
+    user = LdapManager::FetchUserByNostrKey.call(pubkey: signed_event.pubkey)
+
+    if user.present?
+      set_flash_message!(:notice, :signed_in)
+      sign_in("user", user)
+      render json: { redirect_url: after_sign_in_path_for(user) }, status: :ok
+    else
+      flash[:alert] = "Failed to find your account. Nostr login may be disabled."
+      http_status :unauthorized
+    end
+  end
+
+  protected
+
+    def set_flash_message(key, kind, options = {})
+      # Hide flash message after redirecting from a signin route while logged in
+      super unless key == :alert && kind == "already_authenticated"
+    end
+
+  # If you have extra params to permit, append them to the sanitizer.
+  # def configure_sign_in_params
+  #   devise_parameter_sanitizer.permit(:sign_in, keys: [:attribute])
+  # end
+end
--- a/app/javascript/controllers/nostr_login_controller.js
+++ b/app/javascript/controllers/nostr_login_controller.js
@ -0,0 +1,53 @@
+import { Controller } from "@hotwired/stimulus"
+
+// Connects to data-controller="nostr-login"
+export default class extends Controller {
+  static targets = [ "loginForm", "loginButton" ]
+  static values  = { site: String, sharedSecret: String }
+
+  connect() {
+    if (window.nostr) {
+      this.loginButtonTarget.disabled = false
+      this.loginFormTarget.classList.remove("hidden")
+    }
+  }
+
+  async login () {
+    this.loginButtonTarget.disabled = true
+
+    try {
+      // Auth based on NIP-42
+      const signedEvent = await window.nostr.signEvent({
+        created_at: Math.floor(Date.now() / 1000),
+        kind: 22242,
+        tags: [
+          ["site", this.siteValue],
+          ["challenge", this.sharedSecretValue]
+        ],
+        content: ""
+      })
+
+      const res = await fetch("/users/nostr_login", {
+        method: "POST", credentials: "include", headers: {
+          "Accept": "application/json", 'Content-Type': 'application/json',
+          "X-CSRF-Token": this.csrfToken
+        }, body: JSON.stringify({ signed_event: signedEvent })
+      })
+
+      if (res.status === 200) {
+        res.json().then(r => { window.location.href = r.redirect_url })
+      } else {
+        window.location.reload()
+      }
+    } catch (error) {
+      console.warn('Unable to authenticate:', error.message)
+    } finally {
+      this.loginButtonTarget.disabled = false
+    }
+  }
+
+  get csrfToken () {
+    const element = document.head.querySelector('meta[name="csrf-token"]')
+    return element.getAttribute("content")
+  }
+}
--- a/app/javascript/controllers/settings/nostr_pubkey_controller.js
+++ b/app/javascript/controllers/settings/nostr_pubkey_controller.js
@ -3,7 +3,12 @@ import { Controller } from "@hotwired/stimulus"
 // Connects to data-controller="settings--nostr-pubkey"
 export default class extends Controller {
  static targets = [ "noExtension", "setPubkey", "pubkeyBech32Input" ]
-  static values  = { userAddress: String, pubkeyHex: String, sharedSecret: String }
+  static values  = {
+    userAddress: String,
+    pubkeyHex: String,
+    site: String,
+    sharedSecret: String
+  }

  connect () {
    if (window.nostr) {
@ -19,11 +24,15 @@ export default class extends Controller {
    this.setPubkeyTarget.disabled = true

    try {
+      // Auth based on NIP-42
      const signedEvent = await window.nostr.signEvent({
        created_at: Math.floor(Date.now() / 1000),
-        kind: 1,
-        tags: [],
-        content: `Connect my public key to ${this.userAddressValue} (confirmation ${this.sharedSecretValue})`
+        kind: 22242,
+        tags: [
+          ["site", this.siteValue],
+          ["challenge", this.sharedSecretValue]
+        ],
+        content: ""
      })

      const res = await fetch("/settings/set_nostr_pubkey", {
--- a/app/services/nostr_manager/validate_id.rb
+++ b/app/services/nostr_manager/validate_id.rb
@ -1,11 +0,0 @@
-module NostrManager
-  class ValidateId < NostrManagerService
-    def initialize(event:)
-      @event = Nostr::Event.new(**event)
-    end
-
-    def call
-      @event.id == Digest::SHA256.hexdigest(JSON.generate(@event.serialize))
-    end
-  end
-end
--- a/app/services/nostr_manager/verify_auth.rb
+++ b/app/services/nostr_manager/verify_auth.rb
@ -0,0 +1,17 @@
+module NostrManager
+  class VerifyAuth < NostrManagerService
+    def initialize(event:, challenge:)
+      @event = event
+      @challenge_expected = challenge
+      @site_expected = Setting.accounts_domain
+    end
+
+    def call
+      site_given      = @event.tags.find{|t| t[0] == "site"}[1]
+      challenge_given = @event.tags.find{|t| t[0] == "challenge"}[1]
+
+      site_given == @site_expected &&
+      challenge_given == @challenge_expected
+    end
+  end
+end
--- a/app/services/nostr_manager/verify_signature.rb
+++ b/app/services/nostr_manager/verify_signature.rb
@ -1,17 +0,0 @@
-module NostrManager
-  class VerifySignature < NostrManagerService
-    def initialize(event:)
-      @event = Nostr::Event.new(**event)
-    end
-
-    def call
-      Schnorr.check_sig!(
-        [@event.id].pack('H*'),
-        [@event.pubkey].pack('H*'),
-        [@event.sig].pack('H*')
-      )
-    rescue Schnorr::InvalidSignatureError
-      false
-    end
-  end
-end
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@ -55,4 +55,27 @@
      <%= f.submit "Log in", class: 'btn-md btn-blue w-full', tabindex: "4" %>
    </p>
  <% end %>
+
+  <div data-controller="nostr-login"
+       data-nostr-login-target="loginForm"
+       data-nostr-login-site-value="<%= Setting.accounts_domain %>"
+       data-nostr-login-shared-secret-value="<%= session[:shared_secret] %>"
+       class="hidden">
+    <div class="relative my-6">
+      <div class="absolute inset-0 flex items-center" aria-hidden="true">
+        <div class="w-full border-t border-gray-200"></div>
+      </div>
+      <div class="relative flex justify-center">
+        <span class="bg-white px-2 text-sm text-gray-500 italic">or</span>
+      </div>
+    </div>
+    <p>
+      <button disabled tabindex="5"
+              class="w-full btn-md btn-gray text-purple-600"
+              data-nostr-login-target="loginButton"
+              data-action="nostr-login#login">
+        Log in with Nostr
+      </button>
+    </p>
+  </div>
 <% end %>
--- a/app/views/settings/_nostr.html.erb
+++ b/app/views/settings/_nostr.html.erb
@ -3,6 +3,7 @@
  <h4 class="mb-0">Public Key</h4>
  <div data-controller="settings--nostr-pubkey"
       data-settings--nostr-pubkey-user-address-value="<%= current_user.address %>"
+       data-settings--nostr-pubkey-site-value="<%= Setting.accounts_domain %>"
       data-settings--nostr-pubkey-shared-secret-value="<%= session[:shared_secret] %>"
       data-settings--nostr-pubkey-pubkey-hex-value="<%= current_user.nostr_pubkey %>">

--- a/config/routes.rb
+++ b/config/routes.rb
@ -1,7 +1,14 @@
 require 'sidekiq/web'

 Rails.application.routes.draw do
-  devise_for :users, controllers: { confirmations: 'users/confirmations' }
+  devise_for :users, controllers: {
+    confirmations: 'users/confirmations',
+    sessions: 'users/sessions'
+  }
+
+  devise_scope :user do
+    post 'users/nostr_login', to: 'users/sessions#nostr_login'
+  end

  get 'welcome', to: 'welcome#index'
  get 'check_your_email', to: 'welcome#check_your_email'
--- a/spec/fixtures/nostr/valid_auth_event.json
+++ b/spec/fixtures/nostr/valid_auth_event.json
@ -0,0 +1,9 @@
+{
+  "id": "7cc165c4fe4c9ec3f2b859cb422f01b38beaf6bbd228fea928ea1400ec254a89",
+  "pubkey": "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
+  "created_at": 1711963922,
+  "kind": 22242,
+  "tags": [["site","accounts.kosmos.org"],["challenge","YMeTyOxIEJcfe6vd"]],
+  "content": "",
+  "sig": "b484a28cd9c92facca0eba80e8ef5303d25ed044c3815e3a068b9887f91d3546ad209a0dd674c59b48cf8057aecd75df5416973d17ed58f68195030af09c28d1"
+}
--- a/spec/requests/settings_spec.rb
+++ b/spec/requests/settings_spec.rb
@ -3,6 +3,7 @@ require 'rails_helper'
 RSpec.describe "Settings", type: :request do
  let(:user) { create :user, cn: 'mark', ou: 'kosmos.org' }
  let(:other_user) { create :user, id: 2, cn: 'markymark', ou: 'kosmos.org', email: 'markymark@interscope.com' }
+  let(:auth_event) { JSON.parse(File.read("#{Rails.root}/spec/fixtures/nostr/valid_auth_event.json")) }

  before do
    login_as user, :scope => :user
@ -25,7 +26,7 @@ RSpec.describe "Settings", type: :request do

  describe "POST /settings/set_nostr_pubkey" do
    before do
-      session_stub = { shared_secret: "rMjWEmvcvtTlQkMd" }
+      session_stub = { shared_secret: "YMeTyOxIEJcfe6vd" }
      allow_any_instance_of(SettingsController).to receive(:session).and_return(session_stub)
    end

@ -36,19 +37,12 @@ RSpec.describe "Settings", type: :request do
          pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3"
        ).and_return(0)

-        post set_nostr_pubkey_settings_path, params: {
-          signed_event: {
-            id: "84f266bbd784551aaa9e35cb0aceb4ee59182a1dab9ab279d9e40dd56ecbbdd3",
-            pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
-            created_at: 1678254161,
-            kind: 1,
-            content: "Connect my public key to mark@kosmos.org (confirmation rMjWEmvcvtTlQkMd)",
-            sig: "96796d420547d6e2c7be5de82a2ce7a48be99aac6415464a6081859ac1a9017305accc0228c630466a57d45ec1c3b456376eb538b76dfdaa2397e3258be02fdd"
+        post set_nostr_pubkey_settings_path,
+          params: { signed_event: auth_event }.to_json,
+          headers: {
+            "CONTENT_TYPE" => "application/json",
+            "HTTP_ACCEPT" => "application/json"
          }
-        }.to_json, headers: {
-          "CONTENT_TYPE" => "application/json",
-          "HTTP_ACCEPT" => "application/json"
-        }
      end

      it "returns a success status" do
@ -67,19 +61,12 @@ RSpec.describe "Settings", type: :request do
        ).and_return(other_user)
        expect(LdapManager::UpdateNostrKey).not_to receive(:call)

-        post set_nostr_pubkey_settings_path, params: {
-          signed_event: {
-            id: "84f266bbd784551aaa9e35cb0aceb4ee59182a1dab9ab279d9e40dd56ecbbdd3",
-            pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
-            created_at: 1678254161,
-            kind: 1,
-            content: "Connect my public key to mark@kosmos.org (confirmation rMjWEmvcvtTlQkMd)",
-            sig: "96796d420547d6e2c7be5de82a2ce7a48be99aac6415464a6081859ac1a9017305accc0228c630466a57d45ec1c3b456376eb538b76dfdaa2397e3258be02fdd"
+        post set_nostr_pubkey_settings_path,
+          params: { signed_event: auth_event }.to_json,
+          headers: {
+            "CONTENT_TYPE" => "application/json",
+            "HTTP_ACCEPT" => "application/json"
          }
-        }.to_json, headers: {
-          "CONTENT_TYPE" => "application/json",
-          "HTTP_ACCEPT" => "application/json"
-        }
      end

      it "returns a 422 status" do
@ -91,23 +78,21 @@ RSpec.describe "Settings", type: :request do
      end
    end

-    context "With wrong username" do
+    context "With wrong site tag" do
      before do
+        Setting.accounts_domain = "accounts.wikipedia.org"
        expect(LdapManager::UpdateNostrKey).not_to receive(:call)

-        post set_nostr_pubkey_settings_path, params: {
-          signed_event: {
-            id: "2e1e20ee762d6a5b5b30835eda9ca03146e4baf82490e53fd75794c08de08ac0",
-            pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
-            created_at: 1678255391,
-            kind: 1,
-            content: "Connect my public key to admin@kosmos.org (confirmation rMjWEmvcvtTlQkMd)",
-            sig: "2ace19c9db892ac6383848721a3e08b13d90d689fdeac60d9633a623d3f08eb7e0d468f1b3e928d1ea979477c2ec46ee6cdb2d053ef2e4ed3c0630a51d249029"
+        post set_nostr_pubkey_settings_path,
+          params: { signed_event: auth_event }.to_json,
+          headers: {
+            "CONTENT_TYPE" => "application/json",
+            "HTTP_ACCEPT" => "application/json"
          }
-        }.to_json, headers: {
-          "CONTENT_TYPE" => "application/json",
-          "HTTP_ACCEPT" => "application/json"
-        }
+      end
+
+      after do
+        Setting.accounts_domain = "accounts.kosmos.org"
      end

      it "returns a 422 status" do
@ -126,19 +111,12 @@ RSpec.describe "Settings", type: :request do

        expect(LdapManager::UpdateNostrKey).not_to receive(:call)

-        post set_nostr_pubkey_settings_path, params: {
-          signed_event: {
-            id: "84f266bbd784551aaa9e35cb0aceb4ee59182a1dab9ab279d9e40dd56ecbbdd3",
-            pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
-            created_at: 1678254161,
-            kind: 1,
-            content: "Connect my public key to mark@kosmos.org (confirmation rMjWEmvcvtTlQkMd)",
-            sig: "96796d420547d6e2c7be5de82a2ce7a48be99aac6415464a6081859ac1a9017305accc0228c630466a57d45ec1c3b456376eb538b76dfdaa2397e3258be02fdd"
+        post set_nostr_pubkey_settings_path,
+          params: { signed_event: auth_event }.to_json,
+          headers: {
+            "CONTENT_TYPE" => "application/json",
+            "HTTP_ACCEPT" => "application/json"
          }
-        }.to_json, headers: {
-          "CONTENT_TYPE" => "application/json",
-          "HTTP_ACCEPT" => "application/json"
-        }
      end

      it "returns a 422 status" do
--- a/spec/requests/users/sessions_spec.rb
+++ b/spec/requests/users/sessions_spec.rb
@ -0,0 +1,94 @@
+require 'rails_helper'
+
+RSpec.describe "Devise login sessions", type: :request do
+  let(:user) { create :user, cn: 'fiatjaf', ou: 'kosmos.org' }
+  let(:auth_event) { JSON.parse(File.read("#{Rails.root}/spec/fixtures/nostr/valid_auth_event.json")) }
+
+  before do
+    login_as user, :scope => :user
+
+    allow_any_instance_of(User).to receive(:dn)
+      .and_return("cn=#{user.cn},ou=kosmos.org,cn=users,dc=kosmos,dc=org")
+    allow_any_instance_of(User).to receive(:nostr_pubkey).and_return(nil)
+
+    allow(LdapManager::FetchUserByNostrKey).to receive(:call).with(
+      pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3"
+    ).and_return(nil)
+  end
+
+  describe "POST /users/nostr_login" do
+    before do
+      session_stub = { shared_secret: "YMeTyOxIEJcfe6vd" }
+      allow_any_instance_of(Users::SessionsController).to receive(:session).and_return(session_stub)
+    end
+
+    context "With key configured for an account" do
+      before do
+        expect(LdapManager::FetchUserByNostrKey).to receive(:call).with(
+          pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3"
+        ).and_return(user)
+
+        post users_nostr_login_path,
+          params: { signed_event: auth_event }.to_json,
+          headers: {
+            "CONTENT_TYPE" => "application/json",
+            "HTTP_ACCEPT" => "application/json"
+          }
+      end
+
+      it "returns a success status" do
+        expect(response).to have_http_status(200)
+      end
+    end
+
+    context "With wrong site tag" do
+      before do
+        Setting.accounts_domain = "accounts.wikipedia.org"
+        expect(LdapManager::FetchUserByNostrKey).not_to receive(:call)
+
+        post users_nostr_login_path,
+          params: { signed_event: auth_event }.to_json,
+          headers: {
+            "CONTENT_TYPE" => "application/json",
+            "HTTP_ACCEPT" => "application/json"
+          }
+      end
+
+      after do
+        Setting.accounts_domain = "accounts.kosmos.org"
+      end
+
+      it "returns a 422 status" do
+        expect(response).to have_http_status(401)
+      end
+
+      it "informs the user about the failure" do
+        expect(flash[:alert]).to eq("Login verification failed")
+      end
+    end
+
+    context "With wrong shared secret" do
+      before do
+        session_stub = { shared_secret: "ho-chi-minh" }
+        allow_any_instance_of(Users::SessionsController).to receive(:session).and_return(session_stub)
+
+        expect(LdapManager::FetchUserByNostrKey).not_to receive(:call)
+
+        post users_nostr_login_path,
+          params: { signed_event: auth_event }.to_json,
+          headers: {
+            "CONTENT_TYPE" => "application/json",
+            "HTTP_ACCEPT" => "application/json"
+          }
+      end
+
+      it "returns a 422 status" do
+        expect(response).to have_http_status(401)
+      end
+
+      it "informs the user about the failure" do
+        expect(flash[:alert]).to eq("Login verification failed")
+      end
+    end
+  end
+end