Adding tests, nonce, and validation (#3)

Nathan Hurst · web-flow · commit bdb8a97c1e68 · 2021-11-16T10:48:45.000+01:00
* Adding tests and nonce

* Removing boilerplate

* Updating Gemfile

* Testing root directory rspec run

* Including spec_helper by default

* Including field as hidden and read only

* Renaming invalid_nonce =&gt; invalid_time

* Embedding js in the form so that simple apps can use it

* Adding js file missed before and updating README with example app
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -15,7 +15,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-latest]
         ruby: ['2.7', '3.0']
     steps:
     - uses: actions/checkout@v2
@@ -27,4 +27,4 @@ jobs:
         bundle install
     - name: Run Tests
       run: |
-        bundle exec rspec spec
+        bundle exec rspec --require spec_helper
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,18 +1,19 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    eth-patched (0.4.14)
-      ffi (~> 1.0)
+    diff-lcs (1.4.4)
+    eth (0.4.16)
+      ffi (~> 1.15)
       keccak (~> 1.2)
-      money-tree (~> 0.10.0)
-      rlp (~> 0.7.3)
-      scrypt (~> 3.0.6)
+      money-tree (~> 0.10)
+      rlp (~> 0.7)
+      scrypt (~> 3.0)
     ffi (1.15.4)
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
-    hashie (4.1.0)
-    keccak (1.2.0)
+    hashie (5.0.0)
+    keccak (1.2.2)
     money-tree (0.10.0)
       ffi
     omniauth (2.0.4)
@@ -22,17 +23,34 @@ GEM
     rack (2.2.3)
     rack-protection (2.1.0)
       rack
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
     rake (13.0.6)
     rlp (0.7.3)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.3)
     scrypt (3.0.7)
       ffi-compiler (>= 1.0, < 2.0)
 
 PLATFORMS
-  x86_64-linux
+  x86_64-darwin-19
 
 DEPENDENCIES
-  eth-patched (>= 0.4.13)
+  eth (>= 0.4.16)
   omniauth (>= 2.0)
+  rack-test
+  rspec (>= 3.10.0)
 
 BUNDLED WITH
    2.2.27
diff --git a/README.md b/README.md
@@ -1,2 +1,10 @@
 # omniauth-ethereum
 Implements the Ethereum provider strategy for OmniAuth
+
+To test
+```
+bundle
+rspec
+```
+
+An [example Rails app using omniauth-ethereum](https://github.com/nahurst/omniauth-ethereum-rails)
diff --git a/lib/new_session.js b/lib/new_session.js
@@ -0,0 +1,61 @@
+// the button to connect to an ethereum wallet
+const buttonEthConnect = document.querySelector('button');
+
+// the read-only eth fields, we process them automatically
+const formInputEthMessage = document.querySelector('input#eth_message');
+const formInputEthAddress = document.querySelector('input#eth_address');
+const formInputEthSignature = document.querySelector('input#eth_signature');
+formInputEthMessage.hidden = true;
+formInputEthAddress.hidden = true;
+formInputEthSignature.hidden = true;
+
+// get the new session form for submission later
+const formNewSession = document.querySelector('form');
+
+// only proceed with ethereum context available
+if (typeof window.ethereum !== 'undefined') {
+  buttonEthConnect.addEventListener('click', async () => {
+    buttonEthConnect.disabled = true;
+
+    // request accounts from ethereum provider
+    const accounts = await requestAccounts();
+    const etherbase = accounts[0];
+
+    // sign a message with current time
+    const customTitle = "Hello from Ruby!";
+    const requestTime = Math.floor(new Date().getTime() / 1000);
+    const message = customTitle + " " + requestTime;
+    const signature = await personalSign(etherbase, message);
+
+    // populate and submit form
+    formInputEthMessage.value = message;
+    formInputEthAddress.value = etherbase;
+    formInputEthSignature.value = signature;
+    formNewSession.submit();
+  });
+} else {
+  // disable form submission in case there is no ethereum wallet available
+  buttonEthConnect.innerHTML = "No Ethereum Context Available";
+  buttonEthConnect.disabled = true;
+}
+
+// request ethereum wallet access and approved accounts[]
+async function requestAccounts() {
+  const accounts = await ethereum.request({ method: 'eth_requestAccounts' });
+  return accounts;
+}
+
+// request ethereum signature for message from account
+async function personalSign(account, message) {
+  const signature = await ethereum.request({ method: 'personal_sign', params: [ message, account ] });
+  return signature;
+}
+
+// get nonce from /api/v1/users/ by account
+async function getUuidByAccount(account) {
+  const response = await fetch("/api/v1/users/" + account);
+  const nonceJson = await response.json();
+  if (!nonceJson) return null;
+  const uuid = nonceJson[0].eth_nonce;
+  return uuid;
+}
diff --git a/lib/omniauth-ethereum.rb b/lib/omniauth-ethereum.rb
@@ -1,4 +1,5 @@
 require 'omniauth'
+require 'eth'
 
 module OmniAuth
   module Strategies
@@ -13,22 +14,56 @@ class Ethereum
 
       # the `eth_address` will be the _fake_ unique identifier for the Ethereum strategy
       option :uid_field, :eth_address
+      option :fields, [:eth_message, :eth_address, :eth_signature]
+      option :uid_field, :eth_address
 
-      # the omniauth request phase
       def request_phase
-
-        # helper omniauth form to gather required data
-        form = OmniAuth::Form.new :title => "Ethereum Authentication", :url => callback_path
+        form = OmniAuth::Form.new :title => 'Ethereum Authentication', :url => callback_path
         options.fields.each do |field|
 
           # these fields are read-only and will be filled by javascript in the process
-          form.text_field field.to_s.capitalize.gsub("_", " "), field.to_s, readonly: true, class: field.to_s
+          if field == :eth_message
+            form.html("<input type='hidden' id='eth_message' name='eth_message' value='#{now}' />")
+          else
+            form.html("<input type='hidden' id='#{field.to_s}' name='#{field.to_s}' />")
+          end
         end
 
         # the form button will be heavy on javascript, requesting account, nonce, and signature before submission
-        form.button "Sign-In with Ethereum", class: "eth_connect"
+        form.button 'Sign In'
+        path = File.join( File.dirname(__FILE__), 'new_session.js')
+        js = File.read(path)
+        mod = "<script type='module'>\n#{js}\n</script>"
+
+        form.html(mod)
         form.to_response
       end
+
+      def callback_phase
+        address = request.params['eth_address'].downcase
+        message = request.params['eth_message']
+        signature = request.params['eth_signature']
+        signature_pubkey = Eth::Key.personal_recover message, signature
+        signature_address = (Eth::Utils.public_key_to_address signature_pubkey).downcase
+
+        unix_time = message.scan(/\d+/).first.to_i
+        ten_min = 10 * 60
+        return fail!(:invalid_time) unless unix_time + ten_min >= now && unix_time - ten_min <= now
+
+        return fail!(:invalid_credentials) unless signature_address == address
+
+        super
+      end
+
+      uid do
+        request.params[options.uid_field.to_s]
+      end
+
+      private
+
+      def now
+        Time.now.utc.to_i
+      end
     end
   end
 end
diff --git a/omniauth-ethereum.gemspec b/omniauth-ethereum.gemspec
@@ -1,3 +1,7 @@
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth-ethereum'
+
 Gem::Specification.new do |spec|
   spec.name = 'omniauth-ethereum'
   spec.version = '0.0.1'
diff --git a/spec/omniauth/strategies/ethereum_spec.rb b/spec/omniauth/strategies/ethereum_spec.rb
@@ -0,0 +1,96 @@
+RSpec.describe OmniAuth::Strategies::Ethereum do
+  let(:app) do
+    Rack::Builder.new do |b|
+      b.use Rack::Session::Cookie, :secret => 'abc123'
+      b.use OmniAuth::Strategies::Ethereum
+      b.run lambda { |_env| [200, {}, ['Not Found']] }
+    end.to_app
+  end
+
+  before(:each) do
+    allow(Time).to receive(:now).and_return(
+      Time.at(1636680000, in: '+00:00'))
+  end
+
+  context 'request phase' do
+    before(:each) { post '/auth/ethereum' }
+
+    it 'displays a form' do
+      expect(last_response.status).to eq(200)
+      expect(last_response.body).to be_include('<form')
+    end
+
+    it 'has the callback as the action for the form' do
+      expect(last_response.body).to be_include("action='/auth/ethereum/callback'")
+    end
+
+    it 'has a text field for each of the fields' do
+      expect(last_response.body.scan('<input').size).to eq(3)
+    end
+  end
+
+  context 'callback phase' do
+    let(:auth_hash) { last_request.env['omniauth.auth'] }
+    let(:eth_message) { "Hello from Ruby! #{Time.now.utc.to_i}" }
+    let(:eth_address) { '0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266' }
+    let(:eth_signature) { '0x362b5463470038a62c9d0652712539bab36f9c74914f5a05475a8e2e84a9719e396ab201e62d0c92da7de91a3a4a61a221c3f4e0b528b709ecdaa22ee8391d0f1c' }
+
+    describe 'with varied nonces' do
+      before do
+        post '/auth/ethereum/callback',
+          :eth_message => eth_message,
+          :eth_address => eth_address,
+          :eth_signature => eth_signature
+      end
+
+      context 'with nonce from too long ago' do
+        let(:eth_message) { "Hello from Ruby! #{Time.now.utc.to_i - 11 * 60}" }
+
+        it 'fails with invalid nonce' do
+          expect(last_response.status).to eq(302)
+          expect(last_response.location).to eq('/auth/failure?message=invalid_time&strategy=ethereum')
+        end
+      end
+
+      context 'with nonce from too far in future' do
+        let(:eth_message) { "Hello from Ruby! #{Time.now.utc.to_i + 11 * 60}" }
+
+        it 'fails with invalid nonce' do
+          expect(last_response.status).to eq(302)
+          expect(last_response.location).to eq('/auth/failure?message=invalid_time&strategy=ethereum')
+        end
+      end
+    end
+
+    context 'with mismatching address' do
+      before do
+        post '/auth/ethereum/callback',
+          :name => 'Example User',
+          :email => 'user@example.com',
+          :eth_message => eth_message,
+          :eth_address => '0xBADDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD',
+          :eth_signature => '0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
+      end
+
+      it 'fails with invalid credentials' do
+        expect(last_response.status).to eq(302)
+        expect(last_response.location).to eq('/auth/failure?message=invalid_credentials&strategy=ethereum')
+      end
+    end
+
+    context 'with default options' do
+      before do
+        post '/auth/ethereum/callback',
+          :eth_message => eth_message,
+          :eth_address => eth_address,
+          :eth_signature => eth_signature
+      end
+
+      it 'sets the uid to the address' do
+        expect(last_response.status).to eq(200)
+        expect(auth_hash.uid).to eq(eth_address)
+      end
+    end
+
+  end
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -0,0 +1,22 @@
+require 'rspec'
+require 'rack/test'
+require 'omniauth'
+require 'omniauth/test'
+
+require 'omniauth-ethereum'
+
+OmniAuth.config.request_validation_phase = nil
+
+RSpec.configure do |config|
+
+  config.include Rack::Test::Methods
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+
+  config.shared_context_metadata_behavior = :apply_to_host_groups
+end
