Application header for web3 auth

Author: kompotkot

brood/actions.py

@@ -40,7 +40,6 @@
     VerificationEmail,
 )
 from .settings import (
-    APPLICATION_NAME,
     BUGOUT_FROM_EMAIL,
     BUGOUT_URL,
     DEFAULT_USER_GROUP_LIMIT,
@@ -463,7 +462,10 @@ def create_user(
         payload_json = base64.decodebytes(signature.encode()).decode("utf-8")
         payload = json.loads(payload_json)
         verified = verify(
-            authorization_payload=payload, application_to_check=APPLICATION_NAME
+            authorization_payload=payload,
+            application_to_check=str(application_id)
+            if application_id is not None
+            else "",
         )
         if not verified:
             logger.info("Web3 registration verification error")

brood/api.py

@@ -21,7 +21,11 @@
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.security import OAuth2PasswordRequestForm
 from fastapi.security.utils import get_authorization_scheme_param
-from web3login.exceptions import Web3VerificationError
+from web3login.exceptions import (
+    Web3AuthorizationExpired,
+    Web3AuthorizationWrongApplication,
+    Web3VerificationError,
+)
 
 from . import actions, data, exceptions, models, subscriptions
 from .db import yield_db_session_from_env
@@ -160,8 +164,12 @@ async def create_user_handler(
             status_code=422,
             detail=invalid_password_error.generic_error_message,
         )
+    except Web3AuthorizationExpired:
+        raise HTTPException(status_code=403, detail="Signature not verified")
+    except Web3AuthorizationWrongApplication:
+        raise HTTPException(status_code=403, detail="Signature not verified")
     except Web3VerificationError:
-        raise HTTPException(status_code=400, detail="Invalid user signature")
+        raise HTTPException(status_code=403, detail="Signature not verified")
     except Exception:
         raise HTTPException(status_code=500)
 

brood/middleware.py

@@ -1,22 +1,26 @@
 import base64
 import json
 import logging
-from typing import Optional
+from typing import cast, Optional
 from uuid import UUID
 
 from fastapi import Depends, HTTPException, Request
 from fastapi.exceptions import HTTPException
 from fastapi.security.utils import get_authorization_scheme_param
 from web3login.auth import to_checksum_address, verify
-from web3login.exceptions import Web3VerificationError
+from web3login.exceptions import (
+    Web3AuthorizationExpired,
+    Web3AuthorizationWrongApplication,
+    Web3VerificationError,
+)
 from web3login.middlewares.fastapi import OAuth2BearerOrWeb3
 
 from . import actions, data
 from .db import yield_db_read_only_session
 from .settings import (
-    APPLICATION_NAME,
     BOT_INSTALLATION_TOKEN,
     BOT_INSTALLATION_TOKEN_HEADER,
+    BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER,
 )
 
 logger = logging.getLogger(__name__)
@@ -41,13 +45,27 @@ async def get_current_user(
     if token is None or token == "":
         raise HTTPException(status_code=404, detail="Access token not found")
 
+    signature_application: str = request.headers.get(
+        BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER
+    )
+    application_id = None
+    if signature_application is not None:
+        try:
+            application_id = cast(UUID, signature_application)
+        except Exception:
+            raise HTTPException(
+                status_code=403, detail="Wrong Web3 signature application provided"
+            )
+
     try:
         if scheme == "web3":
             payload_json = base64.decodebytes(str(token).encode()).decode("utf-8")
             payload = json.loads(payload_json)
             verified = verify(
                 authorization_payload=payload,
-                application_to_check=APPLICATION_NAME,
+                application_to_check=str(application_id)
+                if application_id is not None
+                else "",
             )
             if not verified:
                 logger.info("Web3 verification error")
@@ -57,7 +75,11 @@ async def get_current_user(
                 logger.error("Web3 address in payload could not be None")
                 raise Exception()
             web3_address = to_checksum_address(web3_address)
-            user = actions.get_user(session=db_session, web3_address=web3_address)
+            user = actions.get_user(
+                session=db_session,
+                web3_address=web3_address,
+                application_id=application_id,
+            )
 
         elif scheme == "bearer":
             is_token_active, user = actions.get_current_user_by_token(
@@ -82,6 +104,10 @@ async def get_current_user(
     except actions.UserInvalidParameters as e:
         logger.info(e)
         raise HTTPException(status_code=500)
+    except Web3AuthorizationExpired:
+        raise HTTPException(status_code=403, detail="Signature not verified")
+    except Web3AuthorizationWrongApplication:
+        raise HTTPException(status_code=403, detail="Signature not verified")
     except Web3VerificationError:
         raise HTTPException(status_code=403, detail="Signature not verified")
     except Exception:
@@ -117,13 +143,27 @@ async def get_current_user_with_groups(
     if token is None or token == "":
         raise HTTPException(status_code=404, detail="Access token not found")
 
+    signature_application: str = request.headers.get(
+        BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER
+    )
+    application_id = None
+    if signature_application is not None:
+        try:
+            application_id = cast(UUID, signature_application)
+        except Exception:
+            raise HTTPException(
+                status_code=403, detail="Wrong Web3 signature application provided"
+            )
+
     try:
         if scheme == "web3":
             payload_json = base64.decodebytes(str(token).encode()).decode("utf-8")
             payload = json.loads(payload_json)
             verified = verify(
                 authorization_payload=payload,
-                application_to_check=APPLICATION_NAME,
+                application_to_check=str(application_id)
+                if application_id is not None
+                else "",
             )
             if not verified:
                 logger.info("Web3 authorization verification error")
@@ -134,7 +174,9 @@ async def get_current_user_with_groups(
                 raise Exception()
             web3_address = to_checksum_address(web3_address)
             user_extended = actions.get_user_with_groups(
-                session=db_session, web3_address=web3_address
+                session=db_session,
+                web3_address=web3_address,
+                application_id=application_id,
             )
 
         elif scheme == "bearer":
@@ -163,6 +205,10 @@ async def get_current_user_with_groups(
     except actions.UserInvalidParameters as e:
         logger.info(e)
         raise HTTPException(status_code=500)
+    except Web3AuthorizationExpired:
+        raise HTTPException(status_code=403, detail="Signature not verified")
+    except Web3AuthorizationWrongApplication:
+        raise HTTPException(status_code=403, detail="Signature not verified")
     except Web3VerificationError:
         raise HTTPException(status_code=403, detail="Signature not verified")
     except Exception:

brood/settings.py

@@ -3,8 +3,6 @@
 
 import stripe  # type: ignore
 
-APPLICATION_NAME = "brood"
-
 RAW_ORIGIN = os.environ.get("BROOD_CORS_ALLOWED_ORIGINS")
 if RAW_ORIGIN is None:
     raise ValueError(
@@ -98,3 +96,16 @@ def group_invite_link_from_env(code: str, email: Optional[str] = None) -> str:
 BROOD_OPENAPI_LIST_RAW = os.environ.get("BROOD_OPENAPI_LIST")
 if BROOD_OPENAPI_LIST_RAW is not None:
     BROOD_OPENAPI_LIST = BROOD_OPENAPI_LIST_RAW.split(",")
+
+# Web3 signature
+BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER_RAW = os.environ.get(
+    "BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER"
+)
+if BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER_RAW is not None:
+    BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER = (
+        BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER_RAW
+    )
+else:
+    raise ValueError(
+        "BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER environment variable must be set"
+    )

configs/sample.env

@@ -13,6 +13,9 @@ export MOONSTREAM_APPLICATION_ID="<moonstream_app_id>"
 export BUGOUT_BOT_INSTALLATION_TOKEN="<token_for_autogenerated_users>"
 export BUGOUT_BOT_INSTALLATION_TOKEN_HEADER="<bugout_installation_token_header>"
 
+# Web3 signature variables
+export BUGOUT_WEB3_SIGNATURE_APPLICATION_HEADER="x-bugout-web3-signature-application"
+
 # Set the following variables in the most reasonable manner for your development environment
 export STRIPE_SECRET_KEY="<Stripe_API_secret_key>"
 export STRIPE_SIGNING_SECRET="<Stripe_Webhook_signing_key>"