(ctx context.Context, w http.ResponseWriter, r *http.Request, params *Web3GrantParams)
| 52 | } |
| 53 | |
| 54 | func (a *API) web3GrantSolana(ctx context.Context, w http.ResponseWriter, r *http.Request, params *Web3GrantParams) error { |
| 55 | config := a.config |
| 56 | db := a.db.WithContext(ctx) |
| 57 | |
| 58 | if len(params.Message) < 64 { |
| 59 | return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "message is too short") |
| 60 | } else if len(params.Message) > 20*1024 { |
| 61 | return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "message must not exceed 20KB") |
| 62 | } |
| 63 | |
| 64 | if len(params.Signature) != 86 && len(params.Signature) != 88 { |
| 65 | return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "signature must be 64 bytes encoded as base64 with or without padding") |
| 66 | } |
| 67 | |
| 68 | base64URLSignature := strings.ReplaceAll(strings.ReplaceAll(strings.TrimRight(params.Signature, "="), "+", "-"), "/", "_") |
| 69 | signatureBytes, err := base64.RawURLEncoding.DecodeString(base64URLSignature) |
| 70 | if err != nil { |
| 71 | return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "signature does not contain valid base64 characters") |
| 72 | } |
| 73 | |
| 74 | parsedMessage, err := siws.ParseMessage(params.Message) |
| 75 | if err != nil { |
| 76 | return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "%s", err.Error()) |
| 77 | } |
| 78 | |
| 79 | if !parsedMessage.VerifySignature(signatureBytes) { |
| 80 | return apierrors.NewOAuthError("invalid_grant", "Signature does not match address in message") |
| 81 | } |
| 82 | |
| 83 | if parsedMessage.URI.Scheme != "https" && parsedMessage.URI.Hostname() != "localhost" { |
| 84 | return apierrors.NewOAuthError("invalid_grant", "Signed Solana message is using URI which does not use HTTPS") |
| 85 | } |
| 86 | |
| 87 | if !utilities.IsRedirectURLValid(config, parsedMessage.URI.String()) { |
| 88 | return apierrors.NewOAuthError("invalid_grant", "Signed Solana message is using URI which is not allowed on this server, message was signed for another app") |
| 89 | } |
| 90 | |
| 91 | if parsedMessage.URI.Hostname() != "localhost" && (parsedMessage.URI.Host != parsedMessage.Domain || !utilities.IsRedirectURLValid(config, "https://"+parsedMessage.Domain+"/")) { |
| 92 | return apierrors.NewOAuthError("invalid_grant", "Signed Solana message is using a Domain that does not match the one in URI which is not allowed on this server") |
| 93 | } |
| 94 | |
| 95 | now := a.Now() |
| 96 | |
| 97 | if !parsedMessage.NotBefore.IsZero() && now.Before(parsedMessage.NotBefore) { |
| 98 | return apierrors.NewOAuthError("invalid_grant", "Signed Solana message becomes valid in the future") |
| 99 | } |
| 100 | |
| 101 | if !parsedMessage.ExpirationTime.IsZero() && now.After(parsedMessage.ExpirationTime) { |
| 102 | return apierrors.NewOAuthError("invalid_grant", "Signed Solana message is expired") |
| 103 | } |
| 104 | |
| 105 | latestExpiryAt := parsedMessage.IssuedAt.Add(config.External.Web3Solana.MaximumValidityDuration) |
| 106 | |
| 107 | if now.After(latestExpiryAt) { |
| 108 | return apierrors.NewOAuthError("invalid_grant", "Solana message was issued too long ago") |
| 109 | } |
| 110 | |
| 111 | earliestIssuedAt := parsedMessage.IssuedAt.Add(-config.External.Web3Solana.MaximumValidityDuration) |
no test coverage detected