einundzwanzig/einundzwanzig-verein
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-nostr.git synced 2026-05-23 13:15:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6bb7d93d1dc7b87f95367522c25c6f2452ab3bec
einundzwanzig-verein/app/Livewire/Traits/WithNostrAuth.php
T
HolgerHatGarKeineNode 6bb7d93d1d feat(auth): require signed NIP-42 event for Nostr login 
Closes a security flaw where the server trusted any pubkey the client
sent. The frontend now signs a per-session, time-bound challenge
(kind-22242 event) that the backend verifies with swentel/nostr-php
before establishing the session.

- NostrAuth: issueChallenge() + loginWithSignedEvent() with full
  schnorr/id verification, TTL window, and idempotent re-entry for
  concurrent Livewire listeners.
- auth-button: mounts a fresh challenge, exposes it via data-attribute
  + requestNostrChallenge() fallback, renders a full-viewport AAA-style
  loading overlay while the wallet signs.
- NostrSessionGuard: override logout() to drop the cookie-jar dep so
  programmatic logout works in any context.
2026-05-20 01:09:20 +02:00

71 lines
1.7 KiB
PHP
Raw Blame History

<?php
namespace App\Livewire\Traits;
use App\Models\EinundzwanzigPleb;
use App\Support\NostrAuth;
use Illuminate\Support\Facades\RateLimiter;
use Livewire\Attributes\On;
trait WithNostrAuth
{
public ?string $currentPubkey = null;
public ?object $currentPleb = null;
public bool $isAllowed = false;
public bool $canEdit = false;
#[On('nostrLoggedIn')]
public function handleNostrLogin($signedEvent = null): void
{
$executed = RateLimiter::attempt(
'nostr-login:'.request()->ip(),
10,
function () {},
);
if (! $executed) {
abort(429, 'Too many login attempts.');
}
$pubkey = NostrAuth::loginWithSignedEvent($signedEvent);
$this->currentPubkey = $pubkey;
$this->currentPleb = EinundzwanzigPleb::query()
->where('pubkey', $pubkey)
->first();
if ($this->currentPleb && $this->currentPleb->isBoardMember()) {
$this->canEdit = true;
}
$this->isAllowed = true;
}
#[On('nostrLoggedOut')]
public function handleNostrLogout(): void
{
NostrAuth::logout();
$this->isAllowed = false;
$this->currentPubkey = null;
$this->currentPleb = null;
$this->canEdit = false;
}
public function mountWithNostrAuth(): void
{
if ($user = NostrAuth::user()) {
$this->currentPubkey = $user->getPubkey();
$this->currentPleb = $user->getPleb();
$this->isAllowed = true;
if ($this->currentPleb && $this->currentPleb->isBoardMember()) {
$this->canEdit = true;
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink