[feat] Nostr Login (lnbits#2703)

---------

Co-authored-by: dni ⚡ <[email protected]>

Author: motorina0

.env.example

@@ -140,7 +140,7 @@ BREEZ_GREENLIGHT_DEVICE_CERT="/path/to/breezsdk/device.crt"  # or BASE64/HEXSTRI
 # Secret Key: will default to the hash of the super user. It is strongly recommended that you set your own value.
 AUTH_SECRET_KEY=""
 AUTH_TOKEN_EXPIRE_MINUTES=525600
-# Possible authorization methods: user-id-only, username-password, google-auth, github-auth, keycloak-auth
+# Possible authorization methods: user-id-only, username-password, nostr-auth-nip98, google-auth, github-auth, keycloak-auth
 AUTH_ALLOWED_METHODS="user-id-only, username-password"
 # Set this flag if HTTP is used for OAuth
 # OAUTHLIB_INSECURE_TRANSPORT="1"

lnbits/commands.py

@@ -4,7 +4,6 @@
 from functools import wraps
 from pathlib import Path
 from typing import List, Optional, Tuple
-from urllib.parse import urlparse
 
 import click
 import httpx
@@ -30,7 +29,7 @@
     ExtensionRelease,
     InstallableExtension,
 )
-from lnbits.core.helpers import migrate_databases
+from lnbits.core.helpers import is_valid_url, migrate_databases
 from lnbits.core.models import Payment, PaymentState
 from lnbits.core.services import check_admin_settings
 from lnbits.core.views.extension_api import (
@@ -328,7 +327,7 @@ async def extensions_update(
     if extension and all_extensions:
         click.echo("Only one of extension ID or the '--all' flag must be specified")
         return
-    if url and not _is_url(url):
+    if url and not is_valid_url(url):
         click.echo(f"Invalid '--url' option value: {url}")
         return
 
@@ -402,7 +401,7 @@ async def extensions_install(
 ):
     """Install a extension"""
     click.echo(f"Installing {extension}... {repo_index}")
-    if url and not _is_url(url):
+    if url and not is_valid_url(url):
         click.echo(f"Invalid '--url' option value: {url}")
         return
 
@@ -430,7 +429,7 @@ async def extensions_uninstall(
     """Uninstall a extension"""
     click.echo(f"Uninstalling '{extension}'...")
 
-    if url and not _is_url(url):
+    if url and not is_valid_url(url):
         click.echo(f"Invalid '--url' option value: {url}")
         return
 
@@ -659,11 +658,3 @@ async def _is_lnbits_started(url: Optional[str]):
             return True
     except Exception:
         return False
-
-
-def _is_url(url):
-    try:
-        result = urlparse(url)
-        return all([result.scheme, result.netloc])
-    except ValueError:
-        return False

lnbits/core/crud.py

@@ -31,6 +31,7 @@
     PaymentHistoryPoint,
     TinyURL,
     UpdateUserPassword,
+    UpdateUserPubkey,
     User,
     UserConfig,
     Wallet,
@@ -41,6 +42,7 @@
 async def create_account(
     user_id: Optional[str] = None,
     username: Optional[str] = None,
+    pubkey: Optional[str] = None,
     email: Optional[str] = None,
     password: Optional[str] = None,
     user_config: Optional[UserConfig] = None,
@@ -52,14 +54,17 @@ async def create_account(
     now_ph = db.timestamp_placeholder("now")
     await (conn or db).execute(
         f"""
-        INSERT INTO accounts (id, username, pass, email, extra, created_at, updated_at)
-        VALUES (:user, :username, :password, :email, :extra, {now_ph}, {now_ph})
+        INSERT INTO accounts
+            (id, username, pass, email, pubkey, extra, created_at, updated_at)
+        VALUES
+            (:user, :username, :password, :email, :pubkey, :extra, {now_ph}, {now_ph})
         """,
         {
             "user": user_id,
             "username": username,
             "password": password,
             "email": email,
+            "pubkey": pubkey,
             "extra": extra,
             "now": now,
         },
@@ -88,7 +93,7 @@ async def update_account(
     if username:
         assert not user.username or username == user.username, "Cannot change username."
         account = await get_account_by_username(username)
-        assert not account or account.id == user_id, "Username already in exists."
+        assert not account or account.id == user_id, "Username already exists."
 
     username = user.username or username
     email = user.email or email
@@ -161,7 +166,7 @@ async def get_account(
 ) -> Optional[User]:
     row = await (conn or db).fetchone(
         """
-           SELECT id, email, username, created_at, updated_at, extra
+           SELECT id, email, username, pubkey, created_at, updated_at, extra
            FROM accounts WHERE id = :id
         """,
         {"id": user_id},
@@ -210,28 +215,56 @@ async def verify_user_password(user_id: str, password: str) -> bool:
     return pwd_context.verify(password, existing_password)
 
 
-# TODO: , conn: Optional[Connection] = None ??, maybe also not a crud function
-async def update_user_password(data: UpdateUserPassword) -> Optional[User]:
-    assert data.password == data.password_repeat, "Passwords do not match."
+async def update_user_password(data: UpdateUserPassword, last_login_time: int) -> User:
 
-    # old accounts do not have a pasword
-    if await get_user_password(data.user_id):
-        assert data.password_old, "Missing old password"
-        old_pwd_ok = await verify_user_password(data.user_id, data.password_old)
-        assert old_pwd_ok, "Invalid credentials."
+    assert 0 <= time() - last_login_time <= settings.auth_credetials_update_threshold, (
+        "You can only update your credentials in the first"
+        f" {settings.auth_credetials_update_threshold} seconds after login."
+        " Please login again!"
+    )
+    assert data.password == data.password_repeat, "Passwords do not match."
 
     pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
 
-    now = int(time())
-    now_ph = db.timestamp_placeholder("now")
     await db.execute(
         f"""
-        UPDATE accounts SET pass = :pass, updated_at = {now_ph}
+        UPDATE accounts
+        SET pass = :pass, updated_at = {db.timestamp_placeholder("now")}
         WHERE id = :user
         """,
         {
             "pass": pwd_context.hash(data.password),
-            "now": now,
+            "now": int(time()),
+            "user": data.user_id,
+        },
+    )
+
+    user = await get_user(data.user_id)
+    assert user, "Updated account couldn't be retrieved"
+    return user
+
+
+async def update_user_pubkey(data: UpdateUserPubkey, last_login_time: int) -> User:
+
+    assert 0 <= time() - last_login_time <= settings.auth_credetials_update_threshold, (
+        "You can only update your credentials in the first"
+        f" {settings.auth_credetials_update_threshold} seconds after login."
+        " Please login again!"
+    )
+
+    user = await get_account_by_pubkey(data.pubkey)
+    if user:
+        assert user.id == data.user_id, "Public key already in use."
+
+    await db.execute(
+        f"""
+        UPDATE accounts
+        SET pubkey = :pubkey, updated_at = {db.timestamp_placeholder("now")}
+        WHERE id = :user
+        """,
+        {
+            "pubkey": data.pubkey,
+            "now": int(time()),
             "user": data.user_id,
         },
     )
@@ -246,7 +279,7 @@ async def get_account_by_username(
 ) -> Optional[User]:
     row = await (conn or db).fetchone(
         """
-        SELECT id, username, email, created_at, updated_at
+        SELECT id, username, pubkey, email, created_at, updated_at
         FROM accounts WHERE username = :username
         """,
         {"username": username},
@@ -255,12 +288,26 @@ async def get_account_by_username(
     return User(**row) if row else None
 
 
+async def get_account_by_pubkey(
+    pubkey: str, conn: Optional[Connection] = None
+) -> Optional[User]:
+    row = await (conn or db).fetchone(
+        """
+        SELECT id, username, pubkey, email, created_at, updated_at
+        FROM accounts WHERE pubkey = :pubkey
+        """,
+        {"pubkey": pubkey},
+    )
+
+    return User(**row) if row else None
+
+
 async def get_account_by_email(
     email: str, conn: Optional[Connection] = None
 ) -> Optional[User]:
     row = await (conn or db).fetchone(
         """
-        SELECT id, username, email, created_at, updated_at
+        SELECT id, username, pubkey, email, created_at, updated_at
         FROM accounts WHERE email = :email
         """,
         {"email": email},
@@ -281,7 +328,7 @@ async def get_account_by_username_or_email(
 async def get_user(user_id: str, conn: Optional[Connection] = None) -> Optional[User]:
     user = await (conn or db).fetchone(
         """
-        SELECT id, email, username, pass, extra, created_at, updated_at
+        SELECT id, email, username, pubkey, pass, extra, created_at, updated_at
         FROM accounts WHERE id = :id
         """,
         {"id": user_id},
@@ -306,6 +353,7 @@ async def get_user(user_id: str, conn: Optional[Connection] = None) -> Optional[
         id=user["id"],
         email=user["email"],
         username=user["username"],
+        pubkey=user["pubkey"],
         extensions=[
             e for e in extensions if User.is_extension_for_user(e[0], user["id"])
         ],

lnbits/core/helpers.py

@@ -1,6 +1,7 @@
 import importlib
 import re
 from typing import Any
+from urllib.parse import urlparse
 from uuid import UUID
 
 from loguru import logger
@@ -103,3 +104,11 @@ async def migrate_databases():
             logger.exception(f"Error migrating extension {ext.code}: {e}")
 
     logger.info("✔️ All migrations done.")
+
+
+def is_valid_url(url):
+    try:
+        result = urlparse(url)
+        return all([result.scheme, result.netloc])
+    except ValueError:
+        return False

lnbits/core/migrations.py

@@ -543,3 +543,13 @@ async def m021_add_success_failed_to_apipayments(db):
     )
     # TODO: drop column in next release
     # await db.execute("ALTER TABLE apipayments DROP COLUMN pending")
+
+
+async def m022_add_pubkey_to_accounts(db):
+    """
+    Adds pubkey column to accounts.
+    """
+    try:
+        await db.execute("ALTER TABLE accounts ADD COLUMN pubkey TEXT")
+    except OperationalError:
+        pass

lnbits/core/models.py

@@ -138,6 +138,7 @@ class User(BaseModel):
     id: str
     email: Optional[str] = None
     username: Optional[str] = None
+    pubkey: Optional[str] = None
     extensions: list[str] = []
     wallets: list[Wallet] = []
     admin: bool = False
@@ -182,10 +183,15 @@ class UpdateUser(BaseModel):
 
 class UpdateUserPassword(BaseModel):
     user_id: str
+    password_old: Optional[str] = None
     password: str = Query(default=..., min_length=8, max_length=50)
     password_repeat: str = Query(default=..., min_length=8, max_length=50)
-    password_old: Optional[str] = Query(default=None, min_length=8, max_length=50)
-    username: Optional[str] = Query(default=..., min_length=2, max_length=20)
+    username: str = Query(default=..., min_length=2, max_length=20)
+
+
+class UpdateUserPubkey(BaseModel):
+    user_id: str
+    pubkey: str = Query(default=..., max_length=64)
 
 
 class UpdateSuperuserPassword(BaseModel):
@@ -203,6 +209,13 @@ class LoginUsernamePassword(BaseModel):
     password: str
 
 
+class AccessTokenPayload(BaseModel):
+    sub: str
+    usr: Optional[str] = None
+    email: Optional[str] = None
+    auth_time: Optional[int] = 0
+
+
 class PaymentState(str, Enum):
     PENDING = "pending"
     SUCCESS = "success"

lnbits/core/services.py

@@ -826,6 +826,7 @@ async def create_user_account(
     user_id: Optional[str] = None,
     email: Optional[str] = None,
     username: Optional[str] = None,
+    pubkey: Optional[str] = None,
     password: Optional[str] = None,
     wallet_name: Optional[str] = None,
     user_config: Optional[UserConfig] = None,
@@ -847,7 +848,9 @@ async def create_user_account(
     pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
     password = pwd_context.hash(password) if password else None
 
-    account = await create_account(user_id, username, email, password, user_config)
+    account = await create_account(
+        user_id, username, pubkey, email, password, user_config
+    )
     wallet = await create_wallet(user_id=account.id, wallet_name=wallet_name)
     account.wallets = [wallet]
 

lnbits/core/templates/admin/_tab_security.html

@@ -24,6 +24,40 @@ <h6 class="q-my-none q-mb-sm">Authentication</h6>
       </div>
     </div>
   </q-card-section>
+  <q-card-section
+    v-if="formData.auth_allowed_methods?.includes('nostr-auth-nip98')"
+    class="q-pl-xl"
+  >
+    <strong class="q-my-none q-mb-sm">Nostr Auth</strong>
+
+    <div class="row">
+      <div class="col-md-12 col-sm-12 q-pr-sm">
+        <q-input
+          filled
+          v-model="nostrAcceptedUrl"
+          @keydown.enter="addNostrUrl"
+          type="text"
+          label="Nostr Request URL"
+          hint="Absolute URL that the clients will use to login."
+        >
+          <q-btn @click="addNostrUrl" dense flat icon="add"></q-btn>
+        </q-input>
+      </div>
+      <div>
+        <div>
+          <q-chip
+            v-for="url in formData.nostr_absolute_request_urls"
+            :key="url"
+            removable
+            @remove="removeNostrUrl(url)"
+            color="primary"
+            text-color="white"
+            :label="url"
+          ></q-chip>
+        </div>
+      </div>
+    </div>
+  </q-card-section>
   <q-card-section
     v-if="formData.auth_allowed_methods?.includes('google-auth')"
     class="q-pl-xl"

lnbits/core/templates/admin/index.html

@@ -26,6 +26,7 @@
       :label="$t('restart')"
       color="primary"
       @click="restartServer"
+      class="q-ml-md"
     >
       <q-tooltip v-if="needsRestart">
         <span v-text="$t('restart_tooltip')"></span>