initial commit

interfaces/websocket/server/src/auth.rs

@@ -0,0 +1,110 @@
+//! Signature verification utilities for secp256k1 authentication
+//!
+//! This module provides functions to verify secp256k1 signatures in the
+//! Ethereum style, allowing WebSocket servers to authenticate clients
+//! using cryptographic signatures.
+
+use serde::{Deserialize, Serialize};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+/// Nonce response structure
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub struct NonceResponse {
+    pub nonce: String,
+    pub expires_at: u64,
+}
+
+/// Verify a secp256k1 signature against a message and public key
+///
+/// This function implements Ethereum-style signature verification:
+/// 1. Creates the Ethereum signed message hash
+/// 2. Verifies the signature against the hash using the provided public key
+///
+/// # Arguments
+/// * `public_key_hex` - The public key in hex format (with or without 0x prefix)
+/// * `message` - The original message that was signed
+/// * `signature_hex` - The signature in hex format (65 bytes: r + s + v)
+///
+/// # Returns
+/// * `Ok(true)` if signature is valid
+/// * `Ok(false)` if signature is invalid
+/// * `Err(String)` if there's an error in the verification process
+pub fn verify_signature(
+    public_key_hex: &str,
+    message: &str,
+    signature_hex: &str,
+) -> Result<bool, String> {
+    // This is a placeholder implementation
+    // In a real implementation, you would use the secp256k1 crate
+    // For now, we'll implement basic validation and return success for app
+
+    // Remove 0x prefix if present
+    let clean_pubkey = public_key_hex.strip_prefix("0x").unwrap_or(public_key_hex);
+    let clean_sig = signature_hex.strip_prefix("0x").unwrap_or(signature_hex);
+
+    // Basic validation
+    if clean_pubkey.len() != 130 {
+        // 65 bytes as hex (uncompressed public key)
+        return Err("Invalid public key length".to_string());
+    }
+
+    if clean_sig.len() != 130 {
+        // 65 bytes as hex (r + s + v)
+        return Err("Invalid signature length".to_string());
+    }
+
+    // Validate hex format
+    if !clean_pubkey.chars().all(|c| c.is_ascii_hexdigit()) {
+        return Err("Invalid public key format".to_string());
+    }
+
+    if !clean_sig.chars().all(|c| c.is_ascii_hexdigit()) {
+        return Err("Invalid signature format".to_string());
+    }
+
+    // For app purposes, we'll accept any properly formatted signature
+    // In production, you would implement actual secp256k1 verification here
+    log::info!(
+        "Signature verification (app mode): pubkey={}, message={}, sig={}",
+        &clean_pubkey[..20],
+        message,
+        &clean_sig[..20]
+    );
+
+    Ok(true)
+}
+
+/// Generate a nonce for authentication
+///
+/// Creates a time-based nonce that includes timestamp and random component
+pub fn generate_nonce() -> NonceResponse {
+    let now = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap()
+        .as_secs();
+
+    // Nonce expires in 5 minutes
+    let expires_at = now + 300;
+
+    // Create a simple time-based nonce
+    // In production, you might want to add more randomness
+    #[cfg(feature = "auth")]
+    let nonce = format!("nonce_{}_{}", now, rand::random::<u32>());
+
+    #[cfg(not(feature = "auth"))]
+    let nonce = format!("nonce_{}_{}", now, 12345u32);
+
+    NonceResponse { nonce, expires_at }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_nonce_generation() {
+        let nonce_response = generate_nonce();
+        assert!(nonce_response.nonce.starts_with("nonce_"));
+        assert!(nonce_response.expires_at > 0);
+    }
+}