lightningdevkit
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 7 additions & 1 deletion b/‎Cargo.toml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎src/client.rs‎
Lines changed: 24 additions & 1 deletion b/‎src/client.rs‎
Lines changed: 24 additions & 1 deletion
diff --git a/‎src/headers/lnurl_auth_jwt.rs‎
Lines changed: 299 additions & 0 deletions b/‎src/headers/lnurl_auth_jwt.rs‎
Lines changed: 299 additions & 0 deletions
@@ -1,2 +1,3 @@
 /target
 /src/proto/
+/Cargo.lock
@@ -13,9 +13,15 @@ build = "build.rs"
 
 [dependencies]
 prost = "0.11.6"
-reqwest = { version = "0.11.13", default-features = false, features = ["rustls-tls"] }
+reqwest = { version = "0.11.13", default-features = false, features = ["rustls-tls", "json"] }
 tokio = { version = "1", default-features = false, features = ["time"] }
 rand = "0.8.5"
+bitcoin = "0.30.2"
+async-trait = "0.1.77"
+url = "2.5.0"
+base64 = "0.21.7"
+serde = { version = "1.0.196", features = ["serde_derive"] }
+serde_json = "1.0.113"
 
 [target.'cfg(genproto)'.build-dependencies]
 prost-build = { version = "0.11.3" }
 
@@ -1,10 +1,14 @@
 use prost::Message;
 use reqwest;
+use reqwest::header::HeaderMap;
 use reqwest::header::CONTENT_TYPE;
 use reqwest::Client;
 use std::default::Default;
+use std::sync::Arc;
 
 use crate::error::VssError;
+use crate::headers::FixedHeaders;
+use crate::headers::HeaderProvider;
 use crate::types::{
 DeleteObjectRequest, DeleteObjectResponse, GetObjectRequest, GetObjectResponse, ListKeyVersionsRequest,
 ListKeyVersionsResponse, PutObjectRequest, PutObjectResponse,
@@ -23,6 +27,7 @@ where
 base_url: String,
 client: Client,
 retry_policy: R,
+header_provider: Arc<dyn HeaderProvider>,
 }
 
 impl<R: RetryPolicy<E = VssError>> VssClient<R> {
@@ -34,7 +39,19 @@ impl<R: RetryPolicy<E = VssError>> VssClient<R> {
 
 /// Constructs a [`VssClient`] from a given [`reqwest::Client`], using `base_url` as the VSS server endpoint.
 pub fn from_client(base_url: &str, client: Client, retry_policy: R) -> Self {
-Self { base_url: String::from(base_url), client, retry_policy }
+Self {
+base_url: String::from(base_url),
+client,
+retry_policy,
+header_provider: Arc::new(FixedHeaders::new(HeaderMap::new())),
+}
+}
+
+/// Constructs a [`VssClient`] using `base_url` as the VSS server endpoint.
+/// HTTP headers will be provided by the given `header_provider`.
+pub fn new_with_headers(base_url: &str, retry_policy: R, header_provider: Arc<dyn HeaderProvider>) -> Self {
+let client = Client::new();
+Self { base_url: String::from(base_url), client, retry_policy, header_provider }
 }
 
 /// Returns the underlying base URL.
@@ -111,10 +128,16 @@ impl<R: RetryPolicy<E = VssError>> VssClient<R> {
 
 async fn post_request<Rq: Message, Rs: Message + Default>(&self, request: &Rq, url: &str) -> Result<Rs, VssError> {
 let request_body = request.encode_to_vec();
+let headers = self
+.header_provider
+.get_headers()
+.await
+.map_err(|e| VssError::InternalError(e.to_string()))?;
 let response_raw = self
 .client
 .post(url)
 .header(CONTENT_TYPE, APPLICATION_OCTET_STREAM)
+.headers(headers)
 .body(request_body)
 .send()
 .await?;
 
@@ -0,0 +1,299 @@
+use crate::headers::HeaderProvider;
+use crate::headers::HeaderProviderError;
+use async_trait::async_trait;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::Engine;
+use bitcoin::bip32::{ChildNumber, DerivationPath, ExtendedPrivKey};
+use bitcoin::hashes::hex::FromHex;
+use bitcoin::hashes::sha256;
+use bitcoin::hashes::{Hash, HashEngine, Hmac, HmacEngine};
+use bitcoin::secp256k1::{All, Message, Secp256k1};
+use bitcoin::Network;
+use bitcoin::PrivateKey;
+use reqwest::header::HeaderMap;
+use reqwest::header::AUTHORIZATION;
+use serde::Deserialize;
+use std::str::FromStr;
+use std::sync::Mutex;
+use std::time::SystemTime;
+use url::Url;
+
+// Derivation index of the parent extended private key as defined by LUD-05.
+const PARENT_DERIVATION_INDEX: u32 = 138;
+// Derivation index of the hashing private key as defined by LUD-05.
+const HASHING_DERIVATION_INDEX: u32 = 0;
+// The JWT token will be refreshed by the given amount before its expiry.
+const EXPIRY_BUFFER_SECS: u64 = 60;
+// The key of the LNURL k1 query parameter.
+const K1_QUERY_PARAM: &str = "k1";
+// The key of the LNURL sig query parameter.
+const SIG_QUERY_PARAM: &str = "sig";
+// The key of the LNURL key query parameter.
+const KEY_QUERY_PARAM: &str = "key";
+
+/// Provides a JWT token based on LNURL Auth.
+/// The LNURL and JWT token are exchanged over a Websocket connection.
+pub struct LnurlAuthJwt {
+engine: Secp256k1<All>,
+parent_key: ExtendedPrivKey,
+url: String,
+headers: HeaderMap,
+client: reqwest::Client,
+jwt_token: Mutex<Option<String>>,
+expiry: Mutex<Option<u64>>,
+}
+
+impl LnurlAuthJwt {
+/// Creates a new JWT provider based on LNURL Auth.
+///
+/// The LNURL Auth keys are derived based on the wallet seed according to LUD-05.
+/// The LNURL with the challenge will be retrieved by making a request to the given URL.
+/// The JWT token will be returned in response to the signed LNURL request under a token field.
+/// The given set of headers will be used for LNURL requests, and will also be returned together
+/// with the JWT authorization header for VSS requests.
+pub fn new(seed: &[u8], url: String, headers: Vec<(String, String)>) -> Result<LnurlAuthJwt, HeaderProviderError> {
+let engine = Secp256k1::new();
+let master = ExtendedPrivKey::new_master(Network::Testnet, seed).map_err(HeaderProviderError::from)?;
+let child_number =
+ChildNumber::from_hardened_idx(PARENT_DERIVATION_INDEX).map_err(HeaderProviderError::from)?;
+let parent_key = master
+.derive_priv(&engine, &vec![child_number])
+.map_err(HeaderProviderError::from)?;
+let mut headermap = HeaderMap::new();
+for (name, value) in headers {
+headermap.insert(
+reqwest::header::HeaderName::from_str(&name).map_err(HeaderProviderError::from)?,
+reqwest::header::HeaderValue::from_str(&value).map_err(HeaderProviderError::from)?,
+);
+}
+let client = reqwest::Client::builder()
+.default_headers(headermap.clone())
+.build()
+.map_err(HeaderProviderError::from)?;
+
+Ok(LnurlAuthJwt {
+engine,
+parent_key,
+url,
+headers: headermap,
+client,
+jwt_token: Mutex::new(None),
+expiry: Mutex::new(None),
+})
+}
+
+async fn fetch_jwt_token(&self) -> Result<String, HeaderProviderError> {
+// Fetch the LNURL.
+let lnurl_str = self
+.client
+.get(&self.url)
+.send()
+.await
+.map_err(HeaderProviderError::from)?
+.text()
+.await
+.map_err(HeaderProviderError::from)?;
+
+// Sign the LNURL and perform the request.
+let signed_lnurl = sign_lnurl(&self.engine, &self.parent_key, &lnurl_str)?;
+let lnurl_auth_response: LnurlAuthResponse = self
+.client
+.get(&signed_lnurl)
+.send()
+.await
+.map_err(HeaderProviderError::from)?
+.json()
+.await
+.map_err(HeaderProviderError::from)?;
+
+match lnurl_auth_response {
+LnurlAuthResponse { token: Some(token), .. } => Ok(token),
+LnurlAuthResponse { reason: Some(reason), .. } => {
+Err(HeaderProviderError::ApplicationError(format!("LNURL Auth failed, reason is: {}", reason)))
+}
+_ => Err(HeaderProviderError::InvalidData(
+"LNURL Auth response did not contain a token nor an error".to_string(),
+)),
+}
+}
+
+async fn get_jwt_token(&self, force_refresh: bool) -> Result<String, HeaderProviderError> {
+if !self.is_expired() && !force_refresh {
+let jwt_token = self.jwt_token.lock().unwrap();
+if let Some(jwt_token) = jwt_token.as_deref() {
+return Ok(jwt_token.to_string());
+}
+}
+let jwt_token = self.fetch_jwt_token().await?;
+let expiry = parse_expiry(&jwt_token)?;
+*self.jwt_token.lock().unwrap() = Some(jwt_token.clone());
+*self.expiry.lock().unwrap() = expiry;
+Ok(jwt_token)
+}
+
+fn is_expired(&self) -> bool {
+self.expiry
+.lock()
+.unwrap()
+.map(|expiry| {
+SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs() + EXPIRY_BUFFER_SECS
+> expiry
+})
+.unwrap_or(false)
+}
+}
+
+#[async_trait]
+impl HeaderProvider for LnurlAuthJwt {
+async fn get_headers(&self) -> Result<HeaderMap, HeaderProviderError> {
+let jwt_token = self.get_jwt_token(false).await?;
+let mut headers = self.headers.clone();
+let value = format!("Bearer {}", jwt_token).parse().map_err(HeaderProviderError::from)?;
+headers.insert(AUTHORIZATION, value);
+Ok(headers)
+}
+}
+
+fn hashing_key(engine: &Secp256k1<All>, parent_key: &ExtendedPrivKey) -> Result<PrivateKey, HeaderProviderError> {
+let hashing_child_number =
+ChildNumber::from_normal_idx(HASHING_DERIVATION_INDEX).map_err(HeaderProviderError::from)?;
+parent_key
+.derive_priv(engine, &vec![hashing_child_number])
+.map(|xpriv| xpriv.to_priv())
+.map_err(HeaderProviderError::from)
+}
+
+fn linking_key_path(hashing_key: &PrivateKey, domain_name: &str) -> Result<DerivationPath, HeaderProviderError> {
+let mut engine = HmacEngine::<sha256::Hash>::new(&hashing_key.inner[..]);
+engine.input(domain_name.as_bytes());
+let result = Hmac::<sha256::Hash>::from_engine(engine).to_byte_array();
+let children: Vec<ChildNumber> = (0..4)
+.map(|i| u32::from_be_bytes(result[(i * 4)..((i + 1) * 4)].try_into().unwrap()))
+.map(ChildNumber::from)
+.collect::<Vec<_>>();
+Ok(DerivationPath::from(children))
+}
+
+fn sign_lnurl(
+engine: &Secp256k1<All>, parent_key: &ExtendedPrivKey, lnurl_str: &str,
+) -> Result<String, HeaderProviderError> {
+// Parse k1 parameter to sign.
+let invalid_lnurl = || HeaderProviderError::InvalidData(format!("invalid lnurl: {}", lnurl_str));
+let mut lnurl = Url::parse(lnurl_str).map_err(|_| invalid_lnurl())?;
+let domain = lnurl.domain().ok_or(invalid_lnurl())?;
+let k1_str = lnurl
+.query_pairs()
+.find(|(k, _)| k == K1_QUERY_PARAM)
+.ok_or(invalid_lnurl())?
+.1
+.to_string();
+let k1: [u8; 32] = FromHex::from_hex(&k1_str).map_err(|_| invalid_lnurl())?;
+
+// Sign k1 parameter with linking key.
+let hashing_key = hashing_key(engine, parent_key)?;
+let linking_key_path = linking_key_path(&hashing_key, domain)?;
+let private_key = parent_key
+.derive_priv(engine, &linking_key_path)
+.map_err(HeaderProviderError::from)?
+.to_priv();
+let public_key = private_key.public_key(engine);
+let message =
+Message::from_slice(&k1).map_err(|_| HeaderProviderError::InvalidData(format!("invalid k1: {:?}", k1)))?;
+let sig = engine.sign_ecdsa(&message, &private_key.inner);
+
+// Compose LNURL with signature and linking key.
+lnurl
+.query_pairs_mut()
+.append_pair(SIG_QUERY_PARAM, &sig.serialize_der().to_string())
+.append_pair(KEY_QUERY_PARAM, &public_key.to_string());
+Ok(lnurl.to_string())
+}
+
+#[derive(Deserialize)]
+struct LnurlAuthResponse {
+reason: Option<String>,
+token: Option<String>,
+}
+
+#[derive(Deserialize)]
+struct ExpiryClaim {
+exp: Option<u64>,
+}
+
+fn parse_expiry(jwt_token: &str) -> Result<Option<u64>, HeaderProviderError> {
+let parts: Vec<&str> = jwt_token.split('.').collect();
+let invalid = || HeaderProviderError::InvalidData(format!("invalid JWT token: {}", jwt_token));
+if parts.len() != 3 {
+return Err(invalid());
+}
+let bytes = URL_SAFE_NO_PAD.decode(parts[1]).map_err(|_| invalid())?;
+let claim: ExpiryClaim = serde_json::from_slice(&bytes).map_err(|_| invalid())?;
+Ok(claim.exp)
+}
+
+impl From<bitcoin::bip32::Error> for HeaderProviderError {
+fn from(e: bitcoin::bip32::Error) -> HeaderProviderError {
+HeaderProviderError::InvalidData(e.to_string())
+}
+}
+
+impl From<reqwest::header::InvalidHeaderName> for HeaderProviderError {
+fn from(e: reqwest::header::InvalidHeaderName) -> HeaderProviderError {
+HeaderProviderError::InvalidData(e.to_string())
+}
+}
+
+impl From<reqwest::header::InvalidHeaderValue> for HeaderProviderError {
+fn from(e: reqwest::header::InvalidHeaderValue) -> HeaderProviderError {
+HeaderProviderError::InvalidData(e.to_string())
+}
+}
+
+impl From<reqwest::Error> for HeaderProviderError {
+fn from(e: reqwest::Error) -> HeaderProviderError {
+HeaderProviderError::RequestError(e.to_string())
+}
+}
+
+#[cfg(test)]
+mod test {
+use crate::headers::lnurl_auth_jwt::{linking_key_path, sign_lnurl};
+use bitcoin::bip32::ExtendedPrivKey;
+use bitcoin::hashes::hex::FromHex;
+use bitcoin::secp256k1::Secp256k1;
+use bitcoin::secp256k1::SecretKey;
+use bitcoin::Network;
+use bitcoin::PrivateKey;
+use std::str::FromStr;
+
+#[test]
+fn test_linking_key_path() {
+// Test vector from:
+// https://github.com/lnurl/luds/blob/43cf7754de2033987a7661afc8b4a3998914a536/05.md
+let hashing_key = PrivateKey::new(
+SecretKey::from_str("7d417a6a5e9a6a4a879aeaba11a11838764c8fa2b959c242d43dea682b3e409b").unwrap(),
+Network::Testnet, // The network only matters for serialization.
+);
+let path = linking_key_path(&hashing_key, "site.com").unwrap();
+let numbers: Vec<u32> = path.into_iter().map(|c| u32::from(c.clone())).collect();
+assert_eq!(numbers, vec![1588488367, 2659270754, 38110259, 4136336762]);
+}
+
+#[test]
+fn test_sign_lnurl() {
+let engine = Secp256k1::new();
+let seed: [u8; 32] =
+FromHex::from_hex("abababababababababababababababababababababababababababababababab").unwrap();
+let master = ExtendedPrivKey::new_master(Network::Testnet, &seed).unwrap();
+let signed = sign_lnurl(
+&engine,
+&master,
+"https://example.com/path?tag=login&k1=e2af6254a8df433264fa23f67eb8188635d15ce883e8fc020989d5f82ae6f11e",
+)
+.unwrap();
+assert_eq!(
+signed,
+"https://example.com/path?tag=login&k1=e2af6254a8df433264fa23f67eb8188635d15ce883e8fc020989d5f82ae6f11e&sig=3045022100a75df468de452e618edb8030016eb0894204655c7d93ece1be007fcf36843522022048bc2f00a0a5a30601d274b49cfaf9ef4c76176e5401d0dfb195f5d6ab8ab4c4&key=02d9eb1b467517d685e3b5439082c14bb1a2c9ae672df4d9046d208c193a5846e0",
+);
+}
+}
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`/target`
`2`	`2`	`/src/proto/`
	`3`	`+/Cargo.lock`