omniauth-trezorconnect 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 87705d9d851a9c40a94b044bd7e50c7c2a75ee88f140c7256587a064abfde940
+  data.tar.gz: e3f96ee1a6d8665d88e513584c16115d3912fa9e6a88c81b08b8077f978abfd9
+SHA512:
+  metadata.gz: f42c77e6288482583b732e1da0c4b8129ebccb2a004e4014a175166a24cb55dadd2412b3d53ce6414d14578af0dd8c6270621adf1c5d518ba47231d9add28279
+  data.tar.gz: b477bd8315c27f8e9c6374210e259fd265b7a22c8c944a0df3cb22d16422ef8deb9f22a748786396dd3ee402135d3ebd387208a0ab94081c0cad81e76e2f4524

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in omniauth-trezorconnect.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Jiri Kubicek
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,69 @@
+# omniauth-trezorconnect
+
+`omniauth-trezorconnect` provides an [OmniAuth][omniauth] strategy for [Trezor Connect Version 9][trezor_connect].
+
+With this strategy your users can use popular [Trezor Wallet][trezor] to login to your website.
+
+[omniauth]: https://github.com/omniauth/omniauth
+[trezor_connect]: https://github.com/trezor/trezor-suite/tree/develop/packages/connect
+[trezor]: https://trezor.io
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-trezorconnect'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install omniauth-trezorconnect
+
+## Usage
+
+In Rails app, add config/initializers/omniauth.rb:
+Trezor requires requires that you, as a Trezor Connect integrator, share your e-mail and application url with us. This provides with the ability to reach you in case of any required maintenance. This subscription is mandatory.
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :trezor, client_options: { 
+                        trezor_site: "https://examplesite.com",
+                        trezor_email: "email@example.com"
+                                    }
+end
+```
+### Options
+
+These are the options you can specify that are relevant to Omniauth Trezor:
+
+Challenge-response authentication via TREZOR. To protect against replay attacks, you must use a server-side generated and randomized challenge_hidden for every attempt. You can also provide a visual challenge that will be shown on the device.
+
+* `:visual_challenge` - Text that will be shown on the device (defaults to `Time.now.strftime("%Y-%m-%d %H:%M:%S")`)
+* `:hidden_challenge` - Hidden randomized hex string used to protect agains replay attacks (defaults to `SecureRandom.hex(32)`)
+
+### Callback phase
+
+After successful authentication `request.env['omniauth.auth'].extra` contains all data that was used to verify the signature: `visual_challenge`, `hidden_challenge`, `signature` and `public_key` for your additional needs (ie. audit log).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/karim-semmoud/omniauth-trezorconnect.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+## A Special thanks 
+This gem is based on the gem [omniauth-trezor](https://github.com/kraxnet/omniauth-trezor).
+A special thanks goes to [Kraxnet](https://github.com/kraxnet) for his amazing contribution
+
+## Whats new ?
+* Updgrade Trezor Connect from version 8 to version 9
+
+* Upgrade Omniauth gem from version 1 to version 2
+
+* Add mandatory App URL and Email to be shared with Trezor

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/omniauth/strategies/trezorconnect.rb

@@ -0,0 +1,114 @@
+require 'omniauth'
+require 'bitcoin'
+require 'securerandom'
+
+module OmniAuth
+  module Strategies
+    class Trezorconnect
+      include OmniAuth::Strategy
+
+      option :trezor_site
+      option :trezor_email
+      option :visual_challenge
+      option :hidden_challenge
+      option :fields, [:public_key, :signature]
+      option :uid_field, :public_key
+
+      def request_phase
+        visual_challenge = options[:challenge_visual]
+        visual_challenge ||= Time.now.strftime("%Y-%m-%d %H:%M:%S")
+
+        hidden_challenge = options[:hidden_challenge]
+        hidden_challenge ||= SecureRandom.hex(32)
+
+        trezor_site = options[:trezor_site]
+        trezor_email = options[:trezor_email]
+
+        session['omniauth.trezor_visual_challenge'] = visual_challenge
+        session['omniauth.trezor_hidden_challenge'] = hidden_challenge
+
+        OmniAuth::Form.build(
+          title: "Trezor Login",
+          url: callback_path,
+          header_info: <<-HTML
+            <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js" type="text/javascript"></script>
+            <script src="https://connect.trezor.io/9/trezor-connect.js"></script>
+            <script type='text/javascript'>
+              function trezorLogin() {
+                TrezorConnect.init({
+                  lazyLoad: true,
+                  manifest: {
+                    email: '#{trezor_email}',
+                    appUrl: '#{trezor_site}',
+                  },
+                });
+
+                TrezorConnect.requestLogin({
+                  challengeHidden: '#{hidden_challenge}',
+                  challengeVisual: '#{visual_challenge}'
+                })
+                .then((result) => {
+                  if (result.success) {
+                    $('input[name=public_key]').val(result.payload.publicKey);
+                    $('input[name=signature]').val(result.payload.signature);
+                    $('form').submit();
+                  } else {
+                    console.log('Error:', result.payload.error);
+                  }
+                });
+               
+              }
+              $(function() {
+                $('button').click(function() {
+                  trezorLogin();
+                  return false;
+                });
+              });
+            </script>
+          HTML
+        ) do |f|
+          f.input_field('hidden', 'public_key')
+          f.input_field('hidden', 'signature')
+          f.html "<p>Logging in at: #{visual_challenge}</p>"
+        end.to_response
+      end
+
+      def callback_phase
+        verified = verify_signature(
+            extra[:public_key],
+            extra[:signature],
+            extra[:hidden_challenge],
+            extra[:visual_challenge]
+        )
+        if verified
+          super
+        else
+          fail!(:invalid_credentials)
+        end
+      end
+
+      uid do
+        request.params['public_key']
+      end
+
+      extra do
+        {
+          hidden_challenge: session['omniauth.trezor_hidden_challenge'],
+          visual_challenge: session['omniauth.trezor_visual_challenge'],
+          public_key: request.params['public_key'],
+          signature: request.params['signature'],
+        }
+      end
+
+
+      private
+      def verify_signature(pubkey, signature, challenge_hidden='', challenge_visual='')
+        address = Bitcoin.pubkey_to_address(pubkey)
+        sha256 = Digest::SHA256.new
+        signature = [signature.htb].pack('m0')
+        message = sha256.digest(challenge_hidden.htb) + sha256.digest(challenge_visual)
+        Bitcoin.verify_message(address, signature, message)
+      end
+    end
+  end
+end

data/lib/omniauth-trezorconnect/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Trezorconnect
+    VERSION = "1.0.0"
+  end
+end

data/lib/omniauth-trezorconnect.rb

@@ -0,0 +1,8 @@
+require "omniauth-trezorconnect/version"
+require "omniauth"
+
+module OmniAuth
+  module Strategies
+    autoload :Trezorconnect,  'omniauth/strategies/trezorconnect'
+  end
+end

data/omniauth-trezorconnect.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth-trezorconnect/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "omniauth-trezorconnect"
+  spec.version       = OmniAuth::Trezorconnect::VERSION
+  spec.authors       = ["Karim Semmoud"]
+  spec.email         = ["karim.semmoud@gmail.com"]
+
+  spec.summary       = "OmniAuth strategy for authenticating against the Trezor Connect version 9"
+  spec.description   = "Custom Omniatuh strategy using open source Javascript instead of a third party"
+  spec.homepage      = "https://github.com/karim-semmoud/omniauth-trezorconnect"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "omniauth", "~> 2.1"
+  spec.add_dependency "bitcoin", "~> 0.2"
+
+  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

metadata

@@ -0,0 +1,108 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-trezorconnect
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Karim Semmoud
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2023-05-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: bitcoin
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Custom Omniatuh strategy using open source Javascript instead of a third
+  party
+email:
+- karim.semmoud@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth-trezorconnect.rb
+- lib/omniauth-trezorconnect/version.rb
+- lib/omniauth/strategies/trezorconnect.rb
+- omniauth-trezorconnect.gemspec
+homepage: https://github.com/karim-semmoud/omniauth-trezorconnect
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: OmniAuth strategy for authenticating against the Trezor Connect version 9
+test_files: []