solrengine-auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6622627cd1bbb261117bfab5b6a746b51c511885aae27f43f9246a9985d861d7
+  data.tar.gz: 6cdab9cc1a1b92d0a4dff46b2119d90ab76a78e2fdae6181ffb3d34eaa82ab0d
+SHA512:
+  metadata.gz: 9a90484823d798a4aadc0c448a79bc99094b26ed85f4c24ab71aa301a8f31461cfb020de3c3bf6f7751bfe386a1b0e66e38f370e4980d37c651bd52f4a8b6ce5
+  data.tar.gz: 0f994647ae7a0a85ac5b8c7ab459c95a25fe23ed2fd47a564544d6de4d0a02ebae3627bb0683398aba1f4c10604312b4fb4b692ff6022ec2d68eb36215cf9a92

data/README.md

@@ -0,0 +1,106 @@
+# SolRengine Auth
+
+Solana wallet authentication for Ruby on Rails. Sign in with any Wallet Standard compatible wallet (Phantom, Solflare, Backpack, Jupiter, etc.) using SIWS (Sign In With Solana).
+
+Part of the [SolRengine](https://github.com/solrengine) framework.
+
+## Install
+
+Add to your Gemfile:
+
+```ruby
+gem "solrengine-auth"
+```
+
+Run the generator:
+
+```bash
+rails generate solrengine:auth:install
+rails db:migrate
+```
+
+This adds:
+- `wallet_address`, `nonce`, `nonce_expires_at` columns to your User model
+- `Authenticatable` concern included in User
+- `ControllerHelpers` concern included in ApplicationController
+- Routes mounted at `/auth` (login, nonce, verify, logout)
+- Configuration initializer
+
+## Setup
+
+Install the JavaScript dependencies:
+
+```bash
+yarn add @wallet-standard/app @solana/wallet-standard-features
+```
+
+Register the wallet Stimulus controller in your `app/javascript/controllers/index.js`:
+
+```js
+import WalletController from "solrengine/auth/wallet_controller"
+application.register("wallet", WalletController)
+```
+
+## Configuration
+
+```ruby
+# config/initializers/solrengine_auth.rb
+Solrengine::Auth.configure do |config|
+  config.domain = ENV.fetch("APP_DOMAIN", "localhost")
+  config.nonce_ttl = 5.minutes
+  config.after_sign_out_path = "/"
+
+  # The model class used for wallet authentication (String or Class).
+  # config.user_class = "User"
+
+  # Chain ID shown in the wallet sign-in message.
+  # Defaults to ENV["SOLANA_NETWORK"] or "mainnet".
+  # config.chain_id = "devnet"
+end
+```
+
+## How It Works
+
+1. User clicks "Connect Wallet" -- Stimulus discovers installed wallets via Wallet Standard
+2. User selects a wallet -- extension popup opens
+3. Rails generates a SIWS message with a nonce (POST `/auth/nonce`)
+4. Wallet signs the message (Ed25519)
+5. Rails verifies the signature, validates the nonce, and creates a session (POST `/auth/verify`)
+
+No passwords. No emails. The wallet is the identity.
+
+## Usage in Controllers
+
+```ruby
+class DashboardController < ApplicationController
+  before_action :authenticate!
+
+  def show
+    @wallet_address = current_user.wallet_address
+  end
+end
+```
+
+`current_user`, `logged_in?`, and `authenticate!` are provided by the `Solrengine::Auth::Concerns::ControllerHelpers` concern, which the generator includes in your ApplicationController.
+
+## Standalone Usage
+
+The verifier can be used without Rails:
+
+```ruby
+require "solrengine/auth"
+
+verifier = Solrengine::Auth::SiwsVerifier.new(
+  wallet_address: "Abc...xyz",
+  message: siws_message,
+  signature: signature_bytes,
+  domain: "myapp.com"
+)
+
+verifier.verify  # => true/false
+verifier.verify! # => true or raises VerificationError
+```
+
+## License
+
+MIT

data/app/assets/javascripts/solrengine/auth/wallet_controller.js

@@ -0,0 +1,262 @@
+import { Controller } from "@hotwired/stimulus"
+import { getWallets } from "@wallet-standard/app"
+import { SolanaSignMessage } from "@solana/wallet-standard-features"
+
+// Wallet connection + SIWS authentication controller.
+//
+// Discovers wallets via Wallet Standard. Uses legacy provider for connect
+// (preserves user gesture for popup), wallet-standard for signMessage.
+export default class extends Controller {
+  static targets = ["connectBtn", "signing", "status", "walletList"]
+  static values = {
+    nonceUrl: String,
+    verifyUrl: String,
+    dashboardUrl: String
+  }
+
+  connect() {
+    this.availableWallets = []
+    this.selectedWallet = null
+    this.discoverWallets()
+  }
+
+  discoverWallets() {
+    const { get, on } = getWallets()
+
+    this.addWallets(get())
+
+    on("register", (...newWallets) => {
+      this.addWallets(newWallets)
+    })
+  }
+
+  addWallets(wallets) {
+    for (const wallet of wallets) {
+      if (wallet.features[SolanaSignMessage]) {
+        if (!this.availableWallets.find(w => w.name === wallet.name)) {
+          this.availableWallets.push(wallet)
+        }
+      }
+    }
+
+    if (this.availableWallets.length > 0 && !this.selectedWallet) {
+      this.selectedWallet = this.availableWallets[0]
+    }
+
+    this.renderWalletList()
+  }
+
+  renderWalletList() {
+    if (!this.hasWalletListTarget) return
+    if (this.availableWallets.length === 0) return
+
+    this.walletListTarget.replaceChildren()
+
+    this.availableWallets.forEach((wallet, index) => {
+      const button = document.createElement("button")
+      button.dataset.action = "click->wallet#selectWallet"
+      button.dataset.walletIndex = index
+      button.className = `flex items-center gap-3 w-full p-3 rounded-xl border cursor-pointer transition-all duration-200 ${
+        this.selectedWallet === wallet
+          ? 'border-purple-500 bg-purple-900/20'
+          : 'border-gray-700 hover:border-gray-500 bg-gray-800/30'
+      }`
+
+      if (wallet.icon && /^(https?:|data:image\/)/.test(wallet.icon)) {
+        const img = document.createElement("img")
+        img.src = wallet.icon
+        img.alt = wallet.name
+        img.className = "w-8 h-8 rounded-lg"
+        button.appendChild(img)
+      }
+
+      const span = document.createElement("span")
+      span.className = "text-white font-medium"
+      span.textContent = wallet.name
+      button.appendChild(span)
+
+      this.walletListTarget.appendChild(button)
+    })
+
+    this.walletListTarget.classList.remove("hidden")
+  }
+
+  selectWallet(event) {
+    const index = parseInt(event.currentTarget.dataset.walletIndex)
+    this.selectedWallet = this.availableWallets[index]
+    this.renderWalletList()
+  }
+
+  // Map wallet-standard wallets to their legacy window providers.
+  // Legacy connect() is called first to preserve user gesture context
+  // (Chrome only allows extension popups within a direct user action).
+  getLegacyProvider(walletName) {
+    const name = walletName.toLowerCase()
+    if (name.includes("phantom")) return window.phantom?.solana || window.solana
+    if (name.includes("solflare")) return window.solflare
+    if (name.includes("backpack")) return window.backpack
+    return null
+  }
+
+  async authenticate() {
+    if (!this.selectedWallet) {
+      this.showStatus("No Solana wallet found. Please install a Solana wallet extension.", "error")
+      return
+    }
+
+    try {
+      this.connectBtnTarget.disabled = true
+      this.connectBtnTarget.textContent = `Connecting to ${this.selectedWallet.name}...`
+
+      let publicKey
+      let signMessage
+
+      // Try legacy provider FIRST — this must happen immediately on user click
+      // so Chrome allows the extension popup to open.
+      const provider = this.getLegacyProvider(this.selectedWallet.name)
+
+      if (provider) {
+        // Legacy connect — happens immediately in the user gesture, popup shows
+        const response = await provider.connect()
+
+        // Different wallets return publicKey differently:
+        // Phantom: response.publicKey.toString()
+        // Solflare: response.publicKey?.toString() or provider.publicKey.toString()
+        // Backpack: response.publicKey.toString() or provider.publicKey.toString()
+        const pk = response?.publicKey || provider.publicKey
+        if (!pk) {
+          throw new Error("Wallet connected but no public key returned. Please try again.")
+        }
+        publicKey = pk.toString()
+
+        signMessage = async (messageBytes) => {
+          // signMessage API differs per wallet:
+          // Phantom: signMessage(bytes, "utf8") → { signature }
+          // Solflare: signMessage(bytes) → { signature }
+          // Backpack: signMessage(bytes) → Uint8Array
+          // Only pass encoding for Phantom; others don't accept it.
+          const isPhantom = provider.isPhantom === true
+          const result = isPhantom
+            ? await provider.signMessage(messageBytes, "utf8")
+            : await provider.signMessage(messageBytes)
+
+          if (result instanceof Uint8Array) return result
+          if (result?.signature) return new Uint8Array(result.signature)
+          return new Uint8Array(result)
+        }
+      } else {
+        // No legacy provider — use wallet-standard connect
+        const connectFeature = this.selectedWallet.features["standard:connect"]
+        const { accounts } = await connectFeature.connect()
+
+        if (!accounts || accounts.length === 0) {
+          throw new Error("No accounts returned. Please unlock your wallet and try again.")
+        }
+
+        const account = accounts[0]
+        publicKey = account.address
+
+        const signMessageFeature = this.selectedWallet.features[SolanaSignMessage]
+        signMessage = async (messageBytes) => {
+          const [{ signature }] = await signMessageFeature.signMessage(
+            { account, message: messageBytes }
+          )
+          return new Uint8Array(signature)
+        }
+      }
+
+      // Step 2: Request a nonce from the server
+      this.showSigning()
+      const csrfToken = document.querySelector('meta[name="csrf-token"]')?.content
+      const nonceResponse = await fetch(this.nonceUrlValue, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json",
+          "X-CSRF-Token": csrfToken
+        },
+        body: JSON.stringify({ wallet_address: publicKey })
+      })
+
+      if (!nonceResponse.ok) {
+        throw new Error("Failed to get authentication challenge")
+      }
+
+      const { message } = await nonceResponse.json()
+
+      // Step 3: Sign the SIWS message
+      const encodedMessage = new TextEncoder().encode(message)
+      const signatureBytes = await signMessage(encodedMessage)
+
+      // Step 4: Send the signed message to the server for verification
+      const signatureString = Array.from(signatureBytes).join(",")
+
+      const verifyResponse = await fetch(this.verifyUrlValue, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json",
+          "X-CSRF-Token": csrfToken
+        },
+        body: JSON.stringify({
+          wallet_address: publicKey,
+          message: message,
+          signature: signatureString
+        })
+      })
+
+      if (!verifyResponse.ok) {
+        const error = await verifyResponse.json()
+        throw new Error(error.error || "Verification failed")
+      }
+
+      // Step 5: Redirect to dashboard
+      window.location.href = this.dashboardUrlValue
+
+    } catch (error) {
+      console.error("Wallet authentication error:", error)
+
+      if (error.message?.includes("User rejected") || error.message?.includes("cancelled")) {
+        this.showStatus("Sign-in cancelled", "warning")
+      } else if (error.message?.includes("Unexpected error")) {
+        this.showStatus(`Please unlock ${this.selectedWallet.name} and try again.`, "error")
+      } else {
+        this.showStatus(error.message || "Connection failed.", "error")
+      }
+
+      this.resetUI()
+    }
+  }
+
+  showSigning() {
+    this.connectBtnTarget.classList.add("hidden")
+    if (this.hasWalletListTarget) this.walletListTarget.classList.add("hidden")
+    this.signingTarget.classList.remove("hidden")
+  }
+
+  resetUI() {
+    this.connectBtnTarget.classList.remove("hidden")
+    this.connectBtnTarget.disabled = false
+    this.connectBtnTarget.textContent = "Connect Wallet"
+    if (this.hasWalletListTarget) this.walletListTarget.classList.remove("hidden")
+    this.signingTarget.classList.add("hidden")
+  }
+
+  showStatus(message, type = "info") {
+    const statusEl = this.statusTarget
+    statusEl.textContent = message
+    statusEl.classList.remove("hidden", "bg-red-900/50", "text-red-300", "bg-yellow-900/50", "text-yellow-300", "bg-green-900/50", "text-green-300")
+
+    switch (type) {
+      case "error":
+        statusEl.classList.add("bg-red-900/50", "text-red-300")
+        break
+      case "warning":
+        statusEl.classList.add("bg-yellow-900/50", "text-yellow-300")
+        break
+      default:
+        statusEl.classList.add("bg-green-900/50", "text-green-300")
+    }
+    statusEl.classList.remove("hidden")
+  }
+}

data/app/controllers/solrengine/auth/application_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Solrengine
+  module Auth
+    class ApplicationController < ActionController::Base
+    end
+  end
+end

data/app/controllers/solrengine/auth/concerns/controller_helpers.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Solrengine
+  module Auth
+    module Concerns
+      module ControllerHelpers
+        extend ActiveSupport::Concern
+
+        included do
+          helper_method :current_user, :logged_in?
+        end
+
+        private
+
+        def current_user
+          @current_user ||= Solrengine::Auth.configuration.user_model.find_by(id: session[:user_id]) if session[:user_id]
+        end
+
+        def logged_in?
+          current_user.present?
+        end
+
+        def authenticate!
+          redirect_to solrengine_auth.login_path unless logged_in?
+        end
+      end
+    end
+  end
+end

data/app/controllers/solrengine/auth/sessions_controller.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Solrengine
+  module Auth
+    class SessionsController < ApplicationController
+      def new
+        # Renders the wallet connect view
+      end
+
+      def nonce
+        wallet_address = params[:wallet_address]
+
+        unless wallet_address.match?(Concerns::Authenticatable::SOLANA_ADDRESS_FORMAT)
+          return render json: { error: "Invalid wallet address" }, status: :unprocessable_entity
+        end
+
+        user_class = _user_class
+        user = user_class.find_or_initialize_by(wallet_address: wallet_address)
+        user.generate_nonce! if user.persisted?
+        user.save! unless user.persisted?
+
+        domain = Solrengine::Auth.configuration.domain
+        message = SiwsMessageBuilder.new(
+          domain: domain,
+          wallet_address: wallet_address,
+          nonce: user.nonce,
+          uri: request.base_url
+        ).build
+
+        render json: { message: message, nonce: user.nonce }
+      end
+
+      def create
+        wallet_address = params[:wallet_address]
+        message = params[:message]
+        signature = params[:signature]
+
+        user = _user_class.find_by(wallet_address: wallet_address)
+
+        unless user&.nonce_valid?
+          return render json: { error: "Authentication expired. Please try again." }, status: :unprocessable_entity
+        end
+
+        verifier = SiwsVerifier.new(
+          wallet_address: wallet_address,
+          message: message,
+          signature: signature
+        )
+
+        unless verifier.verify
+          return render json: { error: "Signature verification failed" }, status: :unauthorized
+        end
+
+        # Verify the nonce in the signed message matches the database nonce
+        message_nonce = message.match(/Nonce: ([a-f0-9]+)/)&.captures&.first
+        unless message_nonce.present? && ActiveSupport::SecurityUtils.secure_compare(message_nonce, user.nonce)
+          return render json: { error: "Nonce mismatch" }, status: :unauthorized
+        end
+
+        user.generate_nonce!
+
+        reset_session
+        session[:user_id] = user.id
+        render json: { success: true, wallet_address: user.wallet_address }
+      end
+
+      def destroy
+        reset_session
+        redirect_to Solrengine::Auth.configuration.after_sign_out_path, notice: "Disconnected"
+      end
+
+      private
+
+      def _user_class
+        Solrengine::Auth.configuration.user_model
+      end
+    end
+  end
+end

data/app/models/solrengine/auth/concerns/authenticatable.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Solrengine
+  module Auth
+    module Concerns
+      module Authenticatable
+        extend ActiveSupport::Concern
+
+        SOLANA_ADDRESS_FORMAT = /\A[1-9A-HJ-NP-Za-km-z]{32,44}\z/
+
+        included do
+          validates :wallet_address, presence: true, uniqueness: true,
+            format: { with: SOLANA_ADDRESS_FORMAT, message: "is not a valid Solana address" }
+
+          before_create :generate_nonce
+        end
+
+        def generate_nonce!
+          generate_nonce
+          save! if persisted?
+        end
+
+        def nonce_valid?
+          nonce.present? && nonce_expires_at.present? && nonce_expires_at > Time.current
+        end
+
+        private
+
+        def generate_nonce
+          nonce_ttl = Solrengine::Auth.configuration.nonce_ttl
+          self.nonce = SecureRandom.hex(16)
+          self.nonce_expires_at = nonce_ttl.from_now
+        end
+      end
+    end
+  end
+end

data/app/views/solrengine/auth/sessions/new.html.erb

@@ -0,0 +1,37 @@
+<div class="min-h-screen flex items-center justify-center bg-gradient-to-br from-gray-950 via-gray-900 to-purple-950">
+  <div class="max-w-md w-full mx-4" data-controller="wallet" data-wallet-nonce-url-value="<%= solrengine_auth.nonce_path %>" data-wallet-verify-url-value="<%= solrengine_auth.verify_path %>" data-wallet-dashboard-url-value="<%= Solrengine::Auth.configuration.after_sign_in_path %>">
+
+    <div class="text-center mb-8">
+      <h1 class="text-4xl font-bold text-white mb-2"><%= yield(:solrengine_auth_title) || "Sign In" %></h1>
+      <p class="text-gray-400">Connect your wallet to get started</p>
+    </div>
+
+    <div class="bg-gray-800/50 backdrop-blur border border-gray-700 rounded-2xl p-8 shadow-xl">
+      <div data-wallet-target="status" class="hidden mb-4 p-3 rounded-lg text-sm text-center"></div>
+
+      <div data-wallet-target="walletList" class="hidden mb-4 space-y-2"></div>
+
+      <button
+        data-wallet-target="connectBtn"
+        data-action="click->wallet#authenticate"
+        class="w-full cursor-pointer bg-gradient-to-r from-purple-600 to-blue-600 hover:from-purple-500 hover:to-blue-500 text-white font-semibold py-3 px-6 rounded-xl transition-all duration-200 flex items-center justify-center gap-2"
+      >
+        <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1" />
+        </svg>
+        Connect Wallet
+      </button>
+
+      <div data-wallet-target="signing" class="hidden">
+        <div class="text-center">
+          <div class="animate-spin w-8 h-8 border-2 border-purple-500 border-t-transparent rounded-full mx-auto mb-3"></div>
+          <p class="text-gray-300">Approve the sign-in request in your wallet...</p>
+        </div>
+      </div>
+    </div>
+
+    <p class="text-center text-gray-500 text-sm mt-6">
+      Powered by SolRengine
+    </p>
+  </div>
+</div>

data/config/routes.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Solrengine::Auth::Engine.routes.draw do
+  get  "login",  to: "sessions#new",     as: :login
+  post "nonce",  to: "sessions#nonce",   as: :nonce
+  post "verify", to: "sessions#create",  as: :verify
+  delete "logout", to: "sessions#destroy", as: :logout
+end

data/lib/generators/solrengine/auth/install_generator.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/migration"
+
+module Solrengine
+  module Auth
+    class InstallGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+
+      source_root File.expand_path("templates", __dir__)
+
+      def self.next_migration_number(dirname)
+        if ActiveRecord.respond_to?(:timestamped_migrations) && ActiveRecord.timestamped_migrations
+          Time.now.utc.strftime("%Y%m%d%H%M%S")
+        else
+          "%.3d" % (current_migration_number(dirname) + 1)
+        end
+      end
+
+      def create_initializer
+        template "initializer.rb", "config/initializers/solrengine_auth.rb"
+      end
+
+      def create_user_model
+        unless File.exist?("app/models/user.rb")
+          create_file "app/models/user.rb", <<~RUBY
+            class User < ApplicationRecord
+              include Solrengine::Auth::Concerns::Authenticatable
+            end
+          RUBY
+        else
+          unless File.read("app/models/user.rb").include?("Solrengine::Auth::Concerns::Authenticatable")
+            inject_into_class "app/models/user.rb", "User",
+              "  include Solrengine::Auth::Concerns::Authenticatable\n\n"
+          end
+        end
+      end
+
+      def create_migration
+        migration_template "migration.rb.erb", "db/migrate/create_users_with_wallet_auth.rb"
+      rescue Rails::Generators::Error
+        say_status :skip, "Migration already exists", :yellow
+      end
+
+      def add_routes
+        route_string = 'mount Solrengine::Auth::Engine, at: "/auth"'
+        return if File.read("config/routes.rb").include?(route_string)
+
+        route route_string
+      end
+
+      def add_application_controller_helpers
+        controller_file = "app/controllers/application_controller.rb"
+        include_line = "include Solrengine::Auth::Concerns::ControllerHelpers"
+
+        return if File.read(controller_file).include?(include_line)
+
+        inject_into_class controller_file, "ApplicationController", "  #{include_line}\n"
+      end
+
+      def show_post_install
+        say "\n  SolRengine Auth installed!", :green
+        say "  Run `rails db:migrate` to create the users table.\n\n"
+      end
+    end
+  end
+end

data/lib/generators/solrengine/auth/templates/initializer.rb

@@ -0,0 +1,16 @@
+Solrengine::Auth.configure do |config|
+  # The domain used in SIWS messages. Must match your app's domain.
+  config.domain = ENV.fetch("APP_DOMAIN", "localhost")
+
+  # How long a nonce is valid before expiring.
+  config.nonce_ttl = 5.minutes
+
+  # The model class used for wallet authentication (String or Class).
+  # config.user_class = "User"
+
+  # Where to redirect after sign-in (used by the JS wallet controller).
+  config.after_sign_in_path = "/"
+
+  # Where to redirect after sign-out.
+  config.after_sign_out_path = "/"
+end

data/lib/generators/solrengine/auth/templates/migration.rb.erb

@@ -0,0 +1,19 @@
+class CreateUsersWithWalletAuth < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    if table_exists?(:users)
+      add_column :users, :wallet_address, :string, null: false unless column_exists?(:users, :wallet_address)
+      add_index :users, :wallet_address, unique: true unless index_exists?(:users, :wallet_address)
+      add_column :users, :nonce, :string unless column_exists?(:users, :nonce)
+      add_column :users, :nonce_expires_at, :datetime unless column_exists?(:users, :nonce_expires_at)
+    else
+      create_table :users do |t|
+        t.string :wallet_address, null: false
+        t.string :nonce
+        t.datetime :nonce_expires_at
+
+        t.timestamps
+      end
+      add_index :users, :wallet_address, unique: true
+    end
+  end
+end

data/lib/solrengine/auth/configuration.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Solrengine
+  module Auth
+    class Configuration
+      attr_accessor :domain, :nonce_ttl, :after_sign_in_path, :after_sign_out_path, :user_class, :chain_id
+
+      def initialize
+        @domain = "localhost"
+        @nonce_ttl = 5.minutes
+        @after_sign_in_path = "/"
+        @after_sign_out_path = "/"
+        @user_class = "User"
+        @chain_id = ENV.fetch("SOLANA_NETWORK", "mainnet")
+      end
+
+      def user_model
+        @user_class.is_a?(String) ? @user_class.constantize : @user_class
+      end
+    end
+  end
+end

data/lib/solrengine/auth/engine.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Solrengine
+  module Auth
+    class Engine < ::Rails::Engine
+      isolate_namespace Solrengine::Auth
+
+      initializer "solrengine-auth.assets" do |app|
+        app.config.assets.paths << root.join("app/assets/javascripts")
+      end
+    end
+  end
+end

data/lib/solrengine/auth/siws_message_builder.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Solrengine
+  module Auth
+    # Builds a SIWS (Sign In With Solana) message following the standard format.
+    # Modeled after EIP-4361 (SIWE) adapted for Solana.
+    class SiwsMessageBuilder
+      def initialize(domain:, wallet_address:, nonce:, statement: nil, uri: nil, chain_id: nil)
+        @domain = domain
+        @wallet_address = wallet_address
+        @nonce = nonce
+        @statement = statement || "Sign in to #{domain}"
+        @uri = uri || "https://#{domain}"
+        @chain_id = chain_id || Solrengine::Auth.configuration.chain_id
+        @issued_at = Time.current.iso8601
+      end
+
+      def build
+        [
+          "#{@domain} wants you to sign in with your Solana account:",
+          @wallet_address,
+          "",
+          @statement,
+          "",
+          "URI: #{@uri}",
+          "Version: 1",
+          "Chain ID: #{@chain_id}",
+          "Nonce: #{@nonce}",
+          "Issued At: #{@issued_at}"
+        ].join("\n")
+      end
+    end
+  end
+end

data/lib/solrengine/auth/siws_verifier.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require "ed25519"
+require "base58"
+
+module Solrengine
+  module Auth
+    # Verifies SIWS (Sign In With Solana) signed messages.
+    # Uses Ed25519 signature verification and validates domain
+    # to prevent cross-site replay attacks.
+    class SiwsVerifier
+      class VerificationError < StandardError; end
+
+      def initialize(wallet_address:, message:, signature:, domain: nil)
+        @wallet_address = wallet_address
+        @message = message
+        @signature = signature
+        @domain = domain || Solrengine::Auth.configuration.domain
+      end
+
+      def verify!
+        verify_message_format!
+        verify_domain!
+        verify_signature!
+        true
+      rescue Ed25519::VerifyError
+        raise VerificationError, "Invalid signature"
+      end
+
+      def verify
+        verify!
+      rescue VerificationError
+        false
+      end
+
+      private
+
+      def verify_message_format!
+        unless @message.include?(@wallet_address)
+          raise VerificationError, "Message does not contain the claimed wallet address"
+        end
+
+        unless extract_nonce.present?
+          raise VerificationError, "Message does not contain a nonce"
+        end
+      end
+
+      def verify_domain!
+        first_line = @message.lines.first&.strip
+        unless first_line == "#{@domain} wants you to sign in with your Solana account:"
+          raise VerificationError, "Message domain does not match expected domain"
+        end
+      end
+
+      def verify_signature!
+        pubkey_bytes = Base58.base58_to_binary(@wallet_address, :bitcoin)
+        signature_bytes = decode_signature(@signature)
+
+        verify_key = Ed25519::VerifyKey.new(pubkey_bytes)
+        verify_key.verify(signature_bytes, @message)
+      end
+
+      def extract_nonce
+        match = @message.match(/Nonce: ([a-f0-9]+)/)
+        match&.captures&.first
+      end
+
+      def decode_signature(signature)
+        bytes = if signature.match?(/\A[0-9,\s]+\z/)
+          values = signature.split(",").map(&:to_i)
+          raise VerificationError, "Invalid signature byte values" if values.any? { |v| v < 0 || v > 255 }
+          values.pack("C*")
+        else
+          Base64.strict_decode64(signature)
+        end
+        raise VerificationError, "Signature must be 64 bytes" unless bytes.bytesize == 64
+        bytes
+      rescue ArgumentError
+        raise VerificationError, "Invalid signature encoding"
+      end
+    end
+  end
+end

data/lib/solrengine/auth/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Solrengine
+  module Auth
+    VERSION = "0.1.0"
+  end
+end

data/lib/solrengine/auth.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative "auth/version"
+require_relative "auth/configuration"
+require_relative "auth/siws_verifier"
+require_relative "auth/siws_message_builder"
+require_relative "auth/engine" if defined?(Rails::Engine)
+
+module Solrengine
+  module Auth
+    class << self
+      def configuration
+        @configuration ||= Configuration.new
+      end
+
+      def configure
+        yield(configuration)
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification
+name: solrengine-auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Jose Ferrer
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-03-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+- !ruby/object:Gem::Dependency
+  name: ed25519
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: base58
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+description: Drop-in wallet authentication for Rails apps. Sign in with Phantom, Solflare,
+  Backpack, or any Wallet Standard compatible Solana wallet. Ed25519 signature verification
+  in Ruby.
+email:
+- estoy@moviendo.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- app/assets/javascripts/solrengine/auth/wallet_controller.js
+- app/controllers/solrengine/auth/application_controller.rb
+- app/controllers/solrengine/auth/concerns/controller_helpers.rb
+- app/controllers/solrengine/auth/sessions_controller.rb
+- app/models/solrengine/auth/concerns/authenticatable.rb
+- app/views/solrengine/auth/sessions/new.html.erb
+- config/routes.rb
+- lib/generators/solrengine/auth/install_generator.rb
+- lib/generators/solrengine/auth/templates/initializer.rb
+- lib/generators/solrengine/auth/templates/migration.rb.erb
+- lib/solrengine/auth.rb
+- lib/solrengine/auth/configuration.rb
+- lib/solrengine/auth/engine.rb
+- lib/solrengine/auth/siws_message_builder.rb
+- lib/solrengine/auth/siws_verifier.rb
+- lib/solrengine/auth/version.rb
+homepage: https://github.com/solrengine/auth
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/solrengine/auth
+  source_code_uri: https://github.com/solrengine/auth
+  changelog_uri: https://github.com/solrengine/auth/blob/main/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Solana wallet authentication for Rails using SIWS (Sign In With Solana)
+test_files: []