SEP-45: Handle require_auth in __check_auth
philipliu committed Feb 10, 2025
1 parent 99fa31e commit 737ed93
Showing 1 changed file with 32 additions and 28 deletions.
60 changes: 32 additions & 28 deletions ecosystem/sep-0045.md
Expand Up @@ -89,34 +89,38 @@ The authentication flow is as follows:
1. The **Client** obtains a signature from the **Client Domain Address** for the authorization entry where
`credentials.address.address` is the **Client Domain Address** if the **Client** included a client domain in the
request
1. The **Client** simulates the transaction with the signed authorization entries and verifies the following to ensure
1. If the **Client** contract's `__check_auth` implementation requires additional signed authorization entries, the
**Client** signs those entries as well
1. The **Client** simulates the transaction with all signed authorization entries and verifies the following to ensure
the transaction does not have any unintended side effects:
- The transaction's ledger footprint `read_write` set contains only `contract_data` entries where:
- The `contract` is the **Client Account** address, and the `key` is `ledger_key_nonce`.
- The `contract` is the **Home Domain Address**, and the `key` is `ledger_key_nonce`.
- (Optional) if an authorization entry for the **Client Domain Address** was present in the challenge, the
`contract` is the **Client Domain Address**, and the `key` is `ledger_key_nonce`.
1. The **Client** submits the signed authorization entries back to the **Server** using [`token`](#token) endpoint
1. The **Server** extracts the arguments from the authorization entries returned by the client
1. The **Server** verifies that the `contract_address` in each authorization entry matches the `WEB_AUTH_CONTRACT_ID`
from the **Server**'s `stellar.toml`
1. The **Server** verifies that the `function_name` in each authorization entry is `web_auth_verify`
1. The **Server** verifies that the `args` map in each authorization entry match the expected values and are the same
across all authorization entries:
1. The `account` value matches the **Client Account** address
1. The `home_domain` value matches the **Home Domain**
1. The `home_domain_address` value matches the **Home Domain Address**
1. The `web_auth_domain` value matches the **Server**'s domain
1. The `client_domain_address` value matches the **Client Domain Address** if the **Client** included a
`client_domain` in the request, otherwise it is not present
1. (Optional) The **Server** verifies that the `nonce` argument is the same across all authorization entries and is
unique
1. The **Client** submits all signed authorization entries back to the **Server** using [`token`](#token) endpoint
1. The **Server** verifies there are authorization entries where `contract_address` in each authorization entry matches
the `WEB_AUTH_CONTRACT_ID` from the **Server**'s `stellar.toml` and for each authorization entry:
1. The **Server** verifies that the `function_name` in each authorization entry is `web_auth_verify`
1. The **Server** extracts the arguments from the authorization entries returned by the client
1. The **Server** verifies that the `args` map in each authorization entry match the expected values and are the same
across all authorization entries:
- The `account` value matches the **Client Account** address
- The `home_domain` value matches the **Home Domain**
- The `home_domain_address` value matches the **Home Domain Address**
- The `web_auth_domain` value matches the **Server**'s domain
- The `client_domain_address` value matches the **Client Domain Address** if the **Client** included a
`client_domain` in the request, otherwise it is not present
- (Optional) The **Server** verifies that the `nonce` argument is the same across all authorization entries and is
unique
1. The **Server** verifies that there is an authorization entry where `credentials.address.address` is the **Home Domain
Address** and contains a valid signature from the **Home Domain Address**
1. The **Server** verifies that there is an authorization entry where `credentials.address.address` is the **Client
Account** address
1. The **Server** verifies that there is an authorization entry where `credentials.address.address` is the **Client
Domain Address** if the arguments included a `client_domain_address`
1. The **Server** does not validate any additional authorization entries that the **Client** may have included in the
request
1. The **Server** constructs a transaction with a single Invoke Host Function operation where the contract address is
`WEB_AUTH_CONTRACT_ID` and the function is `web_auth_verify` using the previously extracted arguments and the
authorization entries returned by the client
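Review bot: the new client step ("If the **Client** contract's `__check_auth` implementation requires additional signed authorization entries, the **Client** signs those entries as well") is not reflected in the footprint check that follows it. The `read_write` allowlist still admits only `ledger_key_nonce` entries under the **Client Account**, the **Home Domain Address** and the **Client Domain Address**, so if any of those additional entries consume a nonce for another address, the simulation check as written rejects the transaction the client just signed. Either extend the allowlist to the addresses of the additional signed entries, or state explicitly that such entries must not add to the footprint. Two smaller points in the server steps: "are the same across all authorization entries" and the optional `nonce` check should say whether "all" means every entry the client returned or only the entries the enclosing step selects (those whose `contract_address` is `WEB_AUTH_CONTRACT_ID`); and "The **Server** does not validate any additional authorization entries" should say whether that is a MUST NOT or a need-not, and that those entries are still passed through unmodified into the transaction constructed in the final step.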
Expand Down Expand Up @@ -247,18 +251,18 @@ by the server):
To validate the challenge transaction the following steps are performed by the **Server**. If any of the listed steps
fail, then the authentication request must be rejected — that is, treated by the **Server** as an invalid input.

1. Extract the arguments from the authorization entries returned by the client;
1. Verify that the `contract_address` in each authorization entry matches the `WEB_AUTH_CONTRACT_ID` from the
**Server**'s `stellar.toml`;
1. Verify that the `function_name` in each authorization entry is `web_auth_verify`;
1. Verify that the `args` in each authorization entry match the expected values and is the same across all authorization
entries:
1. The `home_domain` value matches the **Home Domain**;
1. The `home_domain_address` value matches the **Home Domain Address**;
1. The `web_auth_domain` value matches the **Server**'s domain;
1. The `client_domain` is present if `client_domain_address` is present;
1. The `client_domain_address` value matches the **Client Domain Address** if `client_domain` is present;
1. (Optional) Verify that the `nonce` argument is the same across all authorization entries and is valid;
1. Verify there are authorization entries where `contract_address` in each authorization entry matches the
`WEB_AUTH_CONTRACT_ID` from the **Server**'s `stellar.toml` and for each authorization entry;
1. Verify that the `function_name` in each authorization entry is `web_auth_verify`;
1. Extract the arguments from the authorization entries returned by the client;
1. Verify that the `args` in each authorization entry match the expected values and is the same across all
authorization entries:
- The `home_domain` value matches the **Home Domain**;
- The `home_domain_address` value matches the **Home Domain Address**;
- The `web_auth_domain` value matches the **Server**'s domain;
- The `client_domain` is present if `client_domain_address` is present;
- The `client_domain_address` value matches the **Client Domain Address** if `client_domain` is present;
- (Optional) Verify that the `nonce` argument is the same across all authorization entries and is valid;
1. Verify that there is an authorization entry where `credentials.address.address` is the **Home Domain Address** and
contains a valid signature from the **Home Domain Address**;
1. Verify that there is an authorization entry where `credentials.address.address` is the **Client Account** address
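Review bot: the `args` check list in this normative section still omits the `account` check that the flow overview includes ("The `account` value matches the **Client Account** address"), so the `account` argument handed to `web_auth_verify` is never compared against the **Client Account** here; add `- The `account` value matches the **Client Account** address;` as the first bullet so the two sections agree. The same scoping question as in the overview applies: "is the same across all authorization entries" and the optional `nonce` check should state that they apply to the entries selected by the enclosing step (those whose `contract_address` is `WEB_AUTH_CONTRACT_ID`). Grammar nit in that same step: "match the expected values and is the same" should read "are the same".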
