feat: add sign in with ethereum (#2069)

Adds Sign in with Ethereum. Configure it by:

```
GOTRUE_EXTERNAL_WEB3_ETHEREUM_ENABLED="true"
GOTRUE_EXTERNAL_WEB3_ETHEREUM_MAXIMUM_VALIDITY_DURATION="10m"
```

SIWS & SIWE are based off of EIP-4361, which is referenced here:
https://eips.ethereum.org/EIPS/eip-4361, so they are close in
implementation with slight differences between address/signature
verification format & algorithm.

For Ethereum, specifically the signature verification part, It requires
recovering the public address from the signature, and then testing the
signature against it, with the algorithm Ethereum uses, this is tedious
to implement without using the https://github.com/ethereum/go-ethereum
package, as the verification has some error correction that it does,
would be hard to test/maintain without the dependency, let me know what
you think.

Author: Bewinxed

example.env

@@ -173,6 +173,10 @@ GOTRUE_EXTERNAL_ZOOM_REDIRECT_URI="http://localhost:9999/callback"
 GOTRUE_EXTERNAL_WEB3_SOLANA_ENABLED="true"
 GOTRUE_EXTERNAL_WEB3_SOLANA_MAXIMUM_VALIDITY_DURATION="10m"
 
+# Web3 Ethereum config
+GOTRUE_EXTERNAL_WEB3_ETHEREUM_ENABLED="true"
+GOTRUE_EXTERNAL_WEB3_ETHEREUM_MAXIMUM_VALIDITY_DURATION="10m"
+
 # Anonymous auth config
 GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED="false"
 

go.mod

@@ -26,26 +26,32 @@ require (
 	github.com/sebest/xff v0.0.0-20160910043805-6c115e0ffa35
 	github.com/sethvargo/go-password v0.2.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/crypto v0.35.0
+	golang.org/x/crypto v0.36.0
 	golang.org/x/oauth2 v0.17.0
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 )
 
 require (
-	github.com/bits-and-blooms/bitset v1.13.0 // indirect
+	github.com/bits-and-blooms/bitset v1.20.0 // indirect
+	github.com/consensys/gnark-crypto v0.18.0 // indirect
+	github.com/crate-crypto/go-eth-kzg v1.3.0 // indirect
+	github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936 // indirect
+	github.com/ethereum/c-kzg-4844/v2 v2.1.0 // indirect
+	github.com/ethereum/go-verkle v0.2.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/getkin/kin-openapi v0.131.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-webauthn/x v0.1.12 // indirect
 	github.com/gobuffalo/nulls v0.4.2 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
 	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/holiman/uint256 v1.3.2 // indirect
 	github.com/jackc/pgx/v4 v4.18.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
@@ -60,12 +66,13 @@ require (
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/speakeasy-api/openapi-overlay v0.9.0 // indirect
+	github.com/supranational/blst v0.3.14 // indirect
 	github.com/vmware-labs/yaml-jsonpath v0.3.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/tools v0.29.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
 )
@@ -116,6 +123,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/ethereum/go-ethereum v1.16.0
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
@@ -158,15 +166,15 @@ require (
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d // indirect
 	github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	go.opentelemetry.io/proto/otlp v1.2.0 // indirect
 	golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb
-	golang.org/x/net v0.36.0 // indirect
-	golang.org/x/sync v0.11.0
-	golang.org/x/sys v0.30.0
-	golang.org/x/text v0.22.0 // indirect
-	golang.org/x/time v0.5.0
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sync v0.12.0
+	golang.org/x/sys v0.31.0
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/time v0.9.0
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/grpc v1.63.2 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect

go.sum

@@ -12,6 +12,7 @@ import (
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/storage"
 	"github.com/supabase/auth/internal/utilities"
+	"github.com/supabase/auth/internal/utilities/siwe"
 	"github.com/supabase/auth/internal/utilities/siws"
 )
 
@@ -24,7 +25,7 @@ type Web3GrantParams struct {
 func (a *API) Web3Grant(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
 	config := a.config
 
-	if !config.External.Web3Solana.Enabled {
+	if !config.External.Web3Solana.Enabled && !config.External.Web3Ethereum.Enabled {
 		return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeWeb3ProviderDisabled, "Web3 provider is disabled")
 	}
 
@@ -33,11 +34,21 @@ func (a *API) Web3Grant(ctx context.Context, w http.ResponseWriter, r *http.Requ
 		return err
 	}
 
-	if params.Chain != "solana" {
+	switch params.Chain {
+	case "solana":
+		if !config.External.Web3Solana.Enabled {
+			return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeWeb3ProviderDisabled, "Solana Web3 provider is disabled")
+		}
+		return a.web3GrantSolana(ctx, w, r, params)
+	case "ethereum":
+		if !config.External.Web3Ethereum.Enabled {
+			return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeWeb3ProviderDisabled, "Ethereum Web3 provider is disabled")
+		}
+		return a.web3GrantEthereum(ctx, w, r, params)
+	default:
 		return apierrors.NewBadRequestError(apierrors.ErrorCodeWeb3UnsupportedChain, "Unsupported chain")
 	}
 
-	return a.web3GrantSolana(ctx, w, r, params)
 }
 
 func (a *API) web3GrantSolana(ctx context.Context, w http.ResponseWriter, r *http.Request, params *Web3GrantParams) error {
@@ -181,3 +192,128 @@ func (a *API) web3GrantSolana(ctx context.Context, w http.ResponseWriter, r *htt
 
 	return sendJSON(w, http.StatusOK, token)
 }
+
+func (a *API) web3GrantEthereum(ctx context.Context, w http.ResponseWriter, r *http.Request, params *Web3GrantParams) error {
+	config := a.config
+	db := a.db.WithContext(ctx)
+
+	if len(params.Message) < 64 {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "message is too short")
+	} else if len(params.Message) > 20*1024 {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "message must not exceed 20KB")
+	}
+
+	if len(strings.TrimPrefix(params.Signature, "0x")) != 130 {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "signature must be 65 bytes long, encoded as a 130 character-long hexadecimal string")
+	}
+
+	parsedMessage, err := siwe.ParseMessage(params.Message)
+	if err != nil {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, err.Error())
+	}
+
+	if !parsedMessage.VerifySignature(params.Signature) {
+		return apierrors.NewOAuthError("invalid_grant", "Signature does not match address in message")
+	}
+
+	if parsedMessage.URI.Scheme != "https" && parsedMessage.URI.Hostname() != "localhost" {
+		return apierrors.NewOAuthError("invalid_grant", "Signed Ethereum message is using URI which does not use HTTPS")
+	}
+
+	if !utilities.IsRedirectURLValid(config, parsedMessage.URI.String()) {
+		return apierrors.NewOAuthError("invalid_grant", "Signed Ethereum message is using URI which is not allowed on this server, message was signed for another app")
+	}
+
+	if parsedMessage.URI.Hostname() != "localhost" && (parsedMessage.URI.Host != parsedMessage.Domain || !utilities.IsRedirectURLValid(config, "https://"+parsedMessage.Domain+"/")) {
+		return apierrors.NewOAuthError("invalid_grant", "Signed Ethereum message is using a Domain that does not match the one in URI which is not allowed on this server")
+	}
+
+	now := a.Now()
+
+	if parsedMessage.NotBefore != nil && !parsedMessage.NotBefore.IsZero() && now.Before(*parsedMessage.NotBefore) {
+		return apierrors.NewOAuthError("invalid_grant", "Signed Ethereum message becomes valid in the future")
+	}
+
+	if parsedMessage.NotBefore != nil && parsedMessage.ExpirationTime != nil && !parsedMessage.ExpirationTime.IsZero() && now.After(*parsedMessage.ExpirationTime) {
+		return apierrors.NewOAuthError("invalid_grant", "Signed Ethereum message is expired")
+	}
+
+	latestExpiryAt := parsedMessage.IssuedAt.Add(config.External.Web3Ethereum.MaximumValidityDuration)
+
+	if now.After(latestExpiryAt) {
+		return apierrors.NewOAuthError("invalid_grant", "Ethereum message was issued too long ago")
+	}
+
+	earliestIssuedAt := parsedMessage.IssuedAt.Add(-config.External.Web3Ethereum.MaximumValidityDuration)
+
+	if now.Before(earliestIssuedAt) {
+		return apierrors.NewOAuthError("invalid_grant", "Ethereum message was issued too far in the future")
+	}
+
+	const providerType = "web3"
+	providerId := strings.Join([]string{
+		providerType,
+		params.Chain,
+		parsedMessage.Address,
+	}, ":")
+
+	userData := provider.UserProvidedData{
+		Metadata: &provider.Claims{
+			CustomClaims: map[string]interface{}{
+				"address":   parsedMessage.Address,
+				"chain":     params.Chain,
+				"network":   parsedMessage.ChainID,
+				"domain":    parsedMessage.Domain,
+				"statement": parsedMessage.Statement,
+			},
+			Subject: providerId,
+		},
+		Emails: []provider.Email{},
+	}
+
+	var token *AccessTokenResponse
+	var grantParams models.GrantParams
+	grantParams.FillGrantParams(r)
+
+	if err := a.triggerBeforeUserCreatedExternal(r, db, &userData, providerType); err != nil {
+		return err
+	}
+
+	err = db.Transaction(func(tx *storage.Connection) error {
+		user, terr := a.createAccountFromExternalIdentity(tx, r, &userData, providerType)
+		if terr != nil {
+			return terr
+		}
+
+		if terr := models.NewAuditLogEntry(config.AuditLog, r, tx, user, models.LoginAction, "", map[string]interface{}{
+			"provider": providerType,
+			"chain":    params.Chain,
+			"network":  parsedMessage.ChainID,
+			"address":  parsedMessage.Address,
+			"domain":   parsedMessage.Domain,
+			"uri":      parsedMessage.URI,
+		}); terr != nil {
+			return terr
+		}
+
+		token, terr = a.issueRefreshToken(r, tx, user, models.Web3, grantParams)
+		if terr != nil {
+			return terr
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		switch err.(type) {
+		case *storage.CommitWithError:
+			return err
+		case *HTTPError:
+			return err
+		default:
+			return apierrors.NewOAuthError("server_error", "Internal Server Error").WithInternalError(err)
+		}
+	}
+
+	return sendJSON(w, http.StatusOK, token)
+}