JWT authorization header based on LNURL Auth

[wvanlint]

• Introduces a HeaderProvider trait that will provide headers for each VSS call.
• Implements a specific HeaderProvider that will provide a JWT authorization header based on LNURL Auth.
  • LUD-05 will be used for key derivation instead of LUD-13.
  • A token field will be expected in a successful LUD-04 verification response, containing the JWT token.
  • JWT tokens will be cached according to their expiry.

[tnull]

Did a really high-level pass, mostly questions about the design choices and introduced dependencies.

[tnull]

Let's use bitcoin::hashes crate here rather than the extra hmac/sha2 dependencies.

[wvanlint]

Done.

[tnull]

As this is a library, checking in Cargo.lock should be avoided.

[wvanlint]

Ah accidentally added this, added to .gitignore.

[tnull]

Is there a reason we need yet another mocking library? Why can't we use the mockito dependency we already have available?

[wvanlint]

The mockito library is a specific mocking library for HTTP calls. The mockall library allows more general mocking of Rust traits.

[wvanlint]

Removed this as Websockets were removed in favor of simple HTTP calls by depending on a token field in the LNURL Auth response.

[tnull]

I'm not convinced that we need to introduce a dependency just to check whether a URL is invalid.

[wvanlint]

We also use this library to handle parsing the domain name, parsing the query parameters, and adding additional sig and key query parameters. We can implement this functionality, but it would be nice to use the library here.

[G8XSU]

We have tried to minimize dependencies in this crate,
it might make sense to feature-gate these additional deps to "lnurl-auth" ?

[wvanlint]

Put the LNURL Auth JWT implementation and relevant dependencies under a feature.

[tnull]

We should probably define a clear error type here rather than using type Error: std::error::Error;.

[wvanlint]

What do you have in mind here? I added the associated type with a trait bound because each implementation might run into different kinds of errors. Returning fixed headers is infallible, but LNURL Auth might run into protocol-specific errors.

[tnull]

Hm, yeah, I guess. I'd generally still prefer to clearly define the possible error cases as this kind of pattern would often result in using dyn Error which is a mess to reliably/predictably handle by the user (and also comes with a bunch of overhead, such as heap allocations).

[wvanlint]

Simplified these into some basic error cases, but let me know if using String or std::io::Error would be better.

[tnull]

Could you expand on why this needs to use websockets rather than, e.g., just HTTPS requests?

[wvanlint]

AFAIU, the LNURL Auth spec defines a flow that "side-loads" authentication: a call providing a signature will be made by the client to the server, but the server can only return success/failure: https://github.com/lnurl/luds/blob/luds/04.md#wallet-to-service-interaction-flow. The server is responsible for correlating that call to the original challenge and continuing the user's intent there. In this case, the Websocket connection is used to maintain the context between providing the challenge and issuing the JWT token and allows the server to push the JWT token without the client having to poll.

[wvanlint]

Discussed offline. Although leveraging Websockets can support multiple devices e.g. with a QR scanning flow and it is used in Mutiny wallet, it is not relevant to our use case. We confirmed a token field can be added to the LNURL Auth response, and the simplification is definitely worthwhile. Changed this to only use HTTP(S) requests and returning a token field.

[tnull]

LDK/LDK Node are currently on bitcoin v0.30.2. While we'll upgrade soon, it might be best to keep it compatible here for the time being.

[wvanlint]

Changed this to use 0.30.2.

[tnull]

Thanks for removing the websocket requirement, this scheme is much simpler!

Generally LGTM, just a few questions and comments.

[tnull]

Usually I'm no fan of using variable prefixes. However, in this case we'll want to expose this trait in other interfaces, e.g., in LDK Node (if we ever wanted to expose the trait there), where HeaderProvider would suggest that it's a general interface. Unfortunately, trait aliases are not supported by Rust yet, so we can't expose the trait under a different name downstream. Could we therefore rename it (and the corresponding error type) to VssHeaderProvider?

[wvanlint]

Added prefixes.

[tnull]

Can we have this return a core::collections::HashMap rather than the reqwest-specific HeaderMap?

[wvanlint]

I think headers can be a multimap, changed this to Vec<(String, String)>.

[tnull]

Ah, I usually would prefer Vec<(String, String)>, too, however, in this case I'm afraid that UniFFI doesn't support tuples (see https://mozilla.github.io/uniffi-rs/udl/builtin_types.html), so using HashMap would be appreciated in this instance.

[wvanlint]

Done.

[tnull]

Should we introduce a JwtToken type that holds both the token string and the expiry? This would avoid the possibility that both fields are updated independently. We could also hold an RwLock<JwtToken>, which would avoid us having to lock the Mutex just to check the expiry.

[wvanlint]

Done.

[tnull]

Should this field be called default_headers to disambiguate it from the headers actually sent?

[wvanlint]

Done.

[tnull]

We should be able to avoid this allocation by using DerivationPath::from_iter.

[wvanlint]

Done.

[tnull]

nit: Could always derive Debug, possibly also Clone, as they might come handy eventually.

[wvanlint]

Done.

[tnull]

Same question regarding string sanitization as above.

[wvanlint]

Changed to using UntrustedString.

[tnull]

Could we make these variants InvalidData { error: String }, etc?

(Unfortunately, the UniFFI bindings generator doesn't support tuple structs generally, so it would help us to expose the trait in LDK Node, if we'd ever want to go this way)

[wvanlint]

Done.

[tnull]

Hmm, should this module be called auth or header_auth rather than just headers?

[wvanlint]

There might be other use cases for headers, so I left it open ended. Can remove or reword the reference to authentication though.

[tnull]

But for other use cases we might want to introduce another module, no? What would be a non-auth use case that would reuse exactly the types introduced here?

[wvanlint]

I think the VssHeaderProvider trait and FixedHeaders type are both generic, they can be used to set various HTTP headers, maybe User-Agent for example?

[tnull]

Yeah, possibly, although I doubt this would ever happen without any additional refactoring becoming necessary. In any case, the module naming isn't that important, so feel free to leave as is if you prefer.

[tnull]

Want to note that this means that we're only supporting LNURL servers with FQDNs, i.e., no IP-only webservers. Fine I guess and also inline with LUD-05, but previously I wasn't aware of this limitation.

[wvanlint]

Yes, exactly, the key derivation and signature will depend on it, likely to avoid certain attacks. I wonder if we should enforce HTTPS as well.

[wvanlint]

@G8XSU @tnull Were there remaining questions here from the LDK sync?

From my understanding, the domain name is used for isolation so that a signature for a LNURL Auth-based todo app for example cannot be used to access the LNURL Auth-based VSS server. HTTPS also protects against man-in-the-middle attacks.

[tnull]

Not from my side, I think requiring a FQDN is 'okay' even though it restricts self-hosting to a degree.

[tnull]

Cool, thanks for addressing the feedback!

Basically LGTM from my side, mod the outstanding comments/nits (use HashMap in trait, improve UntrustedString, possibly rename module).

Probably @G8XSU wants to have a look also.

[tnull]

Should this be true? If we don't have a token/expiry set, wouldn't it mean we'd consider it expired?

[wvanlint]

If we have a token, it's possible it does not have an expiry (not a good idea, but that's up to the JWT signer). However, if the token is not present, we would need to fetch it. Moved the is_expired method to the JWT token to make these cases clearer.

[tnull]

Ah, alright.

[tnull]

nit: Could make this a simple if/else rather than using an early-return pattern.

[wvanlint]

Done.

[tnull]

LGTM from my side, I think.

[wvanlint]

@G8XSU Could you write down what you mentioned during the LDK dev sync for anything that needs to be addressed?

[G8XSU]

Imo, we should also provide request as input to this trait.
This can enable adding headers for request-signing etc.

[wvanlint]

I was adding this, but the trait does need to remain object-safe since we use dyn VssHeaderProvider, so we can't use generics here to provide the structured request. The binary serialization of the body can be provided though specifically for request signing. Shall I add that?

[G8XSU]

Yes i think we can add serialized request, that should be enough for request signing.

[wvanlint]

Done.

[G8XSU]

Was planning to re-use the existing defined VssError here.

1 additional variant needs to be added i.e. VssError::AuthError (let me make this proto change)
apart from that we should re-use InvalidRequestError and InternalError.

[wvanlint]

Sounds good! This will be a change in https://github.com/lightningdevkit/vss-server/blob/main/app/src/main/proto/vss.proto right? Would you like to make the change or shall I open a PR?

[G8XSU]

I can do that.

[wvanlint]

Using the AuthError and InternalError now.

[G8XSU]

is this mandatory?
Are we good if we derive the key from vss-seed/vss-secret?
This is because i don't expect this headerProvider to have access to wallet seed.

[wvanlint]

Yes, I think this is useful for portability following the LNURL Auth spec. I believe we can have access similar to here: https://github.com/lightningdevkit/ldk-node/blob/640a1fdb7833ad9c74ede0926f990d85ac1b3bca/src/builder.rs#L342 ?

We discussed this a little bit on Slack (https://cash.slack.com/archives/C03Q9S7K99R/p1707986857336199?thread_ts=1706544261.279069&cid=C03Q9S7K99R) whether to go with LUD-05 or LUD-13 (based on a node signature), but LUD-05 seemed more straight-forward.

[G8XSU]

Ideally, this auth provider shouldn't have access to wallet seed, we can derive the parent key for auth and provide to auth-provider.

now that parent key can either be derived from wallet seed directly or from vss-secret.

i preferred the later because both data-encryption and request-signing keys would be derived from vss-secret but i see your point about benefit of deriving from wallet seed to follow spec. (but i thought the spec is just "derive a key by some path")

I am ok with both the options here depending on if ldk-node plans on using lnurl auth at other places.

[wvanlint]

Would we provide a helper for the parent key derivation to avoid user error? If so, the exposure might be similar? Overall, I felt like giving the wallet seed directly is less error prone and should be safe if the repo is well-reviewed.

[G8XSU]

It isn't just about this authorizer, imo this pattern of passing around wallet seed to code(potentially implemented by non-ldk-node) should be avoided, even if we maintain this repo directly.

we can just send the hardened derived parent key.

@tnull , any thoughts around seed derivation here?

[tnull]

Hm, I agree that handing around the wallet seed is a bit unfortunate. Given that we already deviate from the LNURL spec (and hence basically run a custom protocol), I assume it's fine to use a (seed derived from a) hardened child key as input here, preferably the VSS secret or even one derived from that? At least I currently don't see why it would make a difference?

[wvanlint]

Is the deviation you mentioned the return of a JWT token from the LNURL Auth server?

The only reason to use the specification would be to get to a point where Lightning wallets can be portable between implementations with just a wallet seed, and have a well-defined derivation from the wallet seed to the linking key to access the protected data on the VSS server side. That might be out of scope right now though, and things will work either way for a single implementation. It just might be difficult to migrate existing VSS data to a different linking key, other things like using JWT are easier to change I think.

[tnull]

Is the deviation you mentioned the return of a JWT token from the LNURL Auth server?

Yes. And that generally we're implementing a protocol that is not specified anywhere but in code. This is fine, but it means we're currently rolling something pretty custom and if interoperability with other protocols should be ascertained in the future, I expect to be further changes necessary anyways?

The only reason to use the specification would be to get to a point where Lightning wallets can be portable between implementations with just a wallet seed, and have a well-defined derivation from the wallet seed to the linking key to access the protected data on the VSS server side. That might be out of scope right now though, and things will work either way for a single implementation. It just > might be difficult to migrate existing VSS data to a different linking key, other things like using JWT are easier to > change I think.

Right, but it's ambiguous as it is: I think we expect the seed to be the seed of the onchain wallet, but we also have the seed for the Lightning wallet, which may or may not be derived from the former (usually is, e.g., in LDK Node). Some nodes might not even have an onchain wallet readily available, so they'd need to use something different. All that is to say: if we want to define a standard, we should do exactly that: clearly define which derivation path is expected (e.g., '877' for 'VSS'?).

[G8XSU]

We don't expect ldk-node specific storage to be interoperable with other wallets.
This only needs to be interoperable within ldk-node, and for that deriving from any path of master should be fine.

[G8XSU]

could be renamed to "cached_jwt_token"

[wvanlint]

Done.

[G8XSU]

should we rename public_key -> linking_key and private_key ->linking_key_xpriv?

[wvanlint]

Done.

[G8XSU]

do we need to verify something here? will we get jwt signature ?

[wvanlint]

Hmm, we can do more extensive validation (which might require additional dependencies), but I think it's okay to consider the JWT token as opaque as possible as validation will always occur at the consuming service. We also can't always verify the signature, e.g. the JWT token is signed by a symmetric key known by a joint LNURL Auth / VSS provider.

[G8XSU]

iiuc, we expect claim.subject==linkingKey, maybe we could just verify that in claim?

[G8XSU]

We have tried to minimize dependencies in this crate,
it might make sense to feature-gate these additional deps to "lnurl-auth" ?

[G8XSU]

How does hosted service provider map/link node's identity with linking_key for authorization purpose ?
will we expose some get method in ldk-node interface?

As backend would be using linking-key as user-identity, we have established authentication, but how does service provide correlate with their actual paid-user etc?

[wvanlint]

We're currently aiming to keep authentication and authorization separate, using an API key is sufficient for our authorization purposes for now. We discussed this briefly offline here https://square.enterprise.slack.com/archives/C03Q9S7K99R/p1710885872464219?thread_ts=1706544261.279069&channel=C03Q9S7K99R&message_ts=1710885872.464219

We can verify a node id signature in the future or do something more complex like https://github.com/ZmnSCPxj-jr/lsptoken. The latter aims to reduce the conflict of interest when the VSS provider is also the LSP of the user. The LSP token implementation could prove that a VSS request is coming from a LSP user without the LSP being able to determine exactly which counterparty it is.

[G8XSU]

I understand for that usecase it is sufficient to have fixed header based api-key authorization,
I wanted to understand if other users might need access to linkingKey for user-identification for authorization purpose,
if yes, then ldk-node will need access to it and somehow might need to expose it in future?

(whether to expose linkingKey or not can be tackled separately and doesn't block this pr)

cc: @tnull

[tnull]

Yeah, I agree we can just leave it for now. If we ever find a use case that would want to reuse the linking key, we can reconsider if it's worth it. Possibly at that point it might even make sense to run a separate auth round, at least if there is no hard requirement to reuse exactly the same linking key.

[wvanlint]

@G8XSU Split off the header provider trait in #31 as requested.

[G8XSU]

imo, if creating a map from provided headers failed, it could be InvalidRequestError

[G8XSU]

'A' should be capital for 'Authorization' header

[G8XSU]

It isn't just about this authorizer, imo this pattern of passing around wallet seed to code(potentially implemented by non-ldk-node) should be avoided, even if we maintain this repo directly.

we can just send the hardened derived parent key.

@tnull , any thoughts around seed derivation here?

[G8XSU]

iiuc, we expect claim.subject==linkingKey, maybe we could just verify that in claim?

[G8XSU]

I understand for that usecase it is sufficient to have fixed header based api-key authorization,
I wanted to understand if other users might need access to linkingKey for user-identification for authorization purpose,
if yes, then ldk-node will need access to it and somehow might need to expose it in future?

(whether to expose linkingKey or not can be tackled separately and doesn't block this pr)

cc: @tnull