ZeusLN / zeus

A mobile Bitcoin wallet fit for the gods. ⚡️ Est. 563345
https://ZeusLN.com

Lnurl-auth failing sometimes #550

Closed saucecoat closed 3 years ago

saucecoat commented 3 years ago

The lnurl-auth functionality doesn't work reliably right now. I tried to log in on lightninglogin.live and the first login usually works. If I log out and try to log in again, the login fails and I get the error message: Invalid signature. After some time I can log in again.

kaloudis commented 3 years ago

@pseudozach fyi

pseudozach commented 3 years ago

Looks like they're using https://github.com/chill117/passport-lnurl-auth. I get the same error on https://lnurl-toolbox.degreesofzero.com. I reached out to @chill117, who's the library maintainer, and will check with him where the gap is.

pseudozach commented 3 years ago

Current status: I've reproduced the issue. Looks like somehow secp256k1, which is used by some libraries, is stricter compared to the elliptic and fast-sha256 that Zeus is using, so we end up with an invalid signature depending on the k1 provided by the lnurl-auth service.

```
$ node lnurlauthtest.js
k1, domain: bb7525afb3f340c0cbe9d018acfb7a17dab25e618fe8e4ab88f3f9b875739e7b lnurl-toolbox.degreesofzero.com
linkingKeyPriv: 2a060124b78548bca3f14e76f3e597f7f91da32cd6d3a4a78a33d9a1fc76ea50
linkingKeyPub: 0371cf12e0f3c376616ded62c82d28b8f993943dcee070d769867058ea68fe0405
sig: 3045022100eb2d2e4d0e84eebb9dbd635fda1b5209bff8338d607cbde14990a8b0a7cd7d0202205912c37fe9b2f171b4ab3f4f9b81abd95ef6de9d48d163900629336e54a2cce0
secp256k1 privkey valid
secp256k1 ecdsaVerify signature?: true
elliptic verification ok: true
lnurl-node ok
```

```
$ node lnurlauthtest.js
k1, domain: c7bd00833bf66b33b9a7da548c54068cc7b5d2c4bb207a9d90f11817eec0f9a6 lnurl-toolbox.degreesofzero.com
linkingKeyPriv: 2a060124b78548bca3f14e76f3e597f7f91da32cd6d3a4a78a33d9a1fc76ea50
linkingKeyPub: 0371cf12e0f3c376616ded62c82d28b8f993943dcee070d769867058ea68fe0405
sig: 3046022100a83eeb44eeeaef075cd0cc503d4da24f221e1c71496147b76c8d7993032cac92022100e2c2172bf35586cf1fb82c0b79fca9f08945e68797f34a4f891d85a2c4bbe23e
secp256k1 privkey valid
secp256k1 ecdsaVerify signature?: false
elliptic verification ok: true
lnurl-node (secp256k1) verification failed
```

The simplest solution would be to move to secp256k1, which blixt is using as well, but for some reason I was unable to import and use it in Zeus.

I'll try to find if there's some other way to mitigate this.
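
Added example, not part of the comment above and not code from Zeus or the libraries named in this thread: it parses the two DER signatures from the posted output and shows that the rejected one has its S value in the upper half of the secp256k1 group order, a form that libsecp256k1's ECDSA verification does not accept, then rewrites it in lower-S form. The thread itself does not name the cause; the function names (`parseDerSignature`, `isLowS`, `normalizeLowS`) are hypothetical.

```javascript
// Added example: inspect and normalize the S value of DER-encoded secp256k1 ECDSA signatures.
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n; // group order n
const HALF_N = N >> 1n;

// Parse a DER ECDSA signature: 30 len 02 rlen r 02 slen s (short-form lengths only).
function parseDerSignature(hex) {
  const b = Buffer.from(hex, 'hex');
  if (b.length < 8 || b[0] !== 0x30 || b[1] !== b.length - 2) throw new Error('bad DER sequence');
  let off = 2;
  const readInt = () => {
    if (off + 2 > b.length || b[off] !== 0x02) throw new Error('expected INTEGER');
    const len = b[off + 1];
    const start = off + 2;
    if (len === 0 || start + len > b.length) throw new Error('bad INTEGER length');
    off = start + len;
    return BigInt('0x' + b.subarray(start, off).toString('hex'));
  };
  const r = readInt();
  const s = readInt();
  if (off !== b.length) throw new Error('trailing bytes');
  return { r, s };
}

// Minimal DER INTEGER: no leading zero bytes, one 00 prefix if the top bit is set.
function derInt(v) {
  let h = v.toString(16);
  if (h.length % 2) h = '0' + h;
  if (parseInt(h.slice(0, 2), 16) & 0x80) h = '00' + h;
  return '02' + (h.length / 2).toString(16).padStart(2, '0') + h;
}

// True when s <= n/2, the only form a lower-S-enforcing verifier accepts.
function isLowS(hex) { return parseDerSignature(hex).s <= HALF_N; }

// Replace s with n - s when it is in the upper half; (r, n - s) is valid for the same key and message.
function normalizeLowS(hex) {
  const { r, s } = parseDerSignature(hex);
  const body = derInt(r) + derInt(s > HALF_N ? N - s : s);
  return '30' + (body.length / 2).toString(16).padStart(2, '0') + body;
}

// The two signatures copied from the test output posted in this thread.
const SIG_OK = '3045022100eb2d2e4d0e84eebb9dbd635fda1b5209bff8338d607cbde14990a8b0a7cd7d0202205912c37fe9b2f171b4ab3f4f9b81abd95ef6de9d48d163900629336e54a2cce0';
const SIG_REJECTED = '3046022100a83eeb44eeeaef075cd0cc503d4da24f221e1c71496147b76c8d7993032cac92022100e2c2172bf35586cf1fb82c0b79fca9f08945e68797f34a4f891d85a2c4bbe23e';
console.log(isLowS(SIG_OK), isLowS(SIG_REJECTED), normalizeLowS(SIG_REJECTED));
```

A signer built on elliptic can request this form directly with the `canonical: true` option to `sign`, which avoids post-processing the signature.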

ZeusLN commented 3 years ago

https://github.com/ZeusLN/zeus/pull/553