akhavr / nostrya

GNU General Public License v3.0

Login with nostr #3

Open akhavr opened 1 year ago

akhavr commented 1 year ago

User should be able to log in with nostr and have his identity connected to the git one.

What should happen:

  1. User with email alice@nostrya.com logs in with nostr to the web UI (whatever it takes)
  2. She adds a comment to an existing issue
  3. Nostrya runs bridge push in the background to GitHub
  4. GitHub shows the correct user profile of alice@nostrya.com in the comments

akhavr commented 1 year ago

Identity management is done in entities/identity package (https://github.com/MichaelMure/git-bug/blob/master/doc/architecture.md#identity )

Consider handling every nostr identity as remote: see ReadRemote etc

akhavr commented 1 year ago

.. or even straight NewIdentity and NewIdentityFull

akhavr commented 1 year ago

Detailed the desired result

akhavr commented 1 year ago

So, investigating how git identity travels through bridge.

PS second task - create git id from cmd line

akhavr commented 1 year ago

test comment

akhavr commented 1 year ago

Managing github tokens from CLI: commands/bridge/bridge_auth_addtoken.go

$ git bug bridge  auth add-token -h
Store a new token

Usage:
  git-bug bridge auth add-token [TOKEN] [flags]

Flags:
  -t, --target string   The target of the bridge. Valid values are [github,gitlab,jira,launchpad-preview]
  -l, --login string    The login in the remote bug-tracker
  -u, --user string     The user to add the token to. Default is the current user
  -h, --help            help for add-token

akhavr commented 1 year ago

Managing github tokens from CLI: commands/bridge/bridge_auth_addtoken.go

user, err = env.Backend.Identities().ResolvePrefix(opts.user)

akhavr commented 1 year ago

cache/subcache.go

akhavr commented 1 year ago

So, local identities are saved in git repo under refs/identities/ prefix (see entities/identity/identity.go)

akhavr commented 1 year ago

Hmm.... NostrGit doesn't plan to sync with github now

akhavr commented 1 year ago

Basically, when logging in with nostr, we run git bug user new with the respective keys:

Flags:
  -a, --avatar string     Avatar URL
  -e, --email string      Email of the user
  -h, --help              help for new
  -n, --name string       Name to identify the user
      --non-interactive   Do not ask for user input

Optionally let user add his github token.

Perhaps show nostr npub on the profile page.

akhavr commented 1 year ago

Test login with nostr with Alby

cypherhoodlum commented 1 year ago

@akhavr, sorry I was not aware of this issue.

> Hmm.... NostrGit https://github.com/NostrGit/NostrGit/issues/115#issuecomment-1468351220

I'm not against having github bridges in general, if you want to try to implement them. I just meant (in the issue you linked) that it is not something we have planned as of yet. If you want to try to implement a solution for that, go ahead! :rocket: Sorry for the confusion! Your work has not been for nothing :smile:

akhavr commented 1 year ago

> @akhavr, sorry I was not aware of this issue.
>
> > Hmm.... NostrGit NostrGit/NostrGit#115 (comment)
>
> I'm not against having github bridges in general, if you want to try to implement them. I just meant (in the issue you linked) that it is not something we have planned as of yet.

Yes, I've got it perfectly, no problem.

Hopefully I'll be able to release something working in a couple of weeks.

akhavr commented 1 year ago

So far npub = nip19.npubEncode(hex); in browser fails with Uncaught TypeError: can't convert BigInt to number

akhavr commented 1 year ago

Ok, rebuilding webui from scratch step-by-step to see where it breaks.

So far it fails when trying to add themes:

$ npm install @mui/styles/defaultTheme
[...]
npm ERR! While resolving: my-app@0.1.0
npm ERR! Found: react@18.2.0
npm ERR! node_modules/react
npm ERR!   react@"^18.2.0" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer react@"^17.0.0" from @mui/styles@5.11.13
npm ERR! node_modules/@mui/styles
npm ERR!   @mui/styles@"*" from the root project

akhavr commented 1 year ago

Ok, version issues are resolved. Now working on starting correct graphql

akhavr commented 1 year ago

Note this in webui.go:

    // If the webUI is not read-only, use an authentication middleware with a
    // fixed identity: the default user of the repo
    // TODO: support dynamic authentication with OAuth
    if !opts.readOnly {
        author, err := identity.GetUserIdentity(env.Repo)
        if err != nil {
            return err
        }
        router.Use(auth.Middleware(author.Id()))
    }

akhavr commented 1 year ago

Ok, so git-bug actually runs two webservers: one in golang for git-related stuff and the backend, the other react-based.

akhavr commented 1 year ago

Transferring all git-bug related plumbing from the golang project to the react one just to figure out why react can't convert BigInt somewhere in the cryptographic library is a mess.

Let's go a different way: dump the existing react webui within git-bug and add it back with Nostr login, step-by-step, figuring out where it fails.

akhavr commented 1 year ago

Uncaught TypeError: can't convert BigInt to number
    SWUFpSqrtRatio weierstrass.ts:1068
    mapToCurveSimpleSWU weierstrass.ts:1137
    node_modules bundle.js:48538
    factory react refresh:6
    Webpack 19
weierstrass.ts:1068

Bug happens somewhere in @noble/curves/esm/secp256k1.js

[image]

akhavr commented 1 year ago

https://github.com/paulmillr/noble-secp256k1/issues/64 ?

akhavr commented 1 year ago

  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }

in package.json fixes this

akhavr commented 1 year ago

Default page with bug list is rendered in pages/list/ListQuery.txt

User data is retrieved by useCurrentIdentityQuery defined in components/Identity/CurrentIdentity.generated which then queries graphql

akhavr commented 1 year ago

query CurrentIdentity {
  repository {
    name
    userIdentity {
      ...Identity
    }
  }
}

fragment Identity on Identity {
  id
  humanId
  displayName
  email
  name
  avatarUrl
  isProtected
  login
}

akhavr commented 1 year ago

On the other side, webui.go -> identity_user.go:GetUserIdentity -> GetUserIdentityId -> repo.LocalConfig().ReadString(identityConfigKey)

const identityConfigKey = "git-bug.identity"

akhavr commented 1 year ago

On the golang side:

api/auth.UserFromCtx({0x13e1da0, 0xc0003a69f0}, 0xc00029e480)
    api/auth/context.go:27 +0x56
api/graphql/resolvers.repoResolver.UserIdentity({}, {0x13e1da0?, 0xc0003a69f0?}, 0x7fc08656a6f0?)
    api/graphql/resolvers/repo.go:157 +0x2b
api/graphql/graph.(*executionContext)._Repository_userIdentity.func2({0x13e1da0?, 0xc0003a69f0})
    api/graphql/graph/repository.generated.go:541 +0x84
github.com/99designs/gqlgen/graphql/executor.processExtensions.func4({0x13e1da0?, 0xc0003a69f0?}, 0xc0000fe8c0?)
    /go/pkg/mod/github.com/99designs/gqlgen@v0.17.20/graphql/executor/extensions.go:72 +0x26
api/graphql/graph.(*executionContext)._Repository_userIdentity(0xc00031a0c0, {0x13e1da0, 0xc0003a6930}, {0xc00029e780?, {0xc00029a8a0?, 0x0?, 0x0?}}, 0xc00031a1c0)
    api/graphql/graph/repository.generated.go:539 +0x228
api/graphql/graph.(*executionContext)._Repository.func11({0x13e1da0?, 0xc0003a6930?})
    api/graphql/graph/repository.generated.go:773 +0xa9
api/graphql/graph.(*executionContext)._Repository.func12()
    api/graphql/graph/repository.generated.go:778 +0x25
github.com/99designs/gqlgen/graphql.(*FieldSet).Dispatch.func1({0x0?, 0xc00029ac00?})
    /go/pkg/mod/github.com/99designs/gqlgen@v0.17.20/graphql/fieldset.go:42 +0x3c
created by github.com/99designs/gqlgen/graphql.(*FieldSet).Dispatch
    /go/pkg/mod/github.com/99designs/gqlgen@v0.17.20/graphql/fieldset.go:41 +0x265

akhavr commented 1 year ago

Hmm.... What rights and permissions should a nostr-authenticated user get?...

akhavr commented 1 year ago

Possible permissions:

Trying to fit it in this multilayered system

akhavr commented 1 year ago

In https://github.com/MichaelMure/git-bug/issues/640 there's a discussion about introducing OAuth support

akhavr commented 1 year ago

Reading https://github.com/go-pkgz/auth re OAuth support

akhavr commented 1 year ago

Trying this example https://github.com/go-pkgz/auth/blob/master/_example/main.go

akhavr commented 1 year ago

3 hackable candidates:

akhavr commented 1 year ago

* devauth

Works only to streamline development

* ~anonymous~ direct provider

Could be used if server-side challenge is sent together with the main page

* custom oauth2 server

Most likely candidate.

akhavr commented 1 year ago

Where's the code for login page of this custom oauth2 server?

akhavr commented 1 year ago

> Where's the code for login page of this custom oauth2 server?

Read https://github.com/go-pkgz/auth#custom-oauth2

akhavr commented 1 year ago

Plan:

akhavr commented 1 year ago

func (p Oauth2Handler) AuthHandler(w http.ResponseWriter, r *http.Request) {
    oauthClaims, _, err := p.JwtService.Get(r)

Returned oauthClaims has wrong state. I don't get something, obviously

akhavr commented 1 year ago

Ok, wrong cookie :-/

akhavr commented 1 year ago

At what moment does it set the JWT cookie?

akhavr commented 1 year ago

Works. Problem was related to stale cookie and 127.0.0.1 vs localhost confusion.

akhavr commented 1 year ago

* [ ]  add oauth2 github + custom login support to git-bug

Current take: upon login attempt check against existing user identities in git-bug store and reject if not found.

akhavr commented 1 year ago

..looking at git bug user new implementation

akhavr commented 1 year ago

    id, err := env.Backend.Identities().NewRaw(opts.name, opts.email, "", opts.avatarURL, nil, nil)

akhavr commented 1 year ago

/entities/identity/version.go: type version struct

Perhaps the nostr pubkey is better stored in metadata to stay compatible

akhavr commented 1 year ago

Nostr auth might return git-bug user identity id, but this won't be compatible with github oauth authentication.

github.com:go-pkgz/auth returns claims in the following form (see _example/main.go):

        Validator: token.ValidatorFunc(func(_ string, claims token.Claims) bool { // rejects some tokens
            if claims.User != nil {
                if strings.HasPrefix(claims.User.ID, "github_") { // allow all users with github auth
                    return true
                }
                if strings.HasPrefix(claims.User.ID, "microsoft_") { // allow all users with ms auth
...

akhavr commented 1 year ago

Basically, instead of router.Use(auth.Middleware(author.Id())), which uses a fixed user id (see api/auth/middleware.go), I'd better use https://github.com/go-pkgz/auth#user-info
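
One way to combine the "reject if not found" check with a per-request identity in place of the fixed one, as an added example that is not part of the original thread and not code from git-bug or go-pkgz/auth. `Claims`, `IdentityStore`, `WithIdentity` and `IdentityFrom` are hypothetical names, and the claims are assumed to come from a token that was already verified.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Claims is a hypothetical stand-in for the user part of already-verified login claims.
type Claims struct{ UserID string } // e.g. "github_alice" or "nostr_<hex pubkey>"

// IdentityStore maps a provider-prefixed login to a local identity ID (constructed stand-in).
type IdentityStore map[string]string

var acceptedProviders = []string{"github_", "nostr_"}
type ctxKey struct{} // private context key type, so other packages cannot overwrite it

// Resolve fails closed: no claims, an unaccepted provider or an unknown login is rejected.
func (s IdentityStore) Resolve(c *Claims) (string, error) {
	if c == nil {
		return "", fmt.Errorf("no verified claims")
	}
	for _, p := range acceptedProviders {
		if id, ok := s[c.UserID]; ok && strings.HasPrefix(c.UserID, p) {
			return id, nil
		}
	}
	return "", fmt.Errorf("login %q rejected: unknown identity or provider", c.UserID)
}

// WithIdentity binds the resolved identity to this request's context only,
// instead of one fixed identity shared by every caller of the web UI.
func WithIdentity(ctx context.Context, s IdentityStore, c *Claims) (context.Context, error) {
	id, err := s.Resolve(c)
	if err != nil {
		return ctx, err
	}
	return context.WithValue(ctx, ctxKey{}, id), nil
}

// IdentityFrom returns the per-request identity, or false when none was bound.
func IdentityFrom(ctx context.Context) (string, bool) {
	id, ok := ctx.Value(ctxKey{}).(string)
	return id, ok
}

func main() {
	store := IdentityStore{"nostr_ab12": "identity-1"} // constructed sample data
	_, err := WithIdentity(context.Background(), store, &Claims{UserID: "nostr_ffff"})
	fmt.Println("unknown login:", err)
}
```

A resolver that fell back to the repository's default user on a failed lookup would give every authenticated stranger write access under that identity, which is why the lookup returns an error rather than a default.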

akhavr commented 1 year ago

Le Professionnel crashes compiler while learning new language :)

$ go get github.com/go-pkgz/auth
panic: internal error: can't find reason for requirement on github.com/golang/snappy@v0.0.1

goroutine 1 [running]:
cmd/go/internal/modget.(*resolver).updateBuildList.func1({{0xc000d8ca98?, 0xc000772f00?}, {0xc00011ae80?, 0xc0000114b8?}})
    /usr/lib/go-1.18/src/cmd/go/internal/modget/get.go:1760 +0x114
cmd/go/internal/modget.(*resolver).updateBuildList(0xc000332100, {0xadc858, 0xc00011a000}, {0x0, 0x0, 0x0})
    /usr/lib/go-1.18/src/cmd/go/internal/modget/get.go:1765 +0x593
cmd/go/internal/modget.(*resolver).applyUpgrades(0xc000332100, {0xadc858, 0xc00011a000}, {0x0?, 0x1?, 0x46fa6f?})
    /usr/lib/go-1.18/src/cmd/go/internal/modget/get.go:1312 +0x105
cmd/go/internal/modget.runGet({0xadc858, 0xc00011a000}, 0xc000146450?, {0xc000114170, 0x1, 0x1})
    /usr/lib/go-1.18/src/cmd/go/internal/modget/get.go:351 +0x45e
main.invoke(0xdb79a0, {0xc000114160, 0x2, 0x2})
    /usr/lib/go-1.18/src/cmd/go/main.go:218 +0x2ee
main.main()
    /usr/lib/go-1.18/src/cmd/go/main.go:175 +0x78e

akhavr commented 1 year ago

Checking if it would reproduce under golang 1.20.2

akhavr commented 1 year ago

Well, the panic does reproduce, but looks like it doesn't matter: compilation passes on both golang versions.