Auth Duniter v2 : vérification réelle + extension signing + titres outils

Backend : - Vérification Sr25519/Ed25519 réelle via substrateinterface (bypass démo) - Message signé : <Bytes>{challenge}</Bytes> (convention polkadot.js) - DEV_PROFILES : Charlie → Référent structure, Dave → Auteur (WoT member) Frontend : - Signing via extension polkadot.js / Cesium2 (_signWithExtension) - @polkadot/extension-dapp + @polkadot/util installés - Vite : global=globalThis + optimizeDeps pour les packages polkadot - Boîte à outils : titres complets des 4 sections Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-24 03:36:51 +01:00
parent 02629c4e68
commit 224e5b0f5e
6 changed files with 2831 additions and 24 deletions
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -45,15 +45,15 @@ DEV_PROFILES = [
    },
    {
        "address": "5FLSigC9HGRKVhB9FiEo4Y3koPsNmBmkP7j4bJa3zN7d8tY",
-        "display_name": "Charlie (Comite Tech)",
+        "display_name": "Charlie (Référent structure)",
        "wot_status": "member",
        "is_smith": True,
        "is_techcomm": True,
    },
    {
        "address": "5DAAnrj7VHTznn2AWBemMuyBwZWs6FNFjdyVXUeYum3PTXFy",
-        "display_name": "Dave (Observateur)",
-        "wot_status": "unknown",
+        "display_name": "Dave (Auteur)",
+        "wot_status": "member",
        "is_smith": False,
        "is_techcomm": False,
    },
@@ -132,15 +132,40 @@ async def verify_challenge(
            detail="Challenge invalide",
        )

-    # 4. Verify Ed25519 signature
-    # TODO: Implement actual Ed25519 verification using substrate-interface
-    # For now we accept any signature to allow development/testing.
-    # In production this MUST verify: verify(address_pubkey, challenge_bytes, signature_bytes)
-    #
-    # from substrateinterface import Keypair
-    # keypair = Keypair(ss58_address=payload.address)
-    # if not keypair.verify(payload.challenge.encode(), bytes.fromhex(payload.signature)):
-    #     raise HTTPException(status_code=401, detail="Signature invalide")
+    # 4. Verify signature (bypass for demo profiles in DEMO_MODE)
+    _demo_addresses = {p["address"] for p in DEV_PROFILES}
+    is_demo_bypass = settings.DEMO_MODE and payload.address in _demo_addresses
+
+    if not is_demo_bypass:
+        # polkadot.js / Cesium2 signRaw(type='bytes') wraps: <Bytes>{challenge}</Bytes>
+        message = f"<Bytes>{payload.challenge}</Bytes>".encode("utf-8")
+        sig_hex = payload.signature.removeprefix("0x")
+        try:
+            sig_bytes = bytes.fromhex(sig_hex)
+        except ValueError:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Format de signature invalide (hex attendu)",
+            )
+
+        from substrateinterface import Keypair, KeypairType
+
+        verified = False
+        # Try Sr25519 first (default Substrate/Cesium2), then Ed25519 (Duniter v1 migration)
+        for key_type in [KeypairType.SR25519, KeypairType.ED25519]:
+            try:
+                kp = Keypair(ss58_address=payload.address, crypto_type=key_type)
+                if kp.verify(message, sig_bytes):
+                    verified = True
+                    break
+            except Exception:
+                continue
+
+        if not verified:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Signature invalide",
+            )

    # 5. Consume the challenge
    del _pending_challenges[payload.address]
--- a/frontend/app/pages/tools.vue
+++ b/frontend/app/pages/tools.vue
@@ -23,7 +23,7 @@ interface ToolSection {
 const sections: ToolSection[] = [
  {
    key: 'documents',
-    title: 'Documents',
+    title: 'Documents de référence',
    icon: 'i-lucide-book-open',
    color: 'var(--mood-accent)',
    tools: [
@@ -36,7 +36,7 @@ const sections: ToolSection[] = [
  },
  {
    key: 'decisions',
-    title: 'Décisions',
+    title: 'Décisions et consultation d\'avis',
    icon: 'i-lucide-scale',
    color: 'var(--mood-secondary, var(--mood-accent))',
    tools: [
@@ -49,7 +49,7 @@ const sections: ToolSection[] = [
  },
  {
    key: 'mandats',
-    title: 'Mandats',
+    title: 'Mandats et nominations',
    icon: 'i-lucide-user-check',
    color: 'var(--mood-success)',
    tools: [
@@ -61,7 +61,7 @@ const sections: ToolSection[] = [
  },
  {
    key: 'protocoles',
-    title: 'Protocoles',
+    title: 'Protocoles et fonctionnement',
    icon: 'i-lucide-settings',
    color: 'var(--mood-tertiary, var(--mood-accent))',
    tools: [
--- a/frontend/app/stores/auth.ts
+++ b/frontend/app/stores/auth.ts
@@ -5,6 +5,40 @@
 * The identity object mirrors the backend IdentityOut schema.
 */

+/**
+ * Sign a challenge using the injected Duniter/Substrate wallet extension
+ * (Cesium2, polkadot.js extension, Talisman, etc.).
+ *
+ * The extension signs <Bytes>{challenge}</Bytes> to match the backend verifier.
+ */
+async function _signWithExtension(address: string, challenge: string): Promise<string> {
+  const { web3Enable, web3FromAddress } = await import('@polkadot/extension-dapp')
+  const { stringToHex } = await import('@polkadot/util')
+
+  const extensions = await web3Enable('libreDecision')
+  if (!extensions.length) {
+    throw new Error('Aucune extension Duniter détectée. Installez Cesium² ou Polkadot.js.')
+  }
+
+  let injector
+  try {
+    injector = await web3FromAddress(address)
+  } catch {
+    throw new Error(`Adresse ${address.slice(0, 10)}… introuvable dans l'extension.`)
+  }
+
+  if (!injector.signer?.signRaw) {
+    throw new Error("L'extension ne supporte pas la signature de messages bruts.")
+  }
+
+  const { signature } = await injector.signer.signRaw({
+    address,
+    data: stringToHex(challenge),
+    type: 'bytes',
+  })
+  return signature
+}
+
 export interface DuniterIdentity {
  id: string
  address: string
@@ -65,15 +99,12 @@ export const useAuthStore = defineStore('auth', {
          },
        )

-        // Step 2: Sign the challenge
-        // In production, signFn would use the Duniter keypair to produce an Ed25519 signature.
-        // For development, we use a placeholder signature.
+        // Step 2: Sign the challenge via polkadot.js / Cesium2 extension
        let signature: string
        if (signFn) {
          signature = await signFn(challengeRes.challenge)
        } else {
-          // Development placeholder -- backend currently accepts any signature
-          signature = 'dev_signature_placeholder'
+          signature = await _signWithExtension(address, challengeRes.challenge)
        }

        // Step 3: Verify and get token
--- a/frontend/nuxt.config.ts
+++ b/frontend/nuxt.config.ts
@@ -45,4 +45,13 @@ export default defineNuxtConfig({
  nitro: {
    compressPublicAssets: true,
  },
+  vite: {
+    define: {
+      // Polkadot packages expect a Node-like global
+      global: 'globalThis',
+    },
+    optimizeDeps: {
+      include: ['@polkadot/extension-dapp', '@polkadot/util'],
+    },
+  },
 })
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -14,6 +14,8 @@
    "@nuxt/content": "^3.11.2",
    "@nuxt/ui": "^3.1.0",
    "@pinia/nuxt": "^0.11.0",
+    "@polkadot/extension-dapp": "^0.46.9",
+    "@polkadot/util": "^13.5.9",
    "@unocss/nuxt": "^66.6.0",
    "@vueuse/nuxt": "^14.2.1",
    "nuxt": "^4.3.1",