2022-08-09 07:13:04 +00:00
2 changed files with 20 additions and 2 deletions
--- a/funding/routes.py
+++ b/funding/routes.py
@ -10,6 +10,9 @@ import settings
 from funding.factory import app, db, cache
 from funding.orm import Address, Slate

+import secp256k1
+import base58
+

@app.route('/')
 def index():
@ -50,11 +53,24 @@ def postSlate(receivingAddress, slate):
@app.route('/getSlates', methods=['POST'])
@endpoint.api(
    parameter('receivingAddress', type=str, required=True),
+    parameter('signature', type=str, required=True)
 )
-def getSlates(receivingAddress):
+def getSlates(receivingAddress, signature):
    try:
        if receivingAddress is None:
            return make_response(jsonify({'status': 'failure', 'error': str("missing correct arguments")}))
+        
+        # Deserialize the base-58 address to hex, and then to an internal public key format
+        # NOTE: This assumes that the network version (which is not part of the key) is exactly 2 bytes
+        public_key = secp256k1.PublicKey(base58.b58decode_check(receivingAddress)[2:])
+        
+        # Prepare the message bound to the signature: a domain separator and the encoded address
+        # For some reason, the original client code calls this the "challenge"
+        message = 'SubscribeRequest_' + receivingAddress
+
+        # Deserialize and verify the provided signature against the message and address public key
+        if not public_key.ecdsa_verify(message, public_key.ecdsa_deserialize(signature)):
+            return make_response(jsonify({'status': 'failure', 'error': str("bad signature")}))

        slates = Slate.find_slates(address=receivingAddress)
        return make_response(jsonify({'status': 'success', 'slates': slates}))
--- a/requirements.txt
+++ b/requirements.txt
@ -14,4 +14,6 @@ pypng
 pillow-simd
 Flask-Caching
 flask-sqlalchemy
-sqlalchemy_json
+sqlalchemy_json
+secp256k1
+base58