txnbuild: add muxed account & memo support to SEP-10 utility functions

exp/services/webauth/internal/serve/challenge.go

@@ -2,6 +2,7 @@ package serve
 
 import (
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
@@ -33,7 +34,9 @@ func (h challengeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	queryValues := r.URL.Query()
 
 	account := queryValues.Get("account")
-	if !strkey.IsValidEd25519PublicKey(account) {
+	isStellarAccount := strkey.IsValidEd25519PublicKey(account)
+	isMuxedAccount := strkey.IsValidMuxedAccountEd25519PublicKey(account)
+	if !isStellarAccount && !isMuxedAccount {
 		badRequest.Render(w)
 		return
 	}
@@ -57,17 +60,30 @@ func (h challengeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		homeDomain = h.HomeDomains[0]
 	}
 
+	var memo *txnbuild.MemoID
+	memoParam := queryValues.Get("memo")
+	if memoParam != "" {
+		memoInt, err := strconv.ParseUint(memoParam, 10, 64)
+		if err != nil {
+			badRequest.Render(w)
+			return
+		}
+		memoId := txnbuild.MemoID(memoInt)
+		memo = &memoId
+	}
+
 	tx, err := txnbuild.BuildChallengeTx(
 		h.SigningKey.Seed(),
 		account,
 		h.Domain,
 		homeDomain,
 		h.NetworkPassphrase,
 		h.ChallengeExpiresIn,
+		memo,
 	)
 	if err != nil {
 		h.Logger.Ctx(ctx).WithStack(err).Error(err)
-		serverError.Render(w)
+		badRequest.Render(w)
 		return
 	}
 

exp/services/webauth/internal/serve/token.go

@@ -2,6 +2,7 @@ package serve
 
 import (
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
@@ -11,6 +12,7 @@ import (
 	supportlog "github.com/stellar/go/support/log"
 	"github.com/stellar/go/support/render/httpjson"
 	"github.com/stellar/go/txnbuild"
+	"github.com/stellar/go/xdr"
 	"gopkg.in/square/go-jose.v2"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
@@ -52,9 +54,10 @@ func (h tokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		clientAccountID string
 		signingAddress  *keypair.FromAddress
 		homeDomain      string
+		memo            *txnbuild.MemoID
 	)
 	for _, s := range h.SigningAddresses {
-		tx, clientAccountID, homeDomain, err = txnbuild.ReadChallengeTx(req.Transaction, s.Address(), h.NetworkPassphrase, h.Domain, h.HomeDomains)
+		tx, clientAccountID, homeDomain, memo, err = txnbuild.ReadChallengeTx(req.Transaction, s.Address(), h.NetworkPassphrase, h.Domain, h.HomeDomains)
 		if err == nil {
 			signingAddress = s
 			break
@@ -80,10 +83,16 @@ func (h tokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		WithField("tx", hash).
 		WithField("account", clientAccountID).
 		WithField("serversigner", signingAddress.Address()).
-		WithField("homedomain", homeDomain)
+		WithField("homedomain", homeDomain).
+		WithField("memo", memo)
 
 	l.Info("Start verifying challenge transaction.")
 
+	muxedAccount, err := xdr.AddressToMuxedAccount(clientAccountID)
+	if err == nil {
+		clientAccountID = muxedAccount.ToAccountId().Address()
+	}
+
 	var clientAccountExists bool
 	clientAccount, err := h.HorizonClient.AccountDetail(horizonclient.AccountRequest{AccountID: clientAccountID})
 	switch {
@@ -140,10 +149,20 @@ func (h tokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var sub string
+	if muxedAccount == (xdr.MuxedAccount{}) {
+		sub = clientAccountID
+		if memo != nil {
+			sub += ":" + strconv.FormatUint(uint64(*memo), 10)
+		}
+	} else {
+		sub = muxedAccount.Address()
+	}
+
 	issuedAt := time.Unix(tx.Timebounds().MinTime, 0)
 	claims := jwt.Claims{
 		Issuer:   h.JWTIssuer,
-		Subject:  clientAccountID,
+		Subject:  sub,
 		IssuedAt: jwt.NewNumericDate(issuedAt),
 		Expiry:   jwt.NewNumericDate(issuedAt.Add(h.JWTExpiresIn)),
 	}

exp/services/webauth/internal/serve/token_test.go

@@ -46,6 +46,7 @@ func TestToken_formInputSuccess(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -146,6 +147,7 @@ func TestToken_formInputSuccess_jwtHeaderAndPayloadAreDeterministic(t *testing.T
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -255,6 +257,7 @@ func TestToken_jsonInputSuccess(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -412,6 +415,7 @@ func TestToken_jsonInputValidRotatingServerSigners(t *testing.T) {
 				homeDomain,
 				network.TestNetworkPassphrase,
 				time.Minute,
+				nil,
 			)
 			require.NoError(t, err)
 
@@ -497,6 +501,7 @@ func TestToken_jsonInputValidMultipleSigners(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -605,6 +610,7 @@ func TestToken_jsonInputNotEnoughWeight(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -691,6 +697,7 @@ func TestToken_jsonInputUnrecognizedSigner(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -777,6 +784,7 @@ func TestToken_jsonInputAccountNotExistSuccess(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -881,6 +889,7 @@ func TestToken_jsonInputAccountNotExistFail(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -963,6 +972,7 @@ func TestToken_jsonInputAccountNotExistNotAllowed(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -1047,6 +1057,7 @@ func TestToken_jsonInputUnrecognizedServerSigner(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -1248,6 +1259,7 @@ func TestToken_jsonInputInvalidWebAuthDomainFail(t *testing.T) {
 		homeDomain,
 		network.TestNetworkPassphrase,
 		time.Minute,
+		nil,
 	)
 	require.NoError(t, err)
 

txnbuild/CHANGELOG.md

@@ -6,6 +6,16 @@ file.  This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## Unreleased
 
+### Breaking changes
+
+* Muxed accounts and ID memos can be used in the `BuildChallengeTx()` and `ReadChallengeTx()` SEP-10 utilitiy functions to identify users of shared Stellar accounts. ([#4746](https://github.com/stellar/go/pull/4746))
+  * `BuildChallengeTx()`:
+    * Muxed account addresses can be passed as the `clientAccountID`.
+    * Adds an additional parameter of type `*txnbuild.MemoID`. Memos cannot be specified if the `clientAccoutID` id a muxed account address.
+  * `ReadChallengeTx()`:
+    * Muxed account addresses may be returned as the `clientAccountID`.
+    * Adds an additional return value of type `*txnbuild.MemoID`.
+
 
 ## [10.0.0](https://github.com/stellar/go/releases/tag/horizonclient-v9.0.0) - 2022-04-18
 

txnbuild/example_test.go

@@ -760,7 +760,7 @@ func ExampleBuildChallengeTx() {
 	webAuthDomain := "webauthdomain.example.org"
 	timebound := time.Duration(5 * time.Minute)
 
-	tx, err := BuildChallengeTx(serverSignerSeed, clientAccountID, webAuthDomain, anchorName, network.TestNetworkPassphrase, timebound)
+	tx, err := BuildChallengeTx(serverSignerSeed, clientAccountID, webAuthDomain, anchorName, network.TestNetworkPassphrase, timebound, nil)
 	check(err)
 
 	txeBase64, err := tx.Base64()