Refactor authentication challenge logic in HandleCount and HandleReq

- Updated the authentication challenge conditions in both HandleCount and HandleReq functions to check for the presence of an authenticated public key.
- Introduced the schnorr package to handle public key length validation.
- Bumped version to v0.25.7 to reflect these changes.

.github/workflows/go.yml

@@ -36,7 +36,10 @@ jobs:
         run: CGO_ENABLED=0 go build -v ./...
 
       - name: Test (Pure Go + purego)
-        run: CGO_ENABLED=0 go test -v $(go list ./... | xargs -n1 sh -c 'ls $0/*_test.go 1>/dev/null 2>&1 && echo $0' | grep .)
+        run: |
+          # Copy the libsecp256k1.so to root directory so tests can find it
+          cp pkg/crypto/p8k/libsecp256k1.so .
+          CGO_ENABLED=0 go test -v $(go list ./... | xargs -n1 sh -c 'ls $0/*_test.go 1>/dev/null 2>&1 && echo $0' | grep .)
   release:
     needs: build
     runs-on: ubuntu-latest

app/handle-count.go

@@ -9,6 +9,7 @@ import (
 	"lol.mleku.dev/chk"
 	"lol.mleku.dev/log"
 	"next.orly.dev/pkg/acl"
+	"next.orly.dev/pkg/crypto/ec/schnorr"
 	"next.orly.dev/pkg/encoders/envelopes/authenvelope"
 	"next.orly.dev/pkg/encoders/envelopes/countenvelope"
 	"next.orly.dev/pkg/utils/normalize"
@@ -28,7 +29,7 @@ func (l *Listener) HandleCount(msg []byte) (err error) {
 	log.D.C(func() string { return fmt.Sprintf("COUNT sub=%s filters=%d", env.Subscription, len(env.Filters)) })
 
 	// If ACL is active, auth is required, or AuthToWrite is enabled, send a challenge (same as REQ path)
-	if acl.Registry.Active.Load() != "none" || l.Config.AuthRequired || l.Config.AuthToWrite {
+	if len(l.authedPubkey.Load()) != schnorr.PubKeyBytesLen && (acl.Registry.Active.Load() != "none" || l.Config.AuthRequired || l.Config.AuthToWrite) {
 		if err = authenvelope.NewChallengeWith(l.challenge.Load()).Write(l); chk.E(err) {
 			return
 		}

app/handle-req.go

@@ -52,7 +52,7 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
 		},
 	)
 	// send a challenge to the client to auth if an ACL is active, auth is required, or AuthToWrite is enabled
-	if acl.Registry.Active.Load() != "none" || l.Config.AuthRequired || l.Config.AuthToWrite {
+	if len(l.authedPubkey.Load()) == 0 && (acl.Registry.Active.Load() != "none" || l.Config.AuthRequired || l.Config.AuthToWrite) {
 		if err = authenvelope.NewChallengeWith(l.challenge.Load()).
 			Write(l); chk.E(err) {
 			return

pkg/crypto/p8k/secp.go

@@ -4,6 +4,7 @@ package secp
 
 import (
 	"fmt"
+	"log"
 	"runtime"
 	"sync"
 	"unsafe"
@@ -158,6 +159,7 @@ func LoadLibrary() (err error) {
 			return
 		}
 
+		log.Printf("INFO: Successfully loaded libsecp256k1 v5.0.0 from %s", libPath)
 		loadLibErr = nil
 	})
 

pkg/interfaces/signer/p8k/p8k.go

@@ -362,6 +362,11 @@ func (s *FallbackSigner) InitPub(pub []byte) (err error) {
 	s.xonlyPub = make([]byte, 32)
 	copy(s.xonlyPub, pub)
 
+	// Parse the x-only public key into a full public key for verification
+	if s.pubKey, err = schnorr.ParsePubKey(pub); err != nil {
+		return errorf.E("failed to parse public key: %w", err)
+	}
+
 	return nil
 }
 

pkg/version/version

@@ -1 +1 @@
-v0.25.4
+v0.25.7