From 21d6ec8a766cebd53026712fbbceb6d22c103822 Mon Sep 17 00:00:00 2001 From: Daniel Lugo Date: Fri, 28 Jan 2022 14:15:46 -0500 Subject: [PATCH] No more alias auth, only access secret + wallet password --- src/routes.js | 157 +++++++-------------------------------- src/server.js | 21 ++++-- utils/protectedRoutes.js | 5 +- 3 files changed, 45 insertions(+), 138 deletions(-) diff --git a/src/routes.js b/src/routes.js index b179f5f8..48d33775 100644 --- a/src/routes.js +++ b/src/routes.js @@ -46,7 +46,6 @@ const SESSION_ID = uuid() module.exports = async ( _app, config, - mySocketsEvents, { serverPort, useTLS, CA, CA_KEY, runPrivateKey, runPublicKey, accessSecret } ) => { /** @@ -456,21 +455,21 @@ module.exports = async ( try { let { publicKey, deviceId } = req.body - if (Buffer.isBuffer(accessSecret)) { - logger.info('Will decrypt public key and device ID for key exchange.') + logger.info('Will decrypt public key and device ID for key exchange.') - publicKey = await ECCrypto.decrypt( - accessSecret, - ECC.convertToEncryptedMessage(publicKey) - ) - deviceId = await ECCrypto.decrypt( - accessSecret, - ECC.convertToEncryptedMessage(deviceId) - ) + console.log(req.body) - publicKey = publicKey.toString('utf8') - deviceId = deviceId.toString('utf8') - } + publicKey = await ECCrypto.decrypt( + accessSecret, + ECC.convertToEncryptedMessage(publicKey) + ) + deviceId = await ECCrypto.decrypt( + accessSecret, + ECC.convertToEncryptedMessage(deviceId) + ) + + publicKey = publicKey.toString('utf8') + deviceId = deviceId.toString('utf8') if (typeof publicKey !== 'string' || !publicKey) { return res.status(500).json({ @@ -527,15 +526,6 @@ module.exports = async ( } }) - const validateToken = async token => { - try { - const tokenValid = await auth.validateToken(token) - return tokenValid - } catch (err) { - return false - } - } - /** * Get the latest channel backups before subscribing. */ @@ -626,15 +616,13 @@ module.exports = async ( }) } - app.post('/api/lnd/auth', async (req, res) => { + app.post('/api/lnd/unlock', async (req, res) => { try { const health = await checkHealth() const walletInitialized = await walletExists() - const { alias, pass } = req.body + const { pass } = req.body const lndUp = health.LNDStatus.success const walletUnlocked = health.LNDStatus.walletStatus === 'unlocked' - const { authorization = '' } = req.headers - const allowUnlockedLND = process.env.ALLOW_UNLOCKED_LND === 'true' const { lightning } = LightningServices.services if (!lndUp) { @@ -647,38 +635,10 @@ module.exports = async ( await recreateLnServices() - if (GunDB.isAuthenticated()) { - GunDB.logoff() - } - - const publicKey = await GunDB.authenticate(alias, pass) - - if (!publicKey) { - throw new Error('Invalid alias/password combination') - } - if (!walletUnlocked) { await unlockWallet(pass) } - if (walletUnlocked && !authorization && !allowUnlockedLND) { - throw new Error( - 'Invalid alias/password combination (Untrusted Device)' - ) - } - - if (walletUnlocked && !allowUnlockedLND) { - const validatedToken = await validateToken( - authorization.replace('Bearer ', '') - ) - - if (!validatedToken) { - throw new Error( - 'Invalid alias/password combination (Untrusted Auth Token)' - ) - } - } - // Generate auth token and send it as a JSON response const token = await auth.generateToken() @@ -706,23 +666,14 @@ module.exports = async ( }, 1000) }) - saveChannelsBackup() - - // Send an event to update lightning's status - mySocketsEvents.emit('updateLightning') - - onNewChannelBackup() - - setTimeout(() => { - channelRequest() - }, 30 * 1000) + // saveChannelsBackup() + // onNewChannelBackup() + // setTimeout(() => { + // channelRequest() + // }, 30 * 1000) res.json({ - authorization: token, - user: { - alias, - publicKey - } + authorization: token }) } catch (err) { logger.error('Unlock Error:', err) @@ -739,17 +690,11 @@ module.exports = async ( app.post('/api/lnd/wallet', async (req, res) => { try { const { walletUnlocker } = LightningServices.services - const { password, alias } = req.body + const { password } = req.body const healthResponse = await checkHealth() + const walletInitialized = await walletExists() const isUnlocked = healthResponse.LNDStatus.service !== 'walletUnlocker' - if (!alias) { - return res.status(400).json({ - field: 'alias', - errorMessage: 'Please specify an alias for your new wallet' - }) - } - if (!password) { return res.status(400).json({ field: 'password', @@ -765,8 +710,8 @@ module.exports = async ( }) } - if (isUnlocked) { - throw new Error('Wallet is already unlocked') + if (walletInitialized || isUnlocked) { + throw new Error('A wallet already exists') } const [genSeedErr, genSeedResponse] = await new Promise(res => { @@ -795,15 +740,6 @@ module.exports = async ( cipher_seed_mnemonic: mnemonicPhrase } - // Register user before creating wallet - const publicKey = await GunDB.register(alias, password) - - await GunActions.saveSeedBackup( - mnemonicPhrase, - GunDB.getUser(), - GunDB.mySEA - ) - const [initWalletErr, initWalletResponse] = await new Promise(res => { walletUnlocker.initWallet( walletArgs, @@ -850,11 +786,7 @@ module.exports = async ( }, 30 * 1000) return res.json({ mnemonicPhrase, - authorization: token, - user: { - alias, - publicKey - } + authorization: token }) } catch (err) { logger.error(err) @@ -2707,42 +2639,7 @@ module.exports = async ( return } try { - const [relayId, relayUrl, accessSecret] = await Promise.all([ - Storage.getItem('relay/id'), - Storage.getItem('relay/url'), - Storage.getItem('FirstAccessSecret') - ]) - const response = {} - if (config.cliArgs.tunnel) { - if (!relayId || !relayUrl) { - response.relayNotFound = true - } else { - response.relayId = relayId - response.relayUrl = relayUrl - } - } else { - response.tunnelDisabled = true - } - - if (process.env.ALLOW_UNLOCKED_LND !== 'true') { - response.accessSecretDisabled = true - return res.json(response) - } - - if (!accessSecret) { - response.accessCodeNotFound = true - res.json(response) - return - } - const codeUsed = await Storage.getItem( - `UnlockedAccessSecrets/${accessSecret}` - ) - if (codeUsed !== false) { - response.accessCodeUsed = true - return res.json(response) - } - response.accessCode = accessSecret - res.json(response) + throw new Error('') } catch (e) { logger.error(e) res.status(500).json({ diff --git a/src/server.js b/src/server.js index 33b099bf..1425b31e 100644 --- a/src/server.js +++ b/src/server.js @@ -54,7 +54,8 @@ const server = program => { * exchange. Neither the tunnel nor the WWW should see this private key, it * should only be served through STDOUT (via QR or else). */ - const accessSecret = program.tunnel ? ECCrypto.generatePrivate() : null + const accessSecret = ECCrypto.generatePrivate() + const accessSecretBase64 = accessSecret.toString('base64') // load app default configuration data const defaults = require('../config/defaults')(program.mainnet) @@ -342,8 +343,6 @@ const server = program => { } }) - const Sockets = require('./sockets')(io) - require('./routes')( app, { @@ -351,7 +350,6 @@ const server = program => { lndAddress: program.lndAddress, cliArgs: program }, - Sockets, { serverPort, useTLS: program.useTLS, @@ -399,14 +397,27 @@ const server = program => { const dataToQr = JSON.stringify({ URI: `https://${params.relayId}@${noProtocolAddress}`, // Null-check is just to please typescript - accessSecret: accessSecret && accessSecret.toString('base64') + accessSecret: accessSecretBase64 }) qrcode.generate(dataToQr, { small: false }) logger.info(`connect to ${params.relayId}@${noProtocolAddress}:443`) + console.log('\n') + console.log(`Here's your access secret:`) + console.log('\n') + console.log(accessSecretBase64) + console.log('\n') + console.log('\n') } else { logger.error('!! Relay did not connect to server !!') } }) + } else { + console.log('\n') + console.log(`Here's your access secret:`) + console.log('\n') + console.log(accessSecretBase64) + console.log('\n') + console.log('\n') } serverInstance.listen(serverPort, serverHost) diff --git a/utils/protectedRoutes.js b/utils/protectedRoutes.js index 0396dde5..f9413d1f 100644 --- a/utils/protectedRoutes.js +++ b/utils/protectedRoutes.js @@ -8,9 +8,8 @@ module.exports = { '/favicon.ico': true, '/api/lnd/connect': true, '/api/lnd/wallet/status': true, - '/api/lnd/auth': true, // - '/api/gun/auth': true, + '/api/gunw': true, '/api/subscribeStream': true, '/': true, '/api/accessInfo': true, @@ -20,7 +19,7 @@ module.exports = { '/api/lnd/connect': true, '/api/lnd/wallet': true, '/api/lnd/wallet/existing': true, - '/api/lnd/auth': true, + '/api/lnd/unlock': true, '/api/security/exchangeKeys': true, '/api/encryption/exchange': true },