From 319f104acfe2453ddc0345abe63c733ddd5b903f Mon Sep 17 00:00:00 2001
From: Daniel Lugo <danlugo92@gmail.com>
Date: Thu, 20 Jan 2022 17:35:21 -0400
Subject: [PATCH] Offline access secret for authenticating when tunneled

---
 src/routes.js | 11 ++++++++---
 src/server.js | 20 ++++++++++++++------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/src/routes.js b/src/routes.js
index ffb45d02..7ddd0082 100644
--- a/src/routes.js
+++ b/src/routes.js
@@ -47,7 +47,7 @@ module.exports = async (
   _app,
   config,
   mySocketsEvents,
-  { serverPort, useTLS, CA, CA_KEY, runPrivateKey, runPublicKey }
+  { serverPort, useTLS, CA, CA_KEY, runPrivateKey, runPublicKey, accessSecret }
 ) => {
   /**
    * @typedef {import('express').Application} Application
@@ -451,9 +451,14 @@ module.exports = async (
 
     app.post('/api/encryption/exchange', async (req, res) => {
       try {
-        const { publicKey, deviceId } = req.body
+        let { publicKey, deviceId } = req.body
 
-        if (!publicKey) {
+        if (Buffer.isBuffer(accessSecret)) {
+          publicKey = await ECCrypto.decrypt(accessSecret, publicKey)
+          deviceId = await ECCrypto.decrypt(accessSecret, deviceId)
+        }
+
+        if (typeof publicKey !== 'string' || !publicKey) {
           return res.status(400).json({
             field: 'publicKey',
             message: 'Please provide a valid public key'
diff --git a/src/server.js b/src/server.js
index ccd104fe..cc667f77 100644
--- a/src/server.js
+++ b/src/server.js
@@ -49,6 +49,13 @@ const server = program => {
     nonEncryptedRoutes
   } = require('../utils/protectedRoutes')
 
+  /**
+   * An offline-only private key used for authenticating a client's key
+   * exchange. Neither the tunnel nor the WWW should see this private key, it
+   * should only be served through STDOUT (via QR or else).
+   */
+  const accessSecret = program.tunnel ? ECCrypto.generatePrivate() : null
+
   // load app default configuration data
   const defaults = require('../config/defaults')(program.mainnet)
   const rootFolder = program.rootPath || process.resourcesPath || __dirname
@@ -351,7 +358,8 @@ const server = program => {
           CA,
           CA_KEY,
           runPrivateKey,
-          runPublicKey
+          runPublicKey,
+          accessSecret
         }
       )
 
@@ -389,12 +397,12 @@ const server = program => {
               Storage.setItem('relay/url', noProtocolAddress)
             ])
             const dataToQr = JSON.stringify({
-              internalIP: `${params.relayId}@${noProtocolAddress}`,
-              walletPort: 443,
-              externalIP: `${params.relayId}@${noProtocolAddress}`
+              URI: `https://${params.relayId}@${noProtocolAddress}`,
+              // Null-check is just to please typescript
+              accessSecret: accessSecret && accessSecret.toString('base64')
             })
-            qrcode.generate(dataToQr, { small: true })
-            logger.info(`connect to ${params.relayId}@${noProtocolAddress}`)
+            qrcode.generate(dataToQr, { small: false })
+            logger.info(`connect to ${params.relayId}@${noProtocolAddress}:443`)
           } else {
             logger.error('!! Relay did not connect to server !!')
           }