Offline access secret for authenticating when tunneled

2022-01-20 17:35:21 -04:00 · 2022-01-20 17:35:21 -04:00 · 319f104acf
commit 319f104acf
parent 808959b845
2 changed files with 22 additions and 9 deletions
--- a/src/routes.js
+++ b/src/routes.js
@ -47,7 +47,7 @@ module.exports = async (
  _app,
  config,
  mySocketsEvents,
-  { serverPort, useTLS, CA, CA_KEY, runPrivateKey, runPublicKey }
+  { serverPort, useTLS, CA, CA_KEY, runPrivateKey, runPublicKey, accessSecret }
 ) => {
  /**
   * @typedef {import('express').Application} Application
@ -451,9 +451,14 @@ module.exports = async (

    app.post('/api/encryption/exchange', async (req, res) => {
      try {
-        const { publicKey, deviceId } = req.body
+        let { publicKey, deviceId } = req.body

-        if (!publicKey) {
+        if (Buffer.isBuffer(accessSecret)) {
+          publicKey = await ECCrypto.decrypt(accessSecret, publicKey)
+          deviceId = await ECCrypto.decrypt(accessSecret, deviceId)
+        }
+
+        if (typeof publicKey !== 'string' || !publicKey) {
          return res.status(400).json({
            field: 'publicKey',
            message: 'Please provide a valid public key'
--- a/src/server.js
+++ b/src/server.js
@ -49,6 +49,13 @@ const server = program => {
    nonEncryptedRoutes
  } = require('../utils/protectedRoutes')

+  /**
+   * An offline-only private key used for authenticating a client's key
+   * exchange. Neither the tunnel nor the WWW should see this private key, it
+   * should only be served through STDOUT (via QR or else).
+   */
+  const accessSecret = program.tunnel ? ECCrypto.generatePrivate() : null
+
  // load app default configuration data
  const defaults = require('../config/defaults')(program.mainnet)
  const rootFolder = program.rootPath || process.resourcesPath || __dirname
@ -351,7 +358,8 @@ const server = program => {
          CA,
          CA_KEY,
          runPrivateKey,
-          runPublicKey
+          runPublicKey,
+          accessSecret
        }
      )

@ -389,12 +397,12 @@ const server = program => {
              Storage.setItem('relay/url', noProtocolAddress)
            ])
            const dataToQr = JSON.stringify({
-              internalIP: `${params.relayId}@${noProtocolAddress}`,
-              walletPort: 443,
-              externalIP: `${params.relayId}@${noProtocolAddress}`
+              URI: `https://${params.relayId}@${noProtocolAddress}`,
+              // Null-check is just to please typescript
+              accessSecret: accessSecret && accessSecret.toString('base64')
            })
-            qrcode.generate(dataToQr, { small: true })
-            logger.info(`connect to ${params.relayId}@${noProtocolAddress}`)
+            qrcode.generate(dataToQr, { small: false })
+            logger.info(`connect to ${params.relayId}@${noProtocolAddress}:443`)
          } else {
            logger.error('!! Relay did not connect to server !!')
          }