From 27276be53f94c7ec62de20f9442ef772359b4a84 Mon Sep 17 00:00:00 2001
From: Daniel Lugo
Date: Fri, 28 Jan 2022 10:32:50 -0500
Subject: [PATCH 1/4] Update node version in nvmrc
---
 .nvmrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.nvmrc b/.nvmrc
index 4ec320b2..d4fca6f6 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-v14.17.6
+v14.18.3
From cbf40449fc7e7054475088cca57edc3c1987962a Mon Sep 17 00:00:00 2001
From: Daniel Lugo
Date: Fri, 28 Jan 2022 11:16:58 -0500
Subject: [PATCH 2/4] Remove old access secret mechanics code
---
 src/server.js | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/src/server.js b/src/server.js
index cc667f77..33b099bf 100644
--- a/src/server.js
+++ b/src/server.js
@@ -409,20 +409,6 @@ const server = program => {
 })
 }
- if (process.env.ALLOW_UNLOCKED_LND === 'true') {
- const codes = await Storage.valuesWithKeyMatch(
- /^UnlockedAccessSecrets\//u
- )
- if (codes.length === 0) {
- const code = ECC.generateRandomString(12)
- await Storage.setItem(`UnlockedAccessSecrets/${code}`, false)
- await Storage.setItem(`FirstAccessSecret`, code)
- logger.info('the access code is:' + code)
- } else if (codes.length === 1 && codes[0] === false) {
- const firstCode = await Storage.getItem('FirstAccessSecret')
- logger.info('the access code is:' + firstCode)
- }
- }
 serverInstance.listen(serverPort, serverHost)
 logger.info('App listening on ' + serverHost + ' port ' + serverPort)
 // @ts-expect-error
From a48170c2746fc89b52c70e716e0fc07901d13439 Mon Sep 17 00:00:00 2001
From: Daniel Lugo
Date: Fri, 28 Jan 2022 14:15:36 -0500
Subject: [PATCH 3/4] Do not actually start up gun
---
 services/gunDB/Mediator/index.js | 2 +-
 utils/GunSmith/GunSmith.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/gunDB/Mediator/index.js b/services/gunDB/Mediator/index.js
index 09609f5c..a906c2a3 100644
--- a/services/gunDB/Mediator/index.js
+++ b/services/gunDB/Mediator/index.js
@@ -281,7 +281,7 @@ const isAuthenticating = () => _isAuthenticating
 const isRegistering = () => _isRegistering
 const getGun = () => {
- return gun
+ throw new Error('NO GUNS')
 }
 const getUser = () => {
diff --git a/utils/GunSmith/GunSmith.js b/utils/GunSmith/GunSmith.js
index 738f9e62..b755c2ab 100644
--- a/utils/GunSmith/GunSmith.js
+++ b/utils/GunSmith/GunSmith.js
@@ -734,7 +734,7 @@ function createUserReplica() {
 */
 const Gun = opts => {
 lastOpts = opts
- forge()
+ // forge()
 return createReplica('$root')
 }
From 21d6ec8a766cebd53026712fbbceb6d22c103822 Mon Sep 17 00:00:00 2001
From: Daniel Lugo
Date: Fri, 28 Jan 2022 14:15:46 -0500
Subject: [PATCH 4/4] No more alias auth, only access secret + wallet password
---
 src/routes.js | 157 +++++++--------------------------------
 src/server.js | 21 ++++--
 utils/protectedRoutes.js | 5 +-
 3 files changed, 45 insertions(+), 138 deletions(-)
diff --git a/src/routes.js b/src/routes.js
index b179f5f8..48d33775 100644
--- a/src/routes.js
+++ b/src/routes.js
@@ -46,7 +46,6 @@ const SESSION_ID = uuid()
 module.exports = async (
 _app,
 config,
- mySocketsEvents,
 { serverPort, useTLS, CA, CA_KEY, runPrivateKey, runPublicKey, accessSecret }
 ) => {
 /**
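Review bot: `getGun` now throws unconditionally with the message 'NO GUNS', so any caller that still reaches getGun() fails at runtime with an error that does not say why; the rest of the Mediator module is outside the hunk, so I can't see whether such callers remain (getUser, visible just below, is left as is). If GunDB is deliberately disabled in this build, make the error and a comment say so, e.g. `throw new Error('GunDB is disabled in this build; getGun() must not be called')`, so the failure is diagnosable from the log line alone.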
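Review bot: Replacing `forge()` with `// forge()` in `Gun` leaves commented-out code with no explanation, and a reader cannot tell from this hunk whether `createReplica('$root')` is meaningful when nothing is forged. Delete the line and leave a one-line comment giving the reason it was disabled, or gate the call behind an explicit option, rather than keeping dead code in place. The same pattern appears in the routes.js unlock handler in PATCH 4/4 (`// saveChannelsBackup()` through `// }, 30 * 1000)`), which should get the same treatment.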
@@ -456,21 +455,21 @@ module.exports = async (
 try {
 let { publicKey, deviceId } = req.body
- if (Buffer.isBuffer(accessSecret)) {
- logger.info('Will decrypt public key and device ID for key exchange.')
+ logger.info('Will decrypt public key and device ID for key exchange.')
- publicKey = await ECCrypto.decrypt(
- accessSecret,
- ECC.convertToEncryptedMessage(publicKey)
- )
- deviceId = await ECCrypto.decrypt(
- accessSecret,
- ECC.convertToEncryptedMessage(deviceId)
- )
+ console.log(req.body)
- publicKey = publicKey.toString('utf8')
- deviceId = deviceId.toString('utf8')
- }
+ publicKey = await ECCrypto.decrypt(
+ accessSecret,
+ ECC.convertToEncryptedMessage(publicKey)
+ )
+ deviceId = await ECCrypto.decrypt(
+ accessSecret,
+ ECC.convertToEncryptedMessage(deviceId)
+ )
+
+ publicKey = publicKey.toString('utf8')
+ deviceId = deviceId.toString('utf8')
 if (typeof publicKey !== 'string' || !publicKey) {
 return res.status(500).json({
@@ -527,15 +526,6 @@ module.exports = async (
 }
 })
- const validateToken = async token => {
- try {
- const tokenValid = await auth.validateToken(token)
- return tokenValid
- } catch (err) {
- return false
- }
- }
-
 /**
 * Get the latest channel backups before subscribing.
 */
@@ -626,15 +616,13 @@ module.exports = async (
 })
 }
- app.post('/api/lnd/auth', async (req, res) => {
+ app.post('/api/lnd/unlock', async (req, res) => {
 try {
 const health = await checkHealth()
 const walletInitialized = await walletExists()
- const { alias, pass } = req.body
+ const { pass } = req.body
 const lndUp = health.LNDStatus.success
 const walletUnlocked = health.LNDStatus.walletStatus === 'unlocked'
- const { authorization = '' } = req.headers
- const allowUnlockedLND = process.env.ALLOW_UNLOCKED_LND === 'true'
 const { lightning } = LightningServices.services
 if (!lndUp) {
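Review bot: The added `console.log(req.body)` right after the logger.info line dumps the whole key-exchange request (the encrypted publicKey and deviceId) to stdout, the same stream this patch series uses to print the access secret; it reads as a debugging leftover and should be removed, or at most reduced to `logger.debug('exchangeKeys: received fields', Object.keys(req.body))`. Dropping the `Buffer.isBuffer(accessSecret)` guard is consistent with server.js now always generating the secret, but ECCrypto.decrypt on a missing or malformed publicKey/deviceId will now throw before the `typeof publicKey !== 'string'` check is reached; the enclosing try/catch starts outside the hunk, so I can't see whether that maps to a 4xx or a generic 500. A short comment above the decrypt, `// accessSecret is always a Buffer (generated at startup in server.js)`, would record why the guard went away.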
@@ -647,38 +635,10 @@ module.exports = async (
 await recreateLnServices()
- if (GunDB.isAuthenticated()) {
- GunDB.logoff()
- }
-
- const publicKey = await GunDB.authenticate(alias, pass)
-
- if (!publicKey) {
- throw new Error('Invalid alias/password combination')
- }
-
 if (!walletUnlocked) {
 await unlockWallet(pass)
 }
- if (walletUnlocked && !authorization && !allowUnlockedLND) {
- throw new Error(
- 'Invalid alias/password combination (Untrusted Device)'
- )
- }
-
- if (walletUnlocked && !allowUnlockedLND) {
- const validatedToken = await validateToken(
- authorization.replace('Bearer ', '')
- )
-
- if (!validatedToken) {
- throw new Error(
- 'Invalid alias/password combination (Untrusted Auth Token)'
- )
- }
- }
-
 // Generate auth token and send it as a JSON response
 const token = await auth.generateToken()
@@ -706,23 +666,14 @@ module.exports = async (
 }, 1000)
 })
- saveChannelsBackup()
-
- // Send an event to update lightning's status
- mySocketsEvents.emit('updateLightning')
-
- onNewChannelBackup()
-
- setTimeout(() => {
- channelRequest()
- }, 30 * 1000)
+ // saveChannelsBackup()
+ // onNewChannelBackup()
+ // setTimeout(() => {
+ // channelRequest()
+ // }, 30 * 1000)
 res.json({
- authorization: token,
- user: {
- alias,
- publicKey
- }
+ authorization: token
 })
 } catch (err) {
 logger.error('Unlock Error:', err)
@@ -739,17 +690,11 @@ module.exports = async (
 app.post('/api/lnd/wallet', async (req, res) => {
 try {
 const { walletUnlocker } = LightningServices.services
- const { password, alias } = req.body
+ const { password } = req.body
 const healthResponse = await checkHealth()
+ const walletInitialized = await walletExists()
 const isUnlocked = healthResponse.LNDStatus.service !== 'walletUnlocker'
- if (!alias) {
- return res.status(400).json({
- field: 'alias',
- errorMessage: 'Please specify an alias for your new wallet'
- })
- }
-
 if (!password) {
 return res.status(400).json({
 field: 'password',
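Review bot: With the `authorization`/`allowUnlockedLND` checks removed, `if (!walletUnlocked) { await unlockWallet(pass) }` is the only place this handler validates `pass`; when LND is already unlocked the body falls straight through to `auth.generateToken()`, so `/api/lnd/unlock` issues a token without checking the password it was given. If the access-secret middleware in protectedRoutes.js is intended to be the sole gate for this route, say so in a comment above `app.post('/api/lnd/unlock', …)`; otherwise the already-unlocked path needs its own check of `pass` before a token is generated, or should refuse with `throw new Error('Wallet is already unlocked; use an existing session')`. The handler's try block begins outside the hunk, so I can't see what status the catch maps these errors to.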
@@ -765,8 +710,8 @@ module.exports = async (
 })
 }
- if (isUnlocked) {
- throw new Error('Wallet is already unlocked')
+ if (walletInitialized || isUnlocked) {
+ throw new Error('A wallet already exists')
 }
 const [genSeedErr, genSeedResponse] = await new Promise(res => {
@@ -795,15 +740,6 @@ module.exports = async (
 cipher_seed_mnemonic: mnemonicPhrase
 }
- // Register user before creating wallet
- const publicKey = await GunDB.register(alias, password)
-
- await GunActions.saveSeedBackup(
- mnemonicPhrase,
- GunDB.getUser(),
- GunDB.mySEA
- )
-
 const [initWalletErr, initWalletResponse] = await new Promise(res => {
 walletUnlocker.initWallet(
 walletArgs,
@@ -850,11 +786,7 @@ module.exports = async (
 }, 30 * 1000)
 return res.json({
 mnemonicPhrase,
- authorization: token,
- user: {
- alias,
- publicKey
- }
+ authorization: token
 })
 } catch (err) {
 logger.error(err)
@@ -2707,42 +2639,7 @@ module.exports = async (
 return
 }
 try {
- const [relayId, relayUrl, accessSecret] = await Promise.all([
- Storage.getItem('relay/id'),
- Storage.getItem('relay/url'),
- Storage.getItem('FirstAccessSecret')
- ])
- const response = {}
- if (config.cliArgs.tunnel) {
- if (!relayId || !relayUrl) {
- response.relayNotFound = true
- } else {
- response.relayId = relayId
- response.relayUrl = relayUrl
- }
- } else {
- response.tunnelDisabled = true
- }
-
- if (process.env.ALLOW_UNLOCKED_LND !== 'true') {
- response.accessSecretDisabled = true
- return res.json(response)
- }
-
- if (!accessSecret) {
- response.accessCodeNotFound = true
- res.json(response)
- return
- }
- const codeUsed = await Storage.getItem(
- `UnlockedAccessSecrets/${accessSecret}`
- )
- if (codeUsed !== false) {
- response.accessCodeUsed = true
- return res.json(response)
- }
- response.accessCode = accessSecret
- res.json(response)
+ throw new Error('')
 } catch (e) {
 logger.error(e)
 res.status(500).json({
diff --git a/src/server.js b/src/server.js
index 33b099bf..1425b31e 100644
--- a/src/server.js
+++ b/src/server.js
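Review bot: In the last hunk the handler body is reduced to `throw new Error('')`, so every request to this endpoint now logs an empty error via `logger.error(e)` and answers with the 500 from the catch branch, while protectedRoutes.js in this same patch still lists `'/api/accessInfo': true` among the open routes. If the endpoint is retired, remove the route and its protectedRoutes entry together; if it has to stay for older clients, reply deliberately, e.g. `return res.status(410).json({ errorMessage: 'accessInfo is no longer available' })`, so both the log line and the client see why. The route definition starts outside the hunk, so I'm inferring it is the accessInfo handler from the removed body.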
@@ -54,7 +54,8 @@ const server = program => {
 * exchange. Neither the tunnel nor the WWW should see this private key, it
 * should only be served through STDOUT (via QR or else).
 */
- const accessSecret = program.tunnel ? ECCrypto.generatePrivate() : null
+ const accessSecret = ECCrypto.generatePrivate()
+ const accessSecretBase64 = accessSecret.toString('base64')
 // load app default configuration data
 const defaults = require('../config/defaults')(program.mainnet)
@@ -342,8 +343,6 @@ const server = program => {
 }
 })
- const Sockets = require('./sockets')(io)
-
 require('./routes')(
 app,
 {
@@ -351,7 +350,6 @@ const server = program => {
 lndAddress: program.lndAddress,
 cliArgs: program
 },
- Sockets,
 {
 serverPort,
 useTLS: program.useTLS,
@@ -399,14 +397,27 @@ const server = program => {
 const dataToQr = JSON.stringify({
 URI: `https://${params.relayId}@${noProtocolAddress}`,
 // Null-check is just to please typescript
- accessSecret: accessSecret && accessSecret.toString('base64')
+ accessSecret: accessSecretBase64
 })
 qrcode.generate(dataToQr, { small: false })
 logger.info(`connect to ${params.relayId}@${noProtocolAddress}:443`)
+ console.log('\n')
+ console.log(`Here's your access secret:`)
+ console.log('\n')
+ console.log(accessSecretBase64)
+ console.log('\n')
+ console.log('\n')
 } else {
 logger.error('!! Relay did not connect to server !!')
 }
 })
+ } else {
+ console.log('\n')
+ console.log(`Here's your access secret:`)
+ console.log('\n')
+ console.log(accessSecretBase64)
+ console.log('\n')
+ console.log('\n')
 }
 serverInstance.listen(serverPort, serverHost)
diff --git a/utils/protectedRoutes.js b/utils/protectedRoutes.js
index 0396dde5..f9413d1f 100644
--- a/utils/protectedRoutes.js
+++ b/utils/protectedRoutes.js
@@ -8,9 +8,8 @@ module.exports = {
 '/favicon.ico': true,
 '/api/lnd/connect': true,
 '/api/lnd/wallet/status': true,
- '/api/lnd/auth': true,
 //
- '/api/gun/auth': true,
+ '/api/gunw': true,
 '/api/subscribeStream': true,
 '/': true,
 '/api/accessInfo': true,
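Review bot: In the -399 hunk the six `console.log` lines that print `accessSecretBase64` are duplicated verbatim in the relay-connected branch and in the new `} else {` branch; hoist them into a small `printAccessSecret()` closure defined next to `accessSecretBase64` in the -54 hunk and call it from both places. Both copies write the secret in clear to stdout, which matches the comment at -54 that it should only be served through STDOUT, but since the `// Null-check is just to please typescript` comment above `accessSecret: accessSecretBase64` no longer describes anything it should be dropped, and the -54 comment could add `// NOTE: stdout may be captured by a process manager or log collector; treat those logs as sensitive`.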
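Review bot: `'/api/gunw': true` replaces `'/api/gun/auth'` in the open-routes list, but no route with that path appears anywhere in this patch series and the name reads like a typo; if it is a real endpoint, add a comment naming the handler it corresponds to, otherwise drop the entry so the allowlist only names routes that exist. The bare `//` context line left between the entries is also a leftover worth removing while here.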
@@ -20,7 +19,7 @@ module.exports = {
 '/api/lnd/connect': true,
 '/api/lnd/wallet': true,
 '/api/lnd/wallet/existing': true,
- '/api/lnd/auth': true,
+ '/api/lnd/unlock': true,
 '/api/security/exchangeKeys': true,
 '/api/encryption/exchange': true
 },