Merge pull request #140 from shocknet/feature/trusted-keys

Trusted keys functionality completed
2020-08-11 10:41:10 -04:00 · 2020-08-11 10:41:10 -04:00 · de08e08d98
commit de08e08d98
parent 4f52a4fc24 41306c5b8a
2 changed files with 61 additions and 7 deletions
--- a/.env.example
+++ b/.env.example
@ -4,3 +4,4 @@ MS_TO_TOKEN_EXPIRATION=4500000
 DISABLE_SHOCK_ENCRYPTION=false
 CACHE_HEADERS_MANDATORY=true
 SHOCK_CACHE=true
+TRUSTED_KEYS=true
--- a/src/routes.js
+++ b/src/routes.js
@ -5,6 +5,7 @@

 const Axios = require('axios')
 const Crypto = require('crypto')
+const Storage = require('node-persist')
 const logger = require('winston')
 const httpsAgent = require('https')
 const responseTime = require('response-time')
@ -189,14 +190,16 @@ module.exports = async (
          resolve(unlockResponse)
        })
      } catch (err) {
-        logger.error(err)
        if (err.message === 'unknown service lnrpc.WalletUnlocker') {
          resolve({
+            field: 'walletUnlocker',
            message: 'Wallet already unlocked'
          })
          return
        }

+        logger.error('Unlock Error:', err)
+
        reject({
          field: 'wallet',
          code: err.code,
@ -476,6 +479,15 @@ module.exports = async (
    }
  })

+  const validateToken = async token => {
+    try {
+      const tokenValid = await auth.validateToken(token)
+      return tokenValid
+    } catch (err) {
+      return false
+    }
+  }
+
  app.post('/api/lnd/auth', async (req, res) => {
    try {
      const health = await checkHealth()
@ -492,12 +504,47 @@ module.exports = async (
        }

        const publicKey = await GunDB.authenticate(alias, password)
-        if (
-          walletInitialized &&
-          health.LNDStatus.walletStatus === 'locked' &&
-          publicKey
-        ) {
-          await unlockWallet(password)
+
+        if (!publicKey) {
+          res.status(401).json({
+            field: 'alias',
+            errorMessage: 'Invalid alias/password combination',
+            success: false
+          })
+          return false
+        }
+
+        const trustedKeysEnabled =
+          process.env.TRUSTED_KEYS === 'true' || !process.env.TRUSTED_KEYS
+        const trustedKeys = await Storage.get('trustedPKs')
+        // Falls back to true if trusted keys is disabled in .env
+        const [isKeyTrusted = !trustedKeysEnabled] = (trustedKeys || []).filter(
+          trustedKey => trustedKey === publicKey
+        )
+        const walletUnlocked = health.LNDStatus.walletStatus === 'unlocked'
+
+        if (!walletUnlocked) {
+          const unlockedWallet = await unlockWallet(password)
+
+          if (!isKeyTrusted && unlockedWallet.field !== 'walletUnlocker') {
+            await Storage.set('trustedPKs', [...trustedKeys, publicKey])
+          }
+        }
+
+        if (walletUnlocked && !isKeyTrusted) {
+          const { authorization = '' } = req.headers
+          const validatedToken = await validateToken(
+            authorization.replace('Bearer ', '')
+          )
+
+          if (!validatedToken) {
+            res.status(401).json({
+              field: 'alias',
+              errorMessage: 'Invalid alias/password combination',
+              success: false
+            })
+            return
+          }
        }

        // Send an event to update lightning's status
@ -657,6 +704,12 @@ module.exports = async (
            GunDB.mySEA
          )

+          const trustedKeys = await Storage.get('trustedPKs')
+          await Storage.setItem('trustedPKs', [
+            ...(trustedKeys || []),
+            publicKey
+          ])
+
          walletUnlocker.initWallet(
            walletArgs,
            async (initWalletErr, initWalletResponse) => {