From 8167976eb47195428f7aed68531b9c8d0a56a048 Mon Sep 17 00:00:00 2001
From: Sean
Date: Mon, 9 Jan 2023 13:03:24 -0700
Subject: [PATCH 1/7] stashing

---
 api/api.go | 2 +-
 pkg/service/auth.go | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/api/api.go b/api/api.go
index 0deb9481..ec9110ba 100644
--- a/api/api.go
+++ b/api/api.go
@@ -40,7 +40,7 @@ func Start(config APIConfig) {
 	services := NewServices(config, repos)
 
 	// initialize routes - A route group only needs access to the services layer. It should'n access the repos layer directly
-	AuthAPIKey(services, e, false)
+	AuthAPIKey(services, e, true)
 	transactRoute(services, e)
 	quoteRoute(services, e)
 	userRoute(services, e)
diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index 9c5be7c0..71672daf 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
@@ -22,6 +22,8 @@ type SignablePayload struct {
 
 var hexRegex *regexp.Regexp = regexp.MustCompile(`^0x[a-fA-F0-9]{40}$`)
 
+var walletAuthenticationPrefix string = "Thank you for using String!\nBy signing this message you are:\n+Authorizing String to initiate off-chain transactions on your behalf, including your bank account, credit card, or debit card.\n+Confirming that this wallet is owned by you.\nThis request will not trigger any blockchain transaction or cost any gas:\n"
+
 type RefreshTokenResponse struct {
 	Token string `json:"token"`
 	ExpAt time.Time `json:"expAt"`
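Review bot: `AuthAPIKey(services, e, true)` switches the API-key check off for every route registered below it, going by the later commit in this same series ("[PATCH 3/7] re-enable API key protection") that flips the identical literal back to `false`; a "stashing" commit that leaves that protection disabled should not be in the history even though it is reverted two commits later, so squash PATCH 1/7 with 3/7 or drop this hunk. The bare boolean also says nothing at the call site, which is exactly how it gets flipped by accident; a named value — a documented `const`, or a field on `APIConfig` (something like `config.SkipAPIKeyAuth`, name illustrative) — would make the intent visible in review. Start continues outside the hunk.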
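Review bot: `var walletAuthenticationPrefix string = "…"` is a fixed literal that is never reassigned anywhere in this series, and its length becomes the slice offset used to strip it from `request.Nonce` (the @@ -80 hunk of this patch, then PATCH 2/7 and 4/7), so declare it as `const walletAuthenticationPrefix = "…"` — it can no longer be mutated at runtime and `len(walletAuthenticationPrefix)` is a compile-time constant. It also needs a doc comment that states the coupling, e.g. `// walletAuthenticationPrefix is the human-readable text PayloadToSign prepends to the encrypted nonce; the verifiers strip exactly len(walletAuthenticationPrefix) bytes before decrypting, so any edit to this wording changes what a valid signed payload looks like.` The rest of the series rewrites the wording four times (PATCH 2/7, 5/7, 6/7, 7/7), which is precisely the situation that comment is there to flag.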
@@ -80,13 +82,14 @@ func (a auth) PayloadToSign(walletAddress string) (SignablePayload, error) {
 	if err != nil {
 		return signable, common.StringError(err)
 	}
-	return SignablePayload{encrypted}, nil
+	return SignablePayload{walletAuthenticationPrefix + encrypted}, nil
 }
 
 func (a auth) VerifySignedPayload(request model.WalletSignaturePayloadSigned) (UserCreateResponse, error) {
+	nonce := request.Nonce[len(walletAuthenticationPrefix):]
 	resp := UserCreateResponse{}
 	key := os.Getenv("STRING_ENCRYPTION_KEY")
-	payload, err := common.Decrypt[model.WalletSignaturePayload](request.Nonce, key)
+	payload, err := common.Decrypt[model.WalletSignaturePayload](nonce, key)
 	if err != nil {
 		return resp, common.StringError(err)
 	}
From 6afbe28d7c48915fa70cd65688a91bd07b6dfda3 Mon Sep 17 00:00:00 2001
From: Sean
Date: Mon, 9 Jan 2023 13:49:15 -0700
Subject: [PATCH 2/7] Added message to beginning of WalletAuthenticationPayload, then dealt with that being signed in addition to the nonce suffix

---
 pkg/service/auth.go | 4 ++--
 pkg/service/user.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index 71672daf..99b8518f 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
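Review bot: `nonce := request.Nonce[len(walletAuthenticationPrefix):]` panics with a slice-bounds runtime error whenever the caller-supplied `request.Nonce` is shorter than the prefix, and it never checks that the leading bytes are the prefix at all, so the decrypt runs on whatever follows byte `len(walletAuthenticationPrefix)` of an arbitrary string rather than on the value PayloadToSign handed out; unless a recover middleware sits above this (not visible here), a one-character payload takes the handler down. The same unchecked slice is introduced in PATCH 2/7 (verifyWalletAuthentication and user.Create) and kept inline in PATCH 4/7, so factor it into one helper that verifies the prefix with `strings.HasPrefix` and returns an error the existing `common.StringError` path can carry, as below; it needs `strings` and `errors` imported in auth.go if they are not already. VerifySignedPayload continues past the hunk, and PayloadToSign starts before it.
```go
// stripWalletAuthenticationPrefix returns the encrypted nonce that follows the
// fixed text PayloadToSign prepends, or an error when that text is missing.
func stripWalletAuthenticationPrefix(signed string) (string, error) {
	if !strings.HasPrefix(signed, walletAuthenticationPrefix) {
		return "", errors.New("signed payload does not start with the wallet authentication prefix")
	}
	return strings.TrimPrefix(signed, walletAuthenticationPrefix), nil
}

func (a auth) VerifySignedPayload(request model.WalletSignaturePayloadSigned) (UserCreateResponse, error) {
	resp := UserCreateResponse{}
	nonce, err := stripWalletAuthenticationPrefix(request.Nonce)
	if err != nil {
		return resp, common.StringError(err)
	}
	key := os.Getenv("STRING_ENCRYPTION_KEY")
	payload, err := common.Decrypt[model.WalletSignaturePayload](nonce, key)
	// … unchanged: error check and the rest of VerifySignedPayload …
```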
@@ -22,7 +22,7 @@ type SignablePayload struct {
 
 var hexRegex *regexp.Regexp = regexp.MustCompile(`^0x[a-fA-F0-9]{40}$`)
 
-var walletAuthenticationPrefix string = "Thank you for using String!\nBy signing this message you are:\n+Authorizing String to initiate off-chain transactions on your behalf, including your bank account, credit card, or debit card.\n+Confirming that this wallet is owned by you.\nThis request will not trigger any blockchain transaction or cost any gas:\n"
+var walletAuthenticationPrefix string = "Thank you for using String! By signing this message you are: 1) Authorizing String to initiate off-chain transactions on your behalf, including your bank account, credit card, or debit card. 2) Confirming that this wallet is owned by you. This request will not trigger any blockchain transaction or cost any gas:"
 
 type RefreshTokenResponse struct {
 	Token string `json:"token"`
@@ -255,7 +255,7 @@ func (a auth) RefreshToken(refreshToken string, walletAddress string) (JWT, erro
 
 func verifyWalletAuthentication(request model.WalletSignaturePayloadSigned) error {
 	key := os.Getenv("STRING_ENCRYPTION_KEY")
-	preSignedPayload, err := common.Decrypt[model.WalletSignaturePayload](request.Nonce, key)
+	preSignedPayload, err := common.Decrypt[model.WalletSignaturePayload](request.Nonce[len(walletAuthenticationPrefix):], key)
 	if err != nil {
 		return common.StringError(err)
 	}
diff --git a/pkg/service/user.go b/pkg/service/user.go
index 6b3aa3ec..13d485f9 100644
--- a/pkg/service/user.go
+++ b/pkg/service/user.go
@@ -63,7 +63,7 @@ func (u user) GetStatus(userID string) (model.UserOnboardingStatus, error) {
 func (u user) Create(request model.WalletSignaturePayloadSigned) (UserCreateResponse, error) {
 	resp := UserCreateResponse{}
 	key := os.Getenv("STRING_ENCRYPTION_KEY")
-	payload, err := common.Decrypt[model.WalletSignaturePayload](request.Nonce, key)
+	payload, err := common.Decrypt[model.WalletSignaturePayload](request.Nonce[len(walletAuthenticationPrefix):], key)
 	if err != nil {
 		return resp, common.StringError(err)
 	}
From 1018e8b1f07596b0276d5b0700e841195ae116c8 Mon Sep 17 00:00:00 2001
From: Sean
Date: Mon, 9 Jan 2023 13:51:09 -0700
Subject: [PATCH 3/7] re-enable API key protection

---
 api/api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/api.go b/api/api.go
index ec9110ba..0deb9481 100644
--- a/api/api.go
+++ b/api/api.go
@@ -40,7 +40,7 @@ func Start(config APIConfig) {
 	services := NewServices(config, repos)
 
 	// initialize routes - A route group only needs access to the services layer. It should'n access the repos layer directly
-	AuthAPIKey(services, e, true)
+	AuthAPIKey(services, e, false)
 	transactRoute(services, e)
 	quoteRoute(services, e)
 	userRoute(services, e)
From 63c81b7f68d54ca99918c895fdde58decc394e04 Mon Sep 17 00:00:00 2001
From: Sean
Date: Mon, 9 Jan 2023 13:54:54 -0700
Subject: [PATCH 4/7] shorten logic

---
 pkg/service/auth.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index 99b8518f..2497c97a 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
@@ -86,10 +86,9 @@ func (a auth) PayloadToSign(walletAddress string) (SignablePayload, error) {
 }
 
 func (a auth) VerifySignedPayload(request model.WalletSignaturePayloadSigned) (UserCreateResponse, error) {
-	nonce := request.Nonce[len(walletAuthenticationPrefix):]
 	resp := UserCreateResponse{}
 	key := os.Getenv("STRING_ENCRYPTION_KEY")
-	payload, err := common.Decrypt[model.WalletSignaturePayload](nonce, key)
+	payload, err := common.Decrypt[model.WalletSignaturePayload](request.Nonce[len(walletAuthenticationPrefix):], key)
 	if err != nil {
 		return resp, common.StringError(err)
 	}
From 65ccdecf90b32212c7f2f64a77448415607d9368 Mon Sep 17 00:00:00 2001
From: Sean
Date: Mon, 9 Jan 2023 13:57:43 -0700
Subject: [PATCH 5/7] added a space between message and nonce

---
 pkg/service/auth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index 2497c97a..db0bd185 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
@@ -22,7 +22,7 @@ type SignablePayload struct {
 
 var hexRegex *regexp.Regexp = regexp.MustCompile(`^0x[a-fA-F0-9]{40}$`)
 
-var walletAuthenticationPrefix string = "Thank you for using String! By signing this message you are: 1) Authorizing String to initiate off-chain transactions on your behalf, including your bank account, credit card, or debit card. 2) Confirming that this wallet is owned by you. This request will not trigger any blockchain transaction or cost any gas:"
+var walletAuthenticationPrefix string = "Thank you for using String! By signing this message you are: 1) Authorizing String to initiate off-chain transactions on your behalf, including your bank account, credit card, or debit card. 2) Confirming that this wallet is owned by you. This request will not trigger any blockchain transaction or cost any gas: "
 
 type RefreshTokenResponse struct {
 	Token string `json:"token"`
From f938dbeb7be6751f0677c5a8f0c23b9fead75318 Mon Sep 17 00:00:00 2001
From: Sean
Date: Mon, 9 Jan 2023 15:35:27 -0700
Subject: [PATCH 6/7] now with newlines!

---
 pkg/service/auth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index db0bd185..e3be8b4e 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
@@ -22,7 +22,7 @@ type SignablePayload struct {
 
 var hexRegex *regexp.Regexp = regexp.MustCompile(`^0x[a-fA-F0-9]{40}$`)
 
-var walletAuthenticationPrefix string = "Thank you for using String! By signing this message you are: 1) Authorizing String to initiate off-chain transactions on your behalf, including your bank account, credit card, or debit card. 2) Confirming that this wallet is owned by you. This request will not trigger any blockchain transaction or cost any gas: "
+var walletAuthenticationPrefix string = "Thank you for using String! By signing this message you are:\n\n 1) Authorizing String to initiate off-chain transactions on your behalf, including your bank account, credit card, or debit card.\n\n 2) Confirming that this wallet is owned by you.\n\nThis request will not trigger any blockchain transaction or cost any gas:\n\n"
 
 type RefreshTokenResponse struct {
 	Token string `json:"token"`
From 68f7b064c6e6478868b9d1ae80f3d245df44f9e7 Mon Sep 17 00:00:00 2001
From: Sean
Date: Mon, 9 Jan 2023 17:28:30 -0700
Subject: [PATCH 7/7] punctuation

---
 pkg/service/auth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index e3be8b4e..668b9b0c 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
@@ -22,7 +22,7 @@ type SignablePayload struct {
 
 var hexRegex *regexp.Regexp = regexp.MustCompile(`^0x[a-fA-F0-9]{40}$`)
 
-var walletAuthenticationPrefix string = "Thank you for using String! By signing this message you are:\n\n 1) Authorizing String to initiate off-chain transactions on your behalf, including your bank account, credit card, or debit card.\n\n 2) Confirming that this wallet is owned by you.\n\nThis request will not trigger any blockchain transaction or cost any gas:\n\n"
+var walletAuthenticationPrefix string = "Thank you for using String! By signing this message you are:\n\n1) Authorizing String to initiate off-chain transactions on your behalf, including your bank account, credit card, or debit card.\n\n2) Confirming that this wallet is owned by you.\n\nThis request will not trigger any blockchain transaction or cost any gas.\n\nNonce: "
 
 type RefreshTokenResponse struct {
 	Token string `json:"token"`