fix tests, update webauth server

stellar · Jan 24, 2023 · 58bafb1 · 58bafb1
1 parent 11d5a94
commit 58bafb1
Show file tree

Hide file tree

Showing 7 changed files with 96 additions and 57 deletions.
diff --git a/exp/services/webauth/internal/serve/challenge.go b/exp/services/webauth/internal/serve/challenge.go
@@ -2,6 +2,7 @@ package serve
 
 import (
  "net/http"
+ "strconv"
  "strings"
  "time"
 
@@ -57,13 +58,24 @@ func (h challengeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  homeDomain = h.HomeDomains[0]
  }
 
+ var memo txnbuild.MemoID
+ if queryValues.Get("memo") != "" {
+ memoInt, err := strconv.ParseUint(queryValues.Get("memo"), 10, 64)
+ if err != nil {
+ badRequest.Render(w)
+ return
+ }
+ memo = txnbuild.MemoID(memoInt)
+ }
+
  tx, err := txnbuild.BuildChallengeTx(
  h.SigningKey.Seed(),
  account,
  h.Domain,
  homeDomain,
  h.NetworkPassphrase,
  h.ChallengeExpiresIn,
+ memo,
  )
  if err != nil {
  h.Logger.Ctx(ctx).WithStack(err).Error(err)

diff --git a/exp/services/webauth/internal/serve/token.go b/exp/services/webauth/internal/serve/token.go
@@ -11,6 +11,7 @@ import (
  supportlog "github.com/stellar/go/support/log"
  "github.com/stellar/go/support/render/httpjson"
  "github.com/stellar/go/txnbuild"
+ "github.com/stellar/go/xdr"
  "gopkg.in/square/go-jose.v2"
  "gopkg.in/square/go-jose.v2/jwt"
 )
@@ -52,9 +53,10 @@ func (h tokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  clientAccountID string
  signingAddress *keypair.FromAddress
  homeDomain string
+ memo txnbuild.Memo
  )
  for _, s := range h.SigningAddresses {
- tx, clientAccountID, homeDomain, err = txnbuild.ReadChallengeTx(req.Transaction, s.Address(), h.NetworkPassphrase, h.Domain, h.HomeDomains)
+ tx, clientAccountID, homeDomain, memo, err = txnbuild.ReadChallengeTx(req.Transaction, s.Address(), h.NetworkPassphrase, h.Domain, h.HomeDomains)
  if err == nil {
  signingAddress = s
  break
@@ -80,10 +82,16 @@ func (h tokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  WithField("tx", hash).
  WithField("account", clientAccountID).
  WithField("serversigner", signingAddress.Address()).
- WithField("homedomain", homeDomain)
+ WithField("homedomain", homeDomain).
+ WithField("memo", memo)
 
  l.Info("Start verifying challenge transaction.")
 
+ var muxedAccount xdr.MuxedAccount
+ if muxedAccount, err = xdr.AddressToMuxedAccount(clientAccountID); err == nil {
+ clientAccountID = muxedAccount.ToAccountId().Address()
+ }
+
  var clientAccountExists bool
  clientAccount, err := h.HorizonClient.AccountDetail(horizonclient.AccountRequest{AccountID: clientAccountID})
  switch {
@@ -143,7 +151,7 @@ func (h tokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  issuedAt := time.Unix(tx.Timebounds().MinTime, 0)
  claims := jwt.Claims{
  Issuer: h.JWTIssuer,
- Subject: clientAccountID,
+ Subject: muxedAccount.Address(),
  IssuedAt: jwt.NewNumericDate(issuedAt),
  Expiry: jwt.NewNumericDate(issuedAt.Add(h.JWTExpiresIn)),
  }

diff --git a/exp/services/webauth/internal/serve/token_test.go b/exp/services/webauth/internal/serve/token_test.go
@@ -46,6 +46,7 @@ func TestToken_formInputSuccess(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -146,6 +147,7 @@ func TestToken_formInputSuccess_jwtHeaderAndPayloadAreDeterministic(t *testing.T
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -255,6 +257,7 @@ func TestToken_jsonInputSuccess(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -412,6 +415,7 @@ func TestToken_jsonInputValidRotatingServerSigners(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -497,6 +501,7 @@ func TestToken_jsonInputValidMultipleSigners(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -605,6 +610,7 @@ func TestToken_jsonInputNotEnoughWeight(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -691,6 +697,7 @@ func TestToken_jsonInputUnrecognizedSigner(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -777,6 +784,7 @@ func TestToken_jsonInputAccountNotExistSuccess(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -881,6 +889,7 @@ func TestToken_jsonInputAccountNotExistFail(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -963,6 +972,7 @@ func TestToken_jsonInputAccountNotExistNotAllowed(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -1047,6 +1057,7 @@ func TestToken_jsonInputUnrecognizedServerSigner(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 
@@ -1248,6 +1259,7 @@ func TestToken_jsonInputInvalidWebAuthDomainFail(t *testing.T) {
  homeDomain,
  network.TestNetworkPassphrase,
  time.Minute,
+ nil,
  )
  require.NoError(t, err)
 

diff --git a/txnbuild/example_test.go b/txnbuild/example_test.go
@@ -760,7 +760,7 @@ func ExampleBuildChallengeTx() {
  webAuthDomain := "webauthdomain.example.org"
  timebound := time.Duration(5 * time.Minute)
 
- tx, err := BuildChallengeTx(serverSignerSeed, clientAccountID, webAuthDomain, anchorName, network.TestNetworkPassphrase, timebound)
+ tx, err := BuildChallengeTx(serverSignerSeed, clientAccountID, webAuthDomain, anchorName, network.TestNetworkPassphrase, timebound, nil)
  check(err)
 
  txeBase64, err := tx.Base64()

diff --git a/txnbuild/transaction.go b/txnbuild/transaction.go
@@ -1113,7 +1113,7 @@ func generateRandomNonce(n int) ([]byte, error) {
 // one of the following functions to completely verify the transaction:
 // - VerifyChallengeTxThreshold
 // - VerifyChallengeTxSigners
-func ReadChallengeTx(challengeTx, serverAccountID, network, webAuthDomain string, homeDomains []string) (tx *Transaction, clientAccountID string, matchedHomeDomain string, memo MemoID, err error) {
+func ReadChallengeTx(challengeTx, serverAccountID, network, webAuthDomain string, homeDomains []string) (tx *Transaction, clientAccountID string, matchedHomeDomain string, memo Memo, err error) {
  parsed, err := TransactionFromXDR(challengeTx)
  if err != nil {
  return tx, clientAccountID, matchedHomeDomain, memo, errors.Wrap(err, "could not parse challenge")
@@ -1176,10 +1176,16 @@ func ReadChallengeTx(challengeTx, serverAccountID, network, webAuthDomain string
  }
 
  clientAccountID = op.SourceAccount
+ memo = tx.Memo()
  rawOperations := tx.envelope.Operations()
- if len(rawOperations) > 0 && rawOperations[0].SourceAccount.Type == xdr.CryptoKeyTypeKeyTypeMuxedEd25519 && tx.Memo() != nil {
+ if rawOperations[0].SourceAccount.Type == xdr.CryptoKeyTypeKeyTypeMuxedEd25519 && memo != nil {
  err = errors.New("memos are not valid for challenge transactions with a muxed client account")
  return tx, clientAccountID, matchedHomeDomain, memo, err
+ } else if rawOperations[0].SourceAccount.Type == xdr.CryptoKeyTypeKeyTypeEd25519 && memo != nil {
+ if rawMemo, err := memo.ToXDR(); err != nil || rawMemo.Type != xdr.MemoTypeMemoId {
+ err = errors.New("invalid memo, only ID memos are permitted")
+ return tx, clientAccountID, matchedHomeDomain, memo, err
+ }
  }
 
  // verify manage data value
@@ -1297,7 +1303,7 @@ func VerifyChallengeTxThreshold(challengeTx, serverAccountID, network, webAuthDo
 // server account or one of the signers provided in the arguments.
 func VerifyChallengeTxSigners(challengeTx, serverAccountID, network, webAuthDomain string, homeDomains []string, signers ...string) ([]string, error) {
  // Read the transaction which validates its structure.
- tx, _, _, err := ReadChallengeTx(challengeTx, serverAccountID, network, webAuthDomain, homeDomains)
+ tx, _, _, _, err := ReadChallengeTx(challengeTx, serverAccountID, network, webAuthDomain, homeDomains)
  if err != nil {
  return nil, err
  }

diff --git a/txnbuild/transaction_challenge_example_test.go b/txnbuild/transaction_challenge_example_test.go
@@ -37,7 +37,7 @@ func ExampleVerifyChallengeTxThreshold() {
  // Server builds challenge transaction
  var challengeTx string
  {
- tx, err := txnbuild.BuildChallengeTx(serverAccount.Seed(), clientAccount.Address(), "webauthdomain.stellar.org", "test", network.TestNetworkPassphrase, time.Minute)
+ tx, err := txnbuild.BuildChallengeTx(serverAccount.Seed(), clientAccount.Address(), "webauthdomain.stellar.org", "test", network.TestNetworkPassphrase, time.Minute, nil)
  if err != nil {
  fmt.Println("Error:", err)
  return
@@ -52,7 +52,7 @@ func ExampleVerifyChallengeTxThreshold() {
  // Client reads and signs challenge transaction
  var signedChallengeTx string
  {
- tx, txClientAccountID, _, err := txnbuild.ReadChallengeTx(challengeTx, serverAccount.Address(), network.TestNetworkPassphrase, "webauthdomain.stellar.org", []string{"test"})
+ tx, txClientAccountID, _, _, err := txnbuild.ReadChallengeTx(challengeTx, serverAccount.Address(), network.TestNetworkPassphrase, "webauthdomain.stellar.org", []string{"test"})
  if err != nil {
  fmt.Println("Error:", err)
  return
@@ -75,7 +75,7 @@ func ExampleVerifyChallengeTxThreshold() {
 
  // Server verifies signed challenge transaction
  {
- _, txClientAccountID, _, err := txnbuild.ReadChallengeTx(challengeTx, serverAccount.Address(), network.TestNetworkPassphrase, "webauthdomain.stellar.org", []string{"test"})
+ _, txClientAccountID, _, _, err := txnbuild.ReadChallengeTx(challengeTx, serverAccount.Address(), network.TestNetworkPassphrase, "webauthdomain.stellar.org", []string{"test"})
  if err != nil {
  fmt.Println("Error:", err)
  return