From d9dcbcdf1275cf131fd6cd0c8526cf7db8a1350e Mon Sep 17 00:00:00 2001 From: Rodolfo Miranda Date: Wed, 21 Feb 2024 22:01:50 -0300 Subject: [PATCH 1/2] add documentation --- GETTING_STARTED_VENDOR.md | 12 ++++++++++++ README.md | 35 ++++++++++++++++++++++++++++++++++- example-web/my-app/src/App.js | 2 +- src/pages/background/index.ts | 5 +++-- src/screens/config/config.tsx | 4 ++-- 5 files changed, 52 insertions(+), 6 deletions(-) diff --git a/GETTING_STARTED_VENDOR.md b/GETTING_STARTED_VENDOR.md index 45edc406..18690195 100644 --- a/GETTING_STARTED_VENDOR.md +++ b/GETTING_STARTED_VENDOR.md @@ -17,6 +17,9 @@ Following is the JSON structure "title": "Provenant", "logo": "https://media.licdn.com/dms/image/C4E0BAQG2_zXeSh-Qdw/company-logo_200_200/0/1663180132032/provenant_inc_logo?e=1715212800&v=beta&t=yINW7CaXVG50h3Ay7vu13OpY4mAu30qpijZwJAe5g-I", "icon":"https://cdn-icons-png.flaticon.com/128/3291/3291695.png", + "onboardingUrl": "https://github.com/signup", + "docsUrl": "https://docs.github.com", + "supportUrl": "https://support.github.com", "theme": { "colors": { "primary": "#004DB5", @@ -58,6 +61,15 @@ This attribute is used to indicate the vendor icon. ### icon This attribute is used to set the icon provided by the vendor as extension icon. +### onboardingUrl +Hyperlink asociated to the text "Don't have a KERIA agent?" + +### docsUrl +Hyperlink asociated to the text "docs" + +### supportUrl +Hyperlink asociated to the text "support" + ### theme this attribute is the essence of colors (and others e.g. spacing, fonts, etc in the FUTURE) customization. To keep it simplistic, the colors are designed to work in a two-tone fashion. diff --git a/README.md b/README.md index d5c4ccf2..7d009c90 100644 --- a/README.md +++ b/README.md @@ -1 +1,34 @@ -# Signify Browser Extension \ No newline at end of file +# Signify Browser Extension +This browser extension was initially developed as part of Provenant's [Bounty PB311.1](https://docs.google.com/document/d/1mq82RDRGfoOMCs8sR8Cuj_hMC5i1_aP7e6DVqp8o13g/edit?usp=sharing) + +This browser extension, initialy implemented for Chromium browsers, uses [sifnify-ts](https://github.com/weboftrust/signify-ts) to connect to a [KERIA](https://github.com/weboftrust/keria) agent and retrieve user AIDs and their associated keys and credentials. Those AIDs and credentials are use to signin into enabled websites. Once a signin is asociated with a website, it's stored in chrome store for future use. + +The primary goal of this extension is to provide a secure way to signin into websites without disclosing private keys to untrusted websites. Websites developers should adopt [polaris-web]() library to send messages to the extension requesting signed headers that are needed to authenticate in a backend service. Additionally to the signed headers, the website may request to provide a credential (ACDC). + +This browser extension adopts [Manifest V3](https://developer.chrome.com/docs/extensions/develop/migrate/what-is-mv3) to take advantage of the new security features and performance improvements. + +## Architecture +The browser extension is composed of the following components: + +### Background +The background script, knwon as service worker in Manifest v3, is responsible for handling messages received from the content script, popup, and external webpages that were alredy allowed to request signed headers from the extension. The background script is also responsible for handling the communication with the KERIA agent. + +### Popup +It's the user interface of the browser extension. It can be accessed by clicking on the extension action icon in the browser toolbar. + +### Content Script +The content script is injected in the active web page and is responsible for handling messages from the website, the background script and the popup. + +### Dialog +The dialog is a html that is injected by the content script in the active web page. It's used to display messages to the user and request user interaction. + +## Security considerations +The following rules are enforced by design to ensure the security of the extension: +* The extension only sends signed headers to the website if the user has previously create a signing asociation with that website. +* The extension only sends signed headers to the website if the website is the active tab on the browser. +* The passcode is temporarry stored in the extension and is zeroed out after a few minutes. +* Messages from content script are allowed if the content script belongs to the active tab. +* Direct messages from the website to the background script are only allowed for the active tab and if a signing asociation exists with the auto-singin flag enabled. +* Request minumin permision in the Manifest. +* All sesitive data is only accessed by the background script and popup, and never reaches the content script. +* Never run external scripts in the extension (`eval()`). diff --git a/example-web/my-app/src/App.js b/example-web/my-app/src/App.js index 88f6ba35..2d1ccb41 100644 --- a/example-web/my-app/src/App.js +++ b/example-web/my-app/src/App.js @@ -37,7 +37,7 @@ function App() { return () => { unsubscribeFromSignature(); }; - }, []); + }); const removeData = () => { localStorage.removeItem("signify-data"); diff --git a/src/pages/background/index.ts b/src/pages/background/index.ts index 65ea3ffa..5322b074 100644 --- a/src/pages/background/index.ts +++ b/src/pages/background/index.ts @@ -19,7 +19,7 @@ chrome.runtime.onInstalled.addListener(function (object) { } }); -// Handle messages +// Listener to handle internal messages from content scripts from active tab and popup chrome.runtime.onMessage.addListener(function ( message: IMessage, sender, @@ -89,7 +89,7 @@ chrome.runtime.onMessage.addListener(function ( sendResponse({ data: { signins: signins ?? [], autoSigninObj } }); } - // Handle messages from Popup + // Handle messages from Popup } else if (senderIsPopup(sender)) { console.log( "Message received from browser extension: " + @@ -247,6 +247,7 @@ chrome.runtime.onMessage.addListener(function ( return true; }); +// Listener to handle external messages from allowed web pages with auto signin chrome.runtime.onMessageExternal.addListener(function ( message, sender, diff --git a/src/screens/config/config.tsx b/src/screens/config/config.tsx index 3f1153a6..465a9345 100644 --- a/src/screens/config/config.tsx +++ b/src/screens/config/config.tsx @@ -10,7 +10,7 @@ const langMap = Object.entries(languageCodeMap).map((s) => ({ value: s[0], })); -export function Config(props): JSX.Element { +export function Config(props:any): JSX.Element { const [vendorUrl, setVendorUrl] = useState(""); const [vendorUrlError, setVendorUrlError] = useState(""); const [agentUrl, setAgentUrl] = useState(""); @@ -54,7 +54,7 @@ export function Config(props): JSX.Element { }; const handleSetAgentUrl = async (_url) => { - const hasError = checkErrorAgentUrl(_url); + const hasError = (_url); if (!hasError) { await configService.setAgentUrl(_url); setAgentUrl(_url); From 81feca6a605ec3e6b805a99ef0f3422fab8f5830 Mon Sep 17 00:00:00 2001 From: Rodolfo Miranda Date: Wed, 21 Feb 2024 22:05:53 -0300 Subject: [PATCH 2/2] merge conflict --- src/screens/config/config.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/screens/config/config.tsx b/src/screens/config/config.tsx index 465a9345..6c00474d 100644 --- a/src/screens/config/config.tsx +++ b/src/screens/config/config.tsx @@ -54,7 +54,7 @@ export function Config(props:any): JSX.Element { }; const handleSetAgentUrl = async (_url) => { - const hasError = (_url); + const hasError = checkErrorAgentUrl(_url); if (!hasError) { await configService.setAgentUrl(_url); setAgentUrl(_url);