add meta code verify #311
@spiritupbro is attempting to deploy a commit to the HUMAN Protocol Team on Vercel. A member of the Team first needs to authorize it. |
Target branch should be develop
Gotchu let me try cloning fresh and then get back to you
…On Thu, Apr 6, 2023, 2:54 PM portuu3 ***@***.***> wrote:
***@***.**** requested changes on this pull request.
I get this error when I run yarn build-local-dev
|
@portuu3 please pull again and try again it turns out 'build' not getting pushed it basically a script for rollup, it works now |
I am getting this now when I run |
ah its need nft.storage token i need fix the docs i guess 😅 sorry let me
fix the docs you need to add ` VITE_APP_NFT_STORAGE_API= `
…On Tue, Apr 11, 2023 at 8:15 PM portuu3 ***@***.***> wrote:
@portuu3 <https://github.com/portuu3> please pull again and try again it
turns out 'build' not getting pushed it basically a script for rollup, it
works now
I am getting this now when I run yarn build --mode development:
|
Is this on localhost?
…On Thu, Apr 13, 2023, 2:10 PM portuu3 ***@***.***> wrote:
Now it builds ok for both code verify and dashboard, but I get this
without modifying index.html
|
Oh wait @portuu3 could you please try using incognito? Because in the original meta-code-verify by facebook there are a list of whitelist extension if there are a blacklisted extension it will trigger validation warning coz sometimes browser extension also inject a script see this one facebookincubator/meta-code-verify#139 i think i need to fix the docs again |
For me extension is not showing up for http://localhost:3000/, but showing for https://web.whatsapp.com/. |
@mrhouzlane can you tell me how you run this? Are you using this readme https://github.com/spiritbroski/human-protocol/blob/meta-code-verify/packages/apps/meta-code-verify/README.md to run? i fresh clone the repo and it work for me this is my reproduction step:
are you also run it just like me? and are you adding something in index.html? have you tried refreshing it, is it the same? could you please disable any other extension other than meta code verify first then try reload again? |
Working now. Modify the 2. |
@mrhouzlane which readme? escrow-dashboard or meta-code-verify? also could you please try using metamask on? is it throwing error? if it is then my app is correct, also use https://github.com/spiritbroski/human-protocol/tree/meta-code-verify/packages/apps/meta-code-verify#allowlist to allow to use metamask without disabling it first |
Steps are already detailed, all good. Do you have any tests for |
uhm, no basically the correct flow if there is any other extension it will throw an error or a risk message so thats why i ask you that, and thats why i create allowlist so you can allow some of the extension that you deemed safe to use, you can try it like this install metamask and go to localhost:3000 it will throw validation error
nope, i will add that i guess |
@mrhouzlane adding the generateMerkleTree test check again |
looks good on first view but i'll leave it to others to approve
Test working, good for me. |
Let's fix the lint and tests |
@posix4e ok |
@posix4e i think most of the check failing is not coming from the package that i work with |
Merge develop branch and check if it gets fixed |
Ok let me try that
…On Mon, Apr 24, 2023, 2:00 PM portuu3 ***@***.***> wrote:
@posix4e <https://github.com/posix4e> i think most of the check failing
is not coming from the package that i work with
Merge develop branch and check if it gets fixed
|
@portuu3 it said already up to date |
Add meta code verify to check integrity of dashboard
closes #277
Video Demo
https://www.youtube.com/watch?v=BZfnLPGep-4
Description
This is a modified version of https://github.com/facebookincubator/meta-code-verify by facebook, to describe what it does in simple terms, it is basically a web extension for checking if the js doesn't get tampered by creating a merkle tree both in a client and in a server you can read this https://wiki.mozilla.org/Security/Binary_Transparency, if you see in the code that i push you can see that i create a script https://github.com/spiritbroski/human-protocol/blob/24b39697a51096c9f982b00b44a469b0c11470de/packages/apps/escrow-dashboard/scripts/generateMerkleTree.ts to generate merkle tree in vite then push the root of the merkle tree to ipfs, i design it to look like the whatsapp binary transparency manifest:
this is what it looks like in our apps:
the difference is i remove `hash_function`, and for the whatsapp they push their merkle root into cloudflare like this https://staging-api.privacy-auditability.cloudflare.com/v1/hash/whatsapp.com/2.2313.8 and this is ours https://bafkreicgn4acvov2oilxnbeootwvxdnakn4a6lcf3sgs2ubi5u76wcdrny.ipfs.nftstorage.link/ it's the same and we are much more resilient coz it's decentralized in ipfs however cloudflare is centralized server, so this is a brief description of what i've been working on
How to use
As this is a web extension first you need to have either chrome based browser or firefox, in this demo i use brave browser, first navigate to `packages/apps/meta-code-verify` and run this script:
Then go to your browser and open this url `brave://extensions/` turn on developer mode if you haven't:
Then click load unpacked:
Then navigate to the `dist/chrome` folder of meta-code-verify then click select folder
If successful it will show something like this:
Now go to `packages/apps/escrow-dashboard` and run this command:
Wait until it finishes building then run
Go to your browser and navigate to `http://localhost:3000`, if you click on the web extension earlier you can see the green checkmark which means our code is not tampered
So how to check if our code is getting tampered first we need to stop the `yarn start-prod` command if you're on linux it's simply `CTRL+C` then now go to `index.html` in escrow-dashboard packages and add this `<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.3/jquery.min.js"></script>`:
and run `yarn build --mode development` again and followed by `yarn start-prod` and when you go to `http://localhost:3000` again you will see red exclamation mark:
It means that one or more script is not in the merkle tree and if you download it you will get list of all js files and its source code in gzip files so you can check it yourself, ok that's it waiting for your review
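
The build-time Merkle root and the client-side check that the description outlines, as an added JavaScript sketch that is not code from this PR or from meta-code-verify. The tree layout (sorted leaves, `0x00`/`0x01` prefixes, unpaired node promoted), the function names and the sample scripts are assumptions made for illustration.

```javascript
// Added sketch, not the PR's generateMerkleTree.ts or the extension's format.
// Assumed layout: sorted leaves, 0x00/0x01 prefixes, unpaired node promoted.
const crypto = require("crypto");
const sha256 = (...parts) =>
  parts.reduce((h, p) => h.update(p), crypto.createHash("sha256")).digest();
const leafHash = (src) => sha256(Buffer.from([0x00]), Buffer.from(src, "utf8"));
const nodeHash = (l, r) => sha256(Buffer.from([0x01]), l, r);

// Build step: levels[0] holds the sorted leaf hashes, the last level the root.
function buildLevels(sources) {
  if (sources.length === 0) throw new Error("no scripts to hash");
  const levels = [sources.map(leafHash).sort(Buffer.compare)];
  while (levels.at(-1).length > 1) {
    const cur = levels.at(-1), next = [];
    for (let i = 0; i < cur.length; i += 2)
      next.push(i + 1 < cur.length ? nodeHash(cur[i], cur[i + 1]) : cur[i]);
    levels.push(next);
  }
  return levels;
}
const rootOf = (levels) => levels.at(-1)[0].toString("hex");

// Inclusion proof: sibling hashes from leaf to root, or null for a non-member.
function proofFor(levels, src) {
  let idx = levels[0].findIndex((h) => h.equals(leafHash(src)));
  if (idx < 0) return null;
  const proof = [];
  for (const level of levels.slice(0, -1)) {
    const sib = idx ^ 1;
    if (sib < level.length) proof.push({ hash: level[sib], left: sib < idx });
    idx >>= 1;
  }
  return proof;
}

// Client step: recompute the root from the script text the browser received.
function verify(src, proof, rootHex) {
  if (proof === null) return false;
  let acc = leafHash(src);
  for (const { hash, left } of proof)
    acc = left ? nodeHash(hash, acc) : nodeHash(acc, hash);
  return acc.toString("hex") === rootHex;
}

// Constructed sample bundle (not taken from the PR).
const built = ["console.log('app')", "console.log('vendor')", "console.log('chunk')"];
const levels = buildLevels(built);
const unverified = (observed) =>
  observed.filter((s) => !verify(s, proofFor(levels, s), rootOf(levels)));
```

`unverified` returns the scripts a page load contained that are not covered by the published root, which is the condition the red exclamation mark reports.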