Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEP-10 Multisig Support #107

Merged
merged 13 commits into from
Jan 31, 2020
Merged

SEP-10 Multisig Support #107

merged 13 commits into from
Jan 31, 2020

Conversation

JakeUrban
Copy link
Contributor

@JakeUrban JakeUrban commented Jan 24, 2020

#60

Refactors the SEP-10 authentication code and adds support for multi-signature accounts according to the changes in stellar-protocol, utilizing the stellar_sdk changes released in 2.1.1-beta1.

2.1.1 has been released today, so I'll update this PR to use that.

@codecov-io
Copy link

codecov-io commented Jan 24, 2020

Codecov Report

Merging #107 into master will decrease coverage by 0.89%.
The diff coverage is 77.41%.

Impacted file tree graph

@@            Coverage Diff            @@
##           master     #107     +/-   ##
=========================================
- Coverage   87.44%   86.55%   -0.9%     
=========================================
  Files          25       25             
  Lines        1171     1190     +19     
=========================================
+ Hits         1024     1030      +6     
- Misses        147      160     +13
Impacted Files Coverage Δ
polaris/polaris/helpers.py 86.54% <100%> (+0.07%) ⬆️
...is/polaris/management/commands/check_trustlines.py 68.29% <100%> (ø) ⬆️
polaris/polaris/sep10auth/views.py 79.61% <76.13%> (-5.1%) ⬇️
...aris/management/commands/create_stellar_deposit.py 55.55% <0%> (-27.78%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ecb99f1...c7a8647. Read the comment docs.

@JakeUrban
Copy link
Contributor Author

JakeUrban commented Jan 24, 2020

@overcat I'd like your thoughts on how this should be implemented in the Python SDK. I left code comments describing my ideas.

@JakeUrban JakeUrban mentioned this pull request Jan 24, 2020
Copy link
Member

@leighmcculloch leighmcculloch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JakeUrban I took a look at the PR. I'm not fluent in Python, so please apologies if I've misinterpreted the code, please correct me if I've done so.

I noted inline some concerns ❗️ and ideas 💡.

I really like 👏 how you're proposing to change the Python SDK, I think that will have the least impact on existing users and tells a clear story for how to use the function with the changes.

polaris/polaris/sep10auth/views.py Outdated Show resolved Hide resolved
polaris/polaris/sep10auth/views.py Outdated Show resolved Hide resolved
polaris/polaris/sep10auth/views.py Outdated Show resolved Hide resolved
polaris/polaris/sep10auth/views.py Outdated Show resolved Hide resolved
polaris/polaris/sep10auth/views.py Outdated Show resolved Hide resolved
polaris/polaris/sep10auth/views.py Outdated Show resolved Hide resolved
polaris/polaris/sep10auth/views.py Outdated Show resolved Hide resolved
@overcat
Copy link
Contributor

overcat commented Jan 25, 2020

Thanks for your suggestions, I will release a pre-release version in these two days.

@overcat
Copy link
Contributor

overcat commented Jan 27, 2020

Hi @JakeUrban, I just released a pre-release version, please let me know if you have any questions.

Copy link
Member

@leighmcculloch leighmcculloch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took a look and this looks good bar a couple comments that are inline below.

I haven't finished looking through the Python SDK challenge transaction implementation that is in 2.1.1, I'll post here when I've done that too.

"""
Validate the provided TransactionEnvelope XDR (base64 string). Return the
appropriate error if it fails, else the empty string.
`GET /auth` can be used to get an invalid challenge Stellar transaction.
Copy link
Member

@leighmcculloch leighmcculloch Jan 31, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

invalid challenge Stellar transaction

When you say that the challenge transaction is invalid, do you mean to say that it hasn't been signed by the client? If that's the case I'd avoid the concept of invalid here because from the clients perspective who will be reading the challenge transaction before they sign it it is valid, it is just not yet signed by the client.

server_secret=settings.SIGNING_SEED,
client_account_id=client_account,
anchor_name=ANCHOR_NAME,
network_passphrase=settings.STELLAR_NETWORK_PASSPHRASE,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Python SDK still has a default timeout of 300ms rather than 900ms as in v1.3.0. I think we should set it explicitly here though so we're making a conscious decision that's what we want the timeout to be. Could we add that?

polaris/polaris/sep10auth/views.py Show resolved Hide resolved
polaris/polaris/sep10auth/views.py Show resolved Hide resolved
)
hash_hex = binascii.hexlify(transaction_envelope.hash()).decode()
jwt_dict = {
"iss": request.build_absolute_uri("/auth"),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this line allows injection into the JWT. If an anchor hosts their server in anyway that allows arbitrary hostnames in the requests, e.g. if they host it on a static IP without hostname filtering which is possible, the iss field can be made to contain any hostname a caller wants.

I'd lean towards this being the server signing key address, e.g. https://github.com/stellar/go/blob/4268b290621430b89c3ed687e0d83df3800c227a/exp/services/webauth/internal/serve/token.go#L87, if we don't have a good way to get some other definitive exact URI for the issuer.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not convinced that using the server signing key is any better than the current value for iss; both can be faked. The only real protection against someone attempting to side-step SEP-10 by using a fake JWT (a JWT not created by the anchor server) is the server's secret used to encode the data. The SEP also states that iss should be a URI. What do you think?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah you're right, the SEP does say to use a URI. I was thinking about the RFC7519 Section 4.1.1 where technically it doesn't have to be a URI, but I forgot we specify that in the SEP. I'll change the webauth implementation to make it a URI too.

Can we get the hostname from the settings or somewhere else instead of the incoming request? I still think we should avoid allowing any data from the request making its way into the JWT.

Copy link
Member

@leighmcculloch leighmcculloch Jan 31, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI I updated the Go implementation here to align with ☝️, stellar/go#2214.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, I can add an AUTH_SERVER setting since the SEP-10 authentication could be hosted on a different URI than the anchor server.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, if they're using Polaris there isn't a reason you'd want to have a separate server handling authentication. I'll use a HOST_URL instead.

@JakeUrban JakeUrban merged commit f03a100 into stellar:master Jan 31, 2020
@JakeUrban JakeUrban deleted the sep10-multisig branch January 31, 2020 21:10
@leighmcculloch
Copy link
Member

leighmcculloch commented Feb 1, 2020

I haven't finished looking through the Python SDK challenge transaction implementation that is in 2.1.1, I'll post here when I've done that too.

FYI I had a look through the Python SDK challenge transaction implementation that is in 2.1.1 and I posted some recommendations on that repositories issue about. It would be ideal if the changes to how signatures and signers are matched could be made since we're using this in Polaris.
StellarCN/py-stellar-base#252 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants