-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SEP-10 Multisig Support #107
Conversation
Codecov Report
@@ Coverage Diff @@
## master #107 +/- ##
=========================================
- Coverage 87.44% 86.55% -0.9%
=========================================
Files 25 25
Lines 1171 1190 +19
=========================================
+ Hits 1024 1030 +6
- Misses 147 160 +13
Continue to review full report at Codecov.
|
@overcat I'd like your thoughts on how this should be implemented in the Python SDK. I left code comments describing my ideas. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JakeUrban I took a look at the PR. I'm not fluent in Python, so please apologies if I've misinterpreted the code, please correct me if I've done so.
I noted inline some concerns ❗️ and ideas 💡.
I really like 👏 how you're proposing to change the Python SDK, I think that will have the least impact on existing users and tells a clear story for how to use the function with the changes.
Thanks for your suggestions, I will release a pre-release version in these two days. |
Hi @JakeUrban, I just released a pre-release version, please let me know if you have any questions. |
3562c90
to
982bf32
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I took a look and this looks good bar a couple comments that are inline below.
I haven't finished looking through the Python SDK challenge transaction implementation that is in 2.1.1, I'll post here when I've done that too.
polaris/polaris/sep10auth/views.py
Outdated
""" | ||
Validate the provided TransactionEnvelope XDR (base64 string). Return the | ||
appropriate error if it fails, else the empty string. | ||
`GET /auth` can be used to get an invalid challenge Stellar transaction. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
invalid challenge Stellar transaction
When you say that the challenge transaction is invalid, do you mean to say that it hasn't been signed by the client? If that's the case I'd avoid the concept of invalid here because from the clients perspective who will be reading the challenge transaction before they sign it it is valid, it is just not yet signed by the client.
server_secret=settings.SIGNING_SEED, | ||
client_account_id=client_account, | ||
anchor_name=ANCHOR_NAME, | ||
network_passphrase=settings.STELLAR_NETWORK_PASSPHRASE, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Python SDK still has a default timeout of 300ms rather than 900ms as in v1.3.0. I think we should set it explicitly here though so we're making a conscious decision that's what we want the timeout to be. Could we add that?
polaris/polaris/sep10auth/views.py
Outdated
) | ||
hash_hex = binascii.hexlify(transaction_envelope.hash()).decode() | ||
jwt_dict = { | ||
"iss": request.build_absolute_uri("/auth"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this line allows injection into the JWT. If an anchor hosts their server in anyway that allows arbitrary hostnames in the requests, e.g. if they host it on a static IP without hostname filtering which is possible, the iss
field can be made to contain any hostname a caller wants.
I'd lean towards this being the server signing key address, e.g. https://github.com/stellar/go/blob/4268b290621430b89c3ed687e0d83df3800c227a/exp/services/webauth/internal/serve/token.go#L87, if we don't have a good way to get some other definitive exact URI for the issuer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not convinced that using the server signing key is any better than the current value for iss
; both can be faked. The only real protection against someone attempting to side-step SEP-10 by using a fake JWT (a JWT not created by the anchor server) is the server's secret used to encode the data. The SEP also states that iss
should be a URI. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah you're right, the SEP does say to use a URI. I was thinking about the RFC7519 Section 4.1.1 where technically it doesn't have to be a URI, but I forgot we specify that in the SEP. I'll change the webauth
implementation to make it a URI too.
Can we get the hostname from the settings or somewhere else instead of the incoming request? I still think we should avoid allowing any data from the request making its way into the JWT.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI I updated the Go implementation here to align with ☝️, stellar/go#2214.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea, I can add an AUTH_SERVER
setting since the SEP-10 authentication could be hosted on a different URI than the anchor server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, if they're using Polaris there isn't a reason you'd want to have a separate server handling authentication. I'll use a HOST_URL
instead.
001f31c
to
c7a8647
Compare
FYI I had a look through the Python SDK challenge transaction implementation that is in 2.1.1 and I posted some recommendations on that repositories issue about. It would be ideal if the changes to how signatures and signers are matched could be made since we're using this in Polaris. |
#60
Refactors the SEP-10 authentication code and adds support for multi-signature accounts according to the changes in stellar-protocol, utilizing the
stellar_sdk
changes released in 2.1.1-beta1.2.1.1 has been released today, so I'll update this PR to use that.