exp/services/webauth: remove the stellar.toml domain checks #3113

merged 3 commits into from
Oct 8, 2020
1 change: 0 additions & 1 deletion exp/services/webauth/README.md
Expand Up @@ -51,7 +51,6 @@ Flags:
--network-passphrase string Network passphrase of the Stellar network transactions should be signed for (NETWORK_PASSPHRASE) (default "Test SDF Network ; September 2015")
--port int Port to listen and serve on (PORT) (default 8000)
--signing-key string Stellar signing key(s) used for signing transactions comma separated (first key is used for signing, others used for verifying challenges) (SIGNING_KEY)
--stellar-toml-domain string Domain where stellar.toml is served. The private key counterpart of the SIGNING_KEY specified in the stellar.toml file has to be provided via signing-key (STELLAR_TOML_DOMAIN)
```

[SEP-10]: https://github.com/stellar/stellar-protocol/blob/28c636b4ef5074ca0c3d46bbe9bf0f3f38095233/ecosystem/sep-0010.md
7 changes: 0 additions & 7 deletions exp/services/webauth/cmd/serve.go
Expand Up @@ -51,13 +51,6 @@ func (c *ServeCommand) Command() *cobra.Command {
ConfigKey: &opts.SigningKeys,
Required: true,
},
{
Name: "stellar-toml-domain",
Usage: "Domain where stellar.toml is served. The private key counterpart of the SIGNING_KEY specified in the stellar.toml file has to be provided via signing-key",
OptType: types.String,
ConfigKey: &opts.StellarTOMLDomain,
Required: true,
},
{
Name: "auth-home-domain",
Usage: "Home domain(s) of the service(s) requiring SEP-10 authentication comma separated (first domain is the default domain)",
54 changes: 3 additions & 51 deletions exp/services/webauth/internal/serve/serve.go
Expand Up @@ -3,12 +3,10 @@ package serve
import (
"encoding/json"
"fmt"
"io"
"net/http"
"strings"
"time"

"github.com/BurntSushi/toml"
"github.com/stellar/go/clients/horizonclient"
"github.com/stellar/go/keypair"
"github.com/stellar/go/support/errors"
Expand All @@ -18,15 +16,12 @@ import (
"gopkg.in/square/go-jose.v2"
)

const stellarTomlMaxSize = 100 * 1024

type Options struct {
Logger *supportlog.Entry
HorizonURL string
Port int
NetworkPassphrase string
SigningKeys string
StellarTOMLDomain string
AuthHomeDomains string
ChallengeExpiresIn time.Duration
JWK string
Expand Down Expand Up @@ -54,7 +49,7 @@ func Serve(opts Options) {
}

func handler(opts Options) (http.Handler, error) {
var signingKeyFull *keypair.Full
signingKeys := []*keypair.Full{}
signingKeyStrs := strings.Split(opts.SigningKeys, ",")
signingAddresses := make([]*keypair.FromAddress, 0, len(signingKeyStrs))

Expand All @@ -63,21 +58,7 @@ func handler(opts Options) (http.Handler, error) {
if err != nil {
return nil, errors.Wrap(err, "parsing signing key seed")
}

// Only the first key is used for signing. The rest is for verifying challenge transactions, if any.
if i == 0 {
var signingKeyPub string
signingKeyPub, err = getStellarTOMLSigningKey(opts.StellarTOMLDomain)
if err != nil {
opts.Logger.Errorf("Error reading SIGNING_KEY from domain %s: %v", opts.StellarTOMLDomain, err)
}

if err == nil && signingKey.Address() != signingKeyPub {
opts.Logger.Error("The configured signing key does not match the private key counterpart of the SIGNING_KEY in the stellar.toml file.")
}

signingKeyFull = signingKey
}
signingKeys = append(signingKeys, signingKey)
signingAddresses = append(signingAddresses, signingKey.FromAddress())
opts.Logger.Info("Signing key ", i, ": ", signingKey.Address())
}
Expand Down Expand Up @@ -117,7 +98,7 @@ func handler(opts Options) (http.Handler, error) {
mux.Get("/", challengeHandler{
Logger: opts.Logger,
NetworkPassphrase: opts.NetworkPassphrase,
SigningKey: signingKeyFull,
SigningKey: signingKeys[0],
ChallengeExpiresIn: opts.ChallengeExpiresIn,
HomeDomains: trimmedHomeDomains,
}.ServeHTTP)
Expand All @@ -135,32 +116,3 @@ func handler(opts Options) (http.Handler, error) {

return mux, nil
}

func getStellarTOMLSigningKey(domain string) (string, error) {
var signingKeyTOML struct {
SigningKey string `toml:"SIGNING_KEY"`
}

httpClient := &http.Client{
Timeout: 5 * time.Second,
}

domain = strings.TrimRight(domain, "./")
resp, err := httpClient.Get(fmt.Sprintf("https://%s/.well-known/stellar.toml", domain))
if err != nil {
return "", errors.Wrap(err, "sending http request")
}
defer resp.Body.Close()

if resp.StatusCode/100 != 2 {
return "", errors.New("http request failed with non-200 status code")
}

safeResBody := io.LimitReader(resp.Body, stellarTomlMaxSize)
_, err = toml.DecodeReader(safeResBody, &signingKeyTOML)
if err != nil {
return "", errors.Wrap(err, "decoding signing key")
}

return signingKeyTOML.SigningKey, nil
}
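Review bot: `SigningKey: signingKeys[0]` in the challengeHandler literal is safe only because `strings.Split` always yields at least one element and the loop returns an error on any seed that fails to parse, and that invariant is not stated anywhere in handler; a comment where the slice is built, `// strings.Split returns at least one element and every element must parse, so signingKeys is non-empty by the time it is indexed below.`, would keep the next edit from breaking it. For consistency with the adjacent `signingAddresses := make([]*keypair.FromAddress, 0, len(signingKeyStrs))`, prefer `signingKeys := make([]*keypair.Full, 0, len(signingKeyStrs))` over the empty literal. With the stellar.toml lookup and its mismatch log removed, nothing at startup tells an operator that the first signing key differs from the SIGNING_KEY they publish, and SEP-10 clients that verify against the published key would presumably reject every challenge, so the `--signing-key` usage text (or the README flag table) should state that the operator must keep the two in sync. The handler function spans several hunks here and its body is only partly visible.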