From 3145a9dc524a007fcff4b5586f8c8704813fd17f Mon Sep 17 00:00:00 2001 From: Tak Wai Wong <64229756+tak-hntlabs@users.noreply.github.com> Date: Thu, 12 May 2022 16:47:48 -0700 Subject: [PATCH] Takwaiw/dendrite publickey (#2) * Implementation of MSC 3782 Add publickey login as a new auth type. Co-authored-by: Tak Wai Wong --- clientapi/auth/user_interactive.go | 2 +- clientapi/auth/user_interactive_test.go | 11 ++---- clientapi/routing/deactivate.go | 2 +- clientapi/routing/device.go | 2 +- setup/config/config_clientapi.go | 43 ++++++++++++++++++++++ userapi/storage/tables/stats_table_test.go | 6 +-- 6 files changed, 52 insertions(+), 14 deletions(-) diff --git a/clientapi/auth/user_interactive.go b/clientapi/auth/user_interactive.go index 9dad49a39..717e140f1 100644 --- a/clientapi/auth/user_interactive.go +++ b/clientapi/auth/user_interactive.go @@ -246,7 +246,7 @@ func (u *UserInteractive) ResponseWithChallenge(sessionID string, response inter // Verify returns an error/challenge response to send to the client, or nil if the user is authenticated. // `bodyBytes` is the HTTP request body which must contain an `auth` key. // Returns the login that was verified for additional checks if required. -func (u *UserInteractive) Verify(ctx context.Context, bodyBytes []byte, device *api.Device) (*Login, *util.JSONResponse) { +func (u *UserInteractive) Verify(ctx context.Context, bodyBytes []byte) (*Login, *util.JSONResponse) { // TODO: rate limit // "A client should first make a request with no auth parameter. The homeserver returns an HTTP 401 response, with a JSON body" diff --git a/clientapi/auth/user_interactive_test.go b/clientapi/auth/user_interactive_test.go index 3dbb9dabc..bc1239910 100644 --- a/clientapi/auth/user_interactive_test.go +++ b/clientapi/auth/user_interactive_test.go @@ -17,11 +17,6 @@ var ( serverName = gomatrixserverlib.ServerName("example.com") // space separated localpart+password -> account lookup = make(map[string]*api.Account) - device = &api.Device{ - AccessToken: "flibble", - DisplayName: "My Device", - ID: "device_id_goes_here", - } ) type fakeAccountDatabase struct { @@ -60,7 +55,7 @@ func setup() *UserInteractive { func TestUserInteractiveChallenge(t *testing.T) { uia := setup() // no auth key results in a challenge - _, errRes := uia.Verify(ctx, []byte(`{}`), device) + _, errRes := uia.Verify(ctx, []byte(`{}`)) if errRes == nil { t.Fatalf("Verify succeeded with {} but expected failure") } @@ -100,7 +95,7 @@ func TestUserInteractivePasswordLogin(t *testing.T) { }`), } for _, tc := range testCases { - _, errRes := uia.Verify(ctx, tc, device) + _, errRes := uia.Verify(ctx, tc) if errRes != nil { t.Errorf("Verify failed but expected success for request: %s - got %+v", string(tc), errRes) } @@ -181,7 +176,7 @@ func TestUserInteractivePasswordBadLogin(t *testing.T) { }, } for _, tc := range testCases { - _, errRes := uia.Verify(ctx, tc.body, device) + _, errRes := uia.Verify(ctx, tc.body) if errRes == nil { t.Errorf("Verify succeeded but expected failure for request: %s", string(tc.body)) continue diff --git a/clientapi/routing/deactivate.go b/clientapi/routing/deactivate.go index f213db7f3..9f80dff61 100644 --- a/clientapi/routing/deactivate.go +++ b/clientapi/routing/deactivate.go @@ -28,7 +28,7 @@ func Deactivate( } } - login, errRes := userInteractiveAuth.Verify(ctx, bodyBytes, deviceAPI) + login, errRes := userInteractiveAuth.Verify(ctx, bodyBytes) if errRes != nil { return *errRes } diff --git a/clientapi/routing/device.go b/clientapi/routing/device.go index e3a02661c..84e11bc7a 100644 --- a/clientapi/routing/device.go +++ b/clientapi/routing/device.go @@ -198,7 +198,7 @@ func DeleteDeviceById( sessionID = s } - login, errRes := userInteractiveAuth.Verify(ctx, bodyBytes, device) + login, errRes := userInteractiveAuth.Verify(ctx, bodyBytes) if errRes != nil { switch data := errRes.JSON.(type) { case auth.Challenge: diff --git a/setup/config/config_clientapi.go b/setup/config/config_clientapi.go index fe88a5db6..e87438e5c 100644 --- a/setup/config/config_clientapi.go +++ b/setup/config/config_clientapi.go @@ -3,6 +3,8 @@ package config import ( "fmt" "time" + + "github.com/matrix-org/dendrite/clientapi/auth/authtypes" ) type ClientAPI struct { @@ -160,3 +162,44 @@ func (r *RateLimiting) Defaults() { r.Threshold = 5 r.CooloffMS = 500 } + +type ethereumAuthParams struct { + Version uint32 `json:"version"` + ChainIDs []string `json:"chain_ids"` +} + +type ethereumAuthConfig struct { + Enabled bool `yaml:"enabled"` + Version uint32 `yaml:"version"` + ChainIDs []string `yaml:"chain_ids"` +} + +type publicKeyAuthentication struct { + Ethereum ethereumAuthConfig `yaml:"ethereum"` +} + +func (pk *publicKeyAuthentication) Enabled() bool { + return pk.Ethereum.Enabled +} + +func (pk *publicKeyAuthentication) GetPublicKeyRegistrationFlows() []authtypes.Flow { + var flows []authtypes.Flow + if pk.Ethereum.Enabled { + flows = append(flows, authtypes.Flow{Stages: []authtypes.LoginType{authtypes.LoginTypePublicKeyEthereum}}) + } + + return flows +} + +func (pk *publicKeyAuthentication) GetPublicKeyRegistrationParams() map[string]interface{} { + params := make(map[string]interface{}) + if pk.Ethereum.Enabled { + p := ethereumAuthParams{ + Version: pk.Ethereum.Version, + ChainIDs: pk.Ethereum.ChainIDs, + } + params[authtypes.LoginTypePublicKeyEthereum] = p + } + + return params +} diff --git a/userapi/storage/tables/stats_table_test.go b/userapi/storage/tables/stats_table_test.go index 3b67a4acc..c4aec552c 100644 --- a/userapi/storage/tables/stats_table_test.go +++ b/userapi/storage/tables/stats_table_test.go @@ -300,10 +300,10 @@ func Test_UserStatistics(t *testing.T) { }, R30UsersV2: map[string]int64{ "ios": 0, - "android": 0, - "web": 0, + "android": 1, + "web": 1, "electron": 0, - "all": 0, + "all": 2, }, AllUsers: 6, NonBridgedUsers: 5,