token security: not finished yet

Author: kostysh

.eslintrc.js

@@ -0,0 +1,65 @@
+module.exports = {
+    "extends": "eslint:recommended",
+    "env": {
+        "es6": true,
+        "browser": true,
+        "node": true,
+        "mocha": true,
+        "jest": true
+    },
+    "globals": {
+        "artifacts": false,
+        "contract": false,
+        "assert": false,
+        "web3": false
+    },
+    "parserOptions": {
+        "ecmaVersion": 8
+    },
+    "rules": {
+
+        // Strict mode
+        "strict": 0,
+
+        // Code style
+        "indent": ["error", 2, {
+            "SwitchCase": 1
+        }],
+        "quotes": [2, "single"],
+        "semi": ["error", "always"],
+        "space-before-function-paren": ["error", "always"],
+        "no-use-before-define": 0,
+        "eqeqeq": [2, "smart"],
+        "dot-notation": [2, {
+            "allowKeywords": true,
+            "allowPattern": ""
+        }],
+        "no-redeclare": [2, {
+            "builtinGlobals": true
+        }],
+        "no-trailing-spaces": [2, {
+            "skipBlankLines": true
+        }],
+        "eol-last": 1,
+        "comma-spacing": [2, {
+            "before": false,
+            "after": true
+        }],
+        "camelcase": [2, {
+            "properties": "always"
+        }],
+        "no-mixed-spaces-and-tabs": [2, "smart-tabs"],
+        "comma-dangle": [1, "only-multiline"],
+        "no-dupe-args": 2,
+        "no-dupe-keys": 2,
+        "no-debugger": 0,
+        "no-undef": 2,
+        "one-var": [0],
+        "object-curly-spacing": [2, "always"],
+        "generator-star-spacing": ["error", "before"],
+        "padded-blocks": 0,
+        "no-unused-expressions": 0,
+        "arrow-body-style": 0,
+        "no-extra-semi": 0
+    }
+};

decorators/basic.js

@@ -1,21 +1,25 @@
-const { verifyJWT, isAuthorized } = require('../helpers/jwt');
+const { verifyJWT } = require('../helpers/jwt');
 
 const basicDecorator = fn => async (req, res) => {
+
   try {
     const { headers } = req;
-    if (!headers.authorization) throw new Error('Authorization missing');
+
+    if (!headers.authorization) {
+      throw new Error('Authorization missing');
+    }
+    
     const auth = headers.authorization.split(' ');
-    const { payload, signingAddress } = await verifyJWT(...auth);
-    await isAuthorized(payload.iss, signingAddress);
+    await verifyJWT(...auth);
     await fn(req, res);
   } catch (e) {
     console.log(e);
     res.status(500).json({
       message: e.message,
-    });  
+    });
   }
 };
 
 module.exports = {
   basicDecorator,
-}
+};

helpers/jwt.js

@@ -1,44 +1,137 @@
 const JWT = require('jsonwebtoken');
 const ethers = require('ethers');
-const { organizationAbi } = require('./contracts/organization');
+const KeyEncoder = require('key-encoder').default;
+const { ec, eddsa } = require('elliptic');
+const Web3 = require('web3');
+const { OrgIdResolver, httpFetchMethod } = require('@windingtree/org.id-resolver');
+const { addresses } = require('@windingtree/org.id');
+const web3 = new Web3(process.env.INFURA_ENDPOINT);
 
-const validisTyp = ["jwt", 'application/jwt'];
-const verifyJWT = (type, jwt) => {
-  if (type !== 'Bearer') throw new Error('JWT Token format is not valid');
-  
-  const decodedToken = JWT.decode(jwt, {complete: true});
-  if(!decodedToken) throw new Error('JWT Token format is not valid');
-  const { header, payload, signature} = decodedToken;
-  
-  if(!validisTyp.includes(header.typ.toLowerCase())) throw new Error('JWT Token header typ invalid');
-  if(header.alg !== 'ETH') throw new Error('JWT Token algorithm must be ETH');
- 
-  if (payload.exp < Date.now()/1000) throw new Error('JWT Token has Expired');
+// ORG.ID resolver configuration
+const orgIdResolver = new OrgIdResolver({
+  web3,
+  orgId: addresses.ropsten // @todo Set the network type on the base of environment config
+});
+orgIdResolver.registerFetchMethod(httpFetchMethod);
 
-  const lastPeriod = jwt.lastIndexOf('.');
+const validisTyp = ['jwt', 'application/jwt'];
+const validAlg = ['ETH', 'ES256K'];
 
-  const signedMessage = jwt.substring(0, lastPeriod);
-  const sigatureB64 = jwt.substring(lastPeriod + 1);
+const verifyJWT = async (type, jwt) => {
 
-  const signatureB16 = (Buffer.from(sigatureB64.toString().replace('-', '+').replace('_', '/'), 'base64')).toString('hex');
-  const hashedMessage = ethers.utils.hashMessage(signedMessage);
-  const signingAddress = ethers.utils.recoverAddress(hashedMessage, `0x${signatureB16}`);
+  if (type !== 'Bearer') {
+    throw new Error('JWT Token format is not valid');
+  };
 
-  return { header, payload, signature, signingAddress };
-};
+  const decodedToken = JWT.decode(jwt, {
+    complete: true
+  });
 
-const isAuthorized = async (contractAddress, signer) => {
-  const provider = ethers.getDefaultProvider('ropsten');
-  const contract = new ethers.Contract(contractAddress, organizationAbi, provider);
-  
-  const owner = await contract.owner();
-  if (owner === signer) return;
+  if (!decodedToken) {
+    throw new Error('JWT Token format is not valid');
+  };
+
+  const {
+    header,
+    payload,
+    signature
+  } = decodedToken;
+
+  if (!validisTyp.includes(header.typ.toLowerCase())) {
+    throw new Error('JWT Token header typ invalid');
+  }
+
+  if (!validAlg.includes(header.alg)) {
+    throw new Error('JWT Token algorithm is invalid');
+  }
+
+  if (payload.exp < Date.now() / 1000) {
+    throw new Error('JWT Token has Expired');
+  }
+
+  const [ did, fragment ] = payload.iss.split('#');
+  const didResult = await orgIdResolver.resolve(did);
+
+  console.log('>>>', didResult);
+
+  const lastPeriod = jwt.lastIndexOf('.');
+  const signedMessage = jwt.substring(0, lastPeriod);
+  const signatureB16 = (Buffer.from(
+    signature
+      .toString()
+      .replace('-', '+')
+      .replace('_', '/'),
+    'base64')).toString('hex');
 
-  const isAssociadtedKey = await contract.hasAssociatedKey(signer);
-  if(!isAssociadtedKey) throw new Error('JWT Token not authorized');
+  if (header.alg === 'ETH') {
+    // Validate signature of the organization owner or director
+    const hashedMessage = ethers.utils.hashMessage(signedMessage);
+    const signingAddress = ethers.utils.recoverAddress(hashedMessage, `0x${signatureB16}`);
+
+    if (![
+      didResult.organization.owner,
+      ...didResult.organization.director === '0x0000000000000000000000000000000000000000'
+        ? []
+        : [didResult.organization.director]
+    ].includes(signingAddress)) {
+      throw new Error('JWT Token not authorized');
+    }
+
+  } else if (fragment && didResult.didDocument.publicKey) {
+    // Validate signature using publickKey
+    let publicKey = didResult.didDocument.publicKey.filter(
+      p => p.id.match(RegExp(`#${fragment}$`, 'g'))
+    )[0];
+
+    if (!publicKey) {
+      throw new Error('Public key definition not found in the DID document');
+    }
+
+    let curveType;
+
+    switch (publicKey.type) {
+      case 'X25519':
+        curveType = 'ed25519';
+        break;
+
+      case 'secp256k1':
+        curveType = 'secp256k1';
+        break;
+      
+      default:
+        throw new Error('Signature verification method not found');
+    }
+
+    const context = new ec(curveType);
+    const keyEncoder = new KeyEncoder(curveType);
+
+    if (!publicKey.publicKeyPem.match(RegExp('BEGIN PUBLIC KEY', 'gi'))) {
+      publicKey.publicKeyPem = `-----BEGIN PUBLIC KEY-----\n${publicKey.publicKeyPem}\n-----END PUBLIC KEY-----`;
+    }
+    
+    const rawPub = keyEncoder.encodePublic(publicKey.publicKeyPem, 'pem', 'raw');
+    const key = context.keyFromPublic(rawPub, 'hex');
+    const sigParts = signatureB16.match(/([a-f\d]{64})/gi);
+    const sig = {
+      r: sigParts[0],
+      s: sigParts[1]
+    };
+
+    if (!key.verify(signedMessage, sig)) {
+      throw new Error('JWT Token not authorized');
+    }
+
+  } else {
+    throw new Error('Signature verification method not found');
+  }
+
+  return {
+    header,
+    payload,
+    signature
+  };
 };
 
 module.exports = {
-  verifyJWT,
-  isAuthorized,
-};
+  verifyJWT
+};

package.json

@@ -1,11 +1,11 @@
 {
-  "name": "wt-aggregator",
+  "name": "glider-aggregator",
   "version": "0.0.1",
   "description": "Winding Tree aggregator",
   "main": "index.js",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/windingtree/wt-aggregator.git"
+    "url": "git+https://github.com/windingtree/glider-aggregator.git"
   },
   "keywords": [
     "Winding",
@@ -15,9 +15,9 @@
   "author": "Winding Tree devs",
   "license": "SEE LICENSE IN LICENSE",
   "bugs": {
-    "url": "https://github.com/windingtree/wt-aggregator/issues"
+    "url": "https://github.com/windingtree/glider-aggregator/issues"
   },
-  "homepage": "https://github.com/windingtree/wt-aggregator#readme",
+  "homepage": "https://github.com/windingtree/glider-aggregator#readme",
   "dependencies": {
     "axios": "0.19.2",
     "camaro": "^4.1.2",
@@ -28,7 +28,14 @@
     "express": "^4.17.1",
     "jsonwebtoken": "^8.5.1",
     "redis": "^3.0.2",
-    "uuid": "^7.0.0"
+    "uuid": "^7.0.0",
+    "web3": "1.2.6",
+    "@windingtree/org.id-resolver": "0.3.1",
+    "key-encoder": "2.0.3",
+    "elliptic": "6.5.2"
+  },
+  "devDependencies": {
+    "eslint": "6.8.0"
   },
   "engines": {
     "node": "12.x"