set idstrings async, validate sig on plaintext blocks before save, and change to returning unpadded key from API

2019-09-06 17:22:33 -05:00 · 2019-09-06 17:22:33 -05:00 · 50e2efee32
commit 50e2efee32
parent ddcb1e39e3
3 changed files with 35 additions and 8 deletions
--- a/onionr/httpapi/miscclientapi/endpoints.py
+++ b/onionr/httpapi/miscclientapi/endpoints.py
@ -18,6 +18,7 @@
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 '''
 from flask import Response, Blueprint, request, send_from_directory, abort
+
 from httpapi import apiutils
 import onionrcrypto, config
 from netcontroller import NetController
@ -25,7 +26,8 @@ from serializeddata import SerializedData
 from onionrutils import mnemonickeys
 from onionrutils import bytesconverter

-pub_key = onionrcrypto.pub_key
+pub_key = onionrcrypto.pub_key.replace('=', '')
+
 class PrivateEndpoints:
    def __init__(self, client_api):
        private_endpoints_bp = Blueprint('privateendpoints', __name__)
--- a/onionr/onionrutils/validatemetadata.py
+++ b/onionr/onionrutils/validatemetadata.py
@ -76,6 +76,16 @@ def validate_metadata(metadata, block_data) -> bool:
                except AssertionError:
                    logger.warn('Invalid encryption mode')
                    break
+            elif i == 'sig':
+                try:
+                    metadata['encryptType']
+                except KeyError:
+                    signer = metadata['signer']
+                    sig = metadata['sig']
+                    encodedMeta = bytesconverter.str_to_bytes(metadata['meta'])
+                    encodedBlock = bytesconverter.str_to_bytes(block_data)
+                    if not onionrcrypto.signing.ed_verify(encodedMeta + encodedBlock[1:], signer, sig):
+                        break
        else:
            # if metadata loop gets no errors, it does not break, therefore metadata is valid
            # make sure we do not have another block with the same data content (prevent data duplication and replay attacks)
--- a/onionr/static-data/www/shared/misc.js
+++ b/onionr/static-data/www/shared/misc.js
@ -19,8 +19,16 @@

 webpass = document.location.hash.replace('#', '')
 nowebpass = false
+myPub = ""

-myPub = httpGet('/getHumanReadable')
+fetch('/getActivePubkey', {
+    headers: {
+      "token": webpass
+    }})
+.then((resp) => resp.text()) 
+.then(function(resp) {
+    myPub = resp
+})

 function post_to_url(path, params) {

@ -95,6 +103,11 @@ for (var i = 0; i < document.getElementsByClassName('closeOverlay').length; i++)
    }
 }

+function setIdStrings(){
+    if (myPub === ""){
+        setTimeout(function(){setIdStrings()}, 700)
+        return
+    }
    var idStrings = document.getElementsByClassName('myPub')
    for (var i = 0; i < idStrings.length; i++){
        if (idStrings[i].tagName.toLowerCase() == 'input'){
@ -104,6 +117,8 @@ for (var i = 0; i < idStrings.length; i++){
            idStrings[i].innerText = myPub
        }
    }
+}
+setIdStrings()

 /* Copy public ID on homepage  */
 if (typeof myPubCopy != "undefined"){