Added explanation of server auth and started authentication tests

2022-09-08 13:33:57 -05:00 · 2022-09-08 13:33:57 -05:00 · 8e5f0ef73f
commit 8e5f0ef73f
parent cb27d192c2
2 changed files with 114 additions and 0 deletions
--- a/security/Authentication.md
+++ b/security/Authentication.md
@ -0,0 +1,98 @@
+# Keyboard connection authentication
+
+Keyboarding obviously has a ton of sensitive data, so we need to both encrypt and
+authenticate the connections.
+
+All connections are encrypted using an external TLS proxy (e.g. Caddy) outside the
+scope of this project, but we perform application level authentication using two
+randomly generated UUIDv4s in a manner similar to a passphrase. @{token generation}
+
+We hash the token using sha3-256 to avoid accidentally exposing the token to a
+readonly attacker.
+
+
+## Generating the authentication token
+
+``` go
+--- token generation
+id := uuid.New() + uuid.New()
+hashedID := sha3.Sum256([]byte(id))
+---
+```
+
+## Storing the authentication token
+
+We then store the token in a file, which is set
+by the environment variable `KEYBOARD_AUTH_TOKEN_FILE`, but defaults to
+'XDG_CONFIG_HOME/smartkeyboard/auth-token.' @{defineProvisionTokenFile}
+
+
+``` go
+--- store token
+if err := os.WriteFile(KEYBOARD_AUTH_TOKEN_FILE, hashedID, 0666); err != nil {
+    log.Fatal(err)
+}
+---
+```
+
+## Checking authentication
+
+When a client connects, the [websocket server](Server.md) checks the token they send against the stored token.
+
+``` go
+--- check token
+func checkAuthToken(token string) error {
+    hashedToken := sha3.Sum256([]byte(token))
+    storedToken, err := os.ReadFile(KEYBOARD_AUTH_TOKEN_FILE)
+    if err != nil {
+        return err
+    }
+
+    if subtle.ConstantTimeCompare(hashedToken[:], storedToken) != 1 {
+        return errors.New("invalid token")
+    }
+
+    return nil
+}
+---
+```
+
+
+--- /auth/auth.go
+package main
+
+@{auth imports}
+@{check token}
+---
+
+--- auth imports
+
+import(
+    //"github.com/google/uuid"
+    //"encoding/base64"
+    "golang.org/x/crypto/sha3"
+    "os"
+    "errors"
+    "crypto/subtle"
+)
+---
+
+``` go
+--- defineProvisionTokenFile
+provisionTokenFile, keyboardAuthExists := os.Getenv("KEYBOARD_AUTH_TOKEN_FILE")
+
+if keyboardAuthExists == false {
+    provisionTokenFile = filepath.Join(xdg.ConfigHome, "smartkeyboard", "auth-token")
+}
+---
+```
+
+```go
+--- provisionToken
+func provisionToken() (error){
+    @{defineProvisionTokenFile}
+    @{token generation}
+    @{store token}
+}
+---
+```
--- a/smartkeyboard/auth/auth_test.go
+++ b/smartkeyboard/auth/auth_test.go
@ -0,0 +1,16 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestAuthPasswordHashBad(t *testing.T) {
+	t.Log("TestAuthPasswordHash")
+	expectedResult := error(nil) // OK
+	password := "wrong password"
+
+	result := checkAuthToken(password)
+	if result != expectedResult {
+		t.Errorf("Expected %s, got %s", expectedResult, result)
+	}
+}