fix: open session replay attack (#240)

* open session take use of random string as header * fix integration test in jssdk * rust fmt * add open_session_payload with header and startime for ttl check * fix js sdk compile error
dbpunk-labs · Dec 26, 2022 · 041fff8 · 041fff8
1 parent 2fdd454
commit 041fff8
Show file tree

Hide file tree

Showing 11 changed files with 472 additions and 91 deletions.
diff --git a/src/db3js/src/lib/db3.ts b/src/db3js/src/lib/db3.ts
@@ -196,12 +196,19 @@ export class DB3 {
         if (this.querySessionInfo) {
             return {}
         }
+
+
         const sessionRequest = new db3_node_pb.OpenSessionRequest()
         const header = window.crypto.getRandomValues(new Uint8Array(32))
-        const [signature, public_key] = await sign(header)
-        sessionRequest.setHeader(header)
+        const payload = new db3_session_pb.OpenSessionPayload()
+        payload.setHeader(header.toString())
+        payload.setStartTime(Math.floor(Date.now() / 1000))
+        const payloadU8 = payload.serializeBinary()
+        const [signature, public_key] = await sign(payloadU8)
+        sessionRequest.setPayload(payloadU8)
         sessionRequest.setSignature(signature)
         sessionRequest.setPublicKey(public_key)
+
         try {
             const res = await this.client.openQuerySession(sessionRequest, {})
             this.sessionToken = res.getSessionToken()

diff --git a/src/db3js/src/pkg/db3_node_pb.d.ts b/src/db3js/src/pkg/db3_node_pb.d.ts
@@ -360,10 +360,10 @@ export namespace GetSessionInfoRequest {
 }
 
 export class OpenSessionRequest extends jspb.Message {
-  getHeader(): Uint8Array | string;
-  getHeader_asU8(): Uint8Array;
-  getHeader_asB64(): string;
-  setHeader(value: Uint8Array | string): OpenSessionRequest;
+  getPayload(): Uint8Array | string;
+  getPayload_asU8(): Uint8Array;
+  getPayload_asB64(): string;
+  setPayload(value: Uint8Array | string): OpenSessionRequest;
 
   getSignature(): Uint8Array | string;
   getSignature_asU8(): Uint8Array;
@@ -385,7 +385,7 @@ export class OpenSessionRequest extends jspb.Message {
 
 export namespace OpenSessionRequest {
   export type AsObject = {
-    header: Uint8Array | string,
+    payload: Uint8Array | string,
     signature: Uint8Array | string,
     publicKey: Uint8Array | string,
   }

diff --git a/src/db3js/src/pkg/db3_node_pb.js b/src/db3js/src/pkg/db3_node_pb.js
@@ -3743,88 +3743,94 @@ proto.db3_node_proto.OpenSessionRequest.prototype.serializeBinary = function() {
  * @param {!jspb.BinaryWriter} writer
  * @suppress {unusedLocalVariables} f is only used for nested messages
  */
-proto.db3_node_proto.OpenSessionRequest.serializeBinaryToWriter = function(
-	message,
-	writer,
-) {
-	var f = undefined;
-	f = message.getHeader_asU8();
-	if (f.length > 0) {
-		writer.writeBytes(1, f);
-	}
-	f = message.getSignature_asU8();
-	if (f.length > 0) {
-		writer.writeBytes(2, f);
-	}
-	f = message.getPublicKey_asU8();
-	if (f.length > 0) {
-		writer.writeBytes(3, f);
-	}
+proto.db3_node_proto.OpenSessionRequest.serializeBinaryToWriter = function (message, writer) {
+    var f = undefined;
+    f = message.getPayload_asU8();
+    if (f.length > 0) {
+        writer.writeBytes(
+            1,
+            f
+        );
+    }
+    f = message.getSignature_asU8();
+    if (f.length > 0) {
+        writer.writeBytes(
+            2,
+            f
+        );
+    }
+    f = message.getPublicKey_asU8();
+    if (f.length > 0) {
+        writer.writeBytes(
+            3,
+            f
+        );
+    }
 };
 
+
 /**
- * optional bytes header = 1;
+ * optional bytes payload = 1;
  * @return {string}
  */
-proto.db3_node_proto.OpenSessionRequest.prototype.getHeader = function() {
-	return /** @type {string} */ (jspb.Message.getFieldWithDefault(
-		this,
-		1,
-		"",
-	));
+proto.db3_node_proto.OpenSessionRequest.prototype.getPayload = function () {
+    return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
 };
 
+
 /**
- * optional bytes header = 1;
- * This is a type-conversion wrapper around `getHeader()`
+ * optional bytes payload = 1;
+ * This is a type-conversion wrapper around `getPayload()`
  * @return {string}
  */
-proto.db3_node_proto.OpenSessionRequest.prototype.getHeader_asB64 = function() {
-	return /** @type {string} */ (jspb.Message.bytesAsB64(this.getHeader()));
+proto.db3_node_proto.OpenSessionRequest.prototype.getPayload_asB64 = function () {
+    return /** @type {string} */ (jspb.Message.bytesAsB64(
+        this.getPayload()));
 };
 
+
 /**
- * optional bytes header = 1;
+ * optional bytes payload = 1;
  * Note that Uint8Array is not supported on all browsers.
  * @see http://caniuse.com/Uint8Array
- * This is a type-conversion wrapper around `getHeader()`
+ * This is a type-conversion wrapper around `getPayload()`
  * @return {!Uint8Array}
  */
-proto.db3_node_proto.OpenSessionRequest.prototype.getHeader_asU8 = function() {
-	return /** @type {!Uint8Array} */ (jspb.Message.bytesAsU8(
-		this.getHeader(),
-	));
+proto.db3_node_proto.OpenSessionRequest.prototype.getPayload_asU8 = function () {
+    return /** @type {!Uint8Array} */ (jspb.Message.bytesAsU8(
+        this.getPayload()));
 };
 
+
 /**
  * @param {!(string|Uint8Array)} value
  * @return {!proto.db3_node_proto.OpenSessionRequest} returns this
  */
-proto.db3_node_proto.OpenSessionRequest.prototype.setHeader = function(value) {
-	return jspb.Message.setProto3BytesField(this, 1, value);
+proto.db3_node_proto.OpenSessionRequest.prototype.setPayload = function (value) {
+    return jspb.Message.setProto3BytesField(this, 1, value);
 };
 
+
 /**
  * optional bytes signature = 2;
  * @return {string}
  */
-proto.db3_node_proto.OpenSessionRequest.prototype.getSignature = function() {
-	return /** @type {string} */ (jspb.Message.getFieldWithDefault(
-		this,
-		2,
-		"",
-	));
+proto.db3_node_proto.OpenSessionRequest.prototype.getSignature = function () {
+    return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 2, ""));
 };
 
+
 /**
  * optional bytes signature = 2;
  * This is a type-conversion wrapper around `getSignature()`
  * @return {string}
  */
-proto.db3_node_proto.OpenSessionRequest.prototype.getSignature_asB64 = function() {
-	return /** @type {string} */ (jspb.Message.bytesAsB64(this.getSignature()));
+proto.db3_node_proto.OpenSessionRequest.prototype.getSignature_asB64 = function () {
+    return /** @type {string} */ (jspb.Message.bytesAsB64(
+        this.getSignature()));
 };
 
+
 /**
  * optional bytes signature = 2;
  * Note that Uint8Array is not supported on all browsers.

diff --git a/src/db3js/src/pkg/db3_session_pb.d.ts b/src/db3js/src/pkg/db3_session_pb.d.ts
@@ -57,6 +57,28 @@ export namespace CloseSessionPayload {
   }
 }
 
+export class OpenSessionPayload extends jspb.Message {
+  getHeader(): string;
+  setHeader(value: string): OpenSessionPayload;
+
+  getStartTime(): number;
+  setStartTime(value: number): OpenSessionPayload;
+
+  serializeBinary(): Uint8Array;
+  toObject(includeInstance?: boolean): OpenSessionPayload.AsObject;
+  static toObject(includeInstance: boolean, msg: OpenSessionPayload): OpenSessionPayload.AsObject;
+  static serializeBinaryToWriter(message: OpenSessionPayload, writer: jspb.BinaryWriter): void;
+  static deserializeBinary(bytes: Uint8Array): OpenSessionPayload;
+  static deserializeBinaryFromReader(message: OpenSessionPayload, reader: jspb.BinaryReader): OpenSessionPayload;
+}
+
+export namespace OpenSessionPayload {
+  export type AsObject = {
+    header: string,
+    startTime: number,
+  }
+}
+
 export class QuerySession extends jspb.Message {
   getNonce(): number;
   setNonce(value: number): QuerySession;