From 4069297c845369961451af96d025c93e69524529 Mon Sep 17 00:00:00 2001 From: Dzerasha Date: Mon, 19 Jul 2021 16:38:30 +0300 Subject: [PATCH 1/2] eth.sign is replaced with eth.personal.sign --- cvat-core/src/api-implementation.js | 6 ++---- cvat-core/src/api.js | 24 +++--------------------- cvat-core/src/server-proxy.js | 15 ++------------- cvat-ui/src/actions/auth-actions.ts | 7 +++---- cvat-ui/src/utils/web3wallets.ts | 14 ++------------ cvat/apps/authentication/models.py | 25 ++++++++++++------------- cvat/apps/authentication/serializers.py | 3 +-- cvat/apps/authentication/utils.py | 6 ++++-- 8 files changed, 29 insertions(+), 71 deletions(-) diff --git a/cvat-core/src/api-implementation.js b/cvat-core/src/api-implementation.js index 722412c4d4cd..6bbd8266bd31 100644 --- a/cvat-core/src/api-implementation.js +++ b/cvat-core/src/api-implementation.js @@ -61,7 +61,6 @@ lastName, email, walletAddress, - hashedEmail, signedEmail, userConfirmations, ) => { @@ -71,7 +70,6 @@ lastName, email, walletAddress, - hashedEmail, signedEmail, userConfirmations, ); @@ -79,8 +77,8 @@ return new User(user); }; - cvat.server.login.implementation = async (email, walletAddress, hashedEmail, signedEmail) => { - await serverProxy.server.login(email, walletAddress, hashedEmail, signedEmail); + cvat.server.login.implementation = async (email, walletAddress, signedEmail) => { + await serverProxy.server.login(email, walletAddress, signedEmail); }; cvat.server.logout.implementation = async () => { diff --git a/cvat-core/src/api.js b/cvat-core/src/api.js index a2e09c4cda85..257d736714b5 100644 --- a/cvat-core/src/api.js +++ b/cvat-core/src/api.js @@ -123,23 +123,13 @@ function build() { * @param {string} lastName A last name for the new account * @param {string} email A email address for the new account * @param {string} walletAddress A wallet address for the new account - * @param {string} hashedEmail A hashed email for the new account * @param {string} signedEmail The signed email password for the new account * @param {Object} userConfirmations An user confirmations of terms of use if needed * @returns {Object} response data * @throws {module:API.cvat.exceptions.PluginError} * @throws {module:API.cvat.exceptions.ServerError} */ - async register( - username, - firstName, - lastName, - email, - walletAddress, - hashedEmail, - signedEmail, - userConfirmations, - ) { + async register(username, firstName, lastName, email, walletAddress, signedEmail, userConfirmations) { const result = await PluginRegistry.apiWrapper( cvat.server.register, username, @@ -147,7 +137,6 @@ function build() { lastName, email, walletAddress, - hashedEmail, signedEmail, userConfirmations, ); @@ -160,19 +149,12 @@ function build() { * @memberof module:API.cvat.server * @param {string} email An email of an account * @param {string} walletAddress A wallet address of an account - * @param {string} hashedEmail A hashed email of an account * @param {string} signedEmail The signed email password of an account * @throws {module:API.cvat.exceptions.PluginError} * @throws {module:API.cvat.exceptions.ServerError} */ - async login(email, walletAddress, hashedEmail, signedEmail) { - const result = await PluginRegistry.apiWrapper( - cvat.server.login, - email, - walletAddress, - hashedEmail, - signedEmail, - ); + async login(email, walletAddress, signedEmail) { + const result = await PluginRegistry.apiWrapper(cvat.server.login, email, walletAddress, signedEmail); return result; }, /** diff --git a/cvat-core/src/server-proxy.js b/cvat-core/src/server-proxy.js index 577887dc0952..d3908e362554 100644 --- a/cvat-core/src/server-proxy.js +++ b/cvat-core/src/server-proxy.js @@ -195,16 +195,7 @@ return response.data; } - async function register( - username, - firstName, - lastName, - email, - walletAddress, - hashedEmail, - signedEmail, - confirmations, - ) { + async function register(username, firstName, lastName, email, walletAddress, signedEmail, confirmations) { let response = null; try { const data = JSON.stringify({ @@ -213,7 +204,6 @@ last_name: lastName, email, wallet_address: walletAddress, - hashed_email: hashedEmail, signed_email: signedEmail, confirmations, }); @@ -230,11 +220,10 @@ return response.data; } - async function login(email, walletAddress, hashedEmail, signedEmail) { + async function login(email, walletAddress, signedEmail) { const authenticationData = [ `${encodeURIComponent('email')}=${encodeURIComponent(email)}`, `${encodeURIComponent('wallet_address')}=${encodeURIComponent(walletAddress)}`, - `${encodeURIComponent('hashed_email')}=${encodeURIComponent(hashedEmail)}`, `${encodeURIComponent('signed_email')}=${encodeURIComponent(signedEmail)}`, ] .join('&') diff --git a/cvat-ui/src/actions/auth-actions.ts b/cvat-ui/src/actions/auth-actions.ts index 5fb7d5ffedbb..36645b31e37b 100644 --- a/cvat-ui/src/actions/auth-actions.ts +++ b/cvat-ui/src/actions/auth-actions.ts @@ -81,7 +81,7 @@ export const registerAsync = ( dispatch(authActions.register()); try { - const { address, hashedEmail, signedEmail } = await connectWallet(email); + const { address, signedEmail } = await connectWallet(email); const user = await cvat.server.register( username, @@ -89,7 +89,6 @@ export const registerAsync = ( lastName, email, address, - hashedEmail, signedEmail, confirmations, ); @@ -104,9 +103,9 @@ export const loginAsync = (email: string): ThunkAction => async (dispatch) => { dispatch(authActions.login()); try { - const { address, hashedEmail, signedEmail } = await connectWallet(email); + const { address, signedEmail } = await connectWallet(email); - await cvat.server.login(email, address, hashedEmail, signedEmail); + await cvat.server.login(email, address, signedEmail); const users = await cvat.users.get({ self: true }); diff --git a/cvat-ui/src/utils/web3wallets.ts b/cvat-ui/src/utils/web3wallets.ts index 5fd10b2d521c..46e9a06e7166 100644 --- a/cvat-ui/src/utils/web3wallets.ts +++ b/cvat-ui/src/utils/web3wallets.ts @@ -1,8 +1,6 @@ // Copyright (C) 2021 Intel Corporation // // SPDX-License-Identifier: MIT -import * as ethUtil from 'ethereumjs-util'; - import Authereum from 'authereum'; import MewConnect from '@myetherwallet/mewconnect-web-client'; import WalletConnectProvider from '@walletconnect/web3-provider'; @@ -10,13 +8,6 @@ import WalletConnectProvider from '@walletconnect/web3-provider'; import Web3 from 'web3'; import Web3Modal from 'web3modal'; -function hashPersonalMessage(msg: string): string { - const buffer = Buffer.from(msg); - const result = ethUtil.hashPersonalMessage(buffer); - const hash = ethUtil.bufferToHex(result); - return hash; -} - const providerOptions = { mewconnect: { package: MewConnect, // required @@ -55,8 +46,7 @@ export default async function connectWallet(email: string) { const accounts = await web3.eth.getAccounts(); const [address] = accounts; - const hashedEmail = hashPersonalMessage(email); - const signedEmail = await web3.eth.sign(hashedEmail, address); + const signedEmail = await web3.eth.personal.sign(email, address); - return { address, hashedEmail, signedEmail }; + return { address, signedEmail }; } diff --git a/cvat/apps/authentication/models.py b/cvat/apps/authentication/models.py index b6cd211ed894..7a804311c15e 100644 --- a/cvat/apps/authentication/models.py +++ b/cvat/apps/authentication/models.py @@ -13,19 +13,18 @@ class User(AbstractUser): password = None def get_session_auth_hash(self): - return '' - # """ - # Return an HMAC of the password field. - # """ - # key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" - # return salted_hmac( - # key_salt, - # self.email, - # # RemovedInDjango40Warning: when the deprecation ends, replace - # # with: - # # algorithm='sha256', - # algorithm=settings.DEFAULT_HASHING_ALGORITHM, - # ).hexdigest() + """ + Return an HMAC of the password field. + """ + key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" + return salted_hmac( + key_salt, + self.email, + # RemovedInDjango40Warning: when the deprecation ends, replace + # with: + # algorithm='sha256', + algorithm=settings.DEFAULT_HASHING_ALGORITHM, + ).hexdigest() class WalletToUser(models.Model): user = models.ForeignKey(User, null=True, blank=True, diff --git a/cvat/apps/authentication/serializers.py b/cvat/apps/authentication/serializers.py index f76c5095e5b7..36f48b705955 100644 --- a/cvat/apps/authentication/serializers.py +++ b/cvat/apps/authentication/serializers.py @@ -20,7 +20,6 @@ class RegisterSerializerEx(RegisterSerializer): last_name = serializers.CharField(required=False) wallet_address = serializers.CharField(write_only=True, required=True) signed_email = serializers.CharField(write_only=True, required=True) - hashed_email = serializers.CharField(write_only=True, required=True) password1 = None password2 = None @@ -31,7 +30,7 @@ def validate_password1(self, password): pass def validate(self, data): - validate_user_wallet_address(data['wallet_address'], data['hashed_email'], data['signed_email']) + validate_user_wallet_address(data['wallet_address'], data['email'], data['signed_email']) return data def get_cleaned_data(self): diff --git a/cvat/apps/authentication/utils.py b/cvat/apps/authentication/utils.py index e72a568cd5f0..5ec67d810139 100644 --- a/cvat/apps/authentication/utils.py +++ b/cvat/apps/authentication/utils.py @@ -3,9 +3,11 @@ # SPDX-License-Identifier: MIT from web3.auto import w3 +from eth_account.messages import defunct_hash_message -def validate_user_wallet_address(wallet_address, hashed_email, signed_email): - signer = w3.eth.account.recoverHash(hashed_email, signature=signed_email) +def validate_user_wallet_address(wallet_address, email, signed_email): + message_hash = defunct_hash_message(text=email) + signer = w3.eth.account.recoverHash(message_hash, signature=signed_email) assert wallet_address == signer From 7c88157381bfb0ab7f8926e644869f6505ffe329 Mon Sep 17 00:00:00 2001 From: Dzerasha Date: Mon, 19 Jul 2021 20:01:11 +0300 Subject: [PATCH 2/2] defunct_hash_message is replaced with encode_defunct --- cvat/apps/authentication/models.py | 3 ++- cvat/apps/authentication/utils.py | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/cvat/apps/authentication/models.py b/cvat/apps/authentication/models.py index 7a804311c15e..40f8a7a1fc6e 100644 --- a/cvat/apps/authentication/models.py +++ b/cvat/apps/authentication/models.py @@ -13,8 +13,9 @@ class User(AbstractUser): password = None def get_session_auth_hash(self): + # TODO: rework this temporary solution """ - Return an HMAC of the password field. + Return an HMAC of the email field. """ key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" return salted_hmac( diff --git a/cvat/apps/authentication/utils.py b/cvat/apps/authentication/utils.py index 5ec67d810139..8cc4951c777c 100644 --- a/cvat/apps/authentication/utils.py +++ b/cvat/apps/authentication/utils.py @@ -3,11 +3,11 @@ # SPDX-License-Identifier: MIT from web3.auto import w3 -from eth_account.messages import defunct_hash_message +from eth_account.messages import encode_defunct def validate_user_wallet_address(wallet_address, email, signed_email): - message_hash = defunct_hash_message(text=email) - signer = w3.eth.account.recoverHash(message_hash, signature=signed_email) + message_hash = encode_defunct(text=email) + signer = w3.eth.account.recover_message(message_hash, signature=signed_email) assert wallet_address == signer