fetchAuthToken: Only sign auth txes with seq number 0 (#167)

Clients must check seq numbers before signing SEP-10 auth transaction (see stellar/stellar-protocol@09903b1).
stellar · Aug 3, 2020 · 1be392d · 1be392d
1 parent 075ac21
commit 1be392d
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,7 @@
-# Changelog
+## In master
 
 - [KeyManager] Added Trezor wallet.
-
-## In master
+- [KeyManager] Only sign SEP-10 auth transactions with seq number 0.
 
 ## [v0.1.0-rc.1](https://github.com/stellar/js-stellar-wallets/compare/v0.0.9-rc.1...v0.1.0-rc.1)
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@stellar/wallet-sdk",
-  "version": "0.1.0-rc.7",
+  "version": "0.1.0-rc.8",
   "description": "Libraries to help you write Stellar-enabled wallets in Javascript",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

diff --git a/src/KeyManager.test.ts b/src/KeyManager.test.ts
@@ -297,17 +297,102 @@ describe("KeyManager", function() {
       }
     });
 
-    test("Rejects challenges with network mismatches", async () => {
+    test("Accepts challenges with zero seqs", async () => {
       const authServer = "https://www.stellar.org/auth";
       const password = "very secure password";
 
       const keyNetwork = StellarBase.Networks.TESTNET;
-      const challengeNetwork = StellarBase.Networks.PUBLIC;
+
+      const token = "👍";
+      const account = new StellarBase.Account(
+        StellarBase.Keypair.random().publicKey(),
+        "-1",
+      );
+
+      const tx = new StellarBase.TransactionBuilder(account, {
+        fee: "10000",
+        networkPassphrase: keyNetwork,
+      })
+        .setTimeout(1000)
+        .build()
+        .toXDR();
+
+      fetch
+        // @ts-ignore
+        .mockResponseOnce(
+          JSON.stringify({
+            transaction: tx,
+            network_passphrase: keyNetwork,
+          }),
+        )
+        // @ts-ignore
+        .mockResponseOnce(
+          JSON.stringify({
+            token,
+            status: 1,
+            message: "Good job friend",
+          }),
+        );
+
+      // set up the manager
+      const testStore = new MemoryKeyStore();
+      const testKeyManager = new KeyManager({
+        keyStore: testStore,
+      });
+
+      testKeyManager.registerEncrypter(IdentityEncrypter);
+
+      const keypair = StellarBase.Keypair.master(keyNetwork);
+
+      // save this key
+      const keyMetadata = await testKeyManager.storeKey({
+        key: {
+          type: KeyType.plaintextKey,
+          publicKey: keypair.publicKey(),
+          privateKey: keypair.secret(),
+          network: keyNetwork,
+        },
+        password,
+        encrypterName: "IdentityEncrypter",
+      });
+
+      try {
+        const res = await testKeyManager.fetchAuthToken({
+          id: keyMetadata.id,
+          password,
+          authServer,
+        });
+
+        expect(res).toBe(token);
+      } catch (e) {
+        expect(e).toBe(null);
+      }
+    });
+
+    test("Rejects TXs with non-zero seq numbers", async () => {
+      const authServer = "https://www.stellar.org/auth";
+      const password = "very secure password";
+
+      const keyNetwork = StellarBase.Networks.TESTNET;
+
+      const account = new StellarBase.Account(
+        StellarBase.Keypair.random().publicKey(),
+        "1",
+      );
+
+      const tx = new StellarBase.TransactionBuilder(account, {
+        fee: "10000",
+        networkPassphrase: keyNetwork,
+      })
+        .setTimeout(1000)
+        .build()
+        .toXDR();
 
       // @ts-ignore
       fetch.mockResponseOnce(
         JSON.stringify({
-          network_passphrase: challengeNetwork,
+          transaction: tx,
+          network_passphrase: keyNetwork,
         }),
       );
 
@@ -340,9 +425,9 @@ describe("KeyManager", function() {
           authServer,
         });
 
-        expect("This test failed").toBe(null);
+        expect("This test failed: transaction didn't cause error").toBe(null);
       } catch (e) {
-        expect(e.toString()).toMatch(`Network mismatch`);
+        expect(e.toString()).toMatch(`Invalid transaction`);
       }
     });
   });

diff --git a/src/KeyManager.ts b/src/KeyManager.ts
@@ -362,6 +362,14 @@ export class KeyManager {
 
     const firstTransaction = new Transaction(transaction, keyNetwork);
 
+    if (firstTransaction.sequence !== "0") {
+      throw new Error(
+        `Invalid transaction: Expected a sequence number 0, but got ${
+          firstTransaction.sequence
+        }`,
+      );
+    }
+
     const signedTransaction = await keyHandler.signTransaction({
       transaction: firstTransaction,
       key,