ten-protocol · zkokelj · Sep 21, 2023 · Sep 20, 2023 · Sep 20, 2023 · Sep 21, 2023
diff --git a/tools/walletextension/api/routes.go b/tools/walletextension/api/routes.go
@@ -156,8 +156,8 @@ func ethRequestHandler(walletExt *walletextension.WalletExtension, conn userconn
 		return
 	}
 
-	// Get userID and check if user exists (if not - use default user)
-	hexUserID, err := getQueryParameter(conn.ReadRequestParams(), common.UserQueryParameter)
+	// Get userID
+	hexUserID, err := getUserID(conn, 1)
 	if err != nil || !walletExt.UserExists(hexUserID) {
 		walletExt.Logger().Error(fmt.Errorf("user not found in the query params: %w. Using the default user", err).Error())
 		hexUserID = hex.EncodeToString([]byte(common.DefaultUser)) // todo (@ziga) - this can be removed once old WE endpoints are removed
@@ -317,7 +317,7 @@ func authenticateRequestHandler(walletExt *walletextension.WalletExtension, user
 	}
 
 	// read userID from query params
-	hexUserID, err := getQueryParameter(userConn.ReadRequestParams(), common.UserQueryParameter)
+	hexUserID, err := getUserID(userConn, 2)
 	if err != nil {
 		userConn.HandleError("Malformed query: 'u' required - representing userID")
 		walletExt.Logger().Error(fmt.Errorf("user not found in the query params: %w", err).Error())
@@ -350,7 +350,7 @@ func queryRequestHandler(walletExt *walletextension.WalletExtension, userConn us
 		return
 	}
 
-	hexUserID, err := getQueryParameter(userConn.ReadRequestParams(), common.UserQueryParameter)
+	hexUserID, err := getUserID(userConn, 2)
 	if err != nil {
 		userConn.HandleError("user ('u') not found in query parameters")
 		walletExt.Logger().Error(fmt.Errorf("user not found in the query params: %w", err).Error())
@@ -362,6 +362,12 @@ func queryRequestHandler(walletExt *walletextension.WalletExtension, userConn us
 		walletExt.Logger().Error(fmt.Errorf("address not found in the query params: %w", err).Error())
 		return
 	}
+	// check if address length is correct
+	if len(address) != common.EthereumAddressLen {
+		userConn.HandleError(fmt.Sprintf("provided address length is %d, expected: %d", len(address), common.EthereumAddressLen))
+		walletExt.Logger().Error(fmt.Errorf(fmt.Sprintf("provided address length is %d, expected: %d", len(address), common.EthereumAddressLen)).Error())
+		return
+	}
 
 	// check if this account is registered with given user
 	found, err := walletExt.UserHasAccount(hexUserID, address)
@@ -399,7 +405,7 @@ func revokeRequestHandler(walletExt *walletextension.WalletExtension, userConn u
 		return
 	}
 
-	hexUserID, err := getQueryParameter(userConn.ReadRequestParams(), common.UserQueryParameter)
+	hexUserID, err := getUserID(userConn, 2)
 	if err != nil {
 		userConn.HandleError("user ('u') not found in query parameters")
 		walletExt.Logger().Error(fmt.Errorf("user not found in the query params: %w", err).Error())

diff --git a/tools/walletextension/api/staticOG/javascript.js b/tools/walletextension/api/staticOG/javascript.js
@@ -64,7 +64,7 @@ async function authenticateAccountWithObscuroGateway(ethereum, account, userID)
         return "Account is already authenticated"
     }
 
-    const textToSign = "Register " + userID + " for " + account;
+    const textToSign = "Register " + userID + " for " + account.toLowerCase();
     const signature = await ethereum.request({
         method: metamaskPersonalSign,
         params: [textToSign, account]

diff --git a/tools/walletextension/api/utils.go b/tools/walletextension/api/utils.go
@@ -3,9 +3,11 @@ package api
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	"github.com/obscuronet/go-obscuro/tools/walletextension/accountmanager"
 	"github.com/obscuronet/go-obscuro/tools/walletextension/common"
+	"github.com/obscuronet/go-obscuro/tools/walletextension/userconn"
 )
 
 func parseRequest(body []byte) (*accountmanager.RPCRequest, error) {
@@ -46,3 +48,36 @@ func getQueryParameter(params map[string]string, selectedParameter string) (stri
 
 	return value, nil
 }
+
+func getUserID(conn userconn.UserConn, userIDPosition int) (string, error) {
+	// try getting userID from query parameters and return it if successful
+	userID, err := getQueryParameter(conn.ReadRequestParams(), common.UserQueryParameter)
+	if err == nil {
+		if len(userID) != common.MessageUserIDLen {
+			return "", fmt.Errorf(fmt.Sprintf("wrong length of userID from URL. Got: %d, Expected: %d", len(userID), common.MessageUserIDLen))
+		}
+		return userID, err
+	}
+
+	// Alternatively, try to get it from URL path
+	// This is a temporary hack to work around hardhat bug which causes hardhat to ignore query parameters.
+	// It is unsafe because https encrypts query parameters,
+	// but not URL itself and will be removed once hardhat bug is resolved.
+	path := conn.GetHTTPRequest().URL.Path
+	path = strings.Trim(path, "/")
+	parts := strings.Split(path, "/")
+
+	// our URLs, which require userID, have following pattern: <version>/<endpoint (*optional)>/<userID (*optional)>
+	// userID can be only on second or third position
+	if len(parts) != userIDPosition+1 {
+		return "", fmt.Errorf("URL structure of the request looks wrong")
+	}
+	userID = parts[userIDPosition]
+
+	// Check if userID has the correct length
+	if len(userID) != common.MessageUserIDLen {
+		return "", fmt.Errorf(fmt.Sprintf("wrong length of userID from URL. Got: %d, Expected: %d", len(userID), common.MessageUserIDLen))
+	}
+
+	return userID, nil
+}
diff --git a/tools/walletextension/common/constants.go b/tools/walletextension/common/constants.go
@@ -45,6 +45,7 @@ const (
 	MessageFormatRegex                  = `^Register\s(\w+)\sfor\s(\w+)$`
 	MessageUserIDLen                    = 64
 	SignatureLen                        = 65
+	EthereumAddressLen                  = 42
 	PersonalSignMessagePrefix           = "\x19Ethereum Signed Message:\n%d%s"
 	GetStorageAtUserIDRequestMethodName = "getUserID"
 	SuccessMsg                          = "success"

diff --git a/tools/walletextension/userconn/user_conn.go b/tools/walletextension/userconn/user_conn.go
@@ -31,6 +31,7 @@ type UserConn interface {
 	HandleError(msg string)
 	SupportsSubscriptions() bool
 	IsClosed() bool
+	GetHTTPRequest() *http.Request
 }
 
 // Represents a user's connection over HTTP.
@@ -106,6 +107,10 @@ func (h *userConnHTTP) ReadRequestParams() map[string]string {
 	return getQueryParams(h.req.URL.Query())
 }
 
+func (h *userConnHTTP) GetHTTPRequest() *http.Request {
+	return h.req
+}
+
 func (w *userConnWS) ReadRequest() ([]byte, error) {
 	_, msg, err := w.conn.ReadMessage()
 	if err != nil {
@@ -166,6 +171,10 @@ func (w *userConnWS) ReadRequestParams() map[string]string {
 	return getQueryParams(w.req.URL.Query())
 }
 
+func (w *userConnWS) GetHTTPRequest() *http.Request {
+	return w.req
+}
+
 // Logs the error, prints it to the console, and returns the error over HTTP.
 func httpLogAndSendErr(resp http.ResponseWriter, msg string) {
 	http.Error(resp, msg, httpCodeErr)