From 1639d4a31fea709e872424c52dabfe222fe4f02d Mon Sep 17 00:00:00 2001 From: Mo Bitar Date: Sat, 5 Aug 2017 11:26:34 -0500 Subject: [PATCH] Add version param, remove auth param --- .../javascripts/app/services/authManager.js | 84 +++++++++---------- .../services/directives/views/accountMenu.js | 9 +- .../app/services/extensionManager.js | 2 +- .../app/services/helpers/crypto.js | 14 +--- .../app/services/helpers/webcrypto.js | 2 +- .../javascripts/app/services/syncManager.js | 4 +- .../directives/account-menu.html.haml | 4 +- 7 files changed, 51 insertions(+), 68 deletions(-) diff --git a/app/assets/javascripts/app/services/authManager.js b/app/assets/javascripts/app/services/authManager.js index 9390eda69..d2fa26802 100644 --- a/app/assets/javascripts/app/services/authManager.js +++ b/app/assets/javascripts/app/services/authManager.js @@ -37,7 +37,10 @@ angular.module('app.frontend') } this.getAuthParams = function() { - return JSON.parse(localStorage.getItem("auth_params")); + if(!this._authParams) { + this._authParams = JSON.parse(localStorage.getItem("auth_params")); + } + return this._authParams; } this.keys = function() { @@ -49,7 +52,12 @@ angular.module('app.frontend') return keys; } - this.encryptionVersion = function() { + this.protocolVersion = function() { + var version = this.getAuthParams().version; + if(version) { + return version; + } + var keys = this.keys(); if(keys && keys.ak) { return "002"; @@ -58,6 +66,17 @@ angular.module('app.frontend') } } + this.costMinimumForVersion = function(version) { + // all current versions have a min of 3000 + // future versions will increase this + return 3000; + } + + this.isProtocolVersionSupported = function(version) { + var supportedVersions = ["001", "002"]; + return supportedVersions.includes(version); + } + this.getAuthParamsForEmail = function(url, email, callback) { var requestUrl = url + "/auth/params"; httpManager.getAbsolute(requestUrl, {email: email}, function(response){ @@ -82,8 +101,15 @@ angular.module('app.frontend') this.login = function(url, email, password, callback) { this.getAuthParamsForEmail(url, email, function(authParams){ - if(!authParams.pw_cost) { - callback({error : {message: "Unable to get authentication parameters."}}); + + if(!authParams || !authParams.pw_cost) { + callback({error : {message: "Invalid email or password."}}); + return; + } + + if(!this.isProtocolVersionSupported(authParams.version)) { + alert("The protocol version associated with your account is outdated and no longer supported by this application. Please visit standardnotes.org/help/security-update for more information."); + callback({didDisplayAlert: true}); return; } @@ -96,41 +122,20 @@ angular.module('app.frontend') return; } + var minimum = this.costMinimumForVersion(authParams.version); + if(authParams.pw_cost < minimum) { + alert("Unable to login due to insecure password parameters. Please visit standardnotes.org/help/password-upgrade for more information."); + callback({didDisplayAlert: true}); + return; + } Neeto.crypto.computeEncryptionKeysForUser(_.merge({password: password}, authParams), function(keys){ - var uploadVTagOnCompletion = false; - var localVTag = Neeto.crypto.calculateVerificationTag(authParams.pw_cost, authParams.pw_salt, keys.ak); - - if(authParams.pw_auth) { - // verify auth params - if(localVTag !== authParams.pw_auth) { - alert("Invalid server verification tag; aborting login. This is most likely caused by an incorrect password. Learn more at standardnotes.org/verification."); - $timeout(function(){ - callback({error: true, didDisplayAlert: true}); - }) - return; - } else { - console.log("Verification tag success."); - } - } else { - // either user has not uploaded pw_auth, or server is attempting to bypass authentication - if(confirm("Unable to locate verification tag for server. If this is your first time seeing this message and your account was created before July 2017, press OK to upload verification tag. If your account was created after July 2017, or if you've already seen this message, press cancel to abort login. Learn more at standardnotes.org/verification.")) { - // upload verification tag on completion - uploadVTagOnCompletion = true; - } else { - return; - } - } - var requestUrl = url + "/auth/sign_in"; var params = {password: keys.pw, email: email}; httpManager.postAbsolute(requestUrl, params, function(response){ this.handleAuthResponse(response, email, url, authParams, keys); callback(response); - if(uploadVTagOnCompletion) { - this.uploadVerificationTag(localVTag, authParams); - } }.bind(this), function(response){ console.error("Error logging in", response); callback(response); @@ -140,19 +145,6 @@ angular.module('app.frontend') }.bind(this)) } - this.uploadVerificationTag = function(tag, authParams) { - var requestUrl = localStorage.getItem("server") + "/auth/update"; - var params = {pw_auth: tag}; - - httpManager.postAbsolute(requestUrl, params, function(response){ - _.merge(authParams, params); - localStorage.setItem("auth_params", JSON.stringify(authParams)); - alert("Your verification tag was successfully uploaded."); - }.bind(this), function(response){ - alert("There was an error uploading your verification tag."); - }) - } - this.handleAuthResponse = function(response, email, url, authParams, keys) { try { if(url) { @@ -211,5 +203,9 @@ angular.module('app.frontend') return JSON.parse(JSON.stringify(object)); } + this.signOut = function() { + this._authParams = null; + } + } }); diff --git a/app/assets/javascripts/app/services/directives/views/accountMenu.js b/app/assets/javascripts/app/services/directives/views/accountMenu.js index bdb331ff9..a1fe8fb3d 100644 --- a/app/assets/javascripts/app/services/directives/views/accountMenu.js +++ b/app/assets/javascripts/app/services/directives/views/accountMenu.js @@ -165,6 +165,7 @@ class AccountMenu { return; } + authManager.signOut(); syncManager.destroyLocalData(function(){ window.location.reload(); }) @@ -345,7 +346,7 @@ class AccountMenu { $scope.itemsData = function(keys) { var items = _.map(modelManager.allItems, function(item){ - var itemParams = new ItemParams(item, keys, authManager.encryptionVersion()); + var itemParams = new ItemParams(item, keys, authManager.protocolVersion()); return itemParams.paramsForExportFile(); }.bind(this)); @@ -393,8 +394,8 @@ class AccountMenu { // 002 Update $scope.securityUpdateAvailable = function() { - // whether user needs to upload pw_auth - return !authManager.getAuthParams().pw_auth; + var keys = authManager.keys() + return keys && !keys.ak; } $scope.clickedSecurityUpdate = function() { @@ -417,8 +418,6 @@ class AccountMenu { return; } - var tag = Neeto.crypto.calculateVerificationTag(authParams.pw_cost, authParams.pw_salt, keys.ak); - authManager.uploadVerificationTag(tag, authParams); authManager.saveKeys(keys); }); } diff --git a/app/assets/javascripts/app/services/extensionManager.js b/app/assets/javascripts/app/services/extensionManager.js index 5f2c15f6a..83dabe76d 100644 --- a/app/assets/javascripts/app/services/extensionManager.js +++ b/app/assets/javascripts/app/services/extensionManager.js @@ -319,7 +319,7 @@ class ExtensionManager { if(!this.extensionUsesEncryptedData(extension)) { keys = null; } - var itemParams = new ItemParams(item, keys, this.authManager.encryptionVersion()); + var itemParams = new ItemParams(item, keys, this.authManager.protocolVersion()); return itemParams.paramsForExtension(); } diff --git a/app/assets/javascripts/app/services/helpers/crypto.js b/app/assets/javascripts/app/services/helpers/crypto.js index 7a7e3b9ad..3c673cea5 100644 --- a/app/assets/javascripts/app/services/helpers/crypto.js +++ b/app/assets/javascripts/app/services/helpers/crypto.js @@ -82,10 +82,6 @@ class SNCrypto { return CryptoJS.SHA256(text).toString(); } - sha1(text) { - return CryptoJS.SHA1(text).toString(); - } - hmac256(message, key) { var keyData = CryptoJS.enc.Hex.parse(key); var messageData = CryptoJS.enc.Utf8.parse(message); @@ -99,18 +95,12 @@ class SNCrypto { }.bind(this)); } - calculateVerificationTag(cost, salt, ak) { - return Neeto.crypto.hmac256([cost, salt].join(":"), ak); - } - generateInitialEncryptionKeysForUser({email, password} = {}, callback) { var pw_cost = this.defaultPasswordGenerationCost(); var pw_nonce = this.generateRandomKey(512); - var pw_salt = this.sha1([email, pw_nonce].join(":")); + var pw_salt = this.sha256([email, pw_nonce].join(":")); this.generateSymmetricKeyPair({email: email, password: password, pw_salt: pw_salt, pw_cost: pw_cost}, function(keys){ - var ak = keys[2]; - var pw_auth = this.calculateVerificationTag(pw_cost, pw_salt, ak); - callback({pw: keys[0], mk: keys[1], ak: ak}, {pw_auth: pw_auth, pw_salt: pw_salt, pw_cost: pw_cost}); + callback({pw: keys[0], mk: keys[1], ak: keys[2]}, {pw_salt: pw_salt, pw_cost: pw_cost, version: "002"}); }.bind(this)); } } diff --git a/app/assets/javascripts/app/services/helpers/webcrypto.js b/app/assets/javascripts/app/services/helpers/webcrypto.js index 2695ae50a..26f8a94bd 100644 --- a/app/assets/javascripts/app/services/helpers/webcrypto.js +++ b/app/assets/javascripts/app/services/helpers/webcrypto.js @@ -6,7 +6,7 @@ class SNCryptoWeb extends SNCrypto { Overrides */ defaultPasswordGenerationCost() { - return 10000; + return 61000; } /** Generates two deterministic keys based on one input */ diff --git a/app/assets/javascripts/app/services/syncManager.js b/app/assets/javascripts/app/services/syncManager.js index 0d2e8efef..abdad20eb 100644 --- a/app/assets/javascripts/app/services/syncManager.js +++ b/app/assets/javascripts/app/services/syncManager.js @@ -24,7 +24,7 @@ class SyncManager { writeItemsToLocalStorage(items, offlineOnly, callback) { var params = items.map(function(item) { - var itemParams = new ItemParams(item, null, this.authManager.encryptionVersion()); + var itemParams = new ItemParams(item, null, this.authManager.protocolVersion()); itemParams = itemParams.paramsForLocalStorage(); if(offlineOnly) { delete itemParams.dirty; @@ -189,7 +189,7 @@ class SyncManager { var params = {}; params.limit = 150; params.items = _.map(subItems, function(item){ - var itemParams = new ItemParams(item, this.authManager.keys(), this.authManager.encryptionVersion()); + var itemParams = new ItemParams(item, this.authManager.keys(), this.authManager.protocolVersion()); itemParams.additionalFields = options.additionalFields; return itemParams.paramsForSync(); }.bind(this)); diff --git a/app/assets/templates/frontend/directives/account-menu.html.haml b/app/assets/templates/frontend/directives/account-menu.html.haml index b99849a54..39e3f48c9 100644 --- a/app/assets/templates/frontend/directives/account-menu.html.haml +++ b/app/assets/templates/frontend/directives/account-menu.html.haml @@ -97,9 +97,7 @@ %a.block.mt-5{"ng-click" => "clickedSecurityUpdate()"} Security Update Available %section.gray-bg.mt-10.medium-padding{"ng-if" => "securityUpdateData.showForm"} %p - A new security feature is available that adds an additional level of verification to your sign-ins. - This feature assures that when you login, the server cannot tamper or modify your authentication parameters. - %a{"href" => "https://standardnotes.org/verification", "target" => "_blank"} Learn more. + %a{"href" => "https://standardnotes.org/help/security-update", "target" => "_blank"} Learn more. %div.mt-10{"ng-if" => "!securityUpdateData.processing"} %p.bold Enter your password to update: %form.mt-5