combine fixes for community authentication

2026-02-06 09:56:05 +00:00 · 2025-10-09 12:16:12 +02:00 · 2025-10-09 12:16:12 +02:00 · 47b38ac58f
commit 47b38ac58f
parent 46c4711edb
2 changed files with 18 additions and 6 deletions
--- a/federation/src/graphql/api/1_0/resolver/AuthenticationResolver.ts
+++ b/federation/src/graphql/api/1_0/resolver/AuthenticationResolver.ts
@ -9,7 +9,15 @@ import {
  getHomeCommunity,
 } from 'database'
 import { getLogger } from 'log4js'
-import { AuthenticationJwtPayloadType, AuthenticationResponseJwtPayloadType, encryptAndSign, OpenConnectionCallbackJwtPayloadType, OpenConnectionJwtPayloadType, uint32Schema, uuidv4Schema } from 'shared'
+import { 
+  AuthenticationJwtPayloadType, 
+  AuthenticationResponseJwtPayloadType, 
+  encryptAndSign, 
+  OpenConnectionCallbackJwtPayloadType, 
+  OpenConnectionJwtPayloadType, 
+  uint32Schema, 
+  uuidv4Schema 
+} from 'shared'
 import { Arg, Mutation, Resolver } from 'type-graphql'
 import { startAuthentication, startOpenConnectionCallback } from '../util/authenticateCommunity'

@ -134,15 +142,15 @@ export class AuthenticationResolver {
      const authCom = await DbCommunity.findOneByOrFail({ communityUuid: authArgs.oneTimeCode })
      if (authCom) {
        methodLogger.debug('found authCom:', new CommunityLoggingView(authCom))
-        if (authCom.publicKey !== authArgs.publicKey) {
-          const errmsg = `corrupt authentication call detected, oneTimeCode: ${authArgs.oneTimeCode} doesn't belong to caller: ${authArgs.publicKey}`
+        if (authCom.publicKey.compare(Buffer.from(args.publicKey, 'hex')) !== 0) {
+          const errmsg = `corrupt authentication call detected, oneTimeCode: ${authArgs.oneTimeCode} doesn't belong to caller: ${args.publicKey}`
          methodLogger.error(errmsg)
          // no infos to the caller
          return null
        }
        const communityUuid = uuidv4Schema.safeParse(authArgs.uuid)
        if (!communityUuid.success) {
-          const errmsg = `invalid uuid: ${authArgs.uuid} for community with publicKey ${authArgs.publicKey}`
+          const errmsg = `invalid uuid: ${authArgs.uuid} for community with publicKey ${authCom.publicKey}`
          methodLogger.error(errmsg)
          // no infos to the caller
          return null
--- a/federation/src/graphql/api/1_0/util/authenticateCommunity.ts
+++ b/federation/src/graphql/api/1_0/util/authenticateCommunity.ts
@ -14,7 +14,7 @@ import { randombytes_random } from 'sodium-native'

 import { AuthenticationClient as V1_0_AuthenticationClient } from '@/client/1_0/AuthenticationClient'
 import { LOG4JS_BASE_CATEGORY_NAME } from '@/config/const'
-import { AuthenticationJwtPayloadType, AuthenticationResponseJwtPayloadType, encryptAndSign, OpenConnectionCallbackJwtPayloadType, uuidv4Schema, verifyAndDecrypt } from 'shared'
+import { AuthenticationJwtPayloadType, AuthenticationResponseJwtPayloadType, encryptAndSign, OpenConnectionCallbackJwtPayloadType, uint32Schema, uuidv4Schema, verifyAndDecrypt } from 'shared'

 const logger = getLogger(`${LOG4JS_BASE_CATEGORY_NAME}.graphql.api.1_0.util.authenticateCommunity`)

@ -43,7 +43,11 @@ export async function startOpenConnectionCallback(
    // store oneTimeCode in requestedCom.community_uuid as authenticate-request-identifier
    // prevent overwriting valid UUID with oneTimeCode, because this request could be initiated at any time from federated community
    if (uuidv4Schema.safeParse(comA.communityUuid).success) {
-      throw new Error('Community UUID is already a valid UUID')
+      methodLogger.debug('Community UUID is already a valid UUID')
+      return
+    } else if (uint32Schema.safeParse(Number(comA.communityUuid)).success) {
+      methodLogger.debug('Community UUID is still in authentication...oneTimeCode=', comA.communityUuid)
+      return
    }
    // TODO: make sure it is unique
    const oneTimeCode = randombytes_random().toString()