diff --git a/federation/src/graphql/api/1_0/resolver/AuthenticationResolver.ts b/federation/src/graphql/api/1_0/resolver/AuthenticationResolver.ts
index 4c14360e9..84d85a0af 100644
--- a/federation/src/graphql/api/1_0/resolver/AuthenticationResolver.ts
+++ b/federation/src/graphql/api/1_0/resolver/AuthenticationResolver.ts
@@ -9,7 +9,15 @@ import {
 getHomeCommunity,
 } from 'database'
 import { getLogger } from 'log4js'
-import { AuthenticationJwtPayloadType, AuthenticationResponseJwtPayloadType, encryptAndSign, OpenConnectionCallbackJwtPayloadType, OpenConnectionJwtPayloadType, uint32Schema, uuidv4Schema } from 'shared'
+import {
+ AuthenticationJwtPayloadType,
+ AuthenticationResponseJwtPayloadType,
+ encryptAndSign,
+ OpenConnectionCallbackJwtPayloadType,
+ OpenConnectionJwtPayloadType,
+ uint32Schema,
+ uuidv4Schema
+} from 'shared'
 import { Arg, Mutation, Resolver } from 'type-graphql'
 import { startAuthentication, startOpenConnectionCallback } from '../util/authenticateCommunity'
 
@@ -134,15 +142,15 @@ export class AuthenticationResolver {
 const authCom = await DbCommunity.findOneByOrFail({ communityUuid: authArgs.oneTimeCode })
 if (authCom) {
 methodLogger.debug('found authCom:', new CommunityLoggingView(authCom))
- if (authCom.publicKey !== authArgs.publicKey) {
- const errmsg = `corrupt authentication call detected, oneTimeCode: ${authArgs.oneTimeCode} doesn't belong to caller: ${authArgs.publicKey}`
+ if (authCom.publicKey.compare(Buffer.from(args.publicKey, 'hex')) !== 0) {
+ const errmsg = `corrupt authentication call detected, oneTimeCode: ${authArgs.oneTimeCode} doesn't belong to caller: ${args.publicKey}`
 methodLogger.error(errmsg)
 // no infos to the caller
 return null
 }
 const communityUuid = uuidv4Schema.safeParse(authArgs.uuid)
 if (!communityUuid.success) {
- const errmsg = `invalid uuid: ${authArgs.uuid} for community with publicKey ${authArgs.publicKey}`
+ const errmsg = `invalid uuid: ${authArgs.uuid} for community with publicKey ${authCom.publicKey}`
 methodLogger.error(errmsg)
 // no infos to the caller
 return null
diff --git a/federation/src/graphql/api/1_0/util/authenticateCommunity.ts b/federation/src/graphql/api/1_0/util/authenticateCommunity.ts
index 33f725737..a5a3f532a 100644
--- a/federation/src/graphql/api/1_0/util/authenticateCommunity.ts
+++ b/federation/src/graphql/api/1_0/util/authenticateCommunity.ts
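Review bot: The second changed error message interpolates `authCom.publicKey`, which the new comparison a few lines above shows is a Buffer, so the template literal falls back to the Buffer's default utf-8 `toString()` and the log line will carry unreadable bytes instead of the key; write it as `${authCom.publicKey.toString('hex')}` so it matches the hex form that `args.publicKey` arrives in. `Buffer.from(args.publicKey, 'hex')` is also lenient — an odd-length or non-hex string is silently truncated rather than rejected — which here only makes the `compare` fail closed and return null, but it means the logged `args.publicKey` may not describe what was actually compared; checking `Buffer.from(args.publicKey, 'hex').length !== authCom.publicKey.length` first and logging that case separately would make such a mismatch explicit. The enclosing method of AuthenticationResolver starts and ends outside the hunk.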
@@ -14,7 +14,7 @@ import { randombytes_random } from 'sodium-native'
 import { AuthenticationClient as V1_0_AuthenticationClient } from '@/client/1_0/AuthenticationClient'
 import { LOG4JS_BASE_CATEGORY_NAME } from '@/config/const'
-import { AuthenticationJwtPayloadType, AuthenticationResponseJwtPayloadType, encryptAndSign, OpenConnectionCallbackJwtPayloadType, uuidv4Schema, verifyAndDecrypt } from 'shared'
+import { AuthenticationJwtPayloadType, AuthenticationResponseJwtPayloadType, encryptAndSign, OpenConnectionCallbackJwtPayloadType, uint32Schema, uuidv4Schema, verifyAndDecrypt } from 'shared'
 const logger = getLogger(`${LOG4JS_BASE_CATEGORY_NAME}.graphql.api.1_0.util.authenticateCommunity`)
@@ -43,7 +43,11 @@ export async function startOpenConnectionCallback(
 // store oneTimeCode in requestedCom.community_uuid as authenticate-request-identifier
 // prevent overwriting valid UUID with oneTimeCode, because this request could be initiated at any time from federated community
 if (uuidv4Schema.safeParse(comA.communityUuid).success) {
- throw new Error('Community UUID is already a valid UUID')
+ methodLogger.debug('Community UUID is already a valid UUID')
+ return
+ } else if (uint32Schema.safeParse(Number(comA.communityUuid)).success) {
+ methodLogger.debug('Community UUID is still in authentication...oneTimeCode=', comA.communityUuid)
+ return
 }
 // TODO: make sure it is unique
 const oneTimeCode = randombytes_random().toString()
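Review bot: The new `else if` in startOpenConnectionCallback feeds `Number(comA.communityUuid)` to `uint32Schema`, but `Number('')` and `Number(null)` both evaluate to 0, so if the schema accepts 0 (its definition is not in the hunk) a community whose communityUuid was never set would be reported as "still in authentication" and the function would return before a oneTimeCode is ever generated; guard the field first, e.g. `} else if (comA.communityUuid != null && comA.communityUuid !== '' && uint32Schema.safeParse(Number(comA.communityUuid)).success) {`. Replacing the `throw` with a debug log and a bare `return` also means a caller can no longer distinguish "already authenticated", "authentication pending" and "callback started", and nothing in the hunk ages out a pending oneTimeCode, so a handshake that never completes appears to leave the community unable to re-enter authentication until the stored code is reset elsewhere — a comment naming where that reset happens, or a bounded age check on the pending code, would close that gap. `methodLogger` is not declared in the visible context, so this assumes it is created earlier in the function. The function starts and ends outside the hunk.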