Merge pull request #29 from spknetwork/unlink-have-account

Link hive account

Author: sisygoboom

Dockerfile.local

@@ -2,7 +2,7 @@ FROM node:18.14.2-alpine
 WORKDIR /usr/app
 COPY package*.json ./
 RUN apk add --no-cache git python3 make g++
-RUN npm install && npm install typescript -g
+RUN npm install
 COPY . .
 RUN npm run tsc:noemit
 CMD ["npm", "run", "dev"]

Dockerfile.staging

@@ -2,7 +2,7 @@ FROM node:18.14.2-alpine
 WORKDIR /usr/app
 COPY package*.json ./
 RUN apk add --no-cache git python3 make g++ ffmpeg
-RUN npm install && npm install typescript -g
+RUN npm install
 COPY . .
-RUN tsc
+RUN npm run build
 CMD ["node","--experimental-specifier-resolution=node", "./dist/index.js"]

src/repositories/hive-chain/hive-chain.repository.spec.ts

@@ -17,10 +17,8 @@ describe('HiveRepository', () => {
       const blueTeamPrivateKey = PrivateKey.fromSeed(crypto.randomBytes(32).toString("hex"));
       const blueTeamPublicKey = blueTeamPrivateKey.createPublic();
       const blueTeamPublicKeyString = blueTeamPublicKey.toString();
-  
       const message = JSON.stringify({ ts: Date.now() });
       const forgedSignature = redTeamPrivateKey.sign(crypto.createHash('sha256').update(message).digest());
-  
       const account: ExtendedAccount = {
         name: 'blueteam',
         memo_key: blueTeamPublicKeyString,
@@ -110,16 +108,15 @@ describe('HiveRepository', () => {
         lifetime_market_bandwidth: '',
         last_market_bandwidth_update: ''
       };
-  
-      // Act
-      const result = hiveRepository.verifyHiveMessage(
-        crypto.createHash('sha256').update('different message').digest(),
-        forgedSignature.toString(),
-        account
-      );
-  
-      // Assert
-      expect(result).toBe(false);
+    
+      // Act and Assert
+      await expect(async () => {
+        await hiveRepository.verifyHiveMessage(
+          'different message',
+          forgedSignature.toString(),
+          account
+        );
+      }).rejects.toThrow();
     });
 
     it('Should fail to verify an account if the signature height isn`t enough', async () => {
@@ -220,15 +217,12 @@ describe('HiveRepository', () => {
         last_market_bandwidth_update: ''
       };
 
-      // Act
-      const result = hiveRepository.verifyHiveMessage(
-        crypto.createHash('sha256').update(message).digest(),
+      // Assert
+      expect(async () => await hiveRepository.verifyHiveMessage(
+        message,
         signature.toString(),
         account
-      );
-  
-      // Assert
-      expect(result).toBe(false);
+      )).rejects.toThrow();
     });
 
     it('Should successfully verify a valid Hive message', async () => {
@@ -329,15 +323,12 @@ describe('HiveRepository', () => {
         last_market_bandwidth_update: ''
       };
 
-      // Act
-      const result = hiveRepository.verifyHiveMessage(
-        crypto.createHash('sha256').update(message).digest(),
+      // Assert
+      expect(async () => await hiveRepository.verifyHiveMessage(
+        message,
         signature.toString(),
         account
-      );
-  
-      // Assert
-      expect(result).toBe(true);
+      )).not.toThrow();
     });
   })
 

src/repositories/hive-chain/hive-chain.repository.ts

@@ -1,4 +1,4 @@
-import { BadRequestException, Injectable, Logger } from '@nestjs/common';
+import { BadRequestException, Injectable, Logger, UnauthorizedException } from '@nestjs/common';
 import hiveJsPackage from '@hiveio/hive-js';
 import { AuthorPerm, OperationsArray } from './types';
 import {
@@ -8,6 +8,7 @@ import {
   PrivateKey,
   PublicKey,
   Signature,
+  cryptoUtils,
 } from '@hiveio/dhive';
 import crypto from 'crypto';
 import 'dotenv/config';
@@ -154,29 +155,41 @@ export class HiveChainRepository {
     );
   }
 
-  verifyHiveMessage(message: Buffer, signature: string, account: ExtendedAccount): boolean {
+  async verifyHiveMessage(
+    message: string,
+    signature: string,
+    account: ExtendedAccount,
+  ): Promise<void> {
+    const bufferMessage = cryptoUtils.sha256(message);
+    let hasValidKey = false;
+
     for (const auth of account.posting.key_auths) {
       const publicKey = PublicKey.fromString(auth[0].toString());
       if (auth[1] < account.posting.weight_threshold) continue;
-      try {
-        const signatureBuffer = Signature.fromBuffer(Buffer.from(signature, 'hex'));
-        const verified = publicKey.verify(message, signatureBuffer);
-        if (verified) {
-          return true;
-        }
-      } catch (e) {
-        this.#logger.debug(e);
+
+      hasValidKey = true;
+      const signatureBuffer = Signature.fromBuffer(Buffer.from(signature, 'hex'));
+      const verified = publicKey.verify(bufferMessage, signatureBuffer);
+      if (verified) {
+        return;
       }
     }
-    return false;
+
+    if (!hasValidKey) {
+      throw new UnauthorizedException('No valid keys found with sufficient weight');
+    }
+
+    throw new UnauthorizedException('The message did not match the signature');
   }
 
   async vote(options: { author: string; permlink: string; voter: string; weight: number }) {
     if (options.weight < -10_000 || options.weight > 10_000) {
       this.#logger.error(
         `Vote weight was out of bounds: ${options.weight}. Skipping ${options.author}/${options.permlink}`,
       );
-      throw new BadRequestException('Hive vote weight out of bounds. Must be between -10000 and 10000');
+      throw new BadRequestException(
+        'Hive vote weight out of bounds. Must be between -10000 and 10000',
+      );
     }
     return this._hive.broadcast.vote(
       options,
@@ -221,16 +234,16 @@ export class HiveChainRepository {
   }
 
   verifyPostingAuth(account: ExtendedAccount): boolean {
-    let doWe = false;
-    if (Array.isArray(account.posting.account_auths)) {
-      account.posting.account_auths.forEach(function (item) {
-        if (item[0] === process.env.DELEGATED_ACCOUNT) {
-          doWe = true;
-        }
-      });
-      return doWe;
-    } else {
+    if (!Array.isArray(account.posting.account_auths)) {
       return false;
     }
+
+    for (const item of account.posting.account_auths) {
+      if (item[0] === process.env.DELEGATED_ACCOUNT) {
+        return true;
+      }
+    }
+
+    return false;
   }
 }

src/repositories/linked-accounts/linked-account.repository.ts

@@ -11,28 +11,23 @@ export class LinkedAccountRepository {
     private readonly linkedAccountModel: Model<LinkedAccount>,
   ) {}
 
-  async linkHiveAccount(user_id: string, account: string, challenge: string) {
+  async linkHiveAccount(user_id: string, account: string) {
     return await this.linkedAccountModel.create({
-      status: 'unverified',
       user_id,
       account,
+      status: 'verified',
       network: 'HIVE',
-      challenge,
-      linked_at: new Date(),
-      verified_at: null,
-      type: 'native',
-    });
-  }
-
-  async findOneByChallenge(query: { challenge: LinkedAccount['challenge'] }) {
-    return await this.linkedAccountModel.findOne(query);
+    } satisfies LinkedAccount);
   }
 
   async findOneByUserIdAndAccountName(query: {
     account: LinkedAccount['account'];
     user_id: LinkedAccount['user_id'];
   }) {
-    return await this.linkedAccountModel.findOne(query);
+    return await this.linkedAccountModel.findOne({
+      ...query,
+      status: 'verified',
+    } satisfies Partial<LinkedAccount>);
   }
 
   async verify(_id: ObjectId) {

src/repositories/linked-accounts/schemas/linked-account.schema.ts

@@ -14,8 +14,8 @@ export class LinkedAccount {
   @Prop({ required: true })
   user_id: string;
 
-  @Prop({ required: true })
-  challenge: string;
+  @Prop({ required: true, enum: ['HIVE'] })
+  network: 'HIVE';
 }
 
 export const LinkedAccountSchema = SchemaFactory.createForClass(LinkedAccount);

src/services/api/api.contoller.test.ts

@@ -23,6 +23,7 @@ import { HiveChainModule } from '../../repositories/hive-chain/hive-chain.module
 import { EmailModule } from '../email/email.module';
 import * as crypto from 'crypto';
 import { HiveModule } from '../hive/hive.module';
+import { PrivateKey } from '@hiveio/dhive';
 
 describe('ApiController', () => {
   let app: INestApplication;
@@ -138,7 +139,16 @@ describe('ApiController', () => {
   describe('/POST /v1/hive/linkaccount', () => {
     it('should link a Hive account', async () => {
       const jwtToken = 'test_jwt_token';
-      const body = { username: 'test-account' };
+
+      const privateKey = PrivateKey.fromSeed(crypto.randomBytes(32).toString("hex"));
+      const publicKey = privateKey.createPublic();
+      const publicKeyString = publicKey.toString();
+      const message = "singleton/bob/did is the owner of @starkerz";
+      const signature = privateKey.sign(crypto.createHash('sha256').update(message).digest());
+
+      const body = { username: 'starkerz', proof: signature.toString() };
+
+      process.env.TEST_PUBLIC_KEY = publicKeyString;
 
       return request(app.getHttpServer())
         .post('/v1/hive/linkaccount')
@@ -147,7 +157,12 @@ describe('ApiController', () => {
         .expect(201)
         .then(response => {
           expect(response.body).toEqual({
-            challenge: expect.any(String),
+            __v: 0,
+            _id: expect.any(String),
+            account: "starkerz",
+            network: "HIVE",
+            status: "verified",
+            user_id: "singleton/bob/did",
           });
         });
     });
@@ -165,8 +180,9 @@ describe('ApiController', () => {
           expect(response.body).toEqual({
             id: "test_user_id",
             network: "did",
-            sub: "test_user_id",
-            username: "test",
+            sub: "singleton/bob/did",
+            type: "singleton",
+            username: "test_user_id",
           });
         });
     });
@@ -177,7 +193,7 @@ describe('ApiController', () => {
       const jwtToken = 'test_jwt_token';
 
       // Mock linking and verifying an account
-      const link = await linkedAccountsRepository.linkHiveAccount('singleton/bob/did', 'test-account', 'challenge');
+      const link = await linkedAccountsRepository.linkHiveAccount('singleton/bob/did', 'test-account');
       await linkedAccountsRepository.verify(link._id);
 
       return request(app.getHttpServer())