From 6fa1a8116ecf44168d9c32b81e7419ff9d513cbd Mon Sep 17 00:00:00 2001 From: Ash Date: Wed, 20 Dec 2023 10:31:18 -0800 Subject: [PATCH 1/8] disable webauthn in contract --- account/Cargo.toml | 10 +++++----- account/src/error.rs | 3 --- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/account/Cargo.toml b/account/Cargo.toml index 59285ac..0258664 100644 --- a/account/Cargo.toml +++ b/account/Cargo.toml @@ -27,11 +27,11 @@ phf = { workspace = true } rsa = { workspace = true } getrandom = { workspace = true } p256 = { workspace = true } -webauthn-rs = { workspace = true } -webauthn-rs-proto = { workspace = true } -webauthn-rs-core = { workspace = true } -passkey = { git="https://github.com/aptos-labs/passkey-rs.git", branch = "fix-passkey-rs"} -passkey-authenticator = { git="https://github.com/aptos-labs/passkey-rs.git", branch = "fix-passkey-rs", features = ["testable"] } +#webauthn-rs = { workspace = true } +#webauthn-rs-proto = { workspace = true } +#webauthn-rs-core = { workspace = true } +#passkey = { git="https://github.com/aptos-labs/passkey-rs.git", branch = "fix-passkey-rs"} +#passkey-authenticator = { git="https://github.com/aptos-labs/passkey-rs.git", branch = "fix-passkey-rs", features = ["testable"] } url = "2.4.1" coset = "0.3.5" futures = "0.3.29" diff --git a/account/src/error.rs b/account/src/error.rs index f1420e4..3a80ae5 100644 --- a/account/src/error.rs +++ b/account/src/error.rs @@ -30,9 +30,6 @@ pub enum ContractError { #[error(transparent)] P256EcdsaCurve(#[from] p256::ecdsa::Error), - #[error(transparent)] - WebauthnError(#[from] webauthn_rs_core::error::WebauthnError), - #[error("error rebuilding key")] RebuildingKey, From 39ce897426811717b03275027c556d1395ba9b34 Mon Sep 17 00:00:00 2001 From: Ash Date: Mon, 5 Feb 2024 13:06:40 -0800 Subject: [PATCH 2/8] update pubkey : --- account/src/auth/jwt.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/account/src/auth/jwt.rs b/account/src/auth/jwt.rs
index 9249330..3f511cc 100644
--- a/account/src/auth/jwt.rs
+++ b/account/src/auth/jwt.rs
@@ -16,7 +16,7 @@ static AUD_KEY_MAP: Map<&'static str, &'static str> = phf_map! { // GA - Testnet - Test project "project-test-5ae234a7-6b74-46af-a7b7-969f3df38cc0" => "4ia1pODcj-BPNblyJ1ao1etK0VltRWQEmeoQtHaCWrOES-2BCFbcOBsDDxrXPzkTUK5j15fpMFbg36vDqXiYDNPHTp7WxUrOKOSyONk4gZUd626GZwKJBryMAhU7mBMByO56sLUHdDPajykYIlpHut75gDqipDI5QY9fh_piLh7OMy-MORaWdmkv1zFqLfjAr2GUKFmd7xiUAYTsjDClTTMn1rGskjBF8qPK9jDrPz9SEwN1n7N0JPsJVRqP6m5Yf_l9JWSKarSLbV9O0qMC7Nl0MpBKTw8HTVlwaBWF-5aGbg3dMQl8Cbn4vNUv-pPjrlvrpw2m_r0Gr5N9CBEKFQ;AQAB", // GA - Testnet - Live project - "project-live-7e4a3221-79cd-4f34-ac1d-fedac4bde13e" => "7DEDs11mtM85pjdpELjoNBqBPcPf3rUU7llkoycaUfhlQF3ghMVBrIoVs4ivaBGJiBGBEnM64lKeCMYDaTDa67AUsUIahyBtKTHvZ_tEgOiqX6feWg-z6MsoA7HFoxbIzgwTGEVcFzy5y0BQEqffPstSBLUeZRfh7NGSXbGoo5zXPx1oEgrFtzfpnBgz-OP2rg1JLdycMP3YoKFIu5v2nnRobvlEraXil3ETJ-c6TLcaOctd1T4HSFNk5xy7HqiqMqU4Ixy5HfzC7gJqo1g1ppPrkSY36hpPgtpa6xR161cPr9Acvejqt8LK5xpoeW8oS67r1_m-TkKjTOhKzjbVNw;AQAB", + "project-live-7e4a3221-79cd-4f34-ac1d-fedac4bde13e" => "qm5TbnKO8tCEVdwQK1Zit0_ig2nitUzA4V_m7oePByX1oSMismJOpbgEY2xjLVCMl_JdZOUIBQvaoFx169GS0-PrKEA8sXS-20Dp8rjiEG1hSaHapRfrDPjyN5TvPPp_xNAi8YBpZ5-msK0TZmG13Rcwn9xcu74AVW0PE19s0xWGAeukoaALfgk66RdwA7_C3KKeFkaEk9VpTtVJS7e-H815L2utXaqMC7uf-Qg93l0ifVBqaJj318BdV1dBj4cliMd1k7LlSD_qmcrqYUdggJB5FquVHjSj6-j5SMBne2IzWh4GLMneS_HGoTclRCHsOGi_3BhsjgkaZt6QCLr0_fafWUinJYrnEcIjojFlWuDvzPfoSV3bRefe_IQT4-Ht8fvwVcw5wEDhBiE2lfjHjMyRG-knlM910xnEJjJjxYWbyb_fLW-NVWULFH-L91DhxlXjDwO7hbbMlGlviTcsEa3ahwszNooQ63JJdp96iSA2JgWY6JPvWHG0mNrEU3AC6UMHLUtI2Hpg1ij6tiieFUMvFLvjj7dCozpDnZr2z6msCyTgUAmO3KQHaQ3Rvo2WwyuJPzOJLBnefLZIqZzAOXHAjI_bPTTOte1vPYkfLJxLKncdd-1OCwoLMyWAdCpD4gpIsam3jPhhQfAOio1XI1BXtDMxqIyXtCQD94ycwtU;AQAB", // Exodvs - Test project "project-test-185e9a9f-8bab-42f2-a924-953a59e8ff94" => 
"sQKkA829tzjU2VA-INHvdrewkbQzjpsMn0PNM7KJaBODbB4ItZM4x1NVSWBiy2DGHkaDDvADRbbq1BZsC1iXVtIYm0AoD7x4QC1w89kp2_s0wmvUOSPiQZlYrgJqRDXirXJZX3MNku2McXbwdyPajDaR4nBBQOoUOF21CHqLDqBHs2R6tHyL80R_8mgueiqQ-4wg6SSVcB_6ZOh59vRcjKr34upKPWGQzvMGCkeTO9whzbIWbA1j-8ykiS63EhjWBZU_sSolsf1ZGq8peVrADDLhOvHtZxCZLKwB46k2kb8GKAWlO4wRP6BDVjzpnea7BsvZ6JwULKg3HisH9gzaiQ;AQAB", "integration-test-project" => "olg7TF3aai-wR4HTDe5oR-WRhEsdW3u-O3IJHl0BiHkmR4MLskHG9HzivWoXsloUBnBMrFNxOH0x5cNMI07oi4PeRbHySiogRW9CXPjJaNlTi-pT_IgKFsyJNXsLyzrnajLkDbQU6pRsHmNeL0hAOUv48rtXv8VVWWN8okJehD2q9N7LHoFAOmIUEPg_VTHTt8K__O-9eMZKN4eMjh_4-sxRX6NXPSPT87XRlrK4GZ4pUdp86K0tOFLhwO4Uj0JkMNfI82eVZ1tAbDlqjd8jFnAb8fWm8wtdaTNbL_AAXmbDhswwJOyrw8fARZIhrXSdKBWa6e4k7sLwTIy-OO8saebnlARsjGst7ZCzmw5KCm2ctEVl3hYhHwyXu_A5rOblMrV3H0G7WqeKMCMVSJ11ssrlsmfVhNIwu1Qlt5GYmPTTJiCgGUGRxZkgDyOyjFNHglYpZamCGyJ9oyofsukEGoqMQ6WzjFi_hjVapzXi7Li-Q0OjEopIUUDDgeUrgjbGY0eiHI6sAz5hoaD0Qjc9e3Hk6-y7VcKCTCAanZOlJV0vJkHB98LBLh9qAoVUei_VaLFe2IcfVlrL_43aXlsHhr_SUQY5pHPlUMbQihE_57dpPRh31qDX_w6ye8dilniP8JmpKM2uIwnJ0x7hfJ45Qa0oLHmrGlzY9wi-RGP0YUk;AQAB", From 5fbe22b9fb6145648354010c1d8d107f35118c8c Mon Sep 17 00:00:00 2001 From: Ash Date: Fri, 9 Feb 2024 12:57:56 -0800 Subject: [PATCH 3/8] update timing on jwt check --- account/src/auth/jwt.rs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/account/src/auth/jwt.rs b/account/src/auth/jwt.rs index 3f511cc..8f6f7f4 100644 --- a/account/src/auth/jwt.rs +++ b/account/src/auth/jwt.rs @@ -23,7 +23,7 @@ static AUD_KEY_MAP: Map<&'static str, &'static str> = phf_map! { }; // The average block time of 2 blocks. -const AVERAGE_BLOCK_TIME_OF_TWO_BLOCKS: u64 = 12; +const AVERAGE_SYNC_TIME_OF_TWO_BLOCKS: u64 = 60; #[derive(Debug, Serialize, Deserialize)] struct Claims { 
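Review bot: The new value for `project-live-7e4a3221-79cd-4f34-ac1d-fedac4bde13e` replaces the old one in place with nothing recording which signing key it is or where it came from, so a reviewer cannot check this trust anchor against the issuer's published keys. A comment above the entry along the lines of `// GA - Testnet - Live project; key rotated 2024-02, kid <KEY_ID>, source <JWKS_URL>` (placeholders, to be filled by the author) would make the rotation auditable, and a short note on the `"<modulus>;<exponent>"` value format would help too. Because `AUD_KEY_MAP` holds a single key per audience, tokens signed with the previous key presumably stop verifying as soon as this build is deployed; if an overlap window is needed, that should be stated. The unchanged `integration-test-project` entry lives in the same map as the live audience, so it is worth confirming that the test key pair cannot be used against production deployments. The end of the `phf_map!` block is outside this hunk.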
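Review bot: The comment kept above the renamed constant still reads `// The average block time of 2 blocks.`, which matches neither `AVERAGE_SYNC_TIME_OF_TWO_BLOCKS` nor the new value of 60. Going by the second hunk of this commit, the constant controls how early a token is accepted relative to its "not before" claim, so the comment should give the unit and the purpose, e.g. `// Clock-skew allowance, in seconds, applied to the JWT "not before" check.`. A name that says this directly (for instance `NBF_TOLERANCE_SECONDS`, a suggested name) would also make a fivefold widening of the tolerance easier to spot in review.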
@@ -95,13 +95,13 @@ pub fn verify( } // complete the time checks - // because the provided time is the completion of the the last block, we add - // the average block time to allow for a more realistic timestamp. this has - // implications for the "not before" and "expiration" timestamps, in that we - // are more forgiving for "not before" and less forgiving for "expiration" - let working_time = ¤t_time.plus_seconds(AVERAGE_BLOCK_TIME_OF_TWO_BLOCKS); + // because the provided time is the completion of the last block, and the + // time for it to be synced between blocks, we add a buffer to allow for a + // more realistic timestamp. this has implications for the "not before" + // timestamp, we do not add this buffer to "expiration" + let working_time = ¤t_time.plus_seconds(AVERAGE_SYNC_TIME_OF_TWO_BLOCKS); let expiration = Timestamp::from_seconds(claims.exp as u64); - if expiration.lt(working_time) { + if expiration.lt(current_time) { return Err(InvalidTime { current: current_time.seconds(), received: expiration.seconds(), From 6dd10cc888a13fa6b40d7db54cfa5c789ed2ce4a Mon Sep 17 00:00:00 2001 From: Ash Date: Tue, 13 Feb 2024 21:59:51 -0700 Subject: [PATCH 4/8] add noop migrate command --- account/src/contract.rs | 8 +++++++- account/src/msg.rs | 3 +++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/account/src/contract.rs b/account/src/contract.rs index 003c90d..f7a44c3 100644 --- a/account/src/contract.rs +++ b/account/src/contract.rs @@ -5,7 +5,7 @@ use cosmwasm_std::{ use absacc::AccountSudoMsg; use crate::execute::{add_auth_method, remove_auth_method}; -use crate::msg::ExecuteMsg; +use crate::msg::{ExecuteMsg, MigrateMsg}; use crate::{ error::ContractResult, execute, @@ -67,3 +67,9 @@ pub fn query(deps: Deps, _env: Env, msg: QueryMsg) -> StdResult { } } } + +#[entry_point] +pub fn migrate(deps: DepsMut, _env: Env, msg: MigrateMsg) -> Result { + // No state migrations performed, just returned a Response + Ok(Response::default()) +} 
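Review bot: The expiry check now compares against the raw block time, but the context line `Timestamp::from_seconds(claims.exp as u64)` still converts with `as`. If `exp` is declared as a signed integer (the `Claims` field types are not visible in this hunk), a negative value wraps to a very large `u64` and the token is treated as never expiring. A checked conversion such as `u64::try_from(claims.exp).map_err(|_| InvalidToken)?` would reject it instead. Separately, `expiration.lt(current_time)` accepts a token whose `exp` equals the current time, whereas RFC 7519 requires the current time to be before `exp`; `expiration.le(current_time)` would match that. `verify` starts and ends outside the hunk.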
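Review bot: The new `migrate` entry point returns `Ok(Response::default())` unconditionally and never checks which contract or version is stored at the address, so a migration from an unrelated contract or a downgrade would be accepted silently. If the crate records a cw2 contract version at instantiate (not visible here), `migrate` should read it with `cw2::get_contract_version(deps.storage)?`, reject a different contract name or a newer stored version, and then call `cw2::set_contract_version` with the new version. The comment on the body should also say why no state migration is needed for this release, so the no-op is not copied forward once the storage layout does change.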
diff --git a/account/src/msg.rs b/account/src/msg.rs index 7836656..f571cda 100644 --- a/account/src/msg.rs +++ b/account/src/msg.rs @@ -25,3 +25,6 @@ pub enum QueryMsg { #[returns(Binary)] AuthenticatorByID { id: u8 }, } + +#[cw_serde] +pub enum MigrateMsg {} From 21e71cf82319c4163ba21245db7bb5d23f60adfa Mon Sep 17 00:00:00 2001 From: Ash Date: Tue, 13 Feb 2024 22:09:21 -0700 Subject: [PATCH 5/8] unused import --- account/src/execute.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/account/src/execute.rs b/account/src/execute.rs index 700bfff..2789f79 100644 --- a/account/src/execute.rs +++ b/account/src/execute.rs @@ -1,4 +1,4 @@ -use cosmwasm_std::{Addr, Binary, Deps, DepsMut, Env, Event, MessageInfo, Order, Response}; +use cosmwasm_std::{Addr, Binary, Deps, DepsMut, Env, Event, Order, Response}; use crate::auth::{passkey, AddAuthenticator, Authenticator}; use crate::{ From d7e72154b75e3b23ba62cd58e5eae35c5ddf9ac8 Mon Sep 17 00:00:00 2001 From: Ash Date: Tue, 13 Feb 2024 22:24:07 -0700 Subject: [PATCH 6/8] remove webauthn comments --- Cargo.toml | 5 +- account/Cargo.toml | 5 -- account/src/auth/passkey.rs | 118 ------------------------------------ 3 files changed, 1 insertion(+), 127 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 2a6b687..1a50471 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -24,7 +24,4 @@ base64 = "0.21.4" phf = { version = "0.11.2", features = ["macros"] } rsa = { version = "0.9.2" } getrandom = { version = "0.2.10", features = ["custom"] } -p256 = {version = "0.13.2", features = ["ecdsa-core", "arithmetic", "serde"]} -webauthn-rs = { git = "https://github.com/burnt-labs/webauthn-rs.git", features = ["danger-credential-internals"] } -webauthn-rs-proto = { git = "https://github.com/burnt-labs/webauthn-rs.git" } -webauthn-rs-core = { git = "https://github.com/burnt-labs/webauthn-rs.git" } +p256 = {version = "0.13.2", features = ["ecdsa-core", "arithmetic", "serde"]} \ No newline at end of file 
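Review bot: `pub enum MigrateMsg {}` has no variants, and as far as I can tell serde cannot deserialize any JSON value into a variant-less enum, so every migrate call would fail while parsing the message, before the `migrate` entry point runs. The conventional form for an empty migrate message is a struct, `#[cw_serde] pub struct MigrateMsg {}`, which accepts `{}`. If making migration impossible is the intent, a comment on the type saying so would stop someone from changing it later without realising the effect.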
diff --git a/account/Cargo.toml b/account/Cargo.toml index 0258664..6b095da 100644 --- a/account/Cargo.toml +++ b/account/Cargo.toml @@ -27,11 +27,6 @@ phf = { workspace = true } rsa = { workspace = true } getrandom = { workspace = true } p256 = { workspace = true } -#webauthn-rs = { workspace = true } -#webauthn-rs-proto = { workspace = true } -#webauthn-rs-core = { workspace = true } -#passkey = { git="https://github.com/aptos-labs/passkey-rs.git", branch = "fix-passkey-rs"} -#passkey-authenticator = { git="https://github.com/aptos-labs/passkey-rs.git", branch = "fix-passkey-rs", features = ["testable"] } url = "2.4.1" coset = "0.3.5" futures = "0.3.29" diff --git a/account/src/auth/passkey.rs b/account/src/auth/passkey.rs index dc67981..e3bf67b 100644 --- a/account/src/auth/passkey.rs +++ b/account/src/auth/passkey.rs 
@@ -70,121 +70,3 @@ pub fn verify( Ok(true) } - -// use crate::error::{ContractError, ContractResult}; -// use cosmwasm_std::{from_binary, Binary}; -// use webauthn_rs::prelude::{Passkey, PasskeyAuthentication, PasskeyRegistration, Url}; -// // use webauthn_rs::prelude::*; -// use crate::error::ContractError::InvalidToken; -// use webauthn_rs::WebauthnBuilder; -// use webauthn_rs_core::interface::{AuthenticationState, RegistrationState}; -// use webauthn_rs_proto::{COSEAlgorithm, PublicKeyCredential, UserVerificationPolicy}; -// -// -// -// pub fn register(url: String, cred: &Binary, challenge: Vec) -> ContractResult { -// let rp_origin = match Url::parse(&url) { -// Ok(u) => u, -// Err(_) => return Err(ContractError::URLParse { url }), -// }; -// -// let reg = from_binary(cred)?; -// -// let rp_id = rp_origin.domain().ok_or(ContractError::URLParse { url })?; -// let builder = WebauthnBuilder::new(rp_id, &rp_origin)?; -// let webauthn = builder.build()?; -// -// let registration_state = RegistrationState { -// policy: UserVerificationPolicy::Preferred, -// exclude_credentials: vec![], -// challenge: challenge.into(), -// credential_algorithms: vec![COSEAlgorithm::ES256], -// require_resident_key: false, -// authenticator_attachment: None, -// extensions: Default::default(), -// experimental_allow_passkeys: true, -// }; -// -// let passkey = webauthn.finish_passkey_registration( -// ®, -// &PasskeyRegistration { -// rs: registration_state, -// }, -// )?; -// -// Ok(passkey) -// } -// -// pub fn verify( -// url: String, -// passkey_bytes: &Binary, -// cred: &Binary, -// tx_bytes: Vec, -// ) -> ContractResult<()> { -// let rp_origin = match Url::parse(&url) { -// Ok(u) => u, -// Err(_err) => return Err(ContractError::URLParse { url }), -// }; -// -// let rp_id = rp_origin.domain().ok_or(ContractError::URLParse { url })?; -// let builder = WebauthnBuilder::new(rp_id, &rp_origin).expect("Invalid configuration"); -// let webauthn = builder.build().expect("Invalid 
configuration"); -// -// let passkey: Passkey = from_binary(passkey_bytes)?; -// -// let authentication_state = AuthenticationState { -// credentials: vec![passkey.into()], -// policy: UserVerificationPolicy::Preferred, -// challenge: tx_bytes.into(), -// appid: None, -// allow_backup_eligible_upgrade: false, -// }; -// -// let public_key_credential: PublicKeyCredential = from_binary(cred)?; -// -// webauthn.finish_passkey_authentication( -// &public_key_credential, -// &PasskeyAuthentication { -// ast: authentication_state, -// }, -// )?; -// -// Ok(()) -// } -// -// #[cfg(test)] -// mod tests { -// use crate::auth::passkey::{register, verify}; -// use cosmwasm_std::to_binary; -// use webauthn_rs::prelude::*; -// -// #[test] -// fn test_passkey_example() { -// let challenge = "test-challenge"; -// -// let rp_origin = -// Url::parse("https://xion-dapp-example-git-feat-faceid-burntfinance.vercel.app") -// .expect("Invalid URL"); -// let register_credential: RegisterPublicKeyCredential = serde_json::from_str(r#"{"type":"public-key","id":"6BnpSHlIXwOndHhxfPw4l3SylupnZIvTVP9Vp_aK34w","rawId":"6BnpSHlIXwOndHhxfPw4l3SylupnZIvTVP9Vp_aK34w","authenticatorAttachment":"platform","response":{"clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiZEdWemRDMWphR0ZzYkdWdVoyVSIsIm9yaWdpbiI6Imh0dHBzOi8veGlvbi1kYXBwLWV4YW1wbGUtZ2l0LWZlYXQtZmFjZWlkLWJ1cm50ZmluYW5jZS52ZXJjZWwuYXBwIiwiY3Jvc3NPcmlnaW4iOmZhbHNlfQ","attestationObject":"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViksGMBiDcEppiMfxQ10TPCe2-FaKrLeTkvpzxczngTMw1BAAAAAK3OAAI1vMYKZIsLJfHwVQMAIOgZ6Uh5SF8Dp3R4cXz8OJd0spbqZ2SL01T_Vaf2it-MpQECAyYgASFYINnBKEMfG6wkb9W1grSXgNAQ8lx6H7j6EcMyTSbZ91-XIlggdk2OOxV_bISxCsqFac6ZE8-gEurV4xQd7kFFYdfMqtE","transports":["internal"]},"clientExtensionResults":{}}"#).unwrap(); -// -// let reg_bytes = to_binary(®ister_credential).unwrap(); -// let passkey = register( -// rp_origin.to_string(), -// ®_bytes, -// challenge.as_bytes().to_vec(), -// ) -// .unwrap(); -// let passkey_bytes = 
to_binary(&passkey).unwrap(); -// -// let authenticate_credential: PublicKeyCredential = serde_json::from_str(r#"{"type":"public-key","id":"6BnpSHlIXwOndHhxfPw4l3SylupnZIvTVP9Vp_aK34w","rawId":"6BnpSHlIXwOndHhxfPw4l3SylupnZIvTVP9Vp_aK34w","authenticatorAttachment":"platform","response":{"clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiZEdWemRDMWphR0ZzYkdWdVoyVSIsIm9yaWdpbiI6Imh0dHBzOi8veGlvbi1kYXBwLWV4YW1wbGUtZ2l0LWZlYXQtZmFjZWlkLWJ1cm50ZmluYW5jZS52ZXJjZWwuYXBwIiwiY3Jvc3NPcmlnaW4iOmZhbHNlfQ","authenticatorData":"sGMBiDcEppiMfxQ10TPCe2-FaKrLeTkvpzxczngTMw0BAAAAAA","signature":"MEQCIF1Fm_XjFV5FjBRYXNN1WcDm0V4xbPn3sQ85gC34_FGmAiBzLYGsat3HwDcn4jh50gTW4mgGcmYqkvT2g1bfdFxElA","userHandle":null},"clientExtensionResults":{}}"#).unwrap(); -// let authenticate_credential_bytes = to_binary(&authenticate_credential).unwrap(); -// -// verify( -// rp_origin.to_string(), -// &passkey_bytes, -// &authenticate_credential_bytes, -// challenge.as_bytes().to_vec(), -// ) -// .unwrap(); -// } -// } From bf98c105689cb3022fedf44863240073b11bd52d Mon Sep 17 00:00:00 2001 From: Ash Date: Wed, 21 Feb 2024 07:03:14 -0800 Subject: [PATCH 7/8] kill nbf --- account/src/auth/jwt.rs | 25 ++++++++----------------- account/src/contract.rs | 3 ++- 2 files changed, 10 insertions(+), 18 deletions(-) diff --git a/account/src/auth/jwt.rs b/account/src/auth/jwt.rs index 8f6f7f4..5147182 100644 --- a/account/src/auth/jwt.rs +++ b/account/src/auth/jwt.rs 
@@ -22,9 +22,6 @@ static AUD_KEY_MAP: Map<&'static str, &'static str> = phf_map! { "integration-test-project" => "olg7TF3aai-wR4HTDe5oR-WRhEsdW3u-O3IJHl0BiHkmR4MLskHG9HzivWoXsloUBnBMrFNxOH0x5cNMI07oi4PeRbHySiogRW9CXPjJaNlTi-pT_IgKFsyJNXsLyzrnajLkDbQU6pRsHmNeL0hAOUv48rtXv8VVWWN8okJehD2q9N7LHoFAOmIUEPg_VTHTt8K__O-9eMZKN4eMjh_4-sxRX6NXPSPT87XRlrK4GZ4pUdp86K0tOFLhwO4Uj0JkMNfI82eVZ1tAbDlqjd8jFnAb8fWm8wtdaTNbL_AAXmbDhswwJOyrw8fARZIhrXSdKBWa6e4k7sLwTIy-OO8saebnlARsjGst7ZCzmw5KCm2ctEVl3hYhHwyXu_A5rOblMrV3H0G7WqeKMCMVSJ11ssrlsmfVhNIwu1Qlt5GYmPTTJiCgGUGRxZkgDyOyjFNHglYpZamCGyJ9oyofsukEGoqMQ6WzjFi_hjVapzXi7Li-Q0OjEopIUUDDgeUrgjbGY0eiHI6sAz5hoaD0Qjc9e3Hk6-y7VcKCTCAanZOlJV0vJkHB98LBLh9qAoVUei_VaLFe2IcfVlrL_43aXlsHhr_SUQY5pHPlUMbQihE_57dpPRh31qDX_w6ye8dilniP8JmpKM2uIwnJ0x7hfJ45Qa0oLHmrGlzY9wi-RGP0YUk;AQAB", }; -// The average block time of 2 blocks. -const AVERAGE_SYNC_TIME_OF_TWO_BLOCKS: u64 = 60; - #[derive(Debug, Serialize, Deserialize)] struct Claims { aud: Box<[String]>, // Optional. Audience 
@@ -94,26 +91,20 @@ pub fn verify( return Err(InvalidToken); } - // complete the time checks - // because the provided time is the completion of the last block, and the - // time for it to be synced between blocks, we add a buffer to allow for a - // more realistic timestamp. this has implications for the "not before" - // timestamp, we do not add this buffer to "expiration" - let working_time = ¤t_time.plus_seconds(AVERAGE_SYNC_TIME_OF_TWO_BLOCKS); - let expiration = Timestamp::from_seconds(claims.exp as u64); + // complete the time check + // + // timing in cosmos is unstable to say the least. therefore we have noticed + // that the perceived time in the chain can swing quite a bit, and is almost + // exclusively in the past. Therefore, NBF (not before) checks, which are + // primarily set at time of JWT creation, almost always fail. Knowing this, + // we have decided to only check expiration + let expiration = Timestamp::from_seconds(claims.exp); if expiration.lt(current_time) { return Err(InvalidTime { current: current_time.seconds(), received: expiration.seconds(), }); } - let not_before = Timestamp::from_seconds(claims.nbf as u64); - if not_before.gt(working_time) { - return Err(InvalidTime { - current: current_time.seconds(), - received: not_before.seconds(), - }); - } // make sure the provided hash matches the one from the tx if tx_hash.eq(&claims.transaction_hash) { Ok(true) diff --git a/account/src/contract.rs b/account/src/contract.rs index f7a44c3..6dc8a0b 100644 --- a/account/src/contract.rs +++ b/account/src/contract.rs @@ -4,6 +4,7 @@ use cosmwasm_std::{ use absacc::AccountSudoMsg; +use crate::error::ContractError; use crate::execute::{add_auth_method, remove_auth_method}; use crate::msg::{ExecuteMsg, MigrateMsg}; use crate::{ 
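Review bot: With the `not_before` block deleted, `exp` is the only time bound `verify` enforces, and nothing in this hunk caps how far in the future `exp` may lie, so a token's usable window is whatever the issuer chose. If chain time only ever lags wall-clock time, keeping the check with a documented, bounded tolerance would avoid the false rejections without ignoring the claim altogether. If dropping it is deliberate, the new comment should state that `nbf` is intentionally not enforced (a departure from RFC 7519) and that replay protection rests on the `transaction_hash` comparison that follows. It is also worth checking whether `Claims` still declares `nbf` as a required field (not visible here), since tokens without it would then fail to parse even though the value is never used. `verify` starts and ends outside the hunk.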
@@ -69,7 +70,7 @@ pub fn query(deps: Deps, _env: Env, msg: QueryMsg) -> StdResult { } #[entry_point] -pub fn migrate(deps: DepsMut, _env: Env, msg: MigrateMsg) -> Result { +pub fn migrate(_deps: DepsMut, _env: Env, _msg: MigrateMsg) -> Result { // No state migrations performed, just returned a Response Ok(Response::default()) } From e5415d7ae168b635c9b2fd3918db183e0726521e Mon Sep 17 00:00:00 2001 From: Ash Date: Wed, 21 Feb 2024 12:38:52 -0800 Subject: [PATCH 8/8] import for macro --- account/src/msg.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/account/src/msg.rs b/account/src/msg.rs index 4ea82f7..fd9907f 100644 --- a/account/src/msg.rs +++ b/account/src/msg.rs @@ -1,5 +1,6 @@ use crate::auth::AddAuthenticator; use cosmwasm_schema::{cw_serde, QueryResponses}; +use cosmwasm_std::Binary; #[cw_serde] pub struct InstantiateMsg {