ivpn light: why is private key being sent to the server? #842

Open
maan2003 opened this issue Nov 11, 2024 · 6 comments

@maan2003

just trying to understand the api

    let response = await this.Post('/web/accounts/btc/create-light-invoice', {
        price_id: priceID,
        private_key: privateKey,
        public_key: publicKey,
        exit_server: exitServer,
        entry_server: entryServer
    })

@nathanrod
Member

Thanks for the report. The private key is actually not used in our backend since it is not required for the account deployment. The WireGuard private key is only used in the client config settings that are available in the client browser session.
A PR has been created and merged.

@maan2003
Author

Thanks.

@maan2003
Author

maan2003 commented Nov 20, 2024

looks like private key is still being sent to server, these js cookies are being sent to the server

JSCookie.set('lpv', this.privateKey, { expires: 0.5, })

please reopen this issue or I can open new one.

@nathanrod
Member

nathanrod commented Nov 20, 2024

If you check the API request implementation, although there is a reference, the private key is never sent to our backend:

async createLightInvoice(priceID, exitServer, entryServer, privateKey, publicKey) {

Regarding storing the private key in a cookie with an expire time in the client browser, it is required to be able to generate the config files when a payment is completed since it is not stored in our backend to fetch it:

"\nPrivateKey = " + JSCookie.get('lpv') +

The whole logic can be verified at https://www.ivpn.net/light/ .

@nathanrod nathanrod reopened this Nov 20, 2024
@maan2003
Author

you should use local storage for storing this.

cookies are implicitly sent to the server with every request to https://ivpn.net, I can see it being sent as Cookie: header in the network tab

@nathanrod
Member

The main issue with using localStorage is that it is persistent until the client deletes it or the app forces a deletion (which may create issues when trying to download the config for a second time) for temporal accounts.

I will have a meeting with the team to review the current logic; until then I will keep the issue open.
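
The trade-off raised in this thread (a cookie is attached to every request to the site, while localStorage has no built-in expiry) can be handled by storing the key in Web Storage together with an expiry timestamp that is checked on read. The following is an added example, not part of the thread and not IVPN's code; `putExpiring`, `getExpiring`, `privateKeyLine` and `MemoryStorage` are hypothetical names, and the TTL assumes `expires: 0.5` means half a day.

```javascript
// Added example, not IVPN code. All function and class names are hypothetical.
const KEY_NAME = 'lpv';                    // same name as the cookie in the thread
const TTL_MS = 0.5 * 24 * 60 * 60 * 1000;  // assumes expires: 0.5 means half a day

// Save a value with an absolute expiry. `storage` is a Web Storage object
// (window.localStorage or window.sessionStorage); the browser does not attach
// Web Storage contents to requests the way it attaches cookies.
function putExpiring(storage, name, value, ttlMs, now = Date.now()) {
  storage.setItem(name, JSON.stringify({ v: value, exp: now + ttlMs }));
}

// Return the value, or null when it is missing, malformed or expired.
// Expired and malformed records are deleted on read, so the key does not linger.
function getExpiring(storage, name, now = Date.now()) {
  const raw = storage.getItem(name);
  if (raw === null) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { rec = null; }
  const valid = rec && typeof rec.v === 'string' && typeof rec.exp === 'number';
  if (!valid || now >= rec.exp) {
    storage.removeItem(name);
    return null;
  }
  return rec.v;
}

// Build the config line quoted in the thread, or null once the key has expired.
function privateKeyLine(storage, now = Date.now()) {
  const key = getExpiring(storage, KEY_NAME, now);
  return key === null ? null : '\nPrivateKey = ' + key;
}

// Constructed in-memory stand-in for Web Storage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
}

// Constructed demo value, not a real WireGuard key.
function demo() {
  const s = new MemoryStorage();
  putExpiring(s, KEY_NAME, 'CONSTRUCTED_KEY', TTL_MS, 0);
  return [privateKeyLine(s, TTL_MS - 1), privateKeyLine(s, TTL_MS)];
}
```

In a browser, pass `window.localStorage` to keep the key across tabs until the expiry, or `window.sessionStorage` to also drop it when the tab closes.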

Projects
Status: Done