Merge branch 'develop'

RELEASES.md

@@ -3,6 +3,7 @@
 
 ## Releases ##
 
+- [v1.10.1](#1_10_1)
 - [v1.10.0](#1_10_0)
 - [v1.9.0](#1_9_0)
 - [v1.8.1](#1_8_1)
@@ -16,6 +17,26 @@
 - [v1.2.0](#1_2_0)
 - [v1.1.0](#1_1_0)
 
+<a name="1_10_1"/>
+
+## Samourai Dojo v1.10.1 ##
+
+#### Bug fixes ####
+
+- [#mr236](https://code.samourai.io/dojo/samourai-dojo/-/merge_requests/236) fix auth errors
+- [#mr237](https://code.samourai.io/dojo/samourai-dojo/-/merge_requests/237) fix zmq block notifications
+
+#### Security ####
+
+- [#mr235](https://code.samourai.io/dojo/samourai-dojo/-/merge_requests/235) apply middleware in correct order
+
+#### Credits ###
+
+- pajasevi
+- lukechilds
+- kenshin-samourai
+- zeroleak
+
 
 <a name="1_10_0"/>
 

accounts/fees-rest-api.js

@@ -28,7 +28,6 @@ class FeesRestApi {
       '/fees',
       authMgr.checkAuthentication.bind(authMgr),
       this.getFees.bind(this),
-      HttpServer.sendAuthError
     )
     // Refresh the network fees
     rpcFees.refresh()

accounts/headers-rest-api.js

@@ -33,7 +33,6 @@ class HeadersRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       this.validateArgsGetHeader.bind(this),
       this.getHeader.bind(this),
-      HttpServer.sendAuthError
     )
   }
 

accounts/multiaddr-rest-api.js

@@ -36,7 +36,6 @@ class MultiaddrRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       apiHelper.validateEntitiesParams.bind(apiHelper),
       this.getMultiaddr.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.post(
@@ -45,7 +44,6 @@ class MultiaddrRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       apiHelper.validateEntitiesParams.bind(apiHelper),
       this.postMultiaddr.bind(this),
-      HttpServer.sendAuthError
     )
   }
 

accounts/status-rest-api.js

@@ -31,7 +31,6 @@ class StatusRestApi {
       `/${keys.prefixes.status}/`,
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.getStatus.bind(this),
-      HttpServer.sendAuthError
     )
   }
 

accounts/support-rest-api.js

@@ -42,7 +42,6 @@ class SupportRestApi {
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.validateAddress.bind(this),
       this.getAddressInfo.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
@@ -50,7 +49,6 @@ class SupportRestApi {
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.validateAddress.bind(this),
       this.getAddressRescan.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
@@ -58,7 +56,6 @@ class SupportRestApi {
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.validateArgsGetXpubInfo.bind(this),
       this.getXpubInfo.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
@@ -66,7 +63,6 @@ class SupportRestApi {
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.validateArgsGetXpubRescan.bind(this),
       this.getXpubRescan.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
@@ -74,21 +70,18 @@ class SupportRestApi {
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.validateArgsGetXpubDelete.bind(this),
       this.getXpubDelete.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
       `/${keys.prefixes.support}/pairing/explorer`,
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.getPairingExplorer.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
       `/${keys.prefixes.support}/pairing`,
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.getPairing.bind(this),
-      HttpServer.sendAuthError
     )
   }
 

accounts/transactions-rest-api.js

@@ -36,7 +36,6 @@ class TransactionsRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       this.validateArgsGetTransaction.bind(this),
       this.getTransaction.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
@@ -45,7 +44,6 @@ class TransactionsRestApi {
       apiHelper.validateEntitiesParams.bind(apiHelper),
       this.validateArgsGetTransactions.bind(this),
       this.getTransactions.bind(this),
-      HttpServer.sendAuthError
     )
   }
 

accounts/unspent-rest-api.js

@@ -36,7 +36,6 @@ class UnspentRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       apiHelper.validateEntitiesParams.bind(apiHelper),
       this.getUnspent.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.post(
@@ -45,7 +44,6 @@ class UnspentRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       apiHelper.validateEntitiesParams.bind(apiHelper),
       this.postUnspent.bind(this),
-      HttpServer.sendAuthError
     )
   }
 

accounts/wallet-rest-api.js

@@ -35,7 +35,6 @@ class WalletRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       apiHelper.validateEntitiesParams.bind(apiHelper),
       this.getWallet.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.post(
@@ -44,7 +43,6 @@ class WalletRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       apiHelper.validateEntitiesParams.bind(apiHelper),
       this.postWallet.bind(this),
-      HttpServer.sendAuthError
     )
   }
 

accounts/xpub-rest-api.js

@@ -41,7 +41,6 @@ class XPubRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       this.validateArgsPostXpub.bind(this),
       this.postXpub.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
@@ -49,7 +48,6 @@ class XPubRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       this.validateArgsGetXpub.bind(this),
       this.getXpubImportStatus.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
@@ -57,7 +55,6 @@ class XPubRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       this.validateArgsGetXpub.bind(this),
       this.getXpub.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.post(
@@ -66,7 +63,6 @@ class XPubRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       this.validateArgsPostLockXpub.bind(this),
       this.postLockXpub.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.delete(
@@ -75,7 +71,6 @@ class XPubRestApi {
       authMgr.checkAuthentication.bind(authMgr),
       this.validateArgsDeleteXpub.bind(this),
       this.deleteXpub.bind(this),
-      HttpServer.sendAuthError
     )
   }
 

keys/index-example.js

@@ -16,7 +16,7 @@ module.exports = {
     /*
      * Dojo version
      */
-    dojoVersion: '1.10.0',
+    dojoVersion: '1.10.1',
     /*
      * Bitcoind
      */
@@ -329,4 +329,4 @@ module.exports = {
       unconfirmedTxsProcessPeriod: 300000
     }
   }
-}
+}

lib/auth/auth-rest-api.js

@@ -41,24 +41,21 @@ class AuthRestApi {
       authentMgr.authenticate({session: false}),
       authentMgr.serialize,
       authorzMgr.generateAuthorizations.bind(authorzMgr),
-      this.login.bind(this),
-      HttpServer.sendAuthError
+      this.login.bind(this)
     )
 
     this.httpServer.app.post(
       '/auth/logout',
       urlencodedParser,
       authorzMgr.revokeAuthorizations.bind(authorzMgr),
-      this.logout.bind(this),
-      HttpServer.sendAuthError
+      this.logout.bind(this)
     )
 
     this.httpServer.app.post(
       '/auth/refresh',
       urlencodedParser,
       authorzMgr.refreshAuthorizations.bind(authorzMgr),
-      this.refresh.bind(this),
-      HttpServer.sendAuthError
+      this.refresh.bind(this)
     )
   }
 

lib/auth/authorizations-manager.js

@@ -174,7 +174,7 @@ class AuthorizationsManager {
   }
 
   /**
-   * Check if user is authenticated 
+   * Check if user is authenticated
    * (i.e. we have received a valid json web token)
    * @param {string} token - json web token
    * @returns {boolean} returns the decoded token if valid
@@ -329,7 +329,7 @@ class AuthorizationsManager {
         const token = authHeader.substring(7)
         if (validator.isJWT(token))
           return token
-      }        
+      }
     }
     return null
   }

lib/auth/localapikey-strategy-configurator.js

@@ -51,7 +51,7 @@ class LocalApiKeyStrategyConfigurator {
       return done(null, {'profile': authorzMgr.TOKEN_PROFILE_API})
     } else {
       Logger.error(null, `Auth : Authentication failure (apikey=${apiKey})`)
-      return done('Invalid API key', false)
+      return done(errors.auth.INVALID_API_KEY, false)
     }
   }
 

lib/errors.js

@@ -66,7 +66,8 @@ module.exports = {
     INVALID_JWT: 'Invalid JSON Web Token',
     INVALID_PRF: 'Your current access rights do not allow this operation',
     MISSING_JWT: 'Missing JSON Web Token',
-    TECH_ISSUE: 'A technical problem was encountered. Unable to authenticate the user'
+    TECH_ISSUE: 'A technical problem was encountered. Unable to authenticate the user',
+    INVALID_API_KEY: 'Invalid API key',
   },
   db: {
     ERROR_NO_ADDRESS: 'ERROR_NO_ADDRESS',

lib/http-server/http-server.js

@@ -30,16 +30,29 @@ class HttpServer {
     this.server = null
 
     // Initialize the tiny-http app
-    this.app = new App();
-    this.app.set('trust proxy', 'loopback')
+    this.app = new App({
+      // Error handler
+      onError: (err, req, res) => {
+        // Detect if this is auth error
+        if (Object.values(errors.auth).includes(err)) {
+          HttpServer.sendError(res, err, 401)
+        } else {
+          Logger.error(err.stack, 'HttpServer : general error')
+          const ret = {status: 'Server error'}
+          HttpServer.sendError(res, ret, 500)
+        }
+      }
+    });
 
     // Middlewares for json responses and requests logging
-    this.app.use('/static', sirv('../static'));
-    this.app.use(HttpServer.setJSONResponse)
     this.app.use(HttpServer.requestLogger)
     this.app.use(HttpServer.setCrossOrigin)
-    this.app.use(HttpServer.setConnection)
     this.app.use(helmet(HttpServer.HELMET_POLICY))
+
+    this.app.use('/static', sirv('../static'));
+
+    this.app.use(HttpServer.setJSONResponse)
+    this.app.use(HttpServer.setConnection)
   }
 
 
@@ -48,14 +61,6 @@ class HttpServer {
    * @returns {object} returns the listening server instance
    */
   start() {
-    // Error handler, should be final middleware
-    this.app.use(function(err, req, res, next) {
-      if (res.headersSent) return next(err)
-      Logger.error(err.stack, 'HttpServer : start()')
-      const ret = {status: 'Server error'}
-      HttpServer.sendError(res, ret, 500)
-    })
-
     // Start a http server
     this.server = this.app.listen(this.port, this.host, () => {
       Logger.info(`HttpServer : Listening on ${this.host}:${this.port}`)
@@ -140,12 +145,10 @@ class HttpServer {
 
   /*
    * A middleware returning an authorization error response
-   * @param {string} err - error
-   * @param {object} req - http request object
    * @param {object} res - http response object
-   * @param {function} next - callback function
+   * @param {string} err - error
    */
-  static sendAuthError(err, req, res, next) {
+  static sendAuthError(res, err) {
     if (err) {
       HttpServer.sendError(res, err, 401)
     }
@@ -205,9 +208,15 @@ class HttpServer {
 HttpServer.HELMET_POLICY = {
   'contentSecurityPolicy' : {
     'directives': {
-      'defaultSrc': ['"self"'],
-      'styleSrc' : ['"self"', '"unsafe-inline"'],
-      'img-src' : ['"self" data:']
+      'default-src': ["'self'", "data:"],
+      'base-uri': ["'self'"],
+      'font-src': ["'self'", "https:", "data:"],
+      'frame-ancestors': ["'self'"],
+      'img-src': ["'self'", "data:"],
+      'object-src': ["'none'"],
+      'script-src': ["'self'", "'unsafe-inline'"],
+      'style-src': ["'self'", "https:", "'unsafe-inline'"],
+      'media-src': ["'self'", 'data:'],
     },
     'browserSniff': false,
     'disableAndroid': true

package-lock.json

@@ -1,11 +1,11 @@
 {
   "name": "samourai-dojo",
-  "version": "1.10.0",
+  "version": "1.10.1",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
-      "version": "1.10.0",
+      "version": "1.10.1",
       "license": "AGPL-3.0-only",
       "dependencies": {
         "@tinyhttp/app": "1.3.3",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "samourai-dojo",
-  "version": "1.10.0",
+  "version": "1.10.1",
   "description": "Backend server for Samourai Wallet",
   "main": "accounts/index.js",
   "scripts": {

pushtx/pushtx-rest-api.js

@@ -40,35 +40,30 @@ class PushTxRestApi {
       jsonParser,
       authMgr.checkAuthentication.bind(authMgr),
       this.postScheduleTxs.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.post(
       '/',
       authMgr.checkAuthentication.bind(authMgr),
       this.postPushTx.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
       '/',
       authMgr.checkAuthentication.bind(authMgr),
       this.getPushTx.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
       `/${keys.prefixes.statusPushtx}/`,
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.getStatus.bind(this),
-      HttpServer.sendAuthError
     )
 
     this.httpServer.app.get(
       `/${keys.prefixes.statusPushtx}/schedule`,
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.getStatusSchedule.bind(this),
-      HttpServer.sendAuthError
     )
 
     // Handle unknown paths, returning a help message
@@ -76,7 +71,6 @@ class PushTxRestApi {
       '/*',
       authMgr.checkAuthentication.bind(authMgr),
       this.getHelp.bind(this),
-      HttpServer.sendAuthError
     )
   }
 

tracker/blocks-processor.js

@@ -32,10 +32,10 @@ module.exports.nbWorkers = nbWorkers
 
 /**
  * Initialize the processor
- * @param {object} notifSock - ZMQ socket used for notifications
+ * @param {object} aNotifSock - ZMQ socket used for notifications
  */
-function init(notifSock) {
-  notifSock = notifSock
+function init(aNotifSock) {
+  notifSock = aNotifSock
 
   for (let i = 0; i < nbWorkers; i++) {
     const worker = new Worker(

tracker/tracker-rest-api.js

@@ -31,7 +31,6 @@ class TrackerRestApi {
       `/${keys.prefixes.support}/rescan`,
       authMgr.checkHasAdminProfile.bind(authMgr),
       this.getBlocksRescan.bind(this),
-      HttpServer.sendAuthError
     )
   }