Ensure the use SecureRandom when creating authentication token

parent 8d55911d
......@@ -33,11 +33,11 @@ By default, Briar creates a folder `~/.briar` where it stores its database and o
There you also find the authentication token which is required to interact with the API:
$ cat ~/.briar/auth_token
e175b010-e647-4440-ae8a-638d92ecfc8a
DZbfoUie8sjap7CSDR9y6cgJCojV+xUITTIFbgtAgqk=
You can test that things work as expected by running:
$ curl -H "Authorization: Bearer e175b010-e647-4440-ae8a-638d92ecfc8a" http://127.0.0.1:7000/v1/contacts
$ curl -H "Authorization: Bearer DZbfoUie8sjap7CSDR9y6cgJCojV+xUITTIFbgtAgqk=" http://127.0.0.1:7000/v1/contacts
[]
The answer is an empty JSON array, because you don't have any contacts.
......@@ -150,7 +150,7 @@ You can test connecting to the websocket with curl:
--header "Upgrade: websocket" \
--header "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ==" \
--header "Sec-WebSocket-Version: 13" \
http://e175b010-e647-4440-ae8a-638d92ecfc8a@127.0.0.1:7000/v1/ws
http://DZbfoUie8sjap7CSDR9y6cgJCojV+xUITTIFbgtAgqk=@127.0.0.1:7000/v1/ws
### Receiving new private messages
......@@ -7,6 +7,7 @@ import org.briarproject.bramble.account.AccountModule
import org.briarproject.bramble.system.DesktopSecureRandomModule
import org.briarproject.briar.BriarCoreEagerSingletons
import org.briarproject.briar.BriarCoreModule
import java.security.SecureRandom
import javax.inject.Singleton
@Component(
......@@ -20,5 +21,7 @@ import javax.inject.Singleton
)
@Singleton
internal interface BriarHeadlessApp : BrambleCoreEagerSingletons, BriarCoreEagerSingletons {
fun router(): Router
fun getRouter(): Router
fun getSecureRandom(): SecureRandom
}
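Review bot: The `router()` → `getRouter()` rename in this interface is unrelated to the SecureRandom change and forces every caller to change with it, which widens a security fix that should be easy to audit; keeping the old name here or moving the rename into its own commit would help. The new `getSecureRandom()` accessor also carries no KDoc, so callers cannot tell which instance they get; a one-liner such as `/** The application-wide [SecureRandom] used for token and key generation. */` would do. The `DesktopSecureRandomModule` import above suggests that module is the provider, but the binding itself is not visible in this hunk and should be confirmed before documenting it as such.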
......@@ -9,6 +9,7 @@ import com.github.ajalt.clikt.parameters.types.int
import org.briarproject.bramble.BrambleCoreModule
import org.briarproject.briar.BriarCoreModule
import org.slf4j.impl.SimpleLogger.DEFAULT_LOG_LEVEL_KEY
import org.spongycastle.util.encoders.Base64.toBase64String
import java.io.File
import java.io.File.separator
import java.io.IOException
......@@ -17,7 +18,7 @@ import java.lang.System.setProperty
import java.nio.file.Files.setPosixFilePermissions
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermission.*
import java.util.UUID.randomUUID
import java.security.SecureRandom
import java.util.logging.Level.*
import java.util.logging.LogManager
......@@ -65,8 +66,6 @@ private class Main : CliktCommand(
LogManager.getLogManager().getLogger("").level = level
val dataDir = getDataDir()
val authToken = getOrCreateAuthToken(dataDir)
val app =
DaggerBriarHeadlessApp.builder().headlessModule(HeadlessModule(dataDir)).build()
// We need to load the eager singletons directly after making the
......@@ -74,7 +73,9 @@ private class Main : CliktCommand(
BrambleCoreModule.initEagerSingletons(app)
BriarCoreModule.initEagerSingletons(app)
app.router().start(authToken, port, debug)
val authToken = getOrCreateAuthToken(dataDir, app.getSecureRandom())
app.getRouter().start(authToken, port, debug)
}
private fun getDataDir(): File {
......@@ -92,18 +93,23 @@ private class Main : CliktCommand(
return file
}
private fun getOrCreateAuthToken(dataDir: File): String {
private fun getOrCreateAuthToken(dataDir: File, secureRandom: SecureRandom): String {
val tokenFile = File(dataDir, "auth_token")
return if (tokenFile.isFile) {
tokenFile.readText()
} else {
// TODO use better way of getting random token?
val authToken = randomUUID().toString()
val authToken = createAuthToken(secureRandom)
tokenFile.writeText(authToken)
authToken
}
}
private fun createAuthToken(secureRandom: SecureRandom): String {
val bytes = ByteArray(32)
secureRandom.nextBytes(bytes)
return toBase64String(bytes)
}
}
fun main(args: Array<String>) = Main().main(args)
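Review bot: `createAuthToken` returns standard Base64 from `toBase64String(bytes)`, whose alphabet includes `/`, so roughly half of the generated 43-character tokens will contain a character that cannot appear unescaped in the `http://TOKEN@127.0.0.1:7000/v1/ws` form this same commit documents in the README; `+` and `=` are tolerated there but are still awkward in shells and query strings. Encoding with `java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)` keeps the full 256 bits of entropy, produces a URL- and shell-safe token, and lets `Main` drop the `org.spongycastle` import added above. Independently of the encoding, the new token is persisted by `tokenFile.writeText(authToken)` under the process umask; unless the data directory is already owner-only via the `setPosixFilePermissions` call whose import is visible but whose use is outside this hunk, restricting `auth_token` to the owner immediately after writing it would keep the secret from other local users. Both `getOrCreateAuthToken` and `createAuthToken` start and end inside this hunk.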