Enforce retrieval authentication at HF19 (except for namespace -10)

-10 is for legacy closed group messages, which will be the only unauthenticated-retrieval namespace starting at HF19.
2023-12-13 21:00:26 +01:00 · 2022-04-26 17:59:13 -03:00 · 2022-04-26 17:59:13 -03:00 · 91337019f1
parent 84277ef035
commit 91337019f1
4 changed files with 24 additions and 2 deletions
--- a/common/include/oxen_common.h
+++ b/common/include/oxen_common.h
@ -66,7 +66,14 @@ class user_pubkey_t {
    std::string prefixed_raw() const;
 };

-enum class namespace_id : int16_t { Default = 0, Min = -32768, Max = 32767 };
+enum class namespace_id : int16_t {
+    Default = 0,  // Ordinary Session messages
+    Min = -32768,
+    Max = 32767,
+    SessionSync = 5,     // Session sync data for imports & multidevice syncing
+    ClosedV2 = 3,        // Reserved for future Session closed group implementations
+    LegacyClosed = -10,  // For storage of "old" closed group messages; allows unauthenticated retrieval
+};

 constexpr bool is_public_namespace(namespace_id ns) {
    return static_cast<std::underlying_type_t<namespace_id>>(ns) % 10 == 0;
--- a/httpserver/client_rpc_endpoints.cpp
+++ b/httpserver/client_rpc_endpoints.cpp
@ -407,7 +407,7 @@ static void load(retrieve& r, Dict& d) {
    require_exactly_one_of("pubkey", pubkey, "pubKey", pubKey, true);
    auto& pk = pubkey ? pubkey : pubKey;

-    if (pk_ed25519 || sig || ts || msg_ns) {
+    if (pk_ed25519 || sig || ts || (msg_ns && *msg_ns != namespace_id::LegacyClosed)) {
        load_pk_signature(r, d, pk, pk_ed25519, sig);
        r.timestamp = std::move(*ts);
        r.check_signature = true;
--- a/httpserver/request_handler.cpp
+++ b/httpserver/request_handler.cpp
@ -570,6 +570,17 @@ void RequestHandler::process_client_req(
        return cb(handle_wrong_swarm(req.pubkey));

    auto now = system_clock::now();
+
+    // At HF19 start requiring authentication for all retrievals (except legacy closed groups, which
+    // can't be authenticated for technical reasons).
+    if (service_node_.hf_at_least(HARDFORK_RETRIEVE_AUTH) &&
+        req.msg_namespace != namespace_id::LegacyClosed) {
+        if (!req.check_signature) {
+            OXEN_LOG(debug, "retrieve: request signature required as of HF19");
+            return cb(Response{http::UNAUTHORIZED, "retrieve: request signature required"sv});
+        }
+    }
+
    if (req.check_signature) {
        if (req.timestamp < now - SIGNATURE_TOLERANCE ||
            req.timestamp > now + SIGNATURE_TOLERANCE) {
--- a/httpserver/service_node.h
+++ b/httpserver/service_node.h
@ -41,6 +41,10 @@ using hf_revision = std::pair<int, int>;
 // The earliest hardfork *this* version of storage server will work on:
 inline constexpr hf_revision STORAGE_SERVER_HARDFORK = {18, 1};

+// The hardfork at which we require authentication for (almost) all retrieval.  (Message namespace
+// -10 is temporarily exempt for closed group backwards support).
+inline constexpr hf_revision HARDFORK_RETRIEVE_AUTH = {19, 0};
+
 class OxenmqServer;
 struct OnionRequestMetadata;
 class Swarm;