fix: domain-separate auth signatures, enable CSP, harden key export (#76) #101
No reviewers
Labels
No labels
area:api
area:core
area:docs
area:infra
area:ux
dependencies
documentation
duplicate
good first issue
help wanted
invalid
question
rust
status:complete
status:partial
status:planned
type:bug
type:design
type:feature
type:infra
type:refactor
type:refactor
type:research
type:ux
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
icub3d/decentcom!101
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "feature/76-signing-oracle-csp"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Fixes the compounding webview key-handling risks in #76 as one coordinated change across server, client, SDK, and shared.
1. Signing oracle → domain separation
sign(data)used to sign any JS-supplied string with no domain separation — a compromised webview could forge auth challenges, messages, or any protocol artifact.shared::auth::auth_signing_payloadprepends adecentcom-auth:tag. Both the signer and the verifier build the signed bytes through this single helper, so a signature produced for auth can never be replayed as (or forged from) a signature over another artifact — and vice versa.verify()now verifies against the tagged payload.signcommand is replaced bysign_auth_challenge, which applies the tag itself. The webview supplies only the server-issued challenge, never the domain — so it is no longer a generic signing oracle. Removed the unused genericsignwrapper fromuseIdentity.This is a coordinated protocol change — server and all signers ship together (pre-1.0, no compatibility shim).
2. CSP
"csp": null→ strict policy.script-src 'self'closes the XSS→IPC amplifier the issue calls out.connect-src/img-srcstay network-permissive because the client connects to arbitrary self-hosted servers (fetch + WebSocket).3. Key export hardening
inner_key_exportenforcesvalidate_passphrase(..).acceptablebefore touching the key — a direct IPC call can't bypass the JS-side check.Tests
shared: payload tagging.cargo test+clippy -D warnings; frontendtsc,eslint --max-warnings=0,vitest(89),vite build.Closes #76