exp/services/webauth: add SEP-10 v1.2.0 implementation

exp/services/webauth/README.md

@@ -1,8 +1,16 @@
 # webauth
 
-This is a SEP-10 Web Authentication implementation based on SEP-10 v1.2.0.
+This is a [SEP-10] Web Authentication implementation based on SEP-10 v1.2.0
+that requires the master key have a high threshold for authentication to
+succeed.
 
-This implementation is not polished and is still experimental. Running this implementation in production is not recommended.
+SEP-10 defines an endpoint for authenticating a user in possession of a Stellar
+account using their Stellar account as credentials. This implementation is a
+standalone microservice that implements the minimum requirements as defined by
+the SEP-10 protocol and will be adapted as the protocol evolves.
+
+This implementation is not polished and is still experimental.
+Running this implementation in production is not recommended.
 
 ## Usage
 
@@ -34,11 +42,13 @@ Usage:
   webauth serve [flags]
 
 Flags:
-      --challenge-expires-in int    The time period after which the challenge transaction expires (default 300000000000)
+      --challenge-expires-in int    The time period in seconds after which the challenge transaction expires (default 300)
       --horizon-url string          Horizon URL used for looking up account details (default "https://horizon-testnet.stellar.org/")
-      --jwt-expires-in int          The time period that after which the JWT expires (default 18000000000000)
+      --jwt-expires-in int          The time period in seconds after which the JWT expires (default 300)
       --jwt-key string              Base64 encoded ECDSA private key used for signing JWTs
       --network-passphrase string   Network passphrase of the Stellar network transactions should be signed for (default "Test SDF Network ; September 2015")
       --port int                    Port to listen and serve on (default 8000)
       --signing-key string          Stellar signing key used for signing transactions
 ```
+
+[SEP-10]: https://github.com/stellar/stellar-protocol/blob/2be91ce8d8032ca9b2f368800d06b9fba346a147/ecosystem/sep-0010.md

exp/services/webauth/internal/commands/serve.go

@@ -2,7 +2,6 @@ package commands
 
 import (
 	"go/types"
-	"time"
 
 	"github.com/spf13/cobra"
 	"github.com/stellar/go/clients/horizonclient"
@@ -54,11 +53,11 @@ func (c *ServeCommand) Command() *cobra.Command {
 		},
 		{
 			Name:           "challenge-expires-in",
-			Usage:          "The time period after which the challenge transaction expires",
+			Usage:          "The time period in seconds after which the challenge transaction expires",
 			OptType:        types.Int,
 			CustomSetValue: config.SetDuration,
 			ConfigKey:      &opts.ChallengeExpiresIn,
-			FlagDefault:    int(300 * time.Second),
+			FlagDefault:    300,
 			Required:       true,
 		},
 		{
@@ -70,11 +69,11 @@ func (c *ServeCommand) Command() *cobra.Command {
 		},
 		{
 			Name:           "jwt-expires-in",
-			Usage:          "The time period that after which the JWT expires",
+			Usage:          "The time period in seconds after which the JWT expires",
 			OptType:        types.Int,
 			CustomSetValue: config.SetDuration,
 			ConfigKey:      &opts.JWTExpiresIn,
-			FlagDefault:    int(300 * time.Minute),
+			FlagDefault:    300,
 			Required:       true,
 		},
 	}
@@ -92,5 +91,5 @@ func (c *ServeCommand) Command() *cobra.Command {
 }
 
 func (c *ServeCommand) Run(opts serve.Options) {
-	serve.Main(opts)
+	serve.Serve(opts)
 }

exp/services/webauth/internal/serve/challenge_test.go

@@ -3,6 +3,7 @@ package serve
 import (
 	"encoding/json"
 	"io/ioutil"
+	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
@@ -16,9 +17,8 @@ import (
 )
 
 func TestChallenge(t *testing.T) {
-	serverKey, err := keypair.Random()
-	require.NoError(t, err)
-	account, err := keypair.Random()
+	serverKey := keypair.MustRandom()
+	account := keypair.MustRandom()
 
 	h := challengeHandler{
 		Logger:             supportlog.DefaultLogger,
@@ -33,14 +33,14 @@ func TestChallenge(t *testing.T) {
 	h.ServeHTTP(w, r)
 	resp := w.Result()
 
-	require.Equal(t, 200, resp.StatusCode)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
 	assert.Equal(t, "application/json; charset=utf-8", resp.Header.Get("Content-Type"))
 
 	res := struct {
 		Transaction       string `json:"transaction"`
 		NetworkPassphrase string `json:"network_passphrase"`
 	}{}
-	err = json.NewDecoder(resp.Body).Decode(&res)
+	err := json.NewDecoder(resp.Body).Decode(&res)
 	require.NoError(t, err)
 
 	var tx xdr.TransactionEnvelope
@@ -71,7 +71,7 @@ func TestChallengeNoAccount(t *testing.T) {
 	h.ServeHTTP(w, r)
 	resp := w.Result()
 
-	require.Equal(t, 400, resp.StatusCode)
+	require.Equal(t, http.StatusBadRequest, resp.StatusCode)
 	assert.Equal(t, "application/json; charset=utf-8", resp.Header.Get("Content-Type"))
 
 	body, err := ioutil.ReadAll(resp.Body)
@@ -87,7 +87,7 @@ func TestChallengeInvalidAccount(t *testing.T) {
 	h.ServeHTTP(w, r)
 	resp := w.Result()
 
-	require.Equal(t, 400, resp.StatusCode)
+	require.Equal(t, http.StatusBadRequest, resp.StatusCode)
 	assert.Equal(t, "application/json; charset=utf-8", resp.Header.Get("Content-Type"))
 
 	body, err := ioutil.ReadAll(resp.Body)

exp/services/webauth/internal/serve/errors.go

@@ -22,10 +22,6 @@ var badRequest = errorResponse{
 	Status: http.StatusBadRequest,
 	Error:  "The request was invalid in some way.",
 }
-var unsupportedMediaType = errorResponse{
-	Status: http.StatusUnsupportedMediaType,
-	Error:  "The request is of content type or encoding that is unsupported.",
-}
 var unauthorized = errorResponse{
 	Status: http.StatusUnauthorized,
 	Error:  "The request could not be authenticated.",

exp/services/webauth/internal/serve/errors_test.go

@@ -2,6 +2,7 @@ package serve
 
 import (
 	"io/ioutil"
+	"net/http"
 	"net/http/httptest"
 	"testing"
 
@@ -13,7 +14,7 @@ func TestErrorResponseRender(t *testing.T) {
 	w := httptest.NewRecorder()
 	serverError.Render(w)
 	resp := w.Result()
-	assert.Equal(t, 500, resp.StatusCode)
+	assert.Equal(t, http.StatusInternalServerError, resp.StatusCode)
 	body, err := ioutil.ReadAll(resp.Body)
 	require.NoError(t, err)
 	assert.JSONEq(t, `{"error":"An error occurred while processing this request."}`, string(body))
@@ -25,7 +26,7 @@ func TestErrorHandler(t *testing.T) {
 	handler := errorHandler{Error: notFound}
 	handler.ServeHTTP(w, r)
 	resp := w.Result()
-	assert.Equal(t, 404, resp.StatusCode)
+	assert.Equal(t, http.StatusNotFound, resp.StatusCode)
 	body, err := ioutil.ReadAll(resp.Body)
 	require.NoError(t, err)
 	assert.JSONEq(t, `{"error":"The resource at the url requested was not found."}`, string(body))

exp/services/webauth/internal/serve/serve.go

@@ -8,6 +8,7 @@ import (
 	"github.com/stellar/go/clients/horizonclient"
 	"github.com/stellar/go/exp/support/jwtkey"
 	"github.com/stellar/go/keypair"
+	"github.com/stellar/go/support/errors"
 	supporthttp "github.com/stellar/go/support/http"
 	supportlog "github.com/stellar/go/support/log"
 )
@@ -23,8 +24,13 @@ type Options struct {
 	JWTExpiresIn       time.Duration
 }
 
-func Main(opts Options) {
-	handler := handler(opts)
+func Serve(opts Options) {
+	handler, err := handler(opts)
+	if err != nil {
+		opts.Logger.Fatalf("Error: %v", err)
+		return
+	}
+
 	addr := fmt.Sprintf(":%d", opts.Port)
 	supporthttp.Run(supporthttp.Config{
 		ListenAddr: addr,
@@ -36,15 +42,15 @@ func Main(opts Options) {
 	})
 }
 
-func handler(opts Options) http.Handler {
+func handler(opts Options) (http.Handler, error) {
 	signingKey, err := keypair.ParseFull(opts.SigningKey)
 	if err != nil {
-		opts.Logger.Fatalf("Error parsing signing key seed: %v", err)
+		return nil, errors.Wrap(err, "parsing signing key seed")
 	}
 
 	jwtPrivateKey, err := jwtkey.PrivateKeyFromString(opts.JWTPrivateKey)
 	if err != nil {
-		opts.Logger.Fatalf("Error parsing JWT private key: %v", err)
+		return nil, errors.Wrap(err, "parsing JWT private key")
 	}
 
 	httpClient := &http.Client{
@@ -77,5 +83,5 @@ func handler(opts Options) http.Handler {
 		JWTExpiresIn:      opts.JWTExpiresIn,
 	}.ServeHTTP)
 
-	return mux
+	return mux, nil
 }

exp/services/webauth/internal/serve/token.go

@@ -2,13 +2,13 @@ package serve
 
 import (
 	"crypto/ecdsa"
-	"encoding/json"
 	"net/http"
 	"time"
 
 	"github.com/dgrijalva/jwt-go"
 	"github.com/stellar/go/clients/horizonclient"
 	"github.com/stellar/go/keypair"
+	"github.com/stellar/go/support/http/httpdecode"
 	supportlog "github.com/stellar/go/support/log"
 
 	"github.com/stellar/go/support/render/httpjson"
@@ -25,7 +25,7 @@ type tokenHandler struct {
 }
 
 type tokenRequest struct {
-	Transaction string `json:"transaction"`
+	Transaction string `json:"transaction" form:"transaction"`
 }
 
 type tokenResponse struct {
@@ -37,29 +37,13 @@ func (h tokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	req := tokenRequest{}
 
-	contentType := r.Header.Get("Content-Type")
-	switch contentType {
-	case "application/x-www-form-urlencoded":
-		defer r.Body.Close()
-		err := r.ParseForm()
-		if err != nil {
-			badRequest.Render(w)
-			return
-		}
-		req.Transaction = r.PostForm.Get("transaction")
-	case "application/json", "application/json; charset=utf-8":
-		defer r.Body.Close()
-		err := json.NewDecoder(r.Body).Decode(&req)
-		if err != nil {
-			badRequest.Render(w)
-			return
-		}
-	default:
-		unsupportedMediaType.Render(w)
+	err := httpdecode.Decode(r, &req)
+	if err != nil {
+		badRequest.Render(w)
 		return
 	}
 
-	_, err := txnbuild.VerifyChallengeTx(req.Transaction, h.SigningAddress.Address(), h.NetworkPassphrase)
+	_, err = txnbuild.VerifyChallengeTx(req.Transaction, h.SigningAddress.Address(), h.NetworkPassphrase)
 	if err != nil {
 		unauthorized.Render(w)
 		return
@@ -72,6 +56,23 @@ func (h tokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 	clientAccountID := tx.Operations[0].(*txnbuild.ManageData).SourceAccount.GetAccountID()
 
+	clientAccount, err := h.HorizonClient.AccountDetail(horizonclient.AccountRequest{AccountID: clientAccountID})
+	if err != nil {
+		serverError.Render(w)
+		return
+	}
+	verifiedWeight := false
+	for _, clientSigner := range clientAccount.Signers {
+		if clientSigner.Key == clientAccountID && clientSigner.Weight >= int32(clientAccount.Thresholds.HighThreshold) {
+			verifiedWeight = true
+			break
+		}
+	}
+	if !verifiedWeight {
+		unauthorized.Render(w)
+		return
+	}
+
 	now := time.Now().UTC()
 	token := jwt.NewWithClaims(jwt.SigningMethodES256, jwt.MapClaims{
 		"iss": h.SigningAddress.Address(),