Filter invalid authorisations from the file server

libloki/crypto.d.ts

@@ -1,27 +1,27 @@
-import { PairingAuthorisation } from "../js/modules/data";
+import { PairingAuthorisation } from '../js/modules/data';
 
 declare enum PairingTypeEnum {
   REQUEST = 1,
-  GRANT
+  GRANT,
 }
 
 export interface CryptoInterface {
-  DHDecrypt: any,
+  DHDecrypt: any;
-  DHEncrypt: any,
+  DHEncrypt: any;
-  DecryptGCM: any, // AES-GCM
+  DecryptGCM: any; // AES-GCM
-  EncryptGCM: any, // AES-GCM
+  EncryptGCM: any; // AES-GCM
-  FallBackDecryptionError: any,
+  FallBackDecryptionError: any;
-  FallBackSessionCipher: any,
+  FallBackSessionCipher: any;
-  LokiSessionCipher: any,
+  LokiSessionCipher: any;
-  PairingType: PairingTypeEnum,
+  PairingType: PairingTypeEnum;
-  _decodeSnodeAddressToPubKey: any,
+  _decodeSnodeAddressToPubKey: any;
-  decryptForPubkey: any,
+  decryptForPubkey: any;
-  decryptToken: any,
+  decryptToken: any;
-  encryptForPubkey: any,
+  encryptForPubkey: any;
-  generateEphemeralKeyPair: any,
+  generateEphemeralKeyPair: any;
-  generateSignatureForPairing: any,
+  generateSignatureForPairing: any;
-  sha512: any,
+  sha512: any;
-  validateAuthorisation: any,
+  validateAuthorisation: any;
   verifyAuthorisation(authorisation: PairingAuthorisation): Promise<boolean>;
-  verifyPairingSignature: any,
+  verifyPairingSignature: any;
 }

libloki/index.d.ts

@@ -1,4 +1,4 @@
-import { CryptoInterface } from "./crypto";
+import { CryptoInterface } from './crypto';
 
 export interface Libloki {
   api: any;

ts/session/protocols/MultiDeviceProtocol.ts

@@ -82,25 +82,45 @@ export class MultiDeviceProtocol {
     const mapping = await window.lokiFileServerAPI.getUserDeviceMapping(
       device.key
     );
-    // TODO: Filter out invalid authorisations
 
     if (!mapping || !mapping.authorisations) {
       return [];
     }
 
-    return mapping.authorisations.map(
+    try {
-      ({
+      const authorisations = mapping.authorisations.map(
-        primaryDevicePubKey,
+        ({
-        secondaryDevicePubKey,
+          primaryDevicePubKey,
-        requestSignature,
+          secondaryDevicePubKey,
-        grantSignature,
+          requestSignature,
-      }) => ({
+          grantSignature,
-        primaryDevicePubKey,
+        }) => ({
-        secondaryDevicePubKey,
+          primaryDevicePubKey,
-        requestSignature: StringUtils.encode(requestSignature, 'base64'),
+          secondaryDevicePubKey,
-        grantSignature: StringUtils.encode(grantSignature, 'base64'),
+          requestSignature: StringUtils.encode(requestSignature, 'base64'),
-      })
+          grantSignature: StringUtils.encode(grantSignature, 'base64'),
-    );
+        })
+      );
+
+      const validAuthorisations = await Promise.all(
+        authorisations.map(async authoritsation => {
+          const valid = await window.libloki.crypto.verifyAuthorisation(
+            authoritsation
+          );
+          return valid ? authoritsation : undefined;
+        })
+      );
+
+      return validAuthorisations.filter(a => !!a) as Array<
+        PairingAuthorisation
+      >;
+    } catch (e) {
+      console.warn(
+        `MultiDeviceProtocol::fetchPairingAuthorisation: Failed to map authorisations for ${device.key}.`,
+        e
+      );
+      return [];
+    }
   }
 
   /**

ts/test/session/crypto/MessageEncrypter_test.ts

@@ -33,7 +33,7 @@ describe('MessageEncrypter', () => {
     TestUtils.stubWindow('libloki', {
       crypto: {
         FallBackSessionCipher: Stubs.FallBackSessionCipherStub,
-      },
+      } as any,
     });
 
     sandbox.stub(UserUtil, 'getCurrentDevicePubKey').resolves(ourNumber);

ts/test/session/protocols/MultiDeviceProtocol_test.ts

@@ -71,6 +71,21 @@ describe('MultiDeviceProtocol', () => {
   });
 
   describe('fetchPairingAuthorisations', () => {
+    let verifyAuthorisationStub: sinon.SinonStub<
+      [PairingAuthorisation],
+      Promise<boolean>
+    >;
+    beforeEach(() => {
+      verifyAuthorisationStub = sandbox
+        .stub<[PairingAuthorisation], Promise<boolean>>()
+        .resolves(true);
+      TestUtils.stubWindow('libloki', {
+        crypto: {
+          verifyAuthorisation: verifyAuthorisationStub,
+        } as any,
+      });
+    });
+
     it('should throw if lokiFileServerAPI does not exist', async () => {
       TestUtils.stubWindow('lokiFileServerAPI', undefined);
       expect(
@@ -125,9 +140,96 @@ describe('MultiDeviceProtocol', () => {
         networkAuth.grantSignature
       );
     });
+
+    it('should not return invalid authorisations', async () => {
+      const networkAuth = {
+        primaryDevicePubKey:
+          '05caa6310a490415df45f8f4ad1b3655ad7a11e722257887a30cf71601d679720b',
+        secondaryDevicePubKey:
+          '051296b9588641eea268d60ad6636eecb53a95150e91c0531a00203e01a2c16a39',
+        requestSignature:
+          '+knEdlenTV+MooRqlFsZRPWW8s9pcjKwB40fY5o0GJmAi2RPZtaVGRTqgApTIn2zPBTE4GQlmPD7uxcczHDjAg==',
+        grantSignature:
+          'eKzcOWMEVetybkuiVK2u18B9en5pywohn2Hn25/VOVTMrIsKSCW4xXpqwipfqvgvi62WtUt6SA9bCEB5Ngcyiw==',
+      };
+
+      const stub = sinon.stub().resolves({
+        isPrimary: false,
+        authorisations: [networkAuth],
+      });
+      TestUtils.stubWindow('lokiFileServerAPI', {
+        getUserDeviceMapping: stub,
+      });
+
+      verifyAuthorisationStub.resolves(false);
+
+      const authorisations = await MultiDeviceProtocol.fetchPairingAuthorisations(
+        TestUtils.generateFakePubKey()
+      );
+      expect(verifyAuthorisationStub.callCount).to.equal(1);
+      expect(authorisations.length).to.equal(0);
+    });
+
+    it('should handle incorrect pairing authorisations from the file server', async () => {
+      const invalidAuth = {
+        primaryDevicePubKey:
+          '05caa6310a490415df45f8f4ad1b3655ad7a11e722257887a30cf71601d679720b',
+        secondaryDevicePubKey:
+          '051296b9588641eea268d60ad6636eecb53a95150e91c0531a00203e01a2c16a39',
+        requestSignatures:
+          '+knEdlenTV+MooRqlFsZRPWW8s9pcjKwB40fY5o0GJmAi2RPZtaVGRTqgApTIn2zPBTE4GQlmPD7uxcczHDjAg==',
+      };
+
+      const stub = sinon.stub().resolves({
+        isPrimary: false,
+        authorisations: [invalidAuth],
+      });
+      TestUtils.stubWindow('lokiFileServerAPI', {
+        getUserDeviceMapping: stub,
+      });
+      const authorisations = await MultiDeviceProtocol.fetchPairingAuthorisations(
+        TestUtils.generateFakePubKey()
+      );
+      expect(authorisations.length).to.equal(0);
+    });
+
+    it('should return empty array if mapping is null', async () => {
+      const stub = sinon.stub().resolves(null);
+      TestUtils.stubWindow('lokiFileServerAPI', {
+        getUserDeviceMapping: stub,
+      });
+
+      const authorisations = await MultiDeviceProtocol.fetchPairingAuthorisations(
+        TestUtils.generateFakePubKey()
+      );
+      expect(authorisations.length).to.equal(0);
+    });
+
+    it('should return empty array if authorisations in mapping are null', async () => {
+      const stub = sinon.stub().resolves({
+        isPrimary: false,
+        authorisations: null,
+      });
+      TestUtils.stubWindow('lokiFileServerAPI', {
+        getUserDeviceMapping: stub,
+      });
+
+      const authorisations = await MultiDeviceProtocol.fetchPairingAuthorisations(
+        TestUtils.generateFakePubKey()
+      );
+      expect(authorisations.length).to.equal(0);
+    });
   });
 
   describe('fetchPairingAuthorisationIfNeeded', () => {
+    beforeEach(() => {
+      TestUtils.stubWindow('libloki', {
+        crypto: {
+          verifyAuthorisation: async () => true,
+        } as any,
+      });
+    });
+
     let fetchPairingAuthorisationStub: sinon.SinonStub<
       [PubKey],
       Promise<Array<PairingAuthorisation>>
@@ -250,6 +352,16 @@ describe('MultiDeviceProtocol', () => {
         expect(allDevicePubKeys).to.have.same.members(devices.map(d => d.key));
       }
     });
+
+    it('should return the passed in user device if no pairing authorisations are found', async () => {
+      const pubKey = TestUtils.generateFakePubKey();
+      sandbox
+        .stub(MultiDeviceProtocol, 'getPairingAuthorisations')
+        .resolves([]);
+      const allDevices = await MultiDeviceProtocol.getAllDevices(pubKey);
+      expect(allDevices).to.have.length(1);
+      expect(allDevices[0].key).to.equal(pubKey.key);
+    });
   });
 
   describe('getPrimaryDevice', () => {