chore: make signature verification & generation use ms for timestamp (#3236)

* chore(backend): make signature validation use milliseconds instead of seconds

* chore(auth): make signature validation use milliseconds instead of seconds

* chore(frontend): make signature generation use milliseconds for timestamp

* chore(mase): make signature generation use milliseconds for timestamp

* chore(bruno): make signature generation use milliseconds for timestamp

* test(backend): update webhook service tests

* test(backend): update test file to stop logging out warning

* test(integration): sign apollo client requests

* chore(ci): ignore trivy vulnerability indefinitely

Author: mkurapov

.trivyignore

@@ -1 +1 @@
-CVE-2024-21538 exp:2024-12-31
+CVE-2024-21538

bruno/collections/Rafiki/scripts.js

@@ -85,7 +85,7 @@ const scripts = {
   generateAuthApiSignature: function (body) {
     const version = bru.getEnvVar('authApiSignatureVersion')
     const secret = bru.getEnvVar('authApiSignatureSecret')
-    const timestamp = Math.round(new Date().getTime() / 1000)
+    const timestamp = Date.now()
     const payload = `${timestamp}.${canonicalize(body)}`
     const hmac = createHmac('sha256', secret)
     hmac.update(payload)
@@ -97,7 +97,7 @@ const scripts = {
   generateBackendApiSignature: function (body) {
     const version = bru.getEnvVar('backendApiSignatureVersion')
     const secret = bru.getEnvVar('backendApiSignatureSecret')
-    const timestamp = Math.round(new Date().getTime() / 1000)
+    const timestamp = Date.now()
     const payload = `${timestamp}.${canonicalize(body)}`
     const hmac = createHmac('sha256', secret)
     hmac.update(payload)

localenv/mock-account-servicing-entity/app/lib/apolloClient.ts

@@ -51,7 +51,7 @@ const errorLink = onError(({ graphQLErrors }) => {
 const authLink = setContext((request, { headers }) => {
   if (!process.env.SIGNATURE_SECRET || !process.env.SIGNATURE_VERSION)
     return { headers }
-  const timestamp = Math.round(new Date().getTime() / 1000)
+  const timestamp = Date.now()
   const version = process.env.SIGNATURE_VERSION
 
   const { query, variables, operationName } = request

packages/auth/src/config/app.ts

@@ -58,7 +58,7 @@ export const Config = {
   authServerUrl: envString('AUTH_SERVER_URL'),
   adminApiSecret: process.env.ADMIN_API_SECRET, // optional
   adminApiSignatureVersion: envInt('ADMIN_API_SIGNATURE_VERSION', 1),
-  adminApiSignatureTtl: envInt('ADMIN_API_SIGNATURE_TTL_SECONDS', 30),
+  adminApiSignatureTtlSeconds: envInt('ADMIN_API_SIGNATURE_TTL_SECONDS', 30),
   waitTimeSeconds: envInt('WAIT_SECONDS', 5),
   cookieKey: envString('COOKIE_KEY'),
   interactionCookieSameSite: envEnum(

packages/auth/src/shared/utils.test.ts

@@ -91,7 +91,9 @@ describe('utils', (): void => {
       )
 
       const timestamp = signature.split(', ')[0].split('=')[1]
-      const now = new Date((Number(timestamp) + 60) * 1000)
+      const now = new Date(
+        Number(timestamp) + (Config.adminApiSignatureTtlSeconds + 1) * 1000
+      )
       jest.useFakeTimers({ now })
       const ctx = createContext<AppContext>(
         {
@@ -120,11 +122,7 @@ describe('utils', (): void => {
         Config.adminApiSignatureVersion,
         requestBody
       )
-      const key = `signature:${signature}`
-      const op = redis.multi()
-      op.set(key, signature)
-      op.expire(key, Config.adminApiSignatureTtl * 1000)
-      await op.exec()
+
       const ctx = createContext<AppContext>(
         {
           headers: {
@@ -138,6 +136,13 @@ describe('utils', (): void => {
       )
       ctx.request.body = requestBody
 
+      await expect(
+        verifyApiSignature(ctx, {
+          ...Config,
+          adminApiSecret: 'test-secret'
+        })
+      ).resolves.toBe(true)
+
       const verified = await verifyApiSignature(ctx, {
         ...Config,
         adminApiSecret: 'test-secret'

packages/auth/src/shared/utils.ts

@@ -71,9 +71,9 @@ async function canApiSignatureBeProcessed(
   config: IAppConfig
 ): Promise<boolean> {
   const { timestamp } = getSignatureParts(signature)
-  const signatureTime = Number(timestamp) * 1000
+  const signatureTime = Number(timestamp)
   const currentTime = Date.now()
-  const ttlMilliseconds = config.adminApiSignatureTtl * 1000
+  const ttlMilliseconds = config.adminApiSignatureTtlSeconds * 1000
 
   if (currentTime - signatureTime > ttlMilliseconds) return false
 

packages/auth/src/tests/apiSignature.ts

@@ -7,7 +7,7 @@ export function generateApiSignature(
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   body: any
 ): string {
-  const timestamp = Math.round(new Date().getTime() / 1000)
+  const timestamp = Date.now()
   const payload = `${timestamp}.${canonicalize(body)}`
   const hmac = createHmac('sha256', secret)
   hmac.update(payload)

packages/backend/src/config/app.ts

@@ -161,7 +161,7 @@ export const Config = {
 
   adminApiSecret: process.env.API_SECRET, // optional
   adminApiSignatureVersion: envInt('API_SIGNATURE_VERSION', 1),
-  adminApiSignatureTtl: envInt('ADMIN_API_SIGNATURE_TTL_SECONDS', 30),
+  adminApiSignatureTtlSeconds: envInt('ADMIN_API_SIGNATURE_TTL_SECONDS', 30),
 
   keyId: envString('KEY_ID'),
   privateKey: privateKeyFileValue,

packages/backend/src/shared/utils.test.ts

@@ -204,7 +204,9 @@ describe('utils', (): void => {
       )
 
       const timestamp = signature.split(', ')[0].split('=')[1]
-      const now = new Date((Number(timestamp) + 60) * 1000)
+      const now = new Date(
+        Number(timestamp) + (Config.adminApiSignatureTtlSeconds + 1) * 1000
+      )
       jest.useFakeTimers({ now })
       const ctx = createContext<AppContext>(
         {
@@ -233,11 +235,6 @@ describe('utils', (): void => {
         Config.adminApiSignatureVersion,
         requestBody
       )
-      const key = `signature:${signature}`
-      const op = redis.multi()
-      op.set(key, signature)
-      op.expire(key, Config.adminApiSignatureTtl * 1000)
-      await op.exec()
       const ctx = createContext<AppContext>(
         {
           headers: {
@@ -251,6 +248,13 @@ describe('utils', (): void => {
       )
       ctx.request.body = requestBody
 
+      await expect(
+        verifyApiSignature(ctx, {
+          ...Config,
+          adminApiSecret: 'test-secret'
+        })
+      ).resolves.toBe(true)
+
       const verified = await verifyApiSignature(ctx, {
         ...Config,
         adminApiSecret: 'test-secret'

packages/backend/src/shared/utils.ts

@@ -153,9 +153,9 @@ async function canApiSignatureBeProcessed(
   config: IAppConfig
 ): Promise<boolean> {
   const { timestamp } = getSignatureParts(signature)
-  const signatureTime = Number(timestamp) * 1000
+  const signatureTime = Number(timestamp)
   const currentTime = Date.now()
-  const ttlMilliseconds = config.adminApiSignatureTtl * 1000
+  const ttlMilliseconds = config.adminApiSignatureTtlSeconds * 1000
 
   if (currentTime - signatureTime > ttlMilliseconds) return false
 

packages/backend/src/tests/apiSignature.ts

@@ -7,7 +7,7 @@ export function generateApiSignature(
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   body: any
 ): string {
-  const timestamp = Math.round(new Date().getTime() / 1000)
+  const timestamp = Date.now()
   const payload = `${timestamp}.${canonicalize(body)}`
   const hmac = createHmac('sha256', secret)
   hmac.update(payload)

packages/backend/src/tests/quote.ts

@@ -165,11 +165,7 @@ export async function createQuote(
     maxPacketAmount: BigInt('9223372036854775807')
   })
 
-  const withGraphFetchedArray = [
-    'asset',
-    'walletAddress',
-    'walletAddress.asset'
-  ]
+  const withGraphFetchedArray = ['asset', 'walletAddress.asset']
   if (withFee) {
     withGraphFetchedArray.push('fee')
   }

packages/backend/src/webhook/service.test.ts

@@ -73,6 +73,7 @@ describe('Webhook Service', (): void => {
   })
 
   afterEach(async (): Promise<void> => {
+    jest.useRealTimers()
     await truncateTables(knex)
   })
 
@@ -317,16 +318,6 @@ describe('Webhook Service', (): void => {
     ): Scope {
       return nock(webhookUrl.origin)
         .post(webhookUrl.pathname, function (this: Definition, body) {
-          assert.ok(this.headers)
-          const headers = this.headers as Record<string, ReplyHeaderValue>
-          const signature = headers['rafiki-signature']
-          expect(
-            generateWebhookSignature(
-              body,
-              WEBHOOK_SECRET,
-              Config.signatureVersion
-            )
-          ).toEqual(signature)
           expect(body).toMatchObject({
             id: expectedEvent.id,
             type: expectedEvent.type,
@@ -356,6 +347,32 @@ describe('Webhook Service', (): void => {
       })
     })
 
+    test('Signs webhook event', async (): Promise<void> => {
+      jest.useFakeTimers({
+        now: Date.now(),
+        advanceTimers: true // needed for nock when using fake timers
+      })
+
+      const scope = nock(webhookUrl.origin)
+        .post(webhookUrl.pathname, function (this: Definition, body) {
+          assert.ok(this.headers)
+          const headers = this.headers as Record<string, ReplyHeaderValue>
+          const signature = headers['rafiki-signature']
+          expect(
+            generateWebhookSignature(
+              body,
+              WEBHOOK_SECRET,
+              Config.signatureVersion
+            )
+          ).toEqual(signature)
+          return true
+        })
+        .reply(200)
+
+      await expect(webhookService.processNext()).resolves.toEqual(event.id)
+      scope.done()
+    })
+
     test.each([[201], [400], [504]])(
       'Schedules retry if request fails (%i)',
       async (status): Promise<void> => {

packages/backend/src/webhook/service.ts

@@ -230,7 +230,7 @@ export function generateWebhookSignature(
   secret: string,
   version: number
 ): string {
-  const timestamp = Math.round(new Date().getTime() / 1000)
+  const timestamp = Date.now()
 
   const payload = `${timestamp}.${canonicalize({
     id: event.id,

packages/frontend/app/lib/apollo.server.ts

@@ -29,7 +29,7 @@ BigInt.prototype.toJSON = function (this: bigint) {
 const authLink = setContext((request, { headers }) => {
   if (!process.env.SIGNATURE_SECRET || !process.env.SIGNATURE_VERSION)
     return { headers }
-  const timestamp = Math.round(new Date().getTime() / 1000)
+  const timestamp = Date.now()
   const version = process.env.SIGNATURE_VERSION
 
   const { query, variables, operationName } = request

pnpm-lock.yaml

@@ -1,12 +1,54 @@
 import type { NormalizedCacheObject } from '@apollo/client'
-import { ApolloClient, InMemoryCache } from '@apollo/client'
+import {
+  ApolloClient,
+  InMemoryCache,
+  createHttpLink,
+  ApolloLink
+} from '@apollo/client'
+import { setContext } from '@apollo/client/link/context'
+import { print } from 'graphql/language/printer'
+import { createHmac } from 'crypto'
+import { canonicalize } from 'json-canonicalize'
 
-export function createApolloClient(
+interface CreateApolloClientArgs {
   graphqlUrl: string
+  signatureSecret?: string
+  signatureVersion?: string
+}
+
+export function createApolloClient(
+  args: CreateApolloClientArgs
 ): ApolloClient<NormalizedCacheObject> {
+  const httpLink = createHttpLink({
+    uri: args.graphqlUrl
+  })
+
+  const authLink = setContext((request, { headers }) => {
+    if (!args.signatureSecret || !args.signatureVersion) return { headers }
+    const timestamp = Date.now()
+
+    const { query, variables, operationName } = request
+    const formattedRequest = {
+      variables,
+      operationName,
+      query: print(query)
+    }
+
+    const payload = `${timestamp}.${canonicalize(formattedRequest)}`
+    const hmac = createHmac('sha256', args.signatureSecret)
+    hmac.update(payload)
+    const digest = hmac.digest('hex')
+    return {
+      headers: {
+        ...headers,
+        signature: `t=${timestamp}, v${args.signatureVersion}=${digest}`
+      }
+    }
+  })
+
   return new ApolloClient({
-    uri: graphqlUrl,
     cache: new InMemoryCache(),
+    link: ApolloLink.from([authLink, httpLink]),
     defaultOptions: {
       query: {
         fetchPolicy: 'no-cache'