diff --git a/README.md b/README.md index 3fba5c1..cc343fd 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ NEVidebla-EKOnomia (invisible economy) [![cargo-build](https://github.com/creating2morrow/neveko/actions/workflows/rust.yml/badge.svg?branch=main)](https://github.com/creating2morrow/neveko/actions/workflows/rust.yml) [![cargo-audit](https://github.com/creating2morrow/neveko/actions/workflows/audit.yml/badge.svg?branch=main)](https://github.com/creating2morrow/neveko/actions/workflows/audit.yml) -### gpg and i2p made simple for end-to-end encrypted, secure marketplace, messaging and more +### gpg and i2p made simple for E2EE marketplace, messaging and more ## About diff --git a/neveko-core/src/auth.rs b/neveko-core/src/auth.rs index 5d05e80..fa7e8e5 100644 --- a/neveko-core/src/auth.rs +++ b/neveko-core/src/auth.rs @@ -101,8 +101,13 @@ pub async fn verify_login(aid: String, uid: String, signature: String) -> Author return create(&address); } let data: String = String::from(&f_auth.rnd); - let sig_address: String = + let is_valid_sig: bool = monero::verify(String::from(&address), data, String::from(&signature)).await; + let sig_address: String = if is_valid_sig { + String::from(&address) + } else { + utils::ApplicationErrors::LoginError.value() + }; if sig_address == utils::ApplicationErrors::LoginError.value() { error!("signature validation failed"); monero::close_wallet(&wallet_name, &wallet_password).await; @@ -155,8 +160,13 @@ async fn verify_access(address: &String, signature: &String) -> bool { } // verify signature on the data if not expired let data = f_auth.rnd; - let sig_address: String = + let is_valid_sig: bool = monero::verify(String::from(address), data, String::from(signature)).await; + let sig_address: String = if is_valid_sig { + String::from(address) + } else { + utils::ApplicationErrors::LoginError.value() + }; if sig_address == utils::ApplicationErrors::LoginError.value() { debug!("signing failed"); return false; diff --git a/neveko-core/src/monero.rs b/neveko-core/src/monero.rs index eb44f3a..9ab1f09 100644 --- a/neveko-core/src/monero.rs +++ b/neveko-core/src/monero.rs @@ -135,8 +135,7 @@ pub fn start_daemon() { debug!("{:?}", output.stdout); } else { let args = [ - " - --data-dir", + "--data-dir", &blockchain_dir, "--tx-proxy", &tx_proxy, @@ -302,7 +301,7 @@ pub async fn check_rpc_connection() -> () { } /// Performs the xmr rpc 'verify' method -pub async fn verify(address: String, data: String, signature: String) -> String { +pub async fn verify(address: String, data: String, signature: String) -> bool { info!("executing {}", RpcFields::Verify.value()); let client = reqwest::Client::new(); let host = get_rpc_host(); @@ -330,15 +329,15 @@ pub async fn verify(address: String, data: String, signature: String) -> String match res { Ok(res) => { if res.result.good { - req.params.address + true } else { - utils::ApplicationErrors::LoginError.value() + false } } - _ => utils::ApplicationErrors::LoginError.value(), + _ => false, } } - Err(_e) => utils::ApplicationErrors::LoginError.value(), + Err(_e) => false, } } diff --git a/neveko-core/src/order.rs b/neveko-core/src/order.rs index bcb2cab..eb2893a 100644 --- a/neveko-core/src/order.rs +++ b/neveko-core/src/order.rs @@ -1,4 +1,5 @@ use crate::{ + contact, db, models::*, monero, @@ -16,7 +17,7 @@ use rocket::serde::json::Json; TODOs(c2m): - API to validate payment and import multisig info, update to multisig complete - API to upload gpg encrypted tracking number, update order to shipped - release tracking (locker code?) when txset is released, update to delivered + - release tracking (locker code?) when txset is released, update to delivered */ enum StatusType { @@ -167,6 +168,33 @@ pub async fn sign_and_submit_multisig( r_submit } +/// In order for the order (...ha) to only be accessed by the customer +/// +/// they must sign the order id with their NEVEKO wallet instance. This means +/// +/// that the mediator can see order id for disputes without being able to access +/// +/// the details of said order. +pub async fn retrieve_order(orid: &String, signature: &String) -> Order { + // get customer address for NEVEKO NOT order wallet + let m_order: Order = find(&orid); + let mut xmr_address: String = String::new(); + let a_customers: Vec = contact::find_all(); + for customer in a_customers { + if customer.i2p_address == m_order.cid { + xmr_address = customer.xmr_address; + } + } + // send address, orid and signature to verify() + let id: String = String::from(&m_order.orid); + let sig: String = String::from(signature); + let is_valid_signature = monero::verify(xmr_address, id, sig).await; + if !is_valid_signature { + return Default::default(); + } + m_order +} + pub async fn validate_order_for_ship() -> bool { info!("validating order for shipment"); // import multisig info diff --git a/src/controller.rs b/src/controller.rs index 8684f0c..1227186 100644 --- a/src/controller.rs +++ b/src/controller.rs @@ -98,22 +98,21 @@ pub async fn create_order( Custom(Status::Created, Json(m_order)) } -/// TODO(c2m): Customer order retreival. Must send `signature` +/// Customer order retreival. Must send `signature` /// -/// which is the order id signed by the wallet. +/// which is the order id signed by the NEVEKO wallet. /// /// Protected: true -#[get("/order/retrieve//<_signature>")] +#[get("/order/retrieve//")] pub async fn retrieve_order( orid: String, - _signature: String, + signature: String, _jwp: proof::PaymentProof, ) -> Custom> { - // get customer address - - // send address, orid and signature to verify() - - let m_order: models::Order = order::find(&orid); + let m_order = order::retrieve_order(&orid, &signature).await; + if m_order.cid == utils::empty_string() { + return Custom(Status::BadRequest, Json(Default::default())); + } Custom(Status::Created, Json(m_order)) }