add secure order retrieval

README.md

@@ -5,7 +5,7 @@ NEVidebla-EKOnomia (invisible economy)
 [![cargo-build](https://github.com/creating2morrow/neveko/actions/workflows/rust.yml/badge.svg?branch=main)](https://github.com/creating2morrow/neveko/actions/workflows/rust.yml)
 [![cargo-audit](https://github.com/creating2morrow/neveko/actions/workflows/audit.yml/badge.svg?branch=main)](https://github.com/creating2morrow/neveko/actions/workflows/audit.yml)
 
-### gpg and i2p made simple for end-to-end encrypted, secure marketplace, messaging and more
+### gpg and i2p made simple for E2EE marketplace, messaging and more
 
 ## About
 

neveko-core/src/auth.rs

@@ -101,8 +101,13 @@ pub async fn verify_login(aid: String, uid: String, signature: String) -> Author
         return create(&address);
     }
     let data: String = String::from(&f_auth.rnd);
-    let sig_address: String =
+    let is_valid_sig: bool =
         monero::verify(String::from(&address), data, String::from(&signature)).await;
+    let sig_address: String = if is_valid_sig {
+        String::from(&address)
+    } else {
+        utils::ApplicationErrors::LoginError.value()
+    };
     if sig_address == utils::ApplicationErrors::LoginError.value() {
         error!("signature validation failed");
         monero::close_wallet(&wallet_name, &wallet_password).await;
@@ -155,8 +160,13 @@ async fn verify_access(address: &String, signature: &String) -> bool {
     }
     // verify signature on the data if not expired
     let data = f_auth.rnd;
-    let sig_address: String =
+    let is_valid_sig: bool =
         monero::verify(String::from(address), data, String::from(signature)).await;
+    let sig_address: String = if is_valid_sig {
+        String::from(address)
+    } else {
+        utils::ApplicationErrors::LoginError.value()
+    };
     if sig_address == utils::ApplicationErrors::LoginError.value() {
         debug!("signing failed");
         return false;

neveko-core/src/monero.rs

@@ -135,8 +135,7 @@ pub fn start_daemon() {
         debug!("{:?}", output.stdout);
     } else {
         let args = [
-            "
+            "--data-dir",
-            --data-dir",
             &blockchain_dir,
             "--tx-proxy",
             &tx_proxy,
@@ -302,7 +301,7 @@ pub async fn check_rpc_connection() -> () {
 }
 
 /// Performs the xmr rpc 'verify' method
-pub async fn verify(address: String, data: String, signature: String) -> String {
+pub async fn verify(address: String, data: String, signature: String) -> bool {
     info!("executing {}", RpcFields::Verify.value());
     let client = reqwest::Client::new();
     let host = get_rpc_host();
@@ -330,15 +329,15 @@ pub async fn verify(address: String, data: String, signature: String) -> String
             match res {
                 Ok(res) => {
                     if res.result.good {
-                        req.params.address
+                        true
                     } else {
-                        utils::ApplicationErrors::LoginError.value()
+                        false
                     }
                 }
-                _ => utils::ApplicationErrors::LoginError.value(),
+                _ => false,
             }
         }
-        Err(_e) => utils::ApplicationErrors::LoginError.value(),
+        Err(_e) => false,
     }
 }
 

neveko-core/src/order.rs

@@ -1,4 +1,5 @@
 use crate::{
+    contact,
     db,
     models::*,
     monero,
@@ -16,7 +17,7 @@ use rocket::serde::json::Json;
   TODOs(c2m):
     - API to validate payment and import multisig info, update to multisig complete
     - API to upload gpg encrypted tracking number, update order to shipped
-      release tracking (locker code?) when txset is released, update to delivered
+    - release tracking (locker code?) when txset is released, update to delivered
 */
 
 enum StatusType {
@@ -167,6 +168,33 @@ pub async fn sign_and_submit_multisig(
     r_submit
 }
 
+/// In order for the order (...ha) to only be accessed by the customer
+///
+/// they must sign the order id with their NEVEKO wallet instance. This means
+///
+/// that the mediator can see order id for disputes without being able to access
+///
+/// the details of said order.
+pub async fn retrieve_order(orid: &String, signature: &String) -> Order {
+    // get customer address for NEVEKO NOT order wallet
+    let m_order: Order = find(&orid);
+    let mut xmr_address: String = String::new();
+    let a_customers: Vec<Contact> = contact::find_all();
+    for customer in a_customers {
+        if customer.i2p_address == m_order.cid {
+            xmr_address = customer.xmr_address;
+        }
+    }
+    // send address, orid and signature to verify()
+    let id: String = String::from(&m_order.orid);
+    let sig: String = String::from(signature);
+    let is_valid_signature = monero::verify(xmr_address, id, sig).await;
+    if !is_valid_signature {
+        return Default::default();
+    }
+    m_order
+}
+
 pub async fn validate_order_for_ship() -> bool {
     info!("validating order for shipment");
     // import multisig info

src/controller.rs

@@ -98,22 +98,21 @@ pub async fn create_order(
     Custom(Status::Created, Json(m_order))
 }
 
-/// TODO(c2m): Customer order retreival. Must send `signature`
+/// Customer order retreival. Must send `signature`
 ///
-/// which is the order id signed by the wallet.
+/// which is the order id signed by the NEVEKO wallet.
 ///
 /// Protected: true
-#[get("/order/retrieve/<orid>/<_signature>")]
+#[get("/order/retrieve/<orid>/<signature>")]
 pub async fn retrieve_order(
     orid: String,
-    _signature: String,
+    signature: String,
     _jwp: proof::PaymentProof,
 ) -> Custom<Json<models::Order>> {
-    // get customer address
+    let m_order = order::retrieve_order(&orid, &signature).await;
-
+    if m_order.cid == utils::empty_string() {
-    // send address, orid and signature to verify()
+        return Custom(Status::BadRequest, Json(Default::default()));
-
+    }
-    let m_order: models::Order = order::find(&orid);
     Custom(Status::Created, Json(m_order))
 }