security(2820): More secure frontend<->backend socket secret generation/verification (#2928)

* Use libsodium for generating and verifying socketiosecrets

- updates verification for all environments
- updates secret gen on desktop
- mobile still in progress

* Add libsodium to android and properly generate socket IO secret

* Fix mobile issues and use hex vs base64 for compatibility with android library

* Make secrets on ios hex strings

* Update changelog

* Accidental commit

* Remove debug log

* Another

Author: islathehut

3rd-party/auth

@@ -1,5 +1,13 @@
 # Changelog
 
+## [Unreleased]
+
+### Security
+
+* Use libsodium for socketIOSecret comparison and migrate logic from common to backend [#2820](https://github.com/TryQuiet/quiet/issues/2820)
+* Use libsodium for socketIOSecret generation in desktop and android [#2820](https://github.com/TryQuiet/quiet/issues/2820)
+* Simplify/standardize socketIOSecret generation on IOS (no libsodium) [#2820](https://github.com/TryQuiet/quiet/issues/2820)
+
 ## [6.0.0]
 
 ### Features

CHANGELOG.md

@@ -71,7 +71,6 @@
     "@types/express": "^4.17.9",
     "@types/get-port": "4.2.0",
     "@types/jest": "28.1.8",
-    "@types/libsodium-wrappers-sumo": "^0.7.8",
     "@types/luxon": "^3.4.2",
     "@types/mock-fs": "^4.13.1",
     "@types/node": "18.11.9",
@@ -124,6 +123,7 @@
     "@libp2p/websockets": "^9.1.0",
     "@localfirst/auth": "file:../../3rd-party/auth/packages/auth/dist",
     "@localfirst/crdx": "file:../../3rd-party/auth/packages/crdx/dist",
+    "@localfirst/crypto": "file:../../3rd-party/auth/packages/crypto/dist",
     "@multiformats/multiaddr": "^12.3.0",
     "@multiformats/multiaddr-matcher": "^1.6.0",
     "@multiformats/multiaddr-to-uri": "^10.1.0",
@@ -176,7 +176,6 @@
     "joi": "^17.13.3",
     "level": "8.0.1",
     "libp2p": "2.4.2",
-    "libsodium-wrappers-sumo": "0.7.15",
     "luxon": "^3.4.4",
     "multiformats": "13.3.1",
     "node-fetch": "^3.3.0",

packages/backend/package-lock.json

@@ -36,10 +36,10 @@ import { Server as SocketIO } from 'socket.io'
 import { StorageModule } from './storage/storage.module'
 import { IpfsModule } from './ipfs/ipfs.module'
 import { Level } from 'level'
-import { verifyToken } from '@quiet/common'
 import { createLogger } from './common/logger'
 import { SocketActionsMap, SocketEventsMap } from '@quiet/types'
 import { QSSModule } from './qss/qss.module'
+import { verifyToken } from './common/token'
 
 const logger = createLogger('appModule')
 
@@ -115,7 +115,7 @@ export class AppModule {
               pingTimeout: 30_000,
             })
             // @ts-ignore
-            io.engine.use((req, res, next) => {
+            io.engine.use(async (req, res, next) => {
               const authHeader = req.headers['authorization']
               if (!authHeader) {
                 _ioLogger.error('Backend server: No authorization header')
@@ -132,7 +132,7 @@ export class AppModule {
                 return
               }
 
-              if (verifyToken(options.socketIOSecret, token)) {
+              if (await verifyToken(options.socketIOSecret, token)) {
                 next()
               } else {
                 _ioLogger.error('Backend server: Unauthorized')

packages/backend/package.json

@@ -0,0 +1,34 @@
+import { to_hex, to_base64, randomBytes, base64_variants } from '@localfirst/crypto'
+
+import { verifyToken } from './token'
+import { createLogger } from './logger'
+
+const logger = createLogger('token:test')
+
+describe('token', () => {
+  describe('verifyToken', () => {
+    it('returns true for matching tokens', async () => {
+      const token = to_hex(randomBytes(32))
+      expect(await verifyToken(token, token)).toBeTruthy()
+    })
+
+    it('returns false for non-matching tokens', async () => {
+      const token1 = to_hex(randomBytes(32))
+      const token2 = to_hex(randomBytes(32))
+      expect(await verifyToken(token1, token2)).toBeFalsy()
+    })
+
+    it('returns false for tokens in different encodings', async () => {
+      const bytes = randomBytes(32)
+      const token1 = to_base64(bytes, base64_variants.ORIGINAL)
+      const token2 = to_hex(bytes)
+      expect(await verifyToken(token1, token2)).toBeFalsy()
+    })
+
+    it('returns false for tokens of different lengths', async () => {
+      const token1 = to_hex(randomBytes(32))
+      const token2 = to_hex(randomBytes(8))
+      expect(await verifyToken(token1, token2)).toBeFalsy()
+    })
+  })
+})

packages/backend/src/nest/app.module.ts

@@ -0,0 +1,16 @@
+import { from_hex, compare } from '@localfirst/crypto'
+import { createLogger } from './logger'
+
+const logger = createLogger('token')
+
+export const verifyToken = async (secret: string, token: string): Promise<boolean> => {
+  try {
+    const secretBytes = from_hex(secret)
+    const tokenBytes = from_hex(token)
+    const result = compare(secretBytes, tokenBytes)
+    return result === 0
+  } catch (e) {
+    console.error('Error while comparing tokens', e)
+    return false
+  }
+}

packages/backend/src/nest/common/token.spec.ts

@@ -10,7 +10,6 @@ export * from './naming'
 export * from './fileData'
 export * from './libp2p'
 export * from './tests'
-export * from './auth'
 export * from './messages'
 export * from './compare'
 export * from './dir'