Mirrors/chatmail-core
1
0
Fork 0
mirror of https://github.com/chatmail/core.git synced 2026-05-08 09:26:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix: Fix order of operations when handling "vc-request-with-auth" (#6850)

Browse Source
This commit is contained in:
Hocuri
2025-05-12 16:52:10 +02:00
committed by GitHub
parent 8fb3a7514e
commit a981573e48
2 changed files with 40 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/securejoin.rs
View File

@@ -374,14 +374,6 @@ pub(crate) async fn handle_securejoin_handshake(
); );
return Ok(HandshakeMessage::Ignore); return Ok(HandshakeMessage::Ignore);
} }
if !verify_sender_by_fingerprint(context, &fingerprint, contact_id).await? {
warn!(
context,
"Ignoring {step} message because of fingerprint mismatch."
);
return Ok(HandshakeMessage::Ignore);
}
info!(context, "Fingerprint verified.",);
// verify that the `Secure-Join-Auth:`-header matches the secret written to the QR code // verify that the `Secure-Join-Auth:`-header matches the secret written to the QR code
let Some(auth) = mime_message.get_header(HeaderDef::SecureJoinAuth) else { let Some(auth) = mime_message.get_header(HeaderDef::SecureJoinAuth) else {
warn!( warn!(
@@ -408,6 +400,14 @@ pub(crate) async fn handle_securejoin_handshake(
} }
}; };
if !verify_sender_by_fingerprint(context, &fingerprint, contact_id).await? {
warn!(
context,
"Ignoring {step} message because of fingerprint mismatch."
);
return Ok(HandshakeMessage::Ignore);
}
let contact_addr = Contact::get_by_id(context, contact_id) let contact_addr = Contact::get_by_id(context, contact_id)
.await? .await?
.get_addr() .get_addr()
@@ -427,6 +427,7 @@ pub(crate) async fn handle_securejoin_handshake(
); );
return Ok(HandshakeMessage::Ignore); return Ok(HandshakeMessage::Ignore);
} }
info!(context, "Fingerprint verified via Auth code.",);
contact_id.regossip_keys(context).await?; contact_id.regossip_keys(context).await?;
ContactId::scaleup_origin(context, &[contact_id], Origin::SecurejoinInvited).await?; ContactId::scaleup_origin(context, &[contact_id], Origin::SecurejoinInvited).await?;
// for setup-contact, make Alice's one-to-one chat with Bob visible // for setup-contact, make Alice's one-to-one chat with Bob visible
@@ -434,7 +435,6 @@ pub(crate) async fn handle_securejoin_handshake(
if !join_vg { if !join_vg {
ChatId::create_for_contact(context, contact_id).await?; ChatId::create_for_contact(context, contact_id).await?;
} }
info!(context, "Auth verified.",);
context.emit_event(EventType::ContactsChanged(Some(contact_id))); context.emit_event(EventType::ContactsChanged(Some(contact_id)));
inviter_progress(context, contact_id, 600); inviter_progress(context, contact_id, 600);
if let Some(group_chat_id) = group_chat_id { if let Some(group_chat_id) = group_chat_id {

31
src/securejoin/securejoin_tests.rs
View File

@@ -951,3 +951,34 @@ async fn test_parallel_setup_contact() -> Result<()> {
Ok(()) Ok(())
} }
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn test_wrong_auth_token() -> Result<()> {
let mut tcm = TestContextManager::new();
let alice = &tcm.alice().await;
let bob = &tcm.bob().await;
// Bob should already have Alice's key
// so that he can directly send vc-request-with-auth
tcm.send_recv(alice, bob, "hi").await;
let alice_qr = get_securejoin_qr(alice, None).await?;
println!("{}", &alice_qr);
let invalid_alice_qr = alice_qr.replace("&s=", "&s=INVALIDAUTHTOKEN&someotherkey=");
join_securejoin(bob, &invalid_alice_qr).await?;
let sent = bob.pop_sent_msg().await;
let msg = alice.parse_msg(&sent).await;
assert_eq!(
msg.get_header(HeaderDef::SecureJoin).unwrap(),
"vc-request-with-auth"
);
alice.recv_msg_trash(&sent).await;
let alice_bob_contact = alice.add_or_lookup_contact(bob).await;
assert!(!alice_bob_contact.is_forward_verified(alice).await?);
Ok(())
}