diff --git a/config.js.dist b/config.js.dist
index 479949b74..379db3a3c 100644
--- a/config.js.dist
+++ b/config.js.dist
@@ -37,9 +37,17 @@ module.exports = {
 "style-src 'unsafe-inline' 'self'",
 // Unsafe inline, unsafe-eval are needed for ckeditor :(
 "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
- "child-src 'self' cryptpad.fr *.cryptpad.fr",
 "font-src 'self'",
- "connect-src 'self' wss://cryptpad.fr",
+
+ /* child-src is used to restrict iframes to a set of allowed domains.
+ * connect-src is used to restrict what domains can connect to the websocket.
+ *
+ * it is recommended that you configure these fields to match the
+ * domain which will serve your cryptpad instance.
+ */
+ // "child-src 'self' cryptpad.fr *.cryptpad.fr",
+ // "connect-src 'self' wss://cryptpad.fr",
+
 // (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
 "img-src *",
 ].join('; '),
diff --git a/rpc.js b/rpc.js
index eacaa05b2..47c63d221 100644
--- a/rpc.js
+++ b/rpc.js
@@ -55,12 +55,17 @@ RPC.create = function (config, cb) {
 switch (msg[0]) {
 case 'ECHO':
- respond(void 0, msg);
- break;
+ return void respond(void 0, msg);
+ case 'RESET':
+ return void respond('NOT_IMPLEMENTED', msg);
 case 'PIN':
+ return void respond('NOT_IMPLEMENTED', msg);
 case 'UNPIN':
+ return void respond('NOT_IMPLEMENTED', msg);
 case 'GET_HASH':
+ return void respond('NOT_IMPLEMENTED', msg);
 case 'GET_TOTAL_SIZE':
+ return void respond('NOT_IMPLEMENTED', msg);
 case 'GET_FILE_SIZE':
 if (!isValidChannel(msg[1])) {
 return void respond('INVALID_CHAN');
@@ -71,8 +76,7 @@ RPC.create = function (config, cb) {
 respond(void 0, size);
 });
 default:
- respond('UNSUPPORTED_RPC_CALL', msg);
- break;
+ return void respond('UNSUPPORTED_RPC_CALL', msg);
 }
 };
diff --git a/www/common/cryptpad-common.js b/www/common/cryptpad-common.js
index 3b7e756c6..5519916e5 100644
--- a/www/common/cryptpad-common.js
+++ b/www/common/cryptpad-common.js
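Review bot: Commenting out `child-src` and `connect-src` leaves frames and websocket connections governed only by whatever `default-src` the part of this object above the hunk sets (not visible here), so the shipped default config becomes looser than the two lines it removes rather than merely instance-neutral. Keeping an explicit self-only entry next to the commented examples, `"child-src 'self'",` and `"connect-src 'self'",`, keeps a restriction in force until an operator substitutes their own host. It would also help to say in the new comment that `connect-src` needs the instance's `wss:` origin, as the removed example shows, since that is the value operators most often get wrong. The enclosing `module.exports` object continues on both sides of the hunk.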
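Review bot: The five new `return void respond('NOT_IMPLEMENTED', msg);` lines for RESET, PIN, UNPIN, GET_HASH and GET_TOTAL_SIZE are identical, so the labels can be stacked to fall through into one body: `case 'RESET': case 'PIN': case 'UNPIN': case 'GET_HASH': case 'GET_TOTAL_SIZE': return void respond('NOT_IMPLEMENTED', msg);`. The GET_FILE_SIZE guard at the bottom of the hunk replies `respond('INVALID_CHAN')` without the `msg` argument every other branch echoes; if the client matches replies by that echoed message, this one reply cannot be matched, so `return void respond('INVALID_CHAN', msg);` would be consistent. The enclosing switch continues past the hunk.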
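Review bot: The `});` closing the GET_FILE_SIZE callback is followed directly by `default:` with no `break` or `return` between them, so unless the statement that `});` closes begins with `return` above the hunk, a GET_FILE_SIZE request falls through and is answered with `UNSUPPORTED_RPC_CALL` immediately and then again with the size when the callback fires. Since every other branch now returns, add `return;` after `});` (before the new `return void respond('UNSUPPORTED_RPC_CALL', msg);`) so the default branch is only reached for unknown types. The enclosing handler starts above the hunk.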
@@ -1004,6 +1004,13 @@ define([
 var proxy = store.getProxy();
 var fo = proxy.fo;
+ // start with your userHash...
+ var userHash = localStorage && localStorage.User_hash;
+ if (!userHash) { return null; }
+
+ var userChannel = common.parseHash(userHash).channel;
+ if (!userChannel) { return null; }
+
 var list = fo.getFilesDataFiles().map(function (href) {
 var parsed = common.parsePadUrl(href);
 if (!parsed || !parsed.hash) { return; }
@@ -1015,7 +1022,10 @@ define([
 var hex = common.base64ToHex(channel);
 return hex;
- }).filter(function (x) { return x; }).sort();
+ }).filter(function (x) { return x; });
+
+ list.push(userChannel);
+ list.sort();
 return list;
 };
diff --git a/www/common/pinpad.js b/www/common/pinpad.js
index 300650169..dce9f328c 100644
--- a/www/common/pinpad.js
+++ b/www/common/pinpad.js
@@ -12,7 +12,8 @@ define([
 var rpc = Rpc.create(network, ed);
 var checkHash = exp.checkHash = function (fileList) {
- //var fileList = fo.getFilesDataFiles();
+ fileList = fileList || Cryptpad.getUserChannelList();
+
 var channelIdList = [];
 fileList.forEach(function (href) {
 var parsedHref = Cryptpad.parsePadUrl(href);
@@ -31,12 +32,10 @@ define([
 AWESOME if they are not UNPIN all, send all
- */
 var hash = Nacl.util.encodeBase64(Nacl.hash(Nacl.util.decodeUTF8(
 JSON.stringify(uniqueList)
 )));
- console.log(hash);
 return hash;
 };
diff --git a/www/common/rpc.js b/www/common/rpc.js
index 8cb7c6f8a..25248b147 100644
--- a/www/common/rpc.js
+++ b/www/common/rpc.js
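Review bot: `common.parseHash(userHash).channel` dereferences the parse result unconditionally, whereas the `parsePadUrl` result three lines below is guarded with `if (!parsed || !parsed.hash)`; if `parseHash` can return a falsy value for a malformed stored hash, this line throws instead of returning `null` like the two guards around it. A matching guard keeps the function's null-return contract: `var parsedUser = common.parseHash(userHash); var userChannel = parsedUser && parsedUser.channel;`. Note also that `localStorage && localStorage.User_hash` only protects against a null binding; if this code ever runs where `localStorage` is not a defined global, the reference itself throws. The enclosing function begins above the hunk.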
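Review bot: `list.push(userChannel)` appends the value taken straight from `parseHash(...).channel`, while every other entry passed through `common.base64ToHex(channel)` two lines above; if `parseHash` yields the channel in the same base64 form as the pad channels, the user's own channel ends up in a different encoding from the rest of the list, and any hash or comparison built from the list treats it as a distinct channel. Converting at the push, `list.push(common.base64ToHex(userChannel));`, or a comment stating why it is already hex, settles that. `list.sort()` does not deduplicate, so a pad whose channel equals the user channel would appear twice. The enclosing function starts above the hunk.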
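Review bot: `fileList = fileList || Cryptpad.getUserChannelList();` can leave `fileList` as `null`, because `getUserChannelList` returns `null` when no user hash or user channel is available (the cryptpad-common.js hunks in this commit), and `fileList.forEach` on the next visible line then throws. Either guard here, `if (!fileList) { return; }` (or whatever empty result callers of `checkHash` expect), or have `getUserChannelList` return `[]` for that case. The context line `var rpc = Rpc.create(network, ed);` still passes two arguments, while this commit changes `create` in www/common/rpc.js to `function (network, edPrivateKey, edPublicKey)` and transmits `edPublicKey` as the sender id, so this caller would send `undefined` as its id unless `ed` is adjusted elsewhere. `checkHash` continues past the hunk.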
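Review bot: The removed `*/` reads as the terminator of the block comment whose tail (`AWESOME if they are not`, `UNPIN all, send all`) is the context just above it; if that comment opens above the hunk and has no other terminator, the file no longer parses after this change. Worth confirming the comment is still closed, and if the intent was to drop the stale notes, removing the whole comment rather than only its closing line. The enclosing `checkHash` starts above the hunk.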
@@ -4,12 +4,19 @@ define([
 '/bower_components/tweetnacl/nacl-fast.min.js',
 ], function (Encode) {
 var MAX_LAG_BEFORE_TIMEOUT = 30000;
+ var Nacl = window.nacl;
 var uid = function () {
 return Number(Math.floor(Math.random() * Number.MAX_SAFE_INTEGER))
 .toString(32).replace(/\./g, '');
 };
+ var signMsg = function (type, msg, signKey) {
+ var toSign = JSON.stringify([type, msg]);
+ var buffer = Nacl.util.decodeUTF8(toSign);
+ return Nacl.util.encodeBase64(Nacl.sign(buffer, signKey));
+ };
+
 /* types of messages:
 pin -> hash
@@ -24,14 +31,14 @@ types of messages:
 messages have the format:
 [TYPE, txid, msg]
 */
- var sendMsg = function (ctx, type, msg, cb) {
+ var sendMsg = function (ctx, type, signed, id, cb) {
 var network = ctx.network;
 var hkn = network.historyKeeper;
 var txid = uid();
 ctx.pending[txid] = cb;
- return network.sendto(hkn, JSON.stringify([txid, type, msg]));
+ return network.sendto(hkn, JSON.stringify([txid, signed, id]));
 };
 var parse = function (msg) {
@@ -68,18 +75,19 @@ types of messages:
 }
 };
- var cookie = function (ctx, cb) {
- // TODO txid
- };
-
- var signMsg = function (msg, secKey) {
- // TODO
- };
+ var create = function (network, edPrivateKey, edPublicKey) {
+ var signKey = Nacl.util.decodeBase64(edPrivateKey);
- var create = function (network, edPrivateKey) {
- if (!/[0-9a-f]{64}/.test(edPrivateKey)) {
- //throw new Error("private signing key is not valid");
+ try {
+ if (signKey.length !== 64) {
+ throw new Error('private key did not match expected length of 64');
+ }
+ } catch (err) {
+ throw new Error("private signing key is not valid");
 }
+
+ // TODO validate public key as well
+
 var ctx = {
 //privateKey: Encode.hexToUint8Array(edPrivateKey),
 seq: new Date().getTime(),
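Review bot: `signMsg` signs only `[type, msg]`, so the signature is not bound to the transaction id that `sendMsg` generates afterwards (the `@@ -24` hunk, used from `send` in the `@@ -91` hunk) nor to any freshness value; as far as this page shows, an identical signed request is indistinguishable from the original on a second delivery, and nothing ties a reply to the request that was signed. If the server is meant to verify these signatures, generating the txid before signing and signing `[type, txid, msg]` (or including `ctx.seq`) gives the verifier something to reject repeats on, and the `types of messages` comment should record exactly what the signature covers. `var Nacl = window.nacl;` is read once at module load and relies on `nacl-fast.min.js` having populated `window.nacl` by then; a one-line comment saying that is the reason for the dependency listed above would save the next reader a lookup.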
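Review bot: The comment directly above `sendMsg` still documents the wire format as `[TYPE, txid, msg]`, but the new call sends `JSON.stringify([txid, signed, id])`, and the `type` parameter kept in the new signature is no longer read anywhere in the body. Either drop `type` from `sendMsg` (and from the call in `send`) or use it, and update the comment to `messages have the format: [txid, signed, id], where signed is the base64 NaCl signed message built from [TYPE, msg] and id is the sender's public key` so the format is recorded where readers look for it.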
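Review bot: `Nacl.util.decodeBase64(edPrivateKey)` runs before the `try`, so an undefined or non-base64 key surfaces the library's own error, while the `try` block wraps only the `throw` it raises itself, which the `catch` then discards (`err` is unused) and replaces with a second message, so the length text is never seen. Moving the decode inside the `try` gives every bad key the intended `private signing key is not valid` error; otherwise drop the try/catch and throw the single descriptive error from the `if`. `edPublicKey` is accepted with no check beyond the TODO even though `send` (the next hunk) transmits it as the sender id, so at minimum `if (typeof edPublicKey !== 'string' || !edPublicKey) { throw new Error('public signing key is not valid'); }`. `create` continues past the hunk.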
@@ -91,13 +99,15 @@ types of messages:
 var pin = function (channel, cb) {
 };
 var send = function (type, msg, cb) {
- return sendMsg(ctx, type, msg, cb);
+ // construct a signed message...
+ var signed = signMsg(type, msg, signKey);
+
+ return sendMsg(ctx, type, signed, edPublicKey, cb);
 };
 network.on('message', function (msg, sender) {
 onMsg(ctx, msg);
 });
 return {
- cookie: function (cb) { cookie(ctx, cb); },
 send: send,
 };
 };
diff --git a/www/examples/rpc/main.js b/www/examples/rpc/main.js
index 37b1751d7..7ebb0c4ea 100644
--- a/www/examples/rpc/main.js
+++ b/www/examples/rpc/main.js
@@ -12,7 +12,12 @@ define([
 $(function () {
 Cryptpad.ready(function (err, env) {
 var network = Cryptpad.getNetwork();
- var rpc = RPC.create(network); // TODO signing key
+ var proxy = Cryptpad.getStore().getProxy().proxy;
+
+ var edPrivate = proxy.edPrivate;
+ var edPublic = proxy.edPublic;
+
+ var rpc = RPC.create(network, edPrivate, edPublic);
 var payload = {
 a: Math.floor(Math.random() * 1000),