Add mnemonic validation #9648

Merged Jan 6, 2020 (1 commit)

Contributor

@acolytec3 acolytec3 commented Dec 11, 2019

Fixes #9050 and #9670

Summary

In account recovery, status-react doesn't currently validate that a mnemonic seed phrase only contains words from the BIP39 dictionary and also doesn't validate the checksum. This PR will ultimately replace the existing mnemonic validation code in the account-recovery flow with a single call to validate-mnemonic from status-go that validates the checksum appropriately.

Testing notes

Needs to be tested on iOS as I do not have a Mac or iPhone so can't test the iOS native code.

Platforms

  • Android
  • iOS

Areas that may be impacted

Account onboarding

Functional
  • account recovery
  • new account

Steps to test

For #9050

  • Open Status
  • Select recover an account from seed phrase
  • Enter an invalid seedphrase with the right number of words but with one not in the BIP39 dictionary
  • Verify that error message is presented

For #9670

  • Open Status
  • Select recover an account from seed phrase
  • Enter a valid seedphrase
  • Add spaces at end
  • Verify that it generates the same multiaccount as with no spaces

status: ready

@acolytec3 acolytec3 requested a review from a team as a code owner December 11, 2019 18:42
@ghost

ghost commented Dec 11, 2019

Pull Request Checklist

  • Docs: Updated the documentation, if affected
  • Docs: Added or updated inline comments explaining intention of the code
  • Tests: Ensured that all new UI elements have been assigned accessibility IDs
  • Tests: Signaled need for E2E tests with label, if applicable
  • Tests: Briefly described what was tested and what platforms were used
  • UI: In case of UI changes, ensured that UI matches Figma
  • UI: In case of UI changes, requested review from a Core UI designer
  • UI: In case of UI changes, included screenshots of implementation

@acolytec3
Contributor Author

@yenda @flexsurfer This is just a start on a PR to use the new status-go validateMnemonic method I'm implementing but need some initial assistance. I'm not sure how to make a new status-go function available to be called by status-react. I've tried to follow the pattern for other functions exposed by the status-go api (e.g. Identicon) and added my function to the native-module and externs files but I'm getting an "undefined" error when I try to call it. Are there other places I need to update before I can call the new function or does this sound like I'm compiling the status-go side wrong?

@status-im-auto
Member

status-im-auto commented Dec 11, 2019

Jenkins Builds

Commit #️⃣ Finished (UTC) Duration Platform Result
✔️ adc1d4d #1 2019-12-11 18:51:01 ~8 min ios 📦ipa 📲
✔️ adc1d4d #1 2019-12-11 18:54:14 ~11 min android 📦apk 📲
✔️ adc1d4d #1 2019-12-11 18:56:01 ~13 min android-e2e 📦apk 📲
6168b22 #2 2019-12-14 11:55:30 ~3 min ios 📄log
6168b22 #2 2019-12-14 11:59:26 ~7 min android-e2e 📄log
6168b22 #2 2019-12-14 12:03:08 ~10 min android 📄log
1058408 #3 2019-12-17 10:44:21 ~21 sec android 📄log
1058408 #3 2019-12-17 10:44:25 ~18 sec ios 📄log
1058408 #3 2019-12-17 10:47:30 ~3 min android-e2e 📄log
e7dee19 #4 2019-12-18 20:55:02 ~8 min ios 📄log
e7dee19 #4 2019-12-18 20:59:24 ~12 min android-e2e 📄log
5e10ee9 #5 2019-12-18 20:59:32 ~18 sec android 📄log
5e10ee9 #5 2019-12-18 20:59:36 ~19 sec ios 📄log
5e10ee9 #5 2019-12-18 21:11:03 ~11 min android-e2e 📄log
affc9f0 #6 2019-12-19 10:03:41 ~8 min ios 📄log
affc9f0 #6 2019-12-19 10:08:57 ~13 min android-e2e 📄log
affc9f0 #6 2019-12-19 10:09:16 ~13 min android 📄log
0642731 #7 2019-12-19 12:23:57 ~8 min ios 📄log
0642731 #7 2019-12-19 12:27:44 ~12 min android 📄log
0642731 #7 2019-12-19 12:31:55 ~16 min android-e2e 📄log
✔️ bc7c017 #8 2019-12-23 02:11:31 ~9 min ios 📦ipa 📲
✔️ bc7c017 #8 2019-12-23 02:15:06 ~12 min android 📦apk 📲
✔️ bc7c017 #8 2019-12-23 02:17:18 ~14 min android-e2e 📦apk 📲
114e0ee #9 2019-12-30 20:25:35 ~6 min android 📄log
114e0ee #9 2019-12-30 20:27:16 ~8 min android-e2e 📄log
✔️ 114e0ee #9 2019-12-30 20:28:03 ~9 min ios 📦ipa 📲
44962ba #10 2019-12-31 10:52:37 ~28 sec ios 📄log
✔️ 6efdaa6 #11 2019-12-31 11:03:46 ~9 min ios 📦ipa 📲
✔️ 6efdaa6 #11 2019-12-31 11:05:16 ~11 min android-e2e 📦apk 📲
✔️ 6efdaa6 #11 2019-12-31 11:05:53 ~11 min android 📦apk 📲
✔️ 1e171f7 #12 2020-01-02 20:54:23 ~12 min ios 📦ipa 📲
✔️ 1e171f7 #12 2020-01-02 21:00:32 ~18 min android 📦apk 📲
✔️ 1e171f7 #12 2020-01-02 21:05:33 ~23 min android-e2e 📦apk 📲
✔️ f309d6e #13 2020-01-06 11:16:08 ~9 min ios 📦ipa 📲
✔️ f309d6e #13 2020-01-06 11:20:30 ~13 min android-e2e 📦apk 📲
✔️ f309d6e #13 2020-01-06 11:20:34 ~13 min android 📦apk 📲

@acolytec3
Copy link
Contributor Author

acolytec3 commented Dec 16, 2019

Status-go BIP39 PR is now merged. So...how long until that gets folded into the version of status-go that the status-react/develop branch uses? I either need that to happen or else some direction on why the validate-mnemonic function I added to the native-module is returning an error about can't call undefined before I can make any more forward progress on this PR. @flexsurfer @yenda, @rasom, can any of you point me in the right direction with regard to how to access status-go methods? I'm using the directions on how to build with a locally checked out status-go repo and everything compiles but it doesn't seem like my local build of status-react knows that there is a validateMnemonic method in the local status-go build.

@yenda
Contributor

yenda commented Dec 17, 2019

@acolytec3 Hi nice to see you on another issue!

So there are two ways status-react communicates with status-go:

  • direct calls
  • rpc methods (which uses the direct call rpc-call)

When you are using an rpc method, you don't need to write any new native code. But these only work when a node is started, which is not the case here. So the mnemonic validation is implemented as a direct call, which means you need to write some native code.

This is not very hard though, because you can basically mimic what is done with other calls. The module is in https://github.com/status-im/status-react/tree/develop/modules/react-native-status

For Android it's this file, in which I highlighted the kind of method you want to mimic: https://github.com/status-im/status-react/blob/develop/modules/react-native-status/android/src/main/java/im/status/ethereum/module/StatusModule.java#L1194-L1215

Same for iOS:
https://github.com/status-im/status-react/blob/develop/modules/react-native-status/ios/RCTStatus/RCTStatus.m#L610-L618

@acolytec3
Contributor Author

@yenda Thanks for the guidance. I added the native code that seems to be necessary for Android and now Gradle is throwing the below error.

Error: Command failed: ./gradlew app:installDebug -PreactNativeDevServerPort=8081
/home/jim/status-react/modules/react-native-status/android/src/main/java/im/status/ethereum/module/StatusModule.java:1268: error: cannot find symbol
                String resMnemonic = Statusgo.ValidateMnemonic(mnemonic);
                                             ^
  symbol:   method ValidateMnemonic(String)
  location: class Statusgo

This seems to indicate to me that Statusgo still isn't being compiled from the correct source since it can't find the ValidateMnemonic function that's exposed in the status.go module.

To make sure I'm doing this right, here are my build steps:

  1. Verify that my local status-go branch is checked out to the correct branch (validate-bip39-checksum in this case)
  2. export STATUS_GO_SRC_OVERRIDE=/home/jim/status-go
  3. make startdev-android-real
  4. Verify that iOS Build setup #3 is using the local version of status-go (output log below seems correct)
    trace: Using local status-go sources from /home/jim/status-go
  5. make react-native-android
  6. make run-android

Is there something else I'm missing in terms of where I need to add references to ValidateMnemonic?

@flexsurfer
Member

hey @acolytec3 are you sure your go version is used? try this: make run-android STATUS_GO_SRC_OVERRIDE=/home/jim/status-go

@flexsurfer
Member

or do you know if you made changes for ValidateMnemonic method in status-go so it's available in status-react? I'm not familiar with status-go, might be @cammellos could help

@acolytec3
Contributor Author

@flexsurfer I think our responses crossed in the ether :-) See my response above. I outlined the steps I'm currently taking which include the one you suggested. And yes, I did add ValidateMnemonic to the status.go file. It's merged on the status-go side so as soon as status-react bumps up to the latest version of status-go, I'm hoping this issue will naturally resolve itself.

@cammellos Any thoughts on my process above? Is there something else that you see I'm missing?

@flexsurfer
Member

@acolytec3 I mean you need to export variable for make run-android; in your steps you do it for make startdev-android-real

@acolytec3
Contributor Author

@flexsurfer Oh, so I have to do it explicitly in make run-android even though I've already exported it globally? I missed that. I'll try that once my environment settles down. Gradle decided to bork itself so having to completely rebuild the repo again locally before I start coding again.

@yenda
Contributor

yenda commented Dec 17, 2019

@acolytec3 since the method you want is already merged in status-go develop you should just rebase your branch and it should be included because I updated status-go version yesterday after merging my account PR

@acolytec3
Contributor Author

@yenda Thanks for calling that out. I've got it working locally now and should have the basics of the PR done tomorrow morning if life allows.

@acolytec3
Contributor Author

acolytec3 commented Dec 18, 2019

@yenda @flexsurfer @errorists @rasom Is below the error message we want to use when a mnemonic doesn't pass validate-mnemonic? That's what I have happening in my local build and it still lets you recover an account using the unsafe seed phrase.

@flexsurfer
Member

@acolytec3 the goal of this task is to prevent importing custom phrases, so we need to change this popup, @andmironov do we have a design? @acolytec3, for now, I would just remove "continue" button and last sentence "If so, you'll...."

@andmironov

Only this, not sure about the copy.

Figma: https://www.figma.com/file/dEIljL7UPbXgsZUA0Q4qlE5E/Onboarding?node-id=4540%3A11552

@acolytec3 acolytec3 force-pushed the add-mnemonic-validation branch from 1058408 to e7dee19 Compare December 18, 2019 20:46
@acolytec3 acolytec3 changed the title Add mnemonic validation - WIP Add mnemonic validation Dec 18, 2019
@acolytec3
Contributor Author

@yenda @flexsurfer @andmironov Here's what it looks like with the language removed from above. This look good?

@acolytec3
Contributor Author

acolytec3 commented Dec 18, 2019

@yenda @flexsurfer @rasom This is now working locally and fixes both #9050 and #9670. Can someone tell me what the jenkins errors are keeping it from being built?

@flexsurfer
Member

@acolytec3 to fix builds you need to rebase onto the latest develop

@flexsurfer
Member

@hesterbruikman @rachelhamlin could pls take a look #9648 (comment)

@acolytec3 acolytec3 force-pushed the add-mnemonic-validation branch 2 times, most recently from 44962ba to 6efdaa6 Compare December 31, 2019 10:53
@acolytec3
Contributor Author

Everything is rebased on current develop and Jenkins builds are completing so should be ready for testing. Thanks all!

@Serhy Serhy self-assigned this Jan 2, 2020
@statustestbot

98% of end-end tests have passed

Total executed tests: 99
Failed tests: 2
Passed tests: 97

Failed tests (2)

1. test_offline_messaging_1_1_chat

Device 1: Tap on AirplaneModeButton
Device 1: Looking for an element by text part: 'MmsService'

Device 1: 'ChatElement' is not found on the screen

2. test_pass_phrase_validation

Device 1: Tap on CancelCustomSeedPhraseButton
Device 1: Tap on NextButton

Device 1: 'ContinueCustomSeedPhraseButton' is not found on the screen

Passed tests (97)

1. test_unread_messages_counter_1_1_chat
2. test_delete_public_chat_via_delete_button
3. test_request_public_key_status_test_daap
4. test_open_public_chat_using_deep_link
5. test_decline_invitation_to_group_chat
6. test_ens_username_recipient
7. test_delete_one_to_one_chat_via_delete_button
8. test_offline_status
9. test_open_transaction_on_etherscan
10. test_open_chat_by_pasting_public_key
11. test_password_in_logcat_creating_account
12. test_can_use_purchased_stickers_on_recovered_account
13. test_modify_transaction_fee_values
14. test_mobile_data_usage_settings
15. test_delete_group_chat_via_delete_button
16. test_open_google_com_via_open_dapp
17. test_logcat_backup_recovery_phrase
18. test_search_chat_on_home
19. test_unread_messages_counter_public_chat
20. test_send_two_transactions_one_after_another_in_dapp
21. test_message_marked_as_sent_in_1_1_chat
22. test_can_open_dapp_from_dapp_store
23. test_user_can_switch_network
24. test_public_chat_clear_history
25. test_wallet_set_up
26. test_send_funds_between_accounts_in_multiaccount_instance
27. test_group_chat_system_messages
28. test_fetch_more_history_in_empty_chat
29. test_mobile_data_usage_popup_continue_syncing
30. test_add_to_contacts
31. test_dapps_permissions
32. test_long_press_delete_clear_all_dapps
33. test_need_help_section
34. test_transaction_wrong_password_wallet
35. test_pair_devices_sync_name_photo_public_group_chats
36. test_text_message_1_1_chat
37. test_install_pack_and_send_sticker
38. test_make_admin_member_of_group_chat
39. test_add_account_to_multiaccount_instance
40. test_send_emoji
41. test_copy_and_paste_messages
42. test_set_profile_picture
43. test_clear_history_of_group_chat_via_group_view
44. test_send_eth_from_wallet_to_address
45. test_messaging_in_different_networks
46. test_start_chat_with_ens
47. test_logcat_recovering_account
48. test_user_can_complete_tx_to_dapp_when_onboarding_via_dapp_completed
49. test_connection_is_secure
50. test_user_can_see_all_own_assets_after_account_recovering
51. test_add_new_group_chat_member
52. test_pair_devices_sync_one_to_one_contacts
53. test_add_and_remove_contact_from_public_chat
54. test_send_transaction_from_daap
55. test_onboarding_screen_when_requesting_tokens_for_recovered_account
56. test_long_press_to_delete_1_1_chat
57. test_add_and_delete_watch_only_account_to_multiaccount_instance
58. test_open_blocked_site
59. test_refresh_button_browsing_app_webview
60. test_public_chat_messaging
61. test_user_can_remove_profile_picture
62. test_remove_member_from_group_chat
63. test_send_token_with_7_decimals
64. test_sign_message_from_daap
65. test_send_message_in_group_chat
66. test_deploy_contract_from_daap
67. test_recover_account_from_new_user_seedphrase
68. test_add_custom_token
69. test_send_and_open_links
70. test_manage_assets
71. test_share_contact_code_and_wallet_address
72. test_redirect_to_public_chat_tapping_tag_message
73. test_block_user_from_public_chat
74. test_ens_in_public_and_1_1_chats
75. test_sign_typed_message
76. test_create_new_group_chat
77. test_password_in_logcat_sign_in
78. test_account_recovery_with_uppercase_recovery_phrase
79. test_send_message_to_newly_added_contact
80. test_logcat_sign_message_from_daap
81. test_mobile_data_usage_popup_stop_syncing
82. test_collectible_from_wallet_opens_in_browser_view
83. test_logcat_send_transaction_from_daap
84. test_contact_profile_view
85. test_switch_users_and_add_new_account
86. test_logcat_send_transaction_from_wallet
87. test_send_two_transactions_in_batch_in_dapp
88. test_filters_from_daap
89. test_send_stt_from_wallet
90. test_login_with_new_account
91. test_home_view
92. test_log_level_and_fleet
93. test_can_add_existing_ens
94. test_copy_contact_code_and_wallet_address
95. test_long_press_to_delete_public_chat
96. test_fetching_balance_after_offline
97. test_can_see_all_transactions_in_history

@acolytec3
Contributor Author

I'm assuming that second failed e2e test needs to be rewritten since we're no longer allowing custom seed phrases, right?

@Serhy
Contributor

Serhy commented Jan 2, 2020

> I'm assuming that second failed e2e test needs to be rewritten since we're no longer allowing custom seed phrases, right?

Correct, I'll take care of that separately, @acolytec3

Tested with Android and iOS latest builds (Android one is https://status-im-prs.ams3.digitaloceanspaces.com/StatusIm-191231-105400-6efdaa-pr-universal.apk), all good with word count/entropy validation against BIP39, but we still don't trim seed phrase it seems. I.e. can reproduce #9670 bug: if whitespace or newline or whitespace-in-between seed phrase is present - it leads to recovery of different account

  1. Open Status and tap Access existing keys -> Enter Seed phrase

  2a) Enter [whitespace] what name teach trigger fantasy diagram skate museum leave modify hair execute

  2b) Enter what name teach trigger fantasy diagram skate museum leave modify hair execute [whitespaces]

  2c) Enter what name teach trigger fantasy diagram [whitespace][whitespace] skate museum leave modify hair execute

  2d) Enter what name teach trigger fantasy diagram skate museum leave modify hair execute [newline]

  3. Proceed with account recovery and check wallet / whisper keys in generate account
    Expected result: with any of 2nd items above the Brave Legal Gecko with 0xFD274e08EA5973D1b26D1862Aa4DB041140c3542 expected to be recovered.
    Actual result: different accounts are recovered with any of 2nd items above
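
Added example (not part of this thread, and not status-react or status-go code): why the whitespace variants in the report above recover different accounts, and how normalizing before derivation fixes it. BIP39 derives the seed with PBKDF2-HMAC-SHA512 over the mnemonic string itself, so every extra space or newline changes the input; the function names and the word-count check are assumptions of this sketch, and dictionary and checksum validation (which needs the 2048-word list) is left out.

```python
import hashlib
import unicodedata

# Mnemonic lengths defined by BIP39.
VALID_WORD_COUNTS = {12, 15, 18, 21, 24}

# Seed phrase quoted in the test report above.
PHRASE = ("what name teach trigger fantasy diagram "
          "skate museum leave modify hair execute")

# The four inputs from steps 2a-2d of the report, rebuilt here.
VARIANTS = {
    "2a leading space": " " + PHRASE,
    "2b trailing spaces": PHRASE + "   ",
    "2c double space inside": PHRASE.replace("diagram ", "diagram   "),
    "2d trailing newline": PHRASE + "\n",
}


def _nfkd(text: str) -> str:
    return unicodedata.normalize("NFKD", text)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'+passphrase."""
    return hashlib.pbkdf2_hmac(
        "sha512",
        _nfkd(mnemonic).encode("utf-8"),
        ("mnemonic" + _nfkd(passphrase)).encode("utf-8"),
        2048,
        dklen=64,
    )


def normalize_mnemonic(raw: str) -> str:
    """Trim both ends and collapse every whitespace run to a single space."""
    return " ".join(_nfkd(raw).split())


def recover_seed(raw: str) -> bytes:
    """Hardened path (hypothetical helper): normalize, check shape, derive."""
    phrase = normalize_mnemonic(raw)
    if len(phrase.split(" ")) not in VALID_WORD_COUNTS:
        raise ValueError("mnemonic must have 12, 15, 18, 21 or 24 words")
    # Dictionary membership and checksum validation belong here; they are
    # omitted because they need the full BIP39 word list.
    return bip39_seed(phrase)


def compare_variants() -> dict:
    """Per variant: (seed matches on raw input, seed matches after normalizing)."""
    expected = bip39_seed(PHRASE)
    return {
        name: (bip39_seed(raw) == expected, recover_seed(raw) == expected)
        for name, raw in VARIANTS.items()
    }


if __name__ == "__main__":
    for name, (raw_ok, fixed_ok) in compare_variants().items():
        print(f"{name:24} raw matches: {raw_ok!s:5} normalized matches: {fixed_ok}")
```
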

@acolytec3
Contributor Author

@Serhy Thanks for validating. I'll take a look. I only tried variation 2b that you mentioned above and my edits seemed to work when I restored a known account. That said, should be pretty straightforward to resolve and sanitize extra white space/newlines so will work on the method that sanitizes excess whitespace and push a new commit tonight or tomorrow.

@acolytec3 acolytec3 force-pushed the add-mnemonic-validation branch from 6efdaa6 to 1e171f7 Compare January 2, 2020 20:41
@acolytec3
Contributor Author

@Serhy Please review my latest commit. Looks like the change that I had made previously to sanitize the seed phrases of newlines/spaces got reverted. It's been added back and appears to work as expected.

@Serhy
Contributor

Serhy commented Jan 3, 2020

Looks good to me now! Passphrase validated for checksum and whether any of words is not from BIP39, whitespace/new-line between words or at the end/beginning of seed phrase have no impact and appropriate account is recovered

Contributor

@yenda yenda left a comment

Thanks for the good work again, looks good to merge, could you just rename validateMnemonicAsync to validateMnemonic. Some methods have async at the end because they have a synchronous equivalent but this one doesn't so it is superfluous.

@acolytec3 acolytec3 force-pushed the add-mnemonic-validation branch from 1e171f7 to f309d6e Compare January 6, 2020 11:06
@acolytec3
Contributor Author

@yenda Done. Also rebased on current develop.

Signed-off-by: yenda <eric@status.im>
@yenda yenda force-pushed the add-mnemonic-validation branch from f309d6e to 3bcf7ec Compare January 6, 2020 15:02
@yenda yenda merged commit 3bcf7ec into status-im:develop Jan 6, 2020
@acolytec3
Contributor Author

Sorry to have left you hanging @acolytec3! We can address translation separately. I'm completely okay with the button remaining as Cancel. And I realize we don't have a bounty on this issue but will get you paid for it regardless.

@rachelhamlin PR has been merged. Any chance you could just add a bounty on gitcoin and I'll submit this PR for it?

Successfully merging this pull request may close these issues.

In recovery, we need to refuse any mnemonic with words out of our supported BIP-39 dictionaries