SEP-10 Multisig Support

[JakeUrban]

#60

Refactors the SEP-10 authentication code and adds support for multi-signature accounts according to the changes in stellar-protocol, utilizing the stellar_sdk changes released in 2.1.1-beta1.

2.1.1 has been released today, so I'll update this PR to use that.

[codecov-io]

Codecov Report

Merging #107 into master will decrease coverage by 0.89%.
The diff coverage is 77.41%.

@@            Coverage Diff            @@
##           master     #107     +/-   ##
=========================================
- Coverage   87.44%   86.55%   -0.9%     
=========================================
  Files          25       25             
  Lines        1171     1190     +19     
=========================================
+ Hits         1024     1030      +6     
- Misses        147      160     +13

Impacted Files	Coverage Δ
polaris/polaris/helpers.py	86.54% <100%> (+0.07%)	⬆️
...is/polaris/management/commands/check_trustlines.py	68.29% <100%> (ø)	⬆️
polaris/polaris/sep10auth/views.py	79.61% <76.13%> (-5.1%)	⬇️
...aris/management/commands/create_stellar_deposit.py	55.55% <0%> (-27.78%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ecb99f1...c7a8647. Read the comment docs.

[JakeUrban]

@overcat I'd like your thoughts on how this should be implemented in the Python SDK. I left code comments describing my ideas.

[leighmcculloch]

@JakeUrban I took a look at the PR. I'm not fluent in Python, so please apologies if I've misinterpreted the code, please correct me if I've done so.

I noted inline some concerns ❗️ and ideas 💡.

I really like 👏 how you're proposing to change the Python SDK, I think that will have the least impact on existing users and tells a clear story for how to use the function with the changes.

[overcat]

Thanks for your suggestions, I will release a pre-release version in these two days.

[overcat]

Hi @JakeUrban, I just released a pre-release version, please let me know if you have any questions.

• Github Release
• PyPi Release
• Document
• Code Example

[leighmcculloch]

I took a look and this looks good bar a couple comments that are inline below.

I haven't finished looking through the Python SDK challenge transaction implementation that is in 2.1.1, I'll post here when I've done that too.

[leighmcculloch]

invalid challenge Stellar transaction

When you say that the challenge transaction is invalid, do you mean to say that it hasn't been signed by the client? If that's the case I'd avoid the concept of invalid here because from the clients perspective who will be reading the challenge transaction before they sign it it is valid, it is just not yet signed by the client.

[leighmcculloch]

The Python SDK still has a default timeout of 300ms rather than 900ms as in v1.3.0. I think we should set it explicitly here though so we're making a conscious decision that's what we want the timeout to be. Could we add that?

[leighmcculloch]

I think this line allows injection into the JWT. If an anchor hosts their server in anyway that allows arbitrary hostnames in the requests, e.g. if they host it on a static IP without hostname filtering which is possible, the iss field can be made to contain any hostname a caller wants.

I'd lean towards this being the server signing key address, e.g. https://github.com/stellar/go/blob/4268b290621430b89c3ed687e0d83df3800c227a/exp/services/webauth/internal/serve/token.go#L87, if we don't have a good way to get some other definitive exact URI for the issuer.

[JakeUrban]

I'm not convinced that using the server signing key is any better than the current value for iss; both can be faked. The only real protection against someone attempting to side-step SEP-10 by using a fake JWT (a JWT not created by the anchor server) is the server's secret used to encode the data. The SEP also states that iss should be a URI. What do you think?

[leighmcculloch]

Ah you're right, the SEP does say to use a URI. I was thinking about the RFC7519 Section 4.1.1 where technically it doesn't have to be a URI, but I forgot we specify that in the SEP. I'll change the webauth implementation to make it a URI too.

Can we get the hostname from the settings or somewhere else instead of the incoming request? I still think we should avoid allowing any data from the request making its way into the JWT.

[leighmcculloch]

FYI I updated the Go implementation here to align with ☝️, stellar/go#2214.

[JakeUrban]

Yea, I can add an AUTH_SERVER setting since the SEP-10 authentication could be hosted on a different URI than the anchor server.

[JakeUrban]

Actually, if they're using Polaris there isn't a reason you'd want to have a separate server handling authentication. I'll use a HOST_URL instead.

[leighmcculloch]

I haven't finished looking through the Python SDK challenge transaction implementation that is in 2.1.1, I'll post here when I've done that too.

FYI I had a look through the Python SDK challenge transaction implementation that is in 2.1.1 and I posted some recommendations on that repositories issue about. It would be ideal if the changes to how signatures and signers are matched could be made since we're using this in Polaris.
StellarCN/py-stellar-base#252 (comment)