diff --git a/keyserver/src/creators/account-creator.js b/keyserver/src/creators/account-creator.js --- a/keyserver/src/creators/account-creator.js +++ b/keyserver/src/creators/account-creator.js @@ -16,6 +16,7 @@ RegisterResponse, RegisterRequest, } from 'lib/types/account-types.js'; +import type { SignedIdentityKeysBlob } from 'lib/types/crypto-types.js'; import type { PlatformDetails, DeviceTokenUpdateRequest, @@ -116,6 +117,7 @@ createNewUserCookie(id, { platformDetails: request.platformDetails, deviceToken, + signedIdentityKeysBlob: request.signedIdentityKeysBlob, }), deleteCookie(viewer.cookieID), dbQuery(newUserQuery), @@ -206,6 +208,7 @@ +deviceTokenUpdateRequest?: ?DeviceTokenUpdateRequest, +platformDetails: PlatformDetails, +socialProof: SIWESocialProof, + +signedIdentityKeysBlob?: ?SignedIdentityKeysBlob, }; // Note: `processSIWEAccountCreation(...)` assumes that the validity of // `ProcessSIWEAccountCreationRequest` was checked at call site. @@ -213,7 +216,7 @@ viewer: Viewer, request: ProcessSIWEAccountCreationRequest, ): Promise { - const { calendarQuery } = request; + const { calendarQuery, signedIdentityKeysBlob } = request; await verifyCalendarQueryThreadIDs(calendarQuery); const time = Date.now(); @@ -231,6 +234,7 @@ platformDetails: request.platformDetails, deviceToken, socialProof: request.socialProof, + signedIdentityKeysBlob, }), deleteCookie(viewer.cookieID), dbQuery(newUserQuery), diff --git a/keyserver/src/responders/user-responders.js b/keyserver/src/responders/user-responders.js --- a/keyserver/src/responders/user-responders.js +++ b/keyserver/src/responders/user-responders.js @@ -217,6 +217,23 @@ ): Promise { const request: RegisterRequest = input; await validateInput(viewer, registerRequestInputValidator, request); + const { signedIdentityKeysBlob } = request; + if (signedIdentityKeysBlob) { + const identityKeys: IdentityKeysBlob = JSON.parse( + signedIdentityKeysBlob.payload, + ); + + const olmUtil: OLMUtility = getOLMUtility(); + try { + olmUtil.ed25519_verify( + identityKeys.primaryIdentityPublicKeys.ed25519, + signedIdentityKeysBlob.payload, + signedIdentityKeysBlob.signature, + ); + } catch (e) { + throw new ServerError('invalid_signature'); + } + } return await createAccount(viewer, request); } diff --git a/keyserver/src/session/cookies.js b/keyserver/src/session/cookies.js --- a/keyserver/src/session/cookies.js +++ b/keyserver/src/session/cookies.js @@ -647,10 +647,10 @@ } type UserCookieCreationParams = { - platformDetails: PlatformDetails, - deviceToken?: ?string, - socialProof?: ?SIWESocialProof, - signedIdentityKeysBlob?: ?SignedIdentityKeysBlob, + +platformDetails: PlatformDetails, + +deviceToken?: ?string, + +socialProof?: ?SIWESocialProof, + +signedIdentityKeysBlob?: ?SignedIdentityKeysBlob, }; // The result of this function should never be passed directly to the Viewer diff --git a/lib/types/account-types.js b/lib/types/account-types.js --- a/lib/types/account-types.js +++ b/lib/types/account-types.js @@ -52,6 +52,7 @@ +calendarQuery?: ?CalendarQuery, +deviceTokenUpdateRequest?: ?DeviceTokenUpdateRequest, +platformDetails: PlatformDetails, + +signedIdentityKeysBlob?: SignedIdentityKeysBlob, }; export type RegisterResponse = {