diff --git a/package-lock.json b/package-lock.json index c4066e1a..988106d0 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12,7 +12,6 @@ "@metamask/obs-store": "^8.1.0", "@toruslabs/http-helpers": "^4.0.0", "@toruslabs/openlogin-jrpc": "^4.4.0", - "create-hash": "^1.2.0", "end-of-stream": "^1.4.4", "eth-rpc-errors": "^4.0.3", "events": "^3.3.0", @@ -4854,6 +4853,7 @@ "version": "1.0.4", "resolved": "https://registry.npmjs.org/cipher-base/-/cipher-base-1.0.4.tgz", "integrity": "sha512-Kkht5ye6ZGmwv40uUDZztayT2ThLQGfnj/T71N/XzeZeo3nf8foyW7zGTsPYkEya3m5f3cAypH+qe7YOrM1U2Q==", + "dev": true, "dependencies": { "inherits": "^2.0.1", "safe-buffer": "^5.0.1" @@ -5170,6 +5170,7 @@ "version": "1.2.0", "resolved": "https://registry.npmjs.org/create-hash/-/create-hash-1.2.0.tgz", "integrity": "sha512-z00bCGNHDG8mHAkP7CtT1qVu+bFQUPjYq/4Iv3C3kWjTFV10zIjfSoeqXo9Asws8gwSHDGj/hl2u4OGIjapeCg==", + "dev": true, "dependencies": { "cipher-base": "^1.0.1", "inherits": "^2.0.1", @@ -7439,6 +7440,7 @@ "version": "3.1.0", "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.1.0.tgz", "integrity": "sha512-1nmYp/rhMDiE7AYkDw+lLwlAzz0AntGIe51F3RfFfEqyQ3feY2eI/NcwC6umIQVOASPMsWJLJScWKSSvzL9IVA==", + "dev": true, "dependencies": { "inherits": "^2.0.4", "readable-stream": "^3.6.0", @@ -9060,6 +9062,7 @@ "version": "1.3.5", "resolved": "https://registry.npmjs.org/md5.js/-/md5.js-1.3.5.tgz", "integrity": "sha512-xitP+WxNPcTTOgnTJcrhM0xvdPepipPSf3I8EIpGKeFLjt3PlJLIDG3u8EX53ZIubkb+5U2+3rELYpEhHhzdkg==", + "dev": true, "dependencies": { "hash-base": "^3.0.0", "inherits": "^2.0.1", @@ -10480,6 +10483,7 @@ "version": "3.6.0", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.0.tgz", "integrity": "sha512-BViHy7LKeTz4oNnkcLJ+lVSL6vpiFeX6/d3oSH8zCW7UxP2onchk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==", + "dev": true, "dependencies": { "inherits": "^2.0.3", "string_decoder": "^1.1.1", 
@@ -10972,6 +10976,7 @@ "version": "2.0.2", "resolved": "https://registry.npmjs.org/ripemd160/-/ripemd160-2.0.2.tgz", "integrity": "sha512-ii4iagi25WusVoiC4B4lq7pbXfAp3D9v5CwfkY33vffw2+pkDjY1D8GaN7spsxvCSx8dkPqOZCEZyfxcmJG2IA==", + "dev": true, "dependencies": { "hash-base": "^3.0.0", "inherits": "^2.0.1" @@ -11130,6 +11135,7 @@ "version": "5.2.1", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "dev": true, "funding": [ { "type": "github", @@ -11294,6 +11300,7 @@ "version": "2.4.11", "resolved": "https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz", "integrity": "sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ==", + "dev": true, "dependencies": { "inherits": "^2.0.1", "safe-buffer": "^5.0.1" @@ -11548,6 +11555,7 @@ "version": "1.3.0", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", + "dev": true, "dependencies": { "safe-buffer": "~5.2.0" } @@ -16512,6 +16520,7 @@ "version": "1.0.4", "resolved": "https://registry.npmjs.org/cipher-base/-/cipher-base-1.0.4.tgz", "integrity": "sha512-Kkht5ye6ZGmwv40uUDZztayT2ThLQGfnj/T71N/XzeZeo3nf8foyW7zGTsPYkEya3m5f3cAypH+qe7YOrM1U2Q==", + "dev": true, "requires": { "inherits": "^2.0.1", "safe-buffer": "^5.0.1" @@ -16763,6 +16772,7 @@ "version": "1.2.0", "resolved": "https://registry.npmjs.org/create-hash/-/create-hash-1.2.0.tgz", "integrity": "sha512-z00bCGNHDG8mHAkP7CtT1qVu+bFQUPjYq/4Iv3C3kWjTFV10zIjfSoeqXo9Asws8gwSHDGj/hl2u4OGIjapeCg==", + "dev": true, "requires": { "cipher-base": "^1.0.1", "inherits": "^2.0.1", 
@@ -18422,6 +18432,7 @@ "version": "3.1.0", "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.1.0.tgz", "integrity": "sha512-1nmYp/rhMDiE7AYkDw+lLwlAzz0AntGIe51F3RfFfEqyQ3feY2eI/NcwC6umIQVOASPMsWJLJScWKSSvzL9IVA==", + "dev": true, "requires": { "inherits": "^2.0.4", "readable-stream": "^3.6.0", @@ -19550,6 +19561,7 @@ "version": "1.3.5", "resolved": "https://registry.npmjs.org/md5.js/-/md5.js-1.3.5.tgz", "integrity": "sha512-xitP+WxNPcTTOgnTJcrhM0xvdPepipPSf3I8EIpGKeFLjt3PlJLIDG3u8EX53ZIubkb+5U2+3rELYpEhHhzdkg==", + "dev": true, "requires": { "hash-base": "^3.0.0", "inherits": "^2.0.1", @@ -20567,6 +20579,7 @@ "version": "3.6.0", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.0.tgz", "integrity": "sha512-BViHy7LKeTz4oNnkcLJ+lVSL6vpiFeX6/d3oSH8zCW7UxP2onchk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==", + "dev": true, "requires": { "inherits": "^2.0.3", "string_decoder": "^1.1.1", @@ -20924,6 +20937,7 @@ "version": "2.0.2", "resolved": "https://registry.npmjs.org/ripemd160/-/ripemd160-2.0.2.tgz", "integrity": "sha512-ii4iagi25WusVoiC4B4lq7pbXfAp3D9v5CwfkY33vffw2+pkDjY1D8GaN7spsxvCSx8dkPqOZCEZyfxcmJG2IA==", + "dev": true, "requires": { "hash-base": "^3.0.0", "inherits": "^2.0.1" @@ -21029,7 +21043,8 @@ "safe-buffer": { "version": "5.2.1", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", - "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==" + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "dev": true }, "safe-regex-test": { "version": "1.0.0", @@ -21149,6 +21164,7 @@ "version": "2.4.11", "resolved": "https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz", "integrity": "sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ==", + "dev": true, "requires": { "inherits": "^2.0.1", "safe-buffer": "^5.0.1" 
@@ -21342,6 +21358,7 @@ "version": "1.3.0", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", + "dev": true, "requires": { "safe-buffer": "~5.2.0" } diff --git a/package.json b/package.json index ffd393eb..f1869bde 100644 --- a/package.json +++ b/package.json @@ -30,7 +30,6 @@ "@metamask/obs-store": "^8.1.0", "@toruslabs/http-helpers": "^4.0.0", "@toruslabs/openlogin-jrpc": "^4.4.0", - "create-hash": "^1.2.0", "end-of-stream": "^1.4.4", "eth-rpc-errors": "^4.0.3", "events": "^3.3.0", diff --git a/src/embed.ts b/src/embed.ts index 74bb42a2..8002ceb3 100644 --- a/src/embed.ts +++ b/src/embed.ts @@ -5,7 +5,6 @@ import deepmerge from "lodash.merge"; import configuration from "./config"; import { documentReady, handleStream, htmlToElement, runOnLoad } from "./embedUtils"; import TorusInpageProvider from "./inpage-provider"; -import generateIntegrity from "./integrity"; import { BUTTON_POSITION, BUTTON_POSITION_TYPE, @@ -47,10 +46,6 @@ const defaultVerifiers = { [LOGIN_PROVIDER.DISCORD]: true, }; -const iframeIntegrity = "sha384-5wfQNApq4YIunQu3JVyIfoWQHdz5824c+mHr1WOMddVX9N+d6ErcA25MCuLSLeQH"; - -const expectedCacheControlHeader = "max-age=3600"; - const UNSAFE_METHODS = [ "eth_sendTransaction", "eth_signTypedData", @@ -68,7 +63,7 @@ const UNSAFE_METHODS = [ try { if (typeof document === "undefined") return; const torusIframeHtml = document.createElement("link"); - const { torusUrl } = await getTorusUrl("production", { check: false, hash: iframeIntegrity, version: "" }); + const { torusUrl } = await getTorusUrl("production", { version: "" }); torusIframeHtml.href = `${torusUrl}/popup`; torusIframeHtml.crossOrigin = "anonymous"; torusIframeHtml.type = "text/html"; @@ -174,8 +169,6 @@ class Torus { loginConfig = {}, showTorusButton = true, integrity = { - check: false, - hash: iframeIntegrity, version: "", }, whiteLabel, 
@@ -268,30 +261,7 @@ class Torus { }); }; - if (buildEnv === "production" && integrity.check) { - // hacky solution to check for iframe integrity - const fetchUrl = `${torusUrl}/popup`; - const resp = await fetch(fetchUrl, { cache: "reload" }); - if (resp.headers.get("Cache-Control") !== expectedCacheControlHeader) { - throw new Error(`Unexpected Cache-Control headers, got ${resp.headers.get("Cache-Control")}`); - } - const response = await resp.text(); - const calculatedIntegrity = generateIntegrity( - { - algorithms: ["sha384"], - }, - response - ); - log.info(calculatedIntegrity, "integrity"); - if (calculatedIntegrity === integrity.hash) { - await handleSetup(); - } else { - this.clearInit(); - throw new Error("Integrity check failed"); - } - } else { - await handleSetup(); - } + await handleSetup(); return undefined; } diff --git a/src/integrity.ts b/src/integrity.ts deleted file mode 100644 index 186fdf51..00000000 --- a/src/integrity.ts +++ /dev/null 
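Review bot: The unconditional `await handleSetup();` that replaces the production branch means a caller still passing `integrity: { check: true, hash }` now gets an unverified iframe with no error or warning. For plain JavaScript integrators that is a silent security downgrade; TypeScript callers would at least hit the fields removed from `IntegrityParams` in src/interfaces.ts. I would keep a one-line guard ahead of the call, e.g. `if ((integrity as { check?: boolean }).check) throw new Error("integrity.check is no longer supported");`, or at minimum a `log.warn` with the same message, assuming `log` is still imported in this file. A comment above the call should also state that the popup's authenticity now rests only on the origin of `torusUrl` and TLS, since nothing pins the served HTML any more. The enclosing method starts and ends outside this hunk, so whether `integrity` is validated elsewhere cannot be seen from here.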
@@ -1,44 +0,0 @@ -import createHash from "create-hash"; - -import { IHashAlgorithmOptions, SRI } from "./interfaces"; - -const defaults = (options: IHashAlgorithmOptions) => ({ - algorithms: options.algorithms || ["sha256"], - delimiter: options.delimiter || " ", - full: options.full || false, -}); - -// Generate list of hashes -const hashes = (options: IHashAlgorithmOptions, data: string): Record => { - const internalHashes: Record = {}; - options.algorithms.forEach((algorithm) => { - internalHashes[algorithm] = createHash(algorithm).update(data, "utf8").digest("base64"); - }); - return internalHashes; -}; -// Build an integrity string -const integrity = (options: IHashAlgorithmOptions, sri: SRI): string => { - let output = ""; - - // Hash list - output += Object.keys(sri.hashes) - .map((algorithm: createHash.algorithm) => `${algorithm}-${sri.hashes[algorithm]}`) - .join(options.delimiter); - - return output; -}; - -const main = (options: IHashAlgorithmOptions, data: string): SRI | string => { - // Defaults - const finalOptions = defaults(options); - - const sri = { - hashes: hashes(finalOptions, data), - integrity: undefined, - }; - sri.integrity = integrity(finalOptions, sri); - - return finalOptions.full ? sri : sri.integrity; -}; - -export default main; diff --git a/src/interfaces.ts b/src/interfaces.ts index 72f33860..078dbb88 100644 --- a/src/interfaces.ts +++ b/src/interfaces.ts @@ -1,5 +1,4 @@ import { JRPCId, JRPCMiddleware, JRPCRequest, JRPCVersion, SafeEventEmitter } from "@toruslabs/openlogin-jrpc"; -import createHash from "create-hash"; import type { Duplex } from "readable-stream"; export const LOGIN_PROVIDER = { 
@@ -77,17 +76,6 @@ export interface IPaymentProvider { sell?: boolean; } -export interface IHashAlgorithmOptions { - algorithms?: createHash.algorithm[]; - delimiter?: string; - full?: boolean; -} - -export interface SRI { - hashes: Record; - integrity?: string; -} - export const BUTTON_POSITION = { BOTTOM_LEFT: "bottom-left", TOP_LEFT: "top-left", @@ -492,17 +480,6 @@ export interface ThemeParams { } export interface IntegrityParams { - /** - * Whether to check for integrity. - * Defaults to false - * @defaultValue false - */ - check: boolean; - /** - * if check is true, hash must be provided. The SRI sha-384 integrity hash - * {@link https://www.srihash.org/ | SRI Hash} - */ - hash?: string; /** * Version of torus-website to load */