Update app action commitment, disallow signing arbitrary appActionMetadata (#81)

* Update app action commitment, disallow signing arbitrary appActionMetadata

* Linter fix

package.json

@@ -37,7 +37,7 @@
     "@graphql-tools/schema": "^8.3.1",
     "@graphql-tools/stitch": "^8.4.1",
     "@graphql-tools/url-loader": "^7.5.2",
-    "@polkadot/util-crypto": "^10.2.1",
+    "@joystream/js": "^1.3.0",
     "@typegoose/auto-increment": "^1.3.0",
     "@typegoose/typegoose": "^9.8.1",
     "apollo-server-core": "^3.8.1",

src/resolvers/admin.ts

@@ -3,7 +3,8 @@ import { Admin, GeneratedSignature, getAdminDoc } from '../models/Admin'
 import config, { ADMIN_ROLE } from '../config'
 import { ed25519Sign } from '@polkadot/util-crypto'
 import { u8aToHex, hexToU8a, isHex } from '@polkadot/util'
-import { generateAppActionCommitment } from './helpers'
+import { generateAppActionCommitment } from '@joystream/js/utils'
+import { createType } from '@joystream/types'
 
 @ArgsType()
 class AdminInput implements Admin {
@@ -13,14 +14,14 @@ class AdminInput implements Admin {
 
 @ArgsType()
 class AppActionSignatureInput {
+  @Field()
+  nonce: number
   @Field()
   creatorId: string
   @Field({ description: 'Hex string from UInt8Array' })
   assets: string
   @Field({ description: 'Hex string from UInt8Array' })
   rawAction: string
-  @Field({ description: 'Hex string from UInt8Array' })
-  rawAppActionMetadata: string
 }
 
 @Resolver()
@@ -41,17 +42,18 @@ export class AdminResolver {
 
   @Mutation(() => GeneratedSignature)
   async signAppActionCommitment(
-    @Args() { rawAppActionMetadata, rawAction, assets, creatorId }: AppActionSignatureInput
+    // FIXME: In the initial implementation we don't verify the nonce, but this should be changed in the future
+    @Args() { nonce, rawAction, assets, creatorId }: AppActionSignatureInput
   ) {
-    if (!isHex(assets) || !isHex(rawAction) || !isHex(rawAppActionMetadata)) {
-      throw new Error('One of input is not hex: assets, rawAction, rawAppActionMetadata')
+    if (!isHex(assets) || !isHex(rawAction)) {
+      throw new Error('One of input is not hex: assets, rawAction')
     }
 
     const message = generateAppActionCommitment(
-      creatorId,
+      nonce,
+      `m:${creatorId}`,
       hexToU8a(assets),
-      hexToU8a(rawAction),
-      hexToU8a(rawAppActionMetadata)
+      createType('Bytes', rawAction)
     )
     const signature = ed25519Sign(message, config.appKeypair)
     return { signature: u8aToHex(signature) }

src/resolvers/helpers.ts

@@ -1,4 +1,3 @@
-import { stringToHex, u8aToHex } from '@polkadot/util'
 import { OrionContext } from '../types'
 import { mapPeriods } from '../helpers'
 
@@ -47,14 +46,3 @@ export const getMostFollowedChannelsIds = (context: OrionContext, { period, limi
 
   return limitedFollows.filter((entity) => entity.follows).map((entity) => entity.id)
 }
-
-// preferably this would be imported from @joystream/js -> https://github.com/Joystream/joystream/pull/4586
-export const generateAppActionCommitment = (
-  creatorId: string,
-  assets: Uint8Array,
-  rawAction: Uint8Array,
-  rawAppActionMetadata: Uint8Array
-): string => {
-  const rawCommitment = [creatorId, u8aToHex(assets), u8aToHex(rawAction), u8aToHex(rawAppActionMetadata)]
-  return stringToHex(JSON.stringify(rawCommitment))
-}

tsconfig.json

@@ -13,7 +13,8 @@
     "strict": true,
     "emitDecoratorMetadata": true,
     "experimentalDecorators": true,
-    "strictPropertyInitialization": false
+    "strictPropertyInitialization": false,
+    "skipLibCheck": true
   },
   "exclude": ["node_modules", "dist"]
 }