feat(coordinator): fix login replay attack (#723)

Co-authored-by: Péter Garamvölgyi <peter@scroll.io>
Co-authored-by: colinlyguo <colinlyguo@scroll.io>

common/types/message/message.go

@@ -60,6 +60,8 @@ type AuthMsg struct {
 type Identity struct {
 	// ProverName the prover name
 	ProverName string `json:"prover_name"`
+	// ProverVersion the prover version
+	ProverVersion string `json:"prover_version"`
 	// Challenge unique challenge generated by manager
 	Challenge string `json:"challenge"`
 }

common/types/message/message_test.go

@@ -15,8 +15,9 @@ func TestAuthMessageSignAndVerify(t *testing.T) {
 
 	authMsg := &AuthMsg{
 		Identity: &Identity{
-			Challenge:  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTEwMzgxNzUsIm9yaWdfaWF0IjoxNjkxMDM0NTc1fQ.HybBMsEJFhyZqtIa2iVcHUP7CEFttf708jmTMAImAWA",
-			ProverName: "test",
+			Challenge:     "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTEwMzgxNzUsIm9yaWdfaWF0IjoxNjkxMDM0NTc1fQ.HybBMsEJFhyZqtIa2iVcHUP7CEFttf708jmTMAImAWA",
+			ProverName:    "test",
+			ProverVersion: "v1.0.0",
 		},
 	}
 	assert.NoError(t, authMsg.SignWithKey(privkey))
@@ -45,14 +46,15 @@ func TestGenerateToken(t *testing.T) {
 
 func TestIdentityHash(t *testing.T) {
 	identity := &Identity{
-		Challenge:  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTEwMzM0MTksIm9yaWdfaWF0IjoxNjkxMDI5ODE5fQ.EhkLZsj__rNPVC3ZDYBtvdh0nB8mmM_Hl82hObaIWOs",
-		ProverName: "test",
+		Challenge:     "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTEwMzM0MTksIm9yaWdfaWF0IjoxNjkxMDI5ODE5fQ.EhkLZsj__rNPVC3ZDYBtvdh0nB8mmM_Hl82hObaIWOs",
+		ProverName:    "test",
+		ProverVersion: "v1.0.0",
 	}
 
 	hash, err := identity.Hash()
 	assert.NoError(t, err)
 
-	expectedHash := "7373bb57ab7c01307d86fec55e088e00c526d82d9d1303fa4a189ff6ea95fbe2"
+	expectedHash := "83f5e0ad023e9c1de639ab07b9b4cb972ec9dbbd2524794c533a420a5b137721"
 	assert.Equal(t, expectedHash, hex.EncodeToString(hash))
 }
 

common/version/version.go

@@ -5,7 +5,7 @@ import (
 	"runtime/debug"
 )
 
-var tag = "v4.1.0"
+var tag = "v4.1.1"
 
 var commit = func() string {
 	if info, ok := debug.ReadBuildInfo(); ok {

coordinator/cmd/app/mock_app.go

@@ -81,9 +81,11 @@ func (c *CoordinatorApp) MockConfig(store bool) error {
 	}
 	// Reset prover manager config for manager test cases.
 	cfg.ProverManager = &coordinatorConfig.ProverManager{
-		ProversPerSession: 1,
-		Verifier:          &coordinatorConfig.VerifierConfig{MockMode: true},
-		CollectionTimeSec: 60,
+		ProversPerSession:  1,
+		Verifier:           &coordinatorConfig.VerifierConfig{MockMode: true},
+		CollectionTimeSec:  60,
+		SessionAttempts:    10,
+		MaxVerifierWorkers: 4,
 	}
 	cfg.DB.DSN = base.DBImg.Endpoint()
 	cfg.L2.ChainID = 111

coordinator/conf/config.json

@@ -1,14 +1,14 @@
 {
   "prover_manager": {
     "provers_per_session": 1,
-    "session_attempts": 2,
+    "session_attempts": 5,
     "collection_time_sec": 180,
     "verifier": {
       "mock_mode": true,
       "params_path": "",
       "assets_path": ""
     },
-    "max_verifier_workers": 10
+    "max_verifier_workers": 4
   },
   "db": {
     "driver_name": "postgres",
@@ -22,6 +22,6 @@
   "auth": {
     "secret": "prover secret key",
     "challenge_expire_duration_sec": 3600,
-    "login_expire_duration_sec": 3600
+    "login_expire_duration_sec": 10
   }
 }

coordinator/internal/config/config.go

@@ -8,24 +8,19 @@ import (
 	"scroll-tech/common/database"
 )
 
-const (
-	defaultNumberOfVerifierWorkers      = 10
-	defaultNumberOfSessionRetryAttempts = 2
-)
-
 // ProverManager loads sequencer configuration items.
 type ProverManager struct {
 	// The amount of provers to pick per proof generation session.
 	ProversPerSession uint8 `json:"provers_per_session"`
 	// Number of attempts that a session can be retried if previous attempts failed.
 	// Currently we only consider proving timeout as failure here.
-	SessionAttempts uint8 `json:"session_attempts,omitempty"`
+	SessionAttempts uint8 `json:"session_attempts"`
 	// Zk verifier config.
-	Verifier *VerifierConfig `json:"verifier,omitempty"`
+	Verifier *VerifierConfig `json:"verifier"`
 	// Proof collection time (in seconds).
 	CollectionTimeSec int `json:"collection_time_sec"`
 	// Max number of workers in verifier worker pool
-	MaxVerifierWorkers int `json:"max_verifier_workers,omitempty"`
+	MaxVerifierWorkers int `json:"max_verifier_workers"`
 }
 
 // L2 loads l2geth configuration items.
@@ -38,7 +33,7 @@ type L2 struct {
 type Auth struct {
 	Secret                     string `json:"secret"`
 	ChallengeExpireDurationSec int    `json:"challenge_expire_duration_sec"`
-	LoginExpireDurationSec     int    `json:"token_expire_duration_sec"` // unit: seconds
+	LoginExpireDurationSec     int    `json:"token_expire_duration_sec"`
 }
 
 // Config load configuration items.
@@ -69,12 +64,5 @@ func NewConfig(file string) (*Config, error) {
 		return nil, err
 	}
 
-	if cfg.ProverManager.MaxVerifierWorkers == 0 {
-		cfg.ProverManager.MaxVerifierWorkers = defaultNumberOfVerifierWorkers
-	}
-	if cfg.ProverManager.SessionAttempts == 0 {
-		cfg.ProverManager.SessionAttempts = defaultNumberOfSessionRetryAttempts
-	}
-
 	return cfg, nil
 }

coordinator/internal/config/config_test.go

@@ -14,14 +14,14 @@ func TestConfig(t *testing.T) {
 	configTemplate := `{
 		"prover_manager": {
 			"provers_per_session": 1,
-			"session_attempts": %d,
+			"session_attempts": 5,
 			"collection_time_sec": 180,
 			"verifier": {
 				"mock_mode": true,
 				"params_path": "",
 				"agg_vk_path": ""
 			},
-			"max_verifier_workers": %d
+			"max_verifier_workers": 4
 		},
 		"db": {
 			"driver_name": "postgres",
@@ -46,8 +46,7 @@ func TestConfig(t *testing.T) {
 			assert.NoError(t, tmpFile.Close())
 			assert.NoError(t, os.Remove(tmpFile.Name()))
 		}()
-		config := fmt.Sprintf(configTemplate, defaultNumberOfSessionRetryAttempts, defaultNumberOfVerifierWorkers)
-		_, err = tmpFile.WriteString(config)
+		_, err = tmpFile.WriteString(configTemplate)
 		assert.NoError(t, err)
 
 		cfg, err := NewConfig(tmpFile.Name())
@@ -88,36 +87,4 @@ func TestConfig(t *testing.T) {
 		_, err = NewConfig(tmpFile.Name())
 		assert.Error(t, err)
 	})
-
-	t.Run("Default MaxVerifierWorkers", func(t *testing.T) {
-		tmpFile, err := os.CreateTemp("", "example")
-		assert.NoError(t, err)
-		defer func() {
-			assert.NoError(t, tmpFile.Close())
-			assert.NoError(t, os.Remove(tmpFile.Name()))
-		}()
-		config := fmt.Sprintf(configTemplate, defaultNumberOfSessionRetryAttempts, 0)
-		_, err = tmpFile.WriteString(config)
-		assert.NoError(t, err)
-
-		cfg, err := NewConfig(tmpFile.Name())
-		assert.NoError(t, err)
-		assert.Equal(t, defaultNumberOfVerifierWorkers, cfg.ProverManager.MaxVerifierWorkers)
-	})
-
-	t.Run("Default SessionAttempts", func(t *testing.T) {
-		tmpFile, err := os.CreateTemp("", "example")
-		assert.NoError(t, err)
-		defer func() {
-			assert.NoError(t, tmpFile.Close())
-			assert.NoError(t, os.Remove(tmpFile.Name()))
-		}()
-		config := fmt.Sprintf(configTemplate, 0, defaultNumberOfVerifierWorkers)
-		_, err = tmpFile.WriteString(config)
-		assert.NoError(t, err)
-
-		cfg, err := NewConfig(tmpFile.Name())
-		assert.NoError(t, err)
-		assert.Equal(t, uint8(defaultNumberOfSessionRetryAttempts), cfg.ProverManager.SessionAttempts)
-	})
 }

coordinator/internal/controller/api/auth.go

@@ -31,8 +31,16 @@ func (a *AuthController) Login(c *gin.Context) (interface{}, error) {
 	if err := c.ShouldBind(&login); err != nil {
 		return "", fmt.Errorf("missing the public_key, err:%w", err)
 	}
+
+	// check login parameter's token is equal to bearer token, the Authorization must be existed
+	// if not exist, the jwt token will intercept it
+	brearToken := c.GetHeader("Authorization")
+	if brearToken != "Bearer "+login.Message.Challenge {
+		return "", fmt.Errorf("check challenge failure for the not equal challenge string")
+	}
+
 	// check the challenge is used, if used, return failure
-	if err := a.loginLogic.InsertChallengeString(c, login.Signature); err != nil {
+	if err := a.loginLogic.InsertChallengeString(c, login.Message.Challenge); err != nil {
 		return "", fmt.Errorf("login insert challenge string failure:%w", err)
 	}
 	return login, nil
@@ -48,8 +56,9 @@ func (a *AuthController) PayloadFunc(data interface{}) jwt.MapClaims {
 	// recover the public key
 	authMsg := message.AuthMsg{
 		Identity: &message.Identity{
-			Challenge:  v.Message.Challenge,
-			ProverName: v.Message.ProverName,
+			Challenge:     v.Message.Challenge,
+			ProverName:    v.Message.ProverName,
+			ProverVersion: v.Message.ProverVersion,
 		},
 		Signature: v.Signature,
 	}
@@ -60,8 +69,9 @@ func (a *AuthController) PayloadFunc(data interface{}) jwt.MapClaims {
 	}
 
 	return jwt.MapClaims{
-		types.PublicKey:  publicKey,
-		types.ProverName: v.Message.ProverName,
+		types.PublicKey:     publicKey,
+		types.ProverName:    v.Message.ProverName,
+		types.ProverVersion: v.Message.ProverVersion,
 	}
 }
 
@@ -75,5 +85,9 @@ func (a *AuthController) IdentityHandler(c *gin.Context) interface{} {
 	if publicKey, ok := claims[types.PublicKey]; ok {
 		c.Set(types.PublicKey, publicKey)
 	}
+
+	if proverVersion, ok := claims[types.ProverVersion]; ok {
+		c.Set(types.ProverVersion, proverVersion)
+	}
 	return nil
 }

coordinator/internal/logic/auth/login.go

@@ -20,6 +20,6 @@ func NewLoginLogic(db *gorm.DB) *LoginLogic {
 }
 
 // InsertChallengeString insert and check the challenge string is existed
-func (l *LoginLogic) InsertChallengeString(ctx *gin.Context, signature string) error {
-	return l.challengeOrm.InsertChallenge(ctx, signature)
+func (l *LoginLogic) InsertChallengeString(ctx *gin.Context, challenge string) error {
+	return l.challengeOrm.InsertChallenge(ctx, challenge)
 }

coordinator/internal/types/auth.go

@@ -7,12 +7,15 @@ const (
 	PublicKey = "public_key"
 	// ProverName the prover name key for context
 	ProverName = "prover_name"
+	// ProverVersion the prover version for context
+	ProverVersion = "prover_version"
 )
 
 // Message the login message struct
 type Message struct {
-	Challenge  string `form:"challenge" json:"challenge" binding:"required"`
-	ProverName string `form:"prover_name" json:"prover_name" binding:"required"`
+	Challenge     string `form:"challenge" json:"challenge" binding:"required"`
+	ProverVersion string `form:"prover_version" json:"prover_version" binding:"required"`
+	ProverName    string `form:"prover_name" json:"prover_name" binding:"required"`
 }
 
 // LoginParameter for /login api

coordinator/internal/types/get_task.go

@@ -2,9 +2,8 @@ package types
 
 // GetTaskParameter for ProverTasks request parameter
 type GetTaskParameter struct {
-	ProverVersion string `form:"prover_version" json:"prover_version" binding:"required"`
-	ProverHeight  int    `form:"prover_height" json:"prover_height" binding:"required"`
-	TaskType      int    `form:"task_type" json:"task_type"`
+	ProverHeight int `form:"prover_height" json:"prover_height" binding:"required"`
+	TaskType     int `form:"task_type" json:"task_type"`
 }
 
 // GetTaskSchema the schema data return to prover for get prover task

coordinator/test/mock_prover.go

@@ -76,14 +76,15 @@ func (r *mockProver) challenge(t *testing.T) string {
 func (r *mockProver) login(t *testing.T, challengeString string) string {
 	authMsg := message.AuthMsg{
 		Identity: &message.Identity{
-			Challenge:  challengeString,
-			ProverName: "test",
+			Challenge:     challengeString,
+			ProverName:    "test",
+			ProverVersion: "v1.0.0",
 		},
 	}
 	assert.NoError(t, authMsg.SignWithKey(r.privKey))
 
-	body := fmt.Sprintf("{\"message\":{\"challenge\":\"%s\",\"prover_name\":\"%s\"},\"signature\":\"%s\"}",
-		authMsg.Identity.Challenge, authMsg.Identity.ProverName, authMsg.Signature)
+	body := fmt.Sprintf("{\"message\":{\"challenge\":\"%s\",\"prover_name\":\"%s\", \"prover_version\":\"%s\"},\"signature\":\"%s\"}",
+		authMsg.Identity.Challenge, authMsg.Identity.ProverName, authMsg.Identity.ProverVersion, authMsg.Signature)
 
 	var result types.Response
 	client := resty.New()
@@ -137,7 +138,7 @@ func (r *mockProver) getProverTask(t *testing.T, proofType message.ProofType) *t
 	resp, err := client.R().
 		SetHeader("Content-Type", "application/json").
 		SetHeader("Authorization", fmt.Sprintf("Bearer %s", token)).
-		SetBody(map[string]interface{}{"prover_version": "v1.0.0", "prover_height": 100, "task_type": int(proofType)}).
+		SetBody(map[string]interface{}{"prover_height": 100, "task_type": int(proofType)}).
 		SetResult(&result).
 		Post("http://" + r.coordinatorURL + "/coordinator/v1/get_task")
 	assert.NoError(t, err)

prover/client/client.go

@@ -14,6 +14,7 @@ import (
 
 	"scroll-tech/common/types"
 	"scroll-tech/common/types/message"
+	"scroll-tech/common/version"
 )
 
 // CoordinatorClient is a client used for interacting with the Coordinator service.
@@ -65,8 +66,9 @@ func (c *CoordinatorClient) Login(ctx context.Context) error {
 	// Prepare and sign the login request
 	authMsg := &message.AuthMsg{
 		Identity: &message.Identity{
-			ProverName: c.proverName,
-			Challenge:  challengeResult.Data.Token,
+			ProverVersion: version.Version,
+			ProverName:    c.proverName,
+			Challenge:     challengeResult.Data.Token,
 		},
 	}
 
@@ -78,11 +80,13 @@ func (c *CoordinatorClient) Login(ctx context.Context) error {
 	// Login to coordinator
 	loginReq := &LoginRequest{
 		Message: struct {
-			Challenge  string `json:"challenge"`
-			ProverName string `json:"prover_name"`
+			Challenge     string `json:"challenge"`
+			ProverName    string `json:"prover_name"`
+			ProverVersion string `json:"prover_version"`
 		}{
-			Challenge:  authMsg.Identity.Challenge,
-			ProverName: authMsg.Identity.ProverName,
+			Challenge:     authMsg.Identity.Challenge,
+			ProverName:    authMsg.Identity.ProverName,
+			ProverVersion: authMsg.Identity.ProverVersion,
 		},
 		Signature: authMsg.Signature,
 	}

prover/client/types.go

@@ -17,8 +17,9 @@ type ChallengeResponse struct {
 // LoginRequest defines the request structure for login API
 type LoginRequest struct {
 	Message struct {
-		Challenge  string `json:"challenge"`
-		ProverName string `json:"prover_name"`
+		Challenge     string `json:"challenge"`
+		ProverName    string `json:"prover_name"`
+		ProverVersion string `json:"prover_version"`
 	} `json:"message"`
 	Signature string `json:"signature"`
 }
@@ -35,9 +36,8 @@ type LoginResponse struct {
 
 // GetTaskRequest defines the request structure for GetTask API
 type GetTaskRequest struct {
-	ProverVersion string            `json:"prover_version"`
-	ProverHeight  uint64            `json:"prover_height"`
-	TaskType      message.ProofType `json:"task_type"`
+	ProverHeight uint64            `json:"prover_height"`
+	TaskType     message.ProofType `json:"task_type"`
 }
 
 // GetTaskResponse defines the response structure for GetTask API

prover/prover.go

@@ -24,7 +24,6 @@ import (
 
 	"scroll-tech/common/types/message"
 	"scroll-tech/common/utils"
-	"scroll-tech/common/version"
 )
 
 var (
@@ -190,9 +189,8 @@ func (r *Prover) fetchTaskFromCoordinator() (*store.ProvingTask, error) {
 
 	// prepare the request
 	req := &client.GetTaskRequest{
-		ProverVersion: version.Version,
-		ProverHeight:  latestBlockNumber,
-		TaskType:      r.Type(),
+		ProverHeight: latestBlockNumber,
+		TaskType:     r.Type(),
 	}
 
 	// send the request