fix: security issue in pub key registration (#208)

packages/background/src/messaging/memorandum-client.ts

@@ -32,7 +32,10 @@ export const registerPubKey = async (
   walletAddress: string,
   channelId: string,
   privacySetting: PrivacySetting,
-  chatReadReceiptSetting?: boolean
+  chatReadReceiptSetting?: boolean,
+  signingPubKey?: string,
+  signature?: string,
+  signedObjBase64?: string
 ): Promise<void> => {
   try {
     await client.mutate({
@@ -50,6 +53,9 @@ export const registerPubKey = async (
           channelId,
           privacySetting,
           readReceipt: chatReadReceiptSetting,
+          signingPubKey,
+          signature,
+          signedObjBase64,
         },
       },
       context: {
@@ -60,6 +66,7 @@ export const registerPubKey = async (
     });
   } catch (e) {
     console.log(e);
+    throw new Error("Pub key registration failed");
   }
 };
 

packages/background/src/messaging/service.ts

@@ -69,6 +69,29 @@ export class MessagingService {
     const privateKey = new PrivateKey(Buffer.from(sk));
     const pubKey = toHex(privateKey.publicKey.compressed);
 
+    const encoder = new TextEncoder();
+
+    const encoded = encoder.encode(pubKey);
+    const signDoc = {
+      chain_id: "",
+      account_number: "0",
+      sequence: "0",
+      fee: {
+        gas: "0",
+        amount: [],
+      },
+      msgs: [
+        {
+          type: "sign/MsgSignData",
+          value: {
+            signer: address,
+            data: toBase64(encoded),
+          },
+        },
+      ],
+      memo: "",
+    };
+
     const regPubKey = await this.lookupPublicKey(accessToken, address);
     if (
       !regPubKey.privacySetting ||
@@ -77,14 +100,30 @@ export class MessagingService {
       regPubKey.privacySetting !== privacySetting ||
       regPubKey.chatReadReceiptSetting !== chatReadReceiptSetting
     ) {
+      const {
+        signature,
+        signed,
+      } = await this.keyRingService.requestSignAmino(
+        env,
+        "",
+        chainId,
+        address,
+        signDoc,
+        { isADR36WithString: true }
+      );
+
       await registerPubKey(
         accessToken,
         pubKey,
         address,
         MESSAGE_CHANNEL_ID,
         privacySetting,
-        chatReadReceiptSetting
+        chatReadReceiptSetting,
+        signature.pub_key.value,
+        signature.signature,
+        Buffer.from(JSON.stringify(signed)).toString("base64")
       );
+
       this._publicKeyCache.set(address, {
         publicKey: pubKey,
         privacySetting,

packages/extension/src/components/chat/chat-init-popup.tsx

@@ -7,8 +7,11 @@ import React, { useState } from "react";
 import { useSelector } from "react-redux";
 import { useHistory } from "react-router";
 import { store } from "@chatStore/index";
-import { setMessageError } from "@chatStore/messages-slice";
-import { setMessagingPubKey, userDetails } from "@chatStore/user-slice";
+import {
+  resetUser,
+  setMessagingPubKey,
+  userDetails,
+} from "@chatStore/user-slice";
 import privacyIcon from "@assets/hello.png";
 import { useStore } from "../../stores";
 import style from "./style.module.scss";
@@ -57,16 +60,11 @@ export const ChatInitPopup = ({
       );
 
       store.dispatch(setMessagingPubKey(messagingPubKey));
+      history.replace("/chat");
     } catch (e) {
       // Show error toaster
       console.error("error", e);
-      store.dispatch(
-        setMessageError({
-          type: "setup",
-          message: "Something went wrong, Please try again in sometime.",
-          level: 3,
-        })
-      );
+      store.dispatch(resetUser({}));
       // Redirect to home
       history.replace("/");
     } finally {