def _validate_challenge_xdr(envelope_xdr: str):
"""
Validate the provided TransactionEnvelope XDR (base64 string).
If the source account of the challenge transaction exists, verify the weight
of the signers on the challenge are signers for the account and the medium
threshold on the account is met by those signers.
If the source account does not exist, verify that the keypair used as the
source for the challenge transaction has signed the challenge. This is
sufficient because newly created accounts have their own keypair as signer
with a weight greater than the default thresholds.
"""
server_key = settings.SIGNING_KEY
net = settings.STELLAR_NETWORK_PASSPHRASE
logger.info("Validating challenge transaction")
try:
tx_envelope, account_id = read_challenge_transaction(
envelope_xdr, server_key, DOMAIN_NAME, net)
except InvalidSep10ChallengeError as e:
err_msg = f"Error while validating challenge: {str(e)}"
logger.error(err_msg)
raise ValueError(err_msg)
try:
account = settings.HORIZON_SERVER.load_account(account_id)
except NotFoundError:
logger.warning(
"Account does not exist, using client's master key to verify")
try:
verify_challenge_transaction_signed_by_client_master_key(
envelope_xdr, server_key, DOMAIN_NAME, net)
if len(tx_envelope.signatures) != 2:
raise InvalidSep10ChallengeError(
"There is more than one client signer on a challenge "
"transaction for an account that doesn't exist")
except InvalidSep10ChallengeError as e:
logger.info(
f"Missing or invalid signature(s) for {account_id}: {str(e)}"
)
raise ValueError(str(e))
else:
logger.info("Challenge verified using client's master key")
return
signers = account.load_ed25519_public_key_signers()
threshold = account.thresholds.med_threshold
try:
signers_found = verify_challenge_transaction_threshold(
envelope_xdr, server_key, DOMAIN_NAME, net, threshold, signers)
except InvalidSep10ChallengeError as e:
logger.info(str(e))
raise ValueError(str(e))
logger.info(
f"Challenge verified using account signers: {signers_found}")
def _validate_challenge_xdr(envelope_xdr: str):
"""
Validate the provided TransactionEnvelope XDR (base64 string).
If the source account of the challenge transaction exists, verify the weight
of the signers on the challenge are signers for the account and the medium
threshold on the account is met by those signers.
If the source account does not exist, verify that the keypair used as the
source for the challenge transaction has signed the challenge. This is
sufficient because newly created accounts have their own keypair as signer
with a weight greater than the default thresholds.
"""
logger.info("Validating challenge transaction")
generic_err_msg = gettext("error while validating challenge: %s")
try:
tx_envelope, account_id, _ = read_challenge_transaction(
challenge_transaction=envelope_xdr,
server_account_id=settings.SIGNING_KEY,
home_domains=settings.SEP10_HOME_DOMAINS,
web_auth_domain=urlparse(settings.HOST_URL).netloc,
network_passphrase=settings.STELLAR_NETWORK_PASSPHRASE,
)
except InvalidSep10ChallengeError as e:
return None, render_error_response(generic_err_msg % (str(e)))
client_domain = None
for operation in tx_envelope.transaction.operations:
if (isinstance(operation, ManageData)
and operation.data_name == "client_domain"):
client_domain = operation.data_value.decode()
break
try:
account = settings.HORIZON_SERVER.load_account(account_id)
except NotFoundError:
logger.info(
"Account does not exist, using client's master key to verify")
try:
verify_challenge_transaction_signed_by_client_master_key(
challenge_transaction=envelope_xdr,
server_account_id=settings.SIGNING_KEY,
home_domains=settings.SEP10_HOME_DOMAINS,
web_auth_domain=urlparse(settings.HOST_URL).netloc,
network_passphrase=settings.STELLAR_NETWORK_PASSPHRASE,
)
if (client_domain and len(tx_envelope.signatures) != 3) or (
not client_domain
and len(tx_envelope.signatures) != 2):
raise InvalidSep10ChallengeError(
gettext(
"There is more than one client signer on a challenge "
"transaction for an account that doesn't exist"))
except InvalidSep10ChallengeError as e:
logger.info(
f"Missing or invalid signature(s) for {account_id}: {str(e)}"
)
return None, render_error_response(generic_err_msg % (str(e)))
else:
logger.info("Challenge verified using client's master key")
return client_domain, None
signers = account.load_ed25519_public_key_signers()
threshold = account.thresholds.med_threshold
try:
signers_found = verify_challenge_transaction_threshold(
challenge_transaction=envelope_xdr,
server_account_id=settings.SIGNING_KEY,
home_domains=settings.SEP10_HOME_DOMAINS,
web_auth_domain=urlparse(settings.HOST_URL).netloc,
network_passphrase=settings.STELLAR_NETWORK_PASSPHRASE,
threshold=threshold,
signers=signers,
)
except InvalidSep10ChallengeError as e:
return None, render_error_response(generic_err_msg % (str(e)))
logger.info(
f"Challenge verified using account signers: {[s.account_id for s in signers_found]}"
)
return client_domain, None