[bisq-network/proposals] API security (#69)

Bernard Labno notifications at github.com
Mon Jan 21 11:36:43 UTC 2019


> _This is a Bisq Network proposal. Please familiarize yourself with the [submission and review process](https://docs.bisq.network/proposals.html)._

## Introduction

Work is underway to expose some Bisq functionality for external programmatic access over an HTTP API.
The API might be used by local scripts or programs, or by remote clients such as a mobile app.

This proposal describes how to access the API securely: remotely over TOR, and with password and token based authentication.

![Bisq HTTP API network diagram](https://user-images.githubusercontent.com/431064/51472023-9e434300-1d78-11e9-900d-adbce651e086.png)

## Local access

The API exposes an HTTP port bound to localhost only.
We do not use SSL because it would force every user to obtain an SSL certificate, which in turn requires a registered domain name.

---
**Important assumption** 

We assume that the local machine is not compromised and that local traffic is not being eavesdropped on by any malicious actor.

---

In order to protect against CSRF attacks (e.g. the user visits a website containing a hidden image that links to http://localhost:8080),
every request needs to carry an `Authorization` header containing the access token.
The access token is generated when the user sends a request to the `/user/login` endpoint with a valid password.
The access token is stored only in process memory.
The password digest (SHA256) and salt (to prevent a [Rainbow table](https://en.wikipedia.org/wiki/Rainbow_table) attack) are stored in a dedicated file in the Bisq data directory.
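The following is an added example (not code from the proposal or from Bisq itself) showing the authentication flow described above: a salted SHA-256 password digest written to a file in the data directory, a token issued by `/user/login` and held only in memory, and a request filter that rejects any other request lacking a valid `Authorization` header, which is what defeats the hidden-image CSRF case. The file name, the header format (bare token) and the `/wallet/balance` path are assumptions for illustration; the sample password is constructed.

```python
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path

# Assumed file name inside the Bisq data directory (not specified by the proposal).
DIGEST_FILE = "http_api_password.json"


def store_password(data_dir: Path, password: str) -> None:
    """Write a fresh random salt and SHA-256(salt || password) to the data directory."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    record = {"salt": salt.hex(), "digest": digest}
    (data_dir / DIGEST_FILE).write_text(json.dumps(record))


def verify_password(data_dir: Path, password: str) -> bool:
    """Recompute the salted digest and compare it in constant time."""
    record = json.loads((data_dir / DIGEST_FILE).read_text())
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, record["digest"])


class ApiAuth:
    """Holds the access token in process memory only; nothing is persisted."""

    def __init__(self, data_dir: Path) -> None:
        self.data_dir = data_dir
        self._token = None

    def login(self, password: str):
        """The /user/login endpoint: a valid password yields a new random token."""
        if not verify_password(self.data_dir, password):
            return None
        self._token = secrets.token_urlsafe(32)
        return self._token

    def handle(self, path: str, headers: dict) -> int:
        """Request filter: every path except /user/login needs the current token.

        A browser following a hidden <img src="http://localhost:8080/..."> sends
        no Authorization header, so such a request ends here with 401.
        """
        if path == "/user/login":
            return 200
        presented = headers.get("Authorization", "")
        if self._token is None or not hmac.compare_digest(presented, self._token):
            return 401
        return 200


def demo() -> dict:
    """Run the flow against a temporary data directory and return the outcomes."""
    data_dir = Path(tempfile.mkdtemp())
    store_password(data_dir, "correct horse battery")  # constructed sample password
    auth = ApiAuth(data_dir)
    results = {
        "wrong_password_login": auth.login("wrong"),
        "csrf_style_request_before_login": auth.handle("/wallet/balance", {}),
    }
    token = auth.login("correct horse battery")
    results["token_issued"] = token is not None
    results["with_token"] = auth.handle("/wallet/balance", {"Authorization": token})
    results["csrf_style_request_after_login"] = auth.handle("/wallet/balance", {})
    results["guessed_token"] = auth.handle("/wallet/balance", {"Authorization": "guess"})
    return results


if __name__ == "__main__":
    print(demo())
```

The digest follows the proposal's choice of SHA256 with a salt; if the stored file is ever exposed, an iterated password KDF such as `hashlib.pbkdf2_hmac` would slow offline guessing considerably more than a single SHA-256 round, so that is the setting a reviewer would ask about.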

---
*Side note*

Initially there was an idea to use the wallet password instead of a separate password for the API, but there may be cases
where users don't want a wallet password. It would also complicate the startup/restart process, as the wallet would have to be
decrypted before other services are initialized.

---

## Remote access over TOR

Every service bound to localhost can be exposed over TOR as a [hidden service](https://www.torproject.org/docs/tor-onion-service).
Here is a code snippet showing how to publish a hidden service that proxies traffic from port 80 (on TOR) to `localPort`: 

```java
private void publishHiddenServiceIfTorEnabled() {
    try {
        // Tor.getDefault() is null when Bisq is running without Tor; nothing to publish then.
        Tor tor = Tor.getDefault();
        if (null == tor) {
            return;
        }
        // The localhost-only port the HTTP API is bound to.
        final Integer localPort = bisqEnvironment.getHttpApiPort();
        // Publish a hidden service named "http-api": onion port 80 -> localhost:localPort.
        final HsContainer hsContainer = tor.publishHiddenService$tor("http-api", 80, localPort);
        log.info("HTTP API Tor hostname: {}", hsContainer.getHostname$tor());
    } catch (Throwable ex) {
        throw new RuntimeException(ex);
    }
}
```

### Mobile devices

As of the time of this writing, TOR is available only on Android devices.
In order to access the API from a mobile device, it needs to have [Orbot](https://guardianproject.info/apps/orbot/) installed.
The user can download it from the Google Play store.
Once Orbot is started, the user must enable `VPN mode` and press the `Start` button.
Now the traffic will be routed over TOR and all hidden services will be reachable from any application installed on that
mobile device (e.g. the user can access the API using the browser).



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/proposals/issues/69