Merge pull request #1251 from dfinity/marc0olo/improve-examples

Marc0olo/improve examples

Author: letmejustputthishere

hosting/oisy-signer-demo/frontend/public/.ic-assets.json5

@@ -0,0 +1,55 @@
+[
+    {
+        "match": "**/*",
+        "security_policy" : "hardened",
+        "headers": {
+            // Security: The Content Security Policy (CSP) given below aims at working with many apps rather than providing maximal security.
+            // We recommend tightening the CSP for your specific application. Some recommendations are as follows:
+            // - Use the CSP Evaluator (https://csp-evaluator.withgoogle.com/) to validate the CSP you define.
+            // - Follow the “Strict CSP” recommendations (https://csp.withgoogle.com/docs/strict-csp.html). However, note that in the context of the IC,
+            //   nonces cannot be used because the response bodies must be static to work well with HTTP asset certification.
+            //   Thus, we recommend to include script hashes (in combination with strict-dynamic) in the CSP as described
+            //   in https://csp.withgoogle.com/docs/faq.html in section “What if my site is static and I can't add nonces to scripts?”.
+            //   See for example the II CSP (https://github.com/dfinity/internet-identity/blob/main/src/internet_identity/src/http.rs).
+            // - It is recommended to tighten the connect-src directive. With the current CSP configuration the browser can
+            //   make requests to https://*.icp0.io, hence being able to call any canister via https://icp0.io/api/v2/canister/{canister-ID}.
+            //   This could potentially be used in combination with another vulnerability (e.g. XSS) to exfiltrate private data.
+            //   The developer can configure this policy to only allow requests to their specific canisters,
+            //   e.g: connect-src 'self' https://icp-api.io/api/v2/canister/{my-canister-ID}, where {my-canister-ID} has the following format: aaaaa-aaaaa-aaaaa-aaaaa-aaa
+            // - It is recommended to configure style-src, style-src-elem and font-src directives with the resources your canister is going to use
+            //   instead of using the wild card (*) option. Normally this will include 'self' but also other third party styles or fonts resources (e.g: https://fonts.googleapis.com or other CDNs)
+
+            // Notes about the CSP below:
+            // - We added img-src data: because data: images are used often.
+            // - frame-ancestors: none mitigates clickjacking attacks. See https://owasp.org/www-community/attacks/Clickjacking.
+            "Content-Security-Policy": "default-src 'self';script-src 'self';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
+
+            // Security: The permissions policy disables all features for security reasons. If your site needs such permissions, activate them.
+            // To configure permissions go here https://www.permissionspolicy.com/
+            // This example updated the clipboard-write permission to allow writing to clipboard
+            "Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()",
+
+            // Security: Mitigates clickjacking attacks.
+            // See: https://owasp.org/www-community/attacks/Clickjacking.
+            "X-Frame-Options": "DENY",
+
+            // Security: Avoids forwarding referrer information to other origins.
+            // See: https://owasp.org/www-project-secure-headers/#referrer-policy.
+            "Referrer-Policy": "same-origin",
+
+            // Security: Tells the user’s browser that it must always use HTTPS with your site.
+            // See: https://owasp.org/www-project-secure-headers/#http-strict-transport-security
+            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+
+            // Security: Prevents the browser from interpreting files as a different MIME type to what is specified in the Content-Type header.
+            // See: https://owasp.org/www-project-secure-headers/#x-content-type-options
+            "X-Content-Type-Options": "nosniff",
+
+            // Security: Enables browser features to mitigate some of the XSS attacks. Note that it has to be in mode=block.
+            // See: https://owasp.org/www-community/attacks/xss/
+            "X-XSS-Protection": "1; mode=block"
+        },
+        // Uncomment to redirect all requests from .raw.icp0.io to .icp0.io
+        // "allow_raw_access": false
+    },
+]

hosting/oisy-signer-demo/frontend/src/hooks/useOisyWallet.js

@@ -16,8 +16,8 @@ export function useOisyWallet() {
   const [accountIdentifier, setAccountIdentifier] = useState(null);
   const [defaultAgent, setDefaultAgent] = useState(null);
   const [oisySignerAgent, setOisySignerAgent] = useState(null);
-  const [oisyIcpLedgerAgent, setOisyIcpLedgerAgent] = useState(null);
-  const [oisyCkUsdcLedgerAgent, setOisyCkUsdcLedgerAgent] = useState(null);
+  const [oisyIcpActor, setOisyIcpActor] = useState(null);
+  const [oisyCkUsdcActor, setOisyCkUsdcActor] = useState(null);
 
   const [icpMetadata, setIcpMetadata] = useState();
   const [ckUsdcMetadata, setCkUsdcMetadata] = useState();
@@ -29,17 +29,17 @@ export function useOisyWallet() {
   const oisySigner = new Signer({ transport: oisyTransport });
 
   useEffect(() => {
-    if (oisySignerAgent && !oisyIcpLedgerAgent && !oisyCkUsdcLedgerAgent) {
-      const oisyIcpLedgerAgent = IcrcLedgerCanister.create({
+    if (oisySignerAgent && !oisyIcpActor && !oisyCkUsdcActor) {
+      const oisyIcpActor = IcrcLedgerCanister.create({
         agent: oisySignerAgent,
         canisterId: Principal.fromText(ICP_LEDGER_ID),
       });
-      const oisyckUsdcLedgerAgent = IcrcLedgerCanister.create({
+      const oisyCkUsdcActor = IcrcLedgerCanister.create({
         agent: oisySignerAgent,
         canisterId: Principal.fromText(CKUSDC_LEDGER_ID),
       });
-      setOisyIcpLedgerAgent(oisyIcpLedgerAgent);
-      setOisyCkUsdcLedgerAgent(oisyckUsdcLedgerAgent);
+      setOisyIcpActor(oisyIcpActor);
+      setOisyCkUsdcActor(oisyCkUsdcActor);
     }
     // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [oisySignerAgent]);
@@ -90,7 +90,7 @@ export function useOisyWallet() {
     const principal = icrcAccount.owner;
     const accountIdentifier = AccountIdentifier.fromPrincipal({ principal });
 
-    const defaultAgent = await HttpAgent.create({ host: 'https://ic0.app' });
+    const defaultAgent = await HttpAgent.create({ host: 'https://icp0.io' });
     const signerAgent = await SignerAgent.create({
       agent: defaultAgent,
       signer: oisySigner,
@@ -110,8 +110,8 @@ export function useOisyWallet() {
     setAccountIdentifier(null);
     setDefaultAgent(null);
     setOisySignerAgent(null);
-    setOisyIcpLedgerAgent(null);
-    setOisyCkUsdcLedgerAgent(null);
+    setOisyIcpActor(null);
+    setOisyCkUsdcActor(null);
     setIcpBalance(null);
     setCkUsdcBalance(null);
     setIcpMetadata(undefined);
@@ -147,7 +147,7 @@ export function useOisyWallet() {
     ckUsdcBalance,
     icpMetadata,
     ckUsdcMetadata,
-    transferIcp: () => transfer(oisyIcpLedgerAgent, icpMetadata),
-    transferCkUsdc: () => transfer(oisyCkUsdcLedgerAgent, ckUsdcMetadata),
+    transferIcp: () => transfer(oisyIcpActor, icpMetadata),
+    transferCkUsdc: () => transfer(oisyCkUsdcActor, ckUsdcMetadata),
   };
 }

motoko/nft-creator/frontend/public/.ic-assets.json5

@@ -11,6 +11,10 @@
 
         "headers": {
             "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data: https://science.nasa.gov;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
+            // Security: The permissions policy disables all features for security reasons. If your site needs such permissions, activate them.
+            // To configure permissions go here https://www.permissionspolicy.com/
+            // This example updated the clipboard-write permission to allow writing to clipboard
+            "Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()",
         },
 
         // Uncomment to disable the warning about using the

motoko/nft-creator/src/declarations/internet_identity/internet_identity.did

@@ -301,10 +301,12 @@ type CaptchaResult = ChallengeResult;
 
 // Extra information about registration status for new devices
 type DeviceRegistrationInfo = record {
-    // If present, the user has tentatively added a new device. This
-    // new device needs to be verified (see relevant endpoint) before
-    // 'expiration'.
+    // If present, the user has registered a new authentication method. This new authentication
+    // method needs to be confirmed before 'expiration' in order to be added to the identity.
     tentative_device : opt DeviceData;
+    // If present, the user has registered a new session. This new session needs to be confirmed before
+    // 'expiration' in order for it be authorized to register an authentication method to the identity.
+    tentative_session : opt principal;
     // The timestamp at which the anchor will turn off registration mode
     // (and the tentative device will be forgotten, if any, and if not verified)
     expiration : Timestamp;
@@ -481,10 +483,13 @@ type OpenIDRegFinishArg = record {
 
 // Extra information about registration status for new authentication methods
 type AuthnMethodRegistrationInfo = record {
-    // If present, the user has registered a new authentication method. This
-    // new authentication needs to be verified before 'expiration' in order to
-    // be added to the identity.
+
+    // If present, the user has registered a new authentication method. This new authentication
+    // method needs to be confirmed before 'expiration' in order to be added to the identity.
     authn_method : opt AuthnMethodData;
+    // If present, the user has registered a new session. This new session needs to be confirmed before
+    // 'expiration' in order for it be authorized to register an authentication method to the identity.
+    session : opt principal;
     // The timestamp at which the identity will turn off registration mode
     // (and the authentication method will be forgotten, if any, and if not verified)
     expiration : Timestamp;
@@ -495,6 +500,10 @@ type AuthnMethodConfirmationCode = record {
     expiration : Timestamp;
 };
 
+type AuthnMethodSessionInfo = record {
+    name : opt text;
+};
+
 type RegistrationId = text;
 
 type AuthnMethodRegisterError = variant {
@@ -526,6 +535,13 @@ type AuthnMethodRegistrationModeEnterError = variant {
     InternalCanisterError : text;
 };
 
+type AuthnMethodRegistrationModeExitError = variant {
+    Unauthorized : principal;
+    InternalCanisterError : text;
+    RegistrationModeOff;
+    InvalidMetadata : text;
+};
+
 type LookupByRegistrationIdError = variant {
     InvalidRegistrationId : text;
 };
@@ -860,12 +876,19 @@ service : (opt InternetIdentityInit) -> {
 
     // Exits the authentication method registration mode for the identity.
     // Requires authentication.
-    authn_method_registration_mode_exit : (IdentityNumber) -> (variant { Ok; Err });
+    authn_method_registration_mode_exit : (IdentityNumber, opt AuthnMethodData) -> (variant { Ok; Err : AuthnMethodRegistrationModeExitError });
 
     // Registers a new authentication method to the identity.
     // This authentication method needs to be confirmed before it can be used for authentication on this identity.
     authn_method_register : (IdentityNumber, AuthnMethodData) -> (variant { Ok : AuthnMethodConfirmationCode; Err : AuthnMethodRegisterError });
 
+    // Registers a new session for the identity.
+    // This session needs to be confirmed before it can be used to register an authentication method on this identity.
+    authn_method_session_register : (IdentityNumber) -> (variant { Ok : AuthnMethodConfirmationCode; Err : AuthnMethodRegisterError });
+
+    // Returns session info when session is confirmed and caller matches session.
+    authn_method_session_info : (IdentityNumber) -> (opt AuthnMethodSessionInfo) query;
+
     // Confirms a previously registered authentication method.
     // On successful confirmation, the authentication method is permanently added to the identity and can
     // subsequently be used for authentication for that identity.

motoko/nft-creator/src/declarations/internet_identity/internet_identity.did.d.ts

@@ -78,6 +78,7 @@ export type AuthnMethodRegisterError = { 'RegistrationModeOff' : null } |
   { 'InvalidMetadata' : string };
 export interface AuthnMethodRegistrationInfo {
   'expiration' : Timestamp,
+  'session' : [] | [Principal],
   'authn_method' : [] | [AuthnMethodData],
 }
 export type AuthnMethodRegistrationModeEnterError = {
@@ -86,6 +87,12 @@ export type AuthnMethodRegistrationModeEnterError = {
   { 'InternalCanisterError' : string } |
   { 'AlreadyInProgress' : null } |
   { 'Unauthorized' : Principal };
+export type AuthnMethodRegistrationModeExitError = {
+    'InternalCanisterError' : string
+  } |
+  { 'RegistrationModeOff' : null } |
+  { 'Unauthorized' : Principal } |
+  { 'InvalidMetadata' : string };
 export type AuthnMethodReplaceError = { 'AuthnMethodNotFound' : null } |
   { 'InvalidMetadata' : string };
 export interface AuthnMethodSecuritySettings {
@@ -95,6 +102,7 @@ export interface AuthnMethodSecuritySettings {
 export type AuthnMethodSecuritySettingsReplaceError = {
     'AuthnMethodNotFound' : null
   };
+export interface AuthnMethodSessionInfo { 'name' : [] | [string] }
 export interface BufferedArchiveEntry {
   'sequence_number' : bigint,
   'entry' : Uint8Array | number[],
@@ -156,6 +164,7 @@ export type DeviceProtection = { 'unprotected' : null } |
 export interface DeviceRegistrationInfo {
   'tentative_device' : [] | [DeviceData],
   'expiration' : Timestamp,
+  'tentative_session' : [] | [Principal],
 }
 export interface DeviceWithUsage {
   'alias' : string,
@@ -442,9 +451,9 @@ export interface _SERVICE {
       { 'Err' : AuthnMethodRegistrationModeEnterError }
   >,
   'authn_method_registration_mode_exit' : ActorMethod<
-    [IdentityNumber],
+    [IdentityNumber, [] | [AuthnMethodData]],
     { 'Ok' : null } |
-      { 'Err' : null }
+      { 'Err' : AuthnMethodRegistrationModeExitError }
   >,
   'authn_method_remove' : ActorMethod<
     [IdentityNumber, PublicKey],
@@ -461,6 +470,15 @@ export interface _SERVICE {
     { 'Ok' : null } |
       { 'Err' : AuthnMethodSecuritySettingsReplaceError }
   >,
+  'authn_method_session_info' : ActorMethod<
+    [IdentityNumber],
+    [] | [AuthnMethodSessionInfo]
+  >,
+  'authn_method_session_register' : ActorMethod<
+    [IdentityNumber],
+    { 'Ok' : AuthnMethodConfirmationCode } |
+      { 'Err' : AuthnMethodRegisterError }
+  >,
   'check_captcha' : ActorMethod<
     [CheckCaptchaArg],
     { 'Ok' : IdRegNextStepResult } |

motoko/nft-creator/src/declarations/internet_identity/internet_identity.did.js

@@ -169,13 +169,20 @@ export const idlFactory = ({ IDL }) => {
     'AlreadyInProgress' : IDL.Null,
     'Unauthorized' : IDL.Principal,
   });
+  const AuthnMethodRegistrationModeExitError = IDL.Variant({
+    'InternalCanisterError' : IDL.Text,
+    'RegistrationModeOff' : IDL.Null,
+    'Unauthorized' : IDL.Principal,
+    'InvalidMetadata' : IDL.Text,
+  });
   const AuthnMethodReplaceError = IDL.Variant({
     'AuthnMethodNotFound' : IDL.Null,
     'InvalidMetadata' : IDL.Text,
   });
   const AuthnMethodSecuritySettingsReplaceError = IDL.Variant({
     'AuthnMethodNotFound' : IDL.Null,
   });
+  const AuthnMethodSessionInfo = IDL.Record({ 'name' : IDL.Opt(IDL.Text) });
   const CheckCaptchaArg = IDL.Record({ 'solution' : IDL.Text });
   const RegistrationFlowNextStep = IDL.Variant({
     'CheckCaptcha' : IDL.Record({ 'captcha_png_base64' : IDL.Text }),
@@ -271,6 +278,7 @@ export const idlFactory = ({ IDL }) => {
   const DeviceRegistrationInfo = IDL.Record({
     'tentative_device' : IDL.Opt(DeviceData),
     'expiration' : Timestamp,
+    'tentative_session' : IDL.Opt(IDL.Principal),
   });
   const IdentityAnchorInfo = IDL.Record({
     'name' : IDL.Opt(IDL.Text),
@@ -339,6 +347,7 @@ export const idlFactory = ({ IDL }) => {
   });
   const AuthnMethodRegistrationInfo = IDL.Record({
     'expiration' : Timestamp,
+    'session' : IDL.Opt(IDL.Principal),
     'authn_method' : IDL.Opt(AuthnMethodData),
   });
   const IdentityInfo = IDL.Record({
@@ -527,8 +536,13 @@ export const idlFactory = ({ IDL }) => {
         [],
       ),
     'authn_method_registration_mode_exit' : IDL.Func(
-        [IdentityNumber],
-        [IDL.Variant({ 'Ok' : IDL.Null, 'Err' : IDL.Null })],
+        [IdentityNumber, IDL.Opt(AuthnMethodData)],
+        [
+          IDL.Variant({
+            'Ok' : IDL.Null,
+            'Err' : AuthnMethodRegistrationModeExitError,
+          }),
+        ],
         [],
       ),
     'authn_method_remove' : IDL.Func(
@@ -551,6 +565,21 @@ export const idlFactory = ({ IDL }) => {
         ],
         [],
       ),
+    'authn_method_session_info' : IDL.Func(
+        [IdentityNumber],
+        [IDL.Opt(AuthnMethodSessionInfo)],
+        ['query'],
+      ),
+    'authn_method_session_register' : IDL.Func(
+        [IdentityNumber],
+        [
+          IDL.Variant({
+            'Ok' : AuthnMethodConfirmationCode,
+            'Err' : AuthnMethodRegisterError,
+          }),
+        ],
+        [],
+      ),
     'check_captcha' : IDL.Func(
         [CheckCaptchaArg],
         [