Merge pull request #52 from Impa10r/v1.5.2
v1.5.2
Impa10r authored Jun 6, 2024
2 parents 90be01f + ea01563 commit 87f11a4
Showing 24 changed files with 501 additions and 162 deletions.
4 changes: 2 additions & 2 deletions .vscode/launch.json
Expand Up @@ -9,11 +9,11 @@
"type": "go",
"request": "launch",
"mode": "auto",
"buildFlags": "-tags cln",
"buildFlags": "-tags lnd",
"program": "${workspaceFolder}/cmd/psweb/",
"showLog": false,
"envFile": "${workspaceFolder}/.env",
//"args": ["-datadir", "/home/vlad/.peerswap2"]
// "args": ["-datadir", "/home/vlad/.peerswap2"]
}
]
}
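Review bot: the buildFlags switch from "-tags cln" to "-tags lnd" in the shared debug configuration looks like a local preference rather than part of the 1.5.2 changes, and anyone debugging the CLN build now has to edit the file back. Consider keeping two named launch configurations, one per tag, and dropping the commented-out args line that carries a personal home directory path.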
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,11 @@
# Versions

## 1.5.2

- Add navigation menu
- Allow HTTPS with single password client authentication
- Add -password key to configure PSWeb with HTTPS and password

## 1.5.1

- Enable setting fee rates, including inbound for LND 0.18+
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -109,6 +109,8 @@ To enable downloading of a backup file of the Elements wallet it is necessary to

***Warning*** If you tried PS Web's Docker version first and then switched to the one built from source, the configuration files will be incorrect. The easiest way to fix this is to delete ```peerswap.conf``` and ```pswebconfig.json```.

PeerSwap Web UI can be initialized in HTTPS mode with a pre-set password using -password key. CA and server certificates will be generated and saved in the data folder.

## Update

When a new version comes out, just build the app again and restart:
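Review bot: the added sentence about the -password key does not show the invocation, and it does not mention that a password passed as a command-line argument is visible in the process list and usually ends up in shell history. Add a one-line usage example, say which files are generated in the data folder and that CA.crt has to be installed on the client, and link to the password paragraph in SECURITY.md so the trade-off is read before the option is used.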
2 changes: 2 additions & 0 deletions SECURITY.md
Expand Up @@ -2,6 +2,8 @@

PeerSwap Web UI offers secure communication with the clients via TLS. When HTTPS option is enabled, a self-signed root Certificate Authority CA.crt is created first. It is then used to sign two certificates: server.crt and client.crt. Both CA.crt and client.crt need to be installed on the client's devices, to bootstrap a secure connection with the server. The server.crt certificate is used during the TLS handshake to authenticate the server to the client. Our communication channel is now encrypted and no third party can eavesdrop or connect to the server.

For networks with small attack surface it is possible to opt-in for a less secure setup with a single client password instead of the client.crt certificate. In this case a session browser cookie is used to maintain authentication status. This cookie expires on browser close or logout menu item. Warning: without CA certificate installed on the user device an unencripted HTTP connection can still be established. If a user logs in with the password over HTTP it can be sniffed by an attacker. Always make sure to install the CA certificates when opting for password authentication.

## Privacy Disclosure

There is no centralized server. PeerSwap Web UI does not share your private data with the contributors. The software, however, may utilize API endpoints of github.com, mempool.space, telegram.org and getblock.io to send and receive certain information. You can avoid leaking your IP address to these websites by specifying a Tor proxy on the Configuration page. You may also provide URL of a locally installed Mempool server.
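Review bot: the warning in the added paragraph says an unencrypted HTTP connection can still be established in password mode, which leaves protection of the password to each user installing the CA certificate. Consider refusing the login form over plain HTTP (or redirecting to HTTPS) whenever a password is configured, so the documentation does not have to carry that risk, and state in this paragraph which attributes the session cookie is set with. "unencripted" should read "unencrypted", and "expires on browser close or logout menu item" would be clearer as "expires when the browser is closed or the user logs out".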
2 changes: 1 addition & 1 deletion cmd/psweb/config/common.go
Expand Up @@ -48,8 +48,8 @@ type Configuration struct {
AutoSwapTargetPct uint64
SecureConnection bool
ServerIPs string
SerialNumber int64 // for CA-signed server certificates
SecurePort string
Password string
}

var Config Configuration
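Review bot: the Password string field in Configuration reads as the cleartext password kept next to ordinary settings. If this struct is what Save() writes to pswebconfig.json, the password ends up on disk in the clear; store a salted hash (for example bcrypt) and compare against that at login. A short comment on the field stating what it holds, cleartext or hash, would also help the next reader.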
9 changes: 8 additions & 1 deletion cmd/psweb/config/tls.go
Expand Up @@ -9,6 +9,7 @@ import (
"encoding/pem"
"errors"
"fmt"
"log"
"math/big"
"net"
"os"
Expand Down Expand Up @@ -82,10 +83,12 @@ func GenerateCA() error {
defer signedCertFile.Close()
pem.Encode(signedCertFile, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})

log.Println("Generated new CA.crt and CA.key")

return nil
}

func GenereateServerCertificate() error {
func GenerateServerCertificate() error {
crtPath := filepath.Join(Config.DataDir, "server.crt")
keyPath := filepath.Join(Config.DataDir, "server.key")
crtPathCA := filepath.Join(Config.DataDir, "CA.crt")
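Review bot: in GenerateCA the context line pem.Encode(signedCertFile, ...) drops its error, and the new log.Println("Generated new CA.crt and CA.key") runs unconditionally right after it, so the log can report success for a certificate file that was not fully written. Check the pem.Encode error and return it before logging. The rename from GenereateServerCertificate to GenerateServerCertificate changes an exported name, so confirm every caller is updated in this commit.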
Expand Down Expand Up @@ -175,6 +178,8 @@ func GenereateServerCertificate() error {

Save()

log.Println("Generated new server.crt and server.key")

return nil
}

Expand Down Expand Up @@ -253,6 +258,8 @@ func GenerateClientCertificate(password string) error {
return err
}

log.Println("Generated new client.crt and client.key")

return nil
}
