This release is focused on security upgrades which include:
Refactoring existing JWT implementation by adding validation for JWT fields.
Automatic member registration based on JWT payload.
Removal of keypair auth.
Removal requirement for private key to be stored at environment variable (now Peatio requires only public key for JWT to work).
The release also includes various fixes and improvements.
#629: Remove keypair authentication.
The patch removes all stuff related to APIv2 authentication using Hash-based Message Authentication Code (HMAC).
Some important components which are removed:
All existing Peatio clients should think of upgrading to JWT, or wait until secure server-to-server API is released.
#620: Refactor withdraw destination: implement new fiat withdraw story, leverage existing withdraw API resources, and update UI.
The patch replaces
FundSource in favor of
WithdrawDestination works in STI mode providing
WithdrawDestination::Fiat are packed with common fields:
WithdrawDestination::Coin is shipped with additional fields:
WithdrawDestination::Fiat is shipped with typical bank withdraw fields:
Instead of keeping common table structure we moved specific fields into JSON field called
API changes include:
type, available values are
address(string) is replaced with
currency, and all specific fields to withdraw destination type.
GET /withdraws/addressesis now
POST /withdraws/addressesis now
POST /withdraws/destinations: mandatory params include
label, and specific fields to withdraw destination type.
DELETE /withdraws/addresses/:idis now
POST /withdraws: parameter
Member#withdraw_destinations are now always ordered with
Private::FundSourcesController is migrated to
destroy action is removed until we will denormalize withdraw fields, or find another solution for storing withdraw destination data.
#676: Stop keeping private key for JWT, use it only in specs.
The patch replaces
JWT_SHARED_SECRET_KEY (private key) with
JWT_PUBLIC_KEY (public key) for security reasons. So Peatio now will not store any private keys which is much better for security.
We removed all predefined values for
JWT_SHARED_SECRET_KEY in all environments.
We included new guide for getting keypair to be used with JWT in config/application.yml (available after
curl -H "Authorization: Bearer JWT" http://localhost:3000/api/v2/members/me.
#661: Remove Member#jwt without replacements.
The patch removes dangerous method which was used only for testing purposes.
#662: Remove helper controller used for testing: Test::ModuleController & Test::MembersController.
The patch removed controllers & routes which was used for QA purposes. These resources could generate example members, and return them including JWT.
#657: Add on the fly member registration based on JWT payload (Barong only).
The patch implements automatic member registration based on JWT payload when using API (only for JWT provided by Barong).
How it works: When client makes request to API and passes header
Authorization: Bearer JWT authenticator
APIv2::Auth::JWTAuthenticator will decode, verify JWT, and, if JWT is issued by Barong, will register or update member.
JWT payload structure (see linked commit at Barong):
uid: used ID at barong (similar value to
level: member level represented as number (see available values at
state: member state (values are defined by Barong, some of them include
pending), Peatio will set member to disabled unless
#665: Update JWT specs by adding additional JWT fields.
The patch adds specs which cover most of common usage for the next fields:
#658: Update JWT gem to 2.1.x.
#669: Enable verification of special JWT payload fields.
The patch allows to customize which JWT fields should be validated by setting environment variables:
Get more info at config/application.yml (available after running
Specs will now generate public and private keypair in runtime automatically.
#643: Update bin/init_config & bin/link_config according to new config templates structure and updated requirements for config/seed.
#616: Fix wrong blockchain explorer URL in deposit & withdrawal history.
The patch fixes interpolation issues with URL addresses displayed at user deposit/withdraw history, and in many places at admin panel. The wallet URL address template was interpolated using transaction ID, now it is interpolated with address.
#649: Fix broken market «Notify» On/Off buttons.
The feature was broken after migration currencies.yml to database. The patch restores previous behaviour.
#675: Fix order of commands in bin/setup to resolve issues with asset installation step.
The patch fixes related issues in workbench:
#674: Add missing DASH/USD market to markets.yml.
The patch resolved issues with broken websocket_api.rb daemon.