This release is focused on security upgrades which include:
Refactoring existing JWT implementation by adding validation for JWT fields.
Automatic member registration based on JWT payload.
Removal of keypair auth.
Removal requirement for private key to be stored at environment variable (now Peatio requires only public key for JWT to work).
The release also includes various fixes and improvements.
#629: Remove keypair authentication.
The patch removes all stuff related to APIv2 authentication using Hash-based Message Authentication Code (HMAC).
Some important components which are removed:
APIToken
APIv2::Auth::KeypairAuthenticator
Private::APITokensController
APIv2::IncorrectSignatureError
APIv2::TonceUsedError
APIv2::InvalidTonceError
APIv2::InvalidAccessKeyError
APIv2::DisabledAccessKeyError
APIv2::ExpiredAccessKeyError
APIv2::OutOfScopeError
All existing Peatio clients should think of upgrading to JWT, or wait until secure server-to-server API is released.
#620: Refactor withdraw destination: implement new fiat withdraw story, leverage existing withdraw API resources, and update UI.
The patch replaces FundSource
in favor of WithdrawDestination
.
Model WithdrawDestination
works in STI mode providing WithdrawDestination::Coin
and WithdrawDestination::Fiat
.
Both WithdrawDestination::Coin
and WithdrawDestination::Fiat
are packed with common fields:
label
WithdrawDestination::Coin
is shipped with additional fields:
address
WithdrawDestination::Fiat
is shipped with typical bank withdraw fields:
bank_name
bank_branch_name
bank_branch_address
bank_identifier_code
bank_account_number
bank_account_holder_name
Instead of keeping common table structure we moved specific fields into JSON field called details
.
API changes include:
type
, available values are fiat
and coin
.address
(string) is replaced with destination
object.id
, label
, type
, currency
, and all specific fields to withdraw destination type.GET /withdraws/addresses
is now GET /withdraws/destinations
.POST /withdraws/addresses
is now POST /withdraws/destinations
.POST /withdraws/destinations
: mandatory params include currency
, label
, and specific fields to withdraw destination type.DELETE /withdraws/addresses/:id
is now DELETE /withdraws/destinations/:id
.POST /withdraws
: parameter address_id
renamed to destination_id
.Member#withdraws
and Member#withdraw_destinations
are now always ordered with id DESC
.
Private::FundSourcesController
is migrated to Private::WithdrawDestinationsController
, destroy
action is removed until we will denormalize withdraw fields, or find another solution for storing withdraw destination data.
#676: Stop keeping private key for JWT, use it only in specs.
The patch replaces JWT_SHARED_SECRET_KEY
(private key) with JWT_PUBLIC_KEY
(public key) for security reasons. So Peatio now will not store any private keys which is much better for security.
We removed all predefined values for JWT_SHARED_SECRET_KEY
in all environments.
We included new guide for getting keypair to be used with JWT in config/application.yml (available after bin/init_config
).
Migration steps:
JWT_PUBLIC_KEY
at Peatio.curl -H "Authorization: Bearer JWT" http://localhost:3000/api/v2/members/me
.#661: Remove Member#jwt without replacements.
The patch removes dangerous method which was used only for testing purposes.
#662: Remove helper controller used for testing: Test::ModuleController & Test::MembersController.
The patch removed controllers & routes which was used for QA purposes. These resources could generate example members, and return them including JWT.
#657: Add on the fly member registration based on JWT payload (Barong only).
The patch implements automatic member registration based on JWT payload when using API (only for JWT provided by Barong).
How it works: When client makes request to API and passes header Authorization: Bearer JWT
authenticator APIv2::Auth::JWTAuthenticator
will decode, verify JWT, and, if JWT is issued by Barong, will register or update member.
JWT payload structure (see linked commit at Barong):
email
: member email.uid
: used ID at barong (similar value to sn
at Peatio).level
: member level represented as number (see available values at Member::Levels
, app/enums/member/levels.rb).state
: member state (values are defined by Barong, some of them include active
, pending
), Peatio will set member to disabled unless state
is active
.#665: Update JWT specs by adding additional JWT fields.
The patch adds specs which cover most of common usage for the next fields:
#658: Update JWT gem to 2.1.x.
#669: Enable verification of special JWT payload fields.
The patch allows to customize which JWT fields should be validated by setting environment variables:
JWT_ISSUER
JWT_AUDIENCE
JWT_DEFAULT_LEEWAY
JWT_ISSUED_AT_LEEWAY
JWT_EXPIRATION_LEEWAY
JWT_NOT_BEFORE_LEEWAY
Get more info at config/application.yml (available after running bin/init_config
).
Specs will now generate public and private keypair in runtime automatically.
#643: Update bin/init_config & bin/link_config according to new config templates structure and updated requirements for config/seed.
#616: Fix wrong blockchain explorer URL in deposit & withdrawal history.
The patch fixes interpolation issues with URL addresses displayed at user deposit/withdraw history, and in many places at admin panel. The wallet URL address template was interpolated using transaction ID, now it is interpolated with address.
#649: Fix broken market «Notify» On/Off buttons.
The feature was broken after migration currencies.yml to database. The patch restores previous behaviour.
#675: Fix order of commands in bin/setup to resolve issues with asset installation step.
The patch fixes related issues in workbench:
#674: Add missing DASH/USD market to markets.yml.
#677: Fix regression after #372.
The patch resolved issues with broken websocket_api.rb daemon.