Peatio 1.4.0 (March 12, 2018)

Overview

This release is focused on security upgrades which include:

  1. Refactoring existing JWT implementation by adding validation for JWT fields.

  2. Automatic member registration based on JWT payload.

  3. Removal of keypair auth.

  4. Removal requirement for private key to be stored at environment variable (now Peatio requires only public key for JWT to work).

The release also includes various fixes and improvements.

Breaking changes

  • #629: Remove keypair authentication.

The patch removes all stuff related to APIv2 authentication using Hash-based Message Authentication Code (HMAC).

Some important components which are removed:

  • APIToken
  • APIv2::Auth::KeypairAuthenticator
  • Private::APITokensController
  • APIv2::IncorrectSignatureError
  • APIv2::TonceUsedError
  • APIv2::InvalidTonceError
  • APIv2::InvalidAccessKeyError
  • APIv2::DisabledAccessKeyError
  • APIv2::ExpiredAccessKeyError
  • APIv2::OutOfScopeError

All existing Peatio clients should think of upgrading to JWT, or wait until secure server-to-server API is released.

  • #620: Refactor withdraw destination: implement new fiat withdraw story, leverage existing withdraw API resources, and update UI.

The patch replaces FundSource in favor of WithdrawDestination.

Model WithdrawDestination works in STI mode providing WithdrawDestination::Coin and WithdrawDestination::Fiat.

Both WithdrawDestination::Coin and WithdrawDestination::Fiat are packed with common fields:

  • label

WithdrawDestination::Coin is shipped with additional fields:

  • address

WithdrawDestination::Fiat is shipped with typical bank withdraw fields:

  • bank_name
  • bank_branch_name
  • bank_branch_address
  • bank_identifier_code
  • bank_account_number
  • bank_account_holder_name

Instead of keeping common table structure we moved specific fields into JSON field called details.

API changes include:

  • Withdraw entity: new field called type, available values are fiat and coin.
  • Withdraw entity: field address (string) is replaced with destination object.
  • Withdraw address entity replaced in favor of destination: includes id, label, type, currency, and all specific fields to withdraw destination type.
  • GET /withdraws/addresses is now GET /withdraws/destinations.
  • POST /withdraws/addresses is now POST /withdraws/destinations.
  • POST /withdraws/destinations: mandatory params include currency, label, and specific fields to withdraw destination type.
  • DELETE /withdraws/addresses/:id is now DELETE /withdraws/destinations/:id.
  • POST /withdraws: parameter address_id renamed to destination_id.

Member#withdraws and Member#withdraw_destinations are now always ordered with id DESC.

Private::FundSourcesController is migrated to Private::WithdrawDestinationsController, destroy action is removed until we will denormalize withdraw fields, or find another solution for storing withdraw destination data.

  • #676: Stop keeping private key for JWT, use it only in specs.

The patch replaces JWT_SHARED_SECRET_KEY (private key) with JWT_PUBLIC_KEY (public key) for security reasons. So Peatio now will not store any private keys which is much better for security.

We removed all predefined values for JWT_SHARED_SECRET_KEY in all environments.

We included new guide for getting keypair to be used with JWT in config/application.yml (available after bin/init_config).

Migration steps:

  1. Generate new keypair using guide from application.yml.
  2. Update private key at your JWT provider.
  3. Set public key value to JWT_PUBLIC_KEY at Peatio.
  4. Ask JWT provider for new token.
  5. Ensure API works by using cURL: curl -H "Authorization: Bearer JWT" http://localhost:3000/api/v2/members/me.
  • #661: Remove Member#jwt without replacements.

The patch removes dangerous method which was used only for testing purposes.

  • #662: Remove helper controller used for testing: Test::ModuleController & Test::MembersController.

The patch removed controllers & routes which was used for QA purposes. These resources could generate example members, and return them including JWT.

New features

  • #657: Add on the fly member registration based on JWT payload (Barong only).

The patch implements automatic member registration based on JWT payload when using API (only for JWT provided by Barong).

How it works: When client makes request to API and passes header Authorization: Bearer JWT authenticator APIv2::Auth::JWTAuthenticator will decode, verify JWT, and, if JWT is issued by Barong, will register or update member.

JWT payload structure (see linked commit at Barong):

  1. email: member email.
  2. uid: used ID at barong (similar value to sn at Peatio).
  3. level: member level represented as number (see available values at Member::Levels, app/enums/member/levels.rb).
  4. state: member state (values are defined by Barong, some of them include active, pending), Peatio will set member to disabled unless state is active.

Enhancements

  • #665: Update JWT specs by adding additional JWT fields.

The patch adds specs which cover most of common usage for the next fields:

  1. iat
  2. exp
  3. jti
  4. sub
  5. iss
  6. aud
  • #658: Update JWT gem to 2.1.x.

  • #669: Enable verification of special JWT payload fields.

The patch allows to customize which JWT fields should be validated by setting environment variables:

  1. JWT_ISSUER
  2. JWT_AUDIENCE
  3. JWT_DEFAULT_LEEWAY
  4. JWT_ISSUED_AT_LEEWAY
  5. JWT_EXPIRATION_LEEWAY
  6. JWT_NOT_BEFORE_LEEWAY

Get more info at config/application.yml (available after running bin/init_config).

Specs will now generate public and private keypair in runtime automatically.

  • #643: Update bin/init_config & bin/link_config according to new config templates structure and updated requirements for config/seed.

Fixes

  • #616: Fix wrong blockchain explorer URL in deposit & withdrawal history.

The patch fixes interpolation issues with URL addresses displayed at user deposit/withdraw history, and in many places at admin panel. The wallet URL address template was interpolated using transaction ID, now it is interpolated with address.

  • #649: Fix broken market «Notify» On/Off buttons.

The feature was broken after migration currencies.yml to database. The patch restores previous behaviour.

  • #675: Fix order of commands in bin/setup to resolve issues with asset installation step.

The patch fixes related issues in workbench:

The patch resolved issues with broken websocket_api.rb daemon.