hirosystems · janniks · Apr 19, 2022 · Mar 21, 2022 · Apr 14, 2022 · Apr 18, 2022
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/auth/package.json b/packages/auth/package.json
@@ -44,7 +44,6 @@
     "@stacks/encryption": "^3.3.0",
     "@stacks/network": "^3.3.0",
     "@stacks/profile": "^3.3.0",
-    "c32check": "^1.1.3",
     "cross-fetch": "^3.1.4",
     "jsontokens": "^3.0.0",
     "query-string": "^6.13.1"

diff --git a/packages/auth/src/index.ts b/packages/auth/src/index.ts
@@ -6,7 +6,6 @@ export {
   verifyAuthResponse,
   isExpirationDateValid,
   isIssuanceDateValid,
-  doPublicKeysMatchUsername,
   doPublicKeysMatchIssuer,
   doSignaturesMatchPublicKeys,
   isManifestUriValid,

diff --git a/packages/auth/src/messages.ts b/packages/auth/src/messages.ts
@@ -12,7 +12,7 @@ import {
 } from '@stacks/encryption';
 import { DEFAULT_SCOPE, AuthScope } from './constants';
 
-const VERSION = '1.3.1';
+const VERSION = '1.4.0';
 
 type AuthMetadata = {
   email?: string;
@@ -159,7 +159,6 @@ export async function decryptPrivateKey(
  * @param  {String} privateKey the identity key of the Blockstack ID generating
  * the authentication response
  * @param  {Object} profile the profile object for the Blockstack ID
- * @param  {String} username the username of the Blockstack ID if any, otherwise `null`
  * @param  {AuthMetadata} metadata an object containing metadata sent as part of the authentication
  * response including `email` if requested and available and a URL to the profile
  * @param  {String} coreToken core session token when responding to a legacy auth request
@@ -181,7 +180,6 @@ export async function makeAuthResponse(
   privateKey: string,
   // eslint-disable-next-line @typescript-eslint/ban-types
   profile: {} = {},
-  username: string | null = null,
   metadata: AuthMetadata | null,
   coreToken: string | null = null,
   appPrivateKey: string | null = null,
@@ -232,7 +230,6 @@ export async function makeAuthResponse(
       public_keys: [publicKey],
       appPrivateKeyFromWalletSalt,
       profile,
-      username,
       core_token: coreTokenPayload,
     },
     additionalProperties

diff --git a/packages/auth/src/userData.ts b/packages/auth/src/userData.ts
@@ -2,8 +2,6 @@
  *  Returned from the [[UserSession.loadUserData]] function.
  */
 export interface UserData {
-  // public: the blockstack ID (for example: stackerson.id or alice.blockstack.id)
-  username: string;
   // public: the email address for the user. only available if the `email`
   // scope is requested, and if the user has entered a valid email into
   // their profile.

diff --git a/packages/auth/src/userSession.ts b/packages/auth/src/userSession.ts
@@ -25,7 +25,7 @@ import {
   nextHour,
 } from '@stacks/common';
 import { extractProfile } from '@stacks/profile';
-import { AuthScope, DEFAULT_PROFILE, NAME_LOOKUP_PATH } from './constants';
+import { AuthScope, DEFAULT_PROFILE } from './constants';
 import * as queryString from 'query-string';
 import { UserData } from './userData';
 import { StacksMainnet } from '@stacks/network';
@@ -237,27 +237,7 @@ export class UserSession {
       throw new Error('Unexpected token payload type of string');
     }
 
-    // Section below is removed since the config was never persisted and therefore useless
-
-    // if (isLaterVersion(tokenPayload.version as string, '1.3.0')
-    //    && tokenPayload.blockstackAPIUrl !== null && tokenPayload.blockstackAPIUrl !== undefined) {
-    //   // override globally
-    //   Logger.info(`Overriding ${config.network.blockstackAPIUrl} `
-    //     + `with ${tokenPayload.blockstackAPIUrl}`)
-    //   // TODO: this config is never saved so the user node preference
-    //   // is not respected in later sessions..
-    //   config.network.blockstackAPIUrl = tokenPayload.blockstackAPIUrl as string
-    //   coreNode = tokenPayload.blockstackAPIUrl as string
-    // }
-
-    const nameLookupURL = `${coreNode}${NAME_LOOKUP_PATH}`;
-
-    const fallbackLookupURLs = [
-      `https://stacks-node-api.stacks.co${NAME_LOOKUP_PATH}`,
-      `https://registrar.stacks.co${NAME_LOOKUP_PATH}`,
-    ].filter(url => url !== nameLookupURL);
-
-    const isValid = await verifyAuthResponse(authResponseToken, nameLookupURL, fallbackLookupURLs);
+    const isValid = await verifyAuthResponse(authResponseToken);
     if (!isValid) {
       throw new LoginFailedError('Invalid authentication response.');
     }
@@ -317,7 +297,6 @@ export class UserSession {
     }
 
     const userData: UserData = {
-      username: tokenPayload.username as string,
       profile: tokenPayload.profile,
       email: tokenPayload.email as string,
       decentralizedID: tokenPayload.iss,

diff --git a/packages/auth/src/verification.ts b/packages/auth/src/verification.ts
@@ -1,9 +1,8 @@
+import { isSameOriginAbsoluteUrl } from '@stacks/common';
+import { publicKeyToAddress } from '@stacks/encryption';
 import { decodeToken, TokenVerifier } from 'jsontokens';
 import { getAddressFromDID } from './dids';
-import { publicKeyToAddress } from '@stacks/encryption';
-import { fetchPrivate, isSameOriginAbsoluteUrl } from '@stacks/common';
 import { fetchAppManifest } from './provider';
-import { c32ToB58 } from 'c32check';
 
 /**
  * Checks if the ES256k signature on passed `token` match the claimed public key
@@ -65,70 +64,6 @@ export function doPublicKeysMatchIssuer(token: string): boolean {
   return false;
 }
 
-/**
- * Looks up the identity address that owns the claimed username
- * in `token` using the lookup endpoint provided in `nameLookupURL`
- * to determine if the username is owned by the identity address
- * that matches the claimed public key
- *
- * @param  {String} token  encoded and signed authentication token
- * @param  {String} nameLookupURL a URL to the name lookup endpoint of the Blockstack Core API
- * @return {Promise<Boolean>} returns a `Promise` that resolves to
- * `true` if the username is owned by the public key, otherwise the
- * `Promise` resolves to `false`
- * @private
- * @ignore
- */
-export async function doPublicKeysMatchUsername(
-  token: string,
-  nameLookupURL: string
-): Promise<boolean> {
-  try {
-    const payload = decodeToken(token).payload;
-    if (typeof payload === 'string') {
-      throw new Error('Unexpected token payload type of string');
-    }
-    if (!payload.username) {
-      return true;
-    }
-
-    if (payload.username === null) {
-      return true;
-    }
-
-    if (nameLookupURL === null) {
-      return false;
-    }
-
-    const username = payload.username;
-    const url = `${nameLookupURL.replace(/\/$/, '')}/${username}`;
-    const response = await fetchPrivate(url);
-    const responseText = await response.text();
-    const responseJSON = JSON.parse(responseText);
-    if (responseJSON.hasOwnProperty('address')) {
-      const nameOwningAddress = responseJSON.address;
-      let nameOwningAddressBtc = nameOwningAddress;
-      try {
-        // try converting STX to BTC
-        // if this throws, it's already a BTC address
-        nameOwningAddressBtc = c32ToB58(nameOwningAddress, 0);
-      } catch {}
-      const addressFromIssuer = getAddressFromDID(payload.iss);
-      if (nameOwningAddressBtc === addressFromIssuer) {
-        return true;
-      } else {
-        return false;
-      }
-    } else {
-      return false;
-    }
-  } catch (error) {
-    console.log(error);
-    console.log('Error checking `doPublicKeysMatchUsername`');
-    return false;
-  }
-}
-
 /**
  * Checks if the if the token issuance time and date is after the
  * current time and date.
@@ -268,29 +203,17 @@ export async function verifyAuthRequestAndLoadManifest(token: string): Promise<a
 /**
  * Verify the authentication response is valid.
  * @param {String} token the authentication response token
- * @param {String} nameLookupURL the url use to verify owner of a username
- * @param fallbackLookupURLs an optional array of name lookup URLs to check usernames for
  * @return {Promise} that resolves to true if auth response
  * is valid and false if it does not
  * @private
  * @ignore
  */
-export async function verifyAuthResponse(
-  token: string,
-  nameLookupURL: string,
-  fallbackLookupURLs?: string[]
-): Promise<boolean> {
-  const values = await Promise.all([
+export async function verifyAuthResponse(token: string): Promise<boolean> {
+  const conditions = await Promise.all([
     isExpirationDateValid(token),
     isIssuanceDateValid(token),
     doSignaturesMatchPublicKeys(token),
     doPublicKeysMatchIssuer(token),
   ]);
-  const usernameMatchings = await Promise.all(
-    [nameLookupURL]
-      .concat(fallbackLookupURLs || [])
-      .map(url => doPublicKeysMatchUsername(token, url))
-  );
-  const someUsernameMatches = usernameMatchings.includes(true);
-  return !!someUsernameMatches && values.every(val => val);
+  return conditions.every(val => val);
 }