Releases: Lamden/wallet
v2.5.2 Misc Hotfixes
Misc Hotfixes - Version 2.5.2
Fixes
The change password feature would change the login password but fail to re-encrypt the keys in the legacy vault storage.
The "View Private Key" button in the account options didn't work and now does.
The masternode policy was always OPEN and never closed after completing the motion.
Hotfix for change password
After the 2.5.0 upgrade, which made the wallet compatible with Manifest V3, the change password feature of the wallet was broken.
This hotfix addresses that issue and adds a new page under Settings called "Fix Vault" to repair the vault of anyone who may have used the change password feature while it was broken.
Steps to fix Vault:
- Click Settings > Fix Vault
- Enter the previous password
- Click Repair
v2.5.0
Compatibility with Chrome Manifest V3.
Auth Endpoint for Dapp API
Add Account Auth to Lamden Vault API
Description
Add a mechanism to the Lamden Vault that will allow the Dapp to verify that the Lamden Vault holds the private key for the VK it provided. Authenticating this can open up new, more trusted possibilities in Dapps, such as logins.
Problem
This needs to be done in a secure way. There are possibilities of a man-in-the-middle attack or that a user has a modified Lamden Vault. We also don't want this feature to be used to sign data that can be used anywhere else or create logins elsewhere. A Dapp should have no doubt this Lamden Vault has the associated private key and the user should be protected from signing data that could be used for other non-auth things.
Solution
- A new endpoint will be added to the content.js file that can be called via a new Event.
- A new event will be added to the content.js file to allow the Lamden Vault to communicate back to the Dapp.
- The Dapp will be required to provide a string of data called a dapp_challenge.
- The Lamden Vault will append a string of data similar to the dapp_challenge, called the vault_challenge.
- The Lamden Vault will join the two strings together with some boilerplate, [VAULT_AUTH]__DAPP__ + dapp_challenge + __VAULT__ + vault_challenge, to create the challenge_message.
- This new string will be signed with the private key for whatever Lamden Vault account is currently attached to that Dapp.
- The Lamden Vault sends back the signature and the vault_challenge so the Dapp can reconstruct the challenge_message and verify the signature.
Security
This auth method is similar to other OAuth flows where both sides provide a piece of the challenge_message that gets signed. Among other things, this prevents the signature from being reused somewhere else and prevents the Lamden Vault from signing ANY anonymous data.
The dapp_challenge gives the Dapp the ability to reconstruct the challenge_message after the fact, because only the Dapp would know it. If the Dapp changes this value every time (say, by using the current date/time stamp), then any auth response can be ensured to be current and responsive to that particular auth call. It would not be advisable for a Dapp to use a static dapp_challenge: if the signature for that phrase is leaked, a compromised Lamden Vault can just provide it over and over again to "prove" auth even though the challenge_message was signed elsewhere.
In addition to the above we will also impose the following restrictions as to what a dapp_challenge can be:
- Must be a string
- Must not be a JSON parseable string (although mitigated by other means this also avoids sending tx payloads to be signed)
- Must have a length <= 64 characters (avoid signing massive challenges for no reason)
The added vault_challenge ensures that the auth is being used for the correct purpose and the user isn't just being asked to sign ANY string with their private key. The danger in that is that a Dapp could have the user sign some other package and use it somewhere else to prove the user wanted to do something they are unaware of.
The boilerplate is a simple visual cue that tells anyone looking at the challenge_message what it is. If you were shown the challenge_message together with a valid signature and asked "why did you sign this?", you could reason that it was an authentication from the Lamden Vault. The boilerplate isn't meant to be secret, but it will need to be known when reconstructing the challenge_message.
Example Auth routine
```javascript
// Import lamden-js
import Lamden from 'lamden-js'

// Listen for auth responses (the handler is a hoisted function declaration, defined further down)
document.addEventListener('auth_return', handle_auth_return)

// Create a fresh dapp_challenge from the current time.
// toISOString() is used because Date.toString() includes the time zone name
// and can exceed the 64-character limit on dapp_challenge.
const dapp_challenge = new Date().toISOString()

// Send the auth event to the Lamden Vault, response will be handled via auth_return
document.dispatchEvent(new CustomEvent('auth', {detail: JSON.stringify({dapp_challenge})}));

// Handler for auth responses
function handle_auth_return(response){
    // Extract info from the response. CustomEvent payloads arrive on the event's
    // detail property (assumed here to be an object with these two fields).
    const { signature, vault_challenge } = response.detail

    // Get the account the Lamden Vault has previously provided
    // (get_vk_from_vault is the Dapp's own helper, not defined here)
    const account_vk = get_vk_from_vault()

    // Join the 'dapp_challenge' and the 'vault_challenge' with boilerplate to recreate 'challenge_message'
    // This should be the message that was created in the Lamden Vault and signed by the user's private key
    const challenge_message = `[VAULT_AUTH]__DAPP__${dapp_challenge}__VAULT__${vault_challenge}`

    // Verify the signature using lamden-js
    if (Lamden.wallet.verify(account_vk, challenge_message, signature)){
        // User is authorized
    }else{
        // User NOT authorized
    }
}
```
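Both sides of the exchange described under Solution, together with the dapp_challenge restrictions listed under Security, as an added example that is not part of the release notes or the Lamden code base. Node's built-in Ed25519 stands in for the Vault's signer and for Lamden.wallet.verify; the function names, the random-nonce dapp_challenge and the hex vault_challenge format are assumptions.

```javascript
// Added example: Node's built-in Ed25519 stands in for the Vault's signer
// and for Lamden.wallet.verify. All function names here are hypothetical.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Boilerplate from the release notes.
const buildChallengeMessage = (dappChallenge, vaultChallenge) =>
  `[VAULT_AUTH]__DAPP__${dappChallenge}__VAULT__${vaultChallenge}`;

// Vault side: the three dapp_challenge restrictions. Returns a reason or null.
function rejectReason(dappChallenge) {
  if (typeof dappChallenge !== 'string') return 'not a string';
  if (dappChallenge.length > 64) return 'longer than 64 characters';
  try { JSON.parse(dappChallenge); return 'JSON parseable'; } catch { return null; }
}

// Vault side: sign only the wrapped message, never the raw Dapp input.
function vaultAuth(privateKey, dappChallenge) {
  const reason = rejectReason(dappChallenge);
  if (reason) throw new Error(`dapp_challenge rejected: ${reason}`);
  const vault_challenge = randomBytes(16).toString('hex'); // assumed format
  const message = buildChallengeMessage(dappChallenge, vault_challenge);
  const signature = sign(null, Buffer.from(message), privateKey).toString('hex');
  return { signature, vault_challenge };
}

// Dapp side: challenges are single-use, so a leaked response cannot be replayed.
const pending = new Set();
function issueChallenge() {
  const dappChallenge = `n-${randomBytes(16).toString('hex')}`; // 34 chars, not JSON
  pending.add(dappChallenge);
  return dappChallenge;
}

function dappVerify(publicKey, dappChallenge, { signature, vault_challenge }) {
  if (!pending.delete(dappChallenge)) return false; // never issued, or already used
  const message = buildChallengeMessage(dappChallenge, vault_challenge);
  return verify(null, Buffer.from(message), publicKey, Buffer.from(signature, 'hex'));
}

// Constructed run: one fresh login, then the same response replayed.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const challenge = issueChallenge();
  const response = vaultAuth(privateKey, challenge);
  return {
    fresh: dappVerify(publicKey, challenge, response),
    replayed: dappVerify(publicKey, challenge, response),
  };
}
```

The single-use `pending` set is what turns the "change the dapp_challenge every time" advice into an enforced check on the Dapp side.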
Fix dapp connections for V2
A hotfix to enable DAPP connections on V2 networks.
Hotfix 2.3.1
Fixes:
- Fixed Issue #265 which was a UI bug when switching between tokens when sending
- Made it so a user cannot initiate a transaction if they don't have TAU in their wallet
- Fixed how the wallet encodes Lists into transactions
- Added a 10% buffer to the stamp estimation in case the node network determines a higher stamp amount than the estimator.
Testnet V2 Support
Features
- Lamden Vault is now compatible with Testnet V2 which you can find in the network dropdown.
- Transactions will now estimate how many stamps your transaction will take, so no more guessing! Stamp Estimation also allows the wallet to get the expected result of the transaction and let you know why it will fail before you run it!
Fixes
- Fixed transactions hanging and not reporting success or failure.
Fiat values for TAU and Tokens
Features
- Wallet now displays fiat values and allows the user to switch between a few major ones.
- The transaction popup now allows stamps to be edited from what the Dapp specified.
- The "Any" KWARG in the smart contract interface now allows you to choose any of the types to send
- The account details screens are now gone with the main accounts screen being the only view now. They were viewed as redundant.
Fixes
- Minor UI fixes
Hotfix 2.1.5
Fixes
- Many users reported the wallet would report all transactions as successful regardless of the real result. This has been fixed.
- Custom networks were showing the currency symbol as "dTAU" instead of the custom set symbol.
Lamden Vault Release 2.0!
Introducing Lamden Vault 2.0!
A major update to the Lamden Wallet which is now rebranded as Lamden Vault. The main change is now the addition of Vault wallets that are BIP39/36 compliant. This allows backing up the entire Lamden Vault with a 24-word seed phrase.
Current accounts are renamed to Legacy Accounts and they will continue to be backed up via a Keystore and are not covered under your seed phrase.
New users will be defaulted to Vault accounts and will never see Legacy accounts (unless added via the recovery options). Current users will have the option to Create a Vault and begin to move assets over from their legacy accounts.
Along with the Vault, the wallet also got some much-needed support for custom networks. The wallet can now be easily connected to another Lamden network for developers or what have you.
New Features
- New and refreshed look including a rebrand to Lamden Vault
- Lamden Vault now supports BIP39 Wallets (HD Wallets) as the main way to make accounts and back up the wallet.
- New Manage Networks section where you can add other Lamden networks
Bug fixes
- Many