Account recovery

.gitignore

@@ -1 +1,2 @@
 node_modules/
+.env

README.md

@@ -14,26 +14,16 @@ npm install
 
 ## Run server
 
-```
-node app.js
-```
-
-## Create contract
-
-```
-http post http://localhost:3000/contract nonce:=2 sender=bob receiver=test contract=`base64 main.wasm`
-```
-
-## Call contract method
-
-```
-http post http://localhost:3000/contract/test/totalSupply nonce:=2 sender=bob args:="[]"
-```
+Make sure that before running service there are appropriate env variables set (can be put in  `.env` file in root directory of project):
 
-## View account
+* `NODE_ENV` Node.js environment (should be `production` for production use, `development` for local development)
+* `PORT` HTTP port to listen at, defaults to `3000`
+* `TWILIO_FROM_PHONE` – phone number from which to send SMS with security code (international format, starting with `+`)
+* `TWILIO_ACCOUNT_SID` – account SID from Twilio (used to send security code)
+* `TWILIO_AUTH_TOKEN` – auth token from Twilio (used to send security code)
 
 ```
-http get http://localhost:3000/account/bob
+npm start
 ```
 
 ## Create account

app.js

@@ -15,7 +15,7 @@ app.use(async function(ctx, next) {
     try {
         await next();
     } catch(e) {
-        console.log("Error: ", e);
+        console.log('Error: ', e);
         if (e.response) {
             ctx.throw(e.response.status, e.response.text);
         }
@@ -47,41 +47,7 @@ const near = new Near(nearClient);
 const account = new Account(nearClient);
 const NEW_ACCOUNT_AMOUNT = 100;
 
-const viewAccount = accountId => {
-    return account.viewAccount(accountId);
-};
-
-router.post('/contract', async ctx => {
-    const body = ctx.request.body;
-    keyStore.setKey(body.receiver, defaultKey);
-    ctx.body = await near.waitForTransactionResult(
-        await near.deployContract(body.receiver, Buffer.from(body.contract, 'base64')));
-});
-
-router.post('/contract/:name/:methodName', async ctx => {
-    const body = ctx.request.body;
-    const sender = body.sender || defaultSender;
-    const args = body.args || {};
-    ctx.body = await near.waitForTransactionResult(
-        await near.scheduleFunctionCall(parseInt(body.amount) || 0, sender, ctx.params.name, ctx.params.methodName, args));
-});
-
-router.post('/contract/view/:name/:methodName', async ctx => {
-    const body = ctx.request.body;
-    const args = body.args || {};
-    ctx.body = await near.callViewFunction(defaultSender, ctx.params.name, ctx.params.methodName, args);
-});
-
-router.get('/account/:name', async ctx => {
-    ctx.body = await viewAccount(ctx.params.name);
-});
-
-/**
- * Create a new account. Generate a throw away account id (UUID).
- * Returns account name and public/private key.
- */
 router.post('/account', async ctx => {
-    // TODO: this is using alice account to create all accounts. We may want to change that.
     const body = ctx.request.body;
     const newAccountId = body.newAccountId;
     const newAccountPublicKey = body.newAccountPublicKey;
@@ -93,6 +59,49 @@ router.post('/account', async ctx => {
     ctx.body = response;
 });
 
+const password = require('secure-random-password');
+const models = require('./models');
+const FROM_PHONE = process.env.TWILIO_FROM_PHONE || '+14086179592';
+const SECURITY_CODE_DIGITS = 6;
+router.post('/account/:phoneNumber/:accountId/requestCode', async ctx => {
+    const accountId = ctx.params.accountId;
+    const phoneNumber = ctx.params.phoneNumber;
+
+    const securityCode = password.randomPassword({ length: SECURITY_CODE_DIGITS, characters: password.digits });
+    const [account] = await models.Account.findOrCreate({ where: { accountId, phoneNumber } });
+    await account.update({ securityCode });
+
+    const accountSid = process.env.TWILIO_ACCOUNT_SID;
+    const authToken = process.env.TWILIO_AUTH_TOKEN;
+    const client = require('twilio')(accountSid, authToken);
+    await client.messages
+        .create({
+            body: `Your NEAR Wallet security code is: ${securityCode}`,
+            from: FROM_PHONE,
+            to: phoneNumber
+        });
+    ctx.body = {};
+});
+
+router.post('/account/:phoneNumber/:accountId/validateCode', async ctx => {
+    const accountId = ctx.params.accountId;
+    const phoneNumber = ctx.params.phoneNumber;
+
+    const securityCode = ctx.request.body.securityCode
+
+    const account = await models.Account.findOne({ where: { accountId, phoneNumber } });
+    if (!account.securityCode || account.securityCode != securityCode) {
+        ctx.throw(401);
+    }
+    if (!account.confirmed) {
+        // TODO: Validate that user actually owns account (e.g. expect signed message with securityCode)
+    }
+    await account.update({ securityCode: null, confirmed: true });
+    // TODO: Update account key using nearlib
+
+    ctx.body = {};
+});
+
 app
     .use(router.routes())
     .use(router.allowedMethods());

config/config.json

@@ -0,0 +1,23 @@
+{
+  "development": {
+    "username": "helper",
+    "password": "helper",
+    "database": "accounts_development",
+    "host": "127.0.0.1",
+    "dialect": "postgres"
+  },
+  "test": {
+    "username": "helper",
+    "password": "helper",
+    "database": "accounts_test",
+    "host": "127.0.0.1",
+    "dialect": "postgres"
+  },
+  "production": {
+    "username": "helper",
+    "password": "helper",
+    "database": "accounts_production",
+    "host": "127.0.0.1",
+    "dialect": "postgres"
+  }
+}

migrations/20190430081305-create-account.js

@@ -0,0 +1,38 @@
+'use strict';
+module.exports = {
+    up: (queryInterface, Sequelize) => {
+        return queryInterface.createTable('Accounts', {
+            id: {
+                allowNull: false,
+                autoIncrement: true,
+                primaryKey: true,
+                type: Sequelize.INTEGER
+            },
+            accountId: {
+                type: Sequelize.STRING
+            },
+            phoneNumber: {
+                type: Sequelize.STRING
+            },
+            securityCode: {
+                type: Sequelize.STRING
+            },
+            confirmed: {
+                type: Sequelize.BOOLEAN,
+                allowNull: false,
+                defaultValue: false
+            },
+            createdAt: {
+                allowNull: false,
+                type: Sequelize.DATE
+            },
+            updatedAt: {
+                allowNull: false,
+                type: Sequelize.DATE
+            }
+        });
+    },
+    down: (queryInterface, Sequelize) => {
+        return queryInterface.dropTable('Accounts');
+    }
+};

models/account.js

@@ -0,0 +1,17 @@
+'use strict';
+module.exports = (sequelize, DataTypes) => {
+    const Account = sequelize.define('Account', {
+        accountId: DataTypes.STRING,
+        phoneNumber: DataTypes.STRING,
+        securityCode: DataTypes.STRING,
+        confirmed: {
+            type: DataTypes.BOOLEAN,
+            allowNull: false,
+            defaultValue: false
+        }
+    }, {});
+    Account.associate = function(models) {
+    // associations can be defined here
+    };
+    return Account;
+};

models/index.js

@@ -0,0 +1,37 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const Sequelize = require('sequelize');
+const basename = path.basename(__filename);
+const env = process.env.NODE_ENV || 'development';
+const config = require(__dirname + '/../config/config.json')[env];
+const db = {};
+
+let sequelize;
+if (config.use_env_variable) {
+    sequelize = new Sequelize(process.env[config.use_env_variable], config);
+} else {
+    sequelize = new Sequelize(config.database, config.username, config.password, config);
+}
+
+fs
+    .readdirSync(__dirname)
+    .filter(file => {
+        return (file.indexOf('.') !== 0) && (file !== basename) && (file.slice(-3) === '.js');
+    })
+    .forEach(file => {
+        const model = sequelize['import'](path.join(__dirname, file));
+        db[model.name] = model;
+    });
+
+Object.keys(db).forEach(modelName => {
+    if (db[modelName].associate) {
+        db[modelName].associate(db);
+    }
+});
+
+db.sequelize = sequelize;
+db.Sequelize = Sequelize;
+
+module.exports = db;