feat: all unverified inbound sessions

package.json

@@ -13,7 +13,7 @@
     "lint": "eslint --color --ext .ts src/",
     "test": "yarn test:unit && yarn test:e2e",
     "test:unit": "mocha 'test/unit/**/*.test.ts'",
-    "test:e2e": "mocha 'test/unit/**/*.test.ts'"
+    "test:e2e": "mocha 'test/e2e/**/*.test.ts'"
   },
   "pre-push": [
     "lint"

src/config/index.ts

@@ -31,4 +31,5 @@ export const defaultConfig: IDiscv5Config = {
   lookupTimeout: 60 * 1000,
   pingInterval: 300 * 1000,
   enrUpdate: true,
+  allowUnverifiedSessions: false,
 };

src/service/service.ts

@@ -73,18 +73,18 @@ export interface IDiscv5CreateOptions {
  * Additionally, the service offers events when peers are added to the peer table or discovered via lookup.
  */
 export class Discv5 extends (EventEmitter as { new (): Discv5EventEmitter }) {
+  /**
+   * Session service that establishes sessions with peers
+   */
+  public sessionService: SessionService;
+
   /**
    * Configuration
    */
   private config: IDiscv5Config;
 
   private started = false;
 
-  /**
-   * Session service that establishes sessions with peers
-   */
-  private sessionService: SessionService;
-
   /**
    * Storage of the ENR record for each node
    *
@@ -386,10 +386,9 @@ export class Discv5 extends (EventEmitter as { new (): Discv5EventEmitter }) {
   /**
    * Send TALKRESP message to requesting node
    */
-  public async sendTalkResp(remote: ENR | Multiaddr, requestId: RequestId, payload: Uint8Array): Promise<void> {
+  public async sendTalkResp(remote: INodeAddress, requestId: RequestId, payload: Uint8Array): Promise<void> {
     const msg = createTalkResponseMessage(requestId, payload);
-    const nodeAddr = getNodeAddress(createNodeContact(remote));
-    this.sendRpcResponse(nodeAddr, msg);
+    this.sendRpcResponse(remote, msg);
   }
 
   /**
@@ -402,8 +401,8 @@ export class Discv5 extends (EventEmitter as { new (): Discv5EventEmitter }) {
   /**
    * Sends a PING request to a node
    */
-  private sendPing(enr: ENR): void {
-    this.sendRpcRequest({ contact: createNodeContact(enr), request: createPingMessage(this.enr.seq) });
+  public sendPing(nodeAddr: ENR | Multiaddr): void {
+    this.sendRpcRequest({ contact: createNodeContact(nodeAddr), request: createPingMessage(this.enr.seq) });
   }
 
   /**
@@ -638,9 +637,14 @@ export class Discv5 extends (EventEmitter as { new (): Discv5EventEmitter }) {
 
   // process events from the session service
 
-  private onEstablished = (enr: ENR, direction: ConnectionDirection): void => {
-    // Ignore sessions with non-contactable ENRs
-    if (!enr.getLocationMultiaddr("udp")) {
+  private onEstablished = (
+    nodeAddr: INodeAddress,
+    enr: ENR,
+    direction: ConnectionDirection,
+    verified: boolean
+  ): void => {
+    // Ignore sessions with unverified or non-contactable ENRs
+    if (!verified || !enr.getLocationMultiaddr("udp")) {
       return;
     }
 

src/session/service.ts

@@ -430,7 +430,7 @@ export class SessionService extends (EventEmitter as { new (): StrictEventEmitte
         this.send(nodeAddr, authPacket);
 
         // Notify the application that the session has been established
-        this.emit("established", requestCall.contact.enr, connectionDirection);
+        this.emit("established", nodeAddr, requestCall.contact.enr, connectionDirection, true);
         break;
       }
       case INodeContactType.Raw: {
@@ -460,13 +460,10 @@ export class SessionService extends (EventEmitter as { new (): StrictEventEmitte
   }
 
   /**
-   * Verifies a Node ENR to its observed address.
-   * If it fails, any associated session is also considered failed.
-   * If it succeeds, we notify the application
+   * Compares the ENR multiaddr to its observed address.
+   * Returns true if they match
    */
   private verifyEnr(enr: ENR, nodeAddr: INodeAddress): boolean {
-    // If the ENR does not match the observed IP addresses,
-    // we consider the session failed.
     const enrMultiaddr = enr.getLocationMultiaddr("udp");
     return enr.nodeId === nodeAddr.nodeId && (enrMultiaddr?.equals(nodeAddr.socketAddr) ?? true);
   }
@@ -510,28 +507,34 @@ export class SessionService extends (EventEmitter as { new (): StrictEventEmitte
       );
 
       // Receiving an AuthResponse must give us an up-to-date view of the node ENR.
-      // Verify the ENR is valid
-      if (this.verifyEnr(enr, nodeAddr)) {
-        // Session is valid
-        // Notify the application
-        // The session established here are from WHOAREYOU packets that we sent.
-        // This occurs when a node established a connection with us.
-        this.emit("established", enr, ConnectionDirection.Incoming);
-
-        this.newSession(nodeAddr, session);
-
-        // decrypt the message
-        this.handleMessage(src, {
-          maskingIv: packet.maskingIv,
-          header: createHeader(
-            PacketType.Message,
-            encodeMessageAuthdata({ srcId: nodeAddr.nodeId }),
-            packet.header.nonce
-          ),
-          message: packet.message,
-          messageAd: encodeChallengeData(packet.maskingIv, packet.header),
-        });
+      // Verify the ENR endpoint matches observed node address
+      const verified = this.verifyEnr(enr, nodeAddr);
+
+      // Drop session if invalid ENR and session service not configured to allow unverified sessions
+      if (!verified && !this.config.allowUnverifiedSessions) {
+        log("ENR contains invalid socket address. Dropping session with %o", nodeAddr);
+        this.failSession(nodeAddr, RequestErrorType.InvalidRemoteENR, true);
+        return;
       }
+
+      // Notify application
+      // The session established here are from WHOAREYOU packets that we sent.
+      // This occurs when a node established a connection with us.
+      this.emit("established", nodeAddr, enr, ConnectionDirection.Outgoing, verified);
+
+      this.newSession(nodeAddr, session);
+
+      // decrypt the message
+      this.handleMessage(src, {
+        maskingIv: packet.maskingIv,
+        header: createHeader(
+          PacketType.Message,
+          encodeMessageAuthdata({ srcId: nodeAddr.nodeId }),
+          packet.header.nonce
+        ),
+        message: packet.message,
+        messageAd: encodeChallengeData(packet.maskingIv, packet.header),
+      });
     } catch (e) {
       if ((e as Error).name === ERR_INVALID_SIG) {
         log("Authentication header contained invalid signature. Ignoring packet from: %o", nodeAddr);
@@ -619,15 +622,24 @@ export class SessionService extends (EventEmitter as { new (): StrictEventEmitte
           if (message.type === MessageType.NODES) {
             // Received the requested ENR
             const enr = message.enrs.pop();
+
             if (enr) {
-              if (this.verifyEnr(enr, nodeAddr)) {
-                // Notify the application
-                // This can occur when we try to dial a node without an
-                // ENR. In this case we have attempted to establish the
-                // connection, so this is an outgoing connection.
-                this.emit("established", enr, ConnectionDirection.Outgoing);
+              // Verify the ENR endpoint matches observed node address
+              const verified = this.verifyEnr(enr, nodeAddr);
+
+              // Drop session if invalid ENR and session service not configured to allow unverified sessions
+              if (!verified && !this.config.allowUnverifiedSessions) {
+                log("ENR contains invalid socket address. Dropping session with %o", nodeAddr);
+                this.failSession(nodeAddr, RequestErrorType.InvalidRemoteENR, true);
                 return;
               }
+              // Notify the application
+              // This can occur when we try to dial a node without an
+              // ENR. In this case we have attempted to establish the
+              // connection, so this is an outgoing connection.
+              this.emit("established", nodeAddr, enr, ConnectionDirection.Outgoing, verified);
+
+              return;
             }
           }
 

src/session/types.ts

@@ -31,6 +31,11 @@ export interface ISessionConfig {
    * The maximum number of established sessions to maintain
    */
   sessionCacheCapacity: number;
+  /**
+   * Allow sessions with unverified ENRs (i.e. either have no UDP endpoint specified or else reported
+   * UDP endpoint does not match observed socket address)
+   */
+  allowUnverifiedSessions: boolean;
 }
 
 export enum RequestErrorType {
@@ -122,7 +127,7 @@ export interface ISessionEvents {
   /**
    * A session has been established with a node
    */
-  established: (enr: ENR, connectionDirection: ConnectionDirection) => void;
+  established: (nodeAddr: INodeAddress, enr: ENR, connectionDirection: ConnectionDirection, verified: boolean) => void;
   /**
    * A Request was received
    */

test/e2e/connect.test.ts

@@ -66,17 +66,17 @@ describe("discv5 integration test", function () {
 
     // test a TALKRESP with no response
     try {
-      await node0.discv5.sendTalkReq(node1.enr.nodeId, Buffer.from([0, 1, 2, 3]), "foo");
+      await node0.discv5.sendTalkReq(node1.enr, Buffer.from([0, 1, 2, 3]), "foo");
       expect.fail("TALKREQ response should throw when no response is given");
     } catch (e) {
     }
 
     // test a TALKRESP with a response
     const expectedResp = Buffer.from([4, 5, 6, 7]);
     node1.discv5.on("talkReqReceived", (nodeAddr, enr, request) => {
-      node1.discv5.sendTalkResp(nodeAddr.nodeId, request.id, expectedResp);
+      node1.discv5.sendTalkResp(nodeAddr, request.id, expectedResp);
     });
-    const resp = await node0.discv5.sendTalkReq(node1.enr.nodeId, Buffer.from([0, 1, 2, 3]), "foo");
+    const resp = await node0.discv5.sendTalkReq(node1.enr, Buffer.from([0, 1, 2, 3]), "foo");
     expect(resp).to.deep.equal(expectedResp);
 
   });

test/unit/session/service.test.ts

@@ -37,6 +37,7 @@ describe("session service", () => {
 
   let service0: SessionService;
   let service1: SessionService;
+  let service2: SessionService;
 
   beforeEach(async () => {
     transport0 = new UDPTransportService(addr0, enr0.nodeId);
@@ -74,7 +75,7 @@ describe("session service", () => {
       service1.sendChallenge(nodeAddr, authTag, enr0);
     });
     const establishedSession = new Promise<void>((resolve) =>
-      service1.once("established", (enr) => {
+      service1.once("established", (_, enr) => {
         expect(enr).to.deep.equal(enr0);
         resolve();
       })