Username hashing

ts/components/EditUsernameModalBody.stories.tsx

@@ -20,7 +20,7 @@ const i18n = setupI18n('en', enMessages);
 const DEFAULT_RESERVATION: UsernameReservationType = {
   username: 'reserved.56',
   previousUsername: undefined,
-  reservationToken: 'unused token',
+  hash: new Uint8Array(),
 };
 
 export default {
@@ -87,7 +87,7 @@ const Template: Story<ArgsType> = args => {
     reservation = {
       username: `reserved.${args.discriminator}`,
       previousUsername: undefined,
-      reservationToken: 'unused token',
+      hash: new Uint8Array(),
     };
   }
   return <EditUsernameModalBody {...args} reservation={reservation} />;

ts/services/storageRecordOps.ts

@@ -236,6 +236,10 @@ export function toAccountRecord(
   if (avatarUrl !== undefined) {
     accountRecord.avatarUrl = avatarUrl;
   }
+  const username = conversation.get('username');
+  if (username !== undefined) {
+    accountRecord.username = username;
+  }
   accountRecord.noteToSelfArchived = Boolean(conversation.get('isArchived'));
   accountRecord.noteToSelfMarkedUnread = Boolean(
     conversation.get('markedUnread')
@@ -1136,6 +1140,7 @@ export async function mergeAccountRecord(
     hasViewedOnboardingStory,
     storiesDisabled,
     storyViewReceiptsEnabled,
+    username,
   } = accountRecord;
 
   const updatedConversations = new Array<ConversationModel>();
@@ -1407,6 +1412,7 @@ export async function mergeAccountRecord(
   conversation.set({
     isArchived: Boolean(noteToSelfArchived),
     markedUnread: Boolean(noteToSelfMarkedUnread),
+    username: dropNull(username),
     storageID,
     storageVersion,
   });

ts/services/username.ts

@@ -1,8 +1,12 @@
 // Copyright 2021 Signal Messenger, LLC
 // SPDX-License-Identifier: AGPL-3.0-only
 
+import { usernames } from '@signalapp/libsignal-client';
+
 import { singleProtoJobQueue } from '../jobs/singleProtoJobQueue';
+import { strictAssert } from '../util/assert';
 import { sleep } from '../util/sleep';
+import { getMinNickname, getMaxNickname } from '../util/Username';
 import type { UsernameReservationType } from '../types/Username';
 import { ReserveUsernameError } from '../types/Username';
 import * as Errors from '../types/errors';
@@ -58,14 +62,29 @@ export async function reserveUsername(
   }
 
   try {
-    const { username, reservationToken } = await server.reserveUsername({
+    const candidates = usernames.generateCandidates(
       nickname,
+      getMinNickname(),
+      getMaxNickname()
+    );
+    const hashes = candidates.map(username => usernames.hash(username));
+
+    const { usernameHash } = await server.reserveUsername({
+      hashes,
       abortSignal,
     });
 
+    const index = hashes.findIndex(hash => hash.equals(usernameHash));
+    if (index === -1) {
+      log.warn('reserveUsername: failed to find username hash in the response');
+      return { ok: false, error: ReserveUsernameError.Unprocessable };
+    }
+
+    const username = candidates[index];
+
     return {
       ok: true,
-      reservation: { previousUsername, username, reservationToken },
+      reservation: { previousUsername, username, hash: usernameHash },
     };
   } catch (error) {
     if (error instanceof HTTPError) {
@@ -116,18 +135,20 @@ export async function confirmUsername(
     throw new Error('server interface is not available!');
   }
 
-  const { previousUsername, username, reservationToken } = reservation;
+  const { previousUsername, username, hash } = reservation;
 
   const me = window.ConversationController.getOurConversationOrThrow();
 
   if (me.get('username') !== previousUsername) {
     throw new Error('Username has changed on another device');
   }
+  const proof = usernames.generateProof(username);
+  strictAssert(usernames.hash(username).equals(hash), 'username hash mismatch');
 
   try {
     await server.confirmUsername({
-      usernameToConfirm: username,
-      reservationToken,
+      hash,
+      proof,
       abortSignal,
     });
 

ts/test-electron/state/ducks/username_test.ts

@@ -25,7 +25,7 @@ import { ReserveUsernameError } from '../../../types/Username';
 const DEFAULT_RESERVATION = {
   username: 'abc.12',
   previousUsername: undefined,
-  reservationToken: 'def',
+  hash: new Uint8Array(),
 };
 
 describe('electron/state/ducks/username', () => {

ts/test-mock/pnp/merge_test.ts

@@ -432,6 +432,13 @@ describe('pnp/merge', function needsName() {
     debug('Open PNI conversation');
     await leftPane.locator(`[data-testid="${pniContact.device.pni}"]`).click();
 
+    debug('Wait for ACI conversation to go away');
+    await window
+      .locator(`.module-conversation-hero >> ${pniContact.profileName}`)
+      .waitFor({
+        state: 'hidden',
+      });
+
     debug('Verify absence of messages in the PNI conversation');
     {
       const messages = window.locator('.module-message__text');

ts/test-mock/pnp/username_test.ts

@@ -17,6 +17,8 @@ export const debug = createDebug('mock:test:username');
 const IdentifierType = Proto.ManifestRecord.Identifier.Type;
 
 const USERNAME = 'signalapp.55';
+const NICKNAME = 'signalapp';
+const CARL_USERNAME = 'carl.84';
 
 describe('pnp/username', function needsName() {
   this.timeout(durations.MINUTE);
@@ -92,9 +94,7 @@ describe('pnp/username', function needsName() {
       .waitFor();
 
     debug('adding profile key for username contact');
-    let state: StorageState = await phone.expectStorageState(
-      'consistency check'
-    );
+    let state = await phone.expectStorageState('consistency check');
     state = state.updateContact(usernameContact, {
       profileKey: usernameContact.profileKey.serialize(),
     });
@@ -134,4 +134,132 @@ describe('pnp/username', function needsName() {
       assert.strictEqual(removed[0].contact?.username, USERNAME);
     }
   });
+
+  it('reserves/confirms/deletes username', async () => {
+    const { phone, server } = bootstrap;
+
+    const window = await app.getWindow();
+
+    debug('opening avatar context menu');
+    await window
+      .locator('.module-main-header .module-Avatar__contents')
+      .click();
+
+    debug('opening profile editor');
+    await window
+      .locator('.module-avatar-popup .module-avatar-popup__profile')
+      .click();
+
+    debug('opening username editor');
+    const profileEditor = window.locator('.ProfileEditor');
+    await profileEditor.locator('.ProfileEditor__row >> "Username"').click();
+
+    debug('entering new username');
+    const usernameField = profileEditor.locator('.Input__input');
+    await usernameField.type(NICKNAME);
+
+    debug('waiting for generated discriminator');
+    const discriminator = profileEditor.locator(
+      '.EditUsernameModalBody__discriminator:not(:empty)'
+    );
+    await discriminator.waitFor();
+
+    const discriminatorValue = await discriminator.innerText();
+    assert.match(discriminatorValue, /^\.\d+$/);
+
+    const username = `${NICKNAME}${discriminatorValue}`;
+
+    debug('saving username');
+    let state = await phone.expectStorageState('consistency check');
+    await profileEditor.locator('.module-Button >> "Save"').click();
+
+    debug('checking the username is saved');
+    {
+      await profileEditor
+        .locator(`.ProfileEditor__row >> "${username}"`)
+        .waitFor();
+
+      const uuid = await server.lookupByUsername(username);
+      assert.strictEqual(uuid, phone.device.uuid);
+
+      const newState = await phone.waitForStorageState({
+        after: state,
+      });
+
+      const { added, removed } = newState.diff(state);
+      assert.strictEqual(added.length, 1, 'only one record must be added');
+      assert.strictEqual(removed.length, 1, 'only one record must be removed');
+
+      assert.strictEqual(added[0]?.account?.username, username);
+
+      state = newState;
+    }
+
+    debug('deleting username');
+    await profileEditor
+      .locator('button[aria-label="Copy or delete username"]')
+      .click();
+    await profileEditor.locator('button[aria-label="Delete"]').click();
+    await window
+      .locator('.module-Modal .module-Modal__button-footer button >> "Delete"')
+      .click();
+    await profileEditor.locator('.ProfileEditor__row >> "Username"').waitFor();
+
+    debug('confirming username deletion');
+    {
+      const uuid = await server.lookupByUsername(username);
+      assert.strictEqual(uuid, undefined);
+
+      const newState = await phone.waitForStorageState({
+        after: state,
+      });
+
+      const { added, removed } = newState.diff(state);
+      assert.strictEqual(added.length, 1, 'only one record must be added');
+      assert.strictEqual(removed.length, 1, 'only one record must be removed');
+
+      assert.strictEqual(added[0]?.account?.username, '');
+
+      state = newState;
+    }
+  });
+
+  it('looks up contacts by username', async () => {
+    const { desktop, server } = bootstrap;
+
+    debug('creating a contact with username');
+    const carl = await server.createPrimaryDevice({
+      profileName: 'Carl',
+    });
+
+    await server.setUsername(carl.device.uuid, CARL_USERNAME);
+
+    const window = await app.getWindow();
+
+    debug('entering username into search field');
+    await window.locator('button[aria-label="New conversation"]').click();
+
+    const searchInput = window.locator('.module-SearchInput__container input');
+    await searchInput.type(`@${CARL_USERNAME}`);
+
+    debug('starting lookup');
+    await window.locator(`button >> "@${CARL_USERNAME}"`).click();
+
+    debug('sending a message');
+    {
+      const composeArea = window.locator(
+        '.composition-area-wrapper, .conversation .ConversationView'
+      );
+      const compositionInput = composeArea.locator(
+        '[data-testid=CompositionInput]'
+      );
+
+      await compositionInput.type('Hello Carl');
+      await compositionInput.press('Enter');
+
+      const { body, source } = await carl.waitForMessage();
+      assert.strictEqual(body, 'Hello Carl');
+      assert.strictEqual(source, desktop);
+    }
+  });
 });

ts/textsecure/WebAPI.ts

@@ -24,7 +24,7 @@ import { explodePromise } from '../util/explodePromise';
 import { getUserAgent } from '../util/getUserAgent';
 import { getStreamWithTimeout } from '../util/getStreamWithTimeout';
 import { formatAcceptLanguageHeader } from '../util/userLanguages';
-import { toWebSafeBase64 } from '../util/webSafeBase64';
+import { toWebSafeBase64, fromWebSafeBase64 } from '../util/webSafeBase64';
 import { getBasicAuth } from '../util/getBasicAuth';
 import { isPnpEnabled } from '../util/isPnpEnabled';
 import type { SocketStatus } from '../types/SocketStatus';
@@ -505,9 +505,9 @@ const URL_CALLS = {
   subscriptions: 'v1/subscription',
   supportUnauthenticatedDelivery: 'v1/devices/unauthenticated_delivery',
   updateDeviceName: 'v1/accounts/name',
-  username: 'v1/accounts/username',
-  reservedUsername: 'v1/accounts/username/reserved',
-  confirmUsername: 'v1/accounts/username/confirm',
+  username: 'v1/accounts/username_hash',
+  reserveUsername: 'v1/accounts/username_hash/reserve',
+  confirmUsername: 'v1/accounts/username_hash/confirm',
   whoami: 'v1/accounts/whoami',
 };
 
@@ -687,10 +687,18 @@ export type ProfileType = Readonly<{
   badges?: unknown;
 }>;
 
-export type AccountType = Readonly<{
-  uuid?: string;
+export type GetAccountForUsernameOptionsType = Readonly<{
+  hash: Uint8Array;
 }>;
 
+const getAccountForUsernameResultZod = z.object({
+  uuid: z.string(),
+});
+
+export type GetAccountForUsernameResultType = z.infer<
+  typeof getAccountForUsernameResultZod
+>;
+
 export type GetIceServersResultType = Readonly<{
   username: string;
   password: string;
@@ -784,19 +792,20 @@ export type VerifyAciRequestType = Array<{ aci: string; fingerprint: string }>;
 export type VerifyAciResponseType = z.infer<typeof verifyAciResponse>;
 
 export type ReserveUsernameOptionsType = Readonly<{
-  nickname: string;
+  hashes: ReadonlyArray<Uint8Array>;
   abortSignal?: AbortSignal;
 }>;
 
 export type ConfirmUsernameOptionsType = Readonly<{
-  usernameToConfirm: string;
-  reservationToken: string;
+  hash: Uint8Array;
+  proof: Uint8Array;
   abortSignal?: AbortSignal;
 }>;
 
 const reserveUsernameResultZod = z.object({
-  username: z.string(),
-  reservationToken: z.string(),
+  usernameHash: z
+    .string()
+    .transform(x => Bytes.fromBase64(fromWebSafeBase64(x))),
 });
 export type ReserveUsernameResultType = z.infer<
   typeof reserveUsernameResultZod
@@ -874,7 +883,9 @@ export type WebAPIType = {
     identifier: string,
     options: GetProfileOptionsType
   ) => Promise<ProfileType>;
-  getAccountForUsername: (username: string) => Promise<AccountType>;
+  getAccountForUsername: (
+    options: GetAccountForUsernameOptionsType
+  ) => Promise<GetAccountForUsernameResultType>;
   getProfileUnauth: (
     identifier: string,
     options: GetProfileUnauthOptionsType
@@ -1628,16 +1639,21 @@ export function initialize({
       })) as ProfileType;
     }
 
-    async function getAccountForUsername(usernameToFetch: string) {
-      return (await _ajax({
-        call: 'username',
-        httpType: 'GET',
-        urlParameters: `/${encodeURIComponent(usernameToFetch)}`,
-        responseType: 'json',
-        redactUrl: _createRedactor(usernameToFetch),
-        unauthenticated: true,
-        accessKey: undefined,
-      })) as ProfileType;
+    async function getAccountForUsername({
+      hash,
+    }: GetAccountForUsernameOptionsType) {
+      const hashBase64 = toWebSafeBase64(Bytes.toBase64(hash));
+      return getAccountForUsernameResultZod.parse(
+        await _ajax({
+          call: 'username',
+          httpType: 'GET',
+          urlParameters: `/${hashBase64}`,
+          responseType: 'json',
+          redactUrl: _createRedactor(hashBase64),
+          unauthenticated: true,
+          accessKey: undefined,
+        })
+      );
     }
 
     async function putProfile(
@@ -1774,15 +1790,18 @@ export function initialize({
         abortSignal,
       });
     }
+
     async function reserveUsername({
-      nickname,
+      hashes,
       abortSignal,
     }: ReserveUsernameOptionsType) {
       const response = await _ajax({
-        call: 'reservedUsername',
+        call: 'reserveUsername',
         httpType: 'PUT',
         jsonData: {
-          nickname,
+          usernameHashes: hashes.map(hash =>
+            toWebSafeBase64(Bytes.toBase64(hash))
+          ),
         },
         responseType: 'json',
         abortSignal,
@@ -1791,16 +1810,16 @@ export function initialize({
       return reserveUsernameResultZod.parse(response);
     }
     async function confirmUsername({
-      usernameToConfirm,
-      reservationToken,
+      hash,
+      proof,
       abortSignal,
     }: ConfirmUsernameOptionsType) {
       await _ajax({
         call: 'confirmUsername',
         httpType: 'PUT',
         jsonData: {
-          usernameToConfirm,
-          reservationToken,
+          usernameHash: toWebSafeBase64(Bytes.toBase64(hash)),
+          zkProof: toWebSafeBase64(Bytes.toBase64(proof)),
         },
         abortSignal,
       });

ts/types/Username.ts

@@ -4,7 +4,7 @@
 export type UsernameReservationType = Readonly<{
   username: string;
   previousUsername: string | undefined;
-  reservationToken: string;
+  hash: Uint8Array;
 }>;
 
 export enum ReserveUsernameError {

ts/util/lookupConversationWithoutUuid.ts

@@ -1,6 +1,8 @@
 // Copyright 2022 Signal Messenger, LLC
 // SPDX-License-Identifier: AGPL-3.0-only
 
+import { usernames } from '@signalapp/libsignal-client';
+
 import { ToastFailedToFetchUsername } from '../components/ToastFailedToFetchUsername';
 import { ToastFailedToFetchPhoneNumber } from '../components/ToastFailedToFetchPhoneNumber';
 import type { UserNotFoundModalStateType } from '../state/ducks/globalModals';
@@ -145,7 +147,9 @@ async function checkForUsername(
   }
 
   try {
-    const account = await server.getAccountForUsername(username);
+    const account = await server.getAccountForUsername({
+      hash: usernames.hash(username),
+    });
 
     if (!account.uuid) {
       log.error("checkForUsername: Returned account didn't include a uuid");