@libre-chain/libre-link
Library for authenticating and signing transactions using the Libre Link protocol
Persistent, fast and secure signature provider for EOSIO chains built on top of EOSIO Signing Requests (EEP-7)
The anchor-link package is distributed both as a module on npm and a standalone bundle on unpkg.
Install Anchor Link and a transport:
yarn add anchor-link anchor-link-browser-transport
# or
npm install --save anchor-link anchor-link-browser-transport
Import them into your project:
import AnchorLink from 'anchor-link'
import AnchorLinkBrowserTransport from 'anchor-link-browser-transport'
Include the scripts in your <head> tag.
<script src="https://unpkg.com/anchor-link@3"></script>
<script src="https://unpkg.com/anchor-link-browser-transport@3"></script>
AnchorLink and AnchorLinkBrowserTransport are now available in the global scope of your document.
Using node.js
yarn add anchor-link anchor-link-console-transport
# or
npm install --save anchor-link anchor-link-console-transport
Import them into your project:
const AnchorLink = require('anchor-link')
const AnchorLinkConsoleTransport = require('anchor-link-console-transport')
First you need to instantiate your transport and the link.
const transport = new AnchorLinkBrowserTransport()
const link = new AnchorLink({
    transport,
    chains: [
        {
            chainId: 'aca376f206b8fc25a6ed44dbdc66547c36c6c33e3a119ffbeaef943642f0e906',
            nodeUrl: 'https://eos.greymass.com',
        }
    ],
})
Now you have a link instance that can be used in the browser to log in and/or transact. See options for a full list of available options. Also refer to the anchor-link-browser-transport README for a list of available options within the transport.
To create a persistent session where you can push multiple transactions to a user's wallet, call the login method on your link instance and pass your application name.
// Perform the login, which returns the user's identity
const identity = await link.login('mydapp')
// Save the session within your application for future use
const {session} = identity
console.log(`Logged in as ${session.auth}`)
Using the session you persisted in your application's state from the user login, you can now send transactions through the session to the user's wallet using the transact method.
const action = {
    account: 'eosio',
    name: 'voteproducer',
    authorization: [session.auth],
    data: {
        voter: session.auth.actor,
        proxy: 'greymassvote',
        producers: [],
    },
}
session.transact({action}).then(({transaction}) => {
    console.log(`Transaction broadcast! Id: ${transaction.id}`)
})
If a user has previously logged in to your application, you can restore that previous session by calling the restoreSession method on your link instance.
link.restoreSession('mydapp').then(({session}) => {
    console.log(`Session for ${session.auth} restored`)
    const action = {
        account: 'eosio',
        name: 'voteproducer',
        authorization: [session.auth],
        data: {
            voter: session.auth.actor,
            proxy: 'greymassvote',
            producers: [],
        },
    }
    session.transact({action}).then(({transaction}) => {
        console.log(`Transaction broadcast! Id: ${transaction.id}`)
    })
})
A full list of all methods can be found in the Link class documentation.
To sign action(s) or a transaction using the link without logging in you can call the transact method on your link instance.
const action = {
    account: 'eosio',
    name: 'voteproducer',
    authorization: [
        {
            actor: '............1', // ............1 will be resolved to the signing account's name
            permission: '............2', // ............2 will be resolved to the signing account's authority (e.g. 'active')
        },
    ],
    data: {
        voter: '............1', // same as above, resolved to the signer's account name
        proxy: 'greymassvote',
        producers: [],
    },
}
link.transact({action}).then(({signer, transaction}) => {
    console.log(
        `Success! Transaction signed by ${signer} and broadcast with transaction id: ${transaction.id}`
    )
})
You can find more examples in the examples directory at the root of this repository and don't forget to look at the API documentation.
Transports in Anchor Link are responsible for getting signature requests to the user's wallet when establishing a session or when using Anchor Link without logging in.
Available transports:
Package | Description |
---|---|
anchor-link-browser-transport | Browser overlay that generates QR codes or triggers local URI handler if available |
anchor-link-console-transport | Transport that prints ASCII QR codes and esr:// links to the JavaScript console |
See the LinkTransport documentation for details on how to implement custom transports.
The Anchor Link protocol uses EEP-7 identity requests to establish a channel to compatible wallets using an untrusted HTTP POST-to-WebSocket forwarder (see buoy node.js).
The client generates a session key and a unique channel URL, attaches them to the identity request, and sends it to the wallet (see transports). The wallet signs the identity proof and sends it back along with its own channel URL and session key. Subsequent signature requests can then be encrypted to a shared secret derived from the two keys and pushed directly to the wallet channel.
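The key agreement described above, sketched as an added example (not code from Anchor Link or this package): two session keys yield the same shared secret on both sides, and an authenticated cipher lets the receiver reject anything the untrusted forwarder altered. The curve (secp256k1), HKDF-SHA256, AES-256-GCM and all function names are assumptions chosen for illustration, not the protocol's actual wire format.

```javascript
// Added illustration, NOT Anchor Link's wire format: curve, KDF and cipher are assumptions.
const crypto = require('crypto')
// Each side generates its own session key pair (constructed for this example).
function newSessionKey() {
    const ecdh = crypto.createECDH('secp256k1')
    ecdh.generateKeys()
    return ecdh
}

// Derive a 256-bit symmetric key from our private key and the peer's public key.
function deriveKey(own, peerPublicKey) {
    const shared = own.computeSecret(peerPublicKey)
    return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'example-channel', 32))
}

// Encrypt a request so the forwarder only ever sees nonce + tag + ciphertext.
function seal(key, plaintext) {
    const nonce = crypto.randomBytes(12)
    const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce)
    const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
    return Buffer.concat([nonce, cipher.getAuthTag(), body])
}

// Decrypt and authenticate; returns null if the key is wrong or the message was modified.
function unseal(key, message) {
    try {
        const decipher = crypto.createDecipheriv('aes-256-gcm', key, message.subarray(0, 12))
        decipher.setAuthTag(message.subarray(12, 28))
        return Buffer.concat([decipher.update(message.subarray(28)), decipher.final()]).toString('utf8')
    } catch (err) {
        return null
    }
}

// Simulated exchange: client (dapp) and wallet swap public keys via the identity request/proof.
function demo() {
    const [client, wallet] = [newSessionKey(), newSessionKey()]
    const clientKey = deriveKey(client, wallet.getPublicKey())
    const walletKey = deriveKey(wallet, client.getPublicKey())
    const sealed = seal(clientKey, JSON.stringify({action: 'voteproducer'}))
    const tampered = Buffer.from(sealed)
    tampered[tampered.length - 1] ^= 0x01 // forwarder flips one ciphertext bit
    return {
        keysMatch: clientKey.equals(walletKey),
        received: unseal(walletKey, sealed),
        tamperedResult: unseal(walletKey, tampered),
        outsider: unseal(deriveKey(newSessionKey(), wallet.getPublicKey()), sealed),
    }
}
```

The `outsider` case models a party that knows the wallet's public key but neither private key: it derives a different secret, so decryption fails.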
You need Make, node.js and yarn installed.
Clone the repository and run make to check out all dependencies and build the project. See the Makefile for other useful targets. Before submitting a pull request, make sure to run make lint.
Made with ☕️ & ❤️ by Greymass. If you find this useful, please consider supporting us.
FAQs
The npm package @libre-chain/libre-link receives a total of 7 weekly downloads. As such, @libre-chain/libre-link popularity was classified as not popular.
We found that @libre-chain/libre-link demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.