simplicity_client 0.1.2 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 495342a938dfee303d9653d8ea49bd7a8f94f9f31eaf367ac32de7ef1048b775
-  data.tar.gz: ad30760937ee2466ed5b53026f7f64c5f36f8685141700dd236e1645275c81a9
+  metadata.gz: 3283578b786c0a520eeaee6b46290f1459e9075925f8fdf172534ac533270e33
+  data.tar.gz: cee5f3f5ac077c4cea0bc246d7f1a4b2ea03a23db7ad21795485730685ba3959
 SHA512:
-  metadata.gz: f2817cbe355a5c5c614ad16a644d27c9b12694e69644029db52e06ee2039fff3a173b3089a4d6bea406dd545adc2ad2ec0313c069c8b0892efc50a67b1723148
-  data.tar.gz: 58bc2f845410fd0687afc51135c28b20e42a1dcdd1bacf89e8b240358d5b8a610ee0c5c3c77c7a4839c89130c6f51cef763195ed8bda0730f7a06007acf28f3e
+  metadata.gz: 2ddd8ee90c05b00ba4ed232846f5c2e546e087c93c7e2c3a58965c74480640fe04823bea6d94c9b3b0f58e64f41cd738b8b157420b71d5864846cb74e0600185
+  data.tar.gz: fbf5d020b63bae7fd804154b34513d95e9991afa39023877905072e69df66879b4afd3e7028251204e314720c4ca472860dc9e81d86d4a90e521202791dd7bbe

data/lib/fido2_client.rb

@@ -0,0 +1,91 @@
+require "json"
+require "digest"
+require "openssl"
+require "base64"
+
+module Fido2Client
+  Passkey = Data.define(:credentialId, :keyAlgorithm, :keyCurve, :keyValue, :userHandle)
+  Assertion = Data.define(:authenticator_data, :client_data_json, :credential_id, :user_handle, :signature)
+
+  class Client
+    def initialize
+      @origin = "https://app.simplicity.kiwi"
+      @rp_id = "simplicity.kiwi"
+    end
+
+    def get_assertion(passkey, challenge)
+      collected_client_data = {
+        type: "webauthn.get",
+        challenge: challenge,
+        origin: @origin,
+        crossOrigin: false,
+      }
+      client_data_json = JSON.dump(collected_client_data)
+      client_data_hash = Digest::SHA256.digest(client_data_json)
+
+      # Assertion
+      auth_data = generate_auth_data
+      private_key = parse_private_key(passkey.keyAlgorithm, passkey.keyCurve, passkey.keyValue)
+      signature = generate_signature(auth_data, client_data_hash, private_key)
+
+      Assertion.new(
+        authenticator_data: Base64.urlsafe_encode64(auth_data.pack("c*"), padding: false),
+        client_data_json: Base64.urlsafe_encode64(client_data_json, padding: false),
+        credential_id: Base64.urlsafe_encode64(guid_to_raw_format(passkey.credentialId), padding: false),
+        user_handle: passkey.userHandle,
+        signature: Base64.urlsafe_encode64(signature, padding: false),
+      )
+    end
+
+    private
+
+    def box(tag, lines)
+      lines.unshift "-----BEGIN #{tag}-----"
+      lines.push "-----END #{tag}-----"
+      lines.join("\n")
+    end
+
+    def der_to_pem(tag, der)
+      box tag, Base64.strict_encode64(der).scan(/.{1,64}/)
+    end
+
+    def parse_private_key(key_algorithm, key_curve, key_value)
+      raise "Unsupported key algorithm: #{key_algorithm}" unless key_algorithm == "ECDSA"
+      raise "Unsupported key curve: #{key_curve}" unless key_curve == "P-256"
+
+      # Decode the Base64 key value
+      key_value_bin = Base64.urlsafe_decode64(key_value)
+
+      pem = der_to_pem("PRIVATE KEY", key_value_bin)
+      OpenSSL::PKey::EC.new(pem)
+    end
+
+    def generate_signature(auth_data, client_data_hash, private_key)
+      sig_base = [*auth_data, *client_data_hash.bytes]
+      digest = OpenSSL::Digest.new("SHA256")
+      private_key.sign(digest, sig_base.pack("c*"))
+    end
+
+    def generate_auth_data
+      auth_data = []
+      rp_id_hash = Digest::SHA256.digest(@rp_id)
+      auth_data += rp_id_hash.bytes
+
+      # Flags asserted: Backup eligibility, Backup State, User Verification, User Presence
+      flags = 0x1D
+      auth_data.push(flags)
+
+      # Counter
+      auth_data += [0, 0, 0, 0]
+
+      auth_data
+    end
+
+    def guid_to_raw_format(guid)
+      raise TypeError, "GUID parameter is invalid" unless guid.match?(/\A[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\z/)
+
+      # Remove the hyphens and pack the string into raw binary
+      [guid.delete("-")].pack("H*")
+    end
+  end
+end

data/lib/simplicity_client.rb

@@ -9,29 +9,45 @@ require "faraday"
 require "faraday-cookie_jar"
 require "faraday/follow_redirects"
 require "aws-sdk-cognitoidentityprovider"
-require "aws-cognito-srp"
 require "aws-sdk-cognitoidentity"
 require "aws-sigv4"
+require_relative "fido2_client"
 
 module SimplicityClient
+  Params = Struct.new(:email, :credentialId, :keyAlgorithm, :keyCurve, :keyValue, :userHandle, keyword_init: true)
+  ParamDefinition = Struct.new(:name, :label, :primary_id)
+
   class Error < StandardError; end
 
+  # For the user interface
+  PARAMS_INFO = [
+    ParamDefinition.new(name: "email", label: "Email address", primary_id: true),
+    ParamDefinition.new(name: "credentialId", label: "Passkey credential ID"),
+    ParamDefinition.new(name: "keyAlgorithm", label: "Passkey key algorithm"),
+    ParamDefinition.new(name: "keyCurve", label: "Passkey key curve"),
+    ParamDefinition.new(name: "keyValue", label: "Passkey value"),
+    ParamDefinition.new(name: "userHandle", label: "Passkey user handle")
+  ].freeze
+
   class Session
     def initialize
       @logger = Logger.new $stderr
-      @logger.level = Logger::INFO
+      @logger.level = Logger::DEBUG
 
       @user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
 
       @client = Faraday.new(
         headers: { "User-Agent" => @user_agent },
-      # proxy: "http://Thinkbook.local:8080",
-      # :ssl => {:verify => false}
-        ) do |builder|
+        # proxy: "http://Thinkbook.local:8080",
+        # :ssl => {:verify => false}
+      ) do |builder|
         builder.response :follow_redirects
-        # builder.response :logger
+        builder.response :logger
         builder.adapter Faraday.default_adapter
       end
+
+      @authsignal_base = "https://au.api.authsignal.com/v1"
+      @authsignal_tenant_id = "e768822f-b1a1-404c-a685-0e37905ca5f5"
     end
 
     # Write the session data out to a string so that the session can be restored later
@@ -47,49 +63,76 @@ module SimplicityClient
       @auth_data = json["auth_data"]
     end
 
-    def login(username, password)
-      client = Aws::CognitoIdentityProvider::Client.new(region: 'ap-southeast-2')
+    def login(params)
+      client = Aws::CognitoIdentityProvider::Client.new(region: "ap-southeast-2")
 
       user_pool_id = "ap-southeast-2_abAklW6ap"
 
-      aws_srp = Aws::CognitoSrp.new(
-        username: username.downcase,
-        password: password,
-        pool_id: user_pool_id,
-        client_id: "kvoiu7unft0c8hqqsa6hkmeu5",
-        aws_client: client,
+      device_id = SecureRandom.uuid
+      passkey = Fido2Client::Passkey.new(params.credentialId, params.keyAlgorithm, params.keyCurve, params.keyValue, params.userHandle)
+      challenge_id = fetch_challenge_id
+      authentication_options = fetch_authentication_options(challenge_id)
+      challenge = authentication_options["options"]["challenge"]
+      assertion = Fido2Client::Client.new.get_assertion(passkey, challenge)
+      passkey_result = present_passkey(challenge_id, assertion, device_id)
+
+      resp = client.initiate_auth(
+        {
+          auth_flow: "CUSTOM_AUTH",
+          auth_parameters: {
+            USERNAME: params.email,
+          },
+          client_metadata: {
+            anonymousId: device_id,
+          },
+          client_id: "kvoiu7unft0c8hqqsa6hkmeu5",
+        },
       )
 
-      resp = aws_srp.authenticate
+      resp = client.respond_to_auth_challenge(
+        {
+          challenge_name: "CUSTOM_CHALLENGE",
+          challenge_responses: {
+            USERNAME: params.email,
+            ANSWER: passkey_result["accessToken"],
+          },
+          client_id: "kvoiu7unft0c8hqqsa6hkmeu5",
+          session: resp.session,
+        },
+      )
 
-      cognito_identity_client = Aws::CognitoIdentity::Client.new(region: 'ap-southeast-2')
+      cognito_identity_client = Aws::CognitoIdentity::Client.new(region: "ap-southeast-2")
 
       # Assuming you have the Identity Pool ID and the ID token
-      identity_pool_id = 'ap-southeast-2:0ed33fc6-4cef-4f2e-b634-31c616e108e2'
-      id_token = resp.id_token
+      identity_pool_id = "ap-southeast-2:0ed33fc6-4cef-4f2e-b634-31c616e108e2"
+      id_token = resp.authentication_result.id_token
 
       # Get ID from the identity pool
-      id_response = cognito_identity_client.get_id({
-        identity_pool_id: identity_pool_id,
-        logins: {
-          "cognito-idp.ap-southeast-2.amazonaws.com/#{user_pool_id}" => id_token
-        }
-      })
+      id_response = cognito_identity_client.get_id(
+        {
+          identity_pool_id: identity_pool_id,
+          logins: {
+            "cognito-idp.ap-southeast-2.amazonaws.com/#{user_pool_id}" => id_token,
+          },
+        },
+      )
 
       # Get credentials for the ID
-      credentials_response = cognito_identity_client.get_credentials_for_identity({
-        identity_id: id_response.identity_id,
-        logins: {
-          "cognito-idp.ap-southeast-2.amazonaws.com/#{user_pool_id}" => id_token
-        }
-      })
+      credentials_response = cognito_identity_client.get_credentials_for_identity(
+        {
+          identity_id: id_response.identity_id,
+          logins: {
+            "cognito-idp.ap-southeast-2.amazonaws.com/#{user_pool_id}" => id_token,
+          },
+        },
+      )
 
       access_key_id = credentials_response.credentials.access_key_id
       secret_key = credentials_response.credentials.secret_key
       session_token = credentials_response.credentials.session_token
 
       @auth_data = {
-        email: username,
+        email: params.email,
         access_key_id: access_key_id,
         secret_key: secret_key,
         region: "ap-southeast-2",
@@ -126,12 +169,12 @@ module SimplicityClient
       signature = signer.sign_request(
         http_method: http_method,
         url: url,
-        body: body
+        body: body,
       )
 
       response = @client.post(url) do |req|
         req.headers = signature.headers.merge({
-          'Content-Type' => 'application/json'
+          "Content-Type" => "application/json",
         })
         req.body = body
       end
@@ -154,5 +197,76 @@ module SimplicityClient
         raise Error, "Failed to list accounts: #{response.status}, #{response.body}"
       end
     end
+
+    private
+
+    def fetch_challenge_id
+      response = @client.post("#{@authsignal_base}/client/challenge") do |req|
+        req.headers = {
+          "Authorization" => "Basic #{Base64.encode64(@authsignal_tenant_id)}",
+          "Content-Type" => "application/json",
+        }
+        req.body = {
+          action: "cognitoAuth",
+        }.to_json
+      end
+
+      if response.success?
+        obj = JSON.parse(response.body)
+        obj["challengeId"]
+      else
+        raise Error, "Failed to get challenge ID: #{response.status}, #{response.body}"
+      end
+    end
+
+    def fetch_authentication_options(challenge_id)
+      response = @client.post("#{@authsignal_base}/client/user-authenticators/passkey/authentication-options") do |req|
+        req.headers = {
+          "Authorization" => "Basic #{Base64.encode64(@authsignal_tenant_id)}",
+          "Content-Type" => "application/json",
+        }
+        req.body = {
+          challengeId: challenge_id,
+        }.to_json
+      end
+
+      if response.success?
+        JSON.parse(response.body)
+      else
+        raise Error, "Failed to get authentication options: #{response.status}, #{response.body}"
+      end
+    end
+
+    def present_passkey(challenge_id, assertion, device_id)
+      response = @client.post("#{@authsignal_base}/client/verify/passkey") do |req|
+        req.headers = {
+          "Authorization" => "Basic #{Base64.encode64(@authsignal_tenant_id)}",
+          "Content-Type" => "application/json",
+        }
+        req.body = {
+          challengeId: challenge_id,
+          authenticationCredential: {
+            id: assertion.credential_id,
+            rawId: assertion.credential_id,
+            response: {
+              authenticatorData: assertion.authenticator_data,
+              clientDataJSON: assertion.client_data_json,
+              signature: assertion.signature,
+              userHandle: assertion.user_handle,
+            },
+            type: "public-key",
+            clientExtensionResults: {},
+            authenticatorAttachment: "platform",
+          },
+          deviceId: device_id,
+        }.to_json
+      end
+
+      if response.success?
+        JSON.parse(response.body)
+      else
+        raise Error, "Failed to get JWT: #{response.status}, #{response.body}"
+      end
+    end
   end
 end

metadata

@@ -1,113 +1,99 @@
 --- !ruby/object:Gem::Specification
 name: simplicity_client
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.1
 platform: ruby
 authors:
 - George Dewar
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-02 00:00:00.000000000 Z
+date: 2025-01-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: faraday
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.7'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.7'
-- !ruby/object:Gem::Dependency
-  name: faraday-cookie_jar
+  name: aws-sdk-cognitoidentity
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.7
+        version: 1.52.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.7
+        version: 1.52.0
 - !ruby/object:Gem::Dependency
-  name: faraday-follow_redirects
+  name: aws-sdk-cognitoidentityprovider
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: '1.87'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: '1.87'
 - !ruby/object:Gem::Dependency
-  name: aws-sdk-cognitoidentityprovider
+  name: aws-sigv4
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.87'
+        version: 1.8.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.87'
+        version: 1.8.0
 - !ruby/object:Gem::Dependency
-  name: aws-cognito-srp
+  name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '2.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '2.7'
 - !ruby/object:Gem::Dependency
-  name: aws-sdk-cognitoidentity
+  name: faraday-cookie_jar
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.52.0
+        version: 0.0.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.52.0
+        version: 0.0.7
 - !ruby/object:Gem::Dependency
-  name: aws-sigv4
+  name: faraday-follow_redirects
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 0.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 0.3.0
 description: This gem can log into Simplicity and fetch fund balances
 email:
 - george@dewar.co.nz
@@ -115,12 +101,13 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- lib/fido2_client.rb
 - lib/simplicity_client.rb
-homepage: https://rubygems.org/gems/hola
+homepage: https://github.com/GeorgeDewar/simplicity_client
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -135,8 +122,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
-signing_key: 
+rubygems_version: 3.5.16
+signing_key:
 specification_version: 4
 summary: Fetch KiwiSaver and investment fund balances from Simplicity
 test_files: []