@benzid.wael/secure-vault 0.0.1

package/src/electron/services/recovery/PasswordRecoveryService.js

@@ -0,0 +1,128 @@
+import { IRecoveryMethod, RecoveryData } from './IRecoveryMethod.js';
+import { CryptographyService } from '../CryptographyService.js';
+
+export class PasswordRecoveryService extends IRecoveryMethod {
+  #version = '1.0';
+
+  constructor() {
+    super();
+    this.methodId = 'lastUsedPassword';
+  }
+
+  /**
+   * Check if the metadata is valid
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @returns {Promise<boolean>}
+   */
+  isValid(vaultName, metadata) {
+    if (!!metadata && !metadata?.salt && !metadata?.encryptedMasterPassword) {
+      return false;
+    }
+    return true;
+  }
+
+  /**
+   * Get the unique identifier for this recovery method
+   * @returns {string} Unique identifier
+   */
+  getRecoveryMethodId() {
+    return this.methodId;
+  }
+
+  /**
+   * Generate new recovery method
+   * @param {string} vaultName
+   * @returns {Promise<RecoveryData>} RecoveryData
+   */
+  async generate(vaultName) {
+    // This is not useful for this method, return dummy result
+    return new RecoveryData({ data: { password: '' } });
+  }
+
+  /**
+   * Create and returns metadata for the recovery option
+   * @param {string} vaultName
+   * @param {str} masterPassword
+   * @param {Object} recoveryData
+   * @returns {Promise<Object>} - metadata object
+   */
+  createMetadata(vaultName, masterPassword, recoveryData = {}) {
+    // We just need to handle onPasswordChange event for this method
+    return {};
+  }
+
+  /**
+   * Recreate metadata when password change
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @param {str} oldPassword
+   * @param {str} newPassword
+   * @returns {Promise<Object>} - new metadata object
+   */
+  onPasswordChange(vaultName, metadata, oldPassword, newPassword) {
+    try {
+      const salt = CryptographyService.generateSalt();
+      const oldPasswordKey = CryptographyService.deriveKey(oldPassword, salt);
+      const encryptedMasterPassword = CryptographyService.encrypt(
+        { masterPassword: newPassword },
+        oldPasswordKey
+      );
+
+      const newMetadata = {
+        salt: salt.toString('hex'),
+        encryptedMasterPassword,
+        createdAt: new Date().toISOString(),
+        version: this.#version,
+      };
+      return { success: true, metadata: newMetadata };
+    } catch (error) {
+      console.error('Failed to generate recovery metadata:', error);
+      return { success: false, error: 'Failed to generate recovery metadata!' };
+    }
+  }
+
+  /**
+   * Verify recovery data
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @param {Object} recoveryData
+   * @returns {Promise<Object>} - Boolean indicating whether key is valid or not!
+   */
+  async verify(vaultName, metadata = {}, recoveryData = {}) {
+    const result = await this.recoverMasterPassword(
+      vaultName,
+      metadata,
+      recoveryData
+    );
+    if (result.success) {
+      return { success: true };
+    } else {
+      return result;
+    }
+  }
+
+  /**
+   * recover master password
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @param {Object} recoveryData
+   * @returns {Promise<Object>} - Master password
+   */
+  async recoverMasterPassword(vaultName, metadata, recoveryData = {}) {
+    try {
+      const salt = Buffer.from(metadata.salt, 'hex');
+      const oldPassword = recoveryData.data.password;
+      const oldPasswordKey = CryptographyService.deriveKey(oldPassword, salt);
+      const masterPassword = CryptographyService.decrypt(
+        metadata.encryptedMasterPassword,
+        oldPasswordKey
+      );
+
+      return { success: true, ...masterPassword };
+    } catch (error) {
+      console.error('Invalid master password: ', error);
+      return { success: false, error: 'Invalid master password' };
+    }
+  }
+}

package/src/electron/services/recovery/SecretQuestionRecoveryService.js

@@ -0,0 +1,267 @@
+import { IRecoveryMethod, RecoveryData } from './IRecoveryMethod.js';
+import { CryptographyService } from '../CryptographyService.js';
+
+export class SecretQuestionRecoveryService extends IRecoveryMethod {
+  #version = '1.0';
+
+  constructor() {
+    super();
+    this.methodId = 'secretQuestions';
+  }
+
+  /**
+   * Check if the metadata is valid
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @returns {Promise<boolean>}
+   */
+  isValid(vaultName, metadata) {
+    if (
+      !!metadata &&
+      !metadata?.salt &&
+      !metadata?.encryptedMasterPassword &&
+      !metadata?.encryptedRecoveryKey &&
+      !metadata?.encryptedQuestions
+    ) {
+      return false;
+    }
+    return true;
+  }
+
+  /**
+   * Get the unique identifier for this recovery method
+   * @returns {string} Unique identifier
+   */
+  getRecoveryMethodId() {
+    return this.methodId;
+  }
+
+  /**
+   * Generate new recovery method
+   * @param {string} vaultName
+   * @returns {Promise<RecoveryData>} RecoveryData
+   */
+  async generate(vaultName) {
+    // This is not useful for this method, return dummy result
+    return new RecoveryData({ data: { questions: [] } });
+  }
+
+  /**
+   * Create and returns metadata for the recovery option
+   * @param {string} vaultName
+   * @param {str} masterPassword
+   * @param {Object} recoveryData
+   * @returns {Promise<Object>} - metadata object
+   */
+  createMetadata(vaultName, masterPassword, recoveryData = {}) {
+    if (
+      !recoveryData.data.questions ||
+      recoveryData.data.questions.length === 0
+    ) {
+      return {};
+    }
+
+    const salt = CryptographyService.generateSalt();
+    // The recovery key will be used to encrypt the master password
+    // and it it will be encrypted using the master password and questions
+    const recoveryKey = this.#generateRecoveryKey();
+    const masterKey = CryptographyService.deriveKey(masterPassword, salt);
+    const recoveryKeyDerived = KeyRecoveryService.deriveKeyFromRecoveryKey(
+      recoveryKey,
+      salt
+    );
+
+    const encryptedRecoveryKey = CryptographyService.encrypt(
+      { recoveryKey },
+      masterKey
+    );
+    const encryptedMasterPassword = CryptographyService.encrypt(
+      { masterPassword },
+      recoveryKeyDerived
+    );
+
+    // Encrypt questions using the recovery key
+    encryptedQuestions = [];
+    for (const question of recoveryData.data.questions) {
+      const answerKeyDerived = KeyRecoveryService.deriveKeyFromRecoveryKey(
+        question.answer,
+        salt
+      );
+      const encryptedRecoveryKey = CryptographyService.encrypt(
+        { recoveryKey },
+        answerKeyDerived
+      );
+      const encryptedAnswer = CryptographyService.encrypt(
+        { answer: question.answer },
+        recoveryKeyDerived
+      );
+      const questionHash = CryptographyService.hashPassword(question.question);
+      encryptedQuestions.push({
+        questionHash,
+        encryptedQuestion: CryptographyService.encrypt(
+          question,
+          encryptedAnswer,
+          encryptedRecoveryKey
+        ),
+      });
+    }
+
+    const createdAt = new Date().toISOString();
+    return {
+      salt: salt.toString('hex'),
+      encryptedRecoveryKey,
+      encryptedMasterPassword,
+      encryptedQuestions,
+      createdAt: createdAt,
+      updatedAt: createdAt,
+      version: this.#version,
+    };
+  }
+
+  /**
+   * Recreate metadata when password change
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @param {str} oldPassword
+   * @param {str} newPassword
+   * @returns {Promise<Object>} - new metadata object
+   */
+  onPasswordChange(vaultName, metadata, oldPassword, newPassword) {
+    try {
+      const salt = Buffer.from(metadata.salt, 'hex');
+      const oldKey = CryptographyService.deriveKey(oldPassword, salt);
+      const recoveryKey = CryptographyService.decrypt(
+        metadata.encryptedRecoveryKey,
+        oldKey
+      );
+
+      // Generate new metadata
+      const masterKey = CryptographyService.deriveKey(newPassword, salt);
+      const recoveryKeyDerived = KeyRecoveryService.deriveKeyFromRecoveryKey(
+        recoveryKey,
+        salt
+      );
+
+      const encryptedRecoveryKey = CryptographyService.encrypt(
+        { recoveryKey },
+        masterKey
+      );
+      const encryptedMasterPassword = CryptographyService.encrypt(
+        { masterPassword: newPassword },
+        recoveryKeyDerived
+      );
+
+      const newMetadata = {
+        ...metadata,
+        encryptedMasterPassword,
+        encryptedRecoveryKey,
+        updatedAt: new Date().toISOString(),
+      };
+      return { success: true, metadata: newMetadata };
+    } catch (error) {
+      console.error(
+        'Internal error: Look like the metadata is corrupted:',
+        error
+      );
+      return {
+        success: false,
+        error: 'Internal error: Look like the metadata is corrupted.',
+      };
+    }
+  }
+
+  /**
+   * Verify recovery data
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @param {Object} recoveryData
+   * @returns {Promise<Object>} - Boolean indicating whether key is valid or not!
+   */
+  async verify(vaultName, metadata = {}, recoveryData = {}) {
+    const result = await this.recoverMasterPassword(
+      vaultName,
+      metadata,
+      recoveryData
+    );
+    if (result.success) {
+      return { success: true };
+    } else {
+      return result;
+    }
+  }
+
+  /**
+   * recover master password
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @param {Object} recoveryData
+   * @returns {Promise<Object>} - Master password
+   */
+  async recoverMasterPassword(vaultName, metadata, recoveryData = {}) {
+    try {
+      const salt = Buffer.from(metadata.salt, 'hex');
+
+      for (const question in recoveryData.data.questions) {
+        const questionHash = CryptographyService.hashPassword(
+          question.question
+        );
+        for (const storedQuestion of metadata.encryptedQuestions) {
+          if (questionHash !== storedQuestion.questionHash) {
+            try {
+              const answerDerived = KeyRecoveryService.deriveKeyFromRecoveryKey(
+                question.answer,
+                salt
+              );
+              const decryptedRecoveryKey = CryptographyService.decrypt(
+                storedQuestion.encryptedQuestion,
+                answerDerived
+              );
+              const recoveryKey = decryptedRecoveryKey.recoveryKey;
+              const recoveryKeyDerived =
+                KeyRecoveryService.deriveKeyFromRecoveryKey(recoveryKey, salt);
+              const masterPassword = CryptographyService.decrypt(
+                metadata.encryptedMasterPassword,
+                recoveryKeyDerived
+              );
+
+              return { success: true, ...masterPassword };
+            } catch (error) {
+              console.error('Invalid question:', error);
+              return { success: false, error: `Invalid question: ${error}` };
+            }
+          }
+        }
+      }
+
+      return { success: true, ...masterPassword };
+    } catch (error) {
+      console.error('Invalid question: ', error);
+      return { success: false, error: 'Invalid question' };
+    }
+  }
+
+  #generateRecoveryKey() {
+    const recoveryKeyBytes = crypto.randomBytes(32);
+
+    let result = '';
+    let bits = 0;
+    let value = 0;
+
+    for (let i = 0; i < recoveryKeyBytes.length; i++) {
+      value = (value << 8) | recoveryKeyBytes[i];
+      bits += 8;
+
+      while (bits >= 5) {
+        result +=
+          KeyRecoveryService.BASE32_ALPHABET[(value >>> (bits - 5)) & 31];
+        bits -= 5;
+      }
+    }
+
+    if (bits > 0) {
+      result += KeyRecoveryService.BASE32_ALPHABET[(value << (5 - bits)) & 31];
+    }
+
+    return result.match(/.{1,4}/g).join('-');
+  }
+}

package/src/electron/services/recovery/UsbRecoveryService.js

@@ -0,0 +1,244 @@
+import crypto from 'crypto';
+
+import { IRecoveryMethod, RecoveryData } from './IRecoveryMethod.js';
+import { CryptographyService } from '../CryptographyService.js';
+
+export class UsbRecoveryService extends IRecoveryMethod {
+  #version = '1.0';
+
+  constructor() {
+    super();
+    this.methodId = 'usbDrive';
+  }
+
+  /**
+   * Get the unique identifier for this recovery method
+   * @returns {string} Unique identifier
+   */
+  getRecoveryMethodId() {
+    return this.methodId;
+  }
+
+  /**
+   * Check if the metadata is valid
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @returns {Promise<boolean>}
+   */
+  isValid(vaultName, metadata) {
+    if (
+      !!!metadata ||
+      !metadata?.salt ||
+      !metadata?.encryptedMasterPassword ||
+      !metadata?.encryptedRecoveryKey
+    ) {
+      return false;
+    }
+    return true;
+  }
+
+  /**
+   * Generate new recovery method
+   * @param {string} vaultName
+   * @returns {Promise<RecoveryData>} RecoveryData
+   */
+  async generate(vaultName) {
+    // This is not useful for this method, return dummy result
+    return new RecoveryData({ data: { usbDrives: [] } });
+  }
+
+  /**
+   * Create and returns metadata for the recovery option
+   * @param {string} vaultName
+   * @param {str} masterPassword
+   * @param {Object} recoveryData
+   * @returns {Promise<Object>} - metadata object
+   */
+  createMetadata(vaultName, masterPassword, recoveryData = {}) {
+    const salt = CryptographyService.generateSalt();
+    const recoveryKey = recoveryData.data.key;
+    const masterKey = CryptographyService.deriveKey(masterPassword, salt);
+    const recoveryKeyDerived = KeyRecoveryService.deriveKeyFromRecoveryKey(
+      recoveryKey,
+      salt
+    );
+
+    const encryptedRecoveryKey = CryptographyService.encrypt(
+      { recoveryKey },
+      masterKey
+    );
+    const encryptedMasterPassword = CryptographyService.encrypt(
+      { masterPassword },
+      recoveryKeyDerived
+    );
+
+    return {
+      salt: salt.toString('hex'),
+      encryptedRecoveryKey,
+      encryptedMasterPassword,
+      createdAt: new Date().toISOString(),
+      version: this.#version,
+    };
+  }
+
+  /**
+   * Verify recovery data
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @param {Object} recoveryData
+   * @returns {Promise<object>} - Result
+   */
+  async verify(vaultName, metadata, recoveryData) {
+    const result = await this.recoverMasterPassword(
+      vaultName,
+      metadata,
+      recoveryData
+    );
+    if (result.success) {
+      return { success: true };
+    } else {
+      return result;
+    }
+  }
+
+  /**
+   * recover master password
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @param {Object} recoveryData
+   * @returns {Promise<str>} - Master password
+   */
+  async recoverMasterPassword(vaultName, metadata, recoveryData) {
+    // TODO: validate metadata/recoveryData
+    try {
+      const recoveryKey = recoveryData.data.key;
+      if (!this.#validateRecoveryKeyFormat(recoveryKey)) {
+        return { success: false, error: 'Invalid recovery key format' };
+      }
+
+      const salt = Buffer.from(metadata.salt, 'hex');
+      const recoveryKeyDerived = KeyRecoveryService.deriveKeyFromRecoveryKey(
+        recoveryKey,
+        salt
+      );
+
+      try {
+        const masterPassword = CryptographyService.decrypt(
+          metadata.encryptedMasterPassword,
+          recoveryKeyDerived
+        );
+        return { success: true, ...masterPassword };
+      } catch (error) {
+        console.error('Invalid recovery key:', error);
+        return { success: false, error: `Invalid recovery key: ${error}` };
+      }
+    } catch (error) {
+      console.error('Failed to recover vault using given recovery key:', error);
+      return {
+        success: false,
+        error: 'Failed to recover vault using given recovery key!',
+      };
+    }
+  }
+
+  /**
+   * Recreate metadata when password change
+   * @param {string} vaultName
+   * @param {Object} metadata
+   * @param {str} oldPassword
+   * @param {str} newPassword
+   * @returns {Promise<Object>} - new metadata object
+   */
+  onPasswordChange(vaultName, metadata, oldPassword, newPassword) {
+    const result = this.#loadRecoveryKey(vaultName, metadata, oldPassword);
+    if (!result.success) {
+      console.warn(`Unable to load recovery key for vault: ${vaultName}.`);
+      console.log(
+        'Looks like the recovery key does not exist or already corrupted!'
+      );
+      return { success: false, metadata };
+    }
+
+    try {
+      const recoveryData = new RecoveryData({
+        data: { key: result.recoveryKey },
+      });
+      const newMetadata = this.createMetadata(
+        vaultName,
+        newPassword,
+        recoveryData
+      );
+      return { success: true, metadata: newMetadata };
+    } catch (error) {
+      console.error('Failed to create metadata:', error);
+      return { success: false, error: 'Failed to create metadata' };
+    }
+  }
+
+  #loadRecoveryKey(vaultName, metadata, masterPassword) {
+    // TODO: validate metadata
+    try {
+      const salt = Buffer.from(metadata.salt, 'hex');
+      const key = CryptographyService.deriveKey(masterPassword, salt);
+
+      try {
+        const recoveryKey = CryptographyService.decrypt(
+          metadata.encryptedRecoveryKey,
+          key
+        );
+        return { success: true, ...recoveryKey };
+      } catch (error) {
+        console.error('Invalid recovery key:', error);
+        return { success: false, error: `Invalid recovery key: ${error}` };
+      }
+    } catch (error) {
+      console.error(
+        'Internal error: Look like the recovery key is corrupted:',
+        error
+      );
+      return {
+        success: false,
+        error: 'Internal error: Look like the recovery key is corrupted.',
+      };
+    }
+  }
+
+  #generateRecoveryKey() {
+    const recoveryKeyBytes = crypto.randomBytes(32);
+
+    let result = '';
+    let bits = 0;
+    let value = 0;
+
+    for (let i = 0; i < recoveryKeyBytes.length; i++) {
+      value = (value << 8) | recoveryKeyBytes[i];
+      bits += 8;
+
+      while (bits >= 5) {
+        result +=
+          KeyRecoveryService.BASE32_ALPHABET[(value >>> (bits - 5)) & 31];
+        bits -= 5;
+      }
+    }
+
+    if (bits > 0) {
+      result += KeyRecoveryService.BASE32_ALPHABET[(value << (5 - bits)) & 31];
+    }
+
+    return result.match(/.{1,4}/g).join('-');
+  }
+
+  #validateRecoveryKeyFormat(recoveryKey) {
+    const cleanKey = recoveryKey.replace(/-/g, '').toUpperCase();
+    const base32Regex = /^[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]+$/;
+    return (
+      base32Regex.test(cleanKey) &&
+      cleanKey.length >= KeyRecoveryService.MIN_KEY_LENGTH
+    );
+  }
+
+  static deriveKeyFromRecoveryKey(recoveryKey, salt) {
+    const cleanKey = recoveryKey.replace(/-/g, '').toUpperCase();
+    return CryptographyService.deriveKey(cleanKey, salt);
+  }
+}

package/src/electron/utils/appPaths.js

@@ -0,0 +1,50 @@
+import path from 'path';
+import os from 'os';
+
+/**
+ * Single source of truth for where SecureVault stores its data on disk.
+ *
+ * Both the desktop app (Electron main process) and the `vault` CLI must
+ * resolve to the *same* directory so that vaults created in one are visible
+ * in the other. We deliberately do NOT derive this from Electron's
+ * `app.getPath('userData')` (which is based on the packaged productName
+ * "Secure Password Manager") nor from package.json `name` — those diverge
+ * between dev/packaged builds and the CLI. Keep this constant stable across
+ * renames; changing it orphans existing vaults.
+ */
+export const APP_DATA_DIR_NAME = 'secure-password-manager';
+
+function resolvePath(...segments) {
+  return process.platform === 'win32'
+    ? path.win32.join(...segments)
+    : path.posix.join(...segments);
+}
+
+/** Absolute path to the application data directory for the current platform. */
+export function getAppDataPath() {
+  switch (process.platform) {
+    case 'darwin':
+      return resolvePath(
+        os.homedir(),
+        'Library',
+        'Application Support',
+        APP_DATA_DIR_NAME
+      );
+    case 'win32':
+      return resolvePath(process.env.APPDATA, APP_DATA_DIR_NAME);
+    case 'linux':
+      return resolvePath(os.homedir(), `.${APP_DATA_DIR_NAME}`);
+    default:
+      throw new Error(`Unsupported platform: ${process.platform}`);
+  }
+}
+
+/** Directory holding the regular password vaults. */
+export function getVaultsDir() {
+  return resolvePath(getAppDataPath(), 'vaults');
+}
+
+/** Directory holding the environment (`.env`) vaults. */
+export function getEnvsDir() {
+  return resolvePath(getAppDataPath(), 'envs');
+}