@lifeready/core 1.0.0 → 1.0.1

package/src/lib/api/shared-contact-card.service.ts

@@ -0,0 +1,156 @@
+import { Injectable } from '@angular/core';
+import gql from 'graphql-tag';
+import { Key } from '../cryptography/cryptography.types';
+import { EncryptionService } from '../cryptography/encryption.service';
+import { KeyGraphService } from '../cryptography/key-graph.service';
+import { KeyService } from '../cryptography/key.service';
+import { SharedTrustedPartyDetails } from '../trusted-parties/trusted-party.types';
+import { ContactCardName, TrustedPartyDetails } from '../users/profile.types';
+import { User } from '../users/user.types';
+import { KeyGraphField } from '../_common/queries.gql';
+import { LrApolloService } from './lr-apollo.service';
+
+export const SharedContactCardFields = `
+  id
+  owner {
+    id
+    username
+  }
+  ownerKey {
+    id
+  }
+  ownerCipherData
+  receiver {
+    id
+    username
+  }
+  receiverKey {
+    id
+  }
+  receiverCipherData
+  sharedKey {
+    id
+  }
+  sharedCipherData
+  sharedCipherDataSig
+  sharedCipherDataSigPxk {
+    id
+  }
+`;
+
+const UpdateOwnedContactCard = gql`
+mutation UpdateOwnedContactCard(
+  $input: UpdateOwnedContactCardInput!
+) {
+  updateOwnedContactCard(
+    input: $input
+  ) {
+    ownedContactCard {
+      ${SharedContactCardFields}
+    }
+  }
+}`;
+
+interface UpdateOwnedContactCard {
+  updateOwnedContactCard: {
+    ownedContactCard: SharedContactCard;
+  };
+}
+
+export interface SharedContactCard {
+  id: string;
+  owner: User;
+  ownerKey: Key;
+  ownerCipherData: string;
+  receiver: User;
+  receiverKey: Key;
+  receiverCipherData: string;
+  sharedKey: Key;
+  sharedCipherData: string;
+  // Decrypted
+  plainOwnerCipherDataJson: any;
+  plainReceiverCipherDataJson: any;
+  plainSharedCipherDataJson: any;
+}
+
+@Injectable({
+  providedIn: 'root',
+})
+export class SharedContactCardService {
+  constructor(
+    private keyService: KeyService,
+    private lrApollo: LrApolloService,
+    private keyGraph: KeyGraphService,
+    private encryptionService: EncryptionService
+  ) {}
+
+  async decryptSharedTrustedPartyDetails(
+    cc: SharedContactCard
+  ): Promise<SharedTrustedPartyDetails> {
+    const details = await this.decryptTrustedPartyDetails(cc);
+
+    return {
+      id: cc.id,
+      ownedKeyId: cc.ownerKey.id,
+      sharedKeyId: cc.sharedKey.id,
+      ...details,
+    };
+  }
+
+  async decryptTrustedPartyDetails(
+    cc: SharedContactCard
+  ): Promise<TrustedPartyDetails> {
+    if (cc && cc.sharedKey && cc.sharedCipherData) {
+      try {
+        return await this.encryptionService.decrypt(
+          await this.keyGraph.getJwkKey(cc.sharedKey.id),
+          cc.sharedCipherData
+        );
+      } catch (e) {
+        console.error('Cannot decrypt trusted party details', e);
+      }
+    }
+    return null;
+  }
+
+  async updateMySharedContactCard(
+    id: string,
+    ownedKeyId: string,
+    sharedKeyId: string,
+    contactCard: TrustedPartyDetails
+  ): Promise<void> {
+    const ownerKey = await this.keyGraph.getKey(ownedKeyId);
+    const sharedKey = await this.keyGraph.getKey(sharedKeyId);
+    const sigPxk = await this.keyService.getCurrentSigPxk();
+
+    const sharedCipherData = await this.encryptionService.encrypt(
+      sharedKey.jwk,
+      contactCard
+    );
+    const sharedCipherDataSig = JSON.stringify(
+      await this.encryptionService.sign(sigPxk.jwk, sharedCipherData)
+    );
+
+    const ownerPlainData = {
+      name: new ContactCardName(contactCard.name),
+    };
+    const ownerPlainDataSig = JSON.stringify(
+      await this.encryptionService.sign(sigPxk.jwk, ownerPlainData)
+    );
+
+    await this.lrApollo.mutate<UpdateOwnedContactCard>({
+      mutation: UpdateOwnedContactCard,
+      variables: {
+        input: {
+          id,
+          ownerCipherData: '',
+          ownerKeyId: ownerKey.id,
+          sharedCipherDataSig,
+          sharedKeyId: sharedKey.id,
+          sigPxkId: sigPxk.id,
+          ownerPlainDataSig,
+        },
+      },
+    });
+  }
+}

package/src/lib/api/shared-contact-card2.gql.ts

@@ -0,0 +1,76 @@
+import { gqlTyped } from '../_common/ast';
+import { ID } from './types';
+
+export interface UpdateOwnedContactCardMutation {
+  updateOwnedContactCard: {
+    ownedContactCard: {
+      id: ID;
+    };
+  };
+}
+export const UpdateOwnedContactCardMutation = gqlTyped<UpdateOwnedContactCardMutation>`
+mutation UpdateOwnedContactCardMutation(
+  $input: UpdateOwnedContactCardInput!
+) {
+  updateOwnedContactCard(input: $input) {
+    ownedContactCard {
+      id
+    }
+  }
+}`;
+
+export interface UpdateReceivedContactCardMutation {
+  updateReceivedContactCard: {
+    receivedContactCard: {
+      id: ID;
+    };
+  };
+}
+export const UpdateReceivedContactCardMutation = gqlTyped<UpdateReceivedContactCardMutation>`
+mutation UpdateReceivedContactCardMutation(
+  $input: UpdateReceivedContactCardInput!
+) {
+  updateReceivedContactCard(input: $input) {
+    receivedContactCard {
+      id
+    }
+  }
+}`;
+
+export interface GetOwnedContactCardKeyIdsQuery {
+  ownedContactCard: {
+    sharedKey: {
+      id: ID;
+    };
+    ownerKey: {
+      id: ID;
+    };
+  };
+}
+export const GetOwnedContactCardKeyIdsQuery = gqlTyped<GetOwnedContactCardKeyIdsQuery>`
+query GetOwnedContactCardKeyIdsQuery($id: LrRelayIdInput!) {
+  ownedContactCard(id: $id) {
+    sharedKey {
+      id
+    }
+    ownerKey {
+      id
+    }
+  }
+}`;
+
+export interface GetReceivedContactCardKeyIdQuery {
+  receivedContactCard: {
+    receiverKey: {
+      id: ID;
+    };
+  };
+}
+export const GetReceivedContactCardKeyIdQuery = gqlTyped<GetReceivedContactCardKeyIdQuery>`
+query GetReceivedContactCardKeyIdQuery($id: LrRelayIdInput!) {
+  receivedContactCard(id: $id) {
+    receiverKey {
+      id
+    }
+  }
+}`;

package/src/lib/api/shared-contact-card2.service.ts

@@ -0,0 +1,154 @@
+import { Injectable, NgZone } from '@angular/core';
+import { Key } from '../cryptography/cryptography.types';
+import { EncryptionService } from '../cryptography/encryption.service';
+import { KeyGraphService } from '../cryptography/key-graph.service';
+import { KeyService } from '../cryptography/key.service';
+import { RunOutsideAngular } from '../_common/run-outside-angular';
+import {
+  ContactCardReceiverCipherData,
+  SendContactCardInput,
+} from './key-exchange2.service';
+import { LrGraphQLService, LrMutation } from './lr-graphql';
+import {
+  GetOwnedContactCardKeyIdsQuery,
+  GetReceivedContactCardKeyIdQuery,
+  UpdateOwnedContactCardMutation,
+  UpdateReceivedContactCardMutation,
+} from './shared-contact-card2.gql';
+import { LrRelayIdInput } from './types';
+
+export interface UpdateOwnedContactCardInput extends SendContactCardInput {
+  id: LrRelayIdInput;
+  ownerKeyId?: LrRelayIdInput;
+  sharedKeyId?: LrRelayIdInput;
+}
+
+export interface UpdateReceivedContactCardInput
+  extends ContactCardReceiverCipherData {
+  id: LrRelayIdInput;
+  receiverKeyId?: LrRelayIdInput;
+}
+
+@RunOutsideAngular({
+  ngZoneName: 'ngZone',
+})
+@Injectable({
+  providedIn: 'root',
+})
+export class SharedContactCard2Service {
+  constructor(
+    private ngZone: NgZone,
+    private keyService: KeyService,
+    private keyGraph: KeyGraphService,
+    private encryptionService: EncryptionService,
+    private lrGraphQL: LrGraphQLService
+  ) {}
+
+  private async getOwnedContactCardKeyIds(id: LrRelayIdInput) {
+    const { ownedContactCard: cc } = await this.lrGraphQL.query({
+      query: GetOwnedContactCardKeyIdsQuery,
+      variables: {
+        id,
+      },
+    });
+
+    return {
+      sharedKeyId: cc.sharedKey.id,
+      ownerKeyId: cc.ownerKey.id,
+    };
+  }
+
+  private async getReceivedContactCardKeyId(id: LrRelayIdInput) {
+    return (
+      await this.lrGraphQL.query({
+        query: GetReceivedContactCardKeyIdQuery,
+        variables: {
+          id,
+        },
+      })
+    ).receivedContactCard.receiverKey.id;
+  }
+
+  async updateOwnedContactCard({
+    id,
+    ownerKeyId,
+    sharedKeyId,
+    ownerPlainDataJson,
+    ownerCipherDataClearJson,
+    sharedCipherDataClearJson,
+  }: UpdateOwnedContactCardInput) {
+    let ownerKey: Key;
+    let sharedKey: Key;
+
+    try {
+      ownerKey = await this.keyGraph.getKey(ownerKeyId);
+      sharedKey = await this.keyGraph.getKey(sharedKeyId);
+    } catch (error) {
+      const keys = await this.getOwnedContactCardKeyIds(id);
+
+      // try again
+      ownerKey = await this.keyGraph.getKey(keys.ownerKeyId);
+      sharedKey = await this.keyGraph.getKey(keys.sharedKeyId);
+    }
+
+    const sigPxk = await this.keyService.getCurrentSigPxk();
+
+    const sharedCipherData = await this.encryptionService.encrypt(
+      sharedKey.jwk,
+      sharedCipherDataClearJson
+    );
+    const sharedCipherDataSig = JSON.stringify(
+      await this.encryptionService.sign(sigPxk.jwk, sharedCipherData)
+    );
+
+    const ownerPlainDataSig = JSON.stringify(
+      await this.encryptionService.sign(sigPxk.jwk, ownerPlainDataJson)
+    );
+
+    const ownerCipherData = await this.encryptionService.encryptToString(
+      ownerKey.jwk,
+      ownerCipherDataClearJson
+    );
+
+    return new LrMutation({
+      mutation: UpdateOwnedContactCardMutation,
+      variables: {
+        input: {
+          id,
+          ownerCipherData,
+          ownerKeyId: ownerKey.id,
+          sharedCipherDataSig,
+          sharedKeyId: sharedKey.id,
+          sigPxkId: sigPxk.id,
+          ownerPlainDataSig,
+        },
+      },
+    });
+  }
+
+  async updateReceivedContactCard({
+    id,
+    receiverKeyId,
+    receiverCipherDataClearJson,
+  }: UpdateReceivedContactCardInput) {
+    const receiverKey = await this.keyGraph.getKey(receiverKeyId, () =>
+      this.getReceivedContactCardKeyId(id)
+    );
+
+    const receiverCipherData = await this.encryptionService.encryptToString(
+      receiverKey.jwk,
+      receiverCipherDataClearJson
+    );
+
+    return new LrMutation({
+      mutation: UpdateReceivedContactCardMutation,
+      variables: {
+        input: {
+          id,
+          receiverCipherData,
+          receiverKeyId: receiverKey.id,
+        },
+      },
+    });
+  }
+}

package/src/lib/api/time.service.spec.ts

@@ -0,0 +1,48 @@
+import { TimeService } from './time.service';
+import { TestBed } from '@angular/core/testing';
+import { environment } from 'projects/lr-auth-app/src/environments/environment';
+import {
+  loginTestUser,
+  logoutUser,
+} from '../auth/life-ready-auth.service.spec';
+import { lrConfigureTestingModule, lrit } from '../_common/tests';
+
+const TIMEOUT = 1000 * 60 * 10;
+
+describe('TimeService', () => {
+  let timeService: TimeService;
+
+  beforeEach(async () => {
+    lrConfigureTestingModule();
+    timeService = TestBed.inject(TimeService);
+  });
+
+  lrit('should get server time', async () => {
+    const serverNow = await timeService.serverNow();
+    console.log('server now', serverNow);
+    console.log('local now', Date.now());
+    expect(serverNow).toBeTruthy();
+    expect(timeService.offsetMs).not.toBeNull();
+    console.log('timeService.offsetMs', timeService.offsetMs);
+  });
+
+  lrit(
+    'should confirm time from independent source',
+    async () => {
+      if (!timeService.VERIFY_ENABLED) {
+        return;
+      }
+
+      // Using AWS Cognito, so need to login first, it might block the client/host as malicious.
+      const {
+        username: username1,
+        password: password1,
+      } = environment.test.users[0];
+      await loginTestUser(username1, password1);
+
+      const serverNow = await timeService.serverNow();
+      expect(timeService.verified).toBeTrue();
+    },
+    TIMEOUT
+  );
+});

package/src/lib/api/time.service.ts

@@ -0,0 +1,155 @@
+import { Injectable } from '@angular/core';
+import { AuthClass } from '@aws-amplify/auth/lib-esm/Auth';
+import { Apollo } from 'apollo-angular';
+import gql from 'graphql-tag';
+import * as moment_ from 'moment';
+import {
+  LrErrorCode,
+  LrException,
+  handleApolloError,
+} from '../_common/exceptions';
+// "why?" you ask: https://stackoverflow.com/questions/59735280/angular-8-moment-error-cannot-call-a-namespace-moment
+const moment = moment_;
+
+export const ServerTimeQuery = gql`
+  query {
+    serverTime {
+      timestamp
+    }
+  }
+`;
+
+interface ServerTime {
+  timestamp: string;
+}
+
+@Injectable({
+  providedIn: 'root',
+})
+export class TimeService {
+  public VERIFY_ENABLED = true;
+  private readonly MAX_DIFF_MSEC = moment
+    .duration({ seconds: 30 })
+    .asMilliseconds();
+
+  offsetMs: number = null; // Millisecond offset of local clock.
+  verified = false; // Verified with independent time source
+
+  constructor(private auth: AuthClass, private apollo: Apollo) {}
+
+  private async getAccessToken(): Promise<string> {
+    try {
+      return (await this.auth.currentAuthenticatedUser())
+        .getSignInUserSession()
+        .getAccessToken()
+        .getJwtToken();
+    } catch (error) {
+      return ''; // Not authenticated
+    }
+  }
+
+  // Get time from independent source to confirm.
+  private async verifyCognito(): Promise<void> {
+    const accessToken = await this.getAccessToken();
+    if (!accessToken) {
+      return;
+    }
+
+    // Request headers from AWS Amplify Auth lib
+    // accept: */*
+    // accept-encoding: gzip, deflate, br
+    // accept-language: en-GB,en-US;q=0.9,en;q=0.8
+    // cache-control: no-cache
+    // content-length: 1089
+    // content-type: application/x-amz-json-1.1
+    // origin: http://localhost:4200
+    // pragma: no-cache
+    // referer: http://localhost:4200/
+    // sec-fetch-dest: empty
+    // sec-fetch-mode: cors
+    // sec-fetch-site: cross-site
+    // user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
+    // x-amz-target: AWSCognitoIdentityProviderService.GetUser
+    // x-amz-user-agent: aws-amplify/0.1.x js
+
+    // We are only interested in the Date field.
+    // AZ: I suppose we could use any end-point that provides a reliable Date field in the header. And we don't
+    // need to be authenticated. Even a 400 response would have a Date header. But the worry is that AWS might
+    // think it's some sort of attack, and block the IP or domain. At least in an authenticated call it can't be
+    // seen as illegitimate.
+    const response = await fetch(
+      'https://cognito-idp.ap-southeast-2.amazonaws.com/',
+      {
+        method: 'POST', // *GET, POST, PUT, DELETE, etc.
+        mode: 'cors', // no-cors, *cors, same-origin
+        cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
+        headers: {
+          'x-amz-target': 'AWSCognitoIdentityProviderService.GetUser',
+          'x-amz-user-agent': 'aws-amplify/0.1.x js',
+          'Content-Type': 'application/x-amz-json-1.1',
+        },
+        // redirect: 'follow', // manual, *follow, error
+        // referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
+        body: JSON.stringify({
+          AccessToken: accessToken,
+        }), // body data type must match "Content-Type" header
+      }
+    );
+
+    const now = Date.now();
+
+    const verifyTime = moment(response.headers.get('Date')).valueOf();
+    const serverTime = now + this.offsetMs;
+    const diff = Math.abs(serverTime - verifyTime);
+
+    if (diff > this.MAX_DIFF_MSEC) {
+      throw new LrException({
+        code: LrErrorCode.BadTimeSync,
+        message: `Server time does not match independent source. ServerTime: ${serverTime}, Cognito time: ${verifyTime}`,
+      });
+    }
+
+    this.verified = true;
+  }
+
+  private async refresh(): Promise<void> {
+    const start = Date.now();
+    const res = await this.apollo
+      .query<{ serverTime: ServerTime }>({ query: ServerTimeQuery })
+      .toPromise();
+    const end = Date.now();
+
+    handleApolloError(res.errors);
+
+    const serverTime = parseInt(res.data.serverTime.timestamp, 10);
+
+    const roundtrip = end - start;
+    this.offsetMs = serverTime - (start + roundtrip / 2);
+
+    if (this.VERIFY_ENABLED) {
+      await this.verifyCognito();
+    }
+  }
+
+  async serverNow(): Promise<number> {
+    let needsRefresh = false;
+
+    // First call
+    if (this.offsetMs === null) {
+      needsRefresh = true;
+    }
+
+    if (this.VERIFY_ENABLED) {
+      // logged in but not yet verified time matches.
+      if (!this.verified && (await this.getAccessToken())) {
+        needsRefresh = true;
+      }
+    }
+
+    if (needsRefresh) {
+      await this.refresh();
+    }
+
+    return Date.now() + this.offsetMs;
+  }
+}

package/src/lib/api/types/graphql.types.ts

@@ -0,0 +1,48 @@
+// ------------------------------------------------------
+// Basic types
+// ------------------------------------------------------
+// These types map directory to types of the same name in graphql.
+// We use these aliases in case in the future we wish to reify the types and do
+// additional automated conversion.
+
+export type ID = string;
+// Server requires this to have certain format. But client
+// just treats this as an opaque string.
+export type LrRelayIdInput = string;
+export type DateTime = string;
+// This is basically the results of: JSON.stringify(obj)
+// Server validated to make sure it can JSON.parse() this.
+export type LrJSONString = string;
+// JSONString is a type from graphene. DB JSON fields maps to this type
+// automatically.
+// Where as LrJSONString is out custom implementation for input variables.
+export type JSONString = string;
+export type LrEmail = string;
+export type GenericScalar = any;
+export type UUID = string;
+
+export interface Node {
+  id?: string;
+}
+
+export interface TimeStamped {
+  created?: DateTime;
+  modified?: DateTime;
+}
+
+export interface Edge<NodeType extends Node> {
+  node?: NodeType;
+  cursor?: string;
+}
+
+export interface Connection<NodeType> {
+  pageInfo?: PageInfo;
+  edges?: Edge<NodeType>[];
+}
+
+export interface PageInfo {
+  hasNextPage?: boolean;
+  hasPreviousPage?: boolean;
+  startCursor?: string;
+  endCursor?: string;
+}

package/{lib/api/types/index.d.ts → src/lib/api/types/index.ts}

@@ -1,2 +1,2 @@
-export * from './graphql.types';
-export * from './lr-graphql.types';
+export * from './graphql.types';
+export * from './lr-graphql.types';