@lifeready/core 1.0.0 → 1.0.1

package/src/lib/api/types/lr-graphql.types.ts

@@ -0,0 +1,467 @@
+import { Time } from '@angular/common';
+import {
+  Connection,
+  DateTime,
+  GenericScalar,
+  ID,
+  JSONString,
+  LrEmail,
+  Node,
+  TimeStamped,
+} from './graphql.types';
+
+// TODO: fill these types
+export type UserStripeNode = any;
+export type UserPlanNode = any;
+export type UserDeleteNode = any;
+export type FeaturesNode = any;
+export type ScenarioNode = any;
+export type SharedScenarioNode = any;
+
+export type TpPasswordResetRequestNode = any;
+
+export interface PassKeyNode extends Node, TimeStamped {
+  passKeyParams?: GenericScalar;
+  passIdpParams?: GenericScalar;
+  wrappedPassIdpVerifierPrk?: GenericScalar;
+}
+
+export interface CurrentUserKeyNode extends Node, TimeStamped {
+  passKeys?: PassKeyNode[];
+  passKey?: PassKeyNode;
+  rootKey?: KeyNode;
+  masterKey?: KeyNode;
+  pxk?: KeyNode;
+  sigPxk?: KeyNode;
+}
+
+// ------------------------------------------------------
+// Node types
+// ------------------------------------------------------
+export interface UserNode extends Node {
+  username?: string;
+  contactCards?: Connection<ContactCardNode>;
+  currentUserKey?: CurrentUserKeyNode;
+  ownedContactCard?: SharedContactCardNode;
+  receivedContactCard?: SharedContactCardNode;
+  isCurrentUser?: boolean;
+  haveTp?: boolean;
+  stripe?: UserStripeNode;
+  userPlans?: Connection<UserPlanNode>;
+  userDelete?: UserDeleteNode;
+  features?: FeaturesNode;
+}
+
+export interface ServerTime {
+  timestamp?: string;
+}
+
+export interface KeyNode extends Node, TimeStamped {
+  pbk?: string;
+}
+
+export interface ContactCardNode extends Node, TimeStamped {
+  owner?: UserNode;
+  publicDataSig?: string;
+  publicSearchableSig?: string;
+  sigPxk?: KeyNode;
+  defaultFrom?: DateTime;
+  publicData?: string;
+  publicSearchable?: string;
+  cipherData?: string;
+  cipherDataClearJson?: any;
+  key?: KeyNode;
+  plainData?: string;
+  plainDataSig?: string;
+}
+
+export interface DirectoryNode extends Node, TimeStamped {
+  plainMeta?: JSONString;
+  plainMetaJson?: any;
+  cipherMeta?: string;
+  cipherMetaClearJson?: any;
+  archived?: boolean;
+  keyId?: ID;
+  childFileLinks?: Connection<FileLinkNode>;
+  childDirectoryLinks?: Connection<DirectoryLinkNode>;
+  parentDirectoryLinks?: Connection<DirectoryLinkNode>;
+  nParentDirectoryLinks?: DirectoryLinkNodeLrNList;
+  descendants?: Descendants;
+  accessRoles?: AccessRole[];
+}
+
+export interface FileNode extends Node, TimeStamped {
+  currentVersion?: FileVersionNode;
+  archived?: boolean;
+  versions?: Connection<FileVersionNode>;
+  keyId?: ID;
+  parentDirectoryLinks?: Connection<FileLinkNode>;
+  nParentDirectoryLinks?: FileLinkNodeLrNList;
+  accessRoles?: AccessRole[];
+}
+
+export interface DirectoryLinkNode extends Node, TimeStamped {
+  parentDirectory?: DirectoryNode;
+  childDirectory?: DirectoryNode;
+}
+
+export interface FileLinkNode extends Node, TimeStamped {
+  parentDirectory?: DirectoryNode;
+  childFile?: FileNode;
+}
+
+export interface DirectoryLinkNodeLrNList {
+  list?: DirectoryLinkNode[];
+}
+
+export interface FileLinkNodeLrNList {
+  list?: FileLinkNode[];
+}
+
+export interface Descendants {
+  directories?: Connection<DirectoryNode>;
+  files?: Connection<FileNode>;
+  directoriesCount?: number;
+  filesCount?: number;
+}
+
+export enum AccessRoleChoice {
+  READER = 'READER',
+  WRITER = 'WRITER',
+  ADMIN = 'ADMIN',
+  DENY = 'DENY',
+  OWNER = 'OWNER',
+}
+
+export enum AccessRoleMethod {
+  inherited = 'inherited',
+  direct = 'direct',
+}
+
+export interface AccessRole {
+  issuer?: UserNode;
+  subject?: UserNode;
+  role?: AccessRoleChoice;
+  method?: AccessRoleMethod;
+  inheritedFrom?: DirectoryNode;
+  trustedParty?: TpNode;
+  isIssuer?: boolean;
+}
+
+export enum FileVersionOperation {
+  CREATE = 'CREATE',
+  READ = 'READ',
+  UPDATE = 'UPDATE',
+  REVERT = 'REVERT',
+  DELETE = 'DELETE',
+}
+
+export interface FileVersionNode extends Node, TimeStamped {
+  file?: FileNode;
+  state?: FileStateNode;
+  operation?: FileVersionOperation;
+  author?: UserNode;
+}
+export interface FileStateNode extends Node, TimeStamped {
+  plainMeta?: JSONString;
+  plainMetaJson?: any;
+  cipherMeta?: string;
+  cipherMetaClearJson?: any;
+  contentResource?: string;
+  versions?: Connection<FileVersionNode>;
+  keyId: ID;
+}
+
+export enum KeyExchangeOtkState {
+  OTK_INITIATED = 'OTK_INITIATED',
+  OTK_ACCEPTED = 'OTK_ACCEPTED',
+  OTK_COMPLETED = 'OTK_COMPLETED',
+}
+
+export interface ContactCardSharedCipherData {
+  // Shared read access between initiator and responder. But only the initiator has write access.
+  sharedCipherDataClearJson: any;
+}
+
+/**
+ * The contents of the one-time key cipher
+ */
+export interface OtKeyCipherClearJson2 {
+  // Used to confirm to the initiator that the responder has access to the one-time key.
+  nonce: string;
+  // Data sent from initiator to the responder
+  initiator: {
+    oneTimePbk: object; // one-time public encryption key the responder will use to send data back to the initiator
+    pbk: object; // public encryption key
+    sigPbk: object; // public signing key
+    message?: any;
+    contactCard?: ContactCardSharedCipherData;
+  };
+}
+
+export interface KeyExchangeOtkNode extends Node, TimeStamped {
+  state?: KeyExchangeOtkState;
+  sharedKey?: KeyNode;
+  mkSharedKey?: KeyNode;
+  initiatorSigPxk?: KeyNode;
+  responderSigPxk?: KeyNode;
+  initiatorOneTimePbkCipher?: string;
+  otKeyParams?: string;
+  otKeyCipher?: string;
+  otKeyCipherClearJson?: OtKeyCipherClearJson2;
+  responderPbkCipher?: string;
+}
+
+export enum KeyExchangeState {
+  IN_PROGRESS = 'IN_PROGRESS',
+  COMPLETED = 'COMPLETED',
+  DECLINED = 'DECLINED',
+  CANCELLED = 'CANCELLED',
+  DELETED = 'DELETED',
+}
+
+export enum KeyExchangeMode {
+  OTK = 'OTK',
+}
+
+export interface KeyExchangeNode extends Node, TimeStamped {
+  expiryTime?: DateTime;
+  token?: string;
+  tokenExpiryTime?: DateTime;
+  state?: KeyExchangeState;
+  mode?: KeyExchangeMode;
+  initiator?: UserNode;
+  responder?: UserNode;
+  initiatorRootKeyCipher?: string;
+  responderRootKeyCipher?: string;
+  initiatorActionRequired?: boolean;
+  responderActionRequired?: boolean;
+  createTp?: boolean;
+  otk?: KeyExchangeOtkNode;
+  isInitiator?: boolean;
+  isExpired?: boolean;
+  responderEmailAddress?: LrEmail;
+}
+
+export interface SharedItems {
+  directories?: Connection<DirectoryNode>;
+  files?: Connection<FileNode>;
+}
+
+export interface SharedContactCardNode extends Node, TimeStamped {
+  owner?: UserNode;
+  receiver?: UserNode;
+  sharedKey?: KeyNode;
+  sharedCipherData?: string;
+  sharedCipherDataClearJson?: any;
+  sharedCipherDataSig?: string;
+  sharedCipherDataSigPxk?: KeyNode;
+  ownerCipherData?: string;
+  ownerCipherDataClearJson?: any;
+  ownerKey?: KeyNode;
+  ownerPlainData?: string;
+  ownerPlainDataJson?: any;
+  ownerPlainDataSig?: string;
+  receiverCipherData?: string;
+  receiverCipherDataClearJson?: any;
+  receiverKey?: KeyNode;
+}
+
+export interface UserSharedKeyNode extends Node, TimeStamped {
+  keyExchange?: KeyExchangeNode;
+  user?: UserNode;
+  userPrk?: KeyNode;
+  userSigPrk?: KeyNode;
+  other?: UserNode;
+  otherPbk?: KeyNode;
+  otherSigPbk?: KeyNode;
+  sharedKey?: KeyNode;
+  mkSharedKey?: KeyNode;
+  mkPxk?: KeyNode;
+  mkReshareRequestCipher?: string;
+  mkReshareResponseCipher?: string;
+  mkReshareRequestCipherClearJson?: any;
+  mkReshareResponseCipherClearJson?: any;
+  mkReshareRequestSent?: boolean;
+  mkReshareResponseSent?: boolean;
+}
+
+export interface CurrentUserSharedKeyNode extends Node, TimeStamped {
+  user?: UserNode;
+  other?: UserNode;
+  userSharedKey?: UserSharedKeyNode;
+}
+
+export interface TpNode extends Node, TimeStamped {
+  user?: UserNode;
+  other?: UserNode;
+  currentUserSharedKey?: CurrentUserSharedKeyNode;
+  isCompleted?: boolean;
+  sharedKey?: KeyNode;
+  sharedContactCard?: SharedContactCardNode;
+  myContactCard?: SharedContactCardNode;
+  myItems?: SharedItems;
+  sharedItems?: SharedItems;
+  myScenarios?: Connection<ScenarioNode>;
+  sharedScenarios?: Connection<SharedScenarioNode>;
+}
+
+export enum TpAssemblyState {
+  DISABLED = 'DISABLED',
+  ENABLED = 'ENABLED',
+  CLAIMED = 'CLAIMED',
+  APPROVED = 'APPROVED',
+  REJECTED = 'REJECTED',
+  EXPIRED = 'EXPIRED',
+  CANCELLED = 'CANCELLED',
+  RESET = 'RESET',
+}
+
+export enum TpClaimState {
+  CLAIMED = 'CLAIMED',
+  APPROVED = 'APPROVED',
+  REJECTED = 'REJECTED',
+  EXPIRED = 'EXPIRED',
+  CANCELLED = 'CANCELLED',
+  RESET = 'RESET',
+}
+
+export enum TpClaimApproverState {
+  CLAIMED = 'CLAIMED',
+  APPROVED = 'APPROVED',
+  REJECTED = 'REJECTED',
+}
+
+export interface TpPasswordResetApproval extends Node, TimeStamped {
+  approverEmail?: string;
+  receiverCipher?: string;
+  receiverCipherClearJson?: any;
+  receiverCipherPartialAssemblyKey?: string;
+  receiverCipherPartialAssemblyKeyClearJson?: any;
+}
+
+// export interface TpPasswordResetUser {
+//   username?: string;
+//   resetUsername?: string;
+//   state?: TpAssemblyState;
+//   passKey?: PassKeyNode;
+//   masterKey?: KeyNode;
+//   pxk?: KeyNode;
+//   approvals?: TpPasswordResetApproval[];
+//   assemblyCipherData?: string;
+//   wrappedAssemblyKeyVerifierPrk?: string;
+// }
+
+export interface TpPasswordResetUserApprovalNode extends Node, TimeStamped {
+  receiverCipher?: string;
+  receiverCipherClearJson?: any;
+  receiverCipherPartialAssemblyKey?: string;
+  receiverCipherPartialAssemblyKeyClearJson?: any;
+  approverEmail?: string;
+}
+
+export interface TpPasswordResetUserApprover {
+  name?: string;
+  email?: string;
+  state?: TpClaimApproverState;
+}
+
+export interface TpPasswordResetUserSubAssembly {
+  singleReject?: boolean;
+  quorum?: number;
+  approvers?: TpPasswordResetUserApprover[];
+}
+
+export interface TpPasswordResetUserAssembly {
+  singleReject?: boolean;
+  quorum?: number;
+  subAssemblies?: TpPasswordResetUserSubAssembly[];
+}
+
+export interface TpPasswordResetUserNode {
+  username?: string;
+  resetUsername?: string;
+  state?: TpClaimState;
+  passKey?: PassKeyNode;
+  masterKey?: KeyNode;
+  pxk?: KeyNode;
+  sessionEncryptionKey?: string;
+  approvals?: TpPasswordResetUserApprovalNode[];
+  assemblyCipherData?: string;
+  wrappedAssemblyKeyVerifierPrk?: string;
+  assembly?: TpPasswordResetUserAssembly;
+}
+
+export interface TpPasswordResetNode extends Node, TimeStamped {
+  assembly?: TpAssemblyNode;
+  request?: TpPasswordResetRequestNode;
+  applied?: boolean;
+}
+
+export interface TpAssemblyNode extends Node, TimeStamped {
+  id?: ID;
+  singleReject?: boolean;
+  quorum?: number;
+  subjectKey?: KeyNode;
+  assemblyKey?: KeyNode;
+  assemblyCipherData?: string;
+  assemblyCipherDataClearJson?: any;
+  subAssemblies?: Connection<TpSubAssemblyNode>;
+}
+
+export interface TpSubAssemblyNode extends Node, TimeStamped {
+  singleReject?: boolean;
+  quorum?: number;
+  subjectCipherData?: string;
+  subjectCipherDataClearJson?: string;
+  approvers?: Connection<TpAssemblyApproverNode>;
+}
+
+export interface TpAssemblyApproverNode extends Node, TimeStamped {
+  sharedKey?: KeyNode;
+  sharedCipherData?: string;
+  sharedCipherApprovalData?: string;
+  tp?: TpNode;
+}
+
+export interface SharedTpPasswordResetNode extends Node, TimeStamped {
+  assembly?: SharedTpAssemblyNode;
+  tp?: TpNode;
+  sharedRequest?: SharedTpPasswordResetRequestNode;
+}
+
+export interface SharedTpAssemblyNode extends Node, TimeStamped {
+  asApprovers?: Connection<TpAssemblyAsApproverNode>;
+}
+
+export interface TpAssemblyAsApproverNode extends Node, TimeStamped {
+  sharedKey?: KeyNode;
+  sharedCipherData?: string;
+}
+
+export interface SharedTpPasswordResetRequestNode extends Node, TimeStamped {
+  claim?: SharedTpClaimNode;
+  pxk?: KeyNode;
+}
+
+export interface SharedTpClaimNode extends Node, TimeStamped {
+  state?: TpClaimState;
+  asClaimApprovers?: Connection<SharedTpClaimApproverNode>;
+}
+
+export interface SharedTpClaimApproverNode extends Node, TimeStamped {
+  state?: TpClaimApproverState;
+  sharedKey?: KeyNode;
+  sharedCipherApprovalData?: string;
+  sharedCipherPartialAssemblyKey?: string;
+  receiverApprovals?: Connection<SharedTpClaimReceiverApprovalNode>;
+}
+
+export interface SharedTpClaimReceiverApprovalNode extends Node, TimeStamped {
+  pxk?: KeyNode;
+}
+
+export enum LockState {
+  UNLOCKED = 'UNLOCKED',
+  MUTEX_LOCKED = 'MUTEX_LOCKED',
+}

package/src/lib/auth/auth.config.ts

@@ -0,0 +1,83 @@
+import { AuthClass } from '@aws-amplify/auth/lib-esm/Auth';
+import { LifeReadyConfig } from '../life-ready.config';
+
+export function handleCognitoCallback<T>(
+  method: (callback: (err?: Error, result?: T) => void) => void
+): Promise<T> {
+  return new Promise<T>((resolve, reject) =>
+    method((err, result) => (err ? reject(err) : resolve(result)))
+  );
+}
+
+export const awsFetch = (authUrl: string) => {
+  const fetch = window.fetch;
+
+  return (url, options) => {
+    const pass = () => fetch(url, options);
+
+    if (!options || !options.headers || !options.headers['X-Amz-Target']) {
+      return pass();
+    }
+
+    const operation = options.headers['X-Amz-Target'].split('.');
+    if (
+      operation.length < 2 ||
+      operation[0] !== 'AWSCognitoIdentityProviderService'
+    ) {
+      return pass();
+    }
+
+    const body = JSON.parse(options.body);
+
+    if (body && body.ClientMetadata && body.ClientMetadata.noProxy === 'true') {
+      return pass();
+    }
+
+    let custom = false;
+
+    if (operation[1] === 'RespondToAuthChallenge') {
+      if (body && body.ChallengeName === 'NEW_PASSWORD_REQUIRED') {
+        return pass();
+      }
+      custom = true;
+    } else if (operation[1] === 'InitiateAuth') {
+      if (body.AuthFlow === 'REFRESH_TOKEN_AUTH') {
+        custom = true;
+      }
+    }
+
+    if (!custom) {
+      return pass();
+    }
+
+    return fetch(`${authUrl}auth/proxy/`, {
+      ...options,
+      credentials: 'include',
+    });
+  };
+};
+
+export const configureAmplifyAuth = (
+  { authUrl: authUrl, userPoolId, userPoolWebClientId }: LifeReadyConfig,
+  auth: AuthClass
+) => {
+  return () => {
+    const tokens = userPoolId.split('_');
+    if (tokens.length < 2) {
+      throw new Error('userPoolId should have this format: {aws-region}_xxxxx');
+    }
+
+    window.fetch = awsFetch(authUrl);
+
+    auth.configure({
+      // REQUIRED - Amazon Cognito Region
+      region: tokens[0],
+      // OPTIONAL - Amazon Cognito User Pool ID
+      userPoolId,
+      // OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
+      userPoolWebClientId,
+      // OPTIONAL - Enforce user authentication prior to accessing AWS resources or not
+      mandatorySignIn: false,
+    });
+  };
+};

package/src/lib/auth/auth.gql.ts

@@ -0,0 +1,62 @@
+import gql from 'graphql-tag';
+import { gqlTyped } from '../_common/ast';
+
+export const PasswordChangeRequestMutation = gql`
+  mutation {
+    passwordChangeRequest(input: {}) {
+      challenge
+      passKeys {
+        id
+        passIdpParams
+        wrappedPassIdpVerifierPrk
+      }
+    }
+  }
+`;
+
+export const PasswordChangeMutation = gql`
+  mutation PasswordChange($input: PasswordChangeInput!) {
+    passwordChange(input: $input) {
+      token
+      newPassKey {
+        id
+      }
+    }
+  }
+`;
+
+export const PasswordChangeConfigQuery = gql`
+  query PasswordChangeConfigQuery {
+    passwordChangeConfig {
+      maxAuthAgeSeconds
+      authTime
+      serverTime
+    }
+  }
+`;
+
+export interface SetSessionEncryptionKeyMutation {
+  setSessionEncryptionKey: {
+    sessionEncryptionKey: string;
+  };
+}
+export const SetSessionEncryptionKeyMutation = gqlTyped<SetSessionEncryptionKeyMutation>`
+mutation SetSessionEncryptionKeyMutation($input: SetSessionEncryptionKeyInput!) {
+  setSessionEncryptionKey(input: $input) {
+    sessionEncryptionKey
+  }
+}
+`;
+
+export interface ClearSessionEncryptionKeyMutation {
+  clearSessionEncryptionKey: {
+    sessionEncryptionKey: string;
+  };
+}
+export const ClearSessionEncryptionKeyMutation = gqlTyped<ClearSessionEncryptionKeyMutation>`
+mutation ClearSessionEncryptionKeyMutation {
+  clearSessionEncryptionKey(input: {}) {
+    sessionEncryptionKey
+  }
+}
+`;

package/src/lib/auth/auth.types.ts

@@ -0,0 +1,79 @@
+import { CognitoUser } from '@aws-amplify/auth';
+import { JWK } from 'node-jose';
+import { TpPasswordResetUserNode } from '../api/types';
+import {
+  PassIdpParams,
+  PassKeyParams,
+} from '../cryptography/cryptography.types';
+import { UserPlan } from '../plan/plan.types';
+import { CurrentUserKey, MainContactCard } from '../users/profile.types';
+import { UserDelete } from '../users/user.types';
+
+export interface PassKeyBundle {
+  passKeyParams: PassKeyParams;
+  passKey: JWK.Key;
+  passIdpParams: PassIdpParams;
+  passIdp: JWK.Key;
+  passIdpVerifier: JWK.Key;
+  wrappedPassIdpVerifierPrk: object;
+}
+
+export class CognitoChallengeUser extends CognitoUser {
+  recoveryStatus: RecoveryStatus;
+  challengeName: 'SMS_MFA' | 'SOFTWARE_TOKEN_MFA';
+  challengeParam: any;
+  isTpPasswordResetUser = false;
+}
+
+export enum FeatureAction {
+  // Just the one for now
+  ACCESS = 'access',
+}
+
+export class Features {
+  myVault: FeatureAction[];
+  tpVault: FeatureAction[];
+  shareVault: FeatureAction[];
+}
+
+export class CurrentUser {
+  id: string;
+  sub: string;
+  username: string;
+  currentUserKey: CurrentUserKey;
+  email: string;
+  emailVerified: boolean;
+  phone: string;
+  phoneVerified: boolean;
+  getAccessJwtToken: () => string;
+  contactCard: MainContactCard;
+  userDelete?: UserDelete;
+  userPlans: UserPlan[];
+  features: Features;
+  hasTPVaultAccess: boolean;
+  sessionEncryptionKey: string;
+}
+
+export interface TpPasswordResetUser extends TpPasswordResetUserNode {
+  sub: string;
+}
+
+export class LoginResult {
+  hasChallenge: boolean;
+  challenge?: CognitoChallengeUser;
+  user?: CurrentUser;
+  resetUser?: TpPasswordResetUserNode;
+}
+
+export class RegisterResult {
+  username: string;
+  userId: string;
+  preSignUpToken: string;
+  userSub: string;
+}
+
+export enum RecoveryStatus {
+  NONE = 'none',
+  NEW_PASSWORD = 'new-password',
+  OLD_PASSWORD = 'old-password',
+}