@lifeready/core 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/bundles/lifeready-core.umd.js +725 -662
  2. package/bundles/lifeready-core.umd.js.map +1 -1
  3. package/bundles/lifeready-core.umd.min.js +2 -2
  4. package/bundles/lifeready-core.umd.min.js.map +1 -1
  5. package/esm2015/lib/api/query-processor/tp-password-reset-processor.service.js +3 -3
  6. package/esm2015/lib/auth/life-ready-auth.service.js +174 -7
  7. package/esm2015/lib/trusted-parties/tp-password-reset-user.service.js +2 -139
  8. package/esm2015/lib/trusted-parties/tp-password-reset.constants.js +4 -0
  9. package/esm2015/lib/trusted-parties/tp-password-reset.service.js +5 -6
  10. package/fesm2015/lifeready-core.js +483 -451
  11. package/fesm2015/lifeready-core.js.map +1 -1
  12. package/lib/auth/life-ready-auth.service.d.ts +15 -2
  13. package/lib/trusted-parties/tp-password-reset-user.service.d.ts +0 -6
  14. package/lib/trusted-parties/tp-password-reset.constants.d.ts +3 -0
  15. package/lib/trusted-parties/tp-password-reset.service.d.ts +0 -1
  16. package/lifeready-core.metadata.json +1 -1
  17. package/package.json +1 -1
package/bundles/lifeready-core.umd.js CHANGED
@@ -4179,16 +4179,22 @@
4179
4179
  };
4180
4180
  TpPasswordResetProcessorService.prototype.processTpPasswordResetUserApprovalNode = function (approval, pxk) {
4181
4181
  return __awaiter(this, void 0, void 0, function () {
4182
- var ret;
4183
- return __generator(this, function (_b) {
4184
- ret = Object.assign({}, approval);
4185
- if (approval.receiverCipher) {
4186
- ret.receiverCipherClearJson = this.keyGraph.decryptFromString(pxk, approval.receiverCipher);
4187
- }
4188
- if (approval.receiverCipherPartialAssemblyKey) {
4189
- ret.receiverCipherPartialAssemblyKeyClearJson = this.keyGraph.decryptFromString(pxk, approval.receiverCipherPartialAssemblyKey);
4182
+ var ret, _b;
4183
+ return __generator(this, function (_c) {
4184
+ switch (_c.label) {
4185
+ case 0:
4186
+ ret = Object.assign({}, approval);
4187
+ if (approval.receiverCipher) {
4188
+ ret.receiverCipherClearJson = this.keyGraph.decryptFromString(pxk, approval.receiverCipher);
4189
+ }
4190
+ if (!approval.receiverCipherPartialAssemblyKey) return [3 /*break*/, 2];
4191
+ _b = ret;
4192
+ return [4 /*yield*/, this.keyGraph.decryptFromString(pxk, approval.receiverCipherPartialAssemblyKey)];
4193
+ case 1:
4194
+ _b.receiverCipherPartialAssemblyKeyClearJson = _c.sent();
4195
+ _c.label = 2;
4196
+ case 2: return [2 /*return*/, ret];
4190
4197
  }
4191
- return [2 /*return*/, ret];
4192
4198
  });
4193
4199
  });
4194
4200
  };
@@ -4204,7 +4210,7 @@
4204
4210
  ret = Object.assign({}, field);
4205
4211
  if (!field.assembly) return [3 /*break*/, 2];
4206
4212
  if (field.applied == null) {
4207
- throw new LrBadRequestException('If you request for field "assembly" in the TpPasswordResetNode, then you must also request the "applied" field');
4213
+ throw new LrBadRequestException('If you request for field \'assembly\' in the TpPasswordResetNode, then you must also request the \'applied\' field');
4208
4214
  }
4209
4215
  _b = ret;
4210
4216
  return [4 /*yield*/, this.processTpAssemblyNode(field.assembly, field.applied)];
@@ -5032,113 +5038,421 @@
5032
5038
  return LrService;
5033
5039
  }());
5034
5040
 
5035
- var initialiseAuth = function (authService) {
5036
- return function () { return authService.initialise(); };
5037
- };
5038
- var LifeReadyAuthService = /** @class */ (function () {
5039
- function LifeReadyAuthService(config, auth, keyFactory, keyService, profileService, keyGraphService, passwordService, idleService, lrGraphQL, tpPasswordResetProcessorService, persistService) {
5040
- this.config = config;
5041
- this.auth = auth;
5042
- this.keyFactory = keyFactory;
5043
- this.keyService = keyService;
5044
- this.profileService = profileService;
5045
- this.keyGraphService = keyGraphService;
5046
- this.passwordService = passwordService;
5047
- this.idleService = idleService;
5048
- this.lrGraphQL = lrGraphQL;
5049
- this.tpPasswordResetProcessorService = tpPasswordResetProcessorService;
5050
- this.persistService = persistService;
5051
- this.hubSubject = new rxjs.ReplaySubject(1);
5041
+ // ------------------------------------------------------
5042
+ // Basic types
5043
+ // ------------------------------------------------------
5044
+ // These types map directory to types of the same name in graphql.
5045
+ // We use these aliases in case in the future we wish to reify the types and do
5046
+ // additional automated conversion.
5047
+
5048
+ var AccessRoleChoice;
5049
+ (function (AccessRoleChoice) {
5050
+ AccessRoleChoice["READER"] = "READER";
5051
+ AccessRoleChoice["WRITER"] = "WRITER";
5052
+ AccessRoleChoice["ADMIN"] = "ADMIN";
5053
+ AccessRoleChoice["DENY"] = "DENY";
5054
+ AccessRoleChoice["OWNER"] = "OWNER";
5055
+ })(AccessRoleChoice || (AccessRoleChoice = {}));
5056
+ var AccessRoleMethod;
5057
+ (function (AccessRoleMethod) {
5058
+ AccessRoleMethod["inherited"] = "inherited";
5059
+ AccessRoleMethod["direct"] = "direct";
5060
+ })(AccessRoleMethod || (AccessRoleMethod = {}));
5061
+ var FileVersionOperation;
5062
+ (function (FileVersionOperation) {
5063
+ FileVersionOperation["CREATE"] = "CREATE";
5064
+ FileVersionOperation["READ"] = "READ";
5065
+ FileVersionOperation["UPDATE"] = "UPDATE";
5066
+ FileVersionOperation["REVERT"] = "REVERT";
5067
+ FileVersionOperation["DELETE"] = "DELETE";
5068
+ })(FileVersionOperation || (FileVersionOperation = {}));
5069
+ var KeyExchangeOtkState;
5070
+ (function (KeyExchangeOtkState) {
5071
+ KeyExchangeOtkState["OTK_INITIATED"] = "OTK_INITIATED";
5072
+ KeyExchangeOtkState["OTK_ACCEPTED"] = "OTK_ACCEPTED";
5073
+ KeyExchangeOtkState["OTK_COMPLETED"] = "OTK_COMPLETED";
5074
+ })(KeyExchangeOtkState || (KeyExchangeOtkState = {}));
5075
+ var KeyExchangeState;
5076
+ (function (KeyExchangeState) {
5077
+ KeyExchangeState["IN_PROGRESS"] = "IN_PROGRESS";
5078
+ KeyExchangeState["COMPLETED"] = "COMPLETED";
5079
+ KeyExchangeState["DECLINED"] = "DECLINED";
5080
+ KeyExchangeState["CANCELLED"] = "CANCELLED";
5081
+ KeyExchangeState["DELETED"] = "DELETED";
5082
+ })(KeyExchangeState || (KeyExchangeState = {}));
5083
+ var KeyExchangeMode;
5084
+ (function (KeyExchangeMode) {
5085
+ KeyExchangeMode["OTK"] = "OTK";
5086
+ })(KeyExchangeMode || (KeyExchangeMode = {}));
5087
+ var TpAssemblyState;
5088
+ (function (TpAssemblyState) {
5089
+ TpAssemblyState["DISABLED"] = "DISABLED";
5090
+ TpAssemblyState["ENABLED"] = "ENABLED";
5091
+ TpAssemblyState["CLAIMED"] = "CLAIMED";
5092
+ TpAssemblyState["APPROVED"] = "APPROVED";
5093
+ TpAssemblyState["REJECTED"] = "REJECTED";
5094
+ TpAssemblyState["EXPIRED"] = "EXPIRED";
5095
+ TpAssemblyState["CANCELLED"] = "CANCELLED";
5096
+ TpAssemblyState["RESET"] = "RESET";
5097
+ })(TpAssemblyState || (TpAssemblyState = {}));
5098
+ var TpClaimState;
5099
+ (function (TpClaimState) {
5100
+ TpClaimState["CLAIMED"] = "CLAIMED";
5101
+ TpClaimState["APPROVED"] = "APPROVED";
5102
+ TpClaimState["REJECTED"] = "REJECTED";
5103
+ TpClaimState["EXPIRED"] = "EXPIRED";
5104
+ TpClaimState["CANCELLED"] = "CANCELLED";
5105
+ TpClaimState["RESET"] = "RESET";
5106
+ })(TpClaimState || (TpClaimState = {}));
5107
+ var TpClaimApproverState;
5108
+ (function (TpClaimApproverState) {
5109
+ TpClaimApproverState["CLAIMED"] = "CLAIMED";
5110
+ TpClaimApproverState["APPROVED"] = "APPROVED";
5111
+ TpClaimApproverState["REJECTED"] = "REJECTED";
5112
+ })(TpClaimApproverState || (TpClaimApproverState = {}));
5113
+ var LockState;
5114
+ (function (LockState) {
5115
+ LockState["UNLOCKED"] = "UNLOCKED";
5116
+ LockState["MUTEX_LOCKED"] = "MUTEX_LOCKED";
5117
+ })(LockState || (LockState = {}));
5118
+
5119
+ var SecretShare = /** @class */ (function () {
5120
+ function SecretShare(assembly, subAssembly, mnemonics) {
5121
+ if (assembly === void 0) { assembly = 0; }
5122
+ if (subAssembly === void 0) { subAssembly = 0; }
5123
+ if (mnemonics === void 0) { mnemonics = ''; }
5124
+ this.assembly = assembly;
5125
+ this.subAssembly = subAssembly;
5126
+ this.mnemonics = mnemonics;
5052
5127
  }
5053
- LifeReadyAuthService.prototype.initialise = function () {
5054
- return __awaiter(this, void 0, void 0, function () {
5055
- var _this = this;
5056
- return __generator(this, function (_a) {
5057
- core$1.Hub.listen('auth', function (data) { return _this.hubSubject.next(data.payload); });
5058
- return [2 /*return*/];
5059
- });
5128
+ return SecretShare;
5129
+ }());
5130
+ var SubAssembly = /** @class */ (function () {
5131
+ function SubAssembly(index, threshold, size) {
5132
+ if (threshold === void 0) { threshold = 0; }
5133
+ if (size === void 0) { size = 0; }
5134
+ this.index = index;
5135
+ this.threshold = threshold;
5136
+ this.size = size;
5137
+ this.clearShares();
5138
+ }
5139
+ SubAssembly.prototype.clearShares = function () {
5140
+ this.shares = Array();
5141
+ };
5142
+ SubAssembly.prototype.addShare = function (share) {
5143
+ this.shares.push(share);
5144
+ };
5145
+ return SubAssembly;
5146
+ }());
5147
+ var Assembly = /** @class */ (function () {
5148
+ function Assembly(threshold) {
5149
+ if (threshold === void 0) { threshold = 0; }
5150
+ this.threshold = threshold;
5151
+ this.clearSubAssemblies();
5152
+ }
5153
+ Assembly.prototype.size = function () {
5154
+ return this.subAssemblies.length;
5155
+ };
5156
+ Assembly.prototype.clearSubAssemblies = function () {
5157
+ this.subAssemblies = new Array();
5158
+ };
5159
+ Assembly.prototype.addSubAssembly = function (subAssembly) {
5160
+ this.subAssemblies.push(subAssembly);
5161
+ };
5162
+ return Assembly;
5163
+ }());
5164
+ var SubQuorum = /** @class */ (function () {
5165
+ function SubQuorum(subAssemblyIndex) {
5166
+ this.subAssemblyIndex = subAssemblyIndex;
5167
+ this.clearShares();
5168
+ }
5169
+ SubQuorum.prototype.clearShares = function () {
5170
+ this.shares = new Array();
5171
+ };
5172
+ SubQuorum.prototype.addShare = function (share) {
5173
+ this.shares.push(share);
5174
+ };
5175
+ return SubQuorum;
5176
+ }());
5177
+ var Quorum = /** @class */ (function () {
5178
+ function Quorum() {
5179
+ this.clearSubQuora();
5180
+ }
5181
+ Quorum.prototype.clearSubQuora = function () {
5182
+ this.subQuora = new Array();
5183
+ };
5184
+ Quorum.prototype.addSubQuorum = function (subQuorum) {
5185
+ this.subQuora.push(subQuorum);
5186
+ };
5187
+ Quorum.prototype.serialiseShares = function () {
5188
+ var shares = [];
5189
+ this.subQuora.forEach(function (subQuorum) {
5190
+ shares = shares.concat(subQuorum.shares);
5060
5191
  });
5192
+ return shares;
5061
5193
  };
5062
- LifeReadyAuthService.prototype.loginIdpImpl = function (emailOrPhone, password, passIdpParams, recoveryStatus) {
5194
+ return Quorum;
5195
+ }());
5196
+ var Slip39Service = /** @class */ (function () {
5197
+ function Slip39Service() {
5198
+ }
5199
+ Slip39Service.prototype.generateShares = function (secret, passphrase, assembly) {
5063
5200
  return __awaiter(this, void 0, void 0, function () {
5064
- var passIdpResult, user;
5065
- return __generator(this, function (_a) {
5066
- switch (_a.label) {
5067
- case 0: return [4 /*yield*/, this.keyFactory.derivePassIdp(Object.assign({ password: password }, passIdpParams))];
5201
+ var ems, groups, _a, _b, sa, slip;
5202
+ var e_1, _c;
5203
+ return __generator(this, function (_d) {
5204
+ switch (_d.label) {
5205
+ case 0:
5206
+ ems = btoa(secret);
5207
+ ems = slip39.Slip39Helper.slip39EncodeHex(ems);
5208
+ groups = [];
5209
+ try {
5210
+ for (_a = __values(assembly.subAssemblies), _b = _a.next(); !_b.done; _b = _a.next()) {
5211
+ sa = _b.value;
5212
+ groups.push([sa.threshold, sa.size]);
5213
+ }
5214
+ }
5215
+ catch (e_1_1) { e_1 = { error: e_1_1 }; }
5216
+ finally {
5217
+ try {
5218
+ if (_b && !_b.done && (_c = _a.return)) _c.call(_a);
5219
+ }
5220
+ finally { if (e_1) throw e_1.error; }
5221
+ }
5222
+ return [4 /*yield*/, slip39.Slip39.fromArray(ems, {
5223
+ passphrase: passphrase,
5224
+ threshold: assembly.threshold,
5225
+ groups: groups,
5226
+ title: '',
5227
+ })];
5068
5228
  case 1:
5069
- passIdpResult = _a.sent();
5070
- return [4 /*yield*/, this.auth.signIn(emailOrPhone, this.passwordService.getPassIdpString(passIdpResult.jwk))];
5071
- case 2:
5072
- user = _a.sent();
5073
- user.recoveryStatus = recoveryStatus;
5074
- return [2 /*return*/, user];
5229
+ slip = _d.sent();
5230
+ // Extract shares
5231
+ assembly.subAssemblies.forEach(function (sa, isa) {
5232
+ // Remove any existing shares
5233
+ sa.clearShares();
5234
+ for (var im = 0; im < sa.size; im++) {
5235
+ // Construct the path to the share, formatted as "r/<subassembly index>/<member index>"
5236
+ // with <subassembly index> and <member index> being two-digit, zero-padded integers.
5237
+ var path = 'r/' +
5238
+ isa.toString().padStart(2, '0') +
5239
+ '/' +
5240
+ im.toString().padStart(2, '0');
5241
+ var mnemonics = slip.fromPath(path).mnemonics[0];
5242
+ var share = new SecretShare(isa, im, mnemonics);
5243
+ sa.addShare(share);
5244
+ }
5245
+ });
5246
+ return [2 /*return*/];
5075
5247
  }
5076
5248
  });
5077
5249
  });
5078
5250
  };
5079
- LifeReadyAuthService.prototype.loginIdp = function (emailOrPhone, password) {
5080
- return __awaiter(this, void 0, void 0, function () {
5081
- var passIdpApiResult, user, error_1, user, error_2, reset, ret, err_1;
5082
- return __generator(this, function (_a) {
5083
- switch (_a.label) {
5084
- case 0: return [4 /*yield*/, this.profileService.getPassIdpParams(emailOrPhone)];
5085
- case 1:
5086
- passIdpApiResult = _a.sent();
5087
- if (passIdpApiResult.passwordChangeStatus === exports.PasswordChangeStatus.InProgress) {
5088
- throw new LrConcurrentAccessException('A password change is in progress');
5089
- }
5090
- if (!(passIdpApiResult.passwordChangeStatus === exports.PasswordChangeStatus.Recovery)) return [3 /*break*/, 8];
5251
+ // Remove all redundant shares. i.e. keep only enough members and groups to satisfy the thresholds.
5252
+ Slip39Service.prototype.minimalSet = function (mnemonics) {
5253
+ var e_2, _a, e_3, _b;
5254
+ // Decode the mnemonics and sort then into groups.
5255
+ var groupThresh = null;
5256
+ var groups = new Map();
5257
+ try {
5258
+ for (var mnemonics_1 = __values(mnemonics), mnemonics_1_1 = mnemonics_1.next(); !mnemonics_1_1.done; mnemonics_1_1 = mnemonics_1.next()) {
5259
+ var mnemonic = mnemonics_1_1.value;
5260
+ var decoded = slip39.Slip39Helper.decodeMnemonic(mnemonic);
5261
+ if (groupThresh && groupThresh !== decoded.groupThreshold) {
5262
+ throw new Error('groupThreshold is different in mnemonics');
5263
+ }
5264
+ groupThresh = decoded.groupThreshold;
5265
+ // Note that Slip39.recoverSecret() will do all the error checking again. So it's not critical
5266
+ // that we error check here. So we just optimistically assume it's all good.
5267
+ var g = groups.get(decoded.groupIndex);
5268
+ if (g == null) {
5269
+ g = {
5270
+ memberThreshold: decoded.memberThreshold,
5271
+ members: [],
5272
+ };
5273
+ groups.set(decoded.groupIndex, g);
5274
+ }
5275
+ g.members.push({
5276
+ mnemonic: mnemonic,
5277
+ decoded: decoded,
5278
+ });
5279
+ }
5280
+ }
5281
+ catch (e_2_1) { e_2 = { error: e_2_1 }; }
5282
+ finally {
5283
+ try {
5284
+ if (mnemonics_1_1 && !mnemonics_1_1.done && (_a = mnemonics_1.return)) _a.call(mnemonics_1);
5285
+ }
5286
+ finally { if (e_2) throw e_2.error; }
5287
+ }
5288
+ // Keep the minimum set of groups that meet threshold.
5289
+ var mnemonicsMinSet = [];
5290
+ var groupCount = 0;
5291
+ try {
5292
+ for (var _c = __values(groups.values()), _d = _c.next(); !_d.done; _d = _c.next()) {
5293
+ var g = _d.value;
5294
+ // Keep only groups that meet threshold
5295
+ if (g.members.length < g.memberThreshold) {
5296
+ continue;
5297
+ }
5298
+ // Keep minimum number of approvals needed for group
5299
+ g.members.slice(0, g.memberThreshold).forEach(function (member) {
5300
+ mnemonicsMinSet.push(member.mnemonic);
5301
+ });
5302
+ ++groupCount;
5303
+ if (groupCount >= groupThresh) {
5304
+ break;
5305
+ }
5306
+ }
5307
+ }
5308
+ catch (e_3_1) { e_3 = { error: e_3_1 }; }
5309
+ finally {
5310
+ try {
5311
+ if (_d && !_d.done && (_b = _c.return)) _b.call(_c);
5312
+ }
5313
+ finally { if (e_3) throw e_3.error; }
5314
+ }
5315
+ return mnemonicsMinSet;
5316
+ };
5317
+ Slip39Service.prototype.recoverSecret = function (shares, passphrase) {
5318
+ return __awaiter(this, void 0, void 0, function () {
5319
+ var recovered, secret;
5320
+ return __generator(this, function (_a) {
5321
+ switch (_a.label) {
5322
+ case 0:
5323
+ shares = this.minimalSet(shares);
5324
+ return [4 /*yield*/, slip39.Slip39.recoverSecret(shares, passphrase)];
5325
+ case 1:
5326
+ recovered = _a.sent();
5327
+ secret = slip39.Slip39Helper.slip39DecodeHex(recovered);
5328
+ return [2 /*return*/, atob(secret)];
5329
+ }
5330
+ });
5331
+ });
5332
+ };
5333
+ return Slip39Service;
5334
+ }());
5335
+ Slip39Service.ɵprov = i0.ɵɵdefineInjectable({ factory: function Slip39Service_Factory() { return new Slip39Service(); }, token: Slip39Service, providedIn: "root" });
5336
+ Slip39Service.decorators = [
5337
+ { type: i0.Injectable, args: [{
5338
+ providedIn: 'root',
5339
+ },] }
5340
+ ];
5341
+ Slip39Service.ctorParameters = function () { return []; };
5342
+
5343
+ var TP_PASSWORD_RESET_CLIENT_NONCE_LENGTH = 32;
5344
+ var TP_PASSWORD_RESET_SLIP39_PASSPHRASE = 'lifeready';
5345
+ var TP_PASSWORD_RESET_USERNAME_SUFFIX = '.tp_password_reset';
5346
+
5347
+ var initialiseAuth = function (authService) {
5348
+ return function () { return authService.initialise(); };
5349
+ };
5350
+ var LifeReadyAuthService = /** @class */ (function () {
5351
+ function LifeReadyAuthService(config, auth, keyFactory, keyService, profileService, keyGraphService, passwordService, idleService, lrGraphQL, tpPasswordResetProcessorService, persistService, encryptionService, slip39Service) {
5352
+ this.config = config;
5353
+ this.auth = auth;
5354
+ this.keyFactory = keyFactory;
5355
+ this.keyService = keyService;
5356
+ this.profileService = profileService;
5357
+ this.keyGraphService = keyGraphService;
5358
+ this.passwordService = passwordService;
5359
+ this.idleService = idleService;
5360
+ this.lrGraphQL = lrGraphQL;
5361
+ this.tpPasswordResetProcessorService = tpPasswordResetProcessorService;
5362
+ this.persistService = persistService;
5363
+ this.encryptionService = encryptionService;
5364
+ this.slip39Service = slip39Service;
5365
+ this.hubSubject = new rxjs.ReplaySubject(1);
5366
+ }
5367
+ LifeReadyAuthService.prototype.initialise = function () {
5368
+ return __awaiter(this, void 0, void 0, function () {
5369
+ var _this = this;
5370
+ return __generator(this, function (_b) {
5371
+ core$1.Hub.listen('auth', function (data) { return _this.hubSubject.next(data.payload); });
5372
+ return [2 /*return*/];
5373
+ });
5374
+ });
5375
+ };
5376
+ LifeReadyAuthService.prototype.loginIdpImpl = function (emailOrPhone, password, passIdpParams, recoveryStatus) {
5377
+ return __awaiter(this, void 0, void 0, function () {
5378
+ var passIdpResult, user;
5379
+ return __generator(this, function (_b) {
5380
+ switch (_b.label) {
5381
+ case 0: return [4 /*yield*/, this.keyFactory.derivePassIdp(Object.assign({ password: password }, passIdpParams))];
5382
+ case 1:
5383
+ passIdpResult = _b.sent();
5384
+ return [4 /*yield*/, this.auth.signIn(emailOrPhone, this.passwordService.getPassIdpString(passIdpResult.jwk))];
5385
+ case 2:
5386
+ user = _b.sent();
5387
+ user.recoveryStatus = recoveryStatus;
5388
+ return [2 /*return*/, user];
5389
+ }
5390
+ });
5391
+ });
5392
+ };
5393
+ LifeReadyAuthService.prototype.loginIdp = function (emailOrPhone, password) {
5394
+ return __awaiter(this, void 0, void 0, function () {
5395
+ var passIdpApiResult, user, error_1, user, error_2, reset, ret, err_1;
5396
+ return __generator(this, function (_b) {
5397
+ switch (_b.label) {
5398
+ case 0: return [4 /*yield*/, this.profileService.getPassIdpParams(emailOrPhone)];
5399
+ case 1:
5400
+ passIdpApiResult = _b.sent();
5401
+ if (passIdpApiResult.passwordChangeStatus === exports.PasswordChangeStatus.InProgress) {
5402
+ throw new LrConcurrentAccessException('A password change is in progress');
5403
+ }
5404
+ if (!(passIdpApiResult.passwordChangeStatus === exports.PasswordChangeStatus.Recovery)) return [3 /*break*/, 8];
5091
5405
  console.log('In recovery mode.');
5092
- _a.label = 2;
5406
+ _b.label = 2;
5093
5407
  case 2:
5094
- _a.trys.push([2, 4, , 5]);
5408
+ _b.trys.push([2, 4, , 5]);
5095
5409
  return [4 /*yield*/, this.loginIdpImpl(emailOrPhone, password, passIdpApiResult.newPassIdpParams, exports.RecoveryStatus.NEW_PASSWORD)];
5096
5410
  case 3:
5097
- user = _a.sent();
5411
+ user = _b.sent();
5098
5412
  // New password worked. Let's set to the current password
5099
5413
  // --Potential Failure Point 1--
5100
5414
  // if changePasswordComplete() doesn't get called, then it should remain
5101
5415
  console.log('New password works!');
5102
5416
  return [2 /*return*/, user];
5103
5417
  case 4:
5104
- error_1 = _a.sent();
5418
+ error_1 = _b.sent();
5105
5419
  // Just bubble up any other type of error.
5106
5420
  if (error_1.code !== 'NotAuthorizedException') {
5107
5421
  throw error_1;
5108
5422
  }
5109
5423
  return [3 /*break*/, 5];
5110
5424
  case 5:
5111
- _a.trys.push([5, 7, , 8]);
5425
+ _b.trys.push([5, 7, , 8]);
5112
5426
  return [4 /*yield*/, this.loginIdpImpl(emailOrPhone, password, passIdpApiResult.currentPassIdpParams, exports.RecoveryStatus.OLD_PASSWORD)];
5113
5427
  case 6:
5114
- user = _a.sent();
5428
+ user = _b.sent();
5115
5429
  // Old password worked.
5116
5430
  console.log('Old password works!');
5117
5431
  return [2 /*return*/, user];
5118
5432
  case 7:
5119
- error_2 = _a.sent();
5433
+ error_2 = _b.sent();
5120
5434
  // Just bubble up any other type of error.
5121
5435
  throw error_2.code === 'NotAuthorizedException'
5122
5436
  ? new LrBadRequestException('The password change request was interrupted, please try to login with both your new and old password')
5123
5437
  : error_2;
5124
5438
  case 8:
5125
5439
  if (!passIdpApiResult.tpPasswordReset) return [3 /*break*/, 12];
5126
- _a.label = 9;
5440
+ _b.label = 9;
5127
5441
  case 9:
5128
- _a.trys.push([9, 11, , 12]);
5442
+ _b.trys.push([9, 11, , 12]);
5129
5443
  reset = passIdpApiResult.tpPasswordReset;
5130
5444
  return [4 /*yield*/, this.loginIdpImpl(reset.resetUsername, password, reset.passIdpParams, exports.RecoveryStatus.NONE)];
5131
5445
  case 10:
5132
- ret = _a.sent();
5446
+ ret = _b.sent();
5133
5447
  ret.isTpPasswordResetUser = true;
5134
5448
  return [2 /*return*/, ret];
5135
5449
  case 11:
5136
- err_1 = _a.sent();
5450
+ err_1 = _b.sent();
5137
5451
  return [3 /*break*/, 12];
5138
5452
  case 12: return [4 /*yield*/, this.loginIdpImpl(emailOrPhone, password, passIdpApiResult.currentPassIdpParams, exports.RecoveryStatus.NONE)];
5139
5453
  case 13:
5140
5454
  // Login as regular user
5141
- return [2 /*return*/, _a.sent()];
5455
+ return [2 /*return*/, _b.sent()];
5142
5456
  }
5143
5457
  });
5144
5458
  });
@@ -5146,8 +5460,8 @@
5146
5460
  LifeReadyAuthService.prototype.handleSessionEncryptionKey = function () {
5147
5461
  return __awaiter(this, void 0, void 0, function () {
5148
5462
  var msg, sessionEncryptionKey;
5149
- return __generator(this, function (_a) {
5150
- switch (_a.label) {
5463
+ return __generator(this, function (_b) {
5464
+ switch (_b.label) {
5151
5465
  case 0:
5152
5466
  if (!this.config.disableSessionEncryptionKey) return [3 /*break*/, 1];
5153
5467
  if (!i0.isDevMode()) {
@@ -5161,7 +5475,7 @@
5161
5475
  return [3 /*break*/, 4];
5162
5476
  case 1: return [4 /*yield*/, this.keyFactory.createKey()];
5163
5477
  case 2:
5164
- sessionEncryptionKey = _a.sent();
5478
+ sessionEncryptionKey = _b.sent();
5165
5479
  return [4 /*yield*/, this.lrGraphQL.lrMutate(new LrMutation({
5166
5480
  mutation: SetSessionEncryptionKeyMutation,
5167
5481
  variables: {
@@ -5173,9 +5487,9 @@
5173
5487
  includeKeyGraph: false,
5174
5488
  })];
5175
5489
  case 3:
5176
- _a.sent();
5490
+ _b.sent();
5177
5491
  this.persistService.setServerSessionEncryptionKey(sessionEncryptionKey);
5178
- _a.label = 4;
5492
+ _b.label = 4;
5179
5493
  case 4: return [2 /*return*/];
5180
5494
  }
5181
5495
  });
@@ -5183,45 +5497,72 @@
5183
5497
  };
5184
5498
  LifeReadyAuthService.prototype.handlePostAuth = function (cognitoUser) {
5185
5499
  return __awaiter(this, void 0, void 0, function () {
5186
- return __generator(this, function (_a) {
5187
- switch (_a.label) {
5500
+ return __generator(this, function (_b) {
5501
+ switch (_b.label) {
5188
5502
  case 0: return [4 /*yield*/, this.handlePasswordRecovery(cognitoUser)];
5189
5503
  case 1:
5190
- _a.sent();
5504
+ _b.sent();
5191
5505
  return [4 /*yield*/, this.handleSessionEncryptionKey()];
5192
5506
  case 2:
5193
- _a.sent();
5507
+ _b.sent();
5194
5508
  return [2 /*return*/];
5195
5509
  }
5196
5510
  });
5197
5511
  });
5198
5512
  };
5199
- LifeReadyAuthService.prototype.login = function (emailOrPhone, password) {
5513
+ LifeReadyAuthService.prototype.login = function (emailOrPhone, password, _b) {
5514
+ var _c = (_b === void 0 ? {} : _b).tpPasswordResetAutoComplete, tpPasswordResetAutoComplete = _c === void 0 ? true : _c;
5515
+ var _a;
5516
+ return __awaiter(this, void 0, void 0, function () {
5517
+ var loginResult;
5518
+ return __generator(this, function (_b) {
5519
+ switch (_b.label) {
5520
+ case 0: return [4 /*yield*/, this.loginImpl(emailOrPhone, password)];
5521
+ case 1:
5522
+ loginResult = _b.sent();
5523
+ if (!(tpPasswordResetAutoComplete &&
5524
+ ((_a = loginResult.resetUser) === null || _a === void 0 ? void 0 : _a.state) === TpClaimState.APPROVED)) return [3 /*break*/, 4];
5525
+ return [4 /*yield*/, this.completeRequest(password)];
5526
+ case 2:
5527
+ _b.sent();
5528
+ return [4 /*yield*/, this.loginImpl(emailOrPhone, password)];
5529
+ case 3:
5530
+ loginResult = _b.sent();
5531
+ _b.label = 4;
5532
+ case 4: return [2 /*return*/, loginResult];
5533
+ }
5534
+ });
5535
+ });
5536
+ };
5537
+ LifeReadyAuthService.prototype.loginImpl = function (emailOrPhone, password) {
5200
5538
  return __awaiter(this, void 0, void 0, function () {
5201
5539
  var cognitoUser, resetUser, user;
5202
- return __generator(this, function (_a) {
5203
- switch (_a.label) {
5204
- case 0: return [4 /*yield*/, this.loginIdp(emailOrPhone, password)];
5540
+ return __generator(this, function (_b) {
5541
+ switch (_b.label) {
5542
+ case 0: return [4 /*yield*/, this.logout()];
5205
5543
  case 1:
5206
- cognitoUser = _a.sent();
5544
+ _b.sent();
5545
+ return [4 /*yield*/, this.loginIdp(emailOrPhone, password)];
5546
+ case 2:
5547
+ cognitoUser = _b.sent();
5207
5548
  // todo: Meet MFA challenges.
5208
5549
  if (['SMS_MFA', 'SOFTWARE_TOKEN_MFA'].includes(cognitoUser.challengeName)) {
5209
5550
  return [2 /*return*/, { hasChallenge: true, challenge: cognitoUser }];
5210
5551
  }
5211
5552
  return [4 /*yield*/, this.handlePostAuth(cognitoUser)];
5212
- case 2:
5213
- _a.sent();
5214
- if (!cognitoUser.isTpPasswordResetUser) return [3 /*break*/, 4];
5215
- return [4 /*yield*/, this.loadResetUser(password)];
5216
5553
  case 3:
5217
- resetUser = _a.sent();
5554
+ _b.sent();
5555
+ if (!cognitoUser.isTpPasswordResetUser) return [3 /*break*/, 5];
5556
+ return [4 /*yield*/, this.loadResetUser(password)];
5557
+ case 4:
5558
+ resetUser = _b.sent();
5218
5559
  return [2 /*return*/, { hasChallenge: false, resetUser: resetUser }];
5219
- case 4: return [4 /*yield*/, this.loadUser(cognitoUser, password)];
5220
- case 5:
5221
- user = _a.sent();
5222
- return [4 /*yield*/, this.idleService.start()];
5560
+ case 5: return [4 /*yield*/, this.loadUser(cognitoUser, password)];
5223
5561
  case 6:
5224
- _a.sent(); // Run idleService whenever user is logged in.
5562
+ user = _b.sent();
5563
+ return [4 /*yield*/, this.idleService.start()];
5564
+ case 7:
5565
+ _b.sent(); // Run idleService whenever user is logged in.
5225
5566
  return [2 /*return*/, { hasChallenge: false, user: user }];
5226
5567
  }
5227
5568
  });
@@ -5231,20 +5572,20 @@
5231
5572
  LifeReadyAuthService.prototype.verifyLogin = function (challenge, password, rememberMe, code) {
5232
5573
  return __awaiter(this, void 0, void 0, function () {
5233
5574
  var cognitoUser, user;
5234
- return __generator(this, function (_a) {
5235
- switch (_a.label) {
5575
+ return __generator(this, function (_b) {
5576
+ switch (_b.label) {
5236
5577
  case 0: return [4 /*yield*/, this.auth.confirmSignIn(challenge, code, challenge.challengeName)];
5237
5578
  case 1:
5238
- _a.sent();
5579
+ _b.sent();
5239
5580
  return [4 /*yield*/, this.auth.currentAuthenticatedUser()];
5240
5581
  case 2:
5241
- cognitoUser = _a.sent();
5582
+ cognitoUser = _b.sent();
5242
5583
  return [4 /*yield*/, this.handlePostAuth(challenge)];
5243
5584
  case 3:
5244
- _a.sent();
5585
+ _b.sent();
5245
5586
  return [4 /*yield*/, this.loadUser(cognitoUser, password)];
5246
5587
  case 4:
5247
- user = _a.sent();
5588
+ user = _b.sent();
5248
5589
  if (rememberMe) {
5249
5590
  cognitoUser.setDeviceStatusRemembered({
5250
5591
  onSuccess: function () { },
@@ -5259,8 +5600,8 @@
5259
5600
  LifeReadyAuthService.prototype.handlePasswordRecovery = function (user) {
5260
5601
  return __awaiter(this, void 0, void 0, function () {
5261
5602
  var jwtToken;
5262
- return __generator(this, function (_a) {
5263
- switch (_a.label) {
5603
+ return __generator(this, function (_b) {
5604
+ switch (_b.label) {
5264
5605
  case 0:
5265
5606
  if (!(user.recoveryStatus !== exports.RecoveryStatus.NONE)) return [3 /*break*/, 2];
5266
5607
  jwtToken = user
@@ -5269,33 +5610,75 @@
5269
5610
  .getJwtToken();
5270
5611
  return [4 /*yield*/, this.passwordService.changePasswordComplete(jwtToken, user.recoveryStatus === exports.RecoveryStatus.NEW_PASSWORD)];
5271
5612
  case 1:
5272
- _a.sent();
5273
- _a.label = 2;
5613
+ _b.sent();
5614
+ _b.label = 2;
5274
5615
  case 2: return [2 /*return*/];
5275
5616
  }
5276
5617
  });
5277
5618
  });
5278
5619
  };
5279
- LifeReadyAuthService.prototype.getUser = function (reload) {
5620
+ LifeReadyAuthService.prototype.getUserOrResetUser = function (reload) {
5280
5621
  if (reload === void 0) { reload = false; }
5281
5622
  return __awaiter(this, void 0, void 0, function () {
5282
- var _a, _b;
5623
+ var cognitoUser;
5624
+ return __generator(this, function (_b) {
5625
+ switch (_b.label) {
5626
+ case 0: return [4 /*yield*/, this.auth.currentAuthenticatedUser()];
5627
+ case 1:
5628
+ cognitoUser = _b.sent();
5629
+ if (cognitoUser.getUsername().endsWith(TP_PASSWORD_RESET_USERNAME_SUFFIX)) {
5630
+ return [2 /*return*/, this.getResetUser(reload)];
5631
+ }
5632
+ else {
5633
+ return [2 /*return*/, this.getUser(reload)];
5634
+ }
5635
+ return [2 /*return*/];
5636
+ }
5637
+ });
5638
+ });
5639
+ };
5640
+ LifeReadyAuthService.prototype.getResetUser = function (reload) {
5641
+ if (reload === void 0) { reload = false; }
5642
+ return __awaiter(this, void 0, void 0, function () {
5643
+ var _b;
5283
5644
  return __generator(this, function (_c) {
5284
5645
  switch (_c.label) {
5646
+ case 0:
5647
+ if (!reload && this.currentResetUser) {
5648
+ return [2 /*return*/, this.currentResetUser];
5649
+ }
5650
+ _b = this;
5651
+ return [4 /*yield*/, this.loadResetUser()];
5652
+ case 1:
5653
+ _b.currentResetUser = _c.sent();
5654
+ return [4 /*yield*/, this.idleService.start()];
5655
+ case 2:
5656
+ _c.sent(); // Run idleService whenever user is logged in.
5657
+ return [2 /*return*/, this.currentResetUser];
5658
+ }
5659
+ });
5660
+ });
5661
+ };
5662
+ LifeReadyAuthService.prototype.getUser = function (reload) {
5663
+ if (reload === void 0) { reload = false; }
5664
+ return __awaiter(this, void 0, void 0, function () {
5665
+ var _b, _c;
5666
+ return __generator(this, function (_d) {
5667
+ switch (_d.label) {
5285
5668
  case 0:
5286
5669
  if (!reload && this.currentUser) {
5287
5670
  return [2 /*return*/, this.currentUser];
5288
5671
  }
5289
- _a = this;
5290
- _b = this.loadUser;
5672
+ _b = this;
5673
+ _c = this.loadUser;
5291
5674
  return [4 /*yield*/, this.auth.currentAuthenticatedUser()];
5292
- case 1: return [4 /*yield*/, _b.apply(this, [_c.sent()])];
5675
+ case 1: return [4 /*yield*/, _c.apply(this, [_d.sent()])];
5293
5676
  case 2:
5294
- _a.currentUser = _c.sent();
5677
+ _b.currentUser = _d.sent();
5295
5678
  console.log('Starting idle service.');
5296
5679
  return [4 /*yield*/, this.idleService.start()];
5297
5680
  case 3:
5298
- _c.sent(); // Run idleService whenever user is logged in.
5681
+ _d.sent(); // Run idleService whenever user is logged in.
5299
5682
  return [2 /*return*/, this.currentUser];
5300
5683
  }
5301
5684
  });
@@ -5308,35 +5691,35 @@
5308
5691
  };
5309
5692
  LifeReadyAuthService.prototype.loadUser = function (cognitoUser, password) {
5310
5693
  return __awaiter(this, void 0, void 0, function () {
5311
- var _a, currentUser, contactCard, userPlans, _b, _c, userAttributes, passKey, _d, _e, _f, _g, _h, _j;
5312
- return __generator(this, function (_k) {
5313
- switch (_k.label) {
5694
+ var _b, currentUser, contactCard, userPlans, _c, _d, userAttributes, passKey, _e, _f, _g, _h, _j, _k;
5695
+ return __generator(this, function (_l) {
5696
+ switch (_l.label) {
5314
5697
  case 0: return [4 /*yield*/, this.profileService.getCurrentUser()];
5315
5698
  case 1:
5316
- _a = _k.sent(), currentUser = _a.currentUser, contactCard = _a.contactCard, userPlans = _a.userPlans;
5699
+ _b = _l.sent(), currentUser = _b.currentUser, contactCard = _b.contactCard, userPlans = _b.userPlans;
5317
5700
  if (!currentUser.sessionEncryptionKey) return [3 /*break*/, 3];
5318
- _c = (_b = this.persistService).setServerSessionEncryptionKey;
5701
+ _d = (_c = this.persistService).setServerSessionEncryptionKey;
5319
5702
  return [4 /*yield*/, nodeJose.JWK.asKey(currentUser.sessionEncryptionKey)];
5320
5703
  case 2:
5321
- _c.apply(_b, [_k.sent()]);
5322
- _k.label = 3;
5704
+ _d.apply(_c, [_l.sent()]);
5705
+ _l.label = 3;
5323
5706
  case 3: return [4 /*yield*/, this.auth.userAttributes(cognitoUser)];
5324
5707
  case 4:
5325
- userAttributes = _k.sent();
5708
+ userAttributes = _l.sent();
5326
5709
  if (!password) return [3 /*break*/, 8];
5327
5710
  return [4 /*yield*/, this.keyFactory.derivePassKey(Object.assign({ password: password }, currentUser.currentUserKey.passKey.passKeyParams))];
5328
5711
  case 5:
5329
- passKey = (_k.sent()).jwk;
5330
- _e = (_d = this.idleService).persistMasterKey;
5712
+ passKey = (_l.sent()).jwk;
5713
+ _f = (_e = this.idleService).persistMasterKey;
5331
5714
  return [4 /*yield*/, this.keyGraphService.unwrapWithPassKey(currentUser.currentUserKey.passKey.id, passKey, currentUser.currentUserKey.masterKey.id)];
5332
- case 6: return [4 /*yield*/, _e.apply(_d, [_k.sent()])];
5715
+ case 6: return [4 /*yield*/, _f.apply(_e, [_l.sent()])];
5333
5716
  case 7:
5334
- _k.sent();
5335
- _k.label = 8;
5717
+ _l.sent();
5718
+ _l.label = 8;
5336
5719
  case 8: return [4 /*yield*/, this.keyGraphService.populateKeys(currentUser.currentUserKey)];
5337
5720
  case 9:
5338
- _k.sent();
5339
- _f = {
5721
+ _l.sent();
5722
+ _g = {
5340
5723
  id: currentUser.id,
5341
5724
  sub: this.getUserAttribute('sub', userAttributes),
5342
5725
  username: currentUser.username,
@@ -5348,16 +5731,16 @@
5348
5731
  phoneVerified: this.getUserAttribute('phone_number_verified', userAttributes) ===
5349
5732
  'true'
5350
5733
  };
5351
- _h = (_g = Object).assign;
5352
- _j = [{}];
5734
+ _j = (_h = Object).assign;
5735
+ _k = [{}];
5353
5736
  return [4 /*yield*/, this.profileService.decryptContactCard(contactCard)];
5354
- case 10: return [2 /*return*/, (_f.contactCard = _h.apply(_g, _j.concat([(_k.sent())])),
5355
- _f.userDelete = currentUser.userDelete,
5356
- _f.userPlans = userPlans,
5357
- _f.hasTPVaultAccess = this.mapTPVaultAccess(currentUser.features),
5358
- _f.features = currentUser.features,
5359
- _f.sessionEncryptionKey = currentUser.sessionEncryptionKey,
5360
- _f)];
5737
+ case 10: return [2 /*return*/, (_g.contactCard = _j.apply(_h, _k.concat([(_l.sent())])),
5738
+ _g.userDelete = currentUser.userDelete,
5739
+ _g.userPlans = userPlans,
5740
+ _g.hasTPVaultAccess = this.mapTPVaultAccess(currentUser.features),
5741
+ _g.features = currentUser.features,
5742
+ _g.sessionEncryptionKey = currentUser.sessionEncryptionKey,
5743
+ _g)];
5361
5744
  }
5362
5745
  });
5363
5746
  });
@@ -5367,15 +5750,15 @@
5367
5750
  };
5368
5751
  LifeReadyAuthService.prototype.logout = function () {
5369
5752
  return __awaiter(this, void 0, void 0, function () {
5370
- return __generator(this, function (_a) {
5371
- switch (_a.label) {
5753
+ return __generator(this, function (_b) {
5754
+ switch (_b.label) {
5372
5755
  case 0:
5373
5756
  this.currentUser = null;
5374
5757
  this.keyService.purgeKeys();
5375
5758
  this.keyGraphService.purgeKeys();
5376
5759
  return [4 /*yield*/, Promise.all([this.auth.signOut(), this.profileService.signOut()])];
5377
5760
  case 1:
5378
- _a.sent();
5761
+ _b.sent();
5379
5762
  return [2 /*return*/];
5380
5763
  }
5381
5764
  });
@@ -5387,31 +5770,31 @@
5387
5770
  };
5388
5771
  LifeReadyAuthService.prototype.loadResetUser = function (password) {
5389
5772
  return __awaiter(this, void 0, void 0, function () {
5390
- var resetUser, _a, _b, passKey, _c, _d, userAttributes, _e, _f, sub, _g, _h, _j, _k, _l;
5391
- return __generator(this, function (_m) {
5392
- switch (_m.label) {
5773
+ var resetUser, _b, _c, passKey, _d, _e, userAttributes, _f, _g, sub, _h, _j, _k, _l, _m;
5774
+ return __generator(this, function (_o) {
5775
+ switch (_o.label) {
5393
5776
  case 0: return [4 /*yield*/, this.lrGraphQL.query({
5394
5777
  query: TpPasswordResetUserQuery,
5395
5778
  })];
5396
5779
  case 1:
5397
- resetUser = (_m.sent()).tpPasswordResetUser;
5780
+ resetUser = (_o.sent()).tpPasswordResetUser;
5398
5781
  if (!resetUser.sessionEncryptionKey) return [3 /*break*/, 3];
5399
- _b = (_a = this.persistService).setServerSessionEncryptionKey;
5782
+ _c = (_b = this.persistService).setServerSessionEncryptionKey;
5400
5783
  return [4 /*yield*/, nodeJose.JWK.asKey(resetUser.sessionEncryptionKey)];
5401
5784
  case 2:
5402
- _b.apply(_a, [_m.sent()]);
5403
- _m.label = 3;
5785
+ _c.apply(_b, [_o.sent()]);
5786
+ _o.label = 3;
5404
5787
  case 3:
5405
5788
  if (!password) return [3 /*break*/, 7];
5406
5789
  return [4 /*yield*/, this.keyFactory.derivePassKey(Object.assign({ password: password }, resetUser.passKey.passKeyParams))];
5407
5790
  case 4:
5408
- passKey = (_m.sent()).jwk;
5409
- _d = (_c = this.idleService).persistMasterKey;
5791
+ passKey = (_o.sent()).jwk;
5792
+ _e = (_d = this.idleService).persistMasterKey;
5410
5793
  return [4 /*yield*/, this.keyGraphService.unwrapWithPassKey(resetUser.passKey.id, passKey, resetUser.masterKey.id)];
5411
- case 5: return [4 /*yield*/, _d.apply(_c, [_m.sent()])];
5794
+ case 5: return [4 /*yield*/, _e.apply(_d, [_o.sent()])];
5412
5795
  case 6:
5413
- _m.sent();
5414
- _m.label = 7;
5796
+ _o.sent();
5797
+ _o.label = 7;
5415
5798
  case 7:
5416
5799
  this.keyService.populateKeys({
5417
5800
  passKey: {
@@ -5421,17 +5804,17 @@
5421
5804
  id: resetUser.masterKey.id,
5422
5805
  },
5423
5806
  });
5424
- _f = (_e = this.auth).userAttributes;
5807
+ _g = (_f = this.auth).userAttributes;
5425
5808
  return [4 /*yield*/, this.auth.currentAuthenticatedUser()];
5426
- case 8: return [4 /*yield*/, _f.apply(_e, [_m.sent()])];
5809
+ case 8: return [4 /*yield*/, _g.apply(_f, [_o.sent()])];
5427
5810
  case 9:
5428
- userAttributes = _m.sent();
5811
+ userAttributes = _o.sent();
5429
5812
  sub = this.getUserAttribute('sub', userAttributes);
5430
- _h = (_g = Object).assign;
5431
- _k = (_j = Object).assign;
5432
- _l = [{}];
5813
+ _j = (_h = Object).assign;
5814
+ _l = (_k = Object).assign;
5815
+ _m = [{}];
5433
5816
  return [4 /*yield*/, this.tpPasswordResetProcessorService.processTpPasswordResetUserNode(resetUser)];
5434
- case 10: return [2 /*return*/, _h.apply(_g, [_k.apply(_j, _l.concat([(_m.sent())])), { sub: sub }])];
5817
+ case 10: return [2 /*return*/, _j.apply(_h, [_l.apply(_k, _m.concat([(_o.sent())])), { sub: sub }])];
5435
5818
  }
5436
5819
  });
5437
5820
  });
@@ -5439,11 +5822,11 @@
5439
5822
  LifeReadyAuthService.prototype.refreshAccessToken = function () {
5440
5823
  return __awaiter(this, void 0, void 0, function () {
5441
5824
  var cognitoUser, refreshToken;
5442
- return __generator(this, function (_a) {
5443
- switch (_a.label) {
5825
+ return __generator(this, function (_b) {
5826
+ switch (_b.label) {
5444
5827
  case 0: return [4 /*yield*/, this.auth.currentAuthenticatedUser()];
5445
5828
  case 1:
5446
- cognitoUser = _a.sent();
5829
+ cognitoUser = _b.sent();
5447
5830
  refreshToken = cognitoUser.getSignInUserSession().getRefreshToken();
5448
5831
  return [2 /*return*/, new Promise(function (resolve, reject) {
5449
5832
  cognitoUser.refreshSession(refreshToken, function (err, data) {
@@ -5456,14 +5839,175 @@
5456
5839
  resolve(0);
5457
5840
  }
5458
5841
  });
5459
- })];
5842
+ })];
5843
+ }
5844
+ });
5845
+ });
5846
+ };
5847
+ LifeReadyAuthService.prototype.completeRequest = function (newPassword) {
5848
+ return __awaiter(this, void 0, void 0, function () {
5849
+ var resetUser, assemblyKey, rootKey, rootKeyJwk, masterKey, masterKeyWrappedRootKey, newPassIdpResult, newIdpPassword, challenge, assemblyKeyVerifierPrk, signedChallenge, tempIdpPassword, retPromise, user;
5850
+ var _this = this;
5851
+ return __generator(this, function (_b) {
5852
+ switch (_b.label) {
5853
+ case 0: return [4 /*yield*/, this.getResetUser(true)];
5854
+ case 1:
5855
+ resetUser = _b.sent();
5856
+ if (resetUser.state !== TpClaimState.APPROVED) {
5857
+ throw new LrBadStateException('Password reset request has not been approved.');
5858
+ }
5859
+ return [4 /*yield*/, this.recoverAssemblyKey(resetUser)];
5860
+ case 2:
5861
+ assemblyKey = _b.sent();
5862
+ return [4 /*yield*/, this.encryptionService.decrypt(assemblyKey, resetUser.assemblyCipherData)];
5863
+ case 3:
5864
+ rootKey = (_b.sent()).rootKey;
5865
+ console.log(rootKey);
5866
+ return [4 /*yield*/, nodeJose.JWK.asKey(rootKey)];
5867
+ case 4:
5868
+ rootKeyJwk = _b.sent();
5869
+ return [4 /*yield*/, this.keyGraphService.getKey(resetUser.masterKey.id)];
5870
+ case 5:
5871
+ masterKey = _b.sent();
5872
+ return [4 /*yield*/, this.encryptionService.encryptToString(masterKey.jwk, rootKeyJwk.toJSON(true))];
5873
+ case 6:
5874
+ masterKeyWrappedRootKey = _b.sent();
5875
+ return [4 /*yield*/, this.keyFactory.derivePassIdp(Object.assign({ password: newPassword }, resetUser.passKey.passIdpParams))];
5876
+ case 7:
5877
+ newPassIdpResult = _b.sent();
5878
+ newIdpPassword = this.passwordService.getPassIdpString(newPassIdpResult.jwk);
5879
+ return [4 /*yield*/, this.lrGraphQL.lrMutate(new LrMutation({
5880
+ mutation: CreateTpAssemblyKeyChallengeMutation,
5881
+ variables: {
5882
+ input: {},
5883
+ },
5884
+ }), {
5885
+ includeKeyGraph: false,
5886
+ })];
5887
+ case 8:
5888
+ challenge = (_b.sent()).createTpAssemblyKeyChallenge.challenge;
5889
+ console.log(challenge);
5890
+ // Sign the challenge
5891
+ // Generate a client side nonce that's no in the server's control.
5892
+ challenge.clientNonce = this.keyFactory.randomString(TP_PASSWORD_RESET_CLIENT_NONCE_LENGTH);
5893
+ console.log(challenge);
5894
+ return [4 /*yield*/, this.encryptionService.decrypt(assemblyKey, resetUser.wrappedAssemblyKeyVerifierPrk)];
5895
+ case 9:
5896
+ assemblyKeyVerifierPrk = _b.sent();
5897
+ return [4 /*yield*/, this.encryptionService.sign(assemblyKeyVerifierPrk, challenge)];
5898
+ case 10:
5899
+ signedChallenge = _b.sent();
5900
+ return [4 /*yield*/, this.lrGraphQL.lrMutate(new LrMutation({
5901
+ mutation: PreCompleteTpPasswordResetRequestMutation,
5902
+ variables: {
5903
+ input: {
5904
+ signedChallenge: JSON.stringify(signedChallenge),
5905
+ },
5906
+ },
5907
+ }), {
5908
+ includeKeyGraph: false,
5909
+ })];
5910
+ case 11:
5911
+ tempIdpPassword = (_b.sent()).preCompleteTpPasswordResetRequest.idpPassword;
5912
+ retPromise = new Promise(function (resolve) {
5913
+ var listener = function (data) { return __awaiter(_this, void 0, void 0, function () {
5914
+ return __generator(this, function (_b) {
5915
+ switch (_b.label) {
5916
+ case 0:
5917
+ if (data.payload.event !== 'signIn') {
5918
+ return [2 /*return*/];
5919
+ }
5920
+ core$1.Hub.remove('auth', listener);
5921
+ console.log(data.payload);
5922
+ return [4 /*yield*/, this.auth.signIn(resetUser.username, newIdpPassword)];
5923
+ case 1:
5924
+ _b.sent();
5925
+ // Switch over to the new set of keys
5926
+ return [4 /*yield*/, this.lrGraphQL.lrMutate(new LrMutation({
5927
+ mutation: CompleteTpPasswordResetRequestMutation,
5928
+ variables: {
5929
+ input: {
5930
+ masterKeyWrappedRootKey: masterKeyWrappedRootKey,
5931
+ masterKeyId: masterKey.id,
5932
+ },
5933
+ },
5934
+ }))];
5935
+ case 2:
5936
+ // Switch over to the new set of keys
5937
+ _b.sent();
5938
+ resolve();
5939
+ return [2 /*return*/];
5940
+ }
5941
+ });
5942
+ }); };
5943
+ core$1.Hub.listen('auth', listener);
5944
+ });
5945
+ return [4 /*yield*/, this.auth.signIn(resetUser.username, tempIdpPassword, {
5946
+ noProxy: 'true',
5947
+ })];
5948
+ case 12:
5949
+ user = _b.sent();
5950
+ if (user.challengeName !== 'NEW_PASSWORD_REQUIRED') {
5951
+ throw new LrException({
5952
+ message: 'Internal error. Expecting Cognito to have done a password reset after call to PreCompleteTpPasswordResetRequestMutation.',
5953
+ });
5954
+ }
5955
+ return [4 /*yield*/, this.auth.completeNewPassword(user, newIdpPassword, {})];
5956
+ case 13:
5957
+ // Set new password on Idp
5958
+ // the awsFetch() function passes NEW_PASSWORD_REQUIRED directly to AWS without
5959
+ // going through the proxy.
5960
+ user = _b.sent();
5961
+ return [2 /*return*/, retPromise];
5962
+ }
5963
+ });
5964
+ });
5965
+ };
5966
+ LifeReadyAuthService.prototype.recoverAssemblyKey = function (resetUser) {
5967
+ return __awaiter(this, void 0, void 0, function () {
5968
+ var assemblyKeyParams, prk, shares, rawAssemblyKey;
5969
+ var _this = this;
5970
+ return __generator(this, function (_b) {
5971
+ switch (_b.label) {
5972
+ case 0: return [4 /*yield*/, this.keyGraphService.getKey(resetUser.pxk.id)];
5973
+ case 1:
5974
+ prk = _b.sent();
5975
+ return [4 /*yield*/, Promise.all(resetUser.approvals
5976
+ .filter(function (approval) { return !!approval.receiverCipherPartialAssemblyKey; })
5977
+ .map(function (approval) { return __awaiter(_this, void 0, void 0, function () {
5978
+ var partialAssemblyKey;
5979
+ return __generator(this, function (_b) {
5980
+ switch (_b.label) {
5981
+ case 0: return [4 /*yield*/, this.encryptionService.decrypt(prk, approval.receiverCipherPartialAssemblyKey)];
5982
+ case 1:
5983
+ partialAssemblyKey = _b.sent();
5984
+ if (assemblyKeyParams) {
5985
+ if (JSON.stringify(assemblyKeyParams) !==
5986
+ JSON.stringify(partialAssemblyKey.assemblyKeyParams)) {
5987
+ throw new LrBadStateException('The assembly key parameters are different between the approvals.');
5988
+ }
5989
+ }
5990
+ else {
5991
+ assemblyKeyParams = partialAssemblyKey.assemblyKeyParams;
5992
+ }
5993
+ return [2 /*return*/, partialAssemblyKey.slip39.share.mnemonics];
5994
+ }
5995
+ });
5996
+ }); }))];
5997
+ case 2:
5998
+ shares = _b.sent();
5999
+ console.log('recoverAssemblyKey()', shares);
6000
+ return [4 /*yield*/, this.slip39Service.recoverSecret(shares, TP_PASSWORD_RESET_SLIP39_PASSPHRASE)];
6001
+ case 3:
6002
+ rawAssemblyKey = _b.sent();
6003
+ return [2 /*return*/, nodeJose.JWK.asKey(Object.assign(Object.assign({}, assemblyKeyParams), { k: rawAssemblyKey }))];
5460
6004
  }
5461
6005
  });
5462
6006
  });
5463
6007
  };
5464
6008
  return LifeReadyAuthService;
5465
6009
  }());
5466
- LifeReadyAuthService.ɵprov = i0.ɵɵdefineInjectable({ factory: function LifeReadyAuthService_Factory() { return new LifeReadyAuthService(i0.ɵɵinject(LR_CONFIG), i0.ɵɵinject(i4.AuthClass), i0.ɵɵinject(KeyFactoryService), i0.ɵɵinject(KeyService), i0.ɵɵinject(ProfileService), i0.ɵɵinject(KeyGraphService), i0.ɵɵinject(PasswordService), i0.ɵɵinject(IdleService), i0.ɵɵinject(exports.ɵb), i0.ɵɵinject(exports.ɵc), i0.ɵɵinject(PersistService)); }, token: LifeReadyAuthService, providedIn: "root" });
6010
+ LifeReadyAuthService.ɵprov = i0.ɵɵdefineInjectable({ factory: function LifeReadyAuthService_Factory() { return new LifeReadyAuthService(i0.ɵɵinject(LR_CONFIG), i0.ɵɵinject(i4.AuthClass), i0.ɵɵinject(KeyFactoryService), i0.ɵɵinject(KeyService), i0.ɵɵinject(ProfileService), i0.ɵɵinject(KeyGraphService), i0.ɵɵinject(PasswordService), i0.ɵɵinject(IdleService), i0.ɵɵinject(exports.ɵb), i0.ɵɵinject(exports.ɵc), i0.ɵɵinject(PersistService), i0.ɵɵinject(EncryptionService), i0.ɵɵinject(Slip39Service)); }, token: LifeReadyAuthService, providedIn: "root" });
5467
6011
  LifeReadyAuthService.decorators = [
5468
6012
  { type: i0.Injectable, args: [{
5469
6013
  providedIn: 'root',
@@ -5480,7 +6024,9 @@
5480
6024
  { type: IdleService },
5481
6025
  { type: exports.ɵb },
5482
6026
  { type: exports.ɵc },
5483
- { type: PersistService }
6027
+ { type: PersistService },
6028
+ { type: EncryptionService },
6029
+ { type: Slip39Service }
5484
6030
  ]; };
5485
6031
 
5486
6032
  var FileService = /** @class */ (function () {
@@ -7313,257 +7859,33 @@
7313
7859
  });
7314
7860
  });
7315
7861
  };
7316
- TwoFactorService.prototype.verifySoftwareToken = function (totpCode) {
7317
- return __awaiter(this, void 0, void 0, function () {
7318
- var cognitoUser;
7319
- return __generator(this, function (_a) {
7320
- switch (_a.label) {
7321
- case 0: return [4 /*yield*/, this.auth.currentAuthenticatedUser()];
7322
- case 1:
7323
- cognitoUser = _a.sent();
7324
- return [4 /*yield*/, this.auth.verifyTotpToken(cognitoUser, totpCode)];
7325
- case 2:
7326
- _a.sent();
7327
- return [2 /*return*/];
7328
- }
7329
- });
7330
- });
7331
- };
7332
- return TwoFactorService;
7333
- }());
7334
- TwoFactorService.ɵprov = i0.ɵɵdefineInjectable({ factory: function TwoFactorService_Factory() { return new TwoFactorService(i0.ɵɵinject(i4.AuthClass)); }, token: TwoFactorService, providedIn: "root" });
7335
- TwoFactorService.decorators = [
7336
- { type: i0.Injectable, args: [{
7337
- providedIn: 'root',
7338
- },] }
7339
- ];
7340
- TwoFactorService.ctorParameters = function () { return [
7341
- { type: i4.AuthClass }
7342
- ]; };
7343
-
7344
- var SecretShare = /** @class */ (function () {
7345
- function SecretShare(assembly, subAssembly, mnemonics) {
7346
- if (assembly === void 0) { assembly = 0; }
7347
- if (subAssembly === void 0) { subAssembly = 0; }
7348
- if (mnemonics === void 0) { mnemonics = ''; }
7349
- this.assembly = assembly;
7350
- this.subAssembly = subAssembly;
7351
- this.mnemonics = mnemonics;
7352
- }
7353
- return SecretShare;
7354
- }());
7355
- var SubAssembly = /** @class */ (function () {
7356
- function SubAssembly(index, threshold, size) {
7357
- if (threshold === void 0) { threshold = 0; }
7358
- if (size === void 0) { size = 0; }
7359
- this.index = index;
7360
- this.threshold = threshold;
7361
- this.size = size;
7362
- this.clearShares();
7363
- }
7364
- SubAssembly.prototype.clearShares = function () {
7365
- this.shares = Array();
7366
- };
7367
- SubAssembly.prototype.addShare = function (share) {
7368
- this.shares.push(share);
7369
- };
7370
- return SubAssembly;
7371
- }());
7372
- var Assembly = /** @class */ (function () {
7373
- function Assembly(threshold) {
7374
- if (threshold === void 0) { threshold = 0; }
7375
- this.threshold = threshold;
7376
- this.clearSubAssemblies();
7377
- }
7378
- Assembly.prototype.size = function () {
7379
- return this.subAssemblies.length;
7380
- };
7381
- Assembly.prototype.clearSubAssemblies = function () {
7382
- this.subAssemblies = new Array();
7383
- };
7384
- Assembly.prototype.addSubAssembly = function (subAssembly) {
7385
- this.subAssemblies.push(subAssembly);
7386
- };
7387
- return Assembly;
7388
- }());
7389
- var SubQuorum = /** @class */ (function () {
7390
- function SubQuorum(subAssemblyIndex) {
7391
- this.subAssemblyIndex = subAssemblyIndex;
7392
- this.clearShares();
7393
- }
7394
- SubQuorum.prototype.clearShares = function () {
7395
- this.shares = new Array();
7396
- };
7397
- SubQuorum.prototype.addShare = function (share) {
7398
- this.shares.push(share);
7399
- };
7400
- return SubQuorum;
7401
- }());
7402
- var Quorum = /** @class */ (function () {
7403
- function Quorum() {
7404
- this.clearSubQuora();
7405
- }
7406
- Quorum.prototype.clearSubQuora = function () {
7407
- this.subQuora = new Array();
7408
- };
7409
- Quorum.prototype.addSubQuorum = function (subQuorum) {
7410
- this.subQuora.push(subQuorum);
7411
- };
7412
- Quorum.prototype.serialiseShares = function () {
7413
- var shares = [];
7414
- this.subQuora.forEach(function (subQuorum) {
7415
- shares = shares.concat(subQuorum.shares);
7416
- });
7417
- return shares;
7418
- };
7419
- return Quorum;
7420
- }());
7421
- var Slip39Service = /** @class */ (function () {
7422
- function Slip39Service() {
7423
- }
7424
- Slip39Service.prototype.generateShares = function (secret, passphrase, assembly) {
7425
- return __awaiter(this, void 0, void 0, function () {
7426
- var ems, groups, _a, _b, sa, slip;
7427
- var e_1, _c;
7428
- return __generator(this, function (_d) {
7429
- switch (_d.label) {
7430
- case 0:
7431
- ems = btoa(secret);
7432
- ems = slip39.Slip39Helper.slip39EncodeHex(ems);
7433
- groups = [];
7434
- try {
7435
- for (_a = __values(assembly.subAssemblies), _b = _a.next(); !_b.done; _b = _a.next()) {
7436
- sa = _b.value;
7437
- groups.push([sa.threshold, sa.size]);
7438
- }
7439
- }
7440
- catch (e_1_1) { e_1 = { error: e_1_1 }; }
7441
- finally {
7442
- try {
7443
- if (_b && !_b.done && (_c = _a.return)) _c.call(_a);
7444
- }
7445
- finally { if (e_1) throw e_1.error; }
7446
- }
7447
- return [4 /*yield*/, slip39.Slip39.fromArray(ems, {
7448
- passphrase: passphrase,
7449
- threshold: assembly.threshold,
7450
- groups: groups,
7451
- title: '',
7452
- })];
7453
- case 1:
7454
- slip = _d.sent();
7455
- // Extract shares
7456
- assembly.subAssemblies.forEach(function (sa, isa) {
7457
- // Remove any existing shares
7458
- sa.clearShares();
7459
- for (var im = 0; im < sa.size; im++) {
7460
- // Construct the path to the share, formatted as "r/<subassembly index>/<member index>"
7461
- // with <subassembly index> and <member index> being two-digit, zero-padded integers.
7462
- var path = 'r/' +
7463
- isa.toString().padStart(2, '0') +
7464
- '/' +
7465
- im.toString().padStart(2, '0');
7466
- var mnemonics = slip.fromPath(path).mnemonics[0];
7467
- var share = new SecretShare(isa, im, mnemonics);
7468
- sa.addShare(share);
7469
- }
7470
- });
7471
- return [2 /*return*/];
7472
- }
7473
- });
7474
- });
7475
- };
7476
- // Remove all redundant shares. i.e. keep only enough members and groups to satisfy the thresholds.
7477
- Slip39Service.prototype.minimalSet = function (mnemonics) {
7478
- var e_2, _a, e_3, _b;
7479
- // Decode the mnemonics and sort then into groups.
7480
- var groupThresh = null;
7481
- var groups = new Map();
7482
- try {
7483
- for (var mnemonics_1 = __values(mnemonics), mnemonics_1_1 = mnemonics_1.next(); !mnemonics_1_1.done; mnemonics_1_1 = mnemonics_1.next()) {
7484
- var mnemonic = mnemonics_1_1.value;
7485
- var decoded = slip39.Slip39Helper.decodeMnemonic(mnemonic);
7486
- if (groupThresh && groupThresh !== decoded.groupThreshold) {
7487
- throw new Error('groupThreshold is different in mnemonics');
7488
- }
7489
- groupThresh = decoded.groupThreshold;
7490
- // Note that Slip39.recoverSecret() will do all the error checking again. So it's not critical
7491
- // that we error check here. So we just optimistically assume it's all good.
7492
- var g = groups.get(decoded.groupIndex);
7493
- if (g == null) {
7494
- g = {
7495
- memberThreshold: decoded.memberThreshold,
7496
- members: [],
7497
- };
7498
- groups.set(decoded.groupIndex, g);
7499
- }
7500
- g.members.push({
7501
- mnemonic: mnemonic,
7502
- decoded: decoded,
7503
- });
7504
- }
7505
- }
7506
- catch (e_2_1) { e_2 = { error: e_2_1 }; }
7507
- finally {
7508
- try {
7509
- if (mnemonics_1_1 && !mnemonics_1_1.done && (_a = mnemonics_1.return)) _a.call(mnemonics_1);
7510
- }
7511
- finally { if (e_2) throw e_2.error; }
7512
- }
7513
- // Keep the minimum set of groups that meet threshold.
7514
- var mnemonicsMinSet = [];
7515
- var groupCount = 0;
7516
- try {
7517
- for (var _c = __values(groups.values()), _d = _c.next(); !_d.done; _d = _c.next()) {
7518
- var g = _d.value;
7519
- // Keep only groups that meet threshold
7520
- if (g.members.length < g.memberThreshold) {
7521
- continue;
7522
- }
7523
- // Keep minimum number of approvals needed for group
7524
- g.members.slice(0, g.memberThreshold).forEach(function (member) {
7525
- mnemonicsMinSet.push(member.mnemonic);
7526
- });
7527
- ++groupCount;
7528
- if (groupCount >= groupThresh) {
7529
- break;
7530
- }
7531
- }
7532
- }
7533
- catch (e_3_1) { e_3 = { error: e_3_1 }; }
7534
- finally {
7535
- try {
7536
- if (_d && !_d.done && (_b = _c.return)) _b.call(_c);
7537
- }
7538
- finally { if (e_3) throw e_3.error; }
7539
- }
7540
- return mnemonicsMinSet;
7541
- };
7542
- Slip39Service.prototype.recoverSecret = function (shares, passphrase) {
7862
+ TwoFactorService.prototype.verifySoftwareToken = function (totpCode) {
7543
7863
  return __awaiter(this, void 0, void 0, function () {
7544
- var recovered, secret;
7864
+ var cognitoUser;
7545
7865
  return __generator(this, function (_a) {
7546
7866
  switch (_a.label) {
7547
- case 0:
7548
- shares = this.minimalSet(shares);
7549
- return [4 /*yield*/, slip39.Slip39.recoverSecret(shares, passphrase)];
7867
+ case 0: return [4 /*yield*/, this.auth.currentAuthenticatedUser()];
7550
7868
  case 1:
7551
- recovered = _a.sent();
7552
- secret = slip39.Slip39Helper.slip39DecodeHex(recovered);
7553
- return [2 /*return*/, atob(secret)];
7869
+ cognitoUser = _a.sent();
7870
+ return [4 /*yield*/, this.auth.verifyTotpToken(cognitoUser, totpCode)];
7871
+ case 2:
7872
+ _a.sent();
7873
+ return [2 /*return*/];
7554
7874
  }
7555
7875
  });
7556
7876
  });
7557
7877
  };
7558
- return Slip39Service;
7878
+ return TwoFactorService;
7559
7879
  }());
7560
- Slip39Service.ɵprov = i0.ɵɵdefineInjectable({ factory: function Slip39Service_Factory() { return new Slip39Service(); }, token: Slip39Service, providedIn: "root" });
7561
- Slip39Service.decorators = [
7880
+ TwoFactorService.ɵprov = i0.ɵɵdefineInjectable({ factory: function TwoFactorService_Factory() { return new TwoFactorService(i0.ɵɵinject(i4.AuthClass)); }, token: TwoFactorService, providedIn: "root" });
7881
+ TwoFactorService.decorators = [
7562
7882
  { type: i0.Injectable, args: [{
7563
7883
  providedIn: 'root',
7564
7884
  },] }
7565
7885
  ];
7566
- Slip39Service.ctorParameters = function () { return []; };
7886
+ TwoFactorService.ctorParameters = function () { return [
7887
+ { type: i4.AuthClass }
7888
+ ]; };
7567
7889
 
7568
7890
  (function (FileType) {
7569
7891
  FileType["RecordContent"] = "record-content";
@@ -14625,7 +14947,6 @@
14625
14947
  })
14626
14948
  ], exports.TrustedParty2Service);
14627
14949
 
14628
- var TpPasswordResetService_1;
14629
14950
  var CreateSubAssembliesInput = /** @class */ (function () {
14630
14951
  function CreateSubAssembliesInput() {
14631
14952
  }
@@ -14650,7 +14971,7 @@
14650
14971
  }
14651
14972
  return UpdateTpPasswordResetInput;
14652
14973
  }(CreateTpPasswordResetInput));
14653
- exports.TpPasswordResetService = TpPasswordResetService_1 = /** @class */ (function (_super) {
14974
+ exports.TpPasswordResetService = /** @class */ (function (_super) {
14654
14975
  __extends(TpPasswordResetService, _super);
14655
14976
  function TpPasswordResetService(ngZone, injector, keyService, keyFactory, encryptionService, keyGraph, slip39Service) {
14656
14977
  var _this = _super.call(this, injector) || this;
@@ -14919,7 +15240,7 @@
14919
15240
  }
14920
15241
  slipAssembly.addSubAssembly(new SubAssembly(index, sa.quorum, approverCount));
14921
15242
  });
14922
- return [4 /*yield*/, this.slip39Service.generateShares(rawAssemblyKey, TpPasswordResetService_1.SLIP39_PASSPHRASE, slipAssembly)];
15243
+ return [4 /*yield*/, this.slip39Service.generateShares(rawAssemblyKey, TP_PASSWORD_RESET_SLIP39_PASSPHRASE, slipAssembly)];
14923
15244
  case 1:
14924
15245
  _b.sent();
14925
15246
  return [2 /*return*/, slipAssembly];
@@ -15025,7 +15346,6 @@
15025
15346
  };
15026
15347
  return TpPasswordResetService;
15027
15348
  }(LrService));
15028
- exports.TpPasswordResetService.SLIP39_PASSPHRASE = 'lifeready';
15029
15349
  exports.TpPasswordResetService.ɵprov = i0.ɵɵdefineInjectable({ factory: function TpPasswordResetService_Factory() { return new exports.TpPasswordResetService(i0.ɵɵinject(i0.NgZone), i0.ɵɵinject(i0.INJECTOR), i0.ɵɵinject(KeyService), i0.ɵɵinject(KeyFactoryService), i0.ɵɵinject(EncryptionService), i0.ɵɵinject(KeyGraphService), i0.ɵɵinject(Slip39Service)); }, token: exports.TpPasswordResetService, providedIn: "root" });
15030
15350
  exports.TpPasswordResetService.decorators = [
15031
15351
  { type: i0.Injectable, args: [{
@@ -15041,90 +15361,12 @@
15041
15361
  { type: KeyGraphService },
15042
15362
  { type: Slip39Service }
15043
15363
  ]; };
15044
- exports.TpPasswordResetService = TpPasswordResetService_1 = __decorate([
15364
+ exports.TpPasswordResetService = __decorate([
15045
15365
  RunOutsideAngular({
15046
15366
  ngZoneName: 'ngZone',
15047
15367
  })
15048
15368
  ], exports.TpPasswordResetService);
15049
15369
 
15050
- // ------------------------------------------------------
15051
- // Basic types
15052
- // ------------------------------------------------------
15053
- // These types map directory to types of the same name in graphql.
15054
- // We use these aliases in case in the future we wish to reify the types and do
15055
- // additional automated conversion.
15056
-
15057
- var AccessRoleChoice;
15058
- (function (AccessRoleChoice) {
15059
- AccessRoleChoice["READER"] = "READER";
15060
- AccessRoleChoice["WRITER"] = "WRITER";
15061
- AccessRoleChoice["ADMIN"] = "ADMIN";
15062
- AccessRoleChoice["DENY"] = "DENY";
15063
- AccessRoleChoice["OWNER"] = "OWNER";
15064
- })(AccessRoleChoice || (AccessRoleChoice = {}));
15065
- var AccessRoleMethod;
15066
- (function (AccessRoleMethod) {
15067
- AccessRoleMethod["inherited"] = "inherited";
15068
- AccessRoleMethod["direct"] = "direct";
15069
- })(AccessRoleMethod || (AccessRoleMethod = {}));
15070
- var FileVersionOperation;
15071
- (function (FileVersionOperation) {
15072
- FileVersionOperation["CREATE"] = "CREATE";
15073
- FileVersionOperation["READ"] = "READ";
15074
- FileVersionOperation["UPDATE"] = "UPDATE";
15075
- FileVersionOperation["REVERT"] = "REVERT";
15076
- FileVersionOperation["DELETE"] = "DELETE";
15077
- })(FileVersionOperation || (FileVersionOperation = {}));
15078
- var KeyExchangeOtkState;
15079
- (function (KeyExchangeOtkState) {
15080
- KeyExchangeOtkState["OTK_INITIATED"] = "OTK_INITIATED";
15081
- KeyExchangeOtkState["OTK_ACCEPTED"] = "OTK_ACCEPTED";
15082
- KeyExchangeOtkState["OTK_COMPLETED"] = "OTK_COMPLETED";
15083
- })(KeyExchangeOtkState || (KeyExchangeOtkState = {}));
15084
- var KeyExchangeState;
15085
- (function (KeyExchangeState) {
15086
- KeyExchangeState["IN_PROGRESS"] = "IN_PROGRESS";
15087
- KeyExchangeState["COMPLETED"] = "COMPLETED";
15088
- KeyExchangeState["DECLINED"] = "DECLINED";
15089
- KeyExchangeState["CANCELLED"] = "CANCELLED";
15090
- KeyExchangeState["DELETED"] = "DELETED";
15091
- })(KeyExchangeState || (KeyExchangeState = {}));
15092
- var KeyExchangeMode;
15093
- (function (KeyExchangeMode) {
15094
- KeyExchangeMode["OTK"] = "OTK";
15095
- })(KeyExchangeMode || (KeyExchangeMode = {}));
15096
- var TpAssemblyState;
15097
- (function (TpAssemblyState) {
15098
- TpAssemblyState["DISABLED"] = "DISABLED";
15099
- TpAssemblyState["ENABLED"] = "ENABLED";
15100
- TpAssemblyState["CLAIMED"] = "CLAIMED";
15101
- TpAssemblyState["APPROVED"] = "APPROVED";
15102
- TpAssemblyState["REJECTED"] = "REJECTED";
15103
- TpAssemblyState["EXPIRED"] = "EXPIRED";
15104
- TpAssemblyState["CANCELLED"] = "CANCELLED";
15105
- TpAssemblyState["RESET"] = "RESET";
15106
- })(TpAssemblyState || (TpAssemblyState = {}));
15107
- var TpClaimState;
15108
- (function (TpClaimState) {
15109
- TpClaimState["CLAIMED"] = "CLAIMED";
15110
- TpClaimState["APPROVED"] = "APPROVED";
15111
- TpClaimState["REJECTED"] = "REJECTED";
15112
- TpClaimState["EXPIRED"] = "EXPIRED";
15113
- TpClaimState["CANCELLED"] = "CANCELLED";
15114
- TpClaimState["RESET"] = "RESET";
15115
- })(TpClaimState || (TpClaimState = {}));
15116
- var TpClaimApproverState;
15117
- (function (TpClaimApproverState) {
15118
- TpClaimApproverState["CLAIMED"] = "CLAIMED";
15119
- TpClaimApproverState["APPROVED"] = "APPROVED";
15120
- TpClaimApproverState["REJECTED"] = "REJECTED";
15121
- })(TpClaimApproverState || (TpClaimApproverState = {}));
15122
- var LockState;
15123
- (function (LockState) {
15124
- LockState["UNLOCKED"] = "UNLOCKED";
15125
- LockState["MUTEX_LOCKED"] = "MUTEX_LOCKED";
15126
- })(LockState || (LockState = {}));
15127
-
15128
15370
  exports.TpPasswordResetUserService = /** @class */ (function (_super) {
15129
15371
  __extends(TpPasswordResetUserService, _super);
15130
15372
  function TpPasswordResetUserService(ngZone, injector, config, keyFactory, encryptionService, keyGraphService, slip39Service, passwordService, http, auth, lrAuth) {
@@ -15140,7 +15382,6 @@
15140
15382
  _this.http = http;
15141
15383
  _this.auth = auth;
15142
15384
  _this.lrAuth = lrAuth;
15143
- _this.CLIENT_NONCE_LENGTH = 32;
15144
15385
  return _this;
15145
15386
  }
15146
15387
  TpPasswordResetUserService.prototype.verifyEmailContact = function (email) {
@@ -15232,184 +15473,6 @@
15232
15473
  });
15233
15474
  });
15234
15475
  };
15235
- TpPasswordResetUserService.prototype.getResetUser = function (reload) {
15236
- if (reload === void 0) { reload = false; }
15237
- return __awaiter(this, void 0, void 0, function () {
15238
- var _a;
15239
- return __generator(this, function (_b) {
15240
- switch (_b.label) {
15241
- case 0:
15242
- if (!reload && this.resetUser) {
15243
- return [2 /*return*/, this.resetUser];
15244
- }
15245
- _a = this;
15246
- return [4 /*yield*/, this.lrAuth.loadResetUser()];
15247
- case 1:
15248
- _a.resetUser = _b.sent();
15249
- return [2 /*return*/, this.resetUser];
15250
- }
15251
- });
15252
- });
15253
- };
15254
- TpPasswordResetUserService.prototype.recoverAssemblyKey = function (resetUser) {
15255
- return __awaiter(this, void 0, void 0, function () {
15256
- var assemblyKeyParams, prk, shares, rawAssemblyKey;
15257
- var _this = this;
15258
- return __generator(this, function (_a) {
15259
- switch (_a.label) {
15260
- case 0: return [4 /*yield*/, this.keyGraphService.getKey(resetUser.pxk.id)];
15261
- case 1:
15262
- prk = _a.sent();
15263
- return [4 /*yield*/, Promise.all(resetUser.approvals.map(function (approval) { return __awaiter(_this, void 0, void 0, function () {
15264
- var partialAssemblyKey;
15265
- return __generator(this, function (_a) {
15266
- switch (_a.label) {
15267
- case 0: return [4 /*yield*/, this.encryptionService.decrypt(prk, approval.receiverCipherPartialAssemblyKey)];
15268
- case 1:
15269
- partialAssemblyKey = _a.sent();
15270
- if (assemblyKeyParams) {
15271
- if (JSON.stringify(assemblyKeyParams) !==
15272
- JSON.stringify(partialAssemblyKey.assemblyKeyParams)) {
15273
- throw new LrBadStateException('The assembly key parameters are different between the approvals.');
15274
- }
15275
- }
15276
- else {
15277
- assemblyKeyParams = partialAssemblyKey.assemblyKeyParams;
15278
- }
15279
- return [2 /*return*/, partialAssemblyKey.slip39.share.mnemonics];
15280
- }
15281
- });
15282
- }); }))];
15283
- case 2:
15284
- shares = _a.sent();
15285
- console.log('recoverAssemblyKey()', shares);
15286
- return [4 /*yield*/, this.slip39Service.recoverSecret(shares, exports.TpPasswordResetService.SLIP39_PASSPHRASE)];
15287
- case 3:
15288
- rawAssemblyKey = _a.sent();
15289
- return [2 /*return*/, nodeJose.JWK.asKey(Object.assign(Object.assign({}, assemblyKeyParams), { k: rawAssemblyKey }))];
15290
- }
15291
- });
15292
- });
15293
- };
15294
- TpPasswordResetUserService.prototype.completeRequest = function (newPassword) {
15295
- return __awaiter(this, void 0, void 0, function () {
15296
- var resetUser, assemblyKey, rootKey, rootKeyJwk, masterKey, masterKeyWrappedRootKey, newPassIdpResult, newIdpPassword, challenge, assemblyKeyVerifierPrk, signedChallenge, tempIdpPassword, retPromise, user;
15297
- var _this = this;
15298
- return __generator(this, function (_a) {
15299
- switch (_a.label) {
15300
- case 0: return [4 /*yield*/, this.getResetUser(true)];
15301
- case 1:
15302
- resetUser = _a.sent();
15303
- if (resetUser.state !== TpClaimState.APPROVED) {
15304
- throw new LrBadStateException('Password reset request has not been approved.');
15305
- }
15306
- return [4 /*yield*/, this.recoverAssemblyKey(resetUser)];
15307
- case 2:
15308
- assemblyKey = _a.sent();
15309
- return [4 /*yield*/, this.encryptionService.decrypt(assemblyKey, resetUser.assemblyCipherData)];
15310
- case 3:
15311
- rootKey = (_a.sent()).rootKey;
15312
- console.log(rootKey);
15313
- return [4 /*yield*/, nodeJose.JWK.asKey(rootKey)];
15314
- case 4:
15315
- rootKeyJwk = _a.sent();
15316
- return [4 /*yield*/, this.keyGraphService.getKey(resetUser.masterKey.id)];
15317
- case 5:
15318
- masterKey = _a.sent();
15319
- return [4 /*yield*/, this.encryptionService.encryptToString(masterKey.jwk, rootKeyJwk.toJSON(true))];
15320
- case 6:
15321
- masterKeyWrappedRootKey = _a.sent();
15322
- return [4 /*yield*/, this.keyFactory.derivePassIdp(Object.assign({ password: newPassword }, resetUser.passKey.passIdpParams))];
15323
- case 7:
15324
- newPassIdpResult = _a.sent();
15325
- newIdpPassword = this.passwordService.getPassIdpString(newPassIdpResult.jwk);
15326
- return [4 /*yield*/, this.mutate(new LrMutation({
15327
- mutation: CreateTpAssemblyKeyChallengeMutation,
15328
- variables: {
15329
- input: {},
15330
- },
15331
- }), {
15332
- includeKeyGraph: false,
15333
- })];
15334
- case 8:
15335
- challenge = (_a.sent()).createTpAssemblyKeyChallenge.challenge;
15336
- console.log(challenge);
15337
- // Sign the challenge
15338
- // Generate a client side nonce that's no in the server's control.
15339
- challenge.clientNonce = this.keyFactory.randomString(this.CLIENT_NONCE_LENGTH);
15340
- console.log(challenge);
15341
- return [4 /*yield*/, this.encryptionService.decrypt(assemblyKey, resetUser.wrappedAssemblyKeyVerifierPrk)];
15342
- case 9:
15343
- assemblyKeyVerifierPrk = _a.sent();
15344
- return [4 /*yield*/, this.encryptionService.sign(assemblyKeyVerifierPrk, challenge)];
15345
- case 10:
15346
- signedChallenge = _a.sent();
15347
- return [4 /*yield*/, this.mutate(new LrMutation({
15348
- mutation: PreCompleteTpPasswordResetRequestMutation,
15349
- variables: {
15350
- input: {
15351
- signedChallenge: JSON.stringify(signedChallenge),
15352
- },
15353
- },
15354
- }), {
15355
- includeKeyGraph: false,
15356
- })];
15357
- case 11:
15358
- tempIdpPassword = (_a.sent()).preCompleteTpPasswordResetRequest.idpPassword;
15359
- retPromise = new Promise(function (resolve) {
15360
- var listener = function (data) { return __awaiter(_this, void 0, void 0, function () {
15361
- return __generator(this, function (_a) {
15362
- switch (_a.label) {
15363
- case 0:
15364
- if (data.payload.event !== 'signIn') {
15365
- return [2 /*return*/];
15366
- }
15367
- core$1.Hub.remove('auth', listener);
15368
- console.log(data.payload);
15369
- return [4 /*yield*/, this.auth.signIn(resetUser.username, newIdpPassword)];
15370
- case 1:
15371
- _a.sent();
15372
- // Switch over to the new set of keys
15373
- return [4 /*yield*/, this.mutate(new LrMutation({
15374
- mutation: CompleteTpPasswordResetRequestMutation,
15375
- variables: {
15376
- input: {
15377
- masterKeyWrappedRootKey: masterKeyWrappedRootKey,
15378
- masterKeyId: masterKey.id,
15379
- },
15380
- },
15381
- }))];
15382
- case 2:
15383
- // Switch over to the new set of keys
15384
- _a.sent();
15385
- resolve();
15386
- return [2 /*return*/];
15387
- }
15388
- });
15389
- }); };
15390
- core$1.Hub.listen('auth', listener);
15391
- });
15392
- return [4 /*yield*/, this.auth.signIn(resetUser.username, tempIdpPassword, {
15393
- noProxy: 'true',
15394
- })];
15395
- case 12:
15396
- user = _a.sent();
15397
- if (user.challengeName !== 'NEW_PASSWORD_REQUIRED') {
15398
- throw new LrException({
15399
- message: 'Internal error. Expecting Cognito to have done a password reset after call to PreCompleteTpPasswordResetRequestMutation.',
15400
- });
15401
- }
15402
- return [4 /*yield*/, this.auth.completeNewPassword(user, newIdpPassword, {})];
15403
- case 13:
15404
- // Set new password on Idp
15405
- // the awsFetch() function passes NEW_PASSWORD_REQUIRED directly to AWS without
15406
- // going through the proxy.
15407
- user = _a.sent();
15408
- return [2 /*return*/, retPromise];
15409
- }
15410
- });
15411
- });
15412
- };
15413
15476
  return TpPasswordResetUserService;
15414
15477
  }(LrService));
15415
15478
  exports.TpPasswordResetUserService.ɵprov = i0.ɵɵdefineInjectable({ factory: function TpPasswordResetUserService_Factory() { return new exports.TpPasswordResetUserService(i0.ɵɵinject(i0.NgZone), i0.ɵɵinject(i0.INJECTOR), i0.ɵɵinject(LR_CONFIG), i0.ɵɵinject(KeyFactoryService), i0.ɵɵinject(EncryptionService), i0.ɵɵinject(KeyGraphService), i0.ɵɵinject(Slip39Service), i0.ɵɵinject(PasswordService), i0.ɵɵinject(i2.HttpClient), i0.ɵɵinject(i4.AuthClass), i0.ɵɵinject(LifeReadyAuthService)); }, token: exports.TpPasswordResetUserService, providedIn: "root" });