@lifeready/core 1.0.1 → 1.0.2

package/src/lib/cryptography/key.service.ts

@@ -1,154 +0,0 @@
-import { Inject, Injectable } from '@angular/core';
-import { Key, PassKey } from './cryptography.types';
-import { LrNotFoundException } from '../_common/exceptions';
-import { PersistService } from '../api/persist.service';
-import { KeyFactoryService as KFS } from './key-factory.service';
-import { LifeReadyConfig, LR_CONFIG } from '../life-ready.config';
-
-export class UserKeys {
-  passKey: PassKey;
-  masterKey: Key;
-  rootKey?: Key;
-  pxk?: Key;
-  sigPxk?: Key;
-}
-
-interface StoredPassKey {
-  id: string;
-  jwk: object;
-}
-
-@Injectable({
-  providedIn: 'root',
-})
-export class KeyService {
-  private readonly STORE_MASTER_KEY = 'masterKey';
-  // variables
-  private keys: UserKeys;
-  private masterKey: Key;
-
-  // AZ: This can't be change easily. It's basically a PassK or PassIdp rotation.
-  // todo: we should eventually increase this periodically to match with Moore's law.
-  // The iterations for each key are kept by the server as well but we assume the value
-  // from the server is not trustworthy, so need to have minimum thresholds here.
-  // If creating new keys, these minimum are used.
-  public readonly MIN_PASS_IDP_PBKDF_ITER = 100000;
-  public readonly MIN_PASS_KEY_PBKDF_ITER = 100000;
-  public readonly MIN_LBOP_KEY_PBKDF_ITER = 100000;
-
-  // These are used as the default values. They must be larger than the minimum values.
-  public readonly DEFAULT_PASS_IDP_PBKDF_ITER = this.MIN_PASS_IDP_PBKDF_ITER;
-  public readonly DEFAULT_PASS_KEY_PBKDF_ITER = this.MIN_PASS_KEY_PBKDF_ITER;
-  public readonly DEFAULT_LBOP_KEY_PBKDF_ITER = this.MIN_LBOP_KEY_PBKDF_ITER;
-
-  constructor(
-    @Inject(LR_CONFIG) private config: LifeReadyConfig,
-    private persistService: PersistService
-  ) {
-    this.resetKeys();
-  }
-
-  resetKeys() {
-    this.keys = null;
-    this.masterKey = null;
-  }
-
-  purgeKeys() {
-    this.resetKeys();
-    this.persistService.clear();
-  }
-
-  populateKeys(keys: UserKeys) {
-    this.keys = keys;
-  }
-
-  public getCurrentPassKey(): Key {
-    return this.keys.passKey;
-  }
-
-  public getCurrentMasterKey(): Key {
-    return this.keys.masterKey;
-  }
-
-  public getCurrentRootKey(): Key {
-    return this.keys.rootKey;
-  }
-
-  public getCurrentPxk(): Key {
-    return this.keys.pxk;
-  }
-
-  public getCurrentSigPxk(): Key {
-    return this.keys.sigPxk;
-  }
-
-  private expiresAfter(seconds: number): Date {
-    return new Date(Date.now() + 1000 * seconds);
-  }
-
-  async persistMasterKey(
-    masterKey: Key,
-    expiresAfterSeconds: number
-  ): Promise<void> {
-    const storedKey = {
-      id: masterKey.id,
-      jwk: masterKey.jwk.toJSON(true),
-    };
-
-    this.masterKey = masterKey;
-
-    // Save in an expirable cookie.
-    await this.persistService.set({
-      name: this.STORE_MASTER_KEY,
-      value: storedKey,
-      expiry: this.expiresAfter(expiresAfterSeconds),
-      serverSession: !this.config.disableSessionEncryptionKey,
-    });
-  }
-
-  async setMasterKeyExpiresAfterSeconds(seconds: number): Promise<void> {
-    const storedKey = await this.persistService.get(this.STORE_MASTER_KEY);
-    if (storedKey == null) {
-      throw new LrNotFoundException(
-        `Can not find masterKey in persisted storage using name: ${this.STORE_MASTER_KEY}`
-      );
-    }
-    await this.persistService.set({
-      name: this.STORE_MASTER_KEY,
-      value: storedKey,
-      expiry: this.expiresAfter(seconds),
-      serverSession: !this.config.disableSessionEncryptionKey,
-    });
-  }
-
-  // There's little benefit in using WebCrypto's none-extractable keys because if there
-  // is an XSS attack, then the attacker has control over the js that downloads the keys. The
-  // attacker can modify the code to import the keys as extractable. So none-extractable keys
-  // are only useful if they are already persisted and the user cannot download any more keys,
-  // which is not feasible.
-  // So storing the PassKey in localstorage for now, at least till we know what the usage
-  // pattern is, i.e. how often do we need to use the RootK, MaterK, and PassK.
-  async loadMasterKey(masterKeyId: string): Promise<Key> {
-    if (!this.masterKey) {
-      const storedKey = await this.persistService.get(this.STORE_MASTER_KEY);
-
-      if (!storedKey) {
-        throw new LrNotFoundException(
-          'Could not find masterKey in persisted storage'
-        );
-      }
-
-      if (storedKey.id !== masterKeyId) {
-        throw new LrNotFoundException(
-          `masterKeyId ${storedKey.id} in persisted storage does not match the one requested ${masterKeyId}`
-        );
-      }
-
-      storedKey.jwk = await KFS.asKey(storedKey.jwk);
-
-      this.masterKey = storedKey;
-    }
-
-    return this.masterKey;
-  }
-}

package/src/lib/cryptography/slip39.service.spec.ts

@@ -1,44 +0,0 @@
-import { TestBed } from '@angular/core/testing';
-import { Slip39Service, Assembly, SubAssembly } from './slip39.service';
-import { ScenarioApproverService } from '../scenario/approvals/scenario-approver.service';
-import { lrConfigureTestingModule } from '../_common/tests';
-
-describe('Slip32Service', () => {
-  let slip39Service: Slip39Service;
-
-  beforeEach(() => {
-    lrConfigureTestingModule();
-    slip39Service = TestBed.inject(Slip39Service);
-  });
-
-  it('should combine mnemonics', async () => {
-    const quorum = 2;
-    const slipAssembly = new Assembly(quorum);
-
-    slipAssembly.addSubAssembly(new SubAssembly(0, 2, 3));
-    slipAssembly.addSubAssembly(new SubAssembly(1, 2, 2));
-    slipAssembly.addSubAssembly(new SubAssembly(2, 3, 5));
-
-    const secret = '123456abcdefg';
-    await slip39Service.generateShares(
-      secret,
-      ScenarioApproverService.SLIP39_PASSPHRASE,
-      slipAssembly
-    );
-
-    const mnemonics = [];
-
-    slipAssembly.subAssemblies.forEach((sa) => {
-      sa.shares.forEach((share) => mnemonics.push(share.mnemonics));
-    });
-
-    expect(mnemonics.length).toBe(10);
-
-    // The recoverSecret() should
-    const recovered = await slip39Service.recoverSecret(
-      mnemonics,
-      ScenarioApproverService.SLIP39_PASSPHRASE
-    );
-    expect(recovered).toEqual(secret);
-  });
-});

package/src/lib/cryptography/slip39.service.ts

@@ -1,204 +0,0 @@
-import { Injectable } from '@angular/core';
-import { Slip39, Slip39Helper } from 'slip39';
-
-export class SecretShare {
-  constructor(
-    public assembly: number = 0,
-    public subAssembly: number = 0,
-    public mnemonics: string = ''
-  ) {}
-}
-
-export class SubAssembly {
-  constructor(
-    public index: number,
-    public threshold: number = 0,
-    public size: number = 0
-  ) {
-    this.clearShares();
-  }
-
-  shares: SecretShare[];
-
-  public clearShares() {
-    this.shares = Array();
-  }
-
-  public addShare(share: SecretShare) {
-    this.shares.push(share);
-  }
-}
-
-export class Assembly {
-  constructor(public threshold: number = 0) {
-    this.clearSubAssemblies();
-  }
-
-  subAssemblies: SubAssembly[];
-
-  public size() {
-    return this.subAssemblies.length;
-  }
-
-  public clearSubAssemblies() {
-    this.subAssemblies = new Array();
-  }
-
-  public addSubAssembly(subAssembly: SubAssembly) {
-    this.subAssemblies.push(subAssembly);
-  }
-}
-
-export class SubQuorum {
-  shares: string[];
-
-  constructor(public subAssemblyIndex: number) {
-    this.clearShares();
-  }
-
-  public clearShares() {
-    this.shares = new Array();
-  }
-
-  public addShare(share: string) {
-    this.shares.push(share);
-  }
-}
-
-export class Quorum {
-  subQuora: SubQuorum[];
-
-  constructor() {
-    this.clearSubQuora();
-  }
-
-  public clearSubQuora() {
-    this.subQuora = new Array();
-  }
-
-  public addSubQuorum(subQuorum: SubQuorum) {
-    this.subQuora.push(subQuorum);
-  }
-
-  public serialiseShares() {
-    let shares = [];
-
-    this.subQuora.forEach((subQuorum) => {
-      shares = shares.concat(subQuorum.shares);
-    });
-
-    return shares;
-  }
-}
-
-@Injectable({
-  providedIn: 'root',
-})
-export class Slip39Service {
-  constructor() {}
-
-  public async generateShares(secret, passphrase: string, assembly: Assembly) {
-    // Hex-encode secret.
-    let ems = btoa(secret);
-    ems = Slip39Helper.slip39EncodeHex(ems);
-
-    // Construct group specifications
-    const groups = [];
-
-    for (const sa of assembly.subAssemblies) {
-      groups.push([sa.threshold, sa.size]);
-    }
-
-    // Split!
-    const slip = await Slip39.fromArray(ems, {
-      passphrase,
-      threshold: assembly.threshold,
-      groups,
-      title: '',
-    });
-
-    // Extract shares
-    assembly.subAssemblies.forEach((sa, isa) => {
-      // Remove any existing shares
-      sa.clearShares();
-
-      for (let im = 0; im < sa.size; im++) {
-        // Construct the path to the share, formatted as "r/<subassembly index>/<member index>"
-        // with <subassembly index> and <member index> being two-digit, zero-padded integers.
-        const path =
-          'r/' +
-          isa.toString().padStart(2, '0') +
-          '/' +
-          im.toString().padStart(2, '0');
-        const mnemonics = slip.fromPath(path).mnemonics[0];
-        const share = new SecretShare(isa, im, mnemonics);
-
-        sa.addShare(share);
-      }
-    });
-  }
-
-  // Remove all redundant shares. i.e. keep only enough members and groups to satisfy the thresholds.
-  private minimalSet(mnemonics: string[]): string[] {
-    // Decode the mnemonics and sort then into groups.
-    let groupThresh = null;
-    const groups = new Map();
-    for (const mnemonic of mnemonics) {
-      const decoded = Slip39Helper.decodeMnemonic(mnemonic);
-
-      if (groupThresh && groupThresh !== decoded.groupThreshold) {
-        throw new Error('groupThreshold is different in mnemonics');
-      }
-
-      groupThresh = decoded.groupThreshold;
-
-      // Note that Slip39.recoverSecret() will do all the error checking again. So it's not critical
-      // that we error check here. So we just optimistically assume it's all good.
-      let g = groups.get(decoded.groupIndex);
-      if (g == null) {
-        g = {
-          memberThreshold: decoded.memberThreshold,
-          members: [],
-        };
-        groups.set(decoded.groupIndex, g);
-      }
-
-      g.members.push({
-        mnemonic,
-        decoded,
-      });
-    }
-
-    // Keep the minimum set of groups that meet threshold.
-    const mnemonicsMinSet = [];
-    let groupCount = 0;
-    for (const g of groups.values()) {
-      // Keep only groups that meet threshold
-      if (g.members.length < g.memberThreshold) {
-        continue;
-      }
-
-      // Keep minimum number of approvals needed for group
-      g.members.slice(0, g.memberThreshold).forEach((member) => {
-        mnemonicsMinSet.push(member.mnemonic);
-      });
-
-      ++groupCount;
-      if (groupCount >= groupThresh) {
-        break;
-      }
-    }
-
-    return mnemonicsMinSet;
-  }
-
-  public async recoverSecret(shares: string[], passphrase: string) {
-    shares = this.minimalSet(shares);
-
-    const recovered = await Slip39.recoverSecret(shares, passphrase);
-
-    const secret = Slip39Helper.slip39DecodeHex(recovered);
-
-    return atob(secret);
-  }
-}

package/src/lib/cryptography/web-crypto.service.ts

@@ -1,22 +0,0 @@
-import { Injectable } from '@angular/core';
-
-@Injectable({
-  providedIn: 'root',
-})
-export class WebCryptoService {
-  crypto: Crypto = window.crypto;
-
-  toHex(buffer: ArrayBuffer) {
-    // Ref: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
-    const array = Array.from(new Uint8Array(buffer)); // convert buffer to byte array
-    const hex = array.map((b) => b.toString(16).padStart(2, '0')).join(''); // convert bytes to hex string
-    return hex;
-  }
-
-  async stringDigest(algorithm: string, message: string): Promise<string> {
-    const encoder = new TextEncoder();
-    const data = encoder.encode(message);
-    const hash = await this.crypto.subtle.digest(algorithm, data);
-    return this.toHex(hash);
-  }
-}

package/src/lib/life-ready.config.ts

@@ -1,127 +0,0 @@
-import { InjectionToken } from '@angular/core';
-import { AuthClass } from '@aws-amplify/auth/lib-esm/Auth';
-import {
-  ApolloClientOptions,
-  ApolloLink,
-  createHttpLink,
-  DefaultOptions,
-  from,
-  InMemoryCache,
-} from '@apollo/client/core';
-import { setContext } from '@apollo/client/link/context';
-import { RetryLink } from '@apollo/client/link/retry';
-import { LrApiErrorCode } from './_common/exceptions';
-import { GraphQLError } from 'graphql';
-
-export const LR_CONFIG = new InjectionToken<LifeReadyConfig>('LR.AUTH');
-const RETRY_ERROR_CODES = [LrApiErrorCode.CONCURRENT_ACCESS];
-
-export interface LifeReadyConfig {
-  authUrl: string;
-  apiUrl: string;
-  apolloUrl: string;
-  userPoolId: string;
-  userPoolWebClientId: string;
-  apolloConfig?: ApolloClientOptions<any>;
-  // Mainly to allow localhost to not needing this. Default to falsy
-  disableSessionEncryptionKey?: boolean;
-}
-
-export const configureApollo = (
-  config: LifeReadyConfig,
-  auth: AuthClass
-): ApolloClientOptions<any> => {
-  const defaultOptions: DefaultOptions = {
-    watchQuery: {
-      fetchPolicy: 'no-cache',
-      errorPolicy: 'all',
-    },
-    query: {
-      fetchPolicy: 'no-cache',
-      errorPolicy: 'all',
-    },
-    mutate: {
-      errorPolicy: 'all',
-    },
-  };
-
-  const authLink = setContext(async (_, { headers }) => {
-    let accessJwt = null;
-    try {
-      accessJwt = (await auth.currentSession()).getAccessToken();
-    } catch {
-      console.log('User not signed in');
-    }
-
-    return {
-      headers: {
-        ...headers,
-        authorization: accessJwt ? `Bearer ${accessJwt.jwtToken}` : '',
-      },
-    };
-  });
-
-  // We are only retrying on certain errors, like the CONCURRENT_ACCESS gql
-  // error which indicates DB race condition. So can be safely retried.
-  const retryIf = (error, _) => {
-    // The RetryLink is called on network error as well, so we need to filter for GraphQL errors.
-    if (error instanceof GraphQLErrorException) {
-      if (
-        error.errors.some((e) => RETRY_ERROR_CODES.includes(e.extensions?.code))
-      ) {
-        return true;
-      }
-    }
-
-    return false;
-  };
-
-  const retryLink = new RetryLink({
-    delay: {
-      initial: 300,
-      max: Infinity,
-      jitter: true,
-    },
-    attempts: {
-      max: 3,
-      retryIf,
-    },
-  });
-
-  class GraphQLErrorException extends Error {
-    constructor(public errors: readonly GraphQLError[]) {
-      super(errors.map((e) => e.message).join(', '));
-    }
-  }
-
-  // Throw exception on gql errors which effectively promotes it to a network
-  // error, which can then be handled by the RetryLink.
-  const promoteGqlErrors = new ApolloLink((operation, forward) => {
-    return forward(operation).map((data) => {
-      if (data && data.errors) {
-        const errors = data.errors.filter((e) =>
-          RETRY_ERROR_CODES.includes(e.extensions?.code)
-        );
-
-        if (errors.length > 0) {
-          throw new GraphQLErrorException(data.errors);
-        }
-      }
-      return data;
-    });
-  });
-
-  const httpLink = createHttpLink({
-    uri: config.apolloUrl,
-    // Sending the sessionid cookie so that the server can use session data when needed.
-    // eg. setting the session encryption key.
-    credentials: 'include',
-  });
-
-  return {
-    link: from([retryLink, promoteGqlErrors, authLink, httpLink]),
-    cache: new InMemoryCache(),
-    defaultOptions,
-    ...config.apolloConfig,
-  };
-};

package/src/lib/life-ready.module.ts

@@ -1,81 +0,0 @@
-import { HttpClientModule } from '@angular/common/http';
-import { APP_INITIALIZER, ModuleWithProviders, NgModule } from '@angular/core';
-import Auth from '@aws-amplify/auth';
-import { AuthClass } from '@aws-amplify/auth/lib-esm/Auth';
-import { APOLLO_OPTIONS } from 'apollo-angular';
-import { CookieService } from 'ngx-cookie-service';
-import { FileService } from './api/file.service';
-import { ProfileService } from './users/profile.service';
-import { configureAmplifyAuth } from './auth/auth.config';
-import {
-  initialiseAuth,
-  LifeReadyAuthService,
-} from './auth/life-ready-auth.service';
-import { PasswordService } from './auth/password.service';
-import { RegisterService } from './auth/register.service';
-import { EncryptionService } from './cryptography/encryption.service';
-import { KeyGraphService } from './cryptography/key-graph.service';
-import { KeyService } from './cryptography/key.service';
-import { KeyFactoryService } from './cryptography/key-factory.service';
-import { WebCryptoService } from './cryptography/web-crypto.service';
-import {
-  configureApollo,
-  LifeReadyConfig,
-  LR_CONFIG,
-} from './life-ready.config';
-import { TimeService } from './api/time.service';
-import { NgIdleKeepaliveModule } from '@ng-idle/keepalive';
-
-@NgModule({
-  imports: [HttpClientModule, NgIdleKeepaliveModule.forRoot()],
-  providers: [
-    CookieService,
-    TimeService,
-    FileService,
-    ProfileService,
-    RegisterService,
-    LifeReadyAuthService,
-    PasswordService,
-    WebCryptoService,
-    EncryptionService,
-    KeyGraphService,
-    KeyService,
-    KeyFactoryService,
-  ],
-})
-export class LifeReadyModule {
-  public static forRoot(
-    config: LifeReadyConfig
-  ): ModuleWithProviders<LifeReadyModule> {
-    return {
-      ngModule: LifeReadyModule,
-      providers: [
-        {
-          provide: LR_CONFIG,
-          useValue: config,
-        },
-        {
-          provide: AuthClass,
-          useValue: Auth,
-        },
-        {
-          provide: APP_INITIALIZER,
-          useFactory: configureAmplifyAuth,
-          deps: [LR_CONFIG, AuthClass],
-          multi: true,
-        },
-        {
-          provide: APP_INITIALIZER,
-          useFactory: initialiseAuth,
-          deps: [LifeReadyAuthService],
-          multi: true,
-        },
-        {
-          provide: APOLLO_OPTIONS,
-          useFactory: configureApollo,
-          deps: [LR_CONFIG, AuthClass],
-        },
-      ],
-    };
-  }
-}