@lifeready/core 1.0.1 → 1.0.2

package/src/lib/trusted-parties/tp-password-reset-user.service.ts

@@ -1,359 +0,0 @@
-import { Hub } from '@aws-amplify/core';
-import { Inject, Injectable, Injector, NgZone } from '@angular/core';
-import { EncryptionService } from '../cryptography/encryption.service';
-import { KeyGraphService } from '../cryptography/key-graph.service';
-import { LifeReadyConfig, LR_CONFIG } from '../life-ready.config';
-import * as slip from '../cryptography/slip39.service';
-import { JWK } from 'node-jose';
-import { LrBadStateException, LrException } from '../_common/exceptions';
-import {
-  CompleteTpPasswordResetRequestMutation,
-  CreateTpAssemblyKeyChallengeMutation,
-  PreCompleteTpPasswordResetRequestMutation,
-} from './tp-password-reset.gql';
-import { PasswordService } from '../auth/password.service';
-import { HttpClient } from '@angular/common/http';
-import { AuthClass } from '@aws-amplify/auth/lib-esm/Auth';
-import {
-  RequestResetResult,
-  TpPasswordResetService,
-} from './tp-password-reset.service';
-import { ISignUpResult } from 'amazon-cognito-identity-js';
-import { LifeReadyAuthService } from '../auth/life-ready-auth.service';
-import { KeyFactoryService } from '../cryptography/key-factory.service';
-import { TpClaimState, TpPasswordResetUserNode } from '../api/types';
-import { LrMutation, LrService } from '../api/lr-graphql';
-import { RunOutsideAngular } from '../_common/run-outside-angular';
-
-@RunOutsideAngular({
-  ngZoneName: 'ngZone',
-})
-@Injectable({
-  providedIn: 'root',
-})
-export class TpPasswordResetUserService extends LrService {
-  private readonly CLIENT_NONCE_LENGTH = 32;
-  private resetUser: TpPasswordResetUserNode;
-
-  constructor(
-    private ngZone: NgZone,
-    private injector: Injector,
-    @Inject(LR_CONFIG) private config: LifeReadyConfig,
-    private keyFactory: KeyFactoryService,
-    private encryptionService: EncryptionService,
-    private keyGraphService: KeyGraphService,
-    private slip39Service: slip.Slip39Service,
-    private passwordService: PasswordService,
-    private http: HttpClient,
-    private auth: AuthClass,
-    private lrAuth: LifeReadyAuthService
-  ) {
-    super(injector);
-  }
-
-  async verifyEmailContact(email): Promise<{ claimId: string }> {
-    const params = {
-      email,
-    };
-    return this.http
-      .post<any>(
-        `${this.config.authUrl}tp/password-reset/verify-contact/`,
-        params
-      )
-      .toPromise();
-  }
-
-  async verifyContactRespond(
-    claimId: string,
-    claimCode: string
-  ): Promise<string> {
-    const { token } = await this.http
-      .post<{ token }>(`${this.config.authUrl}cove/respond/`, {
-        claim_id: claimId,
-        v_code: claimCode,
-      })
-      .toPromise();
-    return token;
-  }
-
-  async requestReset(
-    password: string,
-    claimId: string,
-    claimToken: string
-  ): Promise<{
-    requestResetResult: RequestResetResult;
-    signUpResult: ISignUpResult;
-  }> {
-    // Generate the key materials
-    const passKeyBundle = await this.passwordService.createPassKeyBundle(
-      password
-    );
-
-    const masterKey = await this.keyFactory.createKey();
-    const wrappedMasterKey = await this.encryptionService.encrypt(
-      passKeyBundle.passKey,
-      masterKey.toJSON(true)
-    );
-
-    // Ephemeral PKC key
-    const prk = await this.keyFactory.createPkcKey();
-    const masterKeyWrappedPrk = await this.encryptionService.encrypt(
-      masterKey,
-      prk.toJSON(true)
-    );
-
-    // API call to setup reset request
-    const requestResetResult = await this.http
-      .post<RequestResetResult>(
-        `${this.config.authUrl}tp/password-reset/request/`,
-        {
-          claimId,
-          claimToken,
-          pass_key_params: passKeyBundle.passKeyParams,
-          pass_idp_params: passKeyBundle.passIdpParams,
-          pass_idp_verifier_pbk: passKeyBundle.passIdpVerifier.toJSON(), // public key
-          wrapped_pass_idp_verifier_prk:
-            passKeyBundle.wrappedPassIdpVerifierPrk,
-          wrapped_master_key: wrappedMasterKey,
-          pbk: prk.toJSON(), // ephemeral public key
-          master_key_wrapped_prk: masterKeyWrappedPrk,
-        }
-      )
-      .toPromise();
-
-    console.log(requestResetResult);
-    console.log(
-      'Using new password: ',
-      this.passwordService.getPassIdpString(passKeyBundle.passIdp)
-    );
-
-    // API call to create user on cognito
-    const signUpResult = await this.auth.signUp({
-      username: requestResetResult.reset_username,
-      password: this.passwordService.getPassIdpString(passKeyBundle.passIdp),
-      clientMetadata: {
-        tp_password_reset_request: JSON.stringify({
-          id: requestResetResult.id,
-          associate_reset_user_token:
-            requestResetResult.associate_reset_user_token,
-        }),
-      },
-    });
-
-    console.log('requestRest done: ', signUpResult);
-
-    return {
-      requestResetResult,
-      signUpResult,
-    };
-  }
-
-  async getResetUser(
-    reload: boolean = false
-  ): Promise<TpPasswordResetUserNode> {
-    if (!reload && this.resetUser) {
-      return this.resetUser;
-    }
-    this.resetUser = await this.lrAuth.loadResetUser();
-    return this.resetUser;
-  }
-
-  private async recoverAssemblyKey(
-    resetUser: TpPasswordResetUserNode
-  ): Promise<JWK.Key> {
-    // Recover the assembly key.
-    let assemblyKeyParams: object;
-
-    const prk = await this.keyGraphService.getKey(resetUser.pxk.id);
-
-    const shares = await Promise.all(
-      resetUser.approvals.map(async (approval) => {
-        const partialAssemblyKey = await this.encryptionService.decrypt(
-          prk,
-          approval.receiverCipherPartialAssemblyKey
-        );
-
-        if (assemblyKeyParams) {
-          if (
-            JSON.stringify(assemblyKeyParams) !==
-            JSON.stringify(partialAssemblyKey.assemblyKeyParams)
-          ) {
-            throw new LrBadStateException(
-              'The assembly key parameters are different between the approvals.'
-            );
-          }
-        } else {
-          assemblyKeyParams = partialAssemblyKey.assemblyKeyParams;
-        }
-        return partialAssemblyKey.slip39.share.mnemonics;
-      })
-    );
-
-    console.log('recoverAssemblyKey()', shares);
-
-    const rawAssemblyKey = await this.slip39Service.recoverSecret(
-      shares,
-      TpPasswordResetService.SLIP39_PASSPHRASE
-    );
-
-    return JWK.asKey({
-      ...assemblyKeyParams,
-      k: rawAssemblyKey,
-    });
-  }
-
-  async completeRequest(newPassword: string): Promise<void> {
-    const resetUser = await this.getResetUser(true);
-    if (resetUser.state !== TpClaimState.APPROVED) {
-      throw new LrBadStateException(
-        'Password reset request has not been approved.'
-      );
-    }
-
-    // --------------------------------------------------------------
-    // Prepare all materials to ensure there are no errors.
-    // --------------------------------------------------------------
-    const assemblyKey = await this.recoverAssemblyKey(resetUser);
-
-    const { rootKey } = await this.encryptionService.decrypt(
-      assemblyKey,
-      resetUser.assemblyCipherData
-    );
-    console.log(rootKey);
-
-    // Making sure it's a valid key.
-    const rootKeyJwk = await JWK.asKey(rootKey);
-
-    const masterKey = await this.keyGraphService.getKey(resetUser.masterKey.id);
-
-    const masterKeyWrappedRootKey = await this.encryptionService.encryptToString(
-      masterKey.jwk,
-      rootKeyJwk.toJSON(true)
-    );
-
-    // The new password
-    const newPassIdpResult = await this.keyFactory.derivePassIdp({
-      password: newPassword,
-      ...resetUser.passKey.passIdpParams,
-    });
-
-    const newIdpPassword = this.passwordService.getPassIdpString(
-      newPassIdpResult.jwk
-    );
-
-    // --------------------------------------------------------------
-    // Get assembly key challenge
-    // --------------------------------------------------------------
-    const challenge = (
-      await this.mutate(
-        new LrMutation({
-          mutation: CreateTpAssemblyKeyChallengeMutation,
-          variables: {
-            input: {},
-          },
-        }),
-        {
-          includeKeyGraph: false,
-        }
-      )
-    ).createTpAssemblyKeyChallenge.challenge;
-
-    console.log(challenge);
-
-    // Sign the challenge
-    // Generate a client side nonce that's no in the server's control.
-    challenge.clientNonce = this.keyFactory.randomString(
-      this.CLIENT_NONCE_LENGTH
-    );
-    console.log(challenge);
-
-    const assemblyKeyVerifierPrk = await this.encryptionService.decrypt(
-      assemblyKey,
-      resetUser.wrappedAssemblyKeyVerifierPrk
-    );
-    const signedChallenge = await this.encryptionService.sign(
-      assemblyKeyVerifierPrk,
-      challenge
-    );
-
-    // --------------------------------------------------------------
-    // Change password for the original user
-    // --------------------------------------------------------------
-    const tempIdpPassword = (
-      await this.mutate(
-        new LrMutation({
-          mutation: PreCompleteTpPasswordResetRequestMutation,
-          variables: {
-            input: {
-              signedChallenge: JSON.stringify(signedChallenge),
-            },
-          },
-        }),
-        {
-          includeKeyGraph: false,
-        }
-      )
-    ).preCompleteTpPasswordResetRequest.idpPassword;
-
-    // --------------------------------------------------------------
-    // Login as the original user using new temporary password
-    // --------------------------------------------------------------
-    // At this point, the original account's password has been changed
-    // to a temporary password. It is no longer possible for the user
-    // to use the original password to login. Any successful login
-    // can only be using the temporary password. So it's safe to assume
-    // that we want to "complete" the password reset.
-
-    // The maybe 2FA so we listen for the auth event from Amplify.
-    const retPromise = new Promise<void>((resolve) => {
-      const listener = async (data) => {
-        if (data.payload.event !== 'signIn') {
-          return;
-        }
-
-        Hub.remove('auth', listener);
-
-        console.log(data.payload);
-
-        await this.auth.signIn(resetUser.username, newIdpPassword);
-
-        // Switch over to the new set of keys
-        await this.mutate(
-          new LrMutation({
-            mutation: CompleteTpPasswordResetRequestMutation,
-            variables: {
-              input: {
-                masterKeyWrappedRootKey,
-                masterKeyId: masterKey.id,
-              },
-            },
-          })
-        );
-
-        resolve();
-      };
-
-      Hub.listen('auth', listener);
-    });
-
-    // Signin as the original user. Password has been reset to temporary one. It should return
-    // with NEW_PASSWORD_REQUIRED
-    let user = await this.auth.signIn(resetUser.username, tempIdpPassword, {
-      noProxy: 'true',
-    });
-
-    if (user.challengeName !== 'NEW_PASSWORD_REQUIRED') {
-      throw new LrException({
-        message:
-          'Internal error. Expecting Cognito to have done a password reset after call to PreCompleteTpPasswordResetRequestMutation.',
-      });
-    }
-
-    // Set new password on Idp
-    // the awsFetch() function passes NEW_PASSWORD_REQUIRED directly to AWS without
-    // going through the proxy.
-    user = await this.auth.completeNewPassword(user, newIdpPassword, {});
-
-    return retPromise;
-  }
-}