@lifeready/core 1.0.1 → 1.0.3

package/src/lib/auth/password.service.ts

@@ -1,438 +0,0 @@
-import { HttpClient } from '@angular/common/http';
-import { Inject, Injectable } from '@angular/core';
-import { CognitoUser } from '@aws-amplify/auth';
-import { AuthClass } from '@aws-amplify/auth/lib-esm/Auth';
-import { JWK, JWS } from 'node-jose';
-import { ProfileService } from '../users/profile.service';
-import { EncryptionService } from '../cryptography/encryption.service';
-import { KeyGraphService } from '../cryptography/key-graph.service';
-import { LifeReadyConfig, LR_CONFIG } from '../life-ready.config';
-import { LrAuthException, LrBadArgumentException } from '../_common/exceptions';
-import { LrApolloService } from './../api/lr-apollo.service';
-import {
-  PasswordChangeMutation,
-  PasswordChangeRequestMutation,
-  PasswordChangeConfigQuery,
-} from './auth.gql';
-import { PassKeyBundle } from './auth.types';
-import { WebCryptoService } from '../cryptography/web-crypto.service';
-import { Duration } from 'moment';
-import * as moment_ from 'moment';
-import { ApiCurrentUser } from '../users/profile.types';
-import { IdleService } from '../auth/idle.service';
-import { KeyFactoryService as KFS } from '../cryptography/key-factory.service';
-
-// "why?" you ask: https://stackoverflow.com/questions/59735280/angular-8-moment-error-cannot-call-a-namespace-moment
-const moment = moment_;
-
-interface PasswordChangeRequestMutation {
-  passwordChangeRequest: {
-    challenge: {
-      serverNonce: string;
-    };
-  };
-}
-
-interface PasswordChangeMutation {
-  passwordChange: {
-    token: string;
-    newPassKey: {
-      id: string;
-    };
-  };
-}
-
-export interface PasswordChangeConfig {
-  maxAuthAgeSeconds: number;
-  authTime: string | Date;
-  serverTime: string | Date;
-}
-
-export class PasswordCheck {
-  length?: number;
-  timeToCrack?: Duration;
-  passwordExposed?: number;
-}
-
-@Injectable({
-  providedIn: 'root',
-})
-export class PasswordService {
-  private readonly CLIENT_NONCE_LENGTH = 32;
-
-  constructor(
-    @Inject(LR_CONFIG) private config: LifeReadyConfig,
-    private http: HttpClient,
-    private apollo: LrApolloService,
-    private auth: AuthClass,
-    private profileService: ProfileService,
-    private keyFactory: KFS,
-    private encryptionService: EncryptionService,
-    private keyGraph: KeyGraphService,
-    private webCryptoService: WebCryptoService,
-    private idleService: IdleService
-  ) {}
-
-  public async checkPassword(password: string): Promise<PasswordCheck> {
-    const { years } = this.passwordStrength(password);
-
-    return {
-      length: password.length,
-      timeToCrack: moment.duration({ years }),
-      passwordExposed: await this.getExposureCount(password),
-    };
-  }
-
-  public async getExposureCount(password: string): Promise<number> {
-    const sha1Password = await this.webCryptoService.stringDigest(
-      'SHA-1',
-      password
-    );
-    const first5sha1 = sha1Password.substring(0, 5);
-
-    const response = await this.http
-      .get(`https://api.pwnedpasswords.com/range/${first5sha1}`, {
-        responseType: 'text',
-      })
-      .toPromise();
-
-    const results = new RegExp(
-      `^(?:${sha1Password.substring(5)}:)(?<count>\\d+)$`,
-      'im'
-    ).exec(response);
-
-    if (results) {
-      return +results.groups.count;
-    }
-    return 0;
-  }
-
-  public getPassIdpString(passIdp: JWK.Key) {
-    return (passIdp.toJSON(true) as any).k;
-  }
-
-  public async createPassKeyBundle(password: string): Promise<PassKeyBundle> {
-    const passIdpParams = await this.keyFactory.createPassIdpParams();
-    const passIdp = (
-      await this.keyFactory.derivePassIdp({
-        password,
-        ...passIdpParams,
-      })
-    ).jwk;
-
-    const passKeyParams = await this.keyFactory.createPassKeyParams();
-    const passKey = (
-      await this.keyFactory.derivePassKey({
-        password,
-        ...passKeyParams,
-      })
-    ).jwk;
-
-    const passIdpVerifier = await this.keyFactory.createPkcSignKey();
-
-    const wrappedPassIdpVerifierPrk = await this.encryptionService.encrypt(
-      passKey,
-      passIdpVerifier.toJSON(true)
-    );
-
-    // There are two formats that the private key can be represented in JWK:
-    // https://tools.ietf.org/html/rfc8017#page-9
-    // The second form is an optimization:
-    // https://crypto.stackexchange.com/questions/19413/what-are-dp-and-dq-in-encryption-by-rsa-in-c
-
-    return {
-      passKeyParams,
-      passKey,
-      passIdpParams,
-      passIdp,
-      passIdpVerifier,
-      wrappedPassIdpVerifierPrk,
-    };
-  }
-
-  /**
-   * We need to allow for interruption of the process at any point. Each API call can be considered
-   * atomic and either succeeds or fails.
-   *
-   * The LR server APIs use semaphore tokens for locking critical operations, so concurrent calls will
-   * fail.
-   *
-   * We assume the worst case for IdP API calls. So we use the semaphore token from LR to prevent
-   * concurrent calls to IdP APIs, but we have to assume that the IdP API calls will either succeed or
-   * fail within a reasonable amount of time.
-   *
-   * Each location where the server state changes can be a potential point of interruption.
-   * Potential points of interruption are marked with: --Potential Failure Point--
-   *
-   * Places for timeout:
-   * - Login age too old at call to: verifyPassword()
-   * - Login age too old at call to: changePasswordMutation()
-   * - Semaphore token expires at call to: changePasswordComplete()
-   *
-   * Tests:
-   * - Potential Failure Point 1: should be able to restart the process, user remains signed in.
-   * - Potential Failure Point 2: should enter recovery flow
-   * - Potential Failure Point 3: should enter recovery flow
-   * - Potential Failure Point 4: should enter recovery flow
-   *
-   */
-
-  public async isLoginRequired(): Promise<boolean> {
-    const changePasswordConfig = await this.getChangePasswordConfig();
-    const authTime = moment(changePasswordConfig.authTime);
-    const serverTime = moment(changePasswordConfig.serverTime);
-    const duration = moment.duration(serverTime.diff(authTime));
-    const seconds = duration.asSeconds();
-    if (seconds > changePasswordConfig.maxAuthAgeSeconds) {
-      return true;
-    } else {
-      return false;
-    }
-  }
-
-  public async changePassword(password: string, newPassword: string) {
-    const cognitoUser: CognitoUser = await this.auth.currentAuthenticatedUser();
-
-    // Validation
-    // todo: Add this back in
-    // Note the passIdp will always have a random salt, so will always be different to the current passIdp.
-    if (password === newPassword) {
-      throw new LrBadArgumentException(
-        'New password is the same as the current one.'
-      );
-    }
-
-    const { currentUser } = await this.profileService.getCurrentUser();
-
-    const { passIdp, signedChallenge } = await this.verifyPassword(
-      password,
-      currentUser
-    );
-
-    // --Potential Failure Point 1--
-    // verifyPassword() asks for a current password challenge hence changes server state.
-    // Place break points here to test the failure scenarios.
-
-    // Generate the new passIdp
-    const newPassKey = await this.createPassKeyBundle(newPassword);
-
-    // Re-encrypt master key with new key
-    const masterKey = await this.keyGraph.getKey(
-      currentUser.currentUserKey.masterKey.id
-    );
-    const newWrappedMasterKey = await this.encryptionService.encrypt(
-      newPassKey.passKey,
-      masterKey.jwk.toJSON(true)
-    );
-
-    // If the IdP change password failed, we need to go into recovery mode by forcing
-    // a login. We can't logout the user just yet since the IdP password change needs
-    // the user to be logged in. We _can_ removed any persisted session values for the IdP
-    // but that seems like too much trouble.
-
-    const { token, newPassKeyId } = await this.changePasswordMutation(
-      signedChallenge,
-      currentUser.currentUserKey.masterKey.id,
-      newWrappedMasterKey,
-      newPassKey
-    );
-
-    // --Potential Failure Point 2--
-    // changePasswordMutation() uploads new keys and obtains a semaphore lock to prevent any other
-    // clients from performing IdP password change.
-
-    // Now we can do the IdP password change.
-    // todo: Add this back in
-    await this.auth.changePassword(
-      cognitoUser,
-      this.getPassIdpString(passIdp),
-      this.getPassIdpString(newPassKey.passIdp)
-    );
-
-    // --Potential Failure Point 3--
-    // IdP password change
-
-    // Note that changePassword() could throw an exception for a number of reason. It could throw
-    // a network timeout for example. But we don't know if it's the response that timed out and
-    // the idp password change was actually carried out. So we have to be extra conservative and
-    // only act on a clear success. Otherwise we go into recover mode.
-    await this.changePasswordComplete(
-      cognitoUser.getSignInUserSession().getAccessToken().getJwtToken(),
-      true,
-      token
-    );
-  }
-
-  public async changePasswordComplete(
-    accessToken: string,
-    useNewPassword: boolean,
-    token: string = null
-  ): Promise<any> {
-    return this.http
-      .post(
-        `${this.config.authUrl}users/password-change-complete/`,
-        {
-          use_new_password: useNewPassword,
-          ...(token && { token }),
-        },
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-          },
-        }
-      )
-      .toPromise();
-  }
-
-  private async getVerifierPrK(
-    passKey: JWK.Key,
-    wrappedPrK: object
-  ): Promise<JWK.Key> {
-    try {
-      const prkJson = await this.encryptionService.decrypt(passKey, wrappedPrK);
-      return KFS.asKey(prkJson);
-    } catch (error) {
-      throw new LrAuthException('Wrong current password');
-    }
-  }
-
-  private async verifyPassword(
-    password: string,
-    currentUser: ApiCurrentUser
-  ): Promise<{ passIdp: JWK.Key; signedChallenge: JWS.CreateSignResult }> {
-    // Get information from the server to prepare for password change.
-    const passwordRequest = await this.apollo.mutate<PasswordChangeRequestMutation>(
-      {
-        mutation: PasswordChangeRequestMutation,
-        variables: {},
-      }
-    );
-
-    // Get the old passKey so we can decrypt the old password verifier
-    const passKeyResult = await this.keyFactory.derivePassKey({
-      password,
-      ...currentUser.currentUserKey.passKey.passKeyParams,
-    });
-
-    const verifierPrK = await this.getVerifierPrK(
-      passKeyResult.jwk,
-      currentUser.currentUserKey.passKey.wrappedPassIdpVerifierPrk
-    );
-
-    // Sign the server challenge to prove to the server we can decrypt the password verifier.
-    // Generate
-    const clientNonce = this.keyFactory.randomString(this.CLIENT_NONCE_LENGTH);
-
-    const signedChallenge = await this.encryptionService.sign(verifierPrK, {
-      serverNonce: passwordRequest.passwordChangeRequest.challenge.serverNonce,
-      clientNonce,
-    });
-
-    const passIdpResult = await this.keyFactory.derivePassIdp({
-      password,
-      ...currentUser.currentUserKey.passKey.passIdpParams,
-    });
-
-    return {
-      passIdp: passIdpResult.jwk,
-      signedChallenge,
-    };
-  }
-
-  private async changePasswordMutation(
-    signedChallenge: JWS.CreateSignResult,
-    masterKeyId: string,
-    newWrappedMasterKey: object,
-    passKeyBundle: PassKeyBundle
-  ): Promise<{ token: string; newPassKeyId: string }> {
-    const response = await this.apollo.mutate<PasswordChangeMutation>({
-      mutation: PasswordChangeMutation,
-      variables: {
-        input: {
-          signedChallenge: JSON.stringify(signedChallenge),
-          masterKeyId,
-          newWrappedMasterKey: JSON.stringify(newWrappedMasterKey),
-          newPassKey: {
-            passIdpParams: JSON.stringify(passKeyBundle.passIdpParams),
-            passIdpVerifierPbk: JSON.stringify(
-              passKeyBundle.passIdpVerifier.toJSON()
-            ),
-            wrappedPassIdpVerifierPrk: JSON.stringify(
-              passKeyBundle.wrappedPassIdpVerifierPrk
-            ),
-            passKeyParams: JSON.stringify(passKeyBundle.passKeyParams),
-          },
-        },
-      },
-    });
-    return {
-      token: response.passwordChange.token,
-      newPassKeyId: response.passwordChange.newPassKey.id,
-    };
-  }
-
-  async getChangePasswordConfig(): Promise<PasswordChangeConfig> {
-    const res = await this.apollo.query<any>({
-      query: PasswordChangeConfigQuery,
-    });
-
-    const ret = res.passwordChangeConfig as PasswordChangeConfig;
-
-    ret.authTime = new Date(ret.authTime);
-    ret.serverTime = new Date(ret.serverTime);
-    return ret;
-  }
-
-  public passwordStrength(password): { years: number; bits: number } {
-    const upper = /[A-Z]/g;
-    const lower = /[a-z]/g;
-    const digit = /[0-9]/g;
-
-    const upperChoices = 26;
-    const lowerChoices = 26;
-    const digitChoices = 10;
-    const specialChoices = 30; // /[!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~]/g
-
-    function instanceCount(str, re) {
-      return ((str || '').match(re) || []).length;
-    }
-
-    const uppers = instanceCount(password, upper);
-    const lowers = instanceCount(password, lower);
-    const digits = instanceCount(password, digit);
-    const specials = password.length - uppers - lowers - digits;
-
-    let choices = 0;
-    if (uppers) {
-      choices += upperChoices;
-    }
-    if (lowers) {
-      choices += lowerChoices;
-    }
-    if (digits) {
-      choices += digitChoices;
-    }
-    if (specials) {
-      choices += specialChoices;
-    }
-
-    if (password.length === 0) {
-      return {
-        years: 0,
-        // bits of entropy
-        bits: 0,
-      };
-    }
-
-    const permutations = Math.pow(choices, password.length);
-
-    const years =
-      (54000 * permutations) /
-      Math.pow(upperChoices + lowerChoices + digitChoices, 12);
-    return {
-      years,
-      // bits of entropy
-      bits: Math.round(Math.log2(permutations)),
-    };
-  }
-}

package/src/lib/auth/register.service.spec.ts

@@ -1,31 +0,0 @@
-import { TestBed } from '@angular/core/testing';
-import { lrConfigureTestingModule, lrit } from '../_common/tests';
-import { RegisterService } from './register.service';
-
-const TIMEOUT = 1000 * 60 * 10;
-
-describe('RegisterService', () => {
-  let service: RegisterService;
-
-  beforeEach(() => {
-    lrConfigureTestingModule();
-    service = TestBed.inject(RegisterService);
-  });
-
-  it('should be created', () => {
-    expect(service).toBeTruthy();
-  });
-
-  lrit(
-    'should check hibp',
-    async () => {
-      let res = await service.hibpBreachedAccounts('test@example.com');
-      expect(res.length).toBeGreaterThan(0);
-
-      // Should not have any breaches.
-      res = await service.hibpBreachedAccounts('test@xthsygdsdocs.com');
-      expect(res).toBe(null);
-    },
-    TIMEOUT
-  );
-});

package/src/lib/auth/register.service.ts

@@ -1,181 +0,0 @@
-import { HttpClient } from '@angular/common/http';
-import { Inject, Injectable } from '@angular/core';
-import { AuthClass } from '@aws-amplify/auth/lib-esm/Auth';
-import { EncryptionService } from '../cryptography/encryption.service';
-import { KeyFactoryService } from '../cryptography/key-factory.service';
-import { LifeReadyConfig, LR_CONFIG } from '../life-ready.config';
-import { PasswordService } from './password.service';
-import { RegisterResult } from './auth.types';
-
-@Injectable({
-  providedIn: 'root',
-})
-export class RegisterService {
-  constructor(
-    @Inject(LR_CONFIG) private config: LifeReadyConfig,
-    private auth: AuthClass,
-    private http: HttpClient,
-    private keyFactory: KeyFactoryService,
-    private encryptionService: EncryptionService,
-    private passwordService: PasswordService
-  ) {}
-
-  /**
-   * Request a verification code to be sent out to an email.
-   * @return Info needed to be submitted along with the verification code
-   */
-  public async verifyEmail(email: string): Promise<string> {
-    const { claim_id } = await this.http
-      .post<{ claim_id }>(`${this.config.authUrl}cove/claim/email/`, {
-        address: email,
-        context: 'signup',
-      })
-      .toPromise();
-    return claim_id;
-  }
-
-  public async verifyPhone(phoneNumber: string): Promise<string> {
-    const { claim_id } = await this.http
-      .post<{ claim_id }>(`${this.config.authUrl}cove/claim/sms/`, {
-        address: phoneNumber,
-        context: 'signup',
-      })
-      .toPromise();
-    return claim_id;
-  }
-
-  public async confirmVerificationCode(
-    verificationId: string,
-    verificationCode: string
-  ): Promise<string> {
-    const { token } = await this.http
-      .post<{ token }>(`${this.config.authUrl}cove/respond/`, {
-        claim_id: verificationId,
-        v_code: verificationCode,
-      })
-      .toPromise();
-    return token;
-  }
-
-  public async register(
-    email: string,
-    password: string,
-    verificationId: string,
-    verificationToken: string,
-    verificationType: 'email' | 'phone' = 'email'
-  ): Promise<RegisterResult> {
-    // Generate the key material needed for PassIdp which will be the password used for Cognito.
-    const passKeyBundle = await this.passwordService.createPassKeyBundle(
-      password
-    );
-
-    const masterKey = await this.keyFactory.createKey();
-    const wrappedMasterKey = await this.encryptionService.encrypt(
-      passKeyBundle.passKey,
-      masterKey.toJSON(true)
-    );
-
-    const rootKey = await this.keyFactory.createKey();
-    const wrappedRootKey = await this.encryptionService.encrypt(
-      masterKey,
-      rootKey.toJSON(true)
-    );
-
-    // Encryption PKC key
-    const prk = await this.keyFactory.createPkcKey();
-    const wrappedPrk = await this.encryptionService.encrypt(
-      rootKey,
-      prk.toJSON(true)
-    );
-
-    // Signing PKC key
-    const sigPrk = await this.keyFactory.createPkcSignKey();
-    const wrappedSigPrk = await this.encryptionService.encrypt(
-      rootKey,
-      sigPrk.toJSON(true)
-    );
-
-    // API call to setup profile
-    const user = await this.http
-      .post<any>(`${this.config.authUrl}users/`, {
-        claims: [
-          {
-            type: verificationType,
-            token: verificationToken,
-            claim_id: verificationId,
-          },
-        ],
-        pass_idp_params: passKeyBundle.passIdpParams,
-        pass_idp_verifier_pbk: passKeyBundle.passIdpVerifier.toJSON(),
-        wrapped_pass_idp_verifier_prk: passKeyBundle.wrappedPassIdpVerifierPrk,
-        pass_key_params: passKeyBundle.passKeyParams,
-        wrapped_master_key: wrappedMasterKey,
-        wrapped_root_key: wrappedRootKey,
-        pbk: prk.toJSON(), // public encryption key
-        wrapped_prk: wrappedPrk,
-        sig_pbk: sigPrk.toJSON(), // public signing key
-        wrapped_sig_prk: wrappedSigPrk,
-      })
-      .toPromise();
-
-    // API call to create user on cognito
-    const attributes = {};
-    user.claims.forEach((claim) => {
-      attributes[claim.type] = claim.value;
-    });
-
-    // Random suffix for uniqueness. If there's a duplicate, then used just needs to
-    // sign up again. But chances of collision is low.
-    const suffix = this.keyFactory.randomDigitsNoZeros(4);
-
-    const cognitoUser = await this.auth.signUp({
-      username: `${email.split('@')[0]}.${suffix}`,
-      password: this.passwordService.getPassIdpString(passKeyBundle.passIdp),
-      attributes,
-      // Unfortunately, validationData is not passed to the post
-      // confirmation cognito trigger. So can can't do the association there.
-      // The current workflow will create a new user on LR before signing up
-      // with Cognito. Then Cognito can use the user.id and user.pre_sign_up_token to
-      // do the validation of the attributes.
-      // validationData: [
-      //   new CognitoUserAttribute({
-      //     Name: "user_id",
-      //     Value: String(user.id)
-      //   }),
-      //   new CognitoUserAttribute({
-      //     Name: "user_pre_sign_up_token",
-      //     Value: user.pre_sign_up_token
-      //   })
-      // ]
-      clientMetadata: {
-        user_id: String(user.id),
-        user_pre_sign_up_token: String(user.pre_sign_up_token),
-      },
-    });
-
-    return {
-      username: cognitoUser.user.getUsername(),
-      userId: user.id,
-      preSignUpToken: user.pre_sign_up_token,
-      userSub: cognitoUser.userSub,
-    };
-  }
-
-  public async hibpBreachedAccounts(account: string): Promise<any> {
-    // The account is just the email
-    try {
-      const response = await this.http
-        .get(
-          `${this.config.authUrl}users/hibp/breachedaccount/${account}/?truncateResponse=false`
-        )
-        .toPromise();
-      return response;
-    } catch (error) {
-      if (error.status === 404) {
-        return null;
-      } else {
-        throw error;
-      }
-    }
-  }
-}

package/src/lib/auth/two-factor.service.spec.ts

@@ -1,21 +0,0 @@
-import { TestBed } from '@angular/core/testing';
-
-import { TwoFactorService } from './two-factor.service';
-import { AuthClass } from '@aws-amplify/auth/lib-esm/Auth';
-
-const auth = jasmine.createSpyObj('AuthClass', ['']);
-
-describe('TwoFactorService', () => {
-  let service: TwoFactorService;
-
-  beforeEach(() => {
-    TestBed.configureTestingModule({
-      providers: [{ provide: AuthClass, useValue: auth }],
-    });
-    service = TestBed.inject(TwoFactorService);
-  });
-
-  it('should be created', () => {
-    expect(service).toBeTruthy();
-  });
-});