@lifeready/core 5.0.9 → 5.0.11

package/fesm2015/lifeready-core.js

@@ -1117,22 +1117,22 @@ class KeyService {
         this.resetKeys();
         this.persistService.clear();
     }
-    populateKeys(keys) {
+    setKeys(keys) {
         this.keys = keys;
     }
-    getCurrentPassKey() {
+    get currentPassKey() {
         return this.keys.passKey;
     }
-    getCurrentMasterKey() {
+    get currentMasterKey() {
         return this.keys.masterKey;
     }
-    getCurrentRootKey() {
+    get currentRootKey() {
         return this.keys.rootKey;
     }
-    getCurrentPxk() {
+    get currentPxk() {
         return this.keys.pxk;
     }
-    getCurrentSigPxk() {
+    get currentSigPxk() {
         return this.keys.sigPxk;
     }
     expiresAfter(seconds) {
@@ -1230,7 +1230,7 @@ class KeyGraphService {
     }
     populateKeys(userKey) {
         return __awaiter(this, void 0, void 0, function* () {
-            this.keyService.populateKeys({
+            this.keyService.setKeys({
                 passKey: userKey.passKey,
                 masterKey: yield this.keyService.loadMasterKey(userKey.masterKey.id),
                 rootKey: yield this.unwrapKey(userKey.masterKey.id, userKey.rootKey.id),
@@ -1360,7 +1360,7 @@ class KeyGraphService {
                 return key;
             }
             else {
-                return this.unwrapKey(this.keyService.getCurrentMasterKey().id, keyId);
+                return this.unwrapKey(this.keyService.currentMasterKey.id, keyId);
             }
         });
     }
@@ -3014,8 +3014,6 @@ class CurrentUser {
 }
 class LoginResult {
 }
-class RegisterResult {
-}
 var RecoveryStatus;
 (function (RecoveryStatus) {
     RecoveryStatus["NONE"] = "none";
@@ -3757,7 +3755,7 @@ class KeyMetaService {
             }
             else {
                 // Adding to root directory
-                const rootKey = this.keyService.getCurrentRootKey();
+                const rootKey = this.keyService.currentRootKey;
                 const wrappedKey = JSON.stringify(yield this.encryptionService.encrypt(rootKey.jwk, key.toJSON(true)));
                 rootWrappingKey = {
                     wrappingKeyId: rootKey.id,
@@ -4269,7 +4267,7 @@ class ProfileService {
     }
     prepareContactCardInput(contactCard) {
         return __awaiter(this, void 0, void 0, function* () {
-            const sigPxk = yield this.keyService.getCurrentSigPxk();
+            const sigPxk = this.keyService.currentSigPxk;
             const publicDataSig = JSON.stringify(yield this.encryptionService.sign(sigPxk.jwk, ''));
             const publicSearchableSig = JSON.stringify(yield this.encryptionService.sign(sigPxk.jwk, ''));
             const plainDataJson = {
@@ -5026,7 +5024,7 @@ class TpAssemblyController {
     }
     prepareCreate(input) {
         return __awaiter(this, void 0, void 0, function* () {
-            const rootKey = yield this.keyService.getCurrentRootKey();
+            const rootKey = this.keyService.currentRootKey;
             const subjectKey = yield this.keyFactory.createKey();
             const rootKeyWrappedSubjectKey = yield this.keyGraph.wrapKey(rootKey, subjectKey);
             const _a = yield this.prepareAssembly({
@@ -5080,7 +5078,7 @@ class TpAssemblyController {
                 deleteSubAssembliesInput.length === 0) {
                 throw new KcBadArgumentException('Must specify at least one of: [createSubAssemblies, updateSubAssemblies, deleteSubAssemblies]');
             }
-            const rootKey = yield this.keyService.getCurrentRootKey();
+            const rootKey = this.keyService.currentRootKey;
             const subjectKey = yield this.keyGraph.getKey(assembly.subjectKey.id);
             const _b = yield this.prepareAssembly({
                 rootKey: rootKey.jwk,
@@ -5871,40 +5869,698 @@ class LifeReadyAuthService {
                 const passKey = (yield this.keyFactory.derivePassKey(Object.assign({ password }, resetUser.passKey.passKeyParams))).jwk;
                 yield this.idleService.persistMasterKey(yield this.keyGraphService.unwrapWithPassKey(resetUser.passKey.id, passKey, resetUser.masterKey.id));
             }
-            this.keyService.populateKeys({
+            this.keyService.setKeys({
+                passKey: {
+                    id: resetUser.passKey.id,
+                },
+                masterKey: {
+                    id: resetUser.masterKey.id,
+                },
+            });
+            const userAttributes = yield this.auth.userAttributes(yield this.auth.currentAuthenticatedUser());
+            const sub = this.getUserAttribute('sub', userAttributes);
+            return Object.assign(Object.assign({}, (yield this.tpPasswordResetProcessorService.processTpPasswordResetUserNode(resetUser))), { sub });
+        });
+    }
+    refreshAccessToken() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const cognitoUser = yield this.auth.currentAuthenticatedUser();
+            const refreshToken = cognitoUser.getSignInUserSession().getRefreshToken();
+            return new Promise((resolve, reject) => {
+                cognitoUser.refreshSession(refreshToken, (err) => {
+                    if (err) {
+                        console.error('Error refreshing token: ', err);
+                        reject(err);
+                    }
+                    else {
+                        console.log('Token refresh complete');
+                        resolve(0);
+                    }
+                });
+            });
+        });
+    }
+    completeRequest(newPassword) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const resetUser = yield this.getResetUser(true);
+            if (resetUser.state !== TpClaimState.APPROVED) {
+                throw new KcBadStateException('Password reset request has not been approved.');
+            }
+            // --------------------------------------------------------------
+            // Prepare all materials to ensure there are no errors.
+            // --------------------------------------------------------------
+            const assemblyKey = yield this.recoverAssemblyKey(resetUser);
+            const { rootKey } = yield this.encryptionService.decrypt(assemblyKey, resetUser.assemblyCipherData);
+            // Making sure it's a valid key.
+            const rootKeyJwk = yield JWK.asKey(rootKey);
+            const masterKey = yield this.keyGraphService.getKey(resetUser.masterKey.id);
+            const masterKeyWrappedRootKey = yield this.encryptionService.encryptToString(masterKey.jwk, rootKeyJwk.toJSON(true));
+            // The new password
+            const newPassIdpResult = yield this.keyFactory.derivePassIdp(Object.assign({ password: newPassword }, resetUser.passKey.passIdpParams));
+            const newIdpPassword = this.passwordService.getPassIdpString(newPassIdpResult.jwk);
+            // --------------------------------------------------------------
+            // Get assembly key challenge
+            // --------------------------------------------------------------
+            const challenge = (yield this.lrGraphQL.lrMutate(new LrMutation({
+                mutation: CreateTpAssemblyKeyChallengeMutation,
+                variables: {
+                    input: {},
+                },
+            }), {
+                includeKeyGraph: false,
+            })).createTpAssemblyKeyChallenge.challenge;
+            // Sign the challenge
+            // Generate a client side nonce that's no in the server's control.
+            challenge.clientNonce = this.keyFactory.randomString(TP_PASSWORD_RESET_CLIENT_NONCE_LENGTH);
+            const assemblyKeyVerifierPrk = yield this.encryptionService.decrypt(assemblyKey, resetUser.wrappedAssemblyKeyVerifierPrk);
+            const signedChallenge = yield this.encryptionService.sign(assemblyKeyVerifierPrk, challenge);
+            // --------------------------------------------------------------
+            // Change password for the original user
+            // --------------------------------------------------------------
+            const tempIdpPassword = (yield this.lrGraphQL.lrMutate(new LrMutation({
+                mutation: PreCompleteTpPasswordResetRequestMutation,
+                variables: {
+                    input: {
+                        signedChallenge: JSON.stringify(signedChallenge),
+                    },
+                },
+            }), {
+                includeKeyGraph: false,
+            })).preCompleteTpPasswordResetRequest.idpPassword;
+            // --------------------------------------------------------------
+            // Login as the original user using new temporary password
+            // --------------------------------------------------------------
+            // At this point, the original account's password has been changed
+            // to a temporary password. It is no longer possible for the user
+            // to use the original password to login. Any successful login
+            // can only be using the temporary password. So it's safe to assume
+            // that we want to "complete" the password reset.
+            // The maybe 2FA so we listen for the auth event from Amplify.
+            const retPromise = new Promise((resolve) => {
+                const listener = (data) => __awaiter(this, void 0, void 0, function* () {
+                    if (data.payload.event !== 'signIn') {
+                        return;
+                    }
+                    Hub.remove('auth', listener);
+                    yield this.auth.signIn(resetUser.username, newIdpPassword);
+                    // Switch over to the new set of keys
+                    yield this.lrGraphQL.lrMutate(new LrMutation({
+                        mutation: CompleteTpPasswordResetRequestMutation,
+                        variables: {
+                            input: {
+                                masterKeyWrappedRootKey,
+                                masterKeyId: masterKey.id,
+                            },
+                        },
+                    }));
+                    resolve();
+                });
+                Hub.listen('auth', listener);
+            });
+            // Signin as the original user. Password has been reset to temporary one. It should return
+            // with NEW_PASSWORD_REQUIRED
+            let user = yield this.auth.signIn(resetUser.username, tempIdpPassword, {
+                noProxy: 'true',
+            });
+            if (user.challengeName !== 'NEW_PASSWORD_REQUIRED') {
+                throw new KcInternalErrorException('Expecting Cognito to have done a password reset after call to PreCompleteTpPasswordResetRequestMutation.');
+            }
+            // Set new password on Idp
+            // the awsFetch() function passes NEW_PASSWORD_REQUIRED directly to AWS without
+            // going through the proxy.
+            user = yield this.auth.completeNewPassword(user, newIdpPassword, {});
+            return retPromise;
+        });
+    }
+    recoverAssemblyKey(resetUser) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const prk = yield this.keyGraphService.getKey(resetUser.pxk.id);
+            const partials = yield Promise.all(resetUser.approvals
+                .filter((approval) => !!approval.receiverCipherPartialAssemblyKey)
+                .map((approval) => this.encryptionService.decrypt(prk, approval.receiverCipherPartialAssemblyKey)));
+            return this.assemblyController.recoverAssemblyKey(partials);
+        });
+    }
+}
+LifeReadyAuthService.ɵprov = ɵɵdefineInjectable({ factory: function LifeReadyAuthService_Factory() { return new LifeReadyAuthService(ɵɵinject(KC_CONFIG), ɵɵinject(AuthClass), ɵɵinject(KeyFactoryService), ɵɵinject(KeyService), ɵɵinject(ProfileService), ɵɵinject(KeyGraphService), ɵɵinject(PasswordService), ɵɵinject(IdleService), ɵɵinject(LrGraphQLService), ɵɵinject(TpPasswordResetProcessorService), ɵɵinject(PersistService), ɵɵinject(EncryptionService), ɵɵinject(TpPasswordResetAssemblyController), ɵɵinject(HttpClient)); }, token: LifeReadyAuthService, providedIn: "root" });
+LifeReadyAuthService.decorators = [
+    { type: Injectable, args: [{
+                providedIn: 'root',
+            },] }
+];
+LifeReadyAuthService.ctorParameters = () => [
+    { type: undefined, decorators: [{ type: Inject, args: [KC_CONFIG,] }] },
+    { type: AuthClass },
+    { type: KeyFactoryService },
+    { type: KeyService },
+    { type: ProfileService },
+    { type: KeyGraphService },
+    { type: PasswordService },
+    { type: IdleService },
+    { type: LrGraphQLService },
+    { type: TpPasswordResetProcessorService },
+    { type: PersistService },
+    { type: EncryptionService },
+    { type: TpPasswordResetAssemblyController },
+    { type: HttpClient }
+];
+
+class KeyContainer {
+    constructor(_key, timeout) {
+        this._key = _key;
+        this.timer = setTimeout(() => {
+            this._key = null;
+        }, timeout);
+    }
+    get key() {
+        return this._key;
+    }
+    /**
+     * Clears the reference to the key, clears the timer, return the key.
+     * It's important to call this function when the key is no longer needed because
+     * the anonymous function in setTimeout() holds a reference to "this", and hence
+     * keeps the "this._key" reference until the timer expired. So if we have used
+     * the key before it expired, we should clear the "this._key" reference immediately.
+     */
+    pop() {
+        const ret = this._key;
+        this._key = null;
+        if (this.timer) {
+            clearTimeout(this.timer);
+            this.timer = null;
+        }
+        return ret;
+    }
+}
+
+const CurrentUserQuery$1 = gqlTyped `
+query {
+  currentUser {
+    id
+    username
+    currentUserKey {
+      passKey {
+        id
+        passKeyParams
+        passIdpParams
+        wrappedPassIdpVerifierPrk
+        created
+      }
+      masterKey {
+        id
+      }
+      rootKey {
+        id
+      }
+      pxk {
+        id
+      }
+      sigPxk {
+        id
+      }
+    }
+    sessionEncryptionKey
+  }
+  keyGraph {
+    ...KeyGraphFragment
+  }
+}
+${KeyGraphFragment}
+`;
+const ResetUserQuery = gqlTyped `
+query ResetUserQuery {
+  tpPasswordResetUser {
+    username
+    sessionEncryptionKey
+    state
+    passKey {
+      id
+      passKeyParams
+      passIdpParams
+    }
+    masterKey {
+      id
+    }
+    pxk {
+      id
+    }
+    assembly {
+      singleReject
+      quorum
+      subAssemblies {
+        singleReject
+        quorum
+        approvers {
+          name
+          email
+          state
+        }
+      }
+    }
+    approvals {
+      id
+      modified
+      approverEmail
+      receiverCipher
+      receiverCipherPartialAssemblyKey
+    }
+    assemblyCipherData
+    wrappedAssemblyKeyVerifierPrk
+  }
+}`;
+
+var RecoveryStatus$1;
+(function (RecoveryStatus) {
+    RecoveryStatus["NONE"] = "NONE";
+    RecoveryStatus["NEW_PASSWORD"] = "NEW_PASSWORD";
+    RecoveryStatus["OLD_PASSWORD"] = "OLD_PASSWORD";
+})(RecoveryStatus$1 || (RecoveryStatus$1 = {}));
+// TODO restrict this type
+// export type AuthResetUser = TpPasswordResetUserNode;
+var PasswordChangeStatus$1;
+(function (PasswordChangeStatus) {
+    PasswordChangeStatus["IN_PROGRESS"] = "IN_PROGRESS";
+    PasswordChangeStatus["RECOVERY"] = "RECOVERY";
+})(PasswordChangeStatus$1 || (PasswordChangeStatus$1 = {}));
+var CognitoChallengeName;
+(function (CognitoChallengeName) {
+    CognitoChallengeName["NEW_PASSWORD_REQUIRED"] = "NEW_PASSWORD_REQUIRED";
+    CognitoChallengeName["SMS_MFA"] = "SMS_MFA";
+    CognitoChallengeName["SOFTWARE_TOKEN_MFA"] = "SOFTWARE_TOKEN_MFA";
+    CognitoChallengeName["MFA_SETUP"] = "MFA_SETUP";
+})(CognitoChallengeName || (CognitoChallengeName = {}));
+
+var auth2_types = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    get RecoveryStatus () { return RecoveryStatus$1; },
+    get PasswordChangeStatus () { return PasswordChangeStatus$1; },
+    get CognitoChallengeName () { return CognitoChallengeName; }
+});
+
+var Auth2Service_1;
+let Auth2Service = Auth2Service_1 = class Auth2Service extends LrService {
+    constructor(ngZone, injector, http, cognito, api, keyService, keyGraphService, keyFactoryService, passwordService, idleService, persistService, encryptionService, assemblyController, kcConfig) {
+        super(injector);
+        this.ngZone = ngZone;
+        this.injector = injector;
+        this.http = http;
+        this.cognito = cognito;
+        this.api = api;
+        this.keyService = keyService;
+        this.keyGraphService = keyGraphService;
+        this.keyFactoryService = keyFactoryService;
+        this.passwordService = passwordService;
+        this.idleService = idleService;
+        this.persistService = persistService;
+        this.encryptionService = encryptionService;
+        this.assemblyController = assemblyController;
+        this.kcConfig = kcConfig;
+        // Could use rxjs observables here. But trying to have kc-client use as little angular
+        // features as possible. Rxjs is not used anywhere else in kc-client.
+        this.logoutListeners = new Set();
+        // Stores the password for use after mfa verification to decrypt masterKey.
+        this.password = null;
+        if (!isDevMode()) {
+            if (this.kcConfig.debug != null) {
+                throw new KcBadRequestException('In production mode, "KcConfig.debug" must be set to null');
+            }
+        }
+    }
+    importPassword(plainPassword) {
+        return this.keyFactoryService.importPassword(plainPassword);
+    }
+    logout() {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            // Notify all listeners to clean up.
+            yield Promise.all([...this.logoutListeners].map((callback) => callback()));
+            this.user = null;
+            this.keyService.purgeKeys();
+            this.keyGraphService.purgeKeys();
+            // Sign out on both cognito and kc-server
+            yield Promise.all([this.cognito.signOut(), this.kcLogout()]);
+            if ((_a = this.kcConfig.debug) === null || _a === void 0 ? void 0 : _a.username) {
+                this.kcConfig.debug.username = null;
+            }
+        });
+    }
+    addLogoutListener(callback) {
+        this.logoutListeners.add(callback);
+    }
+    removeLogoutListener(callback) {
+        this.logoutListeners.delete(callback);
+    }
+    login(emailOrPhone, password, { tpPasswordResetAutoComplete = true } = {}) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            let loginResult = yield this.loginImpl(emailOrPhone, password);
+            // Save the password for use after meeting challenge.
+            if (loginResult.challenge) {
+                this.password = new KeyContainer(password, Auth2Service_1.CHALLENGE_TIMEOUT);
+                return loginResult;
+            }
+            if (tpPasswordResetAutoComplete &&
+                ((_a = loginResult.user.resetUser) === null || _a === void 0 ? void 0 : _a.state) === TpClaimState.APPROVED) {
+                yield this.completeResetRequest(password);
+                loginResult = yield this.loginImpl(emailOrPhone, password);
+            }
+            return loginResult;
+        });
+    }
+    verifyLogin(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { challenge, code, rememberMe } = options;
+            const VALID_CHALLENGE_NAMES = [
+                CognitoChallengeName.SMS_MFA,
+                CognitoChallengeName.SOFTWARE_TOKEN_MFA,
+            ];
+            if (!VALID_CHALLENGE_NAMES.includes(challenge.cognitoUser.challengeName)) {
+                throw new KcBadRequestException(`challengeName must be one of ${VALID_CHALLENGE_NAMES}`);
+            }
+            // TODO: this.auth.confirmSignIn() could return another challenge.
+            const cognitoUser = yield this.cognito.confirmSignIn(challenge.cognitoUser, code, challenge.cognitoUser.challengeName);
+            yield this.handlePostAuth(challenge.recoveryStatus);
+            const user = yield this.loadUser(cognitoUser, this.password.pop());
+            // This is not strictly necessary since the this.password.pop() already clears the
+            // password inside the container. But doesn't hurt either.
+            this.password = null;
+            if (rememberMe) {
+                cognitoUser.setDeviceStatusRemembered({
+                    onSuccess: () => {
+                        return;
+                    },
+                    onFailure: (e) => console.error(e),
+                });
+            }
+            return {
+                user,
+            };
+        });
+    }
+    getUser() {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this.user) {
+                return this.user;
+            }
+            const cognitoUser = yield this.cognito.currentAuthenticatedUser();
+            return this.loadUser(cognitoUser);
+        });
+    }
+    refreshAccessToken() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const cognitoUser = yield this.cognito.currentAuthenticatedUser();
+            const refreshToken = cognitoUser.getSignInUserSession().getRefreshToken();
+            console.log('Token refresh...');
+            return new Promise((resolve, reject) => {
+                cognitoUser.refreshSession(refreshToken, (err) => {
+                    if (err) {
+                        console.error('Error refreshing token: ', err);
+                        reject(err);
+                    }
+                    else {
+                        console.log('Token refresh complete');
+                        resolve(0);
+                    }
+                });
+            });
+        });
+    }
+    // ----------------------------------------------------------------------------------------------------
+    // Helpers
+    // ----------------------------------------------------------------------------------------------------
+    fetchCurrentUser() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return (yield this.api.query({
+                query: CurrentUserQuery$1,
+                processorOptions: {
+                    hasKeys: false,
+                },
+            })).currentUser;
+        });
+    }
+    fetchResetUser() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return (yield this.api.query({
+                query: ResetUserQuery,
+                processorOptions: {
+                    hasKeys: false,
+                },
+            })).tpPasswordResetUser;
+        });
+    }
+    kcLogout() {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.http
+                .post(`${this.kcConfig.authUrl}auth/sign-out/`, null, {
+                withCredentials: true,
+                responseType: 'text',
+            })
+                .toPromise();
+        });
+    }
+    fetchPassIdpParams(emailOrPhone) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return yield this.http
+                .get(`${this.kcConfig.authUrl}users/pass-idp-params/?login_name=${encodeURIComponent(emailOrPhone)}`)
+                .toPromise();
+        });
+    }
+    loginImpl(emailOrPhone, password) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.logout();
+            const loginIdpResult = yield this.loginIdp(emailOrPhone, password);
+            // Can't get the user yet because we still ned to meet MFA challenges
+            if ([
+                CognitoChallengeName.SMS_MFA,
+                CognitoChallengeName.SOFTWARE_TOKEN_MFA,
+            ].includes(loginIdpResult.cognitoUser.challengeName)) {
+                return {
+                    challenge: {
+                        cognitoUser: loginIdpResult.cognitoUser,
+                        recoveryStatus: loginIdpResult.recoveryStatus,
+                    },
+                };
+            }
+            yield this.handlePostAuth(loginIdpResult.recoveryStatus);
+            // There should be no MFA on the TP reset user.
+            const user = yield this.loadUser(loginIdpResult.cognitoUser, password);
+            return {
+                user,
+            };
+        });
+    }
+    loginIdp(emailOrPhone, password) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // Download the salt needed to derive the PassIdp
+            const passIdpApiResult = yield this.fetchPassIdpParams(emailOrPhone);
+            if (passIdpApiResult.passwordChangeStatus === PasswordChangeStatus$1.IN_PROGRESS) {
+                throw new KcConcurrentAccessException('A password change is in progress');
+            }
+            if (passIdpApiResult.passwordChangeStatus === PasswordChangeStatus$1.RECOVERY) {
+                console.log('In recovery mode.');
+                // Let's say we don't know if the password is the new one or the old one. We just have to try both.
+                try {
+                    const user = {
+                        cognitoUser: yield this.loginIdpImpl(emailOrPhone, password, passIdpApiResult.newPassIdpParams),
+                        recoveryStatus: RecoveryStatus$1.NEW_PASSWORD,
+                    };
+                    // New password worked. Let's set to the current password
+                    // --Potential Failure Point 1--
+                    // if changePasswordComplete() doesn't get called, then it should remain
+                    console.log('New password works!');
+                    return user;
+                }
+                catch (error) {
+                    // Just bubble up any other type of error.
+                    if (error.code !== 'NotAuthorizedException') {
+                        throw error;
+                    }
+                    // pass, try again assuming it's the old password
+                }
+                // Now assume it's the previous password. Any exception is allowed to bubble up.
+                try {
+                    const user = {
+                        cognitoUser: yield this.loginIdpImpl(emailOrPhone, password, passIdpApiResult.currentPassIdpParams),
+                        recoveryStatus: RecoveryStatus$1.OLD_PASSWORD,
+                    };
+                    // Old password worked.
+                    console.log('Old password works!');
+                    return user;
+                }
+                catch (error) {
+                    // Just bubble up any other type of error.
+                    throw error.code === 'NotAuthorizedException'
+                        ? new KcBadRequestException('The password change request was interrupted, please try to login with both your new and old password')
+                        : error;
+                }
+            }
+            // Try again as the TP password reset account
+            if (passIdpApiResult.tpPasswordReset) {
+                try {
+                    // TP password reset is in process. We need to try the password against both
+                    // original account and the new reset account.
+                    const reset = passIdpApiResult.tpPasswordReset;
+                    const user = {
+                        cognitoUser: yield this.loginIdpImpl(reset.resetUsername, password, reset.passIdpParams),
+                        recoveryStatus: RecoveryStatus$1.NONE,
+                    };
+                    return user;
+                }
+                catch (err) {
+                    // continue, try again as regular user.
+                }
+            }
+            // Login as regular user
+            const user = {
+                cognitoUser: yield this.loginIdpImpl(emailOrPhone, password, passIdpApiResult.currentPassIdpParams),
+                recoveryStatus: RecoveryStatus$1.NONE,
+            };
+            return user;
+        });
+    }
+    loginIdpImpl(emailOrPhone, password, passIdpParams) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const passIdpResult = yield this.keyFactoryService.derivePassIdp(Object.assign({ password }, passIdpParams));
+            // Use the derived password to signin with cognito
+            return this.cognito.signIn(emailOrPhone, this.passwordService.getPassIdpString(passIdpResult.jwk));
+        });
+    }
+    handlePostAuth(recoveryStatus) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.handlePasswordRecovery(recoveryStatus);
+            yield this.handleSessionEncryptionKey();
+        });
+    }
+    handlePasswordRecovery(recoveryStatus) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (recoveryStatus !== RecoveryStatus$1.NONE) {
+                yield this.passwordService.changePasswordComplete({
+                    useNewPassword: recoveryStatus === RecoveryStatus$1.NEW_PASSWORD,
+                });
+            }
+        });
+    }
+    handleSessionEncryptionKey() {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this.kcConfig.disableSessionEncryptionKey) {
+                if (!isDevMode()) {
+                    const msg = 'You should not set disableSessionEncryptionKey=True in mode prod. It defaults to false.';
+                    console.error(msg);
+                    throw new KcInternalErrorException(msg);
+                }
+                else {
+                    console.warn('You have set disableSessionEncryptionKey=True. Make sure not to do this in prod mode.');
+                }
+            }
+            else {
+                // Set the session key to a new encryption key for this session
+                const sessionEncryptionKey = yield this.keyFactoryService.createKey();
+                yield this.lrGraphQL.lrMutate(new LrMutation({
+                    mutation: SetSessionEncryptionKeyMutation,
+                    variables: {
+                        input: {
+                            sessionEncryptionKey: JSON.stringify(sessionEncryptionKey.toJSON(true)),
+                        },
+                    },
+                }), {
+                    includeKeyGraph: false,
+                });
+                this.persistService.setServerSessionEncryptionKey(sessionEncryptionKey);
+            }
+        });
+    }
+    getCognitoUserAttribute(attributeName, userAttributes) {
+        const userAttribute = userAttributes.find((x) => x.getName() === attributeName);
+        return userAttribute ? userAttribute.getValue() : null;
+    }
+    loadUserKeys(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { userKeys, password, sessionEncryptionKey } = options;
+            if (sessionEncryptionKey) {
+                this.persistService.setServerSessionEncryptionKey(yield JWK.asKey(sessionEncryptionKey));
+            }
+            // password is not needed if the master key is already persisted.
+            if (password) {
+                const passKey = (yield this.keyFactoryService.derivePassKey(Object.assign({ password }, userKeys.passKey.passKeyParams))).jwk;
+                yield this.idleService.persistMasterKey(yield this.keyGraphService.unwrapWithPassKey(userKeys.passKey.id, passKey, userKeys.masterKey.id));
+            }
+        });
+    }
+    loadUser(cognitoUser, password) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (cognitoUser.getUsername().endsWith(TP_PASSWORD_RESET_USERNAME_SUFFIX)) {
+                this.user = yield this.loadResetUser(cognitoUser, password);
+            }
+            else {
+                this.user = yield this.loadRegularUser(cognitoUser, password);
+            }
+            yield this.idleService.start(); // Run idleService whenever user is logged in.
+            return this.user;
+        });
+    }
+    loadRegularUser(cognitoUser, password) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const currentUser = yield this.fetchCurrentUser();
+            yield this.loadUserKeys({
+                userKeys: currentUser.currentUserKey,
+                password,
+                sessionEncryptionKey: currentUser.sessionEncryptionKey,
+            });
+            // Regular user populates all keys
+            yield this.keyGraphService.populateKeys(currentUser.currentUserKey);
+            const { username } = currentUser;
+            const userAttributes = yield this.cognito.userAttributes(cognitoUser);
+            return {
+                username,
+                sub: this.getCognitoUserAttribute('sub', userAttributes),
+                loginEmail: this.getCognitoUserAttribute('email', userAttributes),
+                resetUser: null,
+            };
+        });
+    }
+    loadResetUser(cognitoUser, password) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const resetUser = yield this.fetchResetUser();
+            const userKeys = {
                 passKey: {
                     id: resetUser.passKey.id,
+                    passKeyParams: resetUser.passKey.passKeyParams,
                 },
                 masterKey: {
                     id: resetUser.masterKey.id,
                 },
-            });
-            const userAttributes = yield this.auth.userAttributes(yield this.auth.currentAuthenticatedUser());
-            const sub = this.getUserAttribute('sub', userAttributes);
-            return Object.assign(Object.assign({}, (yield this.tpPasswordResetProcessorService.processTpPasswordResetUserNode(resetUser))), { sub });
+            };
+            yield this.loadUserKeys({
+                userKeys,
+                password,
+                sessionEncryptionKey: resetUser.sessionEncryptionKey,
+            });
+            // Reset user only sets a subset of keys
+            yield this.keyService.setKeys(userKeys);
+            const { username } = resetUser;
+            const userAttributes = yield this.cognito.userAttributes(cognitoUser);
+            return {
+                username,
+                sub: this.getCognitoUserAttribute('sub', userAttributes),
+                loginEmail: this.getCognitoUserAttribute('email', userAttributes),
+                resetUser: {
+                    state: resetUser.state,
+                },
+            };
         });
     }
-    refreshAccessToken() {
+    recoverAssemblyKey(resetUser) {
         return __awaiter(this, void 0, void 0, function* () {
-            const cognitoUser = yield this.auth.currentAuthenticatedUser();
-            const refreshToken = cognitoUser.getSignInUserSession().getRefreshToken();
-            return new Promise((resolve, reject) => {
-                cognitoUser.refreshSession(refreshToken, (err) => {
-                    if (err) {
-                        console.error('Error refreshing token: ', err);
-                        reject(err);
-                    }
-                    else {
-                        console.log('Token refresh complete');
-                        resolve(0);
-                    }
-                });
-            });
+            const prk = yield this.keyGraphService.getKey(resetUser.pxk.id);
+            const partials = yield Promise.all(resetUser.approvals
+                .filter((approval) => !!approval.receiverCipherPartialAssemblyKey)
+                .map((approval) => this.encryptionService.decrypt(prk, approval.receiverCipherPartialAssemblyKey)));
+            return this.assemblyController.recoverAssemblyKey(partials);
         });
     }
-    completeRequest(newPassword) {
+    completeResetRequest(newPassword) {
         return __awaiter(this, void 0, void 0, function* () {
-            const resetUser = yield this.getResetUser(true);
+            const resetUser = yield this.fetchResetUser();
             if (resetUser.state !== TpClaimState.APPROVED) {
                 throw new KcBadStateException('Password reset request has not been approved.');
             }
@@ -5918,7 +6574,7 @@ class LifeReadyAuthService {
             const masterKey = yield this.keyGraphService.getKey(resetUser.masterKey.id);
             const masterKeyWrappedRootKey = yield this.encryptionService.encryptToString(masterKey.jwk, rootKeyJwk.toJSON(true));
             // The new password
-            const newPassIdpResult = yield this.keyFactory.derivePassIdp(Object.assign({ password: newPassword }, resetUser.passKey.passIdpParams));
+            const newPassIdpResult = yield this.keyFactoryService.derivePassIdp(Object.assign({ password: newPassword }, resetUser.passKey.passIdpParams));
             const newIdpPassword = this.passwordService.getPassIdpString(newPassIdpResult.jwk);
             // --------------------------------------------------------------
             // Get assembly key challenge
@@ -5933,7 +6589,7 @@ class LifeReadyAuthService {
             })).createTpAssemblyKeyChallenge.challenge;
             // Sign the challenge
             // Generate a client side nonce that's no in the server's control.
-            challenge.clientNonce = this.keyFactory.randomString(TP_PASSWORD_RESET_CLIENT_NONCE_LENGTH);
+            challenge.clientNonce = this.keyFactoryService.randomString(TP_PASSWORD_RESET_CLIENT_NONCE_LENGTH);
             const assemblyKeyVerifierPrk = yield this.encryptionService.decrypt(assemblyKey, resetUser.wrappedAssemblyKeyVerifierPrk);
             const signedChallenge = yield this.encryptionService.sign(assemblyKeyVerifierPrk, challenge);
             // --------------------------------------------------------------
@@ -5957,14 +6613,14 @@ class LifeReadyAuthService {
             // to use the original password to login. Any successful login
             // can only be using the temporary password. So it's safe to assume
             // that we want to "complete" the password reset.
-            // The maybe 2FA so we listen for the auth event from Amplify.
+            // There maybe 2FA so we listen for the auth event from Amplify.
             const retPromise = new Promise((resolve) => {
                 const listener = (data) => __awaiter(this, void 0, void 0, function* () {
                     if (data.payload.event !== 'signIn') {
                         return;
                     }
                     Hub.remove('auth', listener);
-                    yield this.auth.signIn(resetUser.username, newIdpPassword);
+                    yield this.cognito.signIn(resetUser.username, newIdpPassword);
                     // Switch over to the new set of keys
                     yield this.lrGraphQL.lrMutate(new LrMutation({
                         mutation: CompleteTpPasswordResetRequestMutation,
@@ -5981,7 +6637,7 @@ class LifeReadyAuthService {
             });
             // Signin as the original user. Password has been reset to temporary one. It should return
             // with NEW_PASSWORD_REQUIRED
-            let user = yield this.auth.signIn(resetUser.username, tempIdpPassword, {
+            let user = yield this.cognito.signIn(resetUser.username, tempIdpPassword, {
                 noProxy: 'true',
             });
             if (user.challengeName !== 'NEW_PASSWORD_REQUIRED') {
@@ -5990,42 +6646,73 @@ class LifeReadyAuthService {
             // Set new password on Idp
             // the awsFetch() function passes NEW_PASSWORD_REQUIRED directly to AWS without
             // going through the proxy.
-            user = yield this.auth.completeNewPassword(user, newIdpPassword, {});
+            user = yield this.cognito.completeNewPassword(user, newIdpPassword, {});
             return retPromise;
         });
     }
-    recoverAssemblyKey(resetUser) {
+    // ------------------------------------------------------
+    // Debug utilities
+    // ------------------------------------------------------
+    debugLogin(username, password) {
+        // This will fail if debug is null. But when debug is null, this function
+        // should not be called.
+        this.kcConfig.debug.username = username;
+        return this.debugLoadUser(password);
+    }
+    debugLoadUser(password) {
         return __awaiter(this, void 0, void 0, function* () {
-            const prk = yield this.keyGraphService.getKey(resetUser.pxk.id);
-            const partials = yield Promise.all(resetUser.approvals
-                .filter((approval) => !!approval.receiverCipherPartialAssemblyKey)
-                .map((approval) => this.encryptionService.decrypt(prk, approval.receiverCipherPartialAssemblyKey)));
-            return this.assemblyController.recoverAssemblyKey(partials);
+            const currentUser = yield this.fetchCurrentUser();
+            const { username, currentUserKey } = currentUser;
+            // Debug mode can not deal with session encryption key yet.
+            // NO SESSION ENCRYPTION KEY.
+            const passKey = (yield this.keyFactoryService.derivePassKey(Object.assign({ password }, currentUserKey.passKey.passKeyParams))).jwk;
+            const masterKey = yield this.keyGraphService.unwrapWithPassKey(currentUserKey.passKey.id, passKey, currentUserKey.masterKey.id);
+            yield this.idleService.persistMasterKey(masterKey);
+            yield this.keyGraphService.populateKeys(currentUserKey);
+            this.user = {
+                username,
+                resetUser: null,
+                sub: 'DEBUG_MODE',
+                loginEmail: 'DEBUG_MODE',
+            };
+            return this.user;
         });
     }
-}
-LifeReadyAuthService.ɵprov = ɵɵdefineInjectable({ factory: function LifeReadyAuthService_Factory() { return new LifeReadyAuthService(ɵɵinject(KC_CONFIG), ɵɵinject(AuthClass), ɵɵinject(KeyFactoryService), ɵɵinject(KeyService), ɵɵinject(ProfileService), ɵɵinject(KeyGraphService), ɵɵinject(PasswordService), ɵɵinject(IdleService), ɵɵinject(LrGraphQLService), ɵɵinject(TpPasswordResetProcessorService), ɵɵinject(PersistService), ɵɵinject(EncryptionService), ɵɵinject(TpPasswordResetAssemblyController), ɵɵinject(HttpClient)); }, token: LifeReadyAuthService, providedIn: "root" });
-LifeReadyAuthService.decorators = [
+    /**
+     * Clears the caches user. So we can simulate a page refresh and test getUser().
+     */
+    debugClearUser() {
+        this.user = null;
+    }
+};
+Auth2Service.CHALLENGE_TIMEOUT = 1000 * 60 * 5;
+Auth2Service.ɵprov = ɵɵdefineInjectable({ factory: function Auth2Service_Factory() { return new Auth2Service(ɵɵinject(NgZone), ɵɵinject(INJECTOR), ɵɵinject(HttpClient), ɵɵinject(AuthClass), ɵɵinject(LrGraphQLService), ɵɵinject(KeyService), ɵɵinject(KeyGraphService), ɵɵinject(KeyFactoryService), ɵɵinject(PasswordService), ɵɵinject(IdleService), ɵɵinject(PersistService), ɵɵinject(EncryptionService), ɵɵinject(TpPasswordResetAssemblyController), ɵɵinject(KC_CONFIG)); }, token: Auth2Service, providedIn: "root" });
+Auth2Service.decorators = [
     { type: Injectable, args: [{
                 providedIn: 'root',
             },] }
 ];
-LifeReadyAuthService.ctorParameters = () => [
-    { type: undefined, decorators: [{ type: Inject, args: [KC_CONFIG,] }] },
+Auth2Service.ctorParameters = () => [
+    { type: NgZone },
+    { type: Injector },
+    { type: HttpClient },
     { type: AuthClass },
-    { type: KeyFactoryService },
+    { type: LrGraphQLService },
     { type: KeyService },
-    { type: ProfileService },
     { type: KeyGraphService },
+    { type: KeyFactoryService },
     { type: PasswordService },
     { type: IdleService },
-    { type: LrGraphQLService },
-    { type: TpPasswordResetProcessorService },
     { type: PersistService },
     { type: EncryptionService },
     { type: TpPasswordResetAssemblyController },
-    { type: HttpClient }
+    { type: undefined, decorators: [{ type: Inject, args: [KC_CONFIG,] }] }
 ];
+Auth2Service = Auth2Service_1 = __decorate([
+    RunOutsideAngular({
+        ngZoneName: 'ngZone',
+    })
+], Auth2Service);
 
 var FileType;
 (function (FileType) {
@@ -6717,7 +7404,7 @@ let ContactCard2Service = class ContactCard2Service {
     createContactCard(input) {
         return __awaiter(this, void 0, void 0, function* () {
             // Get encryption key
-            const rootKey = yield this.keyService.getCurrentRootKey();
+            const rootKey = this.keyService.currentRootKey;
             const key = yield this.keyFactory.createKey();
             const wrappedKey = yield this.keyGraph.encryptToString(rootKey.jwk, key.toJSON(true));
             const cipherData = yield this.keyGraph.encryptToString(key, input.plainCipherDataJson);
@@ -6756,7 +7443,7 @@ let ContactCard2Service = class ContactCard2Service {
     }
     prepareContactCardInput(input) {
         return __awaiter(this, void 0, void 0, function* () {
-            const sigPxk = yield this.keyService.getCurrentSigPxk();
+            const sigPxk = this.keyService.currentSigPxk;
             const publicDataSig = JSON.stringify(yield this.encryptionService.sign(sigPxk.jwk, input.publicDataJson));
             const publicSearchableSig = JSON.stringify(yield this.encryptionService.sign(sigPxk.jwk, input.publicSearchableJson));
             const plainDataSig = JSON.stringify(yield this.encryptionService.sign(sigPxk.jwk, input.plainDataJson));
@@ -7128,7 +7815,7 @@ query FileStateKeyQuery($id: LrRelayIdInput!) {
 
 var Item2Service_1;
 let Item2Service = Item2Service_1 = class Item2Service extends LrService {
-    constructor(ngZone, injector, fileUploadService, keyService, keyFactory, keyGraph, lockService, authService) {
+    constructor(ngZone, injector, fileUploadService, keyService, keyFactory, keyGraph, lockService, auth2Service) {
         super(injector);
         this.ngZone = ngZone;
         this.injector = injector;
@@ -7137,10 +7824,10 @@ let Item2Service = Item2Service_1 = class Item2Service extends LrService {
         this.keyFactory = keyFactory;
         this.keyGraph = keyGraph;
         this.lockService = lockService;
-        this.authService = authService;
+        this.auth2Service = auth2Service;
         // Caching the temp directory.
         this.tempDirectory = null;
-        this.authService.addLogoutListener(() => this.onLogout());
+        this.auth2Service.addLogoutListener(() => this.onLogout());
     }
     downloadFileContent(options) {
         return __awaiter(this, void 0, void 0, function* () {
@@ -7635,7 +8322,7 @@ let Item2Service = Item2Service_1 = class Item2Service extends LrService {
             // TODO this is rather an unfortunate name, change it to asRootDirectory.
             let parentRootDirectory;
             if (options.asRootDirectory) {
-                const rootKey = this.keyService.getCurrentRootKey();
+                const rootKey = this.keyService.currentRootKey;
                 parentRootDirectory = {
                     wrappingKeyId: rootKey.id,
                     wrappedKey: yield this.keyGraph.wrapKey(rootKey, directoryKey),
@@ -7704,7 +8391,7 @@ Item2Service.TEMP_DIRECTORY_PLAIN_META_FILTER = JSON.stringify({
         },
     ],
 });
-Item2Service.ɵprov = ɵɵdefineInjectable({ factory: function Item2Service_Factory() { return new Item2Service(ɵɵinject(NgZone), ɵɵinject(INJECTOR), ɵɵinject(FileUploadService), ɵɵinject(KeyService), ɵɵinject(KeyFactoryService), ɵɵinject(KeyGraphService), ɵɵinject(LockService), ɵɵinject(LifeReadyAuthService)); }, token: Item2Service, providedIn: "root" });
+Item2Service.ɵprov = ɵɵdefineInjectable({ factory: function Item2Service_Factory() { return new Item2Service(ɵɵinject(NgZone), ɵɵinject(INJECTOR), ɵɵinject(FileUploadService), ɵɵinject(KeyService), ɵɵinject(KeyFactoryService), ɵɵinject(KeyGraphService), ɵɵinject(LockService), ɵɵinject(Auth2Service)); }, token: Item2Service, providedIn: "root" });
 Item2Service.decorators = [
     { type: Injectable, args: [{
                 providedIn: 'root',
@@ -7718,7 +8405,7 @@ Item2Service.ctorParameters = () => [
     { type: KeyFactoryService },
     { type: KeyGraphService },
     { type: LockService },
-    { type: LifeReadyAuthService }
+    { type: Auth2Service }
 ];
 Item2Service = Item2Service_1 = __decorate([
     RunOutsideAngular({
@@ -7912,88 +8599,6 @@ mutation CompleteKeyExchangeOtk(
   }
 }`;
 
-const RequestUserDeleteMutation = gql `
-  mutation RequestUserDelete($input: RequestUserDeleteInput!) {
-    requestUserDelete(input: $input) {
-      userDelete {
-        state
-        created
-      }
-    }
-  }
-`;
-const CancelUserDeleteMutation = gql `
-  mutation CancelUserDelete($input: CancelUserDeleteInput!) {
-    cancelUserDelete(input: $input) {
-      id
-    }
-  }
-`;
-const LoginHistoryQuery = gql `
-  query LoginHistory($first: Int, $after: String) {
-    loginHistory(first: $first, after: $after) {
-      pageInfo {
-        hasNextPage
-        hasPreviousPage
-        startCursor
-        endCursor
-      }
-      events
-    }
-  }
-`;
-
-class UserService {
-    constructor(lrApollo) {
-        this.lrApollo = lrApollo;
-    }
-    requestUserDelete() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const res = yield this.lrApollo.mutate({
-                mutation: RequestUserDeleteMutation,
-                variables: {
-                    input: {},
-                },
-            });
-            return res.requestUserDelete.userDelete;
-        });
-    }
-    cancelUserDelete() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const res = yield this.lrApollo.mutate({
-                mutation: CancelUserDeleteMutation,
-                variables: {
-                    input: {},
-                },
-            });
-            return res.cancelUserDelete.id;
-        });
-    }
-    loginHistory(first = null, after = null) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // first: return first n entries
-            // after: pass in the pageInfo.endCursor to paginate
-            const res = yield this.lrApollo.query({
-                query: LoginHistoryQuery,
-                variables: {
-                    first,
-                    after,
-                },
-            });
-            return res.loginHistory;
-        });
-    }
-}
-UserService.ɵprov = ɵɵdefineInjectable({ factory: function UserService_Factory() { return new UserService(ɵɵinject(LrApolloService)); }, token: UserService, providedIn: "root" });
-UserService.decorators = [
-    { type: Injectable, args: [{
-                providedIn: 'root',
-            },] }
-];
-UserService.ctorParameters = () => [
-    { type: LrApolloService }
-];
-
 var OtkState;
 (function (OtkState) {
     OtkState["OTK_INITIATED"] = "OTK_INITIATED";
@@ -8002,13 +8607,12 @@ var OtkState;
 })(OtkState || (OtkState = {}));
 
 class KeyExchangeService {
-    constructor(keyFactory, keyService, lrApollo, encryptionService, authService, userService) {
+    constructor(keyFactory, keyService, lrApollo, encryptionService, auth2Service) {
         this.keyFactory = keyFactory;
         this.keyService = keyService;
         this.lrApollo = lrApollo;
         this.encryptionService = encryptionService;
-        this.authService = authService;
-        this.userService = userService;
+        this.auth2Service = auth2Service;
         this.CLIENT_NONCE_LENGTH = 32;
     }
     getKeyExchangeList(input = {}) {
@@ -8057,7 +8661,7 @@ class KeyExchangeService {
     decryptKeyExchange(keyExchange, otKeyK) {
         return __awaiter(this, void 0, void 0, function* () {
             if (keyExchange.isInitiator) {
-                const rootKey = yield this.keyService.getCurrentRootKey();
+                const rootKey = this.keyService.currentRootKey;
                 // Decrypt using the root key to get the Prk
                 const plainInitiatorRootKeyCipher = (yield this.encryptionService.decrypt(rootKey.jwk, keyExchange.initiatorRootKeyCipher));
                 const plainInitiatorOneTimePbkCipher = keyExchange.otk
@@ -8102,7 +8706,7 @@ class KeyExchangeService {
                 !keyExchange.isInitiator &&
                 keyExchange.otk.responderPbkCipher) {
                 // Assuming existing user getting invited where OTK is wrapped in responder's public key.
-                const prk = yield this.keyService.getCurrentPxk();
+                const prk = this.keyService.currentPxk;
                 const decryptedCipher = yield this.encryptionService.decrypt(prk.jwk, JSON.parse(keyExchange.otk.responderPbkCipher), {
                     serializations: [JoseSerialization.COMPACT],
                 });
@@ -8117,7 +8721,7 @@ class KeyExchangeService {
         return __awaiter(this, void 0, void 0, function* () {
             const otKey = yield this.keyFactory.createKey();
             const nonce = this.keyFactory.randomString(this.CLIENT_NONCE_LENGTH);
-            const user = yield this.authService.getUser();
+            const user = yield this.auth2Service.getUser();
             // New PKC key for encryption. This key is used only once when the responder sends
             // back their signing public key.
             const initiatorOneTimePrk = yield this.keyFactory.createPkcKey();
@@ -8125,8 +8729,8 @@ class KeyExchangeService {
             // const initiatorSigPrk = await this.keyService.createPkcSignKey();
             // Option 2: Use the user's global signing key.
             // This key is used to prove the initiator's identity.
-            const initiatorPrk = yield this.keyService.getCurrentPxk();
-            const initiatorSigPrk = yield this.keyService.getCurrentSigPxk();
+            const initiatorPrk = this.keyService.currentPxk;
+            const initiatorSigPrk = this.keyService.currentSigPxk;
             let initiatorPlainDataSig = null;
             if (contactCard && contactCard.ownerPlainData) {
                 initiatorPlainDataSig = JSON.stringify(yield this.encryptionService.sign(initiatorSigPrk.jwk, contactCard.ownerPlainData));
@@ -8162,7 +8766,7 @@ class KeyExchangeService {
                 initiatorContactCard: contactCard,
                 initiator,
             };
-            const rootKey = yield this.keyService.getCurrentRootKey();
+            const rootKey = this.keyService.currentRootKey;
             const initiatorRootKeyCipher = yield this.encryptionService.encrypt(rootKey.jwk, plainInitiatorRootKeyCipher);
             // The raw OTK
             const otKeyK = otKey.toJSON(true).k;
@@ -8195,10 +8799,9 @@ class KeyExchangeService {
     }
     respondOtk({ id, token, decryptedOtk, message, initiatorContactCard, responderContactCard: sentContactCard, }) {
         return __awaiter(this, void 0, void 0, function* () {
-            const user = yield this.authService.getUser();
-            const rootKey = yield this.keyService.getCurrentRootKey();
-            const masterKeyId = this.keyService.getCurrentMasterKey().id;
-            const masterKey = yield this.keyService.getCurrentMasterKey();
+            const user = yield this.auth2Service.getUser();
+            const rootKey = this.keyService.currentRootKey;
+            const masterKey = this.keyService.currentMasterKey;
             const sharedKey = yield this.keyFactory.createKey();
             const mkSharedKey = yield this.keyFactory.createKey();
             const rkWrappedSharedKey = yield this.encryptionService.encrypt(rootKey.jwk, sharedKey.toJSON(true));
@@ -8211,8 +8814,8 @@ class KeyExchangeService {
             // const responderSigPrk = await this.keyService.createPkcSignKey()
             // const rkWrappedResponderSigPrk = await this.encrypt(rootKey, responderSigPrk.toJSON(true));
             // Option 2: Responder already has a signing Prk
-            const responderPrk = yield this.keyService.getCurrentPxk();
-            const responderSigPrk = yield this.keyService.getCurrentSigPxk();
+            const responderPrk = this.keyService.currentPxk;
+            const responderSigPrk = this.keyService.currentSigPxk;
             const signedInitiatorPbk = yield this.encryptionService.sign(responderSigPrk.jwk, initiatorPbk.toJSON());
             const signedInitiatorSigPbk = yield this.encryptionService.sign(responderSigPrk.jwk, initiatorSigPbk.toJSON());
             const plainInitiatorOneTimePbkCipher = {
@@ -8238,7 +8841,7 @@ class KeyExchangeService {
                 // Create keys
                 const receiverKey = yield this.keyFactory.createKey();
                 const ccSharedKey = yield this.keyFactory.createKey();
-                const sigPxk = yield this.keyService.getCurrentSigPxk();
+                const sigPxk = this.keyService.currentSigPxk;
                 receivedCardInput = {
                     receiverWrappedKey: JSON.stringify(yield this.encryptionService.encrypt(rootKey.jwk, receiverKey.toJSON(true))),
                     receiverWrappingKeyId: rootKey.id,
@@ -8257,7 +8860,7 @@ class KeyExchangeService {
                 // Create keys
                 const ownerKey = yield this.keyFactory.createKey();
                 const ccSharedKey = yield this.keyFactory.createKey();
-                const sigPxk = yield this.keyService.getCurrentSigPxk();
+                const sigPxk = this.keyService.currentSigPxk;
                 sentCardInput = {
                     ownerWrappedKey: JSON.stringify(yield this.encryptionService.encrypt(rootKey.jwk, ownerKey.toJSON(true))),
                     ownerWrappingKeyId: rootKey.id,
@@ -8286,7 +8889,7 @@ class KeyExchangeService {
                         keyExchangeId: id,
                         keyExchangeToken: token,
                         rootKeyId: rootKey.id,
-                        masterKeyId,
+                        masterKeyId: masterKey.id,
                         // These will be stored on the server
                         responderPxkId: responderPrk.id,
                         responderSigPxkId: responderSigPrk.id,
@@ -8313,8 +8916,8 @@ class KeyExchangeService {
     }
     completeOtk(keyExchangeId, initiatorRootKeyCipher, initiatorOneTimePbkCipher, responderContactCard) {
         return __awaiter(this, void 0, void 0, function* () {
-            const rootKey = yield this.keyService.getCurrentRootKey();
-            const masterKey = yield this.keyService.getCurrentMasterKey();
+            const rootKey = this.keyService.currentRootKey;
+            const masterKey = this.keyService.currentMasterKey;
             // Decrypt using the root key to get the Prk
             const plainInitiatorRootKeyCipher = (yield this.encryptionService.decrypt(rootKey.jwk, initiatorRootKeyCipher));
             // The Prk is single-use and only used to send information from the responder back to the initiator.
@@ -8330,7 +8933,7 @@ class KeyExchangeService {
             // In this case the initiatorSigPrk is already a part of the key graph.
             // So there's nothing to do here.
             // Protected the signing public key of the responder.
-            const initiatorSigPrk = yield this.keyService.getCurrentSigPxk();
+            const initiatorSigPrk = this.keyService.currentSigPxk;
             const responderSigPbk = yield KeyFactoryService.asKey(plainInitiatorOneTimePbkCipher.responder.sigPbk);
             const responderPbk = yield KeyFactoryService.asKey(plainInitiatorOneTimePbkCipher.responder.pbk);
             const signedResponderPbk = yield this.encryptionService.sign(initiatorSigPrk.jwk, responderPbk.toJSON());
@@ -8408,7 +9011,7 @@ class KeyExchangeService {
         });
     }
 }
-KeyExchangeService.ɵprov = ɵɵdefineInjectable({ factory: function KeyExchangeService_Factory() { return new KeyExchangeService(ɵɵinject(KeyFactoryService), ɵɵinject(KeyService), ɵɵinject(LrApolloService), ɵɵinject(EncryptionService), ɵɵinject(LifeReadyAuthService), ɵɵinject(UserService)); }, token: KeyExchangeService, providedIn: "root" });
+KeyExchangeService.ɵprov = ɵɵdefineInjectable({ factory: function KeyExchangeService_Factory() { return new KeyExchangeService(ɵɵinject(KeyFactoryService), ɵɵinject(KeyService), ɵɵinject(LrApolloService), ɵɵinject(EncryptionService), ɵɵinject(Auth2Service)); }, token: KeyExchangeService, providedIn: "root" });
 KeyExchangeService.decorators = [
     { type: Injectable, args: [{
                 providedIn: 'root',
@@ -8419,8 +9022,7 @@ KeyExchangeService.ctorParameters = () => [
     { type: KeyService },
     { type: LrApolloService },
     { type: EncryptionService },
-    { type: LifeReadyAuthService },
-    { type: UserService }
+    { type: Auth2Service }
 ];
 
 const KeyExchangeFragment = gqlTyped `
@@ -8614,7 +9216,7 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
                 !keyExchange.isInitiator &&
                 keyExchange.otk.responderPbkCipher) {
                 // Assuming existing user getting invited where OTK is wrapped in responder's public key.
-                const prk = yield this.keyService.getCurrentPxk();
+                const prk = this.keyService.currentPxk;
                 const decryptedCipher = yield this.encryptionService.decrypt(prk.jwk, JSON.parse(keyExchange.otk.responderPbkCipher), {
                     serializations: [JoseSerialization.COMPACT],
                 });
@@ -8653,7 +9255,7 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
     }
     decryptKeyExchangeAsInitiator(keyExchange) {
         return __awaiter(this, void 0, void 0, function* () {
-            const rootKey = yield this.keyService.getCurrentRootKey();
+            const rootKey = this.keyService.currentRootKey;
             // Decrypt using the root key to get the Prk
             const initiatorRootKeyCipherClearJson = (yield this.encryptionService.decrypt(rootKey.jwk, keyExchange.initiatorRootKeyCipher));
             const otKey = yield KeyFactoryService.asKey(initiatorRootKeyCipherClearJson.otKey);
@@ -8778,8 +9380,8 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
             // const initiatorSigPrk = await this.keyService.createPkcSignKey();
             // Option 2: Use the user's global signing key.
             // This key is used to prove the initiator's identity.
-            const initiatorPrk = yield this.keyService.getCurrentPxk();
-            const initiatorSigPrk = yield this.keyService.getCurrentSigPxk();
+            const initiatorPrk = this.keyService.currentPxk;
+            const initiatorSigPrk = this.keyService.currentSigPxk;
             let initiatorPlainDataSig = null;
             if (contactCard && contactCard.ownerPlainDataJson) {
                 initiatorPlainDataSig = yield this.encryptionService.signToString(initiatorSigPrk.jwk, contactCard.ownerPlainDataJson);
@@ -8816,7 +9418,7 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
                 initiatorContactCard: contactCard,
                 initiator,
             };
-            const rootKey = yield this.keyService.getCurrentRootKey();
+            const rootKey = this.keyService.currentRootKey;
             const initiatorRootKeyCipher = yield this.keyGraph.encryptToString(rootKey.jwk, initiatorRootKeyCipherClearJson);
             // The raw OTK
             const otKeyK = otKey.toJSON(true).k;
@@ -8854,9 +9456,8 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
     }
     respondOtkMutation({ keyExchangeId, token, decryptedOtk, message, initiatorContactCard, responderContactCard, }) {
         return __awaiter(this, void 0, void 0, function* () {
-            const rootKey = yield this.keyService.getCurrentRootKey();
-            const masterKeyId = this.keyService.getCurrentMasterKey().id;
-            const masterKey = yield this.keyService.getCurrentMasterKey();
+            const rootKey = this.keyService.currentRootKey;
+            const masterKey = this.keyService.currentMasterKey;
             const sharedKey = yield this.keyFactory.createKey();
             const mkSharedKey = yield this.keyFactory.createKey();
             const rkWrappedSharedKey = yield this.encryptionService.encrypt(rootKey.jwk, sharedKey.toJSON(true));
@@ -8869,8 +9470,8 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
             // const responderSigPrk = await this.keyService.createPkcSignKey()
             // const rkWrappedResponderSigPrk = await this.encrypt(rootKey, responderSigPrk.toJSON(true));
             // Option 2: Responder already has a signing Prk
-            const responderPrk = yield this.keyService.getCurrentPxk();
-            const responderSigPrk = yield this.keyService.getCurrentSigPxk();
+            const responderPrk = this.keyService.currentPxk;
+            const responderSigPrk = this.keyService.currentSigPxk;
             const signedInitiatorPbk = yield this.encryptionService.sign(responderSigPrk.jwk, initiatorPbk.toJSON());
             const signedInitiatorSigPbk = yield this.encryptionService.sign(responderSigPrk.jwk, initiatorSigPbk.toJSON());
             const initiatorOneTimePbkCipherClearJson = {
@@ -8893,7 +9494,7 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
                 // Create keys
                 const receiverKey = yield this.keyFactory.createKey();
                 const ccSharedKey = yield this.keyFactory.createKey();
-                const sigPxk = yield this.keyService.getCurrentSigPxk();
+                const sigPxk = this.keyService.currentSigPxk;
                 receivedCardInput = {
                     receiverWrappedKey: JSON.stringify(yield this.encryptionService.encrypt(rootKey.jwk, receiverKey.toJSON(true))),
                     receiverWrappingKeyId: rootKey.id,
@@ -8912,7 +9513,7 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
                 // Create keys
                 const ownerKey = yield this.keyFactory.createKey();
                 const ccSharedKey = yield this.keyFactory.createKey();
-                const sigPxk = yield this.keyService.getCurrentSigPxk();
+                const sigPxk = this.keyService.currentSigPxk;
                 responderCardInput = {
                     ownerWrappedKey: JSON.stringify(yield this.encryptionService.encrypt(rootKey.jwk, ownerKey.toJSON(true))),
                     ownerWrappingKeyId: rootKey.id,
@@ -8941,7 +9542,7 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
                         keyExchangeId,
                         keyExchangeToken: token,
                         rootKeyId: rootKey.id,
-                        masterKeyId,
+                        masterKeyId: masterKey.id,
                         // These will be stored on the server
                         responderPxkId: responderPrk.id,
                         responderSigPxkId: responderSigPrk.id,
@@ -8970,8 +9571,8 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
     }
     completeOtkMutation({ keyExchangeId, initiatorRootKeyCipher, initiatorOneTimePbkCipher, responderContactCard, initiatorContactCard, }) {
         return __awaiter(this, void 0, void 0, function* () {
-            const rootKey = yield this.keyService.getCurrentRootKey();
-            const masterKey = yield this.keyService.getCurrentMasterKey();
+            const rootKey = this.keyService.currentRootKey;
+            const masterKey = this.keyService.currentMasterKey;
             // Decrypt using the root key to get the Prk
             const initiatorRootKeyCipherClearJson = (yield this.encryptionService.decrypt(rootKey.jwk, initiatorRootKeyCipher));
             // The Prk is single-use and only used to send information from the responder back to the initiator.
@@ -8988,7 +9589,7 @@ let KeyExchange2Service = class KeyExchange2Service extends LrService {
             // In this case the initiatorSigPrk is already a part of the key graph.
             // So there's nothing to do here.
             // Protected the signing public key of the responder.
-            const initiatorSigPrk = yield this.keyService.getCurrentSigPxk();
+            const initiatorSigPrk = this.keyService.currentSigPxk;
             const responderSigPbk = yield KeyFactoryService.asKey(plainInitiatorOneTimePbkCipher.responder.sigPbk);
             const responderPbk = yield KeyFactoryService.asKey(plainInitiatorOneTimePbkCipher.responder.pbk);
             const signedResponderPbk = yield this.encryptionService.sign(initiatorSigPrk.jwk, responderPbk.toJSON());
@@ -9129,12 +9730,12 @@ const LbopsQuery = gql `
   }
 `;
 class LbopService {
-    constructor(config, http, lrApollo, auth, authService, keyFactory, keyService, encryptionService, keyGraph, passwordService) {
+    constructor(config, http, lrApollo, auth, auth2Service, keyFactory, keyService, encryptionService, keyGraph, passwordService) {
         this.config = config;
         this.http = http;
         this.lrApollo = lrApollo;
         this.auth = auth;
-        this.authService = authService;
+        this.auth2Service = auth2Service;
         this.keyFactory = keyFactory;
         this.keyService = keyService;
         this.encryptionService = encryptionService;
@@ -9164,7 +9765,7 @@ class LbopService {
         return __awaiter(this, void 0, void 0, function* () {
             const lbop = yield this.get(id);
             lbop.name = name;
-            const masterKey = yield this.keyService.getCurrentMasterKey();
+            const masterKey = this.keyService.currentMasterKey;
             const cipherMeta = yield this.encryptionService.encrypt(masterKey.jwk, lbop);
             const res = yield this.lrApollo.mutate({
                 mutation: UpdateLbopQuery,
@@ -9186,7 +9787,7 @@ class LbopService {
                     id,
                 },
             });
-            const masterKey = yield this.keyService.getCurrentMasterKey();
+            const masterKey = this.keyService.currentMasterKey;
             const plainCipherMeta = yield this.encryptionService.decrypt(masterKey.jwk, JSON.parse(res.lbop.cipherMeta));
             return Object.assign({ id: res.id }, plainCipherMeta);
         });
@@ -9196,7 +9797,7 @@ class LbopService {
             const res = yield this.lrApollo.query({
                 query: LbopsQuery,
             });
-            const masterKey = yield this.keyService.getCurrentMasterKey();
+            const masterKey = yield this.keyService.currentMasterKey;
             return Promise.all(res.lbops.edges.map((edge) => __awaiter(this, void 0, void 0, function* () {
                 const plainCipherMeta = yield this.encryptionService.decrypt(masterKey.jwk, JSON.parse(edge.node.cipherMeta));
                 return Object.assign({ id: edge.node.id }, plainCipherMeta);
@@ -9227,8 +9828,7 @@ class LbopService {
             const lbopKeyVerifier = yield this.keyFactory.createSignKey();
             const wrappedLbopKeyVerifier = yield this.encryptionService.encrypt(lbopKey, lbopKeyVerifier.toJSON(true));
             // Re-encrypt master key with new key
-            const currentUser = yield this.authService.getUser();
-            const masterKey = yield this.keyGraph.getKey(currentUser.currentUserKey.masterKey.id);
+            const masterKey = this.keyService.currentMasterKey;
             const wrappedMasterKey = yield this.encryptionService.encrypt(lbopKey, masterKey.jwk.toJSON(true));
             const meta = Object.assign(Object.assign({}, (name && { name })), { partial: this.getPartial(lbopString) });
             const cipherMeta = yield this.encryptionService.encrypt(masterKey.jwk, meta);
@@ -9240,7 +9840,7 @@ class LbopService {
                         lbopKeyParams: JSON.stringify(lbopKeyParams),
                         lbopKeyVerifier: JSON.stringify(lbopKeyVerifier.toJSON(true)),
                         wrappedLbopKeyVerifier: JSON.stringify(wrappedLbopKeyVerifier),
-                        masterKeyId: currentUser.currentUserKey.masterKey.id,
+                        masterKeyId: masterKey.id,
                         wrappedMasterKey: JSON.stringify(wrappedMasterKey),
                     },
                 },
@@ -9392,7 +9992,7 @@ class LbopService {
         });
     }
 }
-LbopService.ɵprov = ɵɵdefineInjectable({ factory: function LbopService_Factory() { return new LbopService(ɵɵinject(KC_CONFIG), ɵɵinject(HttpClient), ɵɵinject(LrApolloService), ɵɵinject(AuthClass), ɵɵinject(LifeReadyAuthService), ɵɵinject(KeyFactoryService), ɵɵinject(KeyService), ɵɵinject(EncryptionService), ɵɵinject(KeyGraphService), ɵɵinject(PasswordService)); }, token: LbopService, providedIn: "root" });
+LbopService.ɵprov = ɵɵdefineInjectable({ factory: function LbopService_Factory() { return new LbopService(ɵɵinject(KC_CONFIG), ɵɵinject(HttpClient), ɵɵinject(LrApolloService), ɵɵinject(AuthClass), ɵɵinject(Auth2Service), ɵɵinject(KeyFactoryService), ɵɵinject(KeyService), ɵɵinject(EncryptionService), ɵɵinject(KeyGraphService), ɵɵinject(PasswordService)); }, token: LbopService, providedIn: "root" });
 LbopService.decorators = [
     { type: Injectable, args: [{
                 providedIn: 'root',
@@ -9403,7 +10003,7 @@ LbopService.ctorParameters = () => [
     { type: HttpClient },
     { type: LrApolloService },
     { type: AuthClass },
-    { type: LifeReadyAuthService },
+    { type: Auth2Service },
     { type: KeyFactoryService },
     { type: KeyService },
     { type: EncryptionService },
@@ -10094,7 +10694,7 @@ class SharedContactCardService {
         return __awaiter(this, void 0, void 0, function* () {
             const ownerKey = yield this.keyGraph.getKey(ownedKeyId);
             const sharedKey = yield this.keyGraph.getKey(sharedKeyId);
-            const sigPxk = yield this.keyService.getCurrentSigPxk();
+            const sigPxk = this.keyService.currentSigPxk;
             const sharedCipherData = yield this.encryptionService.encrypt(sharedKey.jwk, contactCard);
             const sharedCipherDataSig = JSON.stringify(yield this.encryptionService.sign(sigPxk.jwk, sharedCipherData));
             const ownerPlainData = {
@@ -10131,6 +10731,88 @@ SharedContactCardService.ctorParameters = () => [
     { type: EncryptionService }
 ];
 
+const RequestUserDeleteMutation = gql `
+  mutation RequestUserDelete($input: RequestUserDeleteInput!) {
+    requestUserDelete(input: $input) {
+      userDelete {
+        state
+        created
+      }
+    }
+  }
+`;
+const CancelUserDeleteMutation = gql `
+  mutation CancelUserDelete($input: CancelUserDeleteInput!) {
+    cancelUserDelete(input: $input) {
+      id
+    }
+  }
+`;
+const LoginHistoryQuery = gql `
+  query LoginHistory($first: Int, $after: String) {
+    loginHistory(first: $first, after: $after) {
+      pageInfo {
+        hasNextPage
+        hasPreviousPage
+        startCursor
+        endCursor
+      }
+      events
+    }
+  }
+`;
+
+class UserService {
+    constructor(lrApollo) {
+        this.lrApollo = lrApollo;
+    }
+    requestUserDelete() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const res = yield this.lrApollo.mutate({
+                mutation: RequestUserDeleteMutation,
+                variables: {
+                    input: {},
+                },
+            });
+            return res.requestUserDelete.userDelete;
+        });
+    }
+    cancelUserDelete() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const res = yield this.lrApollo.mutate({
+                mutation: CancelUserDeleteMutation,
+                variables: {
+                    input: {},
+                },
+            });
+            return res.cancelUserDelete.id;
+        });
+    }
+    loginHistory(first = null, after = null) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // first: return first n entries
+            // after: pass in the pageInfo.endCursor to paginate
+            const res = yield this.lrApollo.query({
+                query: LoginHistoryQuery,
+                variables: {
+                    first,
+                    after,
+                },
+            });
+            return res.loginHistory;
+        });
+    }
+}
+UserService.ɵprov = ɵɵdefineInjectable({ factory: function UserService_Factory() { return new UserService(ɵɵinject(LrApolloService)); }, token: UserService, providedIn: "root" });
+UserService.decorators = [
+    { type: Injectable, args: [{
+                providedIn: 'root',
+            },] }
+];
+UserService.ctorParameters = () => [
+    { type: LrApolloService }
+];
+
 const TrustedPartyProperties = `
   id
   user {
@@ -12315,7 +12997,7 @@ let SharedContactCard2Service = class SharedContactCard2Service {
                 ownerKey = yield this.keyGraph.getKey(keys.ownerKeyId);
                 sharedKey = yield this.keyGraph.getKey(keys.sharedKeyId);
             }
-            const sigPxk = yield this.keyService.getCurrentSigPxk();
+            const sigPxk = this.keyService.currentSigPxk;
             const sharedCipherData = yield this.encryptionService.encrypt(sharedKey.jwk, sharedCipherDataClearJson);
             const sharedCipherDataSig = JSON.stringify(yield this.encryptionService.sign(sigPxk.jwk, sharedCipherData));
             const ownerPlainDataSig = JSON.stringify(yield this.encryptionService.sign(sigPxk.jwk, ownerPlainDataJson));
@@ -12925,7 +13607,7 @@ let TrustedParty2Service = class TrustedParty2Service extends LrService {
             if (userSharedKey.mkSharedKey) {
                 throw new KcBadStateException('TP already has mkSharedKey');
             }
-            const masterKey = yield this.keyService.getCurrentMasterKey();
+            const masterKey = this.keyService.currentMasterKey;
             const prk = yield this.keyFactory.createPkcKey();
             const mkWrappedMkPrk = yield this.encryptionService.encryptToString(masterKey.jwk, prk.toJSON(true));
             const sharedKey = yield this.keyGraph.getKey(userSharedKey.sharedKey.id);
@@ -12988,7 +13670,7 @@ let TrustedParty2Service = class TrustedParty2Service extends LrService {
                 id: plainMkReshareResponseCipher.mkSharedKey.id,
                 jwk: yield JWK.asKey(plainMkReshareResponseCipher.mkSharedKey.jwk),
             };
-            const masterKey = yield this.keyService.getCurrentMasterKey();
+            const masterKey = this.keyService.currentMasterKey;
             const mkWrappedMkSharedKey = yield this.encryptionService.encryptToString(masterKey.jwk, mkSharedKey.jwk.toJSON(true));
             return new LrMutation({
                 mutation: CompleteTpMkReshareMutation,
@@ -13116,5 +13798,5 @@ TwoFactorService.ctorParameters = () => [
  * Generated bundle index. Do not edit.
  */
 
-export { AccessLevel, AccessRoleChoice, AccessRoleMethodChoice, ApiContactCard, ApiCurrentUser, ArchiveDirectoryMutation, CancelUserDeleteMutation, Category, CategoryFields, CategoryFilter, CategoryMetaService, CategoryService, ClaimApproverState, ClaimState, CognitoChallengeUser, CommonProcessorsService, CompleteOtkMutation, Config, ContactCard2Service, ContactCardAddress, ContactCardName, CreateCategoryMutation, CreateContactCardMutation$1 as CreateContactCardMutation, CreateFileMutation, CreateFileQuery, CreateLbopQuery, CreateRecordContainerMutation, CreateRecordMutation, CreateVaultMutation, CurrentCategory, CurrentUser, CurrentUserKey, CurrentUserQuery, CurrentUserSharedKeyQuery, DEFAULT_BREADCRUMB_DEPTH, DEFAULT_DESCENDANTS_DEPTH, DefaultCategory, DefaultProcessorOptions, DefaultVaultFilter, DeleteCategoryMutation, DeleteFileMutation, DeleteLbopQuery, DeleteRecordMutation, DirectoryQuery, DirectoryType, ERROR_SOURCE, FeatureAction, Features, FetchKeyGraphField, FileOperationField, FileQuery, FileType, FileUploadService, GetCategoriesQuery, GetCategoryKeyIdQuery, GetCategoryQuery, GetMySharedCategoriesQuery, GetRecordQuery, GetRootDirectoryIdsQuery, GetTrustedPartyCategoriesQuery, GetVaultsQuery, IdleService, InitiateOtkMutation, Item2Service, KC_CONFIG, KcAuthException, KcBadArgumentException, KcBadLogicException, KcBadRequestException, KcBadSignatureException, KcBadStateException, KcBadTimeSyncException, KcCodeMismatchException, KcConcurrentAccessException, KcEncryptionException, KcError, KcErrorCode, KcException, KcInternalErrorException, KcLbopErrorCode, KcLockedException, KcNotFoundException, KcSuspiciousOperationException, KcUnsupportedException, KeyExchange2Service, KeyExchangeFields, KeyExchangeMode, KeyExchangeOtkState, KeyExchangeQuery, KeyExchangeService, KeyExchangeState, KeyExchangeTokenQuery, KeyExchangesQuery, KeyGraphField, KeyGraphFragment, LbopQuery, LbopService, LbopsQuery, LifeReadyAuthService, LifeReadyModule, LinkTypeField, LoadedCategoryTree, LockService, LockState, LoginHistoryQuery, LoginResult, LrApolloService, LrGraphQLService, LrMergedMutation, LrMutation, LrMutationBase, LrRecord, LrService, MainContactCard, MainContactCardFields, MainContactCardPlainFields, MainContactCardProperty, MessageService, MoveDirectoryQuery, MoveFileQuery, NewAttachment, NewCategory, NewOrUpdatedAttachment, NewRecord, NotificationService, OtkState, OwnerPlainDataJson, PassIdpApiResult, PasswordChangeStatus, PasswordCheck, PasswordService, PermissionChoice, PersistService, Plan, Plan2Service, PlanService, PlanState, PlanStateField, ProfileDetailsService, ProfileService, QueryProcessorService, RecordAttachment, RecordAttachmentFilter, RecordAttachmentService, RecordContentFilter, RecordField, RecordFieldType, RecordFilter, RecordService, RecordType, RecordTypeField, RecordTypeFieldOption, RecordTypeService, RecordTypeSummary, RecoveryStatus, RegisterResult, RegisterService, RequestUserDeleteMutation, RespondOtkMutation, RevertFileQuery, ScenarioLastClaimState, ScenarioService, ScenarioState, ServerConfigService, ServerTimeQuery, SharedAccess, SharedContactCard2Service, StripeBillingPortalSession, StripeCheckoutSession, Subscription, TimeService, TpAssemblyState, TpClaimApproverState, TpClaimState, TpPasswordResetRequestService, TpPasswordResetService, TpPasswordResetUserService, TrustedParty2Service, TrustedPartyDetails, TwoFactorService, UnarchiveDirectoryMutation, UpdateCategoryMutation, UpdateContactCardMutation$1 as UpdateContactCardMutation, UpdateFileQuery, UpdateLbopQuery, UpdateRecordContainerMutation, UpdateRecordMutation, UpdatedCategory, UpdatedRecord, UserDeleteState, UserPlan, UserService, UserSharedKeyFields, Vault, VaultCategory, VaultFields, VaultRecord, VaultRecordType, WebCryptoService, awsFetch, configureAmplifyAuth, configureApollo, fragmentSpreadAstSelection, gqlTyped, handleApolloError, handleCognitoCallback, httpOptions, initialiseAuth, mapEdges, mapUserPlans, parentCategoriesField, processConnection, throwClaimIdMismatch, throwClaimNotApproved, ɵ0, KeyGraphService as ɵa, EncryptionService as ɵb, KeyService as ɵc, KeyFactoryService as ɵd, KeyMetaService as ɵe, LrGraphQLService as ɵf, TpPasswordResetProcessorService as ɵg, RunOutsideAngular as ɵh, TpPasswordResetAssemblyController as ɵi, TpAssemblyController as ɵj, LrService as ɵk, SharedContactCardService as ɵl, TrustedPartyService as ɵm, ScenarioAssemblyController as ɵn, TpPasswordResetPrivateService as ɵo };
+export { AccessLevel, AccessRoleChoice, AccessRoleMethodChoice, ApiContactCard, ApiCurrentUser, ArchiveDirectoryMutation, Auth2Service, auth2_types as AuthTypes, CancelUserDeleteMutation, Category, CategoryFields, CategoryFilter, CategoryMetaService, CategoryService, ClaimApproverState, ClaimState, CognitoChallengeUser, CommonProcessorsService, CompleteOtkMutation, Config, ContactCard2Service, ContactCardAddress, ContactCardName, CreateCategoryMutation, CreateContactCardMutation$1 as CreateContactCardMutation, CreateFileMutation, CreateFileQuery, CreateLbopQuery, CreateRecordContainerMutation, CreateRecordMutation, CreateVaultMutation, CurrentCategory, CurrentUser, CurrentUserKey, CurrentUserQuery, CurrentUserSharedKeyQuery, DEFAULT_BREADCRUMB_DEPTH, DEFAULT_DESCENDANTS_DEPTH, DefaultCategory, DefaultProcessorOptions, DefaultVaultFilter, DeleteCategoryMutation, DeleteFileMutation, DeleteLbopQuery, DeleteRecordMutation, DirectoryQuery, DirectoryType, ERROR_SOURCE, FeatureAction, Features, FetchKeyGraphField, FileOperationField, FileQuery, FileType, FileUploadService, GetCategoriesQuery, GetCategoryKeyIdQuery, GetCategoryQuery, GetMySharedCategoriesQuery, GetRecordQuery, GetRootDirectoryIdsQuery, GetTrustedPartyCategoriesQuery, GetVaultsQuery, IdleService, InitiateOtkMutation, Item2Service, KC_CONFIG, KcAuthException, KcBadArgumentException, KcBadLogicException, KcBadRequestException, KcBadSignatureException, KcBadStateException, KcBadTimeSyncException, KcCodeMismatchException, KcConcurrentAccessException, KcEncryptionException, KcError, KcErrorCode, KcException, KcInternalErrorException, KcLbopErrorCode, KcLockedException, KcNotFoundException, KcSuspiciousOperationException, KcUnsupportedException, KeyExchange2Service, KeyExchangeFields, KeyExchangeMode, KeyExchangeOtkState, KeyExchangeQuery, KeyExchangeService, KeyExchangeState, KeyExchangeTokenQuery, KeyExchangesQuery, KeyGraphField, KeyGraphFragment, LbopQuery, LbopService, LbopsQuery, LifeReadyAuthService, LifeReadyModule, LinkTypeField, LoadedCategoryTree, LockService, LockState, LoginHistoryQuery, LoginResult, LrApolloService, LrGraphQLService, LrMergedMutation, LrMutation, LrMutationBase, LrRecord, LrService, MainContactCard, MainContactCardFields, MainContactCardPlainFields, MainContactCardProperty, MessageService, MoveDirectoryQuery, MoveFileQuery, NewAttachment, NewCategory, NewOrUpdatedAttachment, NewRecord, NotificationService, OtkState, OwnerPlainDataJson, PassIdpApiResult, PasswordChangeStatus, PasswordCheck, PasswordService, PermissionChoice, PersistService, Plan, Plan2Service, PlanService, PlanState, PlanStateField, ProfileDetailsService, ProfileService, QueryProcessorService, RecordAttachment, RecordAttachmentFilter, RecordAttachmentService, RecordContentFilter, RecordField, RecordFieldType, RecordFilter, RecordService, RecordType, RecordTypeField, RecordTypeFieldOption, RecordTypeService, RecordTypeSummary, RecoveryStatus, RegisterService, RequestUserDeleteMutation, RespondOtkMutation, RevertFileQuery, ScenarioLastClaimState, ScenarioService, ScenarioState, ServerConfigService, ServerTimeQuery, SharedAccess, SharedContactCard2Service, StripeBillingPortalSession, StripeCheckoutSession, Subscription, TimeService, TpAssemblyState, TpClaimApproverState, TpClaimState, TpPasswordResetRequestService, TpPasswordResetService, TpPasswordResetUserService, TrustedParty2Service, TrustedPartyDetails, TwoFactorService, UnarchiveDirectoryMutation, UpdateCategoryMutation, UpdateContactCardMutation$1 as UpdateContactCardMutation, UpdateFileQuery, UpdateLbopQuery, UpdateRecordContainerMutation, UpdateRecordMutation, UpdatedCategory, UpdatedRecord, UserDeleteState, UserPlan, UserService, UserSharedKeyFields, Vault, VaultCategory, VaultFields, VaultRecord, VaultRecordType, WebCryptoService, awsFetch, configureAmplifyAuth, configureApollo, fragmentSpreadAstSelection, gqlTyped, handleApolloError, handleCognitoCallback, httpOptions, initialiseAuth, mapEdges, mapUserPlans, parentCategoriesField, processConnection, throwClaimIdMismatch, throwClaimNotApproved, ɵ0, KeyGraphService as ɵa, EncryptionService as ɵb, KeyService as ɵc, KeyFactoryService as ɵd, KeyMetaService as ɵe, LrGraphQLService as ɵf, TpPasswordResetProcessorService as ɵg, RunOutsideAngular as ɵh, TpPasswordResetAssemblyController as ɵi, TpAssemblyController as ɵj, LrService as ɵk, SharedContactCardService as ɵl, TrustedPartyService as ɵm, ScenarioAssemblyController as ɵn, TpPasswordResetPrivateService as ɵo };
 //# sourceMappingURL=lifeready-core.js.map