@limrun/ui 0.9.0-rc.2 → 0.9.0-rc.5

package/src/core/device-install/apple/client.ts

@@ -1,152 +0,0 @@
-import { AppleGsaSrpClient } from './gsa-srp';
-import {
-  createAppleRelaySession,
-  deleteAppleRelaySession,
-  fetchAppleAccountSession,
-  proxyPhoneTwoFactorCode,
-  proxySrpComplete,
-  proxySrpInit,
-  proxyTwoFactorCode,
-  triggerPhoneTwoFactor,
-  triggerTrustedDeviceTwoFactor,
-  type AppleRelayResponse,
-} from './relay';
-
-export type AppleIDLoginInput = {
-  limbuildApiUrl: string;
-  accountName: string;
-  password: string;
-  token?: string;
-};
-
-export type AppleIDLoginResult = {
-  appleSessionId: string;
-  completeResponse: AppleRelayResponse;
-  twoFactorChallengeResponse?: AppleRelayResponse;
-  requiresTwoFactor: boolean;
-  finishTwoFactor: (code: string) => Promise<AppleRelayResponse>;
-  finalize: () => Promise<AppleRelayResponse>;
-  close: () => Promise<void>;
-};
-
-type TwoFactorMethod =
-  | { type: 'trustedDevice' }
-  | { type: 'phone'; phoneNumberId: number; mode: string };
-
-export async function startBrowserOwnedAppleIDLogin({
-  limbuildApiUrl,
-  accountName,
-  password,
-  token,
-}: AppleIDLoginInput): Promise<AppleIDLoginResult> {
-  const { appleSessionId } = await createAppleRelaySession(limbuildApiUrl, token);
-  try {
-    const srp = new AppleGsaSrpClient(accountName);
-    const initResponse = await proxySrpInit(limbuildApiUrl, appleSessionId, await srp.init(), token);
-    if (initResponse.status < 200 || initResponse.status >= 300) {
-      throw new Error(`Apple SRP init failed: HTTP ${initResponse.status} ${initResponse.rawBody ?? ''}`.trim());
-    }
-    if (!initResponse.body) {
-      throw new Error('Apple SRP init response did not include a body.');
-    }
-    const proof = await srp.complete(password, initResponse.body);
-    const completeResponse = await proxySrpComplete(
-      limbuildApiUrl,
-      appleSessionId,
-      {
-        ...proof,
-        rememberMe: false,
-        trustTokens: [],
-      },
-      token,
-    );
-    const requiresTwoFactor = completeResponse.status === 409;
-    let twoFactorChallengeResponse: AppleRelayResponse | undefined;
-    let twoFactorMethod: TwoFactorMethod = { type: 'trustedDevice' };
-    if (requiresTwoFactor) {
-      twoFactorChallengeResponse = await triggerTrustedDeviceTwoFactor(limbuildApiUrl, appleSessionId, token);
-      const phone = trustedPhoneNumberFromChallenge(twoFactorChallengeResponse.body);
-      if (phone) {
-        twoFactorMethod = {
-          type: 'phone',
-          phoneNumberId: phone.id,
-          mode: phone.pushMode ?? 'sms',
-        };
-      }
-      if (twoFactorChallengeResponse.status === 412) {
-        if (!phone) {
-          throw new Error('Apple requested phone verification but did not include a trusted phone number.');
-        }
-        twoFactorChallengeResponse = await triggerPhoneTwoFactor(
-          limbuildApiUrl,
-          appleSessionId,
-          phone.id,
-          phone.pushMode ?? 'sms',
-          token,
-        );
-      }
-      if (twoFactorChallengeResponse.status < 200 || twoFactorChallengeResponse.status >= 300) {
-        throw new Error(
-          `Apple two-factor challenge failed: HTTP ${twoFactorChallengeResponse.status} ${
-            twoFactorChallengeResponse.rawBody ?? ''
-          }`.trim(),
-        );
-      }
-    } else if (completeResponse.status < 200 || completeResponse.status >= 300) {
-      throw new Error(`Apple SRP complete failed: HTTP ${completeResponse.status} ${completeResponse.rawBody ?? ''}`.trim());
-    }
-    return {
-      appleSessionId,
-      completeResponse,
-      twoFactorChallengeResponse,
-      requiresTwoFactor,
-      finishTwoFactor: async (code) => {
-        const response =
-          twoFactorMethod.type === 'phone'
-            ? await proxyPhoneTwoFactorCode(
-                limbuildApiUrl,
-                appleSessionId,
-                twoFactorMethod.phoneNumberId,
-                code,
-                twoFactorMethod.mode,
-                token,
-              )
-            : await proxyTwoFactorCode(limbuildApiUrl, appleSessionId, code, token);
-        if (response.status < 200 || response.status >= 300) {
-          throw new Error(`Apple two-factor code failed: HTTP ${response.status} ${response.rawBody ?? ''}`.trim());
-        }
-        return response;
-      },
-      finalize: async () => fetchAppleAccountSession(limbuildApiUrl, appleSessionId, token),
-      close: () => deleteAppleRelaySession(limbuildApiUrl, appleSessionId, token),
-    };
-  } catch (error) {
-    await deleteAppleRelaySession(limbuildApiUrl, appleSessionId, token).catch(() => undefined);
-    throw error;
-  }
-}
-
-function trustedPhoneNumberFromChallenge(body: unknown) {
-  if (!isRecord(body)) return undefined;
-  const verification = isRecord(body.phoneNumberVerification) ? body.phoneNumberVerification : undefined;
-  const trustedPhoneNumber =
-    recordValue(verification?.trustedPhoneNumber) ??
-    recordValue(body.trustedPhoneNumber) ??
-    recordValue(body.phoneNumber);
-  if (!trustedPhoneNumber) return undefined;
-  const id = trustedPhoneNumber.id;
-  if (typeof id !== 'number') return undefined;
-  const pushMode =
-    typeof trustedPhoneNumber.pushMode === 'string' ? trustedPhoneNumber.pushMode
-    : typeof body.mode === 'string' ? body.mode
-    : undefined;
-  return { id, pushMode };
-}
-
-function recordValue(value: unknown) {
-  return isRecord(value) ? value : undefined;
-}
-
-function isRecord(value: unknown): value is Record<string, unknown> {
-  return typeof value === 'object' && value !== null && !Array.isArray(value);
-}

package/src/core/device-install/apple/crypto.ts

@@ -1,202 +0,0 @@
-import forge from 'node-forge';
-
-export type AppleSigningKeyMaterial = {
-  privateKey: CryptoKey;
-  privateKeyPKCS8Base64: string;
-  publicKeySPKIBase64: string;
-  csrPEM: string;
-  csrBase64: string;
-};
-
-export type AppleCSRInput = {
-  commonName: string;
-  emailAddress?: string;
-};
-
-export type ExportP12Input = {
-  privateKeyPKCS8Base64: string;
-  certificateBase64?: string;
-  certificatePEM?: string;
-  password: string;
-  friendlyName?: string;
-};
-
-const rsaAlgorithm: RsaHashedKeyGenParams = {
-  name: 'RSASSA-PKCS1-v1_5',
-  modulusLength: 2048,
-  publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-  hash: 'SHA-256',
-};
-
-export async function generateAppleSigningKeyAndCSR(input: AppleCSRInput): Promise<AppleSigningKeyMaterial> {
-  if (!crypto.subtle) {
-    throw new Error('WebCrypto is not available in this browser.');
-  }
-  const keyPair = await crypto.subtle.generateKey(rsaAlgorithm, true, ['sign', 'verify']);
-  const publicKeySPKI = new Uint8Array(await crypto.subtle.exportKey('spki', keyPair.publicKey));
-  const certificationRequestInfo = derSequence(
-    derInteger(0),
-    derName(input),
-    publicKeySPKI,
-    derContext(0, new Uint8Array()),
-  );
-  const signature = new Uint8Array(
-    await crypto.subtle.sign('RSASSA-PKCS1-v1_5', keyPair.privateKey, toArrayBuffer(certificationRequestInfo)),
-  );
-  const csrDER = derSequence(
-    certificationRequestInfo,
-    derSequence(derOID('1.2.840.113549.1.1.11'), derNull()),
-    derBitString(signature),
-  );
-  const privateKeyPKCS8 = new Uint8Array(await crypto.subtle.exportKey('pkcs8', keyPair.privateKey));
-  return {
-    privateKey: keyPair.privateKey,
-    privateKeyPKCS8Base64: bytesToBase64(privateKeyPKCS8),
-    publicKeySPKIBase64: bytesToBase64(publicKeySPKI),
-    csrPEM: pemBlock('CERTIFICATE REQUEST', csrDER),
-    csrBase64: bytesToBase64(csrDER),
-  };
-}
-
-export function exportAppleCertificateP12(input: ExportP12Input) {
-  if (!input.certificateBase64 && !input.certificatePEM) {
-    throw new Error('certificateBase64 or certificatePEM is required.');
-  }
-  const privateKey = forge.pki.privateKeyFromPem(
-    pemFromBase64('PRIVATE KEY', input.privateKeyPKCS8Base64),
-  );
-  const certificate = input.certificatePEM
-    ? forge.pki.certificateFromPem(input.certificatePEM)
-    : forge.pki.certificateFromAsn1(
-        forge.asn1.fromDer(forge.util.createBuffer(base64ToBinary(input.certificateBase64!))),
-      );
-  const p12 = forge.pkcs12.toPkcs12Asn1(privateKey, [certificate], input.password, {
-    algorithm: '3des',
-    friendlyName: input.friendlyName,
-  });
-  const der = forge.asn1.toDer(p12).getBytes();
-  return binaryToBase64(der);
-}
-
-function derName(input: AppleCSRInput) {
-  const attributes = [derAttribute('2.5.4.3', derUTF8String(input.commonName))];
-  if (input.emailAddress) {
-    attributes.push(derAttribute('1.2.840.113549.1.9.1', derIA5String(input.emailAddress)));
-  }
-  return derSequence(...attributes);
-}
-
-function derAttribute(oid: string, value: Uint8Array) {
-  return derSet(derSequence(derOID(oid), value));
-}
-
-function derSequence(...values: Uint8Array[]) {
-  return derTLV(0x30, concatBytes(...values));
-}
-
-function derSet(...values: Uint8Array[]) {
-  return derTLV(0x31, concatBytes(...values));
-}
-
-function derContext(tag: number, value: Uint8Array) {
-  return derTLV(0xa0 + tag, value);
-}
-
-function derInteger(value: number) {
-  return derTLV(0x02, new Uint8Array([value]));
-}
-
-function derNull() {
-  return new Uint8Array([0x05, 0x00]);
-}
-
-function derUTF8String(value: string) {
-  return derTLV(0x0c, new TextEncoder().encode(value));
-}
-
-function derIA5String(value: string) {
-  return derTLV(0x16, new TextEncoder().encode(value));
-}
-
-function derBitString(value: Uint8Array) {
-  return derTLV(0x03, concatBytes(new Uint8Array([0]), value));
-}
-
-function derOID(oid: string) {
-  const parts = oid.split('.').map((part) => parseInt(part, 10));
-  if (parts.length < 2 || parts.some((part) => !Number.isFinite(part))) {
-    throw new Error(`Invalid OID: ${oid}`);
-  }
-  const encoded = [parts[0] * 40 + parts[1]];
-  for (const part of parts.slice(2)) {
-    const stack = [part & 0x7f];
-    let value = part >> 7;
-    while (value > 0) {
-      stack.unshift((value & 0x7f) | 0x80);
-      value >>= 7;
-    }
-    encoded.push(...stack);
-  }
-  return derTLV(0x06, new Uint8Array(encoded));
-}
-
-function derTLV(tag: number, value: Uint8Array) {
-  return concatBytes(new Uint8Array([tag]), derLength(value.byteLength), value);
-}
-
-function derLength(length: number) {
-  if (length < 0x80) {
-    return new Uint8Array([length]);
-  }
-  const bytes: number[] = [];
-  let value = length;
-  while (value > 0) {
-    bytes.unshift(value & 0xff);
-    value >>= 8;
-  }
-  return new Uint8Array([0x80 | bytes.length, ...bytes]);
-}
-
-function concatBytes(...chunks: Uint8Array[]) {
-  const length = chunks.reduce((sum, chunk) => sum + chunk.byteLength, 0);
-  const out = new Uint8Array(length);
-  let offset = 0;
-  for (const chunk of chunks) {
-    out.set(chunk, offset);
-    offset += chunk.byteLength;
-  }
-  return out;
-}
-
-function pemBlock(label: string, der: Uint8Array) {
-  const base64 = bytesToBase64(der);
-  const lines = base64.match(/.{1,64}/g) ?? [];
-  return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
-}
-
-function pemFromBase64(label: string, base64: string) {
-  const lines = base64.match(/.{1,64}/g) ?? [];
-  return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
-}
-
-function bytesToBase64(bytes: Uint8Array) {
-  let binary = '';
-  for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-  return btoa(binary);
-}
-
-function binaryToBase64(binary: string) {
-  return btoa(binary);
-}
-
-function base64ToBinary(value: string) {
-  return atob(value);
-}
-
-function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
-  const copy = new Uint8Array(bytes.byteLength);
-  copy.set(bytes);
-  return copy.buffer;
-}

package/src/core/device-install/apple/gsa-srp.ts

@@ -1,127 +0,0 @@
-import { Hash, Mode, Srp, util } from '@foxt/js-srp';
-
-export type AppleSRPProtocol = 's2k' | 's2k_fo';
-
-export type AppleSRPInitRequest = {
-  a: string;
-  accountName: string;
-  protocols: AppleSRPProtocol[];
-};
-
-export type AppleSRPInitResponse = {
-  iteration: number;
-  salt: string;
-  protocol: AppleSRPProtocol;
-  b: string;
-  c: string;
-};
-
-export type AppleSRPCompleteProof = {
-  accountName: string;
-  m1: string;
-  m2: string;
-  c: string;
-};
-
-const srp = new Srp(Mode.GSA, Hash.SHA256, 2048);
-
-export class AppleGsaSrpClient {
-  private srpClient?: Awaited<ReturnType<typeof srp.newClient>>;
-
-  constructor(private readonly accountName: string) {}
-
-  async init(): Promise<AppleSRPInitRequest> {
-    if (this.srpClient) {
-      throw new Error('SRP client is already initialized.');
-    }
-    this.srpClient = await srp.newClient(stringToBytes(this.accountName), new Uint8Array());
-    return {
-      accountName: this.accountName,
-      protocols: ['s2k', 's2k_fo'],
-      a: bytesToBase64(util.bytesFromBigint(this.srpClient.A)),
-    };
-  }
-
-  async complete(password: string, serverData: AppleSRPInitResponse): Promise<AppleSRPCompleteProof> {
-    if (!this.srpClient) {
-      throw new Error('SRP client is not initialized.');
-    }
-    if (serverData.protocol !== 's2k' && serverData.protocol !== 's2k_fo') {
-      throw new Error(`Unsupported Apple SRP protocol ${serverData.protocol}.`);
-    }
-    const salt = base64ToBytes(serverData.salt);
-    const serverPublicKey = base64ToBytes(serverData.b);
-    const derivedPassword = await deriveApplePassword(
-      serverData.protocol,
-      password,
-      salt,
-      serverData.iteration,
-    );
-    this.srpClient.p = derivedPassword;
-    await this.srpClient.generate(salt, serverPublicKey);
-    const m2 = await this.srpClient.generateM2();
-    return {
-      accountName: this.accountName,
-      c: serverData.c,
-      m1: bytesToBase64(this.srpClient._M),
-      m2: bytesToBase64(m2),
-    };
-  }
-}
-
-async function deriveApplePassword(
-  protocol: AppleSRPProtocol,
-  password: string,
-  salt: Uint8Array,
-  iterations: number,
-) {
-  let passHash = new Uint8Array(await util.hash(srp.h, toArrayBuffer(stringToBytes(password))));
-  if (protocol === 's2k_fo') {
-    passHash = stringToBytes(util.toHex(passHash));
-  }
-  const imported = await crypto.subtle.importKey(
-    'raw',
-    toArrayBuffer(passHash),
-    { name: 'PBKDF2' },
-    false,
-    ['deriveBits'],
-  );
-  const derived = await crypto.subtle.deriveBits(
-    {
-      name: 'PBKDF2',
-      hash: { name: 'SHA-256' },
-      iterations,
-      salt: toArrayBuffer(salt),
-    },
-    imported,
-    256,
-  );
-  return new Uint8Array(derived);
-}
-
-function stringToBytes(value: string) {
-  return new TextEncoder().encode(value);
-}
-
-function bytesToBase64(bytes: Uint8Array) {
-  let binary = '';
-  for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-  return btoa(binary);
-}
-
-function base64ToBytes(value: string) {
-  const binary = atob(value);
-  const bytes = new Uint8Array(binary.length);
-  for (let index = 0; index < binary.length; index += 1) {
-    bytes[index] = binary.charCodeAt(index);
-  }
-  return bytes;
-}
-
-function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
-  const copy = new Uint8Array(bytes.byteLength);
-  copy.set(bytes);
-  return copy.buffer;
-}

package/src/core/device-install/apple/index.ts

@@ -1,5 +0,0 @@
-export * from './client';
-export * from './crypto';
-export * from './gsa-srp';
-export * from './provisioning';
-export * from './relay';