@limrun/ui 0.9.0-rc.5 → 0.9.0-rc.7

package/src/core/device-install/apple/gsa-srp.ts

@@ -0,0 +1,127 @@
+import { Hash, Mode, Srp, util } from '@foxt/js-srp';
+
+export type AppleSRPProtocol = 's2k' | 's2k_fo';
+
+export type AppleSRPInitRequest = {
+  a: string;
+  accountName: string;
+  protocols: AppleSRPProtocol[];
+};
+
+export type AppleSRPInitResponse = {
+  iteration: number;
+  salt: string;
+  protocol: AppleSRPProtocol;
+  b: string;
+  c: string;
+};
+
+export type AppleSRPCompleteProof = {
+  accountName: string;
+  m1: string;
+  m2: string;
+  c: string;
+};
+
+const srp = new Srp(Mode.GSA, Hash.SHA256, 2048);
+
+export class AppleGsaSrpClient {
+  private srpClient?: Awaited<ReturnType<typeof srp.newClient>>;
+
+  constructor(private readonly accountName: string) {}
+
+  async init(): Promise<AppleSRPInitRequest> {
+    if (this.srpClient) {
+      throw new Error('SRP client is already initialized.');
+    }
+    this.srpClient = await srp.newClient(stringToBytes(this.accountName), new Uint8Array());
+    return {
+      accountName: this.accountName,
+      protocols: ['s2k', 's2k_fo'],
+      a: bytesToBase64(util.bytesFromBigint(this.srpClient.A)),
+    };
+  }
+
+  async complete(password: string, serverData: AppleSRPInitResponse): Promise<AppleSRPCompleteProof> {
+    if (!this.srpClient) {
+      throw new Error('SRP client is not initialized.');
+    }
+    if (serverData.protocol !== 's2k' && serverData.protocol !== 's2k_fo') {
+      throw new Error(`Unsupported Apple SRP protocol ${serverData.protocol}.`);
+    }
+    const salt = base64ToBytes(serverData.salt);
+    const serverPublicKey = base64ToBytes(serverData.b);
+    const derivedPassword = await deriveApplePassword(
+      serverData.protocol,
+      password,
+      salt,
+      serverData.iteration,
+    );
+    this.srpClient.p = derivedPassword;
+    await this.srpClient.generate(salt, serverPublicKey);
+    const m2 = await this.srpClient.generateM2();
+    return {
+      accountName: this.accountName,
+      c: serverData.c,
+      m1: bytesToBase64(this.srpClient._M),
+      m2: bytesToBase64(m2),
+    };
+  }
+}
+
+async function deriveApplePassword(
+  protocol: AppleSRPProtocol,
+  password: string,
+  salt: Uint8Array,
+  iterations: number,
+) {
+  let passHash = new Uint8Array(await util.hash(srp.h, toArrayBuffer(stringToBytes(password))));
+  if (protocol === 's2k_fo') {
+    passHash = stringToBytes(util.toHex(passHash));
+  }
+  const imported = await crypto.subtle.importKey(
+    'raw',
+    toArrayBuffer(passHash),
+    { name: 'PBKDF2' },
+    false,
+    ['deriveBits'],
+  );
+  const derived = await crypto.subtle.deriveBits(
+    {
+      name: 'PBKDF2',
+      hash: { name: 'SHA-256' },
+      iterations,
+      salt: toArrayBuffer(salt),
+    },
+    imported,
+    256,
+  );
+  return new Uint8Array(derived);
+}
+
+function stringToBytes(value: string) {
+  return new TextEncoder().encode(value);
+}
+
+function bytesToBase64(bytes: Uint8Array) {
+  let binary = '';
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary);
+}
+
+function base64ToBytes(value: string) {
+  const binary = atob(value);
+  const bytes = new Uint8Array(binary.length);
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+  return bytes;
+}
+
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  const copy = new Uint8Array(bytes.byteLength);
+  copy.set(bytes);
+  return copy.buffer;
+}

package/src/core/device-install/apple/index.ts

@@ -0,0 +1,5 @@
+export * from './client';
+export * from './crypto';
+export * from './gsa-srp';
+export * from './provisioning';
+export * from './relay';

package/src/core/device-install/apple/provisioning.ts

@@ -0,0 +1,298 @@
+import type { ProvisioningProfileInfo, StoredSigningAssets } from '../types';
+import {
+  getSigningAssets,
+  normalizeBundleID,
+  normalizeUDID,
+  profileContainsDevice,
+  profileMatchesBundleID,
+  putSigningAssets,
+} from '../storage';
+import type { AppleProvisioningRequest } from './relay';
+
+export type AppleDeveloperPortalTeam = {
+  name?: string;
+  teamId?: string;
+  providerId?: string | number;
+  publicProviderId?: string;
+  type?: string;
+  subType?: string;
+};
+
+export type AppleDeveloperPortalDevice = {
+  deviceId?: string;
+  name?: string;
+  deviceNumber?: string;
+  deviceClass?: string;
+  model?: string;
+  status?: string;
+};
+
+export type AppleDeveloperPortalAppID = {
+  appId?: string;
+  appIdId?: string;
+  identifier?: string;
+  bundleId?: string;
+  name?: string;
+  prefix?: string;
+  platform?: string;
+};
+
+export type AppleDeveloperPortalResponse = {
+  resultCode?: number;
+  resultString?: string;
+  userString?: string;
+  teams?: AppleDeveloperPortalTeam[];
+  provider?: AppleDeveloperPortalTeam;
+  availableProviders?: AppleDeveloperPortalTeam[];
+  appIds?: AppleDeveloperPortalAppID[];
+  devices?: AppleDeveloperPortalDevice[];
+  certRequests?: Array<Record<string, unknown>>;
+  certRequest?: Record<string, unknown>;
+  appId?: Record<string, unknown>;
+  device?: Record<string, unknown>;
+  provisioningProfile?: Record<string, unknown>;
+  provisioningProfiles?: Array<Record<string, unknown>>;
+};
+
+export type AppleProvisioningContext = {
+  bundleID: string;
+  deviceUDID: string;
+  teamID?: string;
+};
+
+export type AppleSigningAssetCacheInput = {
+  bundleID: string;
+  deviceUDID?: string;
+  teamID?: string;
+};
+
+export type PutAppleGeneratedSigningAssetsInput = {
+  bundleID: string;
+  deviceUDID?: string;
+  teamID?: string;
+  certificateID?: string;
+  certificateP12Base64: string;
+  certificatePassword: string;
+  provisioningProfileBase64: string;
+  profile: ProvisioningProfileInfo;
+};
+
+export function listTeamsRequest(): AppleProvisioningRequest {
+  return {
+    method: 'POST',
+    path: '/account/listTeams.action',
+    payload: {},
+  };
+}
+
+export function findBundleIDRequest({ bundleID, teamID = '' }: Pick<AppleProvisioningContext, 'bundleID' | 'teamID'>) {
+  void bundleID;
+  return pagedRequest('/account/ios/identifiers/listAppIds.action', teamID, { sort: 'name=asc' });
+}
+
+export function findDeviceRequest({ deviceUDID, teamID = '' }: Pick<AppleProvisioningContext, 'deviceUDID' | 'teamID'>) {
+  void deviceUDID;
+  return pagedRequest('/account/ios/device/listDevices.action', teamID, {
+    sort: 'name=asc',
+    includeRemovedDevices: false,
+  });
+}
+
+export function findDevelopmentCertificatesRequest(teamID = '') {
+  return pagedRequest('/account/ios/certificate/listCertRequests.action', teamID, {
+    sort: 'name=asc',
+    types: '83Q87W3TGH,5QPB9NHCEI',
+  });
+}
+
+export function findDevelopmentProfilesRequest({
+  bundleID,
+  teamID = '',
+}: Pick<AppleProvisioningContext, 'bundleID' | 'teamID'>) {
+  return pagedRequest('/account/ios/profile/listProvisioningProfiles.action', teamID, {
+    search: bundleID,
+    sort: 'name=asc',
+  });
+}
+
+export function registerDeviceRequest({
+  deviceUDID,
+  teamID = '',
+  name = 'Limrun iPhone',
+}: Pick<AppleProvisioningContext, 'deviceUDID' | 'teamID'> & { name?: string }) {
+  return {
+    method: 'POST',
+    path: '/account/ios/device/addDevices.action',
+    payload: {
+      teamId: teamID,
+      deviceNames: name,
+      deviceNumbers: normalizeUDID(deviceUDID),
+      deviceClasses: 'iphone',
+      register: 'single',
+    },
+  } satisfies AppleProvisioningRequest;
+}
+
+export function createBundleIDRequest({
+  bundleID,
+  teamID = '',
+  name,
+}: Pick<AppleProvisioningContext, 'bundleID' | 'teamID'> & { name?: string }) {
+  return {
+    method: 'POST',
+    path: '/account/ios/identifiers/addAppId.action',
+    payload: {
+      teamId: teamID,
+      name: name ?? bundleID,
+      identifier: bundleID,
+      type: 'explicit',
+    },
+  } satisfies AppleProvisioningRequest;
+}
+
+export function submitDevelopmentCSRRequest({
+  csrPEM,
+  teamID = '',
+}: {
+  csrPEM: string;
+  teamID?: string;
+}) {
+  return {
+    method: 'POST',
+    path: '/account/ios/certificate/submitCertificateRequest.action',
+    payload: {
+      teamId: teamID,
+      type: '83Q87W3TGH',
+      csrContent: csrPEM,
+    },
+  } satisfies AppleProvisioningRequest;
+}
+
+export function downloadCertificateRequest(certificateID: string, teamID = '') {
+  return {
+    method: 'GET',
+    path: '/account/ios/certificate/downloadCertificateContent.action',
+    payload: {
+      teamId: teamID,
+      certificateId: certificateID,
+      type: '83Q87W3TGH',
+    },
+  } satisfies AppleProvisioningRequest;
+}
+
+export function createDevelopmentProfileRequest({
+  bundleID,
+  teamID = '',
+  appIDID,
+  certificateID,
+  deviceIDs,
+  name,
+}: Pick<AppleProvisioningContext, 'bundleID' | 'teamID'> & {
+  appIDID: string;
+  certificateID: string;
+  deviceIDs: string[];
+  name?: string;
+}) {
+  return {
+    method: 'POST',
+    path: '/account/ios/profile/createProvisioningProfile.action',
+    payload: {
+      teamId: teamID,
+      provisioningProfileName: name ?? `Limrun ${bundleID}`,
+      certificateIds: [certificateID],
+      appIdId: appIDID,
+      deviceIds: deviceIDs,
+      distributionType: 'limited',
+      subPlatform: 'ios',
+    },
+  } satisfies AppleProvisioningRequest;
+}
+
+export function downloadProfileRequest(profileID: string, teamID = '') {
+  return {
+    method: 'GET',
+    path: '/account/ios/profile/downloadProfileContent',
+    payload: {
+      teamId: teamID,
+      provisioningProfileId: profileID,
+    },
+  } satisfies AppleProvisioningRequest;
+}
+
+export async function getReusableAppleSigningAssets({
+  bundleID,
+  deviceUDID,
+  teamID,
+}: AppleSigningAssetCacheInput) {
+  const stored = await getSigningAssets({ bundleID, deviceUDID });
+  if (!stored || !storedSigningAssetsReusable(stored, { bundleID, deviceUDID, teamID })) {
+    return undefined;
+  }
+  return stored;
+}
+
+export async function putAppleGeneratedSigningAssets(input: PutAppleGeneratedSigningAssetsInput) {
+  return putSigningAssets({
+    ...input,
+    certificateFileName: input.certificateID ? `${input.certificateID}.p12` : 'apple-development.p12',
+    profileFileName: input.profile.uuid ? `${input.profile.uuid}.mobileprovision` : 'apple-development.mobileprovision',
+  });
+}
+
+export function storedSigningAssetsReusable(
+  stored: StoredSigningAssets,
+  { bundleID, deviceUDID, teamID }: AppleSigningAssetCacheInput,
+) {
+  if (!profileMatchesBundleID(stored.profile, bundleID)) {
+    return false;
+  }
+  if (teamID && stored.teamID && stored.teamID !== teamID) {
+    return false;
+  }
+  if (deviceUDID && !profileContainsDevice(stored.profile, deviceUDID)) {
+    return false;
+  }
+  if (stored.profile.expirationDate && new Date(stored.profile.expirationDate).getTime() <= Date.now()) {
+    return false;
+  }
+  return normalizeBundleID(stored.bundleID) === normalizeBundleID(bundleID);
+}
+
+export function selectDeveloperPortalTeam(body: unknown): AppleDeveloperPortalTeam | undefined {
+  const response = body as AppleDeveloperPortalResponse | undefined;
+  return response?.teams?.[0] ?? response?.provider ?? response?.availableProviders?.[0];
+}
+
+export function teamIDCandidates(body: unknown): string[] {
+  const response = body as AppleDeveloperPortalResponse | undefined;
+  const teams = [
+    ...(response?.teams ?? []),
+    ...(response?.provider ? [response.provider] : []),
+    ...(response?.availableProviders ?? []),
+  ];
+  const ids = new Set<string>();
+  for (const team of teams) {
+    for (const value of [team.teamId, team.providerId, team.publicProviderId]) {
+      if (value !== undefined && value !== '') {
+        ids.add(String(value));
+      }
+    }
+  }
+  return [...ids];
+}
+
+function pagedRequest(path: string, teamID: string, payload: Record<string, unknown> = {}) {
+  const basePayload: Record<string, unknown> = {
+    pageNumber: 1,
+    pageSize: 200,
+    ...payload,
+  };
+  if (teamID) {
+    basePayload.teamId = teamID;
+  }
+  return {
+    method: 'POST',
+    path,
+    payload: basePayload,
+  } satisfies AppleProvisioningRequest;
+}

package/src/core/device-install/apple/relay.ts

@@ -0,0 +1,221 @@
+import type { AppleSRPCompleteProof, AppleSRPInitRequest, AppleSRPInitResponse } from './gsa-srp';
+
+export type AppleRelayResponse<T = unknown> = {
+  status: number;
+  statusText: string;
+  headers?: Record<string, string>;
+  body?: T;
+  rawBody?: string;
+  rawBodyBase64?: string;
+};
+
+export type AppleProvisioningRequest = {
+  method?: 'GET' | 'POST';
+  path: string;
+  payload?: unknown;
+};
+
+export async function createAppleRelaySession(limbuildApiUrl: string, token?: string) {
+  const response = await fetch(limbuildURL(limbuildApiUrl, '/apple/auth/session', token), {
+    method: 'POST',
+    headers: authHeaders(token),
+  });
+  if (!response.ok) {
+    throw new Error(`Apple relay session failed: HTTP ${response.status} ${await response.text()}`);
+  }
+  return (await response.json()) as { appleSessionId: string };
+}
+
+export async function deleteAppleRelaySession(limbuildApiUrl: string, appleSessionId: string, token?: string) {
+  const response = await fetch(limbuildURL(limbuildApiUrl, '/apple/auth/session/delete', token), {
+    method: 'POST',
+    headers: jsonHeaders(token),
+    body: JSON.stringify({ appleSessionId }),
+  });
+  if (!response.ok) {
+    throw new Error(`Apple relay session delete failed: HTTP ${response.status} ${await response.text()}`);
+  }
+}
+
+export async function proxySrpInit(
+  limbuildApiUrl: string,
+  appleSessionId: string,
+  payload: AppleSRPInitRequest,
+  token?: string,
+) {
+  return postAppleProxy<AppleSRPInitResponse>(
+    limbuildApiUrl,
+    '/apple/auth/srp/init',
+    appleSessionId,
+    payload,
+    token,
+  );
+}
+
+export async function proxySrpComplete(
+  limbuildApiUrl: string,
+  appleSessionId: string,
+  payload: AppleSRPCompleteProof & {
+    rememberMe: boolean;
+    trustTokens: string[];
+  },
+  token?: string,
+) {
+  return postAppleProxy(limbuildApiUrl, '/apple/auth/srp/complete', appleSessionId, payload, token);
+}
+
+export async function triggerTrustedDeviceTwoFactor(
+  limbuildApiUrl: string,
+  appleSessionId: string,
+  token?: string,
+) {
+  const response = await fetch(limbuildURL(limbuildApiUrl, '/apple/auth/2fa/trigger', token), {
+    method: 'POST',
+    headers: jsonHeaders(token),
+    body: JSON.stringify({ appleSessionId }),
+  });
+  if (!response.ok) {
+    throw new Error(`Apple 2FA trigger failed: HTTP ${response.status} ${await response.text()}`);
+  }
+  return (await response.json()) as AppleRelayResponse;
+}
+
+export async function triggerPhoneTwoFactor(
+  limbuildApiUrl: string,
+  appleSessionId: string,
+  phoneNumberId: number,
+  mode = 'sms',
+  token?: string,
+) {
+  const response = await fetch(limbuildURL(limbuildApiUrl, '/apple/auth/2fa/phone/trigger', token), {
+    method: 'POST',
+    headers: jsonHeaders(token),
+    body: JSON.stringify({ appleSessionId, phoneNumberId, mode }),
+  });
+  if (!response.ok) {
+    throw new Error(`Apple phone 2FA trigger failed: HTTP ${response.status} ${await response.text()}`);
+  }
+  return (await response.json()) as AppleRelayResponse;
+}
+
+export async function proxyTwoFactorCode(
+  limbuildApiUrl: string,
+  appleSessionId: string,
+  code: string,
+  token?: string,
+) {
+  const response = await fetch(limbuildURL(limbuildApiUrl, '/apple/auth/2fa', token), {
+    method: 'POST',
+    headers: jsonHeaders(token),
+    body: JSON.stringify({ appleSessionId, code }),
+  });
+  if (!response.ok) {
+    throw new Error(`Apple 2FA proxy failed: HTTP ${response.status} ${await response.text()}`);
+  }
+  return (await response.json()) as AppleRelayResponse;
+}
+
+export async function proxyPhoneTwoFactorCode(
+  limbuildApiUrl: string,
+  appleSessionId: string,
+  phoneNumberId: number,
+  code: string,
+  mode = 'sms',
+  token?: string,
+) {
+  const response = await fetch(limbuildURL(limbuildApiUrl, '/apple/auth/2fa/phone', token), {
+    method: 'POST',
+    headers: jsonHeaders(token),
+    body: JSON.stringify({ appleSessionId, phoneNumberId, mode, code }),
+  });
+  if (!response.ok) {
+    throw new Error(`Apple phone 2FA proxy failed: HTTP ${response.status} ${await response.text()}`);
+  }
+  return (await response.json()) as AppleRelayResponse;
+}
+
+export async function fetchAppleAccountSession(
+  limbuildApiUrl: string,
+  appleSessionId: string,
+  token?: string,
+) {
+  const response = await fetch(limbuildURL(limbuildApiUrl, '/apple/auth/finalize', token), {
+    method: 'POST',
+    headers: jsonHeaders(token),
+    body: JSON.stringify({ appleSessionId }),
+  });
+  if (!response.ok) {
+    throw new Error(`Apple session finalization failed: HTTP ${response.status} ${await response.text()}`);
+  }
+  return (await response.json()) as AppleRelayResponse;
+}
+
+export async function proxyProvisioningRequest<T = unknown>(
+  limbuildApiUrl: string,
+  appleSessionId: string,
+  request: AppleProvisioningRequest,
+  token?: string,
+) {
+  const response = await fetch(limbuildURL(limbuildApiUrl, '/apple/provisioning', token), {
+    method: 'POST',
+    headers: jsonHeaders(token),
+    body: JSON.stringify({ appleSessionId, ...request }),
+  });
+  if (!response.ok) {
+    throw new Error(`Apple provisioning proxy failed: HTTP ${response.status} ${await response.text()}`);
+  }
+  return normalizeAppleProxyResponse<T>((await response.json()) as AppleRelayResponse<T>);
+}
+
+async function postAppleProxy<T>(
+  limbuildApiUrl: string,
+  path: string,
+  appleSessionId: string,
+  payload: unknown,
+  token?: string,
+) {
+  const response = await fetch(limbuildURL(limbuildApiUrl, path, token), {
+    method: 'POST',
+    headers: jsonHeaders(token),
+    body: JSON.stringify({ appleSessionId, payload }),
+  });
+  if (!response.ok) {
+    throw new Error(`Apple proxy ${path} failed: HTTP ${response.status} ${await response.text()}`);
+  }
+  return normalizeAppleProxyResponse<T>((await response.json()) as AppleRelayResponse<T>);
+}
+
+function normalizeAppleProxyResponse<T>(response: AppleRelayResponse<T>) {
+  if (response.body !== undefined || !response.rawBody) {
+    return response;
+  }
+  try {
+    return {
+      ...response,
+      body: JSON.parse(response.rawBody) as T,
+    };
+  } catch {
+    return response;
+  }
+}
+
+function limbuildURL(limbuildApiUrl: string, path: string, token?: string) {
+  const base = limbuildApiUrl.replace(/\/$/, '');
+  const suffix = path.startsWith('/') ? path : `/${path}`;
+  const url = new URL(`${base}${suffix}`);
+  if (token) {
+    url.searchParams.set('token', token);
+  }
+  return url;
+}
+
+function jsonHeaders(token?: string): Record<string, string> {
+  return {
+    'Content-Type': 'application/json',
+    ...authHeaders(token),
+  };
+}
+
+function authHeaders(token?: string): Record<string, string> {
+  return token ? { Authorization: `Bearer ${token}` } : {};
+}

package/src/core/device-install/index.ts

@@ -0,0 +1,4 @@
+export * from './types';
+export * from './apple';
+export * from './operations';
+export * from './storage';

package/src/core/device-install/operations/index.ts

@@ -0,0 +1,6 @@
+export * from './limbuild-client';
+export * from './operations';
+export * from './relay-client';
+export * from './relay-protocol';
+export * from './usbmux';
+export * from './webusb';