@lockerpm/desktop-service 1.0.0

package/lib/esm/services/api.service.js

@@ -0,0 +1,177 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiService = void 0;
+const axios_1 = __importDefault(require("axios"));
+const errors_1 = require("../abstractions/errors");
+class ApiService {
+    baseUrl;
+    token;
+    headers;
+    logger;
+    constructor(params) {
+        const { baseUrl, logger, headers } = params;
+        this.baseUrl = baseUrl;
+        this.token = '';
+        this.logger = logger;
+        this.headers = headers || {};
+    }
+    setToken(token) {
+        this.token = token;
+    }
+    async getPasswordlessCredentials(email) {
+        try {
+            const url = `${this.baseUrl}/cystack_platform/pm/passwordless/credential`;
+            const res = await axios_1.default.get(url, {
+                params: {
+                    email,
+                },
+                headers: this.headers,
+            });
+            const data = res.data;
+            this.logDebug({ url, method: 'GET', data });
+            return data;
+        }
+        catch (error) {
+            if (error.response?.status === 404) {
+                throw new errors_1.ServiceError('1002', error);
+            }
+            throw new errors_1.ServiceError('1000', error);
+        }
+    }
+    // TODO: if service is only built by CyStack, then this base API must be fixed
+    async getReleases(os) {
+        try {
+            const url = `${this.baseUrl}/cystack_platform/pm/releases`;
+            const res = await axios_1.default.get(url, {
+                params: {
+                    client_id: 'desktop',
+                    os,
+                },
+                headers: this.headers,
+            });
+            const data = res.data;
+            this.logDebug({ url, method: 'GET', data });
+            return data;
+        }
+        catch (error) {
+            throw new errors_1.ServiceError('1000', error);
+        }
+    }
+    async setPasswordlessCredential(params) {
+        if (!this.token) {
+            throw new errors_1.ServiceError('1001');
+        }
+        try {
+            const { credentialId, name, type, random } = params;
+            const url = `${this.baseUrl}/cystack_platform/pm/passwordless/credential`;
+            const res = await axios_1.default.post(url, {
+                credential_id: credentialId,
+                name,
+                type,
+                random,
+            }, {
+                headers: {
+                    Authorization: `Bearer ${this.token}`,
+                    ...this.headers,
+                },
+            });
+            const data = res.data;
+            this.logDebug({ url, method: 'POST', data, payload: params });
+            return data;
+        }
+        catch (error) {
+            throw new errors_1.ServiceError('1000', error);
+        }
+    }
+    async deletePasswordlessCredential() {
+        if (!this.token) {
+            throw new errors_1.ServiceError('1001');
+        }
+        try {
+            const url = `${this.baseUrl}/cystack_platform/pm/passwordless/credential`;
+            await axios_1.default.delete(url, {
+                headers: {
+                    Authorization: `Bearer ${this.token}`,
+                    ...this.headers,
+                },
+            });
+            this.logDebug({
+                url,
+                method: 'DELETE',
+                data: undefined,
+            });
+        }
+        catch (error) {
+            throw new errors_1.ServiceError('1000', error);
+        }
+    }
+    // ---------------- BACKUP KEYS ----------------
+    async listBackupPasswordlessCredentials() {
+        if (!this.token) {
+            throw new errors_1.ServiceError('1001');
+        }
+        try {
+            const url = `${this.baseUrl}/cystack_platform/pm/users/backup_credentials`;
+            const res = await axios_1.default.get(url, {
+                params: {
+                    paging: 0,
+                },
+                headers: {
+                    Authorization: `Bearer ${this.token}`,
+                    ...this.headers,
+                },
+            });
+            const data = res.data;
+            this.logDebug({ url, method: 'GET', data });
+            return data;
+        }
+        catch (error) {
+            throw new errors_1.ServiceError('1000', error);
+        }
+    }
+    async setBackupPasswordlessCredential(payload) {
+        if (!this.token) {
+            throw new errors_1.ServiceError('1001');
+        }
+        try {
+            const url = `${this.baseUrl}/cystack_platform/pm/users/backup_credentials`;
+            const res = await axios_1.default.post(url, payload, {
+                headers: {
+                    Authorization: `Bearer ${this.token}`,
+                    ...this.headers,
+                },
+            });
+            this.logDebug({ url, method: 'POST', data: res.data, payload });
+            return res.data;
+        }
+        catch (error) {
+            throw new errors_1.ServiceError('1000', error);
+        }
+    }
+    async deleteBackupPasswordlessCredential(id) {
+        if (!this.token) {
+            throw new errors_1.ServiceError('1001');
+        }
+        try {
+            const url = `${this.baseUrl}/cystack_platform/pm/users/backup_credentials/${id}`;
+            await axios_1.default.delete(url, {
+                headers: {
+                    Authorization: `Bearer ${this.token}`,
+                    ...this.headers,
+                },
+            });
+        }
+        catch (error) {
+            throw new errors_1.ServiceError('1000', error);
+        }
+    }
+    // ---------------- PRIVATE METHODS ----------------
+    logDebug(params) {
+        const { url, method, data, payload } = params;
+        this.logger.debug(`API call ${method} ${url}\nwith ${JSON.stringify(payload)} \nreturn ${JSON.stringify(data)}`);
+    }
+}
+exports.ApiService = ApiService;

package/lib/esm/services/cache.service.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CacheService = void 0;
+const locker_service_grpc_1 = require("../proto/locker-service-grpc");
+const errors_1 = require("../abstractions/errors");
+var CacheMessage;
+(function (CacheMessage) {
+    CacheMessage["GET_CACHE"] = "getCache";
+    CacheMessage["SET_CACHE"] = "setCache";
+})(CacheMessage || (CacheMessage = {}));
+class CacheService {
+    logger;
+    grpc;
+    constructor(logger, grpcService) {
+        this.logger = logger;
+        this.grpc = grpcService;
+    }
+    getCache() {
+        const req = new locker_service_grpc_1.locker_service_grpc.CacheRequest();
+        req.message = CacheMessage.GET_CACHE;
+        return new Promise((resolve, reject) => {
+            this.grpc.client.CacheChannel(req, (err, res) => {
+                this.logger.debug(res);
+                if (err) {
+                    reject(errors_1.ServiceError.fromError(err));
+                    return;
+                }
+                if (!res?.json) {
+                    resolve(null);
+                    return;
+                }
+                resolve(JSON.parse(res.json));
+            });
+        });
+    }
+    setCache(data) {
+        const req = new locker_service_grpc_1.locker_service_grpc.CacheRequest();
+        req.message = CacheMessage.SET_CACHE;
+        req.json = JSON.stringify(data);
+        return new Promise((resolve, reject) => {
+            this.grpc.client.CacheChannel(req, (err, res) => {
+                this.logger.debug(res);
+                if (err) {
+                    reject(errors_1.ServiceError.fromError(err));
+                    return;
+                }
+                resolve();
+            });
+        });
+    }
+}
+exports.CacheService = CacheService;

package/lib/esm/services/core-crypto.service.js

@@ -0,0 +1,164 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CoreCryptoService = void 0;
+/**
+ * Crypto core from Locker Vault
+ *  */
+const crypto_1 = __importDefault(require("crypto"));
+const crypto_service_1 = require("../abstractions/crypto.service");
+const utils_1 = require("../misc/utils");
+const crypto = crypto_1.default.webcrypto;
+class CoreCryptoService {
+    async makeKey(password, salt, kdf, kdfIterations) {
+        let key;
+        if (!kdf || kdf === crypto_service_1.KdfType.PBKDF2_SHA256) {
+            if (!kdfIterations) {
+                kdfIterations = 5000;
+            }
+            else if (kdfIterations < 5000) {
+                throw new Error('PBKDF2 iteration minimum is 5000.');
+            }
+            key = await this.pbkdf2(password, salt, 'sha256', kdfIterations);
+        }
+        else {
+            throw new Error('Unknown Kdf.');
+        }
+        return new crypto_service_1.SymmetricCryptoKey(key);
+    }
+    async hashPassword(password, key) {
+        if (!password || !key) {
+            throw new Error('Invalid parameters.');
+        }
+        const hash = await this.pbkdf2(key.key, password, 'sha256', 1);
+        return utils_1.Utils.fromBufferToB64(hash);
+    }
+    async remakeEncKey(currentEncKey, key) {
+        let encKeyEnc;
+        if (key.key.byteLength === 32) {
+            const newKey = await this.stretchKey(key);
+            encKeyEnc = await this.encrypt(currentEncKey, newKey);
+        }
+        else if (key.key.byteLength === 64) {
+            encKeyEnc = await this.encrypt(currentEncKey, key);
+        }
+        else {
+            throw new Error('Invalid key size.');
+        }
+        return [new crypto_service_1.SymmetricCryptoKey(currentEncKey), encKeyEnc];
+    }
+    // ---------------- PRIVATE METHODS -------------------
+    async pbkdf2(password, salt, algorithm, iterations) {
+        const wcLen = algorithm === 'sha256' ? 256 : 512;
+        const passwordBuf = this.toBuf(password);
+        const saltBuf = this.toBuf(salt);
+        const pbkdf2Params = {
+            name: 'PBKDF2',
+            salt: saltBuf,
+            iterations,
+            hash: { name: this.toWebCryptoAlgorithm(algorithm) },
+        };
+        const impKey = await crypto.subtle.importKey('raw', passwordBuf, { name: 'PBKDF2' }, false, ['deriveBits']);
+        return await crypto.subtle.deriveBits(pbkdf2Params, impKey, wcLen);
+    }
+    toBuf(value) {
+        let buf;
+        if (typeof value === 'string') {
+            buf = utils_1.Utils.fromUtf8ToArray(value).buffer;
+        }
+        else {
+            buf = value;
+        }
+        return buf;
+    }
+    toWebCryptoAlgorithm(algorithm) {
+        if (algorithm === 'md5') {
+            throw new Error('MD5 is not supported in WebCrypto.');
+        }
+        return algorithm === 'sha1' ? 'SHA-1' : algorithm === 'sha256' ? 'SHA-256' : 'SHA-512';
+    }
+    async stretchKey(key) {
+        const newKey = new Uint8Array(64);
+        const encKey = await this.hkdfExpand(key.key, 'enc', 32, 'sha256');
+        const macKey = await this.hkdfExpand(key.key, 'mac', 32, 'sha256');
+        newKey.set(new Uint8Array(encKey));
+        newKey.set(new Uint8Array(macKey), 32);
+        return new crypto_service_1.SymmetricCryptoKey(newKey.buffer);
+    }
+    async hkdfExpand(prk, info, outputByteSize, algorithm) {
+        const hashLen = algorithm === 'sha256' ? 32 : 64;
+        if (outputByteSize > 255 * hashLen) {
+            throw new Error('outputByteSize is too large.');
+        }
+        const prkArr = new Uint8Array(prk);
+        if (prkArr.length < hashLen) {
+            throw new Error('prk is too small.');
+        }
+        const infoBuf = this.toBuf(info);
+        const infoArr = new Uint8Array(infoBuf);
+        let runningOkmLength = 0;
+        let previousT = new Uint8Array(0);
+        const n = Math.ceil(outputByteSize / hashLen);
+        const okm = new Uint8Array(n * hashLen);
+        for (let i = 0; i < n; i++) {
+            const t = new Uint8Array(previousT.length + infoArr.length + 1);
+            t.set(previousT);
+            t.set(infoArr, previousT.length);
+            t.set([i + 1], t.length - 1);
+            previousT = new Uint8Array(await this.hmac(t.buffer, prk, algorithm));
+            okm.set(previousT, runningOkmLength);
+            runningOkmLength += previousT.length;
+            if (runningOkmLength >= outputByteSize) {
+                break;
+            }
+        }
+        return okm.slice(0, outputByteSize).buffer;
+    }
+    async hmac(value, key, algorithm) {
+        const signingAlgorithm = {
+            name: 'HMAC',
+            hash: { name: this.toWebCryptoAlgorithm(algorithm) },
+        };
+        const impKey = await crypto.subtle.importKey('raw', key, signingAlgorithm, false, ['sign']);
+        return await crypto.subtle.sign(signingAlgorithm, impKey, value);
+    }
+    async encrypt(plainValue, key) {
+        let plainBuf;
+        if (typeof plainValue === 'string') {
+            plainBuf = utils_1.Utils.fromUtf8ToArray(plainValue).buffer;
+        }
+        else {
+            plainBuf = plainValue;
+        }
+        const encObj = await this.aesEncrypt(plainBuf, key);
+        const iv = utils_1.Utils.fromBufferToB64(encObj.iv);
+        const data = utils_1.Utils.fromBufferToB64(encObj.data);
+        const mac = encObj.mac ? utils_1.Utils.fromBufferToB64(encObj.mac) : undefined;
+        return new crypto_service_1.EncString(encObj.key.encType, data, iv, mac);
+    }
+    async aesEncrypt(data, key) {
+        const obj = new crypto_service_1.EncryptedObject();
+        obj.key = key;
+        obj.iv = this.randomBytes(16);
+        obj.data = await this._aesEncrypt(data, obj.iv, obj.key.encKey);
+        if (obj.key.macKey != null) {
+            const macData = new Uint8Array(obj.iv.byteLength + obj.data.byteLength);
+            macData.set(new Uint8Array(obj.iv), 0);
+            macData.set(new Uint8Array(obj.data), obj.iv.byteLength);
+            obj.mac = await this.hmac(macData.buffer, obj.key.macKey, 'sha256');
+        }
+        return obj;
+    }
+    randomBytes(length) {
+        return crypto.getRandomValues(new Uint8Array(length));
+    }
+    async _aesEncrypt(data, iv, key) {
+        const impKey = await crypto.subtle.importKey('raw', key, { name: 'AES-CBC' }, false, [
+            'encrypt',
+        ]);
+        return await crypto.subtle.encrypt({ name: 'AES-CBC', iv }, impKey, data);
+    }
+}
+exports.CoreCryptoService = CoreCryptoService;

package/lib/esm/services/crypto.service.js

@@ -0,0 +1,83 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CryptoService = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const fs_1 = __importDefault(require("fs"));
+const crypto_service_1 = require("../abstractions/crypto.service");
+const utils_1 = require("../misc/utils");
+const core_crypto_service_1 = require("./core-crypto.service");
+const crypto = crypto_1.default.webcrypto;
+class CryptoService {
+    core;
+    constructor() {
+        this.core = new core_crypto_service_1.CoreCryptoService();
+    }
+    async createECDHKeyPair() {
+        const keyPair = await crypto.subtle.generateKey(crypto_service_1.ECDH, true, ['deriveKey', 'deriveBits']);
+        const rawPublicKey = await crypto.subtle.exportKey('raw', keyPair.publicKey);
+        return {
+            publicKey: utils_1.Utils.fromBufferToHex(rawPublicKey),
+            privateKey: keyPair.privateKey,
+        };
+    }
+    async createEncKey(theirPublicKey, ourPrivateKey) {
+        const sharedSecret = await this.createECDHSharedSecret(theirPublicKey, ourPrivateKey);
+        const approveCode = new Uint8Array(sharedSecret, 0, 2).join('').padStart(6, '0').substring(0, 6);
+        return {
+            encKey: utils_1.Utils.fromBufferToHex(sharedSecret),
+            approveCode,
+        };
+    }
+    async aesEncrypt(data, key) {
+        const iv = this.getRandomValues(16);
+        const dataBuffer = new TextEncoder().encode(data);
+        const cryptoKey = await crypto.subtle.importKey('raw', utils_1.Utils.fromHexToArray(key), crypto_service_1.AES, false, [
+            'encrypt',
+        ]);
+        const encrypted = await crypto.subtle.encrypt({
+            name: crypto_service_1.AES.name,
+            iv,
+        }, cryptoKey, dataBuffer);
+        return `${utils_1.Utils.fromBufferToHex(iv)}.${utils_1.Utils.fromBufferToHex(encrypted)}`;
+    }
+    async aesDecrypt(data, key) {
+        const cryptoKey = await crypto.subtle.importKey('raw', utils_1.Utils.fromHexToArray(key), crypto_service_1.AES, false, [
+            'decrypt',
+        ]);
+        const [iv, encString] = data.split('.');
+        const decrypted = await crypto.subtle.decrypt({
+            name: crypto_service_1.AES.name,
+            iv: utils_1.Utils.fromHexToArray(iv),
+        }, cryptoKey, utils_1.Utils.fromHexToArray(encString));
+        const decryptedString = new TextDecoder().decode(decrypted);
+        return decryptedString;
+    }
+    getFileChecksum(path) {
+        return new Promise((resolve, reject) => {
+            try {
+                const file = fs_1.default.readFileSync(path);
+                const checksum = crypto_1.default.createHash('sha256').update(file).digest('hex');
+                resolve(checksum);
+            }
+            catch (error) {
+                reject(error);
+            }
+        });
+    }
+    getRandomValues(length) {
+        return crypto.getRandomValues(new Uint8Array(length));
+    }
+    // ---------------- PRIVATE METHODS -------------------
+    async createECDHSharedSecret(theirPublicKey, ourPrivateKey) {
+        const publicKey = await crypto.subtle.importKey('raw', utils_1.Utils.fromHexToArray(theirPublicKey), crypto_service_1.ECDH, false, []);
+        const secret = await crypto.subtle.deriveBits({
+            name: crypto_service_1.ECDH.name,
+            public: publicKey,
+        }, ourPrivateKey, 256);
+        return secret;
+    }
+}
+exports.CryptoService = CryptoService;

package/lib/esm/services/event.service.js

@@ -0,0 +1,33 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EventService = void 0;
+const eventemitter3_1 = __importDefault(require("eventemitter3"));
+class EventService {
+    events;
+    logger;
+    constructor(logger) {
+        this.events = new eventemitter3_1.default();
+        this.logger = logger;
+    }
+    emit(event, args) {
+        this.logger.debug(`Event '${event}' fired`);
+        // console.log(`Event '${event}' fired`)
+        return this.events.emit(event, args);
+    }
+    on(event, handler) {
+        return this.events.on(event, handler);
+    }
+    once(event, handler) {
+        return this.events.once(event, handler);
+    }
+    removeListener(event, handler) {
+        this.events.removeListener(event, handler);
+    }
+    removeAllListeners() {
+        this.events.removeAllListeners();
+    }
+}
+exports.EventService = EventService;

package/lib/esm/services/fido.service.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FidoService = void 0;
+const locker_service_grpc_1 = require("../proto/locker-service-grpc");
+const errors_1 = require("../abstractions/errors");
+var FidoMessage;
+(function (FidoMessage) {
+    FidoMessage["DEVICE_LIST"] = "deviceListRequest";
+    FidoMessage["DEVICE_SELECT"] = "deviceInitializationRequest";
+    FidoMessage["LIST_CREDENTIALS"] = "listCredentialRequest";
+    FidoMessage["MAKE_CREDENTIAL"] = "createCredentialRequest";
+    FidoMessage["DELETE_CREDENTIAL"] = "deleteCredentialRequest";
+    FidoMessage["GET_HMAC"] = "hmacRequest";
+})(FidoMessage || (FidoMessage = {}));
+class FidoService {
+    logger;
+    eventEmitter;
+    grpc;
+    constructor(logger, eventEmitter, grpcService) {
+        this.logger = logger;
+        this.eventEmitter = eventEmitter;
+        this.grpc = grpcService;
+    }
+    getDeviceList() {
+        const req = new locker_service_grpc_1.locker_service_grpc.FidoRequest();
+        req.message = FidoMessage.DEVICE_LIST;
+        return new Promise((resolve, reject) => {
+            this.grpc.client.FidoChannel(req, (err, res) => {
+                this.logger.debug(res);
+                if (err) {
+                    reject(errors_1.ServiceError.fromError(err));
+                    return;
+                }
+                if (!res?.device_list) {
+                    resolve([]);
+                    return;
+                }
+                resolve(res.device_list.map((d) => ({
+                    name: d.name,
+                    path: d.path,
+                })));
+            });
+        });
+    }
+    setSelectedDevice(path) {
+        const req = new locker_service_grpc_1.locker_service_grpc.FidoRequest();
+        req.message = FidoMessage.DEVICE_SELECT;
+        req.device_path = path;
+        return new Promise((resolve, reject) => {
+            this.grpc.client.FidoChannel(req, (err, res) => {
+                this.logger.debug(res);
+                if (err) {
+                    reject(errors_1.ServiceError.fromError(err));
+                    return;
+                }
+                resolve(!!res?.success);
+            });
+        });
+    }
+    listCredentials(params) {
+        const req = new locker_service_grpc_1.locker_service_grpc.FidoRequest();
+        req.message = FidoMessage.LIST_CREDENTIALS;
+        req.pin = params.pin;
+        return new Promise((resolve, reject) => {
+            this.grpc.client.FidoChannel(req, (err, res) => {
+                this.logger.debug(res);
+                if (err) {
+                    reject(errors_1.ServiceError.fromError(err));
+                    return;
+                }
+                resolve(res?.credential_list.map((c) => ({
+                    name: c.user_name,
+                    displayName: c.user_display_name,
+                    credentialId: c.credential_id,
+                })) || []);
+            });
+        });
+    }
+    makeCredential(params) {
+        const req = new locker_service_grpc_1.locker_service_grpc.FidoRequest();
+        req.message = FidoMessage.MAKE_CREDENTIAL;
+        req.email = params.email;
+        req.name = params.name;
+        req.pin = params.pin || '';
+        this.eventEmitter.emit(params.pin ? 'fidoRequestTouch' : 'fidoRequestFingerprint', undefined);
+        return new Promise((resolve, reject) => {
+            this.grpc.client.FidoChannel(req, (err, res) => {
+                this.logger.debug(res);
+                if (err) {
+                    reject(errors_1.ServiceError.fromError(err));
+                    return;
+                }
+                resolve({
+                    credentialId: res?.credential_id,
+                });
+            });
+        });
+    }
+    deleteCredential(params) {
+        const req = new locker_service_grpc_1.locker_service_grpc.FidoRequest();
+        req.message = FidoMessage.DELETE_CREDENTIAL;
+        req.credential_id = params.credentialId;
+        req.pin = params.pin;
+        return new Promise((resolve, reject) => {
+            this.grpc.client.FidoChannel(req, (err, res) => {
+                this.logger.debug(res);
+                if (err) {
+                    reject(errors_1.ServiceError.fromError(err));
+                    return;
+                }
+                resolve(true);
+            });
+        });
+    }
+    getHmacSecret(params) {
+        const req = new locker_service_grpc_1.locker_service_grpc.FidoRequest();
+        req.message = FidoMessage.GET_HMAC;
+        req.credential_id = params.credentialId;
+        req.salt = params.salt;
+        req.pin = params.pin || '';
+        // UP is disabled when get hmac -> no need to request touch
+        if (!params.pin) {
+            this.eventEmitter.emit('fidoRequestFingerprint', undefined);
+        }
+        return new Promise((resolve, reject) => {
+            this.grpc.client.FidoChannel(req, (err, res) => {
+                this.logger.debug(res);
+                if (err) {
+                    reject(errors_1.ServiceError.fromError(err));
+                    return;
+                }
+                resolve({
+                    secret: res?.assertion_hmac || '',
+                });
+            });
+        });
+    }
+}
+exports.FidoService = FidoService;