@lumiastream/tapo-cove 3.11.0 → 3.12.1

package/CHANGELOG.md

@@ -3,6 +3,22 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [3.12.1](https://github.com/lumiastream/rgb/compare/v3.12.0...v3.12.1) (2023-10-26)
+
+### Bug Fixes
+
+-   tapo host set error ([6437ed3](https://github.com/lumiastream/rgb/commit/6437ed3f0a8f44fbb9ddad2b78d815f71deae7b0))
+
+# [3.12.0](https://github.com/lumiastream/rgb/compare/v3.11.2...v3.12.0) (2023-10-25)
+
+### Bug Fixes
+
+-   tapo build error ([7dd7658](https://github.com/lumiastream/rgb/commit/7dd7658e391108e6aa6c2e4ec28aab47d183f4e5))
+
+### Features
+
+-   tapo new klap cipher implementation ([a82c8f8](https://github.com/lumiastream/rgb/commit/a82c8f8c300108e76494b0ba264a0710537dc386))
+
 # [3.11.0](https://github.com/lumiastream/rgb/compare/v3.10.1...v3.11.0) (2023-08-15)
 
 **Note:** Version bump only for package @lumiastream/tapo-cove

package/dist/index.d.mts

@@ -58,22 +58,37 @@ declare class LightState extends SuperState {
     }) => this;
 }
 
-type TapoDeviceKey = {
-    key: string | Buffer;
-    iv: string | Buffer;
-    deviceIp: string;
-    sessionCookie: string;
-    token?: string;
-};
+declare class KlapCipher {
+    private readonly key;
+    private readonly sig;
+    private readonly iv;
+    private seq;
+    constructor(localSeed: Buffer, remoteSeed: Buffer, authHash: Buffer);
+    encrypt(msg: Buffer | string): {
+        encrypted: Buffer;
+        seq: number;
+    };
+    decrypt(msg: Buffer): string;
+    private keyDerive;
+    private ivDerive;
+    private sigDerive;
+    private ivSeq;
+}
 
 declare class TapoApi {
+    protected readonly terminalUUID: string;
+    protected loginToken?: string;
     _baseUrl: string;
-    _baseTapoCareUrl: string;
+    private static readonly TP_TEST_USER;
+    private static readonly TP_TEST_PASSWORD;
+    private session?;
     private axiosInstance;
     private _config;
     private _token;
     private _devices;
     constructor(config?: {
+        email?: string;
+        password?: string;
         token?: string;
         timeout?: number;
         httpTimeout?: number;
@@ -89,7 +104,7 @@ declare class TapoApi {
             id: string;
             host: string;
         }>;
-    }) => Promise<Map<string, TapoDeviceKey>>;
+    }) => Promise<Map<string, DeviceSession>>;
     sendState: (config: {
         device: {
             id: string;
@@ -105,6 +120,26 @@ declare class TapoApi {
         };
         power: boolean;
     }) => void;
+    private sessionPost;
+    needsNewHandshake(): boolean;
+    private handshake;
+    private firstHandshake;
+    private secondHandshake;
+    private sha256;
+    private sha1;
+    private hashAuth;
+}
+declare class DeviceSession {
+    ip: string;
+    private readonly cookie;
+    readonly cipher?: KlapCipher | undefined;
+    readonly handshakeCompleted: boolean;
+    private readonly expireAt;
+    private readonly rawTimeout;
+    constructor(timeout: string, ip: string, cookie: string, cipher?: KlapCipher | undefined);
+    get IsExpired(): boolean;
+    get Cookie(): string;
+    completeHandshake(ip: string, cipher: KlapCipher): DeviceSession;
 }
 
 declare const TapoDeviceTypes: {

package/dist/index.d.ts

@@ -58,22 +58,37 @@ declare class LightState extends SuperState {
     }) => this;
 }
 
-type TapoDeviceKey = {
-    key: string | Buffer;
-    iv: string | Buffer;
-    deviceIp: string;
-    sessionCookie: string;
-    token?: string;
-};
+declare class KlapCipher {
+    private readonly key;
+    private readonly sig;
+    private readonly iv;
+    private seq;
+    constructor(localSeed: Buffer, remoteSeed: Buffer, authHash: Buffer);
+    encrypt(msg: Buffer | string): {
+        encrypted: Buffer;
+        seq: number;
+    };
+    decrypt(msg: Buffer): string;
+    private keyDerive;
+    private ivDerive;
+    private sigDerive;
+    private ivSeq;
+}
 
 declare class TapoApi {
+    protected readonly terminalUUID: string;
+    protected loginToken?: string;
     _baseUrl: string;
-    _baseTapoCareUrl: string;
+    private static readonly TP_TEST_USER;
+    private static readonly TP_TEST_PASSWORD;
+    private session?;
     private axiosInstance;
     private _config;
     private _token;
     private _devices;
     constructor(config?: {
+        email?: string;
+        password?: string;
         token?: string;
         timeout?: number;
         httpTimeout?: number;
@@ -89,7 +104,7 @@ declare class TapoApi {
             id: string;
             host: string;
         }>;
-    }) => Promise<Map<string, TapoDeviceKey>>;
+    }) => Promise<Map<string, DeviceSession>>;
     sendState: (config: {
         device: {
             id: string;
@@ -105,6 +120,26 @@ declare class TapoApi {
         };
         power: boolean;
     }) => void;
+    private sessionPost;
+    needsNewHandshake(): boolean;
+    private handshake;
+    private firstHandshake;
+    private secondHandshake;
+    private sha256;
+    private sha1;
+    private hashAuth;
+}
+declare class DeviceSession {
+    ip: string;
+    private readonly cookie;
+    readonly cipher?: KlapCipher | undefined;
+    readonly handshakeCompleted: boolean;
+    private readonly expireAt;
+    private readonly rawTimeout;
+    constructor(timeout: string, ip: string, cookie: string, cipher?: KlapCipher | undefined);
+    get IsExpired(): boolean;
+    get Cookie(): string;
+    completeHandshake(ip: string, cipher: KlapCipher): DeviceSession;
 }
 
 declare const TapoDeviceTypes: {

package/dist/index.js

@@ -73,70 +73,19 @@ module.exports = __toCommonJS(src_exports);
 
 // src/discovery.ts
 var import_lumia_rgb_types = require("@lumiastream/lumia-rgb-types");
-var import_axios3 = __toESM(require("axios"));
+var import_axios2 = __toESM(require("axios"));
 var import_local_devices = __toESM(require("local-devices"));
 
 // src/shared/cipher.ts
 var import_crypto = __toESM(require("crypto"));
-var import_util = __toESM(require("util"));
-var RSA_CIPHER_ALGORITHM = "rsa";
-var AES_CIPHER_ALGORITHM = "aes-128-cbc";
-var PASSPHRASE = "top secret";
-var generateKeyPair = () => __async(void 0, null, function* () {
-  const RSA_OPTIONS = {
-    modulusLength: 1024,
-    publicKeyEncoding: {
-      type: "spki",
-      format: "pem"
-    },
-    privateKeyEncoding: {
-      type: "pkcs1",
-      format: "pem",
-      cipher: "aes-256-cbc",
-      passphrase: PASSPHRASE
-    }
-  };
-  const generateKeyPair2 = import_util.default.promisify(import_crypto.default.generateKeyPair);
-  return generateKeyPair2(RSA_CIPHER_ALGORITHM, RSA_OPTIONS);
-});
-var encrypt = (data, deviceKey) => {
-  var cipher = import_crypto.default.createCipheriv(AES_CIPHER_ALGORITHM, deviceKey.key, deviceKey.iv);
-  var ciphertext = cipher.update(Buffer.from(JSON.stringify(data)));
-  return Buffer.concat([ciphertext, cipher.final()]).toString("base64");
-};
-var decrypt = (data, deviceKey) => {
-  var cipher = import_crypto.default.createDecipheriv(AES_CIPHER_ALGORITHM, deviceKey.key, deviceKey.iv);
-  var ciphertext = cipher.update(Buffer.from(data, "base64"));
-  return JSON.parse(Buffer.concat([ciphertext, cipher.final()]).toString());
-};
-var readDeviceKey = (pemKey, privateKey) => {
-  const keyBytes = Buffer.from(pemKey, "base64");
-  const deviceKey = import_crypto.default.privateDecrypt(
-    {
-      key: privateKey,
-      padding: import_crypto.default.constants.RSA_PKCS1_PADDING,
-      passphrase: PASSPHRASE
-    },
-    keyBytes
-  );
-  return deviceKey;
-};
-var base64Encode = (data) => {
-  return Buffer.from(data).toString("base64");
-};
 var base64Decode = (data) => {
   return Buffer.from(data, "base64").toString();
 };
-var shaDigest = (data) => {
-  var shasum = import_crypto.default.createHash("sha1");
-  shasum.update(data);
-  return shasum.digest("hex");
-};
 
 // src/shared/helpers.ts
-var import_axios = __toESM(require("axios"));
 var throwErrorIfFound = (responseData) => {
   const errorCode = responseData["error_code"];
+  console.debug("[Tapo] errorCode: ", errorCode);
   if (errorCode) {
     switch (errorCode) {
       case 0:
@@ -162,64 +111,9 @@ var throwErrorIfFound = (responseData) => {
     }
   }
 };
-var handshake = (deviceIp) => __async(void 0, null, function* () {
-  var _a, _b, _c, _d;
-  const keyPair = yield generateKeyPair();
-  const handshakeRequest = {
-    method: "handshake",
-    params: {
-      key: keyPair.publicKey
-    }
-  };
-  const response = yield (globalThis.nodeAxios ? globalThis.nodeAxios : import_axios.default)({
-    method: "post",
-    url: `http://${deviceIp}/app`,
-    data: handshakeRequest,
-    timeout: 3e3
-  });
-  throwErrorIfFound(response.data);
-  let setCookieHeader;
-  if (response.headers["set-cookie"]) {
-    setCookieHeader = (_b = (_a = response.headers["set-cookie"]) == null ? void 0 : _a[0]) != null ? _b : response.headers["set-cookie"];
-  } else if (response.headers["bypass-cookie"]) {
-    setCookieHeader = (_d = (_c = response.headers["bypass-cookie"]) == null ? void 0 : _c[0]) != null ? _d : response.headers["bypass-cookie"];
-  } else {
-    setCookieHeader = response.headers.get("set-cookie");
-  }
-  const sessionCookie = setCookieHeader.substring(0, setCookieHeader.indexOf(";"));
-  const deviceKey = readDeviceKey(response.data.result.key, keyPair.privateKey);
-  return {
-    key: deviceKey.subarray(0, 16),
-    iv: deviceKey.subarray(16, 32),
-    deviceIp,
-    sessionCookie
-  };
-});
-var securePassthrough = (deviceRequest, deviceKey) => __async(void 0, null, function* () {
-  const encryptedRequest = encrypt(deviceRequest, deviceKey);
-  const securePassthroughRequest = {
-    method: "securePassthrough",
-    params: {
-      request: encryptedRequest
-    }
-  };
-  const response = yield (globalThis.nodeAxios ? globalThis.nodeAxios : import_axios.default)({
-    method: "post",
-    url: `http://${deviceKey.deviceIp}/app?token=${deviceKey.token}`,
-    data: securePassthroughRequest,
-    timeout: 3e3,
-    headers: {
-      Cookie: deviceKey.sessionCookie
-    }
-  });
-  throwErrorIfFound(response.data);
-  const decryptedResponse = decrypt(response.data.result.response, deviceKey);
-  throwErrorIfFound(decryptedResponse);
-  return decryptedResponse.result;
-});
 
 // src/tapo-api.ts
-var import_axios2 = __toESM(require("axios"));
+var import_axios = __toESM(require("axios"));
 
 // src/lightstate.ts
 var import_lumia_rgb_utils = require("@lumiastream/lumia-rgb-utils");
@@ -336,14 +230,140 @@ var LightState = class extends SuperState {
 };
 
 // src/tapo-api.ts
-var import_fetch_cove = require("@lumiastream/fetch-cove");
 var import_lumia_rgb_utils2 = require("@lumiastream/lumia-rgb-utils");
-var TapoApi = class {
+
+// src/shared/tplink-cypher.ts
+var import_crypto2 = __toESM(require("crypto"));
+var TpLinkCipher = class {
+  constructor(key, iv) {
+    this.key = key;
+    this.iv = iv;
+  }
+  static toBase64(data) {
+    return Buffer.from(data.normalize("NFKC"), "utf-8").toString("base64");
+  }
+  static encodeUsername(data) {
+    const sha = import_crypto2.default.createHash("sha1");
+    sha.update(data.normalize("NFKC"));
+    return sha.digest("hex");
+  }
+  static createKeyPair() {
+    return new Promise((resolve, reject) => {
+      import_crypto2.default.generateKeyPair(
+        "rsa",
+        {
+          modulusLength: 1024
+        },
+        (err, publicK, privateK) => {
+          if (err) {
+            return reject(err);
+          }
+          const pub = publicK.export({
+            format: "pem",
+            type: "spki"
+          }).toString("base64");
+          const priv = privateK.export({
+            format: "pem",
+            type: "pkcs1"
+          }).toString("base64");
+          resolve({
+            public: pub,
+            private: priv
+          });
+        }
+      );
+    });
+  }
+  encrypt(data) {
+    const cipher = import_crypto2.default.createCipheriv("aes-128-cbc", this.key, this.iv);
+    const encrypted = cipher.update(data, "utf8", "base64");
+    return `${encrypted}${cipher.final("base64")}`;
+  }
+  decrypt(data) {
+    const decipher = import_crypto2.default.createDecipheriv("aes-128-cbc", this.key, this.iv);
+    const decrypted = decipher.update(data, "base64", "utf8");
+    return `${decrypted}${decipher.final("utf8")}`;
+  }
+};
+
+// src/tapo-api.ts
+var import_crypto4 = __toESM(require("crypto"));
+var import_http = __toESM(require("http"));
+
+// src/shared/klap-cipher.ts
+var import_crypto3 = __toESM(require("crypto"));
+var KlapCipher = class {
+  constructor(localSeed, remoteSeed, authHash) {
+    const { iv, seq } = this.ivDerive(localSeed, remoteSeed, authHash);
+    this.key = this.keyDerive(localSeed, remoteSeed, authHash);
+    this.sig = this.sigDerive(localSeed, remoteSeed, authHash);
+    this.iv = iv;
+    this.seq = seq;
+  }
+  encrypt(msg) {
+    this.seq += 1;
+    if (typeof msg === "string") {
+      msg = Buffer.from(msg, "utf8");
+    }
+    if (!Buffer.isBuffer(msg)) {
+      throw new Error("msg must be a string or buffer");
+    }
+    const cipher = import_crypto3.default.createCipheriv("aes-128-cbc", this.key, this.ivSeq());
+    const cipherText = Buffer.concat([cipher.update(msg), cipher.final()]);
+    const seqBuffer = Buffer.alloc(4);
+    seqBuffer.writeInt32BE(this.seq, 0);
+    const hash = import_crypto3.default.createHash("sha256");
+    hash.update(Buffer.concat([this.sig, seqBuffer, cipherText]));
+    const signature = hash.digest();
+    return {
+      encrypted: Buffer.concat([signature, cipherText]),
+      seq: this.seq
+    };
+  }
+  decrypt(msg) {
+    if (!Buffer.isBuffer(msg)) {
+      throw new Error("msg must be a buffer");
+    }
+    const decipher = import_crypto3.default.createDecipheriv("aes-128-cbc", this.key, this.ivSeq());
+    const decrypted = Buffer.concat([decipher.update(msg.subarray(32)), decipher.final()]);
+    return decrypted.toString("utf8");
+  }
+  keyDerive(l, r, h) {
+    const payload = Buffer.concat([Buffer.from("lsk"), l, r, h]);
+    const hash = import_crypto3.default.createHash("sha256").update(payload).digest();
+    return hash.subarray(0, 16);
+  }
+  ivDerive(l, r, h) {
+    const payload = Buffer.concat([Buffer.from("iv"), l, r, h]);
+    const fullIv = import_crypto3.default.createHash("sha256").update(payload).digest();
+    const seq = fullIv.subarray(-4).readInt32BE(0);
+    return { iv: fullIv.subarray(0, 12), seq };
+  }
+  sigDerive(l, r, h) {
+    const payload = Buffer.concat([Buffer.from("ldk"), l, r, h]);
+    const hash = import_crypto3.default.createHash("sha256").update(payload).digest();
+    return hash.subarray(0, 28);
+  }
+  ivSeq() {
+    const seq = Buffer.alloc(4);
+    seq.writeInt32BE(this.seq, 0);
+    const iv = Buffer.concat([this.iv, seq]);
+    if (iv.length !== 16) {
+      throw new Error("Length of iv is not 16");
+    }
+    return iv;
+  }
+};
+
+// src/tapo-api.ts
+var _TapoApi = class _TapoApi {
   constructor(config) {
     this._baseUrl = "https://eu-wap.tplinkcloud.com/";
-    // https://n-euw1-wap-gw.tplinkcloud.com
-    this._baseTapoCareUrl = "https://euw1-app-tapo-care.i.tplinknbu.com";
     this._config = {
+      rawEmail: "",
+      rawPassword: "",
+      email: "",
+      password: "",
       authToken: null,
       timeout: 1e4,
       httpTimeout: 4e3
@@ -360,7 +380,7 @@ var TapoApi = class {
           terminalUUID: (0, import_lumia_rgb_utils2.uuidv4)()
         }
       };
-      const response = yield (0, import_axios2.default)({
+      const response = yield (0, import_axios.default)({
         method: "post",
         url: this._baseUrl,
         data: loginRequest
@@ -371,65 +391,204 @@ var TapoApi = class {
     });
     this.setup = (_0) => __async(this, [_0], function* ({ email, password, devices }) {
       const promises = devices.map((device) => __async(this, null, function* () {
-        const deviceKey = yield handshake(device.host);
-        const loginDeviceRequest = {
-          method: "login_device",
-          params: {
-            username: base64Encode(shaDigest(email)),
-            password: base64Encode(password)
-          },
-          requestTimeMils: 0
-        };
-        const loginDeviceResponse = yield securePassthrough(loginDeviceRequest, deviceKey);
-        deviceKey.token = loginDeviceResponse.token;
-        this._devices.set(device.id, deviceKey);
+        const deviceSession = yield this.handshake(device.host);
+        this._devices.set(device.id, deviceSession);
         return;
       }));
-      yield Promise.allSettled(promises);
+      try {
+        const responses = yield Promise.allSettled(promises);
+      } catch (err) {
+        console.error("tapo setup err: ", err);
+      }
       return this._devices;
     });
     // Change state using lightstate
-    this.sendState = (config) => {
+    this.sendState = (config) => __async(this, null, function* () {
       const deviceKey = this._devices.get(config.device.id);
+      if (!deviceKey) {
+        return Promise.resolve(false);
+      }
+      yield this.handshake(deviceKey == null ? void 0 : deviceKey.ip, false);
       let shouldWait = false;
       if (config.fetchConfig && config.fetchConfig.shouldWait) {
         shouldWait = true;
       }
-      if (!deviceKey) {
-        return Promise.resolve(false);
-      }
       const values = config.state.getValues();
-      const deviceRequest = {
+      const deviceRequest = JSON.stringify({
         method: "set_device_info",
-        params: values,
-        terminalUUID: (0, import_lumia_rgb_utils2.uuidv4)()
-      };
-      const encryptedRequest = encrypt(deviceRequest, deviceKey);
-      const securePassthroughRequest = {
-        method: "securePassthrough",
-        params: {
-          request: encryptedRequest
-        }
-      };
-      return (0, import_fetch_cove.fetchWork)({
-        url: `http://${deviceKey.deviceIp}/app?token=${deviceKey.token}`,
-        data: {
-          method: "POST",
-          body: securePassthroughRequest,
-          headers: {
-            Cookie: deviceKey.sessionCookie,
-            BypassCookie: deviceKey.sessionCookie
-          }
-        },
-        shouldWait
+        params: values
+        // terminalUUID: uuidv4(),
       });
-    };
+      const requestData = this.session.cipher.encrypt(deviceRequest);
+      const response = yield this.sessionPost(deviceKey.ip, "/request", requestData.encrypted, "arraybuffer", this.session.Cookie, {
+        seq: requestData.seq.toString()
+      });
+      if (response.status !== 200) {
+        throw new Error("[KLAP] Request failed");
+      }
+      const data = JSON.parse(this.session.cipher.decrypt(response.data));
+      return {
+        response,
+        body: data
+      };
+    });
     this.sendPower = (config) => {
       this.sendState({ device: config.device, state: new LightState({ on: config.power }) });
     };
-    this.axiosInstance = import_axios2.default.create();
+    this.axiosInstance = import_axios.default.create();
     this.axiosInstance.defaults.timeout = (config == null ? void 0 : config.httpTimeout) || 4e3;
     this._config = __spreadValues(__spreadValues({}, this._config), config);
+    this._config.rawEmail = this._config.email;
+    this._config.rawPassword = this._config.password;
+    this._config.email = TpLinkCipher.toBase64(TpLinkCipher.encodeUsername(this._config.email));
+    this._config.password = TpLinkCipher.toBase64(this._config.password);
+    this.terminalUUID = import_crypto4.default.randomUUID();
+  }
+  // Helpers
+  sessionPost(deviceIp, path, payload, responseType, cookie, params) {
+    return __async(this, null, function* () {
+      return import_axios.default.post(`http://${deviceIp}/app${path}`, payload, {
+        responseType,
+        params,
+        headers: __spreadValues({
+          Accept: "*/*",
+          "Content-Type": "application/octet-stream"
+        }, cookie && {
+          Cookie: cookie
+        }),
+        httpAgent: new import_http.default.Agent({
+          keepAlive: false
+        })
+      });
+    });
+  }
+  needsNewHandshake() {
+    if (!this.session) {
+      return true;
+    }
+    if (!this.session.cipher) {
+      return true;
+    }
+    if (this.session.IsExpired) {
+      return true;
+    }
+    if (!this.session.Cookie) {
+      return true;
+    }
+    return false;
+  }
+  handshake(deviceIp, force = false) {
+    return __async(this, null, function* () {
+      if (!this.needsNewHandshake() && !force) {
+        return;
+      }
+      const { localSeed, remoteSeed, authHash } = yield this.firstHandshake(deviceIp);
+      return yield this.secondHandshake(deviceIp, localSeed, remoteSeed, authHash);
+    });
+  }
+  firstHandshake(deviceIp, seed) {
+    return __async(this, null, function* () {
+      var _a;
+      const localSeed = seed ? seed : import_crypto4.default.randomBytes(16);
+      const handshake1Result = yield this.sessionPost(deviceIp, "/handshake1", localSeed, "arraybuffer");
+      if (handshake1Result.status !== 200) {
+        throw new Error("Handshake1 failed");
+      }
+      if (handshake1Result.headers["content-length"] !== "48") {
+        throw new Error("Handshake1 failed due to invalid content length");
+      }
+      const cookie = (_a = handshake1Result.headers["set-cookie"]) == null ? void 0 : _a[0];
+      const data = handshake1Result.data;
+      const [cookieValue, timeout] = cookie.split(";");
+      const timeoutValue = timeout.split("=").pop();
+      this.session = new DeviceSession(timeoutValue, deviceIp, cookieValue);
+      const remoteSeed = data.subarray(0, 16);
+      const serverHash = data.subarray(16);
+      console.debug("[KLAP] First handshake decoded successfully:\nRemote Seed:", remoteSeed.toString("hex"), "\nServer Hash:", serverHash.toString("hex"), "\nCookie:", cookieValue);
+      const localHash = this.hashAuth(this._config.rawEmail, this._config.rawPassword);
+      const localAuthHash = this.sha256(Buffer.concat([localSeed, remoteSeed, localHash]));
+      if (Buffer.compare(localAuthHash, serverHash) === 0) {
+        console.debug("[KLAP] Local auth hash matches server hash");
+        return {
+          localSeed,
+          remoteSeed,
+          authHash: localHash
+        };
+      }
+      const emptyHash = this.sha256(Buffer.concat([localSeed, remoteSeed, this.hashAuth("", "")]));
+      if (Buffer.compare(emptyHash, serverHash) === 0) {
+        console.debug("[KLAP] [WARN] Empty auth hash matches server hash");
+        return {
+          localSeed,
+          remoteSeed,
+          authHash: emptyHash
+        };
+      }
+      const testHash = this.sha256(Buffer.concat([localSeed, remoteSeed, this.hashAuth(_TapoApi.TP_TEST_USER, _TapoApi.TP_TEST_PASSWORD)]));
+      if (Buffer.compare(testHash, serverHash) === 0) {
+        console.debug("[KLAP] [WARN] Test auth hash matches server hash");
+        return {
+          localSeed,
+          remoteSeed,
+          authHash: testHash
+        };
+      }
+      this.session = void 0;
+      throw new Error("Failed to verify server hash");
+    });
+  }
+  secondHandshake(deviceIp, localSeed, remoteSeed, authHash) {
+    return __async(this, null, function* () {
+      const localAuthHash = this.sha256(Buffer.concat([remoteSeed, localSeed, authHash]));
+      try {
+        const handshake2Result = yield this.sessionPost(deviceIp, "/handshake2", localAuthHash, "text", this.session.Cookie);
+        if (handshake2Result.status === 200) {
+          console.debug("[KLAP] Second handshake successful");
+          const deviceSession = this.session.completeHandshake(deviceIp, new KlapCipher(localSeed, remoteSeed, authHash));
+          this.session = deviceSession;
+          return deviceSession;
+        }
+        console.warn("[KLAP] Second handshake failed", handshake2Result.data);
+      } catch (e) {
+        console.error("[KLAP] Second handshake failed:", e.response.data || e.message);
+      }
+      this.session = void 0;
+      return void 0;
+    });
+  }
+  sha256(data) {
+    return import_crypto4.default.createHash("sha256").update(data).digest();
+  }
+  sha1(data) {
+    return import_crypto4.default.createHash("sha1").update(data).digest();
+  }
+  hashAuth(email, password) {
+    return this.sha256(Buffer.concat([this.sha1(Buffer.from(email.normalize("NFKC"))), this.sha1(Buffer.from(password.normalize("NFKC")))]));
+  }
+};
+_TapoApi.TP_TEST_USER = "test@tp-link.net";
+_TapoApi.TP_TEST_PASSWORD = "test";
+var TapoApi = _TapoApi;
+var DeviceSession = class _DeviceSession {
+  constructor(timeout, ip, cookie, cipher) {
+    this.ip = ip;
+    this.cookie = cookie;
+    this.cipher = cipher;
+    this.handshakeCompleted = false;
+    this.rawTimeout = timeout;
+    this.expireAt = new Date(Date.now() + parseInt(timeout) * 1e3);
+    if (cipher) {
+      this.handshakeCompleted = true;
+    }
+  }
+  get IsExpired() {
+    return this.expireAt.getTime() - Date.now() <= 40 * 1e3;
+  }
+  get Cookie() {
+    return this.cookie;
+  }
+  completeHandshake(ip, cipher) {
+    return new _DeviceSession(this.rawTimeout, ip, this.cookie, cipher);
   }
 };
 
@@ -444,7 +603,7 @@ var discover = (config) => __async(void 0, null, function* () {
   const getDeviceRequest = {
     method: "getDeviceList"
   };
-  const response = yield (0, import_axios3.default)({
+  const response = yield (0, import_axios2.default)({
     method: "post",
     url: `${api._baseUrl}?token=${token}`,
     data: getDeviceRequest

package/dist/index.mjs

@@ -46,65 +46,14 @@ import findLocalDevices from "local-devices";
 
 // src/shared/cipher.ts
 import crypto from "crypto";
-import util from "util";
-var RSA_CIPHER_ALGORITHM = "rsa";
-var AES_CIPHER_ALGORITHM = "aes-128-cbc";
-var PASSPHRASE = "top secret";
-var generateKeyPair = () => __async(void 0, null, function* () {
-  const RSA_OPTIONS = {
-    modulusLength: 1024,
-    publicKeyEncoding: {
-      type: "spki",
-      format: "pem"
-    },
-    privateKeyEncoding: {
-      type: "pkcs1",
-      format: "pem",
-      cipher: "aes-256-cbc",
-      passphrase: PASSPHRASE
-    }
-  };
-  const generateKeyPair2 = util.promisify(crypto.generateKeyPair);
-  return generateKeyPair2(RSA_CIPHER_ALGORITHM, RSA_OPTIONS);
-});
-var encrypt = (data, deviceKey) => {
-  var cipher = crypto.createCipheriv(AES_CIPHER_ALGORITHM, deviceKey.key, deviceKey.iv);
-  var ciphertext = cipher.update(Buffer.from(JSON.stringify(data)));
-  return Buffer.concat([ciphertext, cipher.final()]).toString("base64");
-};
-var decrypt = (data, deviceKey) => {
-  var cipher = crypto.createDecipheriv(AES_CIPHER_ALGORITHM, deviceKey.key, deviceKey.iv);
-  var ciphertext = cipher.update(Buffer.from(data, "base64"));
-  return JSON.parse(Buffer.concat([ciphertext, cipher.final()]).toString());
-};
-var readDeviceKey = (pemKey, privateKey) => {
-  const keyBytes = Buffer.from(pemKey, "base64");
-  const deviceKey = crypto.privateDecrypt(
-    {
-      key: privateKey,
-      padding: crypto.constants.RSA_PKCS1_PADDING,
-      passphrase: PASSPHRASE
-    },
-    keyBytes
-  );
-  return deviceKey;
-};
-var base64Encode = (data) => {
-  return Buffer.from(data).toString("base64");
-};
 var base64Decode = (data) => {
   return Buffer.from(data, "base64").toString();
 };
-var shaDigest = (data) => {
-  var shasum = crypto.createHash("sha1");
-  shasum.update(data);
-  return shasum.digest("hex");
-};
 
 // src/shared/helpers.ts
-import axios from "axios";
 var throwErrorIfFound = (responseData) => {
   const errorCode = responseData["error_code"];
+  console.debug("[Tapo] errorCode: ", errorCode);
   if (errorCode) {
     switch (errorCode) {
       case 0:
@@ -130,64 +79,9 @@ var throwErrorIfFound = (responseData) => {
     }
   }
 };
-var handshake = (deviceIp) => __async(void 0, null, function* () {
-  var _a, _b, _c, _d;
-  const keyPair = yield generateKeyPair();
-  const handshakeRequest = {
-    method: "handshake",
-    params: {
-      key: keyPair.publicKey
-    }
-  };
-  const response = yield (globalThis.nodeAxios ? globalThis.nodeAxios : axios)({
-    method: "post",
-    url: `http://${deviceIp}/app`,
-    data: handshakeRequest,
-    timeout: 3e3
-  });
-  throwErrorIfFound(response.data);
-  let setCookieHeader;
-  if (response.headers["set-cookie"]) {
-    setCookieHeader = (_b = (_a = response.headers["set-cookie"]) == null ? void 0 : _a[0]) != null ? _b : response.headers["set-cookie"];
-  } else if (response.headers["bypass-cookie"]) {
-    setCookieHeader = (_d = (_c = response.headers["bypass-cookie"]) == null ? void 0 : _c[0]) != null ? _d : response.headers["bypass-cookie"];
-  } else {
-    setCookieHeader = response.headers.get("set-cookie");
-  }
-  const sessionCookie = setCookieHeader.substring(0, setCookieHeader.indexOf(";"));
-  const deviceKey = readDeviceKey(response.data.result.key, keyPair.privateKey);
-  return {
-    key: deviceKey.subarray(0, 16),
-    iv: deviceKey.subarray(16, 32),
-    deviceIp,
-    sessionCookie
-  };
-});
-var securePassthrough = (deviceRequest, deviceKey) => __async(void 0, null, function* () {
-  const encryptedRequest = encrypt(deviceRequest, deviceKey);
-  const securePassthroughRequest = {
-    method: "securePassthrough",
-    params: {
-      request: encryptedRequest
-    }
-  };
-  const response = yield (globalThis.nodeAxios ? globalThis.nodeAxios : axios)({
-    method: "post",
-    url: `http://${deviceKey.deviceIp}/app?token=${deviceKey.token}`,
-    data: securePassthroughRequest,
-    timeout: 3e3,
-    headers: {
-      Cookie: deviceKey.sessionCookie
-    }
-  });
-  throwErrorIfFound(response.data);
-  const decryptedResponse = decrypt(response.data.result.response, deviceKey);
-  throwErrorIfFound(decryptedResponse);
-  return decryptedResponse.result;
-});
 
 // src/tapo-api.ts
-import axios2 from "axios";
+import axios from "axios";
 
 // src/lightstate.ts
 import { isTruly, isFunction, rgb2hsv } from "@lumiastream/lumia-rgb-utils";
@@ -304,14 +198,140 @@ var LightState = class extends SuperState {
 };
 
 // src/tapo-api.ts
-import { fetchWork } from "@lumiastream/fetch-cove";
 import { uuidv4 } from "@lumiastream/lumia-rgb-utils";
-var TapoApi = class {
+
+// src/shared/tplink-cypher.ts
+import crypto2 from "crypto";
+var TpLinkCipher = class {
+  constructor(key, iv) {
+    this.key = key;
+    this.iv = iv;
+  }
+  static toBase64(data) {
+    return Buffer.from(data.normalize("NFKC"), "utf-8").toString("base64");
+  }
+  static encodeUsername(data) {
+    const sha = crypto2.createHash("sha1");
+    sha.update(data.normalize("NFKC"));
+    return sha.digest("hex");
+  }
+  static createKeyPair() {
+    return new Promise((resolve, reject) => {
+      crypto2.generateKeyPair(
+        "rsa",
+        {
+          modulusLength: 1024
+        },
+        (err, publicK, privateK) => {
+          if (err) {
+            return reject(err);
+          }
+          const pub = publicK.export({
+            format: "pem",
+            type: "spki"
+          }).toString("base64");
+          const priv = privateK.export({
+            format: "pem",
+            type: "pkcs1"
+          }).toString("base64");
+          resolve({
+            public: pub,
+            private: priv
+          });
+        }
+      );
+    });
+  }
+  encrypt(data) {
+    const cipher = crypto2.createCipheriv("aes-128-cbc", this.key, this.iv);
+    const encrypted = cipher.update(data, "utf8", "base64");
+    return `${encrypted}${cipher.final("base64")}`;
+  }
+  decrypt(data) {
+    const decipher = crypto2.createDecipheriv("aes-128-cbc", this.key, this.iv);
+    const decrypted = decipher.update(data, "base64", "utf8");
+    return `${decrypted}${decipher.final("utf8")}`;
+  }
+};
+
+// src/tapo-api.ts
+import crypto4 from "crypto";
+import http from "http";
+
+// src/shared/klap-cipher.ts
+import crypto3 from "crypto";
+var KlapCipher = class {
+  constructor(localSeed, remoteSeed, authHash) {
+    const { iv, seq } = this.ivDerive(localSeed, remoteSeed, authHash);
+    this.key = this.keyDerive(localSeed, remoteSeed, authHash);
+    this.sig = this.sigDerive(localSeed, remoteSeed, authHash);
+    this.iv = iv;
+    this.seq = seq;
+  }
+  encrypt(msg) {
+    this.seq += 1;
+    if (typeof msg === "string") {
+      msg = Buffer.from(msg, "utf8");
+    }
+    if (!Buffer.isBuffer(msg)) {
+      throw new Error("msg must be a string or buffer");
+    }
+    const cipher = crypto3.createCipheriv("aes-128-cbc", this.key, this.ivSeq());
+    const cipherText = Buffer.concat([cipher.update(msg), cipher.final()]);
+    const seqBuffer = Buffer.alloc(4);
+    seqBuffer.writeInt32BE(this.seq, 0);
+    const hash = crypto3.createHash("sha256");
+    hash.update(Buffer.concat([this.sig, seqBuffer, cipherText]));
+    const signature = hash.digest();
+    return {
+      encrypted: Buffer.concat([signature, cipherText]),
+      seq: this.seq
+    };
+  }
+  decrypt(msg) {
+    if (!Buffer.isBuffer(msg)) {
+      throw new Error("msg must be a buffer");
+    }
+    const decipher = crypto3.createDecipheriv("aes-128-cbc", this.key, this.ivSeq());
+    const decrypted = Buffer.concat([decipher.update(msg.subarray(32)), decipher.final()]);
+    return decrypted.toString("utf8");
+  }
+  keyDerive(l, r, h) {
+    const payload = Buffer.concat([Buffer.from("lsk"), l, r, h]);
+    const hash = crypto3.createHash("sha256").update(payload).digest();
+    return hash.subarray(0, 16);
+  }
+  ivDerive(l, r, h) {
+    const payload = Buffer.concat([Buffer.from("iv"), l, r, h]);
+    const fullIv = crypto3.createHash("sha256").update(payload).digest();
+    const seq = fullIv.subarray(-4).readInt32BE(0);
+    return { iv: fullIv.subarray(0, 12), seq };
+  }
+  sigDerive(l, r, h) {
+    const payload = Buffer.concat([Buffer.from("ldk"), l, r, h]);
+    const hash = crypto3.createHash("sha256").update(payload).digest();
+    return hash.subarray(0, 28);
+  }
+  ivSeq() {
+    const seq = Buffer.alloc(4);
+    seq.writeInt32BE(this.seq, 0);
+    const iv = Buffer.concat([this.iv, seq]);
+    if (iv.length !== 16) {
+      throw new Error("Length of iv is not 16");
+    }
+    return iv;
+  }
+};
+
+// src/tapo-api.ts
+var _TapoApi = class _TapoApi {
   constructor(config) {
     this._baseUrl = "https://eu-wap.tplinkcloud.com/";
-    // https://n-euw1-wap-gw.tplinkcloud.com
-    this._baseTapoCareUrl = "https://euw1-app-tapo-care.i.tplinknbu.com";
     this._config = {
+      rawEmail: "",
+      rawPassword: "",
+      email: "",
+      password: "",
       authToken: null,
       timeout: 1e4,
       httpTimeout: 4e3
@@ -328,7 +348,7 @@ var TapoApi = class {
           terminalUUID: uuidv4()
         }
       };
-      const response = yield axios2({
+      const response = yield axios({
         method: "post",
         url: this._baseUrl,
         data: loginRequest
@@ -339,65 +359,204 @@ var TapoApi = class {
     });
     this.setup = (_0) => __async(this, [_0], function* ({ email, password, devices }) {
       const promises = devices.map((device) => __async(this, null, function* () {
-        const deviceKey = yield handshake(device.host);
-        const loginDeviceRequest = {
-          method: "login_device",
-          params: {
-            username: base64Encode(shaDigest(email)),
-            password: base64Encode(password)
-          },
-          requestTimeMils: 0
-        };
-        const loginDeviceResponse = yield securePassthrough(loginDeviceRequest, deviceKey);
-        deviceKey.token = loginDeviceResponse.token;
-        this._devices.set(device.id, deviceKey);
+        const deviceSession = yield this.handshake(device.host);
+        this._devices.set(device.id, deviceSession);
         return;
       }));
-      yield Promise.allSettled(promises);
+      try {
+        const responses = yield Promise.allSettled(promises);
+      } catch (err) {
+        console.error("tapo setup err: ", err);
+      }
       return this._devices;
     });
     // Change state using lightstate
-    this.sendState = (config) => {
+    this.sendState = (config) => __async(this, null, function* () {
       const deviceKey = this._devices.get(config.device.id);
+      if (!deviceKey) {
+        return Promise.resolve(false);
+      }
+      yield this.handshake(deviceKey == null ? void 0 : deviceKey.ip, false);
       let shouldWait = false;
       if (config.fetchConfig && config.fetchConfig.shouldWait) {
         shouldWait = true;
       }
-      if (!deviceKey) {
-        return Promise.resolve(false);
-      }
       const values = config.state.getValues();
-      const deviceRequest = {
+      const deviceRequest = JSON.stringify({
         method: "set_device_info",
-        params: values,
-        terminalUUID: uuidv4()
-      };
-      const encryptedRequest = encrypt(deviceRequest, deviceKey);
-      const securePassthroughRequest = {
-        method: "securePassthrough",
-        params: {
-          request: encryptedRequest
-        }
-      };
-      return fetchWork({
-        url: `http://${deviceKey.deviceIp}/app?token=${deviceKey.token}`,
-        data: {
-          method: "POST",
-          body: securePassthroughRequest,
-          headers: {
-            Cookie: deviceKey.sessionCookie,
-            BypassCookie: deviceKey.sessionCookie
-          }
-        },
-        shouldWait
+        params: values
+        // terminalUUID: uuidv4(),
       });
-    };
+      const requestData = this.session.cipher.encrypt(deviceRequest);
+      const response = yield this.sessionPost(deviceKey.ip, "/request", requestData.encrypted, "arraybuffer", this.session.Cookie, {
+        seq: requestData.seq.toString()
+      });
+      if (response.status !== 200) {
+        throw new Error("[KLAP] Request failed");
+      }
+      const data = JSON.parse(this.session.cipher.decrypt(response.data));
+      return {
+        response,
+        body: data
+      };
+    });
     this.sendPower = (config) => {
       this.sendState({ device: config.device, state: new LightState({ on: config.power }) });
     };
-    this.axiosInstance = axios2.create();
+    this.axiosInstance = axios.create();
     this.axiosInstance.defaults.timeout = (config == null ? void 0 : config.httpTimeout) || 4e3;
     this._config = __spreadValues(__spreadValues({}, this._config), config);
+    this._config.rawEmail = this._config.email;
+    this._config.rawPassword = this._config.password;
+    this._config.email = TpLinkCipher.toBase64(TpLinkCipher.encodeUsername(this._config.email));
+    this._config.password = TpLinkCipher.toBase64(this._config.password);
+    this.terminalUUID = crypto4.randomUUID();
+  }
+  // Helpers
+  sessionPost(deviceIp, path, payload, responseType, cookie, params) {
+    return __async(this, null, function* () {
+      return axios.post(`http://${deviceIp}/app${path}`, payload, {
+        responseType,
+        params,
+        headers: __spreadValues({
+          Accept: "*/*",
+          "Content-Type": "application/octet-stream"
+        }, cookie && {
+          Cookie: cookie
+        }),
+        httpAgent: new http.Agent({
+          keepAlive: false
+        })
+      });
+    });
+  }
+  needsNewHandshake() {
+    if (!this.session) {
+      return true;
+    }
+    if (!this.session.cipher) {
+      return true;
+    }
+    if (this.session.IsExpired) {
+      return true;
+    }
+    if (!this.session.Cookie) {
+      return true;
+    }
+    return false;
+  }
+  handshake(deviceIp, force = false) {
+    return __async(this, null, function* () {
+      if (!this.needsNewHandshake() && !force) {
+        return;
+      }
+      const { localSeed, remoteSeed, authHash } = yield this.firstHandshake(deviceIp);
+      return yield this.secondHandshake(deviceIp, localSeed, remoteSeed, authHash);
+    });
+  }
+  firstHandshake(deviceIp, seed) {
+    return __async(this, null, function* () {
+      var _a;
+      const localSeed = seed ? seed : crypto4.randomBytes(16);
+      const handshake1Result = yield this.sessionPost(deviceIp, "/handshake1", localSeed, "arraybuffer");
+      if (handshake1Result.status !== 200) {
+        throw new Error("Handshake1 failed");
+      }
+      if (handshake1Result.headers["content-length"] !== "48") {
+        throw new Error("Handshake1 failed due to invalid content length");
+      }
+      const cookie = (_a = handshake1Result.headers["set-cookie"]) == null ? void 0 : _a[0];
+      const data = handshake1Result.data;
+      const [cookieValue, timeout] = cookie.split(";");
+      const timeoutValue = timeout.split("=").pop();
+      this.session = new DeviceSession(timeoutValue, deviceIp, cookieValue);
+      const remoteSeed = data.subarray(0, 16);
+      const serverHash = data.subarray(16);
+      console.debug("[KLAP] First handshake decoded successfully:\nRemote Seed:", remoteSeed.toString("hex"), "\nServer Hash:", serverHash.toString("hex"), "\nCookie:", cookieValue);
+      const localHash = this.hashAuth(this._config.rawEmail, this._config.rawPassword);
+      const localAuthHash = this.sha256(Buffer.concat([localSeed, remoteSeed, localHash]));
+      if (Buffer.compare(localAuthHash, serverHash) === 0) {
+        console.debug("[KLAP] Local auth hash matches server hash");
+        return {
+          localSeed,
+          remoteSeed,
+          authHash: localHash
+        };
+      }
+      const emptyHash = this.sha256(Buffer.concat([localSeed, remoteSeed, this.hashAuth("", "")]));
+      if (Buffer.compare(emptyHash, serverHash) === 0) {
+        console.debug("[KLAP] [WARN] Empty auth hash matches server hash");
+        return {
+          localSeed,
+          remoteSeed,
+          authHash: emptyHash
+        };
+      }
+      const testHash = this.sha256(Buffer.concat([localSeed, remoteSeed, this.hashAuth(_TapoApi.TP_TEST_USER, _TapoApi.TP_TEST_PASSWORD)]));
+      if (Buffer.compare(testHash, serverHash) === 0) {
+        console.debug("[KLAP] [WARN] Test auth hash matches server hash");
+        return {
+          localSeed,
+          remoteSeed,
+          authHash: testHash
+        };
+      }
+      this.session = void 0;
+      throw new Error("Failed to verify server hash");
+    });
+  }
+  secondHandshake(deviceIp, localSeed, remoteSeed, authHash) {
+    return __async(this, null, function* () {
+      const localAuthHash = this.sha256(Buffer.concat([remoteSeed, localSeed, authHash]));
+      try {
+        const handshake2Result = yield this.sessionPost(deviceIp, "/handshake2", localAuthHash, "text", this.session.Cookie);
+        if (handshake2Result.status === 200) {
+          console.debug("[KLAP] Second handshake successful");
+          const deviceSession = this.session.completeHandshake(deviceIp, new KlapCipher(localSeed, remoteSeed, authHash));
+          this.session = deviceSession;
+          return deviceSession;
+        }
+        console.warn("[KLAP] Second handshake failed", handshake2Result.data);
+      } catch (e) {
+        console.error("[KLAP] Second handshake failed:", e.response.data || e.message);
+      }
+      this.session = void 0;
+      return void 0;
+    });
+  }
+  sha256(data) {
+    return crypto4.createHash("sha256").update(data).digest();
+  }
+  sha1(data) {
+    return crypto4.createHash("sha1").update(data).digest();
+  }
+  hashAuth(email, password) {
+    return this.sha256(Buffer.concat([this.sha1(Buffer.from(email.normalize("NFKC"))), this.sha1(Buffer.from(password.normalize("NFKC")))]));
+  }
+};
+_TapoApi.TP_TEST_USER = "test@tp-link.net";
+_TapoApi.TP_TEST_PASSWORD = "test";
+var TapoApi = _TapoApi;
+var DeviceSession = class _DeviceSession {
+  constructor(timeout, ip, cookie, cipher) {
+    this.ip = ip;
+    this.cookie = cookie;
+    this.cipher = cipher;
+    this.handshakeCompleted = false;
+    this.rawTimeout = timeout;
+    this.expireAt = new Date(Date.now() + parseInt(timeout) * 1e3);
+    if (cipher) {
+      this.handshakeCompleted = true;
+    }
+  }
+  get IsExpired() {
+    return this.expireAt.getTime() - Date.now() <= 40 * 1e3;
+  }
+  get Cookie() {
+    return this.cookie;
+  }
+  completeHandshake(ip, cipher) {
+    return new _DeviceSession(this.rawTimeout, ip, this.cookie, cipher);
   }
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lumiastream/tapo-cove",
-  "version": "3.11.0",
+  "version": "3.12.1",
   "private": false,
   "license": "GPL",
   "main": "dist/index.js",
@@ -11,17 +11,18 @@
     "lint": "tsc"
   },
   "dependencies": {
-    "@lumiastream/fetch-cove": "^3.11.0",
+    "@lumiastream/fetch-cove": "^3.12.0",
     "@lumiastream/lumia-rgb-types": "^3.11.0",
     "@lumiastream/lumia-rgb-utils": "^3.11.0",
     "axios": "^1.4.0",
+    "crypto": "1.0.1",
     "local-devices": "^4.0.0"
   },
   "devDependencies": {
-    "@types/node": "*",
+    "@types/node": "20.8.7",
     "tsconfig": "*",
     "tsup": "*",
     "typescript": "*"
   },
-  "gitHead": "e1fff4a873e1dd9725e2d22e6ed23fb81569547f"
+  "gitHead": "8b0ab0a76cd60e2e5b79e6279033c53406c3667f"
 }