@tgoliveira/vault-core 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +77 -0
- package/API_REFERENCE.md +196 -26
- package/ARCHITECTURE.md +5 -0
- package/CHANGELOG.md +51 -0
- package/MIGRATION_FROM_LIQSENSE.md +3 -1
- package/PASSKEY_PRF_ENVELOPES.md +2 -1
- package/PASSWORD_ENVELOPES.md +3 -1
- package/README.md +42 -2
- package/RECOVERY_PHRASE.md +2 -1
- package/SECURITY.md +22 -2
- package/dist/browser.d.ts +12 -1
- package/dist/browser.d.ts.map +1 -1
- package/dist/browser.js +46 -18
- package/dist/browser.js.map +1 -1
- package/dist/envelopes/passkey-prf.d.ts +3 -3
- package/dist/envelopes/passkey-prf.d.ts.map +1 -1
- package/dist/envelopes/passkey-prf.js +7 -5
- package/dist/envelopes/passkey-prf.js.map +1 -1
- package/dist/envelopes/password.d.ts +1 -1
- package/dist/envelopes/password.d.ts.map +1 -1
- package/dist/envelopes/password.js +3 -1
- package/dist/envelopes/password.js.map +1 -1
- package/dist/envelopes/recovery.d.ts +2 -2
- package/dist/envelopes/recovery.d.ts.map +1 -1
- package/dist/envelopes/recovery.js +15 -6
- package/dist/envelopes/recovery.js.map +1 -1
- package/dist/kdf/argon2id.d.ts.map +1 -1
- package/dist/kdf/argon2id.js +15 -2
- package/dist/kdf/argon2id.js.map +1 -1
- package/dist/kdf/params.d.ts +24 -0
- package/dist/kdf/params.d.ts.map +1 -1
- package/dist/kdf/params.js +22 -0
- package/dist/kdf/params.js.map +1 -1
- package/dist/payload/encrypted-payload.d.ts +4 -2
- package/dist/payload/encrypted-payload.d.ts.map +1 -1
- package/dist/payload/encrypted-payload.js +3 -1
- package/dist/payload/encrypted-payload.js.map +1 -1
- package/dist/react/session/use-vault-session.d.ts +1 -0
- package/dist/react/session/use-vault-session.d.ts.map +1 -1
- package/dist/react/session/use-vault-session.js +7 -2
- package/dist/react/session/use-vault-session.js.map +1 -1
- package/dist/react/session/vault-session-provider.d.ts +2 -1
- package/dist/react/session/vault-session-provider.d.ts.map +1 -1
- package/dist/react/session/vault-session-provider.js +7 -2
- package/dist/react/session/vault-session-provider.js.map +1 -1
- package/dist/session/auto-lock.d.ts +2 -1
- package/dist/session/auto-lock.d.ts.map +1 -1
- package/dist/session/auto-lock.js +15 -1
- package/dist/session/auto-lock.js.map +1 -1
- package/dist/validation/aad-assert.d.ts +5 -3
- package/dist/validation/aad-assert.d.ts.map +1 -1
- package/dist/validation/aad-assert.js +15 -8
- package/dist/validation/aad-assert.js.map +1 -1
- package/dist/validation/plaintext-reject.d.ts.map +1 -1
- package/dist/validation/plaintext-reject.js +18 -4
- package/dist/validation/plaintext-reject.js.map +1 -1
- package/dist/validation/schemas.d.ts +148 -56
- package/dist/validation/schemas.d.ts.map +1 -1
- package/dist/validation/schemas.js +29 -10
- package/dist/validation/schemas.js.map +1 -1
- package/docs/ADOPTING_VAULT_CORE_IN_EXISTING_APPS.md +575 -0
- package/docs/IMPLEMENTATION_GUIDE.md +577 -0
- package/docs/README.md +30 -0
- package/docs/RELEASING.md +102 -0
- package/package.json +10 -3
package/dist/browser.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"browser.js","sourceRoot":"","sources":["../src/browser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACrE,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,4BAA4B,CAAC;AAEpC,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,KAAK,GAAG,cAAc,CAAC,aAAa,CAAC,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,OAAe,EACf,QAAgB;IAEhB,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO;IAC1C,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,0BAA0B,EAAE,CAAC,CAAC;IACvE,MAAM,GAAG,GAAG,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,CAAC,IAAI,GAAG,GAAG,CAAC;IAClB,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,MAAM,CAAC,KAAK,EAAE,CAAC;IACf,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,OAAe;IACrD,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO;IAC1C,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,0CAA0C,CAAC,CAAC;IAC1F,IAAI,CAAC,WAAW;QAAE,OAAO;IACzB,WAAW,CAAC,QAAQ,CAAC,KAAK,CACxB,yEAAyE,UAAU,CAAC,OAAO,CAAC,QAAQ,CACrG,CAAC;IACF,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;IAC7B,WAAW,CAAC,KAAK,EAAE,CAAC;IACpB,WAAW,CAAC,KAAK,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC3B,CAAC;
|
|
1
|
+
{"version":3,"file":"browser.js","sourceRoot":"","sources":["../src/browser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACrE,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,4BAA4B,CAAC;AAEpC,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,KAAK,GAAG,cAAc,CAAC,aAAa,CAAC,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,OAAe,EACf,QAAgB;IAEhB,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO;IAC1C,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,0BAA0B,EAAE,CAAC,CAAC;IACvE,MAAM,GAAG,GAAG,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,CAAC,IAAI,GAAG,GAAG,CAAC;IAClB,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,MAAM,CAAC,KAAK,EAAE,CAAC;IACf,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,OAAe;IACrD,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO;IAC1C,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,0CAA0C,CAAC,CAAC;IAC1F,IAAI,CAAC,WAAW;QAAE,OAAO;IACzB,WAAW,CAAC,QAAQ,CAAC,KAAK,CACxB,yEAAyE,UAAU,CAAC,OAAO,CAAC,QAAQ,CACrG,CAAC;IACF,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;IAC7B,WAAW,CAAC,KAAK,EAAE,CAAC;IACpB,WAAW,CAAC,KAAK,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC3B,CAAC;AAID,MAAM,UAAU,yBAAyB,CACvC,aAAqB;IAErB,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,YAAY,KAAK,WAAW,EAAE,CAAC;QACzE,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,IAAI,CAAC;QACH,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAChC,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;gBAClC,OAAO,OAAO,CAAC;YACjB,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,aAAa,CAAC;IACvB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,aAAqB;IAErB,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,SAAS,KAAK,WAAW,EAAE,CAAC;QACtE,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,OAA+C,CAAC;QACpD,IAAI,CAAC;YACH,OAAO,GAAG,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,aAAa,CAAC,CAAC;YACvB,OAAO;QACT,CAAC;QACD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,aAAa,CAAC,CAAC;YACvB,OAAO;QACT,CAAC;QACD,KAAK,OAAO;aACT,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;YAClB,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;YAC9E,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oCAAoC,CAAC,aAAqB;IACxE,OAAO,yBAAyB,CAAC,aAAa,CAAC,KAAK,OAAO,CAAC;AAC9D,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,aAAqB;IAC3E,OAAO,CAAC,MAAM,sBAAsB,CAAC,aAAa,CAAC,CAAC,KAAK,OAAO,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;AAC9F,CAAC;AAED,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,uBAAuB,GACxB,CAAC;AAEF,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,EACvB,qBAAqB,EACrB,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,wBAAwB,EACxB,0BAA0B,EAC1B,wBAAwB,EACxB,0BAA0B,EAC1B,2BAA2B,EAC3B,kBAAkB,EAClB,eAAe,GAEhB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC"}
|
|
@@ -5,14 +5,14 @@ export declare function isPrfExtensionSupported(): boolean;
|
|
|
5
5
|
export declare function extractPasskeyPrfOutput(clientExtensionResults: Record<string, unknown>): Uint8Array | null;
|
|
6
6
|
type WrapScope = Pick<VaultAadScope, "userId" | "resourceId">;
|
|
7
7
|
export declare function createPasskeyPrfEnvelope(vaultKey: CryptoKey, prfOutput: Uint8Array, scope: WrapScope, profile: VaultCryptoProfile, publicMetadata?: Record<string, unknown>): Promise<PasskeyPrfEnvelope>;
|
|
8
|
-
export declare function unwrapVaultKeyFromPasskey(encryptedVaultKey: EncryptedVaultPayload, prfOutput: Uint8Array): Promise<CryptoKey>;
|
|
8
|
+
export declare function unwrapVaultKeyFromPasskey(encryptedVaultKey: EncryptedVaultPayload, prfOutput: Uint8Array, expectedScope: WrapScope, profile: VaultCryptoProfile): Promise<CryptoKey>;
|
|
9
9
|
export declare function unlockWithPasskeyPrfEnvelope(envelope: PasskeyPrfEnvelope | {
|
|
10
10
|
encryptedVaultKey: EncryptedVaultPayload;
|
|
11
|
-
}, prfOutput: Uint8Array | null, options?: {
|
|
11
|
+
}, prfOutput: Uint8Array | null, expectedScope: WrapScope, profile: VaultCryptoProfile, options?: {
|
|
12
12
|
prfRequired?: boolean;
|
|
13
13
|
}): Promise<CryptoKey>;
|
|
14
14
|
/** @deprecated Use unlockWithPasskeyPrfEnvelope */
|
|
15
|
-
export declare function unlockVaultFromPasskeyEnvelope(encryptedVaultKeyOrEnvelope: EncryptedVaultPayload | PasskeyPrfEnvelope, prfOutput: Uint8Array | null, options?: {
|
|
15
|
+
export declare function unlockVaultFromPasskeyEnvelope(encryptedVaultKeyOrEnvelope: EncryptedVaultPayload | PasskeyPrfEnvelope, prfOutput: Uint8Array | null, expectedScope: WrapScope, profile: VaultCryptoProfile, options?: {
|
|
16
16
|
prfRequired?: boolean;
|
|
17
17
|
}): Promise<CryptoKey>;
|
|
18
18
|
/** @deprecated Use createPasskeyPrfEnvelope */
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"passkey-prf.d.ts","sourceRoot":"","sources":["../../src/envelopes/passkey-prf.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC1F,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"passkey-prf.d.ts","sourceRoot":"","sources":["../../src/envelopes/passkey-prf.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC1F,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAcvE,wBAAgB,kBAAkB,IAAI,OAAO,CAG5C;AAED,wBAAgB,uBAAuB,IAAI,OAAO,CAIjD;AAED,wBAAgB,uBAAuB,CACrC,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9C,UAAU,GAAG,IAAI,CAKnB;AAaD,KAAK,SAAS,GAAG,IAAI,CAAC,aAAa,EAAE,QAAQ,GAAG,YAAY,CAAC,CAAC;AAE9D,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,SAAS,EACnB,SAAS,EAAE,UAAU,EACrB,KAAK,EAAE,SAAS,EAChB,OAAO,EAAE,kBAAkB,EAC3B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACvC,OAAO,CAAC,kBAAkB,CAAC,CAqB7B;AAED,wBAAsB,yBAAyB,CAC7C,iBAAiB,EAAE,qBAAqB,EACxC,SAAS,EAAE,UAAU,EACrB,aAAa,EAAE,SAAS,EACxB,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,SAAS,CAAC,CAQpB;AAED,wBAAsB,4BAA4B,CAChD,QAAQ,EAAE,kBAAkB,GAAG;IAAE,iBAAiB,EAAE,qBAAqB,CAAA;CAAE,EAC3E,SAAS,EAAE,UAAU,GAAG,IAAI,EAC5B,aAAa,EAAE,SAAS,EACxB,OAAO,EAAE,kBAAkB,EAC3B,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAA;CAAE,GAClC,OAAO,CAAC,SAAS,CAAC,CA2BpB;AAED,mDAAmD;AACnD,wBAAsB,8BAA8B,CAClD,2BAA2B,EAAE,qBAAqB,GAAG,kBAAkB,EACvE,SAAS,EAAE,UAAU,GAAG,IAAI,EAC5B,aAAa,EAAE,SAAS,EACxB,OAAO,EAAE,kBAAkB,EAC3B,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAA;CAAE,GAClC,OAAO,CAAC,SAAS,CAAC,CAMpB;AAED,+CAA+C;AAC/C,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,SAAS,EACnB,SAAS,EAAE,UAAU,EACrB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,kBAAkB,EAC3B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACvC,OAAO,CAAC,qBAAqB,CAAC,CAShC;AAED,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC"}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import { PasskeyPrfRequiredError, PasskeyUnlockError } from "../errors/vault-errors.js";
|
|
2
2
|
import { encryptField, decryptField, exportAesKey, importAesKey } from "../crypto/aes-gcm.js";
|
|
3
3
|
import { bytesToBase64Url, base64UrlToBytes, toBufferSource } from "../crypto/encoding.js";
|
|
4
|
+
import { assertVaultKeyAad } from "../validation/aad-assert.js";
|
|
4
5
|
export function isPasskeySupported() {
|
|
5
6
|
return typeof globalThis !== "undefined" &&
|
|
6
7
|
typeof globalThis.PublicKeyCredential !== "undefined";
|
|
@@ -39,15 +40,16 @@ export async function createPasskeyPrfEnvelope(vaultKey, prfOutput, scope, profi
|
|
|
39
40
|
publicMetadata,
|
|
40
41
|
};
|
|
41
42
|
}
|
|
42
|
-
export async function unwrapVaultKeyFromPasskey(encryptedVaultKey, prfOutput) {
|
|
43
|
+
export async function unwrapVaultKeyFromPasskey(encryptedVaultKey, prfOutput, expectedScope, profile) {
|
|
43
44
|
if (prfOutput.byteLength < 32) {
|
|
44
45
|
throw new Error("PRF output must be at least 32 bytes");
|
|
45
46
|
}
|
|
47
|
+
assertVaultKeyAad(expectedScope, encryptedVaultKey, profile);
|
|
46
48
|
const prfKey = await importPrfAsAesKey(prfOutput);
|
|
47
49
|
const keyBytes = base64UrlToBytes(await decryptField(encryptedVaultKey, prfKey));
|
|
48
50
|
return importAesKey(keyBytes);
|
|
49
51
|
}
|
|
50
|
-
export async function unlockWithPasskeyPrfEnvelope(envelope, prfOutput, options) {
|
|
52
|
+
export async function unlockWithPasskeyPrfEnvelope(envelope, prfOutput, expectedScope, profile, options) {
|
|
51
53
|
const prfRequired = options?.prfRequired ?? true;
|
|
52
54
|
if (prfRequired && !prfOutput) {
|
|
53
55
|
throw new PasskeyPrfRequiredError("This passkey requires browser PRF support to unlock your vault. Use your vault password or recovery phrase.");
|
|
@@ -56,18 +58,18 @@ export async function unlockWithPasskeyPrfEnvelope(envelope, prfOutput, options)
|
|
|
56
58
|
throw new PasskeyUnlockError("Could not unlock your vault with this passkey. Use your vault password or recovery phrase.");
|
|
57
59
|
}
|
|
58
60
|
try {
|
|
59
|
-
return await unwrapVaultKeyFromPasskey(envelope.encryptedVaultKey, prfOutput);
|
|
61
|
+
return await unwrapVaultKeyFromPasskey(envelope.encryptedVaultKey, prfOutput, expectedScope, profile);
|
|
60
62
|
}
|
|
61
63
|
catch {
|
|
62
64
|
throw new PasskeyUnlockError("Could not decrypt your vault with this passkey. Use your vault password or recovery phrase.");
|
|
63
65
|
}
|
|
64
66
|
}
|
|
65
67
|
/** @deprecated Use unlockWithPasskeyPrfEnvelope */
|
|
66
|
-
export async function unlockVaultFromPasskeyEnvelope(encryptedVaultKeyOrEnvelope, prfOutput, options) {
|
|
68
|
+
export async function unlockVaultFromPasskeyEnvelope(encryptedVaultKeyOrEnvelope, prfOutput, expectedScope, profile, options) {
|
|
67
69
|
const envelope = "method" in encryptedVaultKeyOrEnvelope
|
|
68
70
|
? encryptedVaultKeyOrEnvelope
|
|
69
71
|
: { encryptedVaultKey: encryptedVaultKeyOrEnvelope, method: "passkey_prf", kdfMetadata: null };
|
|
70
|
-
return unlockWithPasskeyPrfEnvelope(envelope, prfOutput, options);
|
|
72
|
+
return unlockWithPasskeyPrfEnvelope(envelope, prfOutput, expectedScope, profile, options);
|
|
71
73
|
}
|
|
72
74
|
/** @deprecated Use createPasskeyPrfEnvelope */
|
|
73
75
|
export async function wrapVaultKeyForPasskey(vaultKey, prfOutput, userId, resourceId, profile, publicMetadata) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"passkey-prf.js","sourceRoot":"","sources":["../../src/envelopes/passkey-prf.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AACxF,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"passkey-prf.js","sourceRoot":"","sources":["../../src/envelopes/passkey-prf.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AACxF,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC3F,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAUhE,MAAM,UAAU,kBAAkB;IAChC,OAAO,OAAO,UAAU,KAAK,WAAW;QACtC,OAAO,UAAU,CAAC,mBAAmB,KAAK,WAAW,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,IAAI,CAAC,kBAAkB,EAAE;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,OAAO,mBAAmB,KAAK,WAAW;QAC/C,2BAA2B,IAAI,mBAAmB,CAAC,SAAS,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,sBAA+C;IAE/C,MAAM,GAAG,GAAI,sBAAoD,CAAC,GAAG,CAAC;IACtE,MAAM,KAAK,GAAG,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC;IAClC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IACjD,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,SAAqB;IACpD,MAAM,QAAQ,GAAG,SAAS,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClF,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,cAAc,CAAC,QAAQ,CAAC,EACxB,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAID,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,QAAmB,EACnB,SAAqB,EACrB,KAAgB,EAChB,OAA2B,EAC3B,cAAwC;IAExC,IAAI,SAAS,CAAC,UAAU,GAAG,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,iBAAiB,GAAG,MAAM,YAAY,CAC1C,gBAAgB,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC,EAC9C,MAAM,EACN;QACE,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,KAAK,EAAE,WAAW;KACnB,EACD,OAAO,CACR,CAAC;IACF,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,iBAAiB;QACjB,WAAW,EAAE,IAAI;QACjB,cAAc;KACf,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,iBAAwC,EACxC,SAAqB,EACrB,aAAwB,EACxB,OAA2B;IAE3B,IAAI,SAAS,CAAC,UAAU,GAAG,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IACD,iBAAiB,CAAC,aAAa,EAAE,iBAAiB,EAAE,OAAO,CAAC,CAAC;IAC7D,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,MAAM,YAAY,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC;IACjF,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,QAA2E,EAC3E,SAA4B,EAC5B,aAAwB,EACxB,OAA2B,EAC3B,OAAmC;IAEnC,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,IAAI,CAAC;IAEjD,IAAI,WAAW,IAAI,CAAC,SAAS,EAAE,CAAC;QAC9B,MAAM,IAAI,uBAAuB,CAC/B,6GAA6G,CAC9G,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,kBAAkB,CAC1B,4FAA4F,CAC7F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,yBAAyB,CACpC,QAAQ,CAAC,iBAAiB,EAC1B,SAAS,EACT,aAAa,EACb,OAAO,CACR,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,kBAAkB,CAC1B,6FAA6F,CAC9F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,mDAAmD;AACnD,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,2BAAuE,EACvE,SAA4B,EAC5B,aAAwB,EACxB,OAA2B,EAC3B,OAAmC;IAEnC,MAAM,QAAQ,GACZ,QAAQ,IAAI,2BAA2B;QACrC,CAAC,CAAC,2BAA2B;QAC7B,CAAC,CAAC,EAAE,iBAAiB,EAAE,2BAA2B,EAAE,MAAM,EAAE,aAAsB,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAC5G,OAAO,4BAA4B,CAAC,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAC5F,CAAC;AAED,+CAA+C;AAC/C,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,QAAmB,EACnB,SAAqB,EACrB,MAAc,EACd,UAAkB,EAClB,OAA2B,EAC3B,cAAwC;IAExC,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAC7C,QAAQ,EACR,SAAS,EACT,EAAE,MAAM,EAAE,UAAU,EAAE,EACtB,OAAO,EACP,cAAc,CACf,CAAC;IACF,OAAO,QAAQ,CAAC,iBAAiB,CAAC;AACpC,CAAC;AAED,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC"}
|
|
@@ -8,7 +8,7 @@ export declare function createPasswordEnvelope(vaultKey: CryptoKey, vaultPasswor
|
|
|
8
8
|
export declare function unlockWithPasswordEnvelope(vaultPassword: string, envelope: PasswordEnvelope | {
|
|
9
9
|
encryptedVaultKey: EncryptedVaultPayload;
|
|
10
10
|
kdfMetadata: KdfMetadata;
|
|
11
|
-
}): Promise<CryptoKey>;
|
|
11
|
+
}, expectedScope: WrapScope, profile: VaultCryptoProfile): Promise<CryptoKey>;
|
|
12
12
|
/** @deprecated Use createPasswordEnvelope */
|
|
13
13
|
export declare function wrapVaultKeyForPassword(vaultKey: CryptoKey, vaultPassword: string, scope: WrapScope, profile: VaultCryptoProfile, salt?: Uint8Array): Promise<{
|
|
14
14
|
encryptedVaultKey: EncryptedVaultPayload;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/envelopes/password.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,mBAAmB,EACnB,qBAAqB,EACrB,WAAW,EACX,gBAAgB,EACjB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/envelopes/password.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,mBAAmB,EACnB,qBAAqB,EACrB,WAAW,EACX,gBAAgB,EACjB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AASvE,KAAK,SAAS,GAAG,IAAI,CAAC,aAAa,EAAE,QAAQ,GAAG,YAAY,CAAC,CAAC;AAuB9D,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,SAAS,EACnB,aAAa,EAAE,MAAM,EACrB,KAAK,EAAE,SAAS,EAChB,OAAO,EAAE,kBAAkB,EAC3B,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC;IAAE,QAAQ,EAAE,gBAAgB,CAAC;IAAC,WAAW,EAAE,mBAAmB,CAAA;CAAE,CAAC,CAW3E;AAED,wBAAsB,0BAA0B,CAC9C,aAAa,EAAE,MAAM,EACrB,QAAQ,EAAE,gBAAgB,GAAG;IAAE,iBAAiB,EAAE,qBAAqB,CAAC;IAAC,WAAW,EAAE,WAAW,CAAA;CAAE,EACnG,aAAa,EAAE,SAAS,EACxB,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,SAAS,CAAC,CAOpB;AAED,6CAA6C;AAC7C,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,SAAS,EACnB,aAAa,EAAE,MAAM,EACrB,KAAK,EAAE,SAAS,EAChB,OAAO,EAAE,kBAAkB,EAC3B,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC;IAAE,iBAAiB,EAAE,qBAAqB,CAAC;IAAC,WAAW,EAAE,mBAAmB,CAAA;CAAE,CAAC,CASzF;AAED,iDAAiD;AACjD,eAAO,MAAM,0BAA0B,mCAA6B,CAAC"}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import { encryptField, decryptField, exportAesKey, importAesKey } from "../crypto/aes-gcm.js";
|
|
2
2
|
import { bytesToBase64Url, base64UrlToBytes } from "../crypto/encoding.js";
|
|
3
3
|
import { deriveVaultPasswordKey, deriveVaultPasswordKeyFromMetadata, } from "../kdf/argon2id.js";
|
|
4
|
+
import { assertVaultKeyAad } from "../validation/aad-assert.js";
|
|
4
5
|
async function wrapVaultKeyWithDerivedKey(vaultKey, derivedKey, scope, profile) {
|
|
5
6
|
return encryptField(bytesToBase64Url(await exportAesKey(vaultKey)), derivedKey, {
|
|
6
7
|
userId: scope.userId,
|
|
@@ -24,10 +25,11 @@ export async function createPasswordEnvelope(vaultKey, vaultPassword, scope, pro
|
|
|
24
25
|
kdfMetadata: metadata,
|
|
25
26
|
};
|
|
26
27
|
}
|
|
27
|
-
export async function unlockWithPasswordEnvelope(vaultPassword, envelope) {
|
|
28
|
+
export async function unlockWithPasswordEnvelope(vaultPassword, envelope, expectedScope, profile) {
|
|
28
29
|
if (envelope.kdfMetadata?.kdf !== "argon2id") {
|
|
29
30
|
throw new Error("Vault password envelope requires Argon2id metadata");
|
|
30
31
|
}
|
|
32
|
+
assertVaultKeyAad(expectedScope, envelope.encryptedVaultKey, profile);
|
|
31
33
|
const derivedKey = await deriveVaultPasswordKeyFromMetadata(vaultPassword, envelope.kdfMetadata);
|
|
32
34
|
return unwrapVaultKeyWithDerivedKey(envelope.encryptedVaultKey, derivedKey);
|
|
33
35
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/envelopes/password.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC3E,OAAO,EACL,sBAAsB,EACtB,kCAAkC,GACnC,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/envelopes/password.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAC9F,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC3E,OAAO,EACL,sBAAsB,EACtB,kCAAkC,GACnC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAIhE,KAAK,UAAU,0BAA0B,CACvC,QAAmB,EACnB,UAAqB,EACrB,KAAgB,EAChB,OAA2B;IAE3B,OAAO,YAAY,CAAC,gBAAgB,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,UAAU,EAAE;QAC9E,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,KAAK,EAAE,WAAW;KACnB,EAAE,OAAO,CAAC,CAAC;AACd,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,iBAAwC,EACxC,UAAqB;IAErB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,MAAM,YAAY,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC,CAAC;IACrF,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,QAAmB,EACnB,aAAqB,EACrB,KAAgB,EAChB,OAA2B,EAC3B,IAAiB;IAEjB,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,MAAM,sBAAsB,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACxF,MAAM,iBAAiB,GAAG,MAAM,0BAA0B,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IACjG,OAAO;QACL,QAAQ,EAAE;YACR,MAAM,EAAE,UAAU;YAClB,iBAAiB;YACjB,WAAW,EAAE,QAAQ;SACtB;QACD,WAAW,EAAE,QAAQ;KACtB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,aAAqB,EACrB,QAAmG,EACnG,aAAwB,EACxB,OAA2B;IAE3B,IAAI,QAAQ,CAAC,WAAW,EAAE,GAAG,KAAK,UAAU,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,iBAAiB,CAAC,aAAa,EAAE,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;IACtE,MAAM,UAAU,GAAG,MAAM,kCAAkC,CAAC,aAAa,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IACjG,OAAO,4BAA4B,CAAC,QAAQ,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC;AAC9E,CAAC;AAED,6CAA6C;AAC7C,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAmB,EACnB,aAAqB,EACrB,KAAgB,EAChB,OAA2B,EAC3B,IAAiB;IAEjB,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,MAAM,sBAAsB,CAC5D,QAAQ,EACR,aAAa,EACb,KAAK,EACL,OAAO,EACP,IAAI,CACL,CAAC;IACF,OAAO,EAAE,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB,EAAE,WAAW,EAAE,CAAC;AACxE,CAAC;AAED,iDAAiD;AACjD,MAAM,CAAC,MAAM,0BAA0B,GAAG,0BAA0B,CAAC"}
|
|
@@ -17,7 +17,7 @@ export declare function normalizeRecoveryPhrase(phrase: string): string;
|
|
|
17
17
|
export declare function validateRecoveryPhraseFormat(phrase: string): boolean;
|
|
18
18
|
export declare function assertRecoveryPhraseConfirmation(originalPhrase: string, confirmationPhrase: string): void;
|
|
19
19
|
export declare function pickRecoveryConfirmationIndices(wordCount: number, count?: number): number[];
|
|
20
|
-
export declare function assertRecoveryPhraseWordConfirmation(originalPhrase: string, answers: Record<number, string
|
|
20
|
+
export declare function assertRecoveryPhraseWordConfirmation(originalPhrase: string, answers: Record<number, string>, requiredIndices?: readonly number[]): void;
|
|
21
21
|
export declare function deriveRecoveryPhraseKey(phrase: string, salt?: Uint8Array): Promise<{
|
|
22
22
|
key: CryptoKey;
|
|
23
23
|
metadata: Argon2idKdfMetadata;
|
|
@@ -32,7 +32,7 @@ export declare function createRecoveryEnvelope(vaultKey: CryptoKey, recoveryPhra
|
|
|
32
32
|
export declare function unlockWithRecoveryEnvelope(recoveryPhrase: string, envelope: RecoveryPhraseEnvelope | {
|
|
33
33
|
encryptedVaultKey: EncryptedVaultPayload;
|
|
34
34
|
kdfMetadata: KdfMetadata;
|
|
35
|
-
}, options?: {
|
|
35
|
+
}, expectedScope: WrapScope, profile: VaultCryptoProfile, options?: {
|
|
36
36
|
expectedWordCount?: RecoveryPhraseWordCount | null;
|
|
37
37
|
}): Promise<CryptoKey>;
|
|
38
38
|
/** @deprecated Use createRecoveryEnvelope */
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"recovery.d.ts","sourceRoot":"","sources":["../../src/envelopes/recovery.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,mBAAmB,EACnB,qBAAqB,EACrB,WAAW,EACX,sBAAsB,EACvB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AAC7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"recovery.d.ts","sourceRoot":"","sources":["../../src/envelopes/recovery.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,mBAAmB,EACnB,qBAAqB,EACrB,WAAW,EACX,sBAAsB,EACvB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AAC7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAYvE,eAAO,MAAM,+BAA+B,EAAG,0BAAmC,CAAC;AACnF,eAAO,MAAM,kCAAkC,EAAE,uBAA4B,CAAC;AAO9E,KAAK,SAAS,GAAG,IAAI,CAAC,aAAa,EAAE,QAAQ,GAAG,YAAY,CAAC,CAAC;AAE9D,wBAAgB,oBAAoB,CAAC,OAAO,EAAE;IAC5C,SAAS,EAAE,uBAAuB,CAAC;CACpC,GAAG,MAAM,CAMT;AAED,2CAA2C;AAC3C,eAAO,MAAM,sBAAsB,6BAAuB,CAAC;AAE3D,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,GAAG,uBAAuB,GAAG,IAAI,CAKzF;AAED,wBAAgB,kCAAkC,CAChD,SAAS,EAAE,uBAAuB,GACjC,MAAM,CAER;AAED,wBAAgB,4BAA4B,CAC1C,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,GAC9C,uBAAuB,GAAG,IAAI,CAIhC;AAED,wBAAgB,+BAA+B,CAC7C,MAAM,EAAE,MAAM,EACd,iBAAiB,CAAC,EAAE,uBAAuB,GAAG,IAAI,GACjD,IAAI,CAYN;AAED,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAO9D;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAMpE;AAED,wBAAgB,gCAAgC,CAC9C,cAAc,EAAE,MAAM,EACtB,kBAAkB,EAAE,MAAM,GACzB,IAAI,CASN;AAED,wBAAgB,+BAA+B,CAC7C,SAAS,EAAE,MAAM,EACjB,KAAK,SAAI,GACR,MAAM,EAAE,CAcV;AAED,wBAAgB,oCAAoC,CAClD,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC/B,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,GAClC,IAAI,CA2BN;AAED,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC;IAAE,GAAG,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,mBAAmB,CAAA;CAAE,CAAC,CAe5D;AAED,wBAAsB,mCAAmC,CACvD,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,mBAAmB,GAC5B,OAAO,CAAC,SAAS,CAAC,CAMpB;AAuBD,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,SAAS,EACnB,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,SAAS,EAChB,OAAO,EAAE,kBAAkB,EAC3B,cAAc,CAAC,EAAE;IAAE,YAAY,EAAE,uBAAuB,CAAA;CAAE,EAC1D,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC;IAAE,QAAQ,EAAE,sBAAsB,CAAC;IAAC,WAAW,EAAE,mBAAmB,CAAA;CAAE,CAAC,CAYjF;AAED,wBAAsB,0BAA0B,CAC9C,cAAc,EAAE,MAAM,EACtB,QAAQ,EAAE,sBAAsB,GAAG;IAAE,iBAAiB,EAAE,qBAAqB,CAAC;IAAC,WAAW,EAAE,WAAW,CAAA;CAAE,EACzG,aAAa,EAAE,SAAS,EACxB,OAAO,EAAE,kBAAkB,EAC3B,OAAO,CAAC,EAAE;IAAE,iBAAiB,CAAC,EAAE,uBAAuB,GAAG,IAAI,CAAA;CAAE,GAC/D,OAAO,CAAC,SAAS,CAAC,CAUpB;AAED,6CAA6C;AAC7C,wBAAsB,6BAA6B,CACjD,QAAQ,EAAE,SAAS,EACnB,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,SAAS,EAChB,OAAO,EAAE,kBAAkB,EAC3B,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC;IAAE,iBAAiB,EAAE,qBAAqB,CAAC;IAAC,WAAW,EAAE,mBAAmB,CAAA;CAAE,CAAC,CAUzF;AAED,iDAAiD;AACjD,eAAO,MAAM,gCAAgC,mCAA6B,CAAC"}
|
|
@@ -5,6 +5,7 @@ import { deriveArgon2idAesKey, deriveArgon2idAesKeyFromMetadata, serializeArgon2
|
|
|
5
5
|
import { DEFAULT_ARGON2ID_PARAMS } from "../kdf/params.js";
|
|
6
6
|
import { RecoveryPhraseConfirmationError } from "../errors/vault-errors.js";
|
|
7
7
|
import { encryptField, decryptField, exportAesKey, importAesKey } from "../crypto/aes-gcm.js";
|
|
8
|
+
import { assertVaultKeyAad } from "../validation/aad-assert.js";
|
|
8
9
|
export const RECOVERY_PHRASE_WORDLIST_SOURCE = "BIP39 English (BIP-0039)";
|
|
9
10
|
export const DEFAULT_RECOVERY_PHRASE_WORD_COUNT = 24;
|
|
10
11
|
const STRENGTH_BITS = {
|
|
@@ -88,16 +89,23 @@ export function pickRecoveryConfirmationIndices(wordCount, count = 3) {
|
|
|
88
89
|
}
|
|
89
90
|
return indices.sort((a, b) => a - b);
|
|
90
91
|
}
|
|
91
|
-
export function assertRecoveryPhraseWordConfirmation(originalPhrase, answers) {
|
|
92
|
+
export function assertRecoveryPhraseWordConfirmation(originalPhrase, answers, requiredIndices) {
|
|
92
93
|
const words = normalizeRecoveryPhrase(originalPhrase).split(" ");
|
|
93
94
|
if (!validateRecoveryPhraseFormat(originalPhrase)) {
|
|
94
95
|
throw new RecoveryPhraseConfirmationError("Recovery phrase is not valid");
|
|
95
96
|
}
|
|
96
|
-
|
|
97
|
-
|
|
97
|
+
const indices = requiredIndices ?? pickRecoveryConfirmationIndices(words.length, getRecoveryConfirmationPromptCount(words.length));
|
|
98
|
+
if (indices.length === 0 || new Set(indices).size !== indices.length) {
|
|
99
|
+
throw new RecoveryPhraseConfirmationError("Recovery confirmation indices are invalid");
|
|
100
|
+
}
|
|
101
|
+
for (const index of indices) {
|
|
102
|
+
if (!Number.isInteger(index) || index < 1 || index > words.length) {
|
|
103
|
+
throw new RecoveryPhraseConfirmationError("Recovery confirmation indices are invalid");
|
|
104
|
+
}
|
|
98
105
|
const expected = words[index - 1];
|
|
99
|
-
const
|
|
100
|
-
|
|
106
|
+
const answer = answers[index];
|
|
107
|
+
const given = typeof answer === "string" ? normalizeRecoveryPhrase(answer) : "";
|
|
108
|
+
if (given !== expected) {
|
|
101
109
|
throw new RecoveryPhraseConfirmationError(`Word #${index} does not match your recovery phrase`);
|
|
102
110
|
}
|
|
103
111
|
}
|
|
@@ -147,13 +155,14 @@ export async function createRecoveryEnvelope(vaultKey, recoveryPhrase, scope, pr
|
|
|
147
155
|
kdfMetadata: metadata,
|
|
148
156
|
};
|
|
149
157
|
}
|
|
150
|
-
export async function unlockWithRecoveryEnvelope(recoveryPhrase, envelope, options) {
|
|
158
|
+
export async function unlockWithRecoveryEnvelope(recoveryPhrase, envelope, expectedScope, profile, options) {
|
|
151
159
|
if (options?.expectedWordCount != null) {
|
|
152
160
|
assertRecoveryPhraseUnlockInput(recoveryPhrase, options.expectedWordCount);
|
|
153
161
|
}
|
|
154
162
|
if (envelope.kdfMetadata?.kdf !== "argon2id") {
|
|
155
163
|
throw new Error("Recovery phrase envelope requires Argon2id metadata");
|
|
156
164
|
}
|
|
165
|
+
assertVaultKeyAad(expectedScope, envelope.encryptedVaultKey, profile);
|
|
157
166
|
const derivedKey = await deriveRecoveryPhraseKeyFromMetadata(recoveryPhrase, envelope.kdfMetadata);
|
|
158
167
|
return unwrapVaultKeyWithDerivedKey(envelope.encryptedVaultKey, derivedKey);
|
|
159
168
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"recovery.js","sourceRoot":"","sources":["../../src/envelopes/recovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrF,OAAO,EAAE,QAAQ,EAAE,MAAM,mCAAmC,CAAC;AAS7D,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC1F,OAAO,EACL,oBAAoB,EACpB,gCAAgC,EAChC,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,+BAA+B,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;
|
|
1
|
+
{"version":3,"file":"recovery.js","sourceRoot":"","sources":["../../src/envelopes/recovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrF,OAAO,EAAE,QAAQ,EAAE,MAAM,mCAAmC,CAAC;AAS7D,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC1F,OAAO,EACL,oBAAoB,EACpB,gCAAgC,EAChC,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,+BAA+B,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAC9F,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAEhE,MAAM,CAAC,MAAM,+BAA+B,GAAG,0BAAmC,CAAC;AACnF,MAAM,CAAC,MAAM,kCAAkC,GAA4B,EAAE,CAAC;AAE9E,MAAM,aAAa,GAA+C;IAChE,EAAE,EAAE,GAAG;IACP,EAAE,EAAE,GAAG;CACR,CAAC;AAIF,MAAM,UAAU,oBAAoB,CAAC,OAEpC;IACC,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;IAC9B,IAAI,SAAS,KAAK,EAAE,IAAI,SAAS,KAAK,EAAE,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,gBAAgB,CAAC,QAAQ,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,2CAA2C;AAC3C,MAAM,CAAC,MAAM,sBAAsB,GAAG,oBAAoB,CAAC;AAE3D,MAAM,UAAU,0BAA0B,CAAC,MAAc;IACvD,MAAM,UAAU,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3D,IAAI,KAAK,KAAK,EAAE,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAC/C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,kCAAkC,CAChD,SAAkC;IAElC,OAAO,SAAS,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,cAA+C;IAE/C,MAAM,GAAG,GAAG,cAAc,EAAE,YAAY,IAAI,cAAc,EAAE,SAAS,CAAC;IACtE,IAAI,GAAG,KAAK,EAAE,IAAI,GAAG,KAAK,EAAE;QAAE,OAAO,GAAG,CAAC;IACzC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,MAAc,EACd,iBAAkD;IAElD,MAAM,UAAU,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,CAAC,4BAA4B,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,WAAW,GAAG,0BAA0B,CAAC,UAAU,CAAC,CAAC;IAC3D,IAAI,iBAAiB,IAAI,IAAI,IAAI,WAAW,KAAK,iBAAiB,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CACb,qBAAqB,iBAAiB,sCAAsC,WAAW,IAAI,sBAAsB,SAAS,CAC3H,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,MAAc;IACpD,OAAO,MAAM;SACV,IAAI,EAAE;SACN,WAAW,EAAE;SACb,KAAK,CAAC,KAAK,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,MAAc;IACzD,MAAM,UAAU,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAC7D,OAAO,gBAAgB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,gCAAgC,CAC9C,cAAsB,EACtB,kBAA0B;IAE1B,MAAM,CAAC,GAAG,uBAAuB,CAAC,cAAc,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;IACtD,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACZ,MAAM,IAAI,+BAA+B,CAAC,6CAA6C,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,+BAA+B,CAAC,8BAA8B,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,SAAiB,EACjB,KAAK,GAAG,CAAC;IAET,IAAI,SAAS,GAAG,KAAK,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IACD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,IAAI,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,GAAG,MAAM,CAAC;IAC7C,OAAO,OAAO,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;QAC9B,IAAI,GAAG,CAAC,IAAI,GAAG,UAAU,GAAG,KAAK,CAAC,GAAG,UAAU,CAAC;QAChD,MAAM,SAAS,GAAG,CAAC,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,oCAAoC,CAClD,cAAsB,EACtB,OAA+B,EAC/B,eAAmC;IAEnC,MAAM,KAAK,GAAG,uBAAuB,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjE,IAAI,CAAC,4BAA4B,CAAC,cAAc,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,+BAA+B,CAAC,8BAA8B,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,OAAO,GAAG,eAAe,IAAI,+BAA+B,CAChE,KAAK,CAAC,MAAM,EACZ,kCAAkC,CAAC,KAAK,CAAC,MAAiC,CAAC,CAC5E,CAAC;IACF,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;QACrE,MAAM,IAAI,+BAA+B,CAAC,2CAA2C,CAAC,CAAC;IACzF,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;YAClE,MAAM,IAAI,+BAA+B,CAAC,2CAA2C,CAAC,CAAC;QACzF,CAAC;QACD,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,uBAAuB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;YACvB,MAAM,IAAI,+BAA+B,CACvC,SAAS,KAAK,sCAAsC,CACrD,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,MAAc,EACd,IAAiB;IAEjB,MAAM,UAAU,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,CAAC,4BAA4B,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACD,iBAAiB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAExC,MAAM,SAAS,GACb,IAAI,IAAI,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC,CAAC;IACrF,MAAM,aAAa,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IACjE,OAAO;QACL,GAAG;QACH,QAAQ,EAAE,yBAAyB,CAAC,SAAS,CAAC;KAC/C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mCAAmC,CACvD,MAAc,EACd,QAA6B;IAE7B,MAAM,UAAU,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,CAAC,4BAA4B,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,gCAAgC,CAAC,aAAa,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC/E,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,QAAmB,EACnB,UAAqB,EACrB,KAAgB,EAChB,OAA2B;IAE3B,OAAO,YAAY,CAAC,gBAAgB,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,UAAU,EAAE;QAC9E,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,KAAK,EAAE,WAAW;KACnB,EAAE,OAAO,CAAC,CAAC;AACd,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,iBAAwC,EACxC,UAAqB;IAErB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,MAAM,YAAY,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC,CAAC;IACrF,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,QAAmB,EACnB,cAAsB,EACtB,KAAgB,EAChB,OAA2B,EAC3B,cAA0D,EAC1D,IAAiB;IAEjB,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,MAAM,uBAAuB,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;IAC1F,MAAM,iBAAiB,GAAG,MAAM,0BAA0B,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IACjG,OAAO;QACL,QAAQ,EAAE;YACR,MAAM,EAAE,iBAAiB;YACzB,iBAAiB;YACjB,WAAW,EAAE,QAAQ;YACrB,cAAc;SACf;QACD,WAAW,EAAE,QAAQ;KACtB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,cAAsB,EACtB,QAAyG,EACzG,aAAwB,EACxB,OAA2B,EAC3B,OAAgE;IAEhE,IAAI,OAAO,EAAE,iBAAiB,IAAI,IAAI,EAAE,CAAC;QACvC,+BAA+B,CAAC,cAAc,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,QAAQ,CAAC,WAAW,EAAE,GAAG,KAAK,UAAU,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,iBAAiB,CAAC,aAAa,EAAE,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;IACtE,MAAM,UAAU,GAAG,MAAM,mCAAmC,CAAC,cAAc,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IACnG,OAAO,4BAA4B,CAAC,QAAQ,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC;AAC9E,CAAC;AAED,6CAA6C;AAC7C,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,QAAmB,EACnB,cAAsB,EACtB,KAAgB,EAChB,OAA2B,EAC3B,IAAiB;IAEjB,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,MAAM,sBAAsB,CAC5D,QAAQ,EACR,cAAc,EACd,KAAK,EACL,OAAO,EACP,SAAS,EACT,IAAI,CACL,CAAC;IACF,OAAO,EAAE,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB,EAAE,WAAW,EAAE,CAAC;AACxE,CAAC;AAED,iDAAiD;AACjD,MAAM,CAAC,MAAM,gCAAgC,GAAG,0BAA0B,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"argon2id.d.ts","sourceRoot":"","sources":["../../src/kdf/argon2id.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAOpE,OAAO,
|
|
1
|
+
{"version":3,"file":"argon2id.d.ts","sourceRoot":"","sources":["../../src/kdf/argon2id.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAOpE,OAAO,EAGL,uBAAuB,EACxB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,uBAAuB,EAAE,KAAK,cAAc,EAAE,MAAM,aAAa,CAAC;AAE3E,YAAY,EAAE,mBAAmB,EAAE,CAAC;AAEpC,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,UAAU,EAChB,MAAM,GAAE,IAAI,CAAC,OAAO,uBAAuB,EAAE,QAAQ,GAAG,YAAY,GAAG,aAAa,CAA2B,GAC9G,mBAAmB,CAWrB;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,mBAAmB,GAAG;IACpE,IAAI,EAAE,UAAU,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB,CAaA;AAED,wBAAsB,oBAAoB,CACxC,aAAa,EAAE,UAAU,EACzB,IAAI,EAAE,UAAU,EAChB,MAAM,GAAE;IACN,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACK,GAC1B,OAAO,CAAC,SAAS,CAAC,CAwBpB;AAED,wBAAsB,gCAAgC,CACpD,aAAa,EAAE,UAAU,EACzB,QAAQ,EAAE,mBAAmB,GAC5B,OAAO,CAAC,SAAS,CAAC,CAQpB;AAED,wBAAsB,sBAAsB,CAC1C,aAAa,EAAE,MAAM,EACrB,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC;IAAE,GAAG,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,mBAAmB,CAAA;CAAE,CAAC,CAS5D;AAED,wBAAsB,kCAAkC,CACtD,aAAa,EAAE,MAAM,EACrB,QAAQ,EAAE,mBAAmB,GAC5B,OAAO,CAAC,SAAS,CAAC,CAKpB"}
|
package/dist/kdf/argon2id.js
CHANGED
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
import { argon2id } from "hash-wasm";
|
|
2
2
|
import { bytesToBase64Url, base64UrlToBytes, toBufferSource, stringToBytes, } from "../crypto/encoding.js";
|
|
3
|
-
import { DEFAULT_ARGON2ID_PARAMS } from "./params.js";
|
|
3
|
+
import { assertSafeArgon2idParams, assertSafeArgon2idSalt, DEFAULT_ARGON2ID_PARAMS, } from "./params.js";
|
|
4
4
|
export { DEFAULT_ARGON2ID_PARAMS } from "./params.js";
|
|
5
5
|
export function serializeArgon2idMetadata(salt, params = DEFAULT_ARGON2ID_PARAMS) {
|
|
6
|
+
assertSafeArgon2idSalt(salt);
|
|
7
|
+
assertSafeArgon2idParams(params);
|
|
6
8
|
return {
|
|
7
9
|
kdf: "argon2id",
|
|
8
10
|
version: "kdf-v1",
|
|
@@ -13,15 +15,26 @@ export function serializeArgon2idMetadata(salt, params = DEFAULT_ARGON2ID_PARAMS
|
|
|
13
15
|
};
|
|
14
16
|
}
|
|
15
17
|
export function parseArgon2idMetadata(metadata) {
|
|
18
|
+
if (metadata.salt.length > 128) {
|
|
19
|
+
throw new Error("Argon2id salt encoding is too large");
|
|
20
|
+
}
|
|
21
|
+
assertSafeArgon2idParams(metadata);
|
|
22
|
+
const salt = base64UrlToBytes(metadata.salt);
|
|
23
|
+
assertSafeArgon2idSalt(salt);
|
|
16
24
|
return {
|
|
17
|
-
salt
|
|
25
|
+
salt,
|
|
18
26
|
memory: metadata.memory,
|
|
19
27
|
iterations: metadata.iterations,
|
|
20
28
|
parallelism: metadata.parallelism,
|
|
21
29
|
};
|
|
22
30
|
}
|
|
23
31
|
export async function deriveArgon2idAesKey(passwordBytes, salt, params = DEFAULT_ARGON2ID_PARAMS) {
|
|
32
|
+
assertSafeArgon2idParams(params);
|
|
33
|
+
assertSafeArgon2idSalt(salt);
|
|
24
34
|
const hashLength = params.hashLength ?? DEFAULT_ARGON2ID_PARAMS.hashLength;
|
|
35
|
+
if (hashLength !== DEFAULT_ARGON2ID_PARAMS.hashLength) {
|
|
36
|
+
throw new Error(`Argon2id hash length must be ${DEFAULT_ARGON2ID_PARAMS.hashLength} bytes`);
|
|
37
|
+
}
|
|
25
38
|
const hash = await argon2id({
|
|
26
39
|
password: passwordBytes,
|
|
27
40
|
salt,
|
package/dist/kdf/argon2id.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"argon2id.js","sourceRoot":"","sources":["../../src/kdf/argon2id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,aAAa,GACd,MAAM,uBAAuB,CAAC;AAC/B,OAAO,
|
|
1
|
+
{"version":3,"file":"argon2id.js","sourceRoot":"","sources":["../../src/kdf/argon2id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,aAAa,GACd,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,uBAAuB,EAAuB,MAAM,aAAa,CAAC;AAI3E,MAAM,UAAU,yBAAyB,CACvC,IAAgB,EAChB,SAAwF,uBAAuB;IAE/G,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAC7B,wBAAwB,CAAC,MAAM,CAAC,CAAC;IACjC,OAAO;QACL,GAAG,EAAE,UAAU;QACf,OAAO,EAAE,QAAQ;QACjB,IAAI,EAAE,gBAAgB,CAAC,IAAI,CAAC;QAC5B,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,WAAW,EAAE,MAAM,CAAC,WAAW;KAChC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAA6B;IAMjE,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC7C,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAC7B,OAAO;QACL,IAAI;QACJ,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,WAAW,EAAE,QAAQ,CAAC,WAAW;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,aAAyB,EACzB,IAAgB,EAChB,SAKI,uBAAuB;IAE3B,wBAAwB,CAAC,MAAM,CAAC,CAAC;IACjC,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,uBAAuB,CAAC,UAAU,CAAC;IAC3E,IAAI,UAAU,KAAK,uBAAuB,CAAC,UAAU,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,gCAAgC,uBAAuB,CAAC,UAAU,QAAQ,CAAC,CAAC;IAC9F,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC;QAC1B,QAAQ,EAAE,aAAa;QACvB,IAAI;QACJ,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,UAAU,EAAE,MAAM,CAAC,MAAM;QACzB,UAAU;QACV,UAAU,EAAE,QAAQ;KACrB,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,cAAc,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,EACpC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,aAAyB,EACzB,QAA6B;IAE7B,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAClF,OAAO,oBAAoB,CAAC,aAAa,EAAE,IAAI,EAAE;QAC/C,MAAM;QACN,UAAU;QACV,WAAW;QACX,UAAU,EAAE,uBAAuB,CAAC,UAAU;KAC/C,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,aAAqB,EACrB,IAAiB;IAEjB,MAAM,SAAS,GACb,IAAI,IAAI,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC,CAAC;IACrF,MAAM,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACrE,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IACjE,OAAO;QACL,GAAG;QACH,QAAQ,EAAE,yBAAyB,CAAC,SAAS,CAAC;KAC/C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kCAAkC,CACtD,aAAqB,EACrB,QAA6B;IAE7B,OAAO,gCAAgC,CACrC,aAAa,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,EAC9C,QAAQ,CACT,CAAC;AACJ,CAAC"}
|
package/dist/kdf/params.d.ts
CHANGED
|
@@ -5,5 +5,29 @@ export declare const DEFAULT_ARGON2ID_PARAMS: {
|
|
|
5
5
|
readonly hashLength: 32;
|
|
6
6
|
readonly saltLength: 16;
|
|
7
7
|
};
|
|
8
|
+
export declare const ARGON2ID_LIMITS: {
|
|
9
|
+
readonly memory: {
|
|
10
|
+
readonly min: 8192;
|
|
11
|
+
readonly max: 262144;
|
|
12
|
+
};
|
|
13
|
+
readonly iterations: {
|
|
14
|
+
readonly min: 1;
|
|
15
|
+
readonly max: 10;
|
|
16
|
+
};
|
|
17
|
+
readonly parallelism: {
|
|
18
|
+
readonly min: 1;
|
|
19
|
+
readonly max: 4;
|
|
20
|
+
};
|
|
21
|
+
readonly saltLength: {
|
|
22
|
+
readonly min: 16;
|
|
23
|
+
readonly max: 64;
|
|
24
|
+
};
|
|
25
|
+
};
|
|
8
26
|
export type Argon2idParams = typeof DEFAULT_ARGON2ID_PARAMS;
|
|
27
|
+
export declare function assertSafeArgon2idParams(params: {
|
|
28
|
+
memory: number;
|
|
29
|
+
iterations: number;
|
|
30
|
+
parallelism: number;
|
|
31
|
+
}): void;
|
|
32
|
+
export declare function assertSafeArgon2idSalt(salt: Uint8Array): void;
|
|
9
33
|
//# sourceMappingURL=params.d.ts.map
|
package/dist/kdf/params.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"params.d.ts","sourceRoot":"","sources":["../../src/kdf/params.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,uBAAuB;;;;;;CAM1B,CAAC;AAEX,MAAM,MAAM,cAAc,GAAG,OAAO,uBAAuB,CAAC"}
|
|
1
|
+
{"version":3,"file":"params.d.ts","sourceRoot":"","sources":["../../src/kdf/params.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,uBAAuB;;;;;;CAM1B,CAAC;AAEX,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;CAKlB,CAAC;AAEX,MAAM,MAAM,cAAc,GAAG,OAAO,uBAAuB,CAAC;AAE5D,wBAAgB,wBAAwB,CAAC,MAAM,EAAE;IAC/C,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB,GAAG,IAAI,CAIP;AAED,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI,CAS7D"}
|
package/dist/kdf/params.js
CHANGED
|
@@ -5,4 +5,26 @@ export const DEFAULT_ARGON2ID_PARAMS = {
|
|
|
5
5
|
hashLength: 32,
|
|
6
6
|
saltLength: 16,
|
|
7
7
|
};
|
|
8
|
+
export const ARGON2ID_LIMITS = {
|
|
9
|
+
memory: { min: 8192, max: 262144 },
|
|
10
|
+
iterations: { min: 1, max: 10 },
|
|
11
|
+
parallelism: { min: 1, max: 4 },
|
|
12
|
+
saltLength: { min: 16, max: 64 },
|
|
13
|
+
};
|
|
14
|
+
export function assertSafeArgon2idParams(params) {
|
|
15
|
+
assertIntegerInRange("memory", params.memory, ARGON2ID_LIMITS.memory);
|
|
16
|
+
assertIntegerInRange("iterations", params.iterations, ARGON2ID_LIMITS.iterations);
|
|
17
|
+
assertIntegerInRange("parallelism", params.parallelism, ARGON2ID_LIMITS.parallelism);
|
|
18
|
+
}
|
|
19
|
+
export function assertSafeArgon2idSalt(salt) {
|
|
20
|
+
if (salt.byteLength < ARGON2ID_LIMITS.saltLength.min ||
|
|
21
|
+
salt.byteLength > ARGON2ID_LIMITS.saltLength.max) {
|
|
22
|
+
throw new Error(`Argon2id salt length must be between ${ARGON2ID_LIMITS.saltLength.min} and ${ARGON2ID_LIMITS.saltLength.max} bytes`);
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
function assertIntegerInRange(name, value, range) {
|
|
26
|
+
if (!Number.isSafeInteger(value) || value < range.min || value > range.max) {
|
|
27
|
+
throw new Error(`Argon2id ${name} must be an integer between ${range.min} and ${range.max}`);
|
|
28
|
+
}
|
|
29
|
+
}
|
|
8
30
|
//# sourceMappingURL=params.js.map
|
package/dist/kdf/params.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"params.js","sourceRoot":"","sources":["../../src/kdf/params.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,MAAM,EAAE,KAAK;IACb,UAAU,EAAE,CAAC;IACb,WAAW,EAAE,CAAC;IACd,UAAU,EAAE,EAAE;IACd,UAAU,EAAE,EAAE;CACN,CAAC"}
|
|
1
|
+
{"version":3,"file":"params.js","sourceRoot":"","sources":["../../src/kdf/params.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,MAAM,EAAE,KAAK;IACb,UAAU,EAAE,CAAC;IACb,WAAW,EAAE,CAAC;IACd,UAAU,EAAE,EAAE;IACd,UAAU,EAAE,EAAE;CACN,CAAC;AAEX,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,MAAM,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE;IAClC,UAAU,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;IAC/B,WAAW,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;IAC/B,UAAU,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;CACxB,CAAC;AAIX,MAAM,UAAU,wBAAwB,CAAC,MAIxC;IACC,oBAAoB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;IACtE,oBAAoB,CAAC,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,eAAe,CAAC,UAAU,CAAC,CAAC;IAClF,oBAAoB,CAAC,aAAa,EAAE,MAAM,CAAC,WAAW,EAAE,eAAe,CAAC,WAAW,CAAC,CAAC;AACvF,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,IAAgB;IACrD,IACE,IAAI,CAAC,UAAU,GAAG,eAAe,CAAC,UAAU,CAAC,GAAG;QAChD,IAAI,CAAC,UAAU,GAAG,eAAe,CAAC,UAAU,CAAC,GAAG,EAChD,CAAC;QACD,MAAM,IAAI,KAAK,CACb,wCAAwC,eAAe,CAAC,UAAU,CAAC,GAAG,QAAQ,eAAe,CAAC,UAAU,CAAC,GAAG,QAAQ,CACrH,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAC3B,IAAY,EACZ,KAAa,EACb,KAAmC;IAEnC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,KAAK,CAAC,GAAG,IAAI,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;QAC3E,MAAM,IAAI,KAAK,CACb,YAAY,IAAI,+BAA+B,KAAK,CAAC,GAAG,QAAQ,KAAK,CAAC,GAAG,EAAE,CAC5E,CAAC;IACJ,CAAC;AACH,CAAC"}
|
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
import type { VaultCryptoProfile, VaultAadScope } from "../profile.js";
|
|
2
2
|
import type { EncryptedVaultPayload } from "../validation/schemas.js";
|
|
3
|
-
|
|
4
|
-
export declare function
|
|
3
|
+
type PayloadScope = Pick<VaultAadScope, "userId" | "resourceId">;
|
|
4
|
+
export declare function encryptVaultPayload<T>(payload: T, vaultKey: CryptoKey, scope: PayloadScope, profile: VaultCryptoProfile): Promise<EncryptedVaultPayload>;
|
|
5
|
+
export declare function decryptVaultPayload<T>(encrypted: EncryptedVaultPayload, vaultKey: CryptoKey, expectedScope: PayloadScope, profile: VaultCryptoProfile): Promise<T>;
|
|
6
|
+
export {};
|
|
5
7
|
//# sourceMappingURL=encrypted-payload.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"encrypted-payload.d.ts","sourceRoot":"","sources":["../../src/payload/encrypted-payload.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACvE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;
|
|
1
|
+
{"version":3,"file":"encrypted-payload.d.ts","sourceRoot":"","sources":["../../src/payload/encrypted-payload.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACvE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAGtE,KAAK,YAAY,GAAG,IAAI,CAAC,aAAa,EAAE,QAAQ,GAAG,YAAY,CAAC,CAAC;AAEjE,wBAAsB,mBAAmB,CAAC,CAAC,EACzC,OAAO,EAAE,CAAC,EACV,QAAQ,EAAE,SAAS,EACnB,KAAK,EAAE,YAAY,EACnB,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,qBAAqB,CAAC,CAMhC;AAED,wBAAsB,mBAAmB,CAAC,CAAC,EACzC,SAAS,EAAE,qBAAqB,EAChC,QAAQ,EAAE,SAAS,EACnB,aAAa,EAAE,YAAY,EAC3B,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,CAAC,CAAC,CAIZ"}
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { encryptField, decryptField } from "../crypto/aes-gcm.js";
|
|
2
2
|
import { parseVaultPayload, serializeVaultPayload } from "../crypto/serialization.js";
|
|
3
|
+
import { assertVaultPayloadAad } from "../validation/aad-assert.js";
|
|
3
4
|
export async function encryptVaultPayload(payload, vaultKey, scope, profile) {
|
|
4
5
|
return encryptField(serializeVaultPayload(payload), vaultKey, {
|
|
5
6
|
userId: scope.userId,
|
|
@@ -7,7 +8,8 @@ export async function encryptVaultPayload(payload, vaultKey, scope, profile) {
|
|
|
7
8
|
field: "vault_payload",
|
|
8
9
|
}, profile);
|
|
9
10
|
}
|
|
10
|
-
export async function decryptVaultPayload(encrypted, vaultKey) {
|
|
11
|
+
export async function decryptVaultPayload(encrypted, vaultKey, expectedScope, profile) {
|
|
12
|
+
assertVaultPayloadAad(expectedScope, encrypted, profile);
|
|
11
13
|
const json = await decryptField(encrypted, vaultKey);
|
|
12
14
|
return parseVaultPayload(json);
|
|
13
15
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"encrypted-payload.js","sourceRoot":"","sources":["../../src/payload/encrypted-payload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;
|
|
1
|
+
{"version":3,"file":"encrypted-payload.js","sourceRoot":"","sources":["../../src/payload/encrypted-payload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAGtF,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAIpE,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAU,EACV,QAAmB,EACnB,KAAmB,EACnB,OAA2B;IAE3B,OAAO,YAAY,CAAC,qBAAqB,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE;QAC5D,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,KAAK,EAAE,eAAe;KACvB,EAAE,OAAO,CAAC,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,SAAgC,EAChC,QAAmB,EACnB,aAA2B,EAC3B,OAA2B;IAE3B,qBAAqB,CAAC,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACzD,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACrD,OAAO,iBAAiB,CAAI,IAAI,CAAC,CAAC;AACpC,CAAC"}
|
|
@@ -2,6 +2,7 @@ import { type VaultSessionConfig } from "../../browser.js";
|
|
|
2
2
|
export type UseVaultSessionOptions = {
|
|
3
3
|
sessionConfig?: VaultSessionConfig;
|
|
4
4
|
registerUnloadGuard?: boolean;
|
|
5
|
+
registerActivityGuard?: boolean;
|
|
5
6
|
};
|
|
6
7
|
export declare function useVaultSession(options?: UseVaultSessionOptions): {
|
|
7
8
|
unlocked: boolean;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"use-vault-session.d.ts","sourceRoot":"","sources":["../../../src/react/session/use-vault-session.ts"],"names":[],"mappings":"AACA,OAAO,
|
|
1
|
+
{"version":3,"file":"use-vault-session.d.ts","sourceRoot":"","sources":["../../../src/react/session/use-vault-session.ts"],"names":[],"mappings":"AACA,OAAO,EAML,KAAK,kBAAkB,EACxB,MAAM,kBAAkB,CAAC;AAG1B,MAAM,MAAM,sBAAsB,GAAG;IACnC,aAAa,CAAC,EAAE,kBAAkB,CAAC;IACnC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC,CAAC;AAEF,wBAAgB,eAAe,CAAC,OAAO,GAAE,sBAA2B;;;;EAqCnE"}
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
import { useCallback, useEffect } from "react";
|
|
2
|
-
import { configureVaultSession, lockVaultSession, registerVaultUnloadGuard, touchVaultSession, } from "../../browser.js";
|
|
2
|
+
import { configureVaultSession, lockVaultSession, registerVaultUnloadGuard, registerVaultActivityGuard, touchVaultSession, } from "../../browser.js";
|
|
3
3
|
import { useVaultUnlocked } from "./use-vault-unlocked.js";
|
|
4
4
|
export function useVaultSession(options = {}) {
|
|
5
|
-
const { sessionConfig, registerUnloadGuard = true } = options;
|
|
5
|
+
const { sessionConfig, registerUnloadGuard = true, registerActivityGuard = true, } = options;
|
|
6
6
|
const unlocked = useVaultUnlocked();
|
|
7
7
|
useEffect(() => {
|
|
8
8
|
if (sessionConfig) {
|
|
@@ -14,6 +14,11 @@ export function useVaultSession(options = {}) {
|
|
|
14
14
|
return;
|
|
15
15
|
return registerVaultUnloadGuard();
|
|
16
16
|
}, [registerUnloadGuard]);
|
|
17
|
+
useEffect(() => {
|
|
18
|
+
if (!registerActivityGuard)
|
|
19
|
+
return;
|
|
20
|
+
return registerVaultActivityGuard();
|
|
21
|
+
}, [registerActivityGuard]);
|
|
17
22
|
const lock = useCallback(() => {
|
|
18
23
|
lockVaultSession();
|
|
19
24
|
}, []);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"use-vault-session.js","sourceRoot":"","sources":["../../../src/react/session/use-vault-session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EACL,qBAAqB,EACrB,gBAAgB,EAChB,wBAAwB,EACxB,iBAAiB,GAElB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;
|
|
1
|
+
{"version":3,"file":"use-vault-session.js","sourceRoot":"","sources":["../../../src/react/session/use-vault-session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EACL,qBAAqB,EACrB,gBAAgB,EAChB,wBAAwB,EACxB,0BAA0B,EAC1B,iBAAiB,GAElB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAQ3D,MAAM,UAAU,eAAe,CAAC,UAAkC,EAAE;IAClE,MAAM,EACJ,aAAa,EACb,mBAAmB,GAAG,IAAI,EAC1B,qBAAqB,GAAG,IAAI,GAC7B,GAAG,OAAO,CAAC;IACZ,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IAEpC,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,aAAa,EAAE,CAAC;YAClB,qBAAqB,CAAC,aAAa,CAAC,CAAC;QACvC,CAAC;IACH,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC;IAEpB,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,mBAAmB;YAAE,OAAO;QACjC,OAAO,wBAAwB,EAAE,CAAC;IACpC,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAE1B,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,qBAAqB;YAAE,OAAO;QACnC,OAAO,0BAA0B,EAAE,CAAC;IACtC,CAAC,EAAE,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAE5B,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE;QAC5B,gBAAgB,EAAE,CAAC;IACrB,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE;QAC7B,iBAAiB,EAAE,CAAC;IACtB,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,OAAO;QACL,QAAQ;QACR,IAAI;QACJ,KAAK;KACN,CAAC;AACJ,CAAC"}
|
|
@@ -4,6 +4,7 @@ export type VaultSessionProviderProps = {
|
|
|
4
4
|
children: ReactNode;
|
|
5
5
|
sessionConfig?: VaultSessionConfig;
|
|
6
6
|
registerUnloadGuard?: boolean;
|
|
7
|
+
registerActivityGuard?: boolean;
|
|
7
8
|
};
|
|
8
|
-
export declare function VaultSessionProvider({ children, sessionConfig, registerUnloadGuard, }: VaultSessionProviderProps): ReactNode;
|
|
9
|
+
export declare function VaultSessionProvider({ children, sessionConfig, registerUnloadGuard, registerActivityGuard, }: VaultSessionProviderProps): ReactNode;
|
|
9
10
|
//# sourceMappingURL=vault-session-provider.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vault-session-provider.d.ts","sourceRoot":"","sources":["../../../src/react/session/vault-session-provider.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,SAAS,EAAa,MAAM,OAAO,CAAC;AAClD,OAAO,
|
|
1
|
+
{"version":3,"file":"vault-session-provider.d.ts","sourceRoot":"","sources":["../../../src/react/session/vault-session-provider.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,SAAS,EAAa,MAAM,OAAO,CAAC;AAClD,OAAO,EAIL,KAAK,kBAAkB,EACxB,MAAM,kBAAkB,CAAC;AAE1B,MAAM,MAAM,yBAAyB,GAAG;IACtC,QAAQ,EAAE,SAAS,CAAC;IACpB,aAAa,CAAC,EAAE,kBAAkB,CAAC;IACnC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC,CAAC;AAEF,wBAAgB,oBAAoB,CAAC,EACnC,QAAQ,EACR,aAAa,EACb,mBAA0B,EAC1B,qBAA4B,GAC7B,EAAE,yBAAyB,aAkB3B"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { useEffect } from "react";
|
|
2
|
-
import { configureVaultSession, registerVaultUnloadGuard, } from "../../browser.js";
|
|
3
|
-
export function VaultSessionProvider({ children, sessionConfig, registerUnloadGuard = true, }) {
|
|
2
|
+
import { configureVaultSession, registerVaultUnloadGuard, registerVaultActivityGuard, } from "../../browser.js";
|
|
3
|
+
export function VaultSessionProvider({ children, sessionConfig, registerUnloadGuard = true, registerActivityGuard = true, }) {
|
|
4
4
|
useEffect(() => {
|
|
5
5
|
if (sessionConfig) {
|
|
6
6
|
configureVaultSession(sessionConfig);
|
|
@@ -11,6 +11,11 @@ export function VaultSessionProvider({ children, sessionConfig, registerUnloadGu
|
|
|
11
11
|
return;
|
|
12
12
|
return registerVaultUnloadGuard();
|
|
13
13
|
}, [registerUnloadGuard]);
|
|
14
|
+
useEffect(() => {
|
|
15
|
+
if (!registerActivityGuard)
|
|
16
|
+
return;
|
|
17
|
+
return registerVaultActivityGuard();
|
|
18
|
+
}, [registerActivityGuard]);
|
|
14
19
|
return children;
|
|
15
20
|
}
|
|
16
21
|
//# sourceMappingURL=vault-session-provider.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vault-session-provider.js","sourceRoot":"","sources":["../../../src/react/session/vault-session-provider.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAkB,SAAS,EAAE,MAAM,OAAO,CAAC;AAClD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,
|
|
1
|
+
{"version":3,"file":"vault-session-provider.js","sourceRoot":"","sources":["../../../src/react/session/vault-session-provider.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAkB,SAAS,EAAE,MAAM,OAAO,CAAC;AAClD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,0BAA0B,GAE3B,MAAM,kBAAkB,CAAC;AAS1B,MAAM,UAAU,oBAAoB,CAAC,EACnC,QAAQ,EACR,aAAa,EACb,mBAAmB,GAAG,IAAI,EAC1B,qBAAqB,GAAG,IAAI,GACF;IAC1B,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,aAAa,EAAE,CAAC;YAClB,qBAAqB,CAAC,aAAa,CAAC,CAAC;QACvC,CAAC;IACH,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC;IAEpB,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,mBAAmB;YAAE,OAAO;QACjC,OAAO,wBAAwB,EAAE,CAAC;IACpC,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAE1B,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,qBAAqB;YAAE,OAAO;QACnC,OAAO,0BAA0B,EAAE,CAAC;IACtC,CAAC,EAAE,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAE5B,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
|
@@ -13,6 +13,7 @@ export declare function lockVaultSession(): void;
|
|
|
13
13
|
export declare function lockVaultSessionManually(): void;
|
|
14
14
|
export declare function resetVaultSessionLockState(): void;
|
|
15
15
|
export declare function registerVaultUnloadGuard(): () => void;
|
|
16
|
+
export declare function registerVaultActivityGuard(events?: readonly string[]): () => void;
|
|
16
17
|
export declare function getVaultAutoLockRemainingMs(): number | null;
|
|
17
|
-
export { getSessionVaultKey,
|
|
18
|
+
export { getSessionVaultKey, isVaultUnlocked, } from "./memory-session.js";
|
|
18
19
|
//# sourceMappingURL=auto-lock.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auto-lock.d.ts","sourceRoot":"","sources":["../../src/session/auto-lock.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,kBAAkB,GAAG;IAC/B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sBAAsB,CAAC,EAAE,MAAM,MAAM,GAAG,SAAS,CAAC;CACnD,CAAC;
|
|
1
|
+
{"version":3,"file":"auto-lock.d.ts","sourceRoot":"","sources":["../../src/session/auto-lock.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,kBAAkB,GAAG;IAC/B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sBAAsB,CAAC,EAAE,MAAM,MAAM,GAAG,SAAS,CAAC;CACnD,CAAC;AASF,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,kBAAkB,GAAG,IAAI,CAEtE;AAmBD,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI,CAGtE;AAED,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED,wBAAgB,uBAAuB,IAAI,IAAI,CAK9C;AAED,wBAAgB,qBAAqB,IAAI,IAAI,CAO5C;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAIxC;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,SAAS,GAAG,IAAI,CAK5D;AAED,wBAAgB,gBAAgB,IAAI,IAAI,CAMvC;AAED,wBAAgB,wBAAwB,IAAI,IAAI,CAE/C;AAED,wBAAgB,0BAA0B,IAAI,IAAI,CAKjD;AAED,wBAAgB,wBAAwB,IAAI,MAAM,IAAI,CAMrD;AAED,wBAAgB,0BAA0B,CACxC,MAAM,GAAE,SAAS,MAAM,EAA4B,GAClD,MAAM,IAAI,CAYZ;AAED,wBAAgB,2BAA2B,IAAI,MAAM,GAAG,IAAI,CAG3D;AAED,OAAO,EACL,kBAAkB,EAClB,eAAe,GAChB,MAAM,qBAAqB,CAAC"}
|