@tgoliveira/vault-core 0.1.1 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +77 -0
- package/API_REFERENCE.md +196 -26
- package/ARCHITECTURE.md +5 -0
- package/CHANGELOG.md +51 -0
- package/MIGRATION_FROM_LIQSENSE.md +3 -1
- package/PASSKEY_PRF_ENVELOPES.md +2 -1
- package/PASSWORD_ENVELOPES.md +3 -1
- package/README.md +42 -2
- package/RECOVERY_PHRASE.md +2 -1
- package/SECURITY.md +22 -2
- package/dist/browser.d.ts +12 -1
- package/dist/browser.d.ts.map +1 -1
- package/dist/browser.js +46 -18
- package/dist/browser.js.map +1 -1
- package/dist/envelopes/passkey-prf.d.ts +3 -3
- package/dist/envelopes/passkey-prf.d.ts.map +1 -1
- package/dist/envelopes/passkey-prf.js +7 -5
- package/dist/envelopes/passkey-prf.js.map +1 -1
- package/dist/envelopes/password.d.ts +1 -1
- package/dist/envelopes/password.d.ts.map +1 -1
- package/dist/envelopes/password.js +3 -1
- package/dist/envelopes/password.js.map +1 -1
- package/dist/envelopes/recovery.d.ts +2 -2
- package/dist/envelopes/recovery.d.ts.map +1 -1
- package/dist/envelopes/recovery.js +15 -6
- package/dist/envelopes/recovery.js.map +1 -1
- package/dist/kdf/argon2id.d.ts.map +1 -1
- package/dist/kdf/argon2id.js +15 -2
- package/dist/kdf/argon2id.js.map +1 -1
- package/dist/kdf/params.d.ts +24 -0
- package/dist/kdf/params.d.ts.map +1 -1
- package/dist/kdf/params.js +22 -0
- package/dist/kdf/params.js.map +1 -1
- package/dist/payload/encrypted-payload.d.ts +4 -2
- package/dist/payload/encrypted-payload.d.ts.map +1 -1
- package/dist/payload/encrypted-payload.js +3 -1
- package/dist/payload/encrypted-payload.js.map +1 -1
- package/dist/react/session/use-vault-session.d.ts +1 -0
- package/dist/react/session/use-vault-session.d.ts.map +1 -1
- package/dist/react/session/use-vault-session.js +7 -2
- package/dist/react/session/use-vault-session.js.map +1 -1
- package/dist/react/session/vault-session-provider.d.ts +2 -1
- package/dist/react/session/vault-session-provider.d.ts.map +1 -1
- package/dist/react/session/vault-session-provider.js +7 -2
- package/dist/react/session/vault-session-provider.js.map +1 -1
- package/dist/session/auto-lock.d.ts +2 -1
- package/dist/session/auto-lock.d.ts.map +1 -1
- package/dist/session/auto-lock.js +15 -1
- package/dist/session/auto-lock.js.map +1 -1
- package/dist/validation/aad-assert.d.ts +5 -3
- package/dist/validation/aad-assert.d.ts.map +1 -1
- package/dist/validation/aad-assert.js +15 -8
- package/dist/validation/aad-assert.js.map +1 -1
- package/dist/validation/plaintext-reject.d.ts.map +1 -1
- package/dist/validation/plaintext-reject.js +18 -4
- package/dist/validation/plaintext-reject.js.map +1 -1
- package/dist/validation/schemas.d.ts +148 -56
- package/dist/validation/schemas.d.ts.map +1 -1
- package/dist/validation/schemas.js +29 -10
- package/dist/validation/schemas.js.map +1 -1
- package/docs/ADOPTING_VAULT_CORE_IN_EXISTING_APPS.md +575 -0
- package/docs/IMPLEMENTATION_GUIDE.md +577 -0
- package/docs/README.md +30 -0
- package/docs/RELEASING.md +102 -0
- package/package.json +10 -3
|
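--- a/package/dist/session/auto-lock.js
+++ b/package/dist/session/auto-lock.js
@@ -5,6 +5,7 @@ let inactivityTimer = null;
 let manuallyLocked = false;
 let lastActivityAt = 0;
 const listeners = new Set();
+const DEFAULT_ACTIVITY_EVENTS = ["pointerdown", "keydown", "touchstart", "focus"];
 export function configureVaultSession(config) {
 sessionConfig = config;
 }
@@ -77,10 +78,23 @@ export function registerVaultUnloadGuard() {
 window.addEventListener("pagehide", handler);
 return () => window.removeEventListener("pagehide", handler);
 }
+export function registerVaultActivityGuard(events = DEFAULT_ACTIVITY_EVENTS) {
+if (typeof window === "undefined")
+return () => undefined;
+const handler = () => touchVaultSession();
+for (const event of events) {
+window.addEventListener(event, handler, { passive: true });
+}
+return () => {
+for (const event of events) {
+window.removeEventListener(event, handler);
+}
+};
+}
 export function getVaultAutoLockRemainingMs() {
 if (!isVaultUnlocked() || manuallyLocked || lastActivityAt === 0)
 return null;
 return Math.max(0, getAutoLockTimeoutMs() - (Date.now() - lastActivityAt));
 }
-export { getSessionVaultKey,
+export { getSessionVaultKey, isVaultUnlocked, } from "./memory-session.js";
 //# sourceMappingURL=auto-lock.js.map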
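Review bot: registerVaultActivityGuard iterates `events` twice — once when attaching and again inside the returned cleanup — so a caller that passes a one-shot iterable, or a collection it mutates after registering, would attach listeners the cleanup never removes, and those stale handlers keep calling touchVaultSession() after the owning component is gone. Snapshot the names once at the top, `const eventNames = [...events];`, and use that array in both loops. The function also lacks a JSDoc header; it should state that every listed DOM event extends the session via touchVaultSession(), that the returned function is the only way to detach, and that DEFAULT_ACTIVITY_EVENTS is module-shared and must not be mutated by callers. registerVaultUnloadGuard begins outside the hunk.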
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auto-lock.js","sourceRoot":"","sources":["../../src/session/auto-lock.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,+BAA+B,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAOrF,IAAI,aAAa,GAAuB,EAAE,CAAC;AAC3C,IAAI,eAAe,GAAyC,IAAI,CAAC;AACjE,IAAI,cAAc,GAAG,KAAK,CAAC;AAC3B,IAAI,cAAc,GAAG,CAAC,CAAC;AACvB,MAAM,SAAS,GAAG,IAAI,GAAG,EAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"auto-lock.js","sourceRoot":"","sources":["../../src/session/auto-lock.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,+BAA+B,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAOrF,IAAI,aAAa,GAAuB,EAAE,CAAC;AAC3C,IAAI,eAAe,GAAyC,IAAI,CAAC;AACjE,IAAI,cAAc,GAAG,KAAK,CAAC;AAC3B,IAAI,cAAc,GAAG,CAAC,CAAC;AACvB,MAAM,SAAS,GAAG,IAAI,GAAG,EAAc,CAAC;AACxC,MAAM,uBAAuB,GAAG,CAAC,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,OAAO,CAAU,CAAC;AAE3F,MAAM,UAAU,qBAAqB,CAAC,MAA0B;IAC9D,aAAa,GAAG,MAAM,CAAC;AACzB,CAAC;AAED,SAAS,oBAAoB;IAC3B,MAAM,QAAQ,GAAG,aAAa,CAAC,sBAAsB,EAAE,EAAE,CAAC;IAC1D,MAAM,OAAO,GACX,QAAQ;QACR,aAAa,CAAC,eAAe;QAC7B,+BAA+B,CAAC;IAClC,MAAM,WAAW,GACf,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,+BAA+B,CAAC;IACtF,OAAO,WAAW,GAAG,EAAE,GAAG,IAAI,CAAC;AACjC,CAAC;AAED,SAAS,wBAAwB;IAC/B,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,QAAQ,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAoB;IACxD,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACxB,OAAO,GAAG,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,IAAI,eAAe,EAAE,CAAC;QACpB,YAAY,CAAC,eAAe,CAAC,CAAC;QAC9B,eAAe,GAAG,IAAI,CAAC;IACzB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,IAAI,CAAC,eAAe,EAAE,IAAI,cAAc;QAAE,OAAO;IACjD,uBAAuB,EAAE,CAAC;IAC1B,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC5B,eAAe,GAAG,UAAU,CAAC,GAAG,EAAE;QAChC,gBAAgB,EAAE,CAAC;IACrB,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,IAAI,eAAe,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC;QACzC,qBAAqB,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,QAAmB;IACpD,cAAc,GAAG,KAAK,CAAC;IACvB,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAC7B,qBAAqB,EAAE,CAAC;IACxB,wBAAwB,EAAE,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,uBAAuB,EAAE,CAAC;IAC1B,cAAc,GAAG,CAAC,CAAC;IACnB,SAAS,EAAE,CAAC;IACZ,cAAc,GAAG,IAAI,CAAC;IACtB,wBAAwB,EAAE,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,wBAAwB;IACtC,gBAAgB,EAAE,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,0BAA0B;IA
CxC,cAAc,GAAG,KAAK,CAAC;IACvB,uBAAuB,EAAE,CAAC;IAC1B,cAAc,GAAG,CAAC,CAAC;IACnB,wBAAwB,EAAE,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,wBAAwB;IACtC,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO,GAAG,EAAE,CAAC,SAAS,CAAC;IAE1D,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,gBAAgB,EAAE,CAAC;IACzC,MAAM,CAAC,gBAAgB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,GAAG,EAAE,CAAC,MAAM,CAAC,mBAAmB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,SAA4B,uBAAuB;IAEnD,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO,GAAG,EAAE,CAAC,SAAS,CAAC;IAE1D,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,iBAAiB,EAAE,CAAC;IAC1C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,CAAC,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,GAAG,EAAE;QACV,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,CAAC,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,IAAI,CAAC,eAAe,EAAE,IAAI,cAAc,IAAI,cAAc,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,oBAAoB,EAAE,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,OAAO,EACL,kBAAkB,EAClB,eAAe,GAChB,MAAM,qBAAqB,CAAC"}
|
|
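--- a/package/dist/validation/aad-assert.d.ts
+++ b/package/dist/validation/aad-assert.d.ts
@@ -1,5 +1,7 @@
 import type { EncryptedVaultPayload } from "./schemas.js";
-import type { VaultCryptoProfile } from "../profile.js";
-
-export declare function
+import type { VaultAadScope, VaultCryptoProfile } from "../profile.js";
+type ExpectedScope = Pick<VaultAadScope, "userId" | "resourceId">;
+export declare function assertVaultKeyAad(expectedScope: string | ExpectedScope, payload: EncryptedVaultPayload, profile: VaultCryptoProfile): void;
+export declare function assertVaultPayloadAad(expectedScope: string | ExpectedScope, payload: EncryptedVaultPayload, profile: VaultCryptoProfile): void;
+export {};
 //# sourceMappingURL=aad-assert.d.ts.map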
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aad-assert.d.ts","sourceRoot":"","sources":["../../src/validation/aad-assert.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"aad-assert.d.ts","sourceRoot":"","sources":["../../src/validation/aad-assert.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,KAAK,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAEvE,KAAK,aAAa,GAAG,IAAI,CAAC,aAAa,EAAE,QAAQ,GAAG,YAAY,CAAC,CAAC;AAQlE,wBAAgB,iBAAiB,CAC/B,aAAa,EAAE,MAAM,GAAG,aAAa,EACrC,OAAO,EAAE,qBAAqB,EAC9B,OAAO,EAAE,kBAAkB,GAC1B,IAAI,CAcN;AAED,wBAAgB,qBAAqB,CACnC,aAAa,EAAE,MAAM,GAAG,aAAa,EACrC,OAAO,EAAE,qBAAqB,EAC9B,OAAO,EAAE,kBAAkB,GAC1B,IAAI,CAcN"}
|
|
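--- a/package/dist/validation/aad-assert.js
+++ b/package/dist/validation/aad-assert.js
@@ -1,28 +1,35 @@
-
-
+function normalizeExpectedScope(scope) {
+return typeof scope === "string"
+? { userId: scope, resourceId: scope }
+: scope;
+}
+export function assertVaultKeyAad(expectedScope, payload, profile) {
+const scope = normalizeExpectedScope(expectedScope);
+if (payload.aad.userId !== scope.userId) {
 throw new Error("Vault key AAD userId mismatch");
 }
-if (payload.aad.resourceId !==
+if (payload.aad.resourceId !== scope.resourceId) {
 throw new Error("Vault key AAD resourceId mismatch");
 }
 if (payload.aad.field !== "vault_key") {
 throw new Error("Vault key AAD field mismatch");
 }
-if (payload.aad.context
+if (payload.aad.context !== profile.aadContextEnvelope) {
 throw new Error("Vault key AAD context mismatch");
 }
 }
-export function assertVaultPayloadAad(
-
+export function assertVaultPayloadAad(expectedScope, payload, profile) {
+const scope = normalizeExpectedScope(expectedScope);
+if (payload.aad.userId !== scope.userId) {
 throw new Error("Vault payload AAD userId mismatch");
 }
-if (payload.aad.resourceId !==
+if (payload.aad.resourceId !== scope.resourceId) {
 throw new Error("Vault payload AAD resourceId mismatch");
 }
 if (payload.aad.field !== "vault_payload") {
 throw new Error("Vault payload AAD field mismatch");
 }
-if (payload.aad.context
+if (payload.aad.context !== profile.aadContextVault) {
 throw new Error("Vault payload AAD context mismatch");
 }
 }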
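Review bot: normalizeExpectedScope expands a bare string into `{ userId: scope, resourceId: scope }`, so the string form silently asserts that the resource being opened is the user's own (resourceId equal to userId); nothing in this file documents that, and a caller who passes a resource id as the string gets a misleading "userId mismatch" instead of a contract error. Add a JSDoc on both exported functions spelling out the shorthand, and have normalizeExpectedScope reject object scopes whose fields are not non-empty strings, e.g. `if (typeof scope.userId !== "string" || typeof scope.resourceId !== "string") throw new Error("expectedScope must carry string userId and resourceId");` (message is a constructed example), so a malformed scope fails for the stated reason rather than through the later strict comparisons. assertVaultKeyAad and assertVaultPayloadAad differ only in the expected `field` literal and the profile property compared against `aad.context`; a shared helper taking those two values would keep the four checks from drifting apart as more AAD fields are added.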
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aad-assert.js","sourceRoot":"","sources":["../../src/validation/aad-assert.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"aad-assert.js","sourceRoot":"","sources":["../../src/validation/aad-assert.ts"],"names":[],"mappings":"AAKA,SAAS,sBAAsB,CAAC,KAA6B;IAC3D,OAAO,OAAO,KAAK,KAAK,QAAQ;QAC9B,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE;QACtC,CAAC,CAAC,KAAK,CAAC;AACZ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,aAAqC,EACrC,OAA8B,EAC9B,OAA2B;IAE3B,MAAM,KAAK,GAAG,sBAAsB,CAAC,aAAa,CAAC,CAAC;IACpD,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,KAAK,CAAC,UAAU,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,OAAO,CAAC,kBAAkB,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,aAAqC,EACrC,OAA8B,EAC9B,OAA2B;IAE3B,MAAM,KAAK,GAAG,sBAAsB,CAAC,aAAa,CAAC,CAAC;IACpD,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,KAAK,CAAC,UAAU,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,OAAO,CAAC,eAAe,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"plaintext-reject.d.ts","sourceRoot":"","sources":["../../src/validation/plaintext-reject.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,gCAAgC,8PAiBnC,CAAC;AAEX,MAAM,MAAM,uBAAuB,GAAG,CAAC,OAAO,gCAAgC,CAAC,CAAC,MAAM,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"plaintext-reject.d.ts","sourceRoot":"","sources":["../../src/validation/plaintext-reject.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,gCAAgC,8PAiBnC,CAAC;AAEX,MAAM,MAAM,uBAAuB,GAAG,CAAC,OAAO,gCAAgC,CAAC,CAAC,MAAM,CAAC,CAAC;AAIxF,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,GAAG,IAAI,CAsBvF;AAED,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAKhF;AAED,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,OAAO,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,EAAE,CAAA;CAAE,CAGvF;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,GAAE,SAAS,MAAM,EAAkB,GAAG,MAAM,EAAE,CAWtG;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,GAAE,SAAS,MAAM,EAAkB,GAAG,OAAO,CAErG;AAED,eAAO,MAAM,uBAAuB,yCAAyC,CAAC;AAC9E,eAAO,MAAM,wBAAwB,0CAA0C,CAAC;AAChF,eAAO,MAAM,gCAAgC,kDACI,CAAC;AAClD,eAAO,MAAM,gCAAgC,kDACI,CAAC;AAClD,eAAO,MAAM,sBAAsB,wCAAwC,CAAC;AAC5E,eAAO,MAAM,sBAAsB,wCAAwC,CAAC;AAC5E,eAAO,MAAM,2BAA2B,6CAA6C,CAAC;AACtF,eAAO,MAAM,yBAAyB,2CAA2C,CAAC;AAClF,eAAO,MAAM,qBAAqB,uCAAuC,CAAC;AAC1E,eAAO,MAAM,uBAAuB,yCAAyC,CAAC;AAC9E,eAAO,MAAM,mBAAmB,qCAAqC,CAAC;AAEtE,eAAO,MAAM,aAAa,odAYhB,CAAC"}
|
|
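--- a/package/dist/validation/plaintext-reject.js
+++ b/package/dist/validation/plaintext-reject.js
@@ -17,13 +17,27 @@ export const PLAINTEXT_FORBIDDEN_VAULT_FIELDS = [
 "content",
 "message",
 ];
+const FORBIDDEN_FIELD_SET = new Set(PLAINTEXT_FORBIDDEN_VAULT_FIELDS);
 export function rejectVaultPlaintextFields(body) {
-
-
-
+const visited = new WeakSet();
+function visit(value, path) {
+if (value === null || typeof value !== "object")
+return null;
+if (visited.has(value))
+return null;
+visited.add(value);
+for (const [field, nestedValue] of Object.entries(value)) {
+const fieldPath = path ? `${path}.${field}` : field;
+if (FORBIDDEN_FIELD_SET.has(field) && nestedValue !== undefined) {
+return `Plaintext field '${field}' is not allowed at '${fieldPath}'`;
+}
+const nestedError = visit(nestedValue, fieldPath);
+if (nestedError)
+return nestedError;
 }
+return null;
 }
-return
+return visit(body, "");
 }
 export function assertNoVaultPlaintextFields(body) {
 const error = rejectVaultPlaintextFields(body);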
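Review bot: visit recurses with no depth bound, so a sufficiently nested `body` from an untrusted client exhausts the call stack and surfaces as a RangeError out of rejectVaultPlaintextFields instead of the string-or-null result its callers expect; the WeakSet guards against cycles, not depth. Thread a counter through the recursion — `function visit(value, path, depth = 0) {`, then `if (depth > MAX_PLAINTEXT_SCAN_DEPTH) return \`Plaintext scan aborted: nesting deeper than ${MAX_PLAINTEXT_SCAN_DEPTH} at '${path}'\`;` as the first check, and `const nestedError = visit(nestedValue, fieldPath, depth + 1);` — with MAX_PLAINTEXT_SCAN_DEPTH a module constant (64 is a constructed starting value to tune against real payload shapes); the default parameter leaves the existing `visit(body, "")` call untouched. The match is an exact, case-sensitive lookup in FORBIDDEN_FIELD_SET and `nestedValue !== undefined` lets a forbidden key holding `null` pass, so the JSDoc for rejectVaultPlaintextFields should state that it is a best-effort guard against accidental plaintext, not a guarantee that no secret reached the server. assertNoVaultPlaintextFields continues outside the hunk.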
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"plaintext-reject.js","sourceRoot":"","sources":["../../src/validation/plaintext-reject.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAEzE,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,eAAe;IACf,sBAAsB;IACtB,UAAU;IACV,gBAAgB;IAChB,eAAe;IACf,cAAc;IACd,WAAW;IACX,kBAAkB;IAClB,aAAa;IACb,aAAa;IACb,cAAc;IACd,mBAAmB;IACnB,OAAO;IACP,MAAM;IACN,SAAS;IACT,SAAS;CACD,CAAC;AAIX,MAAM,UAAU,0BAA0B,CAAC,IAA6B;IACtE,KAAK,
|
|
1
|
+
{"version":3,"file":"plaintext-reject.js","sourceRoot":"","sources":["../../src/validation/plaintext-reject.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAEzE,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,eAAe;IACf,sBAAsB;IACtB,UAAU;IACV,gBAAgB;IAChB,eAAe;IACf,cAAc;IACd,WAAW;IACX,kBAAkB;IAClB,aAAa;IACb,aAAa;IACb,cAAc;IACd,mBAAmB;IACnB,OAAO;IACP,MAAM;IACN,SAAS;IACT,SAAS;CACD,CAAC;AAIX,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAS,gCAAgC,CAAC,CAAC;AAE9E,MAAM,UAAU,0BAA0B,CAAC,IAA6B;IACtE,MAAM,OAAO,GAAG,IAAI,OAAO,EAAU,CAAC;IAEtC,SAAS,KAAK,CAAC,KAAc,EAAE,IAAY;QACzC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC7D,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAEnB,KAAK,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzD,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;YACpD,IAAI,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;gBAChE,OAAO,oBAAoB,KAAK,wBAAwB,SAAS,GAAG,CAAC;YACvE,CAAC;YAED,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;YAClD,IAAI,WAAW;gBAAE,OAAO,WAAW,CAAC;QACtC,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,IAA6B;IACxE,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,CAAC,CAAC;IAC/C,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,IAAI,4BAA4B,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,IAAa;IACnD,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,IAAa,EAAE,YAA+B,aAAa;IAC1F,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,KAAa,EAAE,YAA+B,aAAa;IAC1F,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,
CAAC,QAAQ,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;AAC9E,MAAM,CAAC,MAAM,wBAAwB,GAAG,uCAAuC,CAAC;AAChF,MAAM,CAAC,MAAM,gCAAgC,GAC3C,+CAA+C,CAAC;AAClD,MAAM,CAAC,MAAM,gCAAgC,GAC3C,+CAA+C,CAAC;AAClD,MAAM,CAAC,MAAM,sBAAsB,GAAG,qCAAqC,CAAC;AAC5E,MAAM,CAAC,MAAM,sBAAsB,GAAG,qCAAqC,CAAC;AAC5E,MAAM,CAAC,MAAM,2BAA2B,GAAG,0CAA0C,CAAC;AACtF,MAAM,CAAC,MAAM,yBAAyB,GAAG,wCAAwC,CAAC;AAClF,MAAM,CAAC,MAAM,qBAAqB,GAAG,oCAAoC,CAAC;AAC1E,MAAM,CAAC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;AAC9E,MAAM,CAAC,MAAM,mBAAmB,GAAG,kCAAkC,CAAC;AAEtE,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,uBAAuB;IACvB,wBAAwB;IACxB,gCAAgC;IAChC,gCAAgC;IAChC,sBAAsB;IACtB,sBAAsB;IACtB,2BAA2B;IAC3B,yBAAyB;IACzB,qBAAqB;IACrB,uBAAuB;IACvB,mBAAmB;CACX,CAAC"}
|
|
@@ -37,12 +37,15 @@ export declare const kdfMetadataSchema: z.ZodObject<{
|
|
|
37
37
|
}, z.core.$strip>;
|
|
38
38
|
export type KdfMetadata = Argon2idKdfMetadata;
|
|
39
39
|
export type VaultEnvelopeMethod = "password" | "recovery_phrase" | "passkey_prf";
|
|
40
|
-
export declare const
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
40
|
+
export declare const passwordEnvelopeSchema: z.ZodObject<{
|
|
41
|
+
kdfMetadata: z.ZodObject<{
|
|
42
|
+
kdf: z.ZodLiteral<"argon2id">;
|
|
43
|
+
version: z.ZodLiteral<"kdf-v1">;
|
|
44
|
+
salt: z.ZodString;
|
|
45
|
+
memory: z.ZodNumber;
|
|
46
|
+
iterations: z.ZodNumber;
|
|
47
|
+
parallelism: z.ZodNumber;
|
|
48
|
+
}, z.core.$strip>;
|
|
46
49
|
encryptedVaultKey: z.ZodObject<{
|
|
47
50
|
version: z.ZodLiteral<"enc-v1">;
|
|
48
51
|
alg: z.ZodLiteral<"AES-GCM">;
|
|
@@ -59,31 +62,139 @@ export declare const storedEnvelopeSchema: z.ZodObject<{
|
|
|
59
62
|
context: z.ZodOptional<z.ZodString>;
|
|
60
63
|
}, z.core.$strip>;
|
|
61
64
|
}, z.core.$strip>;
|
|
62
|
-
|
|
65
|
+
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
66
|
+
method: z.ZodLiteral<"password">;
|
|
67
|
+
}, z.core.$strip>;
|
|
68
|
+
export declare const recoveryPhraseEnvelopeSchema: z.ZodObject<{
|
|
69
|
+
kdfMetadata: z.ZodObject<{
|
|
63
70
|
kdf: z.ZodLiteral<"argon2id">;
|
|
64
71
|
version: z.ZodLiteral<"kdf-v1">;
|
|
65
72
|
salt: z.ZodString;
|
|
66
73
|
memory: z.ZodNumber;
|
|
67
74
|
iterations: z.ZodNumber;
|
|
68
75
|
parallelism: z.ZodNumber;
|
|
69
|
-
}, z.core.$strip
|
|
76
|
+
}, z.core.$strip>;
|
|
77
|
+
encryptedVaultKey: z.ZodObject<{
|
|
78
|
+
version: z.ZodLiteral<"enc-v1">;
|
|
79
|
+
alg: z.ZodLiteral<"AES-GCM">;
|
|
80
|
+
iv: z.ZodString;
|
|
81
|
+
ciphertext: z.ZodString;
|
|
82
|
+
aad: z.ZodObject<{
|
|
83
|
+
userId: z.ZodString;
|
|
84
|
+
resourceId: z.ZodString;
|
|
85
|
+
field: z.ZodEnum<{
|
|
86
|
+
vault_key: "vault_key";
|
|
87
|
+
vault_payload: "vault_payload";
|
|
88
|
+
vault_index: "vault_index";
|
|
89
|
+
}>;
|
|
90
|
+
context: z.ZodOptional<z.ZodString>;
|
|
91
|
+
}, z.core.$strip>;
|
|
92
|
+
}, z.core.$strip>;
|
|
70
93
|
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
94
|
+
method: z.ZodLiteral<"recovery_phrase">;
|
|
71
95
|
}, z.core.$strip>;
|
|
96
|
+
export declare const passkeyPrfEnvelopeSchema: z.ZodObject<{
|
|
97
|
+
kdfMetadata: z.ZodNull;
|
|
98
|
+
encryptedVaultKey: z.ZodObject<{
|
|
99
|
+
version: z.ZodLiteral<"enc-v1">;
|
|
100
|
+
alg: z.ZodLiteral<"AES-GCM">;
|
|
101
|
+
iv: z.ZodString;
|
|
102
|
+
ciphertext: z.ZodString;
|
|
103
|
+
aad: z.ZodObject<{
|
|
104
|
+
userId: z.ZodString;
|
|
105
|
+
resourceId: z.ZodString;
|
|
106
|
+
field: z.ZodEnum<{
|
|
107
|
+
vault_key: "vault_key";
|
|
108
|
+
vault_payload: "vault_payload";
|
|
109
|
+
vault_index: "vault_index";
|
|
110
|
+
}>;
|
|
111
|
+
context: z.ZodOptional<z.ZodString>;
|
|
112
|
+
}, z.core.$strip>;
|
|
113
|
+
}, z.core.$strip>;
|
|
114
|
+
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
115
|
+
method: z.ZodLiteral<"passkey_prf">;
|
|
116
|
+
}, z.core.$strip>;
|
|
117
|
+
export declare const storedEnvelopeSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
|
|
118
|
+
kdfMetadata: z.ZodObject<{
|
|
119
|
+
kdf: z.ZodLiteral<"argon2id">;
|
|
120
|
+
version: z.ZodLiteral<"kdf-v1">;
|
|
121
|
+
salt: z.ZodString;
|
|
122
|
+
memory: z.ZodNumber;
|
|
123
|
+
iterations: z.ZodNumber;
|
|
124
|
+
parallelism: z.ZodNumber;
|
|
125
|
+
}, z.core.$strip>;
|
|
126
|
+
encryptedVaultKey: z.ZodObject<{
|
|
127
|
+
version: z.ZodLiteral<"enc-v1">;
|
|
128
|
+
alg: z.ZodLiteral<"AES-GCM">;
|
|
129
|
+
iv: z.ZodString;
|
|
130
|
+
ciphertext: z.ZodString;
|
|
131
|
+
aad: z.ZodObject<{
|
|
132
|
+
userId: z.ZodString;
|
|
133
|
+
resourceId: z.ZodString;
|
|
134
|
+
field: z.ZodEnum<{
|
|
135
|
+
vault_key: "vault_key";
|
|
136
|
+
vault_payload: "vault_payload";
|
|
137
|
+
vault_index: "vault_index";
|
|
138
|
+
}>;
|
|
139
|
+
context: z.ZodOptional<z.ZodString>;
|
|
140
|
+
}, z.core.$strip>;
|
|
141
|
+
}, z.core.$strip>;
|
|
142
|
+
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
143
|
+
method: z.ZodLiteral<"password">;
|
|
144
|
+
}, z.core.$strip>, z.ZodObject<{
|
|
145
|
+
kdfMetadata: z.ZodObject<{
|
|
146
|
+
kdf: z.ZodLiteral<"argon2id">;
|
|
147
|
+
version: z.ZodLiteral<"kdf-v1">;
|
|
148
|
+
salt: z.ZodString;
|
|
149
|
+
memory: z.ZodNumber;
|
|
150
|
+
iterations: z.ZodNumber;
|
|
151
|
+
parallelism: z.ZodNumber;
|
|
152
|
+
}, z.core.$strip>;
|
|
153
|
+
encryptedVaultKey: z.ZodObject<{
|
|
154
|
+
version: z.ZodLiteral<"enc-v1">;
|
|
155
|
+
alg: z.ZodLiteral<"AES-GCM">;
|
|
156
|
+
iv: z.ZodString;
|
|
157
|
+
ciphertext: z.ZodString;
|
|
158
|
+
aad: z.ZodObject<{
|
|
159
|
+
userId: z.ZodString;
|
|
160
|
+
resourceId: z.ZodString;
|
|
161
|
+
field: z.ZodEnum<{
|
|
162
|
+
vault_key: "vault_key";
|
|
163
|
+
vault_payload: "vault_payload";
|
|
164
|
+
vault_index: "vault_index";
|
|
165
|
+
}>;
|
|
166
|
+
context: z.ZodOptional<z.ZodString>;
|
|
167
|
+
}, z.core.$strip>;
|
|
168
|
+
}, z.core.$strip>;
|
|
169
|
+
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
170
|
+
method: z.ZodLiteral<"recovery_phrase">;
|
|
171
|
+
}, z.core.$strip>, z.ZodObject<{
|
|
172
|
+
kdfMetadata: z.ZodNull;
|
|
173
|
+
encryptedVaultKey: z.ZodObject<{
|
|
174
|
+
version: z.ZodLiteral<"enc-v1">;
|
|
175
|
+
alg: z.ZodLiteral<"AES-GCM">;
|
|
176
|
+
iv: z.ZodString;
|
|
177
|
+
ciphertext: z.ZodString;
|
|
178
|
+
aad: z.ZodObject<{
|
|
179
|
+
userId: z.ZodString;
|
|
180
|
+
resourceId: z.ZodString;
|
|
181
|
+
field: z.ZodEnum<{
|
|
182
|
+
vault_key: "vault_key";
|
|
183
|
+
vault_payload: "vault_payload";
|
|
184
|
+
vault_index: "vault_index";
|
|
185
|
+
}>;
|
|
186
|
+
context: z.ZodOptional<z.ZodString>;
|
|
187
|
+
}, z.core.$strip>;
|
|
188
|
+
}, z.core.$strip>;
|
|
189
|
+
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
190
|
+
method: z.ZodLiteral<"passkey_prf">;
|
|
191
|
+
}, z.core.$strip>], "method">;
|
|
72
192
|
export type VaultEnvelope = z.infer<typeof storedEnvelopeSchema>;
|
|
73
193
|
/** @deprecated Use VaultEnvelope */
|
|
74
194
|
export type StoredEnvelope = VaultEnvelope;
|
|
75
|
-
export type PasswordEnvelope =
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
};
|
|
79
|
-
export type RecoveryPhraseEnvelope = VaultEnvelope & {
|
|
80
|
-
method: "recovery_phrase";
|
|
81
|
-
kdfMetadata: Argon2idKdfMetadata;
|
|
82
|
-
};
|
|
83
|
-
export type PasskeyPrfEnvelope = VaultEnvelope & {
|
|
84
|
-
method: "passkey_prf";
|
|
85
|
-
kdfMetadata: null;
|
|
86
|
-
};
|
|
195
|
+
export type PasswordEnvelope = z.infer<typeof passwordEnvelopeSchema>;
|
|
196
|
+
export type RecoveryPhraseEnvelope = z.infer<typeof recoveryPhraseEnvelopeSchema>;
|
|
197
|
+
export type PasskeyPrfEnvelope = z.infer<typeof passkeyPrfEnvelopeSchema>;
|
|
87
198
|
export { VAULT_CRYPTO_VERSION } from "../constants.js";
|
|
88
199
|
export declare const vaultSetupEnvelopeFieldsSchema: z.ZodObject<{
|
|
89
200
|
cryptoVersion: z.ZodLiteral<"vault-v1">;
|
|
@@ -104,11 +215,14 @@ export declare const vaultSetupEnvelopeFieldsSchema: z.ZodObject<{
|
|
|
104
215
|
}, z.core.$strip>;
|
|
105
216
|
}, z.core.$strip>;
|
|
106
217
|
passwordEnvelope: z.ZodObject<{
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
218
|
+
kdfMetadata: z.ZodObject<{
|
|
219
|
+
kdf: z.ZodLiteral<"argon2id">;
|
|
220
|
+
version: z.ZodLiteral<"kdf-v1">;
|
|
221
|
+
salt: z.ZodString;
|
|
222
|
+
memory: z.ZodNumber;
|
|
223
|
+
iterations: z.ZodNumber;
|
|
224
|
+
parallelism: z.ZodNumber;
|
|
225
|
+
}, z.core.$strip>;
|
|
112
226
|
encryptedVaultKey: z.ZodObject<{
|
|
113
227
|
version: z.ZodLiteral<"enc-v1">;
|
|
114
228
|
alg: z.ZodLiteral<"AES-GCM">;
|
|
@@ -125,22 +239,18 @@ export declare const vaultSetupEnvelopeFieldsSchema: z.ZodObject<{
|
|
|
125
239
|
context: z.ZodOptional<z.ZodString>;
|
|
126
240
|
}, z.core.$strip>;
|
|
127
241
|
}, z.core.$strip>;
|
|
128
|
-
|
|
242
|
+
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
243
|
+
method: z.ZodLiteral<"password">;
|
|
244
|
+
}, z.core.$strip>;
|
|
245
|
+
recoveryEnvelope: z.ZodObject<{
|
|
246
|
+
kdfMetadata: z.ZodObject<{
|
|
129
247
|
kdf: z.ZodLiteral<"argon2id">;
|
|
130
248
|
version: z.ZodLiteral<"kdf-v1">;
|
|
131
249
|
salt: z.ZodString;
|
|
132
250
|
memory: z.ZodNumber;
|
|
133
251
|
iterations: z.ZodNumber;
|
|
134
252
|
parallelism: z.ZodNumber;
|
|
135
|
-
}, z.core.$strip
|
|
136
|
-
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
137
|
-
}, z.core.$strip>;
|
|
138
|
-
recoveryEnvelope: z.ZodObject<{
|
|
139
|
-
method: z.ZodEnum<{
|
|
140
|
-
password: "password";
|
|
141
|
-
recovery_phrase: "recovery_phrase";
|
|
142
|
-
passkey_prf: "passkey_prf";
|
|
143
|
-
}>;
|
|
253
|
+
}, z.core.$strip>;
|
|
144
254
|
encryptedVaultKey: z.ZodObject<{
|
|
145
255
|
version: z.ZodLiteral<"enc-v1">;
|
|
146
256
|
alg: z.ZodLiteral<"AES-GCM">;
|
|
@@ -157,22 +267,11 @@ export declare const vaultSetupEnvelopeFieldsSchema: z.ZodObject<{
|
|
|
157
267
|
context: z.ZodOptional<z.ZodString>;
|
|
158
268
|
}, z.core.$strip>;
|
|
159
269
|
}, z.core.$strip>;
|
|
160
|
-
kdfMetadata: z.ZodNullable<z.ZodObject<{
|
|
161
|
-
kdf: z.ZodLiteral<"argon2id">;
|
|
162
|
-
version: z.ZodLiteral<"kdf-v1">;
|
|
163
|
-
salt: z.ZodString;
|
|
164
|
-
memory: z.ZodNumber;
|
|
165
|
-
iterations: z.ZodNumber;
|
|
166
|
-
parallelism: z.ZodNumber;
|
|
167
|
-
}, z.core.$strip>>;
|
|
168
270
|
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
271
|
+
method: z.ZodLiteral<"recovery_phrase">;
|
|
169
272
|
}, z.core.$strip>;
|
|
170
273
|
passkeyPrfEnvelope: z.ZodOptional<z.ZodNullable<z.ZodObject<{
|
|
171
|
-
|
|
172
|
-
password: "password";
|
|
173
|
-
recovery_phrase: "recovery_phrase";
|
|
174
|
-
passkey_prf: "passkey_prf";
|
|
175
|
-
}>;
|
|
274
|
+
kdfMetadata: z.ZodNull;
|
|
176
275
|
encryptedVaultKey: z.ZodObject<{
|
|
177
276
|
version: z.ZodLiteral<"enc-v1">;
|
|
178
277
|
alg: z.ZodLiteral<"AES-GCM">;
|
|
@@ -189,15 +288,8 @@ export declare const vaultSetupEnvelopeFieldsSchema: z.ZodObject<{
|
|
|
189
288
|
context: z.ZodOptional<z.ZodString>;
|
|
190
289
|
}, z.core.$strip>;
|
|
191
290
|
}, z.core.$strip>;
|
|
192
|
-
kdfMetadata: z.ZodNullable<z.ZodObject<{
|
|
193
|
-
kdf: z.ZodLiteral<"argon2id">;
|
|
194
|
-
version: z.ZodLiteral<"kdf-v1">;
|
|
195
|
-
salt: z.ZodString;
|
|
196
|
-
memory: z.ZodNumber;
|
|
197
|
-
iterations: z.ZodNumber;
|
|
198
|
-
parallelism: z.ZodNumber;
|
|
199
|
-
}, z.core.$strip>>;
|
|
200
291
|
publicMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
292
|
+
method: z.ZodLiteral<"passkey_prf">;
|
|
201
293
|
}, z.core.$strip>>>;
|
|
202
294
|
}, z.core.$strip>;
|
|
203
295
|
//# sourceMappingURL=schemas.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../src/validation/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;
|
|
1
|
+
{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../src/validation/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAMxB,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;iBAWjC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAC3E,4CAA4C;AAC5C,MAAM,MAAM,gBAAgB,GAAG,qBAAqB,CAAC;AAErD,eAAO,MAAM,yBAAyB;;;;;;;iBAOpC,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E,eAAO,MAAM,iBAAiB;;;;;;;iBAA4B,CAAC;AAC3D,MAAM,MAAM,WAAW,GAAG,mBAAmB,CAAC;AAE9C,MAAM,MAAM,mBAAmB,GAAG,UAAU,GAAG,iBAAiB,GAAG,aAAa,CAAC;AAOjF,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAIjC,CAAC;AAEH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAIvC,CAAC;AAEH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;iBAInC,CAAC;AAEH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAI/B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AACjE,oCAAoC;AACpC,MAAM,MAAM,cAAc,GAAG,aAAa,CAAC;AAE3C,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAClF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE1E,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEvD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAMzC,CAAC"}
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { z } from "zod";
|
|
2
2
|
import { ENCRYPTION_ALG, ENCRYPTION_VERSION } from "../constants.js";
|
|
3
|
+
import { ARGON2ID_LIMITS } from "../kdf/params.js";
|
|
3
4
|
const aadFieldSchema = z.enum(["vault_key", "vault_payload", "vault_index"]);
|
|
4
5
|
export const encryptedPayloadSchema = z.object({
|
|
5
6
|
version: z.literal(ENCRYPTION_VERSION),
|
|
@@ -16,24 +17,42 @@ export const encryptedPayloadSchema = z.object({
|
|
|
16
17
|
export const argon2idKdfMetadataSchema = z.object({
|
|
17
18
|
kdf: z.literal("argon2id"),
|
|
18
19
|
version: z.literal("kdf-v1"),
|
|
19
|
-
salt: z.string().min(1),
|
|
20
|
-
memory: z.number().int().
|
|
21
|
-
iterations: z.number().int().
|
|
22
|
-
parallelism: z.number().int().
|
|
20
|
+
salt: z.string().min(1).max(128),
|
|
21
|
+
memory: z.number().int().min(ARGON2ID_LIMITS.memory.min).max(ARGON2ID_LIMITS.memory.max),
|
|
22
|
+
iterations: z.number().int().min(ARGON2ID_LIMITS.iterations.min).max(ARGON2ID_LIMITS.iterations.max),
|
|
23
|
+
parallelism: z.number().int().min(ARGON2ID_LIMITS.parallelism.min).max(ARGON2ID_LIMITS.parallelism.max),
|
|
23
24
|
});
|
|
24
25
|
export const kdfMetadataSchema = argon2idKdfMetadataSchema;
|
|
25
|
-
|
|
26
|
-
method: z.enum(["password", "recovery_phrase", "passkey_prf"]),
|
|
26
|
+
const envelopeFields = {
|
|
27
27
|
encryptedVaultKey: encryptedPayloadSchema,
|
|
28
|
-
kdfMetadata: kdfMetadataSchema.nullable(),
|
|
29
28
|
publicMetadata: z.record(z.string(), z.unknown()).optional(),
|
|
29
|
+
};
|
|
30
|
+
export const passwordEnvelopeSchema = z.object({
|
|
31
|
+
method: z.literal("password"),
|
|
32
|
+
...envelopeFields,
|
|
33
|
+
kdfMetadata: argon2idKdfMetadataSchema,
|
|
30
34
|
});
|
|
35
|
+
export const recoveryPhraseEnvelopeSchema = z.object({
|
|
36
|
+
method: z.literal("recovery_phrase"),
|
|
37
|
+
...envelopeFields,
|
|
38
|
+
kdfMetadata: argon2idKdfMetadataSchema,
|
|
39
|
+
});
|
|
40
|
+
export const passkeyPrfEnvelopeSchema = z.object({
|
|
41
|
+
method: z.literal("passkey_prf"),
|
|
42
|
+
...envelopeFields,
|
|
43
|
+
kdfMetadata: z.null(),
|
|
44
|
+
});
|
|
45
|
+
export const storedEnvelopeSchema = z.discriminatedUnion("method", [
|
|
46
|
+
passwordEnvelopeSchema,
|
|
47
|
+
recoveryPhraseEnvelopeSchema,
|
|
48
|
+
passkeyPrfEnvelopeSchema,
|
|
49
|
+
]);
|
|
31
50
|
export { VAULT_CRYPTO_VERSION } from "../constants.js";
|
|
32
51
|
export const vaultSetupEnvelopeFieldsSchema = z.object({
|
|
33
52
|
cryptoVersion: z.literal("vault-v1"),
|
|
34
53
|
encryptedBlob: encryptedPayloadSchema,
|
|
35
|
-
passwordEnvelope:
|
|
36
|
-
recoveryEnvelope:
|
|
37
|
-
passkeyPrfEnvelope:
|
|
54
|
+
passwordEnvelope: passwordEnvelopeSchema,
|
|
55
|
+
recoveryEnvelope: recoveryPhraseEnvelopeSchema,
|
|
56
|
+
passkeyPrfEnvelope: passkeyPrfEnvelopeSchema.nullable().optional(),
|
|
38
57
|
});
|
|
39
58
|
//# sourceMappingURL=schemas.js.map
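Review bot: The new `argon2idKdfMetadataSchema` bounds the Argon2id cost parameters but still accepts any 1–128 character `salt`, so a stored envelope that has been tampered with down to a one-character salt passes validation and the vault key is derived from it; since this schema is the gate for persisted data, it should pin the salt's format and a minimum length, e.g. `salt: z.string().regex(/^[A-Za-z0-9+/]+={0,2}$/).min(22).max(128),` if the salt is the base64 form of a ≥16-byte random value as the envelope helpers presumably emit (verify against the producing code, which is outside this hunk). Relatedly, the `.min(ARGON2ID_LIMITS.memory.min)` floor is only a downgrade guard if the minimums in `kdf/params.js` are set at recommended strength rather than just above zero; that file is not in this hunk, so it is worth confirming. A short comment above the schema would also help the next maintainer, e.g. `// Bounds are a DoS/downgrade guard: stored kdfMetadata is untrusted input.`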
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../src/validation/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../src/validation/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEnD,MAAM,cAAc,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,eAAe,EAAE,aAAa,CAAC,CAAC,CAAC;AAE7E,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC;IACtC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC9B,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC;QACZ,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QACzB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QAC7B,KAAK,EAAE,cAAc;QACrB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC/B,CAAC;CACH,CAAC,CAAC;AAMH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAC1B,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IAChC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC;IACxF,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,UAAU,CAAC,GAAG,CAAC;IACpG,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,WAAW,CAAC,GAAG,CAAC;CACxG,CAAC,CAAC;AAIH,MAAM,CAAC,MAAM,iBAAiB,GAAG,yBAAyB,CAAC;AAK3D,MAAM,cAAc,GAAG;IACrB,iBAAiB,EAAE,sBAAsB;IACzC,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC7D,CAAC;AAEF,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAC7B,GAAG,cAAc;IACjB,WAAW,EAAE,yBAAyB;CACvC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC;IACpC,GAAG,cAAc;IACjB,WAAW,EAA
E,yBAAyB;CACvC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAChC,GAAG,cAAc;IACjB,WAAW,EAAE,CAAC,CAAC,IAAI,EAAE;CACtB,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,kBAAkB,CAAC,QAAQ,EAAE;IACjE,sBAAsB;IACtB,4BAA4B;IAC5B,wBAAwB;CACzB,CAAC,CAAC;AAUH,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEvD,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC;IACrD,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IACpC,aAAa,EAAE,sBAAsB;IACrC,gBAAgB,EAAE,sBAAsB;IACxC,gBAAgB,EAAE,4BAA4B;IAC9C,kBAAkB,EAAE,wBAAwB,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CACnE,CAAC,CAAC"}
|