npm - emailengine-app - Versions diffs - 2.65.0 → 2.67.0 - Mend

emailengine-app 2.65.0 → 2.67.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/.github/workflows/deploy.yml +8 -8
package/.github/workflows/release.yaml +9 -9
package/.github/workflows/test.yml +2 -2
package/CHANGELOG.md +53 -0
package/bin/emailengine.js +3 -0
package/data/google-crawlers.json +7 -1
package/lib/account.js +35 -29
package/lib/consts.js +5 -0
package/lib/email-client/gmail-client.js +23 -27
package/lib/email-client/imap/mailbox.js +46 -19
package/lib/email-client/imap/sync-operations.js +51 -19
package/lib/email-client/imap-client.js +28 -5
package/lib/email-client/outlook-client.js +155 -1
package/lib/oauth/gmail.js +52 -1
package/lib/passkeys.js +206 -0
package/lib/routes-ui.js +522 -21
package/lib/ui-routes/oauth-routes.js +6 -1
package/package.json +13 -11
package/sbom.json +1 -1
package/static/js/login-passkey.js +75 -0
package/static/js/passkey-register.js +107 -0
package/static/licenses.html +238 -38
package/static/vendor/handlebars/handlebars.min-v4.7.9.js +29 -0
package/static/vendor/simplewebauthn/browser.min.js +2 -0
package/translations/de.mo +0 -0
package/translations/de.po +91 -53
package/translations/en.mo +0 -0
package/translations/en.po +84 -52
package/translations/et.mo +0 -0
package/translations/et.po +95 -60
package/translations/fr.mo +0 -0
package/translations/fr.po +102 -65
package/translations/ja.mo +0 -0
package/translations/ja.po +93 -57
package/translations/messages.pot +101 -76
package/translations/nl.mo +0 -0
package/translations/nl.po +92 -56
package/translations/pl.mo +0 -0
package/translations/pl.po +106 -70
package/views/account/login.hbs +35 -25
package/views/account/password.hbs +4 -4
package/views/account/security.hbs +101 -12
package/views/account/totp.hbs +3 -3
package/views/config/oauth/app.hbs +25 -0
package/views/layout/app.hbs +2 -2
package/views/layout/login.hbs +6 -1
package/views/oauth-scope-error.hbs +29 -0
package/workers/api.js +81 -3
package/workers/imap.js +4 -0
package/static/vendor/handlebars/handlebars.min-v4.7.7.js +0 -29

package/lib/passkeys.js ADDED Viewed

@@ -0,0 +1,206 @@
+'use strict';
+const crypto = require('crypto');
+const { redis } = require('./db');
+const settings = require('./settings');
+const { REDIS_PREFIX, WEBAUTHN_CHALLENGE_TTL } = require('./consts');
+const KEY_PREFIX = `${REDIS_PREFIX}webauthn:`;
+// Passkey data does not require encryption at rest. Unlike TOTP seeds or OAuth
+// client secrets (which are shared secrets), passkeys use public-key cryptography.
+// Only the public key is stored here -- the private key never leaves the
+// authenticator device. An attacker with Redis access cannot use a public key
+// to authenticate, so encrypting it adds no meaningful security.
+function hydrateCredential(data) {
+    if (!data || !data.id) {
+        return null;
+    }
+    data.counter = parseInt(data.counter, 10) || 0;
+    try {
+        data.transports = JSON.parse(data.transports || '[]');
+    } catch (err) {
+        data.transports = [];
+    }
+    return data;
+}
+async function fetchCredentialsBySet(setKey) {
+    let credIds = await redis.smembers(setKey);
+    if (!credIds || !credIds.length) {
+        return [];
+    }
+    let pipeline = redis.pipeline();
+    for (let id of credIds) {
+        pipeline.hgetall(`${KEY_PREFIX}cred:${id}`);
+    }
+    let results = await pipeline.exec();
+    let credentials = [];
+    for (let [err, data] of results) {
+        let cred = !err && hydrateCredential(data);
+        if (cred) {
+            credentials.push(cred);
+        }
+    }
+    return credentials;
+}
+redis.defineCommand('webauthnSaveIfUnderLimit', {
+    numberOfKeys: 3,
+    lua: `
+local userSetKey = KEYS[1]
+local credKey = KEYS[2]
+local allSetKey = KEYS[3]
+local maxCount = tonumber(ARGV[1])
+local credId = ARGV[2]
+local currentCount = redis.call('SCARD', userSetKey)
+if currentCount >= maxCount then
+    return 0
+end
+redis.call('SADD', userSetKey, credId)
+redis.call('SADD', allSetKey, credId)
+redis.call('HSET', credKey, unpack(ARGV, 3))
+return 1
+`
+});
+function serializeCredential({ id, publicKey, counter, transports, name, user }) {
+    return {
+        id,
+        publicKey,
+        counter: String(counter),
+        transports: JSON.stringify(transports || []),
+        name: name || 'Unnamed passkey',
+        user,
+        createdAt: new Date().toISOString()
+    };
+}
+function credentialKeys(id, user) {
+    return {
+        credKey: `${KEY_PREFIX}cred:${id}`,
+        userSetKey: `${KEY_PREFIX}creds:${user}`,
+        allSetKey: `${KEY_PREFIX}all`
+    };
+}
+module.exports = {
+    async getRpConfig() {
+        let serviceUrl = await settings.get('serviceUrl');
+        if (!serviceUrl) {
+            return { rpId: null, origin: null };
+        }
+        let url = new URL(serviceUrl);
+        return { rpId: url.hostname, origin: url.origin };
+    },
+    async storeChallenge(challenge) {
+        let challengeId = crypto.randomBytes(32).toString('hex');
+        await redis.set(`${KEY_PREFIX}challenge:${challengeId}`, challenge, 'EX', WEBAUTHN_CHALLENGE_TTL);
+        return challengeId;
+    },
+    async consumeChallenge(challengeId) {
+        if (!challengeId || typeof challengeId !== 'string') {
+            return null;
+        }
+        let key = `${KEY_PREFIX}challenge:${challengeId}`;
+        let challenge = await redis.getdel(key);
+        return challenge || null;
+    },
+    async saveCredential(cred) {
+        let { credKey, userSetKey, allSetKey } = credentialKeys(cred.id, cred.user);
+        let pipeline = redis.pipeline();
+        pipeline.hset(credKey, serializeCredential(cred));
+        pipeline.sadd(userSetKey, cred.id);
+        pipeline.sadd(allSetKey, cred.id);
+        await pipeline.exec();
+    },
+    async saveCredentialIfUnderLimit(cred, maxCount) {
+        let { credKey, userSetKey, allSetKey } = credentialKeys(cred.id, cred.user);
+        let fields = serializeCredential(cred);
+        let fieldArgs = Object.entries(fields).flat();
+        let added = await redis.webauthnSaveIfUnderLimit(userSetKey, credKey, allSetKey, maxCount, cred.id, ...fieldArgs);
+        return !!added;
+    },
+    async getCredential(credentialId) {
+        if (!credentialId || typeof credentialId !== 'string') {
+            return null;
+        }
+        let data = await redis.hgetall(`${KEY_PREFIX}cred:${credentialId}`);
+        return hydrateCredential(data);
+    },
+    async updateCounter(credentialId, newCounter) {
+        await redis.hset(`${KEY_PREFIX}cred:${credentialId}`, 'counter', String(newCounter));
+    },
+    async listCredentials(user) {
+        let credentials = await fetchCredentialsBySet(`${KEY_PREFIX}creds:${user}`);
+        credentials.sort((a, b) => new Date(b.createdAt) - new Date(a.createdAt));
+        return credentials;
+    },
+    async deleteCredential(credentialId, user) {
+        let cred = await this.getCredential(credentialId);
+        if (!cred) {
+            return false;
+        }
+        if (user && cred.user !== user) {
+            return false;
+        }
+        let pipeline = redis.pipeline();
+        pipeline.del(`${KEY_PREFIX}cred:${credentialId}`);
+        pipeline.srem(`${KEY_PREFIX}all`, credentialId);
+        if (cred.user) {
+            pipeline.srem(`${KEY_PREFIX}creds:${cred.user}`, credentialId);
+        }
+        await pipeline.exec();
+        return true;
+    },
+    async countCredentials(user) {
+        return await redis.scard(`${KEY_PREFIX}creds:${user}`);
+    },
+    async hasPasskeys() {
+        let count = await redis.scard(`${KEY_PREFIX}all`);
+        return count > 0;
+    },
+    async getAllCredentials() {
+        return await fetchCredentialsBySet(`${KEY_PREFIX}all`);
+    },
+    async deleteAllCredentials(user) {
+        let userSetKey = `${KEY_PREFIX}creds:${user}`;
+        let allSetKey = `${KEY_PREFIX}all`;
+        let credIds = await redis.smembers(userSetKey);
+        if (!credIds || !credIds.length) {
+            return 0;
+        }
+        let pipeline = redis.pipeline();
+        for (let id of credIds) {
+            pipeline.del(`${KEY_PREFIX}cred:${id}`);
+            pipeline.srem(allSetKey, id);
+        }
+        pipeline.del(userSetKey);
+        await pipeline.exec();
+        return credIds.length;
+    }
+};