update to systemService and decryptAndMigrate... method

2024-04-23 14:59:49 -07:00 · 2024-04-23 14:59:49 -07:00 · 1b9714bc1c
parent b214061159
commit 1b9714bc1c
4 changed files with 22 additions and 19 deletions
--- a/libs/auth/src/common/services/pin/pin.service.implementation.ts
+++ b/libs/auth/src/common/services/pin/pin.service.implementation.ts
@ -38,7 +38,7 @@ const PIN_KEY_ENCRYPTED_USER_KEY = new UserKeyDefinition<EncryptedString>(
  "pinKeyEncryptedUserKey",
  {
    deserializer: (jsonValue) => jsonValue,
-    clearOn: [], // TODO-rr-bw: verify
+    clearOn: ["logout"], // TODO-rr-bw: verify
  },
 );

@ -198,7 +198,7 @@ export class PinService implements PinServiceAbstraction {

    const pinKey = await this.makePinKey(
      pin,
-      (await firstValueFrom(this.accountService.activeAccount$))?.email, // TODO-rr-bw: verify (could this possibly be different from the UserId passed in?)
+      (await firstValueFrom(this.accountService.activeAccount$))?.email, // TODO-rr-bw: verify (could this user possibly be different from the UserId passed in?)
      await this.stateService.getKdfType({ userId }),
      await this.stateService.getKdfConfig({ userId }),
    );
@ -351,7 +351,6 @@ export class PinService implements PinServiceAbstraction {
  ): Promise<UserKey> {
    this.validateUserId(userId, "Cannot decrypt and migrate oldPinKeyEncryptedMasterKey.");

-    // Decrypt
    const masterKey = await this.decryptMasterKeyWithPin(
      userId,
      pin,
@ -368,21 +367,17 @@ export class PinService implements PinServiceAbstraction {
    );

    const pinKeyEncryptedUserKey = await this.createPinKeyEncryptedUserKey(pin, userKey, userId);
+    await this.storePinKeyEncryptedUserKey(
+      pinKeyEncryptedUserKey,
+      requireMasterPasswordOnClientRestart,
+      userId,
+    );
+
+    const protectedPin = await this.createProtectedPin(pin, userKey);
+    await this.setProtectedPin(protectedPin.encryptedString, userId);

    await this.clearOldPinKeyEncryptedMasterKey(userId);

-    if (requireMasterPasswordOnClientRestart) {
-      await this.setPinKeyEncryptedUserKeyEphemeral(pinKeyEncryptedUserKey, userId);
-    } else {
-      await this.setPinKeyEncryptedUserKey(pinKeyEncryptedUserKey, userId);
-
-      // We previously only set the protected pin if MP on Restart was enabled
-      // now we set it regardless
-      // TODO-rr-bw: based on this comment, shouldn't this code be placed outside the if/else block?
-      const protectedPin = await this.encryptService.encrypt(pin, userKey);
-      await this.setProtectedPin(protectedPin.encryptedString, userId);
-    }
-
    // This also clears the old Biometrics key since the new Biometrics key will
    // be created when the user key is set.
    await this.stateService.setCryptoMasterKeyBiometric(null);
--- a/libs/common/src/auth/services/webauthn-login/webauthn-login-prf-crypto.service.ts
+++ b/libs/common/src/auth/services/webauthn-login/webauthn-login-prf-crypto.service.ts
@ -16,6 +16,7 @@ export class WebAuthnLoginPrfCryptoService implements WebAuthnLoginPrfCryptoServ
    return (await this.stretchKey(new Uint8Array(prf))) as PrfKey;
  }

+  // TODO: use keyGenerationService.stretchKey
  private async stretchKey(key: Uint8Array): Promise<SymmetricCryptoKey> {
    const newKey = new Uint8Array(64);
    const encKey = await this.cryptoFunctionService.hkdfExpand(key, "enc", 32, "sha256");
--- a/libs/common/src/platform/abstractions/key-generation.service.ts
+++ b/libs/common/src/platform/abstractions/key-generation.service.ts
@ -57,5 +57,10 @@ export abstract class KeyGenerationService {
    kdfConfig: KdfConfig,
  ): Promise<SymmetricCryptoKey>;

+  /**
+   * Derives a 64 byte key from a 32 byte key using a key derivation function.
+   * @param key 32 byte key.
+   * @returns 64 byte derived key.
+   */
  abstract stretchKey(key: SymmetricCryptoKey): Promise<SymmetricCryptoKey>;
 }
--- a/libs/common/src/platform/services/system.service.ts
+++ b/libs/common/src/platform/services/system.service.ts
@ -49,11 +49,13 @@ export class SystemService implements SystemServiceAbstraction {
      return;
    }

+    // If there is an active user, check if they have a pinKeyEncryptedUserKeyEphemeral. If so, prevent process reload upon lock.
    const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
-    // User has set a PIN, with ask for master password on restart, to protect their vault
-    const ephemeralPin = await this.pinService.getPinKeyEncryptedUserKeyEphemeral(userId);
-    if (ephemeralPin != null) {
-      return;
+    if (userId != null) {
+      const ephemeralPin = await this.pinService.getPinKeyEncryptedUserKeyEphemeral(userId);
+      if (ephemeralPin != null) {
+        return;
+      }
    }

    this.cancelProcessReload();