ente/pkg/sign_in.go

package pkg

import (
	"cli-go/internal"
	"cli-go/internal/api"
	eCrypto "cli-go/internal/crypto"
	"cli-go/pkg/model"
	"cli-go/utils/encoding"
	"context"
	"fmt"
	"log"

	"github.com/kong/go-srp"
)

func (c *ClICtrl) signInViaPassword(ctx context.Context, srpAttr *api.SRPAttributes) (*api.AuthorizationResponse, []byte, error) {
	for {
		// CLI prompt for password
		password, flowErr := internal.GetSensitiveField("Enter password")
		if flowErr != nil {
			return nil, nil, flowErr
		}
		fmt.Println("\nPlease wait authenticating...")
		keyEncKey, err := eCrypto.DeriveArgonKey(password, srpAttr.KekSalt, srpAttr.MemLimit, srpAttr.OpsLimit)
		if err != nil {
			fmt.Printf("error deriving key encryption key: %v", err)
			return nil, nil, err
		}
		loginKey := eCrypto.DeriveLoginKey(keyEncKey)

		srpParams := srp.GetParams(4096)
		identify := []byte(srpAttr.SRPUserID.String())
		salt := encoding.DecodeBase64(srpAttr.SRPSalt)
		clientSecret := srp.GenKey()
		srpClient := srp.NewClient(srpParams, salt, identify, loginKey, clientSecret)
		clientA := srpClient.ComputeA()
		session, err := c.Client.CreateSRPSession(ctx, srpAttr.SRPUserID, encoding.EncodeBase64(clientA))
		if err != nil {
			return nil, nil, err
		}
		serverB := session.SRPB
		srpClient.SetB(encoding.DecodeBase64(serverB))
		clientM := srpClient.ComputeM1()
		authResp, err := c.Client.VerifySRPSession(ctx, srpAttr.SRPUserID, session.SessionID, encoding.EncodeBase64(clientM))
		if err != nil {
			log.Printf("failed to verify %v", err)
			continue
		}
		return authResp, keyEncKey, nil
	}
}

// Parameters:
//   - keyEncKey: key encryption key is derived from user's password. During SRP based login, this key is already derived.
//     So, we can pass it to avoid asking for password again.
func (c *ClICtrl) decryptAccSecretInfo(
	_ context.Context,
	authResp *api.AuthorizationResponse,
	keyEncKey []byte,
) (*model.AccSecretInfo, error) {
	var currentKeyEncKey []byte
	var err error
	var masterKey, secretKey, tokenKey []byte
	var publicKey = encoding.DecodeBase64(authResp.KeyAttributes.PublicKey)
	for {
		if keyEncKey == nil {
			// CLI prompt for password
			password, flowErr := internal.GetSensitiveField("Enter password")
			if flowErr != nil {
				return nil, flowErr
			}
			fmt.Println("\nPlease wait authenticating...")
			currentKeyEncKey, err = eCrypto.DeriveArgonKey(password,
				authResp.KeyAttributes.KEKSalt, authResp.KeyAttributes.MemLimit, authResp.KeyAttributes.OpsLimit)
			if err != nil {
				fmt.Printf("error deriving key encryption key: %v", err)
				return nil, err
			}
		} else {
			currentKeyEncKey = keyEncKey
		}

		encryptedKey := encoding.DecodeBase64(authResp.KeyAttributes.EncryptedKey)
		encryptedKeyNonce := encoding.DecodeBase64(authResp.KeyAttributes.KeyDecryptionNonce)
		masterKey, err = eCrypto.SecretBoxOpen(encryptedKey, encryptedKeyNonce, currentKeyEncKey)
		if err != nil {
			if keyEncKey != nil {
				fmt.Printf("Failed to get key from keyEncryptionKey %s", err)
				return nil, err
			} else {
				fmt.Printf("Incorrect password, error decrypting master key: %v", err)
				continue
			}
		}
		secretKey, err = eCrypto.SecretBoxOpen(
			encoding.DecodeBase64(authResp.KeyAttributes.EncryptedSecretKey),
			encoding.DecodeBase64(authResp.KeyAttributes.SecretKeyDecryptionNonce),
			masterKey,
		)
		if err != nil {
			fmt.Printf("error decrypting master key: %v", err)
			return nil, err
		}
		tokenKey, err = eCrypto.SealedBoxOpen(
			encoding.DecodeBase64(authResp.EncryptedToken),
			publicKey,
			secretKey,
		)
		if err != nil {
			fmt.Printf("error decrypting token: %v", err)
			return nil, err
		}
		break
	}
	return &model.AccSecretInfo{
		MasterKey: masterKey,
		SecretKey: secretKey,
		Token:     tokenKey,
		PublicKey: publicKey,
	}, nil
}

func (c *ClICtrl) validateTOTP(ctx context.Context, authResp *api.AuthorizationResponse) (*api.AuthorizationResponse, error) {
	if !authResp.IsMFARequired() {
		return authResp, nil
	}
	for {
		// CLI prompt for TOTP
		totp, flowErr := internal.GetCode("Enter TOTP", 6)
		if flowErr != nil {
			return nil, flowErr
		}
		totpResp, err := c.Client.VerifyTotp(ctx, authResp.TwoFactorSessionID, totp)
		if err != nil {
			log.Printf("failed to verify %v", err)
			continue
		}
		return totpResp, nil
	}
}

func (c *ClICtrl) validateEmail(ctx context.Context, email string) (*api.AuthorizationResponse, error) {
	err := c.Client.SendEmailOTP(ctx, email)
	if err != nil {
		return nil, err
	}
	for {
		// CLI prompt for OTP
		ott, flowErr := internal.GetCode("Enter OTP", 6)
		if flowErr != nil {
			return nil, flowErr
		}
		authResponse, err := c.Client.VerifyEmail(ctx, email, ott)
		if err != nil {
			log.Printf("failed to verify %v", err)
			continue
		}
		return authResponse, nil
	}
}
Add basic commands for account 2023-09-14 04:20:32 +00:00			`package pkg`

			`import (`
Refactor 2023-09-23 10:45:10 +00:00			`"cli-go/internal"`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`"cli-go/internal/api"`
Minor rename 2023-09-27 02:37:42 +00:00			`eCrypto "cli-go/internal/crypto"`
Refactor 2023-09-23 10:45:10 +00:00			`"cli-go/pkg/model"`
Move encoding utils in separate pkg 2023-09-23 04:05:37 +00:00			`"cli-go/utils/encoding"`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`"context"`
			`"fmt"`
			`"log"`

			`"github.com/kong/go-srp"`
			`)`

Refactor 2023-09-27 05:32:36 +00:00			`func (c ClICtrl) signInViaPassword(ctx context.Context, srpAttr api.SRPAttributes) (*api.AuthorizationResponse, []byte, error) {`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`for {`
			`// CLI prompt for password`
Refactor 2023-09-23 10:45:10 +00:00			`password, flowErr := internal.GetSensitiveField("Enter password")`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`if flowErr != nil {`
			`return nil, nil, flowErr`
			`}`
			`fmt.Println("\nPlease wait authenticating...")`
Minor rename 2023-09-27 02:37:42 +00:00			`keyEncKey, err := eCrypto.DeriveArgonKey(password, srpAttr.KekSalt, srpAttr.MemLimit, srpAttr.OpsLimit)`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`if err != nil {`
			`fmt.Printf("error deriving key encryption key: %v", err)`
			`return nil, nil, err`
			`}`
Minor rename 2023-09-27 02:37:42 +00:00			`loginKey := eCrypto.DeriveLoginKey(keyEncKey)`
Add basic commands for account 2023-09-14 04:20:32 +00:00
			`srpParams := srp.GetParams(4096)`
			`identify := []byte(srpAttr.SRPUserID.String())`
Move encoding utils in separate pkg 2023-09-23 04:05:37 +00:00			`salt := encoding.DecodeBase64(srpAttr.SRPSalt)`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`clientSecret := srp.GenKey()`
			`srpClient := srp.NewClient(srpParams, salt, identify, loginKey, clientSecret)`
			`clientA := srpClient.ComputeA()`
Move encoding utils in separate pkg 2023-09-23 04:05:37 +00:00			`session, err := c.Client.CreateSRPSession(ctx, srpAttr.SRPUserID, encoding.EncodeBase64(clientA))`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`if err != nil {`
			`return nil, nil, err`
			`}`
			`serverB := session.SRPB`
Move encoding utils in separate pkg 2023-09-23 04:05:37 +00:00			`srpClient.SetB(encoding.DecodeBase64(serverB))`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`clientM := srpClient.ComputeM1()`
Move encoding utils in separate pkg 2023-09-23 04:05:37 +00:00			`authResp, err := c.Client.VerifySRPSession(ctx, srpAttr.SRPUserID, session.SessionID, encoding.EncodeBase64(clientM))`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`if err != nil {`
			`log.Printf("failed to verify %v", err)`
			`continue`
			`}`
			`return authResp, keyEncKey, nil`
			`}`
Add support for validating 2FA 2023-09-15 10:47:38 +00:00			`}`
Add basic commands for account 2023-09-14 04:20:32 +00:00
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`// Parameters:`
			`// - keyEncKey: key encryption key is derived from user's password. During SRP based login, this key is already derived.`
			`// So, we can pass it to avoid asking for password again.`
Add KeyHolder for keeping in-mem keys 2023-09-22 16:15:01 +00:00			`func (c *ClICtrl) decryptAccSecretInfo(`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`_ context.Context,`
			`authResp *api.AuthorizationResponse,`
			`keyEncKey []byte,`
Refactor 2023-09-23 10:45:10 +00:00			`) (*model.AccSecretInfo, error) {`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`var currentKeyEncKey []byte`
Store both masterKey and secretKey 2023-09-22 12:18:14 +00:00			`var err error`
Bug fixes and support for decrypting collection names 2023-09-22 13:37:12 +00:00			`var masterKey, secretKey, tokenKey []byte`
Store account publicKey 2023-09-23 04:10:54 +00:00			`var publicKey = encoding.DecodeBase64(authResp.KeyAttributes.PublicKey)`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`for {`
			`if keyEncKey == nil {`
			`// CLI prompt for password`
Refactor 2023-09-23 10:45:10 +00:00			`password, flowErr := internal.GetSensitiveField("Enter password")`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`if flowErr != nil {`
Store both masterKey and secretKey 2023-09-22 12:18:14 +00:00			`return nil, flowErr`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`}`
			`fmt.Println("\nPlease wait authenticating...")`
Minor rename 2023-09-27 02:37:42 +00:00			`currentKeyEncKey, err = eCrypto.DeriveArgonKey(password,`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`authResp.KeyAttributes.KEKSalt, authResp.KeyAttributes.MemLimit, authResp.KeyAttributes.OpsLimit)`
			`if err != nil {`
			`fmt.Printf("error deriving key encryption key: %v", err)`
Store both masterKey and secretKey 2023-09-22 12:18:14 +00:00			`return nil, err`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`}`
			`} else {`
			`currentKeyEncKey = keyEncKey`
			`}`

Move encoding utils in separate pkg 2023-09-23 04:05:37 +00:00			`encryptedKey := encoding.DecodeBase64(authResp.KeyAttributes.EncryptedKey)`
			`encryptedKeyNonce := encoding.DecodeBase64(authResp.KeyAttributes.KeyDecryptionNonce)`
Minor rename 2023-09-27 02:37:42 +00:00			`masterKey, err = eCrypto.SecretBoxOpen(encryptedKey, encryptedKeyNonce, currentKeyEncKey)`
Bug fixes and support for decrypting collection names 2023-09-22 13:37:12 +00:00			`if err != nil {`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`if keyEncKey != nil {`
Bug fixes and support for decrypting collection names 2023-09-22 13:37:12 +00:00			`fmt.Printf("Failed to get key from keyEncryptionKey %s", err)`
			`return nil, err`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`} else {`
Bug fixes and support for decrypting collection names 2023-09-22 13:37:12 +00:00			`fmt.Printf("Incorrect password, error decrypting master key: %v", err)`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`continue`
			`}`
			`}`
Minor rename 2023-09-27 02:37:42 +00:00			`secretKey, err = eCrypto.SecretBoxOpen(`
Move encoding utils in separate pkg 2023-09-23 04:05:37 +00:00			`encoding.DecodeBase64(authResp.KeyAttributes.EncryptedSecretKey),`
			`encoding.DecodeBase64(authResp.KeyAttributes.SecretKeyDecryptionNonce),`
Bug fixes and support for decrypting collection names 2023-09-22 13:37:12 +00:00			`masterKey,`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`)`
Bug fixes and support for decrypting collection names 2023-09-22 13:37:12 +00:00			`if err != nil {`
			`fmt.Printf("error decrypting master key: %v", err)`
			`return nil, err`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`}`
Minor rename 2023-09-27 02:37:42 +00:00			`tokenKey, err = eCrypto.SealedBoxOpen(`
Move encoding utils in separate pkg 2023-09-23 04:05:37 +00:00			`encoding.DecodeBase64(authResp.EncryptedToken),`
Store account publicKey 2023-09-23 04:10:54 +00:00			`publicKey,`
Store both masterKey and secretKey 2023-09-22 12:18:14 +00:00			`secretKey,`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`)`
			`if err != nil {`
			`fmt.Printf("error decrypting token: %v", err)`
Store both masterKey and secretKey 2023-09-22 12:18:14 +00:00			`return nil, err`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`}`
			`break`
			`}`
Refactor 2023-09-23 10:45:10 +00:00			`return &model.AccSecretInfo{`
Store both masterKey and secretKey 2023-09-22 12:18:14 +00:00			`MasterKey: masterKey,`
			`SecretKey: secretKey,`
			`Token: tokenKey,`
Store account publicKey 2023-09-23 04:10:54 +00:00			`PublicKey: publicKey,`
Store both masterKey and secretKey 2023-09-22 12:18:14 +00:00			`}, nil`
Add support for decrypting masterKey and token 2023-09-21 06:25:40 +00:00			`}`

Add support for validating 2FA 2023-09-15 10:47:38 +00:00			`func (c ClICtrl) validateTOTP(ctx context.Context, authResp api.AuthorizationResponse) (*api.AuthorizationResponse, error) {`
			`if !authResp.IsMFARequired() {`
			`return authResp, nil`
			`}`
			`for {`
			`// CLI prompt for TOTP`
Refactor 2023-09-23 10:45:10 +00:00			`totp, flowErr := internal.GetCode("Enter TOTP", 6)`
Add support for validating 2FA 2023-09-15 10:47:38 +00:00			`if flowErr != nil {`
			`return nil, flowErr`
			`}`
			`totpResp, err := c.Client.VerifyTotp(ctx, authResp.TwoFactorSessionID, totp)`
			`if err != nil {`
			`log.Printf("failed to verify %v", err)`
			`continue`
			`}`
			`return totpResp, nil`
			`}`
Add basic commands for account 2023-09-14 04:20:32 +00:00			`}`
Improve email verification flow 2023-09-21 03:16:26 +00:00
			`func (c ClICtrl) validateEmail(ctx context.Context, email string) (api.AuthorizationResponse, error) {`
			`err := c.Client.SendEmailOTP(ctx, email)`
			`if err != nil {`
			`return nil, err`
			`}`
			`for {`
			`// CLI prompt for OTP`
Refactor 2023-09-23 10:45:10 +00:00			`ott, flowErr := internal.GetCode("Enter OTP", 6)`
Improve email verification flow 2023-09-21 03:16:26 +00:00			`if flowErr != nil {`
			`return nil, flowErr`
			`}`
			`authResponse, err := c.Client.VerifyEmail(ctx, email, ott)`
			`if err != nil {`
			`log.Printf("failed to verify %v", err)`
			`continue`
			`}`
			`return authResponse, nil`
			`}`
			`}`