146 lines
4.7 KiB
JavaScript
146 lines
4.7 KiB
JavaScript
|
import { UPDATE_VAULT_KEY } from '@/fragments/users'
|
||
|
import { useMutation, useQuery } from '@apollo/client'
|
||
|
import { useMe } from '../me'
|
||
|
import { useToast } from '../toast'
|
||
|
import useIndexedDB, { getDbName } from '../use-indexeddb'
|
||
|
import { useCallback, useEffect, useState } from 'react'
|
||
|
import { E_VAULT_KEY_EXISTS } from '@/lib/error'
|
||
|
import { CLEAR_VAULT, GET_VAULT_ENTRIES } from '@/fragments/vault'
|
||
|
import { toHex } from '@/lib/hex'
|
||
|
import { decryptData, encryptData } from './use-vault'
|
||
|
|
||
|
const useImperativeQuery = (query) => {
|
||
|
const { refetch } = useQuery(query, { skip: true })
|
||
|
|
||
|
const imperativelyCallQuery = (variables) => {
|
||
|
return refetch(variables)
|
||
|
}
|
||
|
|
||
|
return imperativelyCallQuery
|
||
|
}
|
||
|
|
||
|
export function useVaultConfigurator () {
|
||
|
const { me } = useMe()
|
||
|
const toaster = useToast()
|
||
|
const { set, get, remove } = useIndexedDB({ dbName: getDbName(me?.id), storeName: 'vault' })
|
||
|
const [updateVaultKey] = useMutation(UPDATE_VAULT_KEY)
|
||
|
const getVaultEntries = useImperativeQuery(GET_VAULT_ENTRIES)
|
||
|
const [key, setKey] = useState(null)
|
||
|
const [keyHash, setKeyHash] = useState(null)
|
||
|
|
||
|
useEffect(() => {
|
||
|
if (!me) return
|
||
|
(async () => {
|
||
|
try {
|
||
|
let localVaultKey = await get('key')
|
||
|
const localKeyHash = me?.privates?.vaultKeyHash || keyHash
|
||
|
if (localVaultKey?.hash && localVaultKey?.hash !== localKeyHash) {
|
||
|
// If the hash stored in the server does not match the hash of the local key,
|
||
|
// we can tell that the key is outdated (reset by another device or other reasons)
|
||
|
// in this case we clear the local key and let the user re-enter the passphrase
|
||
|
console.log('vault key hash mismatch, clearing local key', localVaultKey?.hash, '!=', localKeyHash)
|
||
|
localVaultKey = null
|
||
|
await remove('key')
|
||
|
}
|
||
|
setKey(localVaultKey)
|
||
|
} catch (e) {
|
||
|
toaster.danger('error loading vault configuration ' + e.message)
|
||
|
}
|
||
|
})()
|
||
|
}, [me?.privates?.vaultKeyHash, keyHash, get, remove])
|
||
|
|
||
|
// clear vault: remove everything and reset the key
|
||
|
const [clearVault] = useMutation(CLEAR_VAULT, {
|
||
|
onCompleted: async () => {
|
||
|
try {
|
||
|
await remove('key')
|
||
|
setKey(null)
|
||
|
setKeyHash(null)
|
||
|
} catch (e) {
|
||
|
toaster.danger('error clearing vault ' + e.message)
|
||
|
}
|
||
|
}
|
||
|
})
|
||
|
|
||
|
// initialize the vault and set a vault key
|
||
|
const setVaultKey = useCallback(async (passphrase) => {
|
||
|
try {
|
||
|
const oldKeyValue = await get('key')
|
||
|
const vaultKey = await deriveKey(me.id, passphrase)
|
||
|
const { data } = await getVaultEntries()
|
||
|
|
||
|
const entries = []
|
||
|
for (const entry of data.getVaultEntries) {
|
||
|
entry.value = await decryptData(oldKeyValue.key, entry.value)
|
||
|
entries.push({ key: entry.key, value: await encryptData(vaultKey.key, entry.value) })
|
||
|
}
|
||
|
|
||
|
await updateVaultKey({
|
||
|
variables: { entries, hash: vaultKey.hash },
|
||
|
onError: (error) => {
|
||
|
const errorCode = error.graphQLErrors[0]?.extensions?.code
|
||
|
if (errorCode === E_VAULT_KEY_EXISTS) {
|
||
|
throw new Error('wrong passphrase')
|
||
|
}
|
||
|
toaster.danger(error.graphQLErrors[0].message)
|
||
|
}
|
||
|
})
|
||
|
setKey(vaultKey)
|
||
|
setKeyHash(vaultKey.hash)
|
||
|
await set('key', vaultKey)
|
||
|
} catch (e) {
|
||
|
toaster.danger('error setting vault key ' + e.message)
|
||
|
}
|
||
|
}, [getVaultEntries, updateVaultKey, set, get, remove])
|
||
|
|
||
|
return [key, setVaultKey, clearVault]
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Derive a key to be used for the vault encryption
|
||
|
* @param {string | number} userId - the id of the user (used for salting)
|
||
|
* @param {string} passphrase - the passphrase to derive the key from
|
||
|
* @returns {Promise<{key: CryptoKey, hash: string, extractable: boolean}>} an un-extractable CryptoKey and its hash
|
||
|
*/
|
||
|
async function deriveKey (userId, passphrase) {
|
||
|
const enc = new TextEncoder()
|
||
|
|
||
|
const keyMaterial = await window.crypto.subtle.importKey(
|
||
|
'raw',
|
||
|
enc.encode(passphrase),
|
||
|
{ name: 'PBKDF2' },
|
||
|
false,
|
||
|
['deriveKey']
|
||
|
)
|
||
|
|
||
|
const key = await window.crypto.subtle.deriveKey(
|
||
|
{
|
||
|
name: 'PBKDF2',
|
||
|
salt: enc.encode(`stacker${userId}`),
|
||
|
// 600,000 iterations is recommended by OWASP
|
||
|
// see https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
|
||
|
iterations: 600_000,
|
||
|
hash: 'SHA-256'
|
||
|
},
|
||
|
keyMaterial,
|
||
|
{ name: 'AES-GCM', length: 256 },
|
||
|
true,
|
||
|
['encrypt', 'decrypt']
|
||
|
)
|
||
|
|
||
|
const rawKey = await window.crypto.subtle.exportKey('raw', key)
|
||
|
const hash = toHex(await window.crypto.subtle.digest('SHA-256', rawKey))
|
||
|
const unextractableKey = await window.crypto.subtle.importKey(
|
||
|
'raw',
|
||
|
rawKey,
|
||
|
{ name: 'AES-GCM' },
|
||
|
false,
|
||
|
['encrypt', 'decrypt']
|
||
|
)
|
||
|
|
||
|
return {
|
||
|
key: unextractableKey,
|
||
|
hash
|
||
|
}
|
||
|
}
|