Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| f33fca21d1 | |||
| 5e61688f0c | |||
| 92ad1a5cff | |||
| 66e39a80b5 | |||
| 49fae38b7d | |||
| de3baedf0c | |||
| bbb7acad68 | |||
| cef5e06f0b | |||
| 13436ccedd |
2
.gitignore
vendored
2
.gitignore
vendored
@ -5,3 +5,5 @@
|
||||
/build/classes/kotlin/jvm/main/
|
||||
/build/classes/kotlin/jvm/test/
|
||||
/.idea
|
||||
/.kotlin/
|
||||
/.gigaide/gigaide.properties
|
||||
|
||||
@ -2,7 +2,9 @@
|
||||
|
||||
[](https://opensource.org/licenses/MIT)
|
||||
|
||||
> Current stable version 0.2.3
|
||||
We have moved off github due to growing tensions in the world. Thanks for understanding.
|
||||
|
||||
> Current stable version 0.2.6
|
||||
|
||||
This project targets to provide command set of multiplatform tools to faciliate restore access with non-recoverable passwords by providing a backup `secret` string as the only way to reset the password. It is ready to use in android, web and server apps (native target is not yet supported because of the encryption layer not yet supporting it)
|
||||
|
||||
@ -35,7 +37,7 @@ and add in dependencies like:
|
||||
~~~
|
||||
dependencies {
|
||||
//...
|
||||
implementation("net.sergeych:superlogin:0.2.3")
|
||||
implementation("net.sergeych:superlogin:0.2.6")
|
||||
}
|
||||
~~~
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
plugins {
|
||||
kotlin("multiplatform") version "1.7.21"
|
||||
kotlin("plugin.serialization") version "1.7.21"
|
||||
kotlin("multiplatform") version "2.1.0"
|
||||
kotlin("plugin.serialization") version "2.1.0"
|
||||
`maven-publish`
|
||||
}
|
||||
|
||||
val ktor_version="2.1.1"
|
||||
val ktor_version="2.3.12"
|
||||
val logback_version="1.2.10"
|
||||
|
||||
|
||||
group = "net.sergeych"
|
||||
version = "0.2.2"
|
||||
version = "0.3.2-SNAPSHOT"
|
||||
|
||||
repositories {
|
||||
mavenCentral()
|
||||
@ -23,20 +23,13 @@ repositories {
|
||||
|
||||
|
||||
kotlin {
|
||||
jvm {
|
||||
compilations.all {
|
||||
kotlinOptions.jvmTarget = "1.8"
|
||||
}
|
||||
withJava()
|
||||
testRuns["test"].executionTask.configure {
|
||||
useJUnitPlatform()
|
||||
}
|
||||
}
|
||||
jvmToolchain(17)
|
||||
jvm()
|
||||
js(IR) {
|
||||
browser {
|
||||
commonWebpackConfig {
|
||||
cssSupport.enabled = true
|
||||
}
|
||||
// commonWebpackConfig {
|
||||
// cssSupport.enabled = true
|
||||
// }
|
||||
testTask {
|
||||
useMocha {
|
||||
timeout = "30000"
|
||||
@ -51,9 +44,7 @@ kotlin {
|
||||
val commonMain by getting {
|
||||
dependencies {
|
||||
implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.6.3")
|
||||
api("net.sergeych:unikrypto:1.2.2-SNAPSHOT")
|
||||
api("net.sergeych:parsec3:0.4.3-SNAPSHOT")
|
||||
api("net.sergeych:boss-serialization-mp:0.2.4-SNAPSHOT")
|
||||
api("net.sergeych:parsec3:0.5.3")
|
||||
api("net.sergeych:unikrypto:1.2.5")
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,4 +1,2 @@
|
||||
kotlin.code.style=official
|
||||
kotlin.mpp.enableGranularSourceSetsMetadata=true
|
||||
kotlin.native.enableDependencyPropagation=false
|
||||
kotlin.js.generate.executable.default=false
|
||||
|
||||
2
gradle/wrapper/gradle-wrapper.properties
vendored
2
gradle/wrapper/gradle-wrapper.properties
vendored
@ -1,5 +1,5 @@
|
||||
distributionBase=GRADLE_USER_HOME
|
||||
distributionPath=wrapper/dists
|
||||
distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.2-bin.zip
|
||||
distributionUrl=https\://services.gradle.org/distributions/gradle-8.2-bin.zip
|
||||
zipStoreBase=GRADLE_USER_HOME
|
||||
zipStorePath=wrapper/dists
|
||||
|
||||
@ -19,14 +19,19 @@ data class RegistrationArgs(
|
||||
val packedACO: ByteArray,
|
||||
val extraData: ByteArray? = null
|
||||
) {
|
||||
@Suppress("unused")
|
||||
|
||||
inline fun <reified T>toSuccess(loginToken: ByteArray, extraData: T): AuthenticationResult.Success {
|
||||
return AuthenticationResult.Success(
|
||||
loginName, loginToken, BossEncoder.encode(extraData)
|
||||
)
|
||||
}
|
||||
|
||||
inline fun <reified T>decodeOrNull(): T? = extraData?.let { it.decodeBoss<T>() }
|
||||
inline fun <reified T: Any>decodeOrThrow(): T = extraData?.let { it.decodeBoss<T>() }
|
||||
@Suppress("unused")
|
||||
inline fun <reified T>decodeOrNull(): T? = extraData?.decodeBoss<T>()
|
||||
|
||||
@Suppress("unused")
|
||||
inline fun <reified T: Any>decodeOrThrow(): T = extraData?.decodeBoss<T>()
|
||||
?: throw IllegalArgumentException("missing require extra data of type ${T::class.simpleName}")
|
||||
}
|
||||
|
||||
@ -44,6 +49,11 @@ sealed class AuthenticationResult {
|
||||
@SerialName("LoginUnavailable")
|
||||
object LoginUnavailable: AuthenticationResult()
|
||||
|
||||
@Serializable
|
||||
@SerialName("OtherError")
|
||||
class OtherError(val reason: String,val packedData: ByteArray?=null): AuthenticationResult()
|
||||
|
||||
|
||||
@Serializable
|
||||
@SerialName("LoginIdUnavailable")
|
||||
object LoginIdUnavailable: AuthenticationResult()
|
||||
|
||||
@ -34,6 +34,7 @@ class Registration(
|
||||
val pbkdfRounds: Int = 15000,
|
||||
) : LogTag("SLREG") {
|
||||
|
||||
@Suppress("unused")
|
||||
sealed class Result {
|
||||
/**
|
||||
* Login is already in use or is somehow else invalid
|
||||
@ -53,6 +54,8 @@ class Registration(
|
||||
val encodedData: ByteArray?) : Result() {
|
||||
inline fun <reified D>data() = encodedData?.let { BossDecoder.decodeFrom<D>(it)}
|
||||
}
|
||||
|
||||
class OtherError(val code: String,val packedData: ByteArray?=null): Result()
|
||||
}
|
||||
|
||||
private var lastPasswordHash: ByteArray? = null
|
||||
@ -90,7 +93,7 @@ class Registration(
|
||||
val nonce = adapter.invokeCommand(api.slGetNonce)
|
||||
val loginPrivateKey = deferredLoginKey.await()
|
||||
val spl = SuperloginRestoreAccessPayload(login, loginPrivateKey, dataKey)
|
||||
repeat(10) {
|
||||
repeat(3) {
|
||||
val (restoreKey, restoreData) = AccessControlObject.pack(passwordKeys!!.loginAccessKey, spl)
|
||||
try {
|
||||
val packedArgs = SignedRecord.pack(
|
||||
@ -122,6 +125,8 @@ class Registration(
|
||||
|
||||
AuthenticationResult.LoginUnavailable -> return Result.InvalidLogin
|
||||
|
||||
is AuthenticationResult.OtherError -> return Result.OtherError(result.reason, result.packedData)
|
||||
|
||||
is AuthenticationResult.Success -> {
|
||||
return Result.Success(
|
||||
restoreKey.secret,
|
||||
|
||||
@ -15,8 +15,7 @@ import net.sergeych.mp_tools.globalLaunch
|
||||
import net.sergeych.parsec3.*
|
||||
import net.sergeych.superlogin.*
|
||||
import net.sergeych.superlogin.server.SuperloginRestoreAccessPayload
|
||||
import net.sergeych.unikrypto.SignedRecord
|
||||
import net.sergeych.unikrypto.SymmetricKey
|
||||
import net.sergeych.unikrypto.*
|
||||
import kotlin.reflect.KType
|
||||
import kotlin.reflect.typeOf
|
||||
|
||||
@ -394,7 +393,7 @@ class SuperloginClient<D, S : WithAdapter>(
|
||||
aco.payload.dataStorageKey
|
||||
)
|
||||
// new ACO with a new password key and payload (but the same secret!)
|
||||
var newAco = aco.updatePasswordKey(keys.loginAccessKey).updatePayload(newSlp)
|
||||
val newAco = aco.updatePasswordKey(keys.loginAccessKey).updatePayload(newSlp)
|
||||
// trying to update
|
||||
val result = invoke(
|
||||
serverApi.slChangePasswordAndLogin, ChangePasswordArgs(
|
||||
@ -422,14 +421,18 @@ class SuperloginClient<D, S : WithAdapter>(
|
||||
}
|
||||
|
||||
/**
|
||||
* Change password for a logged-in user using its known password. It is a long operation
|
||||
* Change password for a logged-in user using its known password. It is a long operation.
|
||||
*
|
||||
* @param oldPassword existing password (re-request it from a user!)
|
||||
* @param newPassword new password. we do not chek it but it should be strong - check it on your end
|
||||
* @param newPassword new password. we do not check it, but it should be strong - check it on your end
|
||||
* for example with [net.sergeych.unikrypto.Passwords] tools
|
||||
* @param passwordDerivationParams at this point derivation parameters are alwaus updated so it is possible
|
||||
* @param passwordDerivationParams at this point derivation parameters are always updated so it is possible
|
||||
* to set it to desired
|
||||
* @param loginKeyStrength login key is regenerateed so its strength could be updated here
|
||||
* @return true if the password has been successfully changed
|
||||
* @param loginKeyStrength login key is regenerated so its strength could be updated here
|
||||
*
|
||||
* @return true if the password has been successfully changed, false if the server didn't allow it.
|
||||
*
|
||||
* @throws InvalidPasswordError if the oldPassword is wrong
|
||||
*/
|
||||
suspend fun changePassword(
|
||||
oldPassword: String, newPassword: String,
|
||||
@ -441,10 +444,24 @@ class SuperloginClient<D, S : WithAdapter>(
|
||||
val dp = invoke(serverApi.slRequestDerivationParams, loginName)
|
||||
val keys = DerivedKeys.derive(oldPassword, dp)
|
||||
val data = invoke(serverApi.slRequestACOByLoginName, RequestACOByLoginNameArgs(loginName, keys.loginId))
|
||||
return AccessControlObject.unpackWithKey<SuperloginRestoreAccessPayload>(data.packedACO, keys.loginAccessKey)
|
||||
?.let {
|
||||
changePasswordWithACO(it, newPassword, passwordDerivationParams, loginKeyStrength)
|
||||
} ?: false
|
||||
try {
|
||||
return AccessControlObject.unpackWithKey<SuperloginRestoreAccessPayload>(
|
||||
data.packedACO,
|
||||
keys.loginAccessKey
|
||||
)
|
||||
?.let {
|
||||
changePasswordWithACO(it, newPassword, passwordDerivationParams, loginKeyStrength)
|
||||
} ?: false
|
||||
} catch (e: Exception) {
|
||||
when (e) {
|
||||
is Container.StructureError,
|
||||
is Container.DecryptionError,
|
||||
is EncryptedBinaryStorage.DecryptionFailed ->
|
||||
throw InvalidPasswordError()
|
||||
|
||||
else -> throw e
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -18,7 +18,7 @@ internal class AccessControlObjectTest {
|
||||
val pk1 = SymmetricKeys.random()
|
||||
val pk2 = SymmetricKeys.random()
|
||||
val (rk, packed1) = AccessControlObject.pack(pk1, 117)
|
||||
println(rk.secret)
|
||||
// println(rk.secret)
|
||||
val ac1 = AccessControlObject.unpackWithKey<Int>(packed1,pk1)
|
||||
assertNotNull(ac1)
|
||||
assertEquals(117, ac1.payload)
|
||||
|
||||
@ -59,7 +59,7 @@ data class TestSession(val s: TestStorage) : SLServerSession<TestData>() {
|
||||
}
|
||||
|
||||
override suspend fun loginByToken(token: ByteArray): AuthenticationResult {
|
||||
println("requested login by tokeb ${token.encodeToBase64Compact()}")
|
||||
println("requested login by token ${token.encodeToBase64Compact()}")
|
||||
println(" ${s.byToken[token.toList()]}")
|
||||
println(" ${s.byToken.size} / ${s.byLoginId.size}")
|
||||
|
||||
@ -218,14 +218,15 @@ internal class WsServerKtTest {
|
||||
val api = TestApiServer<WithAdapter>()
|
||||
val slc = SuperloginClient<TestData, S1>(client)
|
||||
assertEquals(LoginState.LoggedOut, slc.state.value)
|
||||
var rt = slc.register("foo", "passwd", TestData("bar!"))
|
||||
var rt = slc.register("foo", "passwd", TestData("bar!"), 2048, 140)
|
||||
val dk1 = slc.dataKey!!
|
||||
assertIs<Registration.Result.Success>(rt)
|
||||
val secret = rt.secret
|
||||
var token = rt.loginToken
|
||||
|
||||
assertFalse(slc.changePassword("wrong", "new"))
|
||||
assertTrue(slc.changePassword("passwd", "newpass1"))
|
||||
assertTrue(slc.changePassword("passwd", "newpass1",
|
||||
PasswordDerivationParams(300), 2048))
|
||||
assertTrue { slc.isLoggedIn }
|
||||
assertEquals("foo", slc.call(api.loginName))
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user