enhance cipher and identity handling with new fields and rate limit adjustments

2026-06-20 21:00:41 +00:00 · 2026-02-07 03:48:08 +08:00
parent 91800f41c5
commit ec9d3b889d
14 changed files with 102 additions and 132 deletions
@@ -97,6 +97,7 @@ export async function handleGetProfile(request: Request, env: Env, userId: strin
    twoFactorEnabled: false,
    key: user.key,
    privateKey: user.privateKey,
+    accountKeys: null,
    securityStamp: user.securityStamp || user.id,
    organizations: [],
    providers: [],
@@ -304,7 +304,7 @@ function formatCipherResponse(cipher: Cipher, attachments: Attachment[]): any {
    id: cipher.id,
    organizationId: null,
    folderId: cipher.folderId,
-    type: cipher.type,
+    type: Number(cipher.type) || 1,
    name: cipher.name,
    notes: cipher.notes,
    favorite: cipher.favorite,
@@ -312,6 +312,7 @@ function formatCipherResponse(cipher: Cipher, attachments: Attachment[]): any {
    card: cipher.card,
    identity: cipher.identity,
    secureNote: cipher.secureNote,
+    sshKey: cipher.sshKey,
    fields: cipher.fields,
    passwordHistory: cipher.passwordHistory,
    reprompt: cipher.reprompt,
@@ -319,9 +320,13 @@ function formatCipherResponse(cipher: Cipher, attachments: Attachment[]): any {
    creationDate: cipher.createdAt,
    revisionDate: cipher.updatedAt,
    deletedDate: cipher.deletedAt,
+    archivedDate: null,
    edit: true,
    viewPassword: true,
-    permissions: null,
+    permissions: {
+      delete: true,
+      restore: true,
+    },
    object: 'cipher',
    collectionIds: [],
    attachments: attachments.length > 0 ? attachments.map(a => ({
@@ -330,8 +335,11 @@ function formatCipherResponse(cipher: Cipher, attachments: Attachment[]): any {
      size: String(a.size),
      sizeName: a.sizeName,
      key: a.key,
+      url: null,
      object: 'attachment',
    })) : null,
+    key: cipher.key,
+    encryptedFor: null,
  };
 }

@@ -13,6 +13,7 @@ function formatAttachments(attachments: Attachment[]): any[] | null {
    size: String(a.size),
    sizeName: a.sizeName,
    key: a.key,
+    url: null,
    object: 'attachment',
  }));
 }
@@ -23,7 +24,7 @@ function cipherToResponse(cipher: Cipher, attachments: Attachment[] = []): Ciphe
    id: cipher.id,
    organizationId: null,
    folderId: cipher.folderId,
-    type: cipher.type,
+    type: Number(cipher.type) || 1,
    name: cipher.name,
    notes: cipher.notes,
    favorite: cipher.favorite,
@@ -31,6 +32,7 @@ function cipherToResponse(cipher: Cipher, attachments: Attachment[] = []): Ciphe
    card: cipher.card,
    identity: cipher.identity,
    secureNote: cipher.secureNote,
+    sshKey: cipher.sshKey,
    fields: cipher.fields,
    passwordHistory: cipher.passwordHistory,
    reprompt: cipher.reprompt,
@@ -38,16 +40,18 @@ function cipherToResponse(cipher: Cipher, attachments: Attachment[] = []): Ciphe
    creationDate: cipher.createdAt,
    revisionDate: cipher.updatedAt,
    deletedDate: cipher.deletedAt,
+    archivedDate: null,
    edit: true,
    viewPassword: true,
    permissions: {
      delete: true,
      restore: true,
-      edit: true,
    },
    object: 'cipher',
    collectionIds: [],
    attachments: formatAttachments(attachments),
+    key: cipher.key,
+    encryptedFor: null,
  };
 }

@@ -103,13 +107,14 @@ export async function handleCreateCipher(request: Request, env: Env, userId: str
  }

  // Handle nested cipher object (from some clients)
-  const cipherData = body.cipher || body;
+  // Android client sends PascalCase "Cipher" for organization ciphers
+  const cipherData = body.Cipher || body.cipher || body;

  const now = new Date().toISOString();
  const cipher: Cipher = {
    id: generateUUID(),
    userId: userId,
-    type: cipherData.type,
+    type: Number(cipherData.type) || 1,
    folderId: cipherData.folderId || null,
    name: cipherData.name,
    notes: cipherData.notes || null,
@@ -118,9 +123,11 @@ export async function handleCreateCipher(request: Request, env: Env, userId: str
    card: cipherData.card || null,
    identity: cipherData.identity || null,
    secureNote: cipherData.secureNote || null,
+    sshKey: cipherData.sshKey || null,
    fields: cipherData.fields || null,
    passwordHistory: cipherData.passwordHistory || null,
    reprompt: cipherData.reprompt || 0,
+    key: cipherData.key || null,
    createdAt: now,
    updatedAt: now,
    deletedAt: null,
@@ -149,11 +156,12 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
  }

  // Handle nested cipher object
-  const cipherData = body.cipher || body;
+  // Android client sends PascalCase "Cipher" for organization ciphers
+  const cipherData = body.Cipher || body.cipher || body;

  const cipher: Cipher = {
    ...existingCipher,
-    type: cipherData.type ?? existingCipher.type,
+    type: Number(cipherData.type) || existingCipher.type,
    folderId: cipherData.folderId !== undefined ? cipherData.folderId : existingCipher.folderId,
    name: cipherData.name ?? existingCipher.name,
    notes: cipherData.notes !== undefined ? cipherData.notes : existingCipher.notes,
@@ -162,9 +170,11 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
    card: cipherData.card !== undefined ? cipherData.card : existingCipher.card,
    identity: cipherData.identity !== undefined ? cipherData.identity : existingCipher.identity,
    secureNote: cipherData.secureNote !== undefined ? cipherData.secureNote : existingCipher.secureNote,
+    sshKey: cipherData.sshKey !== undefined ? cipherData.sshKey : existingCipher.sshKey,
    fields: cipherData.fields !== undefined ? cipherData.fields : existingCipher.fields,
    passwordHistory: cipherData.passwordHistory !== undefined ? cipherData.passwordHistory : existingCipher.passwordHistory,
    reprompt: cipherData.reprompt ?? existingCipher.reprompt,
+    key: cipherData.key !== undefined ? cipherData.key : existingCipher.key,
    updatedAt: new Date().toISOString(),
  };

@@ -31,22 +31,21 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      return errorResponse('Email and password are required', 400);
    }

-    // Check if login is rate limited
-    const loginCheck = await rateLimit.checkLoginAttempt(email);
-    if (!loginCheck.allowed) {
-      return errorResponse(
-        `Too many failed login attempts. Try again in ${Math.ceil(loginCheck.retryAfterSeconds! / 60)} minutes.`,
-        429
-      );
-    }
-
    const user = await storage.getUser(email);
    if (!user) {
-      // Record failed attempt even for non-existent user (prevent enumeration)
-      await rateLimit.recordFailedLogin(email);
      return identityErrorResponse('Username or password is incorrect. Try again', 'invalid_grant', 400);
    }

+    // Check if login is rate limited (only after confirming user exists)
+    const loginCheck = await rateLimit.checkLoginAttempt(email);
+    if (!loginCheck.allowed) {
+      return identityErrorResponse(
+        `Too many failed login attempts. Try again in ${Math.ceil(loginCheck.retryAfterSeconds! / 60)} minutes.`,
+        'TooManyRequests',
+        429
+      );
+    }
+
    const valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash);
    if (!valid) {
      // Record failed login attempt
@@ -136,6 +135,16 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      UserDecryptionOptions: {
        HasMasterPassword: true,
        Object: 'userDecryptionOptions',
+        MasterPasswordUnlock: {
+          Kdf: {
+            KdfType: user.kdfType,
+            Iterations: user.kdfIterations,
+            Memory: user.kdfMemory || null,
+            Parallelism: user.kdfParallelism || null,
+          },
+          MasterKeyEncryptedUserKey: user.key,
+          Salt: user.email.toLowerCase(),
+        },
      },
    };

@@ -134,6 +134,8 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
        totp: c.login.totp || null,
        autofillOnPageLoad: null,
        fido2Credentials: null,
+        uri: null,
+        passwordRevisionDate: null,
      } : null,
      card: c.card ? {
        cardholderName: c.card.cardholderName || null,
@@ -172,6 +174,8 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
      })) || null,
      passwordHistory: c.passwordHistory || null,
      reprompt: c.reprompt || 0,
+      sshKey: null,
+      key: null,
      createdAt: now,
      updatedAt: now,
      deletedAt: null,
@@ -11,6 +11,7 @@ function formatAttachments(attachments: Attachment[]): any[] | null {
    size: String(a.size),
    sizeName: a.sizeName,
    key: a.key,
+    url: null,
    object: 'attachment',
  }));
 }
@@ -41,6 +42,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
    twoFactorEnabled: false,
    key: user.key,
    privateKey: user.privateKey,
+    accountKeys: null,
    securityStamp: user.securityStamp || user.id,
    organizations: [],
    providers: [],
@@ -59,7 +61,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
      id: cipher.id,
      organizationId: null,
      folderId: cipher.folderId,
-      type: cipher.type,
+      type: Number(cipher.type) || 1,
      name: cipher.name,
      notes: cipher.notes,
      favorite: cipher.favorite,
@@ -67,6 +69,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
      card: cipher.card,
      identity: cipher.identity,
      secureNote: cipher.secureNote,
+      sshKey: cipher.sshKey,
      fields: cipher.fields,
      passwordHistory: cipher.passwordHistory,
      reprompt: cipher.reprompt,
@@ -74,16 +77,18 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
      creationDate: cipher.createdAt,
      revisionDate: cipher.updatedAt,
      deletedDate: cipher.deletedAt,
+      archivedDate: null,
      edit: true,
      viewPassword: true,
      permissions: {
        delete: true,
        restore: true,
-        edit: true,
      },
      object: 'cipher',
      collectionIds: [],
      attachments: formatAttachments(attachments),
+      key: cipher.key,
+      encryptedFor: null,
    });
  };

@@ -107,6 +112,18 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
    },
    policies: [],
    sends: [],
+    userDecryption: {
+      masterPasswordUnlock: {
+        salt: user.email,
+        kdf: {
+          kdfType: user.kdfType,
+          iterations: user.kdfIterations,
+          memory: user.kdfMemory || null,
+          parallelism: user.kdfParallelism || null,
+        },
+        masterKeyEncryptedUserKey: user.key,
+      },
+    },
    object: 'sync',
  };

@@ -3,11 +3,11 @@ import { Env } from '../types';
 // Rate limit configuration
 const CONFIG = {
  // Login attempt limits
-  LOGIN_MAX_ATTEMPTS: 5,           // Max failed login attempts
-  LOGIN_LOCKOUT_MINUTES: 15,       // Lockout duration after max attempts
+  LOGIN_MAX_ATTEMPTS: 15,          // Max failed login attempts
+  LOGIN_LOCKOUT_MINUTES: 5,        // Lockout duration after max attempts
  
  // API rate limits (per minute)
-  API_REQUESTS_PER_MINUTE: 60,     // General API rate limit
+  API_REQUESTS_PER_MINUTE: 300,    // General API rate limit
  API_WINDOW_SECONDS: 60,          // Rate limit window
 };

@@ -54,6 +54,8 @@ export interface CipherLogin {
  totp: string | null;
  autofillOnPageLoad: boolean | null;
  fido2Credentials: any[] | null;
+  uri: string | null;
+  passwordRevisionDate: string | null;
 }

 export interface CipherCard {
@@ -65,6 +67,12 @@ export interface CipherCard {
  code: string | null;
 }

+export interface CipherSshKey {
+  publicKey: string;
+  privateKey: string;
+  keyFingerprint: string;
+}
+
 export interface CipherIdentity {
  title: string | null;
  firstName: string | null;
@@ -114,9 +122,11 @@ export interface Cipher {
  card: CipherCard | null;
  identity: CipherIdentity | null;
  secureNote: CipherSecureNote | null;
+  sshKey: CipherSshKey | null;
  fields: CipherField[] | null;
  passwordHistory: PasswordHistory[] | null;
  reprompt: number;
+  key: string | null;
  createdAt: string;
  updatedAt: string;
  deletedAt: string | null;
@@ -190,20 +200,21 @@ export interface ProfileResponse {
  email: string;
  emailVerified: boolean;
  premium: boolean;
-  premiumFromOrganization: boolean;  // required by mobile client
-  usesKeyConnector: boolean;  // required by mobile client
+  premiumFromOrganization: boolean;
+  usesKeyConnector: boolean;
  masterPasswordHint: string | null;
  culture: string;
  twoFactorEnabled: boolean;
  key: string;
  privateKey: string | null;
+  accountKeys: any | null;
  securityStamp: string;
  organizations: any[];
  providers: any[];
  providerOrganizations: any[];
  forcePasswordReset: boolean;
  avatarColor: string | null;
-  creationDate: string;  // required by mobile client
+  creationDate: string;
  object: string;
 }

@@ -219,6 +230,7 @@ export interface CipherResponse {
  card: CipherCard | null;
  identity: CipherIdentity | null;
  secureNote: CipherSecureNote | null;
+  sshKey: CipherSshKey | null;
  fields: CipherField[] | null;
  passwordHistory: PasswordHistory[] | null;
  reprompt: number;
@@ -226,18 +238,20 @@ export interface CipherResponse {
  creationDate: string;
  revisionDate: string;
  deletedDate: string | null;
+  archivedDate: string | null;
  edit: boolean;
  viewPassword: boolean;
  permissions: CipherPermissions | null;
  object: string;
  collectionIds: string[];
  attachments: any[] | null;
+  key: string | null;
+  encryptedFor: string | null;
 }

 export interface CipherPermissions {
  delete: boolean;
  restore: boolean;
-  edit: boolean;
 }

 export interface FolderResponse {
@@ -255,5 +269,6 @@ export interface SyncResponse {
  domains: any;
  policies: any[];
  sends: any[];
+  userDecryption: any | null;
  object: string;
 }