mirror of
https://github.com/shuaiplus/nodewarden.git
synced 2026-06-20 21:00:41 +00:00
feat: add shared API utilities for handling requests and responses
- Introduced `shared.ts` with utility functions for API interactions, including JSON parsing, error handling, and content disposition parsing. - Added `vault.ts` to manage vault-related operations such as folder and cipher management, including creation, deletion, and bulk operations. - Implemented encryption and decryption methods for secure data handling within the vault. - Created `backup-settings-repair.ts` to automatically repair backup settings for admin profiles if needed.
This commit is contained in:
shuaiplus
@@ -0,0 +1,53 @@
|
||||
import type { AdminInvite, AdminUser, ListResponse } from '../types';
|
||||
import { parseJson, type AuthedFetch } from './shared';
|
||||
|
||||
export async function listAdminUsers(authedFetch: AuthedFetch): Promise<AdminUser[]> {
|
||||
const resp = await authedFetch('/api/admin/users');
|
||||
if (!resp.ok) throw new Error('Failed to load users');
|
||||
const body = await parseJson<ListResponse<AdminUser>>(resp);
|
||||
return body?.data || [];
|
||||
}
|
||||
|
||||
export async function listAdminInvites(authedFetch: AuthedFetch): Promise<AdminInvite[]> {
|
||||
const resp = await authedFetch('/api/admin/invites?includeInactive=true');
|
||||
if (!resp.ok) throw new Error('Failed to load invites');
|
||||
const body = await parseJson<ListResponse<AdminInvite>>(resp);
|
||||
return body?.data || [];
|
||||
}
|
||||
|
||||
export async function createInvite(authedFetch: AuthedFetch, hours: number): Promise<void> {
|
||||
const resp = await authedFetch('/api/admin/invites', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ expiresInHours: hours }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Create invite failed');
|
||||
}
|
||||
|
||||
export async function revokeInvite(authedFetch: AuthedFetch, code: string): Promise<void> {
|
||||
const resp = await authedFetch(`/api/admin/invites/${encodeURIComponent(code)}`, { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error('Revoke invite failed');
|
||||
}
|
||||
|
||||
export async function deleteAllInvites(authedFetch: AuthedFetch): Promise<void> {
|
||||
const resp = await authedFetch('/api/admin/invites', { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error('Delete all invites failed');
|
||||
}
|
||||
|
||||
export async function setUserStatus(
|
||||
authedFetch: AuthedFetch,
|
||||
userId: string,
|
||||
status: 'active' | 'banned'
|
||||
): Promise<void> {
|
||||
const resp = await authedFetch(`/api/admin/users/${encodeURIComponent(userId)}/status`, {
|
||||
method: 'PUT',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ status }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Update user status failed');
|
||||
}
|
||||
|
||||
export async function deleteUser(authedFetch: AuthedFetch, userId: string): Promise<void> {
|
||||
const resp = await authedFetch(`/api/admin/users/${encodeURIComponent(userId)}`, { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error('Delete user failed');
|
||||
}
|
||||
@@ -0,0 +1,449 @@
|
||||
import { bytesToBase64, decryptBw, encryptBw, hkdfExpand, pbkdf2 } from '../crypto';
|
||||
import { t } from '../i18n';
|
||||
import type { AuthorizedDevice } from '../types';
|
||||
import type {
|
||||
Profile,
|
||||
SessionState,
|
||||
SetupStatusResponse,
|
||||
TokenError,
|
||||
TokenSuccess,
|
||||
WebConfigResponse,
|
||||
} from '../types';
|
||||
import { parseJson, type AuthedFetch, type SessionSetter } from './shared';
|
||||
|
||||
const SESSION_KEY = 'nodewarden.web.session.v4';
|
||||
const DEVICE_IDENTIFIER_KEY = 'nodewarden.web.device.identifier.v1';
|
||||
const TOTP_REMEMBER_TOKEN_KEY = 'nodewarden.web.totp.remember-token.v1';
|
||||
|
||||
export interface PreloginResult {
|
||||
hash: string;
|
||||
masterKey: Uint8Array;
|
||||
kdfIterations: number;
|
||||
}
|
||||
|
||||
export interface PreloginKdfConfig {
|
||||
kdfType: number;
|
||||
kdfIterations: number;
|
||||
kdfMemory: number | null;
|
||||
kdfParallelism: number | null;
|
||||
}
|
||||
|
||||
function randomHex(length: number): string {
|
||||
const bytes = crypto.getRandomValues(new Uint8Array(Math.max(1, Math.ceil(length / 2))));
|
||||
return Array.from(bytes).map((b) => b.toString(16).padStart(2, '0')).join('').slice(0, length);
|
||||
}
|
||||
|
||||
function getOrCreateDeviceIdentifier(): string {
|
||||
const current = (localStorage.getItem(DEVICE_IDENTIFIER_KEY) || '').trim();
|
||||
if (current) return current;
|
||||
const next = `${randomHex(8)}-${randomHex(4)}-${randomHex(4)}-${randomHex(4)}-${randomHex(12)}`;
|
||||
localStorage.setItem(DEVICE_IDENTIFIER_KEY, next);
|
||||
return next;
|
||||
}
|
||||
|
||||
function guessDeviceName(): string {
|
||||
const ua = (typeof navigator !== 'undefined' ? navigator.userAgent : '').toLowerCase();
|
||||
const platform = (typeof navigator !== 'undefined' ? navigator.platform : '').trim();
|
||||
const browser = ua.includes('edg/') ? 'Edge' : ua.includes('chrome/') ? 'Chrome' : ua.includes('firefox/') ? 'Firefox' : ua.includes('safari/') ? 'Safari' : 'Browser';
|
||||
const os = ua.includes('windows') ? 'Windows' : ua.includes('mac os') ? 'macOS' : ua.includes('linux') ? 'Linux' : ua.includes('android') ? 'Android' : ua.includes('iphone') || ua.includes('ipad') ? 'iOS' : platform || 'Unknown OS';
|
||||
return `${browser} on ${os}`.slice(0, 128);
|
||||
}
|
||||
|
||||
function getRememberTwoFactorToken(): string | null {
|
||||
const token = (localStorage.getItem(TOTP_REMEMBER_TOKEN_KEY) || '').trim();
|
||||
return token || null;
|
||||
}
|
||||
|
||||
function saveRememberTwoFactorToken(token: string | undefined): void {
|
||||
const normalized = String(token || '').trim();
|
||||
if (!normalized) return;
|
||||
localStorage.setItem(TOTP_REMEMBER_TOKEN_KEY, normalized);
|
||||
}
|
||||
|
||||
function clearRememberTwoFactorToken(): void {
|
||||
localStorage.removeItem(TOTP_REMEMBER_TOKEN_KEY);
|
||||
}
|
||||
|
||||
export function loadSession(): SessionState | null {
|
||||
try {
|
||||
const raw = localStorage.getItem(SESSION_KEY);
|
||||
if (!raw) return null;
|
||||
const parsed = JSON.parse(raw) as SessionState;
|
||||
if (!parsed.accessToken || !parsed.refreshToken) return null;
|
||||
return {
|
||||
accessToken: parsed.accessToken,
|
||||
refreshToken: parsed.refreshToken,
|
||||
email: parsed.email,
|
||||
};
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
export function saveSession(session: SessionState | null): void {
|
||||
if (!session) {
|
||||
localStorage.removeItem(SESSION_KEY);
|
||||
return;
|
||||
}
|
||||
const persisted: SessionState = {
|
||||
accessToken: session.accessToken,
|
||||
refreshToken: session.refreshToken,
|
||||
email: session.email,
|
||||
};
|
||||
localStorage.setItem(SESSION_KEY, JSON.stringify(persisted));
|
||||
}
|
||||
|
||||
export async function getSetupStatus(): Promise<SetupStatusResponse> {
|
||||
const resp = await fetch('/setup/status');
|
||||
const body = await parseJson<SetupStatusResponse>(resp);
|
||||
return { registered: !!body?.registered };
|
||||
}
|
||||
|
||||
export async function getWebConfig(): Promise<WebConfigResponse> {
|
||||
const resp = await fetch('/api/web/config');
|
||||
return (await parseJson<WebConfigResponse>(resp)) || {};
|
||||
}
|
||||
|
||||
export function getCurrentDeviceIdentifier(): string {
|
||||
return (localStorage.getItem(DEVICE_IDENTIFIER_KEY) || '').trim();
|
||||
}
|
||||
|
||||
export async function deriveLoginHash(email: string, password: string, fallbackIterations: number): Promise<PreloginResult> {
|
||||
const pre = await fetch('/identity/accounts/prelogin', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ email: email.toLowerCase() }),
|
||||
});
|
||||
if (!pre.ok) throw new Error('prelogin failed');
|
||||
const data = (await parseJson<{ kdfIterations?: number }>(pre)) || {};
|
||||
const iterations = Number(data.kdfIterations || fallbackIterations);
|
||||
const masterKey = await pbkdf2(password, email.toLowerCase(), iterations, 32);
|
||||
const hash = await pbkdf2(masterKey, password, 1, 32);
|
||||
return { hash: bytesToBase64(hash), masterKey, kdfIterations: iterations };
|
||||
}
|
||||
|
||||
export async function getPreloginKdfConfig(email: string, fallbackIterations: number): Promise<PreloginKdfConfig> {
|
||||
const normalized = String(email || '').trim().toLowerCase();
|
||||
if (!normalized) throw new Error('Email is required');
|
||||
const pre = await fetch('/identity/accounts/prelogin', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ email: normalized }),
|
||||
});
|
||||
if (!pre.ok) throw new Error('prelogin failed');
|
||||
const data = (await parseJson<{ kdf?: number; kdfIterations?: number; kdfMemory?: number | null; kdfParallelism?: number | null }>(pre)) || {};
|
||||
return {
|
||||
kdfType: Number(data.kdf ?? 0) || 0,
|
||||
kdfIterations: Number(data.kdfIterations || fallbackIterations),
|
||||
kdfMemory: data.kdfMemory == null ? null : Number(data.kdfMemory),
|
||||
kdfParallelism: data.kdfParallelism == null ? null : Number(data.kdfParallelism),
|
||||
};
|
||||
}
|
||||
|
||||
export async function loginWithPassword(
|
||||
email: string,
|
||||
passwordHash: string,
|
||||
options?: {
|
||||
totpCode?: string;
|
||||
rememberDevice?: boolean;
|
||||
useRememberToken?: boolean;
|
||||
}
|
||||
): Promise<TokenSuccess | TokenError> {
|
||||
const body = new URLSearchParams();
|
||||
body.set('grant_type', 'password');
|
||||
body.set('username', email.toLowerCase());
|
||||
body.set('password', passwordHash);
|
||||
body.set('scope', 'api offline_access');
|
||||
body.set('deviceIdentifier', getOrCreateDeviceIdentifier());
|
||||
body.set('deviceName', guessDeviceName());
|
||||
body.set('deviceType', '14');
|
||||
|
||||
const rememberedToken = options?.useRememberToken ? getRememberTwoFactorToken() : null;
|
||||
if (rememberedToken) {
|
||||
body.set('twoFactorProvider', '5');
|
||||
body.set('twoFactorToken', rememberedToken);
|
||||
} else if (options?.totpCode) {
|
||||
body.set('twoFactorProvider', '0');
|
||||
body.set('twoFactorToken', options.totpCode);
|
||||
if (options.rememberDevice) {
|
||||
body.set('twoFactorRemember', '1');
|
||||
}
|
||||
}
|
||||
const resp = await fetch('/identity/connect/token', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
|
||||
body: body.toString(),
|
||||
});
|
||||
const json = (await parseJson<TokenSuccess & TokenError>(resp)) || {};
|
||||
if (resp.ok) {
|
||||
saveRememberTwoFactorToken((json as TokenSuccess).TwoFactorToken);
|
||||
} else if (rememberedToken) {
|
||||
clearRememberTwoFactorToken();
|
||||
}
|
||||
if (!resp.ok) return json;
|
||||
return json;
|
||||
}
|
||||
|
||||
export async function refreshAccessToken(refreshToken: string): Promise<TokenSuccess | null> {
|
||||
const body = new URLSearchParams();
|
||||
body.set('grant_type', 'refresh_token');
|
||||
body.set('refresh_token', refreshToken);
|
||||
const resp = await fetch('/identity/connect/token', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
|
||||
body: body.toString(),
|
||||
});
|
||||
if (!resp.ok) return null;
|
||||
const json = await parseJson<TokenSuccess>(resp);
|
||||
return json || null;
|
||||
}
|
||||
|
||||
export async function registerAccount(args: {
|
||||
email: string;
|
||||
name: string;
|
||||
password: string;
|
||||
inviteCode?: string;
|
||||
fallbackIterations: number;
|
||||
}): Promise<{ ok: true } | { ok: false; message: string }> {
|
||||
try {
|
||||
const { email, name, password, inviteCode, fallbackIterations } = args;
|
||||
const masterKey = await pbkdf2(password, email, fallbackIterations, 32);
|
||||
const masterHash = await pbkdf2(masterKey, password, 1, 32);
|
||||
const encKey = await hkdfExpand(masterKey, 'enc', 32);
|
||||
const macKey = await hkdfExpand(masterKey, 'mac', 32);
|
||||
const sym = crypto.getRandomValues(new Uint8Array(64));
|
||||
const encryptedVaultKey = await encryptBw(sym, encKey, macKey);
|
||||
|
||||
const keyPair = await crypto.subtle.generateKey(
|
||||
{
|
||||
name: 'RSA-OAEP',
|
||||
modulusLength: 2048,
|
||||
publicExponent: new Uint8Array([1, 0, 1]),
|
||||
hash: 'SHA-1',
|
||||
},
|
||||
true,
|
||||
['encrypt', 'decrypt']
|
||||
);
|
||||
const publicKey = new Uint8Array(await crypto.subtle.exportKey('spki', keyPair.publicKey));
|
||||
const privateKey = new Uint8Array(await crypto.subtle.exportKey('pkcs8', keyPair.privateKey));
|
||||
const encryptedPrivateKey = await encryptBw(privateKey, sym.slice(0, 32), sym.slice(32, 64));
|
||||
|
||||
const resp = await fetch('/api/accounts/register', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({
|
||||
email: email.toLowerCase(),
|
||||
name,
|
||||
masterPasswordHash: bytesToBase64(masterHash),
|
||||
key: encryptedVaultKey,
|
||||
kdf: 0,
|
||||
kdfIterations: fallbackIterations,
|
||||
inviteCode: inviteCode || undefined,
|
||||
keys: {
|
||||
publicKey: bytesToBase64(publicKey),
|
||||
encryptedPrivateKey,
|
||||
},
|
||||
}),
|
||||
});
|
||||
|
||||
if (!resp.ok) {
|
||||
const json = await parseJson<TokenError>(resp);
|
||||
return { ok: false, message: json?.error_description || json?.error || 'Register failed' };
|
||||
}
|
||||
return { ok: true };
|
||||
} catch (error) {
|
||||
return { ok: false, message: error instanceof Error ? error.message : 'Register failed' };
|
||||
}
|
||||
}
|
||||
|
||||
export function createAuthedFetch(getSession: () => SessionState | null, setSession: SessionSetter) {
|
||||
return async function authedFetch(input: string, init: RequestInit = {}): Promise<Response> {
|
||||
const session = getSession();
|
||||
if (!session?.accessToken) throw new Error('Unauthorized');
|
||||
const headers = new Headers(init.headers || {});
|
||||
headers.set('Authorization', `Bearer ${session.accessToken}`);
|
||||
|
||||
let resp = await fetch(input, { ...init, headers });
|
||||
if (resp.status !== 401 || !session.refreshToken) return resp;
|
||||
|
||||
const refreshed = await refreshAccessToken(session.refreshToken);
|
||||
if (!refreshed?.access_token) {
|
||||
setSession(null);
|
||||
throw new Error('Session expired');
|
||||
}
|
||||
|
||||
const nextSession: SessionState = {
|
||||
...session,
|
||||
accessToken: refreshed.access_token,
|
||||
refreshToken: refreshed.refresh_token || session.refreshToken,
|
||||
};
|
||||
setSession(nextSession);
|
||||
saveSession(nextSession);
|
||||
|
||||
const retryHeaders = new Headers(init.headers || {});
|
||||
retryHeaders.set('Authorization', `Bearer ${nextSession.accessToken}`);
|
||||
resp = await fetch(input, { ...init, headers: retryHeaders });
|
||||
return resp;
|
||||
};
|
||||
}
|
||||
|
||||
export async function getProfile(authedFetch: AuthedFetch): Promise<Profile> {
|
||||
const resp = await authedFetch('/api/accounts/profile');
|
||||
if (!resp.ok) throw new Error('Failed to load profile');
|
||||
const body = await parseJson<Profile>(resp);
|
||||
if (!body) throw new Error('Invalid profile');
|
||||
return body;
|
||||
}
|
||||
|
||||
export async function unlockVaultKey(profileKey: string, masterKey: Uint8Array): Promise<{ symEncKey: string; symMacKey: string }> {
|
||||
const encKey = await hkdfExpand(masterKey, 'enc', 32);
|
||||
const macKey = await hkdfExpand(masterKey, 'mac', 32);
|
||||
const keyBytes = await decryptBw(profileKey, encKey, macKey);
|
||||
if (!keyBytes || keyBytes.length < 64) throw new Error('Invalid profile key');
|
||||
return {
|
||||
symEncKey: bytesToBase64(keyBytes.slice(0, 32)),
|
||||
symMacKey: bytesToBase64(keyBytes.slice(32, 64)),
|
||||
};
|
||||
}
|
||||
|
||||
export async function changeMasterPassword(
|
||||
authedFetch: AuthedFetch,
|
||||
args: {
|
||||
email: string;
|
||||
currentPassword: string;
|
||||
newPassword: string;
|
||||
currentIterations: number;
|
||||
profileKey: string;
|
||||
}
|
||||
): Promise<void> {
|
||||
const current = await deriveLoginHash(args.email, args.currentPassword, args.currentIterations);
|
||||
const oldEnc = await hkdfExpand(current.masterKey, 'enc', 32);
|
||||
const oldMac = await hkdfExpand(current.masterKey, 'mac', 32);
|
||||
const userSym = await decryptBw(args.profileKey, oldEnc, oldMac);
|
||||
const nextMasterKey = await pbkdf2(args.newPassword, args.email, current.kdfIterations, 32);
|
||||
const nextHash = await pbkdf2(nextMasterKey, args.newPassword, 1, 32);
|
||||
const nextEnc = await hkdfExpand(nextMasterKey, 'enc', 32);
|
||||
const nextMac = await hkdfExpand(nextMasterKey, 'mac', 32);
|
||||
const newKey = await encryptBw(userSym.slice(0, 64), nextEnc, nextMac);
|
||||
|
||||
const resp = await authedFetch('/api/accounts/password', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({
|
||||
currentPasswordHash: current.hash,
|
||||
newMasterPasswordHash: bytesToBase64(nextHash),
|
||||
newKey,
|
||||
kdf: 0,
|
||||
kdfIterations: current.kdfIterations,
|
||||
}),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Change master password failed');
|
||||
}
|
||||
|
||||
export async function setTotp(
|
||||
authedFetch: AuthedFetch,
|
||||
payload: { enabled: boolean; token?: string; secret?: string; masterPasswordHash?: string }
|
||||
): Promise<void> {
|
||||
const resp = await authedFetch('/api/accounts/totp', {
|
||||
method: 'PUT',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
if (!resp.ok) {
|
||||
const body = await parseJson<TokenError>(resp);
|
||||
throw new Error(body?.error_description || body?.error || 'TOTP update failed');
|
||||
}
|
||||
}
|
||||
|
||||
export async function verifyMasterPassword(
|
||||
authedFetch: AuthedFetch,
|
||||
masterPasswordHash: string
|
||||
): Promise<void> {
|
||||
const resp = await authedFetch('/api/accounts/verify-password', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ masterPasswordHash }),
|
||||
});
|
||||
if (!resp.ok) {
|
||||
const body = await parseJson<TokenError>(resp);
|
||||
throw new Error(body?.error_description || body?.error || 'Master password verify failed');
|
||||
}
|
||||
}
|
||||
|
||||
export async function getTotpStatus(authedFetch: AuthedFetch): Promise<{ enabled: boolean }> {
|
||||
const resp = await authedFetch('/api/accounts/totp');
|
||||
if (!resp.ok) throw new Error('Failed to load TOTP status');
|
||||
const body = (await parseJson<{ enabled?: boolean }>(resp)) || {};
|
||||
return { enabled: !!body.enabled };
|
||||
}
|
||||
|
||||
export async function getTotpRecoveryCode(
|
||||
authedFetch: AuthedFetch,
|
||||
masterPasswordHash: string
|
||||
): Promise<string> {
|
||||
const resp = await authedFetch('/api/accounts/totp/recovery-code', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ masterPasswordHash }),
|
||||
});
|
||||
if (!resp.ok) {
|
||||
const body = await parseJson<TokenError>(resp);
|
||||
throw new Error(body?.error_description || body?.error || 'Failed to get recovery code');
|
||||
}
|
||||
const body = (await parseJson<{ code?: string }>(resp)) || {};
|
||||
return String(body.code || '');
|
||||
}
|
||||
|
||||
export async function recoverTwoFactor(
|
||||
email: string,
|
||||
masterPasswordHash: string,
|
||||
recoveryCode: string
|
||||
): Promise<{ newRecoveryCode?: string }> {
|
||||
const resp = await fetch('/identity/accounts/recover-2fa', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({
|
||||
email: email.toLowerCase().trim(),
|
||||
masterPasswordHash,
|
||||
recoveryCode,
|
||||
}),
|
||||
});
|
||||
if (!resp.ok) {
|
||||
const body = await parseJson<TokenError>(resp);
|
||||
throw new Error(body?.error_description || body?.error || 'Recover 2FA failed');
|
||||
}
|
||||
return (await parseJson<{ newRecoveryCode?: string }>(resp)) || {};
|
||||
}
|
||||
|
||||
export async function getAuthorizedDevices(authedFetch: AuthedFetch): Promise<AuthorizedDevice[]> {
|
||||
const resp = await authedFetch('/api/devices/authorized');
|
||||
if (!resp.ok) throw new Error(t('txt_load_devices_failed'));
|
||||
const body = await parseJson<{ object: 'list'; data: AuthorizedDevice[] }>(resp);
|
||||
return body?.data || [];
|
||||
}
|
||||
|
||||
export async function revokeAuthorizedDeviceTrust(
|
||||
authedFetch: AuthedFetch,
|
||||
deviceIdentifier: string
|
||||
): Promise<void> {
|
||||
const resp = await authedFetch(`/api/devices/authorized/${encodeURIComponent(deviceIdentifier)}`, { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error(t('txt_revoke_device_trust_failed'));
|
||||
}
|
||||
|
||||
export async function revokeAllAuthorizedDeviceTrust(authedFetch: AuthedFetch): Promise<void> {
|
||||
const resp = await authedFetch('/api/devices/authorized', { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error(t('txt_revoke_all_device_trust_failed'));
|
||||
}
|
||||
|
||||
export async function deleteAuthorizedDevice(
|
||||
authedFetch: AuthedFetch,
|
||||
deviceIdentifier: string
|
||||
): Promise<void> {
|
||||
const resp = await authedFetch(`/api/devices/${encodeURIComponent(deviceIdentifier)}`, { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error(t('txt_remove_device_failed'));
|
||||
}
|
||||
|
||||
export async function deleteAllAuthorizedDevices(authedFetch: AuthedFetch): Promise<void> {
|
||||
const resp = await authedFetch('/api/devices', { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error(t('txt_remove_all_devices_failed'));
|
||||
}
|
||||
@@ -0,0 +1,255 @@
|
||||
import { t } from '../i18n';
|
||||
import type {
|
||||
BackupDestinationConfig,
|
||||
BackupDestinationRecord,
|
||||
BackupDestinationType,
|
||||
BackupRuntimeState,
|
||||
BackupScheduleConfig,
|
||||
BackupSettings as AdminBackupSettings,
|
||||
E3BackupDestination,
|
||||
WebDavBackupDestination,
|
||||
} from '@shared/backup-schema';
|
||||
import {
|
||||
parseContentDispositionFileName,
|
||||
parseErrorMessage,
|
||||
parseJson,
|
||||
type AuthedFetch,
|
||||
} from './shared';
|
||||
|
||||
export type {
|
||||
BackupDestinationConfig,
|
||||
BackupDestinationRecord,
|
||||
BackupDestinationType,
|
||||
BackupRuntimeState,
|
||||
BackupScheduleConfig,
|
||||
AdminBackupSettings,
|
||||
E3BackupDestination,
|
||||
WebDavBackupDestination,
|
||||
};
|
||||
|
||||
export interface BackupSettingsPortableWrap {
|
||||
userId: string;
|
||||
wrappedKey: string;
|
||||
}
|
||||
|
||||
export interface BackupSettingsPortablePayload {
|
||||
iv: string;
|
||||
ciphertext: string;
|
||||
wraps: BackupSettingsPortableWrap[];
|
||||
}
|
||||
|
||||
export interface BackupSettingsRepairStateResponse {
|
||||
object: 'backup-settings-repair';
|
||||
needsRepair: boolean;
|
||||
portable: BackupSettingsPortablePayload | null;
|
||||
}
|
||||
|
||||
export interface AdminBackupRunResponse {
|
||||
object: 'backup-run';
|
||||
result: {
|
||||
fileName: string;
|
||||
fileSize: number;
|
||||
provider: string;
|
||||
remotePath: string;
|
||||
};
|
||||
settings: AdminBackupSettings;
|
||||
}
|
||||
|
||||
export interface RemoteBackupItem {
|
||||
path: string;
|
||||
name: string;
|
||||
isDirectory: boolean;
|
||||
size: number | null;
|
||||
modifiedAt: string | null;
|
||||
}
|
||||
|
||||
export interface RemoteBackupBrowserResponse {
|
||||
object: 'backup-remote-browser';
|
||||
destinationId: string;
|
||||
destinationName: string;
|
||||
provider: BackupDestinationType;
|
||||
currentPath: string;
|
||||
parentPath: string | null;
|
||||
items: RemoteBackupItem[];
|
||||
}
|
||||
|
||||
export interface AdminBackupImportCounts {
|
||||
config: number;
|
||||
users: number;
|
||||
userRevisions: number;
|
||||
folders: number;
|
||||
ciphers: number;
|
||||
attachments: number;
|
||||
sends: number;
|
||||
attachmentFiles: number;
|
||||
sendFiles: number;
|
||||
}
|
||||
|
||||
export interface AdminBackupImportResponse {
|
||||
object: 'instance-backup-import';
|
||||
imported: AdminBackupImportCounts;
|
||||
}
|
||||
|
||||
export interface AdminBackupExportPayload {
|
||||
fileName: string;
|
||||
mimeType: string;
|
||||
bytes: Uint8Array;
|
||||
}
|
||||
|
||||
export async function exportAdminBackup(authedFetch: AuthedFetch): Promise<AdminBackupExportPayload> {
|
||||
const resp = await authedFetch('/api/admin/backup/export', { method: 'POST' });
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_export_failed')));
|
||||
|
||||
const mimeType = String(resp.headers.get('Content-Type') || 'application/zip').trim() || 'application/zip';
|
||||
const fileName = parseContentDispositionFileName(resp, 'nodewarden_backup.zip');
|
||||
const bytes = new Uint8Array(await resp.arrayBuffer());
|
||||
return { fileName, mimeType, bytes };
|
||||
}
|
||||
|
||||
export async function getAdminBackupSettings(authedFetch: AuthedFetch): Promise<AdminBackupSettings> {
|
||||
const resp = await authedFetch('/api/admin/backup/settings', { method: 'GET' });
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_settings_load_failed')));
|
||||
const body = await parseJson<AdminBackupSettings>(resp);
|
||||
if (!Array.isArray(body?.destinations)) throw new Error(t('txt_backup_settings_invalid_response'));
|
||||
return body;
|
||||
}
|
||||
|
||||
export async function saveAdminBackupSettings(
|
||||
authedFetch: AuthedFetch,
|
||||
settings: AdminBackupSettings
|
||||
): Promise<AdminBackupSettings> {
|
||||
const resp = await authedFetch('/api/admin/backup/settings', {
|
||||
method: 'PUT',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(settings),
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_settings_save_failed')));
|
||||
const body = await parseJson<AdminBackupSettings>(resp);
|
||||
if (!Array.isArray(body?.destinations)) throw new Error(t('txt_backup_settings_invalid_response'));
|
||||
return body;
|
||||
}
|
||||
|
||||
export async function getAdminBackupSettingsRepairState(
|
||||
authedFetch: AuthedFetch
|
||||
): Promise<BackupSettingsRepairStateResponse> {
|
||||
const resp = await authedFetch('/api/admin/backup/settings/repair', { method: 'GET' });
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_settings_load_failed')));
|
||||
const body = await parseJson<BackupSettingsRepairStateResponse>(resp);
|
||||
if (!body || typeof body.needsRepair !== 'boolean') {
|
||||
throw new Error(t('txt_backup_settings_invalid_response'));
|
||||
}
|
||||
return body;
|
||||
}
|
||||
|
||||
export async function repairAdminBackupSettings(
|
||||
authedFetch: AuthedFetch,
|
||||
settings: AdminBackupSettings
|
||||
): Promise<AdminBackupSettings> {
|
||||
const resp = await authedFetch('/api/admin/backup/settings/repair', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(settings),
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_settings_save_failed')));
|
||||
const body = await parseJson<AdminBackupSettings>(resp);
|
||||
if (!Array.isArray(body?.destinations)) throw new Error(t('txt_backup_settings_invalid_response'));
|
||||
return body;
|
||||
}
|
||||
|
||||
export async function runAdminBackupNow(
|
||||
authedFetch: AuthedFetch,
|
||||
destinationId?: string | null
|
||||
): Promise<AdminBackupRunResponse> {
|
||||
const resp = await authedFetch('/api/admin/backup/run', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(destinationId ? { destinationId } : {}),
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_remote_run_failed')));
|
||||
const body = await parseJson<AdminBackupRunResponse>(resp);
|
||||
if (!body?.result || !body?.settings) throw new Error(t('txt_backup_remote_run_invalid_response'));
|
||||
return body;
|
||||
}
|
||||
|
||||
export async function listRemoteBackups(
|
||||
authedFetch: AuthedFetch,
|
||||
destinationId: string,
|
||||
path: string = ''
|
||||
): Promise<RemoteBackupBrowserResponse> {
|
||||
const params = new URLSearchParams();
|
||||
params.set('destinationId', destinationId);
|
||||
if (path) params.set('path', path);
|
||||
const query = `?${params.toString()}`;
|
||||
const resp = await authedFetch(`/api/admin/backup/remote${query}`, { method: 'GET' });
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_remote_load_failed')));
|
||||
const body = await parseJson<RemoteBackupBrowserResponse>(resp);
|
||||
if (!body?.items || typeof body.currentPath !== 'string' || !body.destinationId) throw new Error(t('txt_backup_remote_invalid_response'));
|
||||
return body;
|
||||
}
|
||||
|
||||
export async function downloadRemoteBackup(
|
||||
authedFetch: AuthedFetch,
|
||||
destinationId: string,
|
||||
path: string
|
||||
): Promise<AdminBackupExportPayload> {
|
||||
const params = new URLSearchParams();
|
||||
params.set('destinationId', destinationId);
|
||||
params.set('path', path);
|
||||
const resp = await authedFetch(`/api/admin/backup/remote/download?${params.toString()}`, { method: 'GET' });
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_remote_download_failed')));
|
||||
const mimeType = String(resp.headers.get('Content-Type') || 'application/zip').trim() || 'application/zip';
|
||||
const fileName = parseContentDispositionFileName(resp, 'nodewarden_remote_backup.zip');
|
||||
const bytes = new Uint8Array(await resp.arrayBuffer());
|
||||
return { fileName, mimeType, bytes };
|
||||
}
|
||||
|
||||
export async function deleteRemoteBackup(
|
||||
authedFetch: AuthedFetch,
|
||||
destinationId: string,
|
||||
path: string
|
||||
): Promise<void> {
|
||||
const params = new URLSearchParams();
|
||||
params.set('destinationId', destinationId);
|
||||
params.set('path', path);
|
||||
const resp = await authedFetch(`/api/admin/backup/remote/file?${params.toString()}`, { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_remote_delete_failed')));
|
||||
}
|
||||
|
||||
export async function restoreRemoteBackup(
|
||||
authedFetch: AuthedFetch,
|
||||
destinationId: string,
|
||||
path: string,
|
||||
replaceExisting: boolean = false
|
||||
): Promise<AdminBackupImportResponse> {
|
||||
const resp = await authedFetch('/api/admin/backup/remote/restore', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ destinationId, path, replaceExisting }),
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_remote_restore_failed')));
|
||||
const body = await parseJson<AdminBackupImportResponse>(resp);
|
||||
if (!body?.imported) throw new Error(t('txt_backup_remote_restore_invalid_response'));
|
||||
return body;
|
||||
}
|
||||
|
||||
export async function importAdminBackup(
|
||||
authedFetch: AuthedFetch,
|
||||
file: File,
|
||||
replaceExisting: boolean = false
|
||||
): Promise<AdminBackupImportResponse> {
|
||||
const formData = new FormData();
|
||||
formData.set('file', file, file.name || 'nodewarden_backup.zip');
|
||||
if (replaceExisting) {
|
||||
formData.set('replaceExisting', '1');
|
||||
}
|
||||
|
||||
const resp = await authedFetch('/api/admin/backup/import', {
|
||||
method: 'POST',
|
||||
body: formData,
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, t('txt_backup_import_failed')));
|
||||
|
||||
const body = await parseJson<AdminBackupImportResponse>(resp);
|
||||
if (!body?.imported) throw new Error(t('txt_backup_import_invalid_response'));
|
||||
return body;
|
||||
}
|
||||
@@ -0,0 +1,322 @@
|
||||
import { base64ToBytes, bytesToBase64, decryptBw, decryptBwFileData, decryptStr, encryptBw, encryptBwFileData, hkdf, pbkdf2 } from '../crypto';
|
||||
import type { Send, SendDraft, SessionState } from '../types';
|
||||
import { chunkArray, createApiError, parseErrorMessage, parseJson, type AuthedFetch } from './shared';
|
||||
|
||||
function toIsoDateFromDays(value: string, required: boolean): string | null {
|
||||
const raw = String(value || '').trim();
|
||||
if (!raw) {
|
||||
if (required) throw new Error('Deletion days is required');
|
||||
return null;
|
||||
}
|
||||
const n = Number(raw);
|
||||
if (!Number.isFinite(n) || n < 0) {
|
||||
if (required) throw new Error('Invalid deletion days');
|
||||
throw new Error('Invalid expiration days');
|
||||
}
|
||||
if (!required && n === 0) return null;
|
||||
const date = new Date(Date.now() + Math.floor(n) * 24 * 60 * 60 * 1000);
|
||||
return date.toISOString();
|
||||
}
|
||||
|
||||
function bytesToBase64Url(bytes: Uint8Array): string {
|
||||
return bytesToBase64(bytes).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
|
||||
}
|
||||
|
||||
function base64UrlToBytes(value: string): Uint8Array {
|
||||
const raw = value.replace(/-/g, '+').replace(/_/g, '/');
|
||||
const padded = raw + '='.repeat((4 - (raw.length % 4)) % 4);
|
||||
return base64ToBytes(padded);
|
||||
}
|
||||
|
||||
const SEND_KEY_SALT = 'bitwarden-send';
|
||||
const SEND_KEY_PURPOSE = 'send';
|
||||
const SEND_KEY_SEED_BYTES = 16;
|
||||
const SEND_PASSWORD_ITERATIONS = 100000;
|
||||
|
||||
async function encryptTextValue(value: string, enc: Uint8Array, mac: Uint8Array): Promise<string | null> {
|
||||
const s = String(value || '');
|
||||
if (!s.trim()) return null;
|
||||
return encryptBw(new TextEncoder().encode(s), enc, mac);
|
||||
}
|
||||
|
||||
async function toSendKeyParts(sendKeyMaterial: Uint8Array): Promise<{ enc: Uint8Array; mac: Uint8Array }> {
|
||||
if (sendKeyMaterial.length >= 64) {
|
||||
return { enc: sendKeyMaterial.slice(0, 32), mac: sendKeyMaterial.slice(32, 64) };
|
||||
}
|
||||
const derived = await hkdf(sendKeyMaterial, SEND_KEY_SALT, SEND_KEY_PURPOSE, 64);
|
||||
return { enc: derived.slice(0, 32), mac: derived.slice(32, 64) };
|
||||
}
|
||||
|
||||
async function hashSendPasswordB64(password: string, sendKeyMaterial: Uint8Array): Promise<string> {
|
||||
const hash = await pbkdf2(password, sendKeyMaterial, SEND_PASSWORD_ITERATIONS, 32);
|
||||
return bytesToBase64(hash);
|
||||
}
|
||||
|
||||
function parseMaxAccessCountRaw(value: string): number | null {
|
||||
const raw = String(value || '').trim();
|
||||
if (!raw) return null;
|
||||
const n = Number(raw);
|
||||
if (!Number.isFinite(n) || n < 0) throw new Error('Invalid max access count');
|
||||
return Math.floor(n);
|
||||
}
|
||||
|
||||
export async function getSends(authedFetch: AuthedFetch): Promise<Send[]> {
|
||||
const resp = await authedFetch('/api/sends');
|
||||
if (!resp.ok) throw new Error('Failed to load sends');
|
||||
const body = await parseJson<{ object: 'list'; data: Send[] }>(resp);
|
||||
return body?.data || [];
|
||||
}
|
||||
|
||||
export async function createSend(
|
||||
authedFetch: AuthedFetch,
|
||||
session: SessionState,
|
||||
draft: SendDraft
|
||||
): Promise<Send> {
|
||||
if (!session.symEncKey || !session.symMacKey) throw new Error('Vault key unavailable');
|
||||
const userEnc = base64ToBytes(session.symEncKey);
|
||||
const userMac = base64ToBytes(session.symMacKey);
|
||||
const sendKeyMaterial = crypto.getRandomValues(new Uint8Array(SEND_KEY_SEED_BYTES));
|
||||
const sendKeyForUser = await encryptBw(sendKeyMaterial, userEnc, userMac);
|
||||
const sendKey = await toSendKeyParts(sendKeyMaterial);
|
||||
const nameCipher = await encryptTextValue(draft.name || '', sendKey.enc, sendKey.mac);
|
||||
const notesCipher = await encryptTextValue(draft.notes || '', sendKey.enc, sendKey.mac);
|
||||
|
||||
const deletionIso = toIsoDateFromDays(draft.deletionDays, true)!;
|
||||
const expirationIso = toIsoDateFromDays(draft.expirationDays, false);
|
||||
const maxAccessCount = parseMaxAccessCountRaw(draft.maxAccessCount);
|
||||
const password = String(draft.password || '');
|
||||
const passwordHash = password ? await hashSendPasswordB64(password, sendKeyMaterial) : null;
|
||||
|
||||
if (draft.type === 'text') {
|
||||
const text = String(draft.text || '').trim();
|
||||
if (!text) throw new Error('Send text is required');
|
||||
const textCipher = await encryptTextValue(text, sendKey.enc, sendKey.mac);
|
||||
|
||||
const payload = {
|
||||
type: 0,
|
||||
name: nameCipher,
|
||||
notes: notesCipher,
|
||||
key: sendKeyForUser,
|
||||
text: {
|
||||
text: textCipher,
|
||||
hidden: false,
|
||||
},
|
||||
maxAccessCount,
|
||||
password: passwordHash,
|
||||
hideEmail: false,
|
||||
disabled: !!draft.disabled,
|
||||
deletionDate: deletionIso,
|
||||
expirationDate: expirationIso,
|
||||
};
|
||||
|
||||
const resp = await authedFetch('/api/sends', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, 'Create send failed'));
|
||||
const body = await parseJson<Send>(resp);
|
||||
if (!body?.id) throw new Error('Create send failed');
|
||||
return body;
|
||||
}
|
||||
|
||||
if (!draft.file) throw new Error('File is required');
|
||||
const fileNameCipher = await encryptTextValue(draft.file.name, sendKey.enc, sendKey.mac);
|
||||
if (!fileNameCipher) throw new Error('Invalid file name');
|
||||
const plainFileBytes = new Uint8Array(await draft.file.arrayBuffer());
|
||||
const encryptedFileBytes = await encryptBwFileData(plainFileBytes, sendKey.enc, sendKey.mac);
|
||||
|
||||
const fileResp = await authedFetch('/api/sends/file/v2', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({
|
||||
type: 1,
|
||||
name: nameCipher,
|
||||
notes: notesCipher,
|
||||
key: sendKeyForUser,
|
||||
file: {
|
||||
fileName: fileNameCipher,
|
||||
},
|
||||
fileLength: encryptedFileBytes.byteLength,
|
||||
maxAccessCount,
|
||||
password: passwordHash,
|
||||
hideEmail: false,
|
||||
disabled: !!draft.disabled,
|
||||
deletionDate: deletionIso,
|
||||
expirationDate: expirationIso,
|
||||
}),
|
||||
});
|
||||
if (!fileResp.ok) throw new Error(await parseErrorMessage(fileResp, 'Create file send failed'));
|
||||
|
||||
const uploadInfo = await parseJson<{ url?: string; sendResponse?: Send }>(fileResp);
|
||||
const uploadUrl = uploadInfo?.url;
|
||||
if (!uploadUrl) throw new Error('Create file send failed: missing upload URL');
|
||||
|
||||
const formData = new FormData();
|
||||
const encryptedBlob = new Blob([encryptedFileBytes as unknown as BlobPart], { type: 'application/octet-stream' });
|
||||
formData.set('data', encryptedBlob, fileNameCipher);
|
||||
const uploadResp = await authedFetch(uploadUrl, {
|
||||
method: 'POST',
|
||||
body: formData,
|
||||
});
|
||||
if (!uploadResp.ok) throw new Error(await parseErrorMessage(uploadResp, 'Upload send file failed'));
|
||||
if (!uploadInfo?.sendResponse?.id) throw new Error('Create file send failed');
|
||||
return uploadInfo.sendResponse;
|
||||
}
|
||||
|
||||
export async function updateSend(
|
||||
authedFetch: AuthedFetch,
|
||||
session: SessionState,
|
||||
send: Send,
|
||||
draft: SendDraft
|
||||
): Promise<Send> {
|
||||
if (!session.symEncKey || !session.symMacKey) throw new Error('Vault key unavailable');
|
||||
if (!send.key) throw new Error('Send key unavailable');
|
||||
const userEnc = base64ToBytes(session.symEncKey);
|
||||
const userMac = base64ToBytes(session.symMacKey);
|
||||
const sendKeyMaterial = await decryptBw(send.key, userEnc, userMac);
|
||||
const sendKey = await toSendKeyParts(sendKeyMaterial);
|
||||
const nameCipher = await encryptTextValue(draft.name || '', sendKey.enc, sendKey.mac);
|
||||
const notesCipher = await encryptTextValue(draft.notes || '', sendKey.enc, sendKey.mac);
|
||||
|
||||
const deletionIso = toIsoDateFromDays(draft.deletionDays, true)!;
|
||||
const expirationIso = toIsoDateFromDays(draft.expirationDays, false);
|
||||
const maxAccessCount = parseMaxAccessCountRaw(draft.maxAccessCount);
|
||||
|
||||
if (draft.type === 'file' && draft.file) {
|
||||
throw new Error('Updating file content is not supported yet');
|
||||
}
|
||||
|
||||
const textCipher = await encryptTextValue(String(draft.text || ''), sendKey.enc, sendKey.mac);
|
||||
|
||||
const passwordRaw = String(draft.password || '');
|
||||
const passwordHash = passwordRaw ? await hashSendPasswordB64(passwordRaw, sendKeyMaterial) : null;
|
||||
|
||||
const payload = {
|
||||
id: send.id,
|
||||
type: draft.type === 'file' ? 1 : 0,
|
||||
name: nameCipher,
|
||||
notes: notesCipher,
|
||||
key: send.key,
|
||||
text: {
|
||||
text: textCipher,
|
||||
hidden: false,
|
||||
},
|
||||
maxAccessCount,
|
||||
password: passwordHash,
|
||||
hideEmail: false,
|
||||
disabled: !!draft.disabled,
|
||||
deletionDate: deletionIso,
|
||||
expirationDate: expirationIso,
|
||||
};
|
||||
|
||||
const resp = await authedFetch(`/api/sends/${encodeURIComponent(send.id)}`, {
|
||||
method: 'PUT',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, 'Update send failed'));
|
||||
const body = await parseJson<Send>(resp);
|
||||
if (!body?.id) throw new Error('Update send failed');
|
||||
return body;
|
||||
}
|
||||
|
||||
export async function deleteSend(authedFetch: AuthedFetch, sendId: string): Promise<void> {
|
||||
const resp = await authedFetch(`/api/sends/${encodeURIComponent(sendId)}`, { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, 'Delete send failed'));
|
||||
}
|
||||
|
||||
export async function bulkDeleteSends(authedFetch: AuthedFetch, ids: string[]): Promise<void> {
|
||||
const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
|
||||
for (const chunk of chunkArray(uniqueIds, 200)) {
|
||||
const resp = await authedFetch('/api/sends/delete', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ ids: chunk }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Bulk delete sends failed');
|
||||
}
|
||||
}
|
||||
|
||||
async function buildPublicSendAccessPayload(password?: string, keyPart?: string | null): Promise<Record<string, unknown>> {
|
||||
const payload: Record<string, unknown> = {};
|
||||
const plainPassword = String(password || '').trim();
|
||||
if (!plainPassword) return payload;
|
||||
|
||||
if (keyPart) {
|
||||
try {
|
||||
const sendKeyMaterial = base64UrlToBytes(keyPart);
|
||||
const passwordHashB64 = await hashSendPasswordB64(plainPassword, sendKeyMaterial);
|
||||
payload.passwordHash = passwordHashB64;
|
||||
payload.password_hash_b64 = passwordHashB64;
|
||||
payload.passwordHashB64 = passwordHashB64;
|
||||
} catch {
|
||||
// Key material invalid; server will reject as unauthorized.
|
||||
}
|
||||
}
|
||||
return payload;
|
||||
}
|
||||
|
||||
export async function accessPublicSend(accessId: string, keyPart?: string | null, password?: string): Promise<any> {
|
||||
const payload = await buildPublicSendAccessPayload(password, keyPart);
|
||||
const resp = await fetch(`/api/sends/access/${encodeURIComponent(accessId)}`, {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
if (!resp.ok) {
|
||||
const message = await parseErrorMessage(resp, 'Failed to access send');
|
||||
throw createApiError(message, resp.status);
|
||||
}
|
||||
return (await parseJson<any>(resp)) || null;
|
||||
}
|
||||
|
||||
export async function accessPublicSendFile(sendId: string, fileId: string, keyPart?: string | null, password?: string): Promise<string> {
|
||||
const payload = await buildPublicSendAccessPayload(password, keyPart);
|
||||
const resp = await fetch(`/api/sends/${encodeURIComponent(sendId)}/access/file/${encodeURIComponent(fileId)}`, {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
if (!resp.ok) {
|
||||
const message = await parseErrorMessage(resp, 'Failed to access send file');
|
||||
throw createApiError(message, resp.status);
|
||||
}
|
||||
const body = await parseJson<{ url?: string }>(resp);
|
||||
if (!body?.url) throw new Error('Missing file URL');
|
||||
return body.url;
|
||||
}
|
||||
|
||||
export async function decryptPublicSend(accessData: any, urlSafeKey: string): Promise<any> {
|
||||
const sendKeyMaterial = base64UrlToBytes(urlSafeKey);
|
||||
const sendKey = await toSendKeyParts(sendKeyMaterial);
|
||||
const out: any = { ...accessData };
|
||||
out.decName = await decryptStr(accessData?.name || '', sendKey.enc, sendKey.mac);
|
||||
if (accessData?.text?.text) {
|
||||
out.decText = await decryptStr(accessData.text.text, sendKey.enc, sendKey.mac);
|
||||
}
|
||||
if (accessData?.file?.fileName) {
|
||||
try {
|
||||
out.decFileName = await decryptStr(accessData.file.fileName, sendKey.enc, sendKey.mac);
|
||||
} catch {
|
||||
out.decFileName = String(accessData.file.fileName);
|
||||
}
|
||||
}
|
||||
return out;
|
||||
}
|
||||
|
||||
export async function decryptPublicSendFileBytes(
|
||||
encryptedBytes: ArrayBuffer | Uint8Array,
|
||||
urlSafeKey: string
|
||||
): Promise<Uint8Array> {
|
||||
const sendKeyMaterial = base64UrlToBytes(urlSafeKey);
|
||||
const sendKey = await toSendKeyParts(sendKeyMaterial);
|
||||
const encrypted = encryptedBytes instanceof Uint8Array ? encryptedBytes : new Uint8Array(encryptedBytes);
|
||||
return decryptBwFileData(encrypted, sendKey.enc, sendKey.mac);
|
||||
}
|
||||
|
||||
export function buildSendShareKey(sendKeyEncrypted: string, userEncB64: string, userMacB64: string): Promise<string> {
|
||||
const userEnc = base64ToBytes(userEncB64);
|
||||
const userMac = base64ToBytes(userMacB64);
|
||||
return decryptBw(sendKeyEncrypted, userEnc, userMac).then((keyMaterial) => bytesToBase64Url(keyMaterial));
|
||||
}
|
||||
@@ -0,0 +1,60 @@
|
||||
import { t } from '../i18n';
|
||||
import type { SessionState, TokenError } from '../types';
|
||||
|
||||
export type AuthedFetch = (input: string, init?: RequestInit) => Promise<Response>;
|
||||
export type SessionSetter = (next: SessionState | null) => void;
|
||||
|
||||
export const BULK_API_CHUNK_SIZE = 200;
|
||||
|
||||
export function chunkArray<T>(items: T[], size: number): T[][] {
|
||||
if (items.length <= size) return [items];
|
||||
const chunks: T[][] = [];
|
||||
for (let i = 0; i < items.length; i += size) {
|
||||
chunks.push(items.slice(i, i + size));
|
||||
}
|
||||
return chunks;
|
||||
}
|
||||
|
||||
export async function parseJson<T>(response: Response): Promise<T | null> {
|
||||
const text = await response.text();
|
||||
if (!text) return null;
|
||||
try {
|
||||
return JSON.parse(text) as T;
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
export function parseContentDispositionFileName(response: Response, fallback: string): string {
|
||||
const header = String(response.headers.get('Content-Disposition') || '').trim();
|
||||
if (!header) return fallback;
|
||||
|
||||
const utf8Match = header.match(/filename\*\s*=\s*UTF-8''([^;]+)/i);
|
||||
if (utf8Match?.[1]) {
|
||||
try {
|
||||
return decodeURIComponent(utf8Match[1]);
|
||||
} catch {
|
||||
// Ignore malformed filename*= values and fall back to the plain filename.
|
||||
}
|
||||
}
|
||||
|
||||
const plainMatch = header.match(/filename\s*=\s*"([^"]+)"|filename\s*=\s*([^;]+)/i);
|
||||
const raw = plainMatch?.[1] || plainMatch?.[2] || '';
|
||||
const normalized = String(raw).trim().replace(/^"+|"+$/g, '');
|
||||
return normalized || fallback;
|
||||
}
|
||||
|
||||
export async function parseErrorMessage(resp: Response, fallback: string): Promise<string> {
|
||||
const body = await parseJson<TokenError>(resp);
|
||||
return body?.error_description || body?.error || fallback;
|
||||
}
|
||||
|
||||
export function createApiError(message: string, status?: number): Error & { status?: number } {
|
||||
const error = new Error(message) as Error & { status?: number };
|
||||
if (status !== undefined) error.status = status;
|
||||
return error;
|
||||
}
|
||||
|
||||
export function requiredError(messageKey: string): never {
|
||||
throw new Error(t(messageKey));
|
||||
}
|
||||
@@ -0,0 +1,686 @@
|
||||
import { base64ToBytes, decryptBw, decryptBwFileData, decryptStr, encryptBw, encryptBwFileData } from '../crypto';
|
||||
import type {
|
||||
Cipher,
|
||||
Folder,
|
||||
ListResponse,
|
||||
SessionState,
|
||||
VaultDraft,
|
||||
VaultDraftField,
|
||||
} from '../types';
|
||||
import {
|
||||
BULK_API_CHUNK_SIZE,
|
||||
chunkArray,
|
||||
parseErrorMessage,
|
||||
parseJson,
|
||||
type AuthedFetch,
|
||||
} from './shared';
|
||||
|
||||
export async function getFolders(authedFetch: AuthedFetch): Promise<Folder[]> {
|
||||
const resp = await authedFetch('/api/folders');
|
||||
if (!resp.ok) throw new Error('Failed to load folders');
|
||||
const body = await parseJson<ListResponse<Folder>>(resp);
|
||||
return body?.data || [];
|
||||
}
|
||||
|
||||
export async function createFolder(
|
||||
authedFetch: AuthedFetch,
|
||||
session: SessionState,
|
||||
name: string
|
||||
): Promise<{ id: string; name?: string | null }> {
|
||||
if (!session.symEncKey || !session.symMacKey) throw new Error('Vault key unavailable');
|
||||
const enc = base64ToBytes(session.symEncKey);
|
||||
const mac = base64ToBytes(session.symMacKey);
|
||||
const encryptedName = await encryptBw(new TextEncoder().encode(name), enc, mac);
|
||||
const resp = await authedFetch('/api/folders', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ name: encryptedName }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Create folder failed');
|
||||
const body = await parseJson<{ id?: string; name?: string | null }>(resp);
|
||||
if (!body?.id) throw new Error('Create folder failed');
|
||||
return { id: body.id, name: body.name ?? null };
|
||||
}
|
||||
|
||||
export async function encryptFolderImportName(session: SessionState, name: string): Promise<string> {
|
||||
if (!session.symEncKey || !session.symMacKey) throw new Error('Vault key unavailable');
|
||||
const enc = base64ToBytes(session.symEncKey);
|
||||
const mac = base64ToBytes(session.symMacKey);
|
||||
return encryptBw(new TextEncoder().encode(name), enc, mac);
|
||||
}
|
||||
|
||||
export async function deleteFolder(authedFetch: AuthedFetch, folderId: string): Promise<void> {
|
||||
const id = String(folderId || '').trim();
|
||||
if (!id) throw new Error('Folder id is required');
|
||||
const resp = await authedFetch(`/api/folders/${encodeURIComponent(id)}`, {
|
||||
method: 'DELETE',
|
||||
});
|
||||
if (!resp.ok) throw new Error('Delete folder failed');
|
||||
}
|
||||
|
||||
export async function bulkDeleteFolders(authedFetch: AuthedFetch, ids: string[]): Promise<void> {
|
||||
const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
|
||||
for (const chunk of chunkArray(uniqueIds, BULK_API_CHUNK_SIZE)) {
|
||||
const resp = await authedFetch('/api/folders/delete', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ ids: chunk }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Bulk delete folders failed');
|
||||
}
|
||||
}
|
||||
|
||||
export async function updateFolder(
|
||||
authedFetch: AuthedFetch,
|
||||
session: SessionState,
|
||||
folderId: string,
|
||||
name: string
|
||||
): Promise<void> {
|
||||
const id = String(folderId || '').trim();
|
||||
if (!id) throw new Error('Folder id is required');
|
||||
if (!session.symEncKey || !session.symMacKey) throw new Error('Vault key unavailable');
|
||||
const enc = base64ToBytes(session.symEncKey);
|
||||
const mac = base64ToBytes(session.symMacKey);
|
||||
const encryptedName = await encryptBw(new TextEncoder().encode(name), enc, mac);
|
||||
const resp = await authedFetch(`/api/folders/${encodeURIComponent(id)}`, {
|
||||
method: 'PUT',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ name: encryptedName }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Update folder failed');
|
||||
}
|
||||
|
||||
export async function getCiphers(authedFetch: AuthedFetch): Promise<Cipher[]> {
|
||||
const resp = await authedFetch('/api/ciphers?deleted=true');
|
||||
if (!resp.ok) throw new Error('Failed to load ciphers');
|
||||
const body = await parseJson<ListResponse<Cipher>>(resp);
|
||||
return body?.data || [];
|
||||
}
|
||||
|
||||
export interface CiphersImportPayload {
|
||||
ciphers: Array<Record<string, unknown>>;
|
||||
folders: Array<{ name: string }>;
|
||||
folderRelationships: Array<{ key: number; value: number }>;
|
||||
}
|
||||
|
||||
export interface ImportedCipherMapEntry {
|
||||
index: number;
|
||||
sourceId: string | null;
|
||||
id: string;
|
||||
}
|
||||
|
||||
export async function importCiphers(
|
||||
authedFetch: AuthedFetch,
|
||||
payload: CiphersImportPayload,
|
||||
options?: { returnCipherMap?: boolean }
|
||||
): Promise<ImportedCipherMapEntry[] | null> {
|
||||
const returnCipherMap = !!options?.returnCipherMap;
|
||||
const url = returnCipherMap ? '/api/ciphers/import?returnCipherMap=1' : '/api/ciphers/import';
|
||||
const totalItems = (payload.folders?.length || 0) + (payload.ciphers?.length || 0);
|
||||
const responses: ImportedCipherMapEntry[] = [];
|
||||
const folderChunkSize = Math.min(BULK_API_CHUNK_SIZE, Math.max(0, BULK_API_CHUNK_SIZE - 1));
|
||||
|
||||
if (totalItems <= BULK_API_CHUNK_SIZE || payload.folders.length > folderChunkSize) {
|
||||
const resp = await authedFetch(url, {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, 'Import failed'));
|
||||
if (!returnCipherMap) return null;
|
||||
const body =
|
||||
(await parseJson<{
|
||||
cipherMap?: Array<{ index?: number; sourceId?: string | null; id?: string }>;
|
||||
}>(resp)) || {};
|
||||
if (!Array.isArray(body.cipherMap)) return [];
|
||||
for (const row of body.cipherMap) {
|
||||
const index = Number(row?.index);
|
||||
const id = String(row?.id || '').trim();
|
||||
if (!Number.isFinite(index) || !id) continue;
|
||||
const sourceRaw = String(row?.sourceId || '').trim();
|
||||
responses.push({
|
||||
index,
|
||||
id,
|
||||
sourceId: sourceRaw || null,
|
||||
});
|
||||
}
|
||||
return responses;
|
||||
}
|
||||
|
||||
const folders = payload.folders || [];
|
||||
const relationshipsByCipher = new Map<number, number | null>();
|
||||
for (const relation of payload.folderRelationships || []) {
|
||||
relationshipsByCipher.set(Number(relation.key), Number(relation.value));
|
||||
}
|
||||
|
||||
for (const cipherChunkStart of Array.from({ length: Math.ceil(payload.ciphers.length / BULK_API_CHUNK_SIZE) }, (_, i) => i * BULK_API_CHUNK_SIZE)) {
|
||||
const cipherChunk = payload.ciphers.slice(cipherChunkStart, cipherChunkStart + BULK_API_CHUNK_SIZE);
|
||||
const usedFolderIndices = Array.from(
|
||||
new Set(
|
||||
cipherChunk
|
||||
.map((_, localIndex) => relationshipsByCipher.get(cipherChunkStart + localIndex))
|
||||
.filter((value): value is number => Number.isFinite(value as number) && (value as number) >= 0)
|
||||
)
|
||||
);
|
||||
const folderIndexMap = new Map<number, number>();
|
||||
const chunkFolders = usedFolderIndices.map((folderIndex, localIndex) => {
|
||||
folderIndexMap.set(folderIndex, localIndex);
|
||||
return folders[folderIndex];
|
||||
});
|
||||
const chunkRelationships = cipherChunk
|
||||
.map((_, localIndex) => {
|
||||
const originalCipherIndex = cipherChunkStart + localIndex;
|
||||
const originalFolderIndex = relationshipsByCipher.get(originalCipherIndex);
|
||||
if (!Number.isFinite(originalFolderIndex as number)) return null;
|
||||
const localFolderIndex = folderIndexMap.get(Number(originalFolderIndex));
|
||||
if (!Number.isFinite(localFolderIndex as number)) return null;
|
||||
return { key: localIndex, value: Number(localFolderIndex) };
|
||||
})
|
||||
.filter((value): value is { key: number; value: number } => !!value);
|
||||
|
||||
const resp = await authedFetch(url, {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({
|
||||
ciphers: cipherChunk,
|
||||
folders: chunkFolders,
|
||||
folderRelationships: chunkRelationships,
|
||||
}),
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, 'Import failed'));
|
||||
if (!returnCipherMap) continue;
|
||||
const body =
|
||||
(await parseJson<{
|
||||
cipherMap?: Array<{ index?: number; sourceId?: string | null; id?: string }>;
|
||||
}>(resp)) || {};
|
||||
for (const row of body.cipherMap || []) {
|
||||
const localIndex = Number(row?.index);
|
||||
const id = String(row?.id || '').trim();
|
||||
if (!Number.isFinite(localIndex) || !id) continue;
|
||||
const sourceRaw = String(row?.sourceId || '').trim();
|
||||
responses.push({
|
||||
index: cipherChunkStart + localIndex,
|
||||
id,
|
||||
sourceId: sourceRaw || null,
|
||||
});
|
||||
}
|
||||
}
|
||||
return returnCipherMap ? responses : null;
|
||||
}
|
||||
|
||||
export interface AttachmentDownloadInfo {
|
||||
id: string;
|
||||
url: string;
|
||||
fileName: string | null;
|
||||
key: string | null;
|
||||
size: string | null;
|
||||
sizeName: string | null;
|
||||
}
|
||||
|
||||
export async function getAttachmentDownloadInfo(
|
||||
authedFetch: AuthedFetch,
|
||||
cipherId: string,
|
||||
attachmentId: string
|
||||
): Promise<AttachmentDownloadInfo> {
|
||||
const resp = await authedFetch(`/api/ciphers/${encodeURIComponent(cipherId)}/attachment/${encodeURIComponent(attachmentId)}`);
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, 'Failed to load attachment'));
|
||||
const body =
|
||||
(await parseJson<{
|
||||
id?: string;
|
||||
url?: string;
|
||||
fileName?: string | null;
|
||||
key?: string | null;
|
||||
size?: string | null;
|
||||
sizeName?: string | null;
|
||||
}>(resp)) || {};
|
||||
const id = String(body.id || attachmentId || '').trim();
|
||||
const url = String(body.url || '').trim();
|
||||
if (!id || !url) throw new Error('Invalid attachment download response');
|
||||
return {
|
||||
id,
|
||||
url,
|
||||
fileName: body.fileName ?? null,
|
||||
key: body.key ?? null,
|
||||
size: body.size ?? null,
|
||||
sizeName: body.sizeName ?? null,
|
||||
};
|
||||
}
|
||||
|
||||
function looksLikeCipherString(value: unknown): boolean {
|
||||
return /^\d+\.[A-Za-z0-9+/=]+\|[A-Za-z0-9+/=]+(?:\|[A-Za-z0-9+/=]+)?$/.test(String(value || '').trim());
|
||||
}
|
||||
|
||||
export async function uploadCipherAttachment(
|
||||
authedFetch: AuthedFetch,
|
||||
session: SessionState,
|
||||
cipherId: string,
|
||||
file: File,
|
||||
cipherForKey?: Cipher | null
|
||||
): Promise<void> {
|
||||
if (!session.symEncKey || !session.symMacKey) throw new Error('Vault key unavailable');
|
||||
const id = String(cipherId || '').trim();
|
||||
if (!id) throw new Error('Cipher id is required');
|
||||
if (!file) throw new Error('File is required');
|
||||
|
||||
const userEnc = base64ToBytes(session.symEncKey);
|
||||
const userMac = base64ToBytes(session.symMacKey);
|
||||
const itemKeys = await getCipherKeys(cipherForKey || null, userEnc, userMac);
|
||||
|
||||
const encryptedFileName = await encryptTextValue(file.name, itemKeys.enc, itemKeys.mac);
|
||||
if (!encryptedFileName) throw new Error('Invalid attachment name');
|
||||
|
||||
const attachmentRawKey = crypto.getRandomValues(new Uint8Array(64));
|
||||
const attachmentWrappedKey = await encryptBw(attachmentRawKey, itemKeys.enc, itemKeys.mac);
|
||||
const fileBytes = new Uint8Array(await file.arrayBuffer());
|
||||
const encryptedBytes = await encryptBwFileData(fileBytes, attachmentRawKey.slice(0, 32), attachmentRawKey.slice(32, 64));
|
||||
|
||||
const metaResp = await authedFetch(`/api/ciphers/${encodeURIComponent(id)}/attachment/v2`, {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({
|
||||
fileName: encryptedFileName,
|
||||
key: attachmentWrappedKey,
|
||||
fileSize: encryptedBytes.byteLength,
|
||||
}),
|
||||
});
|
||||
if (!metaResp.ok) throw new Error(await parseErrorMessage(metaResp, 'Create attachment failed'));
|
||||
|
||||
const meta =
|
||||
(await parseJson<{
|
||||
attachmentId?: string;
|
||||
url?: string;
|
||||
}>(metaResp)) || {};
|
||||
const attachmentId = String(meta.attachmentId || '').trim();
|
||||
const uploadUrl = String(meta.url || '').trim();
|
||||
if (!attachmentId || !uploadUrl) throw new Error('Create attachment failed');
|
||||
|
||||
const payload = new ArrayBuffer(encryptedBytes.byteLength);
|
||||
new Uint8Array(payload).set(encryptedBytes);
|
||||
const formData = new FormData();
|
||||
formData.set('data', new Blob([payload], { type: 'application/octet-stream' }), encryptedFileName);
|
||||
|
||||
const uploadResp = await authedFetch(uploadUrl, {
|
||||
method: 'POST',
|
||||
body: formData,
|
||||
});
|
||||
if (!uploadResp.ok) {
|
||||
try {
|
||||
await authedFetch(`/api/ciphers/${encodeURIComponent(id)}/attachment/${encodeURIComponent(attachmentId)}`, { method: 'DELETE' });
|
||||
} catch {
|
||||
// ignore rollback failure
|
||||
}
|
||||
throw new Error(await parseErrorMessage(uploadResp, 'Upload attachment failed'));
|
||||
}
|
||||
}
|
||||
|
||||
export async function deleteCipherAttachment(
|
||||
authedFetch: AuthedFetch,
|
||||
cipherId: string,
|
||||
attachmentId: string
|
||||
): Promise<void> {
|
||||
const cid = String(cipherId || '').trim();
|
||||
const aid = String(attachmentId || '').trim();
|
||||
if (!cid || !aid) throw new Error('Attachment id is required');
|
||||
const resp = await authedFetch(`/api/ciphers/${encodeURIComponent(cid)}/attachment/${encodeURIComponent(aid)}`, {
|
||||
method: 'DELETE',
|
||||
});
|
||||
if (!resp.ok) throw new Error(await parseErrorMessage(resp, 'Delete attachment failed'));
|
||||
}
|
||||
|
||||
export async function downloadCipherAttachmentDecrypted(
|
||||
authedFetch: AuthedFetch,
|
||||
session: SessionState,
|
||||
cipher: Cipher,
|
||||
attachmentId: string
|
||||
): Promise<{ fileName: string; bytes: Uint8Array }> {
|
||||
if (!session.symEncKey || !session.symMacKey) throw new Error('Vault key unavailable');
|
||||
const cid = String(cipher?.id || '').trim();
|
||||
const aid = String(attachmentId || '').trim();
|
||||
if (!cid || !aid) throw new Error('Attachment id is required');
|
||||
|
||||
const info = await getAttachmentDownloadInfo(authedFetch, cid, aid);
|
||||
const rawResp = await fetch(info.url, { cache: 'no-store' });
|
||||
if (!rawResp.ok) throw new Error('Download attachment failed');
|
||||
const encryptedBytes = new Uint8Array(await rawResp.arrayBuffer());
|
||||
|
||||
const userEnc = base64ToBytes(session.symEncKey);
|
||||
const userMac = base64ToBytes(session.symMacKey);
|
||||
const itemKeys = await getCipherKeys(cipher, userEnc, userMac);
|
||||
|
||||
let fileEnc = itemKeys.enc;
|
||||
let fileMac = itemKeys.mac;
|
||||
const keyCipher = String(info.key || '').trim();
|
||||
if (keyCipher && looksLikeCipherString(keyCipher)) {
|
||||
try {
|
||||
const fileRawKey = await decryptBw(keyCipher, itemKeys.enc, itemKeys.mac);
|
||||
if (fileRawKey.length >= 64) {
|
||||
fileEnc = fileRawKey.slice(0, 32);
|
||||
fileMac = fileRawKey.slice(32, 64);
|
||||
}
|
||||
} catch {
|
||||
// fallback to item key
|
||||
}
|
||||
}
|
||||
|
||||
const plainBytes = await decryptBwFileData(encryptedBytes, fileEnc, fileMac);
|
||||
|
||||
const fileNameRaw = String(info.fileName || '').trim();
|
||||
let fileName = fileNameRaw || `attachment-${aid}`;
|
||||
if (fileNameRaw && looksLikeCipherString(fileNameRaw)) {
|
||||
try {
|
||||
fileName = (await decryptStr(fileNameRaw, itemKeys.enc, itemKeys.mac)) || fileName;
|
||||
} catch {
|
||||
// keep fallback name
|
||||
}
|
||||
}
|
||||
|
||||
return { fileName, bytes: plainBytes };
|
||||
}
|
||||
|
||||
function asNullable(v: string): string | null {
|
||||
const s = String(v || '').trim();
|
||||
return s ? s : null;
|
||||
}
|
||||
|
||||
function parseFieldType(v: number | string): 0 | 1 | 2 | 3 {
|
||||
if (typeof v === 'number') {
|
||||
if (v === 1 || v === 2 || v === 3) return v;
|
||||
return 0;
|
||||
}
|
||||
const s = String(v).trim().toLowerCase();
|
||||
if (s === '1' || s === 'hidden') return 1;
|
||||
if (s === '2' || s === 'boolean' || s === 'checkbox') return 2;
|
||||
if (s === '3' || s === 'linked' || s === 'link') return 3;
|
||||
return 0;
|
||||
}
|
||||
|
||||
async function encryptTextValue(value: string, enc: Uint8Array, mac: Uint8Array): Promise<string | null> {
|
||||
const s = String(value || '');
|
||||
if (!s.trim()) return null;
|
||||
return encryptBw(new TextEncoder().encode(s), enc, mac);
|
||||
}
|
||||
|
||||
async function encryptCustomFields(
|
||||
fields: VaultDraftField[],
|
||||
enc: Uint8Array,
|
||||
mac: Uint8Array
|
||||
): Promise<Array<{ type: number; name: string | null; value: string | null }>> {
|
||||
const out: Array<{ type: number; name: string | null; value: string | null }> = [];
|
||||
for (const field of fields || []) {
|
||||
const label = String(field.label || '').trim();
|
||||
if (!label) continue;
|
||||
out.push({
|
||||
type: parseFieldType(field.type),
|
||||
name: await encryptTextValue(label, enc, mac),
|
||||
value: await encryptTextValue(String(field.value || ''), enc, mac),
|
||||
});
|
||||
}
|
||||
return out;
|
||||
}
|
||||
|
||||
async function encryptUris(uris: string[], enc: Uint8Array, mac: Uint8Array): Promise<Array<{ uri: string | null; match: null }>> {
|
||||
const out: Array<{ uri: string | null; match: null }> = [];
|
||||
for (const uri of uris || []) {
|
||||
const trimmed = String(uri || '').trim();
|
||||
if (!trimmed) continue;
|
||||
out.push({ uri: await encryptTextValue(trimmed, enc, mac), match: null });
|
||||
}
|
||||
return out;
|
||||
}
|
||||
|
||||
function toIsoDateOrNow(value: unknown): string {
|
||||
const raw = String(value ?? '').trim();
|
||||
if (!raw) return new Date().toISOString();
|
||||
const parsed = new Date(raw);
|
||||
if (!Number.isFinite(parsed.getTime())) return new Date().toISOString();
|
||||
return parsed.toISOString();
|
||||
}
|
||||
|
||||
async function encryptMaybeFidoValue(
|
||||
value: unknown,
|
||||
enc: Uint8Array,
|
||||
mac: Uint8Array,
|
||||
fallback = ''
|
||||
): Promise<string> {
|
||||
const normalized = String(value ?? '').trim() || fallback;
|
||||
if (looksLikeCipherString(normalized)) return normalized;
|
||||
return encryptBw(new TextEncoder().encode(normalized), enc, mac);
|
||||
}
|
||||
|
||||
async function encryptMaybeNullableFidoValue(
|
||||
value: unknown,
|
||||
enc: Uint8Array,
|
||||
mac: Uint8Array
|
||||
): Promise<string | null> {
|
||||
const normalized = String(value ?? '').trim();
|
||||
if (!normalized) return null;
|
||||
if (looksLikeCipherString(normalized)) return normalized;
|
||||
return encryptBw(new TextEncoder().encode(normalized), enc, mac);
|
||||
}
|
||||
|
||||
async function normalizeFido2Credentials(
|
||||
credentials: Array<Record<string, unknown>> | null | undefined,
|
||||
enc: Uint8Array,
|
||||
mac: Uint8Array
|
||||
): Promise<Array<Record<string, unknown>> | null> {
|
||||
if (!Array.isArray(credentials) || credentials.length === 0) return null;
|
||||
const out: Array<Record<string, unknown>> = [];
|
||||
for (const credential of credentials) {
|
||||
if (!credential || typeof credential !== 'object') continue;
|
||||
out.push({
|
||||
credentialId: await encryptMaybeFidoValue(credential.credentialId, enc, mac),
|
||||
keyType: await encryptMaybeFidoValue(credential.keyType, enc, mac, 'public-key'),
|
||||
keyAlgorithm: await encryptMaybeFidoValue(credential.keyAlgorithm, enc, mac, 'ECDSA'),
|
||||
keyCurve: await encryptMaybeFidoValue(credential.keyCurve, enc, mac, 'P-256'),
|
||||
keyValue: await encryptMaybeFidoValue(credential.keyValue, enc, mac),
|
||||
rpId: await encryptMaybeFidoValue(credential.rpId, enc, mac),
|
||||
rpName: await encryptMaybeNullableFidoValue(credential.rpName, enc, mac),
|
||||
userHandle: await encryptMaybeNullableFidoValue(credential.userHandle, enc, mac),
|
||||
userName: await encryptMaybeNullableFidoValue(credential.userName, enc, mac),
|
||||
userDisplayName: await encryptMaybeNullableFidoValue(credential.userDisplayName, enc, mac),
|
||||
counter: await encryptMaybeFidoValue(credential.counter, enc, mac, '0'),
|
||||
discoverable: await encryptMaybeFidoValue(credential.discoverable, enc, mac, 'false'),
|
||||
creationDate: toIsoDateOrNow(credential.creationDate),
|
||||
});
|
||||
}
|
||||
return out.length ? out : null;
|
||||
}
|
||||
|
||||
async function getCipherKeys(
|
||||
cipher: Cipher | null,
|
||||
userEnc: Uint8Array,
|
||||
userMac: Uint8Array
|
||||
): Promise<{ enc: Uint8Array; mac: Uint8Array; key: string | null }> {
|
||||
if (cipher?.key) {
|
||||
try {
|
||||
const raw = await decryptBw(cipher.key, userEnc, userMac);
|
||||
if (raw.length >= 64) return { enc: raw.slice(0, 32), mac: raw.slice(32, 64), key: cipher.key };
|
||||
} catch {
|
||||
// use user key
|
||||
}
|
||||
}
|
||||
return { enc: userEnc, mac: userMac, key: null };
|
||||
}
|
||||
|
||||
async function buildCipherPayload(
|
||||
session: SessionState,
|
||||
draft: VaultDraft,
|
||||
cipher: Cipher | null
|
||||
): Promise<Record<string, unknown>> {
|
||||
if (!session.symEncKey || !session.symMacKey) throw new Error('Vault key unavailable');
|
||||
const userEnc = base64ToBytes(session.symEncKey);
|
||||
const userMac = base64ToBytes(session.symMacKey);
|
||||
const keys = await getCipherKeys(cipher, userEnc, userMac);
|
||||
const type = Number(draft.type || cipher?.type || 1);
|
||||
|
||||
const payload: Record<string, unknown> = {
|
||||
type,
|
||||
favorite: !!draft.favorite,
|
||||
folderId: asNullable(draft.folderId),
|
||||
reprompt: draft.reprompt ? 1 : 0,
|
||||
name: await encryptTextValue(draft.name, keys.enc, keys.mac),
|
||||
notes: await encryptTextValue(draft.notes, keys.enc, keys.mac),
|
||||
login: null,
|
||||
card: null,
|
||||
identity: null,
|
||||
secureNote: null,
|
||||
sshKey: null,
|
||||
fields: await encryptCustomFields(draft.customFields || [], keys.enc, keys.mac),
|
||||
};
|
||||
|
||||
if (cipher?.id) {
|
||||
payload.id = cipher.id;
|
||||
payload.key = keys.key;
|
||||
}
|
||||
|
||||
if (type === 1) {
|
||||
const existingFido2 =
|
||||
cipher?.login && Array.isArray((cipher.login as any).fido2Credentials)
|
||||
? (cipher.login as any).fido2Credentials
|
||||
: draft.loginFido2Credentials;
|
||||
payload.login = {
|
||||
username: await encryptTextValue(draft.loginUsername, keys.enc, keys.mac),
|
||||
password: await encryptTextValue(draft.loginPassword, keys.enc, keys.mac),
|
||||
totp: await encryptTextValue(draft.loginTotp, keys.enc, keys.mac),
|
||||
fido2Credentials: await normalizeFido2Credentials(existingFido2, keys.enc, keys.mac),
|
||||
uris: await encryptUris(draft.loginUris || [], keys.enc, keys.mac),
|
||||
};
|
||||
} else if (type === 3) {
|
||||
payload.card = {
|
||||
cardholderName: await encryptTextValue(draft.cardholderName, keys.enc, keys.mac),
|
||||
number: await encryptTextValue(draft.cardNumber, keys.enc, keys.mac),
|
||||
brand: await encryptTextValue(draft.cardBrand, keys.enc, keys.mac),
|
||||
expMonth: await encryptTextValue(draft.cardExpMonth, keys.enc, keys.mac),
|
||||
expYear: await encryptTextValue(draft.cardExpYear, keys.enc, keys.mac),
|
||||
code: await encryptTextValue(draft.cardCode, keys.enc, keys.mac),
|
||||
};
|
||||
} else if (type === 4) {
|
||||
payload.identity = {
|
||||
title: await encryptTextValue(draft.identTitle, keys.enc, keys.mac),
|
||||
firstName: await encryptTextValue(draft.identFirstName, keys.enc, keys.mac),
|
||||
middleName: await encryptTextValue(draft.identMiddleName, keys.enc, keys.mac),
|
||||
lastName: await encryptTextValue(draft.identLastName, keys.enc, keys.mac),
|
||||
username: await encryptTextValue(draft.identUsername, keys.enc, keys.mac),
|
||||
company: await encryptTextValue(draft.identCompany, keys.enc, keys.mac),
|
||||
ssn: await encryptTextValue(draft.identSsn, keys.enc, keys.mac),
|
||||
passportNumber: await encryptTextValue(draft.identPassportNumber, keys.enc, keys.mac),
|
||||
licenseNumber: await encryptTextValue(draft.identLicenseNumber, keys.enc, keys.mac),
|
||||
email: await encryptTextValue(draft.identEmail, keys.enc, keys.mac),
|
||||
phone: await encryptTextValue(draft.identPhone, keys.enc, keys.mac),
|
||||
address1: await encryptTextValue(draft.identAddress1, keys.enc, keys.mac),
|
||||
address2: await encryptTextValue(draft.identAddress2, keys.enc, keys.mac),
|
||||
address3: await encryptTextValue(draft.identAddress3, keys.enc, keys.mac),
|
||||
city: await encryptTextValue(draft.identCity, keys.enc, keys.mac),
|
||||
state: await encryptTextValue(draft.identState, keys.enc, keys.mac),
|
||||
postalCode: await encryptTextValue(draft.identPostalCode, keys.enc, keys.mac),
|
||||
country: await encryptTextValue(draft.identCountry, keys.enc, keys.mac),
|
||||
};
|
||||
} else if (type === 5) {
|
||||
const encryptedFingerprint = await encryptTextValue(draft.sshFingerprint, keys.enc, keys.mac);
|
||||
payload.sshKey = {
|
||||
privateKey: await encryptTextValue(draft.sshPrivateKey, keys.enc, keys.mac),
|
||||
publicKey: await encryptTextValue(draft.sshPublicKey, keys.enc, keys.mac),
|
||||
keyFingerprint: encryptedFingerprint,
|
||||
fingerprint: encryptedFingerprint,
|
||||
};
|
||||
} else if (type === 2) {
|
||||
payload.secureNote = { type: 0 };
|
||||
}
|
||||
|
||||
return payload;
|
||||
}
|
||||
|
||||
export async function buildCipherImportPayload(session: SessionState, draft: VaultDraft): Promise<Record<string, unknown>> {
|
||||
return buildCipherPayload(session, draft, null);
|
||||
}
|
||||
|
||||
export async function createCipher(
|
||||
authedFetch: AuthedFetch,
|
||||
session: SessionState,
|
||||
draft: VaultDraft
|
||||
): Promise<{ id: string }> {
|
||||
const payload = await buildCipherPayload(session, draft, null);
|
||||
|
||||
const resp = await authedFetch('/api/ciphers', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Create item failed');
|
||||
const body = await parseJson<{ id?: string }>(resp);
|
||||
if (!body?.id) throw new Error('Create item failed');
|
||||
return { id: body.id };
|
||||
}
|
||||
|
||||
export async function updateCipher(
|
||||
authedFetch: AuthedFetch,
|
||||
session: SessionState,
|
||||
cipher: Cipher,
|
||||
draft: VaultDraft
|
||||
): Promise<void> {
|
||||
const payload = await buildCipherPayload(session, draft, cipher);
|
||||
|
||||
const resp = await authedFetch(`/api/ciphers/${encodeURIComponent(cipher.id)}`, {
|
||||
method: 'PUT',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Update item failed');
|
||||
}
|
||||
|
||||
export async function deleteCipher(authedFetch: AuthedFetch, cipherId: string): Promise<void> {
|
||||
const resp = await authedFetch(`/api/ciphers/${encodeURIComponent(cipherId)}`, { method: 'DELETE' });
|
||||
if (!resp.ok) throw new Error('Delete item failed');
|
||||
}
|
||||
|
||||
export async function bulkDeleteCiphers(authedFetch: AuthedFetch, ids: string[]): Promise<void> {
|
||||
const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
|
||||
for (const chunk of chunkArray(uniqueIds, BULK_API_CHUNK_SIZE)) {
|
||||
const resp = await authedFetch('/api/ciphers/delete', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ ids: chunk }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Bulk delete failed');
|
||||
}
|
||||
}
|
||||
|
||||
export async function bulkPermanentDeleteCiphers(authedFetch: AuthedFetch, ids: string[]): Promise<void> {
|
||||
const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
|
||||
for (const chunk of chunkArray(uniqueIds, BULK_API_CHUNK_SIZE)) {
|
||||
const resp = await authedFetch('/api/ciphers/delete-permanent', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ ids: chunk }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Bulk permanent delete failed');
|
||||
}
|
||||
}
|
||||
|
||||
export async function bulkRestoreCiphers(authedFetch: AuthedFetch, ids: string[]): Promise<void> {
|
||||
const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
|
||||
for (const chunk of chunkArray(uniqueIds, BULK_API_CHUNK_SIZE)) {
|
||||
const resp = await authedFetch('/api/ciphers/restore', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ ids: chunk }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Bulk restore failed');
|
||||
}
|
||||
}
|
||||
|
||||
export async function bulkMoveCiphers(
|
||||
authedFetch: AuthedFetch,
|
||||
ids: string[],
|
||||
folderId: string | null
|
||||
): Promise<void> {
|
||||
const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
|
||||
for (const chunk of chunkArray(uniqueIds, BULK_API_CHUNK_SIZE)) {
|
||||
const resp = await authedFetch('/api/ciphers/move', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ ids: chunk, folderId }),
|
||||
});
|
||||
if (!resp.ok) throw new Error('Bulk move failed');
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user