From 042cfffbe80a55297d1f6ab78c33cec04bf18012 Mon Sep 17 00:00:00 2001 From: ansuz Date: Mon, 16 Dec 2019 09:38:36 -0500 Subject: [PATCH] use APIs instead of creating invitations inline --- www/common/invitation.js | 88 ++++++++++++++++------------------------ www/teams/inner.js | 17 ++------ 2 files changed, 40 insertions(+), 65 deletions(-) diff --git a/www/common/invitation.js b/www/common/invitation.js index 0bad771de..72655c60a 100644 --- a/www/common/invitation.js +++ b/www/common/invitation.js @@ -1,78 +1,62 @@ (function () { -var factory = function (Hash, Nacl/*, Util, Cred, nThen */) { +var factory = function (Hash, Nacl, Scrypt/*, Util, Cred, nThen */) { var Invite = {}; - /* XXX ansuz - inner invitation components + Invite.deriveSeeds = function (seed) { + // take the hash of the provided seed + var u8_seed = Nacl.hash(Nacl.util.decodeBase64(seed)); - * create an invitation link - * derive secrets from a v2 link and password - * split hash into two preseeds - * preseed1 => preview hash - * scrypt(scrypt_seed) => b64_bytes - * preview an invitation link - * get preview hash from invitation link - * decrypt an invitation link - * (slowly) get b64_bytes from hash + // hash the first half again for scrypt's input + var subseed1 = Nacl.hash(u8_seed.subarray(0, 32)); + // hash the remainder for the invite content + var subseed2 = Nacl.hash(u8_seed.subarray(32)); - */ - - Invite.deriveSeeds = function (key) { - var seeds = {}; - -/* - var preview_channel; - var preview_cryptKey; -*/ - var preview_secrets; - (function () { - var b64_seed = key; - if (typeof(b64_seed) !== 'string') { - return console.error('invite seed is not a string'); - } - - var u8_seed = Nacl.util.decodeBase64(b64_seed); - var step1 = Nacl.hash(u8_seed); - seeds.scrypt = Nacl.util.encodeBase64(step1.subarray(0, 32)); - - var preview_hash = '#/2/invite/view/' + - Nacl.util.encodeBase64(step1.subarray(32, 50)).replace('/', '-') - + '/'; + return { + scrypt: Nacl.util.encodeBase64(subseed1), + preview: Nacl.util.encodeBase64(subseed2), + }; + }; - preview_secrets = Hash.getSecrets('pad', preview_hash); - }()); - return seeds; + Invite.derivePreviewHash = function (seeds) { + return '#/2/invite/view/' + + Nacl.util.encodeBase64(seeds.preview.slice(0, 18)).replace('/', '-') + + '/'; }; - // seed => bytes64 - Invite.deriveBytes = function (scrypt_seed, cb) { - // XXX do scrypt stuff... - cb = cb; + Invite.derivePreviewSecrets = function (seeds) { + return Hash.getSecrets('pad', Invite.derivePreviewHash(seeds)); }; - Invite.derivePreviewHash = function (preview_seed) { - preview_seed = preview_seed; + Invite.deriveSalt = function (password, instance_salt) { + return (password || '') + (instance_salt || ''); }; + // seed => bytes64 + Invite.deriveBytes = function (scrypt_seed, salt, cb) { + Scrypt(scrypt_seed, + salt, + 8, // memoryCost (n) + 1024, // block size parameter (r) + 192, // dkLen + 200, // interruptStep + cb, + 'base64'); // format, could be 'base64' + }; return Invite; }; if (typeof(module) !== 'undefined' && module.exports) { module.exports = factory( require("../common-hash"), require("tweetnacl/nacl-fast"), - require("../common-util"), - require("../common-credential.js"), - require("nthen") + require("scrypt-async") ); } else if ((typeof(define) !== 'undefined' && define !== null) && (define.amd !== null)) { define([ '/common/common-hash.js', - '/common/common-util.js', - '/common/common-credential.js', - '/bower_components/nthen/index.js', '/bower_components/tweetnacl/nacl-fast.min.js', - ], function (Hash, Util, Cred, nThen) { - return factory(Hash, window.nacl, Util, Cred, nThen); + '/bower_components/scrypt_async/scrypt-async.min.js', + ], function (Hash /*, Nacl, Scrypt */) { + return factory(Hash, window.nacl, window.Scrypt); }); } }()); diff --git a/www/teams/inner.js b/www/teams/inner.js index 6b8fb35e7..07f27b09f 100644 --- a/www/teams/inner.js +++ b/www/teams/inner.js @@ -18,7 +18,6 @@ define([ '/common/invitation.js', '/customize/messages.js', - '/bower_components/scrypt-async/scrypt-async.min.js', 'css!/bower_components/bootstrap/dist/css/bootstrap.min.css', 'css!/bower_components/components-font-awesome/css/font-awesome.min.css', 'less!/teams/app-team.less', @@ -45,7 +44,6 @@ define([ var APP = {}; var driveAPP = {}; //var SHARED_FOLDER_NAME = Messages.fm_sharedFolderName; - var Scrypt = window.scrypt; var copyObjectValue = function (objRef, objToCopy) { for (var k in objRef) { delete objRef[k]; } @@ -1062,17 +1060,10 @@ define([ ])); setTimeout(waitFor(), 150); }).nThen(function (waitFor) { - // XXX ansuz InviteInner.deriveBytes - Scrypt(seeds.scrypt, - (pw || '') + (AppConfig.loginSalt || ''), // salt - 8, // memoryCost (n) - 1024, // block size parameter (r) - 192, // dkLen - 200, // interruptStep - waitFor(function (_bytes) { - bytes64 = _bytes; - }), - 'base64'); // format, could be 'base64' + var salt = InviteInner.deriveSalt(pw, AppConfig.loginSalt); + InviteInner.deriveBytes(seeds.scrypt, salt, waitFor(function (bytes) { + bytes64 = bytes; + })); }).nThen(function (waitFor) { APP.module.execCommand('GET_LINK_DATA', { bytes64: bytes64,