max / synckit-client

7.6 KB · 225 lines History Blame Raw

1	use bytes::Bytes;
2	use std::sync::Arc;
3	use tracing::instrument;
4
5	use crate::{
6	crypto,
7	error::Result,
8	keystore,
9	types::*,
10	};
11
12	use super::SyncKitClient;
13	use super::helpers::check_response;
14
15	impl SyncKitClient {
16	/// Check if the server has an encrypted master key for this user.
17	#[instrument(skip(self))]
18	pub async fn has_server_key(&self) -> Result<bool> {
19	let (url, token) = self.key_url_and_token()?;
20
21	let result = self
22	.retry_request(\|\| {
23	let req = self.http.get(url).bearer_auth(&token);
24	async move {
25	let resp = req.send().await?;
26	match resp.status().as_u16() {
27	200 \| 404 => Ok(resp),
28	status => {
29	let message = resp.text().await.unwrap_or_default();
30	Err(crate::error::SyncKitError::Server { status, message })
31	}
32	}
33	}
34	})
35	.await?;
36
37	Ok(result.status().as_u16() == 200)
38	}
39
40	/// First device: generate a new master key, encrypt it, push to server, cache in keychain.
41	#[instrument(skip(self, password))]
42	pub async fn setup_encryption_new(&self, password: &str) -> Result<()> {
43	let (app_id, user_id) = self.require_session_ids()?;
44
45	let master_key = crypto::generate_master_key();
46	let envelope = crypto::wrap_master_key(&master_key, password)?;
47
48	// Push to server
49	self.put_server_key(&envelope).await?;
50
51	// Cache in OS keychain
52	keystore::store_key(app_id, user_id, &master_key)?;
53
54	// Store in memory
55	*self.master_key.write() = Some(crypto::ZeroizeOnDrop(master_key));
56
57	tracing::info!("New master key generated and stored");
58	Ok(())
59	}
60
61	/// Second device: pull encrypted master key from server, decrypt with password, cache.
62	#[instrument(skip(self, password))]
63	pub async fn setup_encryption_existing(&self, password: &str) -> Result<()> {
64	let (app_id, user_id) = self.require_session_ids()?;
65
66	let envelope_json = self.get_server_key().await?;
67	let master_key = crypto::unwrap_master_key(&envelope_json, password)?;
68
69	// Cache in OS keychain
70	keystore::store_key(app_id, user_id, &master_key)?;
71
72	// Store in memory
73	*self.master_key.write() = Some(crypto::ZeroizeOnDrop(master_key));
74
75	tracing::info!("Master key recovered from server");
76	Ok(())
77	}
78
79	/// Subsequent launches: try to load the master key from the OS keychain.
80	/// Returns true if a key was found.
81	pub fn try_load_key_from_keychain(&self) -> Result<bool> {
82	let (app_id, user_id) = self.require_session_ids()?;
83
84	if let Some(key) = keystore::load_key(app_id, user_id)? {
85	*self.master_key.write() = Some(crypto::ZeroizeOnDrop(key));
86	tracing::info!("Master key loaded from keychain");
87	Ok(true)
88	} else {
89	Ok(false)
90	}
91	}
92
93	/// Change the encryption password. Always validates the old password
94	/// against the server envelope before re-encrypting with the new password.
95	///
96	/// Even when the master key is cached in memory (normal case -- user is
97	/// logged in), the old password is verified by attempting to unwrap the
98	/// server envelope. This prevents an attacker with session access from
99	/// changing the password without knowing the current one.
100	#[instrument(skip(self, old_password, new_password))]
101	pub async fn change_password(
102	&self,
103	old_password: &str,
104	new_password: &str,
105	) -> Result<()> {
106	// Always fetch the envelope from the server and verify old_password
107	// can decrypt it, regardless of whether we have a cached key.
108	let envelope_json = self.get_server_key().await?;
109	let verified_key = crypto::verify_password_against_envelope(
110	&envelope_json,
111	old_password,
112	)?;
113
114	let master_key = crypto::ZeroizeOnDrop(verified_key);
115
116	// Re-wrap with new password (generates fresh random salt)
117	let new_envelope = crypto::wrap_master_key(&master_key, new_password)?;
118
119	self.put_server_key(&new_envelope).await?;
120
121	tracing::info!("Encryption password changed");
122	Ok(())
123	}
124
125	/// Build the key endpoint URL and extract the bearer token.
126	pub(super) fn key_url_and_token(&self) -> Result<(&str, Arc<String>)> {
127	let token = self.require_token()?;
128	Ok((&self.endpoints.keys, token))
129	}
130
131	/// Upload the encrypted master key envelope to the server (PUT /api/sync/keys).
132	pub(super) async fn put_server_key(&self, envelope_json: &str) -> Result<()> {
133	let (url, token) = self.key_url_and_token()?;
134
135	let body = Bytes::from(serde_json::to_vec(&PutKeyRequest {
136	encrypted_key: envelope_json.to_string(),
137	})?);
138
139	self.retry_request(\|\| {
140	let req = self
141	.http
142	.put(url)
143	.bearer_auth(&token)
144	.header("content-type", "application/json")
145	.body(body.clone());
146	async move { check_response(req.send().await?).await }
147	})
148	.await?;
149	Ok(())
150	}
151
152	/// Download the encrypted master key envelope from the server (GET /api/sync/keys).
153	pub(super) async fn get_server_key(&self) -> Result<String> {
154	let (url, token) = self.key_url_and_token()?;
155
156	let resp = self
157	.retry_request(\|\| {
158	let req = self.http.get(url).bearer_auth(&token);
159	async move { check_response(req.send().await?).await }
160	})
161	.await?;
162	let key_resp: GetKeyResponse = resp.json().await?;
163	Ok(key_resp.encrypted_key)
164	}
165	}
166
167	#[cfg(test)]
168	mod tests {
169	use crate::error::SyncKitError;
170
171	use super::*;
172
173	fn test_config() -> super::super::SyncKitConfig {
174	super::super::SyncKitConfig {
175	server_url: "https://example.com".to_string(),
176	api_key: "test-api-key-123".to_string(),
177	}
178	}
179
180	fn test_ids() -> (uuid::Uuid, uuid::Uuid) {
181	(
182	uuid::Uuid::parse_str("550e8400-e29b-41d4-a716-446655440000").unwrap(),
183	uuid::Uuid::parse_str("6ba7b810-9dad-11d1-80b4-00c04fd430c8").unwrap(),
184	)
185	}
186
187	#[test]
188	fn key_url_and_token_builds_correct_url() {
189	let client = SyncKitClient::new(test_config());
190	let (app_id, user_id) = test_ids();
191	client.restore_session("bearer-token", user_id, app_id);
192
193	let (url, token) = client.key_url_and_token().unwrap();
194	assert_eq!(url, "https://example.com/api/sync/keys");
195	assert_eq!(*token, "bearer-token");
196	}
197
198	#[test]
199	fn key_url_and_token_fails_without_session() {
200	let client = SyncKitClient::new(test_config());
201	let err = client.key_url_and_token().unwrap_err();
202	assert!(matches!(err, SyncKitError::NotAuthenticated));
203	}
204
205	// ── Key types ──
206
207	#[test]
208	fn put_key_request_serialization() {
209	let req = PutKeyRequest {
210	encrypted_key: "envelope-json-here".to_string(),
211	};
212
213	let json = serde_json::to_string(&req).unwrap();
214	let parsed: serde_json::Value = serde_json::from_str(&json).unwrap();
215	assert_eq!(parsed["encrypted_key"], "envelope-json-here");
216	}
217
218	#[test]
219	fn get_key_response_deserialization() {
220	let json = r#"{"encrypted_key": "{\"v\":1,\"salt\":\"...\",\"nonce\":\"...\",\"ciphertext\":\"...\"}"}"#;
221	let resp: GetKeyResponse = serde_json::from_str(json).unwrap();
222	assert!(resp.encrypted_key.contains("\"v\":1"));
223	}
224	}
225