hydroxide-push/protonmail/auth.go

package protonmail

import (
	"encoding/base64"
	"errors"
	"net/http"
	"strings"
	"time"

	"golang.org/x/crypto/openpgp"
)

type authInfoReq struct {
	ClientID     string
	ClientSecret string
	Username     string
}

type AuthInfo struct {
	TwoFactor       int
	version         int
	modulus         string
	serverEphemeral string
	salt            string
	srpSession      string
}

type AuthInfoResp struct {
	resp
	AuthInfo
	Version         int
	Modulus         string
	ServerEphemeral string
	Salt            string
	SRPSession      string
}

func (resp *AuthInfoResp) authInfo() *AuthInfo {
	info := &resp.AuthInfo
	info.version = resp.Version
	info.modulus = resp.Modulus
	info.serverEphemeral = resp.ServerEphemeral
	info.salt = resp.Salt
	info.srpSession = resp.SRPSession
	return info
}

func (c *Client) AuthInfo(username string) (*AuthInfo, error) {
	reqData := &authInfoReq{
		ClientID:     c.ClientID,
		ClientSecret: c.ClientSecret,
		Username:     username,
	}

	req, err := c.newJSONRequest(http.MethodPost, "/auth/info", reqData)
	if err != nil {
		return nil, err
	}

	var respData AuthInfoResp
	if err := c.doJSON(req, &respData); err != nil {
		return nil, err
	}

	return respData.authInfo(), nil
}

type authReq struct {
	ClientID        string
	ClientSecret    string
	Username        string
	SRPSession      string
	ClientEphemeral string
	ClientProof     string
	TwoFactorCode   string
}

type PasswordMode int

const (
	PasswordSingle PasswordMode = 1
	PasswordTwo                 = 2
)

type Auth struct {
	ExpiresAt    time.Time
	Scope        string
	UID          string `json:"Uid"`
	RefreshToken string
	EventID      string
	PasswordMode PasswordMode

	accessToken string
	privateKey  string
	keySalt     string
}

type authResp struct {
	resp
	Auth
	ExpiresIn   int
	AccessToken string
	TokenType   string
	ServerProof string
	PrivateKey  string
	KeySalt     string
}

func (resp *authResp) auth() *Auth {
	auth := &resp.Auth
	auth.ExpiresAt = time.Now().Add(time.Duration(resp.ExpiresIn) * time.Second)
	auth.accessToken = resp.AccessToken
	auth.privateKey = resp.PrivateKey
	auth.keySalt = resp.KeySalt
	return auth
}

func (c *Client) Auth(username, password, twoFactorCode string, info *AuthInfo) (*Auth, error) {
	if info == nil {
		var err error
		if info, err = c.AuthInfo(username); err != nil {
			return nil, err
		}
	}

	proofs, err := srp([]byte(password), info)
	if err != nil {
		return nil, err
	}

	reqData := &authReq{
		ClientID:        c.ClientID,
		ClientSecret:    c.ClientSecret,
		Username:        username,
		SRPSession:      info.srpSession,
		ClientEphemeral: base64.StdEncoding.EncodeToString(proofs.clientEphemeral),
		ClientProof:     base64.StdEncoding.EncodeToString(proofs.clientProof),
		TwoFactorCode:   twoFactorCode,
	}

	req, err := c.newJSONRequest(http.MethodPost, "/auth", reqData)
	if err != nil {
		return nil, err
	}

	var respData authResp
	if err := c.doJSON(req, &respData); err != nil {
		return nil, err
	}

	if err := proofs.VerifyServerProof(respData.ServerProof); err != nil {
		return nil, err
	}

	return respData.auth(), nil
}

type authRefreshReq struct {
	ClientID     string
	UID          string `json:"Uid"`
	RefreshToken string

	// Unused but required
	ResponseType string
	GrantType    string
	RedirectURI  string
	State        string
}

func (c *Client) AuthRefresh(expiredAuth *Auth) (*Auth, error) {
	reqData := &authRefreshReq{
		ClientID:     c.ClientID,
		UID:          expiredAuth.UID,
		RefreshToken: expiredAuth.RefreshToken,
	}

	req, err := c.newJSONRequest(http.MethodPost, "/auth/refresh", reqData)
	if err != nil {
		return nil, err
	}

	var respData authResp
	if err := c.doJSON(req, &respData); err != nil {
		return nil, err
	}

	auth := respData.auth()
	//auth.EventID = expiredAuth.EventID
	auth.PasswordMode = expiredAuth.PasswordMode
	return auth, nil
}

func (c *Client) Unlock(auth *Auth, passphrase string) (openpgp.EntityList, error) {
	passphraseBytes := []byte(passphrase)
	if auth.PasswordMode == PasswordSingle {
		keySalt, err := base64.StdEncoding.DecodeString(auth.keySalt)
		if err != nil {
			return nil, err
		}

		passphraseBytes, err = computeKeyPassword(passphraseBytes, keySalt)
		if err != nil {
			return nil, err
		}
	}

	keyRing, err := openpgp.ReadArmoredKeyRing(strings.NewReader(auth.privateKey))
	if err != nil {
		return nil, err
	}
	if len(keyRing) == 0 {
		return nil, errors.New("auth key ring is empty")
	}

	for _, e := range keyRing {
		if err := e.PrivateKey.Decrypt(passphraseBytes); err != nil {
			return nil, err
		}
	}

	c.uid = auth.UID
	c.accessToken = auth.accessToken
	c.keyRing = keyRing
	return keyRing, nil
}

func (c *Client) Logout() error {
	req, err := c.newRequest(http.MethodDelete, "/auth", nil)
	if err != nil {
		return err
	}

	if err := c.doJSON(req, nil); err != nil {
		return err
	}

	c.uid = ""
	c.accessToken = ""
	c.keyRing = nil
	return nil
}
Add authentication support 2017-08-22 01:04:16 +03:00			`package protonmail`

			`import (`
			`"encoding/base64"`
Add Client.Unlock 2017-08-22 11:36:43 +03:00			`"errors"`
Add authentication support 2017-08-22 01:04:16 +03:00			`"net/http"`
Add Client.Unlock 2017-08-22 11:36:43 +03:00			`"strings"`
Change Client.AuthRefresh to take an Auth 2017-08-22 13:23:58 +03:00			`"time"`
Add authentication support 2017-08-22 01:04:16 +03:00
Add Client.Unlock 2017-08-22 11:36:43 +03:00			`"golang.org/x/crypto/openpgp"`
Add authentication support 2017-08-22 01:04:16 +03:00			`)`

			`type authInfoReq struct {`
go fmt 2017-08-22 11:16:20 +03:00			`ClientID string`
Add authentication support 2017-08-22 01:04:16 +03:00			`ClientSecret string`
go fmt 2017-08-22 11:16:20 +03:00			`Username string`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

Add AuthInfoResp.authInfo 2017-08-22 10:21:50 +03:00			`type AuthInfo struct {`
go fmt 2017-08-22 11:16:20 +03:00			`TwoFactor int`
			`version int`
			`modulus string`
Add AuthInfoResp.authInfo 2017-08-22 10:21:50 +03:00			`serverEphemeral string`
go fmt 2017-08-22 11:16:20 +03:00			`salt string`
			`srpSession string`
Add AuthInfoResp.authInfo 2017-08-22 10:21:50 +03:00			`}`

Add authentication support 2017-08-22 01:04:16 +03:00			`type AuthInfoResp struct {`
			`resp`
Add AuthInfoResp.authInfo 2017-08-22 10:21:50 +03:00			`AuthInfo`
go fmt 2017-08-22 11:16:20 +03:00			`Version int`
			`Modulus string`
Add authentication support 2017-08-22 01:04:16 +03:00			`ServerEphemeral string`
go fmt 2017-08-22 11:16:20 +03:00			`Salt string`
			`SRPSession string`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

Add AuthInfoResp.authInfo 2017-08-22 10:21:50 +03:00			`func (resp AuthInfoResp) authInfo() AuthInfo {`
			`info := &resp.AuthInfo`
			`info.version = resp.Version`
			`info.modulus = resp.Modulus`
			`info.serverEphemeral = resp.ServerEphemeral`
			`info.salt = resp.Salt`
			`info.srpSession = resp.SRPSession`
			`return info`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

			`func (c Client) AuthInfo(username string) (AuthInfo, error) {`
			`reqData := &authInfoReq{`
go fmt 2017-08-22 11:16:20 +03:00			`ClientID: c.ClientID,`
Add authentication support 2017-08-22 01:04:16 +03:00			`ClientSecret: c.ClientSecret,`
go fmt 2017-08-22 11:16:20 +03:00			`Username: username,`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

			`req, err := c.newJSONRequest(http.MethodPost, "/auth/info", reqData)`
			`if err != nil {`
			`return nil, err`
			`}`

			`var respData AuthInfoResp`
			`if err := c.doJSON(req, &respData); err != nil {`
			`return nil, err`
			`}`

Add AuthInfoResp.authInfo 2017-08-22 10:21:50 +03:00			`return respData.authInfo(), nil`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

			`type authReq struct {`
go fmt 2017-08-22 11:16:20 +03:00			`ClientID string`
			`ClientSecret string`
			`Username string`
			`SRPSession string`
Add authentication support 2017-08-22 01:04:16 +03:00			`ClientEphemeral string`
go fmt 2017-08-22 11:16:20 +03:00			`ClientProof string`
			`TwoFactorCode string`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

			`type PasswordMode int`

			`const (`
			`PasswordSingle PasswordMode = 1`
go fmt 2017-08-22 11:16:20 +03:00			`PasswordTwo = 2`
Add authentication support 2017-08-22 01:04:16 +03:00			`)`

Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`type Auth struct {`
Change Client.AuthRefresh to take an Auth 2017-08-22 13:23:58 +03:00			`ExpiresAt time.Time`
go fmt 2017-08-22 11:16:20 +03:00			`Scope string`
			UID string `json:"Uid"`
Add authentication support 2017-08-22 01:04:16 +03:00			`RefreshToken string`
go fmt 2017-08-22 11:16:20 +03:00			`EventID string`
Add authentication support 2017-08-22 01:04:16 +03:00			`PasswordMode PasswordMode`
Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00
Add Client.Unlock 2017-08-22 11:36:43 +03:00			`accessToken string`
			`privateKey string`
			`keySalt string`
Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`}`

			`type authResp struct {`
			`resp`
			`Auth`
Change Client.AuthRefresh to take an Auth 2017-08-22 13:23:58 +03:00			`ExpiresIn int`
Add Client.Unlock 2017-08-22 11:36:43 +03:00			`AccessToken string`
			`TokenType string`
Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`ServerProof string`
go fmt 2017-08-22 11:16:20 +03:00			`PrivateKey string`
			`KeySalt string`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`func (resp authResp) auth() Auth {`
			`auth := &resp.Auth`
Change Client.AuthRefresh to take an Auth 2017-08-22 13:23:58 +03:00			`auth.ExpiresAt = time.Now().Add(time.Duration(resp.ExpiresIn) * time.Second)`
Add Client.Unlock 2017-08-22 11:36:43 +03:00			`auth.accessToken = resp.AccessToken`
Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`auth.privateKey = resp.PrivateKey`
			`auth.keySalt = resp.KeySalt`
			`return auth`
			`}`

			`func (c Client) Auth(username, password, twoFactorCode string, info AuthInfo) (*Auth, error) {`
Add authentication support 2017-08-22 01:04:16 +03:00			`if info == nil {`
			`var err error`
			`if info, err = c.AuthInfo(username); err != nil {`
Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`return nil, err`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`
			`}`

			`proofs, err := srp([]byte(password), info)`
			`if err != nil {`
Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`return nil, err`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

			`reqData := &authReq{`
go fmt 2017-08-22 11:16:20 +03:00			`ClientID: c.ClientID,`
			`ClientSecret: c.ClientSecret,`
			`Username: username,`
			`SRPSession: info.srpSession,`
Add authentication support 2017-08-22 01:04:16 +03:00			`ClientEphemeral: base64.StdEncoding.EncodeToString(proofs.clientEphemeral),`
go fmt 2017-08-22 11:16:20 +03:00			`ClientProof: base64.StdEncoding.EncodeToString(proofs.clientProof),`
			`TwoFactorCode: twoFactorCode,`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

			`req, err := c.newJSONRequest(http.MethodPost, "/auth", reqData)`
			`if err != nil {`
Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`return nil, err`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

			`var respData authResp`
			`if err := c.doJSON(req, &respData); err != nil {`
Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`return nil, err`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

			`if err := proofs.VerifyServerProof(respData.ServerProof); err != nil {`
Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`return nil, err`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`

Add Auth, add computeKeyPassword 2017-08-22 10:41:47 +03:00			`return respData.auth(), nil`
Add authentication support 2017-08-22 01:04:16 +03:00			`}`
Add Client.Unlock 2017-08-22 11:36:43 +03:00
Add Client.AuthRefresh 2017-08-22 11:51:48 +03:00			`type authRefreshReq struct {`
Add more contacts API endpoints 2017-08-22 14:22:27 +03:00			`ClientID string`
			UID string `json:"Uid"`
Add Client.AuthRefresh 2017-08-22 11:51:48 +03:00			`RefreshToken string`
Fix Client.AuthRefresh 2017-08-22 13:07:31 +03:00
			`// Unused but required`
			`ResponseType string`
Add more contacts API endpoints 2017-08-22 14:22:27 +03:00			`GrantType string`
			`RedirectURI string`
			`State string`
Add Client.AuthRefresh 2017-08-22 11:51:48 +03:00			`}`

Change Client.AuthRefresh to take an Auth 2017-08-22 13:23:58 +03:00			`func (c Client) AuthRefresh(expiredAuth Auth) (*Auth, error) {`
Add Client.AuthRefresh 2017-08-22 11:51:48 +03:00			`reqData := &authRefreshReq{`
Add more contacts API endpoints 2017-08-22 14:22:27 +03:00			`ClientID: c.ClientID,`
			`UID: expiredAuth.UID,`
			`RefreshToken: expiredAuth.RefreshToken,`
Add Client.AuthRefresh 2017-08-22 11:51:48 +03:00			`}`

			`req, err := c.newJSONRequest(http.MethodPost, "/auth/refresh", reqData)`
			`if err != nil {`
			`return nil, err`
			`}`

			`var respData authResp`
			`if err := c.doJSON(req, &respData); err != nil {`
			`return nil, err`
			`}`

Change Client.AuthRefresh to take an Auth 2017-08-22 13:23:58 +03:00			`auth := respData.auth()`
			`//auth.EventID = expiredAuth.EventID`
			`auth.PasswordMode = expiredAuth.PasswordMode`
			`return auth, nil`
Add Client.AuthRefresh 2017-08-22 11:51:48 +03:00			`}`

			`func (c Client) Unlock(auth Auth, passphrase string) (openpgp.EntityList, error) {`
			`passphraseBytes := []byte(passphrase)`
Add Client.Unlock 2017-08-22 11:36:43 +03:00			`if auth.PasswordMode == PasswordSingle {`
			`keySalt, err := base64.StdEncoding.DecodeString(auth.keySalt)`
			`if err != nil {`
			`return nil, err`
			`}`

Add Client.AuthRefresh 2017-08-22 11:51:48 +03:00			`passphraseBytes, err = computeKeyPassword(passphraseBytes, keySalt)`
Add Client.Unlock 2017-08-22 11:36:43 +03:00			`if err != nil {`
			`return nil, err`
			`}`
			`}`

			`keyRing, err := openpgp.ReadArmoredKeyRing(strings.NewReader(auth.privateKey))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if len(keyRing) == 0 {`
			`return nil, errors.New("auth key ring is empty")`
			`}`

			`for _, e := range keyRing {`
Add Client.AuthRefresh 2017-08-22 11:51:48 +03:00			`if err := e.PrivateKey.Decrypt(passphraseBytes); err != nil {`
Add Client.Unlock 2017-08-22 11:36:43 +03:00			`return nil, err`
			`}`
			`}`

			`c.uid = auth.UID`
			`c.accessToken = auth.accessToken`
			`c.keyRing = keyRing`
			`return keyRing, nil`
			`}`
Add Client.Logout 2017-08-22 12:19:21 +03:00
			`func (c *Client) Logout() error {`
			`req, err := c.newRequest(http.MethodDelete, "/auth", nil)`
			`if err != nil {`
			`return err`
			`}`

			`if err := c.doJSON(req, nil); err != nil {`
			`return err`
			`}`

			`c.uid = ""`
			`c.accessToken = ""`
			`c.keyRing = nil`
			`return nil`
			`}`