get pubkey and encrypt password on login (#1965)

* get pubkey and encrypt password on login * only encrypt password if insecure context * fix logic * fix secure context conditional * get-pubkey to auth api * save two lines * feat: Add the backend to the ui (#1968) * hide app show if insecure and update copy for LAN * show install progress when insecure and prevent backup and restore * ask remove USB Co-authored-by: Matt Hill <matthewonthemoon@gmail.com> Co-authored-by: J M <2364004+Blu-J@users.noreply.github.com>
2026-03-30 04:01:58 +00:00 · 2022-11-26 09:47:00 -07:00
parent bd4c431eb4
commit 9146c31abf
24 changed files with 381 additions and 170 deletions
--- a/backend/src/context/cli.rs
+++ b/backend/src/context/cli.rs
@@ -7,6 +7,7 @@ use std::sync::Arc;
 use clap::ArgMatches;
 use color_eyre::eyre::eyre;
 use cookie_store::CookieStore;
+use josekit::jwk::Jwk;
 use reqwest::Proxy;
 use reqwest_cookie_store::CookieStoreMutex;
 use rpc_toolkit::reqwest::{Client, Url};
@@ -18,6 +19,8 @@ use tracing::instrument;
 use crate::util::config::{load_config_from_paths, local_config_path};
 use crate::ResultExt;

+use super::setup::CURRENT_SECRET;
+
 #[derive(Debug, Default, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct CliContextConfig {
@@ -126,6 +129,11 @@ impl CliContext {
        })))
    }
 }
+impl AsRef<Jwk> for CliContext {
+    fn as_ref(&self) -> &Jwk {
+        &*CURRENT_SECRET
+    }
+}
 impl std::ops::Deref for CliContext {
    type Target = CliContextSeed;
    fn deref(&self) -> &Self::Target {
--- a/backend/src/context/rpc.rs
+++ b/backend/src/context/rpc.rs
@@ -8,6 +8,7 @@ use std::time::Duration;

 use bollard::Docker;
 use helpers::to_tmp_path;
+use josekit::jwk::Jwk;
 use patch_db::json_ptr::JsonPointer;
 use patch_db::{DbHandle, LockReceipt, LockType, PatchDb, Revision};
 use reqwest::Url;
@@ -36,6 +37,8 @@ use crate::status::{MainStatus, Status};
 use crate::util::config::load_config_from_paths;
 use crate::{Error, ErrorKind, ResultExt};

+use super::setup::CURRENT_SECRET;
+
 #[derive(Debug, Default, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct RpcContextConfig {
@@ -134,6 +137,7 @@ pub struct RpcContextSeed {
    pub open_authed_websockets: Mutex<BTreeMap<HashSessionToken, Vec<oneshot::Sender<()>>>>,
    pub rpc_stream_continuations: Mutex<BTreeMap<RequestGuid, RpcContinuation>>,
    pub wifi_manager: Option<Arc<RwLock<WpaCli>>>,
+    pub current_secret: Arc<Jwk>,
 }

 pub struct RpcCleanReceipts {
@@ -269,6 +273,16 @@ impl RpcContext {
            wifi_manager: base
                .wifi_interface
                .map(|i| Arc::new(RwLock::new(WpaCli::init(i)))),
+            current_secret: Arc::new(
+                Jwk::generate_ec_key(josekit::jwk::alg::ec::EcCurve::P256).map_err(|e| {
+                    tracing::debug!("{:?}", e);
+                    tracing::error!("Couldn't generate ec key");
+                    Error::new(
+                        color_eyre::eyre::eyre!("Couldn't generate ec key"),
+                        crate::ErrorKind::Unknown,
+                    )
+                })?,
+            ),
        });

        let res = Self(seed);
@@ -424,6 +438,11 @@ impl RpcContext {
        }
    }
 }
+impl AsRef<Jwk> for RpcContext {
+    fn as_ref(&self) -> &Jwk {
+        &*CURRENT_SECRET
+    }
+}
 impl Context for RpcContext {}
 impl Deref for RpcContext {
    type Target = RpcContextSeed;
--- a/backend/src/context/setup.rs
+++ b/backend/src/context/setup.rs
@@ -22,6 +22,14 @@ use crate::setup::{password_hash, SetupStatus};
 use crate::util::config::load_config_from_paths;
 use crate::{Error, ResultExt};

+lazy_static::lazy_static! {
+    pub static ref CURRENT_SECRET: Jwk = Jwk::generate_ec_key(josekit::jwk::alg::ec::EcCurve::P256).unwrap_or_else(|e| {
+        tracing::debug!("{:?}", e);
+        tracing::error!("Couldn't generate ec key");
+        panic!("Couldn't generate ec key")
+    });
+}
+
 #[derive(Clone, Serialize, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct SetupResult {
@@ -69,9 +77,6 @@ pub struct SetupContextSeed {
    pub migration_prefetch_rows: usize,
    pub shutdown: Sender<()>,
    pub datadir: PathBuf,
-    /// Used to encrypt for hidding from snoopers for setups create password
-    /// Set via path
-    pub current_secret: Arc<Jwk>,
    pub selected_v2_drive: RwLock<Option<PathBuf>>,
    pub cached_product_key: RwLock<Option<Arc<String>>>,
    pub setup_status: RwLock<Option<Result<SetupStatus, RpcError>>>,
@@ -80,7 +85,7 @@ pub struct SetupContextSeed {

 impl AsRef<Jwk> for SetupContextSeed {
    fn as_ref(&self) -> &Jwk {
-        &self.current_secret
+        &*CURRENT_SECRET
    }
 }

@@ -99,16 +104,6 @@ impl SetupContext {
            migration_prefetch_rows: cfg.migration_prefetch_rows.unwrap_or(100_000),
            shutdown,
            datadir,
-            current_secret: Arc::new(
-                Jwk::generate_ec_key(josekit::jwk::alg::ec::EcCurve::P256).map_err(|e| {
-                    tracing::debug!("{:?}", e);
-                    tracing::error!("Couldn't generate ec key");
-                    Error::new(
-                        color_eyre::eyre::eyre!("Couldn't generate ec key"),
-                        crate::ErrorKind::Unknown,
-                    )
-                })?,
-            ),
            selected_v2_drive: RwLock::new(None),
            cached_product_key: RwLock::new(None),
            setup_status: RwLock::new(None),