Page MenuHomePhabricator
Differential D5738

[keyserver] APIs for starting client side of PAKE login
ClosedPublic
Actions

Authored by varun on Nov 28 2022, 7:47 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Mar 3, 4:03 AM
Unknown Object (File)
Mon, Mar 3, 3:54 AM
Unknown Object (File)
Thu, Feb 27, 11:41 AM
Unknown Object (File)
Tue, Feb 25, 6:23 AM
Unknown Object (File)
Feb 17 2025, 3:44 PM
Unknown Object (File)
Feb 17 2025, 3:44 PM
Unknown Object (File)
Feb 12 2025, 8:28 PM
Unknown Object (File)
Feb 12 2025, 8:28 PM
View All Files
Subscribers
ashoat
bartek

Details

Reviewers
tomek
bartek
jon
Commits
rCOMMcaa99e1a7aa0: [keyserver] APIs for starting client side of PAKE login
Summary

using Neon to surface the Rust opaque-ke "client login start" API to Node.js, along with some getters

Test Plan

called the new APIs from a Node module and confirmed the results

Diff Detail

Repository
rCOMM Comm
Branch
master
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

varun created this revision.Nov 28 2022, 7:47 AM
Herald added a subscriber: ashoat. · View Herald TranscriptNov 28 2022, 7:47 AM
varun added a parent revision: D5737: [keyserver] more APIs for finishing client side of PAKE registration.Nov 28 2022, 7:57 AM
varun added a child revision: D5739: [keyserver] APIs for finishing client side of PAKE login.
Harbormaster completed remote builds in B13790: Diff 18881.Nov 28 2022, 8:01 AM
varun requested review of this revision.Nov 28 2022, 8:01 AM
atul added a reviewer: bartek.Nov 28 2022, 2:53 PM
atul added a subscriber: bartek.

(Think it probably makes sense to add @bartek to your Rust diffs even if he doesn't have full context on identity stuff? CC @ashoat @tomek who probably have a better idea)

atul resigned from this revision.Nov 28 2022, 3:53 PM

Don't have context + enough rust knowledge here

varun updated this revision to Diff 18994.Nov 29 2022, 11:32 PM

change js functions to camelCase

Harbormaster failed remote builds in B13870: Diff 18994!Nov 29 2022, 11:33 PM
varun edited reviewers, added: jon; removed: atul. varun added 2 blocking reviewer(s): tomek, bartek.Nov 29 2022, 11:35 PM
varun updated this revision to Diff 18999.Nov 29 2022, 11:49 PM

rebase

Harbormaster completed remote builds in B13875: Diff 18999.Nov 30 2022, 12:01 AM
tomek accepted this revision.Nov 30 2022, 5:27 AM
tomek added inline comments.
keyserver/addons/opaque-ke-node/src/lib.rs
154–177 ↗(On Diff #18999)

These two seem to be almost identical. Can we somehow share the logic between them?

bartek accepted this revision.Nov 30 2022, 5:44 AM
bartek added inline comments.
keyserver/addons/opaque-ke-node/src/lib.rs
154–177 ↗(On Diff #18999)

I'm wondering if it would be worth implementing this API in a more object-oriented way.

// in JS, instead of
const startResult = clientLoginStart(...);
const loginStateArray = getLoginStartStateArray(startResult);
const loginMessageArray = getLoginStartMessageArray(startResult);

// do this
const startResult = clientLoginStart(...);
const loginStateArray = startResult.getStateArray();
const loginMessageArray = startResult.getMessageArray();

But not sure how could this affect the complexity/readibility of this code and if it is even convenient to mix JsBox and JsObject

jon accepted this revision.Nov 30 2022, 11:47 AM

I think the object oriented way is a bit cleaner, especially if everything needs to go through a context object anyway.

Personally I'm not a fan of get in method names, generally it's implied.

This revision is now accepted and ready to land.Nov 30 2022, 11:47 AM
varun added inline comments.Nov 30 2022, 1:00 PM
keyserver/addons/opaque-ke-node/src/lib.rs
154–177 ↗(On Diff #18999)

I wanted to do this in a more object-oriented way, but I couldn't figure out how to get data from a JsBox on the javascript side

154–177 ↗(On Diff #18999)

These two seem to be almost identical. Can we somehow share the logic between them?

Can't think of a good way besides introducing an enum as a function param, but that adds a different kind of complexity...

https://linear.app/comm/issue/ENG-2384/improve-the-opaque-ke-node-library

varun added a comment.Nov 30 2022, 1:01 PM
In D5738#172368, @jon wrote:

I think the object oriented way is a bit cleaner, especially if everything needs to go through a context object anyway.

Personally I'm not a fan of get in method names, generally it's implied.

https://linear.app/comm/issue/ENG-2384/improve-the-opaque-ke-node-library

Closed by commit rCOMMcaa99e1a7aa0: [keyserver] APIs for starting client side of PAKE login (authored by varun). · Explain WhyNov 30 2022, 1:04 PM
This revision was automatically updated to reflect the committed changes.
varun added a commit: rCOMMcaa99e1a7aa0: [keyserver] APIs for starting client side of PAKE login.

Revision Contents
Changeset List

PathSize
keyserver/
addons/
opaque-ke-node/
src/
61 lines

Diff 18881

View Options

keyserver/addons/opaque-ke-node/src/lib.rs

syntax = "proto3"; syntax = "proto3";
package identity; package identity;
service IdentityService { service IdentityService {
rpc AuthenticateUser(stream AuthenticationRequest) returns (stream AuthenticationResponse) {} // Called by user to register with the Identity Service (PAKE only)
rpc RegisterUser(stream RegistrationRequest) returns (RegistrationResponse) {}
// Called by user to create an active session and get an access token
rpc LoginUser(stream LoginRequest) returns (LoginResponse) {}
// Called by other services to get a user's token
rpc GetUserToken(GetUserTokenRequest) returns (GetUserTokenResponse) {}
} }
// Helper types // Helper types
message PakeRegistrationRequestAndUserID { message PakeRegistrationRequestAndUserID {
string userID = 1; string userID = 1;
bytes pakeRegistrationRequest = 2; bytes pakeRegistrationRequest = 2;
} }
message PakeAuthenticationRequestData { message pakeCredentialRequestAndUserID {
string userID = 1;
bytes pakeCredentialRequest = 2;
}
message PakeLoginRequest {
oneof data { oneof data {
PakeRegistrationRequestAndUserID pakeRegistrationRequestAndUserID = 1; pakeCredentialRequestAndUserID pakeCredentialRequestAndUserID = 1;
bytes pakeRegistrationUpload = 2; bytes pakeCredentialFinalization = 2;
bytes pakeCredentialRequest = 3;
bytes pakeCredentialFinalization = 4;
bytes pakeClientMAC = 5;
} }
} }
message WalletAuthenticationRequestData { message PakeLoginResponse {
bytes pakeCredentialResponse = 1;
}
message WalletLoginRequest {
string userID = 1; string userID = 1;
string walletAddress = 2; string walletAddress = 2;
bytes signedMessage = 3; bytes signedMessage = 3;
} }
message WalletAuthenticationResponseData { message WalletLoginResponse {
bool success = 1; bytes token = 1;
} }
message PakeAuthenticationResponseData { // RegisterUser
message RegistrationRequest {
oneof data { oneof data {
bytes pakeRegistrationResponse = 1; PakeRegistrationRequestAndUserID pakeRegistrationRequestAndUserID = 1;
bool pakeRegistrationSuccess = 2; bytes pakeRegistrationUpload = 2;
bytes pakeCredentialResponse = 3;
bytes pakeServerMAC = 4;
} }
} }
// AuthenticateUser message RegistrationResponse {
bytes pakeRegistrationResponse = 1;
}
// LoginUser
message AuthenticationRequest { message LoginRequest {
oneof data { oneof data {
PakeAuthenticationRequestData pakeAuthenticationRequestData = 1; PakeLoginRequest pakeLoginRequest = 1;
WalletAuthenticationRequestData walletAuthenticationRequestData = 2; WalletLoginRequest walletLoginRequest = 2;
} }
} }
message AuthenticationResponse { message LoginResponse {
oneof data { oneof data {
PakeAuthenticationResponseData pakeAuthenticationResponseData = 1; PakeLoginResponse pakeLoginResponse = 1;
WalletAuthenticationResponseData walletAuthenticationResponseData = 2; WalletLoginResponse walletLoginResponse = 2;
} }
} }
// GetUserToken
message GetUserTokenRequest {
string userID = 1;
}
message GetUserTokenResponse {
bytes token = 2;
}
/**
* Database - Structure:
* token
* userID[PK] string
* created timestamp
* token bytes
* registrationData bytes
* valid boolean
*/
/**
* Database - Description:
* token - tokens assigned to users along with the data necessary to retrieve
* them
* `created` - when the token was created
* `registrationData` - serialized data described by one of the
* following structures
* { authType: 'password', pakePasswordCiphertext: string }
* { authType: 'wallet', walletAddress: string }
* `valid` - false if the token has been revoked
*/