mirror of
https://github.com/Termix-SSH/Termix.git
synced 2026-07-16 05:13:36 +00:00
e9e30cd318
* Guacd, Docker-Compose, RDP (#475) * fix select edit host but not update view (#438) * fix: Checksum issue with chocolatey * fix: Remove homebrew old stuff * Add Korean translation (#439) Co-authored-by: 송준우 <2484@coreit.co.kr> * feat: Automate flatpak * fix: Add imagemagik to electron builder to resolve build error * fix: Build error with runtime repo flag * fix: Flatpak runtime error and install freedesktop ver warning * fix: Flatpak runtime error and install freedesktop ver warning * feat: Re-add homebrew cask and move scripts to backend * fix: No sandbox flag issue * fix: Change name for electron macos cask output * fix: Sandbox error with Linux * fix: Remove comming soon for app stores in readme * Adding Comment at the end of the public_key on the host on deploy (#440) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * -Add New Interface for Credential DB -Add Credential Name as a comment into the server authorized_key file --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Sudo auto fill password (#441) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Feature Sudo password auto-fill; * Fix locale json shema; --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Added Italian Language; (#445) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Added Italian Language; --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Auto collapse snippet folders (#448) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * feat: Add collapsable snippets (customizable in user profile) * Translations (#447) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Added Italian Language; * Fix translations; Removed duplicate keys, synchronised other languages using English as the source, translated added keys, fixed inaccurate translations. --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Remove PTY-level keepalive (#449) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Remove PTY-level keepalive to prevent unwanted terminal output; use SSH-level keepalive instead --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * feat: add Guacamole support for RDP, VNC, and Telnet connections - Implemented WebSocket support for Guacamole in Nginx configuration. - Added REST API endpoints for generating connection tokens and checking guacd status. - Created Guacamole server using guacamole-lite for handling connections. - Developed frontend components for testing RDP/VNC connections and displaying the remote session. - Updated package dependencies to include guacamole-common-js and guacamole-lite. - Enhanced logging for Guacamole operations. * feat: enhance Guacamole support with RDP and VNC connection settings and UI updates * feat: Seperate server stats and tunnel management (improved both UI's) then started initial docker implementation * fix: finalize adding docker to db * fix: merge syntax errors * feat: implement mouse coordinate adjustment based on scale factor in GuacamoleDisplay * feat: add TypeScript definitions for guacamole-common-js module * feat: enhance Mouse.State constructor to accept optional parameters and object destructuring * feat: Add support for RDP and VNC connections in SSH host management - Introduced connectionType field to differentiate between SSH, RDP, VNC, and Telnet in host data structures. - Updated backend routes to handle RDP/VNC specific fields: domain, security, and ignoreCert. - Enhanced the HostManagerEditor to include RDP/VNC specific settings and authentication options. - Implemented token retrieval for RDP/VNC connections using Guacamole API. - Updated UI components to reflect connection type changes and provide appropriate connection buttons. - Removed the GuacamoleTestDialog component as its functionality is integrated into the HostManagerEditor. - Adjusted the TopNavbar and Host components to accommodate new connection types and their respective actions. * feat: Enhance Guacamole integration with extended configuration options - Added detailed Guacamole configuration interface for RDP/VNC/Telnet connections, including display, audio, performance, and session settings. - Implemented logging for token requests and received options for better debugging. - Updated HostManagerEditor to support new Guacamole configuration fields with validation and default values. - Integrated Guacamole configuration parsing in HostManagerViewer and Host components. - Enhanced API requests to include extended Guacamole configuration parameters in the token request. - Refactored code to convert camelCase configuration keys to kebab-case for compatibility with Guacamole API. * feat: merge guacd into 2.0.0 and improve UI for host manager and made general bug fixes --------- Co-authored-by: Tran Trung Kien <kientt13.7@gmail.com> Co-authored-by: LukeGus <bugattiguy527@gmail.com> Co-authored-by: junu <bigdwarf_@naver.com> Co-authored-by: 송준우 <2484@coreit.co.kr> Co-authored-by: SlimGary <trash.slim@gmail.com> Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> Co-authored-by: Nunzio Marfè <nunzio.marfe@protonmail.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: rename api routes and files * feat: improve guacd ui/backend * feat: improve guacd ui/backend * fix: state persistance issues causing refresh * feat: improge guacd connections, fixed telnet not opening, and improved general guacd integration * feat: continue improving integration also with bug fixes * Merge 2.0.0 with 2.0.0 that includes bug fixes (#620) * Guacd, Docker-Compose, RDP (#475) * fix select edit host but not update view (#438) * fix: Checksum issue with chocolatey * fix: Remove homebrew old stuff * Add Korean translation (#439) Co-authored-by: 송준우 <2484@coreit.co.kr> * feat: Automate flatpak * fix: Add imagemagik to electron builder to resolve build error * fix: Build error with runtime repo flag * fix: Flatpak runtime error and install freedesktop ver warning * fix: Flatpak runtime error and install freedesktop ver warning * feat: Re-add homebrew cask and move scripts to backend * fix: No sandbox flag issue * fix: Change name for electron macos cask output * fix: Sandbox error with Linux * fix: Remove comming soon for app stores in readme * Adding Comment at the end of the public_key on the host on deploy (#440) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * -Add New Interface for Credential DB -Add Credential Name as a comment into the server authorized_key file --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Sudo auto fill password (#441) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Feature Sudo password auto-fill; * Fix locale json shema; --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Added Italian Language; (#445) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Added Italian Language; --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Auto collapse snippet folders (#448) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * feat: Add collapsable snippets (customizable in user profile) * Translations (#447) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Added Italian Language; * Fix translations; Removed duplicate keys, synchronised other languages using English as the source, translated added keys, fixed inaccurate translations. --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Remove PTY-level keepalive (#449) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Remove PTY-level keepalive to prevent unwanted terminal output; use SSH-level keepalive instead --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * feat: add Guacamole support for RDP, VNC, and Telnet connections - Implemented WebSocket support for Guacamole in Nginx configuration. - Added REST API endpoints for generating connection tokens and checking guacd status. - Created Guacamole server using guacamole-lite for handling connections. - Developed frontend components for testing RDP/VNC connections and displaying the remote session. - Updated package dependencies to include guacamole-common-js and guacamole-lite. - Enhanced logging for Guacamole operations. * feat: enhance Guacamole support with RDP and VNC connection settings and UI updates * feat: Seperate server stats and tunnel management (improved both UI's) then started initial docker implementation * fix: finalize adding docker to db * fix: merge syntax errors * feat: implement mouse coordinate adjustment based on scale factor in GuacamoleDisplay * feat: add TypeScript definitions for guacamole-common-js module * feat: enhance Mouse.State constructor to accept optional parameters and object destructuring * feat: Add support for RDP and VNC connections in SSH host management - Introduced connectionType field to differentiate between SSH, RDP, VNC, and Telnet in host data structures. - Updated backend routes to handle RDP/VNC specific fields: domain, security, and ignoreCert. - Enhanced the HostManagerEditor to include RDP/VNC specific settings and authentication options. - Implemented token retrieval for RDP/VNC connections using Guacamole API. - Updated UI components to reflect connection type changes and provide appropriate connection buttons. - Removed the GuacamoleTestDialog component as its functionality is integrated into the HostManagerEditor. - Adjusted the TopNavbar and Host components to accommodate new connection types and their respective actions. * feat: Enhance Guacamole integration with extended configuration options - Added detailed Guacamole configuration interface for RDP/VNC/Telnet connections, including display, audio, performance, and session settings. - Implemented logging for token requests and received options for better debugging. - Updated HostManagerEditor to support new Guacamole configuration fields with validation and default values. - Integrated Guacamole configuration parsing in HostManagerViewer and Host components. - Enhanced API requests to include extended Guacamole configuration parameters in the token request. - Refactored code to convert camelCase configuration keys to kebab-case for compatibility with Guacamole API. * feat: merge guacd into 2.0.0 and improve UI for host manager and made general bug fixes --------- Co-authored-by: Tran Trung Kien <kientt13.7@gmail.com> Co-authored-by: LukeGus <bugattiguy527@gmail.com> Co-authored-by: junu <bigdwarf_@naver.com> Co-authored-by: 송준우 <2484@coreit.co.kr> Co-authored-by: SlimGary <trash.slim@gmail.com> Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> Co-authored-by: Nunzio Marfè <nunzio.marfe@protonmail.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: rename api routes and files * feat: improve guacd ui/backend * feat: improve guacd ui/backend * fix: state persistance issues causing refresh * feat: improge guacd connections, fixed telnet not opening, and improved general guacd integration * feat: continue improving integration also with bug fixes --------- Co-authored-by: Wesley Reid <starhound@lostsouls.org> Co-authored-by: Tran Trung Kien <kientt13.7@gmail.com> Co-authored-by: junu <bigdwarf_@naver.com> Co-authored-by: 송준우 <2484@coreit.co.kr> Co-authored-by: SlimGary <trash.slim@gmail.com> Co-authored-by: Nunzio Marfè <nunzio.marfe@protonmail.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: allow customizing guacd backened url * fix: ssh route mistmatching and guacamole url not changing * chore: increment ver * feat: change default to work with default compose, added splits creen support, updated readmes * fix: linux app not starting due to better sqlite isuses, improved copy/paste system so no context menu, added oidc remember me toggle, improved OS detection for sessions, flatpak invalid key, and sharing hosts with other users errors * fix: global settings not setting * chore: update compose * feat: improve the global status input * chore: cleanup files * chore: update export/improt with new host fields * fix: file manager and docker not loading properly --------- Co-authored-by: Wesley Reid <starhound@lostsouls.org> Co-authored-by: Tran Trung Kien <kientt13.7@gmail.com> Co-authored-by: junu <bigdwarf_@naver.com> Co-authored-by: 송준우 <2484@coreit.co.kr> Co-authored-by: SlimGary <trash.slim@gmail.com> Co-authored-by: Nunzio Marfè <nunzio.marfe@protonmail.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
633 lines
16 KiB
TypeScript
633 lines
16 KiB
TypeScript
import crypto from "crypto";
|
|
import { getDb } from "../database/db/index.js";
|
|
import { settings } from "../database/db/schema.js";
|
|
import { eq } from "drizzle-orm";
|
|
import { databaseLogger } from "./logger.js";
|
|
|
|
interface KEKSalt {
|
|
salt: string;
|
|
iterations: number;
|
|
algorithm: string;
|
|
createdAt: string;
|
|
}
|
|
|
|
interface EncryptedDEK {
|
|
data: string;
|
|
iv: string;
|
|
tag: string;
|
|
algorithm: string;
|
|
createdAt: string;
|
|
}
|
|
|
|
interface UserSession {
|
|
dataKey: Buffer;
|
|
expiresAt: number;
|
|
lastActivity?: number;
|
|
}
|
|
|
|
class UserCrypto {
|
|
private static instance: UserCrypto;
|
|
private userSessions: Map<string, UserSession> = new Map();
|
|
private sessionExpiredCallback?: (userId: string) => void;
|
|
|
|
private static readonly PBKDF2_ITERATIONS = 100000;
|
|
private static readonly KEK_LENGTH = 32;
|
|
private static readonly DEK_LENGTH = 32;
|
|
|
|
private constructor() {
|
|
setInterval(
|
|
() => {
|
|
this.cleanupExpiredSessions();
|
|
},
|
|
5 * 60 * 1000,
|
|
);
|
|
}
|
|
|
|
static getInstance(): UserCrypto {
|
|
if (!this.instance) {
|
|
this.instance = new UserCrypto();
|
|
}
|
|
return this.instance;
|
|
}
|
|
|
|
setSessionExpiredCallback(callback: (userId: string) => void): void {
|
|
this.sessionExpiredCallback = callback;
|
|
}
|
|
|
|
async setupUserEncryption(userId: string, password: string): Promise<void> {
|
|
const kekSalt = await this.generateKEKSalt();
|
|
await this.storeKEKSalt(userId, kekSalt);
|
|
|
|
const KEK = this.deriveKEK(password, kekSalt);
|
|
const DEK = crypto.randomBytes(UserCrypto.DEK_LENGTH);
|
|
const encryptedDEK = this.encryptDEK(DEK, KEK);
|
|
await this.storeEncryptedDEK(userId, encryptedDEK);
|
|
|
|
KEK.fill(0);
|
|
DEK.fill(0);
|
|
}
|
|
|
|
async setupOIDCUserEncryption(
|
|
userId: string,
|
|
sessionDurationMs: number,
|
|
): Promise<void> {
|
|
const existingEncryptedDEK = await this.getEncryptedDEK(userId);
|
|
|
|
let DEK: Buffer;
|
|
|
|
if (existingEncryptedDEK) {
|
|
const systemKey = this.deriveOIDCSystemKey(userId);
|
|
DEK = this.decryptDEK(existingEncryptedDEK, systemKey);
|
|
systemKey.fill(0);
|
|
} else {
|
|
DEK = crypto.randomBytes(UserCrypto.DEK_LENGTH);
|
|
const systemKey = this.deriveOIDCSystemKey(userId);
|
|
|
|
try {
|
|
const encryptedDEK = this.encryptDEK(DEK, systemKey);
|
|
await this.storeEncryptedDEK(userId, encryptedDEK);
|
|
|
|
const storedEncryptedDEK = await this.getEncryptedDEK(userId);
|
|
if (
|
|
storedEncryptedDEK &&
|
|
storedEncryptedDEK.data !== encryptedDEK.data
|
|
) {
|
|
DEK.fill(0);
|
|
DEK = this.decryptDEK(storedEncryptedDEK, systemKey);
|
|
} else if (!storedEncryptedDEK) {
|
|
throw new Error("Failed to store and retrieve user encryption key.");
|
|
}
|
|
} finally {
|
|
systemKey.fill(0);
|
|
}
|
|
}
|
|
|
|
const now = Date.now();
|
|
this.userSessions.set(userId, {
|
|
dataKey: Buffer.from(DEK),
|
|
expiresAt: now + sessionDurationMs,
|
|
});
|
|
|
|
DEK.fill(0);
|
|
}
|
|
|
|
async authenticateUser(
|
|
userId: string,
|
|
password: string,
|
|
sessionDurationMs: number,
|
|
): Promise<boolean> {
|
|
try {
|
|
const kekSalt = await this.getKEKSalt(userId);
|
|
if (!kekSalt) return false;
|
|
|
|
const KEK = this.deriveKEK(password, kekSalt);
|
|
const encryptedDEK = await this.getEncryptedDEK(userId);
|
|
if (!encryptedDEK) {
|
|
KEK.fill(0);
|
|
return false;
|
|
}
|
|
|
|
const DEK = this.decryptDEK(encryptedDEK, KEK);
|
|
KEK.fill(0);
|
|
|
|
if (!DEK || DEK.length === 0) {
|
|
databaseLogger.error("DEK is empty or invalid after decryption", {
|
|
operation: "user_crypto_auth_debug",
|
|
userId,
|
|
dekLength: DEK ? DEK.length : 0,
|
|
});
|
|
return false;
|
|
}
|
|
|
|
const now = Date.now();
|
|
|
|
const oldSession = this.userSessions.get(userId);
|
|
if (oldSession) {
|
|
oldSession.dataKey.fill(0);
|
|
}
|
|
|
|
this.userSessions.set(userId, {
|
|
dataKey: Buffer.from(DEK),
|
|
expiresAt: now + sessionDurationMs,
|
|
});
|
|
|
|
DEK.fill(0);
|
|
|
|
return true;
|
|
} catch (error) {
|
|
databaseLogger.warn("User authentication failed", {
|
|
operation: "user_crypto_auth_failed",
|
|
userId,
|
|
error: error instanceof Error ? error.message : "Unknown",
|
|
});
|
|
return false;
|
|
}
|
|
}
|
|
|
|
async authenticateOIDCUser(
|
|
userId: string,
|
|
sessionDurationMs: number,
|
|
): Promise<boolean> {
|
|
try {
|
|
const oidcEncryptedDEK = await this.getOIDCEncryptedDEK(userId);
|
|
|
|
if (oidcEncryptedDEK) {
|
|
const systemKey = this.deriveOIDCSystemKey(userId);
|
|
const DEK = this.decryptDEK(oidcEncryptedDEK, systemKey);
|
|
systemKey.fill(0);
|
|
|
|
if (!DEK || DEK.length === 0) {
|
|
databaseLogger.error(
|
|
"Failed to decrypt OIDC DEK for dual-auth user",
|
|
{
|
|
operation: "oidc_auth_dual_decrypt_failed",
|
|
userId,
|
|
},
|
|
);
|
|
return false;
|
|
}
|
|
|
|
const now = Date.now();
|
|
const oldSession = this.userSessions.get(userId);
|
|
if (oldSession) {
|
|
oldSession.dataKey.fill(0);
|
|
}
|
|
|
|
this.userSessions.set(userId, {
|
|
dataKey: Buffer.from(DEK),
|
|
expiresAt: now + sessionDurationMs,
|
|
});
|
|
|
|
DEK.fill(0);
|
|
return true;
|
|
}
|
|
|
|
const kekSalt = await this.getKEKSalt(userId);
|
|
const encryptedDEK = await this.getEncryptedDEK(userId);
|
|
|
|
if (!kekSalt || !encryptedDEK) {
|
|
await this.setupOIDCUserEncryption(userId, sessionDurationMs);
|
|
return true;
|
|
}
|
|
|
|
const systemKey = this.deriveOIDCSystemKey(userId);
|
|
const DEK = this.decryptDEK(encryptedDEK, systemKey);
|
|
systemKey.fill(0);
|
|
|
|
if (!DEK || DEK.length === 0) {
|
|
await this.setupOIDCUserEncryption(userId, sessionDurationMs);
|
|
return true;
|
|
}
|
|
|
|
const now = Date.now();
|
|
|
|
const oldSession = this.userSessions.get(userId);
|
|
if (oldSession) {
|
|
oldSession.dataKey.fill(0);
|
|
}
|
|
|
|
this.userSessions.set(userId, {
|
|
dataKey: Buffer.from(DEK),
|
|
expiresAt: now + sessionDurationMs,
|
|
});
|
|
|
|
DEK.fill(0);
|
|
|
|
return true;
|
|
} catch (error) {
|
|
databaseLogger.error("OIDC authentication failed", error, {
|
|
operation: "oidc_auth_error",
|
|
userId,
|
|
error: error instanceof Error ? error.message : "Unknown",
|
|
});
|
|
await this.setupOIDCUserEncryption(userId, sessionDurationMs);
|
|
return true;
|
|
}
|
|
}
|
|
|
|
getUserDataKey(userId: string): Buffer | null {
|
|
const session = this.userSessions.get(userId);
|
|
if (!session) {
|
|
return null;
|
|
}
|
|
|
|
const now = Date.now();
|
|
|
|
if (now > session.expiresAt) {
|
|
this.userSessions.delete(userId);
|
|
session.dataKey.fill(0);
|
|
if (this.sessionExpiredCallback) {
|
|
this.sessionExpiredCallback(userId);
|
|
}
|
|
return null;
|
|
}
|
|
|
|
return session.dataKey;
|
|
}
|
|
|
|
logoutUser(userId: string): void {
|
|
const session = this.userSessions.get(userId);
|
|
if (session) {
|
|
session.dataKey.fill(0);
|
|
this.userSessions.delete(userId);
|
|
}
|
|
}
|
|
|
|
isUserUnlocked(userId: string): boolean {
|
|
return this.getUserDataKey(userId) !== null;
|
|
}
|
|
|
|
async changeUserPassword(
|
|
userId: string,
|
|
oldPassword: string,
|
|
newPassword: string,
|
|
): Promise<boolean> {
|
|
try {
|
|
const isValid = await this.validatePassword(userId, oldPassword);
|
|
if (!isValid) return false;
|
|
|
|
const kekSalt = await this.getKEKSalt(userId);
|
|
if (!kekSalt) return false;
|
|
|
|
const oldKEK = this.deriveKEK(oldPassword, kekSalt);
|
|
const encryptedDEK = await this.getEncryptedDEK(userId);
|
|
if (!encryptedDEK) return false;
|
|
|
|
const DEK = this.decryptDEK(encryptedDEK, oldKEK);
|
|
|
|
const newKekSalt = await this.generateKEKSalt();
|
|
const newKEK = this.deriveKEK(newPassword, newKekSalt);
|
|
|
|
const newEncryptedDEK = this.encryptDEK(DEK, newKEK);
|
|
|
|
await this.storeKEKSalt(userId, newKekSalt);
|
|
await this.storeEncryptedDEK(userId, newEncryptedDEK);
|
|
|
|
const { saveMemoryDatabaseToFile } =
|
|
await import("../database/db/index.js");
|
|
await saveMemoryDatabaseToFile();
|
|
|
|
oldKEK.fill(0);
|
|
newKEK.fill(0);
|
|
DEK.fill(0);
|
|
|
|
return true;
|
|
} catch (error) {
|
|
databaseLogger.error("Password change failed", error, {
|
|
operation: "password_change_error",
|
|
userId,
|
|
error: error instanceof Error ? error.message : "Unknown error",
|
|
});
|
|
return false;
|
|
}
|
|
}
|
|
|
|
async resetUserPasswordWithPreservedDEK(
|
|
userId: string,
|
|
newPassword: string,
|
|
): Promise<boolean> {
|
|
try {
|
|
const existingDEK = this.getUserDataKey(userId);
|
|
if (!existingDEK) {
|
|
return false;
|
|
}
|
|
|
|
const newKekSalt = await this.generateKEKSalt();
|
|
const newKEK = this.deriveKEK(newPassword, newKekSalt);
|
|
|
|
const newEncryptedDEK = this.encryptDEK(existingDEK, newKEK);
|
|
|
|
await this.storeKEKSalt(userId, newKekSalt);
|
|
await this.storeEncryptedDEK(userId, newEncryptedDEK);
|
|
|
|
const { saveMemoryDatabaseToFile } =
|
|
await import("../database/db/index.js");
|
|
await saveMemoryDatabaseToFile();
|
|
|
|
newKEK.fill(0);
|
|
|
|
const session = this.userSessions.get(userId);
|
|
if (session) {
|
|
session.lastActivity = Date.now();
|
|
}
|
|
|
|
return true;
|
|
} catch (error) {
|
|
databaseLogger.error("Password reset with preserved DEK failed", error, {
|
|
operation: "password_reset_preserve_error",
|
|
userId,
|
|
error: error instanceof Error ? error.message : "Unknown error",
|
|
});
|
|
return false;
|
|
}
|
|
}
|
|
|
|
async convertToOIDCEncryption(userId: string): Promise<void> {
|
|
try {
|
|
const existingEncryptedDEK = await this.getEncryptedDEK(userId);
|
|
const existingKEKSalt = await this.getKEKSalt(userId);
|
|
|
|
if (!existingEncryptedDEK && !existingKEKSalt) {
|
|
databaseLogger.warn("No existing encryption to convert for user", {
|
|
operation: "convert_to_oidc_encryption_skip",
|
|
userId,
|
|
});
|
|
return;
|
|
}
|
|
|
|
const existingDEK = this.getUserDataKey(userId);
|
|
|
|
if (!existingDEK) {
|
|
throw new Error(
|
|
"Cannot convert to OIDC encryption - user session not active. Please log in with password first.",
|
|
);
|
|
}
|
|
|
|
const systemKey = this.deriveOIDCSystemKey(userId);
|
|
const oidcEncryptedDEK = this.encryptDEK(existingDEK, systemKey);
|
|
systemKey.fill(0);
|
|
|
|
const key = `user_encrypted_dek_oidc_${userId}`;
|
|
const value = JSON.stringify(oidcEncryptedDEK);
|
|
|
|
const { getDb } = await import("../database/db/index.js");
|
|
const { settings } = await import("../database/db/schema.js");
|
|
const { eq } = await import("drizzle-orm");
|
|
|
|
const existing = await getDb()
|
|
.select()
|
|
.from(settings)
|
|
.where(eq(settings.key, key));
|
|
|
|
if (existing.length > 0) {
|
|
await getDb()
|
|
.update(settings)
|
|
.set({ value })
|
|
.where(eq(settings.key, key));
|
|
} else {
|
|
await getDb().insert(settings).values({ key, value });
|
|
}
|
|
|
|
databaseLogger.info(
|
|
"Converted user encryption to dual-auth (password + OIDC)",
|
|
{
|
|
operation: "convert_to_oidc_encryption_preserved",
|
|
userId,
|
|
},
|
|
);
|
|
|
|
const { saveMemoryDatabaseToFile } =
|
|
await import("../database/db/index.js");
|
|
await saveMemoryDatabaseToFile();
|
|
} catch (error) {
|
|
databaseLogger.error("Failed to convert to OIDC encryption", error, {
|
|
operation: "convert_to_oidc_encryption_error",
|
|
userId,
|
|
error: error instanceof Error ? error.message : "Unknown error",
|
|
});
|
|
throw error;
|
|
}
|
|
}
|
|
|
|
private async validatePassword(
|
|
userId: string,
|
|
password: string,
|
|
): Promise<boolean> {
|
|
try {
|
|
const kekSalt = await this.getKEKSalt(userId);
|
|
if (!kekSalt) return false;
|
|
|
|
const KEK = this.deriveKEK(password, kekSalt);
|
|
const encryptedDEK = await this.getEncryptedDEK(userId);
|
|
if (!encryptedDEK) return false;
|
|
|
|
const DEK = this.decryptDEK(encryptedDEK, KEK);
|
|
|
|
KEK.fill(0);
|
|
DEK.fill(0);
|
|
|
|
return true;
|
|
} catch {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
private cleanupExpiredSessions(): void {
|
|
const now = Date.now();
|
|
const expiredUsers: string[] = [];
|
|
|
|
for (const [userId, session] of this.userSessions.entries()) {
|
|
if (now > session.expiresAt) {
|
|
session.dataKey.fill(0);
|
|
expiredUsers.push(userId);
|
|
}
|
|
}
|
|
|
|
expiredUsers.forEach((userId) => {
|
|
this.userSessions.delete(userId);
|
|
});
|
|
}
|
|
|
|
private async generateKEKSalt(): Promise<KEKSalt> {
|
|
return {
|
|
salt: crypto.randomBytes(32).toString("hex"),
|
|
iterations: UserCrypto.PBKDF2_ITERATIONS,
|
|
algorithm: "pbkdf2-sha256",
|
|
createdAt: new Date().toISOString(),
|
|
};
|
|
}
|
|
|
|
private deriveKEK(password: string, kekSalt: KEKSalt): Buffer {
|
|
return crypto.pbkdf2Sync(
|
|
password,
|
|
Buffer.from(kekSalt.salt, "hex"),
|
|
kekSalt.iterations,
|
|
UserCrypto.KEK_LENGTH,
|
|
"sha256",
|
|
);
|
|
}
|
|
|
|
private deriveOIDCSystemKey(userId: string): Buffer {
|
|
const systemSecret =
|
|
process.env.OIDC_SYSTEM_SECRET || "termix-oidc-system-secret-default";
|
|
const salt = Buffer.from(userId, "utf8");
|
|
return crypto.pbkdf2Sync(
|
|
systemSecret,
|
|
salt,
|
|
100000,
|
|
UserCrypto.KEK_LENGTH,
|
|
"sha256",
|
|
);
|
|
}
|
|
|
|
private encryptDEK(dek: Buffer, kek: Buffer): EncryptedDEK {
|
|
const iv = crypto.randomBytes(16);
|
|
const cipher = crypto.createCipheriv("aes-256-gcm", kek, iv);
|
|
|
|
let encrypted = cipher.update(dek);
|
|
encrypted = Buffer.concat([encrypted, cipher.final()]);
|
|
const tag = cipher.getAuthTag();
|
|
|
|
return {
|
|
data: encrypted.toString("hex"),
|
|
iv: iv.toString("hex"),
|
|
tag: tag.toString("hex"),
|
|
algorithm: "aes-256-gcm",
|
|
createdAt: new Date().toISOString(),
|
|
};
|
|
}
|
|
|
|
private decryptDEK(encryptedDEK: EncryptedDEK, kek: Buffer): Buffer {
|
|
const decipher = crypto.createDecipheriv(
|
|
"aes-256-gcm",
|
|
kek,
|
|
Buffer.from(encryptedDEK.iv, "hex"),
|
|
);
|
|
|
|
decipher.setAuthTag(Buffer.from(encryptedDEK.tag, "hex"));
|
|
let decrypted = decipher.update(Buffer.from(encryptedDEK.data, "hex"));
|
|
decrypted = Buffer.concat([decrypted, decipher.final()]);
|
|
|
|
return decrypted;
|
|
}
|
|
|
|
private async storeKEKSalt(userId: string, kekSalt: KEKSalt): Promise<void> {
|
|
const key = `user_kek_salt_${userId}`;
|
|
const value = JSON.stringify(kekSalt);
|
|
|
|
const existing = await getDb()
|
|
.select()
|
|
.from(settings)
|
|
.where(eq(settings.key, key));
|
|
|
|
if (existing.length > 0) {
|
|
await getDb()
|
|
.update(settings)
|
|
.set({ value })
|
|
.where(eq(settings.key, key));
|
|
} else {
|
|
await getDb().insert(settings).values({ key, value });
|
|
}
|
|
}
|
|
|
|
private async getKEKSalt(userId: string): Promise<KEKSalt | null> {
|
|
try {
|
|
const key = `user_kek_salt_${userId}`;
|
|
const result = await getDb()
|
|
.select()
|
|
.from(settings)
|
|
.where(eq(settings.key, key));
|
|
|
|
if (result.length === 0) {
|
|
return null;
|
|
}
|
|
|
|
return JSON.parse(result[0].value);
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
private async storeEncryptedDEK(
|
|
userId: string,
|
|
encryptedDEK: EncryptedDEK,
|
|
): Promise<void> {
|
|
const key = `user_encrypted_dek_${userId}`;
|
|
const value = JSON.stringify(encryptedDEK);
|
|
|
|
const existing = await getDb()
|
|
.select()
|
|
.from(settings)
|
|
.where(eq(settings.key, key));
|
|
|
|
if (existing.length > 0) {
|
|
await getDb()
|
|
.update(settings)
|
|
.set({ value })
|
|
.where(eq(settings.key, key));
|
|
} else {
|
|
await getDb().insert(settings).values({ key, value });
|
|
}
|
|
}
|
|
|
|
private async getEncryptedDEK(userId: string): Promise<EncryptedDEK | null> {
|
|
try {
|
|
const key = `user_encrypted_dek_${userId}`;
|
|
const result = await getDb()
|
|
.select()
|
|
.from(settings)
|
|
.where(eq(settings.key, key));
|
|
|
|
if (result.length === 0) {
|
|
return null;
|
|
}
|
|
|
|
return JSON.parse(result[0].value);
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
private async getOIDCEncryptedDEK(
|
|
userId: string,
|
|
): Promise<EncryptedDEK | null> {
|
|
try {
|
|
const key = `user_encrypted_dek_oidc_${userId}`;
|
|
const result = await getDb()
|
|
.select()
|
|
.from(settings)
|
|
.where(eq(settings.key, key));
|
|
|
|
if (result.length === 0) {
|
|
return null;
|
|
}
|
|
|
|
return JSON.parse(result[0].value);
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
}
|
|
|
|
export { UserCrypto, type KEKSalt, type EncryptedDEK };
|