import { WsJsonClient } from './ws-client.js?v=20260405171816'; import { bytesToBase64, deriveEd25519FromPassword, exportEd25519PublicKeyB64, exportPkcs8B64, generateEd25519Pair, importPkcs8Ed25519, randomBase64, sha256Bytes, signBytes, signBase64, utf8Bytes, } from './crypto-utils.js?v=20260405171816'; import { loadEncryptedUserSecrets, loadSessionMaterial, saveEncryptedUserSecrets, saveSessionMaterial, } from './key-vault.js?v=20260405171816'; const BCH_SUFFIX = '001'; function normalizeServerUrl(url) { const value = (url || '').trim(); if (!value) return 'wss://shineup.me/ws'; if (value.startsWith('ws://') || value.startsWith('wss://')) return value; if (value.startsWith('https://') || value.startsWith('http://')) { return `${value.replace(/^http/, 'ws').replace(/\/$/, '')}/ws`; } return value; } function opError(op, response) { const message = response?.payload?.message || response?.message || 'Неизвестная ошибка сервера'; const code = response?.payload?.code || response?.code || 'UNKNOWN'; const error = new Error(`${op}: ${message} (${code})`); error.op = op; error.code = code; error.status = response?.status || 0; return error; } function makeClientInfo() { const ua = navigator.userAgent || 'unknown'; return ua.slice(0, 50); } function hexToBytes(hex) { const clean = String(hex || '').trim().toLowerCase(); if (!clean || clean.length % 2 !== 0) throw new Error('Некорректный hex'); const out = new Uint8Array(clean.length / 2); for (let i = 0; i < out.length; i += 1) { out[i] = Number.parseInt(clean.slice(i * 2, i * 2 + 2), 16); } return out; } function concatBytes(...chunks) { const total = chunks.reduce((sum, chunk) => sum + chunk.length, 0); const out = new Uint8Array(total); let offset = 0; chunks.forEach((chunk) => { out.set(chunk, offset); offset += chunk.length; }); return out; } function int32Bytes(value) { const bytes = new Uint8Array(4); const view = new DataView(bytes.buffer); view.setInt32(0, Number(value), false); return bytes; } function int16Bytes(value) { const bytes = new Uint8Array(2); const view = new DataView(bytes.buffer); view.setUint16(0, Number(value), false); return bytes; } function int64Bytes(value) { const bytes = new Uint8Array(8); const view = new DataView(bytes.buffer); view.setBigInt64(0, BigInt(value), false); return bytes; } function makeUserParamBodyBytes({ lineCode, prevLineNumber, prevLineHashHex, thisLineNumber, key, value }) { const keyBytes = utf8Bytes(String(key || '')); const valueBytes = utf8Bytes(String(value || '')); const prevHashBytes = hexToBytes(prevLineHashHex); if (!keyBytes.length || !valueBytes.length) throw new Error('Пустые key/value для блока параметра'); if (prevHashBytes.length !== 32) throw new Error('prevLineHash должен быть 32 байта'); return concatBytes( int32Bytes(lineCode), int32Bytes(prevLineNumber), prevHashBytes, int32Bytes(thisLineNumber), int16Bytes(keyBytes.length), keyBytes, int16Bytes(valueBytes.length), valueBytes, ); } export class AuthService { constructor(serverUrl) { this.serverUrl = normalizeServerUrl(serverUrl); this.ws = new WsJsonClient(this.serverUrl); } async reconnect(serverUrl) { const normalized = normalizeServerUrl(serverUrl); if (normalized === this.serverUrl) return; this.ws.close(); this.serverUrl = normalized; this.ws = new WsJsonClient(this.serverUrl); } async getUser(login) { const response = await this.ws.request('GetUser', { login }); if (response.status !== 200) throw opError('GetUser', response); return response.payload || {}; } async ensureLoginFree(login) { const payload = await this.getUser(login); return payload.exists !== true; } async derivePasswordKeyBundle(password) { if (!password) throw new Error('Введите пароль'); const rootPair = await deriveEd25519FromPassword(password, 'root.key'); const blockchainPair = await deriveEd25519FromPassword(password, 'bch.key'); const devicePair = await deriveEd25519FromPassword(password, 'dev.key'); return { rootPair, blockchainPair, devicePair }; } async createAuthSession(login, keyBundle) { const cleanLogin = (login || '').trim(); if (!cleanLogin) throw new Error('Введите логин'); const sessionPair = await generateEd25519Pair(); const sessionKeyPub = await exportEd25519PublicKeyB64(sessionPair.publicKey); const sessionKey = `ed25519/${sessionKeyPub}`; const storagePwd = randomBase64(32); const challengeResp = await this.ws.request('AuthChallenge', { login: cleanLogin }); if (challengeResp.status !== 200) throw opError('AuthChallenge', challengeResp); const authNonce = challengeResp?.payload?.authNonce; if (!authNonce) throw new Error('AuthChallenge: сервер не вернул authNonce'); const timeMs = Date.now(); const preimage = `AUTH_CREATE_SESSION:${cleanLogin}:${sessionKey}:${storagePwd}:${timeMs}:${authNonce}`; const signatureB64 = await signBase64(keyBundle.devicePair.privateKey, preimage); const createResp = await this.ws.request('CreateAuthSession', { login: cleanLogin, storagePwd, sessionKey, timeMs, authNonce, deviceKey: keyBundle.devicePair.publicKeyB64, signatureB64, clientInfo: makeClientInfo(), }); if (createResp.status !== 200) throw opError('CreateAuthSession', createResp); const sessionId = createResp?.payload?.sessionId; if (!sessionId) throw new Error('CreateAuthSession: не вернулся sessionId'); return { login: cleanLogin, sessionId, storagePwd, sessionMaterial: { sessionId, sessionKey, sessionPrivPkcs8: await exportPkcs8B64(sessionPair.privateKey), }, }; } async registerUser(login, password) { const cleanLogin = (login || '').trim(); if (!cleanLogin) throw new Error('Введите логин'); if (!password) throw new Error('Введите пароль'); const isFree = await this.ensureLoginFree(cleanLogin); if (!isFree) throw new Error('Этот логин уже занят'); const keyBundle = await this.derivePasswordKeyBundle(password); const addResp = await this.ws.request('AddUser', { login: cleanLogin, blockchainName: `${cleanLogin}-${BCH_SUFFIX}`, solanaKey: keyBundle.rootPair.publicKeyB64, blockchainKey: keyBundle.blockchainPair.publicKeyB64, deviceKey: keyBundle.devicePair.publicKeyB64, bchLimit: 1000000, }); if (addResp.status !== 200) throw opError('AddUser', addResp); const session = await this.createAuthSession(cleanLogin, keyBundle); return { ...session, keyBundle }; } async createSessionForExistingUser(login, password) { const cleanLogin = (login || '').trim(); if (!cleanLogin) throw new Error('Введите логин'); if (!password) throw new Error('Введите пароль'); const user = await this.getUser(cleanLogin); if (!user.exists) throw new Error('Пользователь не найден'); const keyBundle = await this.derivePasswordKeyBundle(password); const session = await this.createAuthSession(cleanLogin, keyBundle); return { ...session, keyBundle }; } async persistSelectedKeys(login, storagePwd, keyBundle, saveOptions = { saveRoot: true, saveBlockchain: true }) { const secrets = { deviceKey: keyBundle.devicePair.privatePkcs8B64 }; if (saveOptions.saveRoot) secrets.rootKey = keyBundle.rootPair.privatePkcs8B64; if (saveOptions.saveBlockchain) secrets.blockchainKey = keyBundle.blockchainPair.privatePkcs8B64; await saveEncryptedUserSecrets(login, storagePwd, secrets); } async persistSessionMaterial(login, sessionMaterial) { await saveSessionMaterial(login, sessionMaterial); } async resumeSession(login, preferredSessionId = '') { const cleanLogin = (login || '').trim(); if (!cleanLogin) throw new Error('Нет login для авто-входа'); const sessionMaterial = await loadSessionMaterial(cleanLogin); if (!sessionMaterial?.sessionId || !sessionMaterial?.sessionKey || !sessionMaterial?.sessionPrivPkcs8) { throw new Error('На устройстве нет сохраненного ключа сессии'); } const targetSessionId = preferredSessionId || sessionMaterial.sessionId; const privateKey = await importPkcs8Ed25519(sessionMaterial.sessionPrivPkcs8); const challengeResp = await this.ws.request('SessionChallenge', { sessionId: targetSessionId }); if (challengeResp.status !== 200) throw opError('SessionChallenge', challengeResp); const nonce = challengeResp?.payload?.nonce; if (!nonce) throw new Error('SessionChallenge: не вернулся nonce'); const timeMs = Date.now(); const preimage = `SESSION_LOGIN:${targetSessionId}:${timeMs}:${nonce}`; const signatureB64 = await signBase64(privateKey, preimage); const loginResp = await this.ws.request('SessionLogin', { sessionId: targetSessionId, sessionKey: sessionMaterial.sessionKey, timeMs, signatureB64, clientInfo: makeClientInfo(), }); if (loginResp.status !== 200) throw opError('SessionLogin', loginResp); const storagePwd = loginResp?.payload?.storagePwd; if (!storagePwd) throw new Error('SessionLogin: не вернулся storagePwd'); return { login: cleanLogin, sessionId: targetSessionId, storagePwd, }; } async listSessions() { const response = await this.ws.request('ListSessions', {}); if (response.status !== 200) throw opError('ListSessions', response); return response?.payload?.sessions || []; } async closeSession(sessionId) { const response = await this.ws.request('CloseActiveSession', { sessionId }); if (response.status !== 200) throw opError('CloseActiveSession', response); } async listSubscriptionsFeed(login, limit = 200) { const response = await this.ws.request('ListSubscriptionsFeed', { login, limit }); if (response.status !== 200) throw opError('ListSubscriptionsFeed', response); return response.payload || {}; } async getChannelMessages(channel, limit = 200, sort = 'asc') { const response = await this.ws.request('GetChannelMessages', { channel, limit, sort }); if (response.status !== 200) throw opError('GetChannelMessages', response); return response.payload || {}; } async getMessageThread(message, depthUp = 20, depthDown = 2, limitChildrenPerNode = 50) { const response = await this.ws.request('GetMessageThread', { message, depthUp, depthDown, limitChildrenPerNode }); if (response.status !== 200) throw opError('GetMessageThread', response); return response.payload || {}; } onEvent(op, handler) { return this.ws.onEvent(op, handler); } async upsertPushToken({ tokenId, token, provider = 'fcm', platform = 'web', userAgent = navigator.userAgent || '' }) { const response = await this.ws.request('UpsertPushToken', { tokenId, token, provider, platform, userAgent }); if (response.status !== 200) throw opError('UpsertPushToken', response); return response.payload || {}; } async sendDirectMessage(toLogin, text) { const response = await this.ws.request('SendDirectMessage', { toLogin, text }); if (response.status !== 200) throw opError('SendDirectMessage', response); return response.payload || {}; } async ackIncomingMessage(eventId, messageId) { const response = await this.ws.request('AckIncomingMessage', { eventId, messageId }); if (response.status !== 200) throw opError('AckIncomingMessage', response); return response.payload || {}; } async listContacts() { const response = await this.ws.request('ListContacts', {}); if (response.status !== 200) throw opError('ListContacts', response); return response.payload || {}; } async addCloseFriend(toLogin) { const response = await this.ws.request('AddCloseFriend', { toLogin }); if (response.status !== 200) throw opError('AddCloseFriend', response); return response.payload || {}; } async getUserConnectionsGraph(login) { const response = await this.ws.request('GetUserConnectionsGraph', { login }); if (response.status !== 200) throw opError('GetUserConnectionsGraph', response); return response.payload || {}; } async searchUsers(prefix) { const response = await this.ws.request('SearchUsers', { prefix }); if (response.status !== 200) throw opError('SearchUsers', response); return response.payload?.logins || []; } async getUserParam(login, param) { const cleanLogin = (login || '').trim(); const cleanParam = (param || '').trim(); if (!cleanLogin || !cleanParam) throw new Error('Не переданы login/param'); const response = await this.ws.request('GetUserParam', { login: cleanLogin, param: cleanParam }); if (response.status === 200) return response.payload || {}; if (response.status === 404 || response.status === 204) return {}; throw opError('GetUserParam', response); } async addBlockUserParam({ login, param, value, storagePwd }) { const cleanLogin = (login || '').trim(); const cleanParam = (param || '').trim(); const cleanValue = String(value ?? '').trim(); if (!cleanLogin || !cleanParam) throw new Error('Не переданы login/param.'); if (!cleanValue) throw new Error('Значение параметра не может быть пустым.'); if (!storagePwd) throw new Error('Не передан storagePwd для подписи AddBlock.'); const user = await this.getUser(cleanLogin); const blockchainName = String(user?.blockchainName || `${cleanLogin}-${BCH_SUFFIX}`).trim(); const savedKeys = await loadEncryptedUserSecrets(cleanLogin, storagePwd); const blockchainPrivatePkcs8 = savedKeys?.blockchainKey; if (!blockchainPrivatePkcs8) { throw new Error('На устройстве нет сохраненного приватного blockchainKey'); } const privateKey = await importPkcs8Ed25519(blockchainPrivatePkcs8); const tryAdd = async (cursor) => { const blockNumber = Number(cursor?.serverLastGlobalNumber ?? -1) + 1; const prevBlockHash = String(cursor?.serverLastGlobalHash || '0'.repeat(64)); const bodyBytes = makeUserParamBodyBytes({ lineCode: Number(cursor?.serverLastGlobalNumber ?? 0), prevLineNumber: Number(cursor?.serverLastGlobalNumber ?? 0), prevLineHashHex: prevBlockHash, thisLineNumber: 1, key: cleanParam, value: cleanValue, }); const preimage = concatBytes( int16Bytes(0), hexToBytes(prevBlockHash), int32Bytes(2 + 32 + 4 + 4 + 8 + 2 + 2 + 2 + bodyBytes.length), int32Bytes(blockNumber), int64Bytes(Math.floor(Date.now() / 1000)), int16Bytes(4), int16Bytes(1), int16Bytes(1), bodyBytes, ); const hash32 = await sha256Bytes(preimage); const signatureBytes = await signBytes(privateKey, hash32); const fullBlock = concatBytes(preimage, int16Bytes(0x0100), signatureBytes); const response = await this.ws.request('AddBlock', { blockchainName, blockNumber, prevBlockHash, blockBytesB64: bytesToBase64(fullBlock), }); return response; }; let cursor = { serverLastGlobalNumber: -1, serverLastGlobalHash: '0'.repeat(64) }; let response = await tryAdd(cursor); if (response.status !== 200) { const knownNum = Number(response?.payload?.serverLastGlobalNumber); const knownHash = String(response?.payload?.serverLastGlobalHash || ''); if (Number.isFinite(knownNum) && knownHash.length === 64) { cursor = { serverLastGlobalNumber: knownNum, serverLastGlobalHash: knownHash }; response = await tryAdd(cursor); } } if (response.status !== 200) throw opError('AddBlock', response); return response.payload || {}; } async reportClientError(details) { try { const response = await this.ws.request('ClientErrorLog', details || {}, 3000); return response?.status === 200; } catch { return false; } } close() { this.ws.close(); } }