import { WsJsonClient } from './ws-client.js?v=20260327192619'; import { deriveEd25519FromPassword, exportEd25519PublicKeyB64, exportPkcs8B64, generateEd25519Pair, importPkcs8Ed25519, randomBase64, signBase64, } from './crypto-utils.js?v=20260327192619'; import { loadEncryptedUserSecrets, loadSessionMaterial, saveEncryptedUserSecrets, saveSessionMaterial, } from './key-vault.js?v=20260327192619'; const BCH_SUFFIX = '001'; function normalizeServerUrl(url) { const value = (url || '').trim(); if (!value) return 'wss://shineup.me/ws'; if (value.startsWith('ws://') || value.startsWith('wss://')) return value; if (value.startsWith('https://') || value.startsWith('http://')) { return `${value.replace(/^http/, 'ws').replace(/\/$/, '')}/ws`; } return value; } function opError(op, response) { const message = response?.payload?.message || response?.message || 'Неизвестная ошибка сервера'; const code = response?.payload?.code || response?.code || 'UNKNOWN'; return new Error(`${op}: ${message} (${code})`); } function makeClientInfo() { const ua = navigator.userAgent || 'unknown'; return ua.slice(0, 50); } export class AuthService { constructor(serverUrl) { this.serverUrl = normalizeServerUrl(serverUrl); this.ws = new WsJsonClient(this.serverUrl); } async reconnect(serverUrl) { const normalized = normalizeServerUrl(serverUrl); if (normalized === this.serverUrl) return; this.ws.close(); this.serverUrl = normalized; this.ws = new WsJsonClient(this.serverUrl); } async getUser(login) { const response = await this.ws.request('GetUser', { login }); if (response.status !== 200) throw opError('GetUser', response); return response.payload || {}; } async ensureLoginFree(login) { const payload = await this.getUser(login); return payload.exists !== true; } async register(login, password, saveOptions = { saveRoot: true, saveBlockchain: true, saveDevice: true }) { const cleanLogin = (login || '').trim(); if (!cleanLogin) throw new Error('Введите логин'); if (!password) throw new Error('Введите пароль'); const isFree = await this.ensureLoginFree(cleanLogin); if (!isFree) throw new Error('Этот логин уже занят'); const storagePwd = randomBase64(32); const rootPair = await deriveEd25519FromPassword(password, 'root.key'); const blockchainPair = await deriveEd25519FromPassword(password, 'bch.key'); const devicePair = await deriveEd25519FromPassword(password, 'dev.key'); const sessionPair = await generateEd25519Pair(); const sessionKeyPub = await exportEd25519PublicKeyB64(sessionPair.publicKey); const sessionKey = `ed25519/${sessionKeyPub}`; const addResp = await this.ws.request('AddUser', { login: cleanLogin, blockchainName: `${cleanLogin}-${BCH_SUFFIX}`, solanaKey: rootPair.publicKeyB64, blockchainKey: blockchainPair.publicKeyB64, deviceKey: devicePair.publicKeyB64, bchLimit: 1000000, }); if (addResp.status !== 200) throw opError('AddUser', addResp); const challengeResp = await this.ws.request('AuthChallenge', { login: cleanLogin }); if (challengeResp.status !== 200) throw opError('AuthChallenge', challengeResp); const authNonce = challengeResp?.payload?.authNonce; if (!authNonce) throw new Error('AuthChallenge: сервер не вернул authNonce'); const timeMs = Date.now(); const preimage = `AUTH_CREATE_SESSION:${cleanLogin}:${sessionKey}:${storagePwd}:${timeMs}:${authNonce}`; const signatureB64 = await signBase64(devicePair.privateKey, preimage); const createResp = await this.ws.request('CreateAuthSession', { login: cleanLogin, storagePwd, sessionKey, timeMs, authNonce, deviceKey: devicePair.publicKeyB64, signatureB64, clientInfo: makeClientInfo(), }); if (createResp.status !== 200) throw opError('CreateAuthSession', createResp); const sessionId = createResp?.payload?.sessionId; if (!sessionId) throw new Error('CreateAuthSession: не вернулся sessionId'); const secrets = { deviceKey: devicePair.privatePkcs8B64, }; if (saveOptions.saveRoot) { secrets.rootKey = rootPair.privatePkcs8B64; } if (saveOptions.saveBlockchain) { secrets.blockchainKey = blockchainPair.privatePkcs8B64; } await saveEncryptedUserSecrets(cleanLogin, storagePwd, secrets); await saveSessionMaterial(cleanLogin, { sessionId, sessionKey, sessionPrivPkcs8: await exportPkcs8B64(sessionPair.privateKey), }); return { login: cleanLogin, sessionId, storagePwd, }; } async login(login, password) { const cleanLogin = (login || '').trim(); if (!cleanLogin) throw new Error('Введите логин'); if (!password) throw new Error('Введите пароль'); const user = await this.getUser(cleanLogin); if (!user.exists) throw new Error('Пользователь не найден'); const sessionMaterial = await loadSessionMaterial(cleanLogin); if (!sessionMaterial?.sessionId || !sessionMaterial?.sessionKey || !sessionMaterial?.sessionPrivPkcs8) { throw new Error('На устройстве отсутствует ключ сессии. Нужна регистрация на этом устройстве.'); } await deriveEd25519FromPassword(password, 'root.key'); await deriveEd25519FromPassword(password, 'bch.key'); await deriveEd25519FromPassword(password, 'dev.key'); const privateKey = await importPkcs8Ed25519(sessionMaterial.sessionPrivPkcs8); const challengeResp = await this.ws.request('SessionChallenge', { sessionId: sessionMaterial.sessionId }); if (challengeResp.status !== 200) throw opError('SessionChallenge', challengeResp); const nonce = challengeResp?.payload?.nonce; if (!nonce) throw new Error('SessionChallenge: не вернулся nonce'); const timeMs = Date.now(); const preimage = `SESSION_LOGIN:${sessionMaterial.sessionId}:${timeMs}:${nonce}`; const signatureB64 = await signBase64(privateKey, preimage); const loginResp = await this.ws.request('SessionLogin', { sessionId: sessionMaterial.sessionId, sessionKey: sessionMaterial.sessionKey, timeMs, signatureB64, clientInfo: makeClientInfo(), }); if (loginResp.status !== 200) throw opError('SessionLogin', loginResp); const storagePwd = loginResp?.payload?.storagePwd; if (!storagePwd) throw new Error('SessionLogin: не вернулся storagePwd'); await loadEncryptedUserSecrets(cleanLogin, storagePwd); return { login: cleanLogin, sessionId: sessionMaterial.sessionId, storagePwd, }; } async listSessions() { const response = await this.ws.request('ListSessions', {}); if (response.status !== 200) throw opError('ListSessions', response); return response?.payload?.sessions || []; } async closeSession(sessionId) { const response = await this.ws.request('CloseActiveSession', { sessionId }); if (response.status !== 200) throw opError('CloseActiveSession', response); } close() { this.ws.close(); } }