Green: unseal shared collection keys with the account keypair

decryptCollection now takes the full key material {masterKey,
publicKey, secretKey} and dispatches on keyDecryptionNonce: present
means an owned collection (secretbox under the master key), absent
means a shared collection (sealed box to our public key). Client
already held the keypair for unsealing the auth token, so it just
passes it through.
This commit is contained in:
2026-06-10 11:46:51 -07:00
parent 59e0aa7d47
commit 15d2effc2d
6 changed files with 53 additions and 11 deletions

View File

@@ -25,7 +25,10 @@ const main = async () => {
process.exit(1);
}
const { masterKey, token } = await unwrapAuth(challenge.response, PASSWORD);
const { masterKey, secretKey, publicKey, token } = await unwrapAuth(
challenge.response,
PASSWORD,
);
api.setAuthToken(token);
console.log("Logged in, user ID:", challenge.response.id);
@@ -37,7 +40,7 @@ const main = async () => {
const userID = challenge.response.id;
const collections = rawCollections.map((raw) =>
decryptCollection(raw, masterKey, userID),
decryptCollection(raw, { masterKey, publicKey, secretKey }, userID),
);
console.log(`${collections.length} collection(s):`);