Phase 3a red: auth.unwrapAuth tests and stub

Tests for the password-only decryption chain that follows a successful
login (SRP or email OTP, with or without 2FA). The unwrap covers:
  password -> KEK (Argon2id) -> masterKey (secretbox) ->
  secretKey (secretbox) -> tokenBytes (sealed box) -> base64url token

Each test builds a synthetic AuthorizationResponse using libsodium
directly and asserts unwrapAuth recovers the inputs byte for byte. The
test file also functions as the canonical description of the protocol.

Adds src/auth/types.ts with KeyAttributes, SRPAttributes,
AuthorizationResponse, and LoginChallenge declarations matching the
README's API reference. src/auth/unwrap.ts is the throwing stub; the
real implementation lands next.
2026-05-11 00:58:27 -07:00
parent 2e2238fa5f
commit 6386a0ec9f
3 changed files with 313 additions and 0 deletions

src/auth/unwrap.ts Normal file

@@ -0,0 +1,17 @@
// Stub: see the README "Development workflow" section for TDD policy.
import type { AuthorizationResponse } from "./types.js";
export interface UnwrapResult {
masterKey: Uint8Array;
secretKey: Uint8Array;
publicKey: Uint8Array;
token: string;
}
export const unwrapAuth = async (
_response: AuthorizationResponse,
_password: string,
): Promise<UnwrapResult> => {
throw new Error("auth.unwrapAuth not implemented");
};
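Review bot: UnwrapResult carries raw masterKey and secretKey bytes but has no doc comment on how callers should handle them, and since this stub already fixes the public shape that the tests assert against, the interface is the right place to document it. Suggest a JSDoc on UnwrapResult stating that masterKey and secretKey are unwrapped key material (not to be logged or persisted, and zeroed once the session token is in use), and noting where publicKey comes from: the commit message's chain (password -> KEK -> masterKey -> secretKey -> tokenBytes -> token) never mentions it, so a reader cannot tell whether it is copied from the AuthorizationResponse key attributes or derived from secretKey.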