Phase 3a green: implement auth.unwrapAuth

The implementation is exactly the decryption chain documented in the
test file: deriveKEK -> decryptBox(masterKey) -> decryptBox(secretKey)
-> decryptSealed(token) -> toBase64URL. Errors from the underlying
crypto primitives propagate; the only added validation is the up-front
check that the response actually contains both keyAttributes and
encryptedToken (caller bug if not).

Also re-exports the auth/unwrap and auth/types public surface from
src/index.ts.

All 38 tests pass; make check and make docker are green.
2026-05-11 00:59:43 -07:00
parent 6386a0ec9f
commit 78fdabe54a
3 changed files with 64 additions and 7 deletions


@@ -611,8 +611,10 @@ Phase 3: SRP + auth
- [ ] `beginLogin(email, password)` returning a `LoginChallenge`
- [ ] `requestEmailOTP` and `submitEmailOTP` for accounts without SRP
- [ ] `submitTOTP(sessionID, code)`
- [ ] `unwrapAuth(response, password)` returning master key, secret key, public
key, and decrypted token
- [x] `unwrapAuth(response, password)` returning master key, secret key, public
key, and decrypted token (URL-safe-no-padding base64)
- [x] `src/auth/types.ts` with `KeyAttributes`, `SRPAttributes`,
`AuthorizationResponse`, and `LoginChallenge`
- [ ] Tests against recorded HTTP fixtures
Phase 4: HTTP client + endpoints
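Review bot: the checked-off `unwrapAuth(response, password)` entry should also record the error contract the commit message spells out, since the plan is what the next phase reads: crypto errors propagate unchanged (so a wrong password surfaces as a primitive decryption failure, not an auth-specific error) and a response missing `keyAttributes` or `encryptedToken` is treated as a caller bug. Two smaller points in the same hunk: `src/auth/types.ts` arrives as a new already-checked item with no prior `[ ]` line, so it is worth a word in the commit message that it was added to the plan here rather than completed from it, and `(URL-safe-no-padding base64)` reads better as `(URL-safe base64, no padding)`. The `Tests against recorded HTTP fixtures` item correctly stays unchecked; the 38 passing tests the message cites are the unit tests in the test file, not fixture-driven ones.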