send all generations of user keys to an invited device to ensure it can decrypt all generations of team keys and the complete team graph

michaelkamphausen · HerbCaudill · commit 41b060896b51 · 2024-09-24T14:27:35.000+02:00
diff --git a/packages/auth/src/connection/Connection.ts b/packages/auth/src/connection/Connection.ts
@@ -1,6 +1,6 @@
 /* eslint-disable object-shorthand */
 import { EventEmitter } from '@herbcaudill/eventemitter42'
-import type { DecryptFnParams } from '@localfirst/crdx'
+import type { DecryptFnParams, KeysetWithSecrets } from '@localfirst/crdx'
 import {
   generateMessage,
   headsAreEqual,
@@ -214,21 +214,26 @@ export class Connection extends EventEmitter<ConnectionEvents> {
           const { device, invitationSeed } = context
           assert(invitationSeed)
 
-          const user =
-            context.user ??
-            // If we're joining as a new device for an existing member, we won't have a user object
-            // yet, so we need to get those from the graph. We use the invitation seed to generate
-            // the starter keys for the new device. We can use these to unlock a lockbox on the team
-            // graph that contains our user keys.
-            getDeviceUserFromGraph({ serializedGraph, teamKeyring, invitationSeed })
-
+          let user = context.user
+          let allUserKeys: KeysetWithSecrets[] | undefined = undefined
+
+          // If we're joining as a new device for an existing member, we won't have a user object
+          // and all generations of existing user keys yet, so we need to get those from the graph. 
+          // We use the invitation seed to generate the starter keys for the new device. We can use 
+          // these to unlock the lockboxes on the team graph that contain our user keys.
+          if (!user) {
+            const userWithKeys = getDeviceUserFromGraph({ serializedGraph, teamKeyring, invitationSeed })
+            user = userWithKeys.user
+            allUserKeys = userWithKeys.allUserKeys
+          }
+          
           // When admitting us, our peer added our user to the team graph. We've been given the
           // serialized and encrypted graph, and the team keyring. We can now decrypt the graph and
           // reconstruct the team in order to join it.
           const team = new Team({ source: serializedGraph, context: { user, device }, teamKeyring })
 
           // We join the team, which adds our device to the team graph.
-          team.join(teamKeyring)
+          team.join(teamKeyring, allUserKeys)
           this.emit('joined', { team, user, teamKeyring })
           return { user, team }
         }),
diff --git a/packages/auth/src/connection/getDeviceUserFromGraph.ts b/packages/auth/src/connection/getDeviceUserFromGraph.ts
@@ -1,4 +1,4 @@
-import type { Keyring, UserWithSecrets } from '@localfirst/crdx'
+import type { Keyring, KeysetWithSecrets, UserWithSecrets } from '@localfirst/crdx'
 import { assert } from '@localfirst/shared'
 import { generateProof } from 'invitation/generateProof.js'
 import { generateStarterKeys } from 'invitation/generateStarterKeys.js'
@@ -11,7 +11,9 @@ const { USER } = KeyType
 /**
  * If we're joining as a new device for an existing member, we don't have a user object yet, so we
  * need to get those from the graph. We use the invitation seed to generate the starter keys for the
- * new device. We can use these to unlock a lockbox on the team graph that contains our user keys.
+ * new device. We can use these to unlock the lockboxes on the team graph that contain our user keys.
+ * Because we need all user key generations to decrypt the team graph, we return all of them along
+ * with the user object that contains only the latest keys generation.
  */
 export const getDeviceUserFromGraph = ({
   serializedGraph,
@@ -21,7 +23,10 @@ export const getDeviceUserFromGraph = ({
   serializedGraph: Uint8Array
   teamKeyring: Keyring
   invitationSeed: string
-}): UserWithSecrets => {
+}): {
+  user: UserWithSecrets, 
+  allUserKeys: KeysetWithSecrets[]
+} => {
   const starterKeys = generateStarterKeys(invitationSeed)
   const invitationId = generateProof(invitationSeed).id
   const state = getTeamState(serializedGraph, teamKeyring)
@@ -32,11 +37,15 @@ export const getDeviceUserFromGraph = ({
   const { userName } = select.member(state, userId)
   assert(userName) // this user must exist in the team graph
 
-  const userKeys = select.keys(state, starterKeys, { type: USER, name: userId })
-
-  return {
+  const allUserKeys = select.keyMap(state, starterKeys)[USER]?.[userId]
+  const user = {
     userName,
     userId,
-    keys: userKeys,
+    keys: allUserKeys.at(-1)
+  }
+
+  return {
+    user,
+    allUserKeys
   }
 }
diff --git a/packages/auth/src/team/Team.ts b/packages/auth/src/team/Team.ts
@@ -505,7 +505,8 @@ export class Team extends EventEmitter<TeamEvents> {
     // a lockbox that can be opened by an ephemeral keyset generated from the secret invitation
     // seed.
     const starterKeys = invitations.generateStarterKeys(seed)
-    const lockboxUserKeysForDeviceStarterKeys = lockbox.create(this.context.user.keys, starterKeys)
+    const lockboxesUserKeysForDeviceStarterKeys = this.allUserKeys()
+      .map(keys => lockbox.create(keys, starterKeys))
 
     const { id } = invitation
 
@@ -514,7 +515,7 @@ export class Team extends EventEmitter<TeamEvents> {
       type: 'INVITE_DEVICE',
       payload: {
         invitation,
-        lockboxes: [lockboxUserKeysForDeviceStarterKeys],
+        lockboxes: lockboxesUserKeysForDeviceStarterKeys,
       },
     })
 
@@ -603,20 +604,20 @@ export class Team extends EventEmitter<TeamEvents> {
   }
 
   /** Once the new member has received the graph and can instantiate the team, they call this to add their device. */
-  public join = (teamKeyring: Keyring) => {
+  public join = (teamKeyring: Keyring, allUserKeys = [this.context.user.keys]) => {
     assert(!this.isServer, "Can't join as member on server")
 
-    const { user, device } = this.context
+    const { device } = this.context
     const teamKeys = getLatestGeneration(teamKeyring)
 
-    const lockboxUserKeysForDevice = lockbox.create(user.keys, device.keys)
+    const lockboxesUserKeysForDevice = allUserKeys.map(keys => lockbox.create(keys, device.keys))
 
     this.dispatch(
       {
         type: 'ADD_DEVICE',
         payload: {
           device: redactDevice(device),
-          lockboxes: [lockboxUserKeysForDevice],
+          lockboxes: lockboxesUserKeysForDevice,
         },
       },
       teamKeys
@@ -762,6 +763,9 @@ export class Team extends EventEmitter<TeamEvents> {
   public keys = (scope: KeyMetadata | KeyScope) =>
     select.keys(this.state, this.context.device.keys, scope)
 
+  public allUserKeys = (userId = this.userId) =>
+    select.keyMap(this.state, this.context.device.keys)[USER]?.[userId] || []
+
   /** Returns the keys for the given role. */
   public roleKeys = (roleName: string, generation?: number) =>
     this.keys({ type: KeyType.ROLE, name: roleName, generation })
diff --git a/packages/auth/src/team/test/invitations.test.ts b/packages/auth/src/team/test/invitations.test.ts
@@ -1,6 +1,6 @@
 import { createKeyset, type UnixTimestamp } from '@localfirst/crdx'
 import { signatures } from '@localfirst/crypto'
-import { redactDevice, type FirstUseDevice } from 'index.js'
+import { redactDevice, Team, type FirstUseDevice } from 'index.js'
 import { generateProof } from 'invitation/index.js'
 import * as teams from 'team/index.js'
 import { KeyType } from 'util/index.js'
@@ -287,7 +287,7 @@ describe('Team', () => {
 
           // To do that, she uses the invitation seed to generate starter keys, which she can use to
           // unlock a lockbox stored on the graph containing her user keys.
-          const aliceUser = teams.getDeviceUserFromGraph({
+          const { user: aliceUser } = teams.getDeviceUserFromGraph({
             serializedGraph,
             teamKeyring,
             invitationSeed: seed,
@@ -353,6 +353,94 @@ describe('Team', () => {
           // 🦹‍♀️ GRRR I would've got away with it too, if it weren't for you meddling cryptographic algorithms!
           expect(submitBadProof).toThrow('Signature provided is not valid')
         })
+
+        it('an invited device needs access to all generations of user and team keys', () => {
+          const { alice: aliceLaptop } = setup('alice')
+          const alicePhone = aliceLaptop.phone!
+
+          const changeKeys = () => {
+            const newKeys = { type: KeyType.USER, name: aliceLaptop.userId }
+            aliceLaptop.team.changeKeys(createKeyset(newKeys))
+          }
+
+          // Alice rotates her keys two times
+          changeKeys()
+          changeKeys()
+
+          // key rotation results in two new keys generations for team keys, admin keys and alice user keys
+          expect(aliceLaptop.team.teamKeys().generation).toBe(2)
+          expect(aliceLaptop.team.adminKeys().generation).toBe(2)
+          expect(aliceLaptop.team.members(aliceLaptop.userId).keys.generation).toBe(2)
+          expect(aliceLaptop.user.keys.generation).toBe(2)
+          expect(Object.values(aliceLaptop.team.teamKeyring())).toHaveLength(3)
+          expect(aliceLaptop.team.allUserKeys()).toHaveLength(3)
+          // 3 times 3 generations of team keys, admin keys, alice user keys
+          expect(aliceLaptop.team.state.lockboxes.length).toBe(9)
+
+          // 💻 on her laptop, Alice generates an invitation for her phone
+          const { seed } = aliceLaptop.team.inviteDevice()
+
+          // 📱 Alice's phone uses the seed to generate her proof of invitation and sends it to the laptop
+          const proofOfInvitation = generateProof(seed)
+
+          // 💻 Alice's laptop verifies the proof
+          aliceLaptop.team.admitDevice(proofOfInvitation, redactDevice(alicePhone))
+
+          // 👍 The proof was good, so the laptop sends the phone the team's graph and keyring
+          const serializedGraph = aliceLaptop.team.save()
+          const teamKeyring = aliceLaptop.team.teamKeyring()
+
+          // 📱 Alice's phone needs to get her user keys.
+
+          // Alice's laptop also sends all generations of user keys in encrypted lockboxes for each key,
+          // which Alice's phone decrypts using her starter keys generated from the invitation seed.
+          // Alice's phone needs every generation of user keys to unlock every generation of team keys so
+          // the phone can decrypt the whole team graph using all the secret keys of the team keys generations.
+          const { user: aliceUser, allUserKeys } = teams.getDeviceUserFromGraph({
+            serializedGraph,
+            teamKeyring,
+            invitationSeed: seed,
+          })
+
+          // on invitation creation, Alice's laptop added 3 lockboxes to send 3 generations of user keys 
+          // to Alice's phone using the starter keys for encryption
+          expect(aliceLaptop.team.state.lockboxes.length).toBe(12)
+
+          const phoneTeam = new Team({ 
+            source: serializedGraph, 
+            context: { user: aliceUser, device: alicePhone }, 
+            teamKeyring
+          })
+          phoneTeam.join(teamKeyring, allUserKeys)
+
+          // ✅ Now Alice has 💻📱 two devices on the signature chain
+          expect(phoneTeam.members(aliceLaptop.userId).devices).toHaveLength(2)
+          expect(aliceLaptop.team.members(aliceLaptop.userId).devices).toHaveLength(2)
+
+          // Alice's phone added 3 more lockboxes for 3 generations of user keys while joining, 
+          // this time using it's own secret device keys for encryption
+          expect(phoneTeam.state.lockboxes.length).toBe(15)
+
+          // Alice's phone has all user keys and team keys generations, the latest admin keys, 
+          // and the latest user keys generation stored on it's member object
+          expect(Object.values(phoneTeam.teamKeyring())).toHaveLength(3)
+          expect(phoneTeam.allUserKeys()).toHaveLength(3)
+          expect(phoneTeam.adminKeys().generation).toBe(2)
+          expect(phoneTeam.members(aliceLaptop.userId).keys.generation).toBe(2)
+
+          const serializedPhoneTeam = phoneTeam.save()
+
+          // In case some keys went missing while serializing and deserializing 
+          // the phone's local context, some required keys wouldn't be available to decrypt, 
+          // resulting in the error "Can't decrypt link: don't have the correct keyset"
+          expect(() => 
+            new Team({
+              source: serializedPhoneTeam,
+              context: { user: aliceUser, device: alicePhone },
+              teamKeyring: phoneTeam.teamKeyring()
+            })
+          ).not.toThrow()
+        })
       })
     })
   })
