Remove masterPassword from Credentials rest

Fixes #336

source/core/VaultManager.ts

@@ -165,6 +165,7 @@ export class VaultManager extends EventEmitter {
  /**
  * Fetch all currently available Live Snapshots of vaults
  * @returns An array of snapshot objects
+ * @deprecated Will be removed in next major - insecure
  */
  getLiveSnapshots(): Array<VaultLiveSnapshot> {
  return this.unlockedSources.map((source) => source.getLiveSnapshot());
@@ -353,6 +354,7 @@ export class VaultManager extends EventEmitter {
  /**
  * Restore all sources from snapshots that were taken previously
  * @param snapshots An array of snapshot objects
+ * @deprecated Will be removed in next major - insecure
  */
  async restoreLiveSnapshots(snapshots: Array<VaultLiveSnapshot>) {
  await Promise.all(

source/core/VaultSource.ts

@@ -3,7 +3,8 @@ import { ChannelQueue } from "@buttercup/channel-queue";
 import { Layerr } from "layerr";
 import { Vault } from "./Vault.js";
 import { Credentials } from "../credentials/Credentials.js";
-import { getCredentials, setCredentials } from "../credentials/channel.js";
+import { getCredentials, setCredentials } from "../credentials/memory/credentials.js";
+import { getMasterPassword, setMasterPassword } from "../credentials/memory/password.js";
 import { getUniqueID } from "../tools/encoding.js";
 import {
  getSourceOfflineArchive,
@@ -17,8 +18,8 @@ import { TextDatasource } from "../datasources/TextDatasource.js";
 import { VaultManager } from "./VaultManager.js";
 import { convertFormatAVault } from "../io/formatB/conversion.js";
 import { VaultFormatB } from "../index.common.js";
-import { VaultFormatID, VaultLiveSnapshot, VaultSourceID, VaultSourceStatus } from "../types.js";
 import { getFormatForID } from "../io/formatRouter.js";
+import { VaultFormatID, VaultLiveSnapshot, VaultSourceID, VaultSourceStatus } from "../types.js";
 
 interface StateChangeEnqueuedFunction {
  (): void | Promise<any>;
@@ -272,8 +273,8 @@ export class VaultSource extends EventEmitter {
  await this.unlock(Credentials.fromPassword(oldPassword));
  } else {
  // Unlocked, so check password..
- const credentials = getCredentials((<Credentials>this._credentials).id);
- if (credentials.masterPassword !== oldPassword) {
+ const masterPassword = getMasterPassword((<Credentials>this._credentials).id);
+ if (masterPassword !== oldPassword) {
  throw new Error("Old password does not match current unlocked instance value");
  }
  // ..and then update
@@ -296,8 +297,7 @@ export class VaultSource extends EventEmitter {
  this._credentials as Credentials,
  oldPassword
  );
- const newCreds = getCredentials(newCredentials.id);
- newCreds.masterPassword = newPassword;
+ setMasterPassword(newCredentials.id, newPassword);
  await this._updateVaultCredentials(newCredentials);
  // Re-lock if it was locked earlier
  if (wasLocked) {
@@ -385,19 +385,23 @@ export class VaultSource extends EventEmitter {
  /**
  * Get a live snapshot of the current unlocked state
  * @returns A snapshot object
+ * @deprecated Will be removed in next major - insecure
  */
  getLiveSnapshot(): VaultLiveSnapshot {
  if (this.status !== VaultSourceStatus.Unlocked) {
  throw new Layerr("Not possible to fetch live snapshot: Vault is not unlocked");
  }
- const credentials = getCredentials((this._credentials as Credentials).id);
+ const credentialsID = (this._credentials as Credentials).id;
+ const credentials = getCredentials(credentialsID);
  if (!credentials) {
  throw new Layerr("Failed fetching live snapshot: Invalid credentials data");
  }
+ const masterPassword = getMasterPassword(credentialsID);
  return {
  credentials,
  formatID: this.vault._format.getFormat().getFormatID(),
  formatSource: this.vault._format.source,
+ masterPassword,
  sourceID: this.id,
  version: "1a"
  };
@@ -533,6 +537,7 @@ export class VaultSource extends EventEmitter {
  /**
  * Restore unlocked state from a live snapshot
  * @param snapshot The snapshot taken previously
+ * @deprecated Will be removed in next major - insecure
  */
  async restoreFromLiveSnapshot(snapshot: VaultLiveSnapshot): Promise<void> {
  if (this.status !== VaultSourceStatus.Locked) {
@@ -546,12 +551,12 @@ export class VaultSource extends EventEmitter {
  // Setup credentials and datasource
  const credentials = (this._credentials = new Credentials(
  snapshot.credentials.data,
- snapshot.credentials.masterPassword
+ snapshot.masterPassword
  ));
  setCredentials(credentials.id, snapshot.credentials);
  // Initialise datasource
  const datasource = (this._datasource = credentialsToDatasource(
- Credentials.fromCredentials(credentials, snapshot.credentials.masterPassword)
+ Credentials.fromCredentials(credentials, snapshot.masterPassword)
  ));
  datasource.sourceID = this.id;
  // Setup vault
@@ -650,7 +655,7 @@ export class VaultSource extends EventEmitter {
  `Failed unlocking source: Source in invalid state (${this.status}): ${this.id}`
  );
  }
- const { masterPassword } = getCredentials(vaultCredentials.id);
+ const masterPassword = getMasterPassword(vaultCredentials.id);
  const originalCredentials = this._credentials;
  this._status = VaultSource.STATUS_PENDING;
  await this._enqueueStateChange(async () => {
@@ -813,7 +818,7 @@ export class VaultSource extends EventEmitter {
  `Failed updating source credentials: Source is not unlocked: ${this.id}`
  );
  }
- const { masterPassword } = getCredentials((<Credentials>this._credentials).id);
+ const masterPassword = getMasterPassword((<Credentials>this._credentials).id);
  this._credentials = Credentials.fromCredentials(
  this._datasource.credentials,
  masterPassword

source/credentials/Credentials.ts

@@ -1,6 +1,7 @@
 import { generateUUID } from "../tools/uuid.js";
-import { credentialsAllowsPurpose, getCredentials, setCredentials } from "./channel.js";
+import { credentialsAllowsPurpose, getCredentials, setCredentials } from "./memory/credentials.js";
 import { getSharedAppEnv } from "../env/appEnv.js";
+import { getMasterPassword, setMasterPassword } from "./memory/password.js";
 import { CredentialsData, CredentialsPayload, DatasourceConfiguration } from "../types.js";
 
 /**
@@ -85,7 +86,8 @@ export class Credentials {
  throw new Error("Master password is required for credentials cloning");
  }
  const credentialsData = getCredentials(credentials.id);
- if (credentialsData.masterPassword !== masterPassword) {
+ const credentialsPassword = getMasterPassword(credentials.id);
+ if (credentialsPassword !== masterPassword) {
  throw new Error("Master password does not match that of the credentials to be cloned");
  }
  const newData = JSON.parse(JSON.stringify(credentialsData.data));
@@ -134,29 +136,27 @@ export class Credentials {
  * @param masterPassword The password for decryption
  * @returns A promise that resolves with the new instance
  */
- static fromSecureString(content: string, masterPassword: string): Promise<Credentials> {
+ static async fromSecureString(content: string, masterPassword: string): Promise<Credentials> {
  const decrypt = getSharedAppEnv().getProperty("crypto/v1/decryptText");
- return decrypt(unsignEncryptedContent(content), masterPassword)
- .then((decryptedContent: string) => JSON.parse(decryptedContent))
- .then((credentialsData: any) => {
- // Handle compatibility updates for legacy credentials
- if (credentialsData.datasource) {
- if (typeof credentialsData.datasource === "string") {
- credentialsData.datasource = JSON.parse(credentialsData.datasource);
- }
- // Move username and password INTO the datasource config, as
- // they relate to the remote connection/source
- if (credentialsData.username) {
- credentialsData.datasource.username = credentialsData.username;
- delete credentialsData.username;
- }
- if (credentialsData.password) {
- credentialsData.datasource.password = credentialsData.password;
- delete credentialsData.password;
- }
- }
- return new Credentials(credentialsData, masterPassword);
- });
+ const decryptedContent = await decrypt(unsignEncryptedContent(content), masterPassword);
+ const credentialsData = JSON.parse(decryptedContent);
+ // Handle compatibility updates for legacy credentials
+ if (credentialsData.datasource) {
+ if (typeof credentialsData.datasource === "string") {
+ credentialsData.datasource = JSON.parse(credentialsData.datasource);
+ }
+ // Move username and password INTO the datasource config, as
+ // they relate to the remote connection/source
+ if (credentialsData.username) {
+ credentialsData.datasource.username = credentialsData.username;
+ delete credentialsData.username;
+ }
+ if (credentialsData.password) {
+ credentialsData.datasource.password = credentialsData.password;
+ delete credentialsData.password;
+ }
+ }
+ return new Credentials(credentialsData, masterPassword);
  }
 
  /**
@@ -190,10 +190,10 @@ export class Credentials {
  });
  setCredentials(id, {
  data: obj,
- masterPassword,
  purposes: Credentials.allPurposes(),
  open: false
  });
+ setMasterPassword(id, masterPassword);
  }
 
  /**
@@ -279,7 +279,8 @@ export class Credentials {
  throw new Error("Credential purposes don't allow for secure exports");
  }
  const encrypt = getSharedAppEnv().getProperty("crypto/v1/encryptText");
- const { data, masterPassword } = getCredentials(this.id);
+ const { data } = getCredentials(this.id);
+ const masterPassword = getMasterPassword(this.id);
  if (typeof masterPassword !== "string") {
  throw new Error(
  "Cannot convert Credentials to string: master password was not set or is invalid"

source/credentials/channel.ts → source/credentials/memory/credentials.ts

@@ -1,6 +1,6 @@
-import { CredentialsPayload } from "../types.js";
+import { CredentialsPayload } from "../../types.js";
 
-const __store = {};
+const __store: Record<string, CredentialsPayload | null> = {};
 
 export function credentialsAllowsPurpose(id: string, purpose: string): boolean {
  const { purposes } = getCredentials(id);

source/credentials/memory/password.ts

@@ -0,0 +1,14 @@
+const __store: Record<string, string | null> = {};
+
+export function getMasterPassword(id: string): string | null {
+ return __store[id] || null;
+}
+
+export function removeMasterPassword(id: string) {
+ __store[id] = null;
+ delete __store[id];
+}
+
+export function setMasterPassword(id: string, value: string) {
+ __store[id] = value;
+}

source/datasources/DropboxDatasource.ts

@@ -1,7 +1,7 @@
 import { TextDatasource } from "./TextDatasource.js";
 import { fireInstantiationHandlers, registerDatasource } from "./register.js";
 import { Credentials } from "../credentials/Credentials.js";
-import { getCredentials } from "../credentials/channel.js";
+import { getCredentials } from "../credentials/memory/credentials.js";
 import { getSharedAppEnv } from "../env/appEnv.js";
 import {
  DatasourceConfigurationDropbox,

source/datasources/FileDatasource.ts

@@ -4,7 +4,7 @@ import pify from "pify";
 import { TextDatasource } from "./TextDatasource.js";
 import { fireInstantiationHandlers, registerDatasource } from "./register.js";
 import { Credentials } from "../credentials/Credentials.js";
-import { getCredentials } from "../credentials/channel.js";
+import { getCredentials } from "../credentials/memory/credentials.js";
 import { ATTACHMENT_EXT } from "../tools/attachments.js";
 import {
  AttachmentDetails,

source/datasources/GoogleDriveDatasource.ts

@@ -4,8 +4,8 @@ import DatasourceAuthManager from "./DatasourceAuthManager.js";
 import { TextDatasource } from "./TextDatasource.js";
 import { fireInstantiationHandlers, registerDatasource } from "./register.js";
 import { Credentials } from "../credentials/Credentials.js";
-import { getCredentials } from "../credentials/channel.js";
-import { DatasourceConfigurationGoogleDrive } from "../types.js";
+import { getCredentials } from "../credentials/memory/credentials.js";
+import { DatasourceConfigurationGoogleDrive, DatasourceLoadedData, History } from "../types.js";
 
 const DATASOURCE_TYPE = "googledrive";
 
@@ -23,7 +23,7 @@ export default class GoogleDriveDatasource extends TextDatasource {
 
  /**
  * Datasource for Google Drive connections
- * @param {Credentials} credentials The credentials instance with which to
+ * @param credentials The credentials instance with which to
  * configure the datasource with
  */
  constructor(credentials: Credentials) {
@@ -57,11 +57,11 @@ export default class GoogleDriveDatasource extends TextDatasource {
 
  /**
  * Load an archive from the datasource
- * @param {Credentials} credentials The credentials for decryption
- * @returns {Promise.<LoadedVaultData>} A promise that resolves archive history
+ * @param credentials The credentials for decryption
+ * @returns A promise that resolves archive history
  * @memberof GoogleDriveDatasource
  */
- load(credentials, hasAuthed = false) {
+ load(credentials: Credentials, hasAuthed: boolean = false): Promise<DatasourceLoadedData> {
  if (this.hasContent) {
  return super.load(credentials);
  }
@@ -89,12 +89,12 @@ export default class GoogleDriveDatasource extends TextDatasource {
 
  /**
  * Save an archive using the datasource
- * @param {Array.<String>} history The archive history to save
- * @param {Credentials} credentials The credentials to save with
- * @returns {Promise} A promise that resolves when saving has completed
+ * @param history The archive history to save
+ * @param credentials The credentials to save with
+ * @returns A promise that resolves when saving has completed
  * @memberof GoogleDriveDatasource
  */
- save(history, credentials, hasAuthed = false) {
+ save(history: History, credentials: Credentials, hasAuthed: boolean = false) {
  return super
  .save(history, credentials)
  .then((encryptedContent) => this.client.putFileContents(encryptedContent, this.fileID))
@@ -116,7 +116,7 @@ export default class GoogleDriveDatasource extends TextDatasource {
 
  /**
  * Whether or not the datasource supports bypassing remote fetch operations
- * @returns {Boolean} True if content can be set to bypass fetch operations,
+ * @returns True if content can be set to bypass fetch operations,
  * false otherwise
  * @memberof GoogleDriveDatasource
  */

source/datasources/MemoryDatasource.ts

@@ -1,7 +1,7 @@
 import { TextDatasource } from "./TextDatasource.js";
 import { fireInstantiationHandlers, registerDatasource } from "./register.js";
 import { Credentials } from "../credentials/Credentials.js";
-import { getCredentials } from "../credentials/channel.js";
+import { getCredentials } from "../credentials/memory/credentials.js";
 import {
  AttachmentDetails,
  BufferLike,

source/datasources/TextDatasource.ts

@@ -1,7 +1,7 @@
 import EventEmitter from "eventemitter3";
 import hash from "hash.js";
 import { Credentials } from "../credentials/Credentials.js";
-import { credentialsAllowsPurpose, getCredentials } from "../credentials/channel.js";
+import { credentialsAllowsPurpose, getCredentials } from "../credentials/memory/credentials.js";
 import { detectFormat, getFormatForID } from "../io/formatRouter.js";
 import { fireInstantiationHandlers, registerDatasource } from "./register.js";
 import {

source/datasources/WebDAVDatasource.ts

@@ -4,7 +4,7 @@ import { TextDatasource } from "./TextDatasource.js";
 import { fireInstantiationHandlers, registerDatasource } from "./register.js";
 import { getSharedAppEnv } from "../env/appEnv.js";
 import { Credentials } from "../credentials/Credentials.js";
-import { getCredentials } from "../credentials/channel.js";
+import { getCredentials } from "../credentials/memory/credentials.js";
 import { ATTACHMENT_EXT } from "../tools/attachments.js";
 import {
  AttachmentDetails,

source/datasources/register.ts

@@ -1,4 +1,5 @@
-import { getCredentials } from "../credentials/channel.js";
+import { getCredentials } from "../credentials/memory/credentials.js";
+import { getMasterPassword } from "../credentials/memory/password.js";
 import { Credentials } from "../credentials/Credentials.js";
 import { TextDatasource } from "./TextDatasource.js";
 
@@ -61,9 +62,9 @@ export function prepareDatasourceCredentials(
  typeOverride: string = null
 ): Credentials {
  const {
- data: { datasource },
- masterPassword
+ data: { datasource }
  } = getCredentials(credentials.id);
+ const masterPassword = getMasterPassword(credentials.id);
  const datasourceType = typeOverride || datasource.type || "";
  const { open = false } = __datasourceFlags[datasourceType] || {};
  if (!open) {

source/io/VaultFormatA.ts

@@ -43,7 +43,7 @@ import VaultComparator from "./formatA/VaultComparator.js";
 import { getSharedAppEnv } from "../env/appEnv.js";
 import { decodeStringValue, isEncoded } from "../tools/encoding.js";
 import { generateUUID } from "../tools/uuid.js";
-import { getCredentials } from "../credentials/channel.js";
+import { getMasterPassword } from "../credentials/memory/password.js";
 import { historyArrayToString, historyStringToArray } from "./common.js";
 import { smartStripRemovedAssets } from "./formatA/merge.js";
 import {
@@ -99,7 +99,7 @@ export class VaultFormatA extends VaultFormat {
  static async encodeRaw(rawContent: History, credentials: Credentials): Promise<string> {
  const compress = getSharedAppEnv().getProperty("compression/v1/compressText");
  const encrypt = getSharedAppEnv().getProperty("crypto/v1/encryptText");
- const { masterPassword } = getCredentials(credentials.id);
+ const masterPassword = getMasterPassword(credentials.id);
  return Promise.resolve()
  .then(() => historyArrayToString(rawContent))
  .then((history) => compress(history))
@@ -152,7 +152,7 @@ export class VaultFormatA extends VaultFormat {
  static parseEncrypted(encryptedContent: string, credentials: Credentials): Promise<History> {
  const decompress = getSharedAppEnv().getProperty("compression/v1/decompressText");
  const decrypt = getSharedAppEnv().getProperty("crypto/v1/decryptText");
- const { masterPassword } = getCredentials(credentials.id);
+ const masterPassword = getMasterPassword(credentials.id);
  return Promise.resolve()
  .then(() => {
  if (!hasValidSignature(encryptedContent)) {