Implement User-based API Keys (#197)

* Added support for authenticating with an API key

* added api service methods for user api keys

* fixed a copy/pasted api endpoint url

* Let toIdentityToken() use a a prestored client_id in place of the application client_id if one exists

* Allowed for api key auth in the cli

* Removed some commented out code commited for apiKey auth

* Cleanup for ApiKey auth in the CLI

* Removed cli prefix from client_crendential auth types

* Removed ClientPrefix conditional from decoded token getters

* Update src/services/api.service.ts

Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>

* formatting

* changed command from login --apiKey to login --apikey

Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>

src/abstractions/api.service.ts

@@ -153,6 +153,8 @@ export abstract class ApiService {
     postAccountRecoverDeleteToken: (request: VerifyDeleteRecoverRequest) => Promise<any>;
     postAccountKdf: (request: KdfRequest) => Promise<any>;
     getEnterprisePortalSignInToken: () => Promise<string>;
+    postUserApiKey: (id: string, request: PasswordVerificationRequest) => Promise<ApiKeyResponse>;
+    postUserRotateApiKey: (id: string, request: PasswordVerificationRequest) => Promise<ApiKeyResponse>;
 
     getFolder: (id: string) => Promise<FolderResponse>;
     postFolder: (request: FolderRequest) => Promise<FolderResponse>;

src/abstractions/auth.service.ts

@@ -9,21 +9,27 @@ export abstract class AuthService {
     code: string;
     codeVerifier: string;
     ssoRedirectUrl: string;
+    clientId: string;
+    clientSecret: string;
     twoFactorProvidersData: Map<TwoFactorProviderType, { [key: string]: string; }>;
     selectedTwoFactorProviderType: TwoFactorProviderType;
 
     logIn: (email: string, masterPassword: string) => Promise<AuthResult>;
     logInSso: (code: string, codeVerifier: string, redirectUrl: string) => Promise<AuthResult>;
+    logInApiKey: (clientId: string, clientSecret: string) => Promise<AuthResult>;
     logInTwoFactor: (twoFactorProvider: TwoFactorProviderType, twoFactorToken: string,
         remember?: boolean) => Promise<AuthResult>;
     logInComplete: (email: string, masterPassword: string, twoFactorProvider: TwoFactorProviderType,
         twoFactorToken: string, remember?: boolean) => Promise<AuthResult>;
     logInSsoComplete: (code: string, codeVerifier: string, redirectUrl: string,
         twoFactorProvider: TwoFactorProviderType, twoFactorToken: string, remember?: boolean) => Promise<AuthResult>;
+    logInApiKeyComplete: (clientId: string, clientSecret: string, twoFactorProvider: TwoFactorProviderType,
+        twoFactorToken: string, remember?: boolean) => Promise<AuthResult>;
     logOut: (callback: Function) => void;
     getSupportedTwoFactorProviders: (win: Window) => any[];
     getDefaultTwoFactorProvider: (u2fSupported: boolean) => TwoFactorProviderType;
     makePreloginKey: (masterPassword: string, email: string) => Promise<SymmetricCryptoKey>;
+    authingWithApiKey: () => boolean;
     authingWithSso: () => boolean;
     authingWithPassword: () => boolean;
 }

src/angular/components/two-factor.component.ts

@@ -8,7 +8,6 @@ import {
     Router,
 } from '@angular/router';
 
-import { DeviceType } from '../../enums/deviceType';
 import { TwoFactorProviderType } from '../../enums/twoFactorProviderType';
 
 import { TwoFactorEmailRequest } from '../../models/request/twoFactorEmailRequest';
@@ -59,8 +58,7 @@ export class TwoFactorComponent implements OnInit, OnDestroy {
     }
 
     async ngOnInit() {
-        if ((!this.authService.authingWithSso() && !this.authService.authingWithPassword()) ||
+        if (!this.authing || this.authService.twoFactorProvidersData == null) {
-            this.authService.twoFactorProvidersData == null) {
             this.router.navigate([this.loginRoute]);
             return;
         }
@@ -75,7 +73,7 @@ export class TwoFactorComponent implements OnInit, OnDestroy {
             }
         });
 
-        if (this.authService.authingWithSso()) {
+        if (this.needsLock) {
             this.successRoute = 'lock';
         }
 
@@ -246,4 +244,12 @@ export class TwoFactorComponent implements OnInit, OnDestroy {
             this.u2f.cleanup();
         }
     }
+
+    get authing(): boolean {
+        return this.authService.authingWithPassword() || this.authService.authingWithSso() || this.authService.authingWithApiKey()
+    }
+
+    get needsLock(): boolean {
+        return this.authService.authingWithSso() || this.authService.authingWithApiKey();
+    }
 }

src/cli/commands/login.command.ts

@@ -46,7 +46,38 @@ export class LoginCommand {
 
         let ssoCodeVerifier: string = null;
         let ssoCode: string = null;
-        if (cmd.sso != null && this.canInteract) {
+
+        let clientId: string = null;
+        let clientSecret: string = null;
+
+        if (cmd.apikey != null) {
+            const storedClientId: string = process.env.BW_CLIENTID;
+            const storedClientSecret: string = process.env.BW_CLIENTSECRET;
+            if (storedClientId == null) {
+                if (this.canInteract) {
+                    const answer: inquirer.Answers = await inquirer.createPromptModule({ output: process.stderr })({
+                        type: 'input',
+                        name: 'clientId',
+                        message: 'client_id:',
+                    });
+                    clientId = answer.clientId;
+                } else {
+                    clientId = null;
+                }
+            } else {
+                clientId = storedClientId;
+            }
+            if (this.canInteract && storedClientSecret == null) {
+                const answer: inquirer.Answers = await inquirer.createPromptModule({ output: process.stderr })({
+                    type: 'input',
+                    name: 'clientSecret',
+                    message: 'client_secret:',
+                });
+                clientSecret = answer.clientSecret;
+            } else {
+                clientSecret = storedClientSecret;
+            }
+        } else if (cmd.sso != null && this.canInteract) {
             const passwordOptions: any = {
                 type: 'password',
                 length: 64,
@@ -117,7 +148,10 @@ export class LoginCommand {
 
             let response: AuthResult = null;
             if (twoFactorToken != null && twoFactorMethod != null) {
-                if (ssoCode != null && ssoCodeVerifier != null) {
+                if (clientId != null && clientSecret != null) {
+                    response = await this.authService.logInApiKeyComplete(clientId, clientSecret, twoFactorMethod,
+                        twoFactorToken, false);
+                } else if (ssoCode != null && ssoCodeVerifier != null) {
                     response = await this.authService.logInSsoComplete(ssoCode, ssoCodeVerifier, this.ssoRedirectUri,
                         twoFactorMethod, twoFactorToken, false);
                 } else {
@@ -125,9 +159,10 @@ export class LoginCommand {
                         twoFactorToken, false);
                 }
             } else {
-                if (ssoCode != null && ssoCodeVerifier != null) {
+                if (clientId != null && clientSecret != null) {
+                    response = await this.authService.logInApiKey(clientId, clientSecret);
+                } else if (ssoCode != null && ssoCodeVerifier != null) {
                     response = await this.authService.logInSso(ssoCode, ssoCodeVerifier, this.ssoRedirectUri);
-
                 } else {
                     response = await this.authService.logIn(email, password);
                 }

src/models/request/tokenRequest.ts

@@ -8,12 +8,14 @@ export class TokenRequest {
     code: string;
     codeVerifier: string;
     redirectUri: string;
+    clientId: string;
+    clientSecret: string;
     token: string;
     provider: TwoFactorProviderType;
     remember: boolean;
     device?: DeviceRequest;
 
-    constructor(credentials: string[], codes: string[], provider: TwoFactorProviderType,
+    constructor(credentials: string[], codes: string[], clientIdClientSecret: string[], provider: TwoFactorProviderType,
         token: string, remember: boolean, device?: DeviceRequest) {
         if (credentials != null && credentials.length > 1) {
             this.email = credentials[0];
@@ -22,6 +24,9 @@ export class TokenRequest {
             this.code = codes[0];
             this.codeVerifier = codes[1];
             this.redirectUri = codes[2];
+        } else if (clientIdClientSecret != null && clientIdClientSecret.length > 1) {
+            this.clientId = clientIdClientSecret[0]
+            this.clientSecret = clientIdClientSecret[1]
         }
         this.token = token;
         this.provider = provider;
@@ -35,7 +40,11 @@ export class TokenRequest {
             client_id: clientId,
         };
 
-        if (this.masterPasswordHash != null && this.email != null) {
+        if (this.clientSecret != null) {
+            obj.scope = 'api';
+            obj.grant_type = 'client_credentials';
+            obj.client_secret = this.clientSecret;
+        } else if (this.masterPasswordHash != null && this.email != null) {
             obj.grant_type = 'password';
             obj.username = this.email;
             obj.password = this.masterPasswordHash;

src/services/api.service.ts

@@ -179,7 +179,7 @@ export class ApiService implements ApiServiceAbstraction {
             headers.set('User-Agent', this.customUserAgent);
         }
         const response = await this.fetch(new Request(this.identityBaseUrl + '/connect/token', {
-            body: this.qsStringify(request.toIdentityToken(this.platformUtilsService.identityClientId)),
+            body: this.qsStringify(request.toIdentityToken(request.clientId ?? this.platformUtilsService.identityClientId)),
             credentials: this.getCredentials(),
             cache: 'no-store',
             headers: headers,
@@ -360,6 +360,16 @@ export class ApiService implements ApiServiceAbstraction {
         return this.send('GET', '/accounts/sso/user-identifier', null, true, true);
     }
 
+    async postUserApiKey(id: string, request: PasswordVerificationRequest): Promise<ApiKeyResponse> {
+        const r = await this.send('POST', '/accounts/api-key', request, true, true);
+        return new ApiKeyResponse(r);
+    }
+
+    async postUserRotateApiKey(id: string, request: PasswordVerificationRequest): Promise<ApiKeyResponse> {
+        const r = await this.send('POST', '/accounts/rotate-api-key', request, true, true);
+        return new ApiKeyResponse(r);
+    }
+
     // Folder APIs
 
     async getFolder(id: string): Promise<FolderResponse> {

src/services/auth.service.ts

@@ -9,7 +9,6 @@ import { KeysRequest } from '../models/request/keysRequest';
 import { PreloginRequest } from '../models/request/preloginRequest';
 import { TokenRequest } from '../models/request/tokenRequest';
 
-import { ErrorResponse } from '../models/response/errorResponse';
 import { IdentityTokenResponse } from '../models/response/identityTokenResponse';
 import { IdentityTwoFactorResponse } from '../models/response/identityTwoFactorResponse';
 
@@ -81,6 +80,8 @@ export class AuthService implements AuthServiceAbstraction {
     code: string;
     codeVerifier: string;
     ssoRedirectUrl: string;
+    clientId: string;
+    clientSecret: string;
     twoFactorProvidersData: Map<TwoFactorProviderType, { [key: string]: string; }>;
     selectedTwoFactorProviderType: TwoFactorProviderType = null;
 
@@ -118,19 +119,27 @@ export class AuthService implements AuthServiceAbstraction {
         this.selectedTwoFactorProviderType = null;
         const key = await this.makePreloginKey(masterPassword, email);
         const hashedPassword = await this.cryptoService.hashPassword(masterPassword, key);
-        return await this.logInHelper(email, hashedPassword, null, null, null, key,
+        return await this.logInHelper(email, hashedPassword, null, null, null, null, null,
-            null, null, null);
+            key, null, null, null);
     }
 
     async logInSso(code: string, codeVerifier: string, redirectUrl: string): Promise<AuthResult> {
         this.selectedTwoFactorProviderType = null;
-        return await this.logInHelper(null, null, code, codeVerifier, redirectUrl, null, null, null, null);
+        return await this.logInHelper(null, null, code, codeVerifier, redirectUrl, null, null,
+            null, null, null, null);
+    }
+
+    async logInApiKey(clientId: string, clientSecret: string): Promise<AuthResult> {
+        this.selectedTwoFactorProviderType = null;
+        return await this.logInHelper(null, null, null, null, null, clientId, clientSecret,
+            null, null, null, null);
     }
 
     async logInTwoFactor(twoFactorProvider: TwoFactorProviderType, twoFactorToken: string,
         remember?: boolean): Promise<AuthResult> {
         return await this.logInHelper(this.email, this.masterPasswordHash, this.code, this.codeVerifier,
-            this.ssoRedirectUrl, this.key, twoFactorProvider, twoFactorToken, remember);
+            this.ssoRedirectUrl, this.clientId, this.clientSecret, this.key, twoFactorProvider,
+            twoFactorToken, remember);
     }
 
     async logInComplete(email: string, masterPassword: string, twoFactorProvider: TwoFactorProviderType,
@@ -138,14 +147,21 @@ export class AuthService implements AuthServiceAbstraction {
         this.selectedTwoFactorProviderType = null;
         const key = await this.makePreloginKey(masterPassword, email);
         const hashedPassword = await this.cryptoService.hashPassword(masterPassword, key);
-        return await this.logInHelper(email, hashedPassword, null, null, null, key, twoFactorProvider, twoFactorToken,
+        return await this.logInHelper(email, hashedPassword, null, null, null, null, null, key,
-            remember);
+            twoFactorProvider, twoFactorToken, remember);
     }
 
     async logInSsoComplete(code: string, codeVerifier: string, redirectUrl: string,
         twoFactorProvider: TwoFactorProviderType, twoFactorToken: string, remember?: boolean): Promise<AuthResult> {
         this.selectedTwoFactorProviderType = null;
         return await this.logInHelper(null, null, code, codeVerifier, redirectUrl, null,
+            null, null, twoFactorProvider, twoFactorToken, remember);
+    }
+
+    async logInApiKeyComplete(clientId: string, clientSecret: string, twoFactorProvider: TwoFactorProviderType,
+        twoFactorToken: string, remember?: boolean): Promise<AuthResult> {
+        this.selectedTwoFactorProviderType = null;
+        return await this.logInHelper(null, null, null, null, null, clientId, clientSecret, null,
             twoFactorProvider, twoFactorToken, remember);
     }
 
@@ -233,6 +249,10 @@ export class AuthService implements AuthServiceAbstraction {
         return this.cryptoService.makeKey(masterPassword, email, kdf, kdfIterations);
     }
 
+    authingWithApiKey(): boolean {
+        return this.clientId != null && this.clientSecret != null;
+    }
+
     authingWithSso(): boolean {
         return this.code != null && this.codeVerifier != null && this.ssoRedirectUrl != null;
     }
@@ -242,14 +262,16 @@ export class AuthService implements AuthServiceAbstraction {
     }
 
     private async logInHelper(email: string, hashedPassword: string, code: string, codeVerifier: string,
-        redirectUrl: string, key: SymmetricCryptoKey, twoFactorProvider?: TwoFactorProviderType,
+        redirectUrl: string, clientId: string, clientSecret: string, key: SymmetricCryptoKey,
-        twoFactorToken?: string, remember?: boolean): Promise<AuthResult> {
+        twoFactorProvider?: TwoFactorProviderType, twoFactorToken?: string, remember?: boolean): Promise<AuthResult> {
         const storedTwoFactorToken = await this.tokenService.getTwoFactorToken(email);
         const appId = await this.appIdService.getAppId();
         const deviceRequest = new DeviceRequest(appId, this.platformUtilsService);
 
         let emailPassword: string[] = [];
         let codeCodeVerifier: string[] = [];
+        let clientIdClientSecret: string[] = [];
+
         if (email != null && hashedPassword != null) {
             emailPassword = [email, hashedPassword];
         } else {
@@ -260,16 +282,22 @@ export class AuthService implements AuthServiceAbstraction {
         } else {
             codeCodeVerifier = null;
         }
+        if (clientId != null && clientSecret != null) {
+            clientIdClientSecret = [clientId, clientSecret]
+        } else {
+            clientIdClientSecret = null;
+        }
 
         let request: TokenRequest;
         if (twoFactorToken != null && twoFactorProvider != null) {
-            request = new TokenRequest(emailPassword, codeCodeVerifier, twoFactorProvider, twoFactorToken, remember,
+            request = new TokenRequest(emailPassword, codeCodeVerifier, clientIdClientSecret, twoFactorProvider,
-                deviceRequest);
+                twoFactorToken, remember, deviceRequest);
         } else if (storedTwoFactorToken != null) {
-            request = new TokenRequest(emailPassword, codeCodeVerifier, TwoFactorProviderType.Remember,
+            request = new TokenRequest(emailPassword, codeCodeVerifier, clientIdClientSecret, TwoFactorProviderType.Remember,
                 storedTwoFactorToken, false, deviceRequest);
         } else {
-            request = new TokenRequest(emailPassword, codeCodeVerifier, null, null, false, deviceRequest);
+            request = new TokenRequest(emailPassword, codeCodeVerifier, clientIdClientSecret, null,
+                null, false, deviceRequest);
         }
 
         const response = await this.apiService.postIdentityToken(request);
@@ -286,6 +314,8 @@ export class AuthService implements AuthServiceAbstraction {
             this.code = code;
             this.codeVerifier = codeVerifier;
             this.ssoRedirectUrl = redirectUrl;
+            this.clientId = clientId;
+            this.clientSecret = clientSecret;
             this.key = this.setCryptoKeys ? key : null;
             this.twoFactorProvidersData = twoFactorResponse.twoFactorProviders2;
             result.twoFactorProviders = twoFactorResponse.twoFactorProviders2;
@@ -343,6 +373,8 @@ export class AuthService implements AuthServiceAbstraction {
         this.code = null;
         this.codeVerifier = null;
         this.ssoRedirectUrl = null;
+        this.clientId = null;
+        this.clientSecret = null;
         this.twoFactorProvidersData = null;
         this.selectedTwoFactorProviderType = null;
     }