always return KdfMemory and KdfParallelism

the client will ignore the value of theses fields in case of `PBKDF2` (whether they are unset or left from trying out `Argon2id` as KDF). with `Argon2id` those fields should never be `null` but always in a valid state. if they are `null` (how would that even happen?) the client still assumes default values for `Argon2id` (i.e. m=64 and p=4) and if they are set to something else login will fail anyway.
2 years ago · 0daaa9b175
parent 525e6bb65a
commit 0daaa9b175
3 changed files with 14 additions and 38 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -803,16 +803,13 @@ pub async fn _prelogin(data: JsonUpcase<PreloginData>, mut conn: DbConn) -> Json
        None => (User::CLIENT_KDF_TYPE_DEFAULT, User::CLIENT_KDF_ITER_DEFAULT, None, None),
    };

-    let mut result = json!({
+    let result = json!({
        "Kdf": kdf_type,
        "KdfIterations": kdf_iter,
+        "KdfMemory": kdf_mem,
+        "KdfParallelism": kdf_para,
    });

-    if kdf_type == UserKdfType::Argon2id as i32 {
-        result["KdfMemory"] = Value::Number(kdf_mem.expect("Argon2 memory parameter is required.").into());
-        result["KdfParallelism"] = Value::Number(kdf_para.expect("Argon2 parallelism parameter is required.").into());
-    }
-
    Json(result)
 }

--- a/src/api/core/emergency_access.rs
+++ b/src/api/core/emergency_access.rs
@ -628,21 +628,15 @@ async fn takeover_emergency_access(emer_id: String, headers: Headers, mut conn:
        None => err!("Grantor user not found."),
    };

-    let mut result = json!({
+    let result = json!({
        "Kdf": grantor_user.client_kdf_type,
        "KdfIterations": grantor_user.client_kdf_iter,
+        "KdfMemory": grantor_user.client_kdf_memory,
+        "KdfParallelism": grantor_user.client_kdf_parallelism,
        "KeyEncrypted": &emergency_access.key_encrypted,
        "Object": "emergencyAccessTakeover",
    });

-    if grantor_user.client_kdf_type == UserKdfType::Argon2id as i32 {
-        result["KdfMemory"] =
-            Value::Number(grantor_user.client_kdf_memory.expect("Argon2 memory parameter is required.").into());
-        result["KdfParallelism"] = Value::Number(
-            grantor_user.client_kdf_parallelism.expect("Argon2 parallelism parameter is required.").into(),
-        );
-    }
-
    Ok(Json(result))
 }

--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@ -107,7 +107,7 @@ async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
    let (access_token, expires_in) = device.refresh_tokens(&user, orgs, scope_vec);
    device.save(conn).await?;

-    let mut result = json!({
+    let result = json!({
        "access_token": access_token,
        "expires_in": expires_in,
        "token_type": "Bearer",
@ -117,18 +117,13 @@ async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {

        "Kdf": user.client_kdf_type,
        "KdfIterations": user.client_kdf_iter,
+        "KdfMemory": user.client_kdf_memory,
+        "KdfParallelism": user.client_kdf_parallelism,
        "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
        "scope": scope,
        "unofficialServer": true,
    });

-    if user.client_kdf_type == UserKdfType::Argon2id as i32 {
-        result["KdfMemory"] =
-            Value::Number(user.client_kdf_memory.expect("Argon2 memory parameter is required.").into());
-        result["KdfParallelism"] =
-            Value::Number(user.client_kdf_parallelism.expect("Argon2 parallelism parameter is required.").into());
-    }
-
    Ok(Json(result))
 }

@ -260,6 +255,8 @@ async fn _password_login(

        "Kdf": user.client_kdf_type,
        "KdfIterations": user.client_kdf_iter,
+        "KdfMemory": user.client_kdf_memory,
+        "KdfParallelism": user.client_kdf_parallelism,
        "ResetMasterPassword": false,// TODO: Same as above
        "scope": scope,
        "unofficialServer": true,
@ -269,13 +266,6 @@ async fn _password_login(
        result["TwoFactorToken"] = Value::String(token);
    }

-    if user.client_kdf_type == UserKdfType::Argon2id as i32 {
-        result["KdfMemory"] =
-            Value::Number(user.client_kdf_memory.expect("Argon2 memory parameter is required.").into());
-        result["KdfParallelism"] =
-            Value::Number(user.client_kdf_parallelism.expect("Argon2 parallelism parameter is required.").into());
-    }
-
    info!("User {} logged in successfully. IP: {}", username, ip.ip);
    Ok(Json(result))
 }
@ -360,7 +350,7 @@ async fn _api_key_login(

    // Note: No refresh_token is returned. The CLI just repeats the
    // client_credentials login flow when the existing token expires.
-    let mut result = json!({
+    let result = json!({
        "access_token": access_token,
        "expires_in": expires_in,
        "token_type": "Bearer",
@ -369,18 +359,13 @@ async fn _api_key_login(

        "Kdf": user.client_kdf_type,
        "KdfIterations": user.client_kdf_iter,
+        "KdfMemory": user.client_kdf_memory,
+        "KdfParallelism": user.client_kdf_parallelism,
        "ResetMasterPassword": false, // TODO: Same as above
        "scope": scope,
        "unofficialServer": true,
    });

-    if user.client_kdf_type == UserKdfType::Argon2id as i32 {
-        result["KdfMemory"] =
-            Value::Number(user.client_kdf_memory.expect("Argon2 memory parameter is required.").into());
-        result["KdfParallelism"] =
-            Value::Number(user.client_kdf_parallelism.expect("Argon2 parallelism parameter is required.").into());
-    }
-
    Ok(Json(result))
 }