diff --git a/src/modules/auth/confidential-sso/index.ts b/src/modules/auth/confidential-sso/index.ts
index bc9bc50..c347850 100644
--- a/src/modules/auth/confidential-sso/index.ts
+++ b/src/modules/auth/confidential-sso/index.ts
@@ -20,6 +20,7 @@ export const doConfidentialSSOVerification = async ({ requestedLogin }: Confiden
 ...api,
 path: 'authentication/RequestLogin2',
 payload: { login: requestedLogin },
+ authentication: { type: 'app' },
 });
 
 const { idpAuthorizeUrl, spCallbackUrl, teamUuid, domainName } = requestLoginResponse;
@@ -56,6 +57,7 @@ export const doConfidentialSSOVerification = async ({ requestedLogin }: Confiden
 ...api,
 path: 'authentication/ConfirmLogin2',
 payload: { teamUuid, domainName, samlResponse },
+ authentication: { type: 'app' },
 });
 
 const ssoVerificationResult = await performSSOVerification({
diff --git a/src/modules/tunnel-api-connect/steps/sendSecureContent.ts b/src/modules/tunnel-api-connect/steps/sendSecureContent.ts
index 3a90f77..a1bd9c0 100644
--- a/src/modules/tunnel-api-connect/steps/sendSecureContent.ts
+++ b/src/modules/tunnel-api-connect/steps/sendSecureContent.ts
@@ -4,7 +4,7 @@ import type { SecureContentRequest, SecureContentResponse, SendSecureContentPara
 import { SecureTunnelNotInitialized, SendSecureContentDataDecryptionError } from '../errors.js';
 import type { ApiConnectInternalParams, ApiData, ApiRequestsDefault } from '../types.js';
 import { TypeCheck } from '../../typecheck/index.js';
-import { requestAppApi } from '../../../requestApi.js';
+import { requestAppApi, requestTeamApi, requestUserApi } from '../../../requestApi.js';
 
 const verifySendSecureBodySchemaValidator = new TypeCheck(secureContentBodyDataSchema);
 
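Review bot: Both hunks in this file add `authentication: { type: 'app' }`, which is exactly the value `sendSecureContent` now falls back to when the field is omitted, so the addition is behaviour-neutral. If it is meant to pin the SSO `RequestLogin2`/`ConfirmLogin2` calls to app-level authentication even if that default later changes, a short comment saying so, e.g. `// pin app-level auth for the SSO handshake regardless of the sendSecureContent default`, would make the intent reviewable; otherwise the two lines can be dropped. The enclosing `doConfidentialSSOVerification` function starts and ends outside both hunks.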
@@ -24,19 +24,45 @@ export const sendSecureContent = async (
 throw new SecureTunnelNotInitialized();
 }
 
- const { path, clientStateIn, clientStateOut, payload } = params;
+ const { path, clientStateIn, clientStateOut, payload: rawPayload, authentication = { type: 'app' } } = params;
 const { tunnelUuid } = apiData.clientHello;
 
- const encryptedData = encryptData(clientStateOut, payload);
+ const encryptedData = encryptData(clientStateOut, rawPayload);
 
- const response = await requestAppApi({
- path,
- payload: {
- encryptedData: sodium.to_hex(encryptedData),
- tunnelUuid,
- } satisfies SecureContentRequest,
- isNitroEncryptionService: true,
- });
+ const payload = {
+ encryptedData: sodium.to_hex(encryptedData),
+ tunnelUuid,
+ } satisfies SecureContentRequest;
+
+ let response: SecureContentResponse;
+
+ switch (authentication.type) {
+ case 'userDevice':
+ response = await requestUserApi({
+ path,
+ payload,
+ isNitroEncryptionService: true,
+ deviceKeys: authentication.deviceKeys,
+ login: authentication.login,
+ });
+ break;
+ case 'teamDevice':
+ response = await requestTeamApi({
+ path,
+ payload,
+ isNitroEncryptionService: true,
+ teamDeviceKeys: authentication.teamDeviceKeys,
+ teamUuid: authentication.teamUuid,
+ });
+ break;
+ case 'app':
+ response = await requestAppApi({
+ path,
+ payload,
+ isNitroEncryptionService: true,
+ });
+ break;
+ }
 
 const body = verifySendSecureBodySchemaValidator.validate(response);
 if (body instanceof Error) {
diff --git a/src/modules/tunnel-api-connect/steps/types.ts b/src/modules/tunnel-api-connect/steps/types.ts
index fa0c2ce..ee27587 100644
--- a/src/modules/tunnel-api-connect/steps/types.ts
+++ b/src/modules/tunnel-api-connect/steps/types.ts
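Review bot: The `switch (authentication.type)` has no `default`, so a value whose `type` is outside the declared union leaves `response` unassigned, and the failure would presumably surface only from `verifySendSecureBodySchemaValidator.validate(response)` as a schema error with no hint that the authentication selector was wrong. TypeScript accepts this because the switch is exhaustive over `AuthenticationParams`, but `authentication` arrives via the public `ApiConnect.sendSecureContent` surface and, as far as this diff shows, nothing checks its shape at runtime. An exhaustiveness `default` that narrows to `never` and throws keeps the compile-time guarantee and turns a malformed selector into an immediate, explicit error; the message should not interpolate the object, since `deviceKeys`/`teamDeviceKeys` carry secret keys. `sendSecureContent` itself starts before and ends after this hunk.
```typescript
  switch (authentication.type) {
    // … unchanged: 'userDevice', 'teamDevice' and 'app' cases …
    default: {
      // Exhaustiveness guard: `authentication` narrows to never here. Do not
      // interpolate the object into the message — it may carry secret keys.
      const _exhaustive: never = authentication;
      throw new Error('sendSecureContent: unsupported authentication type');
    }
  }
```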
@@ -25,11 +25,33 @@ export interface TerminateHelloRequest {
 tunnelUuid: string;
 }
 
+interface AppAuthenticationParams {
+ type: 'app';
+}
+
+interface UserDeviceAuthenticationParams {
+ type: 'userDevice';
+ login: string;
+ deviceKeys: { accessKey: string; secretKey: string };
+}
+
+interface TeamDeviceAuthenticationParams {
+ type: 'teamDevice';
+ teamUuid: string;
+ teamDeviceKeys: { accessKey: string; secretKey: string };
+}
+
+export type AuthenticationParams =
+ | AppAuthenticationParams
+ | UserDeviceAuthenticationParams
+ | TeamDeviceAuthenticationParams;
+
 export interface SendSecureContentParams {
 path: R['path'];
 clientStateIn: sodium.StateAddress;
 clientStateOut: sodium.StateAddress;
 payload: R['input'];
+ authentication?: AuthenticationParams;
 }
 
 export interface TerminateHelloParams {
diff --git a/src/modules/tunnel-api-connect/types.ts b/src/modules/tunnel-api-connect/types.ts
index 317a88a..ff37971 100644
--- a/src/modules/tunnel-api-connect/types.ts
+++ b/src/modules/tunnel-api-connect/types.ts
@@ -48,7 +48,7 @@ export interface ApiConnect {
 makeOrRefreshSession: (params: RefreshSessionParams) => Promise;
 /** Reinitialize the tunnel when the session has expired (cookie) */
 sendSecureContent: (
- params: Pick, 'path' | 'payload'>
+ params: Pick, 'path' | 'payload' | 'authentication'>
 ) => Promise;
 }
 
diff --git a/src/requestApi.ts b/src/requestApi.ts
index 7399a50..40c11d7 100644
--- a/src/requestApi.ts
+++ b/src/requestApi.ts
@@ -101,6 +101,7 @@ export interface RequestUserApi {
 accessKey: string;
 secretKey: string;
 };
+ isNitroEncryptionService?: boolean;
 }
 
 export const requestUserApi = async (params: RequestUserApi): Promise => {
@@ -124,6 +125,7 @@ export interface RequestTeamApi {
 accessKey: string;
 secretKey: string;
 };
+ isNitroEncryptionService?: boolean;
 }
 
 export const requestTeamApi = async (params: RequestTeamApi): Promise => {
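Review bot: The new exported `AuthenticationParams` union and the optional `authentication` field on `SendSecureContentParams` carry no TSDoc, so a caller cannot tell from the types that omitting the field selects app-level authentication (that default is applied in `sendSecureContent`'s destructuring, not here). Suggested comment on the field: `/** Transport-level credentials for the request carrying the encrypted payload; omitted means app authentication (the default applied in sendSecureContent). */`. The `{ accessKey: string; secretKey: string }` shape is also spelled out twice in this hunk and again on `RequestUserApi.deviceKeys` / `RequestTeamApi.teamDeviceKeys` in `src/requestApi.ts`; one named interface for it would keep the four declarations in sync and give the secret-bearing type a single place to document its handling. Note that the generic parameter list on `SendSecureContentParams` appears stripped in this rendering, so that line is not the literal source.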
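Review bot: `isNitroEncryptionService?: boolean` is added to `RequestUserApi` here and to `RequestTeamApi` in the next hunk, but neither hunk touches the `requestUserApi`/`requestTeamApi` bodies that begin on the hunks' last lines, so this diff does not show the flag being honoured; if those implementations still resolve the target host as before, the new `userDevice`/`teamDevice` branches of `sendSecureContent` would post the tunnel payload to the default API host rather than to whatever `requestAppApi` targets when the flag is set. Worth confirming against the full file. The field also lacks a doc comment; something like `/** Route this request to the Nitro encryption service endpoint instead of the default API host (same meaning as on requestAppApi). */`, adjusted to what the flag actually does, would make the optional default explicit for callers. Both function bodies lie outside the hunks.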