duckduckgo · brindy · Mar 31, 2023 · Mar 20, 2023 · Mar 21, 2023 · Mar 22, 2023
diff --git a/Package.resolved b/Package.resolved
@@ -68,8 +68,8 @@
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/duckduckgo/sync_crypto",
       "state" : {
-        "revision" : "df751674ee842d129c50a183668b033d02c2980d",
-        "version" : "0.0.1"
+        "revision" : "2ab6ab6f0f96b259c14c2de3fc948935fc16ac78",
+        "version" : "0.2.0"
       }
     },
     {

diff --git a/Package.swift b/Package.swift
@@ -29,7 +29,7 @@ let package = Package(
         .package(url: "https://github.com/duckduckgo/duckduckgo-autofill.git", exact: "6.4.3"),
         .package(url: "https://github.com/duckduckgo/GRDB.swift.git", exact: "2.0.0"),
         .package(url: "https://github.com/duckduckgo/TrackerRadarKit", exact: "1.2.1"),
-        .package(url: "https://github.com/duckduckgo/sync_crypto", exact: "0.0.1"),
+        .package(url: "https://github.com/duckduckgo/sync_crypto", exact: "0.2.0"),
         .package(url: "https://github.com/gumob/PunycodeSwift.git", exact: "2.1.0"),
         .package(url: "https://github.com/duckduckgo/content-scope-scripts", exact: "4.4.4"),
         .package(url: "https://github.com/duckduckgo/privacy-dashboard", exact: "1.4.0"),

diff --git a/Sources/DDGSync/DDGSync.swift b/Sources/DDGSync/DDGSync.swift
@@ -65,6 +65,22 @@ public class DDGSync: DDGSyncing {
         updateIsAuthenticated()
     }
 
+    public func remoteConnect() throws -> RemoteConnecting {
+        guard try dependencies.secureStore.account() == nil else {
+            throw SyncError.accountAlreadyExists
+        }
+        let info = try dependencies.crypter.prepareForConnect()
+        return try dependencies.createRemoteConnector(info)
+    }
+
+    public func transmitRecoveryKey(_ connectCode: SyncCode.ConnectCode) async throws {
+        guard try dependencies.secureStore.account() != nil else {
+            throw SyncError.accountNotFound
+        }
+
+        try await dependencies.createRecoveryKeyTransmitter().send(connectCode)
+    }
+
     public func sender() throws -> UpdatesSending {
         return try dependencies.createUpdatesSender(persistence)
     }

diff --git a/Sources/DDGSync/DDGSyncing.swift b/Sources/DDGSync/DDGSyncing.swift
@@ -58,6 +58,16 @@ public protocol DDGSyncing {
      */
     func login(_ recoveryKey: SyncCode.RecoveryKey, deviceName: String, deviceType: String) async throws
 
+    /**
+    Returns a device id and temporary secret key ready for display then polls the end point for a recovery key.
+     */
+    func remoteConnect() throws -> RemoteConnecting
+
+    /**
+     Sends this device's recovery key to the server encrypted using supplied key
+     */
+    func transmitRecoveryKey(_ connectCode: SyncCode.ConnectCode) async throws
+
     /**
     Creates an atomic sender.  Add items to the sender and then call send to send them all in a single PATCH.  Will automatically re-try if there is a network failure.
      */
@@ -155,3 +165,11 @@ public struct SavedSiteFolder: Codable {
     }
 
 }
+
+public protocol RemoteConnecting {
+
+    var code: String { get }
+
+    func fetchRecoveryKey() async throws -> SyncCode.RecoveryKey?
+
+}
diff --git a/Sources/DDGSync/SyncError.swift b/Sources/DDGSync/SyncError.swift
@@ -36,6 +36,9 @@ public enum SyncError: Error {
 
     case failedToEncryptValue(_ message: String)
     case failedToDecryptValue(_ message: String)
+    case failedToPrepareForConnect(_ message: String)
+    case failedToOpenSealedBox(_ message: String)
+    case failedToSealData(_ message: String)
 
     case failedToWriteSecureStore(status: OSStatus)
     case failedToReadSecureStore(status: OSStatus)

diff --git a/Sources/DDGSync/SyncModels.swift b/Sources/DDGSync/SyncModels.swift
@@ -19,7 +19,7 @@
 
 import Foundation
 
-public struct SyncAccount: Codable {
+public struct SyncAccount: Codable, Sendable {
     public let deviceId: String
     public let deviceName: String
     public let deviceType: String
@@ -40,7 +40,7 @@ public struct SyncAccount: Codable {
     }
 }
 
-public struct RegisteredDevice: Codable {
+public struct RegisteredDevice: Codable, Sendable {
     public let id: String
     public let name: String
     public let type: String
@@ -60,6 +60,17 @@ public struct ExtractedLoginInfo {
     public let stretchedPrimaryKey: Data
 }
 
+public struct ConnectInfo {
+    public let deviceID: String
+    public let publicKey: Data
+    public let secretKey: Data
+}
+
+public struct LoginResult: Sendable {
+    let account: SyncAccount
+    let devices: [RegisteredDevice]
+}
+
 public struct SyncCode: Codable {
 
     public enum Base64Error: Error {

diff --git a/Sources/DDGSync/internal/AccountManager.swift b/Sources/DDGSync/internal/AccountManager.swift
@@ -78,7 +78,7 @@ struct AccountManager: AccountManaging {
                            token: result.token)
     }
 
-    func login(_ recoveryKey: SyncCode.RecoveryKey, deviceName: String, deviceType: String) async throws -> (account: SyncAccount, devices: [RegisteredDevice]) {
+    func login(_ recoveryKey: SyncCode.RecoveryKey, deviceName: String, deviceType: String) async throws -> LoginResult {
         let deviceId = UUID().uuidString
 
         let recoveryInfo = try crypter.extractLoginInfo(recoveryKey: recoveryKey)
@@ -93,9 +93,7 @@ struct AccountManager: AccountManaging {
             deviceType: encryptedDeviceType
         )
 
-        guard let paramJson = try? JSONEncoder.snakeCaseKeys.encode(params) else {
-            fatalError()
-        }
+        let paramJson = try JSONEncoder.snakeCaseKeys.encode(params)
 
         let request = api.createRequest(
             url: endpoints.login,
@@ -125,17 +123,17 @@ struct AccountManager: AccountManaging {
 
         let secretKey = try crypter.extractSecretKey(protectedSecretKey: protectedSecretKey, stretchedPrimaryKey: recoveryInfo.stretchedPrimaryKey)
 
-        return try (
+        return LoginResult(
             account: SyncAccount(
-                deviceId: deviceId,
+                deviceId: params.deviceId,
                 deviceName: deviceName,
                 deviceType: deviceType,
                 userId: recoveryInfo.userId,
                 primaryKey: recoveryInfo.primaryKey,
                 secretKey: secretKey,
                 token: token
             ),
-            devices: result.devices.map {
+            devices: try result.devices.map {
                 RegisteredDevice(
                     id: $0.deviceId,
                     name: try crypter.base64DecodeAndDecrypt($0.deviceName, using: recoveryInfo.primaryKey),

diff --git a/Sources/DDGSync/internal/Crypter.swift b/Sources/DDGSync/internal/Crypter.swift
@@ -130,6 +130,43 @@ struct Crypter: Crypting {
         return Data(secretKeyBytes)
     }
 
+    func prepareForConnect() throws -> ConnectInfo {
+        var publicKeyBytes = [UInt8](repeating: 0, count:  Int(DDGSYNCCRYPTO_PUBLIC_KEY_SIZE.rawValue))
+        var secretKeyBytes = [UInt8](repeating: 0, count: Int(DDGSYNCCRYPTO_PRIVATE_KEY_SIZE.rawValue))
+        let result = ddgSyncPrepareForConnect(&publicKeyBytes, &secretKeyBytes)
+        guard DDGSYNCCRYPTO_OK == result else {
+            throw SyncError.failedToPrepareForConnect("ddgSyncPrepareForConnect failed: \(result)")
+        }
+        return ConnectInfo(deviceID: UUID().uuidString,
+                           publicKey: Data(publicKeyBytes),
+                           secretKey: Data(secretKeyBytes))
+    }
+
+    func seal(_ data: Data, secretKey: Data) throws -> Data {
+        var rawBytes = data.safeBytes
+        var secretKeyBytes = secretKey.safeBytes
+        var encryptedBytes = [UInt8](repeating: 0, count: rawBytes.count + Int(DDGSYNCCRYPTO_SEAL_EXTRA_BYTES_SIZE.rawValue))
+        let result = ddgSyncSeal(&encryptedBytes, &secretKeyBytes, &rawBytes, UInt64(rawBytes.count))
+        guard DDGSYNCCRYPTO_OK == result else {
+            throw SyncError.failedToSealData("ddgSyncSeal failed: \(result)")
+        }
+        return Data(encryptedBytes)
+    }
+
+    func unseal(encryptedData: Data, publicKey: Data, secretKey: Data) throws -> Data {
+        var encryptedBytes = encryptedData.safeBytes
+        var rawBytes = [UInt8](repeating: 0, count: encryptedBytes.count - Int(DDGSYNCCRYPTO_SEAL_EXTRA_BYTES_SIZE.rawValue))
+
+        var publicKeyBytes = publicKey.safeBytes
+        var secretKeyBytes = secretKey.safeBytes
+
+        let result = ddgSyncSealOpen(&encryptedBytes, UInt64(encryptedBytes.count), &publicKeyBytes, &secretKeyBytes, &rawBytes)
+        guard DDGSYNCCRYPTO_OK == result else {
+            throw SyncError.failedToOpenSealedBox("ddgSyncSealOpen failed: \(result)")
+        }
+        return Data(rawBytes)
+    }
+
 }
 
 extension Data {

diff --git a/Sources/DDGSync/internal/Endpoints.swift b/Sources/DDGSync/internal/Endpoints.swift
@@ -23,6 +23,7 @@ struct Endpoints {
     let signup: URL
     let login: URL
     let logoutDevice: URL
+    let connect: URL
 
     /// Optionally has the data type(s) appended to it, e.g. `sync/bookmarks`, `sync/type1,type2,type3`
     let syncGet: URL
@@ -33,6 +34,8 @@ struct Endpoints {
         signup = baseUrl.appendingPathComponent("sync/signup")
         login = baseUrl.appendingPathComponent("sync/login")
         logoutDevice = baseUrl.appendingPathComponent("sync/logout-device")
+        connect = baseUrl.appendingPathComponent("sync/connect")
+
         syncGet = baseUrl.appendingPathComponent("sync")
         syncPatch = baseUrl.appendingPathComponent("sync/data")
     }

diff --git a/Sources/DDGSync/internal/ProductionDependencies.swift b/Sources/DDGSync/internal/ProductionDependencies.swift
@@ -53,6 +53,10 @@ struct ProductionDependencies: SyncDependencies {
         responseHandler = ResponseHandler(persistence: persistence, crypter: crypter)
     }
 
+    func createRemoteConnector(_ info: ConnectInfo) throws -> RemoteConnecting {
+        return try RemoteConnector(account: account, crypter: crypter, api: api, endpoints: endpoints, storage: secureStore, connectInfo: info)
+    }
+
     func createUpdatesSender(_ persistence: LocalDataPersisting) throws -> UpdatesSending {
         return UpdatesSender(fileStorageUrl: fileStorageUrl, persistence: persistence, dependencies: self)
     }
@@ -61,4 +65,8 @@ struct ProductionDependencies: SyncDependencies {
         return UpdatesFetcher(persistence: persistence, dependencies: self)
     }
 
+    func createRecoveryKeyTransmitter() throws -> RecoveryKeyTransmitting {
+        return RecoveryKeyTransmitter(endpoints: endpoints, api: api, storage: secureStore, crypter: crypter)
+    }
+
 }
diff --git a/Sources/DDGSync/internal/RecoveryKeyTransmitter.swift b/Sources/DDGSync/internal/RecoveryKeyTransmitter.swift
@@ -0,0 +1,63 @@
+//
+//  RecoveryKeyTransmitter.swift
+//  DuckDuckGo
+//
+//  Copyright © 2023 DuckDuckGo. All rights reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+//
+
+import Foundation
+import os
+
+struct RecoveryKeyTransmitter: RecoveryKeyTransmitting {
+
+    let endpoints: Endpoints
+    let api: RemoteAPIRequestCreating
+    let storage: SecureStoring
+    let crypter: Crypting
+
+    func send(_ code: SyncCode.ConnectCode) async throws {
+        guard let account = try storage.account() else {
+            throw SyncError.accountNotFound
+        }
+
+        guard let token = try storage.account()?.token else {
+            throw SyncError.noToken
+        }
+
+        let recoveryKey = try JSONEncoder.snakeCaseKeys.encode(
+            SyncCode.RecoveryKey(userId: account.userId, primaryKey: account.primaryKey)
+        )
+
+        let encryptedRecoveryKey = try crypter.seal(recoveryKey, secretKey: code.secretKey)
+
+        let body = try JSONEncoder.snakeCaseKeys.encode(
+            ConnectRequest(deviceId: code.deviceId, encryptedRecoveryKey: encryptedRecoveryKey)
+        )
+
+        let request = api.createRequest(url: endpoints.connect,
+                                        method: .POST,
+                                        headers: ["Authorization": "Bearer \(token)"],
+                                        parameters: [:],
+                                        body: body,
+                                        contentType: "application/json")
+        _ = try await request.execute()
+    }
+
+    struct ConnectRequest: Encodable {
+        let deviceId: String
+        let encryptedRecoveryKey: Data
+    }
+
+}