fix: Split client/server signup entities

- Helps with knowing what goes where - Avoids decrypting pre-encrypted data - Fixes a huge security flaw where both master shards were sent to the server BREAKING CHANGE: createSignupEntities return value
chiffre-io · May 10, 2020 · 2dbb25a · 2dbb25a
1 parent 11ef960
commit 2dbb25a
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/src/account.ts b/src/account.ts
@@ -18,12 +18,20 @@ export async function createSignupEntities(username: string, password: string) {
   const unlockedKeychain = createKeychain()
   const lockedKeychain = await lockKeychain(unlockedKeychain, keychainKey)
   return {
-    ...srpEntities,
-    masterSalt,
-    shards,
-    keychainKey: encryptedKeychainKey,
-    keychain: {
-      ...lockedKeychain
+    client: {
+      masterKey,
+      keychainKey,
+      unlockedKeychain,
+      masterKeyShard: shards[0]
+    },
+    server: {
+      ...srpEntities,
+      masterSalt,
+      masterKeyShard: shards[1],
+      keychainKey: encryptedKeychainKey,
+      keychain: {
+        ...lockedKeychain
+      }
     }
   }
 }