Authentication Flow

[jj10133]

Hi @M3DZIK I would like to ask you the entire authentication flow, so at this stage I assume we have register and pre-login(I don't get this part). So it is that we are getting a session id? If so when is the timeout for it? Just trying to implement the auth part first but wanna understand from your perspective.

[M3DZIK]

Pre-login returns a argon2id parameters (such as memory, iterations etc.) and the server public key

https://docs.librepass.org/api/auth/#pre-login

[jj10133]

is there a discord server? we can all chat?

[M3DZIK]

do you have signal or telegram?

[jj10133]

yes or keet

[jj10133]

I saw that you're storing locally the ciphers, question on syncing side? Are we allowing user the edit data locally and then handle the syncing? If so what if we're having multiple devices how are are we doing the sync based on the timestamps of db of each devices?

[M3DZIK]

using lastSyncTimestamp that is stored on local device and contains timestamp (in seconds) of last synchronization

https://docs.librepass.org/api/cipher/#sync-ciphers

[jj10133]

Sorry another question on android side, are we using Android's keystore api? or just using room db

[jj10133]

At this stage where are we storing the secret key like on android side? On device?

[M3DZIK]

password hash computed by argon2 is a x25519 private key

[jj10133]

Ohk sorry was looking now at go crypto lib implementation which hash-wasm used it for... So just to make things clear we get this key I still don't understand deep down how to it retrieves the public key from it?

[M3DZIK]

Ohk sorry was looking now at go crypto lib implementation which hash-wasm used it for... So just to make things clear we get this key I still don't understand deep down how to it retrieves the public key from it?

Using publicFromPrivate function that using x25519 crypto

Java:

JavaScript:

[jj10133]

Like I meant the internals of it, mathematically but yeah the above helped me

[jj10133]

more question, just found out of 1password not storing the secret key on keychain, so I'm just thinking where we want to store this key? How're you storing the secret key in android? Where exactly is this place?

[jj10133]

aahhh coool now I get this one

[jj10133]

Let's say you forget your master password then? Could I still get my passwords? No right

[M3DZIK]

If you forget password, then unfortunately you will lost your data. Therefore, it is recommended to set password hint.

[jj10133]

can we not do something combine password + random key (generated) during the x25519 keypair using seed? then user to save this somewhere secure and give them a pdf?

[M3DZIK]

can we not do something combine password + random key (generated) during the x25519 keypair using seed? then user to save this somewhere secure and give them a pdf?

Argon2id is secure enough.

Using a random key stored by the user in a file on their device would makeing LibrePass much more difficult.

[M3DZIK]

At this stage where are we storing the secret key like on android side? On device?

https://github.com/LibrePass/LibrePass-Android/blob/45da6753574281f6acddad954435e2be524253db/app/src/main/java/dev/medzik/librepass/android/data/Credentials.kt#L8-L24

[jj10133]

Thanks @M3DZIK was like we could starting make issues and roadmap such that people know what feature we working on and also we split work to get more done quickly?