feat(enrolledDevice): add the authentication flow in the framework

arenault-dashlane · arenault-dashlane · commit 3d4c58d0e54d · 2025-10-08T14:17:14.000+02:00
- Init the retrieval of the keys in the environement
- Parse the base64 string
- Add a RegEx parser based on the expected format
- Update the authentication to support EnrolledDevice type
- Inject the Nitro secret in the payload when targeting NodeWS Proxy
diff --git a/src/errors.ts b/src/errors.ts
@@ -4,12 +4,24 @@ export class CouldNotFindTeamCredentialsError extends Error {
     }
 }
 
+export class CouldNotFindEnrolledTeamDeviceCredentialsError extends Error {
+    constructor() {
+        super('Could not find enrolled team device credentials');
+    }
+}
+
 export class TeamCredentialsWrongFormatError extends Error {
     constructor() {
         super('Team credentials has a wrong format');
     }
 }
 
+export class EnrolledTeamDeviceCredentialsWrongFormatError extends Error {
+    constructor() {
+        super('Enrolled team device credentials has a wrong format');
+    }
+}
+
 export class DeviceCredentialsWrongFormatError extends Error {
     constructor() {
         super('Device credentials has a wrong format');
diff --git a/src/index.ts b/src/index.ts
@@ -4,7 +4,12 @@ import process from 'process';
 
 import { cliVersionToString, CLI_VERSION } from './cliVersion.js';
 import { rootCommands } from './commands/index.js';
-import { initDeviceCredentials, initStagingCheck, initTeamDeviceCredentials } from './utils/index.js';
+import {
+    initDeviceCredentials,
+    initEnrolledTeamDeviceCredentials,
+    initStagingCheck,
+    initTeamDeviceCredentials,
+} from './utils/index.js';
 import { errorColor, initLogger } from './logger.js';
 
 process.removeAllListeners('warning');
@@ -16,6 +21,7 @@ initLogger({ debugLevel });
 initStagingCheck();
 initTeamDeviceCredentials();
 initDeviceCredentials();
+initEnrolledTeamDeviceCredentials();
 
 const program = new Command();
 
diff --git a/src/modules/tunnel-api-connect/steps/sendSecureContent.ts b/src/modules/tunnel-api-connect/steps/sendSecureContent.ts
@@ -4,7 +4,7 @@ import type { SecureContentRequest, SecureContentResponse, SendSecureContentPara
 import { SecureTunnelNotInitialized, SendSecureContentDataDecryptionError } from '../errors.js';
 import type { ApiConnectInternalParams, ApiData, ApiRequestsDefault } from '../types.js';
 import { TypeCheck } from '../../typecheck/index.js';
-import { requestAppApi, requestTeamApi, requestUserApi } from '../../../requestApi.js';
+import { requestAppApi, requestEnrolledDeviceApi, requestTeamApi, requestUserApi } from '../../../requestApi.js';
 
 const verifySendSecureBodySchemaValidator = new TypeCheck<SecureContentResponse>(secureContentBodyDataSchema);
 
@@ -27,7 +27,18 @@ export const sendSecureContent = async <R extends ApiRequestsDefault>(
     const { path, clientStateIn, clientStateOut, payload: rawPayload, authentication = { type: 'app' } } = params;
     const { tunnelUuid } = apiData.clientHello;
 
-    const encryptedData = encryptData(clientStateOut, rawPayload);
+    // We assume that this section of the code will only be calling NodeWS Proxy with this authentication
+    // Inject the enrolledDeviceSecretKey when targeting NodeWS Enclave Proxy authentification
+    // to provide Nitro specific key
+    let injectedPayload = rawPayload;
+    if (authentication.type === 'enrolledDevice') {
+        injectedPayload = {
+            ...(typeof rawPayload === 'object' ? rawPayload : {}),
+            enrolledDeviceSecretKey: authentication.enrolledTeamDeviceKeys.nitroDeviceSecretKey,
+        };
+    }
+
+    const encryptedData = encryptData(clientStateOut, injectedPayload);
 
     const payload = {
         encryptedData: sodium.to_hex(encryptedData),
@@ -55,6 +66,14 @@ export const sendSecureContent = async <R extends ApiRequestsDefault>(
                 teamUuid: authentication.teamUuid,
             });
             break;
+        case 'enrolledDevice':
+            response = await requestEnrolledDeviceApi<SecureContentResponse>({
+                path,
+                payload,
+                isNitroEncryptionService: true,
+                enrolledTeamDeviceKeys: authentication.enrolledTeamDeviceKeys,
+            });
+            break;
         case 'app':
             response = await requestAppApi<SecureContentResponse>({
                 path,
diff --git a/src/modules/tunnel-api-connect/steps/types.ts b/src/modules/tunnel-api-connect/steps/types.ts
@@ -42,10 +42,21 @@ interface TeamDeviceAuthenticationParams {
     teamDeviceKeys: { accessKey: string; secretKey: string };
 }
 
+interface EnrolledDeviceAuthenticationParams {
+    type: 'enrolledDevice';
+    enrolledTeamDeviceKeys: {
+        nodeWSAccessKey: string;
+        nitroDeviceAccessKey: string;
+        nitroDeviceSecretKey: string;
+        secretKey: string;
+    };
+}
+
 export type AuthenticationParams =
     | AppAuthenticationParams
     | UserDeviceAuthenticationParams
-    | TeamDeviceAuthenticationParams;
+    | TeamDeviceAuthenticationParams
+    | EnrolledDeviceAuthenticationParams;
 
 export interface SendSecureContentParams<R extends ApiRequestsDefault> {
     path: R['path'];
diff --git a/src/requestApi.ts b/src/requestApi.ts
@@ -133,3 +133,26 @@ export const requestTeamApi = async <T>(params: RequestTeamApi): Promise<T> => {
         },
     });
 };
+
+export interface RequestEnrolledDeviceApi {
+    payload: Record<string, unknown>;
+    path: string;
+    isNitroEncryptionService?: boolean;
+    enrolledTeamDeviceKeys: {
+        nodeWSAccessKey: string;
+        nitroDeviceAccessKey: string;
+        secretKey: string;
+    };
+}
+
+export const requestEnrolledDeviceApi = async <T>(params: RequestEnrolledDeviceApi): Promise<T> => {
+    const { enrolledTeamDeviceKeys, ...otherParams } = params;
+    return requestApi({
+        ...otherParams,
+        authentication: {
+            type: 'enrolledDevice',
+            ...dashlaneApiKeys,
+            ...enrolledTeamDeviceKeys,
+        },
+    });
+};
diff --git a/src/types.ts b/src/types.ts
@@ -25,6 +25,17 @@ export interface TeamDeviceCredentials {
     secretKey: string;
 }
 
+export interface EnrolledTeamDeviceCredentials {
+    // Node WS Access Key
+    nodeWSAccessKey: string;
+    // Node WS Secret Key
+    secretKey: string;
+    // Nitro Access Key
+    nitroDeviceAccessKey: string;
+    // Nitro Secret Key
+    nitroDeviceSecretKey: string;
+}
+
 export interface DeviceCredentials {
     login: string;
     accessKey: string;
diff --git a/src/utils/enrolledTeamDeviceCredentials.ts b/src/utils/enrolledTeamDeviceCredentials.ts
@@ -0,0 +1,45 @@
+import {
+    CouldNotFindEnrolledTeamDeviceCredentialsError,
+    EnrolledTeamDeviceCredentialsWrongFormatError,
+} from '../errors.js';
+import { EnrolledTeamDeviceCredentials } from '../types.js';
+
+let enrolledTeamDeviceCredentials: EnrolledTeamDeviceCredentials | null = null;
+
+const validateEnrolledDeviceKeys = (keys: string) =>
+    new RegExp(
+        /(DASH_EDWSA_[a-zA-Z0-9_-]{64})-(DASH_EDWSS_[a-zA-Z0-9_-]{64})-(DASH_EDNTA_[a-zA-Z0-9_-]{64})-(DASH_EDNTS_[a-zA-Z0-9_-]{64})/
+    ).exec(keys);
+
+export const initEnrolledTeamDeviceCredentials = (): EnrolledTeamDeviceCredentials | null => {
+    const { DASHLANE_ENROLLED_TEAM_DEVICE_KEYS } = process.env;
+
+    if (DASHLANE_ENROLLED_TEAM_DEVICE_KEYS) {
+        // Parsing the base64 string
+        const parsedString = Buffer.from(DASHLANE_ENROLLED_TEAM_DEVICE_KEYS, 'base64').toString('utf-8');
+        // Validating the keys
+        const parsedKeys = validateEnrolledDeviceKeys(parsedString);
+
+        if (!parsedKeys) {
+            throw new EnrolledTeamDeviceCredentialsWrongFormatError();
+        }
+
+        const [nodeWSAccessKey, secretKey, nitroDeviceAccessKey, nitroDeviceSecretKey] = parsedKeys.slice(1);
+        enrolledTeamDeviceCredentials = {
+            nodeWSAccessKey,
+            secretKey,
+            nitroDeviceAccessKey,
+            nitroDeviceSecretKey,
+        };
+    }
+
+    return enrolledTeamDeviceCredentials;
+};
+
+export const getEnrolledTeamDeviceCredentials = (): EnrolledTeamDeviceCredentials => {
+    if (!enrolledTeamDeviceCredentials) {
+        throw new CouldNotFindEnrolledTeamDeviceCredentialsError();
+    }
+
+    return enrolledTeamDeviceCredentials;
+};
diff --git a/src/utils/index.ts b/src/utils/index.ts
@@ -8,3 +8,4 @@ export * from './secretTransformation.js';
 export * from './stagingCheck.js';
 export * from './strings.js';
 export * from './teamDeviceCredentials.js';
+export * from './enrolledTeamDeviceCredentials.js';

Original file line number	Diff line number	Diff line change
`@@ -4,12 +4,24 @@ export class CouldNotFindTeamCredentialsError extends Error {`
`4`	`4`	`}`
`5`	`5`	`}`
`6`	`6`
	`7`	`+export class CouldNotFindEnrolledTeamDeviceCredentialsError extends Error {`
	`8`	`+ constructor() {`
	`9`	`+ super('Could not find enrolled team device credentials');`
	`10`	`+ }`
	`11`	`+}`
	`12`	`+`
`7`	`13`	`export class TeamCredentialsWrongFormatError extends Error {`
`8`	`14`	`constructor() {`
`9`	`15`	`super('Team credentials has a wrong format');`
`10`	`16`	`}`
`11`	`17`	`}`
`12`	`18`
	`19`	`+export class EnrolledTeamDeviceCredentialsWrongFormatError extends Error {`
	`20`	`+ constructor() {`
	`21`	`+ super('Enrolled team device credentials has a wrong format');`
	`22`	`+ }`
	`23`	`+}`
	`24`	`+`
`13`	`25`	`export class DeviceCredentialsWrongFormatError extends Error {`
`14`	`26`	`constructor() {`
`15`	`27`	`super('Device credentials has a wrong format');`