Migrate to service device keys format (#220)

Corentin Mors · web-flow · commit d71249b85e29 · 2024-03-15T17:06:36.000+01:00
Following an internal ADR (Architecture Decision Record), I'm updating
the non-interactive device registration and usage to a new format.
diff --git a/documentation/pages/personal/devices.mdx b/documentation/pages/personal/devices.mdx
@@ -64,14 +64,17 @@ This will create a new device named `my_server` and will print the device creden
 Save them in a safe place (like in a secure note), as you won't be able to retrieve them later.
 Run the suggested commands on your target device (your server or CI) to set the device credentials as environment variables.
 
+```sh 
+export DASHLANE_SERVICE_DEVICE_KEYS=dls_[deviceAccessKey]_[payload]
+```
+
+On Windows, you can use the `set` command instead of `export`.
+
 ```sh
-export DASHLANE_DEVICE_ACCESS_KEY=bdd5[..redacted..]6eb
-export DASHLANE_DEVICE_SECRET_KEY=99f7d9bd547c0[..redacted..]c93fa2118cdf7e3d0
-export DASHLANE_LOGIN=email@domain.com
-export DASHLANE_MASTER_PASSWORD=<insert your master password here>
+set DASHLANE_SERVICE_DEVICE_KEYS=dls_[deviceAccessKey]_[payload]
 ```
 
-Please, replace `<insert your master password here>` with your actual master password.
+<Callout emoji="ℹ️">The token you'll get is starting by `dls` in order to be easily identified by scanning tools.</Callout>
 
 <Callout type="warning" emoji="⚠️">
     OTP at each login and SSO are not supported for non-interactive devices. We recommend creating a dedicated Dashlane
diff --git a/src/command-handlers/devices.ts b/src/command-handlers/devices.ts
@@ -97,7 +97,7 @@ export async function removeAllDevices(devices: string[] | null, options: { all:
 
 export const registerNonInteractiveDevice = async (deviceName: string, options: { json: boolean }) => {
     const {
-        localConfiguration: { login },
+        localConfiguration: { login, masterPassword },
         db,
     } = await connectAndPrepare({ autoSync: false });
 
@@ -116,19 +116,25 @@ export const registerNonInteractiveDevice = async (deviceName: string, options:
         deviceName: `Non-Interactive - ${deviceName}`,
     });
 
+    const serviceDeviceKeysPayload = {
+        login,
+        deviceSecretKey,
+        masterPassword,
+    };
+
+    const serviceDeviceKeysPayloadB64 = Buffer.from(JSON.stringify(serviceDeviceKeysPayload)).toString('base64');
+
+    const serviceDeviceKeys = `dls_${deviceAccessKey}_${serviceDeviceKeysPayloadB64}`;
+
     if (options.json) {
         console.log(
             JSON.stringify({
-                DASHLANE_DEVICE_ACCESS_KEY: deviceAccessKey,
-                DASHLANE_DEVICE_SECRET_KEY: deviceSecretKey,
+                DASHLANE_SERVICE_DEVICE_KEYS: serviceDeviceKeys,
             })
         );
     } else {
-        winston.info('The device credentials have been generated, save and run the following commands to export them:');
-        console.log(`export DASHLANE_DEVICE_ACCESS_KEY=${deviceAccessKey}`);
-        console.log(`export DASHLANE_DEVICE_SECRET_KEY=${deviceSecretKey}`);
-        console.log(`export DASHLANE_LOGIN=${login}`);
-        console.log(`export DASHLANE_MASTER_PASSWORD=<insert your master password here>`);
+        winston.info('The device credentials have been generated, save and run the following command to export them:');
+        console.log(`export DASHLANE_SERVICE_DEVICE_KEYS=${serviceDeviceKeys}`);
     }
 
     db.close();
diff --git a/src/errors.ts b/src/errors.ts
@@ -10,6 +10,12 @@ export class TeamCredentialsWrongFormatError extends Error {
     }
 }
 
+export class DeviceCredentialsWrongFormatError extends Error {
+    constructor() {
+        super('Device credentials has a wrong format');
+    }
+}
+
 export class InvalidDashlanePathError extends Error {
     constructor() {
         super('Invalid Dashlane path');
diff --git a/src/utils/deviceCredentials.ts b/src/utils/deviceCredentials.ts
@@ -1,16 +1,28 @@
+import { DeviceCredentialsWrongFormatError } from '../errors';
 import { DeviceCredentials } from '../types';
 
 let deviceCredentials: DeviceCredentials | null = null;
 
 export const initDeviceCredentials = (): DeviceCredentials | null => {
-    const { DASHLANE_DEVICE_ACCESS_KEY, DASHLANE_DEVICE_SECRET_KEY, DASHLANE_LOGIN, DASHLANE_MASTER_PASSWORD } =
-        process.env;
-    if (DASHLANE_DEVICE_ACCESS_KEY && DASHLANE_DEVICE_SECRET_KEY && DASHLANE_LOGIN && DASHLANE_MASTER_PASSWORD) {
+    const { DASHLANE_SERVICE_DEVICE_KEYS } = process.env;
+    if (DASHLANE_SERVICE_DEVICE_KEYS) {
+        if (!DASHLANE_SERVICE_DEVICE_KEYS.startsWith('dls_')) {
+            throw new DeviceCredentialsWrongFormatError();
+        }
+
+        const [accessKey, payloadB64] = DASHLANE_SERVICE_DEVICE_KEYS.split('_').slice(1);
+
+        const payload = JSON.parse(Buffer.from(payloadB64, 'base64').toString('utf-8')) as {
+            login: string;
+            deviceSecretKey: string;
+            masterPassword: string;
+        };
+
         deviceCredentials = {
-            login: DASHLANE_LOGIN,
-            accessKey: DASHLANE_DEVICE_ACCESS_KEY,
-            secretKey: DASHLANE_DEVICE_SECRET_KEY,
-            masterPassword: DASHLANE_MASTER_PASSWORD,
+            login: payload.login,
+            accessKey,
+            secretKey: payload.deviceSecretKey,
+            masterPassword: payload.masterPassword,
         };
     }
     return deviceCredentials;

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,12 @@ export class TeamCredentialsWrongFormatError extends Error {`
`10`	`10`	`}`
`11`	`11`	`}`
`12`	`12`
	`13`	`+export class DeviceCredentialsWrongFormatError extends Error {`
	`14`	`+ constructor() {`
	`15`	`+ super('Device credentials has a wrong format');`
	`16`	`+ }`
	`17`	`+}`
	`18`	`+`
`13`	`19`	`export class InvalidDashlanePathError extends Error {`
`14`	`20`	`constructor() {`
`15`	`21`	`super('Invalid Dashlane path');`