1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
|
use std::{io, path::PathBuf};
use clap::Parser;
use eyre::{Context, Result, bail};
use tokio::{fs::File, io::AsyncWriteExt};
use crate::atuin_client::{
auth::{self, AuthResponse},
encryption::{decode_key, load_key},
record::sqlite_store::SqliteStore,
record::store::Store,
record::sync::{self, SyncError},
settings::{Settings, SyncAuth},
};
use rpassword::prompt_password;
#[derive(Parser, Debug)]
pub(crate) struct Cmd {
#[clap(long, short)]
pub(crate) username: Option<String>,
#[clap(long, short)]
pub(crate) password: Option<String>,
/// The encryption key for your account
#[clap(long, short)]
pub(crate) key: Option<String>,
/// The two-factor authentication code for your account, if any
#[clap(long, short)]
pub(crate) totp_code: Option<String>,
#[clap(long, hide = true)]
pub(crate) from_registration: bool,
}
fn get_input() -> Result<String> {
let mut input = String::new();
io::stdin().read_line(&mut input)?;
Ok(input.trim_end_matches(&['\r', '\n'][..]).to_string())
}
impl Cmd {
pub(crate) async fn run(&self, settings: &Settings, store: &SqliteStore) -> Result<()> {
match settings.resolve_sync_auth().await {
SyncAuth::Legacy { .. } => {
println!("You are logged in to your sync server.");
println!("Run 'atuin logout' to log out.");
return Ok(());
}
SyncAuth::NotLoggedIn { .. } => {}
}
self.run_legacy_login(settings, store).await?;
verify_key_against_remote(settings).await
}
/// Legacy login: always prompt for username/password interactively
/// (or accept them via flags).
async fn run_legacy_login(&self, settings: &Settings, store: &SqliteStore) -> Result<()> {
let username = or_user_input(self.username.clone(), "username");
let password = self.password.clone().unwrap_or_else(read_user_password);
self.prompt_and_store_key(settings, store).await?;
let client = auth::auth_client(settings).await;
let response = client.login(&username, &password).await?;
match response {
AuthResponse::Success { session, .. } => {
Settings::meta_store().await?.save_session(&session).await?;
}
AuthResponse::TwoFactorRequired => {
// Legacy server doesn't support 2FA, so this shouldn't happen.
bail!("unexpected two-factor requirement from legacy server");
}
}
println!("Logged in!");
Ok(())
}
async fn prompt_and_store_key(&self, settings: &Settings, store: &SqliteStore) -> Result<()> {
let key_path = settings.key_path.as_str();
let key_path = PathBuf::from(key_path);
println!("IMPORTANT");
println!(
"If you are already logged in on another machine, you must ensure that the key you use here is the same as the key you used there."
);
println!("You can find your key by running 'atuin key' on the other machine.");
println!("Do not share this key with anyone.");
println!("\nRead more here: https://docs.atuin.sh/guide/sync/#login \n");
let key = or_user_input(
self.key.clone(),
"encryption key [blank to use existing key file]",
);
if key.is_empty() {
if key_path.exists() {
let bytes = fs_err::read_to_string(&key_path).context(format!(
"Existing key file at '{}' could not be read",
key_path.to_string_lossy()
))?;
if decode_key(bytes).is_err() {
bail!(format!(
"The key in existing key file at '{}' is invalid",
key_path.to_string_lossy()
));
}
} else {
panic!(
"No key provided and no existing key file found. Please use 'atuin key' on your other machine, or recover your key from a backup"
)
}
} else if !key_path.exists() {
if decode_key(key.clone()).is_err() {
bail!("The specified key is invalid");
}
let mut file = File::create(&key_path).await?;
file.write_all(key.as_bytes()).await?;
} else {
// we now know that the user has logged in specifying a key, AND that the key path
// exists
// 1. check if the saved key and the provided key match. if so, nothing to do.
// 2. if not, re-encrypt the local history and overwrite the key
let current_key: [u8; 32] = load_key(settings)?.into();
let encoded = key.clone(); // gonna want to save it in a bit
let new_key: [u8; 32] = decode_key(key)
.context("Could not decode provided key; is not valid base64-encoded key")?
.into();
if new_key != current_key {
println!("\nRe-encrypting local store with new key");
store.re_encrypt(¤t_key, &new_key).await?;
println!("Writing new key");
let mut file = File::create(&key_path).await?;
file.write_all(encoded.as_bytes()).await?;
}
}
Ok(())
}
}
async fn verify_key_against_remote(settings: &Settings) -> Result<()> {
let key: [u8; 32] = load_key(settings)
.context("could not load encryption key for verification")?
.into();
let client = sync::build_client(settings).await?;
let remote_index = match client.record_status().await {
Ok(idx) => idx,
Err(e) => {
tracing::warn!("could not fetch remote status to verify key: {e}");
return Ok(());
}
};
match sync::check_encryption_key(&client, &remote_index, &key).await {
Ok(()) => Ok(()),
Err(SyncError::WrongKey) => {
// Roll back the saved session so the user is not left in a
// half-authenticated state with a key that can't read the data.
if let Ok(meta) = Settings::meta_store().await {
let _ = meta.delete_session().await;
}
crate::print_error::print_error(
"Wrong encryption key",
"The encryption key on this machine does not match the data on the server. \
You have been logged out.\n\n\
To fix this, find your existing key by running `atuin key` on a machine that \
already syncs successfully, then run `atuin login` again here with that key.",
);
std::process::exit(1);
}
Err(e) => {
// Non-key error (e.g. transient network issue). Don't fail the
// login — the user is authenticated and can sync later when the
// network recovers.
tracing::warn!("could not verify encryption key against remote: {e}");
Ok(())
}
}
}
pub(super) fn or_user_input(value: Option<String>, name: &'static str) -> String {
value.unwrap_or_else(|| read_user_input(name))
}
pub(super) fn read_user_password() -> String {
let password = prompt_password("Please enter password: ");
password.expect("Failed to read from input")
}
fn read_user_input(name: &'static str) -> String {
eprint!("Please enter {name}: ");
get_input().expect("Failed to read from input")
}
|
