Session login, not fully working yet #36

Open: wants to merge 2 commits into base: master

DarkFighterLuke
Contributor

@DarkFighterLuke DarkFighterLuke commented Jul 12, 2021

In the past four days I've lost my mind trying to figure out Mega SDK's internals.
I managed to write a new function to log in using a session key. It works fine, but it's not complete yet, because no master key is retrieved in session login, so node attributes can't be decrypted.

As I said in #35, I would like some help to solve this issue.
Hope someone will collaborate.

@figgyc

figgyc commented Jul 19, 2021

Hi Luke, I'm interested in this too, although I don't know much about the megasdk either.
I did have a look though - I think this is where the session key is created: https://github.com/meganz/sdk/blob/b1499910f17ad8d58595badb81f4e0bd5a38fb00/src/megaclient.cpp#L9436
I think what that means is that the master key is encrypted using the session key? Not sure though, maybe you know though because you've spent more time on this than I have.

@DarkFighterLuke
Contributor Author

I'm very happy that someone else is interested in this feature, so thank you for your contribution, I really appreciate it!
The line you linked is from the method dumpSession which returns the session key stored in the class, which is not the master key.
I can't figure out how the master key is obtained and if it has an encryption pass using the session key (I think it would be useless).

I have some clues about the place where the master key is retrieved, but I can't understand the process related to encryption and decryption implemented in the SDK.
However, I'll show you what I discovered, maybe it can help. Printing the JSON messages sent in requests, I discovered that when I call MegaApi::fetchNodes a request containing a command named uga is made. This command is used to retrieve user attributes specified using the ua JSON key.
Here is what requests contain:

"a":"uga","u":"YOUR_USER_ID","ua":"*keyring","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"+puEd255","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"+puCu255","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"+sigCu255","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"+sigPubk","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"*!authring","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"*!authRSA","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"*!authCu255","v":1

So 8 requests are made, each one containing one of the lines above.
The received request is processed by this method https://github.com/meganz/sdk/blob/master/src/commands.cpp#L3022.
Basically this method calls MegaClient::initializeKeys: https://github.com/meganz/sdk/blob/master/src/megaclient.cpp#L12335.
Here is where I am lost, I can't figure out what is done and if I am in the right place.

I hope this could be helpful to someone.

@ncw
Collaborator

ncw commented Sep 13, 2021

> In the past four days I've lost my mind trying to figure out Mega SDK's internals.

My feeling exactly when looking at their C++ code!

> I managed to write a new function to log in using a session key. It works fine, but it's not complete yet, because no master key is retrieved in session login, so node attributes can't be decrypted.

I'm not clear on what this is for. Where do you get a session key from?

@DarkFighterLuke
Contributor Author

I'm very happy that you replied to that PR!

> My feeling exactly when looking at their C++ code!

I don't feel alone anymore. 😆

> I'm not clear on what this is for. Where do you get a session key from?

So, imagine that an application needs to have some kind of persistence for some reason (for example for uploading content without asking for user credentials each time). It is super useful to have a session key, which can be retrieved when logged in to a session, so that the user has to type credentials the first time only. In any subsequent access to the account, the user has nothing to do, because the application will log in using the session key previously retrieved.

@a5r0n

a5r0n commented Dec 6, 2021

> I'm not clear on what this is for. Where do you get a session key from?

the session key is like use token, u can revoke tho and so on.
u can generate one by login with MEGAcmd and call the session command

the actual thing in this PR what i'm looking for in this PR, it's the ability to use shared folders.
i manage to login to folder, and get the files nodes, but the attributes are empty, so i guess something with the decryption didn't work..

@DarkFighterLuke
Contributor Author

DarkFighterLuke commented Dec 6, 2021

> the actual thing in this PR, it's the ability to use shared folders.

No, the actual thing in this PR is to use the authentication with session token. At the moment, I have implemented the authentication, but when you try to get your files it will be impossible, because no decryption key is retrieved (as opposed to what happens with email+psw[+OTP] authentication).
So the real problem at the moment is to retrieve the decryption key to decrypt your files.
If only Mega would provide better documentation on the whole process with some schematics...
