(Feature) Allow user-device and team-device auth for calls through secure tunnel

src/modules/auth/confidential-sso/index.ts

@@ -20,6 +20,7 @@ export const doConfidentialSSOVerification = async ({ requestedLogin }: Confiden
         ...api,
         path: 'authentication/RequestLogin2',
         payload: { login: requestedLogin },
+        authentication: { type: 'app' },
     });
 
     const { idpAuthorizeUrl, spCallbackUrl, teamUuid, domainName } = requestLoginResponse;
@@ -56,6 +57,7 @@ export const doConfidentialSSOVerification = async ({ requestedLogin }: Confiden
         ...api,
         path: 'authentication/ConfirmLogin2',
         payload: { teamUuid, domainName, samlResponse },
+        authentication: { type: 'app' },
     });
 
     const ssoVerificationResult = await performSSOVerification({

src/modules/tunnel-api-connect/steps/sendSecureContent.ts

@@ -4,7 +4,7 @@ import type { SecureContentRequest, SecureContentResponse, SendSecureContentPara
 import { SecureTunnelNotInitialized, SendSecureContentDataDecryptionError } from '../errors.js';
 import type { ApiConnectInternalParams, ApiData, ApiRequestsDefault } from '../types.js';
 import { TypeCheck } from '../../typecheck/index.js';
-import { requestAppApi } from '../../../requestApi.js';
+import { requestAppApi, requestTeamApi, requestUserApi } from '../../../requestApi.js';
 
 const verifySendSecureBodySchemaValidator = new TypeCheck<SecureContentResponse>(secureContentBodyDataSchema);
 
@@ -24,19 +24,45 @@ export const sendSecureContent = async <R extends ApiRequestsDefault>(
         throw new SecureTunnelNotInitialized();
     }
 
-    const { path, clientStateIn, clientStateOut, payload } = params;
+    const { path, clientStateIn, clientStateOut, payload: rawPayload, authentication = { type: 'app' } } = params;
     const { tunnelUuid } = apiData.clientHello;
 
-    const encryptedData = encryptData(clientStateOut, payload);
+    const encryptedData = encryptData(clientStateOut, rawPayload);
 
-    const response = await requestAppApi<SecureContentResponse>({
-        path,
-        payload: {
-            encryptedData: sodium.to_hex(encryptedData),
-            tunnelUuid,
-        } satisfies SecureContentRequest,
-        isNitroEncryptionService: true,
-    });
+    const payload = {
+        encryptedData: sodium.to_hex(encryptedData),
+        tunnelUuid,
+    } satisfies SecureContentRequest;
+
+    let response: SecureContentResponse;
+
+    switch (authentication.type) {
+        case 'userDevice':
+            response = await requestUserApi<SecureContentResponse>({
+                path,
+                payload,
+                isNitroEncryptionService: true,
+                deviceKeys: authentication.deviceKeys,
+                login: authentication.login,
+            });
+            break;
+        case 'teamDevice':
+            response = await requestTeamApi<SecureContentResponse>({
+                path,
+                payload,
+                isNitroEncryptionService: true,
+                teamDeviceKeys: authentication.teamDeviceKeys,
+                teamUuid: authentication.teamUuid,
+            });
+            break;
+        case 'app':
+            response = await requestAppApi<SecureContentResponse>({
+                path,
+                payload,
+                isNitroEncryptionService: true,
+            });
+            break;
+    }
 
     const body = verifySendSecureBodySchemaValidator.validate(response);
     if (body instanceof Error) {

src/modules/tunnel-api-connect/steps/types.ts

@@ -25,11 +25,33 @@ export interface TerminateHelloRequest {
     tunnelUuid: string;
 }
 
+interface AppAuthenticationParams {
+    type: 'app';
+}
+
+interface UserDeviceAuthenticationParams {
+    type: 'userDevice';
+    login: string;
+    deviceKeys: { accessKey: string; secretKey: string };
+}
+
+interface TeamDeviceAuthenticationParams {
+    type: 'teamDevice';
+    teamUuid: string;
+    teamDeviceKeys: { accessKey: string; secretKey: string };
+}
+
+export type AuthenticationParams =
+    | AppAuthenticationParams
+    | UserDeviceAuthenticationParams
+    | TeamDeviceAuthenticationParams;
+
 export interface SendSecureContentParams<R extends ApiRequestsDefault> {
     path: R['path'];
     clientStateIn: sodium.StateAddress;
     clientStateOut: sodium.StateAddress;
     payload: R['input'];
+    authentication?: AuthenticationParams;
 }
 
 export interface TerminateHelloParams {

src/modules/tunnel-api-connect/types.ts

@@ -48,7 +48,7 @@ export interface ApiConnect {
     makeOrRefreshSession: (params: RefreshSessionParams) => Promise<void>;
     /** Reinitialize the tunnel when the session has expired (cookie) */
     sendSecureContent: <R extends ApiRequestsDefault>(
-        params: Pick<SendSecureContentParams<R>, 'path' | 'payload'>
+        params: Pick<SendSecureContentParams<R>, 'path' | 'payload' | 'authentication'>
     ) => Promise<R['output']>;
 }
 

src/requestApi.ts

@@ -101,6 +101,7 @@ export interface RequestUserApi {
         accessKey: string;
         secretKey: string;
     };
+    isNitroEncryptionService?: boolean;
 }
 
 export const requestUserApi = async <T>(params: RequestUserApi): Promise<T> => {
@@ -124,6 +125,7 @@ export interface RequestTeamApi {
         accessKey: string;
         secretKey: string;
     };
+    isNitroEncryptionService?: boolean;
 }
 
 export const requestTeamApi = async <T>(params: RequestTeamApi): Promise<T> => {