하나의 공개 키로 여러 계정에 로그인할 수 있도록 구현

2025-12-15 22:38:47 +00:00 · 2024-12-29 01:37:44 +09:00
parent c16abca832
commit af51f04b94
7 changed files with 131 additions and 71 deletions
--- a/src/lib/modules/crypto.ts
+++ b/src/lib/modules/crypto.ts
@@ -0,0 +1,50 @@
+export type RSAKeyType = "public" | "private";
+
+export const generateRSAKeyPair = async () => {
+  const keyPair = await window.crypto.subtle.generateKey(
+    {
+      name: "RSA-OAEP",
+      modulusLength: 4096,
+      publicExponent: new Uint8Array([1, 0, 1]),
+      hash: "SHA-256",
+    } satisfies RsaHashedKeyGenParams,
+    true,
+    ["encrypt", "decrypt"],
+  );
+  return keyPair;
+};
+
+export const makeRSAKeyNonextractable = async (key: CryptoKey, type: RSAKeyType) => {
+  const format = type === "public" ? "spki" : "pkcs8";
+  const keyUsage = type === "public" ? "encrypt" : "decrypt";
+  return await window.crypto.subtle.importKey(
+    format,
+    await window.crypto.subtle.exportKey(format, key),
+    {
+      name: "RSA-OAEP",
+      hash: "SHA-256",
+    } satisfies RsaHashedImportParams,
+    false,
+    [keyUsage],
+  );
+};
+
+export const exportRSAKeyToBase64 = async (key: CryptoKey, type: RSAKeyType) => {
+  const exportedKey = await window.crypto.subtle.exportKey(
+    type === "public" ? "spki" : "pkcs8",
+    key,
+  );
+  return btoa(String.fromCharCode(...new Uint8Array(exportedKey)));
+};
+
+export const decryptRSACiphertext = async (ciphertext: string, privateKey: CryptoKey) => {
+  const ciphertextBuffer = Uint8Array.from(atob(ciphertext), (c) => c.charCodeAt(0));
+  const plaintext = await window.crypto.subtle.decrypt(
+    {
+      name: "RSA-OAEP",
+    } satisfies RsaOaepParams,
+    privateKey,
+    ciphertextBuffer,
+  );
+  return btoa(String.fromCharCode(...new Uint8Array(plaintext)));
+};
--- a/src/lib/server/db/client.ts
+++ b/src/lib/server/db/client.ts
@@ -17,6 +17,10 @@ export const getClientByPubKey = async (pubKey: string) => {
  return clients[0] ?? null;
 };

+export const createUserClient = async (userId: number, clientId: number) => {
+  await db.insert(userClient).values({ userId, clientId }).execute();
+};
+
 export const getUserClient = async (userId: number, clientId: number) => {
  const userClients = await db
    .select()
--- a/src/lib/server/services/key.ts
+++ b/src/lib/server/services/key.ts
@@ -5,6 +5,8 @@ import { promisify } from "util";
 import {
  createClient,
  getClientByPubKey,
+  createUserClient,
+  getUserClient,
  createUserClientChallenge,
  getUserClientChallenge,
  setUserClientStateToPending,
@@ -25,20 +27,30 @@ const generateChallenge = async (userId: number, ip: string, clientId: number, p
 };

 export const registerPubKey = async (userId: number, ip: string, pubKey: string) => {
-  if (await getClientByPubKey(pubKey)) {
-    error(409, "Public key already registered");
+  const client = await getClientByPubKey(pubKey);
+  let clientId;
+
+  if (client) {
+    const userClient = await getUserClient(userId, client.id);
+    if (userClient) {
+      error(409, "Public key already registered");
+    }
+
+    await createUserClient(userId, client.id);
+    clientId = client.id;
+  } else {
+    const pubKeyPem = `-----BEGIN PUBLIC KEY-----\n${pubKey}\n-----END PUBLIC KEY-----`;
+    const pubKeyObject = createPublicKey(pubKeyPem);
+    if (
+      pubKeyObject.asymmetricKeyType !== "rsa" ||
+      pubKeyObject.asymmetricKeyDetails?.modulusLength !== 4096
+    ) {
+      error(400, "Invalid public key");
+    }
+
+    clientId = await createClient(pubKey, userId);
  }

-  const pubKeyPem = `-----BEGIN PUBLIC KEY-----\n${pubKey}\n-----END PUBLIC KEY-----`;
-  const pubKeyObject = createPublicKey(pubKeyPem);
-  if (
-    pubKeyObject.asymmetricKeyType !== "rsa" ||
-    pubKeyObject.asymmetricKeyDetails?.modulusLength !== 4096
-  ) {
-    error(400, "Invalid public key");
-  }
-
-  const clientId = await createClient(pubKey, userId);
  return await generateChallenge(userId, ip, clientId, pubKey);
 };