internxt · TamaraFinogina · Oct 14, 2025 · Oct 14, 2025 · Oct 15, 2025 · Oct 17, 2025
@@ -15,6 +15,7 @@
     "@reduxjs/toolkit": "^1.6.0",
     "@sentry/react": "^8.55.0",
     "@sentry/tracing": "^7.120.3",
+    "@serenity-kit/opaque": "^0.9.0",
     "@stripe/react-stripe-js": "^2.7.1",
     "@stripe/stripe-js": "^3.5.0",
     "@typeform/embed-react": "^1.19.0",
@@ -39,6 +40,7 @@
     "i18next": "^22.4.9",
     "i18next-browser-languagedetector": "^7.2.0",
     "idb": "^6.1.5",
+    "internxt-crypto": "0.0.8-alpha",
     "js-file-download": "^0.4.12",
     "lint-staged": "^13.1.0",
     "lodash": "^4.17.21",

diff --git a/src/app/auth/components/LogIn/LogIn.tsx b/src/app/auth/components/LogIn/LogIn.tsx
@@ -11,7 +11,7 @@ import { twoFactorRegexPattern } from 'app/core/services/validation.service';
 import { RootState } from 'app/store';
 import { useAppDispatch } from 'app/store/hooks';
 import { userActions } from 'app/store/slices/user';
-import authService, { authenticateUser, is2FANeeded } from '../../services/auth.service';
+import authService, { authenticateUser } from '../../services/auth.service';
 
 import { UserSettings } from '@internxt/sdk/dist/shared/types/userSettings';
 import { WarningCircle } from '@phosphor-icons/react';
@@ -29,6 +29,7 @@ import TextInput from '../TextInput/TextInput';
 import { AuthMethodTypes } from 'app/payment/types';
 import vpnAuthService from 'app/auth/services/vpnAuth.service';
 import envService from 'app/core/services/env.service';
+import { logInOpaque, is2FAorOpaqueNeeded } from '../../services/auth.opaque';
 
 const showNotification = ({ text, isError }: { text: string; isError: boolean }) => {
   notificationsService.show({
@@ -168,7 +169,7 @@ export default function LogIn(): JSX.Element {
     const { email, password } = formData;
 
     try {
-      const isTfaEnabled = await is2FANeeded(email);
+      const { tfaEnabled: isTfaEnabled, opaqueLogin } = await is2FAorOpaqueNeeded(email);
 
       if (!isTfaEnabled || showTwoFactor) {
         const loginType: 'desktop' | 'web' = isUniversalLinkMode ? 'desktop' : 'web';
@@ -181,7 +182,7 @@ export default function LogIn(): JSX.Element {
           loginType,
         };
 
-        const { token, user, mnemonic } = await authenticateUser(authParams);
+        const { token, user, mnemonic } = await (opaqueLogin ? logInOpaque(authParams) : authenticateUser(authParams));
         handleSuccessfulAuth(token, user, mnemonic);
       } else {
         setShowTwoFactor(true);

diff --git a/src/app/auth/services/auth.crypto.test.ts b/src/app/auth/services/auth.crypto.test.ts
@@ -0,0 +1,20 @@
+import { describe, expect, it } from 'vitest';
+import { generateUserSecrets, encryptUserKeysAndMnemonic, decryptUserKeysAndMnemonic } from './auth.crypto';
+
+describe('Test auth crypto functions', () => {
+  it('test enc/dec of user sercrets', async () => {
+    const { keys, mnemonic } = await generateUserSecrets();
+    const exportKey = 'Srp6AzybbyludWuaVwGoHa1C2H0Qtv7JR0sKGLSWe8Ho8_q9hezfYD2RYb9IUrW999pH4VlABgDLse484zAapg';
+
+    const { encMnemonic, encKeys } = await encryptUserKeysAndMnemonic(keys, mnemonic, exportKey);
+
+    const { keys: dec_keys, mnemonic: dec_mnemonic } = await decryptUserKeysAndMnemonic(
+      encMnemonic,
+      encKeys,
+      exportKey,
+    );
+
+    expect(keys).toStrictEqual(dec_keys);
+    expect(mnemonic).toEqual(dec_mnemonic);
+  });
+});
diff --git a/src/app/auth/services/auth.crypto.ts b/src/app/auth/services/auth.crypto.ts
@@ -0,0 +1,92 @@
+import { symmetric, utils, deriveKey } from 'internxt-crypto';
+import { UserKeys } from '@internxt/sdk';
+
+import { generateNewKeys } from 'app/crypto/services/pgp.service';
+export async function encryptUserKeysAndMnemonic(
+  userKeys: UserKeys,
+  mnemonic: string,
+  exportKey: string,
+): Promise<{ encMnemonic: string; encKeys: UserKeys }> {
+  const cryptoKey = await symmetric.deriveSymmetricCryptoKey(exportKey);
+  const key = utils.UTF8ToUint8(userKeys.ecc.privateKey);
+  const encPrivateKey = await symmetric.encryptSymmetrically(cryptoKey, key, 'user-private-key');
+  const keyKyber = utils.base64ToUint8Array(userKeys.kyber.privateKey);
+  const encPrivateKyberKey = await symmetric.encryptSymmetrically(cryptoKey, keyKyber, 'user-private-kyber-key');
+  const mnemonicArray = utils.UTF8ToUint8(mnemonic);
+  const mnemonicCipher = await symmetric.encryptSymmetrically(cryptoKey, mnemonicArray, 'user-mnemonic');
+  const encMnemonic = utils.ciphertextToBase64(mnemonicCipher);
+
+  const encKeys: UserKeys = {
+    ecc: {
+      privateKey: utils.ciphertextToBase64(encPrivateKey),
+      publicKey: userKeys.ecc.publicKey,
+    },
+    kyber: {
+      privateKey: utils.ciphertextToBase64(encPrivateKyberKey),
+      publicKey: userKeys.kyber.publicKey,
+    },
+  };
+  return { encMnemonic, encKeys };
+}
+
+export async function decryptUserKeysAndMnemonic(
+  encMnemonic: string,
+  encKeys: UserKeys,
+  exportKey: string,
+): Promise<{ keys: UserKeys; mnemonic: string }> {
+  const cryptoKey = await symmetric.deriveSymmetricCryptoKey(exportKey);
+  const encKey = utils.base64ToCiphertext(encKeys.ecc.privateKey);
+  const privateKey = await symmetric.decryptSymmetrically(cryptoKey, encKey, 'user-private-key');
+  const encKyberKey = utils.base64ToCiphertext(encKeys.kyber.privateKey);
+  const privateKyberKey = await symmetric.decryptSymmetrically(cryptoKey, encKyberKey, 'user-private-kyber-key');
+  const encMnemonicArray = utils.base64ToCiphertext(encMnemonic);
+  const mnemonicArray = await symmetric.decryptSymmetrically(cryptoKey, encMnemonicArray, 'user-mnemonic');
+  const mnemonic = utils.uint8ToUTF8(mnemonicArray);
+
+  const keys: UserKeys = {
+    ecc: {
+      privateKey: utils.uint8ToUTF8(privateKey),
+      publicKey: encKeys.ecc.publicKey,
+    },
+    kyber: {
+      privateKey: utils.uint8ArrayToBase64(privateKyberKey),
+      publicKey: encKeys.kyber.publicKey,
+    },
+  };
+  return { keys, mnemonic };
+}
+
+export const encryptSessionKey = async (
+  password: string,
+  sessionKey: string,
+): Promise<{ sessionKeyEnc: string; salt: string }> => {
+  const { key, salt } = await deriveKey.getKeyFromPassword(password);
+  const cryptoKey = await symmetric.importSymmetricCryptoKey(key);
+  const sessionKeyArray = utils.base64ToUint8Array(sessionKey);
+  const sessionKeyEncCipher = await symmetric.encryptSymmetrically(cryptoKey, sessionKeyArray, 'UserSessionKey');
+  const sessionKeyEnc = utils.ciphertextToBase64(sessionKeyEncCipher);
+  return { sessionKeyEnc, salt };
+};
+
+export const decryptSessionKey = async (password: string, sessionKeyEnc: string, salt: string): Promise<string> => {
+  const keyBytes = await deriveKey.getKeyFromPasswordAndSalt(password, salt);
+  const key = await symmetric.importSymmetricCryptoKey(keyBytes);
+  const sessionKeyCipher = utils.base64ToCiphertext(sessionKeyEnc);
+  const sessionKeyArray = await symmetric.decryptSymmetrically(key, sessionKeyCipher, 'UserSessionKey');
+  const sessionKey = utils.uint8ArrayToBase64(sessionKeyArray);
+  const urlSafeSessionKey = sessionKey.replace(/\+/g, '-').replace(/\//g, '_').replace(/=$/, '').replace(/=$/, '');
+  return urlSafeSessionKey;
+};
+
+export const generateUserSecrets = async (): Promise<{ keys: UserKeys; mnemonic: string }> => {
+  const mnemonic = utils.genMnemonic(256);
+  const { privateKeyArmored, publicKeyArmored, publicKyberKeyBase64, privateKyberKeyBase64 } = await generateNewKeys();
+  const keys: UserKeys = {
+    ecc: { privateKey: privateKeyArmored, publicKey: publicKeyArmored },
+    kyber: {
+      privateKey: privateKyberKeyBase64,
+      publicKey: publicKyberKeyBase64,
+    },
+  };
+  return { keys, mnemonic };
+};