store download & add key

cmd/dkl-local-server/secret-store.go

@@ -1,14 +1,12 @@
 package main
 
 import (
-	"crypto/rand"
-	"encoding/base32"
 	"encoding/json"
 	"log"
 	"net/http"
 	"os"
 	"path/filepath"
-    "sort"
+	"sort"
 	"strings"
 	"sync"
 
@@ -20,7 +18,8 @@ import (
 
 var secStore *secretstore.Store
 
-func secStorePath(name string) string { return filepath.Join(*dataDir, "secrets", name) }
+func secStoreRoot() string            { return filepath.Join(*dataDir, "secrets") }
+func secStorePath(name string) string { return filepath.Join(secStoreRoot(), name) }
 func secKeysStorePath() string        { return secStorePath(".keys") }
 
 func openSecretStore() {
@@ -64,7 +63,7 @@ var (
 	ErrInvalidPassphrase    = httperr.NewStd(http.StatusBadRequest, 2, "invalid passphrase")
 )
 
-func unlockSecretStore(passphrase []byte) *httperr.Error {
+func unlockSecretStore(passphrase []byte) (err httperr.Error) {
 	unlockMutex.Lock()
 	defer unlockMutex.Unlock()
 
@@ -75,7 +74,7 @@ func unlockSecretStore(passphrase []byte) *httperr.Error {
 	if secStore.IsNew() {
 		err := secStore.Init(passphrase)
 		if err != nil {
-			return httperr.New(http.StatusInternalServerError, err)
+			return httperr.Internal(err)
 		}
 
 		err = secStore.SaveTo(secKeysStorePath())
@@ -83,7 +82,7 @@ func unlockSecretStore(passphrase []byte) *httperr.Error {
 			log.Print("secret store save error: ", err)
 			secStore.Close()
 
-			return httperr.New(http.StatusInternalServerError, err)
+			return httperr.Internal(err)
 		}
 
 	} else {
@@ -98,25 +97,21 @@ func unlockSecretStore(passphrase []byte) *httperr.Error {
 			log.Print("failed to read admin token: ", err)
 			secStore.Close()
 
-			return httperr.New(http.StatusInternalServerError, err)
+			return httperr.Internal(err)
 		}
 
-		randBytes := make([]byte, 32)
-		_, err := rand.Read(randBytes)
+		token, err = newToken(32)
 		if err != nil {
-			log.Print("rand read error: ", err)
 			secStore.Close()
-
-			return httperr.New(http.StatusInternalServerError, err)
+			return httperr.Internal(err)
 		}
 
-		token = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(randBytes)
 		err = writeSecret("admin-token", token)
 		if err != nil {
 			log.Print("write error: ", err)
 			secStore.Close()
 
-			return httperr.New(http.StatusInternalServerError, err)
+			return httperr.Internal(err)
 		}
 
 		log.Print("wrote new admin token")
@@ -124,6 +119,18 @@ func unlockSecretStore(passphrase []byte) *httperr.Error {
 
 	*adminToken = token
 
+	{
+		token, err := newToken(16)
+		if err != nil {
+			secStore.Close()
+			return httperr.Internal(err)
+		}
+
+		wState.Change(func(v *State) {
+			v.Store.DownloadToken = token
+		})
+	}
+
 	wPublicState.Change(func(v *PublicState) {
 		v.Store.New = false
 		v.Store.Open = true
@@ -132,7 +139,7 @@ func unlockSecretStore(passphrase []byte) *httperr.Error {
 	go updateState()
 	go migrateSecrets()
 
-	return nil
+	return
 }
 
 func readSecret(name string, value any) (err error) {
@@ -179,12 +186,12 @@ func writeSecret(name string, value any) (err error) {
 	}
 
 	err = os.Rename(f.Name(), secStorePath(name+".data"))
-    if err != nil {
-    return
-    }
+	if err != nil {
+		return
+	}
 
-    go updateState()
-    return
+	go updateState()
+	return
 }
 
 var secL sync.Mutex
@@ -255,7 +262,7 @@ func (s KVSecrets[T]) Keys(prefix string) (keys []string, err error) {
 		keys = append(keys, k[len(prefix):])
 	}
 
-    sort.Strings(keys)
+	sort.Strings(keys)
 
 	return
 }