Merge branch 'develop' into feature/uvf

# Conflicts:
#	backend/src/main/java/org/cryptomator/hub/entities/User.java
#	backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png
#	frontend/src/common/crypto.ts
#	frontend/src/components/CreateVault.vue
#	frontend/src/components/GrantPermissionDialog.vue
#	frontend/src/components/InitialSetup.vue
#	frontend/src/components/ManageSetupCode.vue
#	frontend/src/components/RecoverVaultDialog.vue
#	frontend/src/components/RegenerateSetupCodeDialog.vue
#	frontend/src/components/VaultDetails.vue
#	frontend/test/common/crypto.spec.ts

backend/src/main/java/org/cryptomator/hub/api/DeviceResource.java

@@ -24,7 +24,6 @@
 import org.cryptomator.hub.entities.LegacyAccessToken;
 import org.cryptomator.hub.entities.LegacyDevice;
 import org.cryptomator.hub.entities.User;
-import org.cryptomator.hub.entities.events.DeviceRemovedEvent;
 import org.cryptomator.hub.entities.events.EventLogger;
 import org.cryptomator.hub.validation.NoHtmlOrScriptChars;
 import org.cryptomator.hub.validation.OnlyBase64Chars;
@@ -102,7 +101,7 @@ public Response createOrUpdate(@Valid @NotNull DeviceDto dto, @PathParam("device
 		}
 		device.setName(dto.name);
 		device.setPublickey(dto.publicKey);
-		device.setUserPrivateKey(dto.userPrivateKey);
+		device.setUserPrivateKeys(dto.userPrivateKeys);
 
 		try {
 			deviceRepo.persistAndFlush(device);
@@ -173,12 +172,12 @@ public record DeviceDto(@JsonProperty("id") @ValidId String id,
 							@JsonProperty("name") @NoHtmlOrScriptChars @NotBlank String name,
 							@JsonProperty("type") Device.Type type,
 							@JsonProperty("publicKey") @NotNull @OnlyBase64Chars String publicKey,
-							@JsonProperty("userPrivateKey") @NotNull @ValidJWE String userPrivateKey,
+							@JsonProperty("userPrivateKey") @NotNull @ValidJWE String userPrivateKeys, // singular name for history reasons (don't break client compatibility)
 							@JsonProperty("owner") @ValidId String ownerId,
 							@JsonProperty("creationTime") Instant creationTime) {
 
 		public static DeviceDto fromEntity(Device entity) {
-			return new DeviceDto(entity.getId(), entity.getName(), entity.getType(), entity.getPublickey(), entity.getUserPrivateKey(), entity.getOwner().getId(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS));
+			return new DeviceDto(entity.getId(), entity.getName(), entity.getType(), entity.getPublickey(), entity.getUserPrivateKeys(), entity.getOwner().getId(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS));
 		}
 
 	}

backend/src/main/java/org/cryptomator/hub/api/UserDto.java

@@ -14,24 +14,34 @@ public final class UserDto extends AuthorityDto {
 	public final String email;
 	@JsonProperty("devices")
 	public final Set<DeviceResource.DeviceDto> devices;
-	@JsonProperty("publicKey")
-	public final String publicKey;
-	@JsonProperty("privateKey")
-	public final String privateKey;
+	@JsonProperty("ecdhPublicKey")
+	public final String ecdhPublicKey;
+	@JsonProperty("ecdsaPublicKey")
+	public final String ecdsaPublicKey;
+	@JsonProperty("privateKey") // singular name for history reasons (don't break client compatibility)
+	public final String privateKeys;
 	@JsonProperty("setupCode")
 	public final String setupCode;
 
+	@Deprecated
+	@JsonProperty("publicKey")
+	public final String legacyEcdhPublicKey;
+
 	UserDto(@JsonProperty("id") String id, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("email") String email, @JsonProperty("devices") Set<DeviceResource.DeviceDto> devices,
-			@Nullable @JsonProperty("publicKey") @OnlyBase64Chars String publicKey, @Nullable @JsonProperty("privateKey") @ValidJWE String privateKey, @Nullable @JsonProperty("setupCode") @ValidJWE String setupCode) {
+			@Nullable @JsonProperty("ecdhPublicKey") @OnlyBase64Chars String ecdhPublicKey, @Nullable @JsonProperty("ecdsaPublicKey") @OnlyBase64Chars String ecdsaPublicKey, @Nullable @JsonProperty("privateKeys") @ValidJWE String privateKeys, @Nullable @JsonProperty("setupCode") @ValidJWE String setupCode) {
 		super(id, Type.USER, name, pictureUrl);
 		this.email = email;
 		this.devices = devices;
-		this.publicKey = publicKey;
-		this.privateKey = privateKey;
+		this.ecdhPublicKey = ecdhPublicKey;
+		this.ecdsaPublicKey = ecdsaPublicKey;
+		this.privateKeys = privateKeys;
 		this.setupCode = setupCode;
+
+		// duplicate fields to maintain backwards compatibility:
+		this.legacyEcdhPublicKey = ecdhPublicKey;
 	}
 
 	public static UserDto justPublicInfo(User user) {
-		return new UserDto(user.getId(), user.getName(), user.getPictureUrl(), user.getEmail(), Set.of(), user.getPublicKey(), null, null);
+		return new UserDto(user.getId(), user.getName(), user.getPictureUrl(), user.getEmail(), Set.of(), user.getEcdhPublicKey(), user.getEcdsaPublicKey(),null, null);
 	}
 }

backend/src/main/java/org/cryptomator/hub/api/UsersResource.java

@@ -20,7 +20,6 @@
 import org.cryptomator.hub.entities.User;
 import org.cryptomator.hub.entities.Vault;
 import org.cryptomator.hub.entities.events.EventLogger;
-import org.cryptomator.hub.entities.events.VaultAccessGrantedEvent;
 import org.eclipse.microprofile.jwt.JsonWebToken;
 import org.eclipse.microprofile.openapi.annotations.Operation;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
@@ -71,14 +70,37 @@ public Response putMe(@Nullable @Valid UserDto dto) {
 		user.setPictureUrl(jwt.getClaim("picture"));
 		user.setEmail(jwt.getClaim("email"));
 		if (dto != null) {
-			user.setPublicKey(dto.publicKey);
-			user.setPrivateKey(dto.privateKey);
+			user.setEcdhPublicKey(dto.ecdhPublicKey);
+			user.setEcdsaPublicKey(dto.ecdsaPublicKey);
+			user.setPrivateKeys(dto.privateKeys);
 			user.setSetupCode(dto.setupCode);
+			updateDevices(user, dto);
 		}
 		userRepo.persist(user);
 		return Response.created(URI.create(".")).build();
 	}
 
+	/**
+	 * Updates those devices that are present in both the entity and the DTO. No devices are added or removed.
+	 *
+	 * @param userEntity The persistent entity
+	 * @param userDto    The DTO
+	 */
+	private void updateDevices(User userEntity, UserDto userDto) {
+		var devices = userEntity.devices.stream().collect(Collectors.toUnmodifiableMap(Device::getId, Function.identity()));
+		var updatedDevices = userDto.devices.stream()
+				.filter(d -> devices.containsKey(d.id())) // only look at DTOs for which we find a matching existing entity
+				.map(dto -> {
+					var device = devices.get(dto.id());
+					device.setType(dto.type());
+					device.setName(dto.name());
+					device.setPublickey(dto.publicKey());
+					device.setUserPrivateKeys(dto.userPrivateKeys());
+					return device;
+				});
+		deviceRepo.persist(updatedDevices);
+	}
+
 	@POST
 	@Path("/me/access-tokens")
 	@RolesAllowed("user")
@@ -117,9 +139,9 @@ public Response updateMyAccessTokens(@NotNull Map<UUID, String> tokens) {
 	@APIResponse(responseCode = "404", description = "no user matching the subject of the JWT passed as Bearer Token")
 	public UserDto getMe(@QueryParam("withDevices") boolean withDevices) {
 		User user = userRepo.findById(jwt.getSubject());
-		Function<Device, DeviceResource.DeviceDto> mapDevices = d -> new DeviceResource.DeviceDto(d.getId(), d.getName(), d.getType(), d.getPublickey(), d.getUserPrivateKey(), d.getOwner().getId(), d.getCreationTime().truncatedTo(ChronoUnit.MILLIS));
+		Function<Device, DeviceResource.DeviceDto> mapDevices = d -> new DeviceResource.DeviceDto(d.getId(), d.getName(), d.getType(), d.getPublickey(), d.getUserPrivateKeys(), d.getOwner().getId(), d.getCreationTime().truncatedTo(ChronoUnit.MILLIS));
 		var devices = withDevices ? user.devices.stream().map(mapDevices).collect(Collectors.toSet()) : Set.<DeviceResource.DeviceDto>of();
-		return new UserDto(user.getId(), user.getName(), user.getPictureUrl(), user.getEmail(), devices, user.getPublicKey(), user.getPrivateKey(), user.getSetupCode());
+		return new UserDto(user.getId(), user.getName(), user.getPictureUrl(), user.getEmail(), devices, user.getEcdhPublicKey(), user.getEcdsaPublicKey(), user.getPrivateKeys(), user.getSetupCode());
 	}
 
 	@POST
@@ -131,8 +153,8 @@ public UserDto getMe(@QueryParam("withDevices") boolean withDevices) {
 	@APIResponse(responseCode = "204", description = "deleted keys, devices and access permissions")
 	public Response resetMe() {
 		User user = userRepo.findById(jwt.getSubject());
-		user.setPublicKey(null);
-		user.setPrivateKey(null);
+		user.setEcdhPublicKey(null);
+		user.setPrivateKeys(null);
 		user.setSetupCode(null);
 		userRepo.persist(user);
 		deviceRepo.deleteByOwner(user.getId());

backend/src/main/java/org/cryptomator/hub/api/VaultResource.java

@@ -320,7 +320,7 @@ public Response unlock(@PathParam("vaultId") UUID vaultId, @QueryParam("evenIfAr
 		}
 
 		var user = userRepo.findById(jwt.getSubject());
-		if (user.getPublicKey() == null) {
+		if (user.getEcdhPublicKey() == null) {
 			throw new ActionRequiredException("User account not initialized.");
 		}
 

backend/src/main/java/org/cryptomator/hub/entities/Device.java

@@ -56,8 +56,8 @@ public enum Type {
 	@Column(name = "publickey", nullable = false)
 	private String publickey;
 
-	@Column(name = "user_privatekey", nullable = false)
-	private String userPrivateKey;
+	@Column(name = "user_privatekeys", nullable = false)
+	private String userPrivateKeys;
 
 	@Column(name = "creation_time", nullable = false)
 	private Instant creationTime;
@@ -102,12 +102,12 @@ public void setPublickey(String publickey) {
 		this.publickey = publickey;
 	}
 
-	public String getUserPrivateKey() {
-		return userPrivateKey;
+	public String getUserPrivateKeys() {
+		return userPrivateKeys;
 	}
 
-	public void setUserPrivateKey(String userPrivateKey) {
-		this.userPrivateKey = userPrivateKey;
+	public void setUserPrivateKeys(String userPrivateKeys) {
+		this.userPrivateKeys = userPrivateKeys;
 	}
 
 	public Instant getCreationTime() {
@@ -126,7 +126,7 @@ public String toString() {
 				", name='" + name + '\'' +
 				", type='" + type + '\'' +
 				", publickey='" + publickey + '\'' +
-				", userPrivateKey='" + userPrivateKey + '\'' +
+				", userPrivateKey='" + userPrivateKeys + '\'' +
 				", creationTime='" + creationTime + '\'' +
 				'}';
 	}
@@ -141,13 +141,13 @@ public boolean equals(Object o) {
 				&& Objects.equals(this.name, other.name)
 				&& Objects.equals(this.type, other.type)
 				&& Objects.equals(this.publickey, other.publickey)
-				&& Objects.equals(this.userPrivateKey, other.userPrivateKey)
+				&& Objects.equals(this.userPrivateKeys, other.userPrivateKeys)
 				&& Objects.equals(this.creationTime, other.creationTime);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(id, owner, name, type, publickey, userPrivateKey, creationTime);
+		return Objects.hash(id, owner, name, type, publickey, userPrivateKeys, creationTime);
 	}
 
 	@ApplicationScoped

backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java

@@ -71,7 +71,7 @@ SELECT count(DISTINCT u)
 		FROM EffectiveVaultAccess eva
 			INNER JOIN User u ON u.id = eva.id.authorityId
 			LEFT JOIN AccessToken token ON token.id.vaultId = eva.id.vaultId AND token.id.userId = eva.id.authorityId
-			WHERE eva.id.vaultId = :vaultId AND token.vault IS NULL AND u.publicKey IS NOT NULL
+			WHERE eva.id.vaultId = :vaultId AND token.vault IS NULL AND u.ecdhPublicKey IS NOT NULL
 		"""
 )
 public class EffectiveVaultAccess {

backend/src/main/java/org/cryptomator/hub/entities/User.java

@@ -40,11 +40,14 @@ public class User extends Authority {
 	@Column(name = "email")
 	private String email;
 
-	@Column(name = "publickey")
-	private String publicKey;
+	@Column(name = "ecdh_publickey")
+	private String ecdhPublicKey;
 
-	@Column(name = "privatekey")
-	private String privateKey;
+	@Column(name = "ecdsa_publickey")
+	private String ecdsaPublicKey;
+
+	@Column(name = "privatekeys")
+	private String privateKeys;
 
 	@Column(name = "setupcode")
 	private String setupCode;
@@ -65,20 +68,28 @@ public void setEmail(String email) {
 		this.email = email;
 	}
 
-	public String getPublicKey() {
-		return publicKey;
+	public String getEcdhPublicKey() {
+		return ecdhPublicKey;
+	}
+
+	public void setEcdhPublicKey(String ecdhPublicKey) {
+		this.ecdhPublicKey = ecdhPublicKey;
+	}
+
+	public String getEcdsaPublicKey() {
+		return ecdsaPublicKey;
 	}
 
-	public void setPublicKey(String publicKey) {
-		this.publicKey = publicKey;
+	public void setEcdsaPublicKey(String ecdsaPublicKey) {
+		this.ecdsaPublicKey = ecdsaPublicKey;
 	}
 
-	public String getPrivateKey() {
-		return privateKey;
+	public String getPrivateKeys() {
+		return privateKeys;
 	}
 
-	public void setPrivateKey(String privateKey) {
-		this.privateKey = privateKey;
+	public void setPrivateKeys(String privateKeys) {
+		this.privateKeys = privateKeys;
 	}
 
 	public String getSetupCode() {
@@ -119,14 +130,15 @@ public boolean equals(Object o) {
 		return super.equals(that) //
 				&& Objects.equals(pictureUrl, that.pictureUrl) //
 				&& Objects.equals(email, that.email) //
-				&& Objects.equals(publicKey, that.publicKey) //
-				&& Objects.equals(privateKey, that.privateKey) //
+				&& Objects.equals(ecdhPublicKey, that.ecdhPublicKey) //
+				&& Objects.equals(ecdsaPublicKey, that.ecdsaPublicKey) //
+				&& Objects.equals(privateKeys, that.privateKeys) //
 				&& Objects.equals(setupCode, that.setupCode);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(super.getId(), pictureUrl, email, publicKey, privateKey, setupCode);
+		return Objects.hash(super.getId(), pictureUrl, email, ecdhPublicKey, privateKeys, setupCode);
 	}
 
 	@ApplicationScoped

backend/src/main/resources/application.properties

@@ -33,7 +33,7 @@ hub.keycloak.oidc.cryptomator-client-id=cryptomator
 %dev.quarkus.keycloak.devservices.start-command=start-dev
 %dev.quarkus.keycloak.devservices.port=8180
 %dev.quarkus.keycloak.devservices.service-name=quarkus-cryptomator-hub
-%dev.quarkus.keycloak.devservices.image-name=ghcr.io/cryptomator/keycloak:23.0.7
+%dev.quarkus.keycloak.devservices.image-name=ghcr.io/cryptomator/keycloak:24.0.4
 %dev.quarkus.oidc.devui.grant.type=code
 # OIDC will be mocked during unit tests. Use fake auth url to prevent dev services to start:
 %test.quarkus.oidc.auth-server-url=http://localhost:43210/dev/null

backend/src/main/resources/dev-realm.json

@@ -49,6 +49,8 @@
   "users": [
     {
       "username": "admin",
+      "firstName": "admin",
+      "lastName": "admin",
       "email": "admin@localhost",
       "enabled": true,
       "attributes": {
@@ -66,39 +68,56 @@
     },
     {
       "username": "alice",
+      "firstName": "alice",
+      "lastName": "alice",
+      "email": "alice@localhost",
       "enabled": true,
       "credentials": [{"type": "password", "value": "asd"}],
       "realmRoles": ["user"]
     },
     {
       "username": "bob",
+      "firstName": "bob",
+      "lastName": "bob",
+      "email": "bob@localhost",
       "enabled": true,
       "credentials": [{"type": "password", "value": "asd"}],
       "realmRoles": ["user"]
     },
     {
       "username": "carol",
+      "firstName": "carol",
+      "lastName": "carol",
+      "email": "carol@localhost",
       "enabled": true,
       "credentials": [{"type": "password", "value": "asd"}],
       "realmRoles": ["user"],
       "groups" : [ "/groupies" ]
     },
     {
       "username": "dave",
+      "firstName": "dave",
+      "lastName": "dave",
+      "email": "dave@localhost",
       "enabled": true,
       "credentials": [{"type": "password", "value": "asd"}],
       "realmRoles": ["user"],
       "groups" : [ "/groupies" ]
     },
     {
       "username": "erin",
+      "firstName": "erin",
+      "lastName": "erin",
+      "email": "erin@localhost",
       "enabled": true,
       "credentials": [{"type": "password", "value": "asd"}],
       "realmRoles": ["user"],
       "groups" : [ "/groupies" ]
     },
     {
       "username": "syncer",
+      "firstName": "syncer",
+      "lastName": "syncer",
       "email": "syncer@localhost",
       "enabled": true,
       "attributes": {
@@ -227,4 +246,4 @@
   "browserSecurityHeaders": {
     "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self' http://localhost:*; object-src 'none';"
   }
-}
+}

backend/src/main/resources/org/cryptomator/hub/flyway/V15__User_ECDSA.sql

@@ -0,0 +1,4 @@
+ALTER TABLE "user_details" RENAME COLUMN "publickey" TO "ecdh_publickey";
+ALTER TABLE "user_details" RENAME COLUMN "privatekey" TO "privatekeys";
+ALTER TABLE "user_details" ADD "ecdsa_publickey" VARCHAR;
+ALTER TABLE "device" RENAME COLUMN "user_privatekey" TO "user_privatekeys";