
about app api keys and sessions #21

Closed
masterkain opened this issue Jan 2, 2017 · 4 comments

Comments

@masterkain

hello,
The MEGA documentation states that you need an API key to call the API, but this gem doesn't seem to provide a way to include it in requests. It's working though, so I don't understand whether it's mandatory or not. Do you have any more info about that?

About sessions: I saw other libraries (PHP, etc.) providing a way to represent and persist the session so that it can be reconstructed when needed. Do you have more information to share about MEGA sessions: how they roughly work, whether they expire, etc.?

thanks

@topac
Owner

topac commented Jan 3, 2017

the mega documentation states that you need an api key to call the API,

Hi, regarding the API key, I think that (at the moment) it simply allows you to skip the classic authentication step, which involves sending your email and a hash of your password. Maybe they will add more features like effective granular permissions, analytics, expiry time, etc.

Do you have more information about mega sessions to share, how they roughly work, if they expire, etc.?

A session is composed of three elements:

  • master_key
  • rsa_private_key
  • session_id

They can be saved anywhere and reused without the need to re-authenticate.

To understand these values, you need to understand what happens when you create an account and when you log in with that account.

When you create an account on mega, the browser (client-side) computes the following parameters:

  • pass_hash1 (a hash of your password)
  • rsa_private_key + rsa_public_key (randomly generated)
  • master_key (128 bit, randomly generated)

Then it sends these values to the MEGA server:

  • email (your email)
  • user_hash1 (a hash of your email+password)
  • rsa_public_key (in clear)
  • encrypted_master_key (which is the master_key encrypted with pass_hash1)
  • encrypted_rsa_private_key (which is the rsa_private_key encrypted with master_key)

When you log in, you send to the MEGA servers:

  • email
  • user_hash1

If MEGA finds your account, meaning that it finds the combination email+user_hash1 in its database, it sends you these values:

  • encrypted_master_key
  • encrypted_rsa_private_key
  • encrypted_session_id (encrypted with your rsa_public_key)

Now it should be clear how to obtain the session values:

  • Decrypt encrypted_master_key with pass_hash1 to obtain master_key
  • Decrypt encrypted_rsa_private_key with master_key to obtain rsa_private_key
  • Decrypt encrypted_session_id with rsa_private_key to obtain session_id

All of this mechanism is to ensure that MEGA never knows your real password or your RSA private key.

And now, the game is on! With these values you can query for the files' metadata/content and decrypt them.

if they expire, etc.?

As far as I know, sessions last forever.

PS: Can you explain your use-case scenario better, and how persisting a session can help your work?
Maybe I can help you implement it.
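The signup/login exchange described in the comment above, as an added Ruby simulation. This is not the gem's code and not MEGA's exact algorithm: the concrete primitives are assumptions chosen to make the flow runnable offline (pass_hash1 = SHA-256 of the password truncated to 16 bytes and used as an AES-128 key, user_hash1 = SHA-256 of email+password, AES-128-CBC with a random IV prepended to each ciphertext, RSA-2048 with OAEP for the session id). The point it demonstrates is the one in the comment: the server stores only email, user_hash1, the public key and two ciphertexts, and the client reconstructs master_key, rsa_private_key and session_id from the login reply. The Server class, the MegaLike module and the `issued_sessions` accessor are hypothetical names for the example.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Simulated MEGA-style signup/login (added illustration, not the gem's code).
# Assumed primitives: pass_hash1 = SHA-256(password)[0,16] used as an AES-128 key,
# user_hash1 = SHA-256(email + password), AES-128-CBC with IV prepended,
# RSA-2048 + OAEP for the session id. MEGA's real derivations differ.
module MegaLike
  # AES-128-CBC helper: encrypt returns iv || ciphertext, decrypt expects the same layout.
  def self.aes(mode, key, data)
    cipher = OpenSSL::Cipher.new('aes-128-cbc')
    if mode == :encrypt
      cipher.encrypt
      iv = cipher.random_iv
      cipher.key = key
      iv + cipher.update(data) + cipher.final
    else
      cipher.decrypt
      cipher.key = key
      cipher.iv = data[0, 16]
      cipher.update(data[16..-1]) + cipher.final
    end
  end

  def self.pass_hash1(password)
    Digest::SHA256.digest(password)[0, 16]        # assumed password-derived AES key
  end

  def self.user_hash1(email, password)
    Digest::SHA256.hexdigest(email + password)    # assumed login credential hash
  end

  # Server side: never sees the password, master_key or private key in clear.
  class Server
    attr_reader :issued_sessions

    def initialize
      @accounts = {}
      @issued_sessions = {}   # exposed only so a caller can verify the decrypted session id
    end

    def register(email:, user_hash1:, rsa_public_key:, encrypted_master_key:, encrypted_rsa_private_key:)
      @accounts[email] = { user_hash1: user_hash1, rsa_public_key: rsa_public_key,
                           encrypted_master_key: encrypted_master_key,
                           encrypted_rsa_private_key: encrypted_rsa_private_key }
    end

    # Looks up email+user_hash1; on a match returns the two ciphertexts plus a
    # fresh session id encrypted to the account's RSA public key.
    def login(email:, user_hash1:)
      acct = @accounts[email]
      return nil unless acct && acct[:user_hash1] == user_hash1
      session_id = SecureRandom.random_bytes(16)
      @issued_sessions[email] = session_id
      pub = OpenSSL::PKey::RSA.new(acct[:rsa_public_key])
      { encrypted_master_key: acct[:encrypted_master_key],
        encrypted_rsa_private_key: acct[:encrypted_rsa_private_key],
        encrypted_session_id: pub.public_encrypt(session_id, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING) }
    end
  end

  # Client signup: all secrets are generated locally; only ciphertexts and the public key leave.
  def self.signup(server, email, password)
    ph1 = pass_hash1(password)
    rsa = OpenSSL::PKey::RSA.new(2048)
    master_key = SecureRandom.random_bytes(16)   # 128-bit random master key
    server.register(email: email, user_hash1: user_hash1(email, password),
                    rsa_public_key: rsa.public_key.to_pem,
                    encrypted_master_key: aes(:encrypt, ph1, master_key),
                    encrypted_rsa_private_key: aes(:encrypt, master_key, rsa.to_pem))
    { master_key: master_key, rsa_private_key: rsa.to_pem }
  end

  # Client login: the three decryption steps from the comment; nil on bad credentials.
  def self.login(server, email, password)
    reply = server.login(email: email, user_hash1: user_hash1(email, password))
    return nil unless reply
    master_key = aes(:decrypt, pass_hash1(password), reply[:encrypted_master_key])
    rsa_private_key = aes(:decrypt, master_key, reply[:encrypted_rsa_private_key])
    rsa = OpenSSL::PKey::RSA.new(rsa_private_key)
    session_id = rsa.private_decrypt(reply[:encrypted_session_id], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    { master_key: master_key, rsa_private_key: rsa_private_key, session_id: session_id }
  end
end

if __FILE__ == $0
  server = MegaLike::Server.new
  MegaLike.signup(server, 'alice@example.com', 'correct horse')   # constructed sample account
  session = MegaLike.login(server, 'alice@example.com', 'correct horse')
  puts "session_id recovered: #{session[:session_id].unpack1('H*')}"
end
```

The three values returned by `login` are exactly the triple the comment says a persisted session needs; anyone holding them can skip the password step entirely, which is why a stored session should be protected like a credential rather than like a cache entry.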

@masterkain
Author

Many thanks for the time spent writing down how it works. I can describe my use case but I prefer doing it in private. Are you Italian by any chance?

@topac
Owner

topac commented Jan 4, 2017

@masterkain yes

@masterkain
Author

I can't contact you on GitHub; can you please send a ping to masterkain@gmail.com or @masterkain on Twitter? Thanks!

@topac topac closed this as completed Feb 5, 2018