feat(recovery): send backup public keys for validation during account recovery

Author: Dougama

package.json

@@ -8,7 +8,7 @@
     "@iconscout/react-unicons": "^1.1.6",
     "@internxt/css-config": "1.1.0",
     "@internxt/lib": "1.4.1",
-    "@internxt/sdk": "=1.11.17",
+    "@internxt/sdk": "=1.12.0",
     "@internxt/ui": "0.1.1",
     "@phosphor-icons/react": "^2.1.7",
     "@popperjs/core": "^2.11.6",

src/services/auth.service.test.ts

@@ -687,7 +687,7 @@ describe('updateCredentialsWithToken', () => {
     expect(keys).toBeUndefined();
   });
 
-  it('should successfully update credentials with token and with backup data (ECC only)', async () => {
+  it('should not send keys when backup data has no publicKeys (legacy backup)', async () => {
     const mockToken = 'test-reset-token';
     const mockNewPassword = 'newPassword123';
     const mockMnemonic =
@@ -721,13 +721,10 @@ describe('updateCredentialsWithToken', () => {
     expect(encryptedPassword).toBeDefined();
     expect(encryptedSalt).toBeDefined();
     expect(encryptedMnemonic).toBeDefined();
-    expect(keys).toBeDefined();
-
-    expect(keys.ecc).toBe('mock-encrypted-data');
-    expect(keys.kyber).toBeUndefined();
+    expect(keys).toBeUndefined();
   });
 
-  it('should successfully update credentials with token and with backup data (ECC and Kyber)', async () => {
+  it('should send both private and public keys when backup data has publicKeys', async () => {
     const mockToken = 'test-reset-token';
     const mockNewPassword = 'newPassword123';
     const mockMnemonic =
@@ -739,6 +736,10 @@ describe('updateCredentialsWithToken', () => {
         ecc: 'test-ecc-private-key',
         kyber: 'test-kyber-private-key',
       },
+      publicKeys: {
+        ecc: 'test-ecc-public-key',
+        kyber: 'test-kyber-public-key',
+      },
     };
 
     (validateMnemonic as any).mockReturnValue(true);
@@ -763,8 +764,12 @@ describe('updateCredentialsWithToken', () => {
     expect(encryptedMnemonic).toBeDefined();
     expect(keys).toBeDefined();
 
-    expect(keys.ecc).toBe('mock-encrypted-data');
-    expect(keys.kyber).toBe('mock-encrypted-data');
+    expect(keys.private.ecc).toBe('mock-encrypted-data');
+    expect(keys.private.kyber).toBe('mock-encrypted-data');
+    expect(keys.public).toEqual({
+      ecc: 'test-ecc-public-key',
+      kyber: 'test-kyber-public-key',
+    });
   });
 
   it('should throw an error when mnemonic is invalid', async () => {

src/services/auth.service.ts

@@ -339,14 +339,22 @@ export const updateCredentialsWithToken = async (
 
   const authClient = SdkFactory.getNewApiInstance().createAuthClient();
 
-  const keys =
+  const privateKeys =
     encryptedEccPrivateKey || encryptedKyberPrivateKey
       ? {
           ecc: encryptedEccPrivateKey,
           kyber: encryptedKyberPrivateKey,
         }
       : undefined;
 
+  const keys =
+    privateKeys && backupData?.publicKeys
+      ? {
+          private: privateKeys,
+          public: backupData?.publicKeys,
+        }
+      : undefined;
+
   return authClient.changePasswordWithLinkV2(
     token,
     encryptedHashedNewPassword,

src/utils/backupKeyUtils.ts

@@ -16,6 +16,9 @@ import { encryptMessageWithPublicKey, hybridEncryptMessageWithPublicKey } from '
  * @property {Object} keys - The user's encryption keys
  * @property {string} keys.ecc - The user's ECC private key
  * @property {string} keys.kyber - The user's Kyber private key
+ * @property {Object} [publicKeys] - The user's public keys (for backup validation)
+ * @property {string} [publicKeys.ecc] - The user's ECC public key
+ * @property {string} [publicKeys.kyber] - The user's Kyber public key
  */
 export interface BackupData {
   mnemonic: string;
@@ -24,6 +27,10 @@ export interface BackupData {
     ecc: string;
     kyber: string;
   };
+  publicKeys?: {
+    ecc?: string;
+    kyber?: string;
+  };
 }
 
 /**
@@ -49,6 +56,10 @@ export function handleExportBackupKey(translate) {
         ecc: user.keys?.ecc?.privateKey || user.privateKey,
         kyber: user.keys?.kyber?.privateKey || '',
       },
+      publicKeys: {
+        ecc: user.keys?.ecc?.publicKey || '',
+        kyber: user.keys?.kyber?.publicKey || '',
+      },
     };
 
     const backupContent = JSON.stringify(backupData, null, 2);
@@ -84,6 +95,12 @@ export const detectBackupKeyFormat = (
           ecc: parsedData.keys.ecc,
           kyber: parsedData.keys.kyber,
         },
+        publicKeys: parsedData.publicKeys
+          ? {
+              ecc: parsedData.publicKeys.ecc,
+              kyber: parsedData.publicKeys.kyber,
+            }
+          : undefined,
       };
       return {
         type: 'new',

yarn.lock

@@ -1906,10 +1906,10 @@
   version "1.0.2"
   resolved "https://codeload.github.com/internxt/prettier-config/tar.gz/9fa74e9a2805e1538b50c3809324f1c9d0f3e4f9"
 
-"@internxt/sdk@=1.11.17":
-  version "1.11.17"
-  resolved "https://registry.yarnpkg.com/@internxt/sdk/-/sdk-1.11.17.tgz#2f5bdada5d3cbf5cfc685a21c24b5df3ff51d8c8"
-  integrity sha512-91iEUvZizlwX6KBEFJ3JdFiGrhMBQ9R54sTc3Pei9QtV2FYTU8nTVEPYAg39tLOGzT/kVuplYOtBxfk6wFtSDA==
+"@internxt/sdk@=1.12.0":
+  version "1.12.0"
+  resolved "https://npm.pkg.github.com/download/@internxt/sdk/1.12.0/9555d9e53cc9ee728e5c56746a969a4d61792e5a#9555d9e53cc9ee728e5c56746a969a4d61792e5a"
+  integrity sha512-W5DS3ligEoE7YSuqKBh9dzVMpTPa+1LGJAGfGP+51zJZ8KfzeDDVBgaNRxTwBnbUYNZ3nvQJkA28AN6Vk8TqQA==
   dependencies:
     axios "1.13.2"
     uuid "11.1.0"