Session login, not fully working yet

[DarkFighterLuke]

In the past four days I've lost my mind trying to figure out Mega SDK's internals.
I managed to write a new function to login using session key. It works fine, but it's not complete yet, because no master key is retrieved in session login, so node attributes can't be decrypted.

As I said in #35 , I would like some help to solve this issue.
Hope someone will collaborate.

[figgyc]

Hi Luke, I'm interested in this too, although I don't know much about the megasdk either.
I did have a look though - I think this is where the session key is created: https://github.com/meganz/sdk/blob/b1499910f17ad8d58595badb81f4e0bd5a38fb00/src/megaclient.cpp#L9436
I think what that means is that the master key is encrypted using the session key? Not sure though, maybe you know though because you've spent more time on this than I have.

[DarkFighterLuke]

I'm very happy that someone else is interested in this feature, so thank you for you contribute, I very appreciate it!
The line you linked is from the method dumpSession which returns the session key stored in the class, which is not the master key.
I can't figure out how the master key is obtained and if it has an encryption pass using the session key (I think it would be useless).

I have some clues about the place where the master key is retrieved, but I can't understand the process related to encryption and decryption implemented in the SDK.
However, I show you what I discovered, maybe it can help. Printing JSON messages sent in requests, I discovered that when I call MegaApi::fetchNodes a request containing a command named uga is made. This command is used to retrieve user attributes specified using ua JSON key.
Here is what requests contain:

"a":"uga","u":"YOUR_USER_ID","ua":"*keyring","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"+puEd255","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"+puCu255","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"+sigCu255","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"+sigPubk","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"*!authring","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"*!authRSA","v":1
"a":"uga","u":"YOUR_USER_ID","ua":"*!authCu255","v":1

So 8 requests are made, each one containing one of the lines above.
The received request is processed by this method https://github.com/meganz/sdk/blob/master/src/commands.cpp#L3022.
Basically this method calls MegaClient::initializeKeys : https://github.com/meganz/sdk/blob/master/src/megaclient.cpp#L12335.
Here is where I am lost, I can't figure out what is done and if I am in the right place.

I hope this could be helpful to someone.

[ncw]

In the fast four days I've lost my mind trying to figure out Mega SDK's internals.

My feeling exactly when looking at their C++ code!

I managed to write a new function to login using session key. It works fine, but it's not complete yet, because no master key is retrieved in session login, so node attributes can't be decrypted.

I'm not clear on what this is for. Where do you get a session key from?

[DarkFighterLuke]

I'm very happy that you answered to that PR!

My feeling exactly when looking at their C++ code!

I dont' feel alone anymore. 😆

I'm not clear on what this is for. Where do you get a session key from?

So, imagine that an application needs to have some kind of persistence for some reason (for example for uploading content without asking for user credentials each time). It is super useful to have a session key, which can be retrieved when logged in a session, so that the user has to type credentials the first time only. In any subsequent access to the account, the user has nothing to do, because the application will login using the session key previously retrieved.

[a5r0n]

I'm not clear on what this is for. Where do you get a session key from?

the session key is like use token, u can revoke tho and so on.
u can generate one by login with MEGAcmd and call the session command

the actual thing in this PR what i'm looking for in this PR, it's the ability to use shared folders.
i manage to login to folder, and get the files nodes, but the attributes are empty, so i guess something with the decryption didn't work..

[DarkFighterLuke]

the actual thing in this PR, it's the ability to use shared folders.

No, the actual thing in this PR is to use the authentication with session token. At the moment, I have implemented the authentication, but when you try to get your files it will be impossible, because no decryption key is retrieved (as opposed to what happens with email+psw[+OTP] authentication).
So the real problem at the moment is to retrieve the decryption key to decrypt your files.
If only Mega would provide a better documentation on all the process with some schematics...