1 files changed, 19 insertions, 22 deletions

diff --git a/src/api/auth/account.rs b/src/api/auth/account.rs
index 0f12d49..c0c2099 100644
--- a/src/api/auth/account.rs
+++ b/src/api/auth/account.rs
@@ -11,6 +11,7 @@ use serde::{Deserialize, Serialize};
 use validator::Validate;
 
 use crate::api::{Empty, EMPTY};
+use crate::crypto::{KeyFetchToken, SessionToken};
 use crate::db::{Db, DbConn};
 use crate::mailer::Mailer;
 use crate::push::PushClient;
@@ -21,7 +22,7 @@ use crate::{
     api::{auth, serialize_dt},
     auth::{AuthSource, Authenticated},
     crypto::{AuthPW, KeyBundle, KeyFetchReq, SecretBytes, SessionCredentials},
-    types::{HawkKey, KeyFetchID, OauthToken, SecretKey, SessionID, User, UserID, VerifyHash},
+    types::{HawkKey, KeyFetchID, OauthToken, SecretKey, User, UserID, VerifyHash},
 };
 
 // TODO better error handling
@@ -52,9 +53,9 @@ pub(crate) struct Create {
 #[serde(deny_unknown_fields)]
 pub(crate) struct CreateResp {
     uid: UserID,
-    sessionToken: SecretBytes<32>,
+    sessionToken: SessionToken,
     #[serde(skip_serializing_if = "Option::is_none")]
-    keyFetchToken: Option<SecretBytes<32>>,
+    keyFetchToken: Option<KeyFetchToken>,
     #[serde(serialize_with = "serialize_dt")]
     authAt: DateTime<Utc>,
     // MISSING verificationMethod
@@ -94,17 +95,16 @@ pub(crate) async fn create(
     let auth_salt = SaltString::generate(rand::rngs::OsRng);
     let stretched = data.authPW.stretch(auth_salt.as_salt())?;
     let verify_hash = stretched.verify_hash();
-    let session_token = SecretBytes::generate();
-    let session = SessionCredentials::derive(&session_token);
+    let session_token = SessionToken::generate();
+    let session = SessionCredentials::derive_from(&session_token);
     let key_fetch_token = if keys {
-        let key_fetch_token = SecretBytes::generate();
-        let req = KeyFetchReq::from_token(&key_fetch_token);
+        let key_fetch_token = KeyFetchToken::generate();
+        let req = KeyFetchReq::derive_from(&key_fetch_token);
         let wrapped = req.derive_resp().wrap_keys(&KeyBundle {
             ka: ka.clone(),
             wrap_kb: stretched.decrypt_wwkb(&wrapwrap_kb),
         });
-        db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped)
-            .await?;
+        db.add_key_fetch(req.token_id, &HawkKey(req.req_hmac_key.0), &wrapped).await?;
         Some(key_fetch_token)
     } else {
         None
@@ -120,12 +120,11 @@ pub(crate) async fn create(
             verified: false,
         })
         .await?;
-    let session_id = SessionID(session.token_id.0);
     let auth_at = db
-        .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, None)
+        .add_session(session.token_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, None)
         .await?;
     let verify_code = hex::encode(&SecretBytes::<16>::generate().0);
-    db.add_verify_code(&uid, &session_id, &verify_code).await?;
+    db.add_verify_code(&uid, &session.token_id, &verify_code).await?;
     // NOTE we send the email in this context rather than a spawn to signal
     // send errors to the client.
     mailer.send_account_verify(&uid, &data.email, &verify_code).await.map_err(|e| {
@@ -161,9 +160,9 @@ pub(crate) struct Login {
 #[serde(deny_unknown_fields)]
 pub(crate) struct LoginResp {
     uid: UserID,
-    sessionToken: SecretBytes<32>,
+    sessionToken: SessionToken,
     #[serde(skip_serializing_if = "Option::is_none")]
-    keyFetchToken: Option<SecretBytes<32>>,
+    keyFetchToken: Option<KeyFetchToken>,
     // MISSING verificationMethod
     // MISSING verificationReason
     // NOTE this is the *account* verified status, not the session status.
@@ -200,27 +199,25 @@ pub(crate) async fn login(
         return Err(auth::Error::IncorrectPassword);
     }
 
-    let session_token = SecretBytes::generate();
-    let session = SessionCredentials::derive(&session_token);
+    let session_token = SessionToken::generate();
+    let session = SessionCredentials::derive_from(&session_token);
     let key_fetch_token = if keys {
-        let key_fetch_token = SecretBytes::generate();
-        let req = KeyFetchReq::from_token(&key_fetch_token);
+        let key_fetch_token = KeyFetchToken::generate();
+        let req = KeyFetchReq::derive_from(&key_fetch_token);
         let wrapped = req.derive_resp().wrap_keys(&KeyBundle {
             ka: SecretBytes(user.ka.0),
             wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)),
         });
-        db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped)
-            .await?;
+        db.add_key_fetch(req.token_id, &HawkKey(req.req_hmac_key.0), &wrapped).await?;
         Some(key_fetch_token)
     } else {
         None
     };
 
-    let session_id = SessionID(session.token_id.0);
     let verify_code = format!("{:06}", thread_rng().gen_range(0..=999999));
     let auth_at = db
         .add_session(
-            session_id.clone(),
+            session.token_id.clone(),
             &uid,
             HawkKey(session.req_hmac_key.0),
             false,