# Internxt Auth Analysis: Web vs CLI vs Rclone ## Core Finding: Client Identification Determines Access The backend server blocks certain account tiers based on **client identification**: | Client | clientName | Login Method | Endpoint | Status for restricted tiers | |--------|------------|--------------|----------|-----------------------------| | **drive-web** | `drive-web` | `login()` | `/auth/login` | ✅ Allowed | | **drive-desktop** | `drive-desktop` | `login()` | `/auth/login` | ✅ Allowed | | **internxt-cli** | `internxt-cli` | `loginAccess()` | `/auth/login/access` | ❌ Blocked | | **rclone** | (rclone-adapter) | loginAccess-like | `/auth/login/access` | ❌ Blocked | ## Sources ### drive-web ([auth.service.ts](drive-web/src/services/auth.service.ts)) ```typescript const getAuthClient = (authType: 'web' | 'desktop') => { const AUTH_CLIENT = { web: SdkFactory.getNewApiInstance().createAuthClient(), // clientName: "drive-web" desktop: SdkFactory.getNewApiInstance().createDesktopAuthClient(), // clientName: "drive-desktop" }; return AUTH_CLIENT[authType]; }; // Login with authClient.login() - NOT loginAccess() return authClient.login(loginDetails, cryptoProvider) ``` - **createAuthClient()**: `clientName: packageJson.name` = `"drive-web"` - **createDesktopAuthClient()**: `clientName: "drive-desktop"` - **Method**: `login()` (not `loginAccess`) ### CLI ([auth.service.ts](https://github.com/internxt/cli/blob/main/src/services/auth.service.ts)) ```typescript const authClient = SdkManager.instance.getAuth(); const data = await authClient.loginAccess(loginDetails, CryptoService.cryptoProvider); ``` - **getAppDetails()**: `clientName: packageJson.clientName` = `"internxt-cli"` (from [package.json](https://github.com/internxt/cli/blob/main/package.json)) - **Method**: `loginAccess()` (not `login`) ### SDK Factory ([drive-web](drive-web/src/app/core/factory/sdk/index.ts)) ```typescript private static getAppDetails(): AppDetails { return { clientName: packageJson.name, // "drive-web" clientVersion: packageJson.version, customHeaders, }; } private static getDesktopAppDetails(): AppDetails { return { clientName: 'drive-desktop', clientVersion: packageJson.version, }; } ``` ## Solution for WebDAV Wrapper **Strategy:** Configure the auth client to identify as `drive-web` and use `login()` instead of `loginAccess()`. 1. Use **@internxt/sdk** with `Auth.client(apiUrl, appDetails, apiSecurity)` 2. Set **appDetails**: `{ clientName: "drive-web", clientVersion: "1.0" }` 3. Call **login()** (not `loginAccess()`) 4. Implement CryptoProvider like in drive-web (passToHash, decryptText, getKeys, parseAndDecryptUserKeys) ## Dependencies for WebDAV Wrapper - `@internxt/sdk` (version 1.13.x or compatible – drive-web uses 1.13.2) - `@internxt/lib` (for aes, Crypto) - Crypto logic from drive-web: `app/crypto/services/keys.service`, `app/crypto/services/utils` - Keys format: ECC + Kyber (post-quantum) ## Current Status (as of analysis) - **CRYPTO_SECRET**: Correct (salt decryption OK with `6KYQBP847D4ATSFA`) - **loginWithoutKeys**: Still returns "Wrong login credentials" – backend may reject this flow for certain account types (e.g. mailbox.org partner) - **login() with keys**: Kyber-WASM fails under Windows (`@dashlane/pqc-kem-kyber512-node`) ## Next Steps 1. **Test approach B**: Browser-based token extraction – log in via web, read session token from localStorage/DevTools, use in wrapper 2. **login() under Linux**: Kyber package may work under Linux 3. **Internxt support**: Ask whether partner accounts (mailbox.org) use different auth flows ## CRYPTO_SECRET and API URL From [internxt/cli .env.template](https://github.com/internxt/cli/blob/main/.env.template): - **DRIVE_API_URL**: `https://gateway.internxt.com/drive` - **APP_CRYPTO_SECRET**: `6KYQBP847D4ATSFA` The PoC uses these values as fallback.