Add support for encrypted second password hashes

docs/schema/CreateFamilyByMailTokenRequest.schema.json

@@ -5,7 +5,7 @@
       "type": "string"
     },
     "parentPassword": {
-      "$ref": "#/definitions/ParentPassword"
+      "$ref": "#/definitions/PlaintextParentPassword"
     },
     "parentDevice": {
       "$ref": "#/definitions/NewDeviceInfo"
@@ -30,7 +30,7 @@
     "timeZone"
   ],
   "definitions": {
-    "ParentPassword": {
+    "PlaintextParentPassword": {
       "type": "object",
       "properties": {
         "hash": {
@@ -49,7 +49,7 @@
         "secondHash",
         "secondSalt"
       ],
-      "title": "ParentPassword"
+      "title": "PlaintextParentPassword"
     },
     "NewDeviceInfo": {
       "type": "object",

docs/schema/README.md

@@ -56,19 +56,19 @@
 
 *   [DeviceDataStatus](./clientpullchangesrequest-definitions-devicedatastatus.md) – `https://timelimit.io/ClientPullChangesRequest#/definitions/DeviceDataStatus`
 
+*   [EncryptableParentPassword](./serializedchildaction-definitions-encryptableparentpassword.md) – `https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword`
+
+*   [EncryptableParentPassword](./serializedparentaction-definitions-encryptableparentpassword.md) – `https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword`
+
 *   [NewDeviceInfo](./createfamilybymailtokenrequest-definitions-newdeviceinfo.md) – `https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/NewDeviceInfo`
 
 *   [NewDeviceInfo](./registerchilddevicerequest-definitions-newdeviceinfo.md) – `https://timelimit.io/RegisterChildDeviceRequest#/definitions/NewDeviceInfo`
 
 *   [NewDeviceInfo](./signintofamilyrequest-definitions-newdeviceinfo.md) – `https://timelimit.io/SignIntoFamilyRequest#/definitions/NewDeviceInfo`
 
-*   [ParentPassword](./createfamilybymailtokenrequest-definitions-parentpassword.md) – `https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/ParentPassword`
+*   [PlaintextParentPassword](./createfamilybymailtokenrequest-definitions-plaintextparentpassword.md) – `https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword`
 
-*   [ParentPassword](./recoverparentpasswordrequest-definitions-parentpassword.md) – `https://timelimit.io/RecoverParentPasswordRequest#/definitions/ParentPassword`
+*   [PlaintextParentPassword](./recoverparentpasswordrequest-definitions-plaintextparentpassword.md) – `https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword`
-
-*   [ParentPassword](./serializedchildaction-definitions-parentpassword.md) – `https://timelimit.io/SerializedChildAction#/definitions/ParentPassword`
-
-*   [ParentPassword](./serializedparentaction-definitions-parentpassword.md) – `https://timelimit.io/SerializedParentAction#/definitions/ParentPassword`
 
 *   [SerialiezdTriedDisablingDeviceAdminAction](./serializedapplogicaction-definitions-serialiezdtrieddisablingdeviceadminaction.md) – `https://timelimit.io/SerializedAppLogicAction#/definitions/SerialiezdTriedDisablingDeviceAdminAction`
 

docs/schema/RecoverParentPasswordRequest.schema.json

@@ -5,7 +5,7 @@
       "type": "string"
     },
     "password": {
-      "$ref": "#/definitions/ParentPassword"
+      "$ref": "#/definitions/PlaintextParentPassword"
     }
   },
   "additionalProperties": false,
@@ -14,7 +14,7 @@
     "password"
   ],
   "definitions": {
-    "ParentPassword": {
+    "PlaintextParentPassword": {
       "type": "object",
       "properties": {
         "hash": {
@@ -33,7 +33,7 @@
         "secondHash",
         "secondSalt"
       ],
-      "title": "ParentPassword"
+      "title": "PlaintextParentPassword"
     }
   },
   "$schema": "http://json-schema.org/draft-07/schema#",

docs/schema/SerializedChildAction.schema.json

@@ -18,7 +18,7 @@
           ]
         },
         "password": {
-          "$ref": "#/definitions/ParentPassword"
+          "$ref": "#/definitions/EncryptableParentPassword"
         }
       },
       "additionalProperties": false,
@@ -28,7 +28,7 @@
       ],
       "title": "SerializedChildChangePasswordAction"
     },
-    "ParentPassword": {
+    "EncryptableParentPassword": {
       "type": "object",
       "properties": {
         "hash": {
@@ -39,6 +39,9 @@
         },
         "secondSalt": {
           "type": "string"
+        },
+        "encrypted": {
+          "type": "boolean"
         }
       },
       "additionalProperties": false,
@@ -47,7 +50,7 @@
         "secondHash",
         "secondSalt"
       ],
-      "title": "ParentPassword"
+      "title": "EncryptableParentPassword"
     },
     "SerializedChildSignInAction": {
       "type": "object",

docs/schema/SerializedParentAction.schema.json

@@ -221,7 +221,7 @@
           "type": "string"
         },
         "password": {
-          "$ref": "#/definitions/ParentPassword"
+          "$ref": "#/definitions/EncryptableParentPassword"
         },
         "timeZone": {
           "type": "string"
@@ -237,7 +237,7 @@
       ],
       "title": "SerializedAddUserAction"
     },
-    "ParentPassword": {
+    "EncryptableParentPassword": {
       "type": "object",
       "properties": {
         "hash": {
@@ -248,6 +248,9 @@
         },
         "secondSalt": {
           "type": "string"
+        },
+        "encrypted": {
+          "type": "boolean"
         }
       },
       "additionalProperties": false,
@@ -256,7 +259,7 @@
         "secondHash",
         "secondSalt"
       ],
-      "title": "ParentPassword"
+      "title": "EncryptableParentPassword"
     },
     "SerializedChangeParentPasswordAction": {
       "type": "object",
@@ -721,7 +724,7 @@
           "type": "string"
         },
         "newPassword": {
-          "$ref": "#/definitions/ParentPassword"
+          "$ref": "#/definitions/EncryptableParentPassword"
         }
       },
       "additionalProperties": false,

docs/schema/createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-hash.md

@@ -0,0 +1,15 @@
+# Untitled string in CreateFamilyByMailTokenRequest Schema
+
+```txt
+https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/hash
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                                        |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :---------------------------------------------------------------------------------------------------------------- |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [CreateFamilyByMailTokenRequest.schema.json\*](CreateFamilyByMailTokenRequest.schema.json "open original schema") |
+
+## hash Type
+
+`string`

docs/schema/createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondhash.md

@@ -0,0 +1,15 @@
+# Untitled string in CreateFamilyByMailTokenRequest Schema
+
+```txt
+https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondHash
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                                        |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :---------------------------------------------------------------------------------------------------------------- |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [CreateFamilyByMailTokenRequest.schema.json\*](CreateFamilyByMailTokenRequest.schema.json "open original schema") |
+
+## secondHash Type
+
+`string`

docs/schema/createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondsalt.md

@@ -0,0 +1,15 @@
+# Untitled string in CreateFamilyByMailTokenRequest Schema
+
+```txt
+https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondSalt
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                                        |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :---------------------------------------------------------------------------------------------------------------- |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [CreateFamilyByMailTokenRequest.schema.json\*](CreateFamilyByMailTokenRequest.schema.json "open original schema") |
+
+## secondSalt Type
+
+`string`

docs/schema/createfamilybymailtokenrequest-definitions-plaintextparentpassword.md

@@ -0,0 +1,77 @@
+# PlaintextParentPassword Schema
+
+```txt
+https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                                        |
+| :------------------ | :--------- | :------------- | :----------- | :---------------- | :-------------------- | :------------------ | :---------------------------------------------------------------------------------------------------------------- |
+| Can be instantiated | No         | Unknown status | No           | Forbidden         | Forbidden             | none                | [CreateFamilyByMailTokenRequest.schema.json\*](CreateFamilyByMailTokenRequest.schema.json "open original schema") |
+
+## PlaintextParentPassword Type
+
+`object` ([PlaintextParentPassword](createfamilybymailtokenrequest-definitions-plaintextparentpassword.md))
+
+# PlaintextParentPassword Properties
+
+| Property                  | Type     | Required | Nullable       | Defined by                                                                                                                                                                                                                                     |
+| :------------------------ | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [hash](#hash)             | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-hash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/hash")             |
+| [secondHash](#secondhash) | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondhash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondHash") |
+| [secondSalt](#secondsalt) | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondsalt.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondSalt") |
+
+## hash
+
+
+
+`hash`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-hash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/hash")
+
+### hash Type
+
+`string`
+
+## secondHash
+
+
+
+`secondHash`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondhash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondHash")
+
+### secondHash Type
+
+`string`
+
+## secondSalt
+
+
+
+`secondSalt`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondsalt.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondSalt")
+
+### secondSalt Type
+
+`string`

docs/schema/createfamilybymailtokenrequest.md

@@ -17,9 +17,9 @@ https://timelimit.io/CreateFamilyByMailTokenRequest
 # CreateFamilyByMailTokenRequest Properties
 
 | Property                          | Type     | Required | Nullable       | Defined by                                                                                                                                                                               |
-| :-------------------------------- | :------- | :------- | :------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| :-------------------------------- | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | [mailAuthToken](#mailauthtoken)   | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-properties-mailauthtoken.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/properties/mailAuthToken")             |
-| [parentPassword](#parentpassword) | `object` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-parentpassword.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/properties/parentPassword") |
+| [parentPassword](#parentpassword) | `object` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/properties/parentPassword") |
 | [parentDevice](#parentdevice)     | `object` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-newdeviceinfo.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/properties/parentDevice")             |
 | [deviceName](#devicename)         | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-properties-devicename.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/properties/deviceName")                   |
 | [timeZone](#timezone)             | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-properties-timezone.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/properties/timeZone")                       |
@@ -51,15 +51,15 @@ https://timelimit.io/CreateFamilyByMailTokenRequest
 
 *   is required
 
-*   Type: `object` ([ParentPassword](createfamilybymailtokenrequest-definitions-parentpassword.md))
+*   Type: `object` ([PlaintextParentPassword](createfamilybymailtokenrequest-definitions-plaintextparentpassword.md))
 
 *   cannot be null
 
-*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-parentpassword.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/properties/parentPassword")
+*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/properties/parentPassword")
 
 ### parentPassword Type
 
-`object` ([ParentPassword](createfamilybymailtokenrequest-definitions-parentpassword.md))
+`object` ([PlaintextParentPassword](createfamilybymailtokenrequest-definitions-plaintextparentpassword.md))
 
 ## parentDevice
 
@@ -135,19 +135,19 @@ https://timelimit.io/CreateFamilyByMailTokenRequest
 
 # CreateFamilyByMailTokenRequest Definitions
 
-## Definitions group ParentPassword
+## Definitions group PlaintextParentPassword
 
 Reference this group by using
 
 ```json
-{"$ref":"https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/ParentPassword"}
+{"$ref":"https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword"}
 ```
 
 | Property                  | Type     | Required | Nullable       | Defined by                                                                                                                                                                                                                                     |
-| :------------------------ | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| :------------------------ | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [hash](#hash)             | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-parentpassword-properties-hash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/ParentPassword/properties/hash")             |
+| [hash](#hash)             | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-hash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/hash")             |
-| [secondHash](#secondhash) | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-parentpassword-properties-secondhash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/ParentPassword/properties/secondHash") |
+| [secondHash](#secondhash) | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondhash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondHash") |
-| [secondSalt](#secondsalt) | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-parentpassword-properties-secondsalt.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/ParentPassword/properties/secondSalt") |
+| [secondSalt](#secondsalt) | `string` | Required | cannot be null | [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondsalt.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondSalt") |
 
 ### hash
 
@@ -161,7 +161,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-parentpassword-properties-hash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/ParentPassword/properties/hash")
+*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-hash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/hash")
 
 #### hash Type
 
@@ -179,7 +179,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-parentpassword-properties-secondhash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/ParentPassword/properties/secondHash")
+*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondhash.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondHash")
 
 #### secondHash Type
 
@@ -197,7 +197,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-parentpassword-properties-secondsalt.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/ParentPassword/properties/secondSalt")
+*   defined in: [CreateFamilyByMailTokenRequest](createfamilybymailtokenrequest-definitions-plaintextparentpassword-properties-secondsalt.md "https://timelimit.io/CreateFamilyByMailTokenRequest#/definitions/PlaintextParentPassword/properties/secondSalt")
 
 #### secondSalt Type
 

docs/schema/recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-hash.md

@@ -0,0 +1,15 @@
+# Untitled string in RecoverParentPasswordRequest Schema
+
+```txt
+https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/hash
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                                    |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :------------------------------------------------------------------------------------------------------------ |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [RecoverParentPasswordRequest.schema.json\*](RecoverParentPasswordRequest.schema.json "open original schema") |
+
+## hash Type
+
+`string`

docs/schema/recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondhash.md

@@ -0,0 +1,15 @@
+# Untitled string in RecoverParentPasswordRequest Schema
+
+```txt
+https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondHash
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                                    |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :------------------------------------------------------------------------------------------------------------ |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [RecoverParentPasswordRequest.schema.json\*](RecoverParentPasswordRequest.schema.json "open original schema") |
+
+## secondHash Type
+
+`string`

docs/schema/recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondsalt.md

@@ -0,0 +1,15 @@
+# Untitled string in RecoverParentPasswordRequest Schema
+
+```txt
+https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondSalt
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                                    |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :------------------------------------------------------------------------------------------------------------ |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [RecoverParentPasswordRequest.schema.json\*](RecoverParentPasswordRequest.schema.json "open original schema") |
+
+## secondSalt Type
+
+`string`

docs/schema/recoverparentpasswordrequest-definitions-plaintextparentpassword.md

@@ -0,0 +1,77 @@
+# PlaintextParentPassword Schema
+
+```txt
+https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                                    |
+| :------------------ | :--------- | :------------- | :----------- | :---------------- | :-------------------- | :------------------ | :------------------------------------------------------------------------------------------------------------ |
+| Can be instantiated | No         | Unknown status | No           | Forbidden         | Forbidden             | none                | [RecoverParentPasswordRequest.schema.json\*](RecoverParentPasswordRequest.schema.json "open original schema") |
+
+## PlaintextParentPassword Type
+
+`object` ([PlaintextParentPassword](recoverparentpasswordrequest-definitions-plaintextparentpassword.md))
+
+# PlaintextParentPassword Properties
+
+| Property                  | Type     | Required | Nullable       | Defined by                                                                                                                                                                                                                               |
+| :------------------------ | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [hash](#hash)             | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-hash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/hash")             |
+| [secondHash](#secondhash) | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondhash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondHash") |
+| [secondSalt](#secondsalt) | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondsalt.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondSalt") |
+
+## hash
+
+
+
+`hash`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-hash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/hash")
+
+### hash Type
+
+`string`
+
+## secondHash
+
+
+
+`secondHash`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondhash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondHash")
+
+### secondHash Type
+
+`string`
+
+## secondSalt
+
+
+
+`secondSalt`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondsalt.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondSalt")
+
+### secondSalt Type
+
+`string`

docs/schema/recoverparentpasswordrequest.md

@@ -17,9 +17,9 @@ https://timelimit.io/RecoverParentPasswordRequest
 # RecoverParentPasswordRequest Properties
 
 | Property                        | Type     | Required | Nullable       | Defined by                                                                                                                                                                   |
-| :------------------------------ | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| :------------------------------ | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | [mailAuthToken](#mailauthtoken) | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-properties-mailauthtoken.md "https://timelimit.io/RecoverParentPasswordRequest#/properties/mailAuthToken")       |
-| [password](#password)           | `object` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-parentpassword.md "https://timelimit.io/RecoverParentPasswordRequest#/properties/password")    |
+| [password](#password)           | `object` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword.md "https://timelimit.io/RecoverParentPasswordRequest#/properties/password") |
 
 ## mailAuthToken
 
@@ -47,31 +47,31 @@ https://timelimit.io/RecoverParentPasswordRequest
 
 *   is required
 
-*   Type: `object` ([ParentPassword](recoverparentpasswordrequest-definitions-parentpassword.md))
+*   Type: `object` ([PlaintextParentPassword](recoverparentpasswordrequest-definitions-plaintextparentpassword.md))
 
 *   cannot be null
 
-*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-parentpassword.md "https://timelimit.io/RecoverParentPasswordRequest#/properties/password")
+*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword.md "https://timelimit.io/RecoverParentPasswordRequest#/properties/password")
 
 ### password Type
 
-`object` ([ParentPassword](recoverparentpasswordrequest-definitions-parentpassword.md))
+`object` ([PlaintextParentPassword](recoverparentpasswordrequest-definitions-plaintextparentpassword.md))
 
 # RecoverParentPasswordRequest Definitions
 
-## Definitions group ParentPassword
+## Definitions group PlaintextParentPassword
 
 Reference this group by using
 
 ```json
-{"$ref":"https://timelimit.io/RecoverParentPasswordRequest#/definitions/ParentPassword"}
+{"$ref":"https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword"}
 ```
 
 | Property                  | Type     | Required | Nullable       | Defined by                                                                                                                                                                                                                               |
-| :------------------------ | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| :------------------------ | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [hash](#hash)             | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-parentpassword-properties-hash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/ParentPassword/properties/hash")             |
+| [hash](#hash)             | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-hash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/hash")             |
-| [secondHash](#secondhash) | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-parentpassword-properties-secondhash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/ParentPassword/properties/secondHash") |
+| [secondHash](#secondhash) | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondhash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondHash") |
-| [secondSalt](#secondsalt) | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-parentpassword-properties-secondsalt.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/ParentPassword/properties/secondSalt") |
+| [secondSalt](#secondsalt) | `string` | Required | cannot be null | [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondsalt.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondSalt") |
 
 ### hash
 
@@ -85,7 +85,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-parentpassword-properties-hash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/ParentPassword/properties/hash")
+*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-hash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/hash")
 
 #### hash Type
 
@@ -103,7 +103,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-parentpassword-properties-secondhash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/ParentPassword/properties/secondHash")
+*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondhash.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondHash")
 
 #### secondHash Type
 
@@ -121,7 +121,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-parentpassword-properties-secondsalt.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/ParentPassword/properties/secondSalt")
+*   defined in: [RecoverParentPasswordRequest](recoverparentpasswordrequest-definitions-plaintextparentpassword-properties-secondsalt.md "https://timelimit.io/RecoverParentPasswordRequest#/definitions/PlaintextParentPassword/properties/secondSalt")
 
 #### secondSalt Type
 

docs/schema/serializedchildaction-definitions-encryptableparentpassword-properties-encrypted.md

@@ -0,0 +1,15 @@
+# Untitled boolean in SerializedChildAction Schema
+
+```txt
+https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/encrypted
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                      |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :---------------------------------------------------------------------------------------------- |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [SerializedChildAction.schema.json\*](SerializedChildAction.schema.json "open original schema") |
+
+## encrypted Type
+
+`boolean`

docs/schema/serializedchildaction-definitions-encryptableparentpassword-properties-hash.md

@@ -0,0 +1,15 @@
+# Untitled string in SerializedChildAction Schema
+
+```txt
+https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/hash
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                      |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :---------------------------------------------------------------------------------------------- |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [SerializedChildAction.schema.json\*](SerializedChildAction.schema.json "open original schema") |
+
+## hash Type
+
+`string`

docs/schema/serializedchildaction-definitions-encryptableparentpassword-properties-secondhash.md

@@ -0,0 +1,15 @@
+# Untitled string in SerializedChildAction Schema
+
+```txt
+https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondHash
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                      |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :---------------------------------------------------------------------------------------------- |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [SerializedChildAction.schema.json\*](SerializedChildAction.schema.json "open original schema") |
+
+## secondHash Type
+
+`string`

docs/schema/serializedchildaction-definitions-encryptableparentpassword-properties-secondsalt.md

@@ -0,0 +1,15 @@
+# Untitled string in SerializedChildAction Schema
+
+```txt
+https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondSalt
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                      |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :---------------------------------------------------------------------------------------------- |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [SerializedChildAction.schema.json\*](SerializedChildAction.schema.json "open original schema") |
+
+## secondSalt Type
+
+`string`

docs/schema/serializedchildaction-definitions-encryptableparentpassword.md

@@ -0,0 +1,96 @@
+# EncryptableParentPassword Schema
+
+```txt
+https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                      |
+| :------------------ | :--------- | :------------- | :----------- | :---------------- | :-------------------- | :------------------ | :---------------------------------------------------------------------------------------------- |
+| Can be instantiated | No         | Unknown status | No           | Forbidden         | Forbidden             | none                | [SerializedChildAction.schema.json\*](SerializedChildAction.schema.json "open original schema") |
+
+## EncryptableParentPassword Type
+
+`object` ([EncryptableParentPassword](serializedchildaction-definitions-encryptableparentpassword.md))
+
+# EncryptableParentPassword Properties
+
+| Property                  | Type      | Required | Nullable       | Defined by                                                                                                                                                                                                              |
+| :------------------------ | :-------- | :------- | :------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [hash](#hash)             | `string`  | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-hash.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/hash")             |
+| [secondHash](#secondhash) | `string`  | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-secondhash.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondHash") |
+| [secondSalt](#secondsalt) | `string`  | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-secondsalt.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondSalt") |
+| [encrypted](#encrypted)   | `boolean` | Optional | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-encrypted.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/encrypted")   |
+
+## hash
+
+
+
+`hash`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-hash.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/hash")
+
+### hash Type
+
+`string`
+
+## secondHash
+
+
+
+`secondHash`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-secondhash.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondHash")
+
+### secondHash Type
+
+`string`
+
+## secondSalt
+
+
+
+`secondSalt`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-secondsalt.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondSalt")
+
+### secondSalt Type
+
+`string`
+
+## encrypted
+
+
+
+`encrypted`
+
+*   is optional
+
+*   Type: `boolean`
+
+*   cannot be null
+
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-encrypted.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/encrypted")
+
+### encrypted Type
+
+`boolean`

docs/schema/serializedchildaction-definitions-serializedchildchangepasswordaction.md

@@ -19,7 +19,7 @@ https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePas
 | Property              | Type     | Required | Nullable       | Defined by                                                                                                                                                                                                                      |
 | :-------------------- | :------- | :------- | :------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | [type](#type)         | `string` | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-serializedchildchangepasswordaction-properties-type.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/type") |
-| [password](#password) | `object` | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-parentpassword.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/password")                                  |
+| [password](#password) | `object` | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/password")                       |
 
 ## type
 
@@ -55,12 +55,12 @@ https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePas
 
 *   is required
 
-*   Type: `object` ([ParentPassword](serializedchildaction-definitions-parentpassword.md))
+*   Type: `object` ([EncryptableParentPassword](serializedchildaction-definitions-encryptableparentpassword.md))
 
 *   cannot be null
 
-*   defined in: [SerializedChildAction](serializedchildaction-definitions-parentpassword.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/password")
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/password")
 
 ### password Type
 
-`object` ([ParentPassword](serializedchildaction-definitions-parentpassword.md))
+`object` ([EncryptableParentPassword](serializedchildaction-definitions-encryptableparentpassword.md))

docs/schema/serializedchildaction.md

@@ -33,7 +33,7 @@ Reference this group by using
 | Property              | Type     | Required | Nullable       | Defined by                                                                                                                                                                                                                      |
 | :-------------------- | :------- | :------- | :------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | [type](#type)         | `string` | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-serializedchildchangepasswordaction-properties-type.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/type") |
-| [password](#password) | `object` | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-parentpassword.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/password")                                  |
+| [password](#password) | `object` | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/password")                       |
 
 ### type
 
@@ -69,29 +69,30 @@ Reference this group by using
 
 *   is required
 
-*   Type: `object` ([ParentPassword](serializedchildaction-definitions-parentpassword.md))
+*   Type: `object` ([EncryptableParentPassword](serializedchildaction-definitions-encryptableparentpassword.md))
 
 *   cannot be null
 
-*   defined in: [SerializedChildAction](serializedchildaction-definitions-parentpassword.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/password")
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedChildAction#/definitions/SerializedChildChangePasswordAction/properties/password")
 
 #### password Type
 
-`object` ([ParentPassword](serializedchildaction-definitions-parentpassword.md))
+`object` ([EncryptableParentPassword](serializedchildaction-definitions-encryptableparentpassword.md))
 
-## Definitions group ParentPassword
+## Definitions group EncryptableParentPassword
 
 Reference this group by using
 
 ```json
-{"$ref":"https://timelimit.io/SerializedChildAction#/definitions/ParentPassword"}
+{"$ref":"https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword"}
 ```
 
 | Property                  | Type      | Required | Nullable       | Defined by                                                                                                                                                                                                              |
-| :------------------------ | :------- | :------- | :------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| :------------------------ | :-------- | :------- | :------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [hash](#hash)             | `string` | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-parentpassword-properties-hash.md "https://timelimit.io/SerializedChildAction#/definitions/ParentPassword/properties/hash")             |
+| [hash](#hash)             | `string`  | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-hash.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/hash")             |
-| [secondHash](#secondhash) | `string` | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-parentpassword-properties-secondhash.md "https://timelimit.io/SerializedChildAction#/definitions/ParentPassword/properties/secondHash") |
+| [secondHash](#secondhash) | `string`  | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-secondhash.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondHash") |
-| [secondSalt](#secondsalt) | `string` | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-parentpassword-properties-secondsalt.md "https://timelimit.io/SerializedChildAction#/definitions/ParentPassword/properties/secondSalt") |
+| [secondSalt](#secondsalt) | `string`  | Required | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-secondsalt.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondSalt") |
+| [encrypted](#encrypted)   | `boolean` | Optional | cannot be null | [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-encrypted.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/encrypted")   |
 
 ### hash
 
@@ -105,7 +106,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [SerializedChildAction](serializedchildaction-definitions-parentpassword-properties-hash.md "https://timelimit.io/SerializedChildAction#/definitions/ParentPassword/properties/hash")
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-hash.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/hash")
 
 #### hash Type
 
@@ -123,7 +124,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [SerializedChildAction](serializedchildaction-definitions-parentpassword-properties-secondhash.md "https://timelimit.io/SerializedChildAction#/definitions/ParentPassword/properties/secondHash")
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-secondhash.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondHash")
 
 #### secondHash Type
 
@@ -141,12 +142,30 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [SerializedChildAction](serializedchildaction-definitions-parentpassword-properties-secondsalt.md "https://timelimit.io/SerializedChildAction#/definitions/ParentPassword/properties/secondSalt")
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-secondsalt.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/secondSalt")
 
 #### secondSalt Type
 
 `string`
 
+### encrypted
+
+
+
+`encrypted`
+
+*   is optional
+
+*   Type: `boolean`
+
+*   cannot be null
+
+*   defined in: [SerializedChildAction](serializedchildaction-definitions-encryptableparentpassword-properties-encrypted.md "https://timelimit.io/SerializedChildAction#/definitions/EncryptableParentPassword/properties/encrypted")
+
+#### encrypted Type
+
+`boolean`
+
 ## Definitions group SerializedChildSignInAction
 
 Reference this group by using

docs/schema/serializedparentaction-definitions-encryptableparentpassword-properties-encrypted.md

@@ -0,0 +1,15 @@
+# Untitled boolean in SerializedParentAction Schema
+
+```txt
+https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/encrypted
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                        |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :------------------------------------------------------------------------------------------------ |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [SerializedParentAction.schema.json\*](SerializedParentAction.schema.json "open original schema") |
+
+## encrypted Type
+
+`boolean`

docs/schema/serializedparentaction-definitions-encryptableparentpassword-properties-hash.md

@@ -0,0 +1,15 @@
+# Untitled string in SerializedParentAction Schema
+
+```txt
+https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/hash
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                        |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :------------------------------------------------------------------------------------------------ |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [SerializedParentAction.schema.json\*](SerializedParentAction.schema.json "open original schema") |
+
+## hash Type
+
+`string`

docs/schema/serializedparentaction-definitions-encryptableparentpassword-properties-secondhash.md

@@ -0,0 +1,15 @@
+# Untitled string in SerializedParentAction Schema
+
+```txt
+https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondHash
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                        |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :------------------------------------------------------------------------------------------------ |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [SerializedParentAction.schema.json\*](SerializedParentAction.schema.json "open original schema") |
+
+## secondHash Type
+
+`string`

docs/schema/serializedparentaction-definitions-encryptableparentpassword-properties-secondsalt.md

@@ -0,0 +1,15 @@
+# Untitled string in SerializedParentAction Schema
+
+```txt
+https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondSalt
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable            | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                        |
+| :------------------ | :--------- | :------------- | :---------------------- | :---------------- | :-------------------- | :------------------ | :------------------------------------------------------------------------------------------------ |
+| Can be instantiated | No         | Unknown status | Unknown identifiability | Forbidden         | Allowed               | none                | [SerializedParentAction.schema.json\*](SerializedParentAction.schema.json "open original schema") |
+
+## secondSalt Type
+
+`string`

docs/schema/serializedparentaction-definitions-encryptableparentpassword.md

@@ -0,0 +1,96 @@
+# EncryptableParentPassword Schema
+
+```txt
+https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/newPassword
+```
+
+
+
+| Abstract            | Extensible | Status         | Identifiable | Custom Properties | Additional Properties | Access Restrictions | Defined In                                                                                        |
+| :------------------ | :--------- | :------------- | :----------- | :---------------- | :-------------------- | :------------------ | :------------------------------------------------------------------------------------------------ |
+| Can be instantiated | No         | Unknown status | No           | Forbidden         | Forbidden             | none                | [SerializedParentAction.schema.json\*](SerializedParentAction.schema.json "open original schema") |
+
+## newPassword Type
+
+`object` ([EncryptableParentPassword](serializedparentaction-definitions-encryptableparentpassword.md))
+
+# newPassword Properties
+
+| Property                  | Type      | Required | Nullable       | Defined by                                                                                                                                                                                                                 |
+| :------------------------ | :-------- | :------- | :------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [hash](#hash)             | `string`  | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-hash.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/hash")             |
+| [secondHash](#secondhash) | `string`  | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-secondhash.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondHash") |
+| [secondSalt](#secondsalt) | `string`  | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-secondsalt.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondSalt") |
+| [encrypted](#encrypted)   | `boolean` | Optional | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-encrypted.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/encrypted")   |
+
+## hash
+
+
+
+`hash`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-hash.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/hash")
+
+### hash Type
+
+`string`
+
+## secondHash
+
+
+
+`secondHash`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-secondhash.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondHash")
+
+### secondHash Type
+
+`string`
+
+## secondSalt
+
+
+
+`secondSalt`
+
+*   is required
+
+*   Type: `string`
+
+*   cannot be null
+
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-secondsalt.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondSalt")
+
+### secondSalt Type
+
+`string`
+
+## encrypted
+
+
+
+`encrypted`
+
+*   is optional
+
+*   Type: `boolean`
+
+*   cannot be null
+
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-encrypted.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/encrypted")
+
+### encrypted Type
+
+`boolean`

docs/schema/serializedparentaction-definitions-serializedadduseraction.md

@@ -22,7 +22,7 @@ https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction
 | [name](#name)         | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedadduseraction-properties-name.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/name")         |
 | [userType](#usertype) | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedadduseraction-properties-usertype.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/userType") |
 | [userId](#userid)     | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedadduseraction-properties-userid.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/userId")     |
-| [password](#password) | `object` | Optional | cannot be null | [SerializedParentAction](serializedparentaction-definitions-parentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/password")                              |
+| [password](#password) | `object` | Optional | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/password")                   |
 | [timeZone](#timezone) | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedadduseraction-properties-timezone.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/timeZone") |
 
 ## type
@@ -122,15 +122,15 @@ https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction
 
 *   is optional
 
-*   Type: `object` ([ParentPassword](serializedparentaction-definitions-parentpassword.md))
+*   Type: `object` ([EncryptableParentPassword](serializedparentaction-definitions-encryptableparentpassword.md))
 
 *   cannot be null
 
-*   defined in: [SerializedParentAction](serializedparentaction-definitions-parentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/password")
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/password")
 
 ### password Type
 
-`object` ([ParentPassword](serializedparentaction-definitions-parentpassword.md))
+`object` ([EncryptableParentPassword](serializedparentaction-definitions-encryptableparentpassword.md))
 
 ## timeZone
 

docs/schema/serializedparentaction-definitions-serializedsetchildpasswordaction.md

@@ -20,7 +20,7 @@ https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPassw
 | :-------------------------- | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | [type](#type)               | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedsetchildpasswordaction-properties-type.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/type")       |
 | [childId](#childid)         | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedsetchildpasswordaction-properties-childid.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/childId") |
-| [newPassword](#newpassword) | `object` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-parentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/newPassword")                                  |
+| [newPassword](#newpassword) | `object` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/newPassword")                       |
 
 ## type
 
@@ -74,12 +74,12 @@ https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPassw
 
 *   is required
 
-*   Type: `object` ([ParentPassword](serializedparentaction-definitions-parentpassword.md))
+*   Type: `object` ([EncryptableParentPassword](serializedparentaction-definitions-encryptableparentpassword.md))
 
 *   cannot be null
 
-*   defined in: [SerializedParentAction](serializedparentaction-definitions-parentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/newPassword")
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/newPassword")
 
 ### newPassword Type
 
-`object` ([ParentPassword](serializedparentaction-definitions-parentpassword.md))
+`object` ([EncryptableParentPassword](serializedparentaction-definitions-encryptableparentpassword.md))

docs/schema/serializedparentaction.md

@@ -297,7 +297,7 @@ Reference this group by using
 | [name](#name)         | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedadduseraction-properties-name.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/name")         |
 | [userType](#usertype) | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedadduseraction-properties-usertype.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/userType") |
 | [userId](#userid)     | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedadduseraction-properties-userid.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/userId")     |
-| [password](#password) | `object` | Optional | cannot be null | [SerializedParentAction](serializedparentaction-definitions-parentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/password")                              |
+| [password](#password) | `object` | Optional | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/password")                   |
 | [timeZone](#timezone) | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedadduseraction-properties-timezone.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/timeZone") |
 
 ### type
@@ -397,15 +397,15 @@ Reference this group by using
 
 *   is optional
 
-*   Type: `object` ([ParentPassword](serializedparentaction-definitions-parentpassword.md))
+*   Type: `object` ([EncryptableParentPassword](serializedparentaction-definitions-encryptableparentpassword.md))
 
 *   cannot be null
 
-*   defined in: [SerializedParentAction](serializedparentaction-definitions-parentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/password")
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedAddUserAction/properties/password")
 
 #### password Type
 
-`object` ([ParentPassword](serializedparentaction-definitions-parentpassword.md))
+`object` ([EncryptableParentPassword](serializedparentaction-definitions-encryptableparentpassword.md))
 
 ### timeZone
 
@@ -425,19 +425,20 @@ Reference this group by using
 
 `string`
 
-## Definitions group ParentPassword
+## Definitions group EncryptableParentPassword
 
 Reference this group by using
 
 ```json
-{"$ref":"https://timelimit.io/SerializedParentAction#/definitions/ParentPassword"}
+{"$ref":"https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword"}
 ```
 
 | Property                  | Type      | Required | Nullable       | Defined by                                                                                                                                                                                                                 |
-| :------------------------ | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| :------------------------ | :-------- | :------- | :------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [hash](#hash)             | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-parentpassword-properties-hash.md "https://timelimit.io/SerializedParentAction#/definitions/ParentPassword/properties/hash")             |
+| [hash](#hash)             | `string`  | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-hash.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/hash")             |
-| [secondHash](#secondhash) | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-parentpassword-properties-secondhash.md "https://timelimit.io/SerializedParentAction#/definitions/ParentPassword/properties/secondHash") |
+| [secondHash](#secondhash) | `string`  | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-secondhash.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondHash") |
-| [secondSalt](#secondsalt) | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-parentpassword-properties-secondsalt.md "https://timelimit.io/SerializedParentAction#/definitions/ParentPassword/properties/secondSalt") |
+| [secondSalt](#secondsalt) | `string`  | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-secondsalt.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondSalt") |
+| [encrypted](#encrypted)   | `boolean` | Optional | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-encrypted.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/encrypted")   |
 
 ### hash
 
@@ -451,7 +452,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [SerializedParentAction](serializedparentaction-definitions-parentpassword-properties-hash.md "https://timelimit.io/SerializedParentAction#/definitions/ParentPassword/properties/hash")
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-hash.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/hash")
 
 #### hash Type
 
@@ -469,7 +470,7 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [SerializedParentAction](serializedparentaction-definitions-parentpassword-properties-secondhash.md "https://timelimit.io/SerializedParentAction#/definitions/ParentPassword/properties/secondHash")
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-secondhash.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondHash")
 
 #### secondHash Type
 
@@ -487,12 +488,30 @@ Reference this group by using
 
 *   cannot be null
 
-*   defined in: [SerializedParentAction](serializedparentaction-definitions-parentpassword-properties-secondsalt.md "https://timelimit.io/SerializedParentAction#/definitions/ParentPassword/properties/secondSalt")
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-secondsalt.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/secondSalt")
 
 #### secondSalt Type
 
 `string`
 
+### encrypted
+
+
+
+`encrypted`
+
+*   is optional
+
+*   Type: `boolean`
+
+*   cannot be null
+
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword-properties-encrypted.md "https://timelimit.io/SerializedParentAction#/definitions/EncryptableParentPassword/properties/encrypted")
+
+#### encrypted Type
+
+`boolean`
+
 ## Definitions group SerializedChangeParentPasswordAction
 
 Reference this group by using
@@ -2093,7 +2112,7 @@ Reference this group by using
 | :-------------------------- | :------- | :------- | :------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | [type](#type-18)            | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedsetchildpasswordaction-properties-type.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/type")       |
 | [childId](#childid-3)       | `string` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-serializedsetchildpasswordaction-properties-childid.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/childId") |
-| [newPassword](#newpassword) | `object` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-parentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/newPassword")                                  |
+| [newPassword](#newpassword) | `object` | Required | cannot be null | [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/newPassword")                       |
 
 ### type
 
@@ -2147,15 +2166,15 @@ Reference this group by using
 
 *   is required
 
-*   Type: `object` ([ParentPassword](serializedparentaction-definitions-parentpassword.md))
+*   Type: `object` ([EncryptableParentPassword](serializedparentaction-definitions-encryptableparentpassword.md))
 
 *   cannot be null
 
-*   defined in: [SerializedParentAction](serializedparentaction-definitions-parentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/newPassword")
+*   defined in: [SerializedParentAction](serializedparentaction-definitions-encryptableparentpassword.md "https://timelimit.io/SerializedParentAction#/definitions/SerializedSetChildPasswordAction/properties/newPassword")
 
 #### newPassword Type
 
-`object` ([ParentPassword](serializedparentaction-definitions-parentpassword.md))
+`object` ([EncryptableParentPassword](serializedparentaction-definitions-encryptableparentpassword.md))
 
 ## Definitions group SerializedSetConsiderRebootManipulationAction
 

package-lock.json

@@ -35,7 +35,7 @@
         "@types/express": "^4.17.9",
         "@types/http-errors": "^1.8.0",
         "@types/lodash": "^4.14.166",
-        "@types/node": "^14.14.16",
+        "@types/node": "^16.11.59",
         "@types/nodemailer": "^6.4.4",
         "@types/umzug": "^2.3.0",
         "@typescript-eslint/eslint-plugin": "^5.10.0",
@@ -407,9 +407,9 @@
       "integrity": "sha512-iiUgKzV9AuaEkZqkOLDIvlQiL6ltuZd9tGcW3gwpnX8JbuiuhFlEGmmFXEXkN50Cvq7Os88IY2v0dkDqXYWVgA=="
     },
     "node_modules/@types/node": {
-      "version": "14.18.9",
+      "version": "16.11.59",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-14.18.9.tgz",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-16.11.59.tgz",
-      "integrity": "sha512-j11XSuRuAlft6vLDEX4RvhqC0KxNxx6QIyMXNb0vHHSNPXTPeiy3algESWmOOIzEtiEL0qiowPU3ewW9hHVa7Q=="
+      "integrity": "sha512-6u+36Dj3aDzhfBVUf/mfmc92OEdzQ2kx2jcXGdigfl70E/neV21ZHE6UCz4MDzTRcVqGAM27fk+DLXvyDsn3Jw=="
     },
     "node_modules/@types/nodemailer": {
       "version": "6.4.4",
@@ -2463,6 +2463,11 @@
         "node": ">= 10.13"
       }
     },
+    "node_modules/mariadb/node_modules/@types/node": {
+      "version": "14.18.29",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-14.18.29.tgz",
+      "integrity": "sha512-LhF+9fbIX4iPzhsRLpK5H7iPdvW8L4IwGciXQIOEcuF62+9nw/VQVsOViAOOGxY3OlOKGLFv0sWwJXdwQeTn6A=="
+    },
     "node_modules/mariadb/node_modules/iconv-lite": {
       "version": "0.6.3",
       "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
@@ -4831,12 +4836,6 @@
         "typescript-json-schema": "bin/typescript-json-schema"
       }
     },
-    "node_modules/typescript-json-schema/node_modules/@types/node": {
-      "version": "16.11.21",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-16.11.21.tgz",
-      "integrity": "sha512-Pf8M1XD9i1ksZEcCP8vuSNwooJ/bZapNmIzpmsMaL+jMI+8mEYU3PKvs+xDNuQcJWF/x24WzY4qxLtB0zNow9A==",
-      "dev": true
-    },
     "node_modules/typescript-json-schema/node_modules/typescript": {
       "version": "4.4.4",
       "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.4.4.tgz",
@@ -5641,9 +5640,9 @@
       "integrity": "sha512-iiUgKzV9AuaEkZqkOLDIvlQiL6ltuZd9tGcW3gwpnX8JbuiuhFlEGmmFXEXkN50Cvq7Os88IY2v0dkDqXYWVgA=="
     },
     "@types/node": {
-      "version": "14.18.9",
+      "version": "16.11.59",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-14.18.9.tgz",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-16.11.59.tgz",
-      "integrity": "sha512-j11XSuRuAlft6vLDEX4RvhqC0KxNxx6QIyMXNb0vHHSNPXTPeiy3algESWmOOIzEtiEL0qiowPU3ewW9hHVa7Q=="
+      "integrity": "sha512-6u+36Dj3aDzhfBVUf/mfmc92OEdzQ2kx2jcXGdigfl70E/neV21ZHE6UCz4MDzTRcVqGAM27fk+DLXvyDsn3Jw=="
     },
     "@types/nodemailer": {
       "version": "6.4.4",
@@ -7180,6 +7179,11 @@
         "please-upgrade-node": "^3.2.0"
       },
       "dependencies": {
+        "@types/node": {
+          "version": "14.18.29",
+          "resolved": "https://registry.npmjs.org/@types/node/-/node-14.18.29.tgz",
+          "integrity": "sha512-LhF+9fbIX4iPzhsRLpK5H7iPdvW8L4IwGciXQIOEcuF62+9nw/VQVsOViAOOGxY3OlOKGLFv0sWwJXdwQeTn6A=="
+        },
         "iconv-lite": {
           "version": "0.6.3",
           "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
@@ -8841,12 +8845,6 @@
         "yargs": "^17.1.1"
       },
       "dependencies": {
-        "@types/node": {
-          "version": "16.11.21",
-          "resolved": "https://registry.npmjs.org/@types/node/-/node-16.11.21.tgz",
-          "integrity": "sha512-Pf8M1XD9i1ksZEcCP8vuSNwooJ/bZapNmIzpmsMaL+jMI+8mEYU3PKvs+xDNuQcJWF/x24WzY4qxLtB0zNow9A==",
-          "dev": true
-        },
         "typescript": {
           "version": "4.4.4",
           "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.4.4.tgz",

package.json

@@ -36,7 +36,7 @@
     "@types/express": "^4.17.9",
     "@types/http-errors": "^1.8.0",
     "@types/lodash": "^4.14.166",
-    "@types/node": "^14.14.16",
+    "@types/node": "^16.11.59",
     "@types/nodemailer": "^6.4.4",
     "@types/umzug": "^2.3.0",
     "@typescript-eslint/eslint-plugin": "^5.10.0",

src/action/adduser.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 - 2020 Jonas Lochmann
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -15,7 +15,7 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-import { assertParentPasswordValid, ParentPassword, ParentPasswordValidationException } from '../api/schema'
+import { assertParentPasswordValid, EncryptableParentPassword, ParentPasswordValidationException } from '../api/schema'
 import { ParentAction } from './basetypes'
 import { InvalidActionParameterException } from './meta/exception'
 import { assertIdWithinFamily } from './meta/util'
@@ -26,14 +26,14 @@ export class AddUserAction extends ParentAction {
   readonly userId: string
   readonly name: string
   readonly userType: 'parent' | 'child'
-  readonly password?: ParentPassword
+  readonly password?: EncryptableParentPassword
   readonly timeZone: string
 
   constructor ({ userId, name, userType, password, timeZone }: {
     userId: string
     name: string
     userType: 'parent' | 'child'
-    password?: ParentPassword
+    password?: EncryptableParentPassword
     timeZone: string
   }) {
     super()
@@ -85,6 +85,6 @@ export interface SerializedAddUserAction {
   name: string
   userType: 'parent' | 'child'
   userId: string
-  password?: ParentPassword
+  password?: EncryptableParentPassword
   timeZone: string
 }

src/action/childchangepassword.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 - 2020 Jonas Lochmann
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -15,17 +15,17 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-import { assertParentPasswordValid, ParentPassword, ParentPasswordValidationException } from '../api/schema'
+import { assertParentPasswordValid, EncryptableParentPassword, ParentPasswordValidationException } from '../api/schema'
 import { ChildAction } from './basetypes'
 import { InvalidActionParameterException } from './meta/exception'
 
 const actionType = 'ChildChangePasswordAction'
 
 export class ChildChangePasswordAction extends ChildAction {
-  readonly password: ParentPassword
+  readonly password: EncryptableParentPassword
 
   constructor ({ password }: {
-    password: ParentPassword
+    password: EncryptableParentPassword
   }) {
     super()
 
@@ -50,5 +50,5 @@ export class ChildChangePasswordAction extends ChildAction {
 
 export interface SerializedChildChangePasswordAction {
   type: 'CHILD_CHANGE_PASSWORD'
-  password: ParentPassword
+  password: EncryptableParentPassword
 }

src/action/setchildpassword.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 - 2020 Jonas Lochmann
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -15,7 +15,7 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-import { assertParentPasswordValid, ParentPassword, ParentPasswordValidationException } from '../api/schema'
+import { assertParentPasswordValid, EncryptableParentPassword, ParentPasswordValidationException } from '../api/schema'
 import { ParentAction } from './basetypes'
 import { InvalidActionParameterException } from './meta/exception'
 import { assertIdWithinFamily } from './meta/util'
@@ -24,11 +24,11 @@ const actionType = 'SetChildPasswordAction'
 
 export class SetChildPasswordAction extends ParentAction {
   readonly childUserId: string
-  readonly newPassword: ParentPassword
+  readonly newPassword: EncryptableParentPassword
 
   constructor ({ childUserId, newPassword }: {
     childUserId: string
-    newPassword: ParentPassword
+    newPassword: EncryptableParentPassword
   }) {
     super()
 
@@ -60,5 +60,5 @@ export class SetChildPasswordAction extends ParentAction {
 export interface SerializedSetChildPasswordAction {
   type: 'SET_CHILD_PASSWORD'
   childId: string
-  newPassword: ParentPassword
+  newPassword: EncryptableParentPassword
 }

src/api/schema.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 - 2021 Jonas Lochmann
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -44,18 +44,33 @@ export interface NewDeviceInfo {
   model: string
 }
 
-export interface ParentPassword {
+export interface PlaintextParentPassword {
   hash: string
   secondHash: string
   secondSalt: string
 }
 
-export const assertParentPasswordValid = (password: ParentPassword) => {
+export interface EncryptableParentPassword {
+  hash: string
+  secondHash: string
+  secondSalt: string
+  encrypted?: boolean
+}
+
+export const assertPlaintextParentPasswordValid = (password: PlaintextParentPassword) => {
+  assertParentPasswordValid({ ...password, encrypted: false })
+}
+
+export const assertParentPasswordValid = (password: EncryptableParentPassword) => {
   if (password.hash === '' || password.secondHash === '' || password.secondSalt === '') {
     throw new ParentPasswordValidationException('missing fields at parent password')
   }
 
-  if (!(optionalPasswordRegex.test(password.hash) && optionalPasswordRegex.test(password.secondHash) && optionalSaltRegex.test(password.secondSalt))) {
+  if (!(optionalPasswordRegex.test(password.hash) && optionalSaltRegex.test(password.secondSalt))) {
+    throw new ParentPasswordValidationException('invalid parent password')
+  }
+
+  if (!password.encrypted && !optionalPasswordRegex.test(password.secondHash)) {
     throw new ParentPasswordValidationException('invalid parent password')
   }
 }
@@ -64,7 +79,7 @@ export class ParentPasswordValidationException extends Error {}
 
 export interface CreateFamilyByMailTokenRequest {
   mailAuthToken: string
-  parentPassword: ParentPassword
+  parentPassword: PlaintextParentPassword
   parentDevice: NewDeviceInfo
   deviceName: string
   timeZone: string
@@ -79,7 +94,7 @@ export interface SignIntoFamilyRequest {
 
 export interface RecoverParentPasswordRequest {
   mailAuthToken: string
-  password: ParentPassword
+  password: PlaintextParentPassword
 }
 
 export interface RegisterChildDeviceRequest {

src/api/validator.ts

@@ -124,7 +124,7 @@ const definitions = {
     },
     "additionalProperties": false
   },
-  "ParentPassword": {
+  "PlaintextParentPassword": {
     "type": "object",
     "properties": {
       "hash": {
@@ -232,7 +232,7 @@ const definitions = {
         "type": "string"
       },
       "password": {
-        "$ref": "#/definitions/ParentPassword"
+        "$ref": "#/definitions/EncryptableParentPassword"
       },
       "timeZone": {
         "type": "string"
@@ -247,6 +247,29 @@ const definitions = {
       "userType"
     ]
   },
+  "EncryptableParentPassword": {
+    "type": "object",
+    "properties": {
+      "hash": {
+        "type": "string"
+      },
+      "secondHash": {
+        "type": "string"
+      },
+      "secondSalt": {
+        "type": "string"
+      },
+      "encrypted": {
+        "type": "boolean"
+      }
+    },
+    "additionalProperties": false,
+    "required": [
+      "hash",
+      "secondHash",
+      "secondSalt"
+    ]
+  },
   "SerializedChangeParentPasswordAction": {
     "type": "object",
     "properties": {
@@ -694,7 +717,7 @@ const definitions = {
         "type": "string"
       },
       "newPassword": {
-        "$ref": "#/definitions/ParentPassword"
+        "$ref": "#/definitions/EncryptableParentPassword"
       }
     },
     "additionalProperties": false,
@@ -1931,7 +1954,7 @@ const definitions = {
         ]
       },
       "password": {
-        "$ref": "#/definitions/ParentPassword"
+        "$ref": "#/definitions/EncryptableParentPassword"
       }
     },
     "additionalProperties": false,
@@ -2787,7 +2810,7 @@ export const isCreateFamilyByMailTokenRequest: (value: unknown) => value is Crea
       "type": "string"
     },
     "parentPassword": {
-      "$ref": "#/definitions/ParentPassword"
+      "$ref": "#/definitions/PlaintextParentPassword"
     },
     "parentDevice": {
       "$ref": "#/definitions/NewDeviceInfo"
@@ -2843,7 +2866,7 @@ export const isRecoverParentPasswordRequest: (value: unknown) => value is Recove
       "type": "string"
     },
     "password": {
-      "$ref": "#/definitions/ParentPassword"
+      "$ref": "#/definitions/PlaintextParentPassword"
     }
   },
   "additionalProperties": false,

src/function/dh/decrypt.ts

@@ -0,0 +1,125 @@
+/*
+ * server component for the TimeLimit App
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import * as Sequelize from 'sequelize'
+import { createDecipheriv, createPrivateKey, createPublicKey, diffieHellman } from 'crypto'
+import { Database } from '../../database'
+import { calculateExpireTime } from '../../database/devicedhkey'
+import { isVersionId } from '../../util/token'
+
+export async function decrypt({
+  database, transaction, familyId, deviceId, encryptedData, authData
+}: {
+  database: Database
+  transaction: Sequelize.Transaction
+  familyId: string
+  deviceId: string
+  encryptedData: string
+  authData: Buffer
+}) {
+  const parts = encryptedData.split('.')
+
+  if (parts.length !== 3) throw new MalformedDataDecryptException('expected three parts')
+
+  const ivAndEncrypted = Buffer.from(parts[0], 'base64')
+  const otherPublicKey = Buffer.from(parts[1], 'base64')
+  const keyId = parts[2]
+
+  if (ivAndEncrypted.length < 12 + 16) throw new MalformedDataDecryptException('too short for iv and auth tag')
+
+  if (!isVersionId(keyId)) throw new KeyNotFoundDecryptException('invalid key id')
+
+  const databaseKeyEntry = await database.deviceDhKey.findOne({
+    where: {
+      familyId,
+      deviceId,
+      version: keyId
+    },
+    transaction
+  })
+
+  if (!databaseKeyEntry) throw new KeyNotFoundDecryptException('private key not found')
+
+  if (databaseKeyEntry.expireAt === null) {
+    databaseKeyEntry.expireAt = calculateExpireTime(BigInt(Date.now())).toString(10)
+    await databaseKeyEntry.save({ transaction })
+  } else {
+    if (BigInt(databaseKeyEntry.expireAt) < BigInt(Date.now())) throw new KeyExpiredDecryptException()
+  }
+
+  const privateKey = (() => {
+    try {
+      return createPrivateKey({
+        key: databaseKeyEntry.privateKey,
+        format: 'der',
+        type: 'pkcs8'
+      })
+    } catch (ex) {
+      throw new MalformedPrivateKeyException()
+    }
+  })()
+
+  const decodedOtherPublicKey = (() => {
+    try {
+      return createPublicKey({
+        key: otherPublicKey,
+        format: 'der',
+        type: 'spki'
+      })
+    } catch (ex) {
+      throw new MalformedPublicKeyException()
+    }
+  })()
+
+  const sharedSecret = (() => {
+    try {
+      return diffieHellman({
+        privateKey,
+        publicKey: decodedOtherPublicKey
+      })
+    } catch (ex) {
+      throw new MalformedNoMatchingKeysException()
+    }
+  })()
+
+  try {
+    const decipher = createDecipheriv('aes-128-gcm', sharedSecret.slice(0, 16), ivAndEncrypted.slice(0, 12), {
+      authTagLength: 16
+    })
+
+    decipher.setAuthTag(ivAndEncrypted.slice(ivAndEncrypted.length - 16, ivAndEncrypted.length))
+    decipher.setAAD(authData)
+
+    const decryptedData = Buffer.concat([
+      decipher.update(ivAndEncrypted.slice(12, ivAndEncrypted.length - 16)),
+      decipher.final()
+    ])
+
+    return decryptedData
+  } catch (ex) {
+    throw new MalformedAuthenticationException()
+  }
+}
+
+export class DecryptException extends Error {}
+class MalformedDataDecryptException extends DecryptException { constructor(message: string) { super('malformed data: ' + message) } }
+class MalformedPrivateKeyException extends DecryptException { constructor() { super('private key') } }
+class MalformedPublicKeyException extends DecryptException { constructor() { super('public key') } }
+class MalformedNoMatchingKeysException extends DecryptException { constructor() { super('no matching keys') } }
+class MalformedAuthenticationException extends DecryptException { constructor() { super('authentication data') } }
+class KeyExpiredDecryptException extends DecryptException { constructor() { super('key expired') } }
+class KeyNotFoundDecryptException extends DecryptException { constructor(message: string) { super('key not found: ' + message) } }

src/function/dh/genkey.ts

@@ -0,0 +1,38 @@
+/*
+ * server component for the TimeLimit App
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { generateKeyPair } from 'crypto'
+import { promisify } from 'util'
+
+const generateKeyPairAsync = promisify(generateKeyPair)
+
+export async function generateDhKeypair() {
+  return await generateKeyPairAsync(
+    'ec',
+    {
+      namedCurve: 'prime256v1',
+      publicKeyEncoding: {
+        type: 'spki',
+        format: 'der'
+      },
+      privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'der'
+      }
+    }
+  )
+}

src/function/dh/index.ts

@@ -0,0 +1,20 @@
+/*
+ * server component for the TimeLimit App
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+export { decrypt } from './decrypt'
+export { generateDhKeypair } from './genkey'
+export { decryptParentPassword } from './parentpassword'

src/function/dh/parentpassword.ts

@@ -0,0 +1,56 @@
+/*
+ * server component for the TimeLimit App
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { Cache } from '../sync/apply-actions/cache'
+import { ApplyActionException } from '../sync/apply-actions/exception'
+import {
+  EncryptableParentPassword, assertParentPasswordValid,
+  PlaintextParentPassword, ParentPasswordValidationException
+} from '../../api/schema'
+import { decrypt, DecryptException } from './decrypt'
+
+export async function decryptParentPassword({ cache, password } : {
+  cache: Cache
+  password: EncryptableParentPassword
+}): Promise<PlaintextParentPassword> {
+  if (!password.encrypted) return password
+
+  try {
+    const secondHash = (await decrypt({
+      database: cache.database,
+      transaction: cache.transaction,
+      familyId: cache.familyId,
+      deviceId: cache.deviceId,
+      encryptedData: password.secondHash,
+      authData: Buffer.from(`ParentPassword:${password.hash}:${password.secondSalt}`, 'ascii')
+    })).toString('ascii')
+
+    const result: PlaintextParentPassword = {
+      hash: password.hash,
+      secondSalt: password.secondSalt,
+      secondHash
+    }
+
+    assertParentPasswordValid(result)
+
+    return result
+  } catch (ex) {
+    if (ex instanceof DecryptException) throw new ApplyActionException({ staticMessage: ex.message })
+    else if (ex instanceof ParentPasswordValidationException) throw new ApplyActionException({ staticMessage: 'invalid encrypted parent password' })
+    else throw ex
+  }
+}

src/function/parent/create-family.ts

@@ -16,7 +16,7 @@
  */
 
 import { Conflict } from 'http-errors'
-import { NewDeviceInfo, ParentPassword } from '../../api/schema'
+import { NewDeviceInfo, PlaintextParentPassword, assertPlaintextParentPasswordValid } from '../../api/schema'
 import { Database } from '../../database'
 import { maxMailNotificationFlags } from '../../database/user'
 import {
@@ -29,12 +29,14 @@ export const createFamily = async ({ database, mailAuthToken, firstParentDevice,
   database: Database,
   mailAuthToken: string,
   firstParentDevice: NewDeviceInfo,
-  password: ParentPassword,
+  password: PlaintextParentPassword,
   timeZone: string,
   parentName: string,
   deviceName: string
   // no transaction here because this is directly called from an API endpoint
 }) => {
+  assertPlaintextParentPasswordValid(password)
+
   return database.transaction(async (transaction) => {
     const now = Date.now().toString(10)
     const mailInfo = await requireMailAndLocaleByAuthToken({ database, mailAuthToken, transaction, invalidate: true })

src/function/parent/recover-parent-password.ts

@@ -16,7 +16,7 @@
  */
 
 import { Conflict } from 'http-errors'
-import { ParentPassword } from '../../api/schema'
+import { PlaintextParentPassword, assertPlaintextParentPasswordValid } from '../../api/schema'
 import { Database } from '../../database'
 import { sendPasswordRecoveryUsedMail } from '../../util/mail'
 import { generateVersionId } from '../../util/token'
@@ -27,10 +27,12 @@ import { notifyClientsAboutChangesDelayed } from '../websocket'
 export const recoverParentPassword = async ({ database, websocket, password, mailAuthToken }: {
   database: Database
   websocket: WebsocketApi
-  password: ParentPassword
+  password: PlaintextParentPassword
   mailAuthToken: string
   // no transaction here because this is directly called from an API endpoint
 }) => {
+  assertPlaintextParentPasswordValid(password)
+
   await database.transaction(async (transaction) => {
     const mailInfo = await requireMailAndLocaleByAuthToken({ mailAuthToken, database, transaction, invalidate: true })
 

src/function/sync/apply-actions/cache.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 - 2020 Jonas Lochmann
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -27,6 +27,7 @@ import { InvalidChildActionIntegrityValue } from './exception/integrity'
 
 export class Cache {
   readonly familyId: string
+  readonly deviceId: string
   readonly hasFullVersion: boolean
   transaction: Sequelize.Transaction
   readonly database: Database
@@ -46,14 +47,16 @@ export class Cache {
   invalidiateDeviceList = false
   areChangesImportant = false
 
-  constructor ({ familyId, hasFullVersion, database, transaction, connectedDevicesManager }: {
+  constructor ({ familyId, deviceId, hasFullVersion, database, transaction, connectedDevicesManager }: {
     familyId: string
+    deviceId: string
     hasFullVersion: boolean
     database: Database
     transaction: Sequelize.Transaction
     connectedDevicesManager: VisibleConnectedDevicesManager
   }) {
     this.familyId = familyId
+    this.deviceId = deviceId
     this.hasFullVersion = hasFullVersion || config.alwaysPro
     this.database = database
     this.transaction = transaction

src/function/sync/apply-actions/dispatch-child-action/childchangepassword.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 - 2021 Jonas Lochmann
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -18,6 +18,7 @@
 import { ChildChangePasswordAction } from '../../../../action'
 import { Cache } from '../cache'
 import { SourceUserNotFoundException } from '../exception/illegal-state'
+import { decryptParentPassword } from '../../../dh'
 
 export const dispatchChildChangePassword = async ({ action, childUserId, cache }: {
   action: ChildChangePasswordAction
@@ -37,9 +38,11 @@ export const dispatchChildChangePassword = async ({ action, childUserId, cache }
     throw new SourceUserNotFoundException()
   }
 
-  childEntry.passwordHash = action.password.hash
+  const newPassword = await decryptParentPassword({ cache, password: action.password })
-  childEntry.secondPasswordSalt = action.password.secondSalt
+
-  childEntry.secondPasswordHash = action.password.secondHash
+  childEntry.passwordHash = newPassword.hash
+  childEntry.secondPasswordSalt = newPassword.secondSalt
+  childEntry.secondPasswordHash = newPassword.secondHash
 
   await childEntry.save({ transaction: cache.transaction })
 

src/function/sync/apply-actions/dispatch-parent-action/adduser.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 - 2020 Jonas Lochmann
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -16,21 +16,27 @@
  */
 
 import { AddUserAction } from '../../../../action'
+import { decryptParentPassword } from '../../../dh'
 import { Cache } from '../cache'
 
 export async function dispatchAddUser ({ action, cache }: {
   action: AddUserAction
   cache: Cache
 }) {
+  const password =
+    action.password ?
+    await decryptParentPassword({ cache, password: action.password }) :
+    null
+
   await cache.database.user.create({
     familyId: cache.familyId,
     userId: action.userId,
     type: action.userType,
     name: action.name,
     timeZone: action.timeZone,
-    passwordHash: action.password ? action.password.hash : '',
+    passwordHash: password ? password.hash : '',
-    secondPasswordHash: action.password ? action.password.secondHash : '',
+    secondPasswordHash: password ? password.secondHash : '',
-    secondPasswordSalt: action.password ? action.password.secondSalt : '',
+    secondPasswordSalt: password ? password.secondSalt : '',
     mail: '',
     disableTimelimitsUntil: '0',
     currentDevice: '',

src/function/sync/apply-actions/dispatch-parent-action/setchildpassword.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 - 2021 Jonas Lochmann
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -18,6 +18,7 @@
 import { SetChildPasswordAction } from '../../../../action'
 import { Cache } from '../cache'
 import { MissingUserException } from '../exception/missing-item'
+import { decryptParentPassword } from '../../../dh'
 
 export async function dispatchSetChildPassword ({ action, cache }: {
   action: SetChildPasswordAction
@@ -36,9 +37,11 @@ export async function dispatchSetChildPassword ({ action, cache }: {
     throw new MissingUserException()
   }
 
-  childEntry.passwordHash = action.newPassword.hash
+  const newPassword = await decryptParentPassword({ cache, password: action.newPassword })
-  childEntry.secondPasswordSalt = action.newPassword.secondSalt
+
-  childEntry.secondPasswordHash = action.newPassword.secondHash
+  childEntry.passwordHash = newPassword.hash
+  childEntry.secondPasswordSalt = newPassword.secondSalt
+  childEntry.secondPasswordHash = newPassword.secondHash
 
   await childEntry.save({ transaction: cache.transaction })
 

src/function/sync/apply-actions/index.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 - 2020 Jonas Lochmann
+ * Copyright (C) 2019 - 2022 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -54,6 +54,7 @@ export const applyActionsFromDevice = async ({ database, request, websocket, con
       hasFullVersion: baseInfo.hasFullVersion,
       transaction,
       familyId: baseInfo.familyId,
+      deviceId: baseInfo.deviceId,
       connectedDevicesManager
     })
 

src/function/sync/get-server-data-status/dh-keys.ts

@@ -21,11 +21,8 @@ import { config, calculateExpireTime } from '../../../database/devicedhkey'
 import { ServerDhKey } from '../../../object/serverdatastatus'
 import { generateVersionId } from '../../../util/token'
 import { EventHandler } from '../../../monitoring/eventhandler'
+import { generateDhKeypair } from '../../../function/dh'
 import { FamilyEntry } from './family-entry'
-import { generateKeyPair } from 'crypto'
-import { promisify } from 'util'
-
-const generateKeyPairAsync = promisify(generateKeyPair)
 
 export async function getDeviceDhKeys ({
   database, transaction, familyEntry, deviceId, lastVersionId, eventHandler
@@ -56,20 +53,7 @@ export async function getDeviceDhKeys ({
     eventHandler.countEvent('getDeviceDhKeys:needsNewKey')
 
     const newVersion = generateVersionId()
-    const newKeypair = await generateKeyPairAsync(
+    const newKeypair = await generateDhKeypair()
-      'ec',
-      {
-        namedCurve: 'prime256v1',
-        publicKeyEncoding: {
-          type: 'spki',
-          format: 'der'
-        },
-        privateKeyEncoding: {
-          type: 'pkcs8',
-          format: 'der'
-        }
-      }
-    )
 
     if (savedData.length >= 8) {
       eventHandler.countEvent('getDeviceDhKeys:gc')

src/util/token.ts

@@ -46,5 +46,8 @@ export const assertIdWithinFamily = (id: string) => {
 }
 
 export const generateVersionId = randomString.bind(null, defaultAlphabet, 4)
+
+export const isVersionId = (id: string) => id.length === 4 && /^[a-zA-Z0-9]+$/.test(id)
+
 export const generateFamilyId = randomString.bind(null, defaultAlphabet, 10)
 export const generatePurchaseId = randomString.bind(null, defaultAlphabet, 10)