From 01aebbf69de322888dfabf19e84d0d67ed3152de Mon Sep 17 00:00:00 2001 From: Jakob Ackermann Date: Thu, 2 Feb 2023 12:00:47 +0000 Subject: [PATCH] Merge pull request #11559 from overleaf/jpa-access-token-encryptor-remove-v1 [access-token-encryptor] drop support for legacy v1 token scheme GitOrigin-RevId: 2d32453ad38119fa45cfd77463091f2c91dfe647 --- .../lib/js/AccessTokenEncryptor.js | 32 ++----------------- .../test/unit/js/AccessTokenEncryptorTests.js | 14 ++++---- 2 files changed, 10 insertions(+), 36 deletions(-) diff --git a/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js b/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js index aa5ca0168d..5e4140d426 100644 --- a/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js +++ b/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js @@ -3,9 +3,6 @@ const logger = require('@overleaf/logger') const ALGORITHM = 'aes-256-ctr' -const keyFn = (password, salt, callback) => - crypto.pbkdf2(password, salt, 10000, 64, 'sha1', callback) - const keyFn32 = (password, salt, keyLength, callback) => crypto.pbkdf2(password, salt, 10000, 32, 'sha1', callback) @@ -61,35 +58,10 @@ class AccessTokenEncryptor { if (!password || password.length < 16) { return callback(new Error('invalid password')) } - - if (iv) { - this.decryptToJsonV2(password, salt, cipherText, iv, callback) - } else { - this.decryptToJsonV1(password, salt, cipherText, callback) + if (!iv) { + return callback(new Error('token scheme v1 is not supported anymore')) } - } - decryptToJsonV1(password, salt, cipherText, callback) { - keyFn(password, Buffer.from(salt, 'hex'), (err, key) => { - let json - if (err) { - logger.err({ err }, 'error getting Fn key') - return callback(err) - } - // eslint-disable-next-line n/no-deprecated-api - const decipher = crypto.createDecipher(ALGORITHM, key) - const dec = - decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8') - try { - json = JSON.parse(dec) - } catch (e) { - return callback(new Error('error decrypting token')) - } - callback(null, json, true) - }) - } - - decryptToJsonV2(password, salt, cipherText, iv, callback) { keyFn32(password, Buffer.from(salt, 'hex'), 32, (err, key) => { let json if (err) { diff --git a/libraries/access-token-encryptor/test/unit/js/AccessTokenEncryptorTests.js b/libraries/access-token-encryptor/test/unit/js/AccessTokenEncryptorTests.js index 2dab88b12a..6ce394805e 100644 --- a/libraries/access-token-encryptor/test/unit/js/AccessTokenEncryptorTests.js +++ b/libraries/access-token-encryptor/test/unit/js/AccessTokenEncryptorTests.js @@ -72,18 +72,20 @@ describe('AccessTokenEncryptor', function () { }) }) - it('should decrypt an 2015 string to get the same object', function (done) { + it('should not be able to decrypt 2015 string', function (done) { this.encryptor.decryptToJson(this.encrypted2015, (err, decrypted) => { - expect(err).to.be.null - expect(decrypted).to.deep.equal(this.testObject) + expect(err).to.exist + expect(err.message).to.equal('token scheme v1 is not supported anymore') + expect(decrypted).to.not.exist done() }) }) - it('should decrypt an 2016 string to get the same object', function (done) { + it('should not be able to decrypt a 2016 string', function (done) { this.encryptor.decryptToJson(this.encrypted2016, (err, decrypted) => { - expect(err).to.be.null - expect(decrypted).to.deep.equal(this.testObject) + expect(err).to.exist + expect(err.message).to.equal('token scheme v1 is not supported anymore') + expect(decrypted).to.not.exist done() }) })