mirror of
https://github.com/overleaf/overleaf.git
synced 2024-10-17 21:05:04 -04:00
01aebbf69d
[access-token-encryptor] drop support for legacy v1 token scheme GitOrigin-RevId: 2d32453ad38119fa45cfd77463091f2c91dfe647
89 lines
2.4 KiB
JavaScript
89 lines
2.4 KiB
JavaScript
const crypto = require('crypto')
|
|
const logger = require('@overleaf/logger')
|
|
|
|
const ALGORITHM = 'aes-256-ctr'
|
|
|
|
const keyFn32 = (password, salt, keyLength, callback) =>
|
|
crypto.pbkdf2(password, salt, 10000, 32, 'sha1', callback)
|
|
|
|
class AccessTokenEncryptor {
|
|
constructor(settings) {
|
|
this.settings = settings
|
|
this.cipherLabel = this.settings.cipherLabel
|
|
if (this.cipherLabel && this.cipherLabel.match(/:/)) {
|
|
throw Error('cipherLabel must not contain a colon (:)')
|
|
}
|
|
|
|
this.cipherPassword = this.settings.cipherPasswords[this.cipherLabel]
|
|
if (!this.cipherPassword) {
|
|
throw Error('cipherPassword not set')
|
|
}
|
|
if (this.cipherPassword.length < 16) {
|
|
throw Error('cipherPassword too short')
|
|
}
|
|
}
|
|
|
|
encryptJson(json, callback) {
|
|
const string = JSON.stringify(json)
|
|
crypto.randomBytes(32, (err, bytes) => {
|
|
if (err) {
|
|
return callback(err)
|
|
}
|
|
const salt = bytes.slice(0, 16)
|
|
const iv = bytes.slice(16, 32)
|
|
|
|
keyFn32(this.cipherPassword, salt, 32, (err, key) => {
|
|
if (err) {
|
|
logger.err({ err }, 'error getting Fn key')
|
|
return callback(err)
|
|
}
|
|
|
|
const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
|
|
const crypted =
|
|
cipher.update(string, 'utf8', 'base64') + cipher.final('base64')
|
|
|
|
callback(
|
|
null,
|
|
`${this.cipherLabel}:${salt.toString('hex')}:${crypted}:${iv.toString(
|
|
'hex'
|
|
)}`
|
|
)
|
|
})
|
|
})
|
|
}
|
|
|
|
decryptToJson(encryptedJson, callback) {
|
|
const [label, salt, cipherText, iv] = encryptedJson.split(':', 4)
|
|
const password = this.settings.cipherPasswords[label]
|
|
if (!password || password.length < 16) {
|
|
return callback(new Error('invalid password'))
|
|
}
|
|
if (!iv) {
|
|
return callback(new Error('token scheme v1 is not supported anymore'))
|
|
}
|
|
|
|
keyFn32(password, Buffer.from(salt, 'hex'), 32, (err, key) => {
|
|
let json
|
|
if (err) {
|
|
logger.err({ err }, 'error getting Fn key')
|
|
return callback(err)
|
|
}
|
|
|
|
const decipher = crypto.createDecipheriv(
|
|
ALGORITHM,
|
|
key,
|
|
Buffer.from(iv, 'hex')
|
|
)
|
|
const dec =
|
|
decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8')
|
|
try {
|
|
json = JSON.parse(dec)
|
|
} catch (e) {
|
|
return callback(new Error('error decrypting token'))
|
|
}
|
|
callback(null, json)
|
|
})
|
|
}
|
|
}
|
|
|
|
module.exports = AccessTokenEncryptor
|