mirror of
https://github.com/overleaf/overleaf.git
synced 2024-10-24 21:12:38 -04:00
fc34b41b5b
* Fixup typos * Promisify `getPendingUser` * Promisify `getPendingUserWithExpectations` * Add promises to `AccessTokenEncryptor` * Promisify `TwoFactorAuthenticationHandler` * Promisify/Expressify `TwoFactorAuthenticationController` * Centralise `unprocessableEntity` error handling into a function * Fixup: entralise `unprocessableEntity` error handling into a function Avoid "responding to the query twice" * Remove unnecessary try/catch * Fixup: Add `async` to AccessTokenEncryptor promises * Add tests on `AccessTokenEncryptor.promises` * Revert "Fixup: entralise `unprocessableEntity` error handling into a function" This reverts commit 23bd9d73260733062908b98961846733c61171e9. * Revert "Centralise `unprocessableEntity` error handling into a function" This reverts commit 197ca3da02412d5224d411b29df1d7b9e5327d01. GitOrigin-RevId: 1a2864d28e87fd5e48cd3723a3da8047b79a1596
164 lines
4.3 KiB
JavaScript
164 lines
4.3 KiB
JavaScript
const { promisify } = require('util')
|
|
const crypto = require('crypto')
|
|
|
|
const ALGORITHM = 'aes-256-ctr'
|
|
|
|
const cryptoHkdf = promisify(crypto.hkdf)
|
|
const cryptoRandomBytes = promisify(crypto.randomBytes)
|
|
|
|
class AbstractAccessTokenScheme {
|
|
constructor(cipherLabel, cipherPassword) {
|
|
this.cipherLabel = cipherLabel
|
|
this.cipherPassword = cipherPassword
|
|
}
|
|
|
|
/**
|
|
* @param {Object} json
|
|
* @return {Promise<string>}
|
|
*/
|
|
async encryptJson(json) {
|
|
throw new Error('encryptJson is not implemented')
|
|
}
|
|
|
|
/**
|
|
* @param {string} encryptedJson
|
|
* @return {Promise<Object>}
|
|
*/
|
|
async decryptToJson(encryptedJson) {
|
|
throw new Error('decryptToJson is not implemented')
|
|
}
|
|
}
|
|
|
|
class AccessTokenSchemeWithGenericKeyFn extends AbstractAccessTokenScheme {
|
|
/**
|
|
* @param {Buffer} salt
|
|
* @return {Promise<Buffer>}
|
|
*/
|
|
async keyFn(salt) {
|
|
throw new Error('keyFn is not implemented')
|
|
}
|
|
|
|
async encryptJson(json) {
|
|
const plainText = JSON.stringify(json)
|
|
|
|
const bytes = await cryptoRandomBytes(32)
|
|
const salt = bytes.slice(0, 16)
|
|
const iv = bytes.slice(16, 32)
|
|
const key = await this.keyFn(salt)
|
|
|
|
const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
|
|
const cipherText =
|
|
cipher.update(plainText, 'utf8', 'base64') + cipher.final('base64')
|
|
|
|
return [
|
|
this.cipherLabel,
|
|
salt.toString('hex'),
|
|
cipherText,
|
|
iv.toString('hex'),
|
|
].join(':')
|
|
}
|
|
|
|
async decryptToJson(encryptedJson) {
|
|
const [, salt, cipherText, iv] = encryptedJson.split(':', 4)
|
|
const key = await this.keyFn(Buffer.from(salt, 'hex'))
|
|
|
|
const decipher = crypto.createDecipheriv(
|
|
ALGORITHM,
|
|
key,
|
|
Buffer.from(iv, 'hex')
|
|
)
|
|
const plainText =
|
|
decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8')
|
|
try {
|
|
return JSON.parse(plainText)
|
|
} catch (e) {
|
|
throw new Error('error decrypting token')
|
|
}
|
|
}
|
|
}
|
|
|
|
class AccessTokenSchemeV3 extends AccessTokenSchemeWithGenericKeyFn {
|
|
async keyFn(salt) {
|
|
const optionalInfo = ''
|
|
return await cryptoHkdf(
|
|
'sha512',
|
|
this.cipherPassword,
|
|
salt,
|
|
optionalInfo,
|
|
32
|
|
)
|
|
}
|
|
}
|
|
|
|
class AccessTokenEncryptor {
|
|
constructor(settings) {
|
|
/**
|
|
* @type {Map<string, AbstractAccessTokenScheme>}
|
|
*/
|
|
this.schemeByCipherLabel = new Map()
|
|
for (const cipherLabel of Object.keys(settings.cipherPasswords)) {
|
|
if (!cipherLabel) {
|
|
throw new Error('cipherLabel cannot be empty')
|
|
}
|
|
if (cipherLabel.match(/:/)) {
|
|
throw new Error(
|
|
`cipherLabel must not contain a colon (:), got ${cipherLabel}`
|
|
)
|
|
}
|
|
const [, version] = cipherLabel.split('-')
|
|
if (!version) {
|
|
throw new Error(
|
|
`cipherLabel must contain version suffix (e.g. 2042.1-v42), got ${cipherLabel}`
|
|
)
|
|
}
|
|
|
|
const cipherPassword = settings.cipherPasswords[cipherLabel]
|
|
if (!cipherPassword) {
|
|
throw new Error(`cipherPasswords['${cipherLabel}'] is missing`)
|
|
}
|
|
if (cipherPassword.length < 16) {
|
|
throw new Error(`cipherPasswords['${cipherLabel}'] is too short`)
|
|
}
|
|
|
|
let scheme
|
|
switch (version) {
|
|
case 'v3':
|
|
scheme = new AccessTokenSchemeV3(cipherLabel, cipherPassword)
|
|
break
|
|
default:
|
|
throw new Error(`unknown version '${version}' for ${cipherLabel}`)
|
|
}
|
|
this.schemeByCipherLabel.set(cipherLabel, scheme)
|
|
}
|
|
|
|
/** @type {AbstractAccessTokenScheme} */
|
|
this.defaultScheme = this.schemeByCipherLabel.get(settings.cipherLabel)
|
|
if (!this.defaultScheme) {
|
|
throw new Error(`unknown default cipherLabel ${settings.cipherLabel}`)
|
|
}
|
|
}
|
|
|
|
promises = {
|
|
encryptJson: async json => await this.defaultScheme.encryptJson(json),
|
|
decryptToJson: async encryptedJson => {
|
|
const [label] = encryptedJson.split(':', 1)
|
|
const scheme = this.schemeByCipherLabel.get(label)
|
|
if (!scheme) {
|
|
throw new Error('unknown access-token-encryptor label ' + label)
|
|
}
|
|
return await scheme.decryptToJson(encryptedJson)
|
|
},
|
|
}
|
|
|
|
encryptJson(json, callback) {
|
|
this.promises.encryptJson(json).then(s => callback(null, s), callback)
|
|
}
|
|
|
|
decryptToJson(encryptedJson, callback) {
|
|
this.promises
|
|
.decryptToJson(encryptedJson)
|
|
.then(o => callback(null, o), callback)
|
|
}
|
|
}
|
|
|
|
module.exports = AccessTokenEncryptor
|