overleaf/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js
Antoine Clausse fc34b41b5b [web] Promisify two-factor-authentication (#19004)
* Fixup typos

* Promisify `getPendingUser`

* Promisify `getPendingUserWithExpectations`

* Add promises to `AccessTokenEncryptor`

* Promisify `TwoFactorAuthenticationHandler`

* Promisify/Expressify `TwoFactorAuthenticationController`

* Centralise `unprocessableEntity` error handling into a function

* Fixup: entralise `unprocessableEntity` error handling into a function

Avoid "responding to the query twice"

* Remove unnecessary try/catch

* Fixup: Add `async` to AccessTokenEncryptor promises

* Add tests on `AccessTokenEncryptor.promises`

* Revert "Fixup: entralise `unprocessableEntity` error handling into a function"

This reverts commit 23bd9d73260733062908b98961846733c61171e9.

* Revert "Centralise `unprocessableEntity` error handling into a function"

This reverts commit 197ca3da02412d5224d411b29df1d7b9e5327d01.

GitOrigin-RevId: 1a2864d28e87fd5e48cd3723a3da8047b79a1596
2024-06-26 08:05:06 +00:00

164 lines
4.3 KiB
JavaScript

const { promisify } = require('util')
const crypto = require('crypto')
const ALGORITHM = 'aes-256-ctr'
const cryptoHkdf = promisify(crypto.hkdf)
const cryptoRandomBytes = promisify(crypto.randomBytes)
class AbstractAccessTokenScheme {
constructor(cipherLabel, cipherPassword) {
this.cipherLabel = cipherLabel
this.cipherPassword = cipherPassword
}
/**
* @param {Object} json
* @return {Promise<string>}
*/
async encryptJson(json) {
throw new Error('encryptJson is not implemented')
}
/**
* @param {string} encryptedJson
* @return {Promise<Object>}
*/
async decryptToJson(encryptedJson) {
throw new Error('decryptToJson is not implemented')
}
}
class AccessTokenSchemeWithGenericKeyFn extends AbstractAccessTokenScheme {
/**
* @param {Buffer} salt
* @return {Promise<Buffer>}
*/
async keyFn(salt) {
throw new Error('keyFn is not implemented')
}
async encryptJson(json) {
const plainText = JSON.stringify(json)
const bytes = await cryptoRandomBytes(32)
const salt = bytes.slice(0, 16)
const iv = bytes.slice(16, 32)
const key = await this.keyFn(salt)
const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
const cipherText =
cipher.update(plainText, 'utf8', 'base64') + cipher.final('base64')
return [
this.cipherLabel,
salt.toString('hex'),
cipherText,
iv.toString('hex'),
].join(':')
}
async decryptToJson(encryptedJson) {
const [, salt, cipherText, iv] = encryptedJson.split(':', 4)
const key = await this.keyFn(Buffer.from(salt, 'hex'))
const decipher = crypto.createDecipheriv(
ALGORITHM,
key,
Buffer.from(iv, 'hex')
)
const plainText =
decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8')
try {
return JSON.parse(plainText)
} catch (e) {
throw new Error('error decrypting token')
}
}
}
class AccessTokenSchemeV3 extends AccessTokenSchemeWithGenericKeyFn {
async keyFn(salt) {
const optionalInfo = ''
return await cryptoHkdf(
'sha512',
this.cipherPassword,
salt,
optionalInfo,
32
)
}
}
class AccessTokenEncryptor {
constructor(settings) {
/**
* @type {Map<string, AbstractAccessTokenScheme>}
*/
this.schemeByCipherLabel = new Map()
for (const cipherLabel of Object.keys(settings.cipherPasswords)) {
if (!cipherLabel) {
throw new Error('cipherLabel cannot be empty')
}
if (cipherLabel.match(/:/)) {
throw new Error(
`cipherLabel must not contain a colon (:), got ${cipherLabel}`
)
}
const [, version] = cipherLabel.split('-')
if (!version) {
throw new Error(
`cipherLabel must contain version suffix (e.g. 2042.1-v42), got ${cipherLabel}`
)
}
const cipherPassword = settings.cipherPasswords[cipherLabel]
if (!cipherPassword) {
throw new Error(`cipherPasswords['${cipherLabel}'] is missing`)
}
if (cipherPassword.length < 16) {
throw new Error(`cipherPasswords['${cipherLabel}'] is too short`)
}
let scheme
switch (version) {
case 'v3':
scheme = new AccessTokenSchemeV3(cipherLabel, cipherPassword)
break
default:
throw new Error(`unknown version '${version}' for ${cipherLabel}`)
}
this.schemeByCipherLabel.set(cipherLabel, scheme)
}
/** @type {AbstractAccessTokenScheme} */
this.defaultScheme = this.schemeByCipherLabel.get(settings.cipherLabel)
if (!this.defaultScheme) {
throw new Error(`unknown default cipherLabel ${settings.cipherLabel}`)
}
}
promises = {
encryptJson: async json => await this.defaultScheme.encryptJson(json),
decryptToJson: async encryptedJson => {
const [label] = encryptedJson.split(':', 1)
const scheme = this.schemeByCipherLabel.get(label)
if (!scheme) {
throw new Error('unknown access-token-encryptor label ' + label)
}
return await scheme.decryptToJson(encryptedJson)
},
}
encryptJson(json, callback) {
this.promises.encryptJson(json).then(s => callback(null, s), callback)
}
decryptToJson(encryptedJson, callback) {
this.promises
.decryptToJson(encryptedJson)
.then(o => callback(null, o), callback)
}
}
module.exports = AccessTokenEncryptor