overleaf/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js
Jakob Ackermann 01aebbf69d Merge pull request #11559 from overleaf/jpa-access-token-encryptor-remove-v1
[access-token-encryptor] drop support for legacy v1 token scheme

GitOrigin-RevId: 2d32453ad38119fa45cfd77463091f2c91dfe647
2023-02-02 18:22:42 +00:00

89 lines
2.4 KiB
JavaScript

const crypto = require('crypto')
const logger = require('@overleaf/logger')
const ALGORITHM = 'aes-256-ctr'
const keyFn32 = (password, salt, keyLength, callback) =>
crypto.pbkdf2(password, salt, 10000, 32, 'sha1', callback)
class AccessTokenEncryptor {
constructor(settings) {
this.settings = settings
this.cipherLabel = this.settings.cipherLabel
if (this.cipherLabel && this.cipherLabel.match(/:/)) {
throw Error('cipherLabel must not contain a colon (:)')
}
this.cipherPassword = this.settings.cipherPasswords[this.cipherLabel]
if (!this.cipherPassword) {
throw Error('cipherPassword not set')
}
if (this.cipherPassword.length < 16) {
throw Error('cipherPassword too short')
}
}
encryptJson(json, callback) {
const string = JSON.stringify(json)
crypto.randomBytes(32, (err, bytes) => {
if (err) {
return callback(err)
}
const salt = bytes.slice(0, 16)
const iv = bytes.slice(16, 32)
keyFn32(this.cipherPassword, salt, 32, (err, key) => {
if (err) {
logger.err({ err }, 'error getting Fn key')
return callback(err)
}
const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
const crypted =
cipher.update(string, 'utf8', 'base64') + cipher.final('base64')
callback(
null,
`${this.cipherLabel}:${salt.toString('hex')}:${crypted}:${iv.toString(
'hex'
)}`
)
})
})
}
decryptToJson(encryptedJson, callback) {
const [label, salt, cipherText, iv] = encryptedJson.split(':', 4)
const password = this.settings.cipherPasswords[label]
if (!password || password.length < 16) {
return callback(new Error('invalid password'))
}
if (!iv) {
return callback(new Error('token scheme v1 is not supported anymore'))
}
keyFn32(password, Buffer.from(salt, 'hex'), 32, (err, key) => {
let json
if (err) {
logger.err({ err }, 'error getting Fn key')
return callback(err)
}
const decipher = crypto.createDecipheriv(
ALGORITHM,
key,
Buffer.from(iv, 'hex')
)
const dec =
decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8')
try {
json = JSON.parse(dec)
} catch (e) {
return callback(new Error('error decrypting token'))
}
callback(null, json)
})
}
}
module.exports = AccessTokenEncryptor