mirror of
https://github.com/overleaf/overleaf.git
synced 2025-01-01 10:51:15 +00:00
b30d838c49
[access-token-encryptor] drop support for encryption scheme v2 GitOrigin-RevId: b720997e01239a7b6443138c68485d5ab0c813ed
147 lines
4 KiB
JavaScript
147 lines
4 KiB
JavaScript
const { promisify } = require('util')
|
|
const crypto = require('crypto')
|
|
|
|
const ALGORITHM = 'aes-256-ctr'
|
|
|
|
const cryptoHkdf = promisify(crypto.hkdf)
|
|
const cryptoRandomBytes = promisify(crypto.randomBytes)
|
|
|
|
class AbstractAccessTokenScheme {
|
|
constructor(cipherLabel, cipherPassword) {
|
|
this.cipherLabel = cipherLabel
|
|
this.cipherPassword = cipherPassword
|
|
}
|
|
|
|
/**
|
|
* @param {Object} json
|
|
* @return {Promise<string>}
|
|
*/
|
|
async encryptJson(json) {
|
|
throw new Error('encryptJson is not implemented')
|
|
}
|
|
|
|
/**
|
|
* @param {string} encryptedJson
|
|
* @return {Promise<Object>}
|
|
*/
|
|
async decryptToJson(encryptedJson) {
|
|
throw new Error('decryptToJson is not implemented')
|
|
}
|
|
}
|
|
|
|
class AccessTokenSchemeWithGenericKeyFn extends AbstractAccessTokenScheme {
|
|
/**
|
|
* @param {Buffer} salt
|
|
* @return {Promise<Buffer>}
|
|
*/
|
|
async keyFn(salt) {
|
|
throw new Error('keyFn is not implemented')
|
|
}
|
|
|
|
async encryptJson(json) {
|
|
const plainText = JSON.stringify(json)
|
|
|
|
const bytes = await cryptoRandomBytes(32)
|
|
const salt = bytes.slice(0, 16)
|
|
const iv = bytes.slice(16, 32)
|
|
const key = await this.keyFn(salt)
|
|
|
|
const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
|
|
const cipherText =
|
|
cipher.update(plainText, 'utf8', 'base64') + cipher.final('base64')
|
|
|
|
return [
|
|
this.cipherLabel,
|
|
salt.toString('hex'),
|
|
cipherText,
|
|
iv.toString('hex'),
|
|
].join(':')
|
|
}
|
|
|
|
async decryptToJson(encryptedJson) {
|
|
const [, salt, cipherText, iv] = encryptedJson.split(':', 4)
|
|
const key = await this.keyFn(Buffer.from(salt, 'hex'))
|
|
|
|
const decipher = crypto.createDecipheriv(
|
|
ALGORITHM,
|
|
key,
|
|
Buffer.from(iv, 'hex')
|
|
)
|
|
const plainText =
|
|
decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8')
|
|
try {
|
|
return JSON.parse(plainText)
|
|
} catch (e) {
|
|
throw new Error('error decrypting token')
|
|
}
|
|
}
|
|
}
|
|
|
|
class AccessTokenSchemeV3 extends AccessTokenSchemeWithGenericKeyFn {
|
|
async keyFn(salt) {
|
|
const optionalInfo = ''
|
|
return cryptoHkdf('sha512', this.cipherPassword, salt, optionalInfo, 32)
|
|
}
|
|
}
|
|
|
|
class AccessTokenEncryptor {
|
|
constructor(settings) {
|
|
this.schemeByCipherLabel = new Map()
|
|
for (const cipherLabel of Object.keys(settings.cipherPasswords)) {
|
|
if (!cipherLabel) {
|
|
throw new Error('cipherLabel cannot be empty')
|
|
}
|
|
if (cipherLabel.match(/:/)) {
|
|
throw new Error(
|
|
`cipherLabel must not contain a colon (:), got ${cipherLabel}`
|
|
)
|
|
}
|
|
const [, version] = cipherLabel.split('-')
|
|
if (!version) {
|
|
throw new Error(
|
|
`cipherLabel must contain version suffix (e.g. 2042.1-v42), got ${cipherLabel}`
|
|
)
|
|
}
|
|
|
|
const cipherPassword = settings.cipherPasswords[cipherLabel]
|
|
if (!cipherPassword) {
|
|
throw new Error(`cipherPasswords['${cipherLabel}'] is missing`)
|
|
}
|
|
if (cipherPassword.length < 16) {
|
|
throw new Error(`cipherPasswords['${cipherLabel}'] is too short`)
|
|
}
|
|
|
|
let scheme
|
|
switch (version) {
|
|
case 'v3':
|
|
scheme = new AccessTokenSchemeV3(cipherLabel, cipherPassword)
|
|
break
|
|
default:
|
|
throw new Error(`unknown version '${version}' for ${cipherLabel}`)
|
|
}
|
|
this.schemeByCipherLabel.set(cipherLabel, scheme)
|
|
}
|
|
|
|
this.defaultScheme = this.schemeByCipherLabel.get(settings.cipherLabel)
|
|
if (!this.defaultScheme) {
|
|
throw new Error(`unknown default cipherLabel ${settings.cipherLabel}`)
|
|
}
|
|
}
|
|
|
|
encryptJson(json, callback) {
|
|
this.defaultScheme.encryptJson(json).then(s => callback(null, s), callback)
|
|
}
|
|
|
|
decryptToJson(encryptedJson, callback) {
|
|
const [label] = encryptedJson.split(':', 1)
|
|
const scheme = this.schemeByCipherLabel.get(label)
|
|
if (!scheme) {
|
|
return callback(
|
|
new Error('unknown access-token-encryptor label ' + label)
|
|
)
|
|
}
|
|
scheme.decryptToJson(encryptedJson).then(o => callback(null, o), callback)
|
|
}
|
|
}
|
|
|
|
module.exports = AccessTokenEncryptor
|