verdaccio/packages/auth/src/legacy-token.ts

import {
  BinaryToTextEncoding,
  CharacterEncoding,
  createCipheriv,
  createDecipheriv,
  randomBytes,
} from 'crypto';
import buildDebug from 'debug';

import { TOKEN_VALID_LENGTH } from '@verdaccio/config';

const debug = buildDebug('verdaccio:auth:token:legacy');

export const defaultAlgorithm = process.env.VERDACCIO_LEGACY_ALGORITHM || 'aes-256-ctr';
const inputEncoding: CharacterEncoding = 'utf8';
const outputEncoding: BinaryToTextEncoding = 'hex';
// For AES, this is always 16
const IV_LENGTH = 16;
// Must be 256 bits (32 characters)
// https://stackoverflow.com/questions/50963160/invalid-key-length-in-crypto-createcipheriv#50963356
const VERDACCIO_LEGACY_ENCRYPTION_KEY = process.env.VERDACCIO_LEGACY_ENCRYPTION_KEY;

export function aesEncrypt(value: string, key: string): string | void {
  // https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
  // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
  debug('encrypt %o', value);
  debug('algorithm %o', defaultAlgorithm);
  const iv = Buffer.from(randomBytes(IV_LENGTH));
  const secretKey = VERDACCIO_LEGACY_ENCRYPTION_KEY || key;
  const isKeyValid = secretKey?.length === TOKEN_VALID_LENGTH;
  debug('length secret key %o', secretKey?.length);
  debug('is valid secret %o', isKeyValid);
  if (!value || !secretKey || !isKeyValid) {
    return;
  }

  const cipher = createCipheriv(defaultAlgorithm, secretKey, iv);
  let encrypted = cipher.update(value, inputEncoding, outputEncoding);
  // @ts-ignore
  encrypted += cipher.final(outputEncoding);
  const token = `${iv.toString('hex')}:${encrypted.toString()}`;
  debug('token generated successfully');
  return Buffer.from(token).toString('base64');
}

export function aesDecrypt(value: string, key: string): string | void {
  try {
    const buff = Buffer.from(value, 'base64');
    const textParts = buff.toString().split(':');

    // extract the IV from the first half of the value
    // @ts-ignore
    const IV = Buffer.from(textParts.shift(), outputEncoding);
    // extract the encrypted text without the IV
    const encryptedText = Buffer.from(textParts.join(':'), outputEncoding);
    const secretKey = VERDACCIO_LEGACY_ENCRYPTION_KEY || key;
    // decipher the string
    const decipher = createDecipheriv(defaultAlgorithm, secretKey, IV);
    // FIXME: fix type here should allow Buffer
    let decrypted = decipher.update(encryptedText as any, outputEncoding, inputEncoding);
    decrypted += decipher.final(inputEncoding);
    debug('token decrypted successfully');
    return decrypted.toString();
  } catch (_: any) {
    return;
  }
}
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`import {`
chore: consistency core dependencies (#2878) * chore: group patch minor updates * chore: use node 16 instead 14 * fix types * fix types 2022-01-09 16:30:35 +01:00			`BinaryToTextEncoding,`
			`CharacterEncoding,`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`createCipheriv,`
			`createDecipheriv,`
			`randomBytes,`
			`} from 'crypto';`
			`import buildDebug from 'debug';`

#2606 add prettier plugin sort imports (#2607) * #2606 add prettier plugin sort imprts * #2606 update pnpm-lock.yaml * #2606 update eslint rules * #2606 fixes website directory formatting Co-authored-by: Ayush Sharma <ayush.sharma@trivago.com> 2021-10-29 17:33:05 +02:00			`import { TOKEN_VALID_LENGTH } from '@verdaccio/config';`

feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`const debug = buildDebug('verdaccio:auth:token:legacy');`

			`export const defaultAlgorithm = process.env.VERDACCIO_LEGACY_ALGORITHM \|\| 'aes-256-ctr';`
chore: consistency core dependencies (#2878) * chore: group patch minor updates * chore: use node 16 instead 14 * fix types * fix types 2022-01-09 16:30:35 +01:00			`const inputEncoding: CharacterEncoding = 'utf8';`
			`const outputEncoding: BinaryToTextEncoding = 'hex';`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`// For AES, this is always 16`
			`const IV_LENGTH = 16;`
			`// Must be 256 bits (32 characters)`
			`// https://stackoverflow.com/questions/50963160/invalid-key-length-in-crypto-createcipheriv#50963356`
			`const VERDACCIO_LEGACY_ENCRYPTION_KEY = process.env.VERDACCIO_LEGACY_ENCRYPTION_KEY;`

			`export function aesEncrypt(value: string, key: string): string \| void {`
			`// https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options`
			`// https://www.grainger.xyz/changing-from-cipher-to-cipheriv/`
			`debug('encrypt %o', value);`
			`debug('algorithm %o', defaultAlgorithm);`
			`const iv = Buffer.from(randomBytes(IV_LENGTH));`
			`const secretKey = VERDACCIO_LEGACY_ENCRYPTION_KEY \|\| key;`
			`const isKeyValid = secretKey?.length === TOKEN_VALID_LENGTH;`
			`debug('length secret key %o', secretKey?.length);`
			`debug('is valid secret %o', isKeyValid);`
			`if (!value \|\| !secretKey \|\| !isKeyValid) {`
			`return;`
			`}`

			`const cipher = createCipheriv(defaultAlgorithm, secretKey, iv);`
			`let encrypted = cipher.update(value, inputEncoding, outputEncoding);`
			`// @ts-ignore`
			`encrypted += cipher.final(outputEncoding);`
			const token = `${iv.toString('hex')}:${encrypted.toString()}`;
			`debug('token generated successfully');`
			`return Buffer.from(token).toString('base64');`
			`}`

			`export function aesDecrypt(value: string, key: string): string \| void {`
			`try {`
			`const buff = Buffer.from(value, 'base64');`
			`const textParts = buff.toString().split(':');`

			`// extract the IV from the first half of the value`
			`// @ts-ignore`
			`const IV = Buffer.from(textParts.shift(), outputEncoding);`
			`// extract the encrypted text without the IV`
			`const encryptedText = Buffer.from(textParts.join(':'), outputEncoding);`
			`const secretKey = VERDACCIO_LEGACY_ENCRYPTION_KEY \|\| key;`
			`// decipher the string`
			`const decipher = createDecipheriv(defaultAlgorithm, secretKey, IV);`
chore: consistency core dependencies (#2878) * chore: group patch minor updates * chore: use node 16 instead 14 * fix types * fix types 2022-01-09 16:30:35 +01:00			`// FIXME: fix type here should allow Buffer`
			`let decrypted = decipher.update(encryptedText as any, outputEncoding, inputEncoding);`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`decrypted += decipher.final(inputEncoding);`
			`debug('token decrypted successfully');`
			`return decrypted.toString();`
Update & make dependency versions consistent in packages/* (#2393) * docs: improve pnpm development setup info in CONTRIBUTING.md * build: make dependency versions consistent in packages/* Updated to latest minor/patch versions; left major version unchanged for now Did not change react dependencies in ui-theme package Added .project file for Eclipse IDE users * revert: rollback @changesets dep versions & maintain kleur v3.0.3 2021-08-30 15:49:08 +09:30			`} catch (_: any) {`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`return;`
			`}`
			`}`