Merge pull request #4742 from overleaf/jpa-modernize-access-token-encryptor

[misc] modernize access token encryptor GitOrigin-RevId: 178fe2ee2f97f2b3816e480b6283fdb127eb72d6
2026-05-23 17:19:37 +02:00 · 2021-08-16 11:54:39 +02:00
parent 2ce94153d4
commit 0ecd6f34ff
8 changed files with 3864 additions and 263 deletions
--- a/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js
+++ b/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js
@@ -1,104 +1,117 @@
-// TODO: This file was created by bulk-decaffeinate.
-// Sanity-check the conversion and remove this comment.
-/*
- * decaffeinate suggestions:
- * DS101: Remove unnecessary use of Array.from
- * DS102: Remove unnecessary code created because of implicit returns
- * DS207: Consider shorter variations of null checks
- * Full docs: https://github.com/decaffeinate/decaffeinate/blob/master/docs/suggestions.md
- */
-const crypto = require('crypto');
+const crypto = require('crypto')
+const logger = require('logger-sharelatex')

-const Buffer = require('buffer').Buffer;
+const ALGORITHM = 'aes-256-ctr'

-const ALGORITHM = 'aes-256-ctr';
+const keyFn = (password, salt, callback) =>
+  crypto.pbkdf2(password, salt, 10000, 64, 'sha1', callback)

-const keyFn = (password, salt, callback)=> crypto.pbkdf2(password, salt, 10000, 64, 'sha1', callback);
-
-const keyFn32 = (password, salt, keyLength, callback)=> crypto.pbkdf2(password, salt, 10000, 32, 'sha1', callback);
+const keyFn32 = (password, salt, keyLength, callback) =>
+  crypto.pbkdf2(password, salt, 10000, 32, 'sha1', callback)

 class AccessTokenEncryptor {
+  constructor(settings) {
+    this.settings = settings
+    this.cipherLabel = this.settings.cipherLabel
+    if (this.cipherLabel && this.cipherLabel.match(/:/)) {
+      throw Error('cipherLabel must not contain a colon (:)')
+    }

-	constructor(settings) {
+    this.cipherPassword = this.settings.cipherPasswords[this.cipherLabel]
+    if (!this.cipherPassword) {
+      throw Error('cipherPassword not set')
+    }
+    if (this.cipherPassword.length < 16) {
+      throw Error('cipherPassword too short')
+    }
+  }

-		this.settings = settings;
-		this.cipherLabel = this.settings.cipherLabel;
-		if (this.cipherLabel != null ? this.cipherLabel.match(/:/) : undefined) { throw Error("cipherLabel must not contain a colon (:)"); }
+  encryptJson(json, callback) {
+    const string = JSON.stringify(json)
+    crypto.randomBytes(32, (err, bytes) => {
+      if (err) {
+        return callback(err)
+      }
+      const salt = bytes.slice(0, 16)
+      const iv = bytes.slice(16, 32)

-		this.cipherPassword = this.settings.cipherPasswords[this.cipherLabel];
-		if ((this.cipherPassword == null)) { throw Error("cipherPassword not set"); }
-		if (this.cipherPassword.length < 16) { throw Error("cipherPassword too short"); }
-	}
+      keyFn32(this.cipherPassword, salt, 32, (err, key) => {
+        if (err) {
+          logger.err({ err }, 'error getting Fn key')
+          return callback(err)
+        }

-	encryptJson(json, callback) {
-		const string = JSON.stringify(json);
-		return crypto.randomBytes(32, (err, bytes) => {
-			if (err) { return callback(err); }
-			const salt = bytes.slice(0, 16);
-			const iv = bytes.slice(16, 32);
+        const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
+        const crypted =
+          cipher.update(string, 'utf8', 'base64') + cipher.final('base64')

-			return keyFn32(this.cipherPassword, salt, 32, (err, key) => {
-				if (err != null) {
-					logger.err({err}, "error getting Fn key");
-					return callback(err);
-				}
+        callback(
+          null,
+          `${this.cipherLabel}:${salt.toString('hex')}:${crypted}:${iv.toString(
+            'hex'
+          )}`
+        )
+      })
+    })
+  }

-				const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
-				const crypted = cipher.update(string, 'utf8', 'base64') + cipher.final('base64');
+  decryptToJson(encryptedJson, callback) {
+    const [label, salt, cipherText, iv] = encryptedJson.split(':', 4)
+    const password = this.settings.cipherPasswords[label]
+    if (!password || password.length < 16) {
+      return callback(new Error('invalid password'))
+    }

-				return callback(null, `${this.cipherLabel}:${salt.toString('hex')}:${crypted}:${iv.toString('hex')}`);
-			});
-		});
-	}
+    if (iv) {
+      this.decryptToJsonV2(password, salt, cipherText, iv, callback)
+    } else {
+      this.decryptToJsonV1(password, salt, cipherText, callback)
+    }
+  }

-	decryptToJson(encryptedJson, callback) {
-		const [label, salt, cipherText, iv] = Array.from(encryptedJson.split(':', 4));
-		const password = this.settings.cipherPasswords[label];
-		if ((password == null) || (password.length < 16)) { return callback(new Error("invalid password")); }
+  decryptToJsonV1(password, salt, cipherText, callback) {
+    keyFn(password, Buffer.from(salt, 'hex'), (err, key) => {
+      let json
+      if (err) {
+        logger.err({ err }, 'error getting Fn key')
+        return callback(err)
+      }
+      // eslint-disable-next-line node/no-deprecated-api
+      const decipher = crypto.createDecipher(ALGORITHM, key)
+      const dec =
+        decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8')
+      try {
+        json = JSON.parse(dec)
+      } catch (e) {
+        return callback(new Error('error decrypting token'))
+      }
+      callback(null, json, true)
+    })
+  }

-		if (iv) {
-			return this.decryptToJsonV2(password, salt, cipherText, iv, callback);
-		} else {
-			return this.decryptToJsonV1(password, salt, cipherText, callback);
-		}
-	}
+  decryptToJsonV2(password, salt, cipherText, iv, callback) {
+    keyFn32(password, Buffer.from(salt, 'hex'), 32, (err, key) => {
+      let json
+      if (err) {
+        logger.err({ err }, 'error getting Fn key')
+        return callback(err)
+      }

-	decryptToJsonV1(password, salt, cipherText, callback) {
-		return keyFn(password, Buffer.from(salt, 'hex'), (err, key) => {
-			let json;
-			if (err != null) {
-				logger.err({err}, "error getting Fn key");
-				return callback(err);
-			}
-			const decipher = crypto.createDecipher(ALGORITHM, key);
-			const dec = decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8');
-			try {
-				json = JSON.parse(dec);
-			} catch (e) {
-				return callback(new Error("error decrypting token"));
-			}
-			return callback(null, json, true);
-		});
-	}
-
-	decryptToJsonV2(password, salt, cipherText, iv, callback) {
-		return keyFn32(password, Buffer.from(salt, 'hex'), 32, (err, key) => {
-			let json;
-			if (err != null) {
-				logger.err({err}, "error getting Fn key");
-				return callback(err);
-			}
-
-			const decipher = crypto.createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'hex'));
-			const dec = decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8');
-			try {
-				json = JSON.parse(dec);
-			} catch (e) {
-				return callback(new Error("error decrypting token"));
-			}
-			return callback(null, json);
-		});
-	}
+      const decipher = crypto.createDecipheriv(
+        ALGORITHM,
+        key,
+        Buffer.from(iv, 'hex')
+      )
+      const dec =
+        decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8')
+      try {
+        json = JSON.parse(dec)
+      } catch (e) {
+        return callback(new Error('error decrypting token'))
+      }
+      callback(null, json)
+    })
+  }
 }

-module.exports = AccessTokenEncryptor;
+module.exports = AccessTokenEncryptor