forked from electrode-io/electrode-csrf-jwt
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hash-token-engine.js
139 lines (112 loc) · 3.81 KB
/
hash-token-engine.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
"use strict";
/* eslint-disable no-magic-numbers */
/*
* This is a Token Engine (experimental) that instead of using JWT, it uses SHA (256)
* and a large (1024+ bytes) secret to verify the tokens. The tokens are not encrypted.
* The idea is that it's not that important if they are not because anyone can openly
* get valid tokens by making a GET request anyways. What's important is the browser
* restriction on XSS access to read/write cookies and setting HTTP headers.
*
* The implementation:
*
* - contentA = payload + timeStamp + uuid1
* - shaContent = contentA + secret
* - shaKey = uuid2
* - shaSum = sha256(shaContent + shaKey)
* => headerToken = contentA + shaSum
* => cookieToken = shaKey
*
* This also allows the cookieToken to be just a relatively smaller UUID compare to
* a long JWT token.
*
* Of course this means the tokens cannot contain any sensitive info.
*/
const crypto = require("crypto");
const assert = require("assert");
const getIdGenerator = require("./get-id-generators");
const pkg = require("../package.json");
const ms = require("ms");
const { MISSING_TOKEN, INVALID_TOKEN, BAD_TOKEN } = require("./errors");
const encodePayload = payload => {
return Buffer.from(JSON.stringify(payload)).toString("base64");
};
const decodePayload = epayload => {
return epayload ? JSON.parse(Buffer.from(epayload, "base64").toString()) : {};
};
const version = "1";
class HashTokenEngine {
constructor(options) {
const secret = `${pkg.name} ShaTokenEngine: you should set a 1024+ bytes secret`;
this._uuidGen = getIdGenerator(options.uuidGen);
assert(this._uuidGen(), "UUID generator must not return falsy values");
this._secret = options.secret || secret;
if (this._secret.length < 1024) {
console.error(secret); // eslint-disable-line
}
this._expiresIn = options.expiresIn || "1h";
this._hashAlgo = options.hashAlgo || "sha256";
}
_calcContentSum(content) {
const hash = crypto.createHash(this._hashAlgo);
hash.update(content);
return hash.digest("base64");
}
_encode(content, shaKey) {
const contentFull = `${content}-${this._secret}-${shaKey}`;
const shaSum = this._calcContentSum(contentFull);
return { header: `${content}.${shaSum}`, cookie: shaKey };
}
create(payload) {
payload = payload ? encodePayload(payload) : "";
const nowSec = Math.floor(Date.now() / 1000).toString(36);
const uuid = this._uuidGen();
const contentPart1 = `${version}.${nowSec}.${this._expiresIn}.${payload}.${uuid}`;
return this._encode(contentPart1, this._uuidGen());
}
_verifyTokens(parts, shaKey) {
const getExpireTime = (timeSec, expiresIn) => {
const expiresMs = ms(expiresIn);
return parseInt(timeSec, 36) * 1000 + expiresMs;
};
if (
parts[0] !== version ||
parts.length < 6 ||
getExpireTime(parts[1], parts[2]) < Date.now()
) {
return false;
}
const content = `${version}.${parts[1]}.${parts[2]}.${parts[3]}.${parts[4]}-${
this._secret
}-${shaKey}`;
const shaSum = this._calcContentSum(content);
if (shaSum !== parts[5]) {
return false;
}
return true;
}
verify(header, cookie) {
let error;
if (!header || !cookie) {
error = new Error(MISSING_TOKEN);
} else {
try {
const parts = header.split(".");
if (!this._verifyTokens(parts, cookie)) {
error = new Error(INVALID_TOKEN);
} else {
const payload = decodePayload(parts[3]);
header = Object.assign({ type: "header", uuid: parts[4] }, payload);
cookie = Object.assign({ type: "cookie", uuid: parts[4] }, payload);
}
} catch (e) {
error = new Error(BAD_TOKEN);
}
}
return {
error,
header,
cookie
};
}
}
module.exports = HashTokenEngine;