UNPKG

@authcube/pst

Version:

Typescript library implementing Private State Token API (https://wicg.github.io/trust-token-api/)

github.com/authcube/pst

authcube/pst

153 lines (110 loc) 4.67 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# Private State Tokens Typescript library implementing Private State Token API (https://wicg.github.io/trust-token-api/) This library depends on [Cloudflare's voprf-ts](https://github.com/cloudflare/voprf-ts) tested implementation to compute the Scalars and transformations. # Security Disclaimer 🚨 This library is offered as-is, and without a guarantee. Therefore, it is expected that changes in the code, repository, and API occur in the future. We recommend to take caution before using this library in a production application since part of its content is experimental. All security issues must be reported, please notify us immediately. ## Install Dependencies and Build ``` npm install npm run build ``` ## Sample Issuer > Sample has been built using Express Library - Start Sample Server ``` npm run example ``` - Running with Docker - build ``` docker-compose build ``` - start ``` docker-compose up ``` #### Running with Static Key-Pair and Expiration - Generate up to 6 KeyPairs ``` node bin/voprf_gen_keys.cjs 1 node bin/voprf_gen_keys.cjs 2 # Keep creating until node bin/voprf_gen_keys.cjs 6 ``` - Export Keys as Environment Variables ``` export PRIVATE_KEY1=<BASE64 PRIVATE KEY 1 GENERATED PREVIOUSLY> export PUBLIC_KEY1=<BASE64 PUBLIC KEY 1 GENERATED PREVIOUSLY> export PRIVATE_KEY2=<BASE64 PRIVATE KEY 2 GENERATED PREVIOUSLY> export PUBLIC_KEY2=<BASE64 PUBLIC KEY 2 GENERATED PREVIOUSLY> # Keep defining until PRIVATE_KEY6 and PUBLIC_KEY6 ``` - Export Key Expiration as Environment Variable ``` export EXPIRY1=1709509052048 export EXPIRY2=1709994102048 # Keep defining until EXPIRY6 ``` > If running with **Docker** define those variables in docker-compose.yaml or -e argument for docker inline ### Endpoints - Key Commitment Endpoint ``` curl http://localhost:3000/.well-known/trust-token/key-commitment ``` ## Resources, Libraries and Specs: - [Google Privacy Sandbox - Private State Tokens](https://developers.google.com/privacy-sandbox/protections/private-state-tokens) - [Private State Tokens API Spec](https://wicg.github.io/trust-token-api/) - [Privacy Pass Issuance Protocol Spec](https://www.ietf.org/archive/id/draft-ietf-privacypass-protocol-10.html) - [Oblivious Pseudorandom Functions (OPRFs) Spec](https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-21.html) - [Batched Tokens Issuance Protocol Spec](https://www.ietf.org/archive/id/draft-robert-privacypass-batched-tokens-01.html) - [CloudFlare - Privacy Pass TypeScript Library](https://github.com/cloudflare/privacypass-ts/) - [CloudFlare - VOPRF TypeScript Library](https://github.com/cloudflare/voprf-ts) ## How to use this library ### Token Issuance To issue a token, you must check for the request header `sec-private-state-token`, after verify it is present and it is not null or empty you can use the Issuer class like the code bellow: ```typescript import { PSTRedeemer, PSTResources } from "@authcube/pst"; const sec_private_state_token = req.headers[ "sec-private-state-token" ] as string; if (sec_private_state_token && !sec_private_state_token.match(BASE64FORMAT)) { return res.sendStatus(400); } try { let issuer = await PSTResources.getIssuer(); const token = await issuer.issueToken(sec_private_state_token); res.statusCode = 200; res.setHeader("Content-Type", "text/html"); res.append("sec-private-state-token", token); res.setHeader("Sec-Private-State-Token", token); res.write("Issuing tokens."); res.send(); return res.end(); } catch (e: any) { // deal with the error as you see fit console.error("Error issuing PST", e); return res.sendStatus(500); } ``` ### Token Redeemption To redeem an issued token the process is similar, your endpoint must check for the request header `sec-private-state-token`, if it is present and it is not null or empty you can proceed to the redeemption ```typescript import { PSTRedeemer, PSTResources } from "@authcube/pst"; try { const redemptionToken = req.headers["sec-private-state-token"] as string; if (redemptionToken && !redemptionToken.match(BASE64FORMAT)) { return res.sendStatus(400); } const redeemer = new PSTRedeemer(); // This call will throw an Error if the token is invalid const resToken = await redeemer.redeemToken(redemptionToken); res.statusCode = 200; res.setHeader("Access-Control-Allow-Origin", "*"); res.append("sec-private-state-token", resToken); res.write("Token redeemed."); return res.send(); } catch (e) { // deal with the error as you see fit console.error(`Error on redemption: ${e}`); return res.sendStatus(400); } ```