@worker-tools/signed-cookie-store
Version:
A partial implementation of the Cookie Store API that transparently signs and verifies cookies via the Web Cryptography API.
172 lines • 9.1 kB
JavaScript
;
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __exportStar = (this && this.__exportStar) || function(m, exports) {
for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
};
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
if (kind === "m") throw new TypeError("Private method is not writable");
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
};
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
};
var _SignedCookieStore_store, _SignedCookieStore_keyring, _SignedCookieStore_key, _SignedCookieStore_verify, _SignedCookieStore_sign;
Object.defineProperty(exports, "__esModule", { value: true });
exports.SignedCookieStore = void 0;
__exportStar(require("cookie-store-interface"), exports);
const typed_array_utils_1 = require("typed-array-utils");
const base64_encoding_1 = require("base64-encoding");
const EXT = '.sig';
const secretToUint8Array = (secret) => typeof secret === 'string'
? new TextEncoder().encode(secret)
: (0, typed_array_utils_1.bufferSourceToUint8Array)(secret);
/**
* # Signed Cookie Store
* A partial implementation of the [Cookie Store API](https://wicg.github.io/cookie-store)
* that transparently signs and verifies cookies via the Web Cryptography API.
*
* This is likely only useful in server-side implementations,
* but written in a platform-agnostic way.
*/
class SignedCookieStore {
constructor(store, key, opts = {}) {
var _a;
_SignedCookieStore_store.set(this, void 0);
_SignedCookieStore_keyring.set(this, void 0);
_SignedCookieStore_key.set(this, void 0);
_SignedCookieStore_verify.set(this, async (cookie, sigCookie) => {
for (const key of __classPrivateFieldGet(this, _SignedCookieStore_keyring, "f")) {
const signature = new base64_encoding_1.Base64Decoder().decode(sigCookie.value);
const message = new TextEncoder().encode([cookie.name, cookie.value].join('='));
const ok = await crypto.subtle.verify('HMAC', key, signature, message);
if (ok)
return true;
}
return false;
});
_SignedCookieStore_sign.set(this, async (name, value) => {
const message = new TextEncoder().encode([name, value].join('='));
const signature = await crypto.subtle.sign('HMAC', __classPrivateFieldGet(this, _SignedCookieStore_key, "f"), message);
return new base64_encoding_1.Base64Encoder({ url: true }).encode(signature);
}
/**
* @throws if the signature doesn't match.
* @returns null when the signature cookie is missing.
*/
);
__classPrivateFieldSet(this, _SignedCookieStore_store, store, "f");
__classPrivateFieldSet(this, _SignedCookieStore_key, key, "f");
__classPrivateFieldSet(this, _SignedCookieStore_keyring, [key, ...(_a = opts.keyring) !== null && _a !== void 0 ? _a : []], "f");
}
/**
* A helper function to derive a crypto key from a passphrase.
*/
static async deriveCryptoKey(opts) {
var _a, _b, _c, _d, _e;
if (!opts.secret)
throw Error('Secret missing');
const passphraseKey = await (opts.format === 'jwk'
? crypto.subtle.importKey('jwk', opts.secret, 'PBKDF2', false, ['deriveKey'])
: crypto.subtle.importKey((_a = opts.format) !== null && _a !== void 0 ? _a : 'raw', secretToUint8Array(opts.secret), 'PBKDF2', false, ['deriveKey', 'deriveBits']));
const key = await crypto.subtle.deriveKey({
name: 'PBKDF2',
iterations: (_b = opts.iterations) !== null && _b !== void 0 ? _b : 999,
hash: (_c = opts.hash) !== null && _c !== void 0 ? _c : 'SHA-256',
salt: opts.salt
? (0, typed_array_utils_1.bufferSourceToUint8Array)(opts.salt)
: new base64_encoding_1.Base64Decoder().decode('o0kcRbdpRH+H/WQzPI028A==')
}, passphraseKey, {
name: 'HMAC',
hash: (_d = opts.hmacHash) !== null && _d !== void 0 ? _d : 'SHA-256',
length: (_e = opts.length) !== null && _e !== void 0 ? _e : 128
}, false, ['sign', 'verify']);
return key;
}
async get(name) {
if (typeof name !== 'string')
throw Error('Overload not implemented.');
const [cookie, sigCookie] = await Promise.all([
__classPrivateFieldGet(this, _SignedCookieStore_store, "f").get(name),
__classPrivateFieldGet(this, _SignedCookieStore_store, "f").get(`${name}${EXT}`),
]);
if (!cookie || !sigCookie)
return null;
const ok = await __classPrivateFieldGet(this, _SignedCookieStore_verify, "f").call(this, cookie, sigCookie);
if (!ok)
throw Error('No key in the keyring can verify signature!');
return cookie;
}
async getAll(name) {
if (name != null)
throw Error('Overload not implemented.');
const all = await __classPrivateFieldGet(this, _SignedCookieStore_store, "f").getAll();
const sigCookies = all.filter(x => x.name.endsWith(EXT));
const list = [];
for (const sigCookie of sigCookies) {
const name = sigCookie.name;
const baseCookieName = name.substring(0, name.length - EXT.length);
const cookie = await this.get(baseCookieName);
if (cookie)
list.push(cookie);
}
return list;
}
async set(options, value) {
var _a;
const [name, val] = typeof options === 'string'
? [options, value !== null && value !== void 0 ? value : '']
: [options.name, (_a = options.value) !== null && _a !== void 0 ? _a : ''];
if (name.endsWith(EXT))
throw new Error('Illegal name');
const signature = await __classPrivateFieldGet(this, _SignedCookieStore_sign, "f").call(this, name, val);
const sigCookieName = `${name}${EXT}`;
if (typeof options === 'string') {
await Promise.all([
__classPrivateFieldGet(this, _SignedCookieStore_store, "f").set(options, val),
__classPrivateFieldGet(this, _SignedCookieStore_store, "f").set(sigCookieName, signature),
]);
}
else {
// deno-lint-ignore no-unused-vars
const { name, value, ...init } = options;
await Promise.all([
__classPrivateFieldGet(this, _SignedCookieStore_store, "f").set(options),
__classPrivateFieldGet(this, _SignedCookieStore_store, "f").set({ ...init, name: sigCookieName, value: signature }),
]);
}
}
async delete(name) {
if (typeof name !== 'string')
throw Error('Overload not implemented.');
await Promise.all([
__classPrivateFieldGet(this, _SignedCookieStore_store, "f").delete(name),
__classPrivateFieldGet(this, _SignedCookieStore_store, "f").delete(`${name}${EXT}`),
]);
}
addEventListener(...args) {
return __classPrivateFieldGet(this, _SignedCookieStore_store, "f").addEventListener(...args);
}
dispatchEvent(event) {
return __classPrivateFieldGet(this, _SignedCookieStore_store, "f").dispatchEvent(event);
}
removeEventListener(...args) {
return __classPrivateFieldGet(this, _SignedCookieStore_store, "f").removeEventListener(...args);
}
}
exports.SignedCookieStore = SignedCookieStore;
_SignedCookieStore_store = new WeakMap(), _SignedCookieStore_keyring = new WeakMap(), _SignedCookieStore_key = new WeakMap(), _SignedCookieStore_verify = new WeakMap(), _SignedCookieStore_sign = new WeakMap();
//# sourceMappingURL=index.js.map