From 8f8504810a8358111fca1338651cbc2e7b1901bf Mon Sep 17 00:00:00 2001
From: Amish Shah
Date: Mon, 14 Dec 2015 18:28:27 +0000
Subject: [PATCH] Privacy improvement over token caching

e-mail is no longer visible in caches

---
 lib/Util/TokenCacher.js | 20 +++++++++++++-------
 src/Util/TokenCacher.js | 21 ++++++++++++++-------
 2 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/lib/Util/TokenCacher.js b/lib/Util/TokenCacher.js
index 3ab84f265..a09bbf127 100644
--- a/lib/Util/TokenCacher.js
+++ b/lib/Util/TokenCacher.js
@@ -21,10 +21,14 @@ var _crypto = require("crypto");
 var _crypto2 = _interopRequireDefault(_crypto);
-var savePaths = [process.env.APPDATA || (process.platform == 'darwin' ? process.env.HOME + 'Library/Preference' : '/var/local'), process.env[process.platform == 'win32' ? 'USERPROFILE' : 'HOME']];
+var savePaths = [process.env.APPDATA || (process.platform == "darwin" ? process.env.HOME + "Library/Preference" : "/var/local"), process.env[process.platform == "win32" ? "USERPROFILE" : "HOME"], process.cwd()];
 var algo = "aes-256-ctr";
+function secureEmail(email, password) {
+ return new Buffer(_crypto2["default"].createHash("sha256").update(email + password, "utf8").digest()).toString("hex");
+}
+
 var TokenCacher = (function (_EventEmitter) {
 _inherits(TokenCacher, _EventEmitter);
@@ -40,10 +44,10 @@ var TokenCacher = (function (_EventEmitter) {
 }
 TokenCacher.prototype.setToken = function setToken(email, password, token) {
- console.log("wanting to cache", token);
+ email = secureEmail(email, password);
 var cipher = _crypto2["default"].createCipher(algo, password);
- var crypted = cipher.update("valid" + token, 'utf8', 'hex');
- crypted += cipher.final('hex');
+ var crypted = cipher.update("valid" + token, "utf8", "hex");
+ crypted += cipher.final("hex");
 this.data[email] = crypted;
 this.save();
 };
@@ -54,15 +58,17 @@ var TokenCacher = (function (_EventEmitter) {
 TokenCacher.prototype.getToken = function getToken(email, password) {
+ email = secureEmail(email, password);
+
 if (this.data[email]) {
 try {
 var decipher = _crypto2["default"].createDecipher(algo, password);
- var dec = decipher.update(this.data[email], "hex", 'utf8');
- dec += decipher.final('utf8');
+ var dec = decipher.update(this.data[email], "hex", "utf8");
+ dec += decipher.final("utf8");
 return dec.indexOf("valid") === 0 ? dec.substr(5) : false;
 } catch (e) {
- console.log(e);
+ // not a valid token
 return null;
 }
 } else {
diff --git a/src/Util/TokenCacher.js b/src/Util/TokenCacher.js
index 508b2476c..ea07bc5ac 100644
--- a/src/Util/TokenCacher.js
+++ b/src/Util/TokenCacher.js
@@ -6,12 +6,17 @@ import EventEmitter from "events";
 import crypto from "crypto";
 var savePaths = [
- process.env.APPDATA || (process.platform == 'darwin' ? process.env.HOME + 'Library/Preference' : '/var/local'),
- process.env[(process.platform == 'win32') ? 'USERPROFILE' : 'HOME']
+ process.env.APPDATA || (process.platform == "darwin" ? process.env.HOME + "Library/Preference" : "/var/local"),
+ process.env[(process.platform == "win32") ? "USERPROFILE" : "HOME"],
+ process.cwd()
 ];
 var algo = "aes-256-ctr";
+function secureEmail(email, password) {
+ return new Buffer(crypto.createHash("sha256").update(email + password, "utf8").digest()).toString("hex");
+}
+
 export default class TokenCacher extends EventEmitter {
 constructor(client, options) {
@@ -24,10 +29,10 @@ export default class TokenCacher extends EventEmitter {
 }
 setToken(email, password, token) {
- console.log("wanting to cache", token);
+ email = secureEmail(email, password);
 var cipher = crypto.createCipher(algo, password)
- var crypted = cipher.update("valid" + token, 'utf8', 'hex')
- crypted += cipher.final('hex');
+ var crypted = cipher.update("valid" + token, "utf8", "hex")
+ crypted += cipher.final("hex");
 this.data[email] = crypted;
 this.save();
 }
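Review bot: `secureEmail` in src/Util/TokenCacher.js is a single unsalted SHA-256 of `email + password`, so the cache key doubles as a fast offline password verifier: anyone who reads the cache file and knows or guesses the e-mail can test password candidates at hash speed, and since `createCipher` further down derives the AES key from that same password, a hit also decrypts the token. A slow KDF with the e-mail as salt keeps the key deterministic while making guessing expensive, e.g. `return crypto.pbkdf2Sync(password, "token-cache:" + email, 100000, 32, "sha256").toString("hex");`, which also drops the `new Buffer(...)` wrapper (`digest("hex")` would do the same). The bare concatenation has no separator, so `("ab", "c")` and `("a", "bc")` map to one entry; the salt prefix above avoids that too. Adding `process.cwd()` to `savePaths` means the token cache may end up written into whatever directory the process was started from (a project checkout, a shared folder); how `savePaths` is consumed is outside this hunk, so worth confirming it is only a last-resort fallback and never the first choice.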
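Review bot: `createCipher(algo, password)` with `aes-256-ctr` in `setToken` provides no integrity and derives both key and IV from the password alone, so every call under the same password reuses the same CTR keystream; two cached tokens for one account (after a refresh, say) XOR to the XOR of the plaintexts, and with the shared `"valid"` prefix that leaks token bytes directly. CTR is also malleable, so whoever can edit the cache file can flip token bits without disturbing the `"valid"` prefix that `getToken` treats as proof of validity. Storing a random salt and IV per entry and using an authenticated mode closes both; the sketch below changes the stored value to an object, so `getToken` would need the matching `createDecipheriv`/`setAuthTag` path and existing cache entries would stop validating (the `"valid"` marker becomes redundant once the auth tag is checked). Whether the supported Node version exposes `aes-256-gcm` with `getAuthTag` should be confirmed; the rest of the class is outside the hunk.
```javascript
  setToken(email, password, token) {
    email = secureEmail(email, password);
    // createCipher() derives key and IV from the password alone, so a fresh
    // salt and IV per entry are needed to avoid CTR keystream reuse; GCM adds
    // the integrity check the "valid" prefix cannot provide.
    var salt = crypto.randomBytes(16);
    var iv = crypto.randomBytes(12);
    var key = crypto.pbkdf2Sync(password, salt, 100000, 32, "sha256");
    var cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
    var crypted = cipher.update(token, "utf8", "hex");
    crypted += cipher.final("hex");
    this.data[email] = {
      salt: salt.toString("hex"),
      iv: iv.toString("hex"),
      tag: cipher.getAuthTag().toString("hex"),
      data: crypted
    };
    this.save();
  }
```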
@@ -38,12 +43,14 @@ export default class TokenCacher extends EventEmitter {
 getToken(email, password) {
+ email = secureEmail(email, password);
+
 if (this.data[email]) {
 try {
 var decipher = crypto.createDecipher(algo, password)
- var dec = decipher.update(this.data[email], "hex", 'utf8');
- dec += decipher.final('utf8');
+ var dec = decipher.update(this.data[email], "hex", "utf8");
+ dec += decipher.final("utf8");
 return (dec.indexOf("valid") === 0 ? dec.substr(5) : false);
 } catch (e) {
 // not a valid token