Privacy improvement over token caching

e-mail is no longer visible in caches

lib/Util/TokenCacher.js

@@ -21,10 +21,14 @@ var _crypto = require("crypto");
 
 var _crypto2 = _interopRequireDefault(_crypto);
 
-var savePaths = [process.env.APPDATA || (process.platform == 'darwin' ? process.env.HOME + 'Library/Preference' : '/var/local'), process.env[process.platform == 'win32' ? 'USERPROFILE' : 'HOME']];
+var savePaths = [process.env.APPDATA || (process.platform == "darwin" ? process.env.HOME + "Library/Preference" : "/var/local"), process.env[process.platform == "win32" ? "USERPROFILE" : "HOME"], process.cwd()];
 
 var algo = "aes-256-ctr";
 
+function secureEmail(email, password) {
+	return new Buffer(_crypto2["default"].createHash("sha256").update(email + password, "utf8").digest()).toString("hex");
+}
+
 var TokenCacher = (function (_EventEmitter) {
 	_inherits(TokenCacher, _EventEmitter);
 
@@ -40,10 +44,10 @@ var TokenCacher = (function (_EventEmitter) {
 	}
 
 	TokenCacher.prototype.setToken = function setToken(email, password, token) {
-		console.log("wanting to cache", token);
+		email = secureEmail(email, password);
 		var cipher = _crypto2["default"].createCipher(algo, password);
-		var crypted = cipher.update("valid" + token, 'utf8', 'hex');
+		var crypted = cipher.update("valid" + token, "utf8", "hex");
-		crypted += cipher.final('hex');
+		crypted += cipher.final("hex");
 		this.data[email] = crypted;
 		this.save();
 	};
@@ -54,15 +58,17 @@ var TokenCacher = (function (_EventEmitter) {
 
 	TokenCacher.prototype.getToken = function getToken(email, password) {
 
+		email = secureEmail(email, password);
+
 		if (this.data[email]) {
 
 			try {
 				var decipher = _crypto2["default"].createDecipher(algo, password);
-				var dec = decipher.update(this.data[email], "hex", 'utf8');
+				var dec = decipher.update(this.data[email], "hex", "utf8");
-				dec += decipher.final('utf8');
+				dec += decipher.final("utf8");
 				return dec.indexOf("valid") === 0 ? dec.substr(5) : false;
 			} catch (e) {
-				console.log(e);
+				// not a valid token
 				return null;
 			}
 		} else {

src/Util/TokenCacher.js

@@ -6,12 +6,17 @@ import EventEmitter from "events";
 import crypto from "crypto";
 
 var savePaths = [
-	process.env.APPDATA || (process.platform == 'darwin' ? process.env.HOME + 'Library/Preference' : '/var/local'),
+	process.env.APPDATA || (process.platform == "darwin" ? process.env.HOME + "Library/Preference" : "/var/local"),
-	process.env[(process.platform == 'win32') ? 'USERPROFILE' : 'HOME']
+	process.env[(process.platform == "win32") ? "USERPROFILE" : "HOME"],
+	process.cwd()
 ];
 
 var algo = "aes-256-ctr";
 
+function secureEmail(email, password) {
+	return new Buffer(crypto.createHash("sha256").update(email + password, "utf8").digest()).toString("hex");
+}
+
 export default class TokenCacher extends EventEmitter {
 
 	constructor(client, options) {
@@ -24,10 +29,10 @@ export default class TokenCacher extends EventEmitter {
 	}
 
 	setToken(email, password, token) {
-		console.log("wanting to cache", token);
+		email = secureEmail(email, password);
 		var cipher = crypto.createCipher(algo, password)
-		var crypted = cipher.update("valid" + token, 'utf8', 'hex')
+		var crypted = cipher.update("valid" + token, "utf8", "hex")
-		crypted += cipher.final('hex');
+		crypted += cipher.final("hex");
 		this.data[email] = crypted;
 		this.save();
 	}
@@ -38,12 +43,14 @@ export default class TokenCacher extends EventEmitter {
 
 	getToken(email, password) {
 
+		email = secureEmail(email, password);
+
 		if (this.data[email]) {
 
 			try {
 				var decipher = crypto.createDecipher(algo, password)
-				var dec = decipher.update(this.data[email], "hex", 'utf8');
+				var dec = decipher.update(this.data[email], "hex", "utf8");
-				dec += decipher.final('utf8');
+				dec += decipher.final("utf8");
 				return (dec.indexOf("valid") === 0 ? dec.substr(5) : false);
 			} catch (e) {
 				// not a valid token