MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Using 10K iteration string stretching for encryption.

This commit is contained in:
Michael Drury 2022-02-14 21:37:40 +00:00
parent df4af0fb9a
commit 02479e4112
2 changed files with 19 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
packages/backend-core/src/middleware/authenticated.js
View File

@ -23,9 +23,10 @@ async function checkApiKey(apiKey, populateUser) {
if (apiKey === env.INTERNAL_API_KEY) { if (apiKey === env.INTERNAL_API_KEY) {
return { valid: true } return { valid: true }
} }
apiKey = decrypt(apiKey) const decrypted = decrypt(apiKey)
const tenantId = apiKey.split(SEPARATOR)[0] const tenantId = decrypted.split(SEPARATOR)[0]
const db = getGlobalDB(tenantId) const db = getGlobalDB(tenantId)
// api key is encrypted in the database
const userId = await queryGlobalView( const userId = await queryGlobalView(
ViewNames.BY_API_KEY, ViewNames.BY_API_KEY,
{ {

26
packages/backend-core/src/security/encryption.js
View File

@ -3,24 +3,30 @@ const env = require("../environment")
const ALGO = "aes-256-ctr" const ALGO = "aes-256-ctr"
const SECRET = env.JWT_SECRET const SECRET = env.JWT_SECRET
const SEPARATOR = "/" const SEPARATOR = "-"
const ITERATIONS = 10000
const RANDOM_BYTES = 16
const STRETCH_LENGTH = 32
function stretchString(string, salt) {
return crypto.pbkdf2Sync(string, salt, ITERATIONS, STRETCH_LENGTH, "sha512")
}
exports.encrypt = input => { exports.encrypt = input => {
const random = crypto.randomBytes(16) const salt = crypto.randomBytes(RANDOM_BYTES)
const cipher = crypto.createCipheriv(ALGO, SECRET, random) const stretched = stretchString(SECRET, salt)
const cipher = crypto.createCipheriv(ALGO, stretched, salt)
const base = cipher.update(input) const base = cipher.update(input)
const final = cipher.final() const final = cipher.final()
const encrypted = Buffer.concat([base, final]).toString("hex") const encrypted = Buffer.concat([base, final]).toString("hex")
return `${random.toString("hex")}${SEPARATOR}${encrypted}` return `${salt.toString("hex")}${SEPARATOR}${encrypted}`
} }
exports.decrypt = input => { exports.decrypt = input => {
const [random, encrypted] = input.split(SEPARATOR) const [salt, encrypted] = input.split(SEPARATOR)
const decipher = crypto.createDecipheriv( const saltBuffer = Buffer.from(salt, "hex")
ALGO, const stretched = stretchString(SECRET, saltBuffer)
SECRET, const decipher = crypto.createDecipheriv(ALGO, stretched, saltBuffer)
Buffer.from(random, "hex")
)
const base = decipher.update(Buffer.from(encrypted, "hex")) const base = decipher.update(Buffer.from(encrypted, "hex"))
const final = decipher.final() const final = decipher.final()
return Buffer.concat([base, final]).toString() return Buffer.concat([base, final]).toString()