@appconda/nextjs 1.0.86 → 1.0.88

package/src/lib/crypto.ts

@@ -0,0 +1,103 @@
+import crypto from "crypto";
+import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes } from "crypto";
+import { getEnv } from "./env";
+
+
+const ALGORITHM = "aes256";
+const INPUT_ENCODING = "utf8";
+const OUTPUT_ENCODING = "hex";
+const BUFFER_ENCODING = getEnv().ENCRYPTION_KEY!.length === 32 ? "latin1" : "hex";
+const IV_LENGTH = 16; // AES blocksize
+
+/**
+ *
+ * @param text Value to be encrypted
+ * @param key Key used to encrypt value must be 32 bytes for AES256 encryption algorithm
+ *
+ * @returns Encrypted value using key
+ */
+export const symmetricEncrypt = (text: string, key: string) => {
+  const _key = Buffer.from(key, BUFFER_ENCODING);
+  const iv = crypto.randomBytes(IV_LENGTH);
+
+  // @ts-ignore -- the package needs to be built
+  const cipher = crypto.createCipheriv(ALGORITHM, _key, iv);
+  let ciphered = cipher.update(text, INPUT_ENCODING, OUTPUT_ENCODING);
+  ciphered += cipher.final(OUTPUT_ENCODING);
+  const ciphertext = iv.toString(OUTPUT_ENCODING) + ":" + ciphered;
+
+  return ciphertext;
+};
+
+/**
+ *
+ * @param text Value to decrypt
+ * @param key Key used to decrypt value must be 32 bytes for AES256 encryption algorithm
+ */
+export const symmetricDecrypt = (text: string, key: string) => {
+  const _key = Buffer.from(key, BUFFER_ENCODING);
+
+  const components = text.split(":");
+  const iv_from_ciphertext = Buffer.from(components.shift() || "", OUTPUT_ENCODING);
+  // @ts-ignore -- the package needs to be built
+  const decipher = crypto.createDecipheriv(ALGORITHM, _key, iv_from_ciphertext);
+  let deciphered = decipher.update(components.join(":"), OUTPUT_ENCODING, INPUT_ENCODING);
+  deciphered += decipher.final(INPUT_ENCODING);
+
+  return deciphered;
+};
+
+export const getHash = (key: string): string => createHash("sha256").update(key).digest("hex");
+
+// create an aes128 encryption function
+export const encryptAES128 = (encryptionKey: string, data: string): string => {
+  // @ts-ignore -- the package needs to be built
+  const cipher = createCipheriv("aes-128-ecb", Buffer.from(encryptionKey, "base64"), "");
+  let encrypted = cipher.update(data, "utf-8", "hex");
+  encrypted += cipher.final("hex");
+  return encrypted;
+};
+// create an aes128 decryption function
+export const decryptAES128 = (encryptionKey: string, data: string): string => {
+  // @ts-ignore -- the package needs to be built
+  const cipher = createDecipheriv("aes-128-ecb", Buffer.from(encryptionKey, "base64"), "");
+  let decrypted = cipher.update(data, "hex", "utf-8");
+  decrypted += cipher.final("utf-8");
+  return decrypted;
+};
+
+export const generateLocalSignedUrl = (
+  fileName: string,
+  environmentId: string,
+  fileType: string
+): { signature: string; uuid: string; timestamp: number } => {
+  const uuid = randomBytes(16).toString("hex");
+  const timestamp = Date.now();
+  const data = `${uuid}:${fileName}:${environmentId}:${fileType}:${timestamp}`;
+  const signature = createHmac("sha256", getEnv().ENCRYPTION_KEY!).update(data).digest("hex");
+  return { signature, uuid, timestamp };
+};
+
+export const validateLocalSignedUrl = (
+  uuid: string,
+  fileName: string,
+  environmentId: string,
+  fileType: string,
+  timestamp: number,
+  signature: string,
+  secret: string
+): boolean => {
+  const data = `${uuid}:${fileName}:${environmentId}:${fileType}:${timestamp}`;
+  const expectedSignature = createHmac("sha256", secret).update(data).digest("hex");
+
+  if (expectedSignature !== signature) {
+    return false;
+  }
+
+  // valid for 5 minutes
+  if (Date.now() - timestamp > 1000 * 60 * 5) {
+    return false;
+  }
+
+  return true;
+};

package/src/lib/env.ts

@@ -16,6 +16,8 @@ export const getEnv = (() => {
                     APPCONDA_CLIENT_ENDPOINT: z.string(),
                     _SERVICE_TOKEN: z.string(),
                     ENTERPRISE_LICENSE_KEY: z.string(),
+                    NEXTAUTH_SECRET: z.string().min(1),
+                    ENCRYPTION_KEY: z.string().length(64).or(z.string().length(32)),
                     /* AI_AZURE_LLM_API_KEY: z.string().optional(),
                     AI_AZURE_EMBEDDINGS_DEPLOYMENT_ID: z.string().optional(),
                     AI_AZURE_LLM_DEPLOYMENT_ID: z.string().optional(),
@@ -35,7 +37,7 @@ export const getEnv = (() => {
                     E2E_TESTING: z.enum(["1", "0"]).optional(),
                     EMAIL_AUTH_DISABLED: z.enum(["1", "0"]).optional(),
                     EMAIL_VERIFICATION_DISABLED: z.enum(["1", "0"]).optional(),
-                    ENCRYPTION_KEY: z.string().length(64).or(z.string().length(32)),
+                   
                     ENTERPRISE_LICENSE_KEY: z.string().optional(),
                     FORMBRICKS_ENCRYPTION_KEY: z.string().length(24).or(z.string().length(0)).optional(),
                     GITHUB_ID: z.string().optional(),
@@ -57,7 +59,7 @@ export const getEnv = (() => {
                     INTERCOM_SECRET_KEY: z.string().optional(),
                     IS_FORMBRICKS_CLOUD: z.enum(["1", "0"]).optional(),
                     MAIL_FROM: z.string().email().optional(),
-                    NEXTAUTH_SECRET: z.string().min(1),
+                    
                     NOTION_OAUTH_CLIENT_ID: z.string().optional(),
                     NOTION_OAUTH_CLIENT_SECRET: z.string().optional(),
                     OIDC_CLIENT_ID: z.string().optional(),
@@ -122,6 +124,8 @@ export const getEnv = (() => {
                     APPCONDA_CLIENT_ENDPOINT: process.env.APPCONDA_CLIENT_ENDPOINT,
                     _SERVICE_TOKEN: process.env._SERVICE_TOKEN,
                     ENTERPRISE_LICENSE_KEY: process.env.ENTERPRISE_LICENSE_KEY,
+                    NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
+                    ENCRYPTION_KEY: process.env.ENCRYPTION_KEY,
                 },
             });
             console.log(env);

package/src/lib/index.ts

@@ -0,0 +1 @@
+export * from "./jwt";

package/src/lib/jwt.ts

@@ -0,0 +1,113 @@
+import jwt, { JwtPayload } from "jsonwebtoken";
+import { symmetricDecrypt, symmetricEncrypt } from "./crypto";
+import { getEnv } from "./env";
+
+export const createToken = (userId: string, userEmail: string, options = {}): string => {
+  const encryptedUserId = symmetricEncrypt(userId, getEnv().ENCRYPTION_KEY);
+  return jwt.sign({ id: encryptedUserId }, getEnv().NEXTAUTH_SECRET + userEmail, options);
+};
+export const createTokenForLinkSurvey = (surveyId: string, userEmail: string): string => {
+  const encryptedEmail = symmetricEncrypt(userEmail, getEnv().ENCRYPTION_KEY);
+  return jwt.sign({ email: encryptedEmail }, getEnv().NEXTAUTH_SECRET + surveyId);
+};
+
+export const createEmailToken = (email: string): string => {
+  const encryptedEmail = symmetricEncrypt(email, getEnv().ENCRYPTION_KEY);
+  return jwt.sign({ email: encryptedEmail }, getEnv().NEXTAUTH_SECRET);
+};
+
+export const getEmailFromEmailToken = (token: string): string => {
+  const payload = jwt.verify(token, getEnv().NEXTAUTH_SECRET) as JwtPayload;
+  try {
+    // Try to decrypt first (for newer tokens)
+    const decryptedEmail = symmetricDecrypt(payload.email, getEnv().ENCRYPTION_KEY);
+    return decryptedEmail;
+  } catch {
+    // If decryption fails, return the original email (for older tokens)
+    return payload.email;
+  }
+};
+
+export const createInviteToken = (inviteId: string, email: string, options = {}): string => {
+  const encryptedInviteId = symmetricEncrypt(inviteId, getEnv().ENCRYPTION_KEY);
+  const encryptedEmail = symmetricEncrypt(email, getEnv().ENCRYPTION_KEY);
+  return jwt.sign({ inviteId: encryptedInviteId, email: encryptedEmail }, getEnv().NEXTAUTH_SECRET, options);
+};
+
+export const verifyTokenForLinkSurvey = (token: string, surveyId: string): string | null => {
+  try {
+    const { email } = jwt.verify(token, getEnv().NEXTAUTH_SECRET + surveyId) as JwtPayload;
+    try {
+      // Try to decrypt first (for newer tokens)
+      const decryptedEmail = symmetricDecrypt(email, getEnv().ENCRYPTION_KEY);
+      return decryptedEmail;
+    } catch {
+      // If decryption fails, return the original email (for older tokens)
+      return email;
+    }
+  } catch (err) {
+    return null;
+  }
+};
+
+export const verifyToken = async (token: string): Promise<JwtPayload> => {
+  // First decode to get the ID
+  const decoded = jwt.decode(token);
+  const payload: JwtPayload = decoded as JwtPayload;
+
+  const { id } = payload;
+  if (!id) {
+    throw new Error("Token missing required field: id");
+  }
+
+  // Try to decrypt the ID (for newer tokens), if it fails use the ID as-is (for older tokens)
+  let decryptedId: string;
+  try {
+    decryptedId = symmetricDecrypt(id, getEnv().ENCRYPTION_KEY);
+  } catch {
+    decryptedId = id;
+  }
+
+  // If no email provided, look up the user
+  const foundUser = null;/* await prisma.user.findUnique({
+    where: { id: decryptedId },
+  }); */
+
+  if (!foundUser) {
+    throw new Error("User not found");
+  }
+
+  const userEmail = foundUser.email;
+
+  return { id: decryptedId, email: userEmail };
+};
+
+export const verifyInviteToken = (token: string): { inviteId: string; email: string } => {
+  try {
+    const decoded = jwt.decode(token);
+    const payload: JwtPayload = decoded as JwtPayload;
+
+    const { inviteId, email } = payload;
+
+    let decryptedInviteId: string;
+    let decryptedEmail: string;
+
+    try {
+      // Try to decrypt first (for newer tokens)
+      decryptedInviteId = symmetricDecrypt(inviteId, getEnv().ENCRYPTION_KEY);
+      decryptedEmail = symmetricDecrypt(email, getEnv().ENCRYPTION_KEY);
+    } catch {
+      // If decryption fails, use original values (for older tokens)
+      decryptedInviteId = inviteId;
+      decryptedEmail = email;
+    }
+
+    return {
+      inviteId: decryptedInviteId,
+      email: decryptedEmail,
+    };
+  } catch (error) {
+    console.error(`Error verifying invite token: ${error}`);
+    throw new Error("Invalid or expired invite token");
+  }
+};