@mybucks.online/core 1.0.12 → 1.1.0

package/index.js

@@ -3,6 +3,7 @@ import { ethers } from "ethers";
 import scryptJS from "scrypt-js";
 import { nanoid } from "nanoid";
 import { TronWeb } from "tronweb";
+import zxcvbn from "zxcvbn";
 
 const { scrypt } = scryptJS;
 const abi = new ethers.AbiCoder();
@@ -16,17 +17,28 @@ const HASH_OPTIONS = {
 
 /**
  * This function computes the scrypt hash using provided passphrase and pin inputs.
+ * Passphrase and pin are validated with zxcvbn; weak values are rejected (returns "").
  *
- * @param {*} passphrase
- * @param {*} pin
+ * @param {*} passphrase - Must have zxcvbn score >= 3
+ * @param {*} pin - Must have zxcvbn score >= 1
  * @param {*} cb a callback function designed to receive the progress updates during the scrypt hashing process.
- * @returns hash result as string format
+ * @returns hash result as string format, or "" if passphrase/pin missing or too weak
  */
 export async function generateHash(passphrase, pin, cb = () => {}) {
   if (!passphrase || !pin) {
     return "";
   }
 
+  const passphraseResult = zxcvbn(passphrase);
+  if (passphraseResult.score < 3) {
+    return "";
+  }
+
+  const pinResult = zxcvbn(pin);
+  if (pinResult.score < 1) {
+    return "";
+  }
+
   const salt = `${passphrase.slice(-4)}${pin}`;
 
   const passwordBuffer = Buffer.from(passphrase);
@@ -87,12 +99,14 @@ const NETWORKS = [
   "tron",
 ];
 /**
- * This function generates a transfer-link by combining credentials and randomly generated padding.
- * The transfer-link introduces a nice feature that enables the transfer of full ownership of a wallet account.
- * @param {*} passphrase
- * @param {*} pin
+ * This function generates a transfer-link token by encoding passphrase and PIN by Base64 and adding random padding.
+ * The transfer-link enables users to send their full ownership of a wallet account to another user for gifting or airdropping.
+ * Passphrase and PIN are validated with zxcvbn; weak values are rejected (returns null).
+ *
+ * @param {*} passphrase - Must have zxcvbn score >= 3
+ * @param {*} PIN - Must have zxcvbn score >= 1
  * @param {*} network ethereum | polygon | arbitrum | optimism | bsc | avalanche | base | tron
- * @returns A string formatted as a transfer-link token, which can be appended to `https://app.mybucks.online?wallet=`
+ * @returns A string formatted as a transfer-link token, which can be appended to `https://app.mybucks.online#wallet=`, or null if invalid/weak
  */
 export function generateToken(passphrase, pin, network) {
   if (!passphrase || !pin || !network) {
@@ -102,6 +116,13 @@ export function generateToken(passphrase, pin, network) {
     return null;
   }
 
+  if (zxcvbn(passphrase).score < 3) {
+    return null;
+  }
+  if (zxcvbn(pin).score < 1) {
+    return null;
+  }
+
   const merged = Buffer.from(
     passphrase + URL_DELIMITER + pin + URL_DELIMITER + network,
     "utf-8"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mybucks.online/core",
-  "version": "1.0.12",
+  "version": "1.1.0",
   "description": "Core module of Mybucks.online Crypto Wallet",
   "main": "index.js",
   "type": "module",
@@ -38,6 +38,7 @@
     "ethers": "^6.13.5",
     "nanoid": "^5.0.9",
     "scrypt-js": "^3.0.1",
-    "tronweb": "^6.0.1"
+    "tronweb": "^6.0.1",
+    "zxcvbn": "^4.4.2"
   }
 }

package/test/index.test.js

@@ -29,6 +29,40 @@ describe("generateHash", () => {
     assert.strictEqual(hash, "");
   });
 
+  test("should return empty string for weak passphrase (zxcvbn score < 3)", async () => {
+    const weakPassphrases = [
+      "password",
+      "asdfasdf",
+      "123123123",
+      "P@ssw0rd",
+      "London123",
+      "oxford2024",
+      "John19821012",
+      "asdfASDFaSdf",
+      "qwerqwerqwer",
+      "1234567890",
+      "Julia18921012",
+    ];
+    for (const passphrase of weakPassphrases) {
+      const hash = await generateHash(passphrase, DEMO_PIN);
+      assert.strictEqual(hash, "");
+    }
+  });
+
+  test("should return empty string for weak pin (zxcvbn score < 1)", async () => {
+    const weakPins = [
+      "111111",
+      "111111111111111",
+      "12341234",
+      "aaaaaaaaaa",
+      "asdfasdf",
+    ];
+    for (const pin of weakPins) {
+      const hash = await generateHash(DEMO_PASSPHRASE, pin);
+      assert.strictEqual(hash, "", `Expected "" for weak pin "${pin}"`);
+    }
+  });
+
   test("should return scrypt hash result", async () => {
     const hash = await generateHash(DEMO_PASSPHRASE, DEMO_PIN);
     assert.strictEqual(hash, DEMO_HASH);
@@ -71,6 +105,42 @@ describe("generateToken", () => {
     assert.strictEqual(generateToken("passphrase", "123456", "invalid"), null);
   });
 
+  test("should return null for weak passphrase (zxcvbn score < 3)", () => {
+    const weakPassphrases = [
+      "password",
+      "asdfasdf",
+      "123123123",
+      "P@ssw0rd",
+      "London123",
+      "oxford2024",
+      "asdfASDFaSdf",
+      "qwerqwerqwer",
+      "1234567890",
+    ];
+    for (const passphrase of weakPassphrases) {
+      assert.strictEqual(
+        generateToken(passphrase, DEMO_PIN, DEMO_NETWORK),
+        null
+      );
+    }
+  });
+
+  test("should return null for weak pin (zxcvbn score < 1)", () => {
+    const weakPins = [
+      "111111",
+      "111111111111111",
+      "12341234",
+      "aaaaaaaaaa",
+      "asdfasdf",
+    ];
+    for (const pin of weakPins) {
+      assert.strictEqual(
+        generateToken(DEMO_PASSPHRASE, pin, DEMO_NETWORK),
+        null
+      );
+    }
+  });
+
   test("should return valid token", async () => {
     const token = generateToken(DEMO_PASSPHRASE, DEMO_PIN, DEMO_NETWORK);