@naturalcycles/nodejs-lib 13.7.2 → 13.8.0

package/dist/security/crypto.util.d.ts

@@ -32,3 +32,16 @@ export declare function decryptString(str: Base64String, secretKeyBuffer: Buffer
  * Output is base64 string.
  */
 export declare function encryptString(str: string, secretKeyBuffer: Buffer): Base64String;
+/**
+ * Wraps `crypto.timingSafeEqual` and allows it to be used with String inputs:
+ *
+ * 1. Does length check first and short-circuits on length mismatch. Because `crypto.timingSafeEqual` only works with same-length inputs.
+ *
+ * Relevant read:
+ * https://medium.com/nerd-for-tech/checking-api-key-without-shooting-yourself-in-the-foot-javascript-nodejs-f271e47bb428
+ * https://codahale.com/a-lesson-in-timing-attacks/
+ * https://github.com/suryagh/tsscmp/blob/master/lib/index.js
+ *
+ * Returns true if inputs are equal, false otherwise.
+ */
+export declare function timingSafeStringEqual(s1: string | undefined, s2: string | undefined): boolean;

package/dist/security/crypto.util.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.encryptString = exports.decryptString = exports.encryptObject = exports.decryptObject = exports.decryptRandomIVBuffer = exports.encryptRandomIVBuffer = void 0;
+exports.timingSafeStringEqual = exports.encryptString = exports.decryptString = exports.encryptObject = exports.decryptObject = exports.decryptRandomIVBuffer = exports.encryptRandomIVBuffer = void 0;
 const tslib_1 = require("tslib");
 const node_crypto_1 = tslib_1.__importDefault(require("node:crypto"));
 const js_lib_1 = require("@naturalcycles/js-lib");
@@ -88,3 +88,21 @@ function getCryptoParams(secretKeyBuffer) {
     const iv = (0, hash_util_1.md5AsBuffer)(Buffer.concat([secretKeyBuffer, key]));
     return { key, iv };
 }
+/**
+ * Wraps `crypto.timingSafeEqual` and allows it to be used with String inputs:
+ *
+ * 1. Does length check first and short-circuits on length mismatch. Because `crypto.timingSafeEqual` only works with same-length inputs.
+ *
+ * Relevant read:
+ * https://medium.com/nerd-for-tech/checking-api-key-without-shooting-yourself-in-the-foot-javascript-nodejs-f271e47bb428
+ * https://codahale.com/a-lesson-in-timing-attacks/
+ * https://github.com/suryagh/tsscmp/blob/master/lib/index.js
+ *
+ * Returns true if inputs are equal, false otherwise.
+ */
+function timingSafeStringEqual(s1, s2) {
+    if (s1 === undefined || s2 === undefined || s1.length !== s2.length)
+        return false;
+    return node_crypto_1.default.timingSafeEqual(Buffer.from(s1), Buffer.from(s2));
+}
+exports.timingSafeStringEqual = timingSafeStringEqual;

package/dist/stream/ndjson/ndjsonMap.js

@@ -10,7 +10,7 @@ const __1 = require("../..");
  * Zips output file automatically, if it ends with `.gz`.
  */
 async function ndjsonMap(mapper, opt) {
-    const { inputFilePath, outputFilePath, logEveryOutput = 100000, limitInput, limitOutput } = opt;
+    const { inputFilePath, outputFilePath, logEveryOutput = 100_000, limitInput, limitOutput } = opt;
     (0, __1.requireFileToExist)(inputFilePath);
     console.log({
         inputFilePath,

package/dist/stream/transform/transformLogProgress.js

@@ -14,7 +14,7 @@ const inspectOpt = {
  * Pass-through transform that optionally logs progress.
  */
 function transformLogProgress(opt = {}) {
-    const { metric = 'progress', heapTotal: logHeapTotal = false, heapUsed: logHeapUsed = false, rss: logRss = true, peakRSS: logPeakRSS = true, logRPS = true, logEvery = 1000, logSizes = false, logSizesBuffer = 100000, logZippedSizes = false, batchSize = 1, extra, logger = console, } = opt;
+    const { metric = 'progress', heapTotal: logHeapTotal = false, heapUsed: logHeapUsed = false, rss: logRss = true, peakRSS: logPeakRSS = true, logRPS = true, logEvery = 1000, logSizes = false, logSizesBuffer = 100_000, logZippedSizes = false, batchSize = 1, extra, logger = console, } = opt;
     const logProgress = opt.logProgress !== false && logEvery !== 0; // true by default
     const logEvery10 = logEvery * 10;
     const started = Date.now();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naturalcycles/nodejs-lib",
-  "version": "13.7.2",
+  "version": "13.8.0",
   "scripts": {
     "prepare": "husky install",
     "docs-serve": "vuepress dev docs",
@@ -35,7 +35,7 @@
     "yargs": "^17.0.0"
   },
   "devDependencies": {
-    "@naturalcycles/bench-lib": "^1.0.7",
+    "@naturalcycles/bench-lib": "^2.0.0",
     "@naturalcycles/dev-lib": "^13.0.0",
     "@types/node": "^20.1.0",
     "@types/yargs": "^16.0.0",

package/src/csv/csvReader.ts

@@ -48,7 +48,7 @@ export function csvStringParse<T extends AnyObject = any>(
 
   return arr.map(row => {
     // eslint-disable-next-line unicorn/no-array-reduce
-    return header!.reduce((obj, col, i) => {
+    return header.reduce((obj, col, i) => {
       ;(obj as any)[col] = row[i]
       return obj
     }, {} as T)

package/src/security/crypto.util.ts

@@ -93,3 +93,20 @@ function getCryptoParams(secretKeyBuffer: Buffer): { key: Buffer; iv: Buffer } {
   const iv = md5AsBuffer(Buffer.concat([secretKeyBuffer, key]))
   return { key, iv }
 }
+
+/**
+ * Wraps `crypto.timingSafeEqual` and allows it to be used with String inputs:
+ *
+ * 1. Does length check first and short-circuits on length mismatch. Because `crypto.timingSafeEqual` only works with same-length inputs.
+ *
+ * Relevant read:
+ * https://medium.com/nerd-for-tech/checking-api-key-without-shooting-yourself-in-the-foot-javascript-nodejs-f271e47bb428
+ * https://codahale.com/a-lesson-in-timing-attacks/
+ * https://github.com/suryagh/tsscmp/blob/master/lib/index.js
+ *
+ * Returns true if inputs are equal, false otherwise.
+ */
+export function timingSafeStringEqual(s1: string | undefined, s2: string | undefined): boolean {
+  if (s1 === undefined || s2 === undefined || s1.length !== s2.length) return false
+  return crypto.timingSafeEqual(Buffer.from(s1), Buffer.from(s2))
+}