@open-mercato/core 0.6.6-develop.5412.1.e2a52b14f0 → 0.6.6-develop.5431.1.384a97c7a2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -2,17 +2,17 @@ import { createHmac, timingSafeEqual } from "node:crypto";
|
|
|
2
2
|
const DEV_ONLY_SECRET = "om-consent-integrity-dev-only-secret";
|
|
3
3
|
let missingSecretWarned = false;
|
|
4
4
|
function getSecret() {
|
|
5
|
-
const secret = process.env.CONSENT_INTEGRITY_SECRET || process.env.NEXTAUTH_SECRET;
|
|
5
|
+
const secret = process.env.CONSENT_INTEGRITY_SECRET || process.env.AUTH_SECRET || process.env.NEXTAUTH_SECRET || process.env.JWT_SECRET;
|
|
6
6
|
if (!secret) {
|
|
7
7
|
if (process.env.NODE_ENV === "production") {
|
|
8
8
|
throw new Error(
|
|
9
|
-
"[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set. Refusing to compute or verify consent integrity hashes in production without a real secret."
|
|
9
|
+
"[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set. Refusing to compute or verify consent integrity hashes in production without a real secret."
|
|
10
10
|
);
|
|
11
11
|
}
|
|
12
12
|
if (!missingSecretWarned) {
|
|
13
13
|
missingSecretWarned = true;
|
|
14
14
|
console.warn(
|
|
15
|
-
"[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set \u2014 using insecure dev-only default. Set a secret before deploying to production."
|
|
15
|
+
"[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set \u2014 using insecure dev-only default. Set a secret before deploying to production."
|
|
16
16
|
);
|
|
17
17
|
}
|
|
18
18
|
return DEV_ONLY_SECRET;
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"version": 3,
|
|
3
3
|
"sources": ["../../../../src/modules/auth/lib/consentIntegrity.ts"],
|
|
4
|
-
"sourcesContent": ["import { createHmac, timingSafeEqual } from 'node:crypto'\n\ntype ConsentHashInput = {\n userId: string\n consentType: string\n isGranted: boolean\n grantedAt: Date | string | null | undefined\n withdrawnAt?: Date | string | null | undefined\n ipAddress: string | null | undefined\n source: string | null | undefined\n}\n\nconst DEV_ONLY_SECRET = 'om-consent-integrity-dev-only-secret'\nlet missingSecretWarned = false\n\nfunction getSecret(): string {\n const secret = process.env.CONSENT_INTEGRITY_SECRET || process.env.NEXTAUTH_SECRET\n if (!secret) {\n if (process.env.NODE_ENV === 'production') {\n throw new Error(\n '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set. ' +\n 'Refusing to compute or verify consent integrity hashes in production without a real secret.',\n )\n }\n if (!missingSecretWarned) {\n missingSecretWarned = true\n console.warn(\n '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set \u2014 ' +\n 'using insecure dev-only default. Set a secret before deploying to production.',\n )\n }\n return DEV_ONLY_SECRET\n }\n return secret\n}\n\nfunction normalizeDate(date: Date | string | null | undefined): string {\n if (!date) return ''\n const d = typeof date === 'string' ? new Date(date) : date\n return d.toISOString()\n}\n\nexport function computeConsentIntegrityHash(input: ConsentHashInput): string {\n const payload = [\n input.userId,\n input.consentType,\n String(input.isGranted),\n normalizeDate(input.grantedAt),\n normalizeDate(input.withdrawnAt),\n input.ipAddress ?? '',\n input.source ?? '',\n ].join('|')\n\n return createHmac('sha256', getSecret()).update(payload).digest('hex')\n}\n\nexport function verifyConsentIntegrityHash(input: ConsentHashInput, hash: string | null | undefined): boolean {\n if (!hash) return false\n const expected = computeConsentIntegrityHash(input)\n if (expected.length !== hash.length) return false\n return timingSafeEqual(Buffer.from(expected), Buffer.from(hash))\n}\n"],
|
|
5
|
-
"mappings": "AAAA,SAAS,YAAY,uBAAuB;AAY5C,MAAM,kBAAkB;AACxB,IAAI,sBAAsB;AAE1B,SAAS,YAAoB;AAC3B,QAAM,SAAS,QAAQ,IAAI,
|
|
4
|
+
"sourcesContent": ["import { createHmac, timingSafeEqual } from 'node:crypto'\n\ntype ConsentHashInput = {\n userId: string\n consentType: string\n isGranted: boolean\n grantedAt: Date | string | null | undefined\n withdrawnAt?: Date | string | null | undefined\n ipAddress: string | null | undefined\n source: string | null | undefined\n}\n\nconst DEV_ONLY_SECRET = 'om-consent-integrity-dev-only-secret'\nlet missingSecretWarned = false\n\nfunction getSecret(): string {\n const secret = process.env.CONSENT_INTEGRITY_SECRET\n || process.env.AUTH_SECRET\n || process.env.NEXTAUTH_SECRET\n || process.env.JWT_SECRET\n if (!secret) {\n if (process.env.NODE_ENV === 'production') {\n throw new Error(\n '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set. ' +\n 'Refusing to compute or verify consent integrity hashes in production without a real secret.',\n )\n }\n if (!missingSecretWarned) {\n missingSecretWarned = true\n console.warn(\n '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set \u2014 ' +\n 'using insecure dev-only default. Set a secret before deploying to production.',\n )\n }\n return DEV_ONLY_SECRET\n }\n return secret\n}\n\nfunction normalizeDate(date: Date | string | null | undefined): string {\n if (!date) return ''\n const d = typeof date === 'string' ? new Date(date) : date\n return d.toISOString()\n}\n\nexport function computeConsentIntegrityHash(input: ConsentHashInput): string {\n const payload = [\n input.userId,\n input.consentType,\n String(input.isGranted),\n normalizeDate(input.grantedAt),\n normalizeDate(input.withdrawnAt),\n input.ipAddress ?? '',\n input.source ?? 
'',\n ].join('|')\n\n return createHmac('sha256', getSecret()).update(payload).digest('hex')\n}\n\nexport function verifyConsentIntegrityHash(input: ConsentHashInput, hash: string | null | undefined): boolean {\n if (!hash) return false\n const expected = computeConsentIntegrityHash(input)\n if (expected.length !== hash.length) return false\n return timingSafeEqual(Buffer.from(expected), Buffer.from(hash))\n}\n"],
|
|
5
|
+
"mappings": "AAAA,SAAS,YAAY,uBAAuB;AAY5C,MAAM,kBAAkB;AACxB,IAAI,sBAAsB;AAE1B,SAAS,YAAoB;AAC3B,QAAM,SAAS,QAAQ,IAAI,4BACtB,QAAQ,IAAI,eACZ,QAAQ,IAAI,mBACZ,QAAQ,IAAI;AACjB,MAAI,CAAC,QAAQ;AACX,QAAI,QAAQ,IAAI,aAAa,cAAc;AACzC,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,QAAI,CAAC,qBAAqB;AACxB,4BAAsB;AACtB,cAAQ;AAAA,QACN;AAAA,MAEF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,cAAc,MAAgD;AACrE,MAAI,CAAC,KAAM,QAAO;AAClB,QAAM,IAAI,OAAO,SAAS,WAAW,IAAI,KAAK,IAAI,IAAI;AACtD,SAAO,EAAE,YAAY;AACvB;AAEO,SAAS,4BAA4B,OAAiC;AAC3E,QAAM,UAAU;AAAA,IACd,MAAM;AAAA,IACN,MAAM;AAAA,IACN,OAAO,MAAM,SAAS;AAAA,IACtB,cAAc,MAAM,SAAS;AAAA,IAC7B,cAAc,MAAM,WAAW;AAAA,IAC/B,MAAM,aAAa;AAAA,IACnB,MAAM,UAAU;AAAA,EAClB,EAAE,KAAK,GAAG;AAEV,SAAO,WAAW,UAAU,UAAU,CAAC,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AACvE;AAEO,SAAS,2BAA2B,OAAyB,MAA0C;AAC5G,MAAI,CAAC,KAAM,QAAO;AAClB,QAAM,WAAW,4BAA4B,KAAK;AAClD,MAAI,SAAS,WAAW,KAAK,OAAQ,QAAO;AAC5C,SAAO,gBAAgB,OAAO,KAAK,QAAQ,GAAG,OAAO,KAAK,IAAI,CAAC;AACjE;",
|
|
6
6
|
"names": []
|
|
7
7
|
}
|
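--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@open-mercato/core",
-"version": "0.6.6-develop.
+"version": "0.6.6-develop.5431.1.384a97c7a2",
 "type": "module",
 "main": "./dist/index.js",
 "scripts": {
@@ -245,16 +245,16 @@
 "zod": "^4.4.3"
 },
 "peerDependencies": {
-"@open-mercato/ai-assistant": "0.6.6-develop.
-"@open-mercato/shared": "0.6.6-develop.
-"@open-mercato/ui": "0.6.6-develop.
+"@open-mercato/ai-assistant": "0.6.6-develop.5431.1.384a97c7a2",
+"@open-mercato/shared": "0.6.6-develop.5431.1.384a97c7a2",
+"@open-mercato/ui": "0.6.6-develop.5431.1.384a97c7a2",
 "react": "^19.0.0",
 "react-dom": "^19.0.0"
 },
 "devDependencies": {
-"@open-mercato/ai-assistant": "0.6.6-develop.
-"@open-mercato/shared": "0.6.6-develop.
-"@open-mercato/ui": "0.6.6-develop.
+"@open-mercato/ai-assistant": "0.6.6-develop.5431.1.384a97c7a2",
+"@open-mercato/shared": "0.6.6-develop.5431.1.384a97c7a2",
+"@open-mercato/ui": "0.6.6-develop.5431.1.384a97c7a2",
 "@testing-library/dom": "^10.4.1",
 "@testing-library/jest-dom": "^6.9.1",
 "@testing-library/react": "^16.3.1",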
@@ -14,18 +14,21 @@ const DEV_ONLY_SECRET = 'om-consent-integrity-dev-only-secret'
|
|
|
14
14
|
let missingSecretWarned = false
|
|
15
15
|
|
|
16
16
|
function getSecret(): string {
|
|
17
|
-
const secret = process.env.CONSENT_INTEGRITY_SECRET
|
|
17
|
+
const secret = process.env.CONSENT_INTEGRITY_SECRET
|
|
18
|
+
|| process.env.AUTH_SECRET
|
|
19
|
+
|| process.env.NEXTAUTH_SECRET
|
|
20
|
+
|| process.env.JWT_SECRET
|
|
18
21
|
if (!secret) {
|
|
19
22
|
if (process.env.NODE_ENV === 'production') {
|
|
20
23
|
throw new Error(
|
|
21
|
-
'[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set. ' +
|
|
24
|
+
'[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set. ' +
|
|
22
25
|
'Refusing to compute or verify consent integrity hashes in production without a real secret.',
|
|
23
26
|
)
|
|
24
27
|
}
|
|
25
28
|
if (!missingSecretWarned) {
|
|
26
29
|
missingSecretWarned = true
|
|
27
30
|
console.warn(
|
|
28
|
-
'[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set — ' +
|
|
31
|
+
'[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set — ' +
|
|
29
32
|
'using insecure dev-only default. Set a secret before deploying to production.',
|
|
30
33
|
)
|
|
31
34
|
}
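Review bot: The new fallbacks on hunk lines 18–20 (`|| process.env.AUTH_SECRET`, `|| process.env.NEXTAUTH_SECRET`, `|| process.env.JWT_SECRET`) feed the session/JWT signing secret verbatim into `createHmac('sha256', getSecret())`, so one key now serves two unrelated MAC purposes with no domain separation. When a shared auth secret is used, derive a consent-only key from it instead with HKDF and a fixed info label (`hkdfSync` from `node:crypto`, the module's existing import source on line 1 outside this hunk), so consent hashes and anything signed under the auth secret can never be computed from one another. Either way the chain couples rotation of whichever auth variable is set first to the validity of every stored consent hash, which the `const secret` line should state, e.g. `// Falls back to shared auth secrets; rotating them invalidates existing consent hashes.`. Deriving rather than reusing also changes the hash value for deployments already relying on the `NEXTAUTH_SECRET` fallback, so existing rows would presumably need re-hashing or a version prefix — worth confirming before merging. `getSecret` continues past the hunk (`return DEV_ONLY_SECRET` and `return secret` follow the closing brace on line 34).

```typescript
function getSecret(): string {
  const ownSecret = process.env.CONSENT_INTEGRITY_SECRET
  const sharedAuthSecret = process.env.AUTH_SECRET
    || process.env.NEXTAUTH_SECRET
    || process.env.JWT_SECRET
  // Shared auth secrets are never used raw: derive a consent-only key so this HMAC is
  // domain-separated from session/JWT signing. Rotating the auth secret still invalidates
  // existing consent hashes. (hkdfSync comes from 'node:crypto', imported on line 1.)
  const secret = ownSecret
    || (sharedAuthSecret
      ? Buffer.from(hkdfSync('sha256', sharedAuthSecret, '', 'om-consent-integrity-v1', 32)).toString('hex')
      : undefined)
  // … unchanged: missing-secret handling (production throw, dev-only warning) …
```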
|