npm - @raytio/core - Versions diffs - 11.0.0 → 11.2.0 - Mend

@raytio/core 11.0.0 → 11.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/dist/verifications/verifyCheck/operations/__tests__/checkOwnVerification.test.js CHANGED Viewed

@@ -7,8 +7,9 @@ const __1 = require("..");
 const util_1 = require("../../../../util");
 const checkOwnVerification_1 = require("../checkOwnVerification");
 const sampleBundle_json_1 = __importDefault(require("./sampleBundle.json"));
-Reflect.set(global, "fetch", jest.fn().mockResolvedValue({
-    text: async () => `-----BEGIN PUBLIC KEY-----
+global.fetch = jest.fn().mockImplementation(async (url) => ({
+    text: async () => url.endsWith("raytio.pem")
+        ? `-----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn9QtCqYa3H3ipFFU0xP3
 n6r7KHS3GMbh0h/xzel57HhCIaXDYjUeUtgUNtzm+uElb/qzGn50xQRzVqO32vKB
 ZAW2kYyZ2+R5ruk9CSxr7K4Vk1FtDMcUCzqxm0eycFD2xbLsN3feRc3BMjfdaQ7P
@@ -21,10 +22,29 @@ Gut0BoM+DIwDu0uZaUprz7fSgNmYHHEiIFbOMVHiOn8oZAZbJXXbUbFIUYXA8u9+
 J1Z+QEpgw+rhGzOf/TSeHfMC9nNbWgYglluAJusWf2XwG/t/VlhtzviHCVGEL7HQ
 jQE5DrM7vaTg6Gu9bjKuoeLIRzbOYK6qAWFoa0CLcN84PLjhDSRw2duatP08hcWg
 jTgOkLWnBFE7NyRU93uPp68CAwEAAQ==
+-----END PUBLIC KEY-----`
+        : `-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgee+uBOgOsbwjMvGN1/H
+qpGXGJLol0Pc2KhI1fh1NBq+UGhk8PqgDd5wHZikbmrtVkvp/maIh+mbIdehY/RC
+ftMylvebCf4Qf+5SWzQsmB1o6nBUbwJzYE2XyvxRiNLhdIeE+GgfdpA5S3l0cDJ5
+B/1TagITmQUjThwTxDYZ6jlGJJ4NSjqlqeQrHhGWRLVQPWU8bYysX3jt3/uiv4tS
+n3TheLGY1TMlbFrVF2Spv1WxuqMZ4bX1mIotK3yEB3TaZSZaOwlUcEZ4xY+J4Vl+
+ZlrOgYbmzFd7UFh9UZbYZUkNSEfddEnFNFlFG3YQVt8UAumPBVJELdjiaRjTj/K4
+62GAFyOcbcw9wcl69fPBnieBo2m2Dqf6U3wcrnvTnkMwjCewWXCH6FdbC4OllBZV
+Nrfn6zf9yX0J8ZEDEcw9ZsNLVkyl2U+Ya/h5CQt43ip/1eNM5LpTbfqBTtAH7iUO
+4L9rxuSJFA2Q9kZfof6kYO9EGgMFB+GM47/Q068+IiTpifvPno4ilnowyS4hbLiy
+Os2yudW79flaz0a7rq5dLdSg9Mm5k7ETBm7WguDcocaiETmuYTJT2PozAGOC3+EP
+w5N7mQff4ecx/880FWYKQmU9Asav1V49DWSnG0ZXQ7U24dG8ANeAgKddDviJGlsh
+SsjKrz8LJqeoNQu30iSGZhUCAwEAAQ==
 -----END PUBLIC KEY-----`,
 }));
 describe("checkOwnVerification", () => {
-    it("works for a real PO", async () => {
+    it.each `
+    keyId                       | result
+    ${undefined}                | ${true}
+    ${"whatever/raytio"}        | ${true}
+    ${"whatever/somethingElse"} | ${false}
+  `("returns $result for a PO with keyId=$keyId", async ({ keyId, result }) => {
         //
         // This is an important integration test from ca. 2021-12-02.
         // If it is failing, it means our code no longer matches the
@@ -54,7 +74,13 @@ describe("checkOwnVerification", () => {
         };
         const value = "NZ Limited Company";
         const userId = "fd9c4903-65c2-4b75-b454-4fda6b682f3e"; // for 27july21 🦈
-        expect(await (0, checkOwnVerification_1.checkOwnVerification)({ value, signature, userId, verObject })).toBe(true);
+        expect(await (0, checkOwnVerification_1.checkOwnVerification)({
+            value,
+            signature,
+            userId,
+            verObject,
+            keyId,
+        })).toBe(result);
     });
     it("errors if you forget to supply the uId", async () => {
         await expect(() => (0, checkOwnVerification_1.checkOwnVerification)({
@@ -62,8 +88,22 @@ describe("checkOwnVerification", () => {
             signature: "",
             userId: "",
             verObject: {},
+            keyId: undefined,
         })).rejects.toThrow(new Error("No userId supplied"));
     });
+    it.each `
+    keyId
+    ${"../../malicious.pem"}
+    ${"https://example.com/malicious.pem"}
+  `("errors if you supply an invalid keyId", async ({ keyId }) => {
+        await expect(() => (0, checkOwnVerification_1.checkOwnVerification)({
+            value: "whatever",
+            signature: "whatever",
+            userId: "whatever",
+            verObject: {},
+            keyId,
+        })).rejects.toThrow(new Error("Invalid key ID"));
+    });
 });
 describe("checkSignature", () => {
     it("works", async () => {
@@ -86,6 +126,6 @@ describe("checkSignature", () => {
 });
 describe("checkJsonSignature", () => {
     it("can verify a bundled verification", async () => {
-        expect(await (0, __1.checkJsonSignature)(sampleBundle_json_1.default.data, sampleBundle_json_1.default.signature)).toBe(true);
+        expect(await (0, __1.checkJsonSignature)(sampleBundle_json_1.default.data, sampleBundle_json_1.default.signature, sampleBundle_json_1.default.key_id)).toBe(true);
     });
 });

package/dist/verifications/verifyCheck/operations/__tests__/sampleBundle.json CHANGED Viewed

@@ -39,5 +39,6 @@
         },
         "valid_until": "2022-03-13T02:26:20.468171"
     },
+    "key_id": "any string/raytio",
     "signature": "AiWWrL+S1paYOqJiOtU3qwLTCkkZjwDq3FuHl7oy14IATYOhCeHLf+ca44X1Wc6pYpTQckjKnJZL\nkfgiwNE97aymWIOc+ZZGEb5YhXRNO+inTV4k5zppaDN3n3YAGzn7zMxleh3+opzJqncNaJtpZ0Wv\na9Pu/m4WjyT5ee3Myz6VOOMuVkcaTL4FD8XT7NdCh0ybRevAZ5R9xl0YuWMhvNpf3P6ieTikHXYN\nkKbPTnAhNdBmqV4njSIR66M82Ek0d9VcsX4zhmlhpdCmGRlXLgHEyMCF4iHlCIxSeKtGaOm2QK2R\nOV/lN3VScDNWyD8lPBipcj++5ZGII6BnFFG8LlT3gY/Y/wt8KeH/xgdu0a7Lt6J/BOiGLFfscUmb\nH5K5t48gnQ5BQS+Cf/yhayMV49LlGiK9m1iPlbmuJH1L2/ZM+iLsIrSTGCU0Rpbkw7qvm0dkUNYf\nhvlj/RnUxcy0Lr/84CzLvBhFMmBX+RHlcPrCWpIiibsdaD81kRyvLY2TASLFTeHajfr+UvtP3LVs\n8NGwRQHd6c2/ptxv3ERRUnDtNASatsLe67ZHg9SeF3BDhMHZwU1neYyrBI1TMECasFli5rP5gviq\nC8ZwFQ9lnDDTidWBF8GjRl6ope4wIuNBBkOsIIeyqIJE5BRUH4LhVUnN1be696uCKnWOyOo7fkc=\n"
 }

package/dist/verifications/verifyCheck/operations/checkOwnVerification.d.ts CHANGED Viewed

@@ -4,12 +4,13 @@ type SingleVerToCheck = {
     signature: string;
     userId: UId;
     value: unknown;
+    keyId: string | undefined;
 };
 /**
  * checks that a json object was signed by the provided signature. Unless you're
  * dealing with bundled verifications, you should use `getOwnRealVerifications`
  * or `getSomeoneElsesRealVerifications` instead.
  */
-export declare const checkJsonSignature: (data: unknown, signature: string) => Promise<boolean>;
-export declare const checkOwnVerification: ({ verObject, signature, userId, value, }: SingleVerToCheck) => Promise<boolean>;
+export declare const checkJsonSignature: (data: unknown, signature: string, keyId: string | undefined) => Promise<boolean>;
+export declare const checkOwnVerification: ({ verObject, signature, userId, value, keyId, }: SingleVerToCheck) => Promise<boolean>;
 export {};

package/dist/verifications/verifyCheck/operations/checkOwnVerification.js CHANGED Viewed

@@ -2,14 +2,14 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.checkOwnVerification = exports.checkJsonSignature = exports.checkSignature = void 0;
 const util_1 = require("../../../util");
-let cache;
+const cache = {};
 const base64ToArrayBuffer = (str) => Uint8Array.from(atob(str), c => c.charCodeAt(0));
-async function getJwk() {
+async function getJwk(keyUrl) {
     // eslint-disable-next-line fp/no-mutation
-    cache || (cache = fetch("https://api-docs.rayt.io/lookups/raytio.pem")
+    cache[keyUrl] || (cache[keyUrl] = fetch(keyUrl)
         .then(r => r.text())
         .then(pem => crypto.subtle.importKey("spki", base64ToArrayBuffer(pem.split("-----")[2].trim()), { name: "RSA-PSS", hash: "SHA-512" }, false, ["verify"])));
-    return cache;
+    return cache[keyUrl];
 }
 /** @internal exported only for tests */
 async function checkSignature(publicCryptoKey, signature, data) {
@@ -24,16 +24,23 @@ exports.checkSignature = checkSignature;
  * dealing with bundled verifications, you should use `getOwnRealVerifications`
  * or `getSomeoneElsesRealVerifications` instead.
  */
-const checkJsonSignature = async (data, signature) => {
-    const jwk = await getJwk();
+const checkJsonSignature = async (data, signature, keyId) => {
+    const keyFileName = keyId ? keyId.split("/")[1] : "raytio";
+    // don't allow any special characters, e.g. to prevent
+    // someone using a keyID of  "../../someOtherFile"
+    if (!keyFileName || /[^\w-]/.test(keyFileName)) {
+        throw new Error("Invalid key ID");
+    }
+    const keyUrl = `https://api-docs.rayt.io/lookups/${keyFileName}.pem`;
+    const jwk = await getJwk(keyUrl);
     const stringified = (0, util_1.canonicalJsonify)(data);
     const result = await checkSignature(jwk, signature, stringified);
     return result;
 };
 exports.checkJsonSignature = checkJsonSignature;
-const checkOwnVerification = async ({ verObject, signature, userId, value, }) => {
+const checkOwnVerification = async ({ verObject, signature, userId, value, keyId, }) => {
     if (!userId)
         throw new Error("No userId supplied");
-    return (0, exports.checkJsonSignature)(Object.assign(Object.assign({}, verObject), { sub: userId, value }), signature);
+    return (0, exports.checkJsonSignature)(Object.assign(Object.assign({}, verObject), { sub: userId, value }), signature, keyId);
 };
 exports.checkOwnVerification = checkOwnVerification;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@raytio/core",
-  "version": "11.0.0",
+  "version": "11.2.0",
   "license": "MIT",
   "main": "index",
   "types": "index",
@@ -17,13 +17,13 @@
   },
   "dependencies": {
     "@raytio/maxcryptor": "3.1.0",
-    "@raytio/types": "7.1.0",
+    "@raytio/types": "7.2.0",
     "ramda": "0.29.0"
   },
   "devDependencies": {
-    "@types/ramda": "0.28.24",
-    "jest": "29.5.0",
-    "ts-jest": "29.1.0"
+    "@types/ramda": "0.29.2",
+    "jest": "29.6.1",
+    "ts-jest": "29.1.1"
   },
   "jest": {
     "transform": {