npm - @riocrypto/common-server - Versions diffs - 1.0.2803 → 1.0.2806 - Mend

@riocrypto/common-server 1.0.2803 → 1.0.2806

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/build/middlewares/auth-context.js +2 -2
package/build/middlewares/authorize.d.ts +1 -0
package/build/middlewares/authorize.js +68 -36
package/build/middlewares/verify-csrf-token.js +2 -2
package/build/models/user.d.ts +15 -3
package/build/models/user.js +14 -0
package/package.json +2 -2

package/build/middlewares/auth-context.js CHANGED Viewed

@@ -28,7 +28,7 @@ const authContextMiddleware = (req, res, next, mongoose) => __awaiter(void 0, vo
                 cachedAdminSecret = yield secret_manager_client_1.secretManagerClient.getSecretValue("ADMIN_ACCESS_TOKEN_SECRET");
             }
             if (cachedAdminSecret) {
-                const decoded = jsonwebtoken_1.default.verify(adminAccessToken, cachedAdminSecret);
+                const decoded = jsonwebtoken_1.default.verify(adminAccessToken, cachedAdminSecret, { algorithms: ["HS256"] });
                 const AdminAuth = (0, admin_auth_1.buildAdminAuth)(mongoose);
                 const adminAuth = yield AdminAuth.findById(decoded.id);
                 if (adminAuth) {
@@ -48,7 +48,7 @@ const authContextMiddleware = (req, res, next, mongoose) => __awaiter(void 0, vo
                 cachedUserSecret = yield secret_manager_client_1.secretManagerClient.getSecretValue("ACCESS_TOKEN_SECRET");
             }
             if (cachedUserSecret) {
-                const decoded = jsonwebtoken_1.default.verify(accessToken, cachedUserSecret);
+                const decoded = jsonwebtoken_1.default.verify(accessToken, cachedUserSecret, { algorithms: ["HS256"] });
                 const Auth = (0, auth_1.buildAuth)(mongoose);
                 const auth = yield Auth.findById(decoded.id);
                 if (auth) {

package/build/middlewares/authorize.d.ts CHANGED Viewed

@@ -21,4 +21,5 @@ declare global {
         }
     }
 }
+export declare const isTokenVersionAccepted: (payloadVersion: number | undefined, recordVersion: number | undefined) => boolean;
 export declare const authorize: (req: Request, res: Response, next: NextFunction, mongoose: Mongoose, authorizationTypes: AuthorizationType[]) => Promise<void>;

package/build/middlewares/authorize.js CHANGED Viewed

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.authorize = void 0;
+exports.authorize = exports.isTokenVersionAccepted = void 0;
 const crypto_1 = __importDefault(require("crypto"));
 const user_1 = require("../models/user");
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
@@ -22,10 +22,42 @@ const apiKey_1 = require("../services/apiKey");
 const secret_manager_client_1 = require("../clients/secret-manager-client");
 const admin_auth_1 = require("../models/admin-auth");
 const logger_1 = __importDefault(require("../services/logger"));
+// Decide whether a JWT's `tokenVersion` claim is acceptable against the
+// current server-side version on the auth record.
+//
+// - Token has a version AND server has a version: must match. This is the
+//   normal path now that `default: 0` is in the schema; every signed token
+//   in the last 24h (the refresh-token TTL) carries a version.
+// - Token has NO version but server has one: REJECT. A pre-versioning token
+//   used against a versioned account bypasses logout / password-reset
+//   invalidation. With 24h max token life this branch is empty in practice
+//   once the change has been deployed for a day, but the rejection closes
+//   the bypass for any straggler.
+// - Token has a version but server doesn't: accept. Only happens if the
+//   schema default never persisted on a particular legacy doc; not exploitable.
+// - Both undefined: accept (pure legacy).
+const isTokenVersionAccepted = (payloadVersion, recordVersion) => {
+    if (payloadVersion === undefined && recordVersion === undefined)
+        return true;
+    if (payloadVersion === undefined && recordVersion !== undefined)
+        return false;
+    if (payloadVersion !== undefined && recordVersion === undefined)
+        return true;
+    return payloadVersion === recordVersion;
+};
+exports.isTokenVersionAccepted = isTokenVersionAccepted;
 const authorize = (req, res, next, mongoose, authorizationTypes) => __awaiter(void 0, void 0, void 0, function* () {
     var _a, _b, _c;
     // Prepare promises for parallel execution
     const promises = [];
+    // Constant-time comparison of two arbitrary-length strings. Hashing both
+    // sides to a fixed 32-byte digest before timingSafeEqual avoids the length
+    // short-circuit that would otherwise leak the expected secret's length.
+    const constantTimeStringEqual = (a, b) => {
+        const aHash = crypto_1.default.createHash("sha256").update(a).digest();
+        const bHash = crypto_1.default.createHash("sha256").update(b).digest();
+        return crypto_1.default.timingSafeEqual(aHash, bHash);
+    };
     // Check for cluster API key - only if needed
     if (authorizationTypes.includes(common_1.AuthorizationType.Cluster)) {
         const apiKey = req.header("x-cluster-api-key");
@@ -35,8 +67,7 @@ const authorize = (req, res, next, mongoose, authorizationTypes) => __awaiter(vo
                 if (!CLUSTER_API_KEY) {
                     throw new common_1.SecretManagerError();
                 }
-                if (apiKey.length === CLUSTER_API_KEY.length &&
-                    crypto_1.default.timingSafeEqual(Buffer.from(apiKey), Buffer.from(CLUSTER_API_KEY))) {
+                if (constantTimeStringEqual(apiKey, CLUSTER_API_KEY)) {
                     req.validClusterApiKey = true;
                 }
             }))());
@@ -51,8 +82,7 @@ const authorize = (req, res, next, mongoose, authorizationTypes) => __awaiter(vo
                 if (!GENESIS_ADMIN_KEY) {
                     throw new common_1.SecretManagerError();
                 }
-                if (apiKey.length === GENESIS_ADMIN_KEY.length &&
-                    crypto_1.default.timingSafeEqual(Buffer.from(apiKey), Buffer.from(GENESIS_ADMIN_KEY))) {
+                if (constantTimeStringEqual(apiKey, GENESIS_ADMIN_KEY)) {
                     req.validGenisisAdminKey = true;
                 }
             }))());
@@ -67,8 +97,7 @@ const authorize = (req, res, next, mongoose, authorizationTypes) => __awaiter(vo
                 if (!FX_PRICE_PUSHER_API_KEY) {
                     throw new common_1.SecretManagerError();
                 }
-                if (fxPricePusherApiKey.length === FX_PRICE_PUSHER_API_KEY.length &&
-                    crypto_1.default.timingSafeEqual(Buffer.from(fxPricePusherApiKey), Buffer.from(FX_PRICE_PUSHER_API_KEY))) {
+                if (constantTimeStringEqual(fxPricePusherApiKey, FX_PRICE_PUSHER_API_KEY)) {
                     req.validFXPricePusherApiKey = true;
                 }
             }))());
@@ -110,18 +139,19 @@ const authorize = (req, res, next, mongoose, authorizationTypes) => __awaiter(vo
                     if (!ADMIN_ACCESS_TOKEN_SECRET) {
                         throw new Error("Unable to get ADMIN_ACCESS_TOKEN_SECRET");
                     }
-                    const payload = jsonwebtoken_1.default.verify(adminAccessToken, ADMIN_ACCESS_TOKEN_SECRET);
+                    const payload = jsonwebtoken_1.default.verify(adminAccessToken, ADMIN_ACCESS_TOKEN_SECRET, { algorithms: ["HS256"] });
                     const adminAuth = yield AdminAuth.findById(payload.id);
                     if (adminAuth) {
-                        // Check if token version matches (for server-side invalidation)
-                        if (payload.tokenVersion !== undefined &&
-                            adminAuth.tokenVersion !== undefined) {
-                            if (payload.tokenVersion === adminAuth.tokenVersion) {
-                                req.adminAuth = adminAuth;
-                            }
-                        }
-                        else {
-                            // Backward compatibility for tokens without version
+                        // Token version invalidation:
+                        // - Both defined and equal: accept.
+                        // - Token has no version but server does: reject. This blocks
+                        //   pre-versioning tokens from bypassing logout/password-reset
+                        //   invalidation after the server adopted versioning. Refresh
+                        //   tokens are 24h max, so by the time this middleware ships
+                        //   widely there are no such tokens in the wild.
+                        // - Both undefined (pure legacy with default never applied):
+                        //   accept.
+                        if ((0, exports.isTokenVersionAccepted)(payload.tokenVersion, adminAuth.tokenVersion)) {
                             req.adminAuth = adminAuth;
                         }
                     }
@@ -152,7 +182,10 @@ const authorize = (req, res, next, mongoose, authorizationTypes) => __awaiter(vo
                         const auth = yield Auth.findOne({
                             "apiKeys.value": hashedApiKey,
                         });
-                        if (auth) {
+                        // Disabled auths must not authenticate even with a previously
+                        // issued API key, so that disabling an account is a real kill
+                        // switch and not just a session terminator.
+                        if (auth && !auth.isDisabled) {
                             req.auth = auth;
                             authId = auth.id;
                         }
@@ -169,22 +202,13 @@ const authorize = (req, res, next, mongoose, authorizationTypes) => __awaiter(vo
                         if (!ACCESS_TOKEN_SECRET) {
                             throw new common_1.SecretManagerError();
                         }
-                        const payload = jsonwebtoken_1.default.verify(accessToken, ACCESS_TOKEN_SECRET);
+                        const payload = jsonwebtoken_1.default.verify(accessToken, ACCESS_TOKEN_SECRET, { algorithms: ["HS256"] });
                         const auth = yield Auth.findById(payload.id);
-                        if (auth && !auth.isDisabled) {
-                            // Check if token version matches (for server-side invalidation)
-                            if (payload.tokenVersion !== undefined &&
-                                auth.tokenVersion !== undefined) {
-                                if (payload.tokenVersion === auth.tokenVersion) {
-                                    req.auth = auth;
-                                    authId = auth.id;
-                                }
-                            }
-                            else {
-                                // Backward compatibility for tokens without version
-                                req.auth = auth;
-                                authId = auth.id;
-                            }
+                        if (auth &&
+                            !auth.isDisabled &&
+                            (0, exports.isTokenVersionAccepted)(payload.tokenVersion, auth.tokenVersion)) {
+                            req.auth = auth;
+                            authId = auth.id;
                         }
                     }
                     catch (err) {
@@ -233,10 +257,18 @@ const authorize = (req, res, next, mongoose, authorizationTypes) => __awaiter(vo
                     if (!AUTH_MISSING_2FA_SECRET) {
                         return;
                     }
-                    const payload = jsonwebtoken_1.default.verify(authMissing2FAToken, AUTH_MISSING_2FA_SECRET);
+                    const payload = jsonwebtoken_1.default.verify(authMissing2FAToken, AUTH_MISSING_2FA_SECRET, { algorithms: ["HS256"] });
                     const Auth = yield (0, auth_1.buildAuth)(mongoose);
                     const auth = yield Auth.findById(payload.id);
-                    if (auth && !auth.isDisabled) {
+                    // Token-version invalidation only fires once the issuance side
+                    // (issueAuthMissing2FACookies) actually signs `tokenVersion` into
+                    // the payload. Until that lands, enforce only `isDisabled`. The
+                    // token is 10 minutes max, so attackers can't ride a stale one
+                    // for long even without the version check.
+                    if (auth &&
+                        !auth.isDisabled &&
+                        (payload.tokenVersion === undefined ||
+                            (0, exports.isTokenVersionAccepted)(payload.tokenVersion, auth.tokenVersion))) {
                         req.auth = auth;
                         req.isAuthMissing2FA = true;
                     }
@@ -263,7 +295,7 @@ const authorize = (req, res, next, mongoose, authorizationTypes) => __awaiter(vo
                     if (!INDICATIVE_PAGE_TOKEN_SECRET) {
                         return;
                     }
-                    const payload = jsonwebtoken_1.default.verify(token, INDICATIVE_PAGE_TOKEN_SECRET);
+                    const payload = jsonwebtoken_1.default.verify(token, INDICATIVE_PAGE_TOKEN_SECRET, { algorithms: ["HS256"] });
                     if (payload.email && payload.pageId) {
                         req.indicativeQuoteAuth = {
                             email: payload.email,

package/build/middlewares/verify-csrf-token.js CHANGED Viewed

@@ -40,8 +40,8 @@ const verifyCsrfToken = (req, res, next) => __awaiter(void 0, void 0, void 0, fu
             return res.status(403).json({ error: "CSRF token missing" });
         }
         try {
-            jsonwebtoken_1.default.verify(csrfToken, CSRF_TOKEN_SECRET);
-            next(); // Token is valid, proceed to the next middleware
+            jsonwebtoken_1.default.verify(csrfToken, CSRF_TOKEN_SECRET, { algorithms: ["HS256"] });
+            next();
         }
         catch (err) {
             return res.status(403).json({ error: "Invalid CSRF token" });

package/build/models/user.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { OnboardingStatus, PlatformFeeRange, UserAttribute, UserType, CountryOfOrigin, Country, Fiat, Side, Crypto, DeferredPaymentType, MexicoInvoicingMethod } from "@riocrypto/common";
+import { OnboardingStatus, PlatformFeeRange, UserAttribute, UserType, CountryOfOrigin, Country, Fiat, Side, Crypto, DeferredPaymentType, MexicoInvoicingMethod, ColombiaInvoicingMethod } from "@riocrypto/common";
 import { Mongoose, Model, Document, HydratedDocument } from "mongoose";
 interface UserAttrs {
     createdAt: Date;
@@ -87,13 +87,19 @@ interface UserAttrs {
         country?: CountryOfOrigin;
     };
     invoicing?: {
-        MX: {
+        MX?: {
             method?: MexicoInvoicingMethod;
             fiscalName?: string;
             fiscalRegimenCode?: number;
             taxId?: string;
             postalCode?: string;
         };
+        CO?: {
+            method?: ColombiaInvoicingMethod;
+            fiscalName?: string;
+            taxId?: string;
+            postalCode?: string;
+        };
     };
     quotationTime?: number;
     referrerId?: string;
@@ -245,13 +251,19 @@ interface UserDoc extends Document {
         country?: CountryOfOrigin;
     };
     invoicing?: {
-        MX: {
+        MX?: {
             method?: MexicoInvoicingMethod;
             fiscalName?: string;
             taxId?: string;
             fiscalRegimenCode?: number;
             postalCode?: string;
         };
+        CO?: {
+            method?: ColombiaInvoicingMethod;
+            fiscalName?: string;
+            taxId?: string;
+            postalCode?: string;
+        };
     };
     quotationTime?: number;
     referrerId?: string;

package/build/models/user.js CHANGED Viewed

@@ -299,6 +299,20 @@ const buildUser = (mongoose) => {
                     type: String,
                 },
             },
+            CO: {
+                method: {
+                    type: String,
+                },
+                fiscalName: {
+                    type: String,
+                },
+                taxId: {
+                    type: String,
+                },
+                postalCode: {
+                    type: String,
+                },
+            },
         },
         businessData: {
             type: Object,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@riocrypto/common-server",
-  "version": "1.0.2803",
+  "version": "1.0.2806",
   "description": "",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -28,7 +28,7 @@
     "@google-cloud/secret-manager": "^5.6.0",
     "@google-cloud/storage": "^7.19.0",
     "@hyperdx/node-opentelemetry": "^0.10.3",
-    "@riocrypto/common": "1.0.2604",
+    "@riocrypto/common": "1.0.2608",
     "@slack/web-api": "^7.15.0",
     "@types/express": "^4.17.25",
     "axios": "1.16.0",