npm - @rpcbase/server - Versions diffs - 0.460.0 → 0.462.0 - Mend

@rpcbase/server 0.460.0 → 0.462.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +177 -2
package/dist/passwordHashStorage.d.ts +11 -0
package/dist/passwordHashStorage.d.ts.map +1 -0
package/dist/passwordHashStorage.test.d.ts +2 -0
package/dist/passwordHashStorage.test.d.ts.map +1 -0
package/package.json +11 -1

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 export * from './initServer';
 export * from './getDerivedKey';
 export * from './hashPassword';
+export * from './passwordHashStorage';
 export * from './ssrMiddleware';
 export * from './email';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAA;AAC5B,cAAc,iBAAiB,CAAA;AAC/B,cAAc,gBAAgB,CAAA;AAC9B,cAAc,iBAAiB,CAAA;AAC/B,cAAc,SAAS,CAAA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAA;AAC5B,cAAc,iBAAiB,CAAA;AAC/B,cAAc,gBAAgB,CAAA;AAC9B,cAAc,uBAAuB,CAAA;AACrC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,SAAS,CAAA"}

package/dist/index.js CHANGED Viewed

@@ -9,7 +9,7 @@ import { createReadStream, readFileSync } from "node:fs";
 import { createInterface } from "node:readline";
 import { AsyncLocalStorage } from "node:async_hooks";
 import assert$1 from "assert";
-import { hkdfSync, scrypt } from "crypto";
+import crypto, { hkdfSync, scrypt } from "crypto";
 import { createProxyMiddleware } from "http-proxy-middleware";
 import fs from "node:fs/promises";
 import { Transform } from "node:stream";
@@ -3401,6 +3401,179 @@ async function hashPassword(password, salt) {
   });
   return derivedKey;
 }
+const DEFAULT_SCRYPT_N = 8192;
+const DEFAULT_SCRYPT_R = 8;
+const DEFAULT_SCRYPT_P = 4;
+const DEFAULT_SCRYPT_KEYLEN = 64;
+const DEFAULT_SCRYPT_SALT_BYTES = 16;
+const DEFAULT_SCRYPT_MAXMEM_BYTES = 256 * 1024 * 1024;
+const MAX_SCRYPT_MAXMEM_BYTES = 1024 * 1024 * 1024;
+const MAX_SCRYPT_N = 1048576;
+const MAX_SCRYPT_R = 64;
+const MAX_SCRYPT_P = 16;
+const MAX_SCRYPT_KEYLEN = 128;
+const MAX_SCRYPT_SALT_BYTES = 64;
+const parseEnvInt = (value) => {
+  if (typeof value !== "string") return void 0;
+  const trimmed = value.trim();
+  if (!trimmed) return void 0;
+  const parsed = Number(trimmed);
+  if (!Number.isSafeInteger(parsed)) return void 0;
+  return parsed;
+};
+const isPowerOfTwo = (value) => (value & value - 1) === 0;
+const estimateScryptMemoryBytes = ({ N, r, p }) => {
+  return 128 * r * (N + p);
+};
+const validateScryptParams = (params) => {
+  const { N, r, p, keylen, saltBytes, maxmemBytes } = params;
+  if (!Number.isSafeInteger(N) || N < 2 || N > MAX_SCRYPT_N || !isPowerOfTwo(N)) {
+    return { ok: false, error: "invalid_scrypt_N" };
+  }
+  if (!Number.isSafeInteger(r) || r < 1 || r > MAX_SCRYPT_R) {
+    return { ok: false, error: "invalid_scrypt_r" };
+  }
+  if (!Number.isSafeInteger(p) || p < 1 || p > MAX_SCRYPT_P) {
+    return { ok: false, error: "invalid_scrypt_p" };
+  }
+  if (!Number.isSafeInteger(keylen) || keylen < 16 || keylen > MAX_SCRYPT_KEYLEN) {
+    return { ok: false, error: "invalid_scrypt_keylen" };
+  }
+  if (!Number.isSafeInteger(saltBytes) || saltBytes < 8 || saltBytes > MAX_SCRYPT_SALT_BYTES) {
+    return { ok: false, error: "invalid_scrypt_salt_bytes" };
+  }
+  if (!Number.isSafeInteger(maxmemBytes) || maxmemBytes < 16 * 1024 * 1024 || maxmemBytes > MAX_SCRYPT_MAXMEM_BYTES) {
+    return { ok: false, error: "invalid_scrypt_maxmem" };
+  }
+  const estimatedMem = estimateScryptMemoryBytes({ N, r, p });
+  if (estimatedMem > maxmemBytes) {
+    return { ok: false, error: "scrypt_params_exceed_maxmem" };
+  }
+  return { ok: true };
+};
+const getCurrentMaxmemBytes = (opts) => {
+  const envMaxmemBytes = parseEnvInt(process.env.RB_PASSWORD_SCRYPT_MAXMEM_BYTES);
+  const maxmemBytes = opts?.maxmemBytes ?? envMaxmemBytes ?? DEFAULT_SCRYPT_MAXMEM_BYTES;
+  if (!Number.isSafeInteger(maxmemBytes) || maxmemBytes < 16 * 1024 * 1024 || maxmemBytes > MAX_SCRYPT_MAXMEM_BYTES) {
+    throw new Error("invalid_scrypt_maxmem");
+  }
+  return maxmemBytes;
+};
+const getCurrentScryptParams = (opts) => {
+  const envN = parseEnvInt(process.env.RB_PASSWORD_SCRYPT_N);
+  const envR = parseEnvInt(process.env.RB_PASSWORD_SCRYPT_R);
+  const envP = parseEnvInt(process.env.RB_PASSWORD_SCRYPT_P);
+  const envKeylen = parseEnvInt(process.env.RB_PASSWORD_SCRYPT_KEYLEN);
+  const envSaltBytes = parseEnvInt(process.env.RB_PASSWORD_SCRYPT_SALT_BYTES);
+  const params = {
+    N: opts?.N ?? envN ?? DEFAULT_SCRYPT_N,
+    r: opts?.r ?? envR ?? DEFAULT_SCRYPT_R,
+    p: opts?.p ?? envP ?? DEFAULT_SCRYPT_P,
+    keylen: opts?.keylen ?? envKeylen ?? DEFAULT_SCRYPT_KEYLEN,
+    saltBytes: opts?.saltBytes ?? envSaltBytes ?? DEFAULT_SCRYPT_SALT_BYTES,
+    maxmemBytes: getCurrentMaxmemBytes(opts)
+  };
+  const validated = validateScryptParams(params);
+  if (!validated.ok) {
+    throw new Error(validated.error);
+  }
+  return params;
+};
+const scryptAsync = async (password, salt, params) => {
+  const { N, r, p, keylen, maxmemBytes } = params;
+  return await new Promise((resolve, reject) => {
+    crypto.scrypt(password, salt, keylen, { N, r, p, maxmem: maxmemBytes }, (err, derivedKey) => {
+      if (err) {
+        reject(err);
+        return;
+      }
+      resolve(derivedKey);
+    });
+  });
+};
+const base64Regex = /^[A-Za-z0-9+/]+={0,2}$/;
+const parseB64 = (value) => {
+  if (!value) return null;
+  if (!base64Regex.test(value)) return null;
+  if (value.length % 4 !== 0) return null;
+  const buf = Buffer.from(value, "base64");
+  if (buf.length === 0) return null;
+  if (buf.toString("base64") !== value) return null;
+  return buf;
+};
+const MAX_STORED_PASSWORD_LENGTH = 1024;
+const MAX_STORED_PASSWORD_SECTION_LENGTH = 256;
+const parseStoredScryptHash = (stored) => {
+  if (stored.length > MAX_STORED_PASSWORD_LENGTH) return null;
+  const parts = stored.split("$");
+  if (parts.length !== 5) return null;
+  if (parts[0] !== "" || parts[1] !== "scrypt") return null;
+  const paramsStr = parts[2];
+  const saltB64 = parts[3];
+  const dkB64 = parts[4];
+  if (paramsStr.length > MAX_STORED_PASSWORD_SECTION_LENGTH) return null;
+  if (saltB64.length > MAX_STORED_PASSWORD_SECTION_LENGTH) return null;
+  if (dkB64.length > MAX_STORED_PASSWORD_SECTION_LENGTH) return null;
+  const kvPairs = paramsStr.split(",").filter(Boolean);
+  if (kvPairs.length === 0) return null;
+  const params = /* @__PURE__ */ new Map();
+  for (const pair of kvPairs) {
+    const idx = pair.indexOf("=");
+    if (idx <= 0 || idx === pair.length - 1) return null;
+    const key = pair.slice(0, idx);
+    const valueRaw = pair.slice(idx + 1);
+    if (!/^[a-zA-Z0-9]+$/.test(key)) return null;
+    if (params.has(key)) return null;
+    const value = Number(valueRaw);
+    if (!Number.isSafeInteger(value)) return null;
+    params.set(key, value);
+  }
+  const N = params.get("N");
+  const r = params.get("r");
+  const p = params.get("p");
+  const keylen = params.get("keylen");
+  if (N === void 0 || r === void 0 || p === void 0 || keylen === void 0) return null;
+  if (params.size !== 4) return null;
+  const salt = parseB64(saltB64);
+  const dk = parseB64(dkB64);
+  if (!salt || !dk) return null;
+  if (dk.length !== keylen) return null;
+  if (salt.length < 8 || salt.length > MAX_SCRYPT_SALT_BYTES) return null;
+  if (dk.length < 16 || dk.length > MAX_SCRYPT_KEYLEN) return null;
+  const currentMaxmemBytes = getCurrentMaxmemBytes();
+  const validated = validateScryptParams({
+    N,
+    r,
+    p,
+    keylen,
+    saltBytes: salt.length,
+    maxmemBytes: currentMaxmemBytes
+  });
+  if (!validated.ok) return null;
+  return { N, r, p, keylen, salt, dk };
+};
+async function hashPasswordForStorage(password, opts) {
+  const { N, r, p, keylen, saltBytes, maxmemBytes } = getCurrentScryptParams(opts);
+  const salt = crypto.randomBytes(saltBytes);
+  const dk = await scryptAsync(password, salt, { N, r, p, keylen, maxmemBytes });
+  const saltB64 = salt.toString("base64");
+  const dkB64 = dk.toString("base64");
+  return `$scrypt$N=${N},r=${r},p=${p},keylen=${keylen}$${saltB64}$${dkB64}`;
+}
+async function verifyPasswordFromStorage(password, stored) {
+  const parsed = parseStoredScryptHash(stored);
+  if (!parsed) return false;
+  const { N, r, p, keylen, salt, dk } = parsed;
+  const maxmemBytes = getCurrentMaxmemBytes();
+  let derivedKey;
+  try {
+    derivedKey = await scryptAsync(password, salt, { N, r, p, keylen, maxmemBytes });
+  } catch {
+    return false;
+  }
+  if (derivedKey.length !== dk.length) return false;
+  return crypto.timingSafeEqual(dk, derivedKey);
+}
 function createLocation(current, to, state = null, key) {
   const location = {
     pathname: current,
@@ -3795,7 +3968,9 @@ const sendEmail = async (params) => {
 export {
   getDerivedKey,
   hashPassword,
+  hashPasswordForStorage,
   initServer,
   sendEmail,
-  ssrMiddleware
+  ssrMiddleware,
+  verifyPasswordFromStorage
 };

package/dist/passwordHashStorage.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+export type HashPasswordForStorageOptions = Partial<{
+    N: number;
+    r: number;
+    p: number;
+    keylen: number;
+    saltBytes: number;
+    maxmemBytes: number;
+}>;
+export declare function hashPasswordForStorage(password: string, opts?: HashPasswordForStorageOptions): Promise<string>;
+export declare function verifyPasswordFromStorage(password: string, stored: string): Promise<boolean>;
+//# sourceMappingURL=passwordHashStorage.d.ts.map

package/dist/passwordHashStorage.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"passwordHashStorage.d.ts","sourceRoot":"","sources":["../src/passwordHashStorage.ts"],"names":[],"mappings":"AAiBA,MAAM,MAAM,6BAA6B,GAAG,OAAO,CAAC;IAClD,CAAC,EAAE,MAAM,CAAA;IACT,CAAC,EAAE,MAAM,CAAA;IACT,CAAC,EAAE,MAAM,CAAA;IACT,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,MAAM,CAAA;CACpB,CAAC,CAAA;AA4MF,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,6BAA6B,GAAG,OAAO,CAAC,MAAM,CAAC,CAUpH;AAED,wBAAsB,yBAAyB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAiBlG"}

package/dist/passwordHashStorage.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=passwordHashStorage.test.d.ts.map

package/dist/passwordHashStorage.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"passwordHashStorage.test.d.ts","sourceRoot":"","sources":["../src/passwordHashStorage.test.ts"],"names":[],"mappings":""}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rpcbase/server",
-  "version": "0.460.0",
+  "version": "0.462.0",
   "type": "module",
   "files": [
     "dist"
@@ -9,6 +9,7 @@
   "types": "./dist/index.d.ts",
   "scripts": {
     "build": "wireit",
+    "test": "wireit",
     "release": "wireit"
   },
   "wireit": {
@@ -30,6 +31,15 @@
       "command": "../../node_modules/.bin/vite build --watch",
       "service": true
     },
+    "test": {
+      "command": "../../node_modules/.bin/vitest run --config ../../pkg/test/src/vitest.config.mjs --passWithNoTests",
+      "files": [
+        "src/**/*",
+        "tsconfig.json",
+        "../../scripts/tsconfig.pkg.json"
+      ],
+      "dependencies": []
+    },
     "release": {
       "command": "../../scripts/publish.js",
       "dependencies": [