@salesforce/core 6.6.0 → 6.7.1

package/lib/crypto/crypto.d.ts

@@ -21,6 +21,7 @@ export declare class Crypto extends AsyncOptionalCreatable<CryptoOptions> {
      * @ignore
      */
     constructor(options?: CryptoOptions);
+    private static unsetCryptoVersion;
     /**
      * Encrypts text. Returns the encrypted string or undefined if no string was passed.
      *
@@ -45,10 +46,15 @@ export declare class Crypto extends AsyncOptionalCreatable<CryptoOptions> {
      * Clears the crypto state. This should be called in a finally block.
      */
     close(): void;
+    isV2Crypto(): boolean;
     /**
      * Initialize async components.
      */
     protected init(): Promise<void>;
+    private encryptV1;
+    private encryptV2;
+    private decryptV1;
+    private decryptV2;
     private getKeyChain;
 }
 export {};

package/lib/crypto/crypto.js

@@ -37,23 +37,96 @@ const node_path_1 = require("node:path");
 const ts_types_1 = require("@salesforce/ts-types");
 const kit_1 = require("@salesforce/kit");
 const logger_1 = require("../logger/logger");
+const lifecycleEvents_1 = require("../lifecycleEvents");
 const messages_1 = require("../messages");
 const cache_1 = require("../util/cache");
 const global_1 = require("../global");
+const sfError_1 = require("../sfError");
 const keyChain_1 = require("./keyChain");
 const secureBuffer_1 = require("./secureBuffer");
 const TAG_DELIMITER = ':';
-const BYTE_COUNT_FOR_IV = 6;
+const IV_BYTES = {
+    v1: 6,
+    v2: 12,
+};
+const ENCODING = {
+    v1: 'utf8',
+    v2: 'hex',
+};
+const KEY_SIZE = {
+    v1: 16,
+    v2: 32,
+};
 const ALGO = 'aes-256-gcm';
 const AUTH_TAG_LENGTH = 32;
 const ENCRYPTED_CHARS = /[a-f0-9]/;
 const KEY_NAME = 'sfdx';
 const ACCOUNT = 'local';
+let cryptoLogger;
+const getCryptoLogger = () => {
+    cryptoLogger ??= logger_1.Logger.childFromRoot('crypto');
+    return cryptoLogger;
+};
+const getCryptoV2EnvVar = () => {
+    let sfCryptoV2 = process.env.SF_CRYPTO_V2?.toLowerCase();
+    if (sfCryptoV2 !== undefined) {
+        getCryptoLogger().debug(`SF_CRYPTO_V2=${sfCryptoV2}`);
+        // normalize all values that aren't "true" to be "false"
+        if (sfCryptoV2 !== 'true') {
+            sfCryptoV2 = 'false';
+        }
+    }
+    return sfCryptoV2;
+};
+let cryptoVersion;
+const getCryptoVersion = () => {
+    if (!cryptoVersion) {
+        // This only happens when generating a new key, so use the env var
+        // and (for now) default to 'v1'.
+        cryptoVersion = getCryptoV2EnvVar() === 'true' ? 'v2' : 'v1';
+    }
+    return cryptoVersion;
+};
+// Detect the crypto version based on the password (key) length.
+// This happens once per process.
+const detectCryptoVersion = (pwd) => {
+    if (!cryptoVersion) {
+        // check the env var to see if it's set
+        const sfCryptoV2 = getCryptoV2EnvVar();
+        // Password length of 64 is v2 crypto and uses hex encoding.
+        // Password length of 32 is v1 crypto and uses utf8 encoding.
+        if (pwd?.length === KEY_SIZE.v2 * 2) {
+            cryptoVersion = 'v2';
+            getCryptoLogger().debug('Using v2 crypto');
+            if (sfCryptoV2 === 'false') {
+                getCryptoLogger().warn(messages.getMessage('v1CryptoWithV2KeyWarning'));
+            }
+        }
+        else if (pwd?.length === KEY_SIZE.v1 * 2) {
+            cryptoVersion = 'v1';
+            getCryptoLogger().debug('Using v1 crypto');
+            if (sfCryptoV2 === 'true') {
+                getCryptoLogger().warn(messages.getMessage('v2CryptoWithV1KeyWarning'));
+            }
+        }
+        else {
+            getCryptoLogger().debug("crypto key doesn't match v1 or v2. using SF_CRYPTO_V2.");
+            getCryptoVersion();
+        }
+        void lifecycleEvents_1.Lifecycle.getInstance().emitTelemetry({
+            eventName: 'crypto_version',
+            library: 'sfdx-core',
+            function: 'detectCryptoVersion',
+            cryptoVersion, // 'v1' or 'v2'
+            cryptoEnvVar: sfCryptoV2, // 'true' or 'false' or 'undefined'
+        });
+    }
+};
 ;
-const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."]]));
-const makeSecureBuffer = (password) => {
+const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."], ["v1CryptoWithV2KeyWarning", "The SF_CRYPTO_V2 environment variable was set to \"false\" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable."], ["v2CryptoWithV1KeyWarning", "SF_CRYPTO_V2 was set to \"true\" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:\n\n1. Logout of all orgs: `sf org logout --all`\n2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.\n3. Set `SF_CRYPTO_V2=true` env var.\n4. Re-Authenticate with your orgs using the CLI org login commands."]]));
+const makeSecureBuffer = (password, encoding) => {
     const newSb = new secureBuffer_1.SecureBuffer();
-    newSb.consume(Buffer.from((0, ts_types_1.ensure)(password), 'utf8'));
+    newSb.consume(Buffer.from(password, encoding));
     return newSb;
 };
 /**
@@ -74,14 +147,19 @@ const keychainPromises = {
             return new Promise((resolve, reject) => _keychain.getPassword({ service, account }, (err, password) => {
                 if (err)
                     return reject(err);
-                cache_1.Cache.set(cacheKey, makeSecureBuffer(password));
-                return resolve({ username: account, password: (0, ts_types_1.ensure)(password) });
+                const pwd = (0, ts_types_1.ensure)(password, 'Expected the keychain password to be set');
+                detectCryptoVersion(pwd);
+                cache_1.Cache.set(cacheKey, makeSecureBuffer(pwd, ENCODING[getCryptoVersion()]));
+                return resolve({ username: account, password: pwd });
             }));
         }
         else {
-            const pw = sb.value((buffer) => buffer.toString('utf8'));
-            cache_1.Cache.set(cacheKey, makeSecureBuffer(pw));
-            return new Promise((resolve) => resolve({ username: account, password: (0, ts_types_1.ensure)(pw) }));
+            // If the password is cached, we know the crypto version and encoding because it was
+            // detected by the non-cache code path just above this.
+            const encoding = ENCODING[getCryptoVersion()];
+            const pwd = (0, ts_types_1.ensure)(sb.value((buffer) => buffer.toString(encoding)), 'Expected the keychain password to be set');
+            cache_1.Cache.set(cacheKey, makeSecureBuffer(pwd, encoding));
+            return new Promise((resolve) => resolve({ username: account, password: pwd }));
         }
     },
     /**
@@ -116,6 +194,11 @@ class Crypto extends kit_1.AsyncOptionalCreatable {
         this.key = new secureBuffer_1.SecureBuffer();
         this.options = options ?? {};
     }
+    // @ts-expect-error only for test access
+    // eslint-disable-next-line class-methods-use-this
+    static unsetCryptoVersion() {
+        cryptoVersion = undefined;
+    }
     encrypt(text) {
         if (text == null) {
             return;
@@ -123,14 +206,13 @@ class Crypto extends kit_1.AsyncOptionalCreatable {
         if (this.key == null) {
             throw messages.createError('keychainPasswordCreationError');
         }
-        const iv = crypto.randomBytes(BYTE_COUNT_FOR_IV).toString('hex');
-        return this.key.value((buffer) => {
-            const cipher = crypto.createCipheriv(ALGO, buffer.toString('utf8'), iv);
-            let encrypted = cipher.update(text, 'utf8', 'hex');
-            encrypted += cipher.final('hex');
-            const tag = cipher.getAuthTag().toString('hex');
-            return `${iv}${encrypted}${TAG_DELIMITER}${tag}`;
-        });
+        // When everything is v2, we can remove the else
+        if (this.isV2Crypto()) {
+            return this.encryptV2(text);
+        }
+        else {
+            return this.encryptV1(text);
+        }
     }
     decrypt(text) {
         if (text == null) {
@@ -140,27 +222,13 @@ class Crypto extends kit_1.AsyncOptionalCreatable {
         if (tokens.length !== 2) {
             throw messages.createError('invalidEncryptedFormatError');
         }
-        const tag = tokens[1];
-        const iv = tokens[0].substring(0, BYTE_COUNT_FOR_IV * 2);
-        const secret = tokens[0].substring(BYTE_COUNT_FOR_IV * 2, tokens[0].length);
-        return this.key.value((buffer) => {
-            const decipher = crypto.createDecipheriv(ALGO, buffer.toString('utf8'), iv);
-            let dec;
-            try {
-                decipher.setAuthTag(Buffer.from(tag, 'hex'));
-                dec = decipher.update(secret, 'hex', 'utf8');
-                dec += decipher.final('utf8');
-            }
-            catch (err) {
-                const error = messages.createError('authDecryptError', [err.message], [], err);
-                const useGenericUnixKeychain = kit_1.env.getBoolean('SF_USE_GENERIC_UNIX_KEYCHAIN') || kit_1.env.getBoolean('USE_GENERIC_UNIX_KEYCHAIN');
-                if (os.platform() === 'darwin' && !useGenericUnixKeychain) {
-                    error.actions = [messages.getMessage('macKeychainOutOfSync')];
-                }
-                throw error;
-            }
-            return dec;
-        });
+        // When everything is v2, we can remove the else
+        if (this.isV2Crypto()) {
+            return this.decryptV2(tokens);
+        }
+        else {
+            return this.decryptV1(tokens);
+        }
     }
     /**
      * Takes a best guess if the value provided was encrypted by {@link Crypto.encrypt} by
@@ -181,7 +249,7 @@ class Crypto extends kit_1.AsyncOptionalCreatable {
         const tag = tokens[1];
         const value = tokens[0];
         return (tag.length === AUTH_TAG_LENGTH &&
-            value.length >= BYTE_COUNT_FOR_IV &&
+            value.length >= IV_BYTES[getCryptoVersion()] &&
             ENCRYPTED_CHARS.test(tag) &&
             ENCRYPTED_CHARS.test(tokens[0]));
     }
@@ -193,33 +261,39 @@ class Crypto extends kit_1.AsyncOptionalCreatable {
             this.key.clear();
         }
     }
+    // eslint-disable-next-line class-methods-use-this
+    isV2Crypto() {
+        return getCryptoVersion() === 'v2';
+    }
     /**
      * Initialize async components.
      */
     async init() {
-        const logger = await logger_1.Logger.child('crypto');
         if (!this.options.platform) {
             this.options.platform = os.platform();
         }
-        logger.debug(`retryStatus: ${this.options.retryStatus}`);
         this.noResetOnClose = !!this.options.noResetOnClose;
         try {
-            this.key.consume(Buffer.from((await keychainPromises.getPassword(await this.getKeyChain(this.options.platform), KEY_NAME, ACCOUNT))
-                .password, 'utf8'));
+            const keyChain = await this.getKeyChain(this.options.platform);
+            const pwd = (await keychainPromises.getPassword(keyChain, KEY_NAME, ACCOUNT)).password;
+            // The above line ensures the crypto version is detected and set so we can rely on it now.
+            this.key.consume(Buffer.from(pwd, ENCODING[getCryptoVersion()]));
         }
         catch (err) {
             // No password found
             if (err.name === 'PasswordNotFoundError') {
                 // If we already tried to create a new key then bail.
                 if (this.options.retryStatus === 'KEY_SET') {
-                    logger.debug('a key was set but the retry to get the password failed.');
+                    getCryptoLogger().debug('a key was set but the retry to get the password failed.');
                     throw err;
                 }
                 else {
-                    logger.debug('password not found in keychain attempting to created one and re-init.');
+                    getCryptoLogger().debug(`password not found in keychain. Creating new one (Crypto ${getCryptoVersion()}) and re-init.`);
                 }
-                const key = crypto.randomBytes(Math.ceil(16)).toString('hex');
-                // Create a new password in the KeyChain.
+                // 2/6/2024: This generates a new key using the crypto version based on the SF_CRYPTO_V2 env var.
+                // Sometime in the future we could hardcode this to be `KEY_SIZE.v2` so that it becomes the default.
+                const key = crypto.randomBytes(KEY_SIZE[getCryptoVersion()]).toString('hex');
+                // Set the new password in the KeyChain.
                 await keychainPromises.setPassword((0, ts_types_1.ensure)(this.options.keychain), KEY_NAME, ACCOUNT, key);
                 return this.init();
             }
@@ -228,6 +302,68 @@ class Crypto extends kit_1.AsyncOptionalCreatable {
             }
         }
     }
+    encryptV1(text) {
+        const iv = crypto.randomBytes(IV_BYTES.v1).toString('hex');
+        return this.key.value((buffer) => {
+            const cipher = crypto.createCipheriv(ALGO, buffer.toString('utf8'), iv);
+            let encrypted = cipher.update(text, 'utf8', 'hex');
+            encrypted += cipher.final('hex');
+            const tag = cipher.getAuthTag().toString('hex');
+            return `${iv}${encrypted}${TAG_DELIMITER}${tag}`;
+        });
+    }
+    encryptV2(text) {
+        const iv = crypto.randomBytes(IV_BYTES.v2);
+        return this.key.value((buffer) => {
+            const cipher = crypto.createCipheriv(ALGO, buffer, iv);
+            const ivHex = iv.toString('hex');
+            let encrypted = cipher.update(text, 'utf8', 'hex');
+            encrypted += cipher.final('hex');
+            const tag = cipher.getAuthTag().toString('hex');
+            return `${ivHex}${encrypted}${TAG_DELIMITER}${tag}`;
+        });
+    }
+    decryptV1(tokens) {
+        const tag = tokens[1];
+        const iv = tokens[0].substring(0, IV_BYTES.v1 * 2);
+        const secret = tokens[0].substring(IV_BYTES.v1 * 2, tokens[0].length);
+        return this.key.value((buffer) => {
+            const decipher = crypto.createDecipheriv(ALGO, buffer.toString('utf8'), iv);
+            try {
+                decipher.setAuthTag(Buffer.from(tag, 'hex'));
+                return `${decipher.update(secret, 'hex', 'utf8')}${decipher.final('utf8')}`;
+            }
+            catch (err) {
+                const error = messages.createError('authDecryptError', [err.message], [], err);
+                const useGenericUnixKeychain = kit_1.env.getBoolean('SF_USE_GENERIC_UNIX_KEYCHAIN') || kit_1.env.getBoolean('USE_GENERIC_UNIX_KEYCHAIN');
+                if (os.platform() === 'darwin' && !useGenericUnixKeychain) {
+                    error.actions = [messages.getMessage('macKeychainOutOfSync')];
+                }
+                throw error;
+            }
+        });
+    }
+    decryptV2(tokens) {
+        const tag = tokens[1];
+        const iv = tokens[0].substring(0, IV_BYTES.v2 * 2);
+        const secret = tokens[0].substring(IV_BYTES.v2 * 2, tokens[0].length);
+        return this.key.value((buffer) => {
+            const decipher = crypto.createDecipheriv(ALGO, buffer, Buffer.from(iv, 'hex'));
+            try {
+                decipher.setAuthTag(Buffer.from(tag, 'hex'));
+                return `${decipher.update(secret, 'hex', 'utf8')}${decipher.final('utf8')}`;
+            }
+            catch (_err) {
+                const err = ((0, ts_types_1.isString)(_err) ? sfError_1.SfError.wrap(_err) : _err);
+                const error = messages.createError('authDecryptError', [err.message], [], err);
+                const useGenericUnixKeychain = kit_1.env.getBoolean('SF_USE_GENERIC_UNIX_KEYCHAIN') || kit_1.env.getBoolean('USE_GENERIC_UNIX_KEYCHAIN');
+                if (os.platform() === 'darwin' && !useGenericUnixKeychain) {
+                    error.actions = [messages.getMessage('macKeychainOutOfSync')];
+                }
+                throw error;
+            }
+        });
+    }
     async getKeyChain(platform) {
         if (!this.options.keychain) {
             this.options.keychain = await (0, keyChain_1.retrieveKeychain)(platform);

package/lib/crypto/keyChain.js

@@ -12,7 +12,7 @@ const logger_1 = require("../logger/logger");
 const messages_1 = require("../messages");
 const keyChainImpl_1 = require("./keyChainImpl");
 ;
-const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."]]));
+const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."], ["v1CryptoWithV2KeyWarning", "The SF_CRYPTO_V2 environment variable was set to \"false\" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable."], ["v2CryptoWithV1KeyWarning", "SF_CRYPTO_V2 was set to \"true\" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:\n\n1. Logout of all orgs: `sf org logout --all`\n2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.\n3. Set `SF_CRYPTO_V2=true` env var.\n4. Re-Authenticate with your orgs using the CLI org login commands."]]));
 /**
  * Gets the os level keychain impl.
  *

package/lib/crypto/keyChainImpl.js

@@ -41,7 +41,7 @@ const kit_1 = require("@salesforce/kit");
 const global_1 = require("../global");
 const messages_1 = require("../messages");
 ;
-const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."]]));
+const messages = new messages_1.Messages('@salesforce/core', 'encryption', new Map([["invalidEncryptedFormatError", "The encrypted data is not properly formatted."], ["invalidEncryptedFormatError.actions", ["If attempting to create a scratch org then re-authorize. Otherwise create a new scratch org."]], ["authDecryptError", "Failed to decipher auth data. reason: %s."], ["unsupportedOperatingSystemError", "Unsupported Operating System: %s"], ["missingCredentialProgramError", "Unable to find required security software: %s"], ["credentialProgramAccessError", "Unable to execute security software: %s"], ["passwordRetryError", "Failed to get the password after %i retries."], ["passwordRequiredError", "A password is required."], ["keyChainServiceRequiredError", "Unable to get or set a keychain value without a service name."], ["keyChainAccountRequiredError", "Unable to get or set a keychain value without an account name."], ["keyChainUserCanceledError", "User canceled authentication."], ["keychainPasswordCreationError", "Failed to create a password in the keychain."], ["genericKeychainServiceError", "The service and account specified in %s do not match the version of the toolbelt."], ["genericKeychainServiceError.actions", ["Check your toolbelt version and re-auth."]], ["genericKeychainInvalidPermsError", "Invalid file permissions for secret file"], ["genericKeychainInvalidPermsError.actions", ["Ensure the file %s has the file permission octal value of %s."]], ["passwordNotFoundError", "Could not find password.\n%s"], ["passwordNotFoundError.actions", ["Ensure a valid password is returned with the following command: [%s]"]], ["setCredentialError", "Command failed with response:\n%s"], ["setCredentialError.actions", ["Determine why this command failed to set an encryption key for user %s: [%s]."]], ["macKeychainOutOfSync", "We\u2019ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands."], ["v1CryptoWithV2KeyWarning", "The SF_CRYPTO_V2 environment variable was set to \"false\" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable."], ["v2CryptoWithV1KeyWarning", "SF_CRYPTO_V2 was set to \"true\" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:\n\n1. Logout of all orgs: `sf org logout --all`\n2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.\n3. Set `SF_CRYPTO_V2=true` env var.\n4. Re-Authenticate with your orgs using the CLI org login commands."]]));
 const GET_PASSWORD_RETRY_COUNT = 3;
 /**
  * Helper to reduce an array of cli args down to a presentable string for logging.

package/lib/org/authInfo.js

@@ -210,8 +210,10 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @param options The options to generate the URL.
      */
     static getAuthorizationUrl(options, oauth2) {
-        // Always use a verifier for enhanced security
-        options.useVerifier = true;
+        // Unless explicitly turned off, use a code verifier for enhanced security
+        if (options.useVerifier !== false) {
+            options.useVerifier = true;
+        }
         const oauth2Verifier = oauth2 ?? new jsforce_1.OAuth2(options);
         // The state parameter allows the redirectUri callback listener to ignore request
         // that don't contain the state value.

package/lib/util/lockRetryOptions.js

@@ -8,9 +8,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.lockRetryOptions = exports.lockOptions = void 0;
 // docs: https://github.com/moxystudio/node-proper-lockfile
-exports.lockOptions = { stale: 10000 };
+exports.lockOptions = { stale: 10_000 };
 exports.lockRetryOptions = {
     ...exports.lockOptions,
-    retries: { retries: 10, maxTimeout: 1000, factor: 2 },
+    retries: { retries: 10, maxTimeout: 1_000, factor: 2 },
 };
 //# sourceMappingURL=lockRetryOptions.js.map

package/lib/util/time.js

@@ -8,6 +8,6 @@ exports.nowBigInt = void 0;
  * For full license text, see LICENSE.txt file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
 const node_perf_hooks_1 = require("node:perf_hooks");
-const nowBigInt = () => BigInt((node_perf_hooks_1.performance.now() + node_perf_hooks_1.performance.timeOrigin) * 1000000);
+const nowBigInt = () => BigInt((node_perf_hooks_1.performance.now() + node_perf_hooks_1.performance.timeOrigin) * 1_000_000);
 exports.nowBigInt = nowBigInt;
 //# sourceMappingURL=time.js.map

package/lib/webOAuthServer.js

@@ -155,6 +155,9 @@ class WebOAuthServer extends kit_1.AsyncCreatable {
             this.oauthConfig.loginUrl = authInfo_1.AuthInfo.getDefaultInstanceUrl();
         if (!this.oauthConfig.redirectUri)
             this.oauthConfig.redirectUri = `http://localhost:${port}/OauthRedirect`;
+        // Unless explicitly turned off, use a code verifier as a best practice
+        if (this.oauthConfig.useVerifier !== false)
+            this.oauthConfig.useVerifier = true;
         this.webServer = await WebServer.create({ port });
         this.oauth2 = new jsforce_1.OAuth2(this.oauthConfig);
         this.authUrl = authInfo_1.AuthInfo.getAuthorizationUrl(this.oauthConfig, this.oauth2);
@@ -250,6 +253,7 @@ class WebOAuthServer extends kit_1.AsyncCreatable {
             this.logger.debug(`oauthConfig.loginUrl: ${this.oauthConfig.loginUrl}`);
             this.logger.debug(`oauthConfig.clientId: ${this.oauthConfig.clientId}`);
             this.logger.debug(`oauthConfig.redirectUri: ${this.oauthConfig.redirectUri}`);
+            this.logger.debug(`oauthConfig.useVerifier: ${this.oauthConfig.useVerifier}`);
             return authCode;
         }
         return null;

package/messages/encryption.md

@@ -83,3 +83,16 @@ Command failed with response:
 # macKeychainOutOfSync
 
 We’ve encountered an error with the Mac keychain being out of sync with your `sfdx` credentials. To fix the problem, sync your credentials by authenticating into your org again using the auth commands.
+
+# v1CryptoWithV2KeyWarning
+
+The SF_CRYPTO_V2 environment variable was set to "false" but a v2 crypto key was detected. v1 crypto can only be used with a v1 key. Unset the SF_CRYPTO_V2 environment variable.
+
+# v2CryptoWithV1KeyWarning
+
+SF_CRYPTO_V2 was set to "true" but a v1 crypto key was detected. v2 crypto can only be used with a v2 key. To generate a v2 key:
+
+1. Logout of all orgs: `sf org logout --all`
+2. Delete the sfdx keychain entry (account: local, service: sfdx). If `SF_USE_GENERIC_UNIX_KEYCHAIN=true` env var is set, you can delete the `key.json` file.
+3. Set `SF_CRYPTO_V2=true` env var.
+4. Re-Authenticate with your orgs using the CLI org login commands.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/core",
-  "version": "6.6.0",
+  "version": "6.7.1",
   "description": "Core libraries to interact with SFDX projects, orgs, and APIs.",
   "main": "lib/exported",
   "types": "lib/exported.d.ts",
@@ -62,13 +62,13 @@
     "@salesforce/ts-sinon": "^1.4.19",
     "@types/benchmark": "^2.1.5",
     "@types/chai-string": "^1.4.5",
-    "@types/jsonwebtoken": "9.0.5",
+    "@types/jsonwebtoken": "9.0.6",
     "@types/proper-lockfile": "^4.1.4",
     "benchmark": "^2.1.4",
     "chai-string": "^1.5.0",
     "ts-node": "^10.9.2",
     "ts-patch": "^3.1.1",
-    "typescript": "^5.3.3"
+    "typescript": "^5.4.2"
   },
   "repository": {
     "type": "git",