@workos-inc/node 7.49.0 → 7.50.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/vault/cryptography/decrypt.d.ts +1 -1
- package/lib/vault/cryptography/decrypt.js +5 -3
- package/lib/vault/cryptography/encrypt.d.ts +1 -1
- package/lib/vault/cryptography/encrypt.js +4 -2
- package/lib/vault/vault-live-test.spec.js +15 -0
- package/lib/vault/vault.d.ts +2 -2
- package/lib/vault/vault.js +4 -4
- package/lib/workos.js +1 -1
- package/package.json +1 -1
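--- a/package/lib/vault/cryptography/decrypt.d.ts
+++ b/package/lib/vault/cryptography/decrypt.d.ts
@@ -5,5 +5,5 @@ export interface Decoded {
 keys: string;
 ciphertext: Buffer;
 }
-export declare const decrypt: (payload: string | Decoded, dataKey: string) => string;
+export declare const decrypt: (payload: string | Decoded, dataKey: string, aad: string) => string;
 export declare const decode: (payload: string) => Decoded;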
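Review bot: The new `aad` parameter on `decrypt` carries no TSDoc, and the same is true of the matching parameter added to `encrypt` in encrypt.d.ts; its contract is the non-obvious part of this change, because the string is authenticated but not encrypted, is not stored in the payload, and decryption only succeeds when the caller passes the identical value that was given to `encrypt`. A one-line TSDoc on each declaration would capture that, e.g. `/** @param aad Additional authenticated data; must equal the value used at encryption and is not recoverable from the payload. */`. The `Decoded` interface this hunk is cut from starts above the hunk.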
@@ -6,14 +6,16 @@ Object.defineProperty(exports, "__esModule", { value: true });
6
6
|
exports.decode = exports.decrypt = void 0;
|
|
7
7
|
const crypto_1 = __importDefault(require("crypto"));
|
|
8
8
|
const leb_1 = require("leb");
|
|
9
|
-
const decrypt = (payload, dataKey) => {
|
|
9
|
+
const decrypt = (payload, dataKey, aad) => {
|
|
10
10
|
if (typeof payload === 'string') {
|
|
11
11
|
payload = (0, exports.decode)(payload);
|
|
12
12
|
}
|
|
13
13
|
const { iv, tag, ciphertext } = payload;
|
|
14
14
|
const key = Buffer.from(dataKey, 'base64');
|
|
15
|
-
const decipher = crypto_1.default
|
|
16
|
-
|
|
15
|
+
const decipher = crypto_1.default
|
|
16
|
+
.createDecipheriv('aes-256-gcm', key, iv)
|
|
17
|
+
.setAAD(Buffer.from(aad))
|
|
18
|
+
.setAuthTag(tag);
|
|
17
19
|
const decrypted = decipher.update(ciphertext, undefined, 'utf-8') + decipher.final('utf-8');
|
|
18
20
|
return decrypted;
|
|
19
21
|
};
|
|
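Review bot: `Buffer.from(aad)` on the new `.setAAD` line throws a TypeError when `aad` is undefined, so a JavaScript caller of this exported function that still passes two arguments gets an argument-type error rather than an authentication failure; the same applies to the `.setAAD(Buffer.from(aad))` line added in encrypt.js. The Vault wrapper in vault.js normalizes an omitted value with `associatedData || ''`, but that guard lives only in the wrapper. If the low-level functions are meant to be callable directly, `.setAAD(Buffer.from(aad ?? ''))` would make an omitted AAD behave like an empty one, matching the wrapper; otherwise a comment should state the requirement, e.g. `// aad is required here; the Vault wrapper maps an omitted value to ''`. Note that `Buffer.from(aad)` encodes as UTF-8 by default in both files, so the authenticated bytes agree as long as both sides receive the same string.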
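--- a/package/lib/vault/cryptography/encrypt.d.ts
+++ b/package/lib/vault/cryptography/encrypt.d.ts
@@ -1 +1 @@
-export declare const encrypt: (data: string, dataKey: string, encryptedKeys: string) => string;
+export declare const encrypt: (data: string, dataKey: string, encryptedKeys: string, aad: string) => string;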
@@ -6,13 +6,15 @@ Object.defineProperty(exports, "__esModule", { value: true });
6
6
|
exports.encrypt = void 0;
|
|
7
7
|
const crypto_1 = __importDefault(require("crypto"));
|
|
8
8
|
const leb_1 = require("leb");
|
|
9
|
-
const encrypt = (data, dataKey, encryptedKeys) => {
|
|
9
|
+
const encrypt = (data, dataKey, encryptedKeys, aad) => {
|
|
10
10
|
// encrypt using the returned data key
|
|
11
11
|
const key = Buffer.from(dataKey, 'base64');
|
|
12
12
|
const keyBlob = Buffer.from(encryptedKeys, 'base64');
|
|
13
13
|
const prefixLen = (0, leb_1.encodeUInt32)(keyBlob.length);
|
|
14
14
|
const iv = crypto_1.default.randomBytes(32);
|
|
15
|
-
const cipher = crypto_1.default
|
|
15
|
+
const cipher = crypto_1.default
|
|
16
|
+
.createCipheriv('aes-256-gcm', key, iv)
|
|
17
|
+
.setAAD(Buffer.from(aad));
|
|
16
18
|
const ciphertext = Buffer.concat([
|
|
17
19
|
cipher.update(data, 'utf8'),
|
|
18
20
|
cipher.final(),
|
|
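Review bot: Nothing in the encrypted output records that associated data was applied: the new `.setAAD(Buffer.from(aad))` line binds `aad` only through the GCM authentication tag, so a reader of this function cannot tell from the serialized format that decryption now needs an extra input. A comment on that line would make the contract explicit, e.g. `// AAD is authenticated, not encrypted, and is not serialized into the output; decrypt() must be given the identical string.`. The rest of the `encrypt` body, including the tag retrieval and the return, continues below the hunk.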
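--- a/package/lib/vault/vault-live-test.spec.js
+++ b/package/lib/vault/vault-live-test.spec.js
@@ -241,5 +241,20 @@ describe.skip('Vault Live Test', () => {
 const decrypted = yield workos.vault.decrypt(encrypted);
 expect(decrypted).toBe(superObject);
 }));
+it('authenticates additional data', () => __awaiter(void 0, void 0, void 0, function* () {
+const data = 'hot water freezes faster than cold water';
+const keyContext = { everything: 'everywhere' };
+const aad = 'seq1';
+const encrypted = yield workos.vault.encrypt(data, keyContext, aad);
+const decrypted = yield workos.vault.decrypt(encrypted, aad);
+expect(decrypted).toBe(data);
+}));
+it('fails with invalid AD', () => __awaiter(void 0, void 0, void 0, function* () {
+const data = 'hot water freezes faster than cold water';
+const keyContext = { everything: 'everywhere' };
+const aad = 'seq1';
+const encrypted = yield workos.vault.encrypt(data, keyContext, aad);
+yield expect(() => workos.vault.decrypt(encrypted)).rejects.toThrow('unable to authenticate data');
+}));
 });
 });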
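Review bot: The new 'fails with invalid AD' case only exercises an omitted AAD; it never checks that a different AAD value is rejected, which is the property the feature exists to provide. A third case that encrypts with one string and decrypts with another would cover it, written in the same compiled style as the two cases above. Note also that the enclosing block is declared with `describe.skip` (see the hunk header), so none of these cases run as committed, presumably because they need live credentials; the `describe` starts above the hunk.
```javascript
it('fails with mismatched AD', () => __awaiter(void 0, void 0, void 0, function* () {
    const data = 'hot water freezes faster than cold water';
    const keyContext = { everything: 'everywhere' };
    const encrypted = yield workos.vault.encrypt(data, keyContext, 'seq1');
    yield expect(() => workos.vault.decrypt(encrypted, 'seq2')).rejects.toThrow('unable to authenticate data');
}));
```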
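--- a/package/lib/vault/vault.d.ts
+++ b/package/lib/vault/vault.d.ts
@@ -14,8 +14,8 @@ export declare class Vault {
 deleteObject(options: DeleteObjectOptions): Promise<void>;
 createDataKey(options: CreateDataKeyOptions): Promise<DataKeyPair>;
 decryptDataKey(options: DecryptDataKeyOptions): Promise<DataKey>;
-encrypt(data: string, context: KeyContext): Promise<string>;
-decrypt(encryptedData: string): Promise<string>;
+encrypt(data: string, context: KeyContext, associatedData?: string): Promise<string>;
+decrypt(encryptedData: string, associatedData?: string): Promise<string>;
 createSecret: (options: CreateObjectOptions) => Promise<ObjectMetadata>;
 listSecrets: (options?: PaginationOptions | undefined) => Promise<List<ObjectDigest>>;
 listSecretVersions: (options: ReadObjectOptions) => Promise<ObjectVersion[]>;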
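Review bot: `associatedData?` is optional on both new signatures, but nothing documents what omitting it means or that the two calls must agree, which is the one thing a caller of an AEAD wrapper has to get right. Suggest a TSDoc on `encrypt`, `/** @param associatedData Optional string authenticated alongside the ciphertext (not encrypted, not stored); decrypt must be given the same value. */`, and on `decrypt`, `/** @param associatedData Must equal the value passed to encrypt; a mismatch or omission rejects with an authentication error. */`. The `Vault` class declaration continues on both sides of the hunk.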
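--- a/package/lib/vault/vault.js
+++ b/package/lib/vault/vault.js
@@ -106,19 +106,19 @@ class Vault {
 return (0, vault_key_serializer_1.deserializeDecryptDataKeyResponse)(data);
 });
 }
-encrypt(data, context) {
+encrypt(data, context, associatedData) {
 return __awaiter(this, void 0, void 0, function* () {
 const { dataKey, encryptedKeys } = yield this.createDataKey({
 context,
 });
-return (0, encrypt_1.encrypt)(data, dataKey.key, encryptedKeys);
+return (0, encrypt_1.encrypt)(data, dataKey.key, encryptedKeys, associatedData || '');
 });
 }
-decrypt(encryptedData) {
+decrypt(encryptedData, associatedData) {
 return __awaiter(this, void 0, void 0, function* () {
 const decoded = (0, decrypt_1.decode)(encryptedData);
 const dataKey = yield this.decryptDataKey({ keys: decoded.keys });
-return (0, decrypt_1.decrypt)(decoded, dataKey.key);
+return (0, decrypt_1.decrypt)(decoded, dataKey.key, associatedData || '');
 });
 }
 }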
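Review bot: `associatedData || ''` on the two changed return lines turns an omitted argument into an empty AAD, which for AES-GCM is the same as authenticating no additional data, so a value encrypted without associated data still decrypts without it; that is a sensible default but deserves a comment, because the low-level `encrypt_1.encrypt` and `decrypt_1.decrypt` require the argument: `// undefined -> '' (no AAD); the cryptography helpers require a string`. As a point of style, `??` would state that intent more precisely than `||`, although the two are equivalent here since '' is the only falsy string. The `Vault` class continues above the hunk.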
package/lib/workos.js
CHANGED
|
@@ -31,7 +31,7 @@ const widgets_1 = require("./widgets/widgets");
|
|
|
31
31
|
const actions_1 = require("./actions/actions");
|
|
32
32
|
const vault_1 = require("./vault/vault");
|
|
33
33
|
const conflict_exception_1 = require("./common/exceptions/conflict.exception");
|
|
34
|
-
const VERSION = '7.
|
|
34
|
+
const VERSION = '7.50.0';
|
|
35
35
|
const DEFAULT_HOSTNAME = 'api.workos.com';
|
|
36
36
|
const HEADER_AUTHORIZATION = 'Authorization';
|
|
37
37
|
const HEADER_IDEMPOTENCY_KEY = 'Idempotency-Key';
|
package/package.json
CHANGED