jamdesk 1.1.21 → 1.1.23

package/vendored/shared/auth-cookie.ts

@@ -0,0 +1,163 @@
+/**
+ * Edge-safe auth cookie signing and verification.
+ *
+ * Uses Web Crypto (crypto.subtle) which works in both Vercel Edge Runtime
+ * and Node.js v15+. Never import Node 'crypto' here — middleware-helpers.ts
+ * is a hard rule about not importing Node modules from edge-bound code.
+ *
+ * Payload binds slug + host + version + expiresAt. Host binding is
+ * essential to prevent cross-host cookie replay between a project
+ * subdomain (acme.jamdesk.app) and a custom domain mirror (docs.acme.com)
+ * when they share a project slug and version number.
+ *
+ * Cannot reuse shared/crypto-helpers.ts:secretsEqual because that helper
+ * uses Node `crypto.createHmac` for its HMAC-then-timingSafeEqual trick —
+ * which is not available in Edge runtime. This module reimplements a
+ * minimal constant-time compare over Uint8Array outputs from Web Crypto.
+ *
+ * Cookie wire format:
+ *   base64url(`v1.${version}.${expiresAt}.${base64url(HMAC_SHA256(`v1|${slug}|${host}|${version}|${expiresAt}`, secret))}`)
+ *
+ * The "v1" prefix on both the HMAC input and the body makes it safe to
+ * rotate the payload format in the future without silently accepting old
+ * cookies with a different binding.
+ */
+
+const FORMAT_VERSION = 'v1';
+
+export interface AuthCookiePayload {
+  slug: string;
+  host: string;
+  version: number;
+  expiresAt: number; // ms since epoch
+}
+
+export interface VerifyExpectation {
+  slug: string;
+  host: string;
+  version: number;
+}
+
+export interface VerifyResult {
+  valid: boolean;
+  expiresAt?: number;
+}
+
+function base64url(bytes: Uint8Array): string {
+  // Build the binary string with a loop instead of `String.fromCharCode(...bytes)` —
+  // the spread form blows the call stack on large buffers (~65k args on V8).
+  let bin = '';
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+function fromBase64url(s: string): Uint8Array {
+  // Reject any character outside the base64url alphabet before handing to atob,
+  // whose tolerance for bad input varies across runtimes.
+  if (!/^[A-Za-z0-9_-]*$/.test(s)) {
+    throw new Error('invalid base64url');
+  }
+  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
+  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
+  const bytes = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+  return bytes;
+}
+
+async function importKey(secret: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign', 'verify']
+  );
+}
+
+async function hmac(secret: string, data: string): Promise<Uint8Array> {
+  const key = await importKey(secret);
+  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(data));
+  return new Uint8Array(sig);
+}
+
+/**
+ * Constant-time compare over Uint8Arrays. Cannot reuse shared/crypto-helpers.ts:secretsEqual
+ * because that helper uses Node `crypto.createHmac` which is not available in Edge runtime.
+ */
+function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+
+function buildSignInput(
+  slug: string,
+  host: string,
+  version: number,
+  expiresAt: number
+): string {
+  // Use a delimiter that cannot appear in slug or host (both are bounded to
+  // [a-z0-9.-]) — '|' guarantees no field boundary ambiguity.
+  return `${FORMAT_VERSION}|${slug}|${host}|${version}|${expiresAt}`;
+}
+
+/**
+ * Sign a cookie payload. Returns the full cookie value string to put in Set-Cookie.
+ */
+export async function signAuthCookie(
+  payload: AuthCookiePayload,
+  secret: string
+): Promise<string> {
+  const sig = await hmac(
+    secret,
+    buildSignInput(payload.slug, payload.host, payload.version, payload.expiresAt)
+  );
+  // Body carries only the fields the client needs to decode; slug and host
+  // are known at verify time from the request itself, so they're not transmitted.
+  const body = `${FORMAT_VERSION}.${payload.version}.${payload.expiresAt}.${base64url(sig)}`;
+  return base64url(new TextEncoder().encode(body));
+}
+
+/**
+ * Verify a cookie value against the expected slug, host, and version.
+ * Returns { valid: false } on any failure (including malformed input).
+ */
+export async function verifyAuthCookie(
+  cookie: string,
+  expected: VerifyExpectation,
+  secret: string
+): Promise<VerifyResult> {
+  try {
+    if (!cookie) return { valid: false };
+    const bodyBytes = fromBase64url(cookie);
+    const body = new TextDecoder().decode(bodyBytes);
+    const parts = body.split('.');
+    if (parts.length !== 4) return { valid: false };
+
+    const [formatVersion, versionStr, expiresAtStr, sigB64] = parts;
+    if (formatVersion !== FORMAT_VERSION) return { valid: false };
+
+    const version = Number(versionStr);
+    const expiresAt = Number(expiresAtStr);
+    // Use isSafeInteger to reject floats, Infinity, NaN, and scientific notation
+    // like "1e100" — our version and expiresAt fields are always integers.
+    if (!Number.isSafeInteger(version) || !Number.isSafeInteger(expiresAt)) {
+      return { valid: false };
+    }
+
+    if (version !== expected.version) return { valid: false };
+    if (expiresAt <= Date.now()) return { valid: false };
+
+    const expectedSig = await hmac(
+      secret,
+      buildSignInput(expected.slug, expected.host, version, expiresAt)
+    );
+    const actualSig = fromBase64url(sigB64);
+    if (!constantTimeEqual(expectedSig, actualSig)) return { valid: false };
+
+    return { valid: true, expiresAt };
+  } catch {
+    return { valid: false };
+  }
+}