Generate separate private key encrypt keys for each prompt

2021-01-19 20:56:57 +01:00 · 2021-01-19 20:56:57 +01:00 · cc10ff441f
commit cc10ff441f
parent c1c6812180
5 changed files with 11 additions and 4 deletions
--- a/backend/src/routes/oauth2/authorize.ts
+++ b/backend/src/routes/oauth2/authorize.ts
@ -7,6 +7,7 @@ import { ParamError, ScopeError } from '../../errors';
 import type { MyFastifyInstance, StudentsMode } from '../../types';

 import {
+  createKey,
  getSessionData, isObject, parseScopeParam, validateOptionalParam, validateParam,
 } from '../../utils';

@ -79,6 +80,7 @@ export default function registerAuthorize(server: MyFastifyInstance): void {
            value: request.query.code_challenge,
          },
          studentsMode,
+          promptSecret: createKey(),
        });

        await reply.redirect(urlJoin(websitePrefix, `/authenticate-prompt?prompt_id=${promptId}`));
--- a/backend/src/routes/website-api/resolvers/login-resolver.ts
+++ b/backend/src/routes/website-api/resolvers/login-resolver.ts
@ -6,7 +6,7 @@ import {
  Arg, Ctx, Mutation, Resolver,
 } from 'type-graphql';
 import {
-  encryptSymmetrical, encryptWithPublicKey, generatePrivatePublicPair, isObject, requireEnvHex,
+  encryptSymmetrical, encryptWithPublicKey, generatePrivatePublicPair, isObject,
 } from '../../../utils';
 import { InvalidVulcanCredentialsError, UnknownPromptError } from '../errors';
 import LoginResult from '../models/login-result';
@ -39,7 +39,7 @@ export default class LoginResolver {
    const { privateKey, publicKey } = await generatePrivatePublicPair();
    const encryptedPrivateKey = encryptSymmetrical(
      privateKey,
-      requireEnvHex('CREDENTIALS_PRIVATE_KEY_ENCRYPT_KEY'),
+      prompt.promptSecret,
    );
    const encryptedPassword = encryptWithPublicKey(password, publicKey);
    console.log(diaryList.map((e) => e.serialized.info));
--- a/backend/src/types.ts
+++ b/backend/src/types.ts
@ -24,6 +24,7 @@ export interface Prompt {
    method: 'plain' | 'S256';
  };
  studentsMode: StudentsMode;
+  promptSecret: Buffer;
  loginInfo?: {
    host: string;
    username: string;
--- a/backend/src/utils/crypto.ts
+++ b/backend/src/utils/crypto.ts
@ -18,6 +18,10 @@ export function generatePrivatePublicPair(): Promise<{
  });
 }

+export function createKey(): Buffer {
+  return crypto.randomBytes(32);
+}
+
 export function encryptSymmetrical(value: string, key: Buffer): string {
  const ivBuffer = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', key, ivBuffer);
--- a/backend/src/utils/index.ts
+++ b/backend/src/utils/index.ts
@ -11,8 +11,8 @@ export function requireEnv(name: string): string {
  return value;
 }

-export function requireEnvHex(name: string): Buffer {
-  return Buffer.from(requireEnv(name), 'hex');
+export function requireEnvBase64(name: string): Buffer {
+  return Buffer.from(requireEnv(name), 'base64');
 }

 export function parseIntStrict(value: string, radix = 10): number {