sjudson / paseto.js

PASETO: Platform-Agnostic Security Tokens
MIT License

Custom symmetric key doesn't seem to work, no output [Question] #14

Closed Extarys closed 5 years ago

Extarys commented 5 years ago

I'm trying to generate a key and use that for the token, but everything below the encrypt method doesn't work.

"paseto.js": "^0.1.3",

const crypto = require("crypto")
const Paseto = require("paseto.js")
const uuid = require("uuid/v4")

async function generateToken() {
    const message = {
        tokenId: uuid(), // Token Id
    }

    // Generate key
    //const key = crypto.randomBytes(32)

    const keyRaw = Buffer.from(
        "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
        "hex"
    )

    const sk = new Paseto.SymmetricKey(new Paseto.V2())

    await sk.inject(keyRaw)
    console.log(sk) // <-- output key object
    const encoder = sk.protocol()

    const token = await encoder.encrypt(message, sk)

    // No output below --v--
    console.log(message)
    console.log(token)

    return token
}
generateToken()

Output:

# node auth.js 
SymmetricKey {
  INFO_ENCRYPTION: 'paseto-encryption-key',
  INFO_AUTHENTICATION: 'paseto-auth-key-for-aead',
  _protocol: V2 { _repr: 'v2', _constants: { SYMMETRIC_KEY_BYTES: 32 } },
  _key:
   <Buffer de ad be ef de ad be ef de ad be ef de ad be ef de ad be ef de ad be ef de ad be ef de ad be ef> }

It may just be me but I find it as difficult as JWT to use for now :laughing:

solancer commented 5 years ago

@Extarys even I'm facing the same issue. Apparently this lib doesn't support encryption of JSON/objects; only simple strings work.

Extarys commented 5 years ago

@solancer thanks, I feel less alone. In the meantime I switched to branca, way easier to implement. For now it will do the job:

function encodeToken(key, payload) {
    const branca = require("branca")(key)

    payload.tid = payload.tid ? payload.tid : uuid()

    if (payload.exp) {
        payload.exp = payload.iat + payload.exp * 60
    } else {
        payload.ext = 60 * 60 * 24 // Default 1 day
    }

    return branca.encode(notepack.encode(payload))
}

I use notepack as it produces a shorter output and is the fastest library out there. I will try notepack with paseto eventually but I don't see the need to rush.

I will try a string instead once I have a shorter to-do list :)

neodon commented 5 years ago

It does appear that encoder.encrypt accepts a string or buffer and doesn't automatically encode other types for you. I think this makes sense given PASETO's goal, which is to provide Platform-Agnostic Security Tokens. Adding stringification via JSON.stringify, notepack, etc. might be too opinionated for this project.

Can you confirm if replacing const token = await encoder.encrypt(message, sk) with const token = await encoder.encrypt(JSON.stringify(message), sk) resolves this issue? You can even use notepack there because encrypt() accepts a string or a buffer.
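
The serialization step suggested above, as an added example that is not part of the thread or of paseto.js: claims are checked and turned into a JSON string before they reach a string/Buffer-only encrypt(), and checked again after decrypt(). All function names are hypothetical; encrypt and decrypt are injected so the block runs without the library, and decrypt is assumed to take (token, key) like encrypt does.

```javascript
// Added example: keep the object <-> string conversion at the token boundary.
// With paseto.js, `encrypt` would be (p, k) => encoder.encrypt(p, k); the
// matching decrypt(token, key) call is an assumption, it is not shown on the page.

function isPlainObject(value) {
    return value !== null && typeof value === "object" && !Array.isArray(value)
}

function serializeClaims(claims) {
    if (!isPlainObject(claims)) {
        throw new TypeError("claims must be a plain object")
    }
    // JSON.stringify silently drops undefined and function values, so a claim
    // could vanish from the token without any error. Reject those up front.
    for (const [name, value] of Object.entries(claims)) {
        if (value === undefined || typeof value === "function") {
            throw new TypeError(`claim "${name}" is not JSON-serializable`)
        }
    }
    return JSON.stringify(claims) // still throws on BigInt / circular references
}

function parseClaims(plaintext) {
    const text = Buffer.isBuffer(plaintext) ? plaintext.toString("utf8") : plaintext
    if (typeof text !== "string") {
        throw new TypeError("decrypted payload is not a string or Buffer")
    }
    const claims = JSON.parse(text) // SyntaxError if the payload is not JSON
    if (!isPlainObject(claims)) {
        throw new TypeError("decrypted payload is not a JSON object")
    }
    return claims
}

// encrypt(payload, key) only ever sees a string here, never a raw object.
async function encryptClaims(encrypt, claims, key) {
    return encrypt(serializeClaims(claims), key)
}

async function decryptClaims(decrypt, token, key) {
    return parseClaims(await decrypt(token, key))
}
```

Calling these from an async function inside try/catch makes a rejected encrypt() visible instead of ending the function without output.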

Extarys commented 5 years ago

Thanks @neodon, I cannot believe I fell for this and didn't think about providing a simple string. I guess I'm just used to using JSON for everything.

sjudson commented 5 years ago

@Extarys - At the moment I don't have support for JSON encoding directly, but it is intended at some point. My time to maintain this library has fallen off to some minimum maintenance, but I'm hoping to find a window at some point to drop it in.

Extarys commented 5 years ago

I understand. But now that we found why it wasn't working, it's quite easy to implement how we want to convert our object to a string on our end.

Thanks for the time you put into this library, I understand the time constraint.