sjudson / paseto.js

PASETO: Platform-Agnostic Security Tokens
MIT License

Cannot resolve dependency '../build/Release/extcrypto_addon' #9

Closed davidperrenoud closed 5 years ago

davidperrenoud commented 5 years ago

When compiling for the browser using Parcel I get the error:

🚨  ./node_modules/paseto.js/extcrypto/index.js:1:35: 
Cannot resolve dependency '../build/Release/extcrypto_addon' at './node_modules/paseto.js/build/Release/extcrypto_addon'

Would it be possible to make the import of extcrypto_addon conditional at compile time for the browser?

Some V2 functions seem to work fine when I comment out the extcrypto_addon line, thanks to Parcel's automatic import of node-libs-browser.

sjudson commented 5 years ago

Although as noted in the readme I intend to add browser support for public token verification in the near future, at present paseto.js is for server-side runtimes only. I strongly recommend you do not use this library in the browser at present. As such, I'm going to close this issue. If this problem arises when I add browser support I will deal with it then.

Thanks for reporting the issue.

davidperrenoud commented 5 years ago

Do you mean that there are some major security concerns when using this library in the browser? As far as I understand, only the crypto.randomBytes function is needed for V2 tokens which can be trivially implemented in recent browsers.

sjudson commented 5 years ago

Yes, there are major security concerns with doing any sort of cryptography in the browser, this library included. As noted I do intend limited support just for public token verification through a special API for the browser. But the library in its current form should only be used server side.

grempe commented 5 years ago

I would like to implement a server-side use of Paseto in the context of a Cloudflare Worker. Paseto, especially for simple verification of v2 tokens, is a perfect fit for performing the first line of auth at the edge of the network. However, the V8 runtime that Cloudflare provides access to within a worker will not allow compilation of code. If there were a variant of the lib that allowed disabling of the compilation (it's only used in the context of a v1 token, I believe) that would be great. As it is now, it's not possible to do so without forking the lib.

More about Cloudflare workers and the context they have available.

https://workers.cloudflare.com/
https://workers.cloudflare.com/docs/reference/runtime/apis/web-crypto/
https://workers.cloudflare.com/docs/reference/workers-concepts/security/

It would be great if you could think of a way to allow Paseto to work in this scenario.

Cheers
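
For reference on what "simple verification of v2 tokens" involves, the following is an added example and not code from paseto.js or from anyone in this thread: server-side `v2.public` verification as laid out in the PASETO v2 specification, using only Node's built-in `crypto` module (Ed25519). The names `verifyV2Public`, `signV2Public`, `pae` and `le64` are hypothetical, and the signing helper exists only to build constructed sample tokens.

```javascript
const nodeCrypto = require("crypto");

const HEADER = "v2.public.";
const SIG_LEN = 64; // Ed25519 signatures are 64 bytes
const B64URL = /^[A-Za-z0-9_-]+$/; // strict: Buffer.from() silently skips bad characters

const enc = (buf) =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const dec = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");

// Pre-Authentication Encoding (PAE): LE64(count) || LE64(len(p1)) || p1 || ...
function le64(n) {
  const b = Buffer.alloc(8);
  b.writeBigUInt64LE(BigInt(n));
  return b;
}
function pae(pieces) {
  return Buffer.concat([le64(pieces.length), ...pieces.flatMap((p) => [le64(p.length), p])]);
}

// Returns the payload as a Buffer, or null on any failure (fails closed).
function verifyV2Public(token, publicKey) {
  if (typeof token !== "string" || !token.startsWith(HEADER)) return null;
  const parts = token.slice(HEADER.length).split(".");
  if (parts.length > 2 || !parts.every((p) => B64URL.test(p))) return null;
  const body = dec(parts[0]);
  const footer = parts.length === 2 ? dec(parts[1]) : Buffer.alloc(0);
  if (body.length < SIG_LEN) return null;
  const msg = body.subarray(0, body.length - SIG_LEN);
  const sig = body.subarray(body.length - SIG_LEN);
  // The signature covers header, message and footer together via PAE.
  const signed = pae([Buffer.from(HEADER), msg, footer]);
  return nodeCrypto.verify(null, signed, publicKey, sig) ? msg : null;
}

// Helper for building constructed sample tokens only.
function signV2Public(payload, privateKey, footer = "") {
  const m = Buffer.from(payload);
  const f = Buffer.from(footer);
  const sig = nodeCrypto.sign(null, pae([Buffer.from(HEADER), m, f]), privateKey);
  const token = HEADER + enc(Buffer.concat([m, sig]));
  return f.length ? token + "." + enc(f) : token;
}
```

Checking `exp` and other claims in the returned payload is left to the caller; this covers the signature step only.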