feat: uses create(de)Cipheriv instead of deprecated methods

BREAKING CHANGE: min node is 12.14.x, upgrades internal dependencies and hardens minimum
shared secret requirements. Introduces new token format of <version><iv><payload>, so that
in the future breaking changes are easier to mitigate. For back-compatibility introduces
ability to specify legacy secret with a length of 24, which is supported by createCipher/createDecipher.

Author: AVVS

.eslintrc

@@ -1,7 +1,6 @@
 {
   "extends": "makeomatic",
-  "parser": "babel-eslint",
   "rules": {
     "object-curly-newline": 0
-    }
+  }
 }

.mdeprc

@@ -1,3 +1,5 @@
 {
-  "node": "10.16.0"
+  "node": "12.14.1",
+  "auto_compose": true,
+  "with_local_compose": true
 }

.mocharc.json

@@ -0,0 +1,5 @@
+{
+  "require": "@babel/register",
+  "timeout": 10000,
+  "bail": true
+}

.releaserc.json

@@ -1,5 +1,5 @@
 {
-  "branch": "master",
+  "branches": ["master"],
   "analyzeCommits": {
     "preset": "angular",
     "releaseRules": [

README.md

@@ -40,7 +40,7 @@ const tokenManager = new TokenManager({
   },
   encrypt: {
     algorithm: 'aes256',
-    sharedSecret: Buffer.from('incredibly-long-secret'),
+    sharedSecret: Buffer.from('incredibly-long-secret-ooooohooo'),
   },
 });
 ```

package.json

@@ -30,43 +30,42 @@
   },
   "homepage": "https://github.com/makeomatic/ms-token#readme",
   "peerDependencies": {
-    "ioredis": "3.x.x || 4.x.x"
+    "ioredis": "4.x.x"
   },
   "engine": {
-    "node": ">= 8.9.0"
+    "node": ">= 12.14.0"
   },
   "devDependencies": {
-    "@babel/cli": "^7.4.4",
-    "@babel/core": "^7.4.5",
-    "@babel/plugin-proposal-class-properties": "^7.4.4",
-    "@babel/plugin-proposal-object-rest-spread": "^7.4.4",
-    "@babel/plugin-transform-strict-mode": "^7.2.0",
-    "@babel/register": "^7.4.4",
-    "@makeomatic/deploy": "^8.4.4",
-    "babel-eslint": "^10.0.2",
-    "babel-plugin-istanbul": "^5.1.4",
-    "codecov": "^3.5.0",
-    "cross-env": "^5.2.0",
-    "eslint": "^6.0.1",
-    "eslint-config-makeomatic": "^3.0.0",
-    "eslint-plugin-import": "^2.18.0",
-    "eslint-plugin-mocha": "^5.3.0",
+    "@babel/cli": "^7.8.3",
+    "@babel/core": "^7.8.3",
+    "@babel/plugin-proposal-class-properties": "^7.8.3",
+    "@babel/plugin-proposal-object-rest-spread": "^7.8.3",
+    "@babel/plugin-transform-strict-mode": "^7.8.3",
+    "@babel/register": "^7.8.3",
+    "@makeomatic/deploy": "^10.0.1",
+    "babel-plugin-istanbul": "^6.0.0",
+    "codecov": "^3.6.2",
+    "cross-env": "^6.0.3",
+    "eslint": "^6.8.0",
+    "eslint-config-makeomatic": "^4.0.0",
+    "eslint-plugin-import": "^2.20.0",
+    "eslint-plugin-mocha": "^6.2.2",
     "eslint-plugin-promise": "^4.2.1",
-    "ioredis": "^4.10.0",
-    "mocha": "^6.1.4",
-    "nyc": "^14.1.1",
-    "rimraf": "^2.6.3"
+    "ioredis": "^4.14.1",
+    "mocha": "^7.0.0",
+    "nyc": "^15.0.0",
+    "rimraf": "^3.0.0"
   },
   "dependencies": {
-    "@hapi/joi": "^15.0.0",
-    "base64-url": "^2.2.2",
-    "chance": "^1.0.18",
+    "@hapi/joi": "^17.1.0",
+    "base64-url": "^2.3.3",
+    "chance": "^1.1.4",
     "get-value": "^3.0.1",
-    "glob": "^7.1.4",
+    "glob": "^7.1.6",
     "is": "^3.3.0",
     "lodash.compact": "^3.0.1",
     "lodash.omit": "^4.5.0",
-    "uuid": "^3.3.2"
+    "uuid": "^3.4.0"
   },
   "files": [
     "src/",

src/actions/create.js

@@ -23,17 +23,19 @@ const schema = Joi
         .min(0)
         .max(Joi.ref('ttl')),
       Joi.boolean()
-        .only(true)
+        .valid(true)
     ),
 
     metadata: Joi.any(),
 
+    legacy: Joi.boolean().default(false),
+
     secret: Joi.alternatives()
       .try(
         Joi.boolean(),
         Joi.object({
           type: Joi.string()
-            .only(['alphabet', 'number', 'uuid'])
+            .valid('alphabet', 'number', 'uuid')
             .required(),
 
           alphabet: Joi.any()
@@ -45,16 +47,16 @@ const schema = Joi
 
           length: Joi.any()
             .when('type', {
-              is: Joi.string().only(['alphabet', 'number']),
+              is: Joi.string().valid('alphabet', 'number'),
               then: Joi.number().integer().min(1).required(),
               otherwise: Joi.forbidden(),
             }),
 
           encrypt: Joi.boolean()
             .when('type', {
               is: 'uuid',
-              then: Joi.default(true),
-              otherwise: Joi.default(false),
+              then: Joi.any().default(true),
+              otherwise: Joi.any().default(false),
             }),
         })
       )
@@ -63,7 +65,7 @@ const schema = Joi
     regenerate: Joi.boolean()
       .when('secret', {
         is: false,
-        then: Joi.only(false),
+        then: Joi.valid(false),
         otherwise: Joi.optional(),
       }),
   })
@@ -96,7 +98,7 @@ function getSecret(_secret) {
 module.exports = async function create(args) {
   const opts = Joi.attempt(args, schema);
 
-  const { action, id, ttl, metadata } = opts;
+  const { action, id, ttl, metadata, legacy } = opts;
   const throttle = getThrottle(opts.throttle, ttl);
   const uid = opts.regenerate ? uuid.v4() : false;
   const secret = getSecret(opts.secret);
@@ -125,7 +127,7 @@ module.exports = async function create(args) {
 
   if (secret) {
     settings.secret = secret;
-    output.secret = crypto.secret(this.encrypt, secret, { id, action, uid });
+    output.secret = await crypto.secret(this.encrypt, secret, { id, action, uid }, legacy);
   }
 
   await this.backend.create(settings, output);

src/actions/info.js

@@ -42,7 +42,7 @@ const schema = Joi.alternatives()
         .required(),
 
       encrypt: Joi.bool()
-        .only(true)
+        .valid(true)
         .required(),
     }),
 
@@ -59,7 +59,7 @@ const schema = Joi.alternatives()
         .required(),
 
       encrypt: Joi.bool()
-        .only(false)
+        .valid(false)
         .required(),
     })
   );

src/actions/regenerate.js

@@ -18,7 +18,7 @@ const schema = Joi.alternatives()
   );
 
 // helper function used to generate new secret
-const generateSecret = encrypt => (id, action, uid, secret) => (
+const generateSecret = (encrypt) => async (id, action, uid, secret) => (
   crypto.secret(encrypt, secret, { id, action, uid })
 );
 

src/actions/verify.js

@@ -33,15 +33,6 @@ const optsSchema = Joi.object({
     .default({}),
 });
 
-/**
- * Enriches error and includes args into it
- * @param  {Error} e
- */
-function enrichError(e) {
-  e.args = this;
-  throw e;
-}
-
 /**
  * Parses input options
  * @param  {Function}
@@ -83,12 +74,13 @@ function assertControlOptions(args, opts) {
  * @param  {Object} [_opts={}]
  * @return {Promise}
  */
-module.exports = async function create(_args, _opts = {}) {
+module.exports = async function verify(_args, _opts = {}) {
   const { args, opts } = parseInput(this.decrypt, _args, _opts);
   assertControlOptions(args, opts);
   try {
     return await this.backend.verify(args, opts);
   } catch (e) {
-    return enrichError.call(args, e);
+    e.args = args;
+    throw e;
   }
 };

src/backends/redis/redis.js

@@ -31,24 +31,14 @@ class RedisBackend {
     }
   }
 
-  static RESERVED_PROPS = {
-    id: String,
-    action: String,
-    secret: String,
-    uid: String,
-    created: Number,
-    verified: Number,
-    isFirstVerification: Boolean,
-    throttleKey: String,
-  };
-
-  // static instance of error
-  static Unauthorized = new Error(403);
-
   // quick helpers
-  static serialize = data => JSON.stringify(data);
+  static serialize(data) {
+    return JSON.stringify(data);
+  }
 
-  static deserialize = data => JSON.parse(data);
+  static deserialize(data) {
+    return JSON.parse(data);
+  }
 
   // redis key helpers
   key(...args) {
@@ -116,7 +106,7 @@ class RedisBackend {
     const { id, action, uid } = data;
     const secretSettings = RedisBackend.deserialize(data.settings);
     const oldSecret = data.secret;
-    const newSecret = updateSecret(id, action, uid, secretSettings);
+    const newSecret = await updateSecret(id, action, uid, secretSettings);
 
     // redis keys
     const idKey = this.key(action, id);
@@ -212,4 +202,18 @@ class RedisBackend {
   }
 }
 
+RedisBackend.RESERVED_PROPS = {
+  id: String,
+  action: String,
+  secret: String,
+  uid: String,
+  created: Number,
+  verified: Number,
+  isFirstVerification: Boolean,
+  throttleKey: String,
+};
+
+// static instance of error
+RedisBackend.Unauthorized = new Error(403);
+
 module.exports = RedisBackend;

src/defaults.js

@@ -1,49 +1,50 @@
 const Joi = require('@hapi/joi');
+const Redis = require('ioredis');
 const glob = require('glob');
 const path = require('path');
 const pkg = require('../package.json');
 
 const backends = glob
   .sync('*', { cwd: path.join(__dirname, 'backends') })
-  .map(filename => path.basename(filename, '.js'));
-
-const schema = Joi
-  .object({
-    backend: {
-      name: Joi.string()
-        .only(backends)
-        .required(),
-
-      connection: Joi.any()
-        .required()
-        .when('name', {
-          is: 'redis',
-          then: Joi.lazy(() => {
-            const Redis = require('ioredis');
-
-            return Joi.alternatives()
-              .try(
-                Joi.object().type(Redis),
-                Joi.object().type(Redis.Cluster)
-              );
-          }),
-        }),
-
-      prefix: Joi.string()
-        .default(`{ms-token!${pkg.version}}`),
-    },
-
-    encrypt: {
-
-      algorithm: Joi.string()
-        .required(),
-
-      sharedSecret: Joi.binary()
-        .encoding('utf8')
-        .min(24)
-        .required(),
-    },
-  })
-  .requiredKeys(['', 'backend', 'encrypt']);
-
-module.exports = opts => Joi.attempt(opts, schema);
+  .map((filename) => path.basename(filename, '.js'));
+
+const secret = Joi.binary()
+  .encoding('utf8')
+  .required();
+
+const schema = Joi.object({
+  backend: Joi.object({
+    name: Joi.string()
+      .valid(...backends)
+      .required(),
+
+    connection: Joi.any()
+      .required()
+      .when('name', {
+        is: 'redis',
+        then: Joi.alternatives().try(
+          Joi.object().instance(Redis),
+          Joi.object().instance(Redis.Cluster)
+        ),
+      }),
+
+    prefix: Joi.string()
+      .default(`{ms-token!${pkg.version}}`),
+  }).required(),
+
+  encrypt: Joi.object({
+
+    algorithm: Joi.string()
+      .required(),
+
+    sharedSecret: Joi.alternatives().try(
+      secret.min(32),
+      Joi.object({
+        legacy: secret.min(24),
+        current: secret.min(32),
+      })
+    ).required(),
+  }).required(),
+}).required();
+
+module.exports = (opts) => Joi.attempt(opts, schema);