New Research: Supply Chain Attack on Axios Pulls Malicious Dependency from npm.Details →
@mailchain/api
Advanced tools
@mailchain/api - npm Package Compare versions
@@ -1,2 +0,2 @@ | ||
| export { AddressEncodingEnum, AddressesApi, AddressesApiAxiosParamCreator, AddressesApiFactory, AddressesApiFp, AuthApi, AuthApiAxiosParamCreator, AuthApiFactory, AuthApiFp, ContractCallMethodEnum, EncryptedAccountSecretEncryptionKindEnum, EncryptedAccountSecretSecretKindEnum, GetUsernameAvailableResponseBodyReasonEnum, IdentityKeysApi, IdentityKeysApiAxiosParamCreator, IdentityKeysApiFactory, IdentityKeysApiFp, ImageKindEnum, InboxApi, InboxApiAxiosParamCreator, InboxApiFactory, InboxApiFp, MessagingKeysApi, MessagingKeysApiAxiosParamCreator, MessagingKeysApiFactory, MessagingKeysApiFp, PrivateKeyCurveEnum, PrivateKeyEncodingEnum, PublicKeyCurveEnum, PublicKeyEncodingEnum, PutEncryptedMessageRequestBodyFolderEnum, PutUserSettingRequestBodyGroupEnum, PutUserSettingRequestBodyKindEnum, RegisteredKeyProofSigningMethodEnum, SettingGroupEnum, SettingKindEnum, TransportApi, TransportApiAxiosParamCreator, TransportApiFactory, TransportApiFp, UserApi, UserApiAxiosParamCreator, UserApiFactory, UserApiFp, UsersApi, UsersApiAxiosParamCreator, UsersApiFactory, UsersApiFp, VersionApi, VersionApiAxiosParamCreator, VersionApiFactory, VersionApiFp } from './api.js'; | ||
| export { AddressEncodingEnum, AddressesApi, AddressesApiAxiosParamCreator, AddressesApiFactory, AddressesApiFp, AuthApi, AuthApiAxiosParamCreator, AuthApiFactory, AuthApiFp, ContractCallMethodEnum, EncryptedAccountSecretEncryptionKindEnum, EncryptedAccountSecretSecretKindEnum, GetUsernameAvailableResponseBodyReasonEnum, IdentityKeysApi, IdentityKeysApiAxiosParamCreator, IdentityKeysApiFactory, IdentityKeysApiFp, ImageKindEnum, InboxApi, InboxApiAxiosParamCreator, InboxApiFactory, InboxApiFp, MessageKindEnum, MessagingKeysApi, MessagingKeysApiAxiosParamCreator, MessagingKeysApiFactory, MessagingKeysApiFp, PrivateKeyCurveEnum, PrivateKeyEncodingEnum, PublicKeyCurveEnum, PublicKeyEncodingEnum, PutEncryptedMessageRequestBodyFolderEnum, PutEncryptedMessageRequestBodyKindEnum, PutUserSettingRequestBodyGroupEnum, PutUserSettingRequestBodyKindEnum, RegisteredKeyProofSigningMethodEnum, SettingGroupEnum, SettingKindEnum, TransportApi, TransportApiAxiosParamCreator, TransportApiFactory, TransportApiFp, UserApi, UserApiAxiosParamCreator, UserApiFactory, UserApiFp, UsersApi, UsersApiAxiosParamCreator, UsersApiFactory, UsersApiFp, VersionApi, VersionApiAxiosParamCreator, VersionApiFactory, VersionApiFp } from './api.js'; | ||
| export { Configuration } from './configuration.js'; |
+1
-1
@@ -5,5 +5,5 @@ export { createAxiosConfiguration } from './axios/config.js'; | ||
| export { getAddressFromApiResponse } from './helpers/address.js'; | ||
| export { AddressEncodingEnum, AddressesApi, AddressesApiAxiosParamCreator, AddressesApiFactory, AddressesApiFp, AuthApi, AuthApiAxiosParamCreator, AuthApiFactory, AuthApiFp, ContractCallMethodEnum, EncryptedAccountSecretEncryptionKindEnum, EncryptedAccountSecretSecretKindEnum, GetUsernameAvailableResponseBodyReasonEnum, IdentityKeysApi, IdentityKeysApiAxiosParamCreator, IdentityKeysApiFactory, IdentityKeysApiFp, ImageKindEnum, InboxApi, InboxApiAxiosParamCreator, InboxApiFactory, InboxApiFp, MessagingKeysApi, MessagingKeysApiAxiosParamCreator, MessagingKeysApiFactory, MessagingKeysApiFp, PrivateKeyCurveEnum, PrivateKeyEncodingEnum, PublicKeyCurveEnum, PublicKeyEncodingEnum, PutEncryptedMessageRequestBodyFolderEnum, PutUserSettingRequestBodyGroupEnum, PutUserSettingRequestBodyKindEnum, RegisteredKeyProofSigningMethodEnum, SettingGroupEnum, SettingKindEnum, TransportApi, TransportApiAxiosParamCreator, TransportApiFactory, TransportApiFp, UserApi, UserApiAxiosParamCreator, UserApiFactory, UserApiFp, UsersApi, UsersApiAxiosParamCreator, UsersApiFactory, UsersApiFp, VersionApi, VersionApiAxiosParamCreator, VersionApiFactory, VersionApiFp } from './api/api.js'; | ||
| export { AddressEncodingEnum, AddressesApi, AddressesApiAxiosParamCreator, AddressesApiFactory, AddressesApiFp, AuthApi, AuthApiAxiosParamCreator, AuthApiFactory, AuthApiFp, ContractCallMethodEnum, EncryptedAccountSecretEncryptionKindEnum, EncryptedAccountSecretSecretKindEnum, GetUsernameAvailableResponseBodyReasonEnum, IdentityKeysApi, IdentityKeysApiAxiosParamCreator, IdentityKeysApiFactory, IdentityKeysApiFp, ImageKindEnum, InboxApi, InboxApiAxiosParamCreator, InboxApiFactory, InboxApiFp, MessageKindEnum, MessagingKeysApi, MessagingKeysApiAxiosParamCreator, MessagingKeysApiFactory, MessagingKeysApiFp, PrivateKeyCurveEnum, PrivateKeyEncodingEnum, PublicKeyCurveEnum, PublicKeyEncodingEnum, PutEncryptedMessageRequestBodyFolderEnum, PutEncryptedMessageRequestBodyKindEnum, PutUserSettingRequestBodyGroupEnum, PutUserSettingRequestBodyKindEnum, RegisteredKeyProofSigningMethodEnum, SettingGroupEnum, SettingKindEnum, TransportApi, TransportApiAxiosParamCreator, TransportApiFactory, TransportApiFp, UserApi, UserApiAxiosParamCreator, UserApiFactory, UserApiFp, UsersApi, UsersApiAxiosParamCreator, UsersApiFactory, UsersApiFp, VersionApi, VersionApiAxiosParamCreator, VersionApiFactory, VersionApiFp } from './api/api.js'; | ||
| export { Configuration } from './api/configuration.js'; | ||
| export { createPayloadSegment, signJWT, verifyJWT } from './jwt/jwt.js'; | ||
| export { getAxiosWithSigner } from './axios/axios.js'; |
@@ -30,2 +30,3 @@ 'use strict'; | ||
| exports.InboxApiFp = api.InboxApiFp; | ||
| exports.MessageKindEnum = api.MessageKindEnum; | ||
| exports.MessagingKeysApi = api.MessagingKeysApi; | ||
@@ -40,2 +41,3 @@ exports.MessagingKeysApiAxiosParamCreator = api.MessagingKeysApiAxiosParamCreator; | ||
| exports.PutEncryptedMessageRequestBodyFolderEnum = api.PutEncryptedMessageRequestBodyFolderEnum; | ||
| exports.PutEncryptedMessageRequestBodyKindEnum = api.PutEncryptedMessageRequestBodyKindEnum; | ||
| exports.PutUserSettingRequestBodyGroupEnum = api.PutUserSettingRequestBodyGroupEnum; | ||
@@ -42,0 +44,0 @@ exports.PutUserSettingRequestBodyKindEnum = api.PutUserSettingRequestBodyKindEnum; |
+2
-0
@@ -41,2 +41,3 @@ 'use strict'; | ||
| exports.InboxApiFp = api.InboxApiFp; | ||
| exports.MessageKindEnum = api.MessageKindEnum; | ||
| exports.MessagingKeysApi = api.MessagingKeysApi; | ||
@@ -51,2 +52,3 @@ exports.MessagingKeysApiAxiosParamCreator = api.MessagingKeysApiAxiosParamCreator; | ||
| exports.PutEncryptedMessageRequestBodyFolderEnum = api.PutEncryptedMessageRequestBodyFolderEnum; | ||
| exports.PutEncryptedMessageRequestBodyKindEnum = api.PutEncryptedMessageRequestBodyKindEnum; | ||
| exports.PutUserSettingRequestBodyGroupEnum = api.PutUserSettingRequestBodyGroupEnum; | ||
@@ -53,0 +55,0 @@ exports.PutUserSettingRequestBodyKindEnum = api.PutUserSettingRequestBodyKindEnum; |
+3
-3
| { | ||
| "name": "@mailchain/api", | ||
| "version": "0.25.0", | ||
| "version": "0.26.0", | ||
| "description": "Mailchain api tools", | ||
@@ -20,4 +20,4 @@ "license": "Apache-2.0", | ||
| "dependencies": { | ||
| "@mailchain/crypto": "0.25.0", | ||
| "@mailchain/encoding": "0.25.0", | ||
| "@mailchain/crypto": "0.26.0", | ||
| "@mailchain/encoding": "0.26.0", | ||
| "@noble/hashes": "^1.3.0", | ||
@@ -24,0 +24,0 @@ "axios": "1.3.4", |
| export { createSignedToken, createTokenPayload, getAxiosWithSigner, verifySignedToken } from './jwt.js'; |
| import { encodeBase64UrlSafe, decodeUtf8, encodeUtf8, decodeBase64UrlSafe } from '@mailchain/encoding'; | ||
| import globalAxios from 'axios'; | ||
| import isArrayBuffer from 'lodash/isArrayBuffer'; | ||
| async function createSignedToken(requestKey, payload, exp) { | ||
| const headerSegment = encodeBase64UrlSafe(decodeUtf8(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }))); | ||
| const payloadSegment = encodeBase64UrlSafe(decodeUtf8(JSON.stringify({ ...payload, exp }))); | ||
| const headerAndSegment = `${headerSegment}.${payloadSegment}`; | ||
| const signedToken = await requestKey.sign(decodeUtf8(headerAndSegment)); | ||
| const signatureSegment = encodeBase64UrlSafe(signedToken); | ||
| return `${headerAndSegment}.${signatureSegment}`; | ||
| } | ||
| async function verifySignedToken(token, publicKey) { | ||
| const [headerSegment, payloadSegment, signatureSegment] = token.split('.'); | ||
| if (!headerSegment || !payloadSegment || !signatureSegment) { | ||
| return false; | ||
| } | ||
| const header = JSON.parse(encodeUtf8(decodeBase64UrlSafe(headerSegment))); | ||
| const signature = decodeBase64UrlSafe(signatureSegment); | ||
| if (header.alg !== 'EdDSA') { | ||
| return false; | ||
| } | ||
| const headerAndSegment = `${headerSegment}.${payloadSegment}`; | ||
| return publicKey.verify(decodeUtf8(headerAndSegment), signature); | ||
| } | ||
| const getAxiosWithSigner = (requestKey) => { | ||
| const axiosInstance = globalAxios.create(); | ||
| axiosInstance.interceptors.request.use(async (request) => { | ||
| if (request.headers) { | ||
| const expires = Math.floor(Date.now() / 1000 + 60 * 5); // 5 mins | ||
| const tokenPayload = createTokenPayload(new URL(request?.url ?? ''), request.method?.toUpperCase() ?? '', request.data); | ||
| const token = await createSignedToken(requestKey, tokenPayload, expires); | ||
| request.headers.Authorization = `vapid t=${token}, k=${encodeBase64UrlSafe(requestKey.publicKey.bytes)}`; | ||
| } | ||
| return request; | ||
| }); | ||
| return axiosInstance; | ||
| }; | ||
| function createTokenPayload(url, method, data) { | ||
| let len; | ||
| // Taking code from https://github.com/axios/axios/blob/main/lib/adapters/http.js#L186-L198 to calculate content length how axios does it | ||
| if (data != null && ['POST', 'PUT', 'PATCH'].some((m) => m === method.toUpperCase())) { | ||
| if (Buffer.isBuffer(data)) { | ||
| len = data.length; | ||
| } | ||
| else if (isArrayBuffer(data)) { | ||
| len = Buffer.byteLength(new Uint8Array(data)); | ||
| } | ||
| else if (typeof data === 'string') { | ||
| len = Buffer.byteLength(data, 'utf-8'); | ||
| } | ||
| else if (toString.call(data) === '[object Uint8Array]') { | ||
| len = data.length; | ||
| } | ||
| else { | ||
| len = Buffer.byteLength(JSON.stringify(data)); | ||
| } | ||
| } | ||
| else { | ||
| len = 0; | ||
| } | ||
| return { | ||
| m: method.toUpperCase(), | ||
| url: url.pathname, | ||
| len, | ||
| aud: url.host, | ||
| q: url.search.length > 1 ? url.search.replace(/^\?/, '') : undefined, | ||
| }; | ||
| } | ||
| export { createSignedToken, createTokenPayload, getAxiosWithSigner, verifySignedToken }; |
| 'use strict'; | ||
| var jwt = require('./jwt.js'); | ||
| exports.createSignedToken = jwt.createSignedToken; | ||
| exports.createTokenPayload = jwt.createTokenPayload; | ||
| exports.getAxiosWithSigner = jwt.getAxiosWithSigner; | ||
| exports.verifySignedToken = jwt.verifySignedToken; |
| 'use strict'; | ||
| var encoding = require('@mailchain/encoding'); | ||
| var globalAxios = require('axios'); | ||
| var isArrayBuffer = require('lodash/isArrayBuffer'); | ||
| async function createSignedToken(requestKey, payload, exp) { | ||
| const headerSegment = encoding.encodeBase64UrlSafe(encoding.decodeUtf8(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }))); | ||
| const payloadSegment = encoding.encodeBase64UrlSafe(encoding.decodeUtf8(JSON.stringify({ ...payload, exp }))); | ||
| const headerAndSegment = `${headerSegment}.${payloadSegment}`; | ||
| const signedToken = await requestKey.sign(encoding.decodeUtf8(headerAndSegment)); | ||
| const signatureSegment = encoding.encodeBase64UrlSafe(signedToken); | ||
| return `${headerAndSegment}.${signatureSegment}`; | ||
| } | ||
| async function verifySignedToken(token, publicKey) { | ||
| const [headerSegment, payloadSegment, signatureSegment] = token.split('.'); | ||
| if (!headerSegment || !payloadSegment || !signatureSegment) { | ||
| return false; | ||
| } | ||
| const header = JSON.parse(encoding.encodeUtf8(encoding.decodeBase64UrlSafe(headerSegment))); | ||
| const signature = encoding.decodeBase64UrlSafe(signatureSegment); | ||
| if (header.alg !== 'EdDSA') { | ||
| return false; | ||
| } | ||
| const headerAndSegment = `${headerSegment}.${payloadSegment}`; | ||
| return publicKey.verify(encoding.decodeUtf8(headerAndSegment), signature); | ||
| } | ||
| const getAxiosWithSigner = (requestKey) => { | ||
| const axiosInstance = globalAxios.create(); | ||
| axiosInstance.interceptors.request.use(async (request) => { | ||
| if (request.headers) { | ||
| const expires = Math.floor(Date.now() / 1000 + 60 * 5); // 5 mins | ||
| const tokenPayload = createTokenPayload(new URL(request?.url ?? ''), request.method?.toUpperCase() ?? '', request.data); | ||
| const token = await createSignedToken(requestKey, tokenPayload, expires); | ||
| request.headers.Authorization = `vapid t=${token}, k=${encoding.encodeBase64UrlSafe(requestKey.publicKey.bytes)}`; | ||
| } | ||
| return request; | ||
| }); | ||
| return axiosInstance; | ||
| }; | ||
| function createTokenPayload(url, method, data) { | ||
| let len; | ||
| // Taking code from https://github.com/axios/axios/blob/main/lib/adapters/http.js#L186-L198 to calculate content length how axios does it | ||
| if (data != null && ['POST', 'PUT', 'PATCH'].some((m) => m === method.toUpperCase())) { | ||
| if (Buffer.isBuffer(data)) { | ||
| len = data.length; | ||
| } | ||
| else if (isArrayBuffer(data)) { | ||
| len = Buffer.byteLength(new Uint8Array(data)); | ||
| } | ||
| else if (typeof data === 'string') { | ||
| len = Buffer.byteLength(data, 'utf-8'); | ||
| } | ||
| else if (toString.call(data) === '[object Uint8Array]') { | ||
| len = data.length; | ||
| } | ||
| else { | ||
| len = Buffer.byteLength(JSON.stringify(data)); | ||
| } | ||
| } | ||
| else { | ||
| len = 0; | ||
| } | ||
| return { | ||
| m: method.toUpperCase(), | ||
| url: url.pathname, | ||
| len, | ||
| aud: url.host, | ||
| q: url.search.length > 1 ? url.search.replace(/^\?/, '') : undefined, | ||
| }; | ||
| } | ||
| exports.createSignedToken = createSignedToken; | ||
| exports.createTokenPayload = createTokenPayload; | ||
| exports.getAxiosWithSigner = getAxiosWithSigner; | ||
| exports.verifySignedToken = verifySignedToken; |
| export * from './jwt'; |
| import { AxiosInstance } from 'axios'; | ||
| import { ED25519PublicKey, SignerWithPublicKey } from '@mailchain/crypto'; | ||
| export declare function createSignedToken(requestKey: SignerWithPublicKey, payload: TokenPayload, exp: number): Promise<string>; | ||
| export declare function verifySignedToken(token: string, publicKey: ED25519PublicKey): Promise<boolean>; | ||
| export declare const getAxiosWithSigner: (requestKey: SignerWithPublicKey) => AxiosInstance; | ||
| type TokenPayload = { | ||
| /** The HTTP method */ | ||
| m: string; | ||
| /** pathname */ | ||
| url: string; | ||
| /** The length of the data payload of the request */ | ||
| len: number; | ||
| /** host */ | ||
| aud: string; | ||
| /** query params */ | ||
| q?: string; | ||
| }; | ||
| export declare function createTokenPayload(url: URL, method: string, data: unknown): TokenPayload; | ||
| export {}; |
| export {}; |
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
New alerts
Long strings
Supply chain riskContains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Fixed alerts
Long strings
Supply chain riskContains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Worsened metrics
- Total package byte prevSize
727690
-0.68%- Number of package files
60
-10.45%- Lines of code
14942
-0.84%Dependency changes
+ Added
@mailchain/crypto@0.26.0(transitive)+ Added
@mailchain/encoding@0.26.0(transitive)- Removed
@mailchain/crypto@0.25.0(transitive)- Removed
@mailchain/encoding@0.25.0(transitive)Updated
@mailchain/crypto@0.26.0Updated
@mailchain/encoding@0.26.0