@strivve/strivve-sdk - npm Package Compare versions

Comparing version 3.0.1 to 3.0.3

lib/cardsavr/CardsavrJSLibrary-2.0.js

@@ -85,8 +85,8 @@ "use strict";
 var package_json_1 = require("../../package.json");
-//import { HttpsProxyAgent } from "https-proxy-agent";
+var https_proxy_agent_1 = require("https-proxy-agent");
 var CardsavrSession = /** @class */ (function () {
     function CardsavrSession(baseUrl, sessionKey, appName, rejectUnauthorized, cardsavrCert, proxy, debug) {
+        var _this = this;
         if (rejectUnauthorized === void 0) { rejectUnauthorized = true; }
         if (debug === void 0) { debug = false; }
-        var _this = this;
         this.setSessionHeaders = function (headersObject) {
@@ -172,3 +172,3 @@ Object.assign(_this._headers, headersObject);
                             agent = (this._proxy) ?
-                                /*new HttpsProxyAgent(this._proxy) */ undefined :
+                                new https_proxy_agent_1.HttpsProxyAgent(this._proxy) :
                                 new https_1.Agent(__assign({ rejectUnauthorized: this._rejectUnauthorized }, (this._cardsavrCert && { ca: this._cardsavrCert })));
@@ -175,0 +175,0 @@ config = Object.assign(config, {

lib/cardsavr/CardsavrSessionCrypto.d.ts

@@ -12,3 +12,3 @@ /// <reference types="node" />
     static decryptResponse(key: string, body: any): Promise<any>;
-    static decryptAES256(b64cipherText: string, b64IV: string, b64Key: string): Promise<any>;
+    static decryptAES256(b64cipherText: string, b64IV: string, b64Key: string, alg?: string): Promise<any>;
 }
@@ -15,0 +15,0 @@ export declare class Signing {

lib/cardsavr/CardsavrSessionCrypto.js

@@ -190,7 +190,3 @@ "use strict";
                         stringParts = body.encrypted_body.split("$");
-                        if (stringParts[1].length != 16) {
-                            // Not a proper 16-byte base64-encoded IV
-                            throw new Error("Response body is not properly encrypted.");
-                        }
-                        req = this.decryptAES256(stringParts[0], stringParts[1], key);
+                        req = this.decryptAES256(stringParts[0], stringParts[1], key, stringParts[2]);
                         return [4 /*yield*/, req];
@@ -202,11 +198,16 @@ case 1: return [2 /*return*/, _a.sent()];
     };
-    Encryption.decryptAES256 = function (b64cipherText, b64IV, b64Key) {
+    Encryption.decryptAES256 = function (b64cipherText, b64IV, b64Key, alg) {
         return __awaiter(this, void 0, void 0, function () {
-            var binaryEncryptionKey, encrypted_buf, _a, encoded, auth_tag, iv, decryptor, decryptedJSON, decryptedString, decryptKey, clearTextBuffer, clearText;
+            var predicted_alg, binaryEncryptionKey, iv, encrypted_buf, _a, encoded, auth_tag, decryptor, decryptedJSON, decryptedString, ALG, decryptKey, clearTextBuffer, clearText;
             return __generator(this, function (_b) {
                 switch (_b.label) {
                     case 0:
+                        predicted_alg = b64IV.length === 16 ? "aes-256-gcm" : (b64IV.length === 24 ? "aes-256-cbc" : undefined);
+                        if (!predicted_alg || (alg && alg != predicted_alg)) {
+                            // Not a proper length for base64-encoded IV, doesn't care about alg, not supported except in-browser
+                            throw new Error("Response body is not properly encrypted.");
+                        }
                         if (!!browserCrypto) return [3 /*break*/, 1];
-                        binaryEncryptionKey = Buffer.alloc(32);
-                        binaryEncryptionKey.write(b64Key, "base64");
+                        binaryEncryptionKey = Buffer.from(b64Key, "base64");
+                        iv = Buffer.from(b64IV, "base64");
                         encrypted_buf = Buffer.from(b64cipherText, "base64");
@@ -217,4 +218,3 @@ _a = [
                         ], encoded = _a[0], auth_tag = _a[1];
-                        iv = Buffer.from(b64IV, "base64");
-                        decryptor = crypto.createDecipheriv("aes-256-gcm", binaryEncryptionKey, iv);
+                        decryptor = crypto.createDecipheriv(predicted_alg, binaryEncryptionKey, iv);
                         decryptor.setAuthTag(auth_tag);
@@ -224,7 +224,9 @@ decryptedJSON = Buffer.concat([decryptor.update(encoded), decryptor.final()]);
                         return [2 /*return*/, JSON.parse(decryptedString)];
-                    case 1: return [4 /*yield*/, browserCrypto.subtle.importKey("raw", WebConversions.base64ToArrayBuffer(b64Key), "AES-GCM", false, ["decrypt"])];
+                    case 1:
+                        ALG = predicted_alg.replace("-256-", "-").toUpperCase();
+                        return [4 /*yield*/, browserCrypto.subtle.importKey("raw", WebConversions.base64ToArrayBuffer(b64Key), ALG, false, ["decrypt"])];
                     case 2:
                         decryptKey = _b.sent();
                         return [4 /*yield*/, browserCrypto.subtle.decrypt({
-                                name: "AES-GCM",
+                                name: ALG,
                                 iv: WebConversions.base64ToArrayBuffer(b64IV)
@@ -231,0 +233,0 @@ }, decryptKey,

package.json

 {
   "name": "@strivve/strivve-sdk",
-  "version": "3.0.1",
+  "version": "3.0.3",
   "description": "",
@@ -49,2 +49,3 @@ "directories": {
     "eslint": "^8.52.0",
+    "https-proxy-agent": "^7.0.2",
     "log-timestamp": "^0.3.0",
@@ -51,0 +52,0 @@ "net": "^1.0.2",

src/cardsavr/CardsavrJSLibrary-2.0.ts

@@ -11,3 +11,3 @@ "use strict";
 import {version} from "../../package.json";
-//import { HttpsProxyAgent } from "https-proxy-agent";
+import { HttpsProxyAgent } from "https-proxy-agent";
 
@@ -131,3 +131,3 @@ export class CardsavrSession {
             const agent = (this._proxy) ?
-                /*new HttpsProxyAgent(this._proxy) */ undefined :
+                new HttpsProxyAgent(this._proxy) :
                 new HTTPSAgent({
@@ -134,0 +134,0 @@ rejectUnauthorized : this._rejectUnauthorized,

src/cardsavr/CardsavrSessionCrypto.ts

@@ -154,10 +154,11 @@ import * as crypto from "crypto";
 
+        const predicted_alg = b64IV.length === 16 ? "aes-256-gcm" : (b64IV.length === 24 ? "aes-256-cbc" : undefined);
+        if (!predicted_alg || (alg && alg != predicted_alg)) {
+            // Not a proper length for base64-encoded IV, doesn't care about alg, not supported except in-browser
+            throw new Error("Response body is not properly encrypted.");
+        }
+
         if (!browserCrypto) {
 
             // decryption has support for both gcm and cdc for backward compatibility (CU config.json)
-            const predicted_alg = b64IV.length === 16 ? "aes-256-gcm" : (b64IV.length === 24 ? "aes-256-cbc" : undefined);
-            if (!predicted_alg || (alg && alg != predicted_alg)) {
-                // Not a proper 16-byte base64-encoded IV, doesn't care about alg, not supported except in-browser
-                throw new Error("Response body is not properly encrypted.");
-            }
             const binaryEncryptionKey = Buffer.from(b64Key, "base64");
@@ -167,9 +168,8 @@ const iv = Buffer.from(b64IV, "base64");
 
-            const [encoded, auth_tag] = predicted_alg === "aes-256-gcm" ? [
+            const [encoded, auth_tag] = [
                 encrypted_buf.subarray(0, encrypted_buf.length - 16), 
-                encrypted_buf.subarray(encrypted_buf.length - 16, encrypted_buf.length)
-            ] : [encrypted_buf, Buffer.from("")];
+                encrypted_buf.subarray(encrypted_buf.length - 16, encrypted_buf.length)];
 
             const decryptor = crypto.createDecipheriv(predicted_alg, binaryEncryptionKey, iv);
-            if (auth_tag) { (decryptor as crypto.DecipherGCM).setAuthTag(auth_tag); }
+            (decryptor as crypto.DecipherGCM).setAuthTag(auth_tag);
             
@@ -182,11 +182,7 @@ const decryptedJSON = Buffer.concat([decryptor.update(encoded), decryptor.final()]);
 
-            if (b64IV.length !== 16) {
-                // Not a proper 16-byte base64-encoded IV, doesn't care about alg, not supported except in-browser
-                throw new Error("Response body is not properly encrypted.");
-            }
-
+            const ALG = predicted_alg.replace("-256-", "-").toUpperCase();
             const decryptKey = await browserCrypto.subtle.importKey(
                 "raw",
                 WebConversions.base64ToArrayBuffer(b64Key),
-                "AES-GCM",
+                ALG,
                 false, ["decrypt"]
@@ -196,3 +192,3 @@ );
             const clearTextBuffer = await browserCrypto.subtle.decrypt({
-                    name : "AES-GCM",
+                    name : ALG,
                     iv : WebConversions.base64ToArrayBuffer(b64IV)
@@ -199,0 +195,0 @@ },

src/tsconfig.json

@@ -8,3 +8,3 @@ {
         "outDir": "../lib/",
-//        "rootDir": ".",
+        "rootDir": ".",
         "esModuleInterop": true,  
@@ -11,0 +11,0 @@ "strict": true,

tsconfig.json

@@ -8,3 +8,3 @@ {
         "outDir": ".",
-//        "rootDir": ".",
+        "rootDir": ".",
         "esModuleInterop": true,  
@@ -11,0 +11,0 @@ "strict": true,

New alerts

Network access

Supply chain risk

This module accesses the network.

Found 1 instance in 1 package

Worsened metrics

Total package byte prevSize

710422

decreased by-1.87%

Dependency count

7

increased by16.67%

Number of package files

89

decreased by-7.29%

Lines of code

11537

decreased by-2.51%

Number of medium supply chain risk alerts

3

increased by50%

Dependency changes

• + Addedhttps-proxy-agent@^7.0.2

• + Addedagent-base@7.1.1(transitive)

• + Addedhttps-proxy-agent@7.0.4(transitive)