node-laravel-encryptor
v2.0.2
NodeJS version of Laravel's Encrypter class, tested against Illuminate/Encryption/Encrypter.php from 5.4.30 to 6.0.
With this module you can create the encrypted payload for a cookie from Node.js so that it can be read by Laravel.
You can also use it as a standalone module to encrypt and decrypt data with a verified signature.
If you use this module standalone, that is, without a Laravel backend involved in your scenario, you can use the native Node JSON library to serialize the data before ciphering it.
>=v8.16.1 (npm v6.4.1)
>=5.4.30
$> npm i node-laravel-encryptor
const {Encryptor} = require('node-laravel-encryptor');
let encryptor = new Encryptor({
key: 'Laravel APP_KEY without base64:',
});
encryptor
.encrypt({foo: 'bar'})
.then(enc => console.log(encryptor.decrypt(enc)));
const enc = encryptor.encryptSync({foo: 'bar'});
console.log(encryptor.decrypt(enc));
Decrypt is always in sync mode.
<php>|<json>|<custom>
Encryptor lets you choose between the php-serialize npm package or the native Node JSON implementation to serialize the data out of the box.
If you need to use another serialization library, like mspack or any other custom lib, Encryptor lets you inject your custom Serializer class, at the constructor or at runtime with setSerializerDriver(your_lib).
If you use this module with the intent of reading and writing ciphered data to/from Laravel, you should instantiate the Encryptor class without any serialize_mode option, just the defaults.
If you use this module without any Laravel backend involved, you should use json mode: instantiate the Encryptor class with serialize_mode:'json'.
Encryptor will serialize only if the data to cipher is an object.
You can force serialization if the Encryptor class is using serialize_mode:'php', to be able to serialize data to send back to Laravel if needed.
const encryptor = new Encryptor({key});
const encryptor1 = new Encryptor({key, serialize_mode: 'php'});
encryptor and encryptor1 do the same thing: both initialize the Encryptor class with serialize mode 'php'.
By default, Encryptor serializes data with the php-serialize driver to be compliant with Laravel.
serialize_mode:'php'
If data needs to be serialized but is not an object (because Laravel is serializing everything), you can force Encryptor.encrypt() to serialize the data.
const encryptor = new Encryptor({key}); //serialize_mode = 'php'
encryptor.encrypt('foo', true) //foo now is encrypted and serialized
const encryptor = new Encryptor({key, serialize_mode: 'json'});
Your custom Serializer must implement these two methods:
export interface Serialize_Interface {
    serialize(data: any): string;
    unSerialize(data: string): any;
}
<object> {key, key_length}
<string> APP_KEY without base64:
<number> [optional] [default] <64> values 32|64 for aes-[128]-cbc aes-[256]-cbc
<string> [optional] [default] <php> values <php>|<json>
class to serialize [optional]
Will encrypt data with MAC signature, and return a Promise with encrypted base64 string.
With force_serialize (only applies with serialize_mode:'php') you can force Encryptor to serialize data before ciphering, even if the data is not an object.
force_serialize will not take any effect if Encryptor is using a serializer driver other than the php-serialize module.
<string>|<object>|<number>
<boolean> [optional]
<string> base64 json encoded object {iv, value, mac}
Will decrypt data with MAC signature verification, and return original data.
<string>|<object>|<number>
<string>|<object>
Will encrypt data with MAC signature, and return encrypted base64 string.
With force_serialize (only applies with serialize_mode:'php') you can force Encryptor to serialize data before ciphering, even if the data is not an object.
force_serialize will not take any effect if Encryptor is using a serializer driver other than the php-serialize module.
<string>|<object>|<number>
<boolean> [optional]
<string> base64 json encoded object {iv, value, mac}
Encrypt and Decrypt methods will serialize or unserialize data if needed.
Will inject custom serializer driver to Encryptor Class
object class serialize module
<void>
Will generate valid App_key a la Laravel
<number> [optional], default 32
<string> base64
Will decipher data
<string> base64 encoded key
<string>|<object>|<number>
<string> base64
Will cipher data
<string> base64 encoded key
<string>|<object>|<number>
<function> optional callback
<string> base64
To be able to run PHP test you should install:
>= 7.1.3
$> npm run test
Testing node Laravel Encryptor
Test Encryptor Cipher/Decipher serialize_mode: Native JSON
✓ should cipher and decipher text
✓ should cipher and decipher object
✓ should cipher and decipher with no key_length defined
✓ should cipher and decipher a number
✓ should cipher and decipher Sync Mode
Test Encryptor Cipher/Decipher serialize_mode: PHP Serialize
✓ should cipher and decipher text
✓ should cipher and decipher object
✓ should cipher and decipher with no key_length defined
✓ should cipher and decipher a number
✓ should cipher and decipher Sync Mode
Test Encryptor static methods
✓ should generate a valid App key
✓ should Cipher/deCipher correctly using static Encryptor methods
✓ should Cipher correctly using static Encryptor method with callback function
Test Encryptor Class Errors
✓ should throw 'EncryptorError' Error Type
✓ should throw 'encrypt no data given' EncryptorError when data to encrypt is null
✓ should throw 'decrypt no data given' EncryptorError when data to decrypt is null
✓ should throw 'not valid Key' EncryptorError when key not valid
✓ should throw 'no app key given' EncryptorError when null options
✓ should throw 'not valid algorithm' EncryptorError when algorithm not valid
✓ should throw 'not valid Json' EncryptorError when decipher not valid payload
✓ should throw 'invalid MAC signature' EncryptorError when deciphering tampered signature
✓ should throw 'invalid Payload' EncryptorError when decipher cannot validate payload
✓ should throw 'invalid iv length' EncryptorError when deciphering with invalid IV
✓ should throw 'validateSerializerDriver' EncryptorError when custom serializer driver not implements Serializer interface
✓ should throw 'Serializer Encryptor Class unknown option' EncryptorError when options.serialize_mode != json/php
Test Encryptor Class Serialize driver injection
✓ should set serialized_mode to php-serialized if no serialize_mode given
✓ should force serialize data input when serializer driver is php-serialized and data is not an object
✓ should inject custom serializer driver in constructor
✓ should inject custom serializer driver at runtime
✓ should use injected serializer driver to serialize/deserialize data
Test Encryptor compatibility with Laravel Illuminate/Encryption/Encrypter
✓ should decipher data at Laravel correctly with serialize_mode php (60ms)
✓ should decipher from Laravel correctly with serialize_mode php (56ms)
✓ should decipher data, Sync Mode, at Laravel correctly with serialize_mode php (58ms)
Test integration with Express cookie
✓ should create one request to Express aSync Mode, receive cookie and decipher (39ms)
✓ should create one request to Express Sync Mode, receive cookie and decipher
35 passing (296ms)
In order to run the Artillery integration test and stress test with aSync|Sync mode, we have to install artillery and the artillery expect plugin.
$> npm install -g artillery artillery-plugin-expect
$> npm run artillery_server_async
$> npm run artillery_expect
All virtual users finished
Summary report @ 11:28:45(+0200) 2019-09-21
Scenarios launched: 110
Scenarios completed: 110
Requests completed: 1100
RPS sent: 105.77
Request latency:
min: 0.8
max: 14.4
median: 1.2
p95: 2
p99: 3.5
Scenario counts:
Integration Test, parallel request: 110 (100%)
Codes:
200: 1100
$> npm run artillery_server_sync
$> npm run artillery_expect
All virtual users finished
Summary report @ 11:31:09(+0200) 2019-09-21
Scenarios launched: 110
Scenarios completed: 110
Requests completed: 1100
RPS sent: 105.87
Request latency:
min: 1
max: 27.3
median: 1.4
p95: 2.2
p99: 3.9
Scenario counts:
Integration Test, parallel request: 110 (100%)
Codes:
200: 1100
$> npm run artillery_server_async
$> npm run artillery_server_sync
$> npm run artillery
All virtual users finished
Summary report @ 11:20:34(+0200) 2019-09-21
Scenarios launched: 4220
Scenarios completed: 4220
Requests completed: 4220
RPS sent: 17.52
Request latency:
min: 1.1
max: 30.3
median: 1.9
p95: 3
p99: 4.8
Scenario counts:
stress test: 4220 (100%)
Codes:
200: 4220
All virtual users finished
Summary report @ 11:15:31(+0200) 2019-09-21
Scenarios launched: 4220
Scenarios completed: 4220
Requests completed: 4220
RPS sent: 17.52
Request latency:
min: 1.1
max: 30.6
median: 1.9
p95: 2.9
p99: 4.7
Scenario counts:
stress test: 4220 (100%)
Codes:
200: 4220
Blocking the Event Loop: Node core modules
Several Node core modules have synchronous expensive APIs, including:
Encryption, Compression, File system, Child process
These APIs are expensive, because they involve significant computation (encryption, compression), require I/O (file I/O), or potentially both (child process). These APIs are intended for scripting convenience, but are not intended for use in the server context. If you execute them on the Event Loop, they will take far longer to complete than a typical JavaScript instruction, blocking the Event Loop.
In a server, you should not use the following synchronous APIs from these modules:
Encryption: crypto.randomBytes (synchronous version)
Laravel only allows AES-128-CBC and AES-256-CBC.
If no algorithm is defined, the default is AES-256-CBC.
{
"iv": "iv in base64",
"value": "encrypted data",
"mac": "Hash HMAC signature"
}
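The payload layout above, worked through as an added example (not code from node-laravel-encryptor): it seals a value into the {iv, value, mac} structure and verifies the MAC before any decryption. It assumes Laravel's Encrypter convention of a hex HMAC-SHA256 over the base64 IV concatenated with the base64 ciphertext, uses JSON serialization, and the names seal, open, macOf and demo are hypothetical.

```javascript
const crypto = require('crypto');

// Assumption: MAC = HMAC-SHA256 over base64(iv) + base64(ciphertext), keyed with the app key.
const macOf = (key, ivB64, value) =>
  crypto.createHmac('sha256', key).update(ivB64 + value).digest();

// seal(): encrypt-then-MAC. A server would obtain the IV from the callback form
// of crypto.randomBytes rather than the synchronous default used here.
function seal(key, data, iv = crypto.randomBytes(16)) {
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
  const value = Buffer.concat([cipher.update(JSON.stringify(data), 'utf8'), cipher.final()])
    .toString('base64');
  const ivB64 = iv.toString('base64');
  const mac = macOf(key, ivB64, value).toString('hex');
  return Buffer.from(JSON.stringify({ iv: ivB64, value, mac })).toString('base64');
}

// open(): validate structure and MAC first; only then decrypt.
function open(key, payload) {
  let p;
  try { p = JSON.parse(Buffer.from(payload, 'base64').toString('utf8')); }
  catch (e) { throw new Error('invalid payload'); }
  if (!p || [p.iv, p.value, p.mac].some((f) => typeof f !== 'string')) {
    throw new Error('invalid payload');
  }
  const iv = Buffer.from(p.iv, 'base64');
  if (iv.length !== 16) throw new Error('invalid iv length');
  const given = Buffer.from(p.mac, 'hex');
  const expected = macOf(key, p.iv, p.value);
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid MAC signature');
  }
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  return JSON.parse(Buffer.concat([d.update(p.value, 'base64'), d.final()]).toString('utf8'));
}

// Constructed demo input: random 32-byte key, one sealed object, one tampered copy.
function demo() {
  const key = crypto.randomBytes(32);
  const sealed = seal(key, { foo: 'bar' });
  const p = JSON.parse(Buffer.from(sealed, 'base64').toString('utf8'));
  p.value = (p.value[0] === 'A' ? 'B' : 'A') + p.value.slice(1); // alter the ciphertext
  const tampered = Buffer.from(JSON.stringify(p)).toString('base64');
  let rejected = null;
  try { open(key, tampered); } catch (e) { rejected = e.message; }
  return { roundTrip: open(key, sealed), rejected };
}
console.log(demo());
```

Because the MAC is checked with a constant-time comparison before the cipher is touched, a modified ciphertext or a wrong key is rejected without exposing CBC padding errors to the caller.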
Pull requests are welcome!
The npm package node-laravel-encryptor receives a total of 347 weekly downloads. As such, node-laravel-encryptor popularity was classified as not popular.
We found that node-laravel-encryptor demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.