Fix for auth/refreshToken encoding

Author: pkarw

src/api/user.js

@@ -1,4 +1,4 @@
-import { apiStatus } from '../lib/util';
+import { apiStatus, encryptToken, decryptToken } from '../lib/util';
 import { Router } from 'express';
 import PlatformFactory from '../platform/factory';
 import jwt from 'jwt-simple';
@@ -68,12 +68,12 @@ export default ({config, db}) => {
 			 */
 			if (config.usePriceTiers) {
 				userProxy.me(result).then((resultMe) => {
-					apiStatus(res, result, 200, {refreshToken: jwt.encode(req.body, config.authHashSecret ? config.authHashSecret : config.objHashSecret)});
+					apiStatus(res, result, 200, {refreshToken: encryptToken(jwt.encode(req.body, config.authHashSecret ? config.authHashSecret : config.objHashSecret), config.authHashSecret ? config.authHashSecret : config.objHashSecret)});
 				}).catch(err => {
 					apiStatus(res, err, 500);
 				})
 			} else {
-        apiStatus(res, result, 200, {refreshToken: jwt.encode(req.body, config.authHashSecret ? config.authHashSecret : config.objHashSecret)});
+        apiStatus(res, result, 200, {refreshToken: encryptToken(jwt.encode(req.body, config.authHashSecret ? config.authHashSecret : config.objHashSecret), config.authHashSecret ? config.authHashSecret : config.objHashSecret)});
 			}
 		}).catch(err => {
 			apiStatus(res, err, 500);
@@ -89,13 +89,16 @@ export default ({config, db}) => {
 		if (!req.body || !req.body.refreshToken) {
 			return apiStatus(res, 'No refresh token provided', 500);
 		}
-
-		const decodedToken = jwt.decode(req.body ? req.body.refreshToken : '', config.authHashSecret ? config.authHashSecret : config.objHashSecret)
-		if (!decodedToken) {
-			return apiStatus(res, 'Invalid refresh token provided', 500);
+		try {
+			const decodedToken = jwt.decode(req.body ? decryptToken(req.body.refreshToken, config.authHashSecret ? config.authHashSecret : config.objHashSecret) : '', config.authHashSecret ? config.authHashSecret : config.objHashSecret)
+			if (!decodedToken) {
+				return apiStatus(res, 'Invalid refresh token provided', 500);
+			}
+		} catch (err) {
+			return apiStatus(res, err.message, 500);
 		}
 		userProxy.login(decodedToken).then((result) => {
-			apiStatus(res, result, 200, {refreshToken: jwt.encode(decodedToken, config.authHashSecret ? config.authHashSecret : config.objHashSecret)});
+			apiStatus(res, result, 200, {refreshToken: encryptToken(jwt.encode(decodedToken, config.authHashSecret ? config.authHashSecret : config.objHashSecret), config.authHashSecret ? config.authHashSecret : config.objHashSecret)});
 		}).catch(err => {
 			apiStatus(res, err, 500);
 		})

src/lib/util.js

@@ -1,4 +1,7 @@
 import config from 'config';
+import crypto from 'crypto';
+const algorithm = 'aes-256-ctr';
+
 /**	Creates a callback that proxies node callback style arguments to an Express Response object.
  *	@param {express.Response} res	Express HTTP Response
  *	@param {number} [status=200]	Status code to send on success
@@ -42,3 +45,17 @@ export function apiStatus(res, result = 'OK', code = 200, meta = null) {
 	res.status(code).json(apiResult);
 	return result;
 }
+
+export function encryptToken(textToken, secret) {
+	const cipher = crypto.createCipher(algorithm, secret)
+	let crypted = cipher.update(textToken, 'utf8',  'hex')
+	crypted += cipher.final('hex');
+	return crypted;
+}
+
+export function decryptToken(textToken, secret) {
+	const decipher = crypto.createDecipher(algorithm, secret)
+	let dec = decipher.update(textToken, 'hex', 'utf8')
+	dec += decipher.final('utf8');
+	return dec;	
+}

yarn.lock

@@ -84,7 +84,7 @@ ajv@^5.2.3, ajv@^5.3.0:
     fast-json-stable-stringify "^2.0.0"
     json-schema-traverse "^0.3.0"
 
-ajv@^6.4.0, ajv@^6.5.5:
+ajv@^6.4.0:
   version "6.6.1"
   resolved "https://registry.yarnpkg.com/ajv/-/ajv-6.6.1.tgz#6360f5ed0d80f232cc2b294c362d5dc2e538dd61"
   dependencies:
@@ -93,6 +93,15 @@ ajv@^6.4.0, ajv@^6.5.5:
     json-schema-traverse "^0.4.1"
     uri-js "^4.2.2"
 
+ajv@^6.5.5:
+  version "6.10.0"
+  resolved "https://registry.yarnpkg.com/ajv/-/ajv-6.10.0.tgz#90d0d54439da587cd7e843bfb7045f50bd22bdf1"
+  dependencies:
+    fast-deep-equal "^2.0.1"
+    fast-json-stable-stringify "^2.0.0"
+    json-schema-traverse "^0.4.1"
+    uri-js "^4.2.2"
+
 align-text@^0.1.1, align-text@^0.1.3:
   version "0.1.4"
   resolved "https://registry.yarnpkg.com/align-text/-/align-text-0.1.4.tgz#0cd90a561093f35d0a99256c22b7069433fad117"
@@ -282,7 +291,7 @@ async@^2.0.1, async@^2.5, async@^2.6:
 
 async@~1.0.0:
   version "1.0.0"
-  resolved "http://registry.npmjs.org/async/-/async-1.0.0.tgz#f8fc04ca3a13784ade9e1641af98578cfbd647a9"
+  resolved "https://registry.yarnpkg.com/async/-/async-1.0.0.tgz#f8fc04ca3a13784ade9e1641af98578cfbd647a9"
 
 asynckit@^0.4.0:
   version "0.4.0"
@@ -1357,7 +1366,7 @@ color@^3.1.0:
 
 colors@1.0.x:
   version "1.0.3"
-  resolved "http://registry.npmjs.org/colors/-/colors-1.0.3.tgz#0433f44d809680fdeb60ed260f1b0c262e82a40b"
+  resolved "https://registry.yarnpkg.com/colors/-/colors-1.0.3.tgz#0433f44d809680fdeb60ed260f1b0c262e82a40b"
 
 combined-stream@^1.0.6, combined-stream@~1.0.6:
   version "1.0.7"
@@ -3080,8 +3089,8 @@ magento2-rest-client@0.0.2:
     winston "^2.2.0"
 
 "magento2-rest-client@github:DivanteLtd/magento2-rest-client":
-  version "0.0.7"
-  resolved "https://codeload.github.com/DivanteLtd/magento2-rest-client/tar.gz/77b217ba140a1bc484697e1d141676b8b5c83933"
+  version "0.0.8"
+  resolved "https://codeload.github.com/DivanteLtd/magento2-rest-client/tar.gz/30a67752e65a8d02eac3c7caa1ace51ea2c5f815"
   dependencies:
     humps "^1.1.0"
     oauth-1.0a "^1.0.1"
@@ -3181,7 +3190,17 @@ migrate@^1.6.2:
   version "1.37.0"
   resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.37.0.tgz#0b6a0ce6fdbe9576e25f1f2d2fde8830dc0ad0d8"
 
-mime-types@^2.1.12, mime-types@^2.1.18, mime-types@~2.1.18, mime-types@~2.1.19:
+mime-db@~1.38.0:
+  version "1.38.0"
+  resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.38.0.tgz#1a2aab16da9eb167b49c6e4df2d9c68d63d8e2ad"
+
+mime-types@^2.1.12, mime-types@~2.1.19:
+  version "2.1.22"
+  resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.22.tgz#fe6b355a190926ab7698c9a0556a11199b2199bd"
+  dependencies:
+    mime-db "~1.38.0"
+
+mime-types@^2.1.18, mime-types@~2.1.18:
   version "2.1.21"
   resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.21.tgz#28995aa1ecb770742fe6ae7e58f9181c744b3f96"
   dependencies:
@@ -4648,8 +4667,8 @@ sprintf-js@~1.0.2:
   resolved "http://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz#04e6926f662895354f3dd015203633b857297e2c"
 
 sshpk@^1.7.0:
-  version "1.15.2"
-  resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.15.2.tgz#c946d6bd9b1a39d0e8635763f5242d6ed6dcb629"
+  version "1.16.1"
+  resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.16.1.tgz#fb661c0bef29b39db40769ee39fa70093d6f6877"
   dependencies:
     asn1 "~0.2.3"
     assert-plus "^1.0.0"