diff --git a/package-lock.json b/package-lock.json index f4b88700ab..f9d1b6aa0f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -16,7 +16,7 @@ "license": "ISC", "dependencies": { "@babel/runtime": "^7.15.4", - "futoin-hkdf": "^1.4.2", + "@panva/hkdf": "^1.0.0", "jose": "^4.1.2", "oauth": "^0.9.15", "openid-client": "^5.0.1", @@ -2962,6 +2962,14 @@ "integrity": "sha512-Aq58f5HiWdyDlFffbbSjAlv596h/cOnt2DO1w3DOC7OJ5EHs0hd/nycJfiu9RJbT6Yk6F1knnRRXNSpxoIVZ9Q==", "dev": true }, + "node_modules/@panva/hkdf": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@panva/hkdf/-/hkdf-1.0.0.tgz", + "integrity": "sha512-xPlCwVdEGjGObIn+s1jV0WNDm2fRBtf9j/F+TlQ+AgrkJTOLLK6mQ8iVqRZ6m/cnSdN+sbtp1GoXfWwqruHjTQ==", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/@sinonjs/commons": { "version": "1.8.3", "resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-1.8.3.tgz", @@ -6877,14 +6885,6 @@ "integrity": "sha1-GwqzvVU7Kg1jmdKcDj6gslIHgyc=", "dev": true }, - "node_modules/futoin-hkdf": { - "version": "1.4.2", - "resolved": "https://registry.npmjs.org/futoin-hkdf/-/futoin-hkdf-1.4.2.tgz", - "integrity": "sha512-2BggwLEJOTfXzKq4Tl2bIT37p0IqqKkblH4e0cMp2sXTdmwg/ADBKMxvxaEytYYcgdxgng8+acsi3WgMVUl6CQ==", - "engines": { - "node": ">=8" - } - }, "node_modules/gensync": { "version": "1.0.0-beta.2", "resolved": "https://registry.npmjs.org/gensync/-/gensync-1.0.0-beta.2.tgz", @@ -16885,6 +16885,11 @@ "integrity": "sha512-Aq58f5HiWdyDlFffbbSjAlv596h/cOnt2DO1w3DOC7OJ5EHs0hd/nycJfiu9RJbT6Yk6F1knnRRXNSpxoIVZ9Q==", "dev": true }, + "@panva/hkdf": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@panva/hkdf/-/hkdf-1.0.0.tgz", + "integrity": "sha512-xPlCwVdEGjGObIn+s1jV0WNDm2fRBtf9j/F+TlQ+AgrkJTOLLK6mQ8iVqRZ6m/cnSdN+sbtp1GoXfWwqruHjTQ==" + }, "@sinonjs/commons": { "version": "1.8.3", "resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-1.8.3.tgz", @@ -19896,11 +19901,6 @@ "integrity": "sha1-GwqzvVU7Kg1jmdKcDj6gslIHgyc=", "dev": true }, - "futoin-hkdf": { - "version": "1.4.2", - "resolved": "https://registry.npmjs.org/futoin-hkdf/-/futoin-hkdf-1.4.2.tgz", - "integrity": "sha512-2BggwLEJOTfXzKq4Tl2bIT37p0IqqKkblH4e0cMp2sXTdmwg/ADBKMxvxaEytYYcgdxgng8+acsi3WgMVUl6CQ==" - }, "gensync": { "version": "1.0.0-beta.2", "resolved": "https://registry.npmjs.org/gensync/-/gensync-1.0.0-beta.2.tgz", diff --git a/package.json b/package.json index cffdd2d811..65a7662b8b 100644 --- a/package.json +++ b/package.json @@ -61,7 +61,7 @@ "license": "ISC", "dependencies": { "@babel/runtime": "^7.15.4", - "futoin-hkdf": "^1.4.2", + "@panva/hkdf": "^1.0.0", "jose": "^4.1.2", "oauth": "^0.9.15", "openid-client": "^5.0.1", diff --git a/src/jwt/index.ts b/src/jwt/index.ts index f545e114ce..0eb0d43b0d 100644 --- a/src/jwt/index.ts +++ b/src/jwt/index.ts @@ -1,5 +1,5 @@ -import crypto from "crypto" import { EncryptJWT, jwtDecrypt } from "jose" +import hkdf from '@panva/hkdf' import { v4 as uuid } from "uuid" import { NextApiRequest } from "next" import type { JWT, JWTDecodeParams, JWTEncodeParams, JWTOptions } from "./types" @@ -21,7 +21,7 @@ export async function encode({ .setProtectedHeader({ alg: "dir", enc: "A256GCM" }) .setIssuedAt() .setExpirationTime(now() + maxAge) - .setJti(crypto.randomUUID ? crypto.randomUUID() : uuid()) + .setJti(uuid()) .encrypt(encryptionSecret) } @@ -99,33 +99,12 @@ export async function getToken( } } -/** Do the better hkdf of Node.js one added in `v15.0.0` and Third Party one */ -async function hkdf(secret, { byteLength, encryptionInfo, digest = "sha256" }) { - if (crypto.hkdf) { - return await new Promise((resolve, reject) => { - crypto.hkdf( - digest, - secret, - Buffer.alloc(0), - encryptionInfo, - byteLength, - (err, derivedKey) => { - if (err) reject(err) - else resolve(Buffer.from(derivedKey)) - } - ) - }) - } - // eslint-disable-next-line @typescript-eslint/no-var-requires - return require("futoin-hkdf")(secret, byteLength, { - info: encryptionInfo, - hash: digest, - }) -} - async function getDerivedEncryptionKey(secret) { - return await hkdf(secret, { - byteLength: 32, - encryptionInfo: "NextAuth.js Generated Encryption Key", - }) + return await hkdf( + 'sha256', + secret, + "", + "NextAuth.js Generated Encryption Key", + 32 + ) }