Merge pull request #3032 from gradido/sodium-native-new-pr

refactor(backend): sodium native with types
2025-12-13 07:45:54 +00:00 · 2023-06-15 14:45:03 +02:00 · 2023-06-15 14:45:03 +02:00 · 6be103e6b3
commit 6be103e6b3
parent 68706e41ae f179cff2cf
6 changed files with 52 additions and 22 deletions
--- a/backend/.eslintrc.js
+++ b/backend/.eslintrc.js
@ -25,10 +25,12 @@ module.exports = {
      },
      node: true,
    },
+    // the parser cannot handle the split sodium import
+    'import/ignore': ['sodium-native'],
  },
  rules: {
    'no-console': 'error',
-    camelcase: ['error', { allow: ['FederationClient_*'] }],
+    camelcase: ['error', { allow: ['FederationClient_*', 'crypto_*', 'randombytes_random'] }],
    'no-debugger': 'error',
    'prettier/prettier': [
      'error',
@ -58,7 +60,10 @@ module.exports = {
    'import/no-dynamic-require': 'error',
    'import/no-internal-modules': 'off',
    'import/no-relative-packages': 'error',
-    'import/no-relative-parent-imports': ['error', { ignore: ['@/*', 'random-bigint'] }],
+    'import/no-relative-parent-imports': [
+      'error',
+      { ignore: ['@/*', 'random-bigint', 'sodium-native'] },
+    ],
    'import/no-self-import': 'error',
    'import/no-unresolved': 'error',
    'import/no-useless-path-segments': 'error',
--- a/backend/@types/sodium-native/index.d.ts
+++ b/backend/@types/sodium-native/index.d.ts
@ -0,0 +1,8 @@
+// eslint-disable-next-line import/no-unresolved
+export * from '@/node_modules/@types/sodium-native'
+
+declare module 'sodium-native' {
+  export function crypto_hash_sha512_init(state: Buffer, key?: Buffer, outlen?: Buffer): void
+  export function crypto_hash_sha512_update(state: Buffer, input: Buffer): void
+  export function crypto_hash_sha512_final(state: Buffer, out: Buffer): void
+}
--- a/backend/package.json
+++ b/backend/package.json
@ -55,6 +55,7 @@
    "@types/lodash.clonedeep": "^4.5.6",
    "@types/node": "^16.10.3",
    "@types/nodemailer": "^6.4.4",
+    "@types/sodium-native": "^2.3.5",
    "@types/uuid": "^8.3.4",
    "@typescript-eslint/eslint-plugin": "^5.57.1",
    "@typescript-eslint/parser": "^5.57.1",
--- a/backend/src/graphql/resolver/UserResolver.ts
+++ b/backend/src/graphql/resolver/UserResolver.ts
@ -71,15 +71,13 @@ import { hasElopageBuys } from '@/util/hasElopageBuys'
 import { getTimeDurationObject, printTimeDuration } from '@/util/time'

 import random from 'random-bigint'
+import { randombytes_random } from 'sodium-native'

 import { FULL_CREATION_AVAILABLE } from './const/const'
 import { getUserCreations } from './util/creations'
 import { findUserByIdentifier } from './util/findUserByIdentifier'
 import { validateAlias } from './util/validateAlias'

-// eslint-disable-next-line @typescript-eslint/no-var-requires, import/no-commonjs
-const sodium = require('sodium-native')
-
 const LANGUAGES = ['de', 'en', 'es', 'fr', 'nl']
 const DEFAULT_LANGUAGE = 'de'
 const isLanguage = (language: string): boolean => {
@ -237,7 +235,7 @@ export class UserResolver {
        // TODO: this is unsecure, but the current implementation of the login server. This way it can be queried if the user with given EMail is existent.

        const user = new User(communityDbUser)
-        user.id = sodium.randombytes_random() % (2048 * 16) // TODO: for a better faking derive id from email so that it will be always the same id when the same email comes in?
+        user.id = randombytes_random() % (2048 * 16) // TODO: for a better faking derive id from email so that it will be always the same id when the same email comes in?
        user.gradidoID = uuidv4()
        user.firstName = firstName
        user.lastName = lastName
--- a/backend/src/password/EncryptorUtils.ts
+++ b/backend/src/password/EncryptorUtils.ts
@ -10,8 +10,19 @@ import { CONFIG } from '@/config'
 import { LogError } from '@/server/LogError'
 import { backendLogger as logger } from '@/server/logger'

-// eslint-disable-next-line @typescript-eslint/no-var-requires, import/no-commonjs
-const sodium = require('sodium-native')
+import {
+  crypto_shorthash_KEYBYTES,
+  crypto_box_SEEDBYTES,
+  crypto_hash_sha512_init,
+  crypto_hash_sha512_update,
+  crypto_hash_sha512_final,
+  crypto_hash_sha512_BYTES,
+  crypto_hash_sha512_STATEBYTES,
+  crypto_shorthash_BYTES,
+  crypto_pwhash_SALTBYTES,
+  crypto_pwhash,
+  crypto_shorthash,
+} from 'sodium-native'

 // We will reuse this for changePassword
 export const isValidPassword = (password: string): boolean => {
@ -22,36 +33,36 @@ export const SecretKeyCryptographyCreateKey = (salt: string, password: string):
  logger.trace('SecretKeyCryptographyCreateKey...')
  const configLoginAppSecret = Buffer.from(CONFIG.LOGIN_APP_SECRET, 'hex')
  const configLoginServerKey = Buffer.from(CONFIG.LOGIN_SERVER_KEY, 'hex')
-  if (configLoginServerKey.length !== sodium.crypto_shorthash_KEYBYTES) {
+  if (configLoginServerKey.length !== crypto_shorthash_KEYBYTES) {
    throw new LogError(
      'ServerKey has an invalid size',
      configLoginServerKey.length,
-      sodium.crypto_shorthash_KEYBYTES,
+      crypto_shorthash_KEYBYTES,
    )
  }

-  const state = Buffer.alloc(sodium.crypto_hash_sha512_STATEBYTES)
-  sodium.crypto_hash_sha512_init(state)
-  sodium.crypto_hash_sha512_update(state, Buffer.from(salt))
-  sodium.crypto_hash_sha512_update(state, configLoginAppSecret)
-  const hash = Buffer.alloc(sodium.crypto_hash_sha512_BYTES)
-  sodium.crypto_hash_sha512_final(state, hash)
+  const state = Buffer.alloc(crypto_hash_sha512_STATEBYTES)
+  crypto_hash_sha512_init(state)
+  crypto_hash_sha512_update(state, Buffer.from(salt))
+  crypto_hash_sha512_update(state, configLoginAppSecret)
+  const hash = Buffer.alloc(crypto_hash_sha512_BYTES)
+  crypto_hash_sha512_final(state, hash)

-  const encryptionKey = Buffer.alloc(sodium.crypto_box_SEEDBYTES)
+  const encryptionKey = Buffer.alloc(crypto_box_SEEDBYTES)
  const opsLimit = 10
  const memLimit = 33554432
  const algo = 2
-  sodium.crypto_pwhash(
+  crypto_pwhash(
    encryptionKey,
    Buffer.from(password),
-    hash.slice(0, sodium.crypto_pwhash_SALTBYTES),
+    hash.slice(0, crypto_pwhash_SALTBYTES),
    opsLimit,
    memLimit,
    algo,
  )

-  const encryptionKeyHash = Buffer.alloc(sodium.crypto_shorthash_BYTES)
-  sodium.crypto_shorthash(encryptionKeyHash, encryptionKey, configLoginServerKey)
+  const encryptionKeyHash = Buffer.alloc(crypto_shorthash_BYTES)
+  crypto_shorthash(encryptionKeyHash, encryptionKey, configLoginServerKey)

  return [encryptionKeyHash, encryptionKey]
 }
--- a/backend/yarn.lock
+++ b/backend/yarn.lock
@ -1181,6 +1181,13 @@
    "@types/mime" "^1"
    "@types/node" "*"

+"@types/sodium-native@^2.3.5":
+  version "2.3.5"
+  resolved "https://registry.yarnpkg.com/@types/sodium-native/-/sodium-native-2.3.5.tgz#5d2681e7b6b67bcbdc63cfb133e303ec9e942e43"
+  integrity sha512-a3DAIpW8+36XAY8aIR36JBQQsfOabxHuJwx11DL/PTvnbwEWPAXW66b8QbMi0r2vUnkOfREsketxdvjBmQxqDQ==
+  dependencies:
+    "@types/node" "*"
+
 "@types/stack-utils@^2.0.0":
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/@types/stack-utils/-/stack-utils-2.0.1.tgz#20f18294f797f2209b5f65c8e3b5c8e8261d127c"
@ -3645,7 +3652,7 @@ graceful-fs@^4.1.6, graceful-fs@^4.2.0:
  integrity sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==

 "gradido-database@file:../database":
-  version "1.20.0"
+  version "1.21.0"
  dependencies:
    "@types/uuid" "^8.3.4"
    cross-env "^7.0.3"