Encrypt and Decrypt Backup Codes

stanleyowen · May 8, 2021 · 76c0d96 · 76c0d96
1 parent 2c95f6e
commit 76c0d96
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 13 deletions.
diff --git a/server/lib/crypto.js b/server/lib/crypto.js
@@ -1,18 +1,19 @@
 const crypto = require('crypto');
 const algorithm = 'aes-256-cbc';
-const secretKey1 = process.env.SECRET_KEY_1;
-const secretKey2 = process.env.SECRET_KEY_2;
-const secretKey3 = process.env.SECRET_KEY_3;
+const secretKey1 = process.env.SECRET_KEY_1; // Account Session and Todo Data
+const secretKey2 = process.env.SECRET_KEY_2; // OTP Verification Code
+const secretKey3 = process.env.SECRET_KEY_3; // Forgot Password Credentials
+const secretKey4 = process.env.SECRET_KEY_4; // Backup Codes Credentials
 const iv = crypto.randomBytes(16);
 
 const encrypt = (text, method) => {
-    let cipher = crypto.createCipheriv(algorithm, Buffer.from(String(method) === '1' ? secretKey1 : String(method) === '2' ? secretKey2 : secretKey3), iv);
+    let cipher = crypto.createCipheriv(algorithm, Buffer.from(String(method) === '1' ? secretKey1 : String(method) === '2' ? secretKey2 : String(method) === '3' ? secretKey3 : secretKey4), iv);
     let encrypted = Buffer.concat([cipher.update(text), cipher.final()]);
     return { iv: iv.toString('hex'), data: encrypted.toString('hex') };
 }
-   
+
 const decrypt = (hash, method) => {
-    let decipher = crypto.createDecipheriv(algorithm, Buffer.from(String(method) === '1' ? secretKey1 : String(method) === '2' ? secretKey2 : secretKey3), Buffer.from(hash.iv, 'hex'));
+    let decipher = crypto.createDecipheriv(algorithm, Buffer.from(String(method) === '1' ? secretKey1 : String(method) === '2' ? secretKey2 : String(method) === '3' ? secretKey3 : secretKey4), Buffer.from(hash.iv, 'hex'));
     let decrypted = Buffer.concat([decipher.update(Buffer.from(hash.data, 'hex')), decipher.final()]);;
     return decrypted.toString();
 }

diff --git a/server/lib/passport.js b/server/lib/passport.js
@@ -434,7 +434,7 @@ passport.use('generateToken', new localStrategy({ usernameField: 'email', passwo
         else if(user){
             if(regenerate || !user.security['2FA']){
                 let backupCodes = [];
-                for (let x=0; x<10; x++) backupCodes.push(crypto.randomInt(Math.pow(10, 8-1), Math.pow(10, 8)).toString())
+                for (let x=0; x<10; x++) backupCodes.push(encrypt((crypto.randomInt(Math.pow(10, 8-1), Math.pow(10, 8)).toString()), 4))
                 user.security['backup-codes'].valid = backupCodes;
                 user.security['backup-codes'].invalid = [];
                 user.save();

diff --git a/server/models/users.model.js b/server/models/users.model.js
@@ -44,8 +44,8 @@ const userSchema = new Schema ({
             default: false,
             required: true
         }, 'backup-codes': {
-            valid: [{ type: String }],
-            invalid: [{ type: String }]
+            valid: [{ type: Object }],
+            invalid: [{ type: Object }]
         }
     }
 }, {

diff --git a/server/routes/users.route.js b/server/routes/users.route.js
@@ -3,7 +3,7 @@ const passport = require('passport');
 const router = require('express').Router();
 const rateLimit = require('express-rate-limit');
 
-const { encrypt } = require('../lib/crypto');
+const { encrypt, decrypt } = require('../lib/crypto');
 const MSG_DESC = require('../lib/callback');
 let RevokedToken = require('../models/revoke-token.model');
 let User = require('../models/users.model');
@@ -89,7 +89,10 @@ router.get('/user', async (req, res, next) => {
         if(err) return res.status(500).send(JSON.stringify({status: 500, message: MSG_DESC[0], 'XSRF-TOKEN': req.csrfToken()}, null, 2));
         else if(info && info.status === 302) return res.status(info.status).send(JSON.stringify({...info, credentials: user, 'XSRF-TOKEN': req.csrfToken()}, null, 2));
         else if(info && (info.status ? info.status >= 300 ? true : false : true)) return res.status(info.status ? info.status : info.status = 400).send(JSON.stringify({...info, 'XSRF-TOKEN': req.csrfToken()}, null, 2));
-        else if(user) return res.send(JSON.stringify({
+        else if(user){
+            user.security['backup-codes'].valid = user.security['backup-codes'].valid.map(a => { return(decrypt(a, 4)) })
+            user.security['backup-codes'].invalid = user.security['backup-codes'].invalid.map(a => { return(decrypt(a, 4)) })
+            return res.send(JSON.stringify({
                 status: 200,
                 message: MSG_DESC[5],
                 credentials: {
@@ -98,9 +101,10 @@ router.get('/user', async (req, res, next) => {
                     authenticated: true,
                     thirdParty: user.thirdParty,
                     verified: user.verified,
-                    security: user.security
+                    security: user.security,
                 }, 'XSRF-TOKEN': req.csrfToken()
-            }, null, 2));
+            }, null, 2))
+        }
         else return res.status(504).send(JSON.stringify({ status: 504, message: MSG_DESC[34], 'XSRF-TOKEN': req.csrfToken() }, null, 2));
     })(req, res, next)
 })