Rename password to encryptionKey when derived key is used

Author: hlxid

nodecg-io-core/dashboard/crypto.ts

@@ -2,18 +2,18 @@ import {
     PersistentData,
     EncryptedData,
     decryptData,
-    deriveEncryptionSecret,
+    deriveEncryptionKey,
     reEncryptData,
 } from "nodecg-io-core/extension/persistenceManager";
 import { EventEmitter } from "events";
 import { ObjectMap, ServiceInstance, ServiceDependency, Service } from "nodecg-io-core/extension/service";
 import { isLoaded } from "./authentication";
-import { PasswordMessage } from "nodecg-io-core/extension/messageManager";
+import { AuthenticationMessage } from "nodecg-io-core/extension/messageManager";
 import cryptoJS from "crypto-js";
 
 const encryptedData = nodecg.Replicant<EncryptedData>("encryptedConfig");
 let services: Service<unknown, never>[] | undefined;
-let password: string | undefined;
+let encryptionKey: string | undefined;
 
 /**
  * Layer between the actual dashboard and `PersistentData`.
@@ -47,20 +47,21 @@ class Config extends EventEmitter {
 }
 export const config = new Config();
 
-// Update the decrypted copy of the data once the encrypted version changes (if a password is available).
+// Update the decrypted copy of the data once the encrypted version changes (if a encryption key is available).
 // This ensures that the decrypted data is always up-to-date.
 encryptedData.on("change", updateDecryptedData);
 
 /**
  * Sets the passed password to be used by the crypto module.
- * Will try to decrypt encrypted data to tell whether the password is correct,
- * if it is wrong the internal password will be set to undefined.
+ * Uses the password to derive a decryption secret and then tries to decrypt
+ * the encrypted data to tell whether the password is correct.
+ * If it is wrong the internal encryption key will be set to undefined.
  * Returns whether the password is correct.
  * @param pw the password which should be set.
  */
 export async function setPassword(pw: string): Promise<boolean> {
     await Promise.all([
-        // Ensures that the `encryptedData` has been declared because it is needed by `setPassword()`
+        // Ensures that the `encryptedData` has been declared because it is needed to get the encrypted config.
         // This is especially needed when handling a re-connect as the replicant takes time to declare
         // and the password check is usually faster than that.
         NodeCG.waitForReplicants(encryptedData),
@@ -73,7 +74,7 @@ export async function setPassword(pw: string): Promise<boolean> {
 
     const salt = encryptedData.value.salt ?? cryptoJS.lib.WordArray.random(128 / 8).toString(cryptoJS.enc.Hex);
     if (encryptedData.value.salt === undefined) {
-        const newSecret = deriveEncryptionSecret(pw, salt);
+        const newSecret = deriveEncryptionKey(pw, salt);
 
         if (encryptedData.value.cipherText !== undefined) {
             const newSecretWordArray = cryptoJS.enc.Hex.parse(newSecret);
@@ -83,52 +84,55 @@ export async function setPassword(pw: string): Promise<boolean> {
         encryptedData.value.salt = salt;
     }
 
-    password = deriveEncryptionSecret(pw, salt);
+    encryptionKey = deriveEncryptionKey(pw, salt);
 
-    // Load framework, returns false if not already loaded and password is wrong
+    // Load framework, returns false if not already loaded and password/encryption key is wrong
     if ((await loadFramework()) === false) return false;
 
     if (encryptedData.value) {
         updateDecryptedData(encryptedData.value);
-        // Password is unset by `updateDecryptedData` if it is wrong.
-        // This may happen if the framework was already loaded and `loadFramework` didn't check the password.
-        if (password === undefined) {
+        // encryption key is unset by `updateDecryptedData` if it is wrong.
+        // This may happen if the framework was already loaded and `loadFramework` didn't check the password/encryption key.
+        if (encryptionKey === undefined) {
             return false;
         }
     }
 
     return true;
 }
 
-export async function sendAuthenticatedMessage<V>(messageName: string, message: Partial<PasswordMessage>): Promise<V> {
-    if (password === undefined) throw "No password available";
+export async function sendAuthenticatedMessage<V>(
+    messageName: string,
+    message: Partial<AuthenticationMessage>,
+): Promise<V> {
+    if (encryptionKey === undefined) throw "Can't send authenticated message: crypto module not authenticated";
     const msgWithAuth = Object.assign({}, message);
-    msgWithAuth.password = password;
+    msgWithAuth.encryptionKey = encryptionKey;
     return await nodecg.sendMessage(messageName, msgWithAuth);
 }
 
 /**
- * Returns whether a password has been set in the crypto module aka. whether it is authenticated.
+ * Returns whether a password derived encryption key has been set in the crypto module aka. whether it is authenticated.
  */
 export function isPasswordSet(): boolean {
-    return password !== undefined;
+    return encryptionKey !== undefined;
 }
 
 /**
- * Decrypts the passed data using the global password variable and saves it into `ConfigData`.
- * Unsets the password if its wrong and also forwards `undefined` to `ConfigData` if the password is unset.
+ * Decrypts the passed data using the global encryptionKey variable and saves it into `ConfigData`.
+ * Unsets the encryption key if its wrong and also forwards `undefined` to `ConfigData` if the encryption key is unset.
  * @param data the data that should be decrypted.
  */
 function updateDecryptedData(data: EncryptedData): void {
     let result: PersistentData | undefined = undefined;
-    if (password !== undefined && data.cipherText) {
-        const passwordWordArray = cryptoJS.enc.Hex.parse(password);
+    if (encryptionKey !== undefined && data.cipherText) {
+        const passwordWordArray = cryptoJS.enc.Hex.parse(encryptionKey);
         const res = decryptData(data.cipherText, passwordWordArray, data.iv);
         if (!res.failed) {
             result = res.result;
         } else {
-            // Password is wrong
-            password = undefined;
+            // Secret is wrong
+            encryptionKey = undefined;
         }
     }
 
@@ -159,7 +163,7 @@ async function loadFramework(): Promise<boolean> {
     if (await isLoaded()) return true;
 
     try {
-        await nodecg.sendMessage("load", { password });
+        await nodecg.sendMessage("load", { encryptionKey });
         return true;
     } catch {
         return false;

nodecg-io-core/extension/messageManager.ts

@@ -5,25 +5,25 @@ import { BundleManager } from "./bundleManager";
 import { PersistenceManager } from "./persistenceManager";
 import { ServiceManager } from "./serviceManager";
 
-export interface PasswordMessage {
-    password: string;
+export interface AuthenticationMessage {
+    encryptionKey: string;
 }
 
-export interface UpdateInstanceConfigMessage extends PasswordMessage {
+export interface UpdateInstanceConfigMessage extends AuthenticationMessage {
     instanceName: string;
     config: unknown;
 }
 
-export interface CreateServiceInstanceMessage extends PasswordMessage {
+export interface CreateServiceInstanceMessage extends AuthenticationMessage {
     serviceType: string;
     instanceName: string;
 }
 
-export interface DeleteServiceInstanceMessage extends PasswordMessage {
+export interface DeleteServiceInstanceMessage extends AuthenticationMessage {
     instanceName: string;
 }
 
-export interface SetServiceDependencyMessage extends PasswordMessage {
+export interface SetServiceDependencyMessage extends AuthenticationMessage {
     bundleName: string;
     instanceName: string | undefined;
     serviceType: string;
@@ -82,8 +82,8 @@ export class MessageManager {
             return success(this.persist.isLoaded());
         });
 
-        this.listen("load", async (msg: PasswordMessage) => {
-            return this.persist.load(msg.password);
+        this.listen("load", async (msg: AuthenticationMessage) => {
+            return this.persist.load(msg.encryptionKey);
         });
 
         this.listen("getServices", async () => {
@@ -113,12 +113,12 @@ export class MessageManager {
         });
     }
 
-    private listenWithAuth<M extends PasswordMessage, V>(
+    private listenWithAuth<M extends AuthenticationMessage, V>(
         messageName: string,
         cb: (msg: M) => Promise<Result<V>>,
     ): void {
         this.listen(messageName, async (msg: M) => {
-            if (this.persist.checkPassword(msg.password)) {
+            if (this.persist.checkEncryptionKey(msg.encryptionKey)) {
                 return cb(msg);
             } else {
                 return error("The password is invalid");

nodecg-io-core/extension/persistenceManager.ts

@@ -33,20 +33,21 @@ export interface EncryptedData {
 }
 
 /**
- * Decrypts the passed encrypted data using the passed password.
- * If the password is wrong, an error will be returned.
+ * Decrypts the passed encrypted data using the passed encryption key.
+ * If the encryption key is wrong, an error will be returned.
  *
  * @param cipherText the ciphertext that needs to be decrypted.
- * @param password the password for the encrypted data.
+ * @param encryptionKey the encryption key for the encrypted data.
+ * @param iv the initialization vector for the encrypted data.
  */
 export function decryptData(
     cipherText: string,
-    password: string | crypto.lib.WordArray,
+    encryptionKey: string | crypto.lib.WordArray,
     iv: string | undefined,
 ): Result<PersistentData> {
     try {
         const ivWordArray = iv ? crypto.enc.Hex.parse(iv) : undefined;
-        const decryptedBytes = crypto.AES.decrypt(cipherText, password, { iv: ivWordArray });
+        const decryptedBytes = crypto.AES.decrypt(cipherText, encryptionKey, { iv: ivWordArray });
         const decryptedText = decryptedBytes.toString(crypto.enc.Utf8);
         const data: PersistentData = JSON.parse(decryptedText);
         return success(data);
@@ -55,14 +56,14 @@ export function decryptData(
     }
 }
 
-export function encryptData(data: PersistentData, password: string | crypto.lib.WordArray): [string, string] {
+export function encryptData(data: PersistentData, encryptionKey: crypto.lib.WordArray): [string, string] {
     const iv = crypto.lib.WordArray.random(16);
     const ivText = iv.toString();
-    const encrypted = crypto.AES.encrypt(JSON.stringify(data), password, { iv });
+    const encrypted = crypto.AES.encrypt(JSON.stringify(data), encryptionKey, { iv });
     return [encrypted.toString(), ivText];
 }
 
-export function deriveEncryptionSecret(password: string, salt: string | undefined): string {
+export function deriveEncryptionKey(password: string, salt: string | undefined): string {
     if (salt === undefined) {
         return password;
     }
@@ -80,7 +81,7 @@ export function deriveEncryptionSecret(password: string, salt: string | undefine
 export function reEncryptData(
     data: EncryptedData,
     oldSecret: string | crypto.lib.WordArray,
-    newSecret: string | crypto.lib.WordArray,
+    newSecret: crypto.lib.WordArray,
 ): Result<void> {
     if (data.cipherText === undefined) {
         return error("Cannot re-encrypt empty cipher text.");
@@ -101,7 +102,7 @@ export function reEncryptData(
  * Manages encrypted persistence of data that is held by the instance and bundle managers.
  */
 export class PersistenceManager {
-    private password: string | undefined;
+    private encryptionKey: string | undefined;
     // We store the encrypted data in a replicant, because writing files in a NodeCG bundle isn't very clean
     // and the bundle config is read-only. It is only in encrypted form, so it is OK to be accessible in the browser.
     private encryptedData: ReplicantServer<EncryptedData>;
@@ -120,38 +121,38 @@ export class PersistenceManager {
     }
 
     /**
-     * Checks whether the passed password is correct. Only works if already loaded and a password is already set.
-     * @param password the password which should be checked for correctness
+     * Checks whether the passed encryption key is correct. Only works if already loaded and a encryption key is already set.
+     * @param encryptionKey the encryption key which should be checked for correctness
      */
-    checkPassword(password: string): boolean {
+    checkEncryptionKey(encryptionKey: string): boolean {
         if (this.isLoaded()) {
-            return this.password === password;
+            return this.encryptionKey === encryptionKey;
         } else {
             return false;
         }
     }
 
     /**
-     * Returns if the locally stored configuration has been loaded and a password has been set.
+     * Returns if the locally stored configuration has been loaded and a encryption key has been set.
      */
     isLoaded(): boolean {
-        return this.password !== undefined;
+        return this.encryptionKey !== undefined;
     }
 
     /**
      * Returns whether this is the first startup aka. whether any encrypted data has been saved.
-     * If this returns true {{@link load}} will accept any password and use it to encrypt the configuration.
+     * If this returns true {@link load} will accept any encryption key and use it to encrypt the configuration.
      */
     isFirstStartup(): boolean {
         return this.encryptedData.value.cipherText === undefined;
     }
 
     /**
-     * Decrypts and loads the locally stored configuration using the passed password.
-     * @param password the password of the encrypted config.
-     * @return success if the password was correct and loading has been successful and an error if the password is wrong.
+     * Decrypts and loads the locally stored configuration using the passed encryption key.
+     * @param encryptionKey the encryption key of the encrypted config.
+     * @return success if the encryption key was correct and loading has been successful and an error if the encryption key is wrong.
      */
-    async load(password: string): Promise<Result<void>> {
+    async load(encryptionKey: string): Promise<Result<void>> {
         if (this.isLoaded()) {
             return error("Config has already been decrypted and loaded.");
         }
@@ -160,19 +161,19 @@ export class PersistenceManager {
             // No encrypted data has been saved, probably because this is the first startup.
             // Therefore nothing needs to be decrypted, and we write an empty config to disk.
             this.nodecg.log.info("No saved configuration found, creating a empty one.");
-            this.password = password;
+            this.encryptionKey = encryptionKey;
             this.save();
         } else {
             // Decrypt config
             this.nodecg.log.info("Decrypting and loading saved configuration.");
-            const passwordWordArray = crypto.enc.Hex.parse(password);
+            const encryptionKeyArr = crypto.enc.Hex.parse(encryptionKey);
             const data = decryptData(
                 this.encryptedData.value.cipherText,
-                passwordWordArray,
+                encryptionKeyArr,
                 this.encryptedData.value.iv,
             );
             if (data.failed) {
-                this.nodecg.log.error("Could not decrypt configuration: password is invalid.");
+                this.nodecg.log.error("Could not decrypt configuration: encryption key is invalid.");
                 return data;
             }
 
@@ -183,8 +184,8 @@ export class PersistenceManager {
             this.saveAfterServiceInstancesLoaded(promises);
         }
 
-        // Save password, used in save() function
-        this.password = password;
+        // Save encryption key, used in save() function
+        this.encryptionKey = encryptionKey;
 
         // Register handlers to save when something changes
         this.instances.on("change", () => this.save());
@@ -258,8 +259,8 @@ export class PersistenceManager {
      * Encrypts and saves current state to the persistent replicant.
      */
     save(): void {
-        // Check if we have a password to encrypt the data with.
-        if (this.password === undefined) {
+        // Check if we have a encryption key to encrypt the data with.
+        if (this.encryptionKey === undefined) {
             return;
         }
 
@@ -270,8 +271,8 @@ export class PersistenceManager {
         };
 
         // Encrypt and save data to persistent replicant.
-        const passwordWordArray = crypto.enc.Hex.parse(this.password);
-        const [cipherText, iv] = encryptData(data, passwordWordArray);
+        const encryptionKeyArr = crypto.enc.Hex.parse(this.encryptionKey);
+        const [cipherText, iv] = encryptData(data, encryptionKeyArr);
         this.encryptedData.value.cipherText = cipherText;
         this.encryptedData.value.iv = iv;
     }
@@ -353,7 +354,7 @@ export class PersistenceManager {
                     const salt =
                         this.encryptedData.value.salt ?? crypto.lib.WordArray.random(128 / 8).toString(crypto.enc.Hex);
                     if (this.encryptedData.value.salt === undefined) {
-                        const newSecret = deriveEncryptionSecret(password, salt);
+                        const newSecret = deriveEncryptionKey(password, salt);
 
                         if (this.encryptedData.value.cipherText !== undefined) {
                             const newSecretWordArray = crypto.enc.Hex.parse(newSecret);
@@ -363,8 +364,8 @@ export class PersistenceManager {
                         this.encryptedData.value.salt = salt;
                     }
 
-                    const encryptionSecret = deriveEncryptionSecret(password, salt);
-                    const loadResult = await this.load(encryptionSecret);
+                    const encryptionKey = deriveEncryptionKey(password, salt);
+                    const loadResult = await this.load(encryptionKey);
 
                     if (!loadResult.failed) {
                         this.nodecg.log.info("Automatic login successful.");