Add warnOnInsecureuserIdentifierKey

razor-x · razor-x · commit d0830fa5ee6d · 2023-10-05T16:04:07.000-07:00
diff --git a/generate-routes.ts b/generate-routes.ts
@@ -240,6 +240,7 @@ import type {
 } from '@seamapi/types/connect'
 import type { SetNonNullable } from 'type-fest'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import {
   type Client,
   type ClientOptions,
diff --git a/src/lib/seam/connect/auth.ts b/src/lib/seam/connect/auth.ts
@@ -46,6 +46,12 @@ const getAuthHeadersForApiKey = ({
     )
   }
 
+  if (isPublishableKey(apiKey)) {
+    throw new SeamHttpInvalidTokenError(
+      'A Publishable Key cannot be used as an apiKey',
+    )
+  }
+
   if (!isSeamToken(apiKey)) {
     throw new SeamHttpInvalidTokenError(
       `Unknown or invalid apiKey format, expected token to start with ${tokenPrefix}`,
@@ -72,6 +78,12 @@ const getAuthHeadersForClientSessionToken = ({
     )
   }
 
+  if (isPublishableKey(clientSessionToken)) {
+    throw new SeamHttpInvalidTokenError(
+      'A Publishable Key cannot be used as a clientSessionToken',
+    )
+  }
+
   if (!isClientSessionToken(clientSessionToken)) {
     throw new SeamHttpInvalidTokenError(
       `Unknown or invalid clientSessionToken format, expected token to start with ${clientSessionTokenPrefix}`,
@@ -85,6 +97,30 @@ const getAuthHeadersForClientSessionToken = ({
 }
 
 const getAuthHeadersForPublishableKey = (publishableKey: string): Headers => {
+  if (isJwt(publishableKey)) {
+    throw new SeamHttpInvalidTokenError(
+      'A JWT cannot be used as a publishableKey',
+    )
+  }
+
+  if (isAccessToken(publishableKey)) {
+    throw new SeamHttpInvalidTokenError(
+      'An Access Token cannot be used as a publishableKey',
+    )
+  }
+
+  if (isClientSessionToken(publishableKey)) {
+    throw new SeamHttpInvalidTokenError(
+      'A Client Session Token Key cannot be used as a publishableKey',
+    )
+  }
+
+  if (!isPublishableKey(publishableKey)) {
+    throw new SeamHttpInvalidTokenError(
+      `Unknown or invalid publishableKey format, expected token to start with ${publishableKeyTokenPrefix}`,
+    )
+  }
+
   return {
     'seam-publishable-key': publishableKey,
   }
@@ -98,10 +134,29 @@ export class SeamHttpInvalidTokenError extends Error {
   }
 }
 
+export const warnOnInsecureuserIdentifierKey = (
+  userIdentifierKey: string,
+): void => {
+  if (isEmail(userIdentifierKey)) {
+    // eslint-disable-next-line no-console
+    console.warn(
+      ...[
+        'Using an email for the userIdentifierKey is insecure and may return an error in the future!',
+        'This is insecure because an email is common knowledge or easily guessed.',
+        'Use something with sufficient entropy known only to the owner of the client session.',
+        'For help choosing a user identifier key see',
+        'https://docs.seam.co/latest/seam-components/overview/get-started-with-client-side-components#3-select-a-user-identifier-key',
+      ],
+    )
+  }
+}
+
 const tokenPrefix = 'seam_'
 
 const clientSessionTokenPrefix = 'seam_cst'
 
+const publishableKeyTokenPrefix = 'seam_pk'
+
 const isClientSessionToken = (token: string): boolean =>
   token.startsWith(clientSessionTokenPrefix)
 
@@ -110,3 +165,10 @@ const isAccessToken = (token: string): boolean => token.startsWith('seam_at')
 const isJwt = (token: string): boolean => token.startsWith('ey')
 
 const isSeamToken = (token: string): boolean => token.startsWith(tokenPrefix)
+
+const isPublishableKey = (token: string): boolean =>
+  token.startsWith(publishableKeyTokenPrefix)
+
+// SOURCE: https://stackoverflow.com/a/46181
+const isEmail = (value: string): boolean =>
+  /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)
diff --git a/src/lib/seam/connect/routes/access-codes-unmanaged.ts b/src/lib/seam/connect/routes/access-codes-unmanaged.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpAccessCodesUnmanaged {
@@ -74,6 +75,7 @@ export class SeamHttpAccessCodesUnmanaged {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpAccessCodesUnmanaged> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/access-codes.ts b/src/lib/seam/connect/routes/access-codes.ts
@@ -24,6 +24,7 @@ import {
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
 import { SeamHttpAccessCodesUnmanaged } from './access-codes-unmanaged.js'
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpAccessCodes {
@@ -75,6 +76,7 @@ export class SeamHttpAccessCodes {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpAccessCodes> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/acs-access-groups.ts b/src/lib/seam/connect/routes/acs-access-groups.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpAcsAccessGroups {
@@ -74,6 +75,7 @@ export class SeamHttpAcsAccessGroups {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpAcsAccessGroups> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/acs-credentials.ts b/src/lib/seam/connect/routes/acs-credentials.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpAcsCredentials {
@@ -74,6 +75,7 @@ export class SeamHttpAcsCredentials {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpAcsCredentials> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/acs-systems.ts b/src/lib/seam/connect/routes/acs-systems.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpAcsSystems {
@@ -74,6 +75,7 @@ export class SeamHttpAcsSystems {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpAcsSystems> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/acs-users.ts b/src/lib/seam/connect/routes/acs-users.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpAcsUsers {
@@ -74,6 +75,7 @@ export class SeamHttpAcsUsers {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpAcsUsers> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/acs.ts b/src/lib/seam/connect/routes/acs.ts
@@ -24,6 +24,7 @@ import { SeamHttpAcsAccessGroups } from './acs-access-groups.js'
 import { SeamHttpAcsCredentials } from './acs-credentials.js'
 import { SeamHttpAcsSystems } from './acs-systems.js'
 import { SeamHttpAcsUsers } from './acs-users.js'
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpAcs {
@@ -75,6 +76,7 @@ export class SeamHttpAcs {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpAcs> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/action-attempts.ts b/src/lib/seam/connect/routes/action-attempts.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpActionAttempts {
@@ -74,6 +75,7 @@ export class SeamHttpActionAttempts {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpActionAttempts> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/client-sessions.ts b/src/lib/seam/connect/routes/client-sessions.ts
@@ -23,6 +23,8 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
+
 export class SeamHttpClientSessions {
   client: Client
 
@@ -72,6 +74,7 @@ export class SeamHttpClientSessions {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpClientSessions> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/connect-webviews.ts b/src/lib/seam/connect/routes/connect-webviews.ts
@@ -27,6 +27,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpConnectWebviews {
@@ -78,6 +79,7 @@ export class SeamHttpConnectWebviews {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpConnectWebviews> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/connected-accounts.ts b/src/lib/seam/connect/routes/connected-accounts.ts
@@ -27,6 +27,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpConnectedAccounts {
@@ -78,6 +79,7 @@ export class SeamHttpConnectedAccounts {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpConnectedAccounts> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/devices-unmanaged.ts b/src/lib/seam/connect/routes/devices-unmanaged.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpDevicesUnmanaged {
@@ -74,6 +75,7 @@ export class SeamHttpDevicesUnmanaged {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpDevicesUnmanaged> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/devices.ts b/src/lib/seam/connect/routes/devices.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 import { SeamHttpDevicesUnmanaged } from './devices-unmanaged.js'
 
@@ -75,6 +76,7 @@ export class SeamHttpDevices {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpDevices> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/events.ts b/src/lib/seam/connect/routes/events.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpEvents {
@@ -74,6 +75,7 @@ export class SeamHttpEvents {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpEvents> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/locks.ts b/src/lib/seam/connect/routes/locks.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpLocks {
@@ -74,6 +75,7 @@ export class SeamHttpLocks {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpLocks> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/noise-sensors-noise-thresholds.ts b/src/lib/seam/connect/routes/noise-sensors-noise-thresholds.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpNoiseSensorsNoiseThresholds {
@@ -74,6 +75,7 @@ export class SeamHttpNoiseSensorsNoiseThresholds {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpNoiseSensorsNoiseThresholds> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/noise-sensors.ts b/src/lib/seam/connect/routes/noise-sensors.ts
@@ -20,6 +20,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 import { SeamHttpNoiseSensorsNoiseThresholds } from './noise-sensors-noise-thresholds.js'
 
@@ -72,6 +73,7 @@ export class SeamHttpNoiseSensors {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpNoiseSensors> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/thermostats-climate-setting-schedules.ts b/src/lib/seam/connect/routes/thermostats-climate-setting-schedules.ts
@@ -23,6 +23,7 @@ import {
 } from 'lib/seam/connect/options.js'
 import { parseOptions } from 'lib/seam/connect/parse-options.js'
 
+import { warnOnInsecureuserIdentifierKey } from './auth.js'
 import { SeamHttpClientSessions } from './client-sessions.js'
 
 export class SeamHttpThermostatsClimateSettingSchedules {
@@ -74,6 +75,7 @@ export class SeamHttpThermostatsClimateSettingSchedules {
     userIdentifierKey: string,
     options: ClientOptions = {},
   ): Promise<SeamHttpThermostatsClimateSettingSchedules> {
+    warnOnInsecureuserIdentifierKey(userIdentifierKey)
     const clientOptions = parseOptions({ ...options, publishableKey })
     const client = createClient(clientOptions)
     const clientSessions = SeamHttpClientSessions.fromClient(client)
diff --git a/src/lib/seam/connect/routes/thermostats.ts b/src/lib/seam/connect/routes/thermostats.ts
diff --git a/src/lib/seam/connect/routes/webhooks.ts b/src/lib/seam/connect/routes/webhooks.ts
diff --git a/src/lib/seam/connect/routes/workspaces.ts b/src/lib/seam/connect/routes/workspaces.ts
diff --git a/src/lib/seam/connect/seam-http.ts b/src/lib/seam/connect/seam-http.ts
