Migrate urlsafe-base64 to be internal to web-push and switch to Buffer.from (#813)

Fixes #785

Co-authored-by: Dan Lee <[email protected]>

Author: haouarihk

package-lock.json

@@ -33,8 +33,7 @@
     "http_ece": "1.1.0",
     "https-proxy-agent": "^5.0.0",
     "jws": "^4.0.0",
-    "minimist": "^1.2.5",
-    "urlsafe-base64": "^1.0.0"
+    "minimist": "^1.2.5"
   },
   "devDependencies": {
     "chromedriver": "101.0.0",

package.json

@@ -2,7 +2,7 @@
 
 const crypto = require('crypto');
 const ece = require('http_ece');
-const urlBase64 = require('urlsafe-base64');
+const urlBase64Helper = require('./urlsafe-base64-helper');
 
 const encrypt = function(userPublicKey, userAuth, payload, contentEncoding) {
   if (!userPublicKey) {
@@ -13,7 +13,7 @@ const encrypt = function(userPublicKey, userAuth, payload, contentEncoding) {
     throw new Error('The subscription p256dh value must be a string.');
   }
 
-  if (urlBase64.decode(userPublicKey).length !== 65) {
+  if (urlBase64Helper.decode(userPublicKey).length !== 65) {
     throw new Error('The subscription p256dh value should be 65 bytes long.');
   }
 
@@ -25,7 +25,7 @@ const encrypt = function(userPublicKey, userAuth, payload, contentEncoding) {
     throw new Error('The subscription auth key must be a string.');
   }
 
-  if (urlBase64.decode(userAuth).length < 16) {
+  if (urlBase64Helper.decode(userAuth).length < 16) {
     throw new Error('The subscription auth key should be at least 16 '
     + 'bytes long');
   }
@@ -41,7 +41,7 @@ const encrypt = function(userPublicKey, userAuth, payload, contentEncoding) {
   const localCurve = crypto.createECDH('prime256v1');
   const localPublicKey = localCurve.generateKeys();
 
-  const salt = urlBase64.encode(crypto.randomBytes(16));
+  const salt = urlBase64Helper.encode(crypto.randomBytes(16));
 
   const cipherText = ece.encrypt(payload, {
     version: contentEncoding,

src/encryption-helper.js

@@ -0,0 +1,32 @@
+// Largely ported from https://github.com/RGBboy/urlsafe-base64
+
+'use strict';
+
+function encode(buffer) {
+   return buffer.toString('base64')
+    .replace(/\+/g, '-') // Convert '+' to '-'
+    .replace(/\//g, '_') // Convert '/' to '_'
+    .replace(/=+$/, ''); // Remove ending '='
+}
+
+function decode(base64) {
+   // Add removed at end '='
+  base64 += Array(5 - (base64.length % 4)).join('=');
+
+  base64 = base64
+    .replace(/-/g, '+') // Convert '-' to '+'
+    .replace(/_/g, '/'); // Convert '_' to '/'
+
+  // change from urlsafe-base64 since new Buffer() is deprecated
+  return Buffer.from(base64, 'base64');
+}
+
+function validate(base64) {
+   return /^[A-Za-z0-9\-_]+$/.test(base64);
+ }
+
+module.exports = {
+   encode: encode,
+   decode: decode,
+   validate: validate
+};

src/urlsafe-base64-helper.js

@@ -1,12 +1,12 @@
 'use strict';
 
 const crypto = require('crypto');
-const urlBase64 = require('urlsafe-base64');
 const asn1 = require('asn1.js');
 const jws = require('jws');
 const { URL } = require('url');
 
 const WebPushConstants = require('./web-push-constants.js');
+const urlBase64Helper = require('./urlsafe-base64-helper');
 
 /**
  * DEFAULT_EXPIRATION is set to seconds in 12 hours
@@ -60,8 +60,8 @@ function generateVAPIDKeys() {
   }
 
   return {
-    publicKey: urlBase64.encode(publicKeyBuffer),
-    privateKey: urlBase64.encode(privateKeyBuffer)
+    publicKey: urlBase64Helper.encode(publicKeyBuffer),
+    privateKey: urlBase64Helper.encode(privateKeyBuffer)
   };
 }
 
@@ -100,11 +100,11 @@ function validatePublicKey(publicKey) {
     + 'encoded string.');
   }
 
-  if (!urlBase64.validate(publicKey)) {
+  if (!urlBase64Helper.validate(publicKey)) {
     throw new Error('Vapid public key must be a URL safe Base 64 (without "=")');
   }
 
-  publicKey = urlBase64.decode(publicKey);
+  publicKey = urlBase64Helper.decode(publicKey);
 
   if (publicKey.length !== 65) {
     throw new Error('Vapid public key should be 65 bytes long when decoded.');
@@ -121,11 +121,11 @@ function validatePrivateKey(privateKey) {
     + 'encoded string.');
   }
 
-  if (!urlBase64.validate(privateKey)) {
+  if (!urlBase64Helper.validate(privateKey)) {
     throw new Error('Vapid private key must be a URL safe Base 64 (without "=")');
   }
 
-  privateKey = urlBase64.decode(privateKey);
+  privateKey = urlBase64Helper.decode(privateKey);
 
   if (privateKey.length !== 32) {
     throw new Error('Vapid private key should be 32 bytes long when decoded.');
@@ -203,7 +203,7 @@ function getVapidHeaders(audience, subject, publicKey, privateKey, contentEncodi
   validatePublicKey(publicKey);
   validatePrivateKey(privateKey);
 
-  privateKey = urlBase64.decode(privateKey);
+  privateKey = urlBase64Helper.decode(privateKey);
 
   if (expiration) {
     validateExpiration(expiration);

src/vapid-helper.js

@@ -1,13 +1,13 @@
 'use strict';
 
-const urlBase64 = require('urlsafe-base64');
 const url = require('url');
 const https = require('https');
 
 const WebPushError = require('./web-push-error.js');
 const vapidHelper = require('./vapid-helper.js');
 const encryptionHelper = require('./encryption-helper.js');
 const webPushConstants = require('./web-push-constants.js');
+const urlBase64Helper = require('./urlsafe-base64-helper');
 
 // Default TTL is four weeks.
 const DEFAULT_TTL = 2419200;
@@ -189,7 +189,7 @@ WebPushLib.prototype.generateRequestDetails = function(subscription, payload, op
       }
 
       if (options.topic) {
-        if (!urlBase64.validate(options.topic)) {
+        if (!urlBase64Helper.validate(options.topic)) {
           throw new Error('Unsupported characters set use the URL or filename-safe Base64 characters set');
         }
         if (options.topic.length > 32) {
@@ -251,7 +251,7 @@ WebPushLib.prototype.generateRequestDetails = function(subscription, payload, op
       } else if (contentEncoding === webPushConstants.supportedContentEncodings.AES_GCM) {
         requestDetails.headers['Content-Encoding'] = webPushConstants.supportedContentEncodings.AES_GCM;
         requestDetails.headers.Encryption = 'salt=' + encrypted.salt;
-        requestDetails.headers['Crypto-Key'] = 'dh=' + urlBase64.encode(encrypted.localPublicKey);
+        requestDetails.headers['Crypto-Key'] = 'dh=' + urlBase64Helper.encode(encrypted.localPublicKey);
       }
 
       requestPayload = encrypted.cipherText;

src/web-push-lib.js

@@ -8,8 +8,8 @@
   }
 
   const assert = require('assert');
-  const urlBase64 = require('urlsafe-base64');
   const spawn = require('child_process').spawn;
+  const urlBase64Helper = require('../src/urlsafe-base64-helper');
 
   const cliPath = 'src/cli.js';
 
@@ -147,13 +147,13 @@
             return line.indexOf('Public Key:') !== -1;
           });
           const publicKey = lines[publicKeyTitleIndex + 1].trim();
-          assert.equal(urlBase64.decode(publicKey).length, 65);
+          assert.equal(urlBase64Helper.decode(publicKey).length, 65);
 
           const privateKeyTitleIndex = lines.findIndex(function(line) {
             return line.indexOf('Private Key:') !== -1;
           });
           const privateKey = lines[privateKeyTitleIndex + 1].trim();
-          assert.equal(urlBase64.decode(privateKey).length, 32);
+          assert.equal(urlBase64Helper.decode(privateKey).length, 32);
           resolve();
         });
       });
@@ -185,8 +185,8 @@
           assert(vapidKeys.publicKey);
           assert(vapidKeys.privateKey);
 
-          assert.equal(urlBase64.decode(vapidKeys.privateKey).length, 32);
-          assert.equal(urlBase64.decode(vapidKeys.publicKey).length, 65);
+          assert.equal(urlBase64Helper.decode(vapidKeys.privateKey).length, 32);
+          assert.equal(urlBase64Helper.decode(vapidKeys.publicKey).length, 65);
 
           resolve();
         });

test/test-cli.js

@@ -3,12 +3,12 @@
 const assert = require('assert');
 const crypto = require('crypto');
 const webPush = require('../src/index');
+const urlBase64Helper = require('../src/urlsafe-base64-helper');
 const ece = require('http_ece');
-const urlBase64 = require('urlsafe-base64');
 
 const userCurve = crypto.createECDH('prime256v1');
-const VALID_PUBLIC_KEY = urlBase64.encode(userCurve.generateKeys());
-const VALID_AUTH = urlBase64.encode(crypto.randomBytes(16));
+const VALID_PUBLIC_KEY = urlBase64Helper.encode(userCurve.generateKeys());
+const VALID_AUTH = urlBase64Helper.encode(crypto.randomBytes(16));
 
 suite('Test Encryption Helpers', function() {
   test('is defined', function() {
@@ -20,7 +20,7 @@ suite('Test Encryption Helpers', function() {
 
     return ece.decrypt(encrypted.cipherText, {
       version: contentEncoding,
-      dh: urlBase64.encode(encrypted.localPublicKey),
+      dh: urlBase64Helper.encode(encrypted.localPublicKey),
       privateKey: userCurve,
       salt: encrypted.salt,
       authSecret: VALID_AUTH