diff --git a/backend/app.js b/backend/app.js
index 59f7def20..49a576b61 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -1,3 +1,4 @@
+const csrf = require('csrf');
 const express = require('express');
 const bodyParser = require('body-parser');
 const fileUpload = require('express-fileupload');
@@ -9,6 +10,17 @@ const log = require('./logger').express;
 * App
 */
 const app = express();
+
+// CSRF Protection
+const csrfProtection = csrf({
+ cookie: {
+ httpOnly: true,
+ secure: process.env.NODE_ENV === 'production',
+ sameSite: 'strict'
+ }
+});
+app.use(csrfProtection);
+
 app.use(fileUpload());
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({extended: true}));
diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json
new file mode 100644
index 000000000..da702b0ba
--- /dev/null
+++ b/node_modules/.package-lock.json
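Review bot: `csrf` is not Express middleware, so `app.use(csrfProtection)` at the end of the added block in the second backend/app.js hunk installs no CSRF check. The `node_modules/csrf/index.js` added in this same commit exports the `Tokens` class, whose constructor reads only `saltLength` and `secretLength`; the `cookie` settings are therefore ignored and `app.use()` is handed a plain object, which Express should reject with a TypeError at startup. The option shape matches the `csurf` middleware that the bundled README points Express users to (csurf is marked deprecated on npm, so check its status before adopting it); the alternative is to wrap `tokens.create()` and `tokens.verify(secret, token)` in a handler of your own, as sketched below. Whichever you choose, register it after the session and body parsers rather than above `fileUpload()` and `bodyParser`, otherwise a token sent in the request body cannot be read.

```javascript
// … unchanged: const csrf = require('csrf'); const app = express(); …
// … session middleware, app.use(fileUpload()) and the bodyParser calls go above this point …

// csrf() returns a Tokens instance (token logic only), not a request handler.
const tokens = csrf();

app.use((req, res, next) => {
  // Assumes a server-side session is mounted earlier; the secret never leaves the server.
  if (!req.session.csrfSecret) {
    req.session.csrfSecret = tokens.secretSync();
  }
  // Handlers that render forms call this to obtain a token for the client.
  req.csrfToken = () => tokens.create(req.session.csrfSecret);

  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
    return next();
  }
  // Header and field names are placeholders; use whatever the front end sends.
  const token = req.get('x-csrf-token') || (req.body && req.body._csrf);
  if (!tokens.verify(req.session.csrfSecret, token)) {
    return res.status(403).json({error: 'invalid csrf token'});
  }
  return next();
});
```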
@@ -0,0 +1,52 @@ +{ + "name": "af0f0ff7-5c7b-4767-b452-d03b3bc50d59", + "lockfileVersion": 3, + "requires": true, + "packages": { + "node_modules/csrf": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz", + "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==", + "dependencies": { + "rndm": "1.2.0", + "tsscmp": "1.0.6", + "uid-safe": "2.1.5" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/random-bytes": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz", + "integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/rndm": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz", + "integrity": "sha512-fJhQQI5tLrQvYIYFpOnFinzv9dwmR7hRnUz1XqP3OJ1jIweTNOd6aTO4jwQSgcBSFUB+/KHJxuGneime+FdzOw==" + }, + "node_modules/tsscmp": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz", + "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==", + "engines": { + "node": ">=0.6.x" + } + }, + "node_modules/uid-safe": { + "version": "2.1.5", + "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz", + "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==", + "dependencies": { + "random-bytes": "~1.0.0" + }, + "engines": { + "node": ">= 0.8" + } + } + } +} diff --git a/node_modules/csrf/HISTORY.md b/node_modules/csrf/HISTORY.md new file mode 100644 index 000000000..f3c0bb386 --- /dev/null +++ b/node_modules/csrf/HISTORY.md 
@@ -0,0 +1,113 @@ +3.1.0 / 2019-04-09 +================== + + * Include a TypeScript definition file + * deps: tsscmp@1.0.6 + - Use `crypto.timingSafeEqual` when available + * deps: uid-safe@2.1.5 + - perf: remove only trailing `=` + +3.0.6 / 2017-03-14 +================== + + * Remove `base64-url` dependency + +3.0.5 / 2017-03-07 +================== + + * deps: uid-safe@2.1.4 + - Remove `base64-url` dependency + +3.0.4 / 2016-11-13 +================== + + * deps: base64-url@1.3.3 + * deps: uid-safe@2.1.3 + - deps: base64-url@1.3.3 + +3.0.3 / 2016-05-26 +================== + + * deps: tsscmp@1.0.5 + +3.0.2 / 2016-05-22 +================== + + * Use `tsscmp` module for timing-safe token verification + * deps: base64-url@1.2.2 + * deps: uid-safe@2.1.1 + - deps: base64-url@1.2.2 + +3.0.1 / 2016-01-28 +================== + + * deps: rndm@1.2.0 + * deps: uid-safe@2.1.0 + - Use `random-bytes` for byte source + +3.0.0 / 2015-05-09 +================== + + * Remove `tokenize` export + * Remove `tokenize` option + * Return a prototype-based object rather than functions + - This means the resulting functions need to be called as methods + * Throw when missing secret to `tokens.create()` + * deps: uid-safe@~2.0.0 + - Use global `Promise` when returning a promise + +2.0.7 / 2015-05-03 +================== + + * Fix compatibility with `crypto.DEFAULT_ENCODING` global changes + +2.0.6 / 2015-02-13 +================== + + * deps: base64-url@1.2.1 + * deps: uid-safe@~1.1.0 + - Use `crypto.randomBytes`, if available + - deps: base64-url@1.2.1 + +2.0.5 / 2015-01-31 +================== + + * deps: base64-url@1.2.0 + * deps: uid-safe@~1.0.3 + - Fix error branch that would throw + - deps: base64-url@1.2.0 + +2.0.4 / 2015-01-08 +================== + + * deps: uid-safe@~1.0.2 + - Remove dependency on `mz` + +2.0.3 / 2014-12-30 +================== + + * Slight speed improvement for `verify` + * deps: base64-url@1.1.0 + * deps: rndm@~1.1.0 + +2.0.2 / 2014-11-09 +================== + + * 
deps: scmp@1.0.0 + +2.0.1 / 2014-08-22 +================== + + * Rename module to `csrf` + +2.0.0 / 2014-06-18 +================== + + * Use `uid-safe` module + * Use `base64-url` module + * Remove sync `.secret()` -- use `.secretSync()` instead + +1.0.4 / 2014-06-11 +================== + + * Make sure CSRF tokens are URL safe diff --git a/node_modules/csrf/LICENSE b/node_modules/csrf/LICENSE new file mode 100644 index 000000000..6b774b4b3 --- /dev/null +++ b/node_modules/csrf/LICENSE @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2014 Jonathan Ong +Copyright (c) 2015 Douglas Christopher Wilson + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/node_modules/csrf/README.md b/node_modules/csrf/README.md new file mode 100644 index 000000000..d8d9f8b34 --- /dev/null +++ b/node_modules/csrf/README.md 
@@ -0,0 +1,143 @@ +# CSRF + +[![NPM Version][npm-version-image]][npm-url] +[![NPM Downloads][npm-downloads-image]][npm-url] +[![Node.js Version][node-image]][node-url] +[![Build Status][travis-image]][travis-url] +[![Test Coverage][coveralls-image]][coveralls-url] + +Logic behind CSRF token creation and verification. + +Read [Understanding-CSRF](https://github.com/pillarjs/understanding-csrf) +for more information on CSRF. Use this module to create custom CSRF middleware. + +Looking for a CSRF framework for your favorite framework that uses this +module? + + * Express/connect: [csurf](https://www.npmjs.com/package/csurf) or + [alt-xsrf](https://www.npmjs.com/package/alt-xsrf) + * Koa: [koa-csrf](https://www.npmjs.com/package/koa-csrf) or + [koa-atomic-session](https://www.npmjs.com/package/koa-atomic-session) + +### Install + +```sh +$ npm install csrf +``` + +### TypeScript + +This module includes a [TypeScript](https://www.typescriptlang.org/) +declaration file to enable auto complete in compatible editors and type +information for TypeScript projects. + +## API + + + +```js +var Tokens = require('csrf') +``` + +### new Tokens([options]) + +Create a new token generation/verification instance. The `options` argument is +optional and will just use all defaults if missing. + +#### Options + +Tokens accepts these properties in the options object. + +##### saltLength + +The length of the internal salt to use, in characters. Internally, the salt +is a base 62 string. Defaults to `8` characters. + +##### secretLength + +The length of the secret to generate, in bytes. Note that the secret is +passed around base-64 encoded and that this length refers to the underlying +bytes, not the length of the base-64 string. Defaults to `18` bytes. + +#### tokens.create(secret) + +Create a new CSRF token attached to the given `secret`. The `secret` is a +string, typically generated from the `tokens.secret()` or `tokens.secretSync()` +methods. 
This token is what you should add into HTML `
` blocks and +expect the user's browser to provide back. + + + +```js +var secret = tokens.secretSync() +var token = tokens.create(secret) +``` + +#### tokens.secret(callback) + +Asynchronously create a new `secret`, which is a string. The secret is to +be kept on the server, typically stored in a server-side session for the +user. The secret should be at least per user. + + + +```js +tokens.secret(function (err, secret) { + if (err) throw err + // do something with the secret +}) +``` + +#### tokens.secret() + +Asynchronously create a new `secret` and return a `Promise`. Please see +`tokens.secret(callback)` documentation for full details. + +**Note**: To use promises in Node.js _prior to 0.12_, promises must be +"polyfilled" using `global.Promise = require('bluebird')`. + + + +```js +tokens.secret().then(function (secret) { + // do something with the secret +}) +``` + +#### tokens.secretSync() + +A synchronous version of `tokens.secret(callback)`. Please see +`tokens.secret(callback)` documentation for full details. + + + +```js +var secret = tokens.secretSync() +``` + +#### tokens.verify(secret, token) + +Check whether a CSRF token is valid for the given `secret`, returning +a Boolean. + + + +```js +if (!tokens.verify(secret, token)) { + throw new Error('invalid token!') +} +``` + +## License + +[MIT](LICENSE) + +[coveralls-image]: https://badgen.net/coveralls/c/github/pillarjs/csrf/master +[coveralls-url]: https://coveralls.io/r/pillarjs/csrf?branch=master +[node-image]: https://badgen.net/npm/node/csrf +[node-url]: https://nodejs.org/en/download +[npm-downloads-image]: https://badgen.net/npm/dm/csrf +[npm-url]: https://npmjs.org/package/csrf +[npm-version-image]: https://badgen.net/npm/v/csrf +[travis-image]: https://badgen.net/travis/pillarjs/csrf/master +[travis-url]: https://travis-ci.org/pillarjs/csrf diff --git a/node_modules/csrf/index.d.ts b/node_modules/csrf/index.d.ts new file mode 100644 index 000000000..2377f878d --- /dev/null 
+++ b/node_modules/csrf/index.d.ts @@ -0,0 +1,48 @@ +declare class Tokens { + /** + * Token generation/verification class. + */ + constructor(options?: Tokens.Options); + + /** + * Create a new CSRF token. + */ + create(secret: string): string; + + /** + * Create a new secret key. + */ + secret(): Promise; + + /** + * Create a new secret key. + */ + secret(callback: Tokens.SecretCallback): void; + + /** + * Create a new secret key synchronously. + */ + secretSync(): string; + + /** + * Verify if a given token is valid for a given secret. + */ + verify(secret: string, token: string): boolean; +} + +declare namespace Tokens { + export type SecretCallback = (err: Error | null, secret: string) => void; + + export interface Options { + /** + * The string length of the salt (default: 8) + */ + saltLength?: number; + /** + * The byte length of the secret key (default: 18) + */ + secretLength?: number; + } +} + +export = Tokens; diff --git a/node_modules/csrf/index.js b/node_modules/csrf/index.js new file mode 100644 index 000000000..78babe17e --- /dev/null +++ b/node_modules/csrf/index.js 
@@ -0,0 +1,159 @@ +/*! + * csrf + * Copyright(c) 2014 Jonathan Ong + * Copyright(c) 2015 Douglas Christopher Wilson + * MIT Licensed + */ + +'use strict' + +/** + * Module dependencies. + * @private + */ + +var rndm = require('rndm') +var uid = require('uid-safe') +var compare = require('tsscmp') +var crypto = require('crypto') + +/** + * Module variables. + * @private + */ + +var EQUAL_GLOBAL_REGEXP = /=/g +var PLUS_GLOBAL_REGEXP = /\+/g +var SLASH_GLOBAL_REGEXP = /\//g + +/** + * Module exports. + * @public + */ + +module.exports = Tokens + +/** + * Token generation/verification class. + * + * @param {object} [options] + * @param {number} [options.saltLength=8] The string length of the salt + * @param {number} [options.secretLength=18] The byte length of the secret key + * @public + */ + +function Tokens (options) { + if (!(this instanceof Tokens)) { + return new Tokens(options) + } + + var opts = options || {} + + var saltLength = opts.saltLength !== undefined + ? opts.saltLength + : 8 + + if (typeof saltLength !== 'number' || !isFinite(saltLength) || saltLength < 1) { + throw new TypeError('option saltLength must be finite number > 1') + } + + var secretLength = opts.secretLength !== undefined + ? opts.secretLength + : 18 + + if (typeof secretLength !== 'number' || !isFinite(secretLength) || secretLength < 1) { + throw new TypeError('option secretLength must be finite number > 1') + } + + this.saltLength = saltLength + this.secretLength = secretLength +} + +/** + * Create a new CSRF token. + * + * @param {string} secret The secret for the token. + * @public + */ + +Tokens.prototype.create = function create (secret) { + if (!secret || typeof secret !== 'string') { + throw new TypeError('argument secret is required') + } + + return this._tokenize(secret, rndm(this.saltLength)) +} + +/** + * Create a new secret key. 
+ * + * @param {function} [callback] + * @public + */ + +Tokens.prototype.secret = function secret (callback) { + return uid(this.secretLength, callback) +} + +/** + * Create a new secret key synchronously. + * @public + */ + +Tokens.prototype.secretSync = function secretSync () { + return uid.sync(this.secretLength) +} + +/** + * Tokenize a secret and salt. + * @private + */ + +Tokens.prototype._tokenize = function tokenize (secret, salt) { + return salt + '-' + hash(salt + '-' + secret) +} + +/** + * Verify if a given token is valid for a given secret. + * + * @param {string} secret + * @param {string} token + * @public + */ + +Tokens.prototype.verify = function verify (secret, token) { + if (!secret || typeof secret !== 'string') { + return false + } + + if (!token || typeof token !== 'string') { + return false + } + + var index = token.indexOf('-') + + if (index === -1) { + return false + } + + var salt = token.substr(0, index) + var expected = this._tokenize(secret, salt) + + return compare(token, expected) +} + +/** + * Hash a string with SHA1, returning url-safe base64 + * @param {string} str + * @private + */ + +function hash (str) { + return crypto + .createHash('sha1') + .update(str, 'ascii') + .digest('base64') + .replace(PLUS_GLOBAL_REGEXP, '-') + .replace(SLASH_GLOBAL_REGEXP, '_') + .replace(EQUAL_GLOBAL_REGEXP, '') +} diff --git a/node_modules/csrf/package.json b/node_modules/csrf/package.json new file mode 100644 index 000000000..d357e8258 --- /dev/null +++ b/node_modules/csrf/package.json 
@@ -0,0 +1,51 @@ +{ + "name": "csrf", + "description": "primary logic behind csrf tokens", + "version": "3.1.0", + "author": "Jonathan Ong (http://jongleberry.com)", + "contributors": [ + "Douglas Christopher Wilson " + ], + "license": "MIT", + "repository": "pillarjs/csrf", + "dependencies": { + "rndm": "1.2.0", + "tsscmp": "1.0.6", + "uid-safe": "2.1.5" + }, + "devDependencies": { + "beautify-benchmark": "0.2.4", + "benchmark": "2.1.4", + "bluebird": "3.5.4", + "eslint": "5.16.0", + "eslint-config-standard": "12.0.0", + "eslint-plugin-import": "2.16.0", + "eslint-plugin-markdown": "1.0.0", + "eslint-plugin-node": "8.0.1", + "eslint-plugin-promise": "4.1.1", + "eslint-plugin-standard": "4.0.0", + "istanbul": "0.4.5", + "mocha": "6.1.2" + }, + "files": [ + "LICENSE", + "HISTORY.md", + "README.md", + "index.d.ts", + "index.js" + ], + "engines": { + "node": ">= 0.8" + }, + "scripts": { + "bench": "node benchmark/index.js", + "lint": "eslint --plugin markdown --ext js,md .", + "test": "mocha --trace-deprecation --reporter spec --bail --check-leaks test/", + "test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --trace-deprecation --reporter dot --check-leaks test/", + "test-travis": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --trace-deprecation --reporter spec --check-leaks test/" + }, + "keywords": [ + "csrf", + "tokens" + ] +} diff --git a/node_modules/random-bytes/HISTORY.md b/node_modules/random-bytes/HISTORY.md new file mode 100644 index 000000000..8cabd9dd6 --- /dev/null +++ b/node_modules/random-bytes/HISTORY.md @@ -0,0 +1,4 @@ +1.0.0 / 2016-01-17 +================== + + * Initial release diff --git a/node_modules/random-bytes/LICENSE b/node_modules/random-bytes/LICENSE new file mode 100644 index 000000000..c24dbe38e --- /dev/null +++ b/node_modules/random-bytes/LICENSE 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Douglas Christopher Wilson + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/node_modules/random-bytes/README.md b/node_modules/random-bytes/README.md new file mode 100644 index 000000000..df5aaccd9 --- /dev/null +++ b/node_modules/random-bytes/README.md 
@@ -0,0 +1,77 @@ +# random-bytes + +[![NPM Version][npm-image]][npm-url] +[![NPM Downloads][downloads-image]][downloads-url] +[![Node.js Version][node-version-image]][node-version-url] +[![Build Status][travis-image]][travis-url] +[![Test Coverage][coveralls-image]][coveralls-url] + +Generate strong pseudo-random bytes. + +This module is a simple wrapper around the Node.js core `crypto.randomBytes` API, +with the following additions: + + * A `Promise` interface for environments with promises. + * For Node.js versions that do not wait for the PRNG to be seeded, this module + will wait a bit. + +## Installation + +```sh +$ npm install random-bytes +``` + +## API + +```js +var randomBytes = require('random-bytes') +``` + +### randomBytes(size, callback) + +Generates strong pseudo-random bytes. The `size` argument is a number indicating +the number of bytes to generate. + +```js +randomBytes(12, function (error, bytes) { + if (error) throw error + // do something with the bytes +}) +``` + +### randomBytes(size) + +Generates strong pseudo-random bytes and return a `Promise`. The `size` argument is +a number indicating the number of bytes to generate. + +**Note**: To use promises in Node.js _prior to 0.12_, promises must be +"polyfilled" using `global.Promise = require('bluebird')`. + +```js +randomBytes(18).then(function (string) { + // do something with the string +}) +``` + +### randomBytes.sync(size) + +A synchronous version of above. 
+ +```js +var bytes = randomBytes.sync(18) +``` + +## License + +[MIT](LICENSE) + +[npm-image]: https://img.shields.io/npm/v/random-bytes.svg +[npm-url]: https://npmjs.org/package/random-bytes +[node-version-image]: https://img.shields.io/node/v/random-bytes.svg +[node-version-url]: http://nodejs.org/download/ +[travis-image]: https://img.shields.io/travis/crypto-utils/random-bytes/master.svg +[travis-url]: https://travis-ci.org/crypto-utils/random-bytes +[coveralls-image]: https://img.shields.io/coveralls/crypto-utils/random-bytes/master.svg +[coveralls-url]: https://coveralls.io/r/crypto-utils/random-bytes?branch=master +[downloads-image]: https://img.shields.io/npm/dm/random-bytes.svg +[downloads-url]: https://npmjs.org/package/random-bytes diff --git a/node_modules/random-bytes/index.js b/node_modules/random-bytes/index.js new file mode 100644 index 000000000..9ad930f75 --- /dev/null +++ b/node_modules/random-bytes/index.js 
@@ -0,0 +1,101 @@ +/*! + * random-bytes + * Copyright(c) 2016 Douglas Christopher Wilson + * MIT Licensed + */ + +'use strict' + +/** + * Module dependencies. + * @private + */ + +var crypto = require('crypto') + +/** + * Module variables. + * @private + */ + +var generateAttempts = crypto.randomBytes === crypto.pseudoRandomBytes ? 1 : 3 + +/** + * Module exports. + * @public + */ + +module.exports = randomBytes +module.exports.sync = randomBytesSync + +/** + * Generates strong pseudo-random bytes. + * + * @param {number} size + * @param {function} [callback] + * @return {Promise} + * @public + */ + +function randomBytes(size, callback) { + // validate callback is a function, if provided + if (callback !== undefined && typeof callback !== 'function') { + throw new TypeError('argument callback must be a function') + } + + // require the callback without promises + if (!callback && !global.Promise) { + throw new TypeError('argument callback is required') + } + + if (callback) { + // classic callback style + return generateRandomBytes(size, generateAttempts, callback) + } + + return new Promise(function executor(resolve, reject) { + generateRandomBytes(size, generateAttempts, function onRandomBytes(err, str) { + if (err) return reject(err) + resolve(str) + }) + }) +} + +/** + * Generates strong pseudo-random bytes sync. + * + * @param {number} size + * @return {Buffer} + * @public + */ + +function randomBytesSync(size) { + var err = null + + for (var i = 0; i < generateAttempts; i++) { + try { + return crypto.randomBytes(size) + } catch (e) { + err = e + } + } + + throw err +} + +/** + * Generates strong pseudo-random bytes. 
+ * + * @param {number} size + * @param {number} attempts + * @param {function} callback + * @private + */ + +function generateRandomBytes(size, attempts, callback) { + crypto.randomBytes(size, function onRandomBytes(err, buf) { + if (!err) return callback(null, buf) + if (!--attempts) return callback(err) + setTimeout(generateRandomBytes.bind(null, size, attempts, callback), 10) + }) +} diff --git a/node_modules/random-bytes/package.json b/node_modules/random-bytes/package.json new file mode 100644 index 000000000..c67e0e818 --- /dev/null +++ b/node_modules/random-bytes/package.json @@ -0,0 +1,36 @@ +{ + "name": "random-bytes", + "description": "URL and cookie safe UIDs", + "version": "1.0.0", + "contributors": [ + "Douglas Christopher Wilson " + ], + "license": "MIT", + "repository": "crypto-utils/random-bytes", + "devDependencies": { + "bluebird": "3.1.1", + "istanbul": "0.4.2", + "mocha": "2.3.4", + "proxyquire": "1.2.0" + }, + "files": [ + "LICENSE", + "HISTORY.md", + "README.md", + "index.js" + ], + "engines": { + "node": ">= 0.8" + }, + "scripts": { + "test": "mocha --trace-deprecation --reporter spec --bail --check-leaks test/", + "test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --trace-deprecation --reporter dot --check-leaks test/", + "test-travis": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --trace-deprecation --reporter spec --check-leaks test/" + }, + "keywords": [ + "bytes", + "generator", + "random", + "safe" + ] +} diff --git a/node_modules/rndm/LICENSE b/node_modules/rndm/LICENSE new file mode 100644 index 000000000..a7ae8ee9b --- /dev/null +++ b/node_modules/rndm/LICENSE 
@@ -0,0 +1,22 @@ + +The MIT License (MIT) + +Copyright (c) 2014 Jonathan Ong me@jongleberry.com + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/node_modules/rndm/README.md b/node_modules/rndm/README.md new file mode 100644 index 000000000..504b1fdcb --- /dev/null +++ b/node_modules/rndm/README.md @@ -0,0 +1,27 @@ + +# RNDM + +Random string generator. +Basically `Math.random().toString(36).slice(2)`, +but with both upper and lower case letters and arbitrary lengths. +Useful for creating fast, not cryptographically secure salts. + +## API + +```js +// base62 by default +var rndm = require('rndm') +var salt = rndm(16) +``` + +### var salt = rndm(length) + +### var salt = rndm.base62(length) + +### var salt = rndm.base36(length) + +### var salt = rndm.base10(length) + +### var random = rndm.create(characters) + +Create a new random generator with custom characters. diff --git a/node_modules/rndm/index.js b/node_modules/rndm/index.js new file mode 100644 index 000000000..24b0ebb5b 
--- /dev/null +++ b/node_modules/rndm/index.js @@ -0,0 +1,25 @@ + +var assert = require('assert') + +var base62 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' +var base36 = 'abcdefghijklmnopqrstuvwxyz0123456789' +var base10 = '0123456789' + +exports = module.exports = create(base62) +exports.base62 = exports +exports.base36 = create(base36) +exports.base10 = create(base10) + +exports.create = create + +function create(chars) { + assert(typeof chars === 'string', 'the list of characters must be a string!') + var length = Buffer.byteLength(chars) + return function rndm(len) { + len = len || 10 + assert(typeof len === 'number' && len >= 0, 'the length of the random string must be a number!') + var salt = '' + for (var i = 0; i < len; i++) salt += chars[Math.floor(length * Math.random())] + return salt + } +} diff --git a/node_modules/rndm/package.json b/node_modules/rndm/package.json new file mode 100644 index 000000000..7a3635df3 --- /dev/null +++ b/node_modules/rndm/package.json @@ -0,0 +1,32 @@ +{ + "name": "rndm", + "description": "random string generator", + "version": "1.2.0", + "author": { + "name": "Jonathan Ong", + "email": "me@jongleberry.com", + "url": "http://jongleberry.com", + "twitter": "https://twitter.com/jongleberry" + }, + "license": "MIT", + "devDependencies": { + "mocha": "2", + "istanbul": "0" + }, + "repository": "crypto-utils/rndm", + "scripts": { + "test": "mocha", + "test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --reporter dot", + "test-travis": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --reporter dot" + }, + "keywords": [ + "random", + "number", + "generator", + "uid", + "id" + ], + "files": [ + "index.js" + ] +} diff --git a/node_modules/tsscmp/.travis.yml b/node_modules/tsscmp/.travis.yml new file mode 100644 index 000000000..83e0a6b5f --- /dev/null +++ b/node_modules/tsscmp/.travis.yml 
@@ -0,0 +1,18 @@ +language: node_js +node_js: + - "10.5" + - "9.11" + - "8.11" + - "7.10" + - "6" + - "5" + - "5.1" + - "4" + - "4.2" + - "4.1" + - "4.0" + - "0.12" + - "0.11" + - "0.10" + - "0.8" + \ No newline at end of file diff --git a/node_modules/tsscmp/LICENSE b/node_modules/tsscmp/LICENSE new file mode 100644 index 000000000..a4bf47cf2 --- /dev/null +++ b/node_modules/tsscmp/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/node_modules/tsscmp/README.md b/node_modules/tsscmp/README.md new file mode 100644 index 000000000..756cd12ef --- /dev/null +++ b/node_modules/tsscmp/README.md 
@@ -0,0 +1,48 @@ +# Timing safe string compare using double HMAC + +[![Node.js Version](https://img.shields.io/node/v/tsscmp.svg?style=flat-square)](https://nodejs.org/en/download) +[![npm](https://img.shields.io/npm/v/tsscmp.svg?style=flat-square)](https://npmjs.org/package/tsscmp) +[![NPM Downloads](https://img.shields.io/npm/dm/tsscmp.svg?style=flat-square)](https://npmjs.org/package/tsscmp) +[![Build Status](https://img.shields.io/travis/suryagh/tsscmp/master.svg?style=flat-square)](https://travis-ci.org/suryagh/tsscmp) +[![Build Status](https://img.shields.io/appveyor/ci/suryagh/tsscmp/master.svg?style=flat-square&label=windows)](https://ci.appveyor.com/project/suryagh/tsscmp) +[![Dependency Status](http://img.shields.io/david/suryagh/tsscmp.svg?style=flat-square)](https://david-dm.org/suryagh/tsscmp) +[![npm-license](http://img.shields.io/npm/l/tsscmp.svg?style=flat-square)](LICENSE) + + +Prevents [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/) using Brad Hill's +[Double HMAC pattern](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/) +to perform secure string comparison. Double HMAC avoids the timing atacks by blinding the +timing channel using random time per attempt comparison against iterative brute force attacks. + + +## Install + +``` +npm install tsscmp +``` +## Why +To compare secret values like **authentication tokens**, **passwords** or +**capability urls** so that timing information is not +leaked to the attacker. 
+ +## Example + +```js +var timingSafeCompare = require('tsscmp'); + +var sessionToken = '127e6fbfe24a750e72930c'; +var givenToken = '127e6fbfe24a750e72930c'; + +if (timingSafeCompare(sessionToken, givenToken)) { + console.log('good token'); +} else { + console.log('bad token'); +} +``` +##License: +[MIT](LICENSE) + +**Credits to:** [@jsha](https://github.com/jsha) | +[@bnoordhuis](https://github.com/bnoordhuis) | +[@suryagh](https://github.com/suryagh) | + \ No newline at end of file diff --git a/node_modules/tsscmp/appveyor.yml b/node_modules/tsscmp/appveyor.yml new file mode 100644 index 000000000..8d4c99cc0 --- /dev/null +++ b/node_modules/tsscmp/appveyor.yml @@ -0,0 +1,29 @@ +# Test against this version of Node.js +environment: + matrix: + # nodejs_version: "0.6" not supported in Windows x86 + - nodejs_version: "0.8" + - nodejs_version: "0.10" + - nodejs_version: "0.11" + - nodejs_version: "0.12" + - nodejs_version: "4.0" + - nodejs_version: "5.0" + - nodejs_version: "6.0" + +# Install scripts. (runs after repo cloning) +install: + # Get the latest stable version of Node.js or io.js + - ps: Install-Product node $env:nodejs_version + # install modules + - npm install + +# Post-install test scripts. +test_script: + # Output useful info for debugging. + - node --version + - npm --version + # run tests + - npm test + +# Don't actually build. +build: off diff --git a/node_modules/tsscmp/lib/index.js b/node_modules/tsscmp/lib/index.js new file mode 100644 index 000000000..9b530dfda --- /dev/null +++ b/node_modules/tsscmp/lib/index.js 
@@ -0,0 +1,38 @@
+'use strict';
+
+// Implements Brad Hill's Double HMAC pattern from
+// https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/.
+// The approach is similar to the node's native implementation of timing safe buffer comparison that will be available on v6+.
+// https://github.com/nodejs/node/issues/3043
+// https://github.com/nodejs/node/pull/3073
+
+var crypto = require('crypto');
+
+function bufferEqual(a, b) {
+ if (a.length !== b.length) {
+ return false;
+ }
+ // `crypto.timingSafeEqual` was introduced in Node v6.6.0
+ //
+ if (crypto.timingSafeEqual) {
+ return crypto.timingSafeEqual(a, b);
+ }
+ for (var i = 0; i < a.length; i++) {
+ if (a[i] !== b[i]) {
+ return false;
+ }
+ }
+ return true;
+}
+
+function timeSafeCompare(a, b) {
+ var sa = String(a);
+ var sb = String(b);
+ var key = crypto.pseudoRandomBytes(32);
+ var ah = crypto.createHmac('sha256', key).update(sa).digest();
+ var bh = crypto.createHmac('sha256', key).update(sb).digest();
+
+ return bufferEqual(ah, bh) && a === b;
+}
+
+module.exports = timeSafeCompare;
diff --git a/node_modules/tsscmp/package.json b/node_modules/tsscmp/package.json
new file mode 100644
index 000000000..9e5bf420b
--- /dev/null
+++ b/node_modules/tsscmp/package.json
@@ -0,0 +1,29 @@
+{
+ "name": "tsscmp",
+ "version": "1.0.6",
+ "description": "Timing safe string compare using double HMAC",
+ "main": "lib/index.js",
+ "dependencies": {},
+ "devDependencies": {},
+ "scripts": {
+ "test": "node test/unit && node test/benchmark"
+ },
+ "repository": {
+ "type": "git",
+ "url": "https://github.com/suryagh/tsscmp.git"
+ },
+ "keywords": [
+ "timing safe string compare",
+ "double hmac string compare",
+ "safe string compare",
+ "hmac"
+ ],
+ "author": "suryagh",
+ "publishConfig": {
+ "registry": "https://registry.npmjs.org"
+ },
+ "engines": {
+ "node": ">=0.6.x"
+ },
+ "license": "MIT"
+}
diff --git a/node_modules/tsscmp/test/benchmark/index.js b/node_modules/tsscmp/test/benchmark/index.js
new file mode 100644
index 000000000..70cd7c99a
--- /dev/null
+++ b/node_modules/tsscmp/test/benchmark/index.js
@@ -0,0 +1,30 @@
+'use strict';
+
+var timeSafeCompare = require('../../lib/index');
+
+function random(length) {
+
+ length = length || 32;
+ var result = "";
+ var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-+/*[]{}-=\|;\':\"<>?,./";
+
+ for( var i=0; i < length; i++ ){
+ result += possible.charAt(Math.floor(Math.random() * possible.length));
+ }
+ return result;
+}
+
+function run(count) {
+ count = count || 100*1000;
+ console.log('benchmark count: ' + count/1000 + 'k');
+ console.time('benchmark');
+
+ while(count--){
+ timeSafeCompare(random(), random());
+ }
+ console.timeEnd('benchmark');
+}
+
+run(100000);
+
+module.exports = run;
diff --git a/node_modules/tsscmp/test/unit/index.js b/node_modules/tsscmp/test/unit/index.js
new file mode 100644
index 000000000..8d4181286
--- /dev/null
+++ b/node_modules/tsscmp/test/unit/index.js
@@ -0,0 +1,69 @@
+'use strict';
+
+var assert = require('assert');
+var timeSafeCompare = require('../../lib/index');
+
+process.on('error', function (e) {
+ console.log('caught: ' + e);
+});
+
+function testEqual(a, b) {
+ assert(timeSafeCompare(a, b));
+
+ // lets also do a parity check with the strict equal to operator
+ assert(a === b);
+}
+
+function testNotEqual(a, b) {
+ assert(!timeSafeCompare(a, b));
+
+ // lets also do a parity check with the strict not equal to operator
+ assert(a !== b);
+}
+
+// note: lets also make sure tsscmp can be inline replaced for any types -
+// just incase if anyone is interested
+
+// positive tests
+testEqual('127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935',
+ '127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935',
+ 'test ');
+testEqual('a', 'a');
+testEqual('', '');
+testEqual(undefined, undefined);
+testEqual(true, true);
+testEqual(false, false);
+(function () {
+ var a = { a: 1 };
+ testEqual(a, a);
+})();
+(function () {
+ function f1() { return 1; };
+ testEqual(f1, f1);
+})();
+
+// negative tests
+testNotEqual('');
+testNotEqual('a', 'b');
+testNotEqual('a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa');
+testNotEqual('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'a');
+testNotEqual('alpha', 'beta');
+testNotEqual(false, true);
+testNotEqual(false, undefined);
+testNotEqual(function () { }, function () { });
+testNotEqual({}, {});
+testNotEqual({ a: 1 }, { a: 1 });
+testNotEqual({ a: 1 }, { a: 2 });
+testNotEqual([1, 2], [1, 2]);
+testNotEqual([1, 2], [1, 2, 3]);
+(function () {
+ var a = { p: 1 };
+ var b = { p: 1 };
+ testNotEqual(a, b);
+})();
+(function () {
+ function f1() { return 1; };
+ function f2() { return 1; };
+ testNotEqual(f1, f2);
+})();
+console.log('Success: all tests complete.');
diff --git a/node_modules/uid-safe/HISTORY.md b/node_modules/uid-safe/HISTORY.md
new file mode 100644
index 000000000..3ec249f94
--- /dev/null
+++ b/node_modules/uid-safe/HISTORY.md
@@ -0,0 +1,61 @@
+2.1.5 / 2017-08-02
+==================
+
+ * perf: remove only trailing `=`
+
+2.1.4 / 2017-03-02
+==================
+
+ * Remove `base64-url` dependency
+
+2.1.3 / 2016-10-30
+==================
+
+ * deps: base64-url@1.3.3
+
+2.1.2 / 2016-08-15
+==================
+
+ * deps: base64-url@1.3.2
+
+2.1.1 / 2016-05-04
+==================
+
+ * deps: base64-url@1.2.2
+
+2.1.0 / 2016-01-17
+==================
+
+ * Use `random-bytes` for byte source
+
+2.0.0 / 2015-05-08
+==================
+
+ * Use global `Promise` when returning a promise
+
+1.1.0 / 2015-02-01
+==================
+
+ * Use `crypto.randomBytes`, if available
+ * deps: base64-url@1.2.1
+
+1.0.3 / 2015-01-31
+==================
+
+ * Fix error branch that would throw
+ * deps: base64-url@1.2.0
+
+1.0.2 / 2015-01-08
+==================
+
+ * Remove dependency on `mz`
+
+1.0.1 / 2014-06-18
+==================
+
+ * Remove direct `bluebird` dependency
+
+1.0.0 / 2014-06-18
+==================
+
+ * Initial release
diff --git a/node_modules/uid-safe/LICENSE b/node_modules/uid-safe/LICENSE
new file mode 100644
index 000000000..c4b8a4959
--- /dev/null
+++ b/node_modules/uid-safe/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Jonathan Ong
+Copyright (c) 2015-2017 Douglas Christopher Wilson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/node_modules/uid-safe/README.md b/node_modules/uid-safe/README.md
new file mode 100644
index 000000000..fa02be87d
--- /dev/null
+++ b/node_modules/uid-safe/README.md
@@ -0,0 +1,77 @@
+# uid-safe
+
+[![NPM Version][npm-image]][npm-url]
+[![NPM Downloads][downloads-image]][downloads-url]
+[![Node.js Version][node-version-image]][node-version-url]
+[![Build Status][travis-image]][travis-url]
+[![Test Coverage][coveralls-image]][coveralls-url]
+
+URL and cookie safe UIDs
+
+Create cryptographically secure UIDs safe for both cookie and URL usage.
+This is in contrast to modules such as [rand-token](https://www.npmjs.com/package/rand-token)
+and [uid2](https://www.npmjs.com/package/uid2) whose UIDs are actually skewed
+due to the use of `%` and unnecessarily truncate the UID.
+Use this if you could still use UIDs with `-` and `_` in them.
+
+## Installation
+
+```sh
+$ npm install uid-safe
+```
+
+## API
+
+```js
+var uid = require('uid-safe')
+```
+
+### uid(byteLength, callback)
+
+Asynchronously create a UID with a specific byte length. Because `base64`
+encoding is used underneath, this is not the string length. For example,
+to create a UID of length 24, you want a byte length of 18.
+
+```js
+uid(18, function (err, string) {
+ if (err) throw err
+ // do something with the string
+})
+```
+
+### uid(byteLength)
+
+Asynchronously create a UID with a specific byte length and return a
+`Promise`.
+
+**Note**: To use promises in Node.js _prior to 0.12_, promises must be
+"polyfilled" using `global.Promise = require('bluebird')`.
+
+```js
+uid(18).then(function (string) {
+ // do something with the string
+})
+```
+
+### uid.sync(byteLength)
+
+A synchronous version of above.
+
+```js
+var string = uid.sync(18)
+```
+
+## License
+
+[MIT](LICENSE)
+
+[npm-image]: https://img.shields.io/npm/v/uid-safe.svg
+[npm-url]: https://npmjs.org/package/uid-safe
+[node-version-image]: https://img.shields.io/node/v/uid-safe.svg
+[node-version-url]: https://nodejs.org/en/download/
+[travis-image]: https://img.shields.io/travis/crypto-utils/uid-safe/master.svg
+[travis-url]: https://travis-ci.org/crypto-utils/uid-safe
+[coveralls-image]: https://img.shields.io/coveralls/crypto-utils/uid-safe/master.svg
+[coveralls-url]: https://coveralls.io/r/crypto-utils/uid-safe?branch=master
+[downloads-image]: https://img.shields.io/npm/dm/uid-safe.svg
+[downloads-url]: https://npmjs.org/package/uid-safe
diff --git a/node_modules/uid-safe/index.js b/node_modules/uid-safe/index.js
new file mode 100644
index 000000000..18e849211
--- /dev/null
+++ b/node_modules/uid-safe/index.js
@@ -0,0 +1,107 @@
+/*!
+ * uid-safe
+ * Copyright(c) 2014 Jonathan Ong
+ * Copyright(c) 2015-2017 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+'use strict'
+
+/**
+ * Module dependencies.
+ * @private
+ */
+
+var randomBytes = require('random-bytes')
+
+/**
+ * Module variables.
+ * @private
+ */
+
+var EQUAL_END_REGEXP = /=+$/
+var PLUS_GLOBAL_REGEXP = /\+/g
+var SLASH_GLOBAL_REGEXP = /\//g
+
+/**
+ * Module exports.
+ * @public
+ */
+
+module.exports = uid
+module.exports.sync = uidSync
+
+/**
+ * Create a unique ID.
+ *
+ * @param {number} length
+ * @param {function} [callback]
+ * @return {Promise}
+ * @public
+ */
+
+function uid (length, callback) {
+ // validate callback is a function, if provided
+ if (callback !== undefined && typeof callback !== 'function') {
+ throw new TypeError('argument callback must be a function')
+ }
+
+ // require the callback without promises
+ if (!callback && !global.Promise) {
+ throw new TypeError('argument callback is required')
+ }
+
+ if (callback) {
+ // classic callback style
+ return generateUid(length, callback)
+ }
+
+ return new Promise(function executor (resolve, reject) {
+ generateUid(length, function onUid (err, str) {
+ if (err) return reject(err)
+ resolve(str)
+ })
+ })
+}
+
+/**
+ * Create a unique ID sync.
+ *
+ * @param {number} length
+ * @return {string}
+ * @public
+ */
+
+function uidSync (length) {
+ return toString(randomBytes.sync(length))
+}
+
+/**
+ * Generate a unique ID string.
+ *
+ * @param {number} length
+ * @param {function} callback
+ * @private
+ */
+
+function generateUid (length, callback) {
+ randomBytes(length, function (err, buf) {
+ if (err) return callback(err)
+ callback(null, toString(buf))
+ })
+}
+
+/**
+ * Change a Buffer into a string.
+ *
+ * @param {Buffer} buf
+ * @return {string}
+ * @private
+ */
+
+function toString (buf) {
+ return buf.toString('base64')
+ .replace(EQUAL_END_REGEXP, '')
+ .replace(PLUS_GLOBAL_REGEXP, '-')
+ .replace(SLASH_GLOBAL_REGEXP, '_')
+}
diff --git a/node_modules/uid-safe/package.json b/node_modules/uid-safe/package.json
new file mode 100644
index 000000000..9d9ea4c69
--- /dev/null
+++ b/node_modules/uid-safe/package.json
@@ -0,0 +1,46 @@
+{
+ "name": "uid-safe",
+ "description": "URL and cookie safe UIDs",
+ "version": "2.1.5",
+ "contributors": [
+ "Douglas Christopher Wilson ",
+ "Jonathan Ong (http://jongleberry.com)"
+ ],
+ "license": "MIT",
+ "repository": "crypto-utils/uid-safe",
+ "dependencies": {
+ "random-bytes": "~1.0.0"
+ },
+ "devDependencies": {
+ "bluebird": "3.5.0",
+ "eslint": "3.19.0",
+ "eslint-config-standard": "10.2.1",
+ "eslint-plugin-import": "2.7.0",
+ "eslint-plugin-node": "5.1.1",
+ "eslint-plugin-promise": "3.5.0",
+ "eslint-plugin-standard": "3.0.1",
+ "istanbul": "0.4.5",
+ "mocha": "2.5.3"
+ },
+ "files": [
+ "LICENSE",
+ "HISTORY.md",
+ "README.md",
+ "index.js"
+ ],
+ "engines": {
+ "node": ">= 0.8"
+ },
+ "scripts": {
+ "lint": "eslint .",
+ "test": "mocha --trace-deprecation --reporter spec --bail --check-leaks test/",
+ "test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --trace-deprecation --reporter dot --check-leaks test/",
+ "test-travis": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --trace-deprecation --reporter spec --check-leaks test/"
+ },
+ "keywords": [
+ "random",
+ "generator",
+ "uid",
+ "safe"
+ ]
+}
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 000000000..a666ca97d
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,57 @@ +{ + "name": "af0f0ff7-5c7b-4767-b452-d03b3bc50d59", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "dependencies": { + "csrf": "^3.1.0" + } + }, + "node_modules/csrf": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz", + "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==", + "dependencies": { + "rndm": "1.2.0", + "tsscmp": "1.0.6", + "uid-safe": "2.1.5" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/random-bytes": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz", + "integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/rndm": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz", + "integrity": "sha512-fJhQQI5tLrQvYIYFpOnFinzv9dwmR7hRnUz1XqP3OJ1jIweTNOd6aTO4jwQSgcBSFUB+/KHJxuGneime+FdzOw==" + }, + "node_modules/tsscmp": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz", + "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==", + "engines": { + "node": ">=0.6.x" + } + }, + "node_modules/uid-safe": { + "version": "2.1.5", + "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz", + "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==", + "dependencies": { + "random-bytes": "~1.0.0" + }, + "engines": { + "node": ">= 0.8" + } + } + } +} diff --git a/package.json b/package.json new file mode 100644 index 000000000..a117d0f39 --- /dev/null +++ b/package.json @@ -0,0 +1,5 @@ +{ + "dependencies": { + "csrf": "^3.1.0" + } +}
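Review bot: The dependency added in this `package.json`, `csrf`, is a token generation/verification library (its vendored tree in this commit pulls in `rndm`, `tsscmp` and `uid-safe`), not an Express middleware, yet the `backend/app.js` hunk of the same commit calls `csrf({ cookie: … })` and hands the result to `app.use`. That call shape belongs to a cookie-configured middleware; with this package it most likely yields a `Tokens` instance, so the app would either fail at startup or run with no request ever being checked. Either depend on a maintained CSRF middleware, or keep `csrf` and wire it explicitly: `const tokens = new (require('csrf'))();`, issue a token with `tokens.create(secret)`, and reject state-changing requests unless `tokens.verify(secret, token)` passes. The new root manifest also lists only this one dependency while the commit adds `node_modules/` to version control; declaring `csrf` in the manifest that owns `express` (not visible here) and leaving `node_modules/` untracked, installed from the lockfile, keeps the lockfile's integrity hashes as the single source of truth for what gets deployed.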