Encrypted Current User in browser (#1036)

* Encrypted user (currentUser) -still need jest test

* all 'npm test' tests passed successfully

* secret variable, tests improvement, only browser

* fix conflicts

* improve test and cleanup

* improve coverage

Co-authored-by: Diamond Lewis <[email protected]>

Author: macarthuror

integration/test/ParseUserTest.js

@@ -936,6 +936,32 @@ describe('Parse User', () => {
     expect(user.get('authData').facebook.id).toBe('test');
   });
 
+  it('can encrypt user', async () => {
+    Parse.User.enableUnsafeCurrentUser();
+    Parse.enableEncryptedUser();
+    Parse.secret = 'My Secret Key';
+    const user = new Parse.User();
+    user.setUsername('usernameENC');
+    user.setPassword('passwordENC');
+    await user.signUp();
+
+    const path = Parse.Storage.generatePath('currentUser');
+    const encryptedUser = Parse.Storage.getItem(path);
+
+    const crypto = Parse.CoreManager.getCryptoController();
+    const decryptedUser = crypto.decrypt(encryptedUser, Parse.CoreManager.get('ENCRYPTED_KEY'));
+    expect(JSON.parse(decryptedUser).objectId).toBe(user.id);
+
+    const currentUser = Parse.User.current();
+    expect(currentUser).toEqual(user);
+
+    const currentUserAsync = await Parse.User.currentAsync();
+    expect(currentUserAsync).toEqual(user);
+    await Parse.User.logOut();
+    Parse.CoreManager.set('ENCRYPTED_USER', false);
+    Parse.CoreManager.set('ENCRYPTED_KEY', null);
+  });
+
   it('fix GHSA-wvh7-5p38-2qfc', async () => {
     Parse.User.enableUnsafeCurrentUser();
     const user = new Parse.User();

package-lock.json

@@ -31,6 +31,7 @@
   "dependencies": {
     "@babel/runtime": "7.7.7",
     "@babel/runtime-corejs3": "7.7.7",
+    "crypto-js": "3.1.9-1",
     "uuid": "3.3.3",
     "ws": "7.2.1",
     "xmlhttprequest": "1.8.0"

package.json

@@ -33,6 +33,10 @@ type ConfigController = {
   get: () => Promise;
   save: (attrs: { [key: string]: any }) => Promise;
 };
+type CryptoController = {
+  encrypt: (obj: any, secretKey: string) => string;
+  decrypt: (encryptedText: string, secretKey: any) => string;
+};
 type FileController = {
   saveFile: (name: string, source: FileSource, options: FullOptions) => Promise;
   saveBase64: (name: string, source: FileSource, options: FullOptions) => Promise;
@@ -176,13 +180,15 @@ const config: Config & { [key: string]: mixed } = {
   SERVER_AUTH_TYPE: null,
   SERVER_AUTH_TOKEN: null,
   LIVEQUERY_SERVER_URL: null,
+  ENCRYPTED_KEY: null,
   VERSION: 'js' + require('../package.json').version,
   APPLICATION_ID: null,
   JAVASCRIPT_KEY: null,
   MASTER_KEY: null,
   USE_MASTER_KEY: false,
   PERFORM_USER_REWRITE: true,
-  FORCE_REVOCABLE_SESSION: false
+  FORCE_REVOCABLE_SESSION: false,
+  ENCRYPTED_USER: false
 };
 
 function requireMethods(name: string, methods: Array<string>, controller: any) {
@@ -234,6 +240,15 @@ module.exports = {
     return config['ConfigController'];
   },
 
+  setCryptoController(controller: CryptoController) {
+    requireMethods('CryptoController', ['encrypt', 'decrypt'], controller);
+    config['CryptoController'] = controller;
+  },
+
+  getCryptoController(): CryptoController {
+    return config['CryptoController'];
+  },
+
   setFileController(controller: FileController) {
     requireMethods('FileController', ['saveFile', 'saveBase64'], controller);
     config['FileController'] = controller;

src/CoreManager.js

@@ -0,0 +1,16 @@
+import AES from 'crypto-js/aes';
+import ENC from 'crypto-js/enc-utf8';
+
+const CryptoController = {
+  encrypt(obj: any, secretKey: string): ?string {
+    const encrypted = AES.encrypt(JSON.stringify(obj), secretKey);
+    return encrypted.toString();
+  },
+
+  decrypt(encryptedText: string, secretKey: string): ?string {
+    const decryptedStr = AES.decrypt(encryptedText, secretKey).toString(ENC);
+    return decryptedStr;
+  },
+};
+
+module.exports = CryptoController;

src/CryptoController.js

@@ -10,6 +10,7 @@
 import decode from './decode';
 import encode from './encode';
 import CoreManager from './CoreManager';
+import CryptoController from './CryptoController';
 import InstallationController from './InstallationController';
 import * as ParseOp from './ParseOp';
 import RESTController from './RESTController';
@@ -169,6 +170,34 @@ Object.defineProperty(Parse, 'liveQueryServerURL', {
     CoreManager.set('LIVEQUERY_SERVER_URL', value);
   }
 });
+
+/**
+ * @member Parse.encryptedUser
+ * @type boolean
+ * @static
+ */
+Object.defineProperty(Parse, 'encryptedUser', {
+  get() {
+    return CoreManager.get('ENCRYPTED_USER');
+  },
+  set(value) {
+    CoreManager.set('ENCRYPTED_USER', value);
+  }
+});
+
+/**
+ * @member Parse.secret
+ * @type string
+ * @static
+ */
+Object.defineProperty(Parse, 'secret', {
+  get() {
+    return CoreManager.get('ENCRYPTED_KEY');
+  },
+  set(value) {
+    CoreManager.set('ENCRYPTED_KEY', value);
+  }
+});
 /* End setters */
 
 Parse.ACL = require('./ParseACL').default;
@@ -255,6 +284,27 @@ Parse.dumpLocalDatastore = function() {
     return Parse.LocalDatastore._getAllContents();
   }
 }
+
+/**
+ * Enable the current user encryption.
+ * This must be called before login any user.
+ *
+ * @static
+ */
+Parse.enableEncryptedUser = function() {
+  Parse.encryptedUser = true;
+}
+
+/**
+ * Flag that indicates whether Encrypted User is enabled.
+ *
+ * @static
+ */
+Parse.isEncryptedUserEnabled = function() {
+  return Parse.encryptedUser;
+}
+
+CoreManager.setCryptoController(CryptoController);
 CoreManager.setInstallationController(InstallationController);
 CoreManager.setRESTController(RESTController);
 

src/Parse.js

@@ -872,8 +872,13 @@ const DefaultController = {
     delete json.password;
 
     json.className = '_User';
+    let userData = JSON.stringify(json);
+    if (CoreManager.get('ENCRYPTED_USER')) {
+      const crypto = CoreManager.getCryptoController();
+      userData = crypto.encrypt(json, CoreManager.get('ENCRYPTED_KEY'))
+    }
     return Storage.setItemAsync(
-      path, JSON.stringify(json)
+      path, userData
     ).then(() => {
       return user;
     });
@@ -918,6 +923,10 @@ const DefaultController = {
       currentUserCache = null;
       return null;
     }
+    if (CoreManager.get('ENCRYPTED_USER')) {
+      const crypto = CoreManager.getCryptoController();
+      userData = crypto.decrypt(userData, CoreManager.get('ENCRYPTED_KEY'));
+    }
     userData = JSON.parse(userData);
     if (!userData.className) {
       userData.className = '_User';
@@ -954,6 +963,10 @@ const DefaultController = {
         currentUserCache = null;
         return Promise.resolve(null);
       }
+      if (CoreManager.get('ENCRYPTED_USER')) {
+        const crypto = CoreManager.getCryptoController();
+        userData = crypto.decrypt(userData.toString(), CoreManager.get('ENCRYPTED_KEY'));
+      }
       userData = JSON.parse(userData);
       if (!userData.className) {
         userData.className = '_User';

src/ParseUser.js

@@ -8,8 +8,10 @@
  */
 
 jest.dontMock('../CoreManager');
+jest.dontMock('../CryptoController');
 jest.dontMock('../Parse');
 jest.dontMock('../LocalDatastore');
+jest.dontMock('crypto-js/aes');
 
 const CoreManager = require('../CoreManager');
 const Parse = require('../Parse');
@@ -109,4 +111,19 @@ describe('Parse module', () => {
     LDS = await Parse.dumpLocalDatastore();
     expect(LDS).toEqual({ key: 'value' });
   });
+
+  it('can enable encrypter CurrentUser', () => {
+    jest.spyOn(console, 'log').mockImplementationOnce(() => {});
+    process.env.PARSE_BUILD = 'browser';
+    Parse.encryptedUser = false;
+    Parse.enableEncryptedUser();
+    expect(Parse.encryptedUser).toBe(true);
+    expect(Parse.isEncryptedUserEnabled()).toBe(true);
+  });
+
+  it('can set an encrypt token as String', () => {
+    Parse.secret = 'My Super secret key';
+    expect(CoreManager.get('ENCRYPTED_KEY')).toBe('My Super secret key');
+    expect(Parse.secret).toBe('My Super secret key');
+  });
 });