Merge pull request #1 from drophive/feature/synchronous-support

✨ Add synchronous support
dcangulo · Aug 21, 2020 · dfce592 · dfce592
2 parents 5d977ac + 0284eaf
commit dfce592
Show file tree

Hide file tree

Showing 15 changed files with 176 additions and 60 deletions.
diff --git a/CHANGELOGS.md b/CHANGELOGS.md
@@ -0,0 +1,6 @@
+# Changelogs
+## 2.0.0
+* Added synchronous support.
+
+## 1.0.0
+* Initial release.
diff --git a/README.md b/README.md
@@ -5,39 +5,56 @@
 
 Proof Key for Code Exchange (PKCE) challenge generator for React Native.
 
-This module uses [`crypto.randomBytes`](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback) for web and [`react-native-randombytes`](https://github.com/mvayngrib/react-native-randombytes) for native apps.
-
 ## Installation
-### Native (iOS / Android)
+### Web / iOS / Android
 ```bash
-yarn add react-native-pkce-challenge react-native-randombytes
-cd ios; pod install; cd .. # iOS Only
+yarn add react-native-pkce-challenge
 ```
 
-### Web
+If you're going to use `asyncPkceChallenge` on **iOS/Android** you also need to do the following.
 ```bash
-yarn add react-native-pkce-challenge
+yarn add react-native-randombytes
+
+cd ios; pod install; cd .. # iOS Only
 ```
 
 ## Usage
+### Asynchronous (Recommended for iOS/Android)
 ```js
-import pkceChallenge from 'react-native-pkce-challenge'
+import {asyncPkceChallenge} from 'react-native-pkce-challenge'
 
-const challenge = await pkceChallenge()
+const challenge = await asyncPkceChallenge()
 ```
 
-It will return:
+The asynchronous module uses asynchronous [`crypto.randomBytes`](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback) for web and [`react-native-randombytes`](https://github.com/mvayngrib/react-native-randombytes) for native apps.
+
+### Synchronous (Not recommended for iOS/Android)
+```js
+import {pkceChallenge} from 'react-native-pkce-challenge'
+
+const challenge = pkceChallenge()
+```
+
+The synchronous module uses synchronous [`crypto.randomBytes`](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback) for web and [`CryptoJS.lib.WordArray.random`](https://cryptojs.gitbook.io/docs/) for native apps.
+
+The constant `challenge` will hold an object like the following:
 ```js
 {
   codeChallenge: 'XsRstqNrXT76Iop3uMoyyCQmaGthJbKKJwXBSoQXaRk',
   codeVerifier: 'OZOHUwLddiPyTFJulnUYnU9jsf7oyULflbFpwj40bE9S77iaeisGvzvaVvvPE7oO-xaV4skxwKDFBBV7JofVNxCgUSauqUDVcVjggE4-M6zthVUmeUrSAHatmIBm_P0_'
 }
 ```
 
-## Test
-```bash
-yarn test
-```
+### Why asynchronous is recommended for iOS/Android?
+[CryptoJS (version 3.3.0)](https://github.com/brix/crypto-js/tree/3.3.0) uses `Math.random()` which gives an output that is not cryptographically secure. [Click this for more info.](https://security.stackexchange.com/questions/181580/why-is-math-random-not-designed-to-be-cryptographically-secure.)
+
+In web this is not a problem since we are using [`crypto.randomBytes`](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback) which can give us cryptographically secure values.
+
+## Upgrading
+See [UPGRADING.md](UPGRADING.md)
+
+## Changelogs
+See [CHANGELOGS.md](CHANGELOGS.md)
 
 ## References
 * https://github.com/crouchcd/pkce-challenge

diff --git a/UPGRADING.md b/UPGRADING.md
@@ -0,0 +1,10 @@
+# Upgrading
+## From 1.0.0 to 2.0.0
+Change:
+```js
+import pkceChallenge from 'react-native-pkce-challenge'
+```
+To:
+```js
+import {asyncPkceChallenge} from 'react-native-pkce-challenge'
+```
diff --git a/index.js b/index.js
@@ -1,3 +1,7 @@
-const pkceChallenge = require('./src/pkce-challenge')
+const asyncPkceChallenge = require('./src/async-pkce-challenge')
+const pkceChallenge = require('./src/sync-pkce-challenge')
 
-module.exports = pkceChallenge
+module.exports = {
+  asyncPkceChallenge: asyncPkceChallenge,
+  pkceChallenge: pkceChallenge
+}
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "react-native-pkce-challenge",
-  "version": "1.0.0",
+  "version": "2.0.0",
   "description": "Proof Key for Code Exchange (PKCE) challenge generator for React Native",
   "license": "MIT",
   "homepage": "https://github.com/drophive/react-native-pkce-challenge#readme",

diff --git a/src/async-pkce-challenge.js b/src/async-pkce-challenge.js
@@ -0,0 +1,25 @@
+const {base64UrlEncode, generateChallenge} = require('./common')
+const generateRandomBytes = require('./async-random-bytes')
+
+function generateVerifier() {
+  return new Promise(function(resolve, reject) {
+    generateRandomBytes().then(function(bytes) {
+      resolve(base64UrlEncode(bytes))
+    })
+  })
+}
+
+function asyncPkceChallenge() {
+  return new Promise(function(resolve, reject) {
+    generateVerifier().then(function(verifier) {
+      const challenge = generateChallenge(verifier)
+
+      resolve({
+        codeChallenge: challenge,
+        codeVerifier: verifier
+      })
+    })
+  })
+}
+
+module.exports = asyncPkceChallenge
diff --git a/src/random-bytes.js → src/async-random-bytes.js b/src/random-bytes.js → src/async-random-bytes.js
diff --git a/src/random-bytes.native.js → src/async-random-bytes.native.js b/src/random-bytes.native.js → src/async-random-bytes.native.js
diff --git a/src/common.js b/src/common.js
@@ -0,0 +1,19 @@
+const CryptoJS = require('crypto-js')
+
+function base64UrlEncode(str) {
+  return str
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '')
+}
+
+function generateChallenge(verifier) {
+  const hash = CryptoJS.SHA256(verifier).toString(CryptoJS.enc.Base64)
+
+  return base64UrlEncode(hash)
+}
+
+module.exports = {
+  base64UrlEncode: base64UrlEncode,
+  generateChallenge: generateChallenge
+}
diff --git a/src/pkce-challenge.js b/src/pkce-challenge.js
diff --git a/src/sync-pkce-challenge.js b/src/sync-pkce-challenge.js
@@ -0,0 +1,20 @@
+const {base64UrlEncode, generateChallenge} = require('./common')
+const generateRandomBytes = require('./sync-random-bytes')
+
+function generateVerifier() {
+  const bytes = generateRandomBytes()
+
+  return base64UrlEncode(bytes)
+}
+
+function pkceChallenge() {
+  const verifier = generateVerifier()
+  const challenge = generateChallenge(verifier)
+
+  return {
+    codeChallenge: challenge,
+    codeVerifier: verifier
+  }
+}
+
+module.exports = pkceChallenge
diff --git a/src/sync-random-bytes.js b/src/sync-random-bytes.js
@@ -0,0 +1,10 @@
+const randomBytes = require('crypto').randomBytes
+
+function generateRandomBytes() {
+  const buffer = randomBytes(96)
+  const bytes = buffer.toString('base64')
+
+  return bytes
+}
+
+module.exports = generateRandomBytes
diff --git a/src/sync-random-bytes.native.js b/src/sync-random-bytes.native.js
@@ -0,0 +1,10 @@
+const CryptoJS = require('crypto-js')
+
+function generateRandomBytes() {
+  const buffer = CryptoJS.lib.WordArray.random(96)
+  const bytes = buffer.toString(CryptoJS.enc.Base64)
+
+  return bytes
+}
+
+module.exports = generateRandomBytes
diff --git a/tests/index.test.js → tests/async-pkce-challenge.test.js b/tests/index.test.js → tests/async-pkce-challenge.test.js
@@ -1,15 +1,15 @@
 const {test} = require('tap')
-const pkceChallenge = require('../index')
+const {asyncPkceChallenge} = require('../index')
 
 test('Verifier length must be 128 characters', function(t) {
-  pkceChallenge().then(function(challenge) {
+  asyncPkceChallenge().then(function(challenge) {
     t.is(challenge.codeVerifier.length, 128)
     t.end()
   })
 })
 
 test('Challenge length must be 43 characters', function(t) {
-  pkceChallenge().then(function(challenge) {
+  asyncPkceChallenge().then(function(challenge) {
     t.is(challenge.codeChallenge.length, 43)
     t.end()
   })
@@ -18,14 +18,14 @@ test('Challenge length must be 43 characters', function(t) {
 test('Verifier must match the pattern', function(t) {
   const pattern = /^[A-Za-z\d\-._~]{43,128}$/
 
-  pkceChallenge().then(function(challenge) {
+  asyncPkceChallenge().then(function(challenge) {
     t.match(challenge.codeVerifier, pattern)
     t.end()
   })
 })
 
 test('Challenge must not have [=+/]', function(t) {
-  pkceChallenge().then(function(challenge) {
+  asyncPkceChallenge().then(function(challenge) {
     t.doesNotHave(challenge.codeChallenge, '=')
     t.doesNotHave(challenge.codeChallenge, '+')
     t.doesNotHave(challenge.codeChallenge, '/')

diff --git a/tests/sync-pkce-challenge.test.js b/tests/sync-pkce-challenge.test.js
@@ -0,0 +1,33 @@
+const {test} = require('tap')
+const {pkceChallenge} = require('../index')
+
+test('Verifier length must be 128 characters', function(t) {
+  const challenge = pkceChallenge()
+
+  t.is(challenge.codeVerifier.length, 128)
+  t.end()
+})
+
+test('Challenge length must be 43 characters', function(t) {
+  const challenge = pkceChallenge()
+
+  t.is(challenge.codeChallenge.length, 43)
+  t.end()
+})
+
+test('Verifier must match the pattern', function(t) {
+  const pattern = /^[A-Za-z\d\-._~]{43,128}$/
+  const challenge = pkceChallenge()
+
+  t.match(challenge.codeVerifier, pattern)
+  t.end()
+})
+
+test('Challenge must not have [=+/]', function(t) {
+  const challenge = pkceChallenge()
+
+  t.doesNotHave(challenge.codeChallenge, '=')
+  t.doesNotHave(challenge.codeChallenge, '+')
+  t.doesNotHave(challenge.codeChallenge, '/')
+  t.end()
+})