nitram509 / macaroons.js Goto Github PK

I don't know anything about how macaroons work, but I just read this on Hacker News.

    /* XXX get some random bytes instead */
    var enc_plaintext:Buffer = new Buffer(MacaroonsConstants.MACAROON_HASH_BYTES);
    enc_plaintext.fill(0);

Maybe it is safe, but as depicted does not inspire confidence.

Also, a few lines later it seems to use a nonce filled with zeros, which is contrary to the concept of a nonce.

Sorry to bother again (though, there's way more where this comes from; I'm going to be using macaroons.js in a production environment soon), but could we get updated to 0.3.5 and tagged with 0.3.5 so npm picks it up?

I've added the module to my project:
yarn add macaroons.js

And the module gets added and I can use it in my Components:

import { MacaroonsBuilder } from 'macaroons.js';
...
    let macaroon = MacaroonsBuilder.create('http://localhost:4200', 'apples', 'working-ui');

But when I go to build the project I get

ERROR in ./node_modules/macaroons.js/lib/CryptoTools.js
Module not found: Error: Can't resolve 'crypto' in '\node_modules\macaroons.js\lib'

I've tried patching with the following approach: angular/angular-cli#1548 (comment)

But so far no luck.

$ ng -version
Angular CLI: 6.0.8
Node: 10.4.1
OS: win32 x64
Angular: 6.0.5
... animations, common, compiler, compiler-cli, core, forms
... http, language-service, platform-browser
... platform-browser-dynamic, router

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.6.8
@angular-devkit/build-angular     0.6.8
@angular-devkit/build-optimizer   0.6.8
@angular-devkit/core              0.6.8
@angular-devkit/schematics        0.6.8
@angular/cdk                      6.2.1
@angular/cli                      6.0.8
@angular/material                 6.2.1
@ngtools/webpack                  6.0.8
@schematics/angular               0.6.8
@schematics/update                0.6.8
rxjs                              6.2.1
typescript                        2.7.2
webpack                           4.8.3

OS: Windows 10
Node Version: v10.4.1

Master is still tagged with 0.3.2 as the latest, so npm isn't picking up the changes in 0.3.3.

To get around it right now, I'm using

...
"macaroons.js": "[email protected]:nitram509/macaroons.js#8a2360893008b8e0f0af45c18a1e58adb5ac8fed",
...

in the package.json to specify the master commit.

It doesn't appear that MacaroonsConstants is exported by the main module -- so you can't access it as indicated in the README.

Macaroons are serialized, using Base64 URL safe encoding RFC 4648. This way you can very easily append it to query string within URIs.

As far as I can tell, they're not. You seem to have some extra line prefixes in addition (packet headers for annotation). This resulted in hours of debugging for us because we assumed we could use the serialized data across lanugages/libaries by URL and Base64 decoding macaroons.

It would be useful to future devs if there was some sort of warning in the readme.

Any guidance about using this within a browser session to e.g. attenuate a server-supplied macaroon?

I just wanted to say THANK YOU!

First - For having a working implementation of awesome macaroons.
Second - For having it written in Typescript.

YOU.ARE.AWESOME!

I've been using this library in a project of mine lsat-js which is an authentication scheme that leverages macaroons. It's been great so far, especially with the TS support.

Unfortunately, I ran into a problem when interacting with other libraries. It was discovered recently that certain macaroons were unable to be decoded by the lsat-js library that were originally encoded in and able to be decoded by other implementations.

With this sample base64 encoded macaroon:

AgESMy4xMzYuMTc4LjE1OjM0MjM4AkIAAD2b0rX78LATiVo8bKgHuurefeF5OeX2H5ZuacBIK3+RAR1PKU1oZpfCZFib4zdDoj0pOpgPmhtuzNllU+y//D0AAAYgcWFs9FIteCzpCcEPSwmXKBpcx97hyL5Yt99cbLjRHzU=

I am able to decode in this js macaroon implementation (link) which maintains compatibility with several other implementations. This was also generated and verified in a golang package.

Unfortunately, using MacaroonsBuilder.deserialize I get this error (with stack trace):

     RangeError [ERR_INVALID_OPT_VALUE]: The value "-1" is invalid for option "size"
      at Function.alloc (buffer.js:278:3)
      at Function.MacaroonsDeSerializer.readPacket (node_modules/macaroons.js/lib/MacaroonsDeSerializer.js:87:27)
      at Function.MacaroonsDeSerializer.deserializeStream (node_modules/macaroons.js/lib/MacaroonsDeSerializer.js:25:58)
      at Function.MacaroonsDeSerializer.deserialize (node_modules/macaroons.js/lib/MacaroonsDeSerializer.js:16:38)
      at Function.MacaroonsBuilder.deserialize (node_modules/macaroons.js/lib/MacaroonsBuilder.js:33:38)

I was wondering if this was a known incompatibility if maybe the split from the specs was deliberate, and if not if there was some way to patch it?

It does look like there's a comment to catch the type of situation that's happening here (see here) but it's not getting caught and the buffer is allocated with size of -1.

Thanks!

I mean can you create a macaroon which has a 3rd party caveat which also has a 3rd party caveat using this library? I've been trying to do this for a little while.