
feat: add migrateToSecureLegacySignature property #4621

Merged
merged 5 commits into from May 5, 2024

Conversation

@juanpicado juanpicado commented May 5, 2024

After Node.js 22 the API crypto.createCipher is no longer available and crashes the server, because there is no fallback to the new and modern crypto.createCipheriv for the legacy token signature. Since forcing all users to restore tokens and update the database secret manually might be a breaking change, the new property migrateToSecureLegacySignature

security:    
  api:
    migrateToSecureLegacySignature: true

It allows users to migrate automatically to the new token signature; older configurations still running on Node.js 21 or lower would see a warning in the console.

(node:18981) [VERWAR007] VerdaccioDeprecation: the secret length is too long, it must be 32 characters long, please consider generate a new one 
  Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db
(Use `node --trace-warnings ...` to show where the warning was created)
 info --- config file  - /Users/user/.config/verdaccio/config.yaml
 info --- the "crypt" algorithm is deprecated consider switch to "bcrypt" in the configuration file. Read the documentation for additional details
 info --- using htpasswd file: /Users/user/.config/verdaccio/htpasswd
 info --- plugin successfully loaded: verdaccio-htpasswd
 info --- plugin successfully loaded: verdaccio-audit
 warn --- http address - http://localhost:4873/ - verdaccio/5.30.3

If any user upgrades to Node.js 22 or higher, they will be forced to update the token and will start using the new legacy signature token, which is secure because tokens have a salt and are never equal.

info --- config file  - /Users/user/.config/verdaccio/config.yaml
 fatal--- uncaught exception, please report this
Error: Invalid storage secret key length, must be 32 characters long but is 64. 
            The secret length in Node.js 22 or higher must be 32 characters long. Please consider generate a new one. 
            Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db
    at Config.checkSecretKey (/Users/user/projects/verdaccio.5.x/.yarn/cache/@verdaccio-config-npm-0.0.0-20240505134815-1b8406e5a2-6a5cb3a4b4.zip/node_modules/@verdaccio/config/src/config.ts:198:17)


gitguardian bot commented May 5, 2024

⚠️ GitGuardian has uncovered 8 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id | GitGuardian status | Secret | Commit | Filename
10791281 | Triggered | Generic High Entropy Secret | d0c68d8 | packages/config/test/config.spec.ts
10791281 | Triggered | Generic High Entropy Secret | d0c68d8 | packages/config/test/config.spec.ts
10791281 | Triggered | Generic High Entropy Secret | d0c68d8 | packages/config/test/config.spec.ts
10791281 | Triggered | Generic High Entropy Secret | d0c68d8 | packages/config/test/config.spec.ts
10791281 | Triggered | Generic High Entropy Secret | aeb9cb2 | packages/config/test/config.spec.ts
10791281 | Triggered | Generic High Entropy Secret | aeb9cb2 | packages/config/test/config.spec.ts
10791281 | Triggered | Generic High Entropy Secret | aeb9cb2 | packages/config/test/config.spec.ts
10791282 | Triggered | Generic High Entropy Secret | d0c68d8 | packages/auth/test/auth.spec.ts
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@juanpicado juanpicado force-pushed the migrateToSecureLegacySignature-prop branch from df0301a to ba179bc Compare May 5, 2024 09:38
@juanpicado juanpicado force-pushed the migrateToSecureLegacySignature-prop branch from ba179bc to d0c68d8 Compare May 5, 2024 10:35
@juanpicado juanpicado merged commit bd8703e into master May 5, 2024
44 checks passed
@delete-merged-branch delete-merged-branch bot deleted the migrateToSecureLegacySignature-prop branch May 5, 2024 14:53
Development

Successfully merging this pull request may close these issues:

nodejs 22.0.0 and npm login fails