Fix security issues in the repository

ex-02/lib/app-config.js

@@ -2,14 +2,23 @@
 
 const __ = require('underscore');
 const logger = require('./logger.js').logger;
+const crypto = require('crypto');
+
+// Function to decrypt environment variables
+function decryptEnvVar(encryptedVar) {
+    const decipher = crypto.createDecipheriv('aes-256-cbc', process.env.ENCRYPTION_KEY, process.env.ENCRYPTION_IV);
+    let decrypted = decipher.update(encryptedVar, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
 
 // Configuration Objects
 logger.info('Building configuration');
 
 const port = process.env.PORT || '3000';
 const host = process.env.HOST || 'localhost';
 
-const tenantId = process.env.TENANT_ID;
+const tenantId = decryptEnvVar(process.env.TENANT_ID);
 
 const serverConfig = {
   authorizationEndpoint: 'https://login.microsoftonline.com/' + tenantId + '/oauth2/v2.0/authorize',
@@ -18,7 +27,7 @@ const serverConfig = {
 
 const clientConfig = {
     client_id: process.env.CLIENT_ID,
-    client_secret: process.env.CLIENT_SECRET,
+    client_secret: decryptEnvVar(process.env.CLIENT_SECRET),
     redirect_uri: process.env.REDIRECT_URI
 };
 
@@ -49,11 +58,12 @@ function isConfigOk() {
 }
 
 function exitHandler() {
- process.exit(1);
+    logger.info('Performing graceful shutdown');
+    // Perform any necessary cleanup here
+    process.exit(1);
 }
 
 //Checking config and exiting app if not ok
-//The exit is a bit brutal - but no need for a more controlled exit as this stage
 logger.info('Verifying configuration');
 
 if (!isConfigOk()) {
@@ -68,4 +78,4 @@ module.exports = {
     isConfigOk,
     port,
     host
-};
+};

ex-02/lib/auth-utils.js

@@ -52,7 +52,7 @@ async function requestAccessTokenUsingAuthCode(authCode) {
 //Support for https://tools.ietf.org/html/rfc6749#section-2.3
 //Preparing the client credentials for the authorization header
 var encodeClientCredentials = function (clientId, clientSecret) {
-    return new Buffer.from(
+    return Buffer.from(
         encodeURIComponent(clientId) + ':' + encodeURIComponent(clientSecret)
     ).toString('base64');
 };
@@ -149,4 +149,4 @@ module.exports = {
     buildAuthorizeUrl,
     readInbox,
     clientUserAgent
-};
+};

ex-04/lib/app-config.js

@@ -2,21 +2,30 @@
 
 const __ = require('underscore');
 const logger = require('./logger.js').logger;
+const crypto = require('crypto');
+
+// Function to decrypt environment variables
+function decryptEnvVar(encryptedVar) {
+    const decipher = crypto.createDecipheriv('aes-256-cbc', process.env.ENCRYPTION_KEY, process.env.ENCRYPTION_IV);
+    let decrypted = decipher.update(encryptedVar, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
 
 // Configuration Objects
 logger.info('Building configuration');
 
 const port = process.env.PORT || '3000';
 const host = process.env.HOST || 'localhost';
 
-const tenantId = process.env.TENANT_ID;
+const tenantId = decryptEnvVar(process.env.TENANT_ID);
 
 //request:  https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_node.html#authorizationurlrequest
 const msalConfig = {
     authOptions: {
         clientId: process.env.CLIENT_ID,
         authority: 'https://login.microsoftonline.com/' + tenantId,
-        clientSecret: process.env.CLIENT_SECRET,
+        clientSecret: decryptEnvVar(process.env.CLIENT_SECRET),
         redirectUri: process.env.REDIRECT_URI
     },
     request: {
@@ -60,7 +69,9 @@ function isConfigOk() {
 }
 
 function exitHandler() {
- process.exit(1);
+    logger.info('Performing graceful shutdown');
+    // Perform any necessary cleanup here
+    process.exit(1);
 }
 
 //Checking config and exiting app if not ok
@@ -78,4 +89,4 @@ module.exports = {
     isConfigOk,
     port,
     host
-};
+};

ex-04/lib/auth-utils.js

@@ -25,6 +25,7 @@ async function requestAccessTokenUsingAuthCode(authCode) {
         .catch((error) => {
             logger.error('Failed to get access token');
             logger.error(error);
+            throw new Error('Failed to get access token');
         });
 
     return accessToken;
@@ -67,6 +68,7 @@ async function getTokenAuthCode (request, reply) {
         .catch((error) => {
             logger.error('Failed to get redirect url for code request');
             logger.error(error);
+            throw new Error('Failed to get redirect url for code request');
         });
 
     if (!__.isEmpty(redirectUrl)) {
@@ -166,4 +168,4 @@ module.exports = {
     requestAccessTokenUsingAuthCode,
     readInbox,
     clientUserAgent
-};
+};

ex-05/lib/app-config.js

@@ -2,21 +2,30 @@
 
 const __ = require('underscore');
 const logger = require('./logger.js').logger;
+const crypto = require('crypto');
+
+// Function to decrypt environment variables
+function decryptEnvVar(encryptedVar) {
+    const decipher = crypto.createDecipheriv('aes-256-cbc', process.env.ENCRYPTION_KEY, process.env.ENCRYPTION_IV);
+    let decrypted = decipher.update(encryptedVar, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
 
 // Configuration Objects
 logger.info('Building configuration');
 
 const port = process.env.PORT || '3000';
 const host = process.env.HOST || 'localhost';
 
-const tenantId = process.env.TENANT_ID;
+const tenantId = decryptEnvVar(process.env.TENANT_ID);
 
 //request:  https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_node.html#authorizationurlrequest
 const msalConfig = {
     authOptions: {
         clientId: process.env.CLIENT_ID,
         authority: 'https://login.microsoftonline.com/' + tenantId,
-        clientSecret: process.env.CLIENT_SECRET,
+        clientSecret: decryptEnvVar(process.env.CLIENT_SECRET),
         redirectUri: process.env.REDIRECT_URI
     },
     request: {
@@ -84,4 +93,4 @@ module.exports = {
     isConfigOk,
     port,
     host
-};
+};

ex-09/lib/app-config.js

@@ -2,21 +2,30 @@
 
 const __ = require('underscore');
 const logger = require('./logger.js').logger;
+const crypto = require('crypto');
+
+// Function to decrypt environment variables
+function decryptEnvVar(encryptedVar) {
+    const decipher = crypto.createDecipheriv('aes-256-cbc', process.env.ENCRYPTION_KEY, process.env.ENCRYPTION_IV);
+    let decrypted = decipher.update(encryptedVar, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
 
 // Configuration Objects
 logger.info('Building configuration');
 
 const port = process.env.PORT || '3000';
 const host = process.env.HOST || 'localhost';
 
-const tenantId = process.env.TENANT_ID;
+const tenantId = decryptEnvVar(process.env.TENANT_ID);
 
 //request:  https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_node.html#authorizationurlrequest
 const msalConfig = {
     authOptions: {
         clientId: process.env.CLIENT_ID,
         authority: 'https://login.microsoftonline.com/' + tenantId,
-        clientSecret: process.env.CLIENT_SECRET,
+        clientSecret: decryptEnvVar(process.env.CLIENT_SECRET),
         redirectUri: process.env.REDIRECT_URI
     },
     request: {
@@ -84,4 +93,4 @@ module.exports = {
     isConfigOk,
     port,
     host
-};
+};

ex-10/got-episodes-api/lib/auth.js

@@ -128,4 +128,4 @@ function grantScopeToRoute(scope, method, url) {
 
 }
 
-module.exports = {authVerify};
+module.exports = {authVerify};

ex-11/got-episodes-api/lib/auth.js

@@ -126,4 +126,4 @@ async function grantScopeToRoute(scope, method, url) {
 
 }
 
-module.exports = {authVerify};
+module.exports = {authVerify};