I have a project where I want to encrypt a streaming input to a streaming output, without having to hold the entire large buffer in memory at any given time. I noticed that this fernet library does not seem to support this currently (though please correct me if I am wrong on this).

I plan to hack together a solution that uses this library as much as possible, but does support streaming encryption. If I do so, are you interested in considering such a feature for merging back into the main library?

If so, I can try to put together a pull request for it. If not, I'll save my time and just get my own application working.

Hi,
First, thanks for your work releasing this lib.

I have a problem when decoding, it work for a few minutes (not exactly sure how much) but then after a while I got an TTL error. I am decoding a password multiple time so it may be the cause?

Here is my code :

let fernet_secret = new fernet.Secret(decryption_key),
        token = new fernet.Token({
            secret: fernet_secret,
            token: encrypted_password,
            ttl: ttl
        });

(at first I didn't set the ttl but I did it to test)
Here is the console log of the token after I created it :

token :  { secret:
   Secret {
     signingKeyHex: '22ed0b5d53898da008764e3351446b82',
     signingKey: { words: [Array], sigBytes: 16 },
     encryptionKeyHex: 'b74e36fa19fb0e1b3d87f7a36367c839',
     encryptionKey: { words: [Array], sigBytes: 16 } },
  ttl: 1652,
  message: undefined,
  cipherText: undefined,
  token: 'gAAAAABcRvXJncYHU1x5WsOQdoq0F5b5x0bAonutMiDqxS7IbZHBHUGWt3BukIhSAZp8tzfzMSRcUJMvjHiM_e-8hrViBYFrFw==',
  version: 128,
  optsIV: undefined,
  maxClockSkew: 60,
  time: { words: [ 0, 1548156260 ], sigBytes: 8 } }

And here is the error on the decode:

Error: Invalid Token: TTL
    at Token.decodeToken [as decode] (/project/node_modules/fernet/lib/token.js:65:15)
    at decrypt (/project/dist/functions.js:123:18)
    at Object.exports.get_password (/project/dist/functions.js:171:40)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:118:7)
/project/node_modules/fernet/lib/token.js:6

Can you tell me more about the ttl? What is it's purpose? The duration of the validity for the Token just created? The duration for a password to be decoded? (which is why I tried to add the TTL manually, same TTL as the one I choose for this password).

Cheer

Hi 👋
Would it be possible to upgrade the crypto-js library that is being used in this library?
The current one seems to have a High-risk vul

Thanks!

I encrypted some data using Fernet from Cryptography Python package. I was able to decrypt some short messages, but for larger messages I got a "Error: Malformed UTF-8 data" error raised from Object.stringify in crypto-js core.js.

As a workaround I had to abandon the fernet.js library and wrote a decrypt function myself. Its totally untested, but seems to decrypt. I tried to follow the pattern outlined in Python's implementation. For anyone else working around the same issue here is a gist with my node Fernet decrypt function

In crypto-browserify, the random number generator has now been merged with the main index.js. Please update the link to:
https://github.com/crypto-browserify/crypto-browserify/blob/master/index.js

so npm page leads straight to this repo

Are you interested in a contribution to add an index.d.ts to this package to include Typescript types, so that Typescript users can use your library out of the box?

If so, I can try to contribute some Typescript definitions back here after I write them.

Hello there

I audited the code because the interface is weird; generally, generating a secure random in javascript is a blocking operation, and fernet.js generate IVs without exposing the async interface.

Turns out you are using the blocking version of randomBytes (https://github.com/csquared/fernet.js/blob/2eaa1c/fernet.js#L49).

Consider switching to the promisified version.

const asyncRandomBytes = promisify(randomBytes); // declaration
await asyncRandomBytes(128 / 8); // usage

But probably require a major version bump because the interface will be changed.
What are your takes on this?

It looks like this implementation parses the version byte
and then ignores it. It should reject an otherwise valid
token if the version byte is not 0x80.

You might want to reject tokens that appear to be generated
far in the future. This can't happen in normal practice, and
usually means there's substantial clock skew.

The go implementation does this with a hard-coded constant
https://github.com/fernet/fernet-go/blob/54c3c8f/fernet.go#L70
https://github.com/fernet/fernet-go/blob/54c3c8f/fernet.go#L32
(not configurable).

This isn't required by the spec, but personally I think it's a
usefully defensive thing to check.

Hello,
I am using Fernet for Python but im trying to decrypt it from angular2 app. The decryption is not working and it gives me error

handleError TypeError: Cannot read property 'sigBytes' of undefined
    at Object.init (http://localhost:8100/build/js/app.bundle.js:68362:21)
    at http://localhost:8100/build/js/app.bundle.js:67958:25
    at Function.createHmac (http://localhost:8100/build/js/app.bundle.js:74924:12)
    at Object.decodeToken [as decode] (http://localhost:8100/build/js/app.bundle.js:75037:32)
    at FeedRequestProvider.ApiHelper.decrypt (http://localhost:8100/build/js/app.bundle.js:3925:28)
    at MapSubscriber.project (http://localhost:8100/build/js/app.bundle.js:4083:27)
    at MapSubscriber._next (http://localhost:8100/build/js/app.bundle.js:143244:35)
    at MapSubscriber.Subscriber.next (http://localhost:8100/build/js/app.bundle.js:136995:18)
    at XMLHttpRequest.onLoad (http://localhost:8100/build/js/app.bundle.js:46134:38)
    at ZoneDelegate.invokeTask (http://localhost:8100/build/js/zone.js:356:38)

This is the code im using to decrypt,

decrypt(response):string {
        console.log('DECRYPTING...');
        console.log(response.text());
        var token = new this.fernet.Token({
            secret: this.key,
            token: response.text()
        })

        let buffer = token.decode();
        console.log('fernet', buffer);

Can you please let me know where i am doing this wrong?

Thanks

Could we decrypt messages that are encrypted with https://cryptography.io/en/latest/fernet/?

https://github.com/csquared/fernet.js/blob/7bc5801/lib/token.js#L64
appears to be a short-circuit comparison. The spec requires the
comparison to be done in constant time, independent of the
contents of the inputs.

The go implementation does this with a library function:
https://github.com/fernet/fernet-go/blob/54c3c8f/fernet.go#L76
and the ruby implementation does it with a loop:
https://github.com/fernet/fernet-rb/blob/9190f48/lib/fernet/verifier.rb#L69

cc @tmaher @hgmnz @will

Hello, I am trying to implement fernet js into my react application but I get errors.

Uncaught (in promise) ReferenceError: Buffer is not defined
at Object.validate [as decode] (urlsafe-base64.js:61:1)
at Function.decode64 [as decode64toHex] (fernet.js:35:1)
at new Secret (secret.js:4:1

Thanks!

Hey @csquared, thanks for doing MR #13 -- can you also publish the update to NPM? I think the package.json is already bumped, so just publishing should be sufficient.

Thanks, and thanks for the node implementation of this. =)

Is this reliably random?
https://github.com/csquared/fernet.js/blob/190d151/fernet.js#L52

Apparently randomness is the primary difficulty (or impossibility)
of doing reliable crypto in javascript. So this is worth extra attention.

http://www.matasano.com/articles/javascript-cryptography/

cc @tmaher @will

Hello,
I see that fernet.js (as well as fernetBrowser.js) contains require, etc. so this won't be accepted by the browsers if I just do

<script src="fernetBrowser.js"></script>

and copy the fernetBrowser.js file...

Could you just add a few lines in the README to explain how to "compile" / "transpile" / "pack" (?) the code (if needed?), and which tools are required for that.

Thank you in advance.