To carry out an unauthenticated request, 3 headers are required, X-Scope-Id
and X-Encrypted-Key
and X-Encrypted-User
.
X-Scope-Id
is the ID of the application's scope under which the user's account is being registered or authenticated. You can read more about Configuring your scope . Once you've set up your scope and have the ID you can simply past it in the request header here.
To setup an X-Encrypted-Key
you need to generate a random AES Key, and then RSA encrypt it with the secure enclaves public key, we'll use TypeScript for the example below.
Here we setup a cryptoObj
that can work in both browser and server environments and then a function to generate an AES Key.
Copy const cryptoObj = typeof window !== "undefined" ? window .crypto : crypto;
export const generateAesKey = async () => {
const cryptoKey = await cryptoObj . subtle .generateKey (
{
name : "AES-GCM" ,
length : 256 ,
} ,
true ,
[ "encrypt" , "decrypt" ]
);
return await cryptoObj . subtle .exportKey ( "raw" , cryptoKey);
};
Next we setup two function an encrypt
function, which we then use in our rsaEncrypt
function.
Copy const encrypt = async (algo , key , data) => {
try {
const encryptedResult = await cryptoObj . subtle .encrypt (algo , key , data);
return encryptedResult;
} catch (error) {
console .error ( "Encryption error:" , error);
throw error;
}
};
const rsaEncrypt = async (
plainText : string ,
encryptionKey : BufferSource ,
keyFormat : "spki" = "spki" ,
hashName : "SHA-256" = "SHA-256"
) => {
if ( ! encryptionKey) {
throw Error ( "Encryption key not initialized" );
}
const encoder = new TextEncoder ();
const data = encoder .encode (plainText);
let cryptoKey : CryptoKey ;
let encrypted : ArrayBuffer ;
try {
cryptoKey = await importKey (
keyFormat ,
encryptionKey ,
{ name : "RSA-OAEP" , hash : { name : hashName } } ,
[ "encrypt" ]
);
encrypted = await encrypt ({ name : "RSA-OAEP" } , cryptoKey , data);
return btoa ( String . fromCharCode .apply ( null , new Uint8Array (encrypted)));
} catch (error) {
console .error ( "RSA-OAEP Encryption error:" , error);
throw error;
}
};
export const aesEncrypt = async (
plainText : string ,
encryptionKey : BufferSource ,
keyFormat : "raw" = "raw" ,
keyLength : number = 256
) => {
if ( ! encryptionKey) {
throw Error ( "Encryption key not initialized" );
}
const encoder = new TextEncoder ();
const data = encoder .encode (plainText);
let cryptoKey : CryptoKey ;
let encrypted : ArrayBuffer ;
try {
cryptoKey = await importKey (keyFormat , encryptionKey , { name : "AES-GCM" , length : keyLength } , [
"encrypt" ,
]);
const iv = cryptoObj .getRandomValues ( new Uint8Array ( 12 )); // Initialization vector
encrypted = await encrypt ({ name : "AES-GCM" , iv } , cryptoKey , data);
const combined = new Uint8Array ( iv . length + encrypted .byteLength);
combined .set (iv , 0 );
combined .set ( new Uint8Array (encrypted) , iv . length );
return btoa ( String . fromCharCode .apply ( null , combined));
} catch (error) {
console .error ( "AES-GCM Encryption error:" , error);
throw error;
}
};
With these function setup, we are able to generate our AES key, and then RSA Encrypt it using the public key of the secure enclave.
Copy const enclavePublicKey =
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQOa1gkatuN6KjaS4KEWsVZAN9i4Cf0j9jlmBW5RwCJ3Bxo32McP7axt4Ev6sMWM24lpCgXgu68S9KBYRcrcEB6dRcaupFGd+ER7M518fiJ0VtCZ+XRnmwn9fqEvotp9DPZOysJkUQ60kugCRKwNvfZzAFcDiubwiqsUY2sCm943a/u9Hym51SEetG+ZFPJZFOBqwRSGkOgGZ+9Ac7ITE+bWLCZk9DlzRu+BIoDOFzXZIn+/0a0X8BnLtRY4g50aew4J+4OllQagBbhYnPMvYExYIEUx6bdjQicw0Js6s2pHr+SFAX23kQtbVOVxb5+KEGp1d+6Q4Gx7FBoyWI5qPQIDAQAB" ;
const aesKey = await generateAesKey ();
const aesKeyBytes = new Uint8Array (aesKey);
const aesKeyString = btoa ( String .fromCharCode ( ... aesKeyBytes));
const encryptedAesKey = await rsaEncrypt (aesKeyString , enclavePublicKey);
const userDetails = {
username : "john_doe" ,
userDisplayName : "john_doe_crypto" ,
};
const encryptedUser = await aesEncrypt ( JSON .stringify (userDetails) , aesKey);
Now you have your encryptedAesKey
and encryptedUser
you can use this value as the value in the request header as X-Encrypted-Key
. With X-Scope-Id, X-Encrypted-User
and X-Encrypted-Key
setup, you can now start interacting with Passport API to register and authenticate users.
Last updated 8 months ago