CHAI
/
chtech-anythingllm
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
26 Commits
1 Branch
0 Tags
235 MiB
Tree: 976b377185
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '976b377185'
${ noResults }
chtech-anythingllm/server/utils/comKey/index.js

86 lines
3.0 KiB
Raw Normal View History

first commit
11 months ago
  1. const crypto = require("crypto");
  2. const fs = require("fs");
  3. const path = require("path");
  4. const keyPath =
  5. process.env.NODE_ENV === "development"
  6. ? path.resolve(__dirname, `../../storage/comkey`)
  7. : path.resolve(
  8. process.env.STORAGE_DIR ?? path.resolve(__dirname, `../../storage`),
  9. `comkey`
  10. );
  12. // What does this class do?
  13. // This class generates a hashed version of some text (typically a JSON payload) using a rolling RSA key
  14. // that can then be appended as a header value to do integrity checking on a payload. Given the
  15. // nature of this class and that keys are rolled constantly, this protects the request
  16. // integrity of requests sent to the collector as only the server can sign these requests.
  17. // This keeps accidental misconfigurations of AnythingLLM that leaving port 8888 open from
  18. // being abused or SSRF'd by users scraping malicious sites who have a loopback embedded in a <script>, for example.
  19. // Since each request to the collector must be signed to be valid, unsigned requests directly to the collector
  20. // will be dropped and must go through the /server endpoint directly.
  21. class CommunicationKey {
  22. #privKeyName = "ipc-priv.pem";
  23. #pubKeyName = "ipc-pub.pem";
  24. #storageLoc = keyPath;
  26. // Init the class and determine if keys should be rolled.
  27. // This typically occurs on boot up so key is fresh each boot.
  28. constructor(generate = false) {
  29. if (generate) this.#generate();
  30. }
  32. log(text, ...args) {
  33. console.log(`\x1b[36m[CommunicationKey]\x1b[0m ${text}`, ...args);
  34. }
  36. #readPrivateKey() {
  37. return fs.readFileSync(path.resolve(this.#storageLoc, this.#privKeyName));
  38. }
  40. #generate() {
  41. const keyPair = crypto.generateKeyPairSync("rsa", {
  42. modulusLength: 2048,
  43. publicKeyEncoding: {
  44. type: "pkcs1",
  45. format: "pem",
  46. },
  47. privateKeyEncoding: {
  48. type: "pkcs1",
  49. format: "pem",
  50. },
  51. });
  53. if (!fs.existsSync(this.#storageLoc))
  54. fs.mkdirSync(this.#storageLoc, { recursive: true });
  55. fs.writeFileSync(
  56. `${path.resolve(this.#storageLoc, this.#privKeyName)}`,
  57. keyPair.privateKey
  58. );
  59. fs.writeFileSync(
  60. `${path.resolve(this.#storageLoc, this.#pubKeyName)}`,
  61. keyPair.publicKey
  62. );
  63. this.log(
  64. "RSA key pair generated for signed payloads within AnythingLLM services."
  65. );
  66. }
  68. // This instance of ComKey on server is intended for generation of Priv/Pub key for signing and decoding.
  69. // this resource is shared with /collector/ via a class of the same name in /utils which does decoding/verification only
  70. // while this server class only does signing with the private key.
  71. sign(textData = "") {
  72. return crypto
  73. .sign("RSA-SHA256", Buffer.from(textData), this.#readPrivateKey())
  74. .toString("hex");
  75. }
  77. // Use the rolling priv-key to encrypt arbitrary data that is text
  78. // returns the encrypted content as a base64 string.
  79. encrypt(textData = "") {
  80. return crypto
  81. .privateEncrypt(this.#readPrivateKey(), Buffer.from(textData, "utf-8"))
  82. .toString("base64");
  83. }
  84. }
  86. module.exports = { CommunicationKey };