Fix Vault crypto implementation for edge runtime compatibility (#1269)

Author: nicknisi

src/common/crypto/crypto-provider.ts

@@ -35,4 +35,51 @@ export abstract class CryptoProvider {
    * Cryptographically determine whether two signatures are equal
    */
   abstract secureCompare(stringA: string, stringB: string): Promise<boolean>;
+
+  /**
+   * Encrypts data using AES-256-GCM algorithm.
+   *
+   * @param plaintext The data to encrypt
+   * @param key The encryption key (should be 32 bytes for AES-256)
+   * @param iv Optional initialization vector (if not provided, a random one will be generated)
+   * @param aad Optional additional authenticated data
+   * @returns Object containing the encrypted ciphertext, the IV used, and the authentication tag
+   */
+  abstract encrypt(
+    plaintext: Uint8Array,
+    key: Uint8Array,
+    iv?: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<{
+    ciphertext: Uint8Array;
+    iv: Uint8Array;
+    tag: Uint8Array;
+  }>;
+
+  /**
+   * Decrypts data that was encrypted using AES-256-GCM algorithm.
+   *
+   * @param ciphertext The encrypted data
+   * @param key The decryption key (must be the same key used for encryption)
+   * @param iv The initialization vector used during encryption
+   * @param tag The authentication tag produced during encryption
+   * @param aad Optional additional authenticated data (must match what was used during encryption)
+   * @returns The decrypted data
+   * @throws Will throw an error if authentication fails or the data has been tampered with
+   */
+  abstract decrypt(
+    ciphertext: Uint8Array,
+    key: Uint8Array,
+    iv: Uint8Array,
+    tag: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<Uint8Array>;
+
+  /**
+   * Generates cryptographically secure random bytes.
+   *
+   * @param length The number of random bytes to generate
+   * @returns A Uint8Array containing the random bytes
+   */
+  abstract randomBytes(length: number): Uint8Array;
 }

src/common/crypto/node-crypto-provider.ts

@@ -1,4 +1,4 @@
-import * as crypto from 'node:crypto';
+import * as crypto from 'crypto';
 import { CryptoProvider } from './crypto-provider';
 
 /**
@@ -18,7 +18,7 @@ export class NodeCryptoProvider extends CryptoProvider {
     payload: string,
     secret: string,
   ): Promise<string> {
-    const signature = await this.computeHMACSignature(payload, secret);
+    const signature = this.computeHMACSignature(payload, secret);
     return signature;
   }
 
@@ -39,4 +39,61 @@ export class NodeCryptoProvider extends CryptoProvider {
     // Perform a constant time comparison
     return crypto.timingSafeEqual(hmacA, hmacB);
   }
+
+  async encrypt(
+    plaintext: Uint8Array,
+    key: Uint8Array,
+    iv?: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<{
+    ciphertext: Uint8Array;
+    iv: Uint8Array;
+    tag: Uint8Array;
+  }> {
+    const actualIv = iv || crypto.randomBytes(32);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, actualIv);
+
+    if (aad) {
+      cipher.setAAD(Buffer.from(aad));
+    }
+
+    const ciphertext = Buffer.concat([
+      cipher.update(Buffer.from(plaintext)),
+      cipher.final(),
+    ]);
+
+    const tag = cipher.getAuthTag();
+
+    return {
+      ciphertext: new Uint8Array(ciphertext),
+      iv: new Uint8Array(actualIv),
+      tag: new Uint8Array(tag),
+    };
+  }
+
+  async decrypt(
+    ciphertext: Uint8Array,
+    key: Uint8Array,
+    iv: Uint8Array,
+    tag: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<Uint8Array> {
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(Buffer.from(tag));
+
+    if (aad) {
+      decipher.setAAD(Buffer.from(aad));
+    }
+
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(ciphertext)),
+      decipher.final(),
+    ]);
+
+    return new Uint8Array(decrypted);
+  }
+
+  randomBytes(length: number): Uint8Array {
+    return new Uint8Array(crypto.randomBytes(length));
+  }
 }

src/common/crypto/subtle-crypto-provider.ts

@@ -79,6 +79,100 @@ export class SubtleCryptoProvider extends CryptoProvider {
 
     return equal;
   }
+
+  async encrypt(
+    plaintext: Uint8Array,
+    key: Uint8Array,
+    iv?: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<{
+    ciphertext: Uint8Array;
+    iv: Uint8Array;
+    tag: Uint8Array;
+  }> {
+    const actualIv = iv || crypto.getRandomValues(new Uint8Array(32));
+
+    const cryptoKey = await this.subtleCrypto.importKey(
+      'raw',
+      key,
+      { name: 'AES-GCM' },
+      false,
+      ['encrypt'],
+    );
+
+    const encryptParams: AesGcmParams = {
+      name: 'AES-GCM',
+      iv: actualIv,
+    };
+
+    if (aad) {
+      encryptParams.additionalData = aad;
+    }
+
+    const encryptedData = await this.subtleCrypto.encrypt(
+      encryptParams,
+      cryptoKey,
+      plaintext,
+    );
+
+    const encryptedBytes = new Uint8Array(encryptedData);
+
+    // Extract tag (last 16 bytes)
+    const tagSize = 16;
+    const tagStart = encryptedBytes.length - tagSize;
+    const tag = encryptedBytes.slice(tagStart);
+    const ciphertext = encryptedBytes.slice(0, tagStart);
+
+    return {
+      ciphertext,
+      iv: actualIv,
+      tag,
+    };
+  }
+
+  async decrypt(
+    ciphertext: Uint8Array,
+    key: Uint8Array,
+    iv: Uint8Array,
+    tag: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<Uint8Array> {
+    // SubtleCrypto expects tag to be appended to ciphertext for AES-GCM
+    const combinedData = new Uint8Array(ciphertext.length + tag.length);
+    combinedData.set(ciphertext, 0);
+    combinedData.set(tag, ciphertext.length);
+
+    const cryptoKey = await this.subtleCrypto.importKey(
+      'raw',
+      key,
+      { name: 'AES-GCM' },
+      false,
+      ['decrypt'],
+    );
+
+    const decryptParams: AesGcmParams = {
+      name: 'AES-GCM',
+      iv,
+    };
+
+    if (aad) {
+      decryptParams.additionalData = aad;
+    }
+
+    const decryptedData = await this.subtleCrypto.decrypt(
+      decryptParams,
+      cryptoKey,
+      combinedData,
+    );
+
+    return new Uint8Array(decryptedData);
+  }
+
+  randomBytes(length: number): Uint8Array {
+    const bytes = new Uint8Array(length);
+    crypto.getRandomValues(bytes);
+    return bytes;
+  }
 }
 
 // Cached mapping of byte to hex representation. We do this once to avoid re-

src/common/utils/base64.ts

@@ -0,0 +1,49 @@
+/**
+ * Cross-runtime compatible base64 encoding/decoding utilities
+ * that work in both Node.js and browser environments
+ */
+
+/**
+ * Converts a base64 string to a Uint8Array
+ */
+export function base64ToUint8Array(base64: string): Uint8Array {
+  // In browsers and modern Node.js
+  if (typeof atob === 'function') {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+  // Node.js fallback using Buffer
+  else if (typeof Buffer !== 'undefined') {
+    return new Uint8Array(Buffer.from(base64, 'base64'));
+  }
+  // Fallback implementation if neither is available
+  else {
+    throw new Error('No base64 decoding implementation available');
+  }
+}
+
+/**
+ * Converts a Uint8Array to a base64 string
+ */
+export function uint8ArrayToBase64(bytes: Uint8Array): string {
+  // In browsers and modern Node.js
+  if (typeof btoa === 'function') {
+    let binary = '';
+    for (let i = 0; i < bytes.byteLength; i++) {
+      binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+  }
+  // Node.js fallback using Buffer
+  else if (typeof Buffer !== 'undefined') {
+    return Buffer.from(bytes).toString('base64');
+  }
+  // Fallback implementation if neither is available
+  else {
+    throw new Error('No base64 encoding implementation available');
+  }
+}

src/index.ts

@@ -54,6 +54,10 @@ class WorkOSNode extends WorkOS {
 
   /** @override */
   createWebhookClient(): Webhooks {
+    return new Webhooks(this.getCryptoProvider());
+  }
+
+  override getCryptoProvider(): CryptoProvider {
     let cryptoProvider: CryptoProvider;
 
     if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
@@ -62,20 +66,12 @@ class WorkOSNode extends WorkOS {
       cryptoProvider = new NodeCryptoProvider();
     }
 
-    return new Webhooks(cryptoProvider);
+    return cryptoProvider;
   }
 
   /** @override */
   createActionsClient(): Actions {
-    let cryptoProvider: CryptoProvider;
-
-    if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
-      cryptoProvider = new SubtleCryptoProvider();
-    } else {
-      cryptoProvider = new NodeCryptoProvider();
-    }
-
-    return new Actions(cryptoProvider);
+    return new Actions(this.getCryptoProvider());
   }
 
   /** @override */

src/index.worker.ts

@@ -1,4 +1,5 @@
 import { Actions } from './actions/actions';
+import { CryptoProvider } from './common/crypto/crypto-provider';
 import { SubtleCryptoProvider } from './common/crypto/subtle-crypto-provider';
 import { EdgeIronSessionProvider } from './common/iron-session/edge-iron-session-provider';
 import { IronSessionProvider } from './common/iron-session/iron-session-provider';
@@ -45,6 +46,10 @@ class WorkOSWorker extends WorkOS {
     return new Webhooks(cryptoProvider);
   }
 
+  override getCryptoProvider(): CryptoProvider {
+    return new SubtleCryptoProvider();
+  }
+
   /** @override */
   createActionsClient(): Actions {
     const cryptoProvider = new SubtleCryptoProvider();