fix: change api to send/receive password directly

src/routes/v2/authenticatedSites/settings.js

@@ -101,12 +101,11 @@ class SettingsRouter {
     const { error } = UpdateRepoPasswordRequestSchema.validate(req.body)
     if (error) throw new BadRequestError(error.message)
 
-    const { encryptedPassword, iv, enablePassword } = body
+    const { password, enablePassword } = body
     const passwordRes = await this.settingsService.updatePassword(
       userWithSiteSessionData,
       {
-        encryptedPassword,
-        iv,
+        password,
         enablePassword,
       }
     )

src/services/configServices/SettingsService.js

@@ -3,6 +3,8 @@ const Bluebird = require("bluebird")
 const _ = require("lodash")
 const { okAsync, errAsync } = require("neverthrow")
 
+const { decryptPassword } = require("@root/utils/crypto-utils")
+
 class SettingsService {
   constructor({
     configYmlService,
@@ -56,16 +58,14 @@ class SettingsService {
     if (siteInfo.isErr()) {
       // Missing site indicating netlify site - return special result
       return okAsync({
-        encryptedPassword: "",
-        iv: "",
+        password: "",
         isAmplifySite: false,
       })
     }
     const { id, isPrivate } = siteInfo.value
     if (!isPrivate)
       return okAsync({
-        encryptedPassword: "",
-        iv: "",
+        password: "",
         isAmplifySite: true,
       })
 
@@ -74,9 +74,12 @@ class SettingsService {
     )
     if (deploymentInfo.isErr()) return deploymentInfo
 
+    const password = decryptPassword(
+      deploymentInfo.value.encryptedPassword,
+      deploymentInfo.value.encryptionIv
+    )
     return okAsync({
-      encryptedPassword: deploymentInfo.value.encryptedPassword,
-      iv: deploymentInfo.value.encryptionIv,
+      password,
       isAmplifySite: true,
     })
   }
@@ -154,7 +157,7 @@ class SettingsService {
     }
   }
 
-  async updatePassword(sessionData, { encryptedPassword, iv, enablePassword }) {
+  async updatePassword(sessionData, { password, enablePassword }) {
     const { siteName } = sessionData
     const siteInfo = await this.sitesService.getBySiteName(siteName)
     if (siteInfo.isErr()) {
@@ -179,8 +182,7 @@ class SettingsService {
     }
     return this.deploymentsService.updateAmplifyPassword(
       siteName,
-      encryptedPassword,
-      iv,
+      password,
       enablePassword
     )
   }

src/services/identity/DeploymentsService.ts

@@ -8,7 +8,7 @@ import { Deployment, Repo, Site } from "@database/models"
 import { NotFoundError } from "@root/errors/NotFoundError"
 import { AmplifyError, AmplifyInfo } from "@root/types/index"
 import { Brand } from "@root/types/util"
-import { decryptPassword } from "@root/utils/crypto-utils"
+import { decryptPassword, encryptPassword } from "@root/utils/crypto-utils"
 import DeploymentClient from "@services/identity/DeploymentClient"
 
 type deploymentsCreateParamsType = Partial<Deployment> & {
@@ -132,8 +132,7 @@ class DeploymentsService {
 
   updateAmplifyPassword = async (
     repoName: string,
-    encryptedPassword: string,
-    iv: string,
+    password: string,
     enablePassword: boolean
   ) => {
     const deploymentInfo = await this.repository.findOne({
@@ -163,10 +162,18 @@ class DeploymentsService {
         ""
       )
     } else {
-      const decryptedPassword = decryptPassword(encryptedPassword, iv)
+      const {
+        encryptedPassword: oldEncryptedPassword,
+        encryptionIv: oldIv,
+      } = deploymentInfo
+      if (
+        !!oldEncryptedPassword &&
+        decryptPassword(oldEncryptedPassword, oldIv) === oldEncryptedPassword
+      )
+        return okAsync("")
       updateAppInput = this.deploymentClient.generateUpdatePasswordInput(
         appId,
-        decryptedPassword
+        password
       )
     }
     const updateResp = await this.deploymentClient.sendUpdateApp(updateAppInput)
@@ -184,6 +191,7 @@ class DeploymentsService {
         { where: { id } }
       )
     } else {
+      const { encryptedPassword, iv } = encryptPassword(password)
       await this.repository.update(
         {
           encryptedPassword,

src/utils/crypto-utils.ts

@@ -1,16 +1,33 @@
-import { createDecipheriv } from "crypto"
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto"
 
 import { config } from "@config/config"
 
-const ALGORITHM = "aes-256-cbc"
+const ENCRYPTION_ALGORITHM = "aes-256-cbc"
+
+export const encryptPassword = (
+  password: string
+): {
+  encryptedPassword: string
+  iv: string
+} => {
+  const SECRET_KEY = Buffer.from(
+    config.get("aws.amplify.passwordSecretKey"),
+    "hex"
+  )
+  const iv = randomBytes(16)
+  const decipher = createCipheriv(ENCRYPTION_ALGORITHM, SECRET_KEY, iv)
+  let encryptedPassword = decipher.update(password, "utf8", "hex")
+  encryptedPassword += decipher.final("hex")
+  return { encryptedPassword, iv: iv.toString("hex") }
+}
 
 export const decryptPassword = (encryptedPassword: string, iv: string) => {
   const SECRET_KEY = Buffer.from(
     config.get("aws.amplify.passwordSecretKey"),
     "hex"
   )
   const decipher = createDecipheriv(
-    ALGORITHM,
+    ENCRYPTION_ALGORITHM,
     SECRET_KEY,
     Buffer.from(iv, "hex")
   )

src/validators/RequestSchema.js

@@ -276,8 +276,7 @@ const UpdateSettingsRequestSchema = Joi.object().keys({
 })
 
 const UpdateRepoPasswordRequestSchema = Joi.object().keys({
-  encryptedPassword: Joi.string(),
-  iv: Joi.string(),
+  password: Joi.string(),
   enablePassword: Joi.boolean(),
 })