Merge branch 'feature/api-key' into feature/rotate-api-key

Author: briskt

apikey.go

@@ -105,14 +105,13 @@ func (k *ApiKey) DecryptData(ciphertext []byte) ([]byte, error) {
 		return nil, err
 	}
 
-	// plaintext will hold decrypted content, it must be at least as long
-	// as ciphertext or decryption process will panic
-	plaintext := make([]byte, len(ciphertext))
+	// plaintext must be as long as ciphertext minus the length of the IV, which is the same as the AES block size
+	plaintext := make([]byte, len(ciphertext)-aes.BlockSize)
 
-	// get iv from encrypted content
+	// the IV (initialization vector) is the first BlockSize bytes in the encrypted content
 	iv := ciphertext[:aes.BlockSize]
 
-	// use CTR to decrypt content
+	// use CTR to decrypt content, which starts BlockSize bytes into the ciphertext
 	stream := cipher.NewCTR(block, iv)
 	stream.XORKeyStream(plaintext, ciphertext[aes.BlockSize:])
 

apikey_test.go

@@ -99,14 +99,12 @@ func TestApiKey_EncryptDecrypt(t *testing.T) {
 		name      string
 		secret    string
 		plaintext []byte
-		want      []byte
 		wantErr   bool
 	}{
 		{
 			name:      "test encrypt/decrypt",
 			secret:    "ED86600E-3DBF-4C23-A0DA-9C55D448",
 			plaintext: []byte("this is a plaintext string to be encrypted"),
-			want:      []byte("this is a plaintext string to be encrypted"),
 			wantErr:   false,
 		},
 	}
@@ -131,8 +129,8 @@ func TestApiKey_EncryptDecrypt(t *testing.T) {
 				return
 			}
 
-			if !bytes.Equal(tt.plaintext, tt.want) {
-				t.Errorf("results from decypt do not match expected. Got: %s, wanted: %s", decrypted, tt.want)
+			if !bytes.Equal(tt.plaintext, decrypted) {
+				t.Errorf("results from decypt do not match expected. Got: %s, wanted: %s", decrypted, tt.plaintext)
 				return
 			}
 		})

lambda/main.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"log"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 
@@ -156,6 +157,7 @@ func httpRequestFromProxyRequest(ctx context.Context, req events.APIGatewayProxy
 	for k, v := range req.Headers {
 		headers.Set(k, v)
 	}
+	requestURL, _ := url.Parse(req.Path)
 	r := &http.Request{
 		Method:        req.HTTPMethod,
 		ProtoMinor:    0,
@@ -164,6 +166,7 @@ func httpRequestFromProxyRequest(ctx context.Context, req events.APIGatewayProxy
 		ContentLength: int64(len(req.Body)),
 		RemoteAddr:    req.RequestContext.Identity.SourceIP,
 		RequestURI:    req.Path,
+		URL:           requestURL,
 	}
 	return r.WithContext(ctx)
 }

webauthnuser.go

@@ -1,7 +1,6 @@
 package mfa
 
 import (
-	"bytes"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
@@ -223,9 +222,6 @@ func (u *WebauthnUser) Load() error {
 			return errors.Wrap(err, "failed to decrypt encrypted session data")
 		}
 
-		// decryption process includes extra/invalid \x00 character, so trim it out
-		plain = bytes.Trim(plain, "\x00")
-
 		// unmarshal decrypted session data into SessionData
 		var sd webauthn.SessionData
 		err = json.Unmarshal(plain, &sd)
@@ -243,9 +239,6 @@ func (u *WebauthnUser) Load() error {
 			return errors.Wrap(err, "failed to decrypt encrypted credential data")
 		}
 
-		// decryption process includes extra/invalid \x00 character, so trim it out
-		dec = bytes.Trim(dec, "\x00")
-
 		// unmarshal decrypted session data into Credentials
 		var creds []webauthn.Credential
 		err = json.Unmarshal(dec, &creds)
@@ -429,11 +422,6 @@ func (u *WebauthnUser) WebAuthnCredentials() []webauthn.Credential {
 		return nil
 	}
 
-	// decryption process includes extra/invalid \x00 character, so trim it out
-	// at some point early in dev this was needed, but in testing recently it doesn't
-	// make a difference. Leaving commented out for now until we know 100% it's not needed
-	// credId = bytes.Trim(credId, "\x00")
-
 	decodedCredId, err := base64.RawURLEncoding.DecodeString(string(credId))
 	if err != nil {
 		log.Println("error decoding credential id:", err)