Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

@metamask/browser-passworder

MetaMask81.8kISC6.0.0TypeScript support: included

A simple browserifiable module for password-encrypting JS objects.

Browser, password, encryption, browserify

readme

Browser Passworder

A simple module for encrypting & decrypting JavaScript objects with a password in the browser.

Serializes the encrypted payload as a string of text for easy storage.

Uses browser native crypto to be the lightest possible module you can have, with the most vetted internals you could ask for (the real guts here are implemented by the browser provider).

Installation

You need to have Node.js installed.

yarn add @metamask/browser-passworder

Usage

const { strict: assert } = require('assert');
const passworder = require('browser-passworder');

const secrets = { coolStuff: 'all', ssn: 'livin large' };
const password = 'hunter55';

passworder
  .encrypt(password, secrets)
  .then(function (blob) {
    return passworder.decrypt(password, blob);
  })
  .then(function (result) {
    assert.deepEqual(result, secrets);
  });

There are also some more advanced internal methods you can choose to use, but that's the basic version of it.

The most advanced alternate usage would be if you want to cache the password-derived key to speed up performance for many encryptions/decryptions with the same password.

Details

The serialized text is stored as a JSON blob that includes three base64-encoded fields, data, iv, and salt, none of which you need to worry about.

A key is derived from the password using PBKDF2 with a salt sampled from crypto.getRandomValues(). The data is encrypted using the AES-GCM algorithm with an initialization vector sampled from crypto.getRandomValues().

Contributing

Setup

  • Install Node.js version 18
    • If you are using nvm (recommended) running nvm use will automatically choose the right node version for you.
  • Install Yarn v3
  • Run yarn install to install dependencies and run any required post-install scripts

Testing and Linting

Run yarn test to run the tests once.

Run yarn lint to run the linter, or run yarn lint:fix to run the linter and fix any automatically fixable issues.

Release & Publishing

The project follows the same release process as the other libraries in the MetaMask organization. The GitHub Actions action-create-release-pr and action-publish-release are used to automate the release process; see those repositories for more information about how they work.

  1. Choose a release version.

    • The release version should be chosen according to SemVer. Analyze the changes to see whether they include any breaking changes, new features, or deprecations, then choose the appropriate SemVer version. See the SemVer specification for more information.

  2. If this release is backporting changes onto a previous release, then ensure there is a major version branch for that version (e.g. 1.x for a v1 backport release).

    • The major version branch should be set to the most recent release with that major version. For example, when backporting a v1.0.2 release, you'd want to ensure there was a 1.x branch that was set to the v1.0.1 tag.

  3. Trigger the workflow_dispatch event manually for the Create Release Pull Request action to create the release PR.

    • For a backport release, the base branch should be the major version branch that you ensured existed in step 2. For a normal release, the base branch should be the main branch for that repository (which should be the default value).
    • This should trigger the action-create-release-pr workflow to create the release PR.

  4. Update the changelog to move each change entry into the appropriate change category (See here for the full list of change categories, and the correct ordering), and edit them to be more easily understood by users of the package.

    • Generally any changes that don't affect consumers of the package (e.g. lockfile changes or development environment changes) are omitted. Exceptions may be made for changes that might be of interest despite not having an effect upon the published package (e.g. major test improvements, security improvements, improved documentation, etc.).
    • Try to explain each change in terms that users of the package would understand (e.g. avoid referencing internal variables/concepts).
    • Consolidate related changes into one change entry if it makes it easier to explain.
    • Run yarn auto-changelog validate --rc to check that the changelog is correctly formatted.

  5. Review and QA the release.

    • If changes are made to the base branch, the release branch will need to be updated with these changes and review/QA will need to restart again. As such, it's probably best to avoid merging other PRs into the base branch while review is underway.

  6. Squash & Merge the release.

    • This should trigger the action-publish-release workflow to tag the final release commit and publish the release on GitHub.

  7. Publish the release on npm.

    • Wait for the publish-release GitHub Action workflow to finish. This should trigger a second job (publish-npm), which will wait for a run approval by the npm publishers team.
    • Approve the publish-npm job (or ask somebody on the npm publishers team to approve it for you).
    • Once the publish-npm job has finished, check npm to verify that it has been published.

changelog

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

6.0.0

Changed

  • BREAKING: Increase minimum Node.js version to ^18.18 (#66)
  • Bump @metamask/utils from ^9.0.0 to ^11.0.1 (#67)

5.0.1

Changed

  • Bump @metamask/utils from ^8.2.0 to ^9.0.0 (#63)

5.0.0

Changed

  • BREAKING: Increase minimum Node.js version to 16; recommended to 18 (#52)
  • Use globalThis over global and window (#60)

4.3.0

Added

  • Added isVaultUpdated function to verify if a given vault was encrypted with the target encryption parameters. (#53)
  • Added optional targetDerivationParams argument to updateVault and updateVaultWithDetail. (#55)
    • This argument allows to specify the desired parameters to use

4.2.0

Added

  • Support key derivation options (#49)
    • Added EncryptionKey type to hold a CryptoKey along with its derivation parameters.
    • Added ExportedEncryptionKey type to hold a JsonWebKey along with its derivation parameters.
    • Added Optional keyMetadata property of type KeyDerivationOptions to EncryptionResult.
    • Added Optional opts argument to keyFromPassword to specify algorithm and parameters to be used in the key derivation. Defaults to PBKDF2 with 900.000 iterations.(https://github.com/MetaMask/browser-passworder/pull/49))
    • Added iterations argument to keyFromPassword function.
    • Added optional keyDerivationOptions argument to encrypt and encryptWithDetail to specify algorithm and parameters to be used in the key Defaults to PBKDF2 at 900.000 iterations.
  • Added updateVaultWithDetail function to update existing vault and exported key with a safer encryption method if available (#49)
  • Added updateVault function to update existing vault string with a safer encryption method if available (#49)

Changed

  • Add optional parameters and properties to support custom derivation options (#49)
    • encrypt method accepts both EncryptionKey and CryptoKey types as key argument.
    • encryptWithKey method accepts both EncryptionKey and CryptoKey types as key argument.
    • decrypt method accepts both EncryptionKey and CryptoKey types as key argument.
    • decryptWithKey method accepts both EncryptionKey and CryptoKey types as key argument.
    • importKey method returns a CryptoKey when a JWK string is passed, or an EncryptionKey when an ExportedEncryptionKey string is passed.
    • exportKey method accepts both EncryptionKey and CryptoKey types as key argument, and returns an ExportedEncryptionKey for the former and a JsonWebKey for the latter.
  • Pin TypeScript version to ~4.8.4 (#50)

4.1.0

Changed

  • Export data types (#45)
    • This module now exports the following date types: DetailedEncryptionResult, DetailedDecryptResult, and EncryptionResult

4.0.2

Fixed

  • Restore derived key default exportable to false, provide option to make exportable (#38)
    • keyFromPassword will now default to generating a non-exportable key, just as it had prior to v4.
    • This removes an unintended breaking change from v4

4.0.1

Fixed

  • Fix publishing script (#35)
    • No functional changes from v4.0.0. This just makes it possible to publish to npm again. v4.0.0 was not published.

4.0.0

Added

  • Allow decrypting and encrypting with exported and imported keys (#29)

Changed

  • BREAKING: Set minimum Node.js version to v14 (#24)

3.0.0

Added

  • Add LICENSE file (#1)
    • Previous versions were listed as being licensed as ISC, but the file was missing.

Changed

  • BREAKING: Rename package from browser-passworder to @metamask/browser-passworder (#14)
  • BREAKING: Set minimum Node.js version to v12 (#9)
  • Convert to TypeScript (#6)
  • Remove browserify-unibabel dependency (#13)