Crypto Module
const crypto = require('@arangodb/crypto')
The crypto module provides implementations of various hashing algorithms as well as cryptography related functions.
Nonces
These functions deal with cryptographic nonces.
For single server use only.
createNonce
crypto.createNonce(): string
Creates a cryptographic nonce consisting of the first 32 bits of a timestamp and 64 bit of randomness.
The nonce is held in memory for approximately one hour by the server.
Returns the created nonce as base64-encoded string.
checkAndMarkNonce
crypto.checkAndMarkNonce(nonce): void
Checks if the nonce is valid and marks it as used.
Arguments
-
nonce:
string
The nonce to check and mark.
Returns true
if the supplied nonce was issued by the server and not marked
before, otherwise false
.
Random values
The following functions deal with generating random values.
rand
crypto.rand(): number
Generates a random integer that may be positive, negative or even zero.
Returns the generated number.
genRandomAlphaNumbers
crypto.genRandomAlphaNumbers(length): string
Generates a string of random alphabetical characters and digits.
Arguments
-
length:
number
The length of the string to generate.
Returns the generated string.
genRandomNumbers
crypto.genRandomNumbers(length): string
Generates a string of random digits.
Arguments
-
length:
number
The length of the string to generate.
Returns the generated string.
genRandomSalt
crypto.genRandomSalt(length): string
Generates a string of random (printable) ASCII characters.
Arguments
-
length:
number
The length of the string to generate.
Returns the generated string.
genRandomBytes
crypto.genRandomBytes(length): Buffer
Generates a buffer of random bytes.
Arguments
-
length:
number
The length of the buffer to generate.
Returns the generated buffer.
uuidv4
crypto.uuidv4(): string
Generates a random UUID v4 string.
Returns the generated UUID string.
JSON Web Tokens (JWT)
These methods implement the JSON Web Token standard.
jwtEncode
crypto.jwtEncode(key, message, algorithm): string
Generates a JSON Web Token for the given message.
Arguments
-
key:
string | null
The secret cryptographic key to be used to sign the message using the given algorithm. Note that this function will raise an error if the key is omitted but the algorithm expects a key, and also if the algorithm does not expect a key but a key is provided (e.g. when using
"none"
). -
message:
string
Message to be encoded as JWT. Note that the message will only be base64-encoded and signed, not encrypted. Do not store sensitive information in tokens unless they will only be handled by trusted parties.
-
algorithm:
string
Name of the algorithm to use for signing the message, e.g.
"HS512"
.
Returns the JSON Web Token.
jwtDecode
crypto.jwtDecode(key, token, noVerify): string | null
Arguments
-
key:
string | null
The secret cryptographic key that was used to sign the message using the algorithm indicated by the token. Note that this function will raise an error if the key is omitted but the algorithm expects a key.
If the algorithm does not expect a key but a key is provided, the token will fail to verify.
-
token:
string
The token to decode.
Note that the function will raise an error if the token is malformed (e.g. does not have exactly three segments).
-
noVerify:
boolean
(Default:false
)Whether verification should be skipped. If this is set to
true
the signature of the token will not be verified. Otherwise the function will raise an error if the signature cannot be verified using the given key.
Returns the decoded JSON message or null
if no token is provided.
jwtAlgorithms
A helper object containing the supported JWT algorithms. Each attribute name corresponds to a JWT alg
and the value is an object with sign
and verify
methods.
jwtCanonicalAlgorithmName
crypto.jwtCanonicalAlgorithmName(name): string
A helper function that translates a JWT alg
value found in a JWT header into the canonical name of the algorithm in jwtAlgorithms
. Raises an error if no algorithm with a matching name is found.
Arguments
-
name:
string
Algorithm name to look up.
Returns the canonical name for the algorithm.
Hashing algorithms
md5
crypto.md5(message): string
Hashes the given message using the MD5 algorithm.
Arguments
-
message:
string
The message to hash.
Returns the cryptographic hash.
sha1
crypto.sha1(message): string
Hashes the given message using the SHA-1 algorithm.
Arguments
-
message:
string
The message to hash.
Returns the cryptographic hash.
sha224
crypto.sha224(message): string
Hashes the given message using the SHA-224 algorithm.
Arguments
-
message:
string
The message to hash.
Returns the cryptographic hash.
sha256
crypto.sha256(message): string
Hashes the given message using the SHA-256 algorithm.
Arguments
-
message:
string
The message to hash.
Returns the cryptographic hash.
sha384
crypto.sha384(message): string
Hashes the given message using the SHA-384 algorithm.
Arguments
-
message:
string
The message to hash.
Returns the cryptographic hash.
sha512
crypto.sha512(message): string
Hashes the given message using the SHA-512 algorithm.
Arguments
-
message:
string
The message to hash.
Returns the cryptographic hash.
Miscellaneous
constantEquals
crypto.constantEquals(str1, str2): boolean
Compares two strings. This function iterates over the entire length of both strings and can help making certain timing attacks harder.
Arguments
-
str1:
string
The first string to compare.
-
str2:
string
The second string to compare.
Returns true
if the strings are equal, false
otherwise.
pbkdf2
crypto.pbkdf2(salt, password, iterations, keyLength): string
Generates a PBKDF2-HMAC-SHA1 hash of the given password.
Arguments
-
salt:
string
The cryptographic salt to hash the password with.
-
password:
string
The message or password to hash.
-
iterations:
number
The number of iterations. This should be a very high number. OWASP recommended 64000 iterations in 2012 and recommends doubling that number every two years.
When using PBKDF2 for password hashes it is also recommended to add a random value (typically between 0 and 32000) to that number that is different for each user.
-
keyLength:
number
The key length.
Returns the cryptographic hash.
hmac
crypto.hmac(key, message, algorithm): string
Generates an HMAC hash of the given message.
Arguments
-
key:
string
The cryptographic key to use to hash the message.
-
message:
string
The message to hash.
-
algorithm:
string
The name of the algorithm to use.
Returns the cryptographic hash.