sjudson/paseto.js

Cannot resolve dependency '../build/Release/extcrypto_addon'

Closed this issue · 4 comments

When compiling for the browser using Parcel I get the error:

🚨  ./node_modules/paseto.js/extcrypto/index.js:1:35: 
Cannot resolve dependency '../build/Release/extcrypto_addon' at './node_modules/paseto.js/build/Release/extcrypto_addon'

Would it be possible to make the import of extcrypto_addon conditional at compile time for the browser?

Some V2 functions seem to work fine when I comment out the extcrypto_addon line, thanks to Parcel's automatic import of node-libs-browser.

Although as noted in the readme I intend to add browser support for public token verification in the near future, at present paseto.js is for server-side runtimes only. I strongly recommend you do not use this library in the browser at present. As such, I'm going to close this issue. If this problem arises when I add browser support I will deal with it then.

Thanks for reporting the issue.

Do you mean that there are some major security concerns when using this library in the browser? As far as I understand, only the crypto.randomBytes function is needed for V2 tokens which can be trivially implemented in recent browsers.

Yes, there are major security concerns with doing any sort of cryptography in the browser, this library included. As noted I do intend limited support just for public token verification through a special API for the browser. But the library in its current form should only be used server side.

I would like to implement a server-side use of Paseto in the context of a Cloudflare Worker. Paseto, especially for simple verification of v2 tokens, is a perfect fit for performing the first line of auth at the edge of the network. However, the v8 runtime that Cloudflare provides access to within a worker will not allow compilation of code. If there were a variant of the lib that allowed disabling of the compilation (it's only used in the context of a v1 token I believe) that would be great. As it is now it's not possible to do so without forking the lib.

More about Cloudflare workers and the context they have available.

https://workers.cloudflare.com/
https://workers.cloudflare.com/docs/reference/runtime/apis/web-crypto/
https://workers.cloudflare.com/docs/reference/workers-concepts/security/

It would be great if you could think of a way to allow Paseto to work in this scenario.

Cheers
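
For reference alongside this thread, an added example (not part of any comment above, and not paseto.js code or its API): verifying a v2 public token takes only Ed25519 and the PAE encoding from the PASETO spec, shown here with Node's built-in crypto module. The function names, the key pair and the sample token are constructed for the illustration, and requiring the caller to pass the expected footer is a choice made here.

```javascript
const crypto = require('crypto');

const HEADER = Buffer.from('v2.public.');

// LE64: a length as unsigned 64-bit little-endian (top bit is clear for any real length).
function le64(n) {
  const b = Buffer.alloc(8);
  b.writeBigUInt64LE(BigInt(n));
  return b;
}

// PAE: length-prefix every piece so header, payload and footer bytes cannot be shifted into one another.
function pae(pieces) {
  return Buffer.concat([le64(pieces.length), ...pieces.flatMap(p => [le64(p.length), p])]);
}

// Returns the payload Buffer when the token verifies, otherwise null.
function verifyV2Public(token, publicKey, expectedFooter = '') {
  const parts = token.split('.');
  if (parts.length < 3 || parts.length > 4) return null;
  // Pin version and purpose; the token header never selects the algorithm.
  if (parts[0] !== 'v2' || parts[1] !== 'public') return null;
  const body = Buffer.from(parts[2], 'base64url');
  const footer = Buffer.from(parts[3] || '', 'base64url');
  if (body.length < 64) return null; // an Ed25519 signature is 64 bytes
  const want = Buffer.from(expectedFooter);
  if (footer.length !== want.length || !crypto.timingSafeEqual(footer, want)) return null;
  const message = body.subarray(0, body.length - 64);
  const signature = body.subarray(body.length - 64);
  const ok = crypto.verify(null, pae([HEADER, message, footer]), publicKey, signature);
  return ok ? message : null;
}

// Signing side, included only to build a sample token for the check below.
function signV2Public(payload, privateKey, footer = '') {
  const m = Buffer.from(payload), f = Buffer.from(footer);
  const sig = crypto.sign(null, pae([HEADER, m, f]), privateKey);
  const token = 'v2.public.' + Buffer.concat([m, sig]).toString('base64url');
  return f.length ? token + '.' + f.toString('base64url') : token;
}

// Constructed key pair and token (sample values, not from the thread).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const sampleToken = signV2Public('{"sub":"demo"}', privateKey, 'kid-1');
console.log(verifyV2Public(sampleToken, publicKey, 'kid-1').toString());
```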