algolia · TorbjornHoltmon · Dec 14, 2024 · Dec 14, 2024 · Dec 14, 2024 · Dec 14, 2024
diff --git a/packages/algoliasearch/__tests__/algoliasearch.fetch.test.ts b/packages/algoliasearch/__tests__/algoliasearch.fetch.test.ts
@@ -3,6 +3,7 @@ import { expect, test, vi } from 'vitest';
 import { LogLevelEnum } from '../../client-common/src/types';
 import { createConsoleLogger } from '../../logger-console/src/logger';
 import { algoliasearch, apiClientVersion } from '../builds/fetch';
+import { algoliasearch as node_algoliasearch } from '../builds/node';
 
 test('sets the ua', () => {
   const client = algoliasearch('APP_ID', 'API_KEY');
@@ -16,12 +17,24 @@ test('forwards node search helpers', () => {
   const client = algoliasearch('APP_ID', 'API_KEY');
   expect(client.generateSecuredApiKey).not.toBeUndefined();
   expect(client.getSecuredApiKeyRemainingValidity).not.toBeUndefined();
-  expect(() => {
-    const resp = client.generateSecuredApiKey({ parentApiKey: 'foo', restrictions: { validUntil: 200 } });
+  expect(async () => {
+    const resp = await client.generateSecuredApiKey({ parentApiKey: 'foo', restrictions: { validUntil: 200 } });
     client.getSecuredApiKeyRemainingValidity({ securedApiKey: resp });
   }).not.toThrow();
 });
 
+test('web crypto implementation gives the same result as node crypto', async () => {
+  const client = algoliasearch('APP_ID', 'API_KEY');
+  const nodeClient = node_algoliasearch('APP_ID', 'API_KEY');
+  const resp = await client.generateSecuredApiKey({ parentApiKey: 'foo-bar', restrictions: { validUntil: 200 } });
+  const nodeResp = await nodeClient.generateSecuredApiKey({
+    parentApiKey: 'foo-bar',
+    restrictions: { validUntil: 200 },
+  });
+
+  expect(resp).toEqual(nodeResp);
+});
+
 test('with logger', () => {
   vi.spyOn(console, 'debug');
   vi.spyOn(console, 'info');

diff --git a/packages/algoliasearch/__tests__/algoliasearch.node.test.ts b/packages/algoliasearch/__tests__/algoliasearch.node.test.ts
@@ -18,8 +18,8 @@ test('forwards node search helpers', () => {
   const client = algoliasearch('APP_ID', 'API_KEY');
   expect(client.generateSecuredApiKey).not.toBeUndefined();
   expect(client.getSecuredApiKeyRemainingValidity).not.toBeUndefined();
-  expect(() => {
-    const resp = client.generateSecuredApiKey({ parentApiKey: 'foo', restrictions: { validUntil: 200 } });
+  expect(async () => {
+    const resp = await client.generateSecuredApiKey({ parentApiKey: 'foo', restrictions: { validUntil: 200 } });
     client.getSecuredApiKeyRemainingValidity({ securedApiKey: resp });
   }).not.toThrow();
 });

diff --git a/packages/client-search/builds/fetch.ts b/packages/client-search/builds/fetch.ts
@@ -19,7 +19,26 @@ import type {
   SearchClientNodeHelpers,
 } from '../model';
 
-import { createHmac } from 'node:crypto';
+async function getCryptoKey(secret: string): Promise<CryptoKey> {
+  const secretBuf = new TextEncoder().encode(secret);
+  return await crypto.subtle.importKey('raw', secretBuf, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+}
+
+async function generateHmacHex(cryptoKey: CryptoKey, queryParameters: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const queryParametersUint8Array = encoder.encode(queryParameters);
+  const signature = await crypto.subtle.sign('HMAC', cryptoKey, queryParametersUint8Array);
+  return Array.from(new Uint8Array(signature))
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('');
+}
+
+async function generateBase64Hmac(parentApiKey: string, queryParameters: string): Promise<string> {
+  const crypotKey = await getCryptoKey(parentApiKey);
+  const hmacHex = await generateHmacHex(crypotKey, queryParameters);
+  const combined = hmacHex + queryParameters;
+  return btoa(combined);
+}
 
 export function searchClient(appId: string, apiKey: string, options?: ClientOptions): SearchClient {
   if (!appId || typeof appId !== 'string') {
@@ -55,7 +74,10 @@ export function searchClient(appId: string, apiKey: string, options?: ClientOpti
      * @param generateSecuredApiKey.parentApiKey - The base API key from which to generate the new secured one.
      * @param generateSecuredApiKey.restrictions - A set of properties defining the restrictions of the secured API key.
      */
-    generateSecuredApiKey: ({ parentApiKey, restrictions = {} }: GenerateSecuredApiKeyOptions): string => {
+    generateSecuredApiKey: async ({
+      parentApiKey,
+      restrictions = {},
+    }: GenerateSecuredApiKeyOptions): Promise<string> => {
       let mergedRestrictions = restrictions;
       if (restrictions.searchParams) {
         // merge searchParams with the root restrictions
@@ -78,9 +100,7 @@ export function searchClient(appId: string, apiKey: string, options?: ClientOpti
         );
 
       const queryParameters = serializeQueryParameters(mergedRestrictions);
-      return Buffer.from(
-        createHmac('sha256', parentApiKey).update(queryParameters).digest('hex') + queryParameters,
-      ).toString('base64');
+      return generateBase64Hmac(parentApiKey, queryParameters);
     },
 
     /**
@@ -91,7 +111,7 @@ export function searchClient(appId: string, apiKey: string, options?: ClientOpti
      * @param getSecuredApiKeyRemainingValidity.securedApiKey - The secured API key generated with the `generateSecuredApiKey` method.
      */
     getSecuredApiKeyRemainingValidity: ({ securedApiKey }: GetSecuredApiKeyRemainingValidityOptions): number => {
-      const decodedString = Buffer.from(securedApiKey, 'base64').toString('ascii');
+      const decodedString = atob(securedApiKey);
       const regex = /validUntil=(\d+)/;
       const match = decodedString.match(regex);
 

diff --git a/packages/client-search/builds/node.ts b/packages/client-search/builds/node.ts
@@ -56,7 +56,10 @@ export function searchClient(appId: string, apiKey: string, options?: ClientOpti
      * @param generateSecuredApiKey.parentApiKey - The base API key from which to generate the new secured one.
      * @param generateSecuredApiKey.restrictions - A set of properties defining the restrictions of the secured API key.
      */
-    generateSecuredApiKey: ({ parentApiKey, restrictions = {} }: GenerateSecuredApiKeyOptions): string => {
+    generateSecuredApiKey: async ({
+      parentApiKey,
+      restrictions = {},
+    }: GenerateSecuredApiKeyOptions): Promise<string> => {
       let mergedRestrictions = restrictions;
       if (restrictions.searchParams) {
         // merge searchParams with the root restrictions

diff --git a/packages/client-search/model/clientMethodProps.ts b/packages/client-search/model/clientMethodProps.ts
@@ -820,7 +820,7 @@ export type GetSecuredApiKeyRemainingValidityOptions = {
 };
 
 export type SearchClientNodeHelpers = {
-  generateSecuredApiKey: (opts: GenerateSecuredApiKeyOptions) => string;
+  generateSecuredApiKey: (opts: GenerateSecuredApiKeyOptions) => Promise<string>;
   getSecuredApiKeyRemainingValidity: (opts: GetSecuredApiKeyRemainingValidityOptions) => number;
 };