refactor: use private instance fields where possible

Author: panva

lib/errors.js

@@ -35,18 +35,19 @@ class JOSEError extends Error {
 }
 
 const isMulti = e => e instanceof JOSEMultiError
-const ERRORS = Symbol('ERRORS')
 class JOSEMultiError extends JOSEError {
+  #errors
+
   constructor (errors) {
     super()
     let i
     while ((i = errors.findIndex(isMulti)) && i !== -1) {
       errors.splice(i, 1, ...errors[i])
     }
-    this[ERRORS] = errors
+    this.#errors = errors
   }
   * [Symbol.iterator] () {
-    for (const error of this[ERRORS]) {
+    for (const error of this.#errors) {
       yield error
     }
   }

lib/jwe/encrypt.js

@@ -15,15 +15,16 @@ const serializers = require('./serializers')
 const generateCEK = require('./generate_cek')
 const validateHeaders = require('./validate_headers')
 
-const AAD = Symbol('AAD')
-const CEK = Symbol('CEK')
-const CLEARTEXT = Symbol('CLEARTEXT')
 const PROCESS_RECIPIENT = Symbol('PROCESS_RECIPIENT')
-const PROTECTED = Symbol('PROTECTED')
-const RECIPIENTS = Symbol('RECIPIENTS')
-const UNPROTECTED = Symbol('UNPROTECTED')
 
 class Encrypt {
+  #aad
+  #cek
+  #unprotected
+  #protected
+  #cleartext
+  #recipients
+
   constructor (cleartext, protectedHeader, unprotectedHeader, aad) {
     if (!Buffer.isBuffer(cleartext) && typeof cleartext !== 'string') {
       throw new TypeError('cleartext argument must be a Buffer or a string')
@@ -43,13 +44,11 @@ class Encrypt {
       throw new TypeError('unprotectedHeader argument must be a plain object when provided')
     }
 
-    Object.assign(this, {
-      [CLEARTEXT]: cleartext,
-      [RECIPIENTS]: [],
-      [PROTECTED]: protectedHeader ? deepClone(protectedHeader) : undefined,
-      [UNPROTECTED]: unprotectedHeader ? deepClone(unprotectedHeader) : undefined,
-      [AAD]: aad
-    })
+    this.#recipients = []
+    this.#cleartext = cleartext
+    this.#aad = aad
+    this.#unprotected = unprotectedHeader ? deepClone(unprotectedHeader) : undefined
+    this.#protected = protectedHeader ? deepClone(protectedHeader) : undefined
   }
 
   /*
@@ -64,7 +63,7 @@ class Encrypt {
       throw new TypeError('header argument must be a plain object when provided')
     }
 
-    this[RECIPIENTS].push({
+    this.#recipients.push({
       key,
       header: header ? deepClone(header) : undefined
     })
@@ -76,7 +75,9 @@ class Encrypt {
    * @private
    */
   [PROCESS_RECIPIENT] (recipient) {
-    const { [PROTECTED]: protectedHeader, [UNPROTECTED]: unprotectedHeader, [RECIPIENTS]: { length: recipientCount } } = this
+    const unprotectedHeader = this.#unprotected
+    const protectedHeader = this.#protected
+    const { length: recipientCount } = this.#recipients
 
     const jweHeader = {
       ...protectedHeader,
@@ -107,7 +108,7 @@ class Encrypt {
         if (protectedHeader) {
           protectedHeader.alg = alg
         } else {
-          this[PROTECTED] = { alg }
+          this.#protected = { alg }
         }
       } else {
         if (recipient.header) {
@@ -122,11 +123,11 @@ class Encrypt {
     let generatedHeader
 
     if (key.kty === 'oct' && alg === 'dir') {
-      this[CEK] = importKey(key[KEYOBJECT], { use: 'enc', alg: enc })
+      this.#cek = importKey(key[KEYOBJECT], { use: 'enc', alg: enc })
     } else {
-      ({ wrapped, header: generatedHeader } = wrapKey(alg, key, this[CEK][KEYOBJECT].export(), { enc, alg }))
+      ({ wrapped, header: generatedHeader } = wrapKey(alg, key, this.#cek[KEYOBJECT].export(), { enc, alg }))
       if (alg === 'ECDH-ES') {
-        this[CEK] = importKey(createSecretKey(wrapped), { use: 'enc', alg: enc })
+        this.#cek = importKey(createSecretKey(wrapped), { use: 'enc', alg: enc })
       }
     }
 
@@ -150,58 +151,58 @@ class Encrypt {
       throw new TypeError('serialization must be one of "compact", "flattened", "general"')
     }
 
-    if (!this[RECIPIENTS].length) {
+    if (!this.#recipients.length) {
       throw new JWEInvalid('missing recipients')
     }
 
-    serializer.validate(this[PROTECTED], this[UNPROTECTED], this[AAD], this[RECIPIENTS])
+    serializer.validate(this.#protected, this.#unprotected, this.#aad, this.#recipients)
 
-    let enc = validateHeaders(this[PROTECTED], this[UNPROTECTED], this[RECIPIENTS], false, this[PROTECTED] ? this[PROTECTED].crit : undefined)
+    let enc = validateHeaders(this.#protected, this.#unprotected, this.#recipients, false, this.#protected ? this.#protected.crit : undefined)
     if (!enc) {
       enc = 'A128CBC-HS256'
-      if (this[PROTECTED]) {
-        this[PROTECTED].enc = enc
+      if (this.#protected) {
+        this.#protected.enc = enc
       } else {
-        this[PROTECTED] = { enc }
+        this.#protected = { enc }
       }
     }
     const final = {}
-    this[CEK] = generateCEK(enc)
+    this.#cek = generateCEK(enc)
 
-    this[RECIPIENTS].forEach(this[PROCESS_RECIPIENT].bind(this))
+    this.#recipients.forEach(this[PROCESS_RECIPIENT].bind(this))
 
     const iv = generateIV(enc)
     final.iv = base64url.encodeBuffer(iv)
 
-    if (this[RECIPIENTS].length === 1 && this[RECIPIENTS][0].generatedHeader) {
-      const [{ generatedHeader }] = this[RECIPIENTS]
-      delete this[RECIPIENTS][0].generatedHeader
-      this[PROTECTED] = Object.assign({}, this[PROTECTED], generatedHeader)
+    if (this.#recipients.length === 1 && this.#recipients[0].generatedHeader) {
+      const [{ generatedHeader }] = this.#recipients
+      delete this.#recipients[0].generatedHeader
+      this.#protected = Object.assign({}, this.#protected, generatedHeader)
     }
 
-    if (this[PROTECTED]) {
-      final.protected = base64url.JSON.encode(this[PROTECTED])
+    if (this.#protected) {
+      final.protected = base64url.JSON.encode(this.#protected)
     }
-    final.unprotected = this[UNPROTECTED]
+    final.unprotected = this.#unprotected
 
     let aad
-    if (this[AAD]) {
-      final.aad = base64url.encode(this[AAD])
+    if (this.#aad) {
+      final.aad = base64url.encode(this.#aad)
       aad = Buffer.concat([Buffer.from(final.protected || ''), Buffer.from('.'), Buffer.from(final.aad)])
     } else {
       aad = Buffer.from(final.protected || '')
     }
 
-    let cleartext = this[CLEARTEXT]
-    if (this[PROTECTED] && 'zip' in this[PROTECTED]) {
+    let cleartext = this.#cleartext
+    if (this.#protected && 'zip' in this.#protected) {
       cleartext = deflateRawSync(cleartext)
     }
 
-    const { ciphertext, tag } = encrypt(enc, this[CEK], cleartext, { iv, aad })
+    const { ciphertext, tag } = encrypt(enc, this.#cek, cleartext, { iv, aad })
     final.tag = base64url.encodeBuffer(tag)
     final.ciphertext = base64url.encodeBuffer(ciphertext)
 
-    return serializer(final, this[RECIPIENTS])
+    return serializer(final, this.#recipients)
   }
 }
 

lib/jwks/keystore.js

@@ -3,8 +3,6 @@ const { generate, generateSync } = require('../jwk/generate')
 const Key = require('../jwk/key/base')
 const importKey = require('../jwk/import')
 
-const KEYS = Symbol('keys')
-
 const keyscore = (key, { alg, kid, use }) => {
   let score = 0
 
@@ -24,6 +22,8 @@ const keyscore = (key, { alg, kid, use }) => {
 }
 
 class KeyStore {
+  #keys
+
   constructor (...keys) {
     while (keys.some(Array.isArray)) {
       keys = keys.flat()
@@ -32,7 +32,7 @@ class KeyStore {
       throw new TypeError('all keys must be an instances of a key instantiated by JWK.importKey')
     }
 
-    Object.defineProperty(this, KEYS, { value: new Set(keys) })
+    this.#keys = new Set(keys);
   }
 
   static fromJWKS (jwks) {
@@ -46,7 +46,7 @@ class KeyStore {
   }
 
   all ({ alg, kid, use, kty, operation } = {}) {
-    return [...this[KEYS]]
+    return [...this.#keys]
       .filter((key) => {
         let candidate = true
 
@@ -80,31 +80,31 @@ class KeyStore {
       throw new TypeError('key must be an instance of a key instantiated by JWK.importKey')
     }
 
-    this[KEYS].add(key)
+    this.#keys.add(key)
   }
 
   remove (key) {
     if (!(key instanceof Key)) {
       throw new TypeError('key must be an instance of a key instantiated by JWK.importKey')
     }
 
-    this[KEYS].delete(key)
+    this.#keys.delete(key)
   }
 
   toJWKS (priv = false) {
-    return { keys: [...this[KEYS].values()].map(key => key.toJWK(priv)) }
+    return { keys: [...this.#keys.values()].map(key => key.toJWK(priv)) }
   }
 
   async generate (...args) {
-    this[KEYS].add(await generate(...args))
+    this.#keys.add(await generate(...args))
   }
 
   generateSync (...args) {
-    this[KEYS].add(generateSync(...args))
+    this.#keys.add(generateSync(...args))
   }
 
   get size () {
-    return this[KEYS].size
+    return this.#keys.size
   }
 }
 

lib/jws/sign.js

@@ -8,12 +8,13 @@ const { check, sign } = require('../jwa')
 
 const serializers = require('./serializers')
 
-const RECIPIENTS = Symbol('RECIPIENTS')
-const PAYLOAD = Symbol('PAYLOAD')
 const PROCESS_RECIPIENT = Symbol('PROCESS_RECIPIENT')
-const B64 = Symbol('b64')
 
 class Sign {
+  #b64
+  #payload
+  #recipients
+
   constructor (payload) {
     if (typeof payload === 'string') {
       payload = base64url.encode(payload)
@@ -25,10 +26,8 @@ class Sign {
       throw new TypeError('payload argument must be a Buffer, string or an object')
     }
 
-    Object.assign(this, {
-      [PAYLOAD]: payload,
-      [RECIPIENTS]: []
-    })
+    this.#payload = payload
+    this.#recipients = []
   }
 
   /*
@@ -51,7 +50,7 @@ class Sign {
       throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint')
     }
 
-    this[RECIPIENTS].push({
+    this.#recipients.push({
       key,
       protectedHeader: protectedHeader ? deepClone(protectedHeader) : undefined,
       unprotectedHeader: unprotectedHeader ? deepClone(unprotectedHeader) : undefined
@@ -89,19 +88,19 @@ class Sign {
     }
 
     if (joseHeader.protected.crit && joseHeader.protected.crit.includes('b64')) {
-      if (B64 in this && this[B64] !== joseHeader.protected.b64) {
+      if (this.#b64 !== undefined && this.#b64 !== joseHeader.protected.b64) {
         throw new JWSInvalid('the "b64" Header Parameter value MUST be the same for all recipients')
       } else {
-        this[B64] = joseHeader.protected.b64
+        this.#b64 = joseHeader.protected.b64
       }
       if (!joseHeader.protected.b64) {
-        this[PAYLOAD] = base64url.decode(this[PAYLOAD])
+        this.#payload = base64url.decode(this.#payload)
       }
     }
 
     recipient.header = unprotectedHeader
     recipient.protected = Object.keys(joseHeader.protected).length ? base64url.JSON.encode(joseHeader.protected) : ''
-    recipient.signature = base64url.encodeBuffer(sign(alg, key, Buffer.from(`${recipient.protected}.${this[PAYLOAD]}`)))
+    recipient.signature = base64url.encodeBuffer(sign(alg, key, Buffer.from(`${recipient.protected}.${this.#payload}`)))
   }
 
   /*
@@ -113,15 +112,15 @@ class Sign {
       throw new TypeError('serialization must be one of "compact", "flattened", "general"')
     }
 
-    if (!this[RECIPIENTS].length) {
+    if (!this.#recipients.length) {
       throw new JWSInvalid('missing recipients')
     }
 
-    serializer.validate(this, this[RECIPIENTS])
+    serializer.validate(this, this.#recipients)
 
-    this[RECIPIENTS].forEach(this[PROCESS_RECIPIENT].bind(this))
+    this.#recipients.forEach(this[PROCESS_RECIPIENT].bind(this))
 
-    return serializer(this[PAYLOAD], this[RECIPIENTS])
+    return serializer(this.#payload, this.#recipients)
   }
 }