not biggest deal in the world, but would nice to have the browser tests running on CI again

We currently initialize all workers whenever any workers are needed.

Conflux uses a ponyfill for Safari transform streams. Is this an applicable solution for Penumbra .encrypt?

@eligrey could you please run some tests on the dev or prod environment to verify that penumbra is working in the following browsers:

• safari
• firefox
• brave

would also be great to have some tests back online for this.

Right now we're skipping the authtag verification step, which is a tiny security flaw, because it doesn't verify the signature (see step 3 below), meaning Transcend could tamper with the encrypted bytes passed through (which, worst case, just breaks the file).

All we need to do is:

1. set the authtag on the decipher object. This is done.
2. decrypt all the data This is done.
3. then verify the signature with decipher.final. This has to happen after decryption. I think new TransformStream takes a close argument where this may be possible.

This is good to do, because...

• in the future we might add AAD like the User ID to federate files with coreIdentifiers.
• people using this package for data that has more serious implications of tampering (i.e. where they're somehow vulnerable to a chosen ciphertext attack)

Would be nice to outline at high level what project does. Maybe outline of default cryptography operations

iz very sad

We should try to Webpack the Penumbra Worker threads. I'll close this issue once my 3.0 API PR lands.

We should upgrade to Snowpack + Webpack 5 and distribute builds as ECMAScript modules. This may enable us to reference Web Worker URLs without having to inline workers into Blob URIs.

Webpack 5 adds support for this native Worker loader syntax:

new Worker(new URL("./worker.js", import.meta.url))

We should standardize a way to declare worker script locations. We will have three worker scripts: one for decryption (implementing penumbra methods), one for zipping (through conflux), and one for streamsaver.

We have a few possible options:

1. Require that ./penumbra-decrypt.worker.js and ./penumbra-zip.worker.js are present wherever Penumbra is used. (we're going to do this by default if no configuration is set)
2. Allow Penumbra consumers to configure worker script locations through Penumbra API (e.g. Penumbra.setWorkerLocation('/worker-scripts/'))
3. Allow configuration through script element (e.g. <script src="penumbra.js" data-worker-dir="/worker-scripts/"/> or maybe <script src="penumbra.js" data-workers='{"decrypt":"https://example.com/decryption.worker.js","zip":"/worker-scripts/zip.worker.js"}"/>)
4. Hardcode decryption and zipping worker locations and host them ourselves.
5. Allow configuration through <link rel="penumbra" data-config="..."> (placed before the Penumbra script element)

I installed the npm package and after calling any function from penumbra I got the error is Uncaught (in promise) TypeError: _transcend_io_penumbra__WEBPACK_IMPORTED_MODULE_2___default.a.saveZip is not a function, I tried to copy penumbra files from it's build folder to my project's build folder as the developers wrote in the manual, but still no luck. I am sorry for this "issue", because it should not be the issue, it is mostly my misunderstanding of the propper way I should use the package, but how can I make it work?
My webpack.conf.js

const path = require("path");
const CopyPlugin = require("copy-webpack-plugin");
const fs = require("fs");
const PENUMBRA_DIRECTORY = path.join(__dirname, "node_modules", "@transcend-io/penumbra", "build");
module.exports = {
    plugins: [
        new CopyPlugin({
            patterns: fs
                .readdirSync(PENUMBRA_DIRECTORY)
                .filter((fil) => fil.indexOf(".") > 0)
                .map((fil) => ({
                    from: `${PENUMBRA_DIRECTORY}/${fil}`,
                    to: `${"dist"}/${fil}`,
                })),
        }),
    ],
    entry: ["babel-polyfill", "./app/app.jsx"],
    mode: "development",
    output: {
        filename: "./main.js",
    },
    devServer: {
        contentBase: path.join(__dirname, "dist"),
        compress: true,
        port: 4000,
        watchContentBase: true,
        progress: true,
    },
    module: {
        rules: [
            {
                test: /\.m?js$/,
                exclude: /(node_modules|bower_components)/,
                use: {
                    loader: "babel-loader",
                },
            },
            {
                test: /\.css$/,
                loader: "style-loader!css-loader",
            },
            {
                test: /\.(png|svg|jpg|gif)$/,
                use: ["file-loader"],
            },
            { test: /\.jsx?$/, exclude: /(node_modules|bower_components)/, loader: "babel-loader" },
            {
                test: /\.txt$/,
                use: "raw-loader",
            },
        ],
    },
};

package.json

{
  "name": "reactapp",
  "version": "1.0.0",
  "description": "React app",
  "main": "./app/app.js",
  "scripts": {
    "dev": "webpack-dev-server",
    "start": "webpack"
  },
  "author": "Me",
  "license": "ISC",
  "devDependencies": {
    "@babel/core": "^7.8.4",
    "@babel/preset-env": "^7.8.4",
    "@babel/preset-react": "^7.8.3",
    "babel-core": "^6.26.3",
    "babel-loader": "^8.0.6",
    "babel-polyfill": "^6.26.0",
    "babel-preset-es2015": "^6.24.1",
    "babel-preset-stage-0": "^6.24.1",
    "css-loader": "^3.4.2",
    "raw-loader": "^4.0.0",
    "style-loader": "^1.1.3",
    "webpack": "^4.46.0",
    "webpack-cli": "^3.3.11",
    "webpack-dev-server": "^3.11.2"
  },
  "dependencies": {
    "@babel/plugin-proposal-class-properties": "^7.13.0",
    "@transcend-io/penumbra": "^5.0.4",
    "bootstrap": "^4.4.1",
    "copy-webpack-plugin": "^6.2.1",
    "fs": "0.0.1-security",
    "react": "^16.12.0",
    "react-dom": "^16.12.0",
    "react-dropzone": "^10.2.1",
    "socket.io-client": "^3.1.2"
  },
  "babel": {
    "presets": [
      "@babel/env",
      "@babel/react"
    ],
    "plugins": [
      [
        "@babel/plugin-proposal-class-properties",
        {
          "loose": true
        }
      ]
    ]
  }
}

app.jsx

import React, { Component } from "react";
import ReactDOM from "react-dom";
import ItemsList from "./components/ItemsList.jsx";
const propsValues = {
    title: "Menu",
    items: ["Samsung Galaxy Note20", "Apple iPhone 12 Pro", "Google Pixel 5", "Huawei P40 Pro", "OnePlus 8 Pro", "Asus Zenfone 7 Pro"],
};
ReactDOM.render(<ItemsList data={propsValues} />, document.querySelector("#root"));

ItemsList.jsx

import React, { Component } from "react";
import SearchPlugin from "./SearchPlugin.jsx";
import penumbra from "@transcend-io/penumbra";
class ItemsList extends React.Component {
    constructor(props) {
        super(props);
        this.state = { items: this.props.data.items };

        this.filterList = this.filterList.bind(this);
    }
    async componentDidMount() {
        const cacheBuster = Math.random().toString(10).slice(2);
        const files = [
            {
                url: "https://s3-us-west-2.amazonaws.com/bencmbrook/tortoise.jpg.enc",
                name: "tortoise.jpg",
                mimetype: "image/jpeg",
                decryptionOptions: {
                    key: "vScyqmJKqGl73mJkuwm/zPBQk0wct9eQ5wPE8laGcWM=",
                    iv: "6lNU+2vxJw6SFgse",
                    authTag: "ELry8dZ3djg8BRB+7TyXZA==",
                },
            },
        ];
        const writer = penumbra.saveZip();
        await writer.write(...(await penumbra.get(...files)));
        await writer.close();
    }
    filterList(text) {
        var filteredList = this.props.data.items.filter(function (item) {
            return item.toLowerCase().search(text.toLowerCase()) !== -1;
        });
        this.setState({ items: filteredList });
    }

    render() {
        return (
            <div>
                <h2>{this.props.data.title}</h2>
                <SearchPlugin filter={this.filterList} />
                <ul>
                    {this.state.items.map(function (item) {
                        return <li key={item}>{item}</li>;
                    })}
                </ul>
            </div>
        );
    }
}

export default ItemsList;

https://github.com/transcend-io/conflux

Needs at least a writablestream polyfill

Should we use the same test stack as Conflux?
transcend-io/conflux#19

It would be cool if visitors to Privacy Centers with previous access requests can continue viewing their export, even after it's gone from our systems.

IndexedDB allows for Blob storage. Could be interesting.

(A) Is this a worthwhile feature?
(B) Does it belong here or in the Privacy Center code?

is getTextOrURI supposed to be a Promise<>[] not Promise<[]> —- this through me off during implementation

We should update our karma tests to use Safari 14 once supported by BrowserStack

I think there's something wrong with the build or the instructions (maybe a dependency?). I tried to use this, but no matter what I tried I got the above error. Even just doing import { penumbra } from '@transcend-io/penumbra'; in a webpack/React app or adding the pre-built build/penumbra.js to an HTML page a results in the error.

Penumbra should offer an option to use multiple job execution threads/workers for improved performance.

This will require a major refactor touching streaming, error handling, and a new job API model. Fixing this could unburden much of penumbra's tech debt.

• Use an adaptive worker pool
• Improve job API model

Penumbra should have an option for configuring the streamsaver HTML endpoint. This should improve security by allowing library users to self-host the endpoint instead of having to rely on our hardcoded endpoint.

About 1/5th of the time Chrome doesn't run any Penumbra tests and the CI needs to be re-triggered to pass.

I'm not sure if there is anything that we can do to improve this on our end.

Couple of things to fix:

• Error indicators on README need to be fixed
• Issues could be cleaned up a tiny bit

We should benchmark the time it takes to decrypt and download encrypted files. We still need to decide on a benchmarking framework.

Some unsolicited testing: I was waiting for a call and had a few min so checked out the latest on Transcend and saw this new repo, so I gave it a try.

Downloading the patreon video crashed intermittently in Firefox. I couldn't capture a crash, but here's the performance profile and a screenshot. Are web workers being used in the demo?

profile.json.zip

Maintenance for this open-source library.

Same logic for fetch to src or string for non-encrypted files may be useful as the helper functions can be shared

The solution is to add initialized = false to the end of cleanup() in src/workers.ts. This will be fixed in my conflux integration branch.

In order to reduce the worker script bundle size, we should look into porting our Node crypto usage to WebCrypto. This is a low priority task.

Right now Penumbra bundles StreamSaver.js and implements a download function and a display function.

Should Penumbra be just about returning a ReadableStream of deciphered data? After all, these ReadableStreams are what we'd want to use as input to conflux..

fetchAndDecipher is the bread and butter of Penumbra. The repo description is "Fetch and decrypt files in the browser" - that's this function.

downloadEncryptedFile and getDecryptedContent (and their helpers) are just use cases that extend fetchAndDecipher to download the file or display it in the DOM

Perhaps we break out these specific use-cases into another file?

https://github.com/openpgpjs/openpgpjs#browser

looks like you can use threads and streams?

We should add basic tests in penumbra and also consider integrating with heavier browser-based frameworks (like cypress) in the long-run.

@eligrey

This should play nicely with React. The only issue I can think of is the memory leak, which can be solved by returning a cleanup function that can be called when you are done with your connections:

    const preconnect_cleanup = preconnect(origin);
    await makeRequestsToOrigin(...);
    preconnect_cleanup();

Originally posted by @eligrey in #20

@bencmbrook:

We might want to do that by default upon completion of a download. After a URL has been downloaded, call

cleanupHint(href)

It wouldn't account for fetching multiple times (would anyone want to?), but we could have an override option on the RemoteResource object, or just be opinionated about it (personally, idc)

We should inline our worker script so that the entry bundle can instantiate penumbra workers without any external URL references.

We can do this by adding a build step to compile the worker script and expose this through process.env (or similar) for embedding by Webpack. This embedded minified worker script could be allocated to a Blob URI at runtime and used for worker instantiation.

Lets users play videos and other media before it's fully decrypted :)

https://developer.mozilla.org/en-US/docs/Web/API/MediaStream

E.g. this https://github.com/CookPete/react-player takes a MediaStream as input

• This likely implies that Penumbra is broken for all of 2.x -- premature merge of #20?

• Build dir now looks like this which won't in browsers (it's probably fine for Transcend since we use Webpack to recompile it anyway)
  

I'd actually prefer to receive an array of promises, rather than a promise of an array. This allows us to display files as they're ready. The user can always call Promise.all if they want them all at once.

Current return:
Promise<PenumbraTextOrURI[]>

Proposed:
Promise<PenumbraTextOrURI>[]

This is as simple as returning the array rather than the Promise.all here

Note the demo is able to do this because I worked around it by calling getTextOrURI many times with arr length of 1

Currently defaults to development-style bundles: https://github.com/transcend-io/penumbra/blob/master/webpack.config.js

Should read NODE_ENV

penumbra.saveZip() is currently unimplemented. Our goal is to implement this using Conflux. After this is implemented, penumbra.save() can auto-zip when there are multiple files to save.

Related Issues

• https://github.com/transcend-io/main/issues/3581

Can we write decrypted streams to IndexedDB? This can be a nice way of implementing "prefetch". Files that aren't yet needed can be fetched, decrypted, put into IndexedDB, then pulled out when needed (e.g. when arriving at that page).

Similar to penumbra.zip, penumbra.encrypt and penumbra.decrypt should take an optional AbortController signal so that individual long-running jobs can be cancelled.

We could add an optional resources field onto ZipOptions consisting of uninitialized RemoteResource descriptors. A Service Worker could handle downloading these resources with Background Fetch which enables us to create rich download UIs and persistent downloads that continue when the tab is closed.

Rich download UI example screenshot:

Background Fetch example (from https://developers.google.com/web/updates/2018/12/background-fetch)

navigator.serviceWorker.ready.then(async (swReg) => {
  const bgFetch = await swReg.backgroundFetch.fetch('my-fetch', ['/ep-5.mp3', 'ep-5-artwork.jpg'], {
    title: 'Episode 5: Interesting things.',
    icons: [{
      sizes: '300x300',
      src: '/ep-5-icon.png',
      type: 'image/png',
    }],
    downloadTotal: 60 * 1024 * 1024,
  });
});

Limitations

This feature might not be compatible with use cases that involve an unknown amount of async paginated resources.

The new API will incorporate file zipping and saving now, since we’re building everything to be streamable and all performed inside a Service Worker.

Maybe it's a chainable thing?

fetchManyAndDecrypt(resources).save()
fetchManyAndDecrypt(resources).getTextOrURI()
fetchAndDecrypt(resource).save()
fetchAndDecrypt(resource).getTextOrURI()

@giacaglia @eligrey

Fetching, decrypting, zipping, and saving will start to get really slow when we start incorporating large files.

This is because (A) Safari doesn't support WriteStreams and (B) JSZip reads files into a Blob (i.e. fully into memory) rather than a stream.

I'm working on a streaming zip alternative based on this issue (which might encourage the community to build a library we're building an open source package with Jimmy Warting). I'm also working on bundling a service worker option into Penumbra, but it should be done on privacy-page so the .zip bundling is done on the SW as well.

While these are good speedups, a simpler solution is to offload this processing to a Service Worker so it doesn't block the DOM thread.

The service worker should do everything until the final output - so it fetches, decrypts, zips, and then sends the final output to the DOM thread for use (often a stream of data - e.g. the final zip - or otherwise an output, like a string of decrypted text, or the src of an object URI for media).

This was done successfully with Penumbra here using Comlink:

• penumbra/example/decryption.worker.js

  Lines 1 to 20 in c9a5feb

  	import { getDecryptedContent, downloadEncryptedFile } from '../dist/index';
  	import * as Comlink from 'comlink';
  	const myValue = 43;
  	class PenumbraSW {
  	getDecryptedContent(...args) {
  	return getDecryptedContent(...args);
  	}
  	downloadEncryptedFile(...args) {
  	return downloadEncryptedFile(...args);
  	}
  	logSomething() {
  	console.log(`my value = ${myValue}`);
  	}
  	}
  	Comlink.expose(PenumbraSW);

• penumbra/example/example.js

  Lines 19 to 23 in c9a5feb

  	const Penumbra = USE_SERVICE_WORKER
  	? // Offload penumbra processing to service worker
  	Comlink.wrap(
  	new Worker('./decryption.worker.js', { type: 'module' })
  	)

• penumbra/example/example.js

  Lines 61 to 63 in c9a5feb

  	new Penumbra()
  	.then(instance => instance.getDecryptedContent(url, file.key, file.iv, file.authTag, file.mime))
  	.then(url => (image.src = url));

• penumbra/example/webpack.config.js

  Lines 21 to 25 in c9a5feb

  	plugins: [
  	new WorkerPlugin({
  	globalObject: false
  	})
  	],

Opening Penumbra worker JS files sometimes crashes VS Code TypeScript integration. To fix this, we should port all JS to TS.

These ordered arguments that are getting too long. Time for an options object.

This is a placeholder issue. It corresponds to this work: #124

When you look at our demo website, notice how much faster the 'explosions' are when you click immediately after load with Penumbra versus immediately after load with Web Crypto.

Should document that this is built for AES 256 in the GCM mode of operation. Can also consider taking algorithm as a parameter to Penumbra.

since penumbra requires some webpack config, would be nice to bundle this as a small plugin with penumbra so anyone can just import the config and have penumbra working

Just wondering, are there plans to support encrypt on Safari? What's missing about it?

Also, what's the role of authTag? Which algorithms are used for encryption/decryption? It would be great to have some docs about all that. Given the lack of encryption support on Safari, I was thinking about encrypting server side (e.g., with AES CTR + IV + Key derived from PBKDF2), but I can't seem to find a way to decrypt a file encrypted like that.