Hello sir,
I was using the original pagecrypt and just came across your version of pagecrypt and i must say it is worth using.Now i want to use it in my personal site but the only problem is lack of dark mode.So can you please add dark-mode to login page and all other area?

This would simplify usage and improve IDE support.

The following can be simplified, from this:

To this:

const parts = location.href.split('#')
pwd.value = parts[1]
history.replaceState(null, '', parts[0])

This works because location.href.split('#') always returns the href without the URL hash, no matter if it is present or not.

Use the code samples from upcoming blog post about pagecrypt.

This way, one could have control over how secure against bruteforce attacks the generated page is!

• Add -m, --message option to the CLI
• Add message parameter to the main encryption JS API:s

message will be a string that should be HTML-sanitized to prevent potential XSS attacks.

npx pagecrypt index.html index_encrypt.html test
file:///home/ansible/node_modules/pagecrypt/cli.js:23
var crypto = await loadCrypto();
^^^^^

SyntaxError: Unexpected reserved word
at Loader.moduleStrategy (internal/modules/esm/translators.js:133:18)
at async link (internal/modules/esm/module_job.js:42:21)
npm ERR! code 1
npm ERR! path /home/ansible/pagecrypt
npm ERR! command failed
npm ERR! command sh -c pagecrypt "index.html" "index_encrypt.html" "test"

npm ERR! A complete log of this run can be found in:
npm ERR! /home/ansible/.npm/_logs/2021-12-23T12_13_17_224Z-debug.log

This feature would simplify the implementation of #15.

Browser support is good. Furthermore, in October 2021, the upcoming Node.js 16 LTS release, means the Web Crypto API will get good support for servers too.

This is required to improve accessibility.

Another improvement that could be made along with this change would be to also set the outer document title, to show the title in the web browser tab when the page has been decrypted. This will make it easier to understand the app content.

We might no longer need the https setup since localhost URL:s are considered secure contexts for development.

I have problem on static sites of rendar using react. It shows white page ...

I got two errors on console

GET https://test.onrender.com/%PUBLIC_URL%/manifest.json 400
manifest.json:1 Manifest: Line: 1, column: 1, Syntax error.

Can you help me or Have another way?

Node version 16.19.0
script
"build": "react-scripts build && pagecrypt public/index.html build/index.html password",

Improve TypeScript definition exports based on feedback from https://publint.dev/[email protected]

Currently, the decrypt-template.html contains about 75% unused code that is shipped to production but not actually used for the simple login page.

This needs to be fixed to improve performance. The Pagecrypt decrypt-template.html wrapper should be as thin as possible.

Hello !

Thanks for that project ! (:
I use it to protect a simple static site with 2 pages. So I encrypt the 2 pages by executing pagecrypt twice with the same password. But when I browse to the pages, it asks me the password in every page.
If I understand well, it's because there is one key saved in the SessionStore, and I have two keys for the same password.

Would it be possible to either:

• Save multiple keys for same domain in session ?
• Being able in the CLI to encrypt two pages with the same key ?

Thanks for your help (:
A

First of all, thank you for this really cool package!

I have a small suggestion: The UX is slightly confusing currently in mobile phones. Once I enter the password, I usually hit "done" which closes the mobile keyboard - but doesn't submit the input. It would be really nice if you can submit the form on focusout of the input.

Better - add capability to customize the template

Up until this point, pagecrypt has used the srcdoc attribute om <iframe> elements. This has mostly worked well for simple apps and websites, but severely limited advanced apps to use pagecrypt.

By removing the <iframe> and also stop using the srcdoc attribute, we could bypass these restrictions.

This would enable apps to use the full web platform instead of just using a small subset, which in turn would would make pagecrypt more valuable. For example, this would enable developers to deploy SPA:s with routing and similar features currently not supported in the <iframe> when using srcdoc.

Need to investigate potential solutions further, but here are some initial ideas:

• document.write() (might have issues with injecting script)
• explore iframe sandbox properties to allow other features. allow-same-origin combined with allow-scripts are worth trying.
• Explore ways to make the iframe part of the parent document
• Explore other ways to remove the original page and completely rewrite it.
• the DOMParser API looks promising to parse an entire document and replace with inline scripts. Need to test for advanced features though.

How it should work:

On DOMContentLoaded:

if sessionStorage.key:
  try decrypting (call decrypt as if the user had submitted the form immediately on pageload)
  if successful:
    show result
  else
    show regular password prompt like nothing happened

After successful decryption:

sessionStorage.key = key

then continue loading payload like normal

One issue is that the decrypt template is rendering in a weird way when loading the encrypted page. Seems like one of the SVGs is off, and might need styling in a way that doesn't cause the rendering glitch. This needs to be fixed before we can make a new release.

With a closer look, it seems like Vite is trying to move the inlined CSS and JS out into separate modules at dev or build time. That could be causing the CSS to show up later and thus causing the rendering issue. We need to check if this behavior can be disabled for the vite dev server or vite build.

While we're at it, it would be good to update dependencies too.

I would suggest to try to make it so, that this tool is referenced on the original repo of Max Laumeister.
I've actually "ported" Max's tool to nodejs, and wanted to contribute it back to his repo and publish the package to npm, and then only I noticed that the name was already taken. That's how I found out about your (way) more elaborate nodejs implementation of this tool.
This would also gain this tool some visibility!

Also update the attribution link to link to the public webpage instead of the GitHub repo.

Some ideas / potential solutions to test:
1. Use external <script> that can be async or defered. Won't work since it will break the single input HTML -> single output HTML which is a main feature of pagecrypt.
2. Inline payload as a<p class="hidden"> instead of as a <script> (to prevent the script from blocking render). Then load the data on the DOMContentLoaded event and start decoding the base64 data.

Since automated password generation is required in all 4 current pagecrypt use cases, it might be a good idea to add it to the core library, to reduce the need for external dependencies.

This basic password generator implements the main features of generate-password except the strict mode. However, with sufficient password length, this shouldn't be any problem.

This implementation also seems to be faster compared to generate-password, since it uses fewer operations.

const crypto = require('crypto')

function generatePassword(
    length = 40,
    characters = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
) {
    return Array.from(crypto.randomFillSync(new Uint32Array(length)))
        .map((x) => characters[x % characters.length])
        .join('')
}

console.log(generatePassword(80))

How to implement

• If included, this needs to be opt-in only.
• Default CLI + JS API:s should remain unchanged
• Maybe include options object for JS API, and a -g [length] / --generate [length] flag

Ref: render-examples/pagecrypt#1

Node version 19 was released last week, and there appears to be a difference in how the loadCrypto function is evaluated.

In Node 16, for example, this condition is not evaluated and crypto is loaded dynamically. However, in Node 19, it appears that the condition is evaluated, producing the ReferenceError: window is not defined message. I'm unsure if this is a bug in Node 19 or if it's an intentional breaking change.

This is the output when running the CLI using Node 19:

file:///Users/pagecrypt/cli.js:16
const crypto2 = window.crypto || globalThis.crypto;
                    ^
ReferenceError: window is not defined

This issue can be avoided by using another preview server.

1. Add sirv-cli as dev dependency by running npm i -D sirv-cli

2. Replace vite preview with sirv-cli in the serve npm script

// package.json

"scripts": {
    "serve": "sirv web/build --http2 --key priv.pem --cert cert.pem"
}

While the current implementation using PBKDF2 is good for the current threat model, argon2 is more resistant towards GPU brute forcing attacks. Argon2 could thus increase security of encrypted pages.

However, since my use cases are well served by PBKDF2 hashing, this is not a top priority for me at the moment. If someone wants this to be implemented, you're welcome to submit a PR and we can work from there.

One question to think about is whether we should switch to argon2 for all hashing, or allow users to choose if they want to use PBKDF2 or argon2. Perhaps we could use different decryption templates (including different scripts) for the different hashing algorithms. This would add complexity, but could be useful for users who are OK with PBKDF2 and don't need argon2.

To implement this, these libraries might be useful:

Browser: https://github.com/antelle/argon2-browser
Node.js https://github.com/ranisalt/node-argon2
Deno: Not sure, but since https://github.com/antelle/argon2-browser supports WASM, it might be able to run in Deno and similar environments.

Maybe this sounds foolish but is it possible to decrypt the page automatically if the correct password is set in URL.

e.g.

• https://example.com/?password=secret
• https://example.com/encrypted.html?pw=s3cr3t

Why replace node-forge?

• To reduce the size of decrypt-template.html. Currently it's shipping 4x the amount of code compared to cryptojs
• Although node-forge has greatly improved performance compared to cryptojs, it's still slower than native crypto API:s. Replacing node-forge would reduce browser support, but that won't be a problem since we're targeting modern browsers, which has 95% support for web crypto as of 2021-04-23

TODO:

• Show the loading spinner and hide the password input while decrypting.
• If successful, proceed to the app
• If failure, show error. Then let the user try again and show the loading spinner again.

This is wrong: https://github.com/Greenheart/pagecrypt/blob/main/src/core.ts#L93

Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Remainder

Solution:

• Update comment to use correct term, remainder operator

We need to investigate if there are any benefits to waiting 1000 ms before showing the decrypted page. For example, it might help with loading the iframe in the background, improving the perceived performance since it might have loaded in the background instead of being shown as a white page to users.

If we don't get any benetfits from the delay, removing it would improve UX.

By removing the success status message, we could also delete some parts of the decrypt template:

• success helper
• some tailwind classes won't be used anymore
• The unlocked icon won't be used anymore and can be removed
• If we don't swap between icons, the code toggling .hidden for icons could be removed too.

All in all, this would save about 4 kb from the decrypt template.

https://en.m.wikipedia.org/wiki/URI_fragment

This would allow sharing a link to an encrypted page without requiring the user to enter the password manually.

Would require a known hostname, but this would allow power users to use pagecrypt apps more easily

See updated docstring here:

It's also important to enforce the max length of the character set = 256 characters. This should likely be in the docstring too, so we could update generatePassword() too to reflect that.

test all usage alternatives:
  test CLI
  test JS `encrypt()`
  test JS `encryptHTML()`

test all options
- for CLI
- for `encrypt()`
- for `encryptHTML()`

Use regular script to generate the test payloads, and then use cypress to verify results.

First of all thanks for pagecrypt. The tool is great and I love it!

I'm writing a pretty minimal landing page for my html ebook:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <style>
      body {
        width: 100%;
        padding: 0;
        margin: 0;
      }
      .title-page {
        height: 100vh;
        display: flex;
        justify-content: center;
        align-items: center;
        flex-direction: column;
      }
      .title {
        font-size: 8em;
      }
      .title-page > .author {
        font-size: 3em;
      }
      .title-page > .date {
        font-size: 3em;
      }
    </style>
  </head>
  <body>
    <div class="title-page">
      <p class="title">$title$</p>
      <p class="author">$author$</p>
      <p class="date">$date$</p>
    </div>
    <div class="wrapper">$body$</div>
  </body>
</html>

It looks like this (on a mobile device):

After encrypting (and decrypting in the browser) the captions are way bigger:

Upon inspecting the elements the styles seem correct. I'm running the encryption with npx pagecrypt example.html example_crypt.html pass. Any idea what's causing the issue and how to circumvent it?

pagecrypt index.html encrypted.html password

🔐 Encrypting index.html → encrypted.html with 🔑: password
(node:1608) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'getRandomValues' of undefined
    at getEncryptedPayload (...*/node_modules/pagecrypt/cli.js:61:31)
    at encryptHTML (...*/node_modules/pagecrypt/cli.js:74:100)
    at encryptFile (...*/node_modules/pagecrypt/cli.js:98:16)
    at async encrypt (...*/node_modules/pagecrypt/cli.js:107:21)
    at async ...*/node_modules/pagecrypt/cli.js:129:5
(Use `node --trace-warnings ...` to show where the warning was created)
(node:1608) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)     
(node:1608) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Am I missing something?

Add option to use a custom HTML template, and use the JS decryption code together with any html template that provides the right elements like a password form.

Or export the decryption helpers and let users create custom templates with more control.

If anyone wants this feature, feel free to submit a PR implementing this! 😊

Notes from initial research:

• To allow custom HTML templates to be provided, they need to contain a few key elements used by pagecrypt (like the <pre> element for writing/reading the encrypted data), and a script tag to handle the decryption logic.
• The core decrypt library need to be updated to support custom HTML templates, as well as adding test coverage.
• Ideally, this should be possible to accomplish without breaking changes to other use cases, but we'll see.
• An interesting approach might be to move decrypt functionality to the core pagecrypt library. This could then be reusable utility functions that could be imported into custom templates as well as the official HTML template. This would need to be documented in the README to be easy to use.
• By moving the core encryption and decryption logic into the same library, we would be able to reuse the critical config and make it easier to keep them in sync.
• The core decryption functionality is really just decryptFile({ salt, iv, ciphertext }, password) which would expose a simple API. Or perhaps even better decryptFile(encryptedBase64Data, password), and letting the core decrypt function take care of base64 conversion, parsing the raw bytes, and then decrypting. This would be a nice separation between presentation and decryption logic.
• A question is what to do with magic link support (a core feature) and sessionStorage support for caching keys during the same session. Perhaps there is a way to allow users to implement these features for their custom templates in some way.
• Based on https://github.com/frehner/modern-guide-to-packaging-js-library, maybe we don't have to ship custom HTML but only custom CSS could be enough. Though it might be nice with full control of the HTML and CSS

Similar to what I've recently used in https://github.com/Greenheart/idg.tools, pnpm might help simplify the maintenance of this library.

Details:

https://stackoverflow.com/questions/18189187/stop-url-parameters-being-added-on-submit-of-form

We don't really care too much about including the password as fragment. We do however care a lot about using the fragments as they are normally used: linking to specific parts of the page. Because of the current mechanism, we no longer have the option. The fragment is getting removed from the URL.