Secure session

Author: tuhinpal

.gitignore

@@ -18,4 +18,10 @@ public/*
 !public/readme.txt
 session/assets/qr.svg
 .wwebjs_auth/*
-session.zip
+.wwebjs_auth
+session.zip
+session.txt
+session-output/*
+session-output
+session
+session.secure

README.md

@@ -9,7 +9,7 @@
 
 <p align="center">
 <a href="https://github.com/tuhinpal/WhatsBot/releases">
-    <img src="https://shields.io/badge/WHATSBOT-Version--1.6.0-red?logo=whatsapp&style=for-the-badge"
+    <img src="https://shields.io/badge/WHATSBOT-Version--3.0.0-red?logo=whatsapp&style=for-the-badge"
          alt="Version"></a><br>
    <a href="https://github.com/tuhinpal/WhatsBot/wiki">
  <img src="https://shields.io/badge/WIKI-red?style=for-the-badge" alt="Wiki"></a>
@@ -64,7 +64,7 @@
 ### Deploy :
 
 [![Deploy with Heroku](https://www.herokucdn.com/deploy/button.svg "Deploy with Heroku")](https://heroku.com/deploy?template=https://github.com/tuhinpal/WhatsBot "Deploy with Heroku")<br>
-[![Deploy on Railway](https://railway.app/button.svg)](https://railway.app/new/template?template=https%3A%2F%2Fgithub.com%2Ftuhinpal%2FWhatsBot&plugins=mongodb&envs=SESSION%2CPMPERMIT_ENABLED%2CDEFAULT_TR_LANG%2CENABLE_DELETE_ALERT%2COCR_SPACE_API_KEY&optionalEnvs=OCR_SPACE_API_KEY&SESSIONDesc=Puppeteer+Session.+Ge+it+by+running+genToken.js&PMPERMIT_ENABLEDDesc=Enable+Pmpermit+write+true+or+false+only&DEFAULT_TR_LANGDesc=Default+Translation+Language&ENABLE_DELETE_ALERTDesc=If+true+and+if+someone+delete+message+in+PM%2C+Bot+will+send+the+deleted+message+in+that+chat+%28Exclude+Media%29&OCR_SPACE_API_KEYDesc=Get+it+from+https%3A%2F%2Focr.space%2FOCRAPI&PMPERMIT_ENABLEDDefault=true&DEFAULT_TR_LANGDefault=en&referralCode=tuhin)
+[![Deploy on Railway](https://railway.app/button.svg)](https://railway.app/new/template/RTyLts?referralCode=tuhin)
 
 ### Commands :
 

app.json

@@ -6,6 +6,14 @@
   "keywords": ["whatsbot", "whatsapp-bot", "whatsapp"],
   "stack": "container",
   "env": {
+    "SESSION_KEY": {
+      "description": "Session encryption password",
+      "value": ""
+    },
+    "SESSION_URL": {
+      "description": "session.secure public url (It is safe because it is encrypted, But still if you want maybe you can create some sort of authorization stuff)",
+      "value": ""
+    },
     "PMPERMIT_ENABLED": {
       "description": "Enable Pmpermit write true or false only",
       "value": "true"

config.js

@@ -3,6 +3,7 @@ const fs = require("fs");
 require("dotenv").config();
 
 module.exports = {
+  session_key: process.env.SESSION_KEY,
   pmpermit_enabled: process.env.PMPERMIT_ENABLED || "true",
   mongodb_url: process.env.MONGODB_URL || process.env.MONGO_URL || "",
   default_tr_lang: process.env.DEFAULT_TR_LANG || "en",

example.env

@@ -1,3 +1,4 @@
+SESSION_KEY="tuhin"
 PMPERMIT_ENABLED = 'true'
 MONGODB_URL = '' 
 DEFAULT_TR_LANG = 'en'

examples/example.env.md

@@ -5,7 +5,8 @@ The `.env` file is used to initialize all enviroment variables in the developmen
 Create the `.env` file in the root of your app and add your variables and values to it. These are all the variables that are needed by WhatsBot. Description about these can be found in [app.json](./app.json).
 
 ```env
-SESSION = ""
+SESSION_KEY=""
+SESSION_URL=""
 PMPERMIT_ENABLED = ""
 MONGODB_URL = ""
 YT_DATA_API_KEY = ""
@@ -19,13 +20,15 @@ It is not mandatory to add all the variables in the `.env` file. Most of these h
 At the bare minimum, you need to initialize atleast the following variables to make it work in your local environment.
 
 ```env
-SESSION = ""
+SESSION_KEY = ""
 MONGODB_URL = ""
 YT_DATA_API_KEY = ""
 OCR_SPACE_API_KEY = ""
 ```
 
-- SESSION : Puppeteer Session. Get it by running genToken.js. As getToken.js creates a session.json file, this might not be necessary in a local environment as this variable has a fallback to the session.json file. It is mentioned here as it is the most inportant information needed by the bot to work.
+- SESSION_KEY : Your `session.secure` encryption key.
+
+- SESSION_URL : You can retrieve your session from an public hosted endpoint, This is just a file and this is secured with `SESSION_KEY`. Don't put it if you are using VPS or your Local machine.
 
 - YT_DATA_API_KEY : Youtube DATA API key, grab it from <https:/>/cloud.google.com>.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "whatsbot",
-  "version": "2.1.1",
+  "version": "3.0.0",
   "description": "Plugable U***b*t for WhatsApp",
   "main": "main.js",
   "scripts": {
@@ -23,6 +23,7 @@
   "dependencies": {
     "@iamtraction/google-translate": "^1.1.2",
     "adm-zip": "^0.5.9",
+    "aes-encrypt-stream": "^0.2.0",
     "axios": "^0.21.0",
     "child_process": "^1.0.2",
     "dotenv": "^10.0.0",

session/genToken.js

@@ -1,13 +1,32 @@
 const { Client, LocalAuth } = require("whatsapp-web.js");
 const qrcode = require("qrcode-terminal");
 const { write, clean } = require("./manage");
+const readline = require("readline");
 
 clean();
+
 const client = new Client({
   puppeteer: { headless: true, args: ["--no-sandbox"] },
   authStrategy: new LocalAuth({ clientId: "whatsbot" }),
 });
-client.initialize();
+
+let password = null;
+
+const rl = readline.createInterface({
+  input: process.stdin,
+  output: process.stdout,
+});
+
+rl.question(
+  "Enter password to encrypt session (You need to put this in ENV): ",
+  (answer) => {
+    password = answer;
+    console.log("Password set to:", password);
+    console.log("Generating QR Code...");
+    rl.close();
+    client.initialize();
+  }
+);
 
 client.on("qr", (qr) => {
   console.log(`Scan this QR Code and copy the JSON\n`);
@@ -20,7 +39,7 @@ client.on("ready", () => {
   // wait because filesystem is busy
   setTimeout(async () => {
     console.log("Session has been created");
-    await write();
+    await write(password);
     process.exit();
   }, 3000);
 });

session/manage.js

@@ -1,5 +1,14 @@
 const fs = require("fs");
 const AdmZip = require("adm-zip");
+const {
+  createEncryptStream,
+  setPassword,
+  createDecryptStream,
+} = require("aes-encrypt-stream");
+const crypto = require("crypto");
+const config = require("../config");
+const axios = require("axios");
+require("dotenv").config();
 
 let base = `${__dirname}/../.wwebjs_auth/`;
 
@@ -21,26 +30,72 @@ module.exports = {
       }
     } catch (_) {}
   },
-  write: async function write() {
+  write: async function write(password) {
     excludedDir.forEach((dir) => {
       try {
         fs.rmSync(`${base}${dir}/`, { recursive: true });
       } catch (_) {}
     });
     const zip = new AdmZip();
     zip.addLocalFolder(base);
-    await zip.writeZipPromise(`${__dirname}/../session.zip`);
+    await zip.writeZipPromise(`${__dirname}/temp.zip`);
+    setPassword(getCipherKey(password));
+    await new Promise((resolve) => {
+      createEncryptStream(fs.createReadStream(`${__dirname}/temp.zip`))
+        .pipe(fs.createWriteStream(`${__dirname}/../session.secure`))
+        .on("finish", () => {
+          resolve();
+        });
+    });
+    fs.unlinkSync(`${__dirname}/temp.zip`);
   },
-  replicate: function replicate() {
+  replicate: async function replicate() {
     try {
-      let zipped = fs.readFileSync(`${__dirname}/../session.zip`);
-      let unzip = new AdmZip(zipped);
+      setPassword(getCipherKey(config.session_key));
+      await new Promise((resolve) => {
+        fs.createReadStream(`${__dirname}/../session.secure`)
+          .pipe(
+            createDecryptStream(fs.createWriteStream(`${__dirname}/temp.zip`))
+          )
+          .on("finish", () => {
+            resolve();
+          });
+      });
+
+      let unzip = new AdmZip(fs.readFileSync(`${__dirname}/temp.zip`));
       unzip.extractAllToAsync(base, true);
       console.log("Session files replicated");
     } catch (error) {
       throw new Error(
-        `Session file not found or corrupted. ${error.toString()}`
+        `Session file not found, corrupted or password not matched. ${error.toString()}`
+      );
+    } finally {
+      try {
+        fs.unlinkSync(`${__dirname}/temp.zip`);
+      } catch (_) {}
+    }
+  },
+  fetchSession: async function fetchSession() {
+    try {
+      if (process.env.SESSION_URL) {
+        let response = await axios.get(process.env.SESSION_URL, {
+          responseType: "arraybuffer",
+        });
+        fs.writeFileSync(`${__dirname}/../session.secure`, response.data, {
+          encoding: "binary",
+        });
+        console.log("Session file fetched from", process.env.SESSION_URL);
+      } else {
+        console.log("Using local session");
+      }
+    } catch (error) {
+      throw new Error(
+        `Session fetching failed. If you are using Local machine or VPS please remove 'SESSION_URL' from Enviroment Variable. ${error.toString()}`
       );
     }
   },
 };
+
+function getCipherKey(password) {
+  return crypto.createHash("sha256").update(password).digest();
+}

startProcess.js

@@ -1,11 +1,15 @@
-const { replicate, clean } = require("./session/manage");
+const { replicate, clean, fetchSession } = require("./session/manage");
 
-try {
-  clean();
-  replicate();
-  setTimeout(() => {
-    require("./main");
-  }, 2000);
-} catch (error) {
-  console.error(error?.message);
+async function main() {
+  try {
+    clean();
+    await fetchSession();
+    await replicate();
+    setTimeout(() => {
+      require("./main");
+    }, 2000);
+  } catch (error) {
+    console.error(error?.message);
+  }
 }
+main();