diff --git a/README.md b/README.md
index bf16790..07667a9 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,33 @@
# 🔐 PageCrypt - Password Protected Single Page Applications and HTML files
+This fork adds the ability to encrypt entire directories to password-protect an entire static site hosted on a static site host, e.g. Amazon S3 or Google Cloud Storage or Github Pages.
+
+It does so by caching the password entered the first time, to use it again for all other pages a user may visit, and caching the derived keys per file in localStorage to speed up decryption.
+
+## Installation:
+
+```sh
+npm i -D https://github.com/souramoo/pagecrypt/releases/download/6.2.1/pagecrypt-6.2.1.tgz
+```
+
+## Usage for whole directories:
+
+Assuming you have a directory `src/` to encrypt and an empty target directory `dist/`...
+
+```sh
+PASSWORD=hunter2
+dir=$(pwd)
+cd src
+find . -name "*.html" -print -exec npx pagecrypt {} ${dir}/dist/{} ${PASSWORD} \;
+cd ..
+```
+
+You should now be able to publish the contents of `dist/` :)
+
+This should also work in cloud CI workflows to automatically password protect deployments.
+
+# Original description
+
> Easily add client-side password-protection to your Single Page Applications and HTML files.
Inspired by [MaxLaumeister/PageCrypt](https://github.com/MaxLaumeister/PageCrypt), but rewritten to use native `Web Crypto API` and greatly improve UX + security. Thanks for sharing an excellent starting point to create this tool!
@@ -9,7 +37,7 @@ Inspired by [MaxLaumeister/PageCrypt](https://github.com/MaxLaumeister/PageCrypt
**NOTE: Make sure you are using Node.js v16 or newer.**
```sh
-npm i -D pagecrypt
+npm i -D https://github.com/souramoo/pagecrypt/releases/download/6.2.0/pagecrypt-6.2.0.tgz
```
There are 4 different ways to use `pagecrypt`:
@@ -175,7 +203,7 @@ Since this magic link feature is using the [URI Fragment](https://en.m.wikipedia
- Most importantly, think twice about what kinds of sites and apps you publish to the open internet, even if they are encrypted.
- If you use the magic link to login, beware that the password remains as a history entry! Feel free to submit a PR if you know a workaround for this!
-- Also keep in mind that the `sessionStorage` saves the encryption key (which is derived from the password) until the browser is restarted. This is what allows the rapid page reloads during the same session - at the cost of decreasing the security on your local device.
+- Also keep in mind that the `localStorage` saves the encryption key (which is derived from the password). This is what allows the rapid page reloads during the same session - at the cost of decreasing the security on your local device.
- Only share magic links via secure channels, such as E2E-encrypted chats and emails.
- `pagecrypt` only encrypts the contents of a single HTML file, so try to inline as much JS, CSS and other sensitive assets into this HTML file as possible. If you're unable to inline all sensitive assets, you can hide your other assets by placing them on another server, and then only reference the external resources within the `pagecrypt` protected HTML file instead. Of course, these could in turn be protected or hidden if you need to. If executed correctly, this allows you to completely hide what your webpage or app is about by only deploying a single HTML file to the public web. Neat!
diff --git a/package.json b/package.json
index 385ea37..d6c512d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "pagecrypt",
- "version": "6.1.1",
+ "version": "6.2.1",
"description": "Easily add client-side password-protection to your Single Page Applications and HTML files.",
"main": "src/index.ts",
"type": "module",
diff --git a/src/decrypt-template.html b/src/decrypt-template.html
index 1ca3b83..bb66ede 100644
--- a/src/decrypt-template.html
+++ b/src/decrypt-template.html
@@ -5,7 +5,7 @@
Protected Page
-
+
diff --git a/test/package.json b/test/package.json
index f53a93c..a6d84aa 100644
--- a/test/package.json
+++ b/test/package.json
@@ -10,5 +10,8 @@
"test:cli-iterations": "pagecrypt test.html out-cli-iterations.html eRx1sD0LrHTNubycv1IYgyNqU3Qc9GKPGcl3XT63JG7djgMxU9etkVNcK5Hak5GWDzm4mx6AQFlpOPsY --iterations 3e6",
"test:cli-gen-iterations": "pagecrypt test.html out-cli-gen-iterations.html eRx1sD0LrHTNubycv1IYgyNqU3Qc9GKPGcl3XT63JG7djgMxU9etkVNcK5Hak5GWDzm4mx6AQFlpOPsY --generate-password 59 --iterations 2500000",
"test:verify": "vite"
+ },
+ "dependencies": {
+ "pagecrypt": "file:../dist/pagecrypt-6.2.1.tgz"
}
}
diff --git a/web/decrypt.ts b/web/decrypt.ts
index 080ba62..785c6f2 100644
--- a/web/decrypt.ts
+++ b/web/decrypt.ts
@@ -28,6 +28,10 @@ document.addEventListener('DOMContentLoaded', async () => {
iv = bytes.slice(32, 32 + 16)
ciphertext = bytes.slice(32 + 16)
+ const pwdOld = localStorage.getItem('pwd')
+ if (pwdOld) {
+ pwd.value = pwdOld
+ }
/**
* Allow passwords to be automatically provided via the URI Fragment.
* This greatly improves UX by clicking links instead of having to copy and paste the password manually.
@@ -44,7 +48,7 @@ document.addEventListener('DOMContentLoaded', async () => {
history.replaceState(null, '', url.toString())
}
- if (sessionStorage.k || pwd.value) {
+ if (localStorage.getItem(window.location.href) || pwd.value) {
await decrypt()
} else {
hide(load)
@@ -107,10 +111,20 @@ async function decrypt() {
show(form)
header.classList.replace('hidden', 'flex')
- if (sessionStorage.k) {
+ let automatic = false
+
+ if (localStorage.getItem('pwd')) {
+ // Delete invalid password
+ localStorage.removeItem('pwd')
+ automatic = true
+ }
+ if (localStorage.getItem(window.location.href)) {
// Delete invalid key
- sessionStorage.removeItem('k')
- } else {
+ localStorage.removeItem(window.location.href)
+ automatic = true
+ }
+
+ if (!automatic) {
// Only show when user actually entered a password themselves.
error('Wrong password.')
}
@@ -162,17 +176,34 @@ async function decryptFile(
) {
const decoder = new TextDecoder()
- const key = sessionStorage.k
- ? await importKey(JSON.parse(sessionStorage.k))
- : await deriveKey(salt, password, iterations)
+ let k = localStorage.getItem(window.location.href)
+ let key: CryptoKey | null
+ let data = new Uint8Array()
- const data = new Uint8Array(
- await subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext),
- )
- if (!data) throw 'Malformed data'
+ try {
+ key = k
+ ? await importKey(JSON.parse(k))
+ : await deriveKey(salt, password, iterations)
+ data = new Uint8Array(
+ await subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext),
+ )
+ if (!data) throw 'Malformed data'
+ } catch (e) {
+ // Delete invalid key and try a saved password
+ localStorage.removeItem(window.location.href)
+ key = await deriveKey(salt, password, iterations)
+
+ data = new Uint8Array(
+ await subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext),
+ )
+ }
// If no exception were thrown, decryption succeded and we can save the key.
- sessionStorage.k = JSON.stringify(await subtle.exportKey('jwk', key))
+ localStorage.setItem(
+ window.location.href,
+ JSON.stringify(await subtle.exportKey('jwk', key)),
+ )
+ localStorage.setItem('pwd', password)
return decoder.decode(data)
}