feat(api): add CryptoService for secret encryption (MS22-P1b)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
This commit is contained in:
82
apps/api/src/crypto/crypto.service.ts
Normal file
82
apps/api/src/crypto/crypto.service.ts
Normal file
@@ -0,0 +1,82 @@
|
||||
import { Injectable } from "@nestjs/common";
|
||||
import { ConfigService } from "@nestjs/config";
|
||||
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "crypto";
|
||||
|
||||
const ALGORITHM = "aes-256-gcm";
|
||||
const ENCRYPTED_PREFIX = "enc:";
|
||||
const IV_LENGTH = 12;
|
||||
const AUTH_TAG_LENGTH = 16;
|
||||
const DERIVED_KEY_LENGTH = 32;
|
||||
const HKDF_SALT = "mosaic.crypto.v1";
|
||||
const HKDF_INFO = "mosaic-db-secret-encryption";
|
||||
|
||||
@Injectable()
|
||||
export class CryptoService {
|
||||
private readonly key: Buffer;
|
||||
|
||||
constructor(private readonly config: ConfigService) {
|
||||
const secret = this.config.get<string>("MOSAIC_SECRET_KEY");
|
||||
|
||||
if (!secret) {
|
||||
throw new Error("MOSAIC_SECRET_KEY environment variable is required");
|
||||
}
|
||||
|
||||
if (secret.length < 32) {
|
||||
throw new Error("MOSAIC_SECRET_KEY must be at least 32 characters");
|
||||
}
|
||||
|
||||
this.key = Buffer.from(
|
||||
hkdfSync(
|
||||
"sha256",
|
||||
Buffer.from(secret, "utf8"),
|
||||
Buffer.from(HKDF_SALT, "utf8"),
|
||||
Buffer.from(HKDF_INFO, "utf8"),
|
||||
DERIVED_KEY_LENGTH
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
encrypt(plaintext: string): string {
|
||||
const iv = randomBytes(IV_LENGTH);
|
||||
const cipher = createCipheriv(ALGORITHM, this.key, iv);
|
||||
const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
|
||||
const authTag = cipher.getAuthTag();
|
||||
const payload = Buffer.concat([iv, ciphertext, authTag]).toString("base64");
|
||||
|
||||
return `${ENCRYPTED_PREFIX}${payload}`;
|
||||
}
|
||||
|
||||
decrypt(encrypted: string): string {
|
||||
if (!this.isEncrypted(encrypted)) {
|
||||
throw new Error("Value is not encrypted");
|
||||
}
|
||||
|
||||
const payloadBase64 = encrypted.slice(ENCRYPTED_PREFIX.length);
|
||||
|
||||
try {
|
||||
const payload = Buffer.from(payloadBase64, "base64");
|
||||
if (payload.length < IV_LENGTH + AUTH_TAG_LENGTH) {
|
||||
throw new Error("Encrypted payload is too short");
|
||||
}
|
||||
|
||||
const iv = payload.subarray(0, IV_LENGTH);
|
||||
const authTag = payload.subarray(payload.length - AUTH_TAG_LENGTH);
|
||||
const ciphertext = payload.subarray(IV_LENGTH, payload.length - AUTH_TAG_LENGTH);
|
||||
|
||||
const decipher = createDecipheriv(ALGORITHM, this.key, iv);
|
||||
decipher.setAuthTag(authTag);
|
||||
|
||||
return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
|
||||
} catch {
|
||||
throw new Error("Failed to decrypt value");
|
||||
}
|
||||
}
|
||||
|
||||
isEncrypted(value: string): boolean {
|
||||
return value.startsWith(ENCRYPTED_PREFIX);
|
||||
}
|
||||
|
||||
generateToken(): string {
|
||||
return randomBytes(32).toString("hex");
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user