@be-link/shield-for-tcb-node-sdk 1.0.19 → 1.0.21

package/modules/config/serviceV2.d.ts

@@ -6,6 +6,7 @@ import BaseService from '../BaseService';
  */
 export declare class ConfigServiceV2 extends BaseService implements ServiceV2.ConfigController {
     protected prefixUrl: string;
+    private callEncryptedConfig;
     /**
      * 获取单个配置
      * @param req 请求参数

package/modules/config/serviceV2.js

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.backendConfigServiceV2 = exports.ConfigServiceV2 = void 0;
 const http_1 = require("../../utils/http");
 const cloudFunctionHttp_1 = require("../../utils/cloudFunctionHttp");
+const encryption_1 = require("../../utils/encryption");
 const BaseService_1 = __importDefault(require("../BaseService"));
 /**
  * V2 配置服务
@@ -16,15 +17,32 @@ class ConfigServiceV2 extends BaseService_1.default {
         super(...arguments);
         this.prefixUrl = '/shield/v2/config';
     }
+    async callEncryptedConfig(path, req, fallbackData) {
+        const keyId = (0, encryption_1.getKeyId)();
+        const enhancedReq = keyId ? { ...req, encryption: { version: 1, keyId } } : req;
+        const response = await (0, http_1.callApiFull)(this.getApiUrlV2(path), enhancedReq).catch(() => ({
+            success: false,
+            data: fallbackData,
+            requestId: '',
+            message: '',
+            errorType: '',
+            encryption: undefined,
+        }));
+        if (response.encryption?.version && typeof response.data === 'string') {
+            return (0, encryption_1.decryptPayload)(response.data);
+        }
+        if ((0, encryption_1.isEncryptionAvailable)()) {
+            throw new Error('Encrypted response required but server returned plaintext');
+        }
+        return response.data;
+    }
     /**
      * 获取单个配置
      * @param req 请求参数
      * @returns 配置数据，如果配置不存在返回 null
      */
     fetchConfig(req) {
-        return (0, http_1.callApi)(this.getApiUrlV2('/fetch'), req, {
-            skipErrorHandling: true,
-        }).catch(() => null);
+        return this.callEncryptedConfig('/fetch', req, null);
     }
     /**
      * 批量获取配置
@@ -32,7 +50,7 @@ class ConfigServiceV2 extends BaseService_1.default {
      * @returns 配置数据映射
      */
     fetchConfigs(req) {
-        return (0, http_1.callApi)(this.getApiUrlV2('/fetch-batch'), req).catch(() => ({}));
+        return this.callEncryptedConfig('/fetch-batch', req, {});
     }
     /**
      * 云函数单 Key 配置读取

package/modules/config/typesV2.d.ts

@@ -18,6 +18,10 @@ export declare namespace ServiceV2 {
         }
     }
     namespace Request {
+        interface EncryptionRequest {
+            version: number;
+            keyId: string;
+        }
         /**
          * 获取单个配置请求参数
          */
@@ -25,6 +29,7 @@ export declare namespace ServiceV2 {
             service: string;
             key: string;
             env?: string;
+            encryption?: EncryptionRequest;
         }
         /**
          * 批量获取配置请求参数
@@ -33,6 +38,7 @@ export declare namespace ServiceV2 {
             service: string;
             keys?: string[];
             env?: string;
+            encryption?: EncryptionRequest;
         }
         /**
          * 获取服务列表请求参数

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@be-link/shield-for-tcb-node-sdk",
-  "version": "1.0.19",
+  "version": "1.0.21",
   "description": "ShieldForTCB Node.js SDK",
   "main": "index.js",
   "types": "index.d.ts",

package/utils/encryption.d.ts

@@ -0,0 +1,3 @@
+export declare function isEncryptionAvailable(): boolean;
+export declare function getKeyId(): string | null;
+export declare function decryptPayload(encryptedBase64: string): any;

package/utils/encryption.js

@@ -0,0 +1,40 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isEncryptionAvailable = isEncryptionAvailable;
+exports.getKeyId = getKeyId;
+exports.decryptPayload = decryptPayload;
+const crypto_1 = __importDefault(require("crypto"));
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+function getDecryptionKey() {
+    const keyB64 = process.env.SHIELD_ENCRYPTION_KEY;
+    if (!keyB64)
+        return null;
+    return Buffer.from(keyB64, 'base64');
+}
+function isEncryptionAvailable() {
+    return !!process.env.SHIELD_ENCRYPTION_KEY;
+}
+function getKeyId() {
+    const key = getDecryptionKey();
+    if (!key)
+        return null;
+    return crypto_1.default.createHash('sha256').update(key).digest('hex').slice(0, 8);
+}
+function decryptPayload(encryptedBase64) {
+    const key = getDecryptionKey();
+    if (!key)
+        throw new Error('SHIELD_ENCRYPTION_KEY not configured');
+    const data = Buffer.from(encryptedBase64, 'base64');
+    const iv = data.subarray(0, IV_LENGTH);
+    const authTag = data.subarray(data.length - AUTH_TAG_LENGTH);
+    const ciphertext = data.subarray(IV_LENGTH, data.length - AUTH_TAG_LENGTH);
+    const decipher = crypto_1.default.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return JSON.parse(decrypted.toString('utf8'));
+}

package/utils/http.d.ts

@@ -1,10 +1,22 @@
-type CallApiOptions = {
+export type ResponseData = {
+    data: any;
+    success: boolean;
+    requestId: string;
+    message: string;
+    errorType: string;
+    encryption?: {
+        version: number;
+        keyId: string;
+    };
+};
+export type CallApiOptions = {
     skipErrorHandling?: boolean;
 };
 type GetApiOptions = {
     skipErrorHandling?: boolean;
 };
 export declare function callApi<T extends (args: any) => Promise<any>>(url: string, request?: Parameters<T>[0], options?: CallApiOptions): Promise<Awaited<ReturnType<T>>>;
+export declare function callApiFull<TRequest = any>(url: string, request?: TRequest, options?: CallApiOptions): Promise<ResponseData>;
 /**
  * GET 请求 API
  */

package/utils/http.js

@@ -37,6 +37,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.callApi = callApi;
+exports.callApiFull = callApiFull;
 exports.getApi = getApi;
 const axios_1 = __importDefault(require("axios"));
 const uuid_1 = require("uuid");
@@ -100,6 +101,32 @@ async function callApi(url, request, options) {
         throw error;
     }
 }
+async function callApiFull(url, request, options) {
+    const requestId = (0, uuid_1.v4)();
+    try {
+        console.info(`准备发起shield-for-tcb请求[${requestId}]: ${url}, 参数: ${JSON.stringify(request)}`);
+        const response = await axios_1.default.post(url, request || {}, {
+            headers: { 'x-request-id': requestId, 'content-type': 'application/json' },
+        });
+        return response.data;
+    }
+    catch (error) {
+        if (options && options.skipErrorHandling) {
+            throw error;
+        }
+        const axiosError = error;
+        if (axiosError.response) {
+            const response = axiosError.response;
+            const data = response.data;
+            console.error(`shield-for-tcb 异常: ${axiosError.message}, requestId: ${requestId}`);
+            console.info('响应信息', data.message);
+            console.error('异常堆栈', JSON.stringify(error.stack));
+            throw axiosError;
+        }
+        console.error(`shield-for-tcb 未知异常: ${axiosError.message}`, error.stack);
+        throw error;
+    }
+}
 /**
  * GET 请求 API
  */