@dynamatix/gb-schemas 0.16.3 → 0.17.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/utils/encryption.js +23 -11
package/package.json
CHANGED
package/utils/encryption.js
CHANGED
|
@@ -3,40 +3,52 @@ import dotenv from 'dotenv';
|
|
|
3
3
|
|
|
4
4
|
dotenv.config();
|
|
5
5
|
|
|
6
|
-
const SECRET_KEY = Buffer.from(process.env.ENCRYPTION_KEY, 'hex');
|
|
7
|
-
const IV_LENGTH = 16;
|
|
6
|
+
const SECRET_KEY = Buffer.from(process.env.ENCRYPTION_KEY, 'hex'); // 32 bytes for AES-256
|
|
7
|
+
const IV_LENGTH = 16; // AES-GCM IV length
|
|
8
|
+
const EXCLUDED_COLLECTIONS = process.env.EXCLUDED_COLLECTIONS?.split(",") || []; // Excluded collections from encryption
|
|
9
|
+
|
|
10
|
+
// Encrypt an object (ignores _id and fields from excluded collections)
|
|
11
|
+
export const encryptObject = (obj, collectionName) => {
|
|
12
|
+
// Skip encryption if the collection is excluded
|
|
13
|
+
if (EXCLUDED_COLLECTIONS.includes(collectionName)) {
|
|
14
|
+
return obj;
|
|
15
|
+
}
|
|
8
16
|
|
|
9
|
-
// Encrypt an object (ignores _id)
|
|
10
|
-
export const encryptObject = (obj) => {
|
|
11
17
|
if (!obj || typeof obj !== "object") return obj;
|
|
12
18
|
let encryptedObj = {};
|
|
13
19
|
|
|
14
20
|
for (const key in obj) {
|
|
15
21
|
if (key === "_id") {
|
|
16
|
-
encryptedObj[key] = obj[key];
|
|
22
|
+
encryptedObj[key] = obj[key]; // Don't encrypt _id
|
|
17
23
|
} else {
|
|
18
|
-
const iv = crypto.randomBytes(IV_LENGTH);
|
|
24
|
+
const iv = crypto.randomBytes(IV_LENGTH); // Generate IV
|
|
19
25
|
const cipher = crypto.createCipheriv("aes-256-gcm", SECRET_KEY, iv);
|
|
20
26
|
|
|
21
27
|
let encrypted = cipher.update(JSON.stringify(obj[key]), 'utf8', 'hex');
|
|
22
28
|
encrypted += cipher.final('hex');
|
|
23
29
|
|
|
24
|
-
const authTag = cipher.getAuthTag().toString('hex');
|
|
30
|
+
const authTag = cipher.getAuthTag().toString('hex'); // Get auth tag for integrity check
|
|
25
31
|
|
|
26
32
|
encryptedObj[key] = `${iv.toString('hex')}:${authTag}:${encrypted}`;
|
|
27
33
|
}
|
|
28
34
|
}
|
|
35
|
+
|
|
29
36
|
return encryptedObj;
|
|
30
37
|
};
|
|
31
38
|
|
|
32
|
-
// Decrypt an object (ignores _id)
|
|
33
|
-
export const decryptObject = (obj) => {
|
|
39
|
+
// Decrypt an object (ignores _id and fields from excluded collections)
|
|
40
|
+
export const decryptObject = (obj, collectionName) => {
|
|
41
|
+
// Skip decryption if the collection is excluded
|
|
42
|
+
if (EXCLUDED_COLLECTIONS.includes(collectionName)) {
|
|
43
|
+
return obj;
|
|
44
|
+
}
|
|
45
|
+
|
|
34
46
|
if (!obj || typeof obj !== "object") return obj;
|
|
35
47
|
let decryptedObj = {};
|
|
36
48
|
|
|
37
49
|
for (const key in obj) {
|
|
38
50
|
if (key === "_id") {
|
|
39
|
-
decryptedObj[key] = obj[key];
|
|
51
|
+
decryptedObj[key] = obj[key]; // Don't decrypt _id
|
|
40
52
|
} else {
|
|
41
53
|
try {
|
|
42
54
|
const [ivHex, authTagHex, encryptedData] = obj[key].split(':');
|
|
@@ -51,7 +63,7 @@ export const decryptObject = (obj) => {
|
|
|
51
63
|
|
|
52
64
|
decryptedObj[key] = JSON.parse(decrypted);
|
|
53
65
|
} catch (error) {
|
|
54
|
-
decryptedObj[key] = obj[key];
|
|
66
|
+
decryptedObj[key] = obj[key]; // Return original if decryption fails
|
|
55
67
|
}
|
|
56
68
|
}
|
|
57
69
|
}
|