@growy/strapi-plugin-encrypted-field 2.3.3 → 2.4.1

package/CHANGELOG.md

@@ -0,0 +1,101 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [2.4.1] - 2026-02-26
+
+### Changed
+- Updated Node.js engine requirement to support version 23.x.x.
+
+## [2.4.0] - 2026-02-26
+
+### Added
+- Key rotation script (`scripts/rotate-key.js`) for re-encrypting data when changing the encryption key.
+- CHANGELOG.md with full version history.
+- Documented `uniqueField` limitation in README (unique constraints don't work on encrypted fields due to random IV).
+
+### Changed
+- All server-side error messages and logs translated to English for global developer audience.
+- `description` fields in `package.json` translated to English.
+- `repository.url` fixed via `npm pkg fix` (normalized to `git+https://` format).
+
+### Fixed
+- `strapi.config.get()` path updated from deprecated `plugin.encrypted-field` to Strapi v5 convention `plugin::encrypted-field`.
+
+## [2.3.3] - 2026-02-26
+
+### Changed
+- README rewritten in English for global npm community adoption.
+- Removed unused `admin/src/pages/` directory.
+
+## [2.3.2] - 2026-02-26
+
+### Changed
+- Restored detailed technical documentation in README (API examples, key management warnings, regex validation guide).
+
+## [2.3.1] - 2026-02-26
+
+### Changed
+- README converted to bilingual format (EN/ES).
+- Removed unused server directories (`content-types`, `controllers`, `routes`, `services`).
+- Added `.npmignore` for cleaner npm package.
+
+## [2.3.0] - 2026-02-26
+
+### Added
+- Multi-language support (i18n): English and Spanish translations for admin UI.
+- Encryption key caching in memory for improved performance.
+- `inputSize` configuration for resizable inputs in Content-Type Builder.
+- Plugin `config` block with `default` and `validator` (Strapi v5 standard).
+- `@strapi/design-system` and `react` as `peerDependencies`.
+
+### Changed
+- Refactored lifecycle hooks (`bootstrap.js`): extracted shared `processEncryption` and `processDecryption` functions to eliminate code duplication.
+- Simplified `registerTrads` to native Strapi v5 async/await pattern.
+
+### Fixed
+- Decrypt middleware now resolves the root entity `modelUid` from the API request path, fixing a bug where top-level encrypted fields were not decrypted in API responses.
+
+## [2.2.1] - 2025-10-14
+
+### Added
+- Visibility toggle (show/hide) and copy-to-clipboard controls with confirmation notifications in admin UI.
+
+### Changed
+- Updated README with improved documentation and package metadata.
+
+## [2.0.4] - 2025-10-13
+
+### Removed
+- Placeholder field option removed after multiple iterations.
+
+## [2.0.3] - 2025-10-13
+
+### Fixed
+- Set predefined placeholder and removed customization option.
+
+## [2.0.1] - 2025-10-13
+
+### Added
+- Nested component support for encryption/decryption at any depth.
+- Decrypt middleware for API responses.
+- Regex and length validation before encryption.
+
+### Changed
+- Simplified encrypted field UI.
+- Improved props handling in Input component.
+- Field type changed to `string`.
+- Removed unnecessary code comments.
+
+## [1.0.1] - 2025-10-13
+
+### Added
+- Package exports configuration for Strapi v5.
+
+## [1.0.0] - 2025-10-13
+
+### Added
+- Initial release.
+- Custom field "Encrypted Text" for Content-Type Builder.
+- AES-256-GCM encryption/decryption.
+- Basic admin panel input component.

package/README.md

@@ -201,12 +201,22 @@ apiKey: "sk-1234567890abcdef"
 
 ### Best Practices
 
-1. **Key rotation**: Plan a periodic rotation process
+1. **Key rotation**: Use the included rotation script (see below)
 2. **Environment separation**: Use different keys per dev/staging/prod
 3. **Auditing**: Monitor encryption/decryption error logs
 4. **Key backup**: Keep secure copies of keys in multiple locations
 5. **Private fields**: Mark sensitive fields as "private" to exclude them from the public API
 
+### Key Rotation
+
+If you need to change your encryption key, use the included rotation script to re-encrypt existing data:
+
+```bash
+node scripts/rotate-key.js --old=<CURRENT_64_CHAR_KEY> --new=<NEW_64_CHAR_KEY>
+```
+
+The script reads encrypted values from stdin, decrypts with the old key, and re-encrypts with the new key. See the script output for database-specific integration examples (PostgreSQL, etc.).
+
 ## Use Cases
 
 - 🔑 Third-party API Keys
@@ -221,6 +231,7 @@ apiKey: "sk-1234567890abcdef"
 - ❌ **Search**: Cannot search by encrypted fields (data is encrypted in DB)
 - ❌ **Sorting**: Cannot sort by encrypted fields
 - ❌ **Filters**: Cannot apply direct filters on encrypted fields
+- ❌ **Unique constraint**: Strapi's unique validation will not work correctly on encrypted fields because each encryption produces a different ciphertext (random IV)
 - ⚠️ **Performance**: Encryption/decryption adds minimal overhead (~1-2ms per operation)
 - ⚠️ **Key synchronization**: All environments sharing the same DB must use the same key
 

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@growy/strapi-plugin-encrypted-field",
-  "version": "2.3.3",
-  "description": "Campo personalizado de texto cifrado para Strapi",
+  "version": "2.4.1",
+  "description": "Custom encrypted text field plugin for Strapi using AES-256-GCM",
   "strapi": {
     "name": "encrypted-field",
     "displayName": "Encrypted Field",
-    "description": "Agrega un campo de texto cifrado con AES-256-GCM",
+    "description": "Adds an AES-256-GCM encrypted text field",
     "kind": "plugin"
   },
   "dependencies": {},
@@ -27,7 +27,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/ZahirElIsaac/strapi-campo-encriptado.git"
+    "url": "git+https://github.com/ZahirElIsaac/strapi-campo-encriptado.git"
   },
   "contributors": [
     {
@@ -35,7 +35,7 @@
     }
   ],
   "engines": {
-    "node": ">=18.0.0 <=22.x.x",
+    "node": ">=18.0.0 <=23.x.x",
     "npm": ">=6.0.0"
   },
   "license": "MIT",

package/scripts/rotate-key.js

@@ -0,0 +1,117 @@
+#!/usr/bin/env node
+
+const crypto = require('crypto');
+const readline = require('readline');
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+
+function parseKey(hexKey) {
+    if (!hexKey || typeof hexKey !== 'string' || hexKey.length !== 64) {
+        throw new Error(`Key must be exactly 64 hexadecimal characters. Got: ${hexKey?.length || 0}`);
+    }
+    if (!/^[0-9a-fA-F]{64}$/.test(hexKey)) {
+        throw new Error('Key must contain only hexadecimal characters (0-9, a-f, A-F)');
+    }
+    return Buffer.from(hexKey, 'hex');
+}
+
+function decryptWithKey(encryptedText, keyBuffer) {
+    const parts = encryptedText.split(':');
+    if (parts.length !== 3) return null;
+
+    const [ivHex, authTagHex, encrypted] = parts;
+    if (ivHex.length !== IV_LENGTH * 2 || authTagHex.length !== AUTH_TAG_LENGTH * 2) return null;
+
+    const iv = Buffer.from(ivHex, 'hex');
+    const authTag = Buffer.from(authTagHex, 'hex');
+    const decipher = crypto.createDecipheriv(ALGORITHM, keyBuffer, iv);
+    decipher.setAuthTag(authTag);
+
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
+
+function encryptWithKey(text, keyBuffer) {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, keyBuffer, iv);
+
+    let encrypted = cipher.update(text, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    const authTag = cipher.getAuthTag();
+
+    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+}
+
+async function main() {
+    const args = process.argv.slice(2);
+    const oldKeyArg = args.find((a) => a.startsWith('--old='));
+    const newKeyArg = args.find((a) => a.startsWith('--new='));
+
+    if (!oldKeyArg || !newKeyArg) {
+        console.error('Usage: node scripts/rotate-key.js --old=<OLD_KEY> --new=<NEW_KEY>');
+        console.error('Keys must be 64-character hexadecimal strings.');
+        console.error('\nGenerate a new key with:');
+        console.error('  node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))"');
+        process.exit(1);
+    }
+
+    const oldKey = oldKeyArg.split('=')[1];
+    const newKey = newKeyArg.split('=')[1];
+
+    let oldKeyBuffer, newKeyBuffer;
+    try {
+        oldKeyBuffer = parseKey(oldKey);
+        newKeyBuffer = parseKey(newKey);
+    } catch (error) {
+        console.error(`Key validation error: ${error.message}`);
+        process.exit(1);
+    }
+
+    if (oldKey === newKey) {
+        console.error('Old and new keys are identical. Aborting.');
+        process.exit(1);
+    }
+
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const question = (q) => new Promise((resolve) => rl.question(q, resolve));
+
+    console.log('\n🔑 Encrypted Field - Key Rotation Tool');
+    console.log('━'.repeat(45));
+    console.log('\nThis script reads encrypted values from stdin (one per line),');
+    console.log('decrypts them with the OLD key, and re-encrypts with the NEW key.');
+    console.log('\nTo use with a database, export the encrypted column values,');
+    console.log('pipe them through this script, and update the database.\n');
+    console.log('Example with PostgreSQL:');
+    console.log('  psql -t -A -c "SELECT id, api_key FROM users WHERE api_key IS NOT NULL" |\\');
+    console.log('  while IFS="|" read id val; do');
+    console.log('    newval=$(echo "$val" | node scripts/rotate-key.js --old=X --new=Y)');
+    console.log('    psql -c "UPDATE users SET api_key=\'$newval\' WHERE id=$id"');
+    console.log('  done\n');
+    console.log('Paste encrypted values (one per line). Press Ctrl+D when done:\n');
+
+    rl.on('line', (line) => {
+        const trimmed = line.trim();
+        if (!trimmed) return;
+
+        try {
+            const decrypted = decryptWithKey(trimmed, oldKeyBuffer);
+            if (decrypted === null) {
+                console.error(`SKIP (not encrypted format): ${trimmed.substring(0, 30)}...`);
+                return;
+            }
+            const reEncrypted = encryptWithKey(decrypted, newKeyBuffer);
+            console.log(reEncrypted);
+        } catch (error) {
+            console.error(`ERROR: ${error.message} | Input: ${trimmed.substring(0, 30)}...`);
+        }
+    });
+
+    rl.on('close', () => {
+        console.error('\n✅ Key rotation complete.');
+    });
+}
+
+main();

package/server/bootstrap.js

@@ -17,7 +17,7 @@ function processEncryption(event, strapi) {
 
     const validation = validateValue(value, attribute);
     if (!validation.valid) {
-      throw new Error(`Validación fallida para el campo "${key}": ${validation.error}`);
+      throw new Error(`Validation failed for field "${key}": ${validation.error}`);
     }
 
     data[key] = encrypt(value, strapi);

package/server/middlewares/decrypt.js

@@ -50,7 +50,7 @@ module.exports = (config, { strapi }) => {
             try {
               obj[key] = decrypt(obj[key], strapi);
             } catch (error) {
-              strapi.log.error(`Error descifrando campo ${key}: ${error.message}`);
+              strapi.log.error(`Decryption error on field ${key}: ${error.message}`);
             }
           }
         }

package/server/utils/crypto.js

@@ -9,10 +9,10 @@ let _cachedKey = null;
 let _cachedKeySource = null;
 
 function getEncryptionKey(strapi) {
-  const key = process.env.ENCRYPTION_KEY || strapi?.config?.get('plugin.encrypted-field.encryptionKey');
+  const key = process.env.ENCRYPTION_KEY || strapi?.config?.get('plugin::encrypted-field.encryptionKey');
 
   if (!key) {
-    const errorMsg = '⚠️  ENCRYPTION_KEY no configurada. Debe establecer una clave de 64 caracteres hexadecimales en las variables de entorno o configuración de Strapi.';
+    const errorMsg = '⚠️  ENCRYPTION_KEY not configured. You must set a 64-character hexadecimal key in environment variables or Strapi configuration.';
     if (strapi?.log?.error) {
       strapi.log.error(errorMsg);
     }
@@ -24,11 +24,11 @@ function getEncryptionKey(strapi) {
   }
 
   if (typeof key !== 'string' || key.length !== 64) {
-    throw new Error(`ENCRYPTION_KEY debe tener exactamente 64 caracteres hexadecimales (32 bytes). Actual: ${key?.length || 0}`);
+    throw new Error(`ENCRYPTION_KEY must be exactly 64 hexadecimal characters (32 bytes). Current: ${key?.length || 0}`);
   }
 
   if (!/^[0-9a-fA-F]{64}$/.test(key)) {
-    throw new Error('ENCRYPTION_KEY debe contener solo caracteres hexadecimales (0-9, a-f, A-F)');
+    throw new Error('ENCRYPTION_KEY must contain only hexadecimal characters (0-9, a-f, A-F)');
   }
 
   _cachedKey = Buffer.from(key, 'hex');
@@ -54,7 +54,7 @@ function encrypt(text, strapi) {
     return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
   } catch (error) {
     if (strapi?.log?.error) {
-      strapi.log.error(`Error al cifrar: ${error.message}`);
+      strapi.log.error(`Encryption error: ${error.message}`);
     }
     throw error;
   }
@@ -88,7 +88,7 @@ function decrypt(encryptedText, strapi) {
     return decrypted;
   } catch (error) {
     if (strapi?.log?.debug) {
-      strapi.log.debug(`Error al descifrar: ${error.message}. Retornando texto original.`);
+      strapi.log.debug(`Decryption error: ${error.message}. Returning original text.`);
     }
     return encryptedText;
   }
@@ -102,7 +102,7 @@ function validateValue(value, attribute) {
   if (typeof value !== 'string') {
     return {
       valid: false,
-      error: 'El valor debe ser una cadena de texto'
+      error: 'Value must be a string'
     };
   }
 
@@ -112,13 +112,13 @@ function validateValue(value, attribute) {
       if (!regex.test(value)) {
         return {
           valid: false,
-          error: `El valor no cumple con el patrón de validación: ${attribute.regex}`
+          error: `Value does not match the validation pattern: ${attribute.regex}`
         };
       }
     } catch (error) {
       return {
         valid: false,
-        error: `Patrón regex inválido: ${error.message}`
+        error: `Invalid regex pattern: ${error.message}`
       };
     }
   }
@@ -126,14 +126,14 @@ function validateValue(value, attribute) {
   if (attribute.maxLength && value.length > attribute.maxLength) {
     return {
       valid: false,
-      error: `El valor excede la longitud máxima de ${attribute.maxLength} caracteres`
+      error: `Value exceeds maximum length of ${attribute.maxLength} characters`
     };
   }
 
   if (attribute.minLength && value.length < attribute.minLength) {
     return {
       valid: false,
-      error: `El valor debe tener al menos ${attribute.minLength} caracteres`
+      error: `Value must be at least ${attribute.minLength} characters`
     };
   }