@model-ts/dynamodb 0.2.0 → 1.1.0

package/src/client.ts

@@ -79,6 +79,12 @@ export interface ClientProps
     ServiceConfigurationOptions,
     ClientApiVersions {
   tableName: string
+
+  /**
+   * The encryption key used to encrypt cursors using AES-256-CTR.
+   * Must be a 32 character string, 256 bits.
+   */
+  cursorEncryptionKey?: Buffer
 }
 
 export interface Key {
@@ -90,9 +96,11 @@ export class Client {
   tableName: string
   documentClient: DocumentClient
   dataLoader: DataLoader<GetOperation<Decodable>, DynamoDBModelInstance, string>
+  cursorEncryptionKey?: Buffer
 
   constructor(props: ClientProps) {
     this.tableName = props?.tableName
+    this.cursorEncryptionKey = props?.cursorEncryptionKey
     this.documentClient = new DocumentClient(props)
     this.dataLoader = new DataLoader<
       GetOperation<Decodable>,
@@ -189,7 +197,7 @@ export class Client {
     const { Item } = await this.documentClient
       .get({
         TableName: this.tableName,
-        Key: key,
+        Key: { PK: key.PK, SK: key.SK },
         ...params,
       })
       .promise()
@@ -494,7 +502,16 @@ export class Client {
         ...params,
         // Fetch one additional item to test for a next page
         Limit: limit + 1,
-        ExclusiveStartKey: cursor ? decodeDDBCursor(cursor) : undefined,
+        ExclusiveStartKey: cursor
+          ? decodeDDBCursor(
+              cursor,
+              // GSI1 is the inverse index and uses PK and SK (switched around)
+              params.IndexName && params.IndexName !== "GSI1"
+                ? (params.IndexName as "GSI2" | "GSI3" | "GSI4" | "GSI5")
+                : undefined,
+              this.cursorEncryptionKey
+            )
+          : undefined,
         ScanIndexForward: direction === PaginationDirection.FORWARD,
       },
       { results: model }
@@ -509,13 +526,7 @@ export class Client {
     // Build edges
     const edges = slice.map((item: any) => ({
       node: item,
-      cursor: encodeDDBCursor(
-        item,
-        // GSI1 is the inverse index and uses PK and SK (switched around)
-        params.IndexName && params.IndexName !== "GSI1"
-          ? (params.IndexName as "GSI2" | "GSI3")
-          : undefined
-      ),
+      cursor: encodeDDBCursor(item, this.cursorEncryptionKey),
     }))
 
     return {

package/src/dynamodb-model.ts

@@ -11,6 +11,10 @@ export interface DynamoDBModelInstance extends ModelInstance<string, any> {
     GSI2SK?: string
     GSI3PK?: string
     GSI3SK?: string
+    GSI4PK?: string
+    GSI4SK?: string
+    GSI5PK?: string
+    GSI5SK?: string
   }
 
   PK: string

package/src/pagination.ts

@@ -1,5 +1,9 @@
+import crypto from "crypto"
 import { PaginationError } from "./errors"
 
+const SIV = "Q05yyCR+0tyWl6glrZhlNw=="
+const ENCRYPTION_ALG = "aes-256-ctr"
+
 export interface PageInfo {
   hasPreviousPage: boolean
   hasNextPage: boolean
@@ -71,6 +75,47 @@ export function decodePagination(pagination: PaginationInput): {
   }
 }
 
+/**
+ * Utility function to encrypt a cursor with AES-256-CTR, but uses a
+ * synthetic initialization vector (SIV) to ensure that the same cursor
+ * produces the same encrypted value.
+ */
+const encryptCursor = (key: Buffer, cursor: string) => {
+  const cipher = crypto.createCipheriv(
+    ENCRYPTION_ALG,
+    key,
+    Buffer.from(SIV, "base64")
+  )
+
+  const encrypted = Buffer.concat([cipher.update(cursor), cipher.final()])
+
+  return encrypted.toString("base64")
+}
+
+/**
+ * Utility function to decrypt a cursor with AES-256-CTR, but uses a
+ * synthetic initialization vector (SIV) to ensure that the same cursor
+ * produces the same encrypted value.
+ */
+const decryptCursor = (key: Buffer, encryptedCursor: string) => {
+  try {
+    const decipher = crypto.createDecipheriv(
+      ENCRYPTION_ALG,
+      key,
+      Buffer.from(SIV, "base64")
+    )
+
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(encryptedCursor, "base64")),
+      decipher.final(),
+    ]).toString()
+
+    return decrypted
+  } catch (error) {
+    return null
+  }
+}
+
 export const encodeDDBCursor = (
   {
     PK,
@@ -95,21 +140,10 @@ export const encodeDDBCursor = (
     GSI5PK?: string
     GSI5SK?: string
   },
-  index?: "GSI2" | "GSI3" | "GSI4" | "GSI5"
-) =>
-  index === "GSI2"
-    ? Buffer.from(JSON.stringify({ PK, SK, GSI2PK, GSI2SK })).toString("base64")
-    : index === "GSI3"
-    ? Buffer.from(JSON.stringify({ PK, SK, GSI3PK, GSI3SK })).toString("base64")
-    : index === "GSI4"
-    ? Buffer.from(JSON.stringify({ PK, SK, GSI4PK, GSI4SK })).toString("base64")
-    : index === "GSI5"
-    ? Buffer.from(JSON.stringify({ PK, SK, GSI5PK, GSI5SK })).toString("base64")
-    : Buffer.from(JSON.stringify({ PK, SK })).toString("base64")
-
-export const decodeDDBCursor = (encoded: string) => {
-  try {
-    const {
+  encryptionKey?: Buffer
+) => {
+  const cursor = Buffer.from(
+    JSON.stringify({
       PK,
       SK,
       GSI2PK,
@@ -120,11 +154,26 @@ export const decodeDDBCursor = (encoded: string) => {
       GSI4SK,
       GSI5PK,
       GSI5SK,
-    } = JSON.parse(Buffer.from(encoded, "base64").toString())
+    })
+  ).toString("base64")
 
-    if (typeof PK !== "string" || typeof SK !== "string") throw new Error()
+  if (encryptionKey) return encryptCursor(encryptionKey, cursor)
+
+  return cursor
+}
+
+export const decodeDDBCursor = (
+  encoded: string,
+  index?: "GSI2" | "GSI3" | "GSI4" | "GSI5",
+  encryptionKey?: Buffer
+) => {
+  try {
+    const json = encryptionKey ? decryptCursor(encryptionKey, encoded) : encoded
+    // const json = encoded
+
+    if (!json) throw new Error("Couldn't decrypt cursor")
 
-    return {
+    const {
       PK,
       SK,
       GSI2PK,
@@ -135,7 +184,15 @@ export const decodeDDBCursor = (encoded: string) => {
       GSI4SK,
       GSI5PK,
       GSI5SK,
-    }
+    } = JSON.parse(Buffer.from(json, "base64").toString())
+
+    if (typeof PK !== "string" || typeof SK !== "string") throw new Error()
+
+    if (!index) return { PK, SK }
+    if (index === "GSI2") return { PK, SK, GSI2PK, GSI2SK }
+    if (index === "GSI3") return { PK, SK, GSI3PK, GSI3SK }
+    if (index === "GSI4") return { PK, SK, GSI4PK, GSI4SK }
+    if (index === "GSI5") return { PK, SK, GSI5PK, GSI5SK }
   } catch (error) {
     throw new PaginationError("Couldn't decode cursor")
   }

package/src/provider.ts

@@ -17,7 +17,7 @@ import {
 import { OutputOf, TypeOf, ModelOf } from "@model-ts/core"
 import { RaceConditionError } from "./errors"
 import { absurd } from "fp-ts/lib/function"
-import { PaginationInput } from "./pagination"
+import { encodeDDBCursor, PaginationInput } from "./pagination"
 
 export interface DynamoDBInternals<M extends Decodable> {
   __dynamoDBDecode(
@@ -524,6 +524,9 @@ export const getProvider = (client: Client) => {
           GSI5SK: this.GSI5SK,
         }
       },
+      cursor<T extends DynamoDBModelInstance>(this: T) {
+        return encodeDDBCursor(this.keys(), client.cursorEncryptionKey)
+      },
       put<T extends DynamoDBModelInstance>(
         this: T,
         params?: Omit<
@@ -621,7 +624,7 @@ export const getProvider = (client: Client) => {
         return client.get<M>({
           _model: this,
           _operation: "get",
-          key,
+          key: { PK: key.PK, SK: key.SK },
           ...params,
         })
       },