@syncular/client-plugin-encryption 0.0.1-60

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/dist/index.d.ts +78 -0
  2. package/dist/index.d.ts.map +1 -0
  3. package/dist/index.js +713 -0
  4. package/dist/index.js.map +1 -0
  5. package/dist/key-sharing.d.ts +124 -0
  6. package/dist/key-sharing.d.ts.map +1 -0
  7. package/dist/key-sharing.js +408 -0
  8. package/dist/key-sharing.js.map +1 -0
  9. package/package.json +65 -0
  10. package/src/__tests__/key-sharing.test.ts +193 -0
  11. package/src/__tests__/refresh-encrypted-fields.test.ts +182 -0
  12. package/src/index.ts +1011 -0
  13. package/src/key-sharing.ts +555 -0
package/dist/index.d.ts ADDED
@@ -0,0 +1,78 @@
1
+ import type { SyncClientDb, SyncClientPlugin, SyncClientPluginContext, SyncEngine } from '@syncular/client';
2
+ import { type Kysely } from 'kysely';
3
+ export * from './key-sharing';
4
+ type FieldDecryptionErrorMode = 'throw' | 'keepCiphertext';
5
+ interface FieldEncryptionRule {
6
+ scope: string;
7
+ /**
8
+ * Optional table selector. Strongly recommended for correctness:
9
+ * - Push/incremental changes have a table name.
10
+ * - Snapshot rows often do not; if omitted, the plugin must be able to infer it.
11
+ */
12
+ table?: string;
13
+ /** Column names to encrypt/decrypt */
14
+ fields: string[];
15
+ /**
16
+ * Row id column in snapshot row objects (defaults to "id").
17
+ * Push/incremental changes use the protocol `row_id` and ignore this.
18
+ */
19
+ rowIdField?: string;
20
+ }
21
+ export interface FieldEncryptionKeys {
22
+ /**
23
+ * Resolve a 32-byte symmetric key for a given key id.
24
+ * Throws (or rejects) when the key is unavailable.
25
+ */
26
+ getKey: (kid: string) => Uint8Array | Promise<Uint8Array>;
27
+ /**
28
+ * Select which key id to use when encrypting new values.
29
+ * Defaults to "default".
30
+ */
31
+ getEncryptionKid?: (ctx: SyncClientPluginContext, args: {
32
+ scope: string;
33
+ table: string;
34
+ rowId: string;
35
+ field: string;
36
+ }) => string | Promise<string>;
37
+ }
38
+ interface FieldEncryptionPluginOptions {
39
+ name?: string;
40
+ rules: FieldEncryptionRule[];
41
+ keys: FieldEncryptionKeys;
42
+ /**
43
+ * Controls what happens when ciphertext is present but decryption fails
44
+ * (unknown key, bad AAD, corrupted data).
45
+ */
46
+ decryptionErrorMode?: FieldDecryptionErrorMode;
47
+ /**
48
+ * Envelope prefix written into the DB. Changing this breaks decryption
49
+ * for existing rows.
50
+ */
51
+ envelopePrefix?: string;
52
+ }
53
+ interface RefreshEncryptedFieldsTarget {
54
+ scope: string;
55
+ table: string;
56
+ fields?: string[];
57
+ }
58
+ export interface RefreshEncryptedFieldsResult {
59
+ tablesProcessed: number;
60
+ rowsScanned: number;
61
+ rowsUpdated: number;
62
+ fieldsUpdated: number;
63
+ }
64
+ export interface FieldEncryptionPluginRefreshRequest<DB extends SyncClientDb = SyncClientDb> {
65
+ db: Kysely<DB>;
66
+ engine?: Pick<SyncEngine<DB>, 'recordLocalMutations'>;
67
+ targets?: RefreshEncryptedFieldsTarget[];
68
+ ctx?: Partial<SyncClientPluginContext>;
69
+ }
70
+ export interface FieldEncryptionPlugin extends SyncClientPlugin {
71
+ refreshEncryptedFields: <DB extends SyncClientDb = SyncClientDb>(options: FieldEncryptionPluginRefreshRequest<DB>) => Promise<RefreshEncryptedFieldsResult>;
72
+ }
73
+ export declare function createStaticFieldEncryptionKeys(args: {
74
+ keys: Record<string, Uint8Array | string>;
75
+ encryptionKid?: string;
76
+ }): FieldEncryptionKeys;
77
+ export declare function createFieldEncryptionPlugin(pluginOptions: FieldEncryptionPluginOptions): FieldEncryptionPlugin;
78
+ //# sourceMappingURL=index.d.ts.map
package/dist/index.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,UAAU,EACX,MAAM,kBAAkB,CAAC;AAO1B,OAAO,EAAE,KAAK,MAAM,EAAO,MAAM,QAAQ,CAAC;AAG1C,cAAc,eAAe,CAAC;AAI9B,KAAK,wBAAwB,GAAG,OAAO,GAAG,gBAAgB,CAAC;AAE3D,UAAU,mBAAmB;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sCAAsC;IACtC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC1D;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CACjB,GAAG,EAAE,uBAAuB,EAC5B,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,KACjE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED,UAAU,4BAA4B;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,mBAAmB,EAAE,CAAC;IAC7B,IAAI,EAAE,mBAAmB,CAAC;IAC1B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,wBAAwB,CAAC;IAC/C;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,UAAU,4BAA4B;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,4BAA4B;IAC3C,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;CACvB;AAeD,MAAM,WAAW,mCAAmC,CAClD,EAAE,SAAS,YAAY,GAAG,YAAY;IAEtC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;IACf,MAAM,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,sBAAsB,CAAC,CAAC;IACtD,OAAO,CAAC,EAAE,4BAA4B,EAAE,CAAC;IACzC,GAAG,CAAC,EAAE,OAAO,CAAC,uBAAuB,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;IAC7D,sBAAsB,EAAE,CAAC,EAAE,SAAS,YAAY,GAAG,YAAY,EAC7D,OAAO,EAAE,mCAAmC,CAAC,EAAE,CAAC,KAC7C,OAAO,CAAC,4BAA4B,CAAC,CAAC;CAC5C;AAgKD,wBAAgB,+BAA+B,CAAC,IAAI,EAAE;IACpD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GAAG,mBAAmB,CAiBtB;AAghBD,wBAAgB,2BAA2B,CACzC,aAAa,EAAE,4BAA4B,GAC1C,qBAAqB,CA8LvB"}