@syncular/client-plugin-encryption 0.0.1 → 0.0.2-126

package/src/__tests__/scope-resolution.test.ts

@@ -0,0 +1,202 @@
+import { describe, expect, test } from 'bun:test';
+import type {
+  SyncPullRequest,
+  SyncPullResponse,
+  SyncPushRequest,
+  SyncPushResponse,
+} from '@syncular/core';
+import {
+  createFieldEncryptionPlugin,
+  createStaticFieldEncryptionKeys,
+  generateSymmetricKey,
+} from '../index';
+
+const keyId = 'scope-resolution';
+const keys = createStaticFieldEncryptionKeys({
+  keys: { [keyId]: generateSymmetricKey() },
+  encryptionKid: keyId,
+});
+
+const plugin = createFieldEncryptionPlugin({
+  rules: [
+    {
+      scope: 'workspace_tasks',
+      table: 'tasks',
+      fields: ['title'],
+    },
+  ],
+  keys,
+});
+
+const context = { actorId: 'actor-1', clientId: 'client-1' };
+
+async function buildEncryptedTitle(): Promise<string> {
+  const request: SyncPushRequest = {
+    clientId: 'client-1',
+    clientCommitId: 'commit-1',
+    schemaVersion: 1,
+    operations: [
+      {
+        table: 'tasks',
+        row_id: 'task-1',
+        op: 'upsert',
+        payload: {
+          id: 'task-1',
+          title: 'Secret title',
+        },
+        base_version: null,
+      },
+    ],
+  };
+
+  const encrypted = await plugin.beforePush!(context, request);
+  const encryptedTitle = encrypted.operations[0]?.payload?.title;
+  if (typeof encryptedTitle !== 'string') {
+    throw new Error('Expected encrypted title to be a string');
+  }
+  return encryptedTitle;
+}
+
+describe('Field encryption scope/table resolution', () => {
+  test('encrypts beforePush when rule scope differs from operation table', async () => {
+    const request: SyncPushRequest = {
+      clientId: 'client-1',
+      clientCommitId: 'commit-1',
+      schemaVersion: 1,
+      operations: [
+        {
+          table: 'tasks',
+          row_id: 'task-1',
+          op: 'upsert',
+          payload: {
+            id: 'task-1',
+            title: 'Secret title',
+            completed: false,
+          },
+          base_version: null,
+        },
+      ],
+    };
+
+    const encrypted = await plugin.beforePush!(context, request);
+    const payload = encrypted.operations[0]?.payload;
+    const encryptedTitle = payload?.title;
+
+    expect(typeof encryptedTitle).toBe('string');
+    expect(encryptedTitle).not.toBe('Secret title');
+    expect(String(encryptedTitle).startsWith('dgsync:e2ee:1:')).toBe(true);
+    expect(payload?.completed).toBe(false);
+  });
+
+  test('decrypts afterPush conflict rows with scope/table mismatch rules', async () => {
+    const encryptedTitle = await buildEncryptedTitle();
+
+    const request: SyncPushRequest = {
+      clientId: 'client-1',
+      clientCommitId: 'commit-2',
+      schemaVersion: 1,
+      operations: [
+        {
+          table: 'tasks',
+          row_id: 'task-1',
+          op: 'upsert',
+          payload: {
+            id: 'task-1',
+            title: 'Secret title',
+          },
+          base_version: null,
+        },
+      ],
+    };
+
+    const response: SyncPushResponse = {
+      ok: true,
+      status: 'rejected',
+      results: [
+        {
+          opIndex: 0,
+          status: 'conflict',
+          message: 'conflict',
+          server_version: 2,
+          server_row: {
+            id: 'task-1',
+            title: encryptedTitle,
+          },
+        },
+      ],
+    };
+
+    const next = await plugin.afterPush!(context, { request, response });
+    const conflict = next.results[0];
+
+    if (!conflict || conflict.status !== 'conflict') {
+      throw new Error('Expected conflict result in afterPush response');
+    }
+    if (!('server_row' in conflict)) {
+      throw new Error('Expected conflict server_row in afterPush response');
+    }
+    if (
+      typeof conflict.server_row !== 'object' ||
+      conflict.server_row === null ||
+      Array.isArray(conflict.server_row)
+    ) {
+      throw new Error('Expected conflict server_row to be an object');
+    }
+    expect(conflict.server_row.title).toBe('Secret title');
+  });
+
+  test('decrypts incremental pull rows when change.table is the scope name', async () => {
+    const encryptedTitle = await buildEncryptedTitle();
+
+    const request: SyncPullRequest = {
+      clientId: 'client-1',
+      limitCommits: 50,
+      subscriptions: [],
+    };
+
+    const response: SyncPullResponse = {
+      ok: true,
+      subscriptions: [
+        {
+          id: 'workspace-sub',
+          status: 'active',
+          scopes: {},
+          bootstrap: false,
+          nextCursor: 1,
+          commits: [
+            {
+              commitSeq: 1,
+              createdAt: new Date(0).toISOString(),
+              actorId: 'actor-1',
+              changes: [
+                {
+                  table: 'workspace_tasks',
+                  row_id: 'task-1',
+                  op: 'upsert',
+                  row_json: {
+                    id: 'task-1',
+                    title: encryptedTitle,
+                  },
+                  row_version: 2,
+                  scopes: {},
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    };
+
+    const next = await plugin.afterPull!(context, { request, response });
+    const change =
+      next.subscriptions[0]?.commits[0]?.changes[0]?.row_json ?? null;
+    if (
+      typeof change !== 'object' ||
+      change === null ||
+      Array.isArray(change)
+    ) {
+      throw new Error('Expected decrypted change row_json object');
+    }
+    expect(change.title).toBe('Secret title');
+  });
+});

package/src/crypto-utils.test.ts

@@ -0,0 +1,84 @@
+import { afterEach, describe, expect, test } from 'bun:test';
+import {
+  base64ToBytes,
+  base64UrlToBytes,
+  bytesToBase64,
+  bytesToBase64Url,
+  hexToBytes,
+  randomBytes,
+} from './crypto-utils';
+
+let originalBuffer: typeof Buffer | undefined;
+let bufferOverridden = false;
+
+function disableBufferRuntime(): void {
+  originalBuffer = globalThis.Buffer;
+  Object.defineProperty(globalThis, 'Buffer', {
+    value: undefined,
+    writable: true,
+    configurable: true,
+  });
+  bufferOverridden = true;
+}
+
+function restoreBufferRuntime(): void {
+  if (!bufferOverridden) return;
+  Object.defineProperty(globalThis, 'Buffer', {
+    value: originalBuffer,
+    writable: true,
+    configurable: true,
+  });
+  bufferOverridden = false;
+}
+
+afterEach(() => {
+  restoreBufferRuntime();
+});
+
+describe('crypto-utils', () => {
+  test('encodes and decodes base64 payloads', () => {
+    const bytes = new Uint8Array([0, 1, 2, 253, 254, 255]);
+    const encoded = bytesToBase64(bytes);
+    const decoded = base64ToBytes(encoded);
+    expect(decoded).toEqual(bytes);
+  });
+
+  test('encodes and decodes base64url payloads', () => {
+    const bytes = new Uint8Array([0, 1, 2, 253, 254, 255]);
+    const encoded = bytesToBase64Url(bytes);
+    const decoded = base64UrlToBytes(encoded);
+    expect(decoded).toEqual(bytes);
+  });
+
+  test('rejects malformed base64 inputs', () => {
+    expect(() => base64ToBytes('@@@@')).toThrow('Invalid base64 string');
+    expect(() => base64UrlToBytes('@@@@')).toThrow('Invalid base64url string');
+  });
+
+  test('works when Buffer is unavailable', () => {
+    disableBufferRuntime();
+
+    const bytes = new Uint8Array([0, 1, 2, 253, 254, 255]);
+    const encoded = bytesToBase64(bytes);
+    const decoded = base64ToBytes(encoded);
+    expect(decoded).toEqual(bytes);
+
+    const encodedUrl = bytesToBase64Url(bytes);
+    const decodedUrl = base64UrlToBytes(encodedUrl);
+    expect(decodedUrl).toEqual(bytes);
+  });
+
+  test('parses hex strings', () => {
+    expect(hexToBytes('00a1ff')).toEqual(new Uint8Array([0, 161, 255]));
+    expect(() => hexToBytes('0')).toThrow(
+      'Invalid hex string (length must be even)'
+    );
+    expect(() => hexToBytes('zz')).toThrow('Invalid hex string');
+  });
+
+  test('creates random byte arrays', () => {
+    const bytes = randomBytes(32);
+    expect(bytes).toBeInstanceOf(Uint8Array);
+    expect(bytes.length).toBe(32);
+  });
+});

package/src/crypto-utils.ts

@@ -0,0 +1,125 @@
+const BASE64_CHARS =
+  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
+const BASE64_LOOKUP = new Uint8Array(256);
+
+for (let i = 0; i < BASE64_CHARS.length; i++) {
+  BASE64_LOOKUP[BASE64_CHARS.charCodeAt(i)] = i;
+}
+
+const BASE64_PATTERN =
+  /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
+const BASE64_URL_PATTERN = /^[A-Za-z0-9_-]*$/;
+
+export function randomBytes(length: number): Uint8Array {
+  const cryptoObj = globalThis.crypto;
+  if (!cryptoObj?.getRandomValues) {
+    throw new Error(
+      'Secure random generator is not available (crypto.getRandomValues). ' +
+        'Ensure you are running in a secure context or polyfill crypto.'
+    );
+  }
+  const out = new Uint8Array(length);
+  cryptoObj.getRandomValues(out);
+  return out;
+}
+
+export function bytesToBase64(bytes: Uint8Array): string {
+  if (typeof Buffer !== 'undefined') {
+    return Buffer.from(bytes).toString('base64');
+  }
+
+  let result = '';
+  const len = bytes.length;
+  const remainder = len % 3;
+
+  for (let i = 0; i < len - remainder; i += 3) {
+    const a = bytes[i]!;
+    const b = bytes[i + 1]!;
+    const c = bytes[i + 2]!;
+    result +=
+      BASE64_CHARS.charAt((a >> 2) & 0x3f) +
+      BASE64_CHARS.charAt(((a << 4) | (b >> 4)) & 0x3f) +
+      BASE64_CHARS.charAt(((b << 2) | (c >> 6)) & 0x3f) +
+      BASE64_CHARS.charAt(c & 0x3f);
+  }
+
+  if (remainder === 1) {
+    const a = bytes[len - 1]!;
+    result +=
+      BASE64_CHARS.charAt((a >> 2) & 0x3f) +
+      BASE64_CHARS.charAt((a << 4) & 0x3f) +
+      '==';
+  } else if (remainder === 2) {
+    const a = bytes[len - 2]!;
+    const b = bytes[len - 1]!;
+    result +=
+      BASE64_CHARS.charAt((a >> 2) & 0x3f) +
+      BASE64_CHARS.charAt(((a << 4) | (b >> 4)) & 0x3f) +
+      BASE64_CHARS.charAt((b << 2) & 0x3f) +
+      '=';
+  }
+
+  return result;
+}
+
+export function base64ToBytes(base64: string): Uint8Array {
+  if (!BASE64_PATTERN.test(base64)) {
+    throw new Error('Invalid base64 string');
+  }
+
+  if (typeof Buffer !== 'undefined') {
+    return new Uint8Array(Buffer.from(base64, 'base64'));
+  }
+
+  const len = base64.length;
+  let padding = 0;
+  if (base64[len - 1] === '=') padding++;
+  if (base64[len - 2] === '=') padding++;
+
+  const outputLen = (len * 3) / 4 - padding;
+  const out = new Uint8Array(outputLen);
+
+  let outIdx = 0;
+  for (let i = 0; i < len; i += 4) {
+    const a = BASE64_LOOKUP[base64.charCodeAt(i)]!;
+    const b = BASE64_LOOKUP[base64.charCodeAt(i + 1)]!;
+    const c = BASE64_LOOKUP[base64.charCodeAt(i + 2)]!;
+    const d = BASE64_LOOKUP[base64.charCodeAt(i + 3)]!;
+
+    out[outIdx++] = (a << 2) | (b >> 4);
+    if (outIdx < outputLen) out[outIdx++] = ((b << 4) | (c >> 2)) & 0xff;
+    if (outIdx < outputLen) out[outIdx++] = ((c << 6) | d) & 0xff;
+  }
+
+  return out;
+}
+
+export function bytesToBase64Url(bytes: Uint8Array): string {
+  return bytesToBase64(bytes)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+export function base64UrlToBytes(base64url: string): Uint8Array {
+  if (!BASE64_URL_PATTERN.test(base64url)) {
+    throw new Error('Invalid base64url string');
+  }
+  const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+  const padded = base64 + '==='.slice((base64.length + 3) % 4);
+  return base64ToBytes(padded);
+}
+
+export function hexToBytes(hex: string): Uint8Array {
+  const normalized = hex.trim().toLowerCase();
+  if (normalized.length % 2 !== 0) {
+    throw new Error('Invalid hex string (length must be even)');
+  }
+  const out = new Uint8Array(normalized.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    const byte = Number.parseInt(normalized.slice(i * 2, i * 2 + 2), 16);
+    if (!Number.isFinite(byte)) throw new Error('Invalid hex string');
+    out[i] = byte;
+  }
+  return out;
+}