abler-api 1.0.78 → 1.0.80

package/dist/cjs/pp-util.js

@@ -291,6 +291,12 @@ class apiUtil$2 {
     };
   };
   static appAsPrefix = '?';
+  static cekEncryptOptions = {
+    algorithm: "aes-256-gcm",
+    // iv: 随机
+    encryptEncoding: "base64",
+    decryptEncoding: "utf8"
+  };
 
   // static apiCallRecSaver;
 
@@ -1362,32 +1368,155 @@ class apiUtil$2 {
   static corsCheckOrigin(origin, callback) {
     callback(null, apiUtil$2.isOriginAllowed(origin));
   }
+  static async restoreObj(key) {
+    return kvStorage.restoreObj(key).catch(() => null);
+  }
+
+  //#region ==== CEK 加解密及签名 ====
+
+  // 应用配置:
+  // appSetting:
+  //      e2eEncryptionNeeded
+  //      cekRotateTime
+  // errCfg:
+  //      ACCESS_REFUSED
+  //      CEK_EXPIRED
+  //      PUBLIC_ENCRYPT_FAIL
+  //      DECRYPT_FAIL
+  // dbSql
+  //      APP_QUERY
+
+  static async rotateCek(req) {
+    try {
+      const appInfo = req.appInfo;
+      const apiKey = appInfo.apiKey;
+      let cek = null;
+      if (appSetting.e2eEncryptionNeeded) {
+        await this.storePreviousCek(apiKey, req);
+        // 生成新的CEK
+        cek = await this.generateCek(appInfo, req);
+        console.log("已生成新的CEK", cek);
+      }
+      let result = this.apiSuccess(cek, req);
+      delete result.message; //减少数据尺寸，否则数据太长无法用公钥加密
+      delete result._elapse;
+      // options._res.publicKey = appInfo.publicKey; // 设置用于加密结果的公钥
+      return result;
+    } catch (e) {
+      return apiUtil$2.apiFail(e, req);
+    }
+  }
+  static cekExpired(cek) {
+    return new Date().valueOf() >= cek.expireAt;
+  }
   static validCek(cek, checkExpired = true) {
     if (!cek) {
-      throw [errCfg.ACCESS_REFUSED, t("CEK(内容加密密钥)尚未申请或已过期")];
+      throw [this.errCfg.CEK_EXPIRED, t("或尚未申请")];
     }
-    if (checkExpired && new Date().valueOf() >= cek.expireAt) {
-      throw errCfg.CEK_EXPIRED;
+    if (checkExpired && this.cekExpired(cek)) {
+      throw this.errCfg.CEK_EXPIRED;
     }
   }
+  static encryptContentText(contentText, cek) {
+    return ppCrypto.encryptData(contentText, cek.key, this.cekEncryptOptions);
+  }
   static encryptContent(content, cek) {
-    return ppCrypto.encryptData(content, cek.key, 'base64');
+    // let contentText = commonUtil.orderedJsonStringify(content);
+    let contentText = JSON.stringify(content);
+    return this.encryptContentText(contentText, cek);
+  }
+  static encryptResponseContent(response, result) {
+    if (!appSetting.e2eEncryptionNeeded) {
+      if (response.traceId) {
+        console.log(1, response.traceId, 'Response:', result);
+      }
+      return result;
+    }
+    if (response.traceId) {
+      console.log(1, response.traceId, 'Response before encrypt:', result);
+    }
+    const {
+      publicKey,
+      cek
+    } = response;
+    if (cek) {
+      if (response.newCek) {
+        result.newCek = response.newCek;
+      }
+      if (response.traceId) {
+        console.log(1, response.traceId, 'CEK:', cek);
+      }
+      result = {
+        encryptedContent: this.encryptContent(result, cek)
+      };
+    } else if (publicKey) {
+      if (response.traceId) {
+        console.log(1, response.traceId, 'PUBLIC KEY:', publicKey);
+      }
+      const message = Buffer.from(JSON.stringify(result), "utf8");
+      try {
+        result = ppCrypto.rsaEncrypt({
+          publicKey,
+          message
+        });
+      } catch (e) {
+        result = apiUtil$2.apiFail([errCfg.PUBLIC_ENCRYPT_FAIL, e.message], response.req);
+      }
+    }
+    if (response.traceId) {
+      console.log(1, response.traceId, 'Response after encrypt:', result);
+    }
+    return result;
   }
-  static decryptContent(content, cek) {
+  static decryptContentText(content, cek) {
     this.validCek(cek);
     try {
-      const result = ppCrypto.decryptData(content, cek.key, 'base64', 'utf8');
-      if (result.startsWith('{') || result.startsWith('[')) {
-        return JSON.parse(result);
-      }
-      return result;
+      return ppCrypto.decryptData(content, cek.key, this.cekEncryptOptions);
     } catch (e) {
-      throw [errCfg.DECRYPT_FAIL, e.message];
+      // console.log("内容", content);
+      // const req = RequestContext.get('req');
+      // console.log("headers", req.headers);
+      // console.error(e);
+      throw [this.errCfg.DECRYPT_FAIL, e.message];
     }
   }
-  static decryptRequestContent(req, res) {
+  static decryptContent(content, cek) {
+    let contentText = this.decryptContentText(content, cek);
+    if (contentText.startsWith('{') || contentText.startsWith('[')) {
+      return JSON.parse(contentText);
+    }
+    return contentText;
+  }
+
+  // static decryptRequestContent(req, res) {
+  //     if (!appSetting.e2eEncryptionNeeded)
+  //         return;
+  //     let params = apiUtil.extractParams(req);
+  //     if (params.encryptedContent) {
+  //         if (['DELETE', 'GET'].contains(req.method)) {
+  //             params.encryptedContent = decodeURIComponent(params.encryptedContent);
+  //         }
+  //         if (!req.appInfo) {
+  //             throw t('应用系统信息未知');
+  //         }
+  //         const decryptedContent = apiUtil.decryptContent(params.encryptedContent, req.appInfo.cek);
+  //         delete params.encryptedContent;
+  //         Object.assign(req.params, decryptedContent);
+  //     }
+  //     if (res) {
+  //         apiUtil.validCek(req.appInfo.cek);
+  //         res.cek = req.appInfo.cek; // 设置用于对称加密的CEK
+  //     }
+  // }
+
+  static async decryptRequestContent(req, res) {
     if (!appSetting.e2eEncryptionNeeded) return;
+    const appInfo = req.appInfo;
     let params = apiUtil$2.extractParams(req);
+    if (req.traceId) {
+      console.log(1, req.traceId, 'Request Params before decrypt:', params);
+      console.log(1, req.traceId, 'CEK:', appInfo.cek);
+    }
     if (params.encryptedContent) {
       if (['DELETE', 'GET'].contains(req.method)) {
         params.encryptedContent = decodeURIComponent(params.encryptedContent);
@@ -1395,23 +1524,67 @@ class apiUtil$2 {
       if (!req.appInfo) {
         throw t('应用系统信息未知');
       }
-      const decryptedContent = apiUtil$2.decryptContent(params.encryptedContent, req.appInfo.cek);
+      let decryptedContent;
+      try {
+        if (req.traceId) {
+          const dataText = this.decryptContentText(params.encryptedContent, appInfo.cek);
+          console.log(1, req.traceId, 'Decrypted text:', dataText);
+        }
+        decryptedContent = this.decryptContent(params.encryptedContent, appInfo.cek);
+      } catch (e) {
+        let cek = appInfo.cek;
+        console.log("解密失败 CEK", cek?.key, new Date(cek?.expireAt).format('MM.dd hh:mm:ss'));
+        // 尝试用前一个 CEK 解密
+        const previousCek = await this.restorePreviousCek(appInfo.apiKey, req);
+        if (!previousCek) {
+          throw e;
+        }
+        cek = previousCek;
+        console.log("换用前任 CEK", cek.key, new Date(cek.expireAt).format('MM.dd hh:mm:ss'));
+        try {
+          decryptedContent = this.decryptContent(params.encryptedContent, cek);
+          if (res) {
+            res.newCek = appInfo.cek;
+          }
+          appInfo.cek = cek;
+        } catch (e) {
+          console.log("换用前任解密依然失败", "ApiKey", appInfo.apiKey, "x-api-key", req.headers["x-api-key"] || req.headers["api-key"]);
+          throw e;
+        }
+      }
       delete params.encryptedContent;
-      Object.assign(req.params, decryptedContent);
+      Object.assign(params, decryptedContent);
+    }
+    if (req.traceId) {
+      console.log(1, req.traceId, 'Request Params after decrypt:', params);
     }
     if (res) {
-      apiUtil$2.validCek(req.appInfo.cek);
-      res.cek = req.appInfo.cek; // 设置用于对称加密的CEK
+      this.validCek(appInfo.cek);
+      res.cek = appInfo.cek; // 设置用于对称加密的CEK
     }
   }
-  static async restoreObj(key) {
-    return kvStorage.restoreObj(key).catch(() => null);
+  static async storePreviousCek(apiKey, req) {
+    let cekKey = this.cekStoreKey(apiKey, req);
+    const previousCek = await this.restoreObj(cekKey);
+    if (previousCek && !this.cekExpired(previousCek)) {
+      // 轮换期间保留旧版本一段时间
+      cekKey += "_p";
+      await kvStorage.storeObj(cekKey, previousCek, appSetting.cekRotateTime);
+    }
+  }
+  static async restorePreviousCek(apiKey, req) {
+    let cekKey = this.cekStoreKey(apiKey, req) + "_p";
+    return await this.restoreObj(cekKey);
   }
   static cekStoreKey(apiKey, req) {
-    return `cek_${this.appAsPrefix}_${apiKey}_${apiUtil$2.getClientIp(req)}`;
+    //     return `cek_${this.appAsPrefix}_${apiKey}_${apiUtil.getClientIp(req)}`
+    let key = `cek_${this.appAsPrefix}_${apiKey}`;
+    if (req?.apiClientId) {
+      return `${key}@${req.apiClientId}`;
+    }
+    return key;
   }
   static async generateCek(appInfo, req, key) {
-    //todo: 检查既有 cek
     let t = new Date().valueOf();
     const cek = {
       key: key || ppUtil$3.newGuid() + ppUtil$3.newGuid(),
@@ -1605,6 +1778,8 @@ class apiUtil$2 {
 
   //#endregion
 
+  //#endregion
+
   //region ====中间件
 
   /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "abler-api",
-  "version": "1.0.78",
+  "version": "1.0.80",
   "description": "API服务相关工具",
   "main": "./dist/cjs/pp-util.js",
   "-module": "./dist/es/pp-util.js",
@@ -15,13 +15,13 @@
   "author": "peng_peng",
   "license": "ISC",
   "dependencies": {
-    "abler-db": "^1.0.86",
-    "abler-i18n": "^1.0.21",
-    "abler-messenger": "^1.1.41",
-    "abler-net": "^1.0.42",
-    "abler-util": "^1.0.40",
+    "abler-db": "^1.0.88",
+    "abler-i18n": "^1.0.22",
+    "abler-messenger": "^1.1.43",
+    "abler-net": "^1.0.44",
+    "abler-util": "^1.0.42",
     "basic-auth": "^2.0.1",
     "node-cron": "^3.0.1"
   },
-  "gitHead": "5ceb8a2723650bc8c2a3a8c200c1e7441db9dda5"
+  "gitHead": "24a18765761c03e679c089ea9c0c6eb255ea95e6"
 }