meyi-vault-server 1.0.0

package/src/utils/auth.mjs

@@ -0,0 +1,60 @@
+import { eq, and, isNull, or, sql, gt } from 'drizzle-orm'
+import { vaultVaults, vaultGrants, vaultGroups, vaultEntries } from '../database/schema.mjs'
+
+/**
+ * Checks if a user has access to a vault.
+ * @returns {Promise<{ access: boolean, isOwner: boolean, vault: any }>}
+ */
+export async function checkVaultAccess(db, vaultId, user, requireOwner = false) {
+  const [vault] = await db.select().from(vaultVaults).where(eq(vaultVaults.id, vaultId))
+  if (!vault) return { access: false, isOwner: false, vault: null }
+
+  const isOwner = vault.owner_id === user.id || user.role === 'admin'
+  if (isOwner) return { access: true, isOwner: true, vault }
+
+  if (requireOwner) return { access: false, isOwner: false, vault }
+
+  // Check for any active grant for this user that covers this vault or any children
+  // To handle child-level grants properly, we find all grants for this user
+  // that are either for this vault OR for groups/entries within this vault.
+  
+  const activeGrants = await db.select().from(vaultGrants).where(
+    and(
+      eq(vaultGrants.grantee_id, user.id),
+      isNull(vaultGrants.revoked_at),
+      or(
+        isNull(vaultGrants.expires_at),
+        gt(vaultGrants.expires_at, sql`now()`)
+      )
+    )
+  )
+
+  // Filter grants that belong to this vault
+  for (const grant of activeGrants) {
+    if (grant.scope === 'vault' && grant.scope_id === vaultId) return { access: true, isOwner: false, vault }
+    
+    // Check if it's a child resource of this vault
+    const grantVaultId = await getVaultIdForScope(db, grant.scope, grant.scope_id)
+    if (grantVaultId === vaultId) return { access: true, isOwner: false, vault }
+  }
+
+  return { access: false, isOwner: false, vault }
+}
+
+/**
+ * Finds the vaultId for a given scope and id.
+ */
+export async function getVaultIdForScope(db, scope, id) {
+  if (scope === 'vault') return id
+  if (scope === 'group') {
+    const [g] = await db.select().from(vaultGroups).where(eq(vaultGroups.id, id))
+    return g?.vault_id
+  }
+  if (scope === 'entry') {
+    const [e] = await db.select().from(vaultEntries).where(eq(vaultEntries.id, id))
+    if (!e) return null
+    const [g] = await db.select().from(vaultGroups).where(eq(vaultGroups.id, e.group_id))
+    return g?.vault_id
+  }
+  return null
+}

package/src/utils/crypto.mjs

@@ -0,0 +1,97 @@
+/**
+ * AES-256-GCM encryption utilities.
+ *
+ * Design decisions:
+ * - AES-256-GCM provides authenticated encryption — gives both
+ *   confidentiality AND integrity. A tampered ciphertext will throw
+ *   on decrypt rather than silently return garbage.
+ * - 12-byte IV is the NIST-recommended length for GCM. Generates a
+ *   fresh random IV per encryption — never reuse under the same key.
+ * - 16-byte (128-bit) auth tag — maximum GCM tag length.
+ * - All binary values stored as base64 strings for safe JSON/DB transport.
+ * - Key stored as a 64-char hex string (32 bytes).
+ */
+
+import { createCipheriv, createDecipheriv, randomBytes } from 'crypto'
+
+/**
+ * Generate a new random AES-256 vault key.
+ * Returns a 64-character hex string.
+ */
+export function generateVaultKey() {
+  return randomBytes(32).toString('hex')
+}
+
+/**
+ * Encrypt a UTF-8 plaintext string.
+ * @param {string} plaintext
+ * @param {string} keyHex  64-char hex string (32 bytes)
+ * @returns {{ encrypted_data: string, iv: string, auth_tag: string }}
+ */
+export function encrypt(plaintext, keyHex) {
+  const key = Buffer.from(keyHex, 'hex')
+  if (key.length !== 32) throw new Error('AES key must be 32 bytes (64 hex chars)')
+
+  const iv = randomBytes(12) // 96-bit IV — NIST recommended for GCM
+  const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
+
+  const ciphertext = Buffer.concat([
+    cipher.update(plaintext, 'utf8'),
+    cipher.final(),
+  ])
+
+  return {
+    encrypted_data: ciphertext.toString('base64'),
+    iv: iv.toString('base64'),
+    auth_tag: cipher.getAuthTag().toString('base64'),
+  }
+}
+
+/**
+ * Decrypt AES-256-GCM ciphertext.
+ * Throws ERR_CRYPTO_INVALID_AUTH_TAG if the data was tampered with.
+ *
+ * @param {string} encryptedData  base64 ciphertext
+ * @param {string} iv             base64 12-byte IV
+ * @param {string} authTag        base64 16-byte GCM auth tag
+ * @param {string} keyHex         64-char hex string
+ * @returns {string}              decrypted UTF-8 string
+ */
+export function decrypt(encryptedData, iv, authTag, keyHex) {
+  const key = Buffer.from(keyHex, 'hex')
+  if (key.length !== 32) throw new Error('AES key must be 32 bytes')
+
+  const decipher = createDecipheriv(
+    'aes-256-gcm',
+    key,
+    Buffer.from(iv, 'base64'),
+    { authTagLength: 16 }
+  )
+  // Must set auth tag before final() — throws if tampered
+  decipher.setAuthTag(Buffer.from(authTag, 'base64'))
+
+  return Buffer.concat([
+    decipher.update(Buffer.from(encryptedData, 'base64')),
+    decipher.final(), // ← throws if auth tag mismatch
+  ]).toString('utf8')
+}
+
+/**
+ * Convert an expiresIn shorthand to a future Date.
+ * Returns null if no expiry requested.
+ *
+ * @param {'1h'|'8h'|'24h'|'7d'|'30d'|null} expiresIn
+ * @returns {Date|null}
+ */
+export function expiresInToDate(expiresIn) {
+  if (!expiresIn) return null
+  const seconds = { '1h': 3600, '8h': 28800, '24h': 86400, '7d': 604800, '30d': 2592000 }
+  
+  if (seconds[expiresIn]) {
+    return new Date(Date.now() + seconds[expiresIn] * 1000)
+  }
+
+  // Try parsing as ISO string for custom dates
+  const date = new Date(expiresIn)
+  return isNaN(date.getTime()) ? null : date
+}