budibase/packages/backend-core/src/security/encryption.ts

import crypto from "crypto"
import env from "../environment"

const ALGO = "aes-256-ctr"
const SEPARATOR = "-"
const ITERATIONS = 10000
const RANDOM_BYTES = 16
const STRETCH_LENGTH = 32

export enum SecretOption {
  API = "api",
  ENCRYPTION = "encryption",
}

function getSecret(secretOption: SecretOption): string {
  let secret, secretName
  switch (secretOption) {
    case SecretOption.ENCRYPTION:
      secret = env.ENCRYPTION_KEY
      secretName = "ENCRYPTION_KEY"
      break
    case SecretOption.API:
    default:
      secret = env.API_ENCRYPTION_KEY
      secretName = "API_ENCRYPTION_KEY"
      break
  }
  if (!secret) {
    throw new Error(`Secret "${secretName}" has not been set in environment.`)
  }
  return secret
}

function stretchString(string: string, salt: Buffer) {
  return crypto.pbkdf2Sync(string, salt, ITERATIONS, STRETCH_LENGTH, "sha512")
}

export function encrypt(
  input: string,
  secretOption: SecretOption = SecretOption.API
) {
  const salt = crypto.randomBytes(RANDOM_BYTES)
  const stretched = stretchString(getSecret(secretOption), salt)
  const cipher = crypto.createCipheriv(ALGO, stretched, salt)
  const base = cipher.update(input)
  const final = cipher.final()
  const encrypted = Buffer.concat([base, final]).toString("hex")
  return `${salt.toString("hex")}${SEPARATOR}${encrypted}`
}

export function decrypt(
  input: string,
  secretOption: SecretOption = SecretOption.API
) {
  const [salt, encrypted] = input.split(SEPARATOR)
  const saltBuffer = Buffer.from(salt, "hex")
  const stretched = stretchString(getSecret(secretOption), saltBuffer)
  const decipher = crypto.createDecipheriv(ALGO, stretched, saltBuffer)
  const base = decipher.update(Buffer.from(encrypted, "hex"))
  const final = decipher.final()
  return Buffer.concat([base, final]).toString()
}
Complete conversion of backend-core to Typescript. 2022-11-24 19:48:51 +01:00			`import crypto from "crypto"`
			`import env from "../environment"`
Adding basic encrypt/decrypt pathway. 2022-02-14 19:32:09 +01:00
			`const ALGO = "aes-256-ctr"`
Using 10K iteration string stretching for encryption. 2022-02-14 22:37:40 +01:00			`const SEPARATOR = "-"`
			`const ITERATIONS = 10000`
			`const RANDOM_BYTES = 16`
			`const STRETCH_LENGTH = 32`

Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`export enum SecretOption {`
Rotatable secrets (#9982) * Rotatable secrets * Set new api encryption key var * Lint * Use fallback keys instead of array * Point api encryption key to dedicated value * Add API_ENCRYPTION_KEY to cli * Lint + add api encryption key to env files 2023-03-13 16:02:59 +01:00			`API = "api",`
Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`ENCRYPTION = "encryption",`
			`}`

			`function getSecret(secretOption: SecretOption): string {`
			`let secret, secretName`
			`switch (secretOption) {`
			`case SecretOption.ENCRYPTION:`
			`secret = env.ENCRYPTION_KEY`
			`secretName = "ENCRYPTION_KEY"`
			`break`
Rotatable secrets (#9982) * Rotatable secrets * Set new api encryption key var * Lint * Use fallback keys instead of array * Point api encryption key to dedicated value * Add API_ENCRYPTION_KEY to cli * Lint + add api encryption key to env files 2023-03-13 16:02:59 +01:00			`case SecretOption.API:`
Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`default:`
Rotatable secrets (#9982) * Rotatable secrets * Set new api encryption key var * Lint * Use fallback keys instead of array * Point api encryption key to dedicated value * Add API_ENCRYPTION_KEY to cli * Lint + add api encryption key to env files 2023-03-13 16:02:59 +01:00			`secret = env.API_ENCRYPTION_KEY`
			`secretName = "API_ENCRYPTION_KEY"`
Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`break`
			`}`
			`if (!secret) {`
			throw new Error(`Secret "${secretName}" has not been set in environment.`)
			`}`
			`return secret`
			`}`

Complete conversion of backend-core to Typescript. 2022-11-24 19:48:51 +01:00			`function stretchString(string: string, salt: Buffer) {`
Using 10K iteration string stretching for encryption. 2022-02-14 22:37:40 +01:00			`return crypto.pbkdf2Sync(string, salt, ITERATIONS, STRETCH_LENGTH, "sha512")`
			`}`
Adding basic encrypt/decrypt pathway. 2022-02-14 19:32:09 +01:00
Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`export function encrypt(`
			`input: string,`
Rotatable secrets (#9982) * Rotatable secrets * Set new api encryption key var * Lint * Use fallback keys instead of array * Point api encryption key to dedicated value * Add API_ENCRYPTION_KEY to cli * Lint + add api encryption key to env files 2023-03-13 16:02:59 +01:00			`secretOption: SecretOption = SecretOption.API`
Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`) {`
Using 10K iteration string stretching for encryption. 2022-02-14 22:37:40 +01:00			`const salt = crypto.randomBytes(RANDOM_BYTES)`
Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`const stretched = stretchString(getSecret(secretOption), salt)`
Using 10K iteration string stretching for encryption. 2022-02-14 22:37:40 +01:00			`const cipher = crypto.createCipheriv(ALGO, stretched, salt)`
Adding basic encrypt/decrypt pathway. 2022-02-14 19:32:09 +01:00			`const base = cipher.update(input)`
			`const final = cipher.final()`
			`const encrypted = Buffer.concat([base, final]).toString("hex")`
Using 10K iteration string stretching for encryption. 2022-02-14 22:37:40 +01:00			return `${salt.toString("hex")}${SEPARATOR}${encrypted}`
Adding basic encrypt/decrypt pathway. 2022-02-14 19:32:09 +01:00			`}`

Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`export function decrypt(`
			`input: string,`
Rotatable secrets (#9982) * Rotatable secrets * Set new api encryption key var * Lint * Use fallback keys instead of array * Point api encryption key to dedicated value * Add API_ENCRYPTION_KEY to cli * Lint + add api encryption key to env files 2023-03-13 16:02:59 +01:00			`secretOption: SecretOption = SecretOption.API`
Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`) {`
Using 10K iteration string stretching for encryption. 2022-02-14 22:37:40 +01:00			`const [salt, encrypted] = input.split(SEPARATOR)`
			`const saltBuffer = Buffer.from(salt, "hex")`
Some type updates and an improvement to encryption to allow selecting the secret from an option list. 2023-01-16 19:15:43 +01:00			`const stretched = stretchString(getSecret(secretOption), saltBuffer)`
Using 10K iteration string stretching for encryption. 2022-02-14 22:37:40 +01:00			`const decipher = crypto.createDecipheriv(ALGO, stretched, saltBuffer)`
Adding basic encrypt/decrypt pathway. 2022-02-14 19:32:09 +01:00			`const base = decipher.update(Buffer.from(encrypted, "hex"))`
			`const final = decipher.final()`
			`return Buffer.concat([base, final]).toString()`
			`}`