From 92d457ac004dc5395dd2054fd6e6badc566b58b7 Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Mon, 14 Feb 2022 18:32:09 +0000 Subject: [PATCH] Adding basic encrypt/decrypt pathway. --- packages/backend-core/encryption.js | 1 + .../src/middleware/authenticated.js | 2 ++ .../backend-core/src/security/encryption.js | 27 +++++++++++++++++++ .../worker/src/api/controllers/global/self.js | 7 ++--- 4 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 packages/backend-core/encryption.js create mode 100644 packages/backend-core/src/security/encryption.js diff --git a/packages/backend-core/encryption.js b/packages/backend-core/encryption.js new file mode 100644 index 0000000000..4ccb6e3a99 --- /dev/null +++ b/packages/backend-core/encryption.js @@ -0,0 +1 @@ +module.exports = require("./src/security/encryption") diff --git a/packages/backend-core/src/middleware/authenticated.js b/packages/backend-core/src/middleware/authenticated.js index 2d24f7fb21..0cb56b5b69 100644 --- a/packages/backend-core/src/middleware/authenticated.js +++ b/packages/backend-core/src/middleware/authenticated.js @@ -6,6 +6,7 @@ const { buildMatcherRegex, matches } = require("./matchers") const env = require("../environment") const { SEPARATOR, ViewNames, queryGlobalView } = require("../../db") const { getGlobalDB } = require("../tenancy") +const { decrypt } = require("../security/encryption") function finalise( ctx, @@ -22,6 +23,7 @@ async function checkApiKey(apiKey, populateUser) { if (apiKey === env.INTERNAL_API_KEY) { return { valid: true } } + apiKey = decrypt(apiKey) const tenantId = apiKey.split(SEPARATOR)[0] const db = getGlobalDB(tenantId) const userId = await queryGlobalView( diff --git a/packages/backend-core/src/security/encryption.js b/packages/backend-core/src/security/encryption.js new file mode 100644 index 0000000000..8bb7def541 --- /dev/null +++ b/packages/backend-core/src/security/encryption.js @@ -0,0 +1,27 @@ +const crypto = require("crypto") +const env = require("../environment") + +const ALGO = "aes-256-ctr" +const SECRET = env.JWT_SECRET +const SEPARATOR = "/" + +exports.encrypt = input => { + const random = crypto.randomBytes(16) + const cipher = crypto.createCipheriv(ALGO, SECRET, random) + const base = cipher.update(input) + const final = cipher.final() + const encrypted = Buffer.concat([base, final]).toString("hex") + return `${random.toString("hex")}${SEPARATOR}${encrypted}` +} + +exports.decrypt = input => { + const [random, encrypted] = input.split(SEPARATOR) + const decipher = crypto.createDecipheriv( + ALGO, + SECRET, + Buffer.from(random, "hex") + ) + const base = decipher.update(Buffer.from(encrypted, "hex")) + const final = decipher.final() + return Buffer.concat([base, final]).toString() +} diff --git a/packages/worker/src/api/controllers/global/self.js b/packages/worker/src/api/controllers/global/self.js index 26e07e63bb..ea29c496e8 100644 --- a/packages/worker/src/api/controllers/global/self.js +++ b/packages/worker/src/api/controllers/global/self.js @@ -2,11 +2,12 @@ const { getGlobalDB, getTenantId } = require("@budibase/backend-core/tenancy") const { generateDevInfoID, SEPARATOR } = require("@budibase/backend-core/db") const { user: userCache } = require("@budibase/backend-core/cache") const { hash, platformLogout } = require("@budibase/backend-core/utils") +const { encrypt } = require("@budibase/backend-core/encryption") const { newid } = require("@budibase/backend-core/utils") const { getUser } = require("../../utilities") function newApiKey() { - return hash(`${getTenantId()}${SEPARATOR}${newid()}`) + return encrypt(`${getTenantId()}${SEPARATOR}${newid()}`) } function cleanupDevInfo(info) { @@ -25,7 +26,7 @@ exports.generateAPIKey = async ctx => { } catch (err) { devInfo = { _id: id, userId: ctx.user._id } } - devInfo.apiKey = newApiKey() + devInfo.apiKey = await newApiKey() await db.put(devInfo) ctx.body = cleanupDevInfo(devInfo) } @@ -40,7 +41,7 @@ exports.fetchAPIKey = async ctx => { devInfo = { _id: id, userId: ctx.user._id, - apiKey: newApiKey(), + apiKey: await newApiKey(), } await db.put(devInfo) }