Initial
This commit is contained in:
35
server/services/cryptoStore.js
Normal file
35
server/services/cryptoStore.js
Normal file
@@ -0,0 +1,35 @@
|
||||
import crypto from 'node:crypto';
|
||||
import { config } from '../config.js';
|
||||
|
||||
function keyBuffer() {
|
||||
// Derive fixed-length AES key material from the configured secret-like environment value.
|
||||
return crypto.createHash('sha256').update(config.credentialStoreKey).digest();
|
||||
}
|
||||
|
||||
export function encryptSecret(value = '') {
|
||||
// AES-GCM stores cipher text plus IV/tag so reads can expose metadata without returning secrets.
|
||||
const iv = crypto.randomBytes(12);
|
||||
const cipher = crypto.createCipheriv('aes-256-gcm', keyBuffer(), iv);
|
||||
const encrypted = Buffer.concat([cipher.update(String(value), 'utf8'), cipher.final()]);
|
||||
const tag = cipher.getAuthTag();
|
||||
return {
|
||||
cipher: encrypted.toString('base64'),
|
||||
iv: iv.toString('base64'),
|
||||
tag: tag.toString('base64')
|
||||
};
|
||||
}
|
||||
|
||||
export function decryptSecret(record) {
|
||||
// Missing cipher fields mean the credential has no retrievable secret rather than throwing.
|
||||
if (!record?.secret_cipher || !record?.secret_iv || !record?.secret_tag) return '';
|
||||
const decipher = crypto.createDecipheriv(
|
||||
'aes-256-gcm',
|
||||
keyBuffer(),
|
||||
Buffer.from(record.secret_iv, 'base64')
|
||||
);
|
||||
decipher.setAuthTag(Buffer.from(record.secret_tag, 'base64'));
|
||||
return Buffer.concat([
|
||||
decipher.update(Buffer.from(record.secret_cipher, 'base64')),
|
||||
decipher.final()
|
||||
]).toString('utf8');
|
||||
}
|
||||
Reference in New Issue
Block a user