36 lines
1.3 KiB
JavaScript
36 lines
1.3 KiB
JavaScript
import crypto from 'node:crypto';
|
|
import { config } from '../config.js';
|
|
|
|
function keyBuffer() {
|
|
// Derive fixed-length AES key material from the configured secret-like environment value.
|
|
return crypto.createHash('sha256').update(config.credentialStoreKey).digest();
|
|
}
|
|
|
|
export function encryptSecret(value = '') {
|
|
// AES-GCM stores cipher text plus IV/tag so reads can expose metadata without returning secrets.
|
|
const iv = crypto.randomBytes(12);
|
|
const cipher = crypto.createCipheriv('aes-256-gcm', keyBuffer(), iv);
|
|
const encrypted = Buffer.concat([cipher.update(String(value), 'utf8'), cipher.final()]);
|
|
const tag = cipher.getAuthTag();
|
|
return {
|
|
cipher: encrypted.toString('base64'),
|
|
iv: iv.toString('base64'),
|
|
tag: tag.toString('base64')
|
|
};
|
|
}
|
|
|
|
export function decryptSecret(record) {
|
|
// Missing cipher fields mean the credential has no retrievable secret rather than throwing.
|
|
if (!record?.secret_cipher || !record?.secret_iv || !record?.secret_tag) return '';
|
|
const decipher = crypto.createDecipheriv(
|
|
'aes-256-gcm',
|
|
keyBuffer(),
|
|
Buffer.from(record.secret_iv, 'base64')
|
|
);
|
|
decipher.setAuthTag(Buffer.from(record.secret_tag, 'base64'));
|
|
return Buffer.concat([
|
|
decipher.update(Buffer.from(record.secret_cipher, 'base64')),
|
|
decipher.final()
|
|
]).toString('utf8');
|
|
}
|