Enable encryption of secret config data in DB.

Author: valera-rozuvan

.vercelignore

@@ -0,0 +1 @@
+api/dist

api/app/config/get_app_config.ts

@@ -1,6 +1,6 @@
-import { DB, CError, disableApiRequestsHere } from '../../tools'
+import { DB, CError, disableApiRequestsHere, decryptText } from '../../tools'
 import { IAppConfig, IAppConfigDbItem } from '../../types'
-import { ROOMS_DB_NAME } from '../../constants'
+import { ROOMS_DB_NAME, ENV_ENCRYPTION_DETAILS } from '../../constants'
 
 export default disableApiRequestsHere
 
@@ -36,6 +36,7 @@ async function getAppConfig(): Promise<IAppConfig> {
         _id: 0,
         key: 1,
         value: 1,
+        encrypted: 1,
       },
     }
 
@@ -46,7 +47,13 @@ async function getAppConfig(): Promise<IAppConfig> {
     }
 
     await cursor.forEach((item: IAppConfigDbItem) => {
-      appConfig[item.key] = item.value
+      let value = item.value
+
+      if (item.encrypted === true) {
+        value = decryptText(ENV_ENCRYPTION_DETAILS, value)
+      }
+
+      appConfig[item.key] = value
     })
   } catch (err) {
     throw new CError(500, 'Something went wrong while getting app config.')

api/constants/app.ts

@@ -9,6 +9,9 @@ const COMMIT_SHA: string = process.env.VERCEL_GITHUB_COMMIT_SHA || '{commit_hash
 
 const APP_VERSION = `${COMMIT_REF}:${COMMIT_SHA}`
 
+const ENV_ENCRYPTION_DETAILS: string = process.env.ENV_ENCRYPTION_DETAILS || '{commit_hash}'
+
 export {
   APP_VERSION,
+  ENV_ENCRYPTION_DETAILS,
 }

api/constants/index.ts

@@ -6,6 +6,7 @@ export default disableApiRequestsHere
 
 export {
   APP_VERSION,
+  ENV_ENCRYPTION_DETAILS,
 } from './app'
 
 export {

api/tools/crypto.ts

@@ -0,0 +1,36 @@
+import * as crypto from 'crypto'
+
+import { disableApiRequestsHere } from '../tools'
+
+export default disableApiRequestsHere
+
+/* --------------- internal API methods/structure below --------------- */
+
+function encryptText(encryptionDetails: string, text: string): string {
+  const [algorithm, secretKeyRaw, ivRaw] = encryptionDetails.split(':')
+
+  const secretKey = crypto.createHash('sha256').update(String(secretKeyRaw)).digest('base64').substr(0, 32)
+  const iv = Buffer.from(ivRaw, 'hex')
+
+  const cipher = crypto.createCipheriv(algorithm, secretKey, iv);
+  const encrypted = Buffer.concat([cipher.update(text), cipher.final()]);
+
+  return encrypted.toString('hex')
+}
+
+function decryptText(encryptionDetails: string, hash: string): string {
+  const [algorithm, secretKeyRaw, ivRaw] = encryptionDetails.split(':')
+
+  const secretKey = crypto.createHash('sha256').update(String(secretKeyRaw)).digest('base64').substr(0, 32)
+  const iv = Buffer.from(ivRaw, 'hex')
+
+  const decipher = crypto.createDecipheriv(algorithm, secretKey, iv);
+  const decrpyted = Buffer.concat([decipher.update(Buffer.from(hash, 'hex')), decipher.final()]);
+
+  return decrpyted.toString()
+}
+
+export {
+  encryptText,
+  decryptText,
+}

api/tools/index.ts

@@ -48,3 +48,8 @@ export {
 export {
   AppConfig,
 } from './app_config'
+
+export {
+  encryptText,
+  decryptText,
+} from './crypto'

api/types/app_config.ts

@@ -24,6 +24,7 @@ interface IAppConfig extends IObjectHash {
 interface IAppConfigDbItem {
   key: string
   value: string
+  encrypted: boolean
 }
 
 export {