k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 13:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(server): encrypt api keys

Browse Source
This commit is contained in:
David Moll
2026-03-31 09:00:35 +02:00
parent 069fd99341
commit 990e804bd3
3 changed files with 116 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/services/apiKeyCrypto.ts
+43
View File
@@ -0,0 +1,43 @@
import * as crypto from 'crypto';
import { JWT_SECRET } from '../config';
const ENCRYPTED_PREFIX = 'enc:v1:';
function get_key() {
return crypto.createHash('sha256').update(`${JWT_SECRET}:api_keys:v1`).digest();
}
export function encrypt_api_key(plain: unknown) {
const iv = crypto.randomBytes(12);
const cipher = crypto.createCipheriv('aes-256-gcm', get_key(), iv);
const enc = Buffer.concat([cipher.update(String(plain), 'utf8'), cipher.final()]);
const tag = cipher.getAuthTag();
const blob = Buffer.concat([iv, tag, enc]).toString('base64');
return `${ENCRYPTED_PREFIX}${blob}`;
}
export function decrypt_api_key(value: unknown) {
if (!value) return null;
if (typeof value !== 'string') return null;
if (!value.startsWith(ENCRYPTED_PREFIX)) return value; // legacy plaintext
const blob = value.slice(ENCRYPTED_PREFIX.length);
try {
const buf = Buffer.from(blob, 'base64');
const iv = buf.subarray(0, 12);
const tag = buf.subarray(12, 28);
const enc = buf.subarray(28);
const decipher = crypto.createDecipheriv('aes-256-gcm', get_key(), iv);
decipher.setAuthTag(tag);
return Buffer.concat([decipher.update(enc), decipher.final()]).toString('utf8');
} catch {
return null;
}
}
export function maybe_encrypt_api_key(value: unknown) {
const trimmed = String(value || '').trim();
if (!trimmed) return null;
if (trimmed.startsWith(ENCRYPTED_PREFIX)) return trimmed;
return encrypt_api_key(trimmed);
}