Domů Procházet Nápověda
Registrovat se Přihlásit se
benjamin.harris
/
social-media-manager
1
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: 379b68e4b6
Větve Značky
social-media-ma...
/
services
/
utils
/
crypto.js

crypto.js 2.5 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. const { createCipheriv, createDecipheriv, randomBytes } = require('crypto');
    2. 

  2. const { createLogger } = require('./logger');
    3. 

  3. 

  4. const ALGORITHM = 'aes-256-gcm';
    5. 

  5. const ENC_PREFIX = 'ENC:v1:';
    6. 

  6. const log = createLogger('crypto');
    7. 

  7. 

  8. function _getKey() {
    9. 

  9.   const keyHex = process.env.ENCRYPTION_KEY;
    10. 

  10.   if (!keyHex || keyHex.length !== 64) return null;
    11. 

  11.   return Buffer.from(keyHex, 'hex');
    12. 

  12. }
    13. 

  13. 

  14. // Returns the ciphertext string, or plaintext if key not configured.
    15. 

  15. function encryptToken(plaintext) {
    16. 

  16.   if (!plaintext) return plaintext;
    17. 

  17.   if (String(plaintext).startsWith(ENC_PREFIX)) return plaintext; // already encrypted
    18. 

  18.   const key = _getKey();
    19. 

  19.   if (!key) return plaintext;
    20. 

  20. 

  21.   const iv = randomBytes(12);
    22. 

  22.   const cipher = createCipheriv(ALGORITHM, key, iv);
    23. 

  23.   const encrypted = Buffer.concat([cipher.update(String(plaintext), 'utf8'), cipher.final()]);
    24. 

  24.   const tag = cipher.getAuthTag();
    25. 

  25.   return `${ENC_PREFIX}${iv.toString('hex')}:${tag.toString('hex')}:${encrypted.toString('hex')}`;
    26. 

  26. }
    27. 

  27. 

  28. // Returns decrypted plaintext, or the original value if not encrypted.
    29. 

  29. // Returns null and logs an error if decryption fails.
    30. 

  30. function decryptToken(value) {
    31. 

  31.   if (!value) return value;
    32. 

  32.   if (!String(value).startsWith(ENC_PREFIX)) return value; // plaintext passthrough (legacy data)
    33. 

  33. 

  34.   const key = _getKey();
    35. 

  35.   if (!key) {
    36. 

  36.     log.error({ action: 'decrypt', outcome: 'failure', err: 'ENCRYPTION_KEY not set — cannot decrypt stored token' });
    37. 

  37.     return null;
    38. 

  38.   }
    39. 

  39. 

  40.   try {
    41. 

  41.     const parts = String(value).slice(ENC_PREFIX.length).split(':');
    42. 

  42.     if (parts.length !== 3) throw new Error('malformed ciphertext');
    43. 

  43.     const [ivHex, tagHex, ciphertextHex] = parts;
    44. 

  44.     const iv = Buffer.from(ivHex, 'hex');
    45. 

  45.     const tag = Buffer.from(tagHex, 'hex');
    46. 

  46.     const ciphertext = Buffer.from(ciphertextHex, 'hex');
    47. 

  47.     const decipher = createDecipheriv(ALGORITHM, key, iv);
    48. 

  48.     decipher.setAuthTag(tag);
    49. 

  49.     return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
    50. 

  50.   } catch (err) {
    51. 

  51.     log.error({ action: 'decrypt', outcome: 'failure', err: err.message });
    52. 

  52.     return null;
    53. 

  53.   }
    54. 

  54. }
    55. 

  55. 

  56. // Log a startup warning when no key is configured so operators notice.
    57. 

  57. function warnIfNoKey(serviceName) {
    58. 

  58.   if (!_getKey()) {
    59. 

  59.     log.warn({ action: 'startup_check', service: serviceName, outcome: 'warning', err: 'ENCRYPTION_KEY is not set — tokens will be stored in plaintext. Generate a key with: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))"' });
    60. 

  60.   }
    61. 

  61. }
    62. 

  62. 

  63. module.exports = { encryptToken, decryptToken, warnIfNoKey };
    64.