testing encryption

diggerhq · Jul 24, 2024 · 1f015f4 · 1f015f4
1 parent 20d560e
commit 1f015f4
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 0 deletions.
diff --git a/package.json b/package.json
@@ -102,6 +102,7 @@
     "class-variance-authority": "^0.7.0",
     "clsx": "^2.1.0",
     "cmdk": "^1.0.0",
+    "crypto": "^1.0.1",
     "crypto-js": "^4.1.1",
     "d3-scale": "^4.0.2",
     "date-fns": "^3.3.1",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/...pages)/(application-pages)/project/[projectSlug]/(specific-project-pages)/tfvars/page.tsx b/...pages)/(application-pages)/project/[projectSlug]/(specific-project-pages)/tfvars/page.tsx
@@ -26,6 +26,8 @@ export default async function TFVarsPage({ params }: { params: unknown }) {
     const { projectSlug } = projectSlugParamSchema.parse(params);
     const project = await getSlimProjectBySlug(projectSlug);
     const tfvars = await getTFVarsByProjectId(project.id);
+    const MASTER_PASSWORD = process.env.MASTER_PASSWORD || 'digger-password';
+    const ENCRYPTION_SALT = process.env.ENCRYPTION_SALT || 'digger-salt';
 
     return (
         <div className="flex flex-col space-y-4 max-w-5xl mt-2">

diff --git a/src/data/admin/encryption.ts b/src/data/admin/encryption.ts
@@ -0,0 +1,39 @@
+import {
+  createCipheriv,
+  createDecipheriv,
+  pbkdf2Sync,
+  randomBytes,
+} from 'crypto';
+
+function deriveKey(password: string, salt: string): Buffer {
+  return pbkdf2Sync(password, salt, 100000, 32, 'sha256');
+}
+
+function encrypt(
+  text: string,
+  ENCRYPTION_SALT: string,
+  MASTER_PASSWORD: string,
+): { iv: string; encryptedData: string } {
+  const iv = randomBytes(16);
+  const key = deriveKey(MASTER_PASSWORD, ENCRYPTION_SALT);
+  const cipher = createCipheriv('aes-256-cbc', key, iv);
+  let encrypted = cipher.update(text, 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+  return {
+    iv: iv.toString('hex'),
+    encryptedData: encrypted,
+  };
+}
+
+function decrypt(
+  iv: string,
+  encryptedData: string,
+  ENCRYPTION_SALT: string,
+  MASTER_PASSWORD: string,
+): string {
+  const key = deriveKey(MASTER_PASSWORD, ENCRYPTION_SALT);
+  const decipher = createDecipheriv('aes-256-cbc', key, Buffer.from(iv, 'hex'));
+  let decrypted = decipher.update(encryptedData, 'hex', 'utf8');
+  decrypted += decipher.final('utf8');
+  return decrypted;
+}
diff --git a/supabase/migrations/20240724080812_project_vars_table.sql b/supabase/migrations/20240724080812_project_vars_table.sql
@@ -0,0 +1,10 @@
+CREATE TABLE encrypted_env_vars (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    project_id UUID NOT NULL,
+    name VARCHAR(255) NOT NULL,
+    encrypted_value BYTEA NOT NULL,
+    iv BYTEA NOT NULL,
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT now() NOT NULL,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT now() NOT NULL,
+    FOREIGN KEY (project_id) REFERENCES projects (id) ON DELETE CASCADE
+);