fix(sec): add encryption tag to db

pezzolabs · Apr 28, 2024 · 7dec36e · 7dec36e
1 parent 8a02fa4
commit 7dec36e
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 5 deletions.
diff --git a/...ver/prisma/migrations/20240428124644_add_tag_to_provider_api_key_encryption/migration.sql b/...ver/prisma/migrations/20240428124644_add_tag_to_provider_api_key_encryption/migration.sql
@@ -0,0 +1,8 @@
+/*
+  Warnings:
+
+  - Added the required column `encryptionTag` to the `ProviderApiKey` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- AlterTable
+ALTER TABLE "ProviderApiKey" ADD COLUMN     "encryptionTag" TEXT NOT NULL;
diff --git a/apps/server/src/app/credentials/provider-api-keys.service.ts b/apps/server/src/app/credentials/provider-api-keys.service.ts
@@ -2,7 +2,6 @@ import { Injectable } from "@nestjs/common";
 import { PrismaService } from "../prisma.service";
 import { EncryptionService } from "../encryption/encryption.service";
 import { ProviderApiKey } from "@prisma/client";
-import { StringFilter } from "../../@generated/prisma/string-filter.input";
 
 @Injectable()
 export class ProviderApiKeysService {
@@ -21,7 +20,8 @@ export class ProviderApiKeysService {
   async decryptProviderApiKey(key: ProviderApiKey): Promise<string> {
     const decrypted = await this.encryptionService.decrypt(
       key.encryptedData,
-      key.encryptedDataKey
+      key.encryptedDataKey,
+      key.encryptionTag
     );
     return decrypted;
   }
@@ -42,7 +42,7 @@ export class ProviderApiKeysService {
       where: { provider, organizationId },
     });
 
-    const { encryptedData, encryptedDataKey } =
+    const { encryptedData, encryptedDataKey, encryptionTag } =
       await this.encryptionService.encrypt(value);
 
     const censoredValue = this.censorApiKey(value);
@@ -55,6 +55,7 @@ export class ProviderApiKeysService {
         data: {
           encryptedData,
           encryptedDataKey,
+          encryptionTag,
           censoredValue,
         },
       });
@@ -67,6 +68,7 @@ export class ProviderApiKeysService {
         provider,
         encryptedData,
         encryptedDataKey,
+        encryptionTag,
         censoredValue,
         organizationId,
       },

diff --git a/apps/server/src/app/encryption/encryption.service.ts b/apps/server/src/app/encryption/encryption.service.ts
@@ -48,7 +48,7 @@ export class EncryptionService {
   async encrypt(data: string): Promise<{
     encryptedData: string;
     encryptedDataKey: string;
-    tag: string; // Include the authentication tag in the encryption result
+    encryptionTag: string;
   }> {
     this.logger.info("Encrypting data");
 
@@ -61,7 +61,7 @@ export class EncryptionService {
     return {
       encryptedData: Buffer.concat([iv, encrypted]).toString("hex"),
       encryptedDataKey: Buffer.from(dataKey.ciphertext).toString("base64"),
-      tag: cipher.getAuthTag().toString("hex"), // Store the tag for verification during decryption
+      encryptionTag: cipher.getAuthTag().toString("hex"), // Store the tag for verification during decryption
     };
   }