feat: add encrypted kind

zenstackhq · Dec 20, 2024 · 23a06cc · 23a06cc
1 parent b41fd93
commit 23a06cc
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/packages/runtime/src/enhancements/node/create-enhancement.ts b/packages/runtime/src/enhancements/node/create-enhancement.ts
@@ -14,13 +14,14 @@ import { withJsonProcessor } from './json-processor';
 import { Logger } from './logger';
 import { withOmit } from './omit';
 import { withPassword } from './password';
+import { withEncrypted } from './encrypted';
 import { policyProcessIncludeRelationPayload, withPolicy } from './policy';
 import type { PolicyDef } from './types';
 
 /**
  * All enhancement kinds
  */
-const ALL_ENHANCEMENTS: EnhancementKind[] = ['password', 'omit', 'policy', 'validation', 'delegate'];
+const ALL_ENHANCEMENTS: EnhancementKind[] = ['password', 'omit', 'policy', 'validation', 'delegate', 'encrypted'];
 
 /**
  * Options for {@link createEnhancement}
@@ -100,6 +101,7 @@ export function createEnhancement<DbClient extends object>(
     }
 
     const hasPassword = allFields.some((field) => field.attributes?.some((attr) => attr.name === '@password'));
+    const hasEncrypted = allFields.some((field) => field.attributes?.some((attr) => attr.name === '@encrypted'));
     const hasOmit = allFields.some((field) => field.attributes?.some((attr) => attr.name === '@omit'));
     const hasDefaultAuth = allFields.some((field) => field.defaultValueProvider);
     const hasTypeDefField = allFields.some((field) => field.isTypeDef);
@@ -120,13 +122,18 @@ export function createEnhancement<DbClient extends object>(
         }
     }
 
-    // password enhancement must be applied prior to policy because it changes then length of the field
+    // password and encrypted enhancement must be applied prior to policy because it changes then length of the field
     // and can break validation rules like `@length`
     if (hasPassword && kinds.includes('password')) {
         // @password proxy
         result = withPassword(result, options);
     }
 
+    if (hasEncrypted && kinds.includes('encrypted')) {
+        // @encrypted proxy
+        result = withEncrypted(result, options);
+    }
+
     // 'policy' and 'validation' enhancements are both enabled by `withPolicy`
     if (kinds.includes('policy') || kinds.includes('validation')) {
         result = withPolicy(result, options, context);

diff --git a/packages/runtime/src/types.ts b/packages/runtime/src/types.ts
@@ -145,7 +145,7 @@ export type EnhancementContext<User extends AuthUser = AuthUser> = {
 /**
  * Kinds of enhancements to `PrismaClient`
  */
-export type EnhancementKind = 'password' | 'omit' | 'policy' | 'validation' | 'delegate';
+export type EnhancementKind = 'password' | 'omit' | 'policy' | 'validation' | 'delegate' | 'encrypted';
 
 /**
  * Function for transforming errors.

diff --git a/packages/schema/src/res/stdlib.zmodel b/packages/schema/src/res/stdlib.zmodel
@@ -552,6 +552,14 @@ attribute @@auth() @@@supportTypeDef
  */
 attribute @password(saltLength: Int?, salt: String?) @@@targetField([StringField])
 
+
+/**
+ * Indicates that the field is encrypted when storing in the DB and should be decrypted when read
+ * 
+ * ZenStack uses the Web Crypto API to encrypt and decrypt the field. 
+ */
+attribute @encrypted(secret: String) @@@targetField([StringField])
+
 /**
  * Indicates that the field should be omitted when read from the generated services.
  */