From eb4b2daaaba66fc61a5b21167273f09d973f9d20 Mon Sep 17 00:00:00 2001
From: Owen
Date: Fri, 3 Apr 2026 17:59:21 -0400
Subject: [PATCH] Use the right encryption
---
 .../lib/logStreaming/LogStreamingManager.ts | 27 +++++--------------
 .../createEventStreamingDestination.ts | 12 ++++-----
 .../listEventStreamingDestinations.ts | 19 +++----------
 .../updateEventStreamingDestination.ts | 14 +++++-----
 4 files changed, 21 insertions(+), 51 deletions(-)
diff --git a/server/private/lib/logStreaming/LogStreamingManager.ts b/server/private/lib/logStreaming/LogStreamingManager.ts
index a531d9b80..39eae031a 100644
--- a/server/private/lib/logStreaming/LogStreamingManager.ts
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -23,8 +23,8 @@ import {
 } from "@server/db";
 import logger from "@server/logger";
 import { and, eq, gt, desc, max, sql } from "drizzle-orm";
-import { decryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 import {
 LogType,
 LOG_TYPES,
@@ -36,21 +36,6 @@ import { LogDestinationProvider } from "./providers/LogDestinationProvider";
 import { HttpLogDestination } from "./providers/HttpLogDestination";
 import type { EventStreamingDestination } from "@server/db";
-// ---------------------------------------------------------------------------
-// Encryption helpers
-// ---------------------------------------------------------------------------
-
-let encryptionKey: Buffer | undefined;
-
-function getEncryptionKey(): Buffer {
- if (!encryptionKey) {
- const keyHex =
- privateConfig.getRawPrivateConfig().server.encryption_key;
- encryptionKey = Buffer.from(keyHex, "hex");
- }
- return encryptionKey;
-}
-
 // ---------------------------------------------------------------------------
 // Configuration
 // ---------------------------------------------------------------------------
@@ -290,10 +275,10 @@ export class LogStreamingManager {
 }
 // Decrypt and parse config – skip destination if either step fails
- let config: HttpConfig;
+ let configFromDb: HttpConfig;
 try {
- const decryptedConfig = decryptData(dest.config, getEncryptionKey());
- config = JSON.parse(decryptedConfig) as HttpConfig;
+ const decryptedConfig = decrypt(dest.config, config.getRawConfig().server.secret!);
+ configFromDb = JSON.parse(decryptedConfig) as HttpConfig;
 } catch (err) {
 logger.error(
 `LogStreamingManager: destination ${dest.destinationId} has invalid or undecryptable config`,
@@ -302,7 +287,7 @@ export class LogStreamingManager {
 return;
 }
- const provider = this.createProvider(dest.type, config);
+ const provider = this.createProvider(dest.type, configFromDb);
 if (!provider) {
 logger.warn(
 `LogStreamingManager: unsupported destination type "${dest.type}" ` +
diff --git a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
index 19a39a03d..bef7ba7e9 100644
--- a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -22,8 +22,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { encryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 const paramsSchema = z.strictObject({
 orgId: z.string().nonempty()
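Review bot: The non-null assertion in `decrypt(dest.config, config.getRawConfig().server.secret!)` sits inside the try, so an unset `server.secret` is reported as the destination having an "invalid or undecryptable config" and the destination is skipped, when the actual fault is server configuration; the same `secret!` read is repeated in createEventStreamingDestination, listEventStreamingDestinations and updateEventStreamingDestination, where it is outside any try and how `encrypt`/`decrypt` behave on an undefined key is not visible in this diff. Resolving the secret before the try and failing with an explicit message (or one shared helper that throws when the secret is missing, replacing the four inline reads) would remove the `!` and keep the log accurate. Separately, any destinations already stored by the removed `encryptData`/`encryption_key` path will now land in this same catch; if such rows can exist, a migration or a distinguishable log line would help operators. The enclosing method begins and ends outside this hunk.
```typescript
// Resolve the key before the try so a missing server.secret is reported as a
// deployment problem rather than as a bad destination config.
const secret = config.getRawConfig().server.secret;
if (!secret) {
    logger.error(
        "LogStreamingManager: server.secret is not set; cannot decrypt destination configs"
    );
    return;
}
let configFromDb: HttpConfig;
try {
    const decryptedConfig = decrypt(dest.config, secret);
    // … unchanged: JSON.parse into configFromDb …
} catch (err) {
    // … unchanged: error log and return …
```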
@@ -89,12 +89,10 @@ export async function createEventStreamingDestination(
 );
 }
- const { type, config, enabled } = parsedBody.data;
+ const { type, config: configToSet, enabled } = parsedBody.data;
- const encryptionKeyHex =
- privateConfig.getRawPrivateConfig().server.encryption_key;
- const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
- const encryptedConfig = encryptData(config, encryptionKey);
+ const key = config.getRawConfig().server.secret!;
+ const encryptedConfig = encrypt(configToSet, key);
 const now = Date.now();
diff --git a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
index 46cfb6b9c..ac3f14e62 100644
--- a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
+++ b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
@@ -22,19 +22,8 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { eq, sql } from "drizzle-orm";
-import { decryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
-
-let encryptionKey: Buffer;
-
-function getEncryptionKey(): Buffer {
- if (!encryptionKey) {
- const keyHex =
- privateConfig.getRawPrivateConfig().server.encryption_key;
- encryptionKey = Buffer.from(keyHex, "hex");
- }
- return encryptionKey;
-}
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 const paramsSchema = z.strictObject({
 orgId: z.string().nonempty()
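Review bot: Importing the server config module as `config` into a handler whose request body also carries a `config` field is what forces the `config: configToSet` rename here (and the `configFromDb`/`configToUpdate` renames in LogStreamingManager and updateEventStreamingDestination); importing it under a distinct name, e.g. `import serverConfig from "@server/lib/config";`, would let the body field keep its name and make `serverConfig.getRawConfig().server.secret` read unambiguously at each call site. Whether `encrypt` derives a dedicated key from `server.secret` or uses the string directly is not visible in this diff; if the same secret also backs other primitives elsewhere, deriving a purpose-specific key for destination configs would keep this encryption domain separate from those uses. The enclosing function starts and ends outside this hunk.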
@@ -134,10 +123,10 @@ export async function listEventStreamingDestinations(
 .from(eventStreamingDestinations)
 .where(eq(eventStreamingDestinations.orgId, orgId));
- const key = getEncryptionKey();
+ const key = config.getRawConfig().server.secret!;
 const decryptedList = list.map((dest) => {
 try {
- return { ...dest, config: decryptData(dest.config, key) };
+ return { ...dest, config: decrypt(dest.config, key) };
 } catch (err) {
 logger.error(
 `listEventStreamingDestinations: failed to decrypt config for destination ${dest.destinationId}`,
diff --git a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
index 1f7cb1007..24dc68aef 100644
--- a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -22,9 +22,8 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq } from "drizzle-orm";
-import { encryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
-
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 const paramsSchema = z
 .object({
@@ -112,17 +111,16 @@ export async function updateEventStreamingDestination(
 );
 }
- const { type, config, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;
+ const { type, config: configToUpdate, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;
 const updateData: Record = { updatedAt: Date.now() };
 if (type !== undefined) updateData.type = type;
- if (config !== undefined) {
- const encryptionKeyHex = privateConfig.getRawPrivateConfig().server.encryption_key;
- const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
- updateData.config = encryptData(config, encryptionKey);
+ if (configToUpdate !== undefined) {
+ const key = config.getRawConfig().server.secret!;
+ updateData.config = encrypt(configToUpdate, key);
 }
 if (enabled !== undefined) updateData.enabled = enabled;
 if (sendAccessLogs !== undefined) updateData.sendAccessLogs = sendAccessLogs;