Use the right encryption

2026-04-04 17:06:37 +00:00 · 2026-04-03 17:59:21 -04:00
parent 8cbc8dec89
commit eb4b2daaab
4 changed files with 21 additions and 51 deletions
--- a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -22,8 +22,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { encryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
@@ -89,12 +89,10 @@ export async function createEventStreamingDestination(
            );
        }

-        const { type, config, enabled } = parsedBody.data;
+        const { type, config: configToSet, enabled } = parsedBody.data;

-        const encryptionKeyHex =
-            privateConfig.getRawPrivateConfig().server.encryption_key;
-        const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
-        const encryptedConfig = encryptData(config, encryptionKey);
+        const key = config.getRawConfig().server.secret!;
+        const encryptedConfig = encrypt(configToSet, key);

        const now = Date.now();

--- a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
+++ b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
@@ -22,19 +22,8 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { eq, sql } from "drizzle-orm";
-import { decryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
-
-let encryptionKey: Buffer;
-
-function getEncryptionKey(): Buffer {
-    if (!encryptionKey) {
-        const keyHex =
-            privateConfig.getRawPrivateConfig().server.encryption_key;
-        encryptionKey = Buffer.from(keyHex, "hex");
-    }
-    return encryptionKey;
-}
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
@@ -134,10 +123,10 @@ export async function listEventStreamingDestinations(
            .from(eventStreamingDestinations)
            .where(eq(eventStreamingDestinations.orgId, orgId));

-        const key = getEncryptionKey();
+        const key = config.getRawConfig().server.secret!;
        const decryptedList = list.map((dest) => {
            try {
-                return { ...dest, config: decryptData(dest.config, key) };
+                return { ...dest, config: decrypt(dest.config, key) };
            } catch (err) {
                logger.error(
                    `listEventStreamingDestinations: failed to decrypt config for destination ${dest.destinationId}`,
--- a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -22,9 +22,8 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq } from "drizzle-orm";
-import { encryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
-
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";

 const paramsSchema = z
    .object({
@@ -112,17 +111,16 @@ export async function updateEventStreamingDestination(
            );
        }

-        const { type, config, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;
+        const { type, config: configToUpdate, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;

        const updateData: Record<string, unknown> = {
            updatedAt: Date.now()
        };

        if (type !== undefined) updateData.type = type;
-        if (config !== undefined) {
-            const encryptionKeyHex = privateConfig.getRawPrivateConfig().server.encryption_key;
-            const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
-            updateData.config = encryptData(config, encryptionKey);
+        if (configToUpdate !== undefined) {
+            const key = config.getRawConfig().server.secret!;
+            updateData.config = encrypt(configToUpdate, key);
        }
        if (enabled !== undefined) updateData.enabled = enabled;
        if (sendAccessLogs !== undefined) updateData.sendAccessLogs = sendAccessLogs;