Use the right encryption

2026-04-04 08:56:37 +00:00 · 2026-04-03 17:59:21 -04:00
parent 8cbc8dec89
commit eb4b2daaab
4 changed files with 21 additions and 51 deletions
--- a/server/private/lib/logStreaming/LogStreamingManager.ts
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -23,8 +23,8 @@ import {
 } from "@server/db";
 import logger from "@server/logger";
 import { and, eq, gt, desc, max, sql } from "drizzle-orm";
-import { decryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 import {
    LogType,
    LOG_TYPES,
@@ -36,21 +36,6 @@ import { LogDestinationProvider } from "./providers/LogDestinationProvider";
 import { HttpLogDestination } from "./providers/HttpLogDestination";
 import type { EventStreamingDestination } from "@server/db";

-// ---------------------------------------------------------------------------
-// Encryption helpers
-// ---------------------------------------------------------------------------
-
-let encryptionKey: Buffer | undefined;
-
-function getEncryptionKey(): Buffer {
-    if (!encryptionKey) {
-        const keyHex =
-            privateConfig.getRawPrivateConfig().server.encryption_key;
-        encryptionKey = Buffer.from(keyHex, "hex");
-    }
-    return encryptionKey;
-}
-
 // ---------------------------------------------------------------------------
 // Configuration
 // ---------------------------------------------------------------------------
@@ -290,10 +275,10 @@ export class LogStreamingManager {
        }

        // Decrypt and parse config – skip destination if either step fails
-        let config: HttpConfig;
+        let configFromDb: HttpConfig;
        try {
-            const decryptedConfig = decryptData(dest.config, getEncryptionKey());
-            config = JSON.parse(decryptedConfig) as HttpConfig;
+            const decryptedConfig = decrypt(dest.config, config.getRawConfig().server.secret!);
+            configFromDb = JSON.parse(decryptedConfig) as HttpConfig;
        } catch (err) {
            logger.error(
                `LogStreamingManager: destination ${dest.destinationId} has invalid or undecryptable config`,
@@ -302,7 +287,7 @@ export class LogStreamingManager {
            return;
        }

-        const provider = this.createProvider(dest.type, config);
+        const provider = this.createProvider(dest.type, configFromDb);
        if (!provider) {
            logger.warn(
                `LogStreamingManager: unsupported destination type "${dest.type}" ` +
--- a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -22,8 +22,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { encryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
@@ -89,12 +89,10 @@ export async function createEventStreamingDestination(
            );
        }

-        const { type, config, enabled } = parsedBody.data;
+        const { type, config: configToSet, enabled } = parsedBody.data;

-        const encryptionKeyHex =
-            privateConfig.getRawPrivateConfig().server.encryption_key;
-        const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
-        const encryptedConfig = encryptData(config, encryptionKey);
+        const key = config.getRawConfig().server.secret!;
+        const encryptedConfig = encrypt(configToSet, key);

        const now = Date.now();

--- a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
+++ b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
@@ -22,19 +22,8 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { eq, sql } from "drizzle-orm";
-import { decryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
-
-let encryptionKey: Buffer;
-
-function getEncryptionKey(): Buffer {
-    if (!encryptionKey) {
-        const keyHex =
-            privateConfig.getRawPrivateConfig().server.encryption_key;
-        encryptionKey = Buffer.from(keyHex, "hex");
-    }
-    return encryptionKey;
-}
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
@@ -134,10 +123,10 @@ export async function listEventStreamingDestinations(
            .from(eventStreamingDestinations)
            .where(eq(eventStreamingDestinations.orgId, orgId));

-        const key = getEncryptionKey();
+        const key = config.getRawConfig().server.secret!;
        const decryptedList = list.map((dest) => {
            try {
-                return { ...dest, config: decryptData(dest.config, key) };
+                return { ...dest, config: decrypt(dest.config, key) };
            } catch (err) {
                logger.error(
                    `listEventStreamingDestinations: failed to decrypt config for destination ${dest.destinationId}`,
--- a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -22,9 +22,8 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq } from "drizzle-orm";
-import { encryptData } from "@server/lib/encryption";
-import privateConfig from "#private/lib/config";
-
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";

 const paramsSchema = z
    .object({
@@ -112,17 +111,16 @@ export async function updateEventStreamingDestination(
            );
        }

-        const { type, config, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;
+        const { type, config: configToUpdate, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;

        const updateData: Record<string, unknown> = {
            updatedAt: Date.now()
        };

        if (type !== undefined) updateData.type = type;
-        if (config !== undefined) {
-            const encryptionKeyHex = privateConfig.getRawPrivateConfig().server.encryption_key;
-            const encryptionKey = Buffer.from(encryptionKeyHex, "hex");
-            updateData.config = encryptData(config, encryptionKey);
+        if (configToUpdate !== undefined) {
+            const key = config.getRawConfig().server.secret!;
+            updateData.config = encrypt(configToUpdate, key);
        }
        if (enabled !== undefined) updateData.enabled = enabled;
        if (sendAccessLogs !== undefined) updateData.sendAccessLogs = sendAccessLogs;