Skip to content

Commit

Permalink
fix(encryption): decrypt fields in nested read results (#1934)
Browse files Browse the repository at this point in the history
  • Loading branch information
@ymc9
ymc9 authored Jan 2, 2025
1 parent b477ad8 commit 2eecae5
Show file tree
Hide file tree
Showing 2 changed files with 64 additions and 17 deletions.
28 changes: 18 additions & 10 deletions packages/runtime/src/enhancements/node/encryption.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -138,21 +138,29 @@ class EncryptedHandler extends DefaultPrismaProxyHandler {
const realModel = this.queryUtils.getDelegateConcreteModel(model, entityData);

for (const field of getModelFields(entityData)) {
const fieldInfo = await resolveField(this.options.modelMeta, realModel, field);
// Don't decrypt null, undefined or empty string values
if (!entityData[field]) continue;

const fieldInfo = await resolveField(this.options.modelMeta, realModel, field);
if (!fieldInfo) {
continue;
}

const shouldDecrypt = fieldInfo.attributes?.find((attr) => attr.name === '@encrypted');
if (shouldDecrypt) {
// Don't decrypt null, undefined or empty string values
if (!entityData[field]) continue;

try {
entityData[field] = await this.decrypt(fieldInfo, entityData[field]);
} catch (error) {
this.logger.warn(`Decryption failed, keeping original value: ${error}`);
if (fieldInfo.isDataModel) {
const items =
fieldInfo.isArray && Array.isArray(entityData[field]) ? entityData[field] : [entityData[field]];
for (const item of items) {
// recurse
await this.doPostProcess(item, fieldInfo.type);
}
} else {
const shouldDecrypt = fieldInfo.attributes?.find((attr) => attr.name === '@encrypted');
if (shouldDecrypt) {
try {
entityData[field] = await this.decrypt(fieldInfo, entityData[field]);
} catch (error) {
this.logger.warn(`Decryption failed, keeping original value: ${error}`);
}
}
}
}
Expand Down
53 changes: 46 additions & 7 deletions tests/integration/tests/enhancements/with-encrypted/with-encrypted.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,6 @@ describe('Encrypted test', () => {
model User {
id String @id @default(cuid())
encrypted_value String @encrypted()
@@allow('all', true)
}`,
{
enhancements: ['encryption'],
Expand Down Expand Up @@ -62,15 +60,59 @@ describe('Encrypted test', () => {
expect(rawRead.encrypted_value).not.toBe('abc123');
});

it('Decrypts nested fields', async () => {
const { enhance, prisma } = await loadSchema(
`
model User {
id String @id @default(cuid())
posts Post[]
}
model Post {
id String @id @default(cuid())
title String @encrypted()
author User @relation(fields: [authorId], references: [id])
authorId String
}
`,
{
enhancements: ['encryption'],
enhanceOptions: {
encryption: { encryptionKey },
},
}
);

const db = enhance();

const create = await db.user.create({
data: {
id: '1',
posts: { create: { title: 'Post1' } },
},
include: { posts: true },
});
expect(create.posts[0].title).toBe('Post1');

const read = await db.user.findUnique({
where: {
id: '1',
},
include: { posts: true },
});
expect(read.posts[0].title).toBe('Post1');

const rawRead = await prisma.user.findUnique({ where: { id: '1' }, include: { posts: true } });
expect(rawRead.posts[0].title).not.toBe('Post1');
});

it('Multi-field encryption test', async () => {
const { enhance } = await loadSchema(
`
model User {
id String @id @default(cuid())
x1 String @encrypted()
x2 String @encrypted()
@@allow('all', true)
}`,
{
enhancements: ['encryption'],
Expand Down Expand Up @@ -105,8 +147,6 @@ describe('Encrypted test', () => {
model User {
id String @id @default(cuid())
encrypted_value String @encrypted()
@@allow('all', true)
}`);

const sudoDb = enhance(undefined, { kinds: [] });
Expand Down Expand Up @@ -203,7 +243,6 @@ describe('Encrypted test', () => {
model User {
id String @id @default(cuid())
encrypted_value String @encrypted() @length(0, 6)
@@allow('all', true)
}`,
{
Expand Down

0 comments on commit 2eecae5

Please sign in to comment.