packages/lib/server-only/crypto/decrypt.ts

import { DOCUMENSO_ENCRYPTION_SECONDARY_KEY } from '@documenso/lib/constants/crypto';
import { ZEncryptedDataSchema } from '@documenso/lib/server-only/crypto/encrypt';
import { symmetricDecrypt } from '@documenso/lib/universal/crypto';

/**
 * Decrypt the passed in data. This uses the secondary encrypt key for miscellaneous data.
 *
 * @param encryptedData The data encrypted with the `encryptSecondaryData` function.
 * @returns The decrypted value, or `null` if the data is invalid or expired.
 */
export const decryptSecondaryData = (encryptedData: string): string | null => {
  if (!DOCUMENSO_ENCRYPTION_SECONDARY_KEY) {
    throw new Error('Missing encryption key');
  }

  const decryptedBufferValue = symmetricDecrypt({
    key: DOCUMENSO_ENCRYPTION_SECONDARY_KEY,
    data: encryptedData,
  });

  const decryptedValue = Buffer.from(decryptedBufferValue).toString('utf-8');
  const result = ZEncryptedDataSchema.safeParse(JSON.parse(decryptedValue));

  if (!result.success) {
    return null;
  }

  if (result.data.expiresAt !== undefined && result.data.expiresAt < Date.now()) {
    return null;
  }

  return result.data.data;
};
feat: add server crypto (#863) ## Description Currently we are required to ensure PII data is not passed around in search parameters and in the open for GDPR reasons. Allowing us to encrypt and decrypt values with expiry dates will allow us to ensure this doesn't happen. ## Changes Made - Added TPRC router for encryption method ## Testing Performed - Tested encrypting and decrypting data with and without `expiredAt` - Tested via directly accessing API and also via trpc in react components - Tested parsing en email search param in a page and decrypting it successfully ## Checklist - [X] I have tested these changes locally and they work as expected. - [X] I have followed the project's coding style guidelines. 2024-01-25 16:07:57 +11:00			`import { DOCUMENSO_ENCRYPTION_SECONDARY_KEY } from '@documenso/lib/constants/crypto';`
			`import { ZEncryptedDataSchema } from '@documenso/lib/server-only/crypto/encrypt';`
			`import { symmetricDecrypt } from '@documenso/lib/universal/crypto';`

			`/**`
			`* Decrypt the passed in data. This uses the secondary encrypt key for miscellaneous data.`
			`*`
			* @param encryptedData The data encrypted with the `encryptSecondaryData` function.
			* @returns The decrypted value, or `null` if the data is invalid or expired.
			`*/`
			`export const decryptSecondaryData = (encryptedData: string): string \| null => {`
			`if (!DOCUMENSO_ENCRYPTION_SECONDARY_KEY) {`
			`throw new Error('Missing encryption key');`
			`}`

			`const decryptedBufferValue = symmetricDecrypt({`
			`key: DOCUMENSO_ENCRYPTION_SECONDARY_KEY,`
			`data: encryptedData,`
			`});`

			`const decryptedValue = Buffer.from(decryptedBufferValue).toString('utf-8');`
			`const result = ZEncryptedDataSchema.safeParse(JSON.parse(decryptedValue));`

			`if (!result.success) {`
			`return null;`
			`}`

			`if (result.data.expiresAt !== undefined && result.data.expiresAt < Date.now()) {`
			`return null;`
			`}`

			`return result.data.data;`
			`};`