-
-
Notifications
You must be signed in to change notification settings - Fork 663
feat(encryption): add AES-SIV support and legacy blind-index errors #5044
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| /* | ||
| * @adonisjs/core | ||
| * | ||
| * (c) AdonisJS | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| /** | ||
| * AES-SIV encryption driver implementation. | ||
| * | ||
| * This driver provides deterministic authenticated encryption using AES-SIV | ||
| * (Synthetic Initialization Vector). It is useful when you need equality | ||
| * queries over encrypted values while preserving authenticity guarantees. | ||
| * | ||
| * @example | ||
| * ```ts | ||
| * const driver = new AESSIV({ | ||
| * id: 'app', | ||
| * key: 'your-256-bit-key-here' | ||
| * }) | ||
| * | ||
| * const encrypted = driver.encrypt('sensitive data') | ||
| * const decrypted = driver.decrypt(encrypted) | ||
| * ``` | ||
| */ | ||
| export { AESSIV } from '@boringnode/encryption/drivers/aes_siv' |
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -16,6 +16,7 @@ import type { | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| EncryptOptions, | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| } from '@boringnode/encryption/types' | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| import { errors } from '@boringnode/encryption' | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| import { E_LEGACY_BLIND_INDEX_NOT_SUPPORTED } from '../errors.ts' | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| /** | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| * Configuration for the Legacy encryption driver. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
@@ -183,4 +184,18 @@ export class Legacy extends BaseDriver implements EncryptionDriverContract { | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| return null | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| } | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| } | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| /** | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| * Legacy driver does not support blind indexes. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| */ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| blindIndex(_payload: any, _purpose: string): string { | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| throw new E_LEGACY_BLIND_INDEX_NOT_SUPPORTED() | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| } | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| /** | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| * Legacy driver does not support blind indexes. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| */ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| blindIndexes(_payload: any, _purpose: string): string[] { | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+191
to
+198
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| blindIndex(_payload: any, _purpose: string): string { | |
| throw new E_LEGACY_BLIND_INDEX_NOT_SUPPORTED() | |
| } | |
| /** | |
| * Legacy driver does not support blind indexes. | |
| */ | |
| blindIndexes(_payload: any, _purpose: string): string[] { | |
| blindIndex(_payload: unknown, _purpose: string): string { | |
| throw new E_LEGACY_BLIND_INDEX_NOT_SUPPORTED() | |
| } | |
| /** | |
| * Legacy driver does not support blind indexes. | |
| */ | |
| blindIndexes(_payload: unknown, _purpose: string): string[] { |
Copilot
AI
Feb 7, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using any for _payload weakens type-safety for callers and makes it easier to accidentally pass unsupported values without compiler feedback. If the contract allows it, prefer unknown (or a narrower union) for _payload since the method intentionally does not consume it.
| blindIndex(_payload: any, _purpose: string): string { | |
| throw new E_LEGACY_BLIND_INDEX_NOT_SUPPORTED() | |
| } | |
| /** | |
| * Legacy driver does not support blind indexes. | |
| */ | |
| blindIndexes(_payload: any, _purpose: string): string[] { | |
| blindIndex(_payload: unknown, _purpose: string): string { | |
| throw new E_LEGACY_BLIND_INDEX_NOT_SUPPORTED() | |
| } | |
| /** | |
| * Legacy driver does not support blind indexes. | |
| */ | |
| blindIndexes(_payload: unknown, _purpose: string): string[] { |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| /* | ||
| * @adonisjs/core | ||
| * | ||
| * (c) AdonisJS | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| import { createError } from '../../src/exceptions.ts' | ||
| import { errors as boringnodeErrors } from '@boringnode/encryption' | ||
|
|
||
| /** | ||
| * Raised when attempting to compute blind indexes using the legacy driver. | ||
| */ | ||
| export const E_LEGACY_BLIND_INDEX_NOT_SUPPORTED = createError( | ||
| 'Blind indexes are not supported by the legacy encryption driver', | ||
| 'E_LEGACY_BLIND_INDEX_NOT_SUPPORTED' | ||
| ) | ||
|
Comment on lines
+16
to
+19
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Shouldn't it be called |
||
|
|
||
| /** | ||
| * Encryption errors exposed by this package. | ||
| */ | ||
| export const errors = { | ||
| ...boringnodeErrors, | ||
| E_LEGACY_BLIND_INDEX_NOT_SUPPORTED, | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -272,3 +272,23 @@ test.group('Legacy | defineConfig', () => { | |
| assert.deepEqual(config.list.legacy.keys, [SECRET_KEY]) | ||
| }) | ||
| }) | ||
|
|
||
| test.group('Legacy | blind indexes', () => { | ||
| test('throw when computing blind index', ({ assert }) => { | ||
| const encryption = new Legacy({ key: SECRET_KEY }) | ||
|
|
||
| assert.throws( | ||
| () => encryption.blindIndex('foo@example.com', 'users.email'), | ||
| 'Blind indexes are not supported by the legacy encryption driver' | ||
| ) | ||
|
Comment on lines
+280
to
+283
|
||
| }) | ||
|
|
||
| test('throw when computing blind indexes', ({ assert }) => { | ||
| const encryption = new Legacy({ key: SECRET_KEY }) | ||
|
|
||
| assert.throws( | ||
| () => encryption.blindIndexes('foo@example.com', 'users.email'), | ||
| 'Blind indexes are not supported by the legacy encryption driver' | ||
| ) | ||
|
Comment on lines
+289
to
+292
|
||
| }) | ||
| }) | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using
.filter((key) => !!key)does not reliably narrow the array type in TypeScript, which can leavekeystyped as(string | undefined)[]even ifEncryptionConfigexpectsstring[]. Use a type-predicate filter (e.g.(key): key is string => Boolean(key)) or avoid filtering entirely ifconfig.keyis required.