trilium/src/services/protected_session.js

"use strict";

const utils = require('./utils');
const dataEncryptionService = require('./data_encryption');
const cls = require('./cls');

const dataKeyMap = {};

function setDataKey(decryptedDataKey) {
    const protectedSessionId = utils.randomSecureToken(32);

    dataKeyMap[protectedSessionId] = Array.from(decryptedDataKey); // can't store buffer in session

    return protectedSessionId;
}

function setProtectedSessionId(req) {
    cls.namespace.set('protectedSessionId', req.headers.protected_session_id);
}

function getProtectedSessionId() {
    return cls.namespace.get('protectedSessionId');
}

function getDataKey() {
    const protectedSessionId = getProtectedSessionId();

    return dataKeyMap[protectedSessionId];
}

function isProtectedSessionAvailable() {
    const protectedSessionId = getProtectedSessionId();

    return !!dataKeyMap[protectedSessionId];
}

function decryptNoteTitle(noteId, encryptedTitle) {
    const dataKey = getDataKey();

    try {
        const iv = dataEncryptionService.noteTitleIv(noteId);

        return dataEncryptionService.decryptString(dataKey, iv, encryptedTitle);
    }
    catch (e) {
        e.message = `Cannot decrypt note title for noteId=${noteId}: ` + e.message;
        throw e;
    }
}

function decryptNote(note) {
    const dataKey = getDataKey();

    if (!note.isProtected) {
        return;
    }

    try {
        if (note.title) {
            note.title = dataEncryptionService.decryptString(dataKey, dataEncryptionService.noteTitleIv(note.noteId), note.title);
        }

        if (note.content) {
            const contentIv = dataEncryptionService.noteContentIv(note.noteId);

            if (note.type === 'file') {
                note.content = dataEncryptionService.decrypt(dataKey, contentIv, note.content);
            }
            else {
                note.content = dataEncryptionService.decryptString(dataKey, contentIv, note.content);
            }
        }
    }
    catch (e) {
        e.message = `Cannot decrypt note for noteId=${note.noteId}: ` + e.message;
        throw e;
    }
}

function decryptNotes(notes) {
    for (const note of notes) {
        decryptNote(note);
    }
}

function decryptNoteRevision(hist) {
    const dataKey = getDataKey();

    if (!hist.isProtected) {
        return;
    }

    if (hist.title) {
        hist.title = dataEncryptionService.decryptString(dataKey, dataEncryptionService.noteTitleIv(hist.noteRevisionId), hist.title);
    }

    if (hist.content) {
        hist.content = dataEncryptionService.decryptString(dataKey, dataEncryptionService.noteContentIv(hist.noteRevisionId), hist.content);
    }
}

function encryptNote(note) {
    const dataKey = getDataKey();

    note.title = dataEncryptionService.encrypt(dataKey, dataEncryptionService.noteTitleIv(note.noteId), note.title);
    note.content = dataEncryptionService.encrypt(dataKey, dataEncryptionService.noteContentIv(note.noteId), note.content);
}

function encryptNoteRevision(revision) {
    const dataKey = getDataKey();

    revision.title = dataEncryptionService.encrypt(dataKey, dataEncryptionService.noteTitleIv(revision.noteRevisionId), revision.title);
    revision.content = dataEncryptionService.encrypt(dataKey, dataEncryptionService.noteContentIv(revision.noteRevisionId), revision.content);
}

module.exports = {
    setDataKey,
    getDataKey,
    isProtectedSessionAvailable,
    decryptNoteTitle,
    decryptNote,
    decryptNotes,
    decryptNoteRevision,
    encryptNote,
    encryptNoteRevision,
    setProtectedSessionId
};
server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`"use strict";`

refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`const utils = require('./utils');`
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`const dataEncryptionService = require('./data_encryption');`
removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`const cls = require('./cls');`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`const dataKeyMap = {};`

autocomplete supports encrypted notes now as well 2018-04-20 12:12:01 +08:00			`function setDataKey(decryptedDataKey) {`
removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`const protectedSessionId = utils.randomSecureToken(32);`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00
removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`dataKeyMap[protectedSessionId] = Array.from(decryptedDataKey); // can't store buffer in session`

			`return protectedSessionId;`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`}`

removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`function setProtectedSessionId(req) {`
			`cls.namespace.set('protectedSessionId', req.headers.protected_session_id);`
server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`}`

removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`function getProtectedSessionId() {`
			`return cls.namespace.get('protectedSessionId');`
			`}`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00
removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`function getDataKey() {`
			`const protectedSessionId = getProtectedSessionId();`
server side encryption WIP 2017-11-11 11:55:19 +08:00
removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`return dataKeyMap[protectedSessionId];`
support encryption for files, closes #60 2018-02-24 11:58:24 +08:00			`}`

autocomplete supports encrypted notes now as well 2018-04-20 12:12:01 +08:00			`function isProtectedSessionAvailable() {`
			`const protectedSessionId = getProtectedSessionId();`
server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00
removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`return !!dataKeyMap[protectedSessionId];`
server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`}`

autocomplete supports encrypted notes now as well 2018-04-20 12:12:01 +08:00			`function decryptNoteTitle(noteId, encryptedTitle) {`
			`const dataKey = getDataKey();`

exceptions on decryption 2018-08-28 03:58:02 +08:00			`try {`
			`const iv = dataEncryptionService.noteTitleIv(noteId);`
autocomplete supports encrypted notes now as well 2018-04-20 12:12:01 +08:00
exceptions on decryption 2018-08-28 03:58:02 +08:00			`return dataEncryptionService.decryptString(dataKey, iv, encryptedTitle);`
			`}`
			`catch (e) {`
			e.message = `Cannot decrypt note title for noteId=${noteId}: ` + e.message;
			`throw e;`
			`}`
autocomplete supports encrypted notes now as well 2018-04-20 12:12:01 +08:00			`}`

removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`function decryptNote(note) {`
			`const dataKey = getDataKey();`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00
renamed db columns to camelCase 2018-01-29 08:30:14 +08:00			`if (!note.isProtected) {`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`return;`
			`}`

exceptions on decryption 2018-08-28 03:58:02 +08:00			`try {`
			`if (note.title) {`
			`note.title = dataEncryptionService.decryptString(dataKey, dataEncryptionService.noteTitleIv(note.noteId), note.title);`
			`}`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00
exceptions on decryption 2018-08-28 03:58:02 +08:00			`if (note.content) {`
			`const contentIv = dataEncryptionService.noteContentIv(note.noteId);`
support encryption for files, closes #60 2018-02-24 11:58:24 +08:00
exceptions on decryption 2018-08-28 03:58:02 +08:00			`if (note.type === 'file') {`
			`note.content = dataEncryptionService.decrypt(dataKey, contentIv, note.content);`
			`}`
			`else {`
			`note.content = dataEncryptionService.decryptString(dataKey, contentIv, note.content);`
			`}`
support encryption for files, closes #60 2018-02-24 11:58:24 +08:00			`}`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`}`
exceptions on decryption 2018-08-28 03:58:02 +08:00			`catch (e) {`
			e.message = `Cannot decrypt note for noteId=${note.noteId}: ` + e.message;
			`throw e;`
			`}`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`}`

removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`function decryptNotes(notes) {`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`for (const note of notes) {`
removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`decryptNote(note);`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`}`
			`}`

removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`function decryptNoteRevision(hist) {`
			`const dataKey = getDataKey();`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00
renamed db columns to camelCase 2018-01-29 08:30:14 +08:00			`if (!hist.isProtected) {`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`return;`
			`}`

renamed db columns to camelCase 2018-01-29 08:30:14 +08:00			`if (hist.title) {`
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`hist.title = dataEncryptionService.decryptString(dataKey, dataEncryptionService.noteTitleIv(hist.noteRevisionId), hist.title);`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`}`

renamed db columns to camelCase 2018-01-29 08:30:14 +08:00			`if (hist.content) {`
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`hist.content = dataEncryptionService.decryptString(dataKey, dataEncryptionService.noteContentIv(hist.noteRevisionId), hist.content);`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`}`
			`}`

removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`function encryptNote(note) {`
			`const dataKey = getDataKey();`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`note.title = dataEncryptionService.encrypt(dataKey, dataEncryptionService.noteTitleIv(note.noteId), note.title);`
			`note.content = dataEncryptionService.encrypt(dataKey, dataEncryptionService.noteContentIv(note.noteId), note.content);`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`}`

removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`function encryptNoteRevision(revision) {`
			`const dataKey = getDataKey();`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`revision.title = dataEncryptionService.encrypt(dataKey, dataEncryptionService.noteTitleIv(revision.noteRevisionId), revision.title);`
			`revision.content = dataEncryptionService.encrypt(dataKey, dataEncryptionService.noteContentIv(revision.noteRevisionId), revision.content);`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`}`

refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`module.exports = {`
			`setDataKey,`
server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`getDataKey,`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`isProtectedSessionAvailable,`
autocomplete supports encrypted notes now as well 2018-04-20 12:12:01 +08:00			`decryptNoteTitle,`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`decryptNote,`
			`decryptNotes,`
refactored all mentions of "history" to "revision" 2018-03-26 08:52:38 +08:00			`decryptNoteRevision,`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`encryptNote,`
removed dataKey where it's not necessary anymore (use of CLS instead) 2018-03-31 20:53:52 +08:00			`encryptNoteRevision,`
			`setProtectedSessionId`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`};`