trilium/services/protected_session.js

"use strict";

const utils = require('./utils');
const data_encryption = require('./data_encryption');
const session = {};

function setDataKey(req, decryptedDataKey) {
    session.decryptedDataKey = Array.from(decryptedDataKey); // can't store buffer in session
    session.protectedSessionId = utils.randomSecureToken(32);

    return session.protectedSessionId;
}

function getProtectedSessionId(req) {
    return req.headers.protected_session_id;
}

/**
 * @param obj - can be either array, in that case it's considered to be already dataKey and we just return it
 *              if it's not a array, we consider it a request object and try to pull dataKey based on the session id header
 */
function getDataKey(obj) {
    if (!obj || obj.constructor.name === 'Array') {
        return obj;
    }

    const protectedSessionId = getProtectedSessionId(obj);

    if (protectedSessionId && session.protectedSessionId === protectedSessionId) {
        return session.decryptedDataKey;
    }
    else {
        return null;
    }
}

function isProtectedSessionAvailable(req) {
    const protectedSessionId = getProtectedSessionId(req);

    return protectedSessionId && session.protectedSessionId === protectedSessionId;
}

function decryptNote(dataKey, note) {
    dataKey = getDataKey(dataKey);

    if (!note.is_protected) {
        return;
    }

    if (note.note_title) {
        note.note_title = data_encryption.decryptString(dataKey, data_encryption.noteTitleIv(note.note_id), note.note_title);
    }

    if (note.note_text) {
        note.note_text = data_encryption.decryptString(dataKey, data_encryption.noteTextIv(note.note_id), note.note_text);
    }
}

function decryptNotes(dataKey, notes) {
    dataKey = getDataKey(dataKey);

    for (const note of notes) {
        decryptNote(dataKey, note);
    }
}

function decryptNoteHistoryRow(dataKey, hist) {
    dataKey = getDataKey(dataKey);

    if (!hist.is_protected) {
        return;
    }

    if (hist.note_title) {
        hist.note_title = data_encryption.decryptString(dataKey, data_encryption.noteTitleIv(hist.note_history_id), hist.note_title);
    }

    if (hist.note_text) {
        hist.note_text = data_encryption.decryptString(dataKey, data_encryption.noteTextIv(hist.note_history_id), hist.note_text);
    }
}

function decryptNoteHistoryRows(dataKey, historyRows) {
    dataKey = getDataKey(dataKey);

    for (const hist of historyRows) {
        decryptNoteHistoryRow(dataKey, hist);
    }
}

function encryptNote(dataKey, note) {
    dataKey = getDataKey(dataKey);

    note.note_title = data_encryption.encrypt(dataKey, data_encryption.noteTitleIv(note.note_id), note.note_title);
    note.note_text = data_encryption.encrypt(dataKey, data_encryption.noteTextIv(note.note_id), note.note_text);
}

function encryptNoteHistoryRow(dataKey, history) {
    dataKey = getDataKey(dataKey);

    history.note_title = data_encryption.encrypt(dataKey, data_encryption.noteTitleIv(history.note_history_id), history.note_title);
    history.note_text = data_encryption.encrypt(dataKey, data_encryption.noteTextIv(history.note_history_id), history.note_text);
}

module.exports = {
    setDataKey,
    getDataKey,
    isProtectedSessionAvailable,
    decryptNote,
    decryptNotes,
    decryptNoteHistoryRow,
    decryptNoteHistoryRows,
    encryptNote,
    encryptNoteHistoryRow
};
server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`"use strict";`

refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`const utils = require('./utils');`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`const data_encryption = require('./data_encryption');`
more complete support for network-less electron frontend-backend communication including protected session 2017-11-30 12:30:35 +08:00			`const session = {};`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00
			`function setDataKey(req, decryptedDataKey) {`
more complete support for network-less electron frontend-backend communication including protected session 2017-11-30 12:30:35 +08:00			`session.decryptedDataKey = Array.from(decryptedDataKey); // can't store buffer in session`
			`session.protectedSessionId = utils.randomSecureToken(32);`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00
more complete support for network-less electron frontend-backend communication including protected session 2017-11-30 12:30:35 +08:00			`return session.protectedSessionId;`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`}`

server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`function getProtectedSessionId(req) {`
per-browser source id so we support having notecase opened in multiple tabs/windows 2017-12-17 09:48:34 +08:00			`return req.headers.protected_session_id;`
server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`}`

refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`/**`
			`* @param obj - can be either array, in that case it's considered to be already dataKey and we just return it`
			`* if it's not a array, we consider it a request object and try to pull dataKey based on the session id header`
			`*/`
			`function getDataKey(obj) {`
			`if (!obj \|\| obj.constructor.name === 'Array') {`
			`return obj;`
			`}`

			`const protectedSessionId = getProtectedSessionId(obj);`
server side encryption WIP 2017-11-11 11:55:19 +08:00
more complete support for network-less electron frontend-backend communication including protected session 2017-11-30 12:30:35 +08:00			`if (protectedSessionId && session.protectedSessionId === protectedSessionId) {`
			`return session.decryptedDataKey;`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`}`
			`else {`
			`return null;`
			`}`
			`}`

server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`function isProtectedSessionAvailable(req) {`
			`const protectedSessionId = getProtectedSessionId(req);`

more complete support for network-less electron frontend-backend communication including protected session 2017-11-30 12:30:35 +08:00			`return protectedSessionId && session.protectedSessionId === protectedSessionId;`
server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`}`

refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`function decryptNote(dataKey, note) {`
			`dataKey = getDataKey(dataKey);`

			`if (!note.is_protected) {`
			`return;`
			`}`

			`if (note.note_title) {`
			`note.note_title = data_encryption.decryptString(dataKey, data_encryption.noteTitleIv(note.note_id), note.note_title);`
			`}`

			`if (note.note_text) {`
			`note.note_text = data_encryption.decryptString(dataKey, data_encryption.noteTextIv(note.note_id), note.note_text);`
			`}`
			`}`

			`function decryptNotes(dataKey, notes) {`
			`dataKey = getDataKey(dataKey);`

			`for (const note of notes) {`
			`decryptNote(dataKey, note);`
			`}`
			`}`

			`function decryptNoteHistoryRow(dataKey, hist) {`
			`dataKey = getDataKey(dataKey);`

			`if (!hist.is_protected) {`
			`return;`
			`}`

			`if (hist.note_title) {`
			`hist.note_title = data_encryption.decryptString(dataKey, data_encryption.noteTitleIv(hist.note_history_id), hist.note_title);`
			`}`

			`if (hist.note_text) {`
			`hist.note_text = data_encryption.decryptString(dataKey, data_encryption.noteTextIv(hist.note_history_id), hist.note_text);`
			`}`
			`}`

			`function decryptNoteHistoryRows(dataKey, historyRows) {`
			`dataKey = getDataKey(dataKey);`

			`for (const hist of historyRows) {`
			`decryptNoteHistoryRow(dataKey, hist);`
			`}`
			`}`

			`function encryptNote(dataKey, note) {`
			`dataKey = getDataKey(dataKey);`

			`note.note_title = data_encryption.encrypt(dataKey, data_encryption.noteTitleIv(note.note_id), note.note_title);`
			`note.note_text = data_encryption.encrypt(dataKey, data_encryption.noteTextIv(note.note_id), note.note_text);`
			`}`

			`function encryptNoteHistoryRow(dataKey, history) {`
			`dataKey = getDataKey(dataKey);`

			`history.note_title = data_encryption.encrypt(dataKey, data_encryption.noteTitleIv(history.note_history_id), history.note_title);`
			`history.note_text = data_encryption.encrypt(dataKey, data_encryption.noteTextIv(history.note_history_id), history.note_text);`
			`}`

refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`module.exports = {`
			`setDataKey,`
server side WIP - saving encrypted note now works, changing terminology of "encrypted note" to "protected note" 2017-11-15 10:54:12 +08:00			`getDataKey,`
refactoring / unification of note encryption / decryption 2018-01-25 11:13:41 +08:00			`isProtectedSessionAvailable,`
			`decryptNote,`
			`decryptNotes,`
			`decryptNoteHistoryRow,`
			`decryptNoteHistoryRows,`
			`encryptNote,`
			`encryptNoteHistoryRow`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`};`