feat: add prisma-field-encryption to api

.env.example

@@ -36,6 +36,9 @@ AUTH_REGISTER_ENABLED=true
 AUTH_SOLANA_ADMIN_IDS=
 # Enable login with Solana
 AUTH_SOLANA_ENABLED=true
+# Set Cloak keychain and master key (generate with `pnpm cloak generate` or visit https://cloak.47ng.com in a private window)
+CLOAK_MASTER_KEY=
+CLOAK_KEYCHAIN=
 # Domains to allow cookies for (comma-separated)
 COOKIE_DOMAINS=localhost,127.0.0.1
 # URL of the database to connect to

libs/api/core/data-access/src/lib/api-core-prisma-client.ts

@@ -1,13 +1,20 @@
 import { PrismaClient } from '@prisma/client'
 import { pagination } from 'prisma-extension-pagination'
+import { fieldEncryptionExtension } from 'prisma-field-encryption'
 
-export const prismaClient = new PrismaClient().$extends(
-  pagination({
-    pages: {
-      includePageCount: true,
-      limit: 10,
-    },
-  }),
-)
+export const prismaClient = new PrismaClient()
+  .$extends(
+    fieldEncryptionExtension({
+      encryptionKey: process.env['CLOAK_MASTER_KEY'],
+    }),
+  )
+  .$extends(
+    pagination({
+      pages: {
+        includePageCount: true,
+        limit: 10,
+      },
+    }),
+  )
 
 export type ApiCorePrismaClient = typeof prismaClient

libs/api/core/data-access/src/lib/api-core-provision.service.ts

@@ -1,8 +1,8 @@
 import { Injectable, Logger } from '@nestjs/common'
 import { OnEvent } from '@nestjs/event-emitter'
 import { Prisma, UserStatus } from '@prisma/client'
-import { CORE_APP_STARTED } from './api-core.events'
 import { fakeUsers, provisionUsers } from './api-core-provision-data'
+import { CORE_APP_STARTED } from './api-core.events'
 import { ApiCoreService } from './api-core.service'
 import { hashPassword } from './helpers/hash-validate-password'
 import { slugifyId } from './helpers/slugify-id'

libs/api/core/data-access/src/lib/config/validation-schema.ts

@@ -28,8 +28,13 @@ export const validationSchema = Joi.object({
   // Solana Authentication
   AUTH_SOLANA_ADMIN_IDS: Joi.string(),
   AUTH_SOLANA_ENABLED: Joi.boolean().default(true),
+  // Cloak
+  CLOAK_MASTER_KEY: Joi.string().required().error(new Error(`CLOAK_MASTER_KEY is required.`)),
+  CLOAK_KEYCHAIN: Joi.string().required().error(new Error(`CLOAK_KEYCHAIN is required.`)),
+  // Cookie
   COOKIE_NAME: Joi.string().default('__session'),
   COOKIE_SECURE: Joi.boolean().default(true),
+  // Database
   DATABASE_PROVISION: Joi.boolean().default(false),
   DATABASE_RANDOM_DATA: Joi.boolean().default(false),
   DATABASE_RESET: Joi.boolean().default(false),

package.json

@@ -90,6 +90,7 @@
     "passport-jwt": "^4.0.1",
     "passport-twitter": "^1.0.4",
     "prisma-extension-pagination": "^0.6.0",
+    "prisma-field-encryption": "^1.5.2",
     "react": "18.2.0",
     "react-dom": "18.2.0",
     "react-router-dom": "6.21.1",
@@ -102,6 +103,7 @@
     "zod": "^3.22.4"
   },
   "devDependencies": {
+    "@47ng/cloak": "^1.1.0",
     "@babel/core": "^7.23.7",
     "@babel/preset-react": "^7.23.3",
     "@faker-js/faker": "^8.3.1",

prisma/schema.prisma

@@ -14,8 +14,8 @@ model Identity {
   provider     IdentityProvider
   providerId   String
   name         String?
-  accessToken  String?
-  refreshToken String?
+  accessToken  String? /// @encrypted
+  refreshToken String? /// @encrypted
   profile      Json?
   verified     Boolean             @default(false)
   owner        User                @relation(fields: [ownerId], references: [id], onDelete: Cascade)
@@ -46,7 +46,7 @@ model User {
   avatarUrl  String?
   developer  Boolean    @default(false)
   name       String?
-  password   String?
+  password   String? /// @encrypted
   role       UserRole   @default(User)
   status     UserStatus @default(Created)
   username   String     @unique