Run hook before response is sent but already processed.

[edmondsylar]

hello. I'm wondering if it is possible to take action on a get request after its been processed but before the data is returned to the user. Senario I have a hook that encrypts all my data in a POST request before its actually processed and stored in the database, but now I need to decrypt that same data when requested by a user from. I have been working with a very basic or method where I had to decrypting the data from controllers but the method is a little lengthy and hectic and the same all through, Is there a way I could have a function that I call on every GET request before the data is returned to the user but after fetching it from the database?

Thanks in advance

[sailsbot]

@edmondsylar Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

• look for a workaround. (Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)
• tell us why this issue is important to you and your team. What are you trying to accomplish? (Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)
• make sure you've provided clear instructions on how to reproduce the bug from a clean install.
• double-check that you've provided all of the requested version and dependency information. (Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)
• read the code of conduct.
• if appropriate, ask your business to sponsor your issue. (Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)
• let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. (Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)

  ---

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

[edmondsylar]

I Have actually figured out a way that I could accomplish this without using hooks. I have modified my model's page to look like this

/**

• Default model settings
• (sails.config.models)
• Your default, project-wide model settings. Can also be overridden on a
• per-model basis by setting a top-level properties in the model definition.
• For details about all available model settings, see:
• https://sailsjs.com/config/models
• For more general background on Sails model settings, and how to configure
• them on a project-wide or per-model basis, see:
• https://sailsjs.com/docs/concepts/models-and-orm/model-settings */

module.exports.models = {

/***

• *
• Whether model methods like .create() and .update() should ignore *
• (and refuse to persist) unrecognized data-- i.e. properties other than *
• those explicitly defined by attributes in the model definition. *
• *
• To ease future maintenance of your code base, it is usually a good idea *
• to set this to true. *
• *

• Note that schema: false is not supported by every database. *

• For example, if you are using a SQL database, then relevant models *

• are always effectively schema: true. And if no schema setting is *

• provided whatsoever, the behavior is left up to the database adapter. *

•                                                                    *

• For more info, see: *

• https://sailsjs.com/docs/concepts/orm/model-settings#?schema *

• * ***/

  // schema: true,

  /***

• *
• How and whether Sails will attempt to automatically rebuild the *
• tables/collections/etc. in your schema. *
• *

• Note that, when running in a production environment, this will be *

• automatically set to migrate: 'safe', no matter what you configure *

• here. This is a failsafe to prevent Sails from accidentally running *

• auto-migrations on your production database. *

•                                                                    *

• For more info, see: *

• https://sailsjs.com/docs/concepts/orm/model-settings#?migrate *

• * ***/

  // migrate: 'alter',

  /***

• *
• Base attributes that are included in all of your models by default. *
• By convention, this is your primary key attribute (id), as well as two *
• other timestamp attributes for tracking when records were last created *
• or updated. *
• *

• For more info, see: *

• https://sailsjs.com/docs/concepts/orm/model-settings#?attributes *

• * ***/

  attributes: { createdAt: { type: 'number', autoCreatedAt: true, }, updatedAt: { type: 'number', autoUpdatedAt: true, }, id: { type: 'number', autoIncrement: true, }, //-------------------------------------------------------------------------- // /\ Using MongoDB? // || Replace id above with this instead: // // // id: { type: 'string', columnName: '_id' }, // // // Plus, don't forget to configure MongoDB as your default datastore: // https://sailsjs.com/docs/tutorials/using-mongo-db //-------------------------------------------------------------------------- },

  customToJSON: function () { var keys = Object.keys(this); keys.forEach(element => { this['process'] = 'encryption can happen here.'; });

  return _.omit(this, ['password', 'id']); },

  beforeCreate:function(valuesToSet, proceed){ /**

  • Function to eliminate the fields specified in the {fieldsToEliminate} array
  • and create a new array of fields to be encrypted.
  • The reason for elimincating these particular fields is because they are defined with a particular
  • datatype and incase we encrypt them, we will have an error, but still I think its good to have this

  • function since we might need to eliminate some fields when encrypting our data. */ cleanUp=(arr)=> { var newArray = []; const fieldsToEliminate = ['updatedAt', 'id', 'createdAt'];

    arr.forEach(element => { if (!fieldsToEliminate.includes(element)) { newArray.unshift(element); } });

    return newArray; }

  var keys = cleanUp(Object.keys(valuesToSet)); keys.forEach(element => { valuesToSet[element] = null; });

  return proceed() },

  /**

• *
• The set of DEKs (data encryption keys) for at-rest encryption. *
• i.e. when encrypting/decrypting data for attributes with encrypt: true. *
• *

• The default DEK is used for all new encryptions, but multiple DEKs *

• can be configured to allow for key rotation. In production, be sure to *

• manage these keys like you would any other sensitive credential. *

• *

• For more info, see: *

• https://sailsjs.com/docs/concepts/orm/model-settings#?dataEncryptionKeys *

• * **/

  dataEncryptionKeys: { default: 'UYVCo+v+/Mf5dtLAhroe858zCcg8Dj1h18sclIThZg0=' },

  /***

• *
• Whether or not implicit records for associations should be cleaned up *
• automatically using the built-in polyfill. This is especially useful *
• during development with sails-disk. *
• *
• Depending on which databases you're using, you may want to disable this *
• polyfill in your production environment. *
• *
• (For production configuration, see config/env/production.js.) *

• * ***/

  cascadeOnDestroy: true

}; This works but then creates an issue when querying with a post request.

[eashaw]

Hey @edmondsylar, I'm not sure I understand your use case, why are you encrypting data before your app runs its other business logic?

[rachaelshaw]

@edmondsylar if I'm understanding you right, it's technically possible to do this in a hook

[edmondsylar]

@eashaw Currently I don't know of any other way I can pull it off, haven't used the framework for too long but the essence is to have all the data in my database encrypted just as an extra layer of security for my app data,

If there is a way that I can have this implemented differently, please it would surely be a pleasure if you helped

[edmondsylar]

@rachaelshaw Yes, My first attempt was in a hook and i was modifying the data from the request as it comes in but I failed to decrypt the data from the request before I could send it back to the user that's why I decided do it no the model instead

Again am not sure if this is the best way I can do this but am open to suggestions.

[eashaw]

Ni @edmondsylar, can you tell me more about your use case? You might not want at-rest encryption.

[edmondsylar]

@eashaw I simply want to have all the data in my database to be encrypted, which I have achieved using beforeCreate callback function on the main model configuration file. So currently I want to know if there is a way I can execute a function when the data is being fetched, I have tried embedding my logic in the customToJSON function but its not executed, don't know why, tho when I try the same in a different sails App it works, I don't know why it doesn't apply in my main application.

[eashaw]

Hello @edmondsylar, I'm not sure what kind of app you’re working on, and what the security requirements might be, but I would strongly encourage you to take a step back and reconsider whether encryption-at-rest for all of your project’s data is actually needed; this type of approach comes with a lot of overhead and extra complexity that just isn’t necessary for the majority of apps (In case you haven’t gone through these yet: it may help to take a look at the security and deployment docs.)

[edmondsylar]

@eashaw I hadn't surely gone through the security docs for sailsjs but am going to take some time off and check them, The encryption-at-rest is really required for the kind of application am working on, though I have come to find that this kind of methodology might not be very popular because am really not getting much information about it.

but again to answer your question, yes, the data encryption is super relevant for me in this application.

[eashaw]

@edmondsylar How do you intend to query on an encrypted primary key?

[edmondsylar]

My primary keys which in this case are auto increments are actually not encrypted but just in case I was to encrypt them, It still would work since even my query is made with encrypted data, I have a function that encrypts all data that comes in from get requests.

The only issue is that I managed to achieve this using a policy which I surely don't think is a very smart move but its the only one I could get to work, And now I have a problem that I can't call more than one policy one a specific set of routes,

Example '*' : ['policy-one', 'policy-two', ...] I don't know if this is possible but if so, please help out with a fix

[eashaw]

Hi @edmondsylar, you should be able to link multiple policies on an action. If you're seeing issues with the documented usage would you mind creating a minimal repo reproducing the issue you are seeing with multiple policies?

[edmondsylar]

Looking into this ASAP and reverting, Am going to go through my use case and see if am doing it right because I have the same exact implementation that the document suggests.