search

wheresvic / mongoose-field-encryption

A simple symmetric encryption plugin for individual fields. Dependency free, only mongoose peer dependency.
MIT License
74 stars 32 forks source link

encryptedField value does not change when decrypting #77

Open Yeh35 opened 2 years ago

Yeh35 commented 2 years ago

hello. First of all, I am not good at English. If you don't understand, please tell me again.

While using the plugin, I found an issue where field values were not encrypted and stored when empty. After that, even if I add a value to the field and store it, there is no encryption and the plaintext is stored.

image During encryption, encryptField was changed to true value even if the value was empty, but in decryption, even if the value was empty, it did not change to false.

The code I modified is to change encryptedField to false even if the value is empty when decrypting.

then have a nice day

wheresvic commented 2 years ago

Hi @Yeh35

Thank you very much for taking the time to make this change! I am curious about this use case - if the field is empty then it really should not encrypt anything. How do you manage to encrypt the field and then put data into it?

Would you be able to provide some code of your use case?

Thanks!

Yeh35 commented 2 years ago

Hi @wheresvic here is the code.


import Mongoose from "mongoose";
import { fieldEncryption } from "mongoose-field-encryption"

const host = "<Yser MongoDB URL>"
Mongoose.connect(host); // 

/**
 * This is for test code
 */
const testSchema = new Mongoose.Schema({
  user_mobile: { type: String, required: false, default : "" },
});

testSchema.plugin(fieldEncryption, { 
  fields: ["user_mobile"], 
  secret: "Yq3t6w9z$C&F)J@McQfTjWnZr4u7x!A%", // testting key
  useAes256Ctr : true, 
});

const testModel = Mongoose.model("testDocument", testSchema);

const newTest = new testModel({user_mobile : ""}); // If you store the first value empty
await newTest.save(); 

var findedModel = await testModel.findById(newTest.id); 

// From then on, it is stored in the DB as plaintext
findedModel.user_mobile = "010-1234-5678";
await findedModel.save();

this is MongoDB data image

wheresvic commented 1 year ago

Hi @Yeh35

I see the issue but I think that this is a very convoluted use case. If you want to make a dummy marker I would actually recommend that you use some constant like 000-000-000 as a marker rather than an empty value. Encryption on an empty value does not make any sense!

wheresvic commented 1 year ago

Hi @Yeh35

I added a test to encrypt an empty value, change it and it is recording the change correctly: https://github.com/wheresvic/mongoose-field-encryption/blob/99d9499e6a52e7d7fd5d9fc2b7f4ad6de296022c/test/test-db.js#L688

So I do not see how the existing code is broken in this case either. It would be helpful if you could add a test to document the incorrect behavior.

Thanks!

DilipCoder commented 1 year ago

Hi, same issue is happening for decryptFields as well. the query returns mongodb model which is not being override for encrypted field. Screenshot 2023-03-21 at 11 35 59 AM

in mongoose-encryption-field. decryptedValue is correct but assigning value to object attribute is not being changed. check the terminal log.

Screenshot 2023-03-21 at 11 52 46 AM
wheresvic commented 1 year ago

@DilipCoder @Yeh35

Version 6.3.0 comes with a configuration option to encrypt null values or not. So you can set this option to true and not have it encrypt null values.