wheresvic / mongoose-field-encryption

A simple symmetric encryption plugin for individual fields. Dependency free, only mongoose peer dependency.
MIT License
74 stars 32 forks source link
encrypted-fields encryption mongoose node-js nodejs

mongoose-field-encryption

Build Status Coverage Status

A zero dependency simple symmetric encryption plugin for individual fields. The goal of this plugin is to encrypt data but still allow searching over fields with string values. This plugin relies on the Node crypto module. Encryption and decryption happen transparently during save and find.

While this plugin works on individual fields of any type, note that for non-string fields, the original value is set to undefined after encryption. This is because if the schema has defined a field as an array, it would not be possible to replace it with a string value.

As of the stable 2.3.0 release, this plugin requires provision of a custom salt generation function (which would always provide a constant salt given the secret) in order to retain symmetric decryption capability.

Also consider mongoose-encryption if you are looking to encrypt the entire document.

How it works

Encryption is performed using AES-256-CBC. To encrypt, the relevant fields are encrypted with the provided secret + random salt (or a custom salt via the provided saltGenerator function). The generated salt and the resulting encrypted value is concatenated together using a : character and the final string is put in place of the actual value for string values. An extra boolean field with the prefix __enc_ is added to the document which indicates if the provided field is encrypted or not.

Fields which are either objects or of a different type are converted to strings using JSON.stringify and the value stored in an extra marker field of type string with a naming scheme of __enc_ as prefix and _d as suffix on the original field name. The original field is then set to undefined. Please note that this might break any custom validation and application of this plugin on non-string fields needs to be done with care.

Requirements

Installation

npm install mongoose-field-encryption --save-exact

Security Notes

Usage

Basic

For example, given a schema as follows:

const mongoose = require("mongoose");
const mongooseFieldEncryption = require("mongoose-field-encryption").fieldEncryption;
const Schema = mongoose.Schema;

const PostSchema = new Schema({
  title: String,
  message: String,
  references: {
    author: String,
    date: Date,
  },
});

PostSchema.plugin(mongooseFieldEncryption, { 
  fields: ["message", "references"], 
  secret: "some secret key",
  saltGenerator: function (secret) {
    return "1234567890123456"; 
    // should ideally use the secret to return a string of length 16, 
    // default = `const defaultSaltGenerator = secret => crypto.randomBytes(16);`, 
    // see options for more details
  },
});

const Post = mongoose.model("Post", PostSchema);

const post = new Post({ title: "some text", message: "hello all" });

post.save(function (err) {
  console.log(post.title); // some text (only the message field was set to be encrypted via options)
  console.log(post.message); // a9ad74603a91a2e97a803a367ab4e04d:93c64bf4c279d282deeaf738fabebe89
  console.log(post.__enc_message); // true
});

The resulting documents will have the following format:

{
  _id: ObjectId,
  title: String,
  message: String, // encrypted salt and hex value as string, e.g. 9d6a0ca4ac2c80fc84df0a06de36b548:cee57185fed78c055ed31ca6a8be9bf20d303283200a280d0f4fc8a92902e0c1
  __enc_message: true, // boolean marking if the field is encrypted or not
  references: undefined, // encrypted object set to undefined
  __enc_references: true, // boolean marking if the field is encrypted or not
  __enc_references_d: String // encrypted salt and hex object value as string, e.g. 6df2171f25fd1d32adc4a4059f867a82:5909152856cf9cdb7dc32c6af321c8fe69390c359c6b19d967eaa6e7a0a97216
}

find works transparently and you can make new documents as normal, but you should not use the lean option on a find if you want the fields of the document to be decrypted. findOne, findById and save also all work as normal. updateOne works only for string fields and you would also need to manually set the __enc_ field value to false if you're updating an encrypted field. Currently updateMany is not supported.

From the mongoose package documentation: Note that findAndUpdate/Remove do not execute any hooks or validation before making the change in the database. If you need hooks and validation, first query for the document and then save it.

Note that as of 1.2.0 release, support for findOneAndUpdate has also been added. Note that you would need to specifically set the encryption field marker for it to be encrypted. For example:

Post.findOneAndUpdate({ _id: postId }, { $set: { message: "snoop", __enc_message: false } });

The above also works for non-string fields. See changelog for more details.

Also note that if you manually set the value __enc_ prefix field to true then the encryption is not run on the corresponding field and this may result in the plain value being stored in the db.

Search over encrypted fields

Note that in order to use this option a fixed salt generator must be provided. See example as follows:

const messageSchema = new Schema({
  title: String,
  message: String,
  name: String,
});

messageSchema.plugin(mongooseFieldEncryption, {
  fields: ["message", "name"],
  secret: "some secret key",
  saltGenerator: function (secret) {
    return "1234567890123456";
    // should ideally use the secret to return a string of length 16, 
    // default = `const defaultSaltGenerator = secret => crypto.randomBytes(16);`, 
    // see options for more details
  },
});

const title = "some text";
const name = "victor";
const message = "hello all";

const Message = mongoose.model("Message", messageSchema);

const messageToSave = new Message({ title, message, name });
await messageToSave.save();

// note that we are only providing the field we would like to search with
const messageToSearchWith = new Message({ name });
messageToSearchWith.encryptFieldsSync();

// `messageToSearchWith.name` contains the encrypted string text
const results = await Message.find({ name: messageToSearchWith.name });

// results is an array of length 1 (assuming that there is only 1 message with the name "victor" in the collection)
// and the message in the results array corresponds to the one saved previously

Options

Static methods

For performance reasons, once the document has been encrypted, it remains so. The following methods are thus added to the schema:

Multiple calls to the above methods have no effect, i.e. once a field is encrypted and the __enc_ marker field value is set to true then the ecrypt operation is ignored. Same for the decrypt operation. Of course if the field markers have been removed via the stripEncryptionFieldMarkers() call, then the encryption will be executed if invoked.

Searching

To enable searching over the encrypted fields the encrypt and decrypt methods have also been exposed (see test/test-manual-encryption for detailed usage).

const fieldEncryption = require('mongoose-field-encryption');

const defaultSaltGenerator = (secret) => crypto.randomBytes(16);
const _hash = (secret) => crypto.createHash("sha256").update(secret).digest("hex").substring(0, 32);
const encrypted = fieldEncryption.encrypt('some text', _hash('secret')), defaultSaltGenerator);
const decrypted = fieldEncryption.decrypt(encrypted, _hash('secret'))); // decrypted = 'some text'

encryption of nested fields

Note that while this plugin is designed to encrypt only top level fields, nested fields can be easily encrypted by creating a mongoose schema for the nested objects and adding the plugin to them.

See comment for discussion: https://github.com/wheresvic/mongoose-field-encryption/issues/34#issuecomment-577383776.

Please also note that this example is provided as a best-effort basis and this plugin does not take responsibility for what quirks mongoose might bring if you use this feature.

See relevant test in test/test-db.js:

// subdocument encryption

const UserExtraSchema = new mongoose.Schema({
  city: { type: String },
  country: { type: String },
  address: { type: String },
  postalCode: { type: String },
});

UserExtraSchema.plugin(fieldEncryptionPlugin, {
  fields: ["address"],
  secret: "icanhazcheeseburger",
  saltGenerator: (secret) => secret.slice(0, 16),
});

const UserSchema = new mongoose.Schema(
  {
    name: { type: String, required: true },
    surname: { type: String, required: true },
    email: { type: String, required: true },
    extra: UserExtraSchema,
  },
  { collection: "users" }
);

UserSchema.plugin(fieldEncryptionPlugin, {
  fields: ["name", "surname"],
  secret: "icanhazcheeseburger",
  saltGenerator: (secret) => secret.slice(0, 16),
});

const UserModel = mongoose.model("User", UserSchema);

Development

As of version 3.0.5, one can setup a local development mongodb instance using docker:

Feel free to make changes to the default docker configuration as required.

Testing

  1. Install dependencies with npm install and install mongo if you don't have it yet.
  2. Start mongo via docker-compose up under the development folder.
  3. Run tests with npm run test:auth. Additionally you can pass your own mongodb uri as an environment variable if you would like to test against your own database, for e.g. URI='mongodb://username:password@127.0.0.1:27017/mongoose-field-encryption-test' npm test

Publishing

release-it

release-it patch,minor,major

Manual

Changelog

7.0.1

7.0.0

6.3.0

6.2.0

6.1.0

6.0.0

5.0.1, 5.0.2, 5.0.3

5.0.0

4.0.4, 4.0.5, 4.0.6, 4.0.7

4.0.3

4.0.2

4.0.1

4.0.0

3.1.0

3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6

3.0.0

2.3.5

2.3.2, 2.3.3, 2.3.4

2.3.1

2.3.0

2.2.0

2.1.3

2.1.1

2.0.0

1.2.0

1.1.0