chore: merged main

2025-11-19 03:01:59 +10:00 · 2024-01-25 10:53:05 +02:00
parent d451a7acce d766b58f42
commit 2f18518961
21 changed files with 265 additions and 30 deletions
--- a/packages/email/template-components/template-footer.tsx
+++ b/packages/email/template-components/template-footer.tsx
@ -10,7 +10,7 @@ export const TemplateFooter = ({ isDocument = true }: TemplateFooterProps) => {
      {isDocument && (
        <Text className="my-4 text-base text-slate-400">
          This document was sent using{' '}
-          <Link className="text-[#7AC455]" href="https://documenso.com">
+          <Link className="text-[#7AC455]" href="https://documen.so/mail-footer">
            Documenso.
          </Link>
        </Text>
--- a/packages/lib/constants/auth.ts
+++ b/packages/lib/constants/auth.ts
@ -1,5 +1,12 @@
+import { IdentityProvider } from '@documenso/prisma/client';
+
 export const SALT_ROUNDS = 12;

+export const IDENTITY_PROVIDER_NAME: { [key in IdentityProvider]: string } = {
+  [IdentityProvider.DOCUMENSO]: 'Documenso',
+  [IdentityProvider.GOOGLE]: 'Google',
+};
+
 export const IS_GOOGLE_SSO_ENABLED = Boolean(
  process.env.NEXT_PRIVATE_GOOGLE_CLIENT_ID && process.env.NEXT_PRIVATE_GOOGLE_CLIENT_SECRET,
 );
--- a/packages/lib/constants/crypto.ts
+++ b/packages/lib/constants/crypto.ts
@ -1 +1,23 @@
 export const DOCUMENSO_ENCRYPTION_KEY = process.env.NEXT_PRIVATE_ENCRYPTION_KEY;
+
+export const DOCUMENSO_ENCRYPTION_SECONDARY_KEY = process.env.NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY;
+
+if (!DOCUMENSO_ENCRYPTION_KEY || !DOCUMENSO_ENCRYPTION_SECONDARY_KEY) {
+  throw new Error('Missing DOCUMENSO_ENCRYPTION_KEY or DOCUMENSO_ENCRYPTION_SECONDARY_KEY keys');
+}
+
+if (DOCUMENSO_ENCRYPTION_KEY === DOCUMENSO_ENCRYPTION_SECONDARY_KEY) {
+  throw new Error(
+    'DOCUMENSO_ENCRYPTION_KEY and DOCUMENSO_ENCRYPTION_SECONDARY_KEY cannot be equal',
+  );
+}
+
+if (DOCUMENSO_ENCRYPTION_KEY === 'CAFEBABE') {
+  console.warn('*********************************************************************');
+  console.warn('*');
+  console.warn('*');
+  console.warn('Please change the encryption key from the default value of "CAFEBABE"');
+  console.warn('*');
+  console.warn('*');
+  console.warn('*********************************************************************');
+}
--- a/packages/lib/next-auth/auth-options.ts
+++ b/packages/lib/next-auth/auth-options.ts
@ -10,6 +10,7 @@ import GoogleProvider from 'next-auth/providers/google';
 import { env } from 'next-runtime-env';

 import { prisma } from '@documenso/prisma';
+import { IdentityProvider } from '@documenso/prisma/client';

 import { isTwoFactorAuthenticationEnabled } from '../server-only/2fa/is-2fa-availble';
 import { validateTwoFactorAuthentication } from '../server-only/2fa/validate-2fa';
@ -96,7 +97,7 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
    }),
  ],
  callbacks: {
-    async jwt({ token, user }) {
+    async jwt({ token, user, trigger, account }) {
      const merged = {
        ...token,
        ...user,
@ -141,6 +142,22 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
        merged.emailVerified = user.emailVerified?.toISOString() ?? null;
      }

+      if ((trigger === 'signIn' || trigger === 'signUp') && account?.provider === 'google') {
+        merged.emailVerified = user?.emailVerified
+          ? new Date(user.emailVerified).toISOString()
+          : new Date().toISOString();
+
+        await prisma.user.update({
+          where: {
+            id: Number(merged.id),
+          },
+          data: {
+            emailVerified: merged.emailVerified,
+            identityProvider: IdentityProvider.GOOGLE,
+          },
+        });
+      }
+
      return {
        id: merged.id,
        name: merged.name,
--- a/packages/lib/server-only/crypto/decrypt.ts
+++ b/packages/lib/server-only/crypto/decrypt.ts
@ -0,0 +1,33 @@
+import { DOCUMENSO_ENCRYPTION_SECONDARY_KEY } from '@documenso/lib/constants/crypto';
+import { ZEncryptedDataSchema } from '@documenso/lib/server-only/crypto/encrypt';
+import { symmetricDecrypt } from '@documenso/lib/universal/crypto';
+
+/**
+ * Decrypt the passed in data. This uses the secondary encrypt key for miscellaneous data.
+ *
+ * @param encryptedData The data encrypted with the `encryptSecondaryData` function.
+ * @returns The decrypted value, or `null` if the data is invalid or expired.
+ */
+export const decryptSecondaryData = (encryptedData: string): string | null => {
+  if (!DOCUMENSO_ENCRYPTION_SECONDARY_KEY) {
+    throw new Error('Missing encryption key');
+  }
+
+  const decryptedBufferValue = symmetricDecrypt({
+    key: DOCUMENSO_ENCRYPTION_SECONDARY_KEY,
+    data: encryptedData,
+  });
+
+  const decryptedValue = Buffer.from(decryptedBufferValue).toString('utf-8');
+  const result = ZEncryptedDataSchema.safeParse(JSON.parse(decryptedValue));
+
+  if (!result.success) {
+    return null;
+  }
+
+  if (result.data.expiresAt !== undefined && result.data.expiresAt < Date.now()) {
+    return null;
+  }
+
+  return result.data.data;
+};
--- a/packages/lib/server-only/crypto/encrypt.ts
+++ b/packages/lib/server-only/crypto/encrypt.ts
@ -0,0 +1,42 @@
+import { z } from 'zod';
+
+import { DOCUMENSO_ENCRYPTION_SECONDARY_KEY } from '@documenso/lib/constants/crypto';
+import { symmetricEncrypt } from '@documenso/lib/universal/crypto';
+import type { TEncryptSecondaryDataMutationSchema } from '@documenso/trpc/server/crypto/schema';
+
+export const ZEncryptedDataSchema = z.object({
+  data: z.string(),
+  expiresAt: z.number().optional(),
+});
+
+export type EncryptDataOptions = {
+  data: string;
+
+  /**
+   * When the data should no longer be allowed to be decrypted.
+   *
+   * Leave this empty to never expire the data.
+   */
+  expiresAt?: number;
+};
+
+/**
+ * Encrypt the passed in data. This uses the secondary encrypt key for miscellaneous data.
+ *
+ * @returns The encrypted data.
+ */
+export const encryptSecondaryData = ({ data, expiresAt }: TEncryptSecondaryDataMutationSchema) => {
+  if (!DOCUMENSO_ENCRYPTION_SECONDARY_KEY) {
+    throw new Error('Missing encryption key');
+  }
+
+  const dataToEncrypt: z.infer<typeof ZEncryptedDataSchema> = {
+    data,
+    expiresAt,
+  };
+
+  return symmetricEncrypt({
+    key: DOCUMENSO_ENCRYPTION_SECONDARY_KEY,
+    data: JSON.stringify(dataToEncrypt),
+  });
+};
--- a/packages/lib/server-only/document/get-stats.ts
+++ b/packages/lib/server-only/document/get-stats.ts
@ -42,6 +42,11 @@ export const getStats = async ({ user }: GetStatsInput) => {
        _all: true,
      },
      where: {
+        User: {
+          email: {
+            not: user.email,
+          },
+        },
        OR: [
          {
            status: ExtendedDocumentStatus.PENDING,
--- a/packages/trpc/server/crypto/router.ts
+++ b/packages/trpc/server/crypto/router.ts
@ -0,0 +1,17 @@
+import { encryptSecondaryData } from '@documenso/lib/server-only/crypto/encrypt';
+
+import { procedure, router } from '../trpc';
+import { ZEncryptSecondaryDataMutationSchema } from './schema';
+
+export const cryptoRouter = router({
+  encryptSecondaryData: procedure
+    .input(ZEncryptSecondaryDataMutationSchema)
+    .mutation(({ input }) => {
+      try {
+        return encryptSecondaryData(input);
+      } catch {
+        // Never leak errors for crypto.
+        throw new Error('Failed to encrypt data');
+      }
+    }),
+});
--- a/packages/trpc/server/crypto/schema.ts
+++ b/packages/trpc/server/crypto/schema.ts
@ -0,0 +1,15 @@
+import { z } from 'zod';
+
+export const ZEncryptSecondaryDataMutationSchema = z.object({
+  data: z.string(),
+  expiresAt: z.number().optional(),
+});
+
+export const ZDecryptDataMutationSchema = z.object({
+  data: z.string(),
+});
+
+export type TEncryptSecondaryDataMutationSchema = z.infer<
+  typeof ZEncryptSecondaryDataMutationSchema
+>;
+export type TDecryptDataMutationSchema = z.infer<typeof ZDecryptDataMutationSchema>;
--- a/packages/trpc/server/router.ts
+++ b/packages/trpc/server/router.ts
@ -1,5 +1,6 @@
 import { adminRouter } from './admin-router/router';
 import { authRouter } from './auth-router/router';
+import { cryptoRouter } from './crypto/router';
 import { documentRouter } from './document-router/router';
 import { fieldRouter } from './field-router/router';
 import { profileRouter } from './profile-router/router';
@ -12,6 +13,7 @@ import { twoFactorAuthenticationRouter } from './two-factor-authentication-route

 export const appRouter = router({
  auth: authRouter,
+  crypto: cryptoRouter,
  profile: profileRouter,
  document: documentRouter,
  field: fieldRouter,
--- a/packages/tsconfig/process-env.d.ts
+++ b/packages/tsconfig/process-env.d.ts
@ -8,6 +8,7 @@ declare namespace NodeJS {

    NEXT_PRIVATE_DATABASE_URL: string;
    NEXT_PRIVATE_ENCRYPTION_KEY: string;
+    NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY: string;

    NEXT_PUBLIC_STRIPE_COMMUNITY_PLAN_MONTHLY_PRICE_ID: string;

--- a/packages/ui/primitives/command.tsx
+++ b/packages/ui/primitives/command.tsx
@ -35,7 +35,7 @@ const CommandDialog = ({ children, commandProps, ...props }: CommandDialogProps)
      <DialogContent className="overflow-hidden p-0 shadow-2xl">
        <Command
          {...commandProps}
-          className="[&_[cmdk-group-heading]]:text-muted-foreground [&_[cmdk-group-heading]]:px-2 [&_[cmdk-group-heading]]:font-medium [&_[cmdk-group]:not([hidden])_~[cmdk-group]]:pt-0 [&_[cmdk-group]]:px-2 [&_[cmdk-input-wrapper]_svg]:h-5 [&_[cmdk-input-wrapper]_svg]:w-5 [&_[cmdk-input]]:h-12 [&_[cmdk-item]]:px-2 [&_[cmdk-item]]:py-3 [&_[cmdk-item]_svg]:h-4 [&_[cmdk-item]_svg]:w-4"
+          className="[&_[cmdk-group-heading]]:text-muted-foreground [&_[cmdk-group-heading]]:px-0 [&_[cmdk-group-heading]]:font-medium [&_[cmdk-group]:not([hidden])_~[cmdk-group]]:pt-0 [&_[cmdk-group]]:px-2 [&_[cmdk-input-wrapper]_svg]:h-5 [&_[cmdk-input-wrapper]_svg]:w-5 [&_[cmdk-input]]:h-12 [&_[cmdk-item]]:px-2 [&_[cmdk-item]]:py-3 [&_[cmdk-item]_svg]:h-4 [&_[cmdk-item]_svg]:w-4"
        >
          {children}
        </Command>
@ -92,7 +92,7 @@ const CommandGroup = React.forwardRef<
  <CommandPrimitive.Group
    ref={ref}
    className={cn(
-      'text-foreground [&_[cmdk-group-heading]]:text-muted-foreground overflow-hidden p-1 [&_[cmdk-group-heading]]:px-2 [&_[cmdk-group-heading]]:py-1.5 [&_[cmdk-group-heading]]:text-xs [&_[cmdk-group-heading]]:font-medium',
+      'text-foreground [&_[cmdk-group-heading]]:text-muted-foreground mx-2 overflow-hidden border-b pb-2 last:border-0 [&_[cmdk-group-heading]]:mt-2 [&_[cmdk-group-heading]]:px-0 [&_[cmdk-group-heading]]:py-2 [&_[cmdk-group-heading]]:text-xs [&_[cmdk-group-heading]]:font-normal [&_[cmdk-group-heading]]:opacity-50 ',
      className,
    )}
    {...props}
@ -121,7 +121,7 @@ const CommandItem = React.forwardRef<
  <CommandPrimitive.Item
    ref={ref}
    className={cn(
-      'aria-selected:bg-accent aria-selected:text-accent-foreground relative flex cursor-default select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50',
+      'aria-selected:bg-accent aria-selected:text-accent-foreground relative -mx-2 -my-1 flex cursor-default select-none items-center rounded-lg px-2 py-1.5 text-sm outline-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50',
      className,
    )}
    {...props}