feat: add server crypto (#863)

## Description Currently we are required to ensure PII data is not passed around in search parameters and in the open for GDPR reasons. Allowing us to encrypt and decrypt values with expiry dates will allow us to ensure this doesn't happen. ## Changes Made - Added TPRC router for encryption method ## Testing Performed - Tested encrypting and decrypting data with and without `expiredAt` - Tested via directly accessing API and also via trpc in react components - Tested parsing en email search param in a page and decrypting it successfully ## Checklist - [X] I have tested these changes locally and they work as expected. - [X] I have followed the project's coding style guidelines.
2025-11-13 08:13:56 +10:00 · 2024-01-25 16:07:57 +11:00
parent e90dd518df
commit d766b58f42
9 changed files with 137 additions and 2 deletions
--- a/packages/trpc/server/crypto/router.ts
+++ b/packages/trpc/server/crypto/router.ts
@ -0,0 +1,17 @@
+import { encryptSecondaryData } from '@documenso/lib/server-only/crypto/encrypt';
+
+import { procedure, router } from '../trpc';
+import { ZEncryptSecondaryDataMutationSchema } from './schema';
+
+export const cryptoRouter = router({
+  encryptSecondaryData: procedure
+    .input(ZEncryptSecondaryDataMutationSchema)
+    .mutation(({ input }) => {
+      try {
+        return encryptSecondaryData(input);
+      } catch {
+        // Never leak errors for crypto.
+        throw new Error('Failed to encrypt data');
+      }
+    }),
+});
--- a/packages/trpc/server/crypto/schema.ts
+++ b/packages/trpc/server/crypto/schema.ts
@ -0,0 +1,15 @@
+import { z } from 'zod';
+
+export const ZEncryptSecondaryDataMutationSchema = z.object({
+  data: z.string(),
+  expiresAt: z.number().optional(),
+});
+
+export const ZDecryptDataMutationSchema = z.object({
+  data: z.string(),
+});
+
+export type TEncryptSecondaryDataMutationSchema = z.infer<
+  typeof ZEncryptSecondaryDataMutationSchema
+>;
+export type TDecryptDataMutationSchema = z.infer<typeof ZDecryptDataMutationSchema>;
--- a/packages/trpc/server/router.ts
+++ b/packages/trpc/server/router.ts
@ -1,5 +1,6 @@
 import { adminRouter } from './admin-router/router';
 import { authRouter } from './auth-router/router';
+import { cryptoRouter } from './crypto/router';
 import { documentRouter } from './document-router/router';
 import { fieldRouter } from './field-router/router';
 import { profileRouter } from './profile-router/router';
@ -12,6 +13,7 @@ import { twoFactorAuthenticationRouter } from './two-factor-authentication-route

 export const appRouter = router({
  auth: authRouter,
+  crypto: cryptoRouter,
  profile: profileRouter,
  document: documentRouter,
  field: fieldRouter,