store certs in db

prisma/schema/auth.prisma

@@ -41,3 +41,12 @@ model APIToken {
 
     @@index([token])
 }
+
+model Certificate {
+    id String @id @default(uuid())
+
+    privateKey  String
+    certificate String
+
+    blacklisted Boolean @default(false)
+}

server/internal/clients/ca-store.ts

@@ -1,6 +1,7 @@
 import path from "path";
 import fs from "fs";
 import { CertificateBundle } from "./ca";
+import prisma from "../db/database";
 
 export type CertificateStore = {
   store(name: string, data: CertificateBundle): Promise<void>;
@@ -33,3 +34,63 @@ export const fsCertificateStore = (base: string) => {
   };
   return store;
 };
+
+export const dbCertificateStore = () => {
+  const store: CertificateStore = {
+    async store(name: string, data: CertificateBundle) {
+      await prisma.certificate.upsert({
+        where: {
+          id: name,
+        },
+        create: {
+          id: name,
+          privateKey: data.priv,
+          certificate: data.cert,
+        },
+        update: {
+          privateKey: data.priv,
+          certificate: data.cert,
+        },
+      });
+    },
+    async fetch(name: string) {
+      const result = await prisma.certificate.findUnique({
+        where: {
+          id: name,
+        },
+        select: {
+          privateKey: true,
+          certificate: true,
+        },
+      });
+      if (result === null) return undefined;
+      return {
+        priv: result.privateKey,
+        cert: result.certificate,
+      };
+    },
+    async blacklistCertificate(name: string) {
+      await prisma.certificate.update({
+        where: {
+          id: name,
+        },
+        data: {
+          blacklisted: true,
+        },
+      });
+    },
+    async checkBlacklistCertificate(name: string): Promise<boolean> {
+      const result = await prisma.certificate.findUnique({
+        where: {
+          id: name,
+        },
+        select: {
+          blacklisted: true,
+        },
+      });
+      if (result === null) return false;
+      return result.blacklisted;
+    },
+  };
+  return store;
+};

server/plugins/ca.ts

@@ -1,6 +1,9 @@
 import { CertificateAuthority } from "../internal/clients/ca";
 import fs from "fs";
-import { fsCertificateStore } from "../internal/clients/ca-store";
+import {
+  dbCertificateStore,
+  fsCertificateStore,
+} from "../internal/clients/ca-store";
 
 let ca: CertificateAuthority | undefined;
 
@@ -10,9 +13,9 @@ export const useCertificateAuthority = () => {
 };
 
 export default defineNitroPlugin(async (nitro) => {
-  const basePath = process.env.CLIENT_CERTIFICATES ?? "./certs";
-  fs.mkdirSync(basePath, { recursive: true });
-  const store = fsCertificateStore(basePath);
+  // const basePath = process.env.CLIENT_CERTIFICATES ?? "./certs";
+  // fs.mkdirSync(basePath, { recursive: true });
+  // const store = fsCertificateStore(basePath);
 
-  ca = await CertificateAuthority.new(store);
+  ca = await CertificateAuthority.new(dbCertificateStore());
 });