diff --git a/src/lib/modules/crypto/aes.ts b/src/lib/modules/crypto/aes.ts
index 7301373..ccf982f 100644
--- a/src/lib/modules/crypto/aes.ts
+++ b/src/lib/modules/crypto/aes.ts
@@ -23,6 +23,7 @@ export const generateDataKey = async () => {
 true,
 ["encrypt", "decrypt"],
 ),
+ dataKeyVersion: new Date(),
 };
 };
diff --git a/src/lib/server/db/file.ts b/src/lib/server/db/file.ts
index 0fa7772..f7aefdf 100644
--- a/src/lib/server/db/file.ts
+++ b/src/lib/server/db/file.ts
@@ -9,6 +9,7 @@ export interface NewDirectoryParams {
 parentId: DirectoryId;
 mekVersion: number;
 encDek: string;
+ dekVersion: Date;
 encName: string;
 encNameIv: string;
 }
@@ -19,6 +20,7 @@ export interface NewFileParams {
 userId: number;
 mekVersion: number;
 encDek: string;
+ dekVersion: Date;
 encContentIv: string;
 encName: string;
 encNameIv: string;
@@ -41,7 +43,7 @@ export const registerNewDirectory = async (params: NewDirectoryParams) => {
 userId: params.userId,
 mekVersion: params.mekVersion,
 encDek: params.encDek,
- encryptedAt: now,
+ dekVersion: params.dekVersion,
 encName: { ciphertext: params.encName, iv: params.encNameIv },
 });
 });
@@ -72,14 +74,22 @@ export const getDirectory = async (userId: number, directoryId: number) => {
 export const setDirectoryEncName = async (
 userId: number,
 directoryId: number,
+ dekVersion: Date,
 encName: string,
 encNameIv: string,
 ) => {
- await db
+ const res = await db
 .update(directory)
 .set({ encName: { ciphertext: encName, iv: encNameIv } })
- .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)))
+ .where(
+ and(
+ eq(directory.userId, userId),
+ eq(directory.id, directoryId),
+ eq(directory.dekVersion, dekVersion),
+ ),
+ )
 .execute();
+ return res.changes > 0;
 };
 export const unregisterDirectory = async (userId: number, directoryId: number) => {
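Review bot: The `dataKeyVersion: new Date()` added to generateDataKey's return value is a client wall-clock reading that the server later matches by exact millisecond (renameDirectory/renameFile) and only accepts within one minute of its own clock (createDirectory/uploadFile), yet nothing at the source states that contract; generateDataKey's body starts outside the hunk. A comment above the field would keep callers from treating it as a plain timestamp: `// Wall-clock stamp used as this DEK's version token; the server accepts it only within one minute of its own clock and later requires an exact match on rename.` A client whose clock is skewed by more than a minute will have every create/upload rejected with 400, which the client-side error path should be prepared for.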
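Review bot: setDirectoryEncName now returns `res.changes > 0`, but nothing documents that `false` covers both a missing row (unknown id or another user's directory) and a stale dekVersion, so callers cannot tell the two apart; setFileEncName in the next line's hunk has the same gap. A TSDoc header such as `/** Renames the directory only if its stored DEK version equals dekVersion. @returns false when no row matched: unknown id, wrong user, or stale version. */` states the new contract. The `changes` property is assumed to be exposed by the driver's execute() result (better-sqlite3-style); confirm against the db type, since another driver may report affected rows differently. In registerNewDirectory the removed `encryptedAt: now` may have been the last use of `now`; that declaration sits outside the hunk, so check it is not left unused.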
@@ -128,7 +138,7 @@ export const registerNewFile = async (params: NewFileParams) => {
 userId: params.userId,
 mekVersion: params.mekVersion,
 encDek: params.encDek,
- encryptedAt: now,
+ dekVersion: params.dekVersion,
 encContentIv: params.encContentIv,
 encName: { ciphertext: params.encName, iv: params.encNameIv },
 });
@@ -160,14 +170,16 @@ export const getFile = async (userId: number, fileId: number) => {
 export const setFileEncName = async (
 userId: number,
 fileId: number,
+ dekVersion: Date,
 encName: string,
 encNameIv: string,
 ) => {
- await db
+ const res = await db
 .update(file)
 .set({ encName: { ciphertext: encName, iv: encNameIv } })
- .where(and(eq(file.userId, userId), eq(file.id, fileId)))
+ .where(and(eq(file.userId, userId), eq(file.id, fileId), eq(file.dekVersion, dekVersion)))
 .execute();
+ return res.changes > 0;
 };
 export const unregisterFile = async (userId: number, fileId: number) => {
diff --git a/src/lib/server/db/schema/file.ts b/src/lib/server/db/schema/file.ts
index b0bf7f8..c2ef676 100644
--- a/src/lib/server/db/schema/file.ts
+++ b/src/lib/server/db/schema/file.ts
@@ -19,7 +19,7 @@ export const directory = sqliteTable(
 .references(() => user.id),
 mekVersion: integer("master_encryption_key_version").notNull(),
 encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
- encryptedAt: integer("encrypted_at", { mode: "timestamp_ms" }).notNull(),
+ dekVersion: integer("data_encryption_key_version", { mode: "timestamp_ms" }).notNull(),
 encName: ciphertext("encrypted_name").notNull(),
 },
 (t) => ({
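Review bot: The directory table's column is renamed from `encrypted_at` to `data_encryption_key_version` while keeping `timestamp_ms` mode, but no migration is part of this diff, and the stored value's meaning changes from a server-stamped time (`now` in registerNewDirectory) to a client-supplied token; the file table hunk on the next line makes the identical change. If migrations are generated outside this commit, confirm one exists for both tables, since a rename without one leaves existing databases with the old column. A comment on the column would stop it being read as an audit timestamp: `// Client-supplied DEK version token (ms timestamp, matched exactly on rename); not a server time — use createdAt for that.`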
@@ -46,7 +46,7 @@ export const file = sqliteTable(
 .references(() => user.id),
 mekVersion: integer("master_encryption_key_version").notNull(),
 encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
- encryptedAt: integer("encrypted_at", { mode: "timestamp_ms" }).notNull(),
+ dekVersion: integer("data_encryption_key_version", { mode: "timestamp_ms" }).notNull(),
 encContentIv: text("encrypted_content_iv").notNull(), // Base64
 encName: ciphertext("encrypted_name").notNull(),
 },
diff --git a/src/lib/server/schemas/directory.ts b/src/lib/server/schemas/directory.ts
index ae5ca9a..e7012d5 100644
--- a/src/lib/server/schemas/directory.ts
+++ b/src/lib/server/schemas/directory.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";
 export const directoryRenameRequest = z.object({
+ dekVersion: z.coerce.date(),
 name: z.string().base64().nonempty(),
 nameIv: z.string().base64().nonempty(),
 });
@@ -12,6 +13,7 @@ export const directoryInfoResponse = z.object({
 createdAt: z.date(),
 mekVersion: z.number().int().positive(),
 dek: z.string().base64().nonempty(),
+ dekVersion: z.date(),
 name: z.string().base64().nonempty(),
 nameIv: z.string().base64().nonempty(),
 })
@@ -25,6 +27,7 @@ export const directoryCreateRequest = z.object({
 parentId: z.union([z.enum(["root"]), z.number().int().positive()]),
 mekVersion: z.number().int().positive(),
 dek: z.string().base64().nonempty(),
+ dekVersion: z.coerce.date(),
 name: z.string().base64().nonempty(),
 nameIv: z.string().base64().nonempty(),
 });
diff --git a/src/lib/server/schemas/file.ts b/src/lib/server/schemas/file.ts
index 5c43f00..13649e7 100644
--- a/src/lib/server/schemas/file.ts
+++ b/src/lib/server/schemas/file.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";
 export const fileRenameRequest = z.object({
+ dekVersion: z.coerce.date(),
 name: z.string().base64().nonempty(),
 nameIv: z.string().base64().nonempty(),
 });
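Review bot: `dekVersion: z.coerce.date()` in directoryRenameRequest and directoryCreateRequest accepts anything `new Date()` will convert — numbers, booleans, even `null` (epoch 0) — so the request contract is looser than the ISO string the client actually sends; fileRenameRequest in this line and fileUploadRequest on the next have the same shape. Tightening to `dekVersion: z.string().datetime().pipe(z.coerce.date()),` keeps the coercion but rejects non-string input at the boundary instead of relying on the downstream window or equality check to catch it. Separately, directoryInfoResponse declares `dekVersion: z.date()`, which is right for the server-side parse before json(); if the client ever validates the received JSON with the same schema the serialized string would fail, but that client parse is not visible here.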
@@ -10,6 +11,7 @@ export const fileInfoResponse = z.object({
 createdAt: z.date(),
 mekVersion: z.number().int().positive(),
 dek: z.string().base64().nonempty(),
+ dekVersion: z.date(),
 contentIv: z.string().base64().nonempty(),
 name: z.string().base64().nonempty(),
 nameIv: z.string().base64().nonempty(),
@@ -20,6 +22,7 @@ export const fileUploadRequest = z.object({
 parentId: z.union([z.enum(["root"]), z.number().int().positive()]),
 mekVersion: z.number().int().positive(),
 dek: z.string().base64().nonempty(),
+ dekVersion: z.coerce.date(),
 contentIv: z.string().base64().nonempty(),
 name: z.string().base64().nonempty(),
 nameIv: z.string().base64().nonempty(),
diff --git a/src/lib/server/services/directory.ts b/src/lib/server/services/directory.ts
index 173a246..01d39d5 100644
--- a/src/lib/server/services/directory.ts
+++ b/src/lib/server/services/directory.ts
@@ -24,15 +24,20 @@ export const deleteDirectory = async (userId: number, directoryId: number) => {
 export const renameDirectory = async (
 userId: number,
 directoryId: number,
+ dekVersion: Date,
 newEncName: string,
 newEncNameIv: string,
 ) => {
 const directory = await getDirectory(userId, directoryId);
 if (!directory) {
 error(404, "Invalid directory id");
+ } else if (directory.dekVersion.getTime() !== dekVersion.getTime()) {
+ error(400, "Invalid DEK version");
 }
- await setDirectoryEncName(userId, directoryId, newEncName, newEncNameIv);
+ if (!(await setDirectoryEncName(userId, directoryId, dekVersion, newEncName, newEncNameIv))) {
+ error(500, "Invalid directory id or DEK version");
+ }
 };
 export const getDirectoryInformation = async (userId: number, directoryId: "root" | number) => {
@@ -49,6 +54,7 @@ export const getDirectoryInformation = async (userId: number, directoryId: "root
 createdAt: directory.createdAt,
 mekVersion: directory.mekVersion,
 encDek: directory.encDek,
+ dekVersion: directory.dekVersion,
 encName: directory.encName,
 },
 directories: directories.map(({ id }) => id),
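Review bot: In renameDirectory, a `false` from setDirectoryEncName after the pre-check passed means the row changed (or was deleted) between the read and the conditional update — a client-visible conflict, not a server failure — yet it is reported as `error(500, ...)`; renameFile in the next line's hunk does the same. A conflict status keeps error monitoring clean and tells the client to refetch metadata before retrying: `error(409, "Invalid directory id or DEK version");`. With the version now enforced inside the UPDATE's WHERE, the `getTime()` pre-check only serves to separate 404 from a stale version, which is fine but deserves a one-line comment so the update-side guard is not later removed as redundant.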
@@ -64,5 +70,11 @@ export const createDirectory = async (params: NewDirectoryParams) => {
 error(400, "Invalid MEK version");
 }
+ const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
+ const oneMinuteLater = new Date(Date.now() + 60 * 1000);
+ if (params.dekVersion <= oneMinuteAgo || params.dekVersion >= oneMinuteLater) {
+ error(400, "Invalid DEK version");
+ }
+
 await registerNewDirectory(params);
 };
diff --git a/src/lib/server/services/file.ts b/src/lib/server/services/file.ts
index a884dac..11fa536 100644
--- a/src/lib/server/services/file.ts
+++ b/src/lib/server/services/file.ts
@@ -56,15 +56,20 @@ export const getFileStream = async (userId: number, fileId: number) => {
 export const renameFile = async (
 userId: number,
 fileId: number,
+ dekVersion: Date,
 newEncName: string,
 newEncNameIv: string,
 ) => {
 const file = await getFile(userId, fileId);
 if (!file) {
 error(404, "Invalid file id");
+ } else if (file.dekVersion.getTime() !== dekVersion.getTime()) {
+ error(400, "Invalid DEK version");
 }
- await setFileEncName(userId, fileId, newEncName, newEncNameIv);
+ if (!(await setFileEncName(userId, fileId, dekVersion, newEncName, newEncNameIv))) {
+ error(500, "Invalid file id or DEK version");
+ }
 };
 export const getFileInformation = async (userId: number, fileId: number) => {
@@ -77,6 +82,7 @@ export const getFileInformation = async (userId: number, fileId: number) => {
 createdAt: file.createdAt,
 mekVersion: file.mekVersion,
 encDek: file.encDek,
+ dekVersion: file.dekVersion,
 encContentIv: file.encContentIv,
 encName: file.encName,
 };
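Review bot: The ±1-minute window check added to createDirectory is duplicated verbatim in uploadFile (next line's hunk), reads `Date.now()` twice so the two bounds come from slightly different instants, and carries no comment saying what it enforces — that a client-chosen dekVersion is close to the server's notion of now, not that it is unique. A shared helper with a single clock read makes the intent explicit and keeps the two call sites from drifting; the rejection condition below is the same as the original (a difference of 60 s or more is rejected with 400). createDirectory's body starts outside the hunk.
```typescript
/**
 * Rejects a client-supplied DEK version that is not within one minute of the
 * server clock. This bounds client clock skew; it does not make versions
 * unique — uniqueness per entry is enforced by exact matching on rename.
 */
const assertDekVersionFresh = (dekVersion: Date) => {
  const now = Date.now();
  if (Math.abs(dekVersion.getTime() - now) >= 60 * 1000) {
    error(400, "Invalid DEK version");
  }
};

// … unchanged: MEK version check …
assertDekVersionFresh(params.dekVersion);

await registerNewDirectory(params);
```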
@@ -113,6 +119,12 @@ export const uploadFile = async (
 error(400, "Invalid MEK version");
 }
+ const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
+ const oneMinuteLater = new Date(Date.now() + 60 * 1000);
+ if (params.dekVersion <= oneMinuteAgo || params.dekVersion >= oneMinuteLater) {
+ error(400, "Invalid DEK version");
+ }
+
 const path = `${env.libraryPath}/${params.userId}/${uuidv4()}`;
 await mkdir(dirname(path), { recursive: true });
diff --git a/src/lib/services/file.ts b/src/lib/services/file.ts
index adaa524..d97767e 100644
--- a/src/lib/services/file.ts
+++ b/src/lib/services/file.ts
@@ -5,6 +5,7 @@ export const decryptFileMetadata = async (metadata: FileInfoResponse, masterKey:
 const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
 return {
 dataKey,
+ dataKeyVersion: metadata.dekVersion,
 name: await decryptString(metadata.name, metadata.nameIv, dataKey),
 };
 };
diff --git a/src/routes/(main)/directory/[[id]]/+page.svelte b/src/routes/(main)/directory/[[id]]/+page.svelte
index da91160..89c6c64 100644
--- a/src/routes/(main)/directory/[[id]]/+page.svelte
+++ b/src/routes/(main)/directory/[[id]]/+page.svelte
@@ -109,12 +109,12 @@
{#if subDirectories}
 {#await subDirectories then subDirectories}
- {#each subDirectories as { id, dataKey, name }}
+ {#each subDirectories as { id, dataKey, dataKeyVersion, name }}
 goto(`/directory/${id}`)}
 onOpenMenuClick={() => {
- selectedEntry = { type: "directory", id, dataKey, name };
+ selectedEntry = { type: "directory", id, dataKey, dataKeyVersion, name };
 isDirectoryEntryMenuBottomSheetOpen = true;
 }}
 type="directory"
@@ -124,12 +124,12 @@
 {/if}
 {#if files}
 {#await files then files}
- {#each files as { id, dataKey, name }}
+ {#each files as { id, dataKey, dataKeyVersion, name }}
 goto(`/file/${id}`)}
 onOpenMenuClick={() => {
- selectedEntry = { type: "file", id, dataKey, name };
+ selectedEntry = { type: "file", id, dataKey, dataKeyVersion, name };
 isDirectoryEntryMenuBottomSheetOpen = true;
 }}
 type="file"
diff --git a/src/routes/(main)/directory/[[id]]/service.ts b/src/routes/(main)/directory/[[id]]/service.ts
index c549575..ce17472 100644
--- a/src/routes/(main)/directory/[[id]]/service.ts
+++ b/src/routes/(main)/directory/[[id]]/service.ts
@@ -23,6 +23,7 @@ export interface SelectedDirectoryEntry {
 type: "directory" | "file";
 id: number;
 dataKey: CryptoKey;
+ dataKeyVersion: Date;
 name: string;
 }
@@ -33,6 +34,7 @@ export const decryptDirectoryMetadata = async (
 const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
 return {
 dataKey,
+ dataKeyVersion: metadata.dekVersion,
 name: await decryptString(metadata.name, metadata.nameIv, dataKey),
 };
 };
@@ -42,12 +44,13 @@ export const requestDirectoryCreation = async (
 parentId: "root" | number,
 masterKey: MasterKey,
 ) => {
- const { dataKey } = await generateDataKey();
+ const { dataKey, dataKeyVersion } = await generateDataKey();
 const nameEncrypted = await encryptData(new TextEncoder().encode(name), dataKey);
 return await callPostApi("/api/directory/create", {
 parentId,
 mekVersion: masterKey.version,
 dek: await wrapDataKey(dataKey, masterKey.key),
+ dekVersion: dataKeyVersion,
 name: encodeToBase64(nameEncrypted.ciphertext),
 nameIv: nameEncrypted.iv,
 });
@@ -58,7 +61,7 @@ export const requestFileUpload = async (
 parentId: "root" | number,
 masterKey: MasterKey,
 ) => {
- const { dataKey } = await generateDataKey();
+ const { dataKey, dataKeyVersion } = await generateDataKey();
 const fileEncrypted = await encryptData(await file.arrayBuffer(), dataKey);
 const nameEncrypted = await encryptString(file.name, dataKey);
@@ -69,6 +72,7 @@ export const requestFileUpload = async (
 parentId,
 mekVersion: masterKey.version,
 dek: await wrapDataKey(dataKey, masterKey.key),
+ dekVersion: dataKeyVersion,
 contentIv: fileEncrypted.iv,
 name: nameEncrypted.ciphertext,
 nameIv: nameEncrypted.iv,
@@ -90,11 +94,13 @@ export const requestDirectoryEntryRename = async (
 if (entry.type === "directory") {
 await callPostApi(`/api/directory/${entry.id}/rename`, {
+ dekVersion: entry.dataKeyVersion,
 name: newNameEncrypted.ciphertext,
 nameIv: newNameEncrypted.iv,
 });
 } else {
 await callPostApi(`/api/file/${entry.id}/rename`, {
+ dekVersion: entry.dataKeyVersion,
 name: newNameEncrypted.ciphertext,
 nameIv: newNameEncrypted.iv,
 });
diff --git a/src/routes/api/directory/[id]/+server.ts b/src/routes/api/directory/[id]/+server.ts
index 9b147ac..be47ca6 100644
--- a/src/routes/api/directory/[id]/+server.ts
+++ b/src/routes/api/directory/[id]/+server.ts
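Review bot: In requestDirectoryEntryRename the two branches now carry an identical three-field body and differ only in the path segment, and `entry.type` is `"directory" | "file"` (per SelectedDirectoryEntry on the previous line), which is exactly that segment — so one call whose URL is built from `entry.type` replaces the if/else and keeps the two payloads from drifting; the function's start and end lie outside the hunk. Before folding, check callPostApi's first parameter: if it is typed as a union of literal route strings rather than `string`, the template-built path will not typecheck and the duplication is the price of that typing. Either way, the server replies 400/500 when the echoed `dataKeyVersion` is stale, so the caller should refetch the entry's metadata rather than retry with the same value.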
@@ -23,6 +23,7 @@ export const GET: RequestHandler = async ({ cookies, params }) => {
 createdAt: metadata.createdAt,
 mekVersion: metadata.mekVersion,
 dek: metadata.encDek,
+ dekVersion: metadata.dekVersion,
 name: metadata.encName.ciphertext,
 nameIv: metadata.encName.iv,
 },
diff --git a/src/routes/api/directory/[id]/rename/+server.ts b/src/routes/api/directory/[id]/rename/+server.ts
index ee52ac5..13aab5a 100644
--- a/src/routes/api/directory/[id]/rename/+server.ts
+++ b/src/routes/api/directory/[id]/rename/+server.ts
@@ -18,8 +18,8 @@ export const POST: RequestHandler = async ({ request, cookies, params }) => {
 const bodyZodRes = directoryRenameRequest.safeParse(await request.json());
 if (!bodyZodRes.success) error(400, "Invalid request body");
- const { name, nameIv } = bodyZodRes.data;
+ const { dekVersion, name, nameIv } = bodyZodRes.data;
- await renameDirectory(userId, id, name, nameIv);
+ await renameDirectory(userId, id, dekVersion, name, nameIv);
 return text("Directory renamed", { headers: { "Content-Type": "text/plain" } });
 };
diff --git a/src/routes/api/directory/create/+server.ts b/src/routes/api/directory/create/+server.ts
index 0f97117..05ab7d6 100644
--- a/src/routes/api/directory/create/+server.ts
+++ b/src/routes/api/directory/create/+server.ts
@@ -9,13 +9,14 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 const zodRes = directoryCreateRequest.safeParse(await request.json());
 if (!zodRes.success) error(400, "Invalid request body");
- const { parentId, mekVersion, dek, name, nameIv } = zodRes.data;
+ const { parentId, mekVersion, dek, dekVersion, name, nameIv } = zodRes.data;
 await createDirectory({
 userId,
 parentId,
 mekVersion,
 encDek: dek,
+ dekVersion,
 encName: name,
 encNameIv: nameIv,
 });
diff --git a/src/routes/api/file/[id]/+server.ts b/src/routes/api/file/[id]/+server.ts
index 7c83075..afaf9dc 100644
--- a/src/routes/api/file/[id]/+server.ts
+++ b/src/routes/api/file/[id]/+server.ts
@@ -16,15 +16,14 @@ export const GET: RequestHandler = async ({ cookies, params }) => {
 if (!zodRes.success) error(400, "Invalid path parameters");
 const { id } = zodRes.data;
- const { createdAt, mekVersion, encDek, encContentIv, encName } = await getFileInformation(
- userId,
- id,
- );
+ const { createdAt, mekVersion, encDek, dekVersion, encContentIv, encName } =
+ await getFileInformation(userId, id);
 return json(
 fileInfoResponse.parse({
 createdAt,
 mekVersion,
 dek: encDek,
+ dekVersion,
 contentIv: encContentIv,
 name: encName.ciphertext,
 nameIv: encName.iv,
diff --git a/src/routes/api/file/[id]/rename/+server.ts b/src/routes/api/file/[id]/rename/+server.ts
index d9bcd60..7331000 100644
--- a/src/routes/api/file/[id]/rename/+server.ts
+++ b/src/routes/api/file/[id]/rename/+server.ts
@@ -18,8 +18,8 @@ export const POST: RequestHandler = async ({ request, cookies, params }) => {
 const bodyZodRes = fileRenameRequest.safeParse(await request.json());
 if (!bodyZodRes.success) error(400, "Invalid request body");
- const { name, nameIv } = bodyZodRes.data;
+ const { dekVersion, name, nameIv } = bodyZodRes.data;
- await renameFile(userId, id, name, nameIv);
+ await renameFile(userId, id, dekVersion, name, nameIv);
 return text("File renamed", { headers: { "Content-Type": "text/plain" } });
 };
diff --git a/src/routes/api/file/upload/+server.ts b/src/routes/api/file/upload/+server.ts
index 0cd1cab..166c5b7 100644
--- a/src/routes/api/file/upload/+server.ts
+++ b/src/routes/api/file/upload/+server.ts
@@ -16,7 +16,7 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 const zodRes = fileUploadRequest.safeParse(JSON.parse(metadata));
 if (!zodRes.success) error(400, "Invalid request body");
- const { parentId, mekVersion, dek, contentIv, name, nameIv } = zodRes.data;
+ const { parentId, mekVersion, dek, dekVersion, contentIv, name, nameIv } = zodRes.data;
 await uploadFile(
 {
@@ -24,6 +24,7 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 parentId,
 mekVersion,
 encDek: dek,
+ dekVersion,
 encContentIv: contentIv,
 encName: name,
 encNameIv: nameIv,