DEK 버전을 프론트엔드에서 명시적으로 관리하도록 변경

src/lib/modules/crypto/aes.ts

@@ -23,6 +23,7 @@ export const generateDataKey = async () => {
       true,
       ["encrypt", "decrypt"],
     ),
+    dataKeyVersion: new Date(),
   };
 };
 

src/lib/server/db/file.ts

@@ -9,6 +9,7 @@ export interface NewDirectoryParams {
   parentId: DirectoryId;
   mekVersion: number;
   encDek: string;
+  dekVersion: Date;
   encName: string;
   encNameIv: string;
 }
@@ -19,6 +20,7 @@ export interface NewFileParams {
   userId: number;
   mekVersion: number;
   encDek: string;
+  dekVersion: Date;
   encContentIv: string;
   encName: string;
   encNameIv: string;
@@ -41,7 +43,7 @@ export const registerNewDirectory = async (params: NewDirectoryParams) => {
       userId: params.userId,
       mekVersion: params.mekVersion,
       encDek: params.encDek,
-      encryptedAt: now,
+      dekVersion: params.dekVersion,
       encName: { ciphertext: params.encName, iv: params.encNameIv },
     });
   });
@@ -72,14 +74,22 @@ export const getDirectory = async (userId: number, directoryId: number) => {
 export const setDirectoryEncName = async (
   userId: number,
   directoryId: number,
+  dekVersion: Date,
   encName: string,
   encNameIv: string,
 ) => {
-  await db
+  const res = await db
     .update(directory)
     .set({ encName: { ciphertext: encName, iv: encNameIv } })
-    .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)))
+    .where(
+      and(
+        eq(directory.userId, userId),
+        eq(directory.id, directoryId),
+        eq(directory.dekVersion, dekVersion),
+      ),
+    )
     .execute();
+  return res.changes > 0;
 };
 
 export const unregisterDirectory = async (userId: number, directoryId: number) => {
@@ -128,7 +138,7 @@ export const registerNewFile = async (params: NewFileParams) => {
       userId: params.userId,
       mekVersion: params.mekVersion,
       encDek: params.encDek,
-      encryptedAt: now,
+      dekVersion: params.dekVersion,
       encContentIv: params.encContentIv,
       encName: { ciphertext: params.encName, iv: params.encNameIv },
     });
@@ -160,14 +170,16 @@ export const getFile = async (userId: number, fileId: number) => {
 export const setFileEncName = async (
   userId: number,
   fileId: number,
+  dekVersion: Date,
   encName: string,
   encNameIv: string,
 ) => {
-  await db
+  const res = await db
     .update(file)
     .set({ encName: { ciphertext: encName, iv: encNameIv } })
-    .where(and(eq(file.userId, userId), eq(file.id, fileId)))
+    .where(and(eq(file.userId, userId), eq(file.id, fileId), eq(file.dekVersion, dekVersion)))
     .execute();
+  return res.changes > 0;
 };
 
 export const unregisterFile = async (userId: number, fileId: number) => {

src/lib/server/db/schema/file.ts

@@ -19,7 +19,7 @@ export const directory = sqliteTable(
       .references(() => user.id),
     mekVersion: integer("master_encryption_key_version").notNull(),
     encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
-    encryptedAt: integer("encrypted_at", { mode: "timestamp_ms" }).notNull(),
+    dekVersion: integer("data_encryption_key_version", { mode: "timestamp_ms" }).notNull(),
     encName: ciphertext("encrypted_name").notNull(),
   },
   (t) => ({
@@ -46,7 +46,7 @@ export const file = sqliteTable(
       .references(() => user.id),
     mekVersion: integer("master_encryption_key_version").notNull(),
     encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
-    encryptedAt: integer("encrypted_at", { mode: "timestamp_ms" }).notNull(),
+    dekVersion: integer("data_encryption_key_version", { mode: "timestamp_ms" }).notNull(),
     encContentIv: text("encrypted_content_iv").notNull(), // Base64
     encName: ciphertext("encrypted_name").notNull(),
   },

src/lib/server/schemas/directory.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 export const directoryRenameRequest = z.object({
+  dekVersion: z.coerce.date(),
   name: z.string().base64().nonempty(),
   nameIv: z.string().base64().nonempty(),
 });
@@ -12,6 +13,7 @@ export const directoryInfoResponse = z.object({
       createdAt: z.date(),
       mekVersion: z.number().int().positive(),
       dek: z.string().base64().nonempty(),
+      dekVersion: z.date(),
       name: z.string().base64().nonempty(),
       nameIv: z.string().base64().nonempty(),
     })
@@ -25,6 +27,7 @@ export const directoryCreateRequest = z.object({
   parentId: z.union([z.enum(["root"]), z.number().int().positive()]),
   mekVersion: z.number().int().positive(),
   dek: z.string().base64().nonempty(),
+  dekVersion: z.coerce.date(),
   name: z.string().base64().nonempty(),
   nameIv: z.string().base64().nonempty(),
 });

src/lib/server/schemas/file.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 export const fileRenameRequest = z.object({
+  dekVersion: z.coerce.date(),
   name: z.string().base64().nonempty(),
   nameIv: z.string().base64().nonempty(),
 });
@@ -10,6 +11,7 @@ export const fileInfoResponse = z.object({
   createdAt: z.date(),
   mekVersion: z.number().int().positive(),
   dek: z.string().base64().nonempty(),
+  dekVersion: z.date(),
   contentIv: z.string().base64().nonempty(),
   name: z.string().base64().nonempty(),
   nameIv: z.string().base64().nonempty(),
@@ -20,6 +22,7 @@ export const fileUploadRequest = z.object({
   parentId: z.union([z.enum(["root"]), z.number().int().positive()]),
   mekVersion: z.number().int().positive(),
   dek: z.string().base64().nonempty(),
+  dekVersion: z.coerce.date(),
   contentIv: z.string().base64().nonempty(),
   name: z.string().base64().nonempty(),
   nameIv: z.string().base64().nonempty(),

src/lib/server/services/directory.ts

@@ -24,15 +24,20 @@ export const deleteDirectory = async (userId: number, directoryId: number) => {
 export const renameDirectory = async (
   userId: number,
   directoryId: number,
+  dekVersion: Date,
   newEncName: string,
   newEncNameIv: string,
 ) => {
   const directory = await getDirectory(userId, directoryId);
   if (!directory) {
     error(404, "Invalid directory id");
+  } else if (directory.dekVersion.getTime() !== dekVersion.getTime()) {
+    error(400, "Invalid DEK version");
   }
 
-  await setDirectoryEncName(userId, directoryId, newEncName, newEncNameIv);
+  if (!(await setDirectoryEncName(userId, directoryId, dekVersion, newEncName, newEncNameIv))) {
+    error(500, "Invalid directory id or DEK version");
+  }
 };
 
 export const getDirectoryInformation = async (userId: number, directoryId: "root" | number) => {
@@ -49,6 +54,7 @@ export const getDirectoryInformation = async (userId: number, directoryId: "root
       createdAt: directory.createdAt,
       mekVersion: directory.mekVersion,
       encDek: directory.encDek,
+      dekVersion: directory.dekVersion,
       encName: directory.encName,
     },
     directories: directories.map(({ id }) => id),
@@ -64,5 +70,11 @@ export const createDirectory = async (params: NewDirectoryParams) => {
     error(400, "Invalid MEK version");
   }
 
+  const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
+  const oneMinuteLater = new Date(Date.now() + 60 * 1000);
+  if (params.dekVersion <= oneMinuteAgo || params.dekVersion >= oneMinuteLater) {
+    error(400, "Invalid DEK version");
+  }
+
   await registerNewDirectory(params);
 };

src/lib/server/services/file.ts

@@ -56,15 +56,20 @@ export const getFileStream = async (userId: number, fileId: number) => {
 export const renameFile = async (
   userId: number,
   fileId: number,
+  dekVersion: Date,
   newEncName: string,
   newEncNameIv: string,
 ) => {
   const file = await getFile(userId, fileId);
   if (!file) {
     error(404, "Invalid file id");
+  } else if (file.dekVersion.getTime() !== dekVersion.getTime()) {
+    error(400, "Invalid DEK version");
   }
 
-  await setFileEncName(userId, fileId, newEncName, newEncNameIv);
+  if (!(await setFileEncName(userId, fileId, dekVersion, newEncName, newEncNameIv))) {
+    error(500, "Invalid file id or DEK version");
+  }
 };
 
 export const getFileInformation = async (userId: number, fileId: number) => {
@@ -77,6 +82,7 @@ export const getFileInformation = async (userId: number, fileId: number) => {
     createdAt: file.createdAt,
     mekVersion: file.mekVersion,
     encDek: file.encDek,
+    dekVersion: file.dekVersion,
     encContentIv: file.encContentIv,
     encName: file.encName,
   };
@@ -113,6 +119,12 @@ export const uploadFile = async (
     error(400, "Invalid MEK version");
   }
 
+  const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
+  const oneMinuteLater = new Date(Date.now() + 60 * 1000);
+  if (params.dekVersion <= oneMinuteAgo || params.dekVersion >= oneMinuteLater) {
+    error(400, "Invalid DEK version");
+  }
+
   const path = `${env.libraryPath}/${params.userId}/${uuidv4()}`;
   await mkdir(dirname(path), { recursive: true });
 

src/lib/services/file.ts

@@ -5,6 +5,7 @@ export const decryptFileMetadata = async (metadata: FileInfoResponse, masterKey:
   const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
   return {
     dataKey,
+    dataKeyVersion: metadata.dekVersion,
     name: await decryptString(metadata.name, metadata.nameIv, dataKey),
   };
 };

src/routes/(main)/directory/[[id]]/+page.svelte

@@ -109,12 +109,12 @@
   <div class="my-4 pb-[4.5rem]">
     {#if subDirectories}
       {#await subDirectories then subDirectories}
-        {#each subDirectories as { id, dataKey, name }}
+        {#each subDirectories as { id, dataKey, dataKeyVersion, name }}
           <DirectoryEntry
             {name}
             onclick={() => goto(`/directory/${id}`)}
             onOpenMenuClick={() => {
-              selectedEntry = { type: "directory", id, dataKey, name };
+              selectedEntry = { type: "directory", id, dataKey, dataKeyVersion, name };
               isDirectoryEntryMenuBottomSheetOpen = true;
             }}
             type="directory"
@@ -124,12 +124,12 @@
     {/if}
     {#if files}
       {#await files then files}
-        {#each files as { id, dataKey, name }}
+        {#each files as { id, dataKey, dataKeyVersion, name }}
           <DirectoryEntry
             {name}
             onclick={() => goto(`/file/${id}`)}
             onOpenMenuClick={() => {
-              selectedEntry = { type: "file", id, dataKey, name };
+              selectedEntry = { type: "file", id, dataKey, dataKeyVersion, name };
               isDirectoryEntryMenuBottomSheetOpen = true;
             }}
             type="file"

src/routes/(main)/directory/[[id]]/service.ts

@@ -23,6 +23,7 @@ export interface SelectedDirectoryEntry {
   type: "directory" | "file";
   id: number;
   dataKey: CryptoKey;
+  dataKeyVersion: Date;
   name: string;
 }
 
@@ -33,6 +34,7 @@ export const decryptDirectoryMetadata = async (
   const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
   return {
     dataKey,
+    dataKeyVersion: metadata.dekVersion,
     name: await decryptString(metadata.name, metadata.nameIv, dataKey),
   };
 };
@@ -42,12 +44,13 @@ export const requestDirectoryCreation = async (
   parentId: "root" | number,
   masterKey: MasterKey,
 ) => {
-  const { dataKey } = await generateDataKey();
+  const { dataKey, dataKeyVersion } = await generateDataKey();
   const nameEncrypted = await encryptData(new TextEncoder().encode(name), dataKey);
   return await callPostApi<DirectoryCreateRequest>("/api/directory/create", {
     parentId,
     mekVersion: masterKey.version,
     dek: await wrapDataKey(dataKey, masterKey.key),
+    dekVersion: dataKeyVersion,
     name: encodeToBase64(nameEncrypted.ciphertext),
     nameIv: nameEncrypted.iv,
   });
@@ -58,7 +61,7 @@ export const requestFileUpload = async (
   parentId: "root" | number,
   masterKey: MasterKey,
 ) => {
-  const { dataKey } = await generateDataKey();
+  const { dataKey, dataKeyVersion } = await generateDataKey();
   const fileEncrypted = await encryptData(await file.arrayBuffer(), dataKey);
   const nameEncrypted = await encryptString(file.name, dataKey);
 
@@ -69,6 +72,7 @@ export const requestFileUpload = async (
       parentId,
       mekVersion: masterKey.version,
       dek: await wrapDataKey(dataKey, masterKey.key),
+      dekVersion: dataKeyVersion,
       contentIv: fileEncrypted.iv,
       name: nameEncrypted.ciphertext,
       nameIv: nameEncrypted.iv,
@@ -90,11 +94,13 @@ export const requestDirectoryEntryRename = async (
 
   if (entry.type === "directory") {
     await callPostApi<DirectoryRenameRequest>(`/api/directory/${entry.id}/rename`, {
+      dekVersion: entry.dataKeyVersion,
       name: newNameEncrypted.ciphertext,
       nameIv: newNameEncrypted.iv,
     });
   } else {
     await callPostApi<FileRenameRequest>(`/api/file/${entry.id}/rename`, {
+      dekVersion: entry.dataKeyVersion,
       name: newNameEncrypted.ciphertext,
       nameIv: newNameEncrypted.iv,
     });

src/routes/api/directory/[id]/+server.ts

@@ -23,6 +23,7 @@ export const GET: RequestHandler = async ({ cookies, params }) => {
         createdAt: metadata.createdAt,
         mekVersion: metadata.mekVersion,
         dek: metadata.encDek,
+        dekVersion: metadata.dekVersion,
         name: metadata.encName.ciphertext,
         nameIv: metadata.encName.iv,
       },

src/routes/api/directory/[id]/rename/+server.ts

@@ -18,8 +18,8 @@ export const POST: RequestHandler = async ({ request, cookies, params }) => {
 
   const bodyZodRes = directoryRenameRequest.safeParse(await request.json());
   if (!bodyZodRes.success) error(400, "Invalid request body");
-  const { name, nameIv } = bodyZodRes.data;
+  const { dekVersion, name, nameIv } = bodyZodRes.data;
 
-  await renameDirectory(userId, id, name, nameIv);
+  await renameDirectory(userId, id, dekVersion, name, nameIv);
   return text("Directory renamed", { headers: { "Content-Type": "text/plain" } });
 };

src/routes/api/directory/create/+server.ts

@@ -9,13 +9,14 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 
   const zodRes = directoryCreateRequest.safeParse(await request.json());
   if (!zodRes.success) error(400, "Invalid request body");
-  const { parentId, mekVersion, dek, name, nameIv } = zodRes.data;
+  const { parentId, mekVersion, dek, dekVersion, name, nameIv } = zodRes.data;
 
   await createDirectory({
     userId,
     parentId,
     mekVersion,
     encDek: dek,
+    dekVersion,
     encName: name,
     encNameIv: nameIv,
   });

src/routes/api/file/[id]/+server.ts

@@ -16,15 +16,14 @@ export const GET: RequestHandler = async ({ cookies, params }) => {
   if (!zodRes.success) error(400, "Invalid path parameters");
   const { id } = zodRes.data;
 
-  const { createdAt, mekVersion, encDek, encContentIv, encName } = await getFileInformation(
+  const { createdAt, mekVersion, encDek, dekVersion, encContentIv, encName } =
-    userId,
+    await getFileInformation(userId, id);
-    id,
-  );
   return json(
     fileInfoResponse.parse({
       createdAt,
       mekVersion,
       dek: encDek,
+      dekVersion,
       contentIv: encContentIv,
       name: encName.ciphertext,
       nameIv: encName.iv,

src/routes/api/file/[id]/rename/+server.ts

@@ -18,8 +18,8 @@ export const POST: RequestHandler = async ({ request, cookies, params }) => {
 
   const bodyZodRes = fileRenameRequest.safeParse(await request.json());
   if (!bodyZodRes.success) error(400, "Invalid request body");
-  const { name, nameIv } = bodyZodRes.data;
+  const { dekVersion, name, nameIv } = bodyZodRes.data;
 
-  await renameFile(userId, id, name, nameIv);
+  await renameFile(userId, id, dekVersion, name, nameIv);
   return text("File renamed", { headers: { "Content-Type": "text/plain" } });
 };

src/routes/api/file/upload/+server.ts

@@ -16,7 +16,7 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
 
   const zodRes = fileUploadRequest.safeParse(JSON.parse(metadata));
   if (!zodRes.success) error(400, "Invalid request body");
-  const { parentId, mekVersion, dek, contentIv, name, nameIv } = zodRes.data;
+  const { parentId, mekVersion, dek, dekVersion, contentIv, name, nameIv } = zodRes.data;
 
   await uploadFile(
     {
@@ -24,6 +24,7 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
       parentId,
       mekVersion,
       encDek: dek,
+      dekVersion,
       encContentIv: contentIv,
       encName: name,
       encNameIv: nameIv,