레포지토리 레이어의 코드를 Kysely 기반으로 모두 마이그레이션 (WiP)

.env.example

@@ -1,8 +1,12 @@
 # Required environment variables
+DATABASE_PASSWORD=
 SESSION_SECRET=
 
 # Optional environment variables
-DATABASE_URL=
+DATABASE_HOST=
+DATABASE_PORT=
+DATABASE_USER=
+DATABASE_NAME=
 SESSION_EXPIRES=
 USER_CLIENT_CHALLENGE_EXPIRES=
 SESSION_UPGRADE_CHALLENGE_EXPIRES=

docker-compose.dev.yaml

@@ -0,0 +1,15 @@
+services:
+  database:
+    image: postgres:17.2
+    restart: on-failure
+    volumes:
+      - database:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_USER=${DATABASE_USER:-}
+      - POSTGRES_PASSWORD=${DATABASE_PASSWORD:?} # Required
+      - POSTGRES_DB=${DATABASE_NAME:-}
+    ports:
+      - ${DATABASE_PORT:-5432}:5432
+
+volumes:
+  database:

docker-compose.yaml

@@ -1,13 +1,17 @@
 services:
   server:
     build: .
-    restart: unless-stopped
+    restart: on-failure
+    depends_on:
+      - database
     user: ${CONTAINER_UID:-0}:${CONTAINER_GID:-0}
     volumes:
-      - ./data:/app/data
+      - ./data/library:/app/data/library
     environment:
       # ArkVault
-      - DATABASE_URL=/app/data/database.sqlite
+      - DATABASE_HOST=database
+      - DATABASE_USER=arkvault
+      - DATABASE_PASSWORD=${DATABASE_PASSWORD:?} # Required
       - SESSION_SECRET=${SESSION_SECRET:?} # Required
       - SESSION_EXPIRES
       - USER_CLIENT_CHALLENGE_EXPIRES
@@ -19,3 +23,12 @@ services:
       - NODE_ENV=${NODE_ENV:-production}
     ports:
       - ${PORT:-80}:3000
+
+  database:
+    image: postgres:17.2-alpine
+    restart: on-failure
+    volumes:
+      - ./data/database:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_USER=arkvault
+      - POSTGRES_PASSWORD=${DATABASE_PASSWORD:?}

package.json

@@ -5,6 +5,7 @@
   "type": "module",
   "scripts": {
     "dev": "vite dev",
+    "dev:db": "docker compose -f docker-compose.dev.yaml up -d",
     "build": "vite build",
     "preview": "vite preview",
     "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",

src/lib/server/db/client.ts

@@ -1,53 +1,97 @@
-import { SqliteError } from "better-sqlite3";
+import { DatabaseError } from "pg";
-import { and, or, eq, gt, lte } from "drizzle-orm";
-import db from "./drizzle";
 import { IntegrityError } from "./error";
-import { client, userClient, userClientChallenge } from "./schema";
+import db from "./kysely";
+import type { UserClientState } from "./schema";
+
+interface Client {
+  id: number;
+  encPubKey: string;
+  sigPubKey: string;
+}
+
+interface UserClient {
+  userId: number;
+  clientId: number;
+  state: UserClientState;
+}
+
+interface UserClientWithDetails extends UserClient {
+  encPubKey: string;
+  sigPubKey: string;
+}
 
 export const createClient = async (encPubKey: string, sigPubKey: string, userId: number) => {
-  return await db.transaction(
+  return await db
-    async (tx) => {
+    .transaction()
-      const clients = await tx
+    .setIsolationLevel("serializable")
-        .select({ id: client.id })
+    .execute(async (trx) => {
-        .from(client)
+      const client = await trx
-        .where(or(eq(client.encPubKey, sigPubKey), eq(client.sigPubKey, encPubKey)))
+        .selectFrom("client")
-        .limit(1);
+        .where((eb) =>
-      if (clients.length !== 0) {
+          eb.or([
+            eb("encryption_public_key", "=", encPubKey),
+            eb("encryption_public_key", "=", sigPubKey),
+            eb("signature_public_key", "=", encPubKey),
+            eb("signature_public_key", "=", sigPubKey),
+          ]),
+        )
+        .limit(1)
+        .executeTakeFirst();
+      if (client) {
         throw new IntegrityError("Public key(s) already registered");
       }
 
-      const newClients = await tx
+      const { clientId } = await trx
-        .insert(client)
+        .insertInto("client")
-        .values({ encPubKey, sigPubKey })
+        .values({ encryption_public_key: encPubKey, signature_public_key: sigPubKey })
-        .returning({ id: client.id });
+        .returning("id as clientId")
-      const { id: clientId } = newClients[0]!;
+        .executeTakeFirstOrThrow();
-      await tx.insert(userClient).values({ userId, clientId });
+      await trx
-
+        .insertInto("user_client")
-      return clientId;
+        .values({ user_id: userId, client_id: clientId })
-    },
+        .execute();
-    { behavior: "exclusive" },
+      return { clientId };
-  );
+    });
 };
 
 export const getClient = async (clientId: number) => {
-  const clients = await db.select().from(client).where(eq(client.id, clientId)).limit(1);
+  const client = await db
-  return clients[0] ?? null;
+    .selectFrom("client")
+    .selectAll()
+    .where("id", "=", clientId)
+    .limit(1)
+    .executeTakeFirst();
+  return client
+    ? ({
+        id: client.id,
+        encPubKey: client.encryption_public_key,
+        sigPubKey: client.signature_public_key,
+      } satisfies Client)
+    : null;
 };
 
 export const getClientByPubKeys = async (encPubKey: string, sigPubKey: string) => {
-  const clients = await db
+  const client = await db
-    .select()
+    .selectFrom("client")
-    .from(client)
+    .selectAll()
-    .where(and(eq(client.encPubKey, encPubKey), eq(client.sigPubKey, sigPubKey)))
+    .where("encryption_public_key", "=", encPubKey)
-    .limit(1);
+    .where("signature_public_key", "=", sigPubKey)
-  return clients[0] ?? null;
+    .limit(1)
+    .executeTakeFirst();
+  return client
+    ? ({
+        id: client.id,
+        encPubKey: client.encryption_public_key,
+        sigPubKey: client.signature_public_key,
+      } satisfies Client)
+    : null;
 };
 
 export const createUserClient = async (userId: number, clientId: number) => {
   try {
-    await db.insert(userClient).values({ userId, clientId });
+    await db.insertInto("user_client").values({ user_id: userId, client_id: clientId }).execute();
   } catch (e) {
-    if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_PRIMARYKEY") {
+    if (e instanceof DatabaseError && e.code === "23505") {
       throw new IntegrityError("User client already exists");
     }
     throw e;
@@ -55,52 +99,76 @@ export const createUserClient = async (userId: number, clientId: number) => {
 };
 
 export const getAllUserClients = async (userId: number) => {
-  return await db.select().from(userClient).where(eq(userClient.userId, userId));
+  const userClients = await db
+    .selectFrom("user_client")
+    .selectAll()
+    .where("user_id", "=", userId)
+    .execute();
+  return userClients.map(
+    ({ user_id, client_id, state }) =>
+      ({
+        userId: user_id,
+        clientId: client_id,
+        state,
+      }) satisfies UserClient,
+  );
 };
 
 export const getUserClient = async (userId: number, clientId: number) => {
-  const userClients = await db
+  const userClient = await db
-    .select()
+    .selectFrom("user_client")
-    .from(userClient)
+    .selectAll()
-    .where(and(eq(userClient.userId, userId), eq(userClient.clientId, clientId)))
+    .where("user_id", "=", userId)
-    .limit(1);
+    .where("client_id", "=", clientId)
-  return userClients[0] ?? null;
+    .limit(1)
+    .executeTakeFirst();
+  return userClient
+    ? ({
+        userId: userClient.user_id,
+        clientId: userClient.client_id,
+        state: userClient.state,
+      } satisfies UserClient)
+    : null;
 };
 
 export const getUserClientWithDetails = async (userId: number, clientId: number) => {
-  const userClients = await db
+  const userClient = await db
-    .select()
+    .selectFrom("user_client")
-    .from(userClient)
+    .innerJoin("client", "user_client.client_id", "client.id")
-    .innerJoin(client, eq(userClient.clientId, client.id))
+    .selectAll()
-    .where(and(eq(userClient.userId, userId), eq(userClient.clientId, clientId)))
+    .where("user_id", "=", userId)
-    .limit(1);
+    .where("client_id", "=", clientId)
-  return userClients[0] ?? null;
+    .limit(1)
+    .executeTakeFirst();
+  return userClient
+    ? ({
+        userId: userClient.user_id,
+        clientId: userClient.client_id,
+        state: userClient.state,
+        encPubKey: userClient.encryption_public_key,
+        sigPubKey: userClient.signature_public_key,
+      } satisfies UserClientWithDetails)
+    : null;
 };
 
 export const setUserClientStateToPending = async (userId: number, clientId: number) => {
   await db
-    .update(userClient)
+    .updateTable("user_client")
     .set({ state: "pending" })
-    .where(
+    .where("user_id", "=", userId)
-      and(
+    .where("client_id", "=", clientId)
-        eq(userClient.userId, userId),
+    .where("state", "=", "challenging")
-        eq(userClient.clientId, clientId),
+    .execute();
-        eq(userClient.state, "challenging"),
-      ),
-    );
 };
 
 export const setUserClientStateToActive = async (userId: number, clientId: number) => {
   await db
-    .update(userClient)
+    .updateTable("user_client")
     .set({ state: "active" })
-    .where(
+    .where("user_id", "=", userId)
-      and(
+    .where("client_id", "=", clientId)
-        eq(userClient.userId, userId),
+    .where("state", "=", "pending")
-        eq(userClient.clientId, clientId),
+    .execute();
-        eq(userClient.state, "pending"),
-      ),
-    );
 };
 
 export const registerUserClientChallenge = async (
@@ -110,30 +178,30 @@ export const registerUserClientChallenge = async (
   allowedIp: string,
   expiresAt: Date,
 ) => {
-  await db.insert(userClientChallenge).values({
+  await db
-    userId,
+    .insertInto("user_client_challenge")
-    clientId,
+    .values({
+      user_id: userId,
+      client_id: clientId,
       answer,
-    allowedIp,
+      allowed_ip: allowedIp,
-    expiresAt,
+      expires_at: expiresAt,
-  });
+    })
+    .execute();
 };
 
 export const consumeUserClientChallenge = async (userId: number, answer: string, ip: string) => {
-  const challenges = await db
+  const challenge = await db
-    .delete(userClientChallenge)
+    .deleteFrom("user_client_challenge")
-    .where(
+    .where("user_id", "=", userId)
-      and(
+    .where("answer", "=", answer)
-        eq(userClientChallenge.userId, userId),
+    .where("allowed_ip", "=", ip)
-        eq(userClientChallenge.answer, answer),
+    .where("expires_at", ">", new Date())
-        eq(userClientChallenge.allowedIp, ip),
+    .returning("client_id")
-        gt(userClientChallenge.expiresAt, new Date()),
+    .executeTakeFirst();
-      ),
+  return challenge ? { clientId: challenge.client_id } : null;
-    )
-    .returning({ clientId: userClientChallenge.clientId });
-  return challenges[0] ?? null;
 };
 
 export const cleanupExpiredUserClientChallenges = async () => {
-  await db.delete(userClientChallenge).where(lte(userClientChallenge.expiresAt, new Date()));
+  await db.deleteFrom("user_client_challenge").where("expires_at", "<=", new Date()).execute();
 };

src/lib/server/db/file.ts

@@ -1,21 +1,23 @@
-import { and, eq, isNull } from "drizzle-orm";
-import db from "./drizzle";
 import { IntegrityError } from "./error";
-import { directory, directoryLog, file, fileLog, hsk, mek } from "./schema";
+import db from "./kysely";
+import type { Ciphertext } from "./schema";
 
 type DirectoryId = "root" | number;
 
-export interface NewDirectoryParams {
+interface Directory {
+  id: number;
   parentId: DirectoryId;
   userId: number;
   mekVersion: number;
   encDek: string;
   dekVersion: Date;
-  encName: string;
+  encName: Ciphertext;
-  encNameIv: string;
 }
 
-export interface NewFileParams {
+export type NewDirectory = Omit<Directory, "id">;
+
+interface File {
+  id: number;
   parentId: DirectoryId;
   userId: number;
   path: string;
@@ -27,216 +29,263 @@ export interface NewFileParams {
   contentType: string;
   encContentIv: string;
   encContentHash: string;
-  encName: string;
+  encName: Ciphertext;
-  encNameIv: string;
+  encCreatedAt: Ciphertext | null;
-  encCreatedAt: string | null;
+  encLastModifiedAt: Ciphertext;
-  encCreatedAtIv: string | null;
-  encLastModifiedAt: string;
-  encLastModifiedAtIv: string;
 }
 
-export const registerDirectory = async (params: NewDirectoryParams) => {
+export type NewFile = Omit<File, "id">;
-  await db.transaction(
+
-    async (tx) => {
+export const registerDirectory = async (params: NewDirectory) => {
-      const meks = await tx
+  await db.transaction().execute(async (trx) => {
-        .select({ version: mek.version })
+    const mek = await trx
-        .from(mek)
+      .selectFrom("master_encryption_key")
-        .where(and(eq(mek.userId, params.userId), eq(mek.state, "active")))
+      .select("version")
-        .limit(1);
+      .where("user_id", "=", params.userId)
-      if (meks[0]?.version !== params.mekVersion) {
+      .where("state", "=", "active")
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (mek?.version !== params.mekVersion) {
       throw new IntegrityError("Inactive MEK version");
     }
 
-      const newDirectories = await tx
+    const { directoryId } = await trx
-        .insert(directory)
+      .insertInto("directory")
       .values({
-          parentId: params.parentId === "root" ? null : params.parentId,
+        parent_id: params.parentId !== "root" ? params.parentId : null,
-          userId: params.userId,
+        user_id: params.userId,
-          mekVersion: params.mekVersion,
+        master_encryption_key_version: params.mekVersion,
-          encDek: params.encDek,
+        encrypted_data_encryption_key: params.encDek,
-          dekVersion: params.dekVersion,
+        data_encryption_key_version: params.dekVersion,
-          encName: { ciphertext: params.encName, iv: params.encNameIv },
+        encrypted_name: params.encName,
       })
-        .returning({ id: directory.id });
+      .returning("id as directoryId")
-      const { id: directoryId } = newDirectories[0]!;
+      .executeTakeFirstOrThrow();
-      await tx.insert(directoryLog).values({
+    await trx
-        directoryId,
+      .insertInto("directory_log")
+      .values({
+        directory_id: directoryId,
         timestamp: new Date(),
         action: "create",
-        newName: { ciphertext: params.encName, iv: params.encNameIv },
+        new_name: params.encName,
+      })
+      .execute();
   });
-    },
-    { behavior: "exclusive" },
-  );
 };
 
 export const getAllDirectoriesByParent = async (userId: number, parentId: DirectoryId) => {
-  return await db
+  let query = db.selectFrom("directory").selectAll().where("user_id", "=", userId);
-    .select()
+  query =
-    .from(directory)
+    parentId === "root"
-    .where(
+      ? query.where("parent_id", "is", null)
-      and(
+      : query.where("parent_id", "=", parentId);
-        eq(directory.userId, userId),
+  const directories = await query.execute();
-        parentId === "root" ? isNull(directory.parentId) : eq(directory.parentId, parentId),
+  return directories.map(
-      ),
+    (directory) =>
+      ({
+        id: directory.id,
+        parentId: directory.parent_id ?? "root",
+        userId: directory.user_id,
+        mekVersion: directory.master_encryption_key_version,
+        encDek: directory.encrypted_data_encryption_key,
+        dekVersion: directory.data_encryption_key_version,
+        encName: directory.encrypted_name,
+      }) satisfies Directory,
   );
 };
 
 export const getDirectory = async (userId: number, directoryId: number) => {
-  const res = await db
+  const directory = await db
-    .select()
+    .selectFrom("directory")
-    .from(directory)
+    .selectAll()
-    .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)))
+    .where("id", "=", directoryId)
-    .limit(1);
+    .where("user_id", "=", userId)
-  return res[0] ?? null;
+    .limit(1)
+    .executeTakeFirst();
+  return directory
+    ? ({
+        id: directory.id,
+        parentId: directory.parent_id ?? "root",
+        userId: directory.user_id,
+        mekVersion: directory.master_encryption_key_version,
+        encDek: directory.encrypted_data_encryption_key,
+        dekVersion: directory.data_encryption_key_version,
+        encName: directory.encrypted_name,
+      } satisfies Directory)
+    : null;
 };
 
 export const setDirectoryEncName = async (
   userId: number,
   directoryId: number,
   dekVersion: Date,
-  encName: string,
+  encName: Ciphertext,
-  encNameIv: string,
 ) => {
-  await db.transaction(
+  await db.transaction().execute(async (trx) => {
-    async (tx) => {
+    const directory = await trx
-      const directories = await tx
+      .selectFrom("directory")
-        .select({ version: directory.dekVersion })
+      .select("data_encryption_key_version")
-        .from(directory)
+      .where("id", "=", directoryId)
-        .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)))
+      .where("user_id", "=", userId)
-        .limit(1);
+      .limit(1)
-      if (!directories[0]) {
+      .forUpdate()
+      .executeTakeFirst();
+    if (!directory) {
       throw new IntegrityError("Directory not found");
-      } else if (directories[0].version.getTime() !== dekVersion.getTime()) {
+    } else if (directory.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
       throw new IntegrityError("Invalid DEK version");
     }
 
-      await tx
+    await trx
-        .update(directory)
+      .updateTable("directory")
-        .set({ encName: { ciphertext: encName, iv: encNameIv } })
+      .set({ encrypted_name: encName })
-        .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)));
+      .where("id", "=", directoryId)
-      await tx.insert(directoryLog).values({
+      .where("user_id", "=", userId)
-        directoryId,
+      .execute();
+    await trx
+      .insertInto("directory_log")
+      .values({
+        directory_id: directoryId,
         timestamp: new Date(),
         action: "rename",
-        newName: { ciphertext: encName, iv: encNameIv },
+        new_name: encName,
+      })
+      .execute();
   });
-    },
-    { behavior: "exclusive" },
-  );
 };
 
 export const unregisterDirectory = async (userId: number, directoryId: number) => {
-  return await db.transaction(
+  return await db
-    async (tx) => {
+    .transaction()
+    .setIsolationLevel("repeatable read") // TODO: Sufficient?
+    .execute(async (trx) => {
       const unregisterFiles = async (parentId: number) => {
-        return await tx
+        return await trx
-          .delete(file)
+          .deleteFrom("file")
-          .where(and(eq(file.userId, userId), eq(file.parentId, parentId)))
+          .where("parent_id", "=", parentId)
-          .returning({ id: file.id, path: file.path });
+          .where("user_id", "=", userId)
+          .returning(["id", "path"])
+          .execute();
       };
       const unregisterDirectoryRecursively = async (
         directoryId: number,
       ): Promise<{ id: number; path: string }[]> => {
         const files = await unregisterFiles(directoryId);
-        const subDirectories = await tx
+        const subDirectories = await trx
-          .select({ id: directory.id })
+          .selectFrom("directory")
-          .from(directory)
+          .select("id")
-          .where(and(eq(directory.userId, userId), eq(directory.parentId, directoryId)));
+          .where("parent_id", "=", directoryId)
+          .where("user_id", "=", userId)
+          .execute();
         const subDirectoryFilePaths = await Promise.all(
           subDirectories.map(async ({ id }) => await unregisterDirectoryRecursively(id)),
         );
 
-        const deleteRes = await tx.delete(directory).where(eq(directory.id, directoryId));
+        const deleteRes = await trx
-        if (deleteRes.changes === 0) {
+          .deleteFrom("directory")
+          .where("id", "=", directoryId)
+          .where("user_id", "=", userId)
+          .executeTakeFirst();
+        if (deleteRes.numDeletedRows === 0n) {
           throw new IntegrityError("Directory not found");
         }
         return files.concat(...subDirectoryFilePaths);
       };
       return await unregisterDirectoryRecursively(directoryId);
-    },
+    });
-    { behavior: "exclusive" },
-  );
 };
 
-export const registerFile = async (params: NewFileParams) => {
+export const registerFile = async (params: NewFile) => {
-  if (
+  if ((params.hskVersion && !params.contentHmac) || (!params.hskVersion && params.contentHmac)) {
-    (params.hskVersion && !params.contentHmac) ||
-    (!params.hskVersion && params.contentHmac) ||
-    (params.encCreatedAt && !params.encCreatedAtIv) ||
-    (!params.encCreatedAt && params.encCreatedAtIv)
-  ) {
     throw new Error("Invalid arguments");
   }
 
-  await db.transaction(
+  await db.transaction().execute(async (trx) => {
-    async (tx) => {
+    const mek = await trx
-      const meks = await tx
+      .selectFrom("master_encryption_key")
-        .select({ version: mek.version })
+      .select("version")
-        .from(mek)
+      .where("user_id", "=", params.userId)
-        .where(and(eq(mek.userId, params.userId), eq(mek.state, "active")))
+      .where("state", "=", "active")
-        .limit(1);
+      .limit(1)
-      if (meks[0]?.version !== params.mekVersion) {
+      .forUpdate()
+      .executeTakeFirst();
+    if (mek?.version !== params.mekVersion) {
       throw new IntegrityError("Inactive MEK version");
     }
 
     if (params.hskVersion) {
-        const hsks = await tx
+      const hsk = await trx
-          .select({ version: hsk.version })
+        .selectFrom("hmac_secret_key")
-          .from(hsk)
+        .select("version")
-          .where(and(eq(hsk.userId, params.userId), eq(hsk.state, "active")))
+        .where("user_id", "=", params.userId)
-          .limit(1);
+        .where("state", "=", "active")
-        if (hsks[0]?.version !== params.hskVersion) {
+        .limit(1)
+        .forUpdate()
+        .executeTakeFirst();
+      if (hsk?.version !== params.hskVersion) {
         throw new IntegrityError("Inactive HSK version");
       }
     }
 
-      const newFiles = await tx
+    const { fileId } = await trx
-        .insert(file)
+      .insertInto("file")
       .values({
+        parent_id: params.parentId !== "root" ? params.parentId : null,
+        user_id: params.userId,
         path: params.path,
-          parentId: params.parentId === "root" ? null : params.parentId,
+        master_encryption_key_version: params.mekVersion,
-          userId: params.userId,
+        encrypted_data_encryption_key: params.encDek,
-          mekVersion: params.mekVersion,
+        data_encryption_key_version: params.dekVersion,
-          hskVersion: params.hskVersion,
+        hmac_secret_key_version: params.hskVersion,
-          encDek: params.encDek,
+        content_hmac: params.contentHmac,
-          dekVersion: params.dekVersion,
+        content_type: params.contentType,
-          contentHmac: params.contentHmac,
+        encrypted_content_iv: params.encContentIv,
-          contentType: params.contentType,
+        encrypted_content_hash: params.encContentHash,
-          encContentIv: params.encContentIv,
+        encrypted_name: params.encName,
-          encContentHash: params.encContentHash,
+        encrypted_created_at: params.encCreatedAt,
-          encName: { ciphertext: params.encName, iv: params.encNameIv },
+        encrypted_last_modified_at: params.encLastModifiedAt,
-          encCreatedAt:
-            params.encCreatedAt && params.encCreatedAtIv
-              ? { ciphertext: params.encCreatedAt, iv: params.encCreatedAtIv }
-              : null,
-          encLastModifiedAt: {
-            ciphertext: params.encLastModifiedAt,
-            iv: params.encLastModifiedAtIv,
-          },
       })
-        .returning({ id: file.id });
+      .returning("id as fileId")
-      const { id: fileId } = newFiles[0]!;
+      .executeTakeFirstOrThrow();
-      await tx.insert(fileLog).values({
+    await trx
-        fileId,
+      .insertInto("file_log")
+      .values({
+        file_id: fileId,
         timestamp: new Date(),
         action: "create",
-        newName: { ciphertext: params.encName, iv: params.encNameIv },
+        new_name: params.encName,
+      })
+      .execute();
   });
-    },
-    { behavior: "exclusive" },
-  );
 };
 
 export const getAllFilesByParent = async (userId: number, parentId: DirectoryId) => {
-  return await db
+  let query = db.selectFrom("file").selectAll().where("user_id", "=", userId);
-    .select()
+  query =
-    .from(file)
+    parentId === "root"
-    .where(
+      ? query.where("parent_id", "is", null)
-      and(
+      : query.where("parent_id", "=", parentId);
-        eq(file.userId, userId),
+  const files = await query.execute();
-        parentId === "root" ? isNull(file.parentId) : eq(file.parentId, parentId),
+  return files.map(
-      ),
+    (file) =>
+      ({
+        id: file.id,
+        parentId: file.parent_id ?? "root",
+        userId: file.user_id,
+        path: file.path,
+        mekVersion: file.master_encryption_key_version,
+        encDek: file.encrypted_data_encryption_key,
+        dekVersion: file.data_encryption_key_version,
+        hskVersion: file.hmac_secret_key_version,
+        contentHmac: file.content_hmac,
+        contentType: file.content_type,
+        encContentIv: file.encrypted_content_iv,
+        encContentHash: file.encrypted_content_hash,
+        encName: file.encrypted_name,
+        encCreatedAt: file.encrypted_created_at,
+        encLastModifiedAt: file.encrypted_last_modified_at,
+      }) satisfies File,
   );
 };
 
@@ -245,69 +294,93 @@ export const getAllFileIdsByContentHmac = async (
   hskVersion: number,
   contentHmac: string,
 ) => {
-  return await db
+  const files = await db
-    .select({ id: file.id })
+    .selectFrom("file")
-    .from(file)
+    .select("id")
-    .where(
+    .where("user_id", "=", userId)
-      and(
+    .where("hmac_secret_key_version", "=", hskVersion)
-        eq(file.userId, userId),
+    .where("content_hmac", "=", contentHmac)
-        eq(file.hskVersion, hskVersion),
+    .execute();
-        eq(file.contentHmac, contentHmac),
+  return files.map(({ id }) => ({ id }));
-      ),
-    );
 };
 
 export const getFile = async (userId: number, fileId: number) => {
-  const res = await db
+  const file = await db
-    .select()
+    .selectFrom("file")
-    .from(file)
+    .selectAll()
-    .where(and(eq(file.userId, userId), eq(file.id, fileId)))
+    .where("id", "=", fileId)
-    .limit(1);
+    .where("user_id", "=", userId)
-  return res[0] ?? null;
+    .limit(1)
+    .executeTakeFirst();
+  return file
+    ? ({
+        id: file.id,
+        parentId: file.parent_id ?? "root",
+        userId: file.user_id,
+        path: file.path,
+        mekVersion: file.master_encryption_key_version,
+        encDek: file.encrypted_data_encryption_key,
+        dekVersion: file.data_encryption_key_version,
+        hskVersion: file.hmac_secret_key_version,
+        contentHmac: file.content_hmac,
+        contentType: file.content_type,
+        encContentIv: file.encrypted_content_iv,
+        encContentHash: file.encrypted_content_hash,
+        encName: file.encrypted_name,
+        encCreatedAt: file.encrypted_created_at,
+        encLastModifiedAt: file.encrypted_last_modified_at,
+      } satisfies File)
+    : null;
 };
 
 export const setFileEncName = async (
   userId: number,
   fileId: number,
   dekVersion: Date,
-  encName: string,
+  encName: Ciphertext,
-  encNameIv: string,
 ) => {
-  await db.transaction(
+  await db.transaction().execute(async (trx) => {
-    async (tx) => {
+    const file = await trx
-      const files = await tx
+      .selectFrom("file")
-        .select({ version: file.dekVersion })
+      .select("data_encryption_key_version")
-        .from(file)
+      .where("id", "=", fileId)
-        .where(and(eq(file.userId, userId), eq(file.id, fileId)))
+      .where("user_id", "=", userId)
-        .limit(1);
+      .limit(1)
-      if (!files[0]) {
+      .forUpdate()
+      .executeTakeFirst();
+    if (!file) {
       throw new IntegrityError("File not found");
-      } else if (files[0].version.getTime() !== dekVersion.getTime()) {
+    } else if (file.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
       throw new IntegrityError("Invalid DEK version");
     }
 
-      await tx
+    await trx
-        .update(file)
+      .updateTable("file")
-        .set({ encName: { ciphertext: encName, iv: encNameIv } })
+      .set({ encrypted_name: encName })
-        .where(and(eq(file.userId, userId), eq(file.id, fileId)));
+      .where("id", "=", fileId)
-      await tx.insert(fileLog).values({
+      .where("user_id", "=", userId)
-        fileId,
+      .execute();
+    await trx
+      .insertInto("file_log")
+      .values({
+        file_id: fileId,
         timestamp: new Date(),
         action: "rename",
-        newName: { ciphertext: encName, iv: encNameIv },
+        new_name: encName,
+      })
+      .execute();
   });
-    },
-    { behavior: "exclusive" },
-  );
 };
 
 export const unregisterFile = async (userId: number, fileId: number) => {
-  const files = await db
+  const file = await db
-    .delete(file)
+    .deleteFrom("file")
-    .where(and(eq(file.userId, userId), eq(file.id, fileId)))
+    .where("id", "=", fileId)
-    .returning({ path: file.path });
+    .where("user_id", "=", userId)
-  if (!files[0]) {
+    .returning("path")
+    .executeTakeFirst();
+  if (!file) {
     throw new IntegrityError("File not found");
   }
-  return files[0].path;
+  return { path: file.path };
 };

src/lib/server/db/hsk.ts

@@ -1,8 +1,15 @@
-import { SqliteError } from "better-sqlite3";
+import { DatabaseError } from "pg";
-import { and, eq } from "drizzle-orm";
-import db from "./drizzle";
 import { IntegrityError } from "./error";
-import { hsk, hskLog } from "./schema";
+import db from "./kysely";
+import type { HskState } from "./schema";
+
+interface Hsk {
+  userId: number;
+  version: number;
+  state: HskState;
+  mekVersion: number;
+  encHsk: string;
+}
 
 export const registerInitialHsk = async (
   userId: number,
@@ -10,37 +17,52 @@ export const registerInitialHsk = async (
   mekVersion: number,
   encHsk: string,
 ) => {
-  await db.transaction(
+  await db.transaction().execute(async (trx) => {
-    async (tx) => {
     try {
-        await tx.insert(hsk).values({
+      await trx
-          userId,
+        .insertInto("hmac_secret_key")
+        .values({
+          user_id: userId,
           version: 1,
           state: "active",
-          mekVersion,
+          master_encryption_key_version: mekVersion,
-          encHsk,
+          encrypted_key: encHsk,
-        });
+        })
-        await tx.insert(hskLog).values({
+        .execute();
-          userId,
+      await trx
-          hskVersion: 1,
+        .insertInto("hmac_secret_key_log")
+        .values({
+          user_id: userId,
+          hmac_secret_key_version: 1,
           timestamp: new Date(),
           action: "create",
-          actionBy: createdBy,
+          action_by: createdBy,
-        });
+        })
+        .execute();
     } catch (e) {
-        if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_PRIMARYKEY") {
+      if (e instanceof DatabaseError && e.code === "23505") {
         throw new IntegrityError("HSK already registered");
       }
       throw e;
     }
-    },
+  });
-    { behavior: "exclusive" },
-  );
 };
 
 export const getAllValidHsks = async (userId: number) => {
-  return await db
+  const hsks = await db
-    .select()
+    .selectFrom("hmac_secret_key")
-    .from(hsk)
+    .selectAll()
-    .where(and(eq(hsk.userId, userId), eq(hsk.state, "active")));
+    .where("user_id", "=", userId)
+    .where("state", "=", "active")
+    .execute();
+  return hsks.map(
+    ({ user_id, version, state, master_encryption_key_version, encrypted_key }) =>
+      ({
+        userId: user_id,
+        version,
+        state: state as "active",
+        mekVersion: master_encryption_key_version,
+        encHsk: encrypted_key,
+      }) satisfies Hsk,
+  );
 };

src/lib/server/db/kysely.ts

@@ -1,10 +1,15 @@
 import { Kysely, PostgresDialect } from "kysely";
 import { Pool } from "pg";
+import env from "$lib/server/loadenv";
 import type { Database } from "./schema";
 
 const dialect = new PostgresDialect({
   pool: new Pool({
-    // TODO
+    host: env.database.host,
+    port: env.database.port,
+    user: env.database.user,
+    password: env.database.password,
+    database: env.database.name,
   }),
 });
 

src/lib/server/db/mek.ts

@@ -1,8 +1,19 @@
-import { SqliteError } from "better-sqlite3";
+import { DatabaseError } from "pg";
-import { and, or, eq } from "drizzle-orm";
-import db from "./drizzle";
 import { IntegrityError } from "./error";
-import { mek, mekLog, clientMek } from "./schema";
+import db from "./kysely";
+import type { MekState } from "./schema";
+
+interface Mek {
+  userId: number;
+  version: number;
+  state: MekState;
+}
+
+interface ClientMekWithDetails extends Mek {
+  clientId: number;
+  encMek: string;
+  encMekSig: string;
+}
 
 export const registerInitialMek = async (
   userId: number,
@@ -10,58 +21,80 @@ export const registerInitialMek = async (
   encMek: string,
   encMekSig: string,
 ) => {
-  await db.transaction(
+  await db.transaction().execute(async (trx) => {
-    async (tx) => {
     try {
-        await tx.insert(mek).values({
+      await trx
-          userId,
+        .insertInto("master_encryption_key")
+        .values({
+          user_id: userId,
           version: 1,
           state: "active",
-        });
+        })
-        await tx.insert(clientMek).values({
+        .execute();
-          userId,
+      await trx
-          clientId: createdBy,
+        .insertInto("client_master_encryption_key")
-          mekVersion: 1,
+        .values({
-          encMek,
+          user_id: userId,
-          encMekSig,
+          client_id: createdBy,
-        });
+          version: 1,
-        await tx.insert(mekLog).values({
+          encrypted_key: encMek,
-          userId,
+          encrypted_key_signature: encMekSig,
-          mekVersion: 1,
+        })
+        .execute();
+      await trx
+        .insertInto("master_encryption_key_log")
+        .values({
+          user_id: userId,
+          master_encryption_key_version: 1,
           timestamp: new Date(),
           action: "create",
-          actionBy: createdBy,
+          action_by: createdBy,
-        });
+        })
+        .execute();
     } catch (e) {
-        if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_PRIMARYKEY") {
+      if (e instanceof DatabaseError && e.code === "23505") {
         throw new IntegrityError("MEK already registered");
       }
       throw e;
     }
-    },
+  });
-    { behavior: "exclusive" },
-  );
 };
 
 export const getInitialMek = async (userId: number) => {
-  const meks = await db
+  const mek = await db
-    .select()
+    .selectFrom("master_encryption_key")
-    .from(mek)
+    .selectAll()
-    .where(and(eq(mek.userId, userId), eq(mek.version, 1)))
+    .where("user_id", "=", userId)
-    .limit(1);
+    .where("version", "=", 1)
-  return meks[0] ?? null;
+    .limit(1)
+    .executeTakeFirst();
+  return mek
+    ? ({ userId: mek.user_id, version: mek.version, state: mek.state } satisfies Mek)
+    : null;
 };
 
 export const getAllValidClientMeks = async (userId: number, clientId: number) => {
-  return await db
+  const clientMeks = await db
-    .select()
+    .selectFrom("client_master_encryption_key")
-    .from(clientMek)
+    .innerJoin("master_encryption_key", (join) =>
-    .innerJoin(mek, and(eq(clientMek.userId, mek.userId), eq(clientMek.mekVersion, mek.version)))
+      join
-    .where(
+        .onRef("client_master_encryption_key.user_id", "=", "master_encryption_key.user_id")
-      and(
+        .onRef("client_master_encryption_key.version", "=", "master_encryption_key.version"),
-        eq(clientMek.userId, userId),
+    )
-        eq(clientMek.clientId, clientId),
+    .selectAll()
-        or(eq(mek.state, "active"), eq(mek.state, "retired")),
+    .where("user_id", "=", userId)
-      ),
+    .where("client_id", "=", clientId)
+    .where((eb) => eb.or([eb("state", "=", "active"), eb("state", "=", "retired")]))
+    .execute();
+  return clientMeks.map(
+    ({ user_id, client_id, version, state, encrypted_key, encrypted_key_signature }) =>
+      ({
+        userId: user_id,
+        version,
+        state: state as "active" | "retired",
+        clientId: client_id,
+        encMek: encrypted_key,
+        encMekSig: encrypted_key_signature,
+      }) satisfies ClientMekWithDetails,
   );
 };

src/lib/server/db/schema/client.ts

@@ -67,10 +67,12 @@ interface ClientTable {
   signature_public_key: string; // Base64
 }
 
+export type UserClientState = "challenging" | "pending" | "active";
+
 interface UserClientTable {
   user_id: number;
   client_id: number;
-  state: "challenging" | "pending" | "active";
+  state: ColumnType<UserClientState, UserClientState | undefined>;
 }
 
 interface UserClientChallengeTable {

src/lib/server/db/schema/file.ts

@@ -1,5 +1,5 @@
 import { sqliteTable, text, integer, foreignKey } from "drizzle-orm/sqlite-core";
-import type { ColumnType, Generated, JSONColumnType } from "kysely";
+import type { ColumnType, Generated } from "kysely";
 import { hsk } from "./hsk";
 import { mek } from "./mek";
 import { user } from "./user";
@@ -88,10 +88,10 @@ export const fileLog = sqliteTable("file_log", {
   newName: ciphertext("new_name"),
 });
 
-type Ciphertext = JSONColumnType<{
+export type Ciphertext = {
   ciphertext: string; // Base64
   iv: string; // Base64
-}>;
+};
 
 interface DirectoryTable {
   id: Generated<number>;

src/lib/server/db/schema/hsk.ts

@@ -44,10 +44,12 @@ export const hskLog = sqliteTable(
   }),
 );
 
+export type HskState = "active";
+
 interface HskTable {
   user_id: number;
   version: number;
-  state: "active";
+  state: HskState;
   master_encryption_key_version: number;
   encrypted_key: string; // Base64
 }

src/lib/server/db/schema/index.ts

@@ -5,4 +5,5 @@ export * from "./mek";
 export * from "./session";
 export * from "./user";
 
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type
 export interface Database {}

src/lib/server/db/schema/mek.ts

@@ -60,10 +60,12 @@ export const clientMek = sqliteTable(
   }),
 );
 
+export type MekState = "active" | "retired" | "dead";
+
 interface MekTable {
   user_id: number;
   version: number;
-  state: "active" | "retired" | "dead";
+  state: MekState;
 }
 
 interface MekLogTable {

src/lib/server/db/session.ts

@@ -1,30 +1,31 @@
-import { SqliteError } from "better-sqlite3";
+import { DatabaseError } from "pg";
-import { and, eq, ne, gt, lte, isNull } from "drizzle-orm";
 import env from "$lib/server/loadenv";
-import db from "./drizzle";
 import { IntegrityError } from "./error";
-import { session, sessionUpgradeChallenge } from "./schema";
+import db from "./kysely";
 
 export const createSession = async (
   userId: number,
   clientId: number | null,
   sessionId: string,
   ip: string | null,
-  userAgent: string | null,
+  agent: string | null,
 ) => {
   try {
     const now = new Date();
-    await db.insert(session).values({
+    await db
+      .insertInto("session")
+      .values({
         id: sessionId,
-      userId,
+        user_id: userId,
-      clientId,
+        client_id: clientId,
-      createdAt: now,
+        created_at: now,
-      lastUsedAt: now,
+        last_used_at: now,
-      lastUsedByIp: ip || null,
+        last_used_by_ip: ip || null,
-      lastUsedByUserAgent: userAgent || null,
+        last_used_by_agent: agent || null,
-    });
+      })
+      .execute();
   } catch (e) {
-    if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_UNIQUE") {
+    if (e instanceof DatabaseError && e.code === "23505") {
       throw new IntegrityError("Session already exists");
     }
     throw e;
@@ -34,49 +35,55 @@ export const createSession = async (
 export const refreshSession = async (
   sessionId: string,
   ip: string | null,
-  userAgent: string | null,
+  agent: string | null,
 ) => {
   const now = new Date();
-  const sessions = await db
+  const session = await db
-    .update(session)
+    .updateTable("session")
     .set({
-      lastUsedAt: now,
+      last_used_at: now,
-      lastUsedByIp: ip || undefined,
+      last_used_by_ip: ip !== "" ? ip : undefined, // Don't update if empty
-      lastUsedByUserAgent: userAgent || undefined,
+      last_used_by_agent: agent !== "" ? agent : undefined, // Don't update if empty
     })
-    .where(
+    .where("id", "=", sessionId)
-      and(
+    .where("last_used_at", ">", new Date(now.getTime() - env.session.exp))
-        eq(session.id, sessionId),
+    .returning(["user_id", "client_id"])
-        gt(session.lastUsedAt, new Date(now.getTime() - env.session.exp)),
+    .executeTakeFirst();
-      ),
+  if (!session) {
-    )
-    .returning({ userId: session.userId, clientId: session.clientId });
-  if (!sessions[0]) {
     throw new IntegrityError("Session not found");
   }
-  return sessions[0];
+  return { userId: session.user_id, clientId: session.client_id };
 };
 
 export const upgradeSession = async (sessionId: string, clientId: number) => {
   const res = await db
-    .update(session)
+    .updateTable("session")
-    .set({ clientId })
+    .set({ client_id: clientId })
-    .where(and(eq(session.id, sessionId), isNull(session.clientId)));
+    .where("id", "=", sessionId)
-  if (res.changes === 0) {
+    .where("client_id", "is", null)
+    .executeTakeFirst();
+  if (res.numUpdatedRows === 0n) {
     throw new IntegrityError("Session not found");
   }
 };
 
 export const deleteSession = async (sessionId: string) => {
-  await db.delete(session).where(eq(session.id, sessionId));
+  await db.deleteFrom("session").where("id", "=", sessionId).execute();
 };
 
 export const deleteAllOtherSessions = async (userId: number, sessionId: string) => {
-  await db.delete(session).where(and(eq(session.userId, userId), ne(session.id, sessionId)));
+  await db
+    .deleteFrom("session")
+    .where("id", "!=", sessionId)
+    .where("user_id", "=", userId)
+    .execute();
 };
 
 export const cleanupExpiredSessions = async () => {
-  await db.delete(session).where(lte(session.lastUsedAt, new Date(Date.now() - env.session.exp)));
+  await db
+    .deleteFrom("session")
+    .where("last_used_at", "<=", new Date(Date.now() - env.session.exp))
+    .execute();
 };
 
 export const registerSessionUpgradeChallenge = async (
@@ -87,15 +94,18 @@ export const registerSessionUpgradeChallenge = async (
   expiresAt: Date,
 ) => {
   try {
-    await db.insert(sessionUpgradeChallenge).values({
+    await db
-      sessionId,
+      .insertInto("session_upgrade_challenge")
-      clientId,
+      .values({
+        session_id: sessionId,
+        client_id: clientId,
         answer,
-      allowedIp,
+        allowed_ip: allowedIp,
-      expiresAt,
+        expires_at: expiresAt,
-    });
+      })
+      .execute();
   } catch (e) {
-    if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_UNIQUE") {
+    if (e instanceof DatabaseError && e.code === "23505") {
       throw new IntegrityError("Challenge already registered");
     }
     throw e;
@@ -107,22 +117,17 @@ export const consumeSessionUpgradeChallenge = async (
   answer: string,
   ip: string,
 ) => {
-  const challenges = await db
+  const challenge = await db
-    .delete(sessionUpgradeChallenge)
+    .deleteFrom("session_upgrade_challenge")
-    .where(
+    .where("session_id", "=", sessionId)
-      and(
+    .where("answer", "=", answer)
-        eq(sessionUpgradeChallenge.sessionId, sessionId),
+    .where("allowed_ip", "=", ip)
-        eq(sessionUpgradeChallenge.answer, answer),
+    .where("expires_at", ">", new Date())
-        eq(sessionUpgradeChallenge.allowedIp, ip),
+    .returning("client_id")
-        gt(sessionUpgradeChallenge.expiresAt, new Date()),
+    .executeTakeFirst();
-      ),
+  return challenge ? { clientId: challenge.client_id } : null;
-    )
-    .returning({ clientId: sessionUpgradeChallenge.clientId });
-  return challenges[0] ?? null;
 };
 
 export const cleanupExpiredSessionUpgradeChallenges = async () => {
-  await db
+  await db.deleteFrom("session_upgrade_challenge").where("expires_at", "<=", new Date()).execute();
-    .delete(sessionUpgradeChallenge)
-    .where(lte(sessionUpgradeChallenge.expiresAt, new Date()));
 };

src/lib/server/db/user.ts

@@ -1,21 +1,36 @@
-import { eq } from "drizzle-orm";
+import db from "./kysely";
-import db from "./drizzle";
+
-import { user } from "./schema";
+interface User {
+  id: number;
+  email: string;
+  nickname: string;
+  password: string;
+}
 
 export const getUser = async (userId: number) => {
-  const users = await db.select().from(user).where(eq(user.id, userId)).limit(1);
+  const user = await db
-  return users[0] ?? null;
+    .selectFrom("user")
+    .selectAll()
+    .where("id", "=", userId)
+    .limit(1)
+    .executeTakeFirst();
+  return user ? (user satisfies User) : null;
 };
 
 export const getUserByEmail = async (email: string) => {
-  const users = await db.select().from(user).where(eq(user.email, email)).limit(1);
+  const user = await db
-  return users[0] ?? null;
+    .selectFrom("user")
-};
+    .selectAll()
-
+    .where("email", "=", email)
-export const setUserPassword = async (userId: number, password: string) => {
+    .limit(1)
-  await db.update(user).set({ password }).where(eq(user.id, userId));
+    .executeTakeFirst();
+  return user ? (user satisfies User) : null;
 };
 
 export const setUserNickname = async (userId: number, nickname: string) => {
-  await db.update(user).set({ nickname }).where(eq(user.id, userId));
+  await db.updateTable("user").set({ nickname }).where("id", "=", userId).execute();
+};
+
+export const setUserPassword = async (userId: number, password: string) => {
+  await db.updateTable("user").set({ password }).where("id", "=", userId).execute();
 };

src/lib/server/loadenv.ts

@@ -3,11 +3,18 @@ import { building } from "$app/environment";
 import { env } from "$env/dynamic/private";
 
 if (!building) {
+  if (!env.DATABASE_PASSWORD) throw new Error("DATABASE_PASSWORD not set");
   if (!env.SESSION_SECRET) throw new Error("SESSION_SECRET not set");
 }
 
 export default {
-  databaseUrl: env.DATABASE_URL || "local.db",
+  database: {
+    host: env.DATABASE_HOST || "localhost",
+    port: parseInt(env.DATABASE_PORT || "5432", 10),
+    user: env.DATABASE_USER,
+    password: env.DATABASE_PASSWORD!,
+    name: env.DATABASE_NAME,
+  },
   session: {
     secret: env.SESSION_SECRET!,
     exp: ms(env.SESSION_EXPIRES || "14d"),