DEK를 AES-256-KW를 이용해 암호화하는 것으로 변경

src/lib/server/db/file.ts

@@ -9,7 +9,6 @@ export interface NewDirectroyParams {
   parentId: DirectroyId;
   mekVersion: number;
   encDek: string;
-  encDekIv: string;
   encName: string;
   encNameIv: string;
 }
@@ -30,7 +29,7 @@ export const registerNewDirectory = async (params: NewDirectroyParams) => {
       parentId: params.parentId === "root" ? null : params.parentId,
       userId: params.userId,
       mekVersion: params.mekVersion,
-      encDek: { ciphertext: params.encDek, iv: params.encDekIv },
+      encDek: params.encDek,
       encryptedAt: now,
       encName: { ciphertext: params.encName, iv: params.encNameIv },
     });

src/lib/server/db/schema/file.ts

@@ -4,8 +4,8 @@ import { user } from "./user";
 
 const ciphertext = (name: string) =>
   text(name, { mode: "json" }).$type<{
-    ciphertext: string;
-    iv: string;
+    ciphertext: string; // Base64
+    iv: string; // Base64
   }>();
 
 export const directory = sqliteTable(
@@ -18,7 +18,7 @@ export const directory = sqliteTable(
       .notNull()
       .references(() => user.id),
     mekVersion: integer("master_encryption_key_version").notNull(),
-    encDek: ciphertext("encrypted_data_encryption_key").notNull().unique(),
+    encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
     encryptedAt: integer("encrypted_at", { mode: "timestamp_ms" }).notNull(),
     encName: ciphertext("encrypted_name").notNull(),
   },
@@ -45,7 +45,7 @@ export const file = sqliteTable(
       .notNull()
       .references(() => user.id),
     mekVersion: integer("master_encryption_key_version").notNull(),
-    encDek: ciphertext("encrypted_data_encryption_key").notNull().unique(),
+    encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
     encryptedAt: integer("encrypted_at", { mode: "timestamp_ms" }).notNull(),
     encName: ciphertext("encrypted_name").notNull(),
   },

src/lib/server/schemas/directory.ts

@@ -1,12 +1,11 @@
 import { z } from "zod";
 
-export const directroyEntriesResponse = z.object({
+export const directroyInfoResponse = z.object({
   metadata: z
     .object({
       createdAt: z.date(),
       mekVersion: z.number().int().positive(),
       dek: z.string().base64().nonempty(),
-      dekIv: z.string().base64().nonempty(),
       name: z.string().base64().nonempty(),
       nameIv: z.string().base64().nonempty(),
     })
@@ -14,13 +13,12 @@ export const directroyEntriesResponse = z.object({
   subDirectories: z.number().int().positive().array(),
   files: z.number().int().positive().array(),
 });
-export type DirectroyEntriesResponse = z.infer<typeof directroyEntriesResponse>;
+export type DirectroyInfoResponse = z.infer<typeof directroyInfoResponse>;
 
 export const directoryCreateRequest = z.object({
   parentId: z.union([z.enum(["root"]), z.number().int().positive()]),
   mekVersion: z.number().int().positive(),
   dek: z.string().base64().nonempty(),
-  dekIv: z.string().base64().nonempty(),
   name: z.string().base64().nonempty(),
   nameIv: z.string().base64().nonempty(),
 });

src/lib/server/services/client.ts

@@ -22,7 +22,7 @@ export const getUserClientList = async (userId: number) => {
   return {
     userClients: userClients.map(({ clientId, state }) => ({
       id: clientId,
-      state,
+      state: state as "pending" | "active",
     })),
   };
 };
@@ -83,7 +83,7 @@ export const getUserClientStatus = async (userId: number, clientId: number) => {
   }
 
   return {
-    state: userClient.state,
+    state: userClient.state as "pending" | "active",
     isInitialMekNeeded: await isInitialMekNeeded(userId),
   };
 };

src/lib/server/services/mek.ts

@@ -8,7 +8,7 @@ export const getClientMekList = async (userId: number, clientId: number) => {
   return {
     encMeks: clientMeks.map((clientMek) => ({
       version: clientMek.master_encryption_key.version,
-      state: clientMek.master_encryption_key.state,
+      state: clientMek.master_encryption_key.state as "active" | "retired",
       encMek: clientMek.client_master_encryption_key.encMek,
       encMekSig: clientMek.client_master_encryption_key.encMekSig,
     })),

src/routes/api/auth/upgradeToken/+server.ts

@@ -1,5 +1,9 @@
 import { error, json } from "@sveltejs/kit";
-import { tokenUpgradeRequest, tokenUpgradeResponse } from "$lib/server/schemas/auth";
+import {
+  tokenUpgradeRequest,
+  tokenUpgradeResponse,
+  type TokenUpgradeResponse,
+} from "$lib/server/schemas/auth";
 import { createTokenUpgradeChallenge } from "$lib/server/services/auth";
 import type { RequestHandler } from "./$types";
 
@@ -17,5 +21,5 @@ export const POST: RequestHandler = async ({ request, cookies, getClientAddress
     encPubKey,
     sigPubKey,
   );
-  return json(tokenUpgradeResponse.parse({ challenge }));
+  return json(tokenUpgradeResponse.parse({ challenge } satisfies TokenUpgradeResponse));
 };

src/routes/api/client/list/+server.ts

@@ -1,11 +1,11 @@
 import { json } from "@sveltejs/kit";
 import { authenticate } from "$lib/server/modules/auth";
-import { clientListResponse } from "$lib/server/schemas/client";
+import { clientListResponse, type ClientListResponse } from "$lib/server/schemas/client";
 import { getUserClientList } from "$lib/server/services/client";
 import type { RequestHandler } from "@sveltejs/kit";
 
 export const GET: RequestHandler = async ({ cookies }) => {
   const { userId } = authenticate(cookies);
   const { userClients } = await getUserClientList(userId);
-  return json(clientListResponse.parse({ clients: userClients }));
+  return json(clientListResponse.parse({ clients: userClients } satisfies ClientListResponse));
 };

src/routes/api/client/register/+server.ts

@@ -1,6 +1,10 @@
 import { error, json } from "@sveltejs/kit";
 import { authenticate } from "$lib/server/modules/auth";
-import { clientRegisterRequest, clientRegisterResponse } from "$lib/server/schemas/client";
+import {
+  clientRegisterRequest,
+  clientRegisterResponse,
+  type ClientRegisterResponse,
+} from "$lib/server/schemas/client";
 import { registerUserClient } from "$lib/server/services/client";
 import type { RequestHandler } from "./$types";
 
@@ -15,5 +19,5 @@ export const POST: RequestHandler = async ({ request, cookies, getClientAddress
   const { encPubKey, sigPubKey } = zodRes.data;
 
   const { challenge } = await registerUserClient(userId, getClientAddress(), encPubKey, sigPubKey);
-  return json(clientRegisterResponse.parse({ challenge }));
+  return json(clientRegisterResponse.parse({ challenge } satisfies ClientRegisterResponse));
 };

src/routes/api/client/status/+server.ts

@@ -1,6 +1,6 @@
 import { error, json } from "@sveltejs/kit";
 import { authenticate } from "$lib/server/modules/auth";
-import { clientStatusResponse } from "$lib/server/schemas/client";
+import { clientStatusResponse, type ClientStatusResponse } from "$lib/server/schemas/client";
 import { getUserClientStatus } from "$lib/server/services/client";
 import type { RequestHandler } from "@sveltejs/kit";
 
@@ -11,5 +11,11 @@ export const GET: RequestHandler = async ({ cookies }) => {
   }
 
   const { state, isInitialMekNeeded } = await getUserClientStatus(userId, clientId);
-  return json(clientStatusResponse.parse({ id: clientId, state, isInitialMekNeeded }));
+  return json(
+    clientStatusResponse.parse({
+      id: clientId,
+      state,
+      isInitialMekNeeded,
+    } satisfies ClientStatusResponse),
+  );
 };

src/routes/api/directory/[id]/+server.ts

@@ -1,7 +1,7 @@
 import { error, json } from "@sveltejs/kit";
 import { z } from "zod";
 import { authorize } from "$lib/server/modules/auth";
-import { directroyEntriesResponse } from "$lib/server/schemas/directory";
+import { directroyInfoResponse, type DirectroyInfoResponse } from "$lib/server/schemas/directory";
 import { getDirectroyInformation } from "$lib/server/services/file";
 import type { RequestHandler } from "./$types";
 
@@ -18,17 +18,16 @@ export const GET: RequestHandler = async ({ cookies, params }) => {
 
   const { metadata, directories, files } = await getDirectroyInformation(userId, id);
   return json(
-    directroyEntriesResponse.parse({
+    directroyInfoResponse.parse({
       metadata: metadata && {
         createdAt: metadata.createdAt,
         mekVersion: metadata.mekVersion,
-        dek: metadata.encDek.ciphertext,
-        dekIv: metadata.encDek.iv,
+        dek: metadata.encDek,
         name: metadata.encName.ciphertext,
         nameIv: metadata.encName.iv,
       },
       subDirectories: directories,
       files,
-    }),
+    } satisfies DirectroyInfoResponse),
   );
 };

src/routes/api/directory/create/+server.ts

@@ -7,7 +7,7 @@ import type { RequestHandler } from "./$types";
 
 export const POST: RequestHandler = async ({ request, cookies }) => {
   const { userId, clientId } = await authorize(cookies, "activeClient");
-  const { parentId, mekVersion, dek, dekIv, name, nameIv } = await parseSignedRequest(
+  const { parentId, mekVersion, dek, name, nameIv } = await parseSignedRequest(
     clientId,
     await request.json(),
     directoryCreateRequest,
@@ -18,7 +18,6 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
     parentId,
     mekVersion,
     encDek: dek,
-    encDekIv: dekIv,
     encName: name,
     encNameIv: nameIv,
   });

src/routes/api/mek/list/+server.ts

@@ -1,6 +1,6 @@
 import { json } from "@sveltejs/kit";
 import { authorize } from "$lib/server/modules/auth";
-import { masterKeyListResponse } from "$lib/server/schemas/mek";
+import { masterKeyListResponse, type MasterKeyListResponse } from "$lib/server/schemas/mek";
 import { getClientMekList } from "$lib/server/services/mek";
 import type { RequestHandler } from "./$types";
 
@@ -15,6 +15,6 @@ export const GET: RequestHandler = async ({ cookies }) => {
         mek: encMek,
         mekSig: encMekSig,
       })),
-    }),
+    } satisfies MasterKeyListResponse),
   );
 };