refactor: move encryption/decryption of pks responsibility to dao (#998)

Author: lautarodragan

src/Frost.ts

@@ -42,7 +42,7 @@ export async function Frost(localVars: any = {}) {
   const mongoClient = await MongoClient.connect(configuration.mongodbUrl)
   const dbConnection = await mongoClient.db()
   const accountCollection = dbConnection.collection('accounts')
-  const accountDao = AccountDao(accountCollection)
+  const accountDao = AccountDao(accountCollection, configuration.privateKeyEncryptionKey)
 
   const sendEmail = SendEmail({
     nodemailer: {
@@ -78,14 +78,10 @@ export async function Frost(localVars: any = {}) {
     configuration: {
       verifiedAccount: configuration.verifiedAccount,
       jwtSecret: configuration.jwt,
-      privateKeyEncryptionKey: configuration.privateKeyEncryptionKey,
     },
   })
 
   const workController = WorkController({
-    configuration: {
-      privateKeyEncryptionKey: configuration.privateKeyEncryptionKey,
-    },
     dependencies: {
       logger: logger.child({ file: 'WorkController' }),
       mainnetNode,

src/controllers/AccountController.ts

@@ -18,7 +18,6 @@ import {
   Unauthorized,
 } from '../errors/errors'
 import { PasswordHelper } from '../helpers/Password'
-import { encrypt } from '../helpers/crypto'
 import { tokenMatch } from '../helpers/token'
 import { uuid4 } from '../helpers/uuid'
 import { isJWTData, JWTData } from '../interfaces/JWTData'
@@ -76,7 +75,6 @@ interface Dependencies {
 interface Configuration {
   readonly verifiedAccount: boolean
   readonly jwtSecret: string
-  readonly privateKeyEncryptionKey: string
 }
 
 interface Arguments {
@@ -132,7 +130,6 @@ export const AccountController = ({
 
     const id = await getUnusedId()
     const { privateKey, publicKey } = generateED25519Base58Keys()
-    const encryptedPrivateKey = encrypt(privateKey, configuration.privateKeyEncryptionKey)
     const apiToken = await createJWT({ accountId: id, network: Network.TEST }, Token.TestApiKey)
     const encryptedToken = await Vault.encrypt(`TEST_${apiToken}`)
     const issuer = createIssuerFromPrivateKey(privateKey)
@@ -143,7 +140,7 @@ export const AccountController = ({
       email,
       emailPublic: false,
       password: hashedPassword,
-      privateKey: encryptedPrivateKey,
+      privateKey,
       publicKey,
       createdAt: Date.now().toString(), // .toString(): legacy reasons
       verified: configuration.verifiedAccount,

src/controllers/WorkController.ts

@@ -7,7 +7,6 @@ import * as Pino from 'pino'
 import { pipeP } from 'ramda'
 
 import { PoetNode, WorkSearchFilters } from '../daos/PoetNodeDao'
-import { decrypt } from '../helpers/crypto'
 import { Network } from '../interfaces/Network'
 
 export interface WorkController {
@@ -23,14 +22,9 @@ export interface WorkController {
 }
 
 interface Arguments {
-  readonly configuration: Configuration
   readonly dependencies: Dependencies
 }
 
-interface Configuration {
-  readonly privateKeyEncryptionKey: string
-}
-
 interface Dependencies {
   readonly logger: Pino.Logger
   readonly mainnetNode: PoetNode
@@ -45,9 +39,6 @@ export const WorkController = ({
     testnetNode,
     verifiableClaimSigner,
   },
-  configuration: {
-    privateKeyEncryptionKey,
-  },
 }: Arguments): WorkController => {
   const networkToNode = (network: Network) => network === Network.LIVE ? mainnetNode : testnetNode
 
@@ -61,7 +52,7 @@ export const WorkController = ({
     return node.searchWorks(filters)
   }
 
-  const create = async (claim: any, context: any, issuer: string, encryptedPrivateKey: string, network: Network) => {
+  const create = async (claim: any, context: any, issuer: string, privateKey: string, network: Network) => {
     const node = networkToNode(network)
 
     const legacyContext = {
@@ -75,8 +66,6 @@ export const WorkController = ({
       },
     }
 
-    const privateKey = decrypt(encryptedPrivateKey, privateKeyEncryptionKey)
-
     const createAndSignClaim = pipeP(
       configureCreateVerifiableClaim({ issuer, context: { ...legacyContext, ...context, ...aboutContext} }),
       verifiableClaimSigner.configureSignVerifiableClaim({ privateKey }),

src/daos/AccountDao.ts

@@ -1,5 +1,7 @@
 import { Collection, Binary } from 'mongodb'
+import { pipe } from 'ramda'
 
+import { encrypt, decrypt } from '../helpers/crypto'
 import { bytesToUuid, uuidToBytes } from '../helpers/uuid'
 import { Network } from '../interfaces/Network'
 import { Account } from '../models/Account'
@@ -12,31 +14,34 @@ export interface AccountDao {
   insertToken: (filter: Partial<Account>, network: Network, token: string) => Promise<void>
 }
 
-export const AccountDao = (collection: Collection): AccountDao => {
+export const AccountDao = (collection: Collection, encryptionKey: string): AccountDao => {
+  const modelToEncryptedDocument = pipe(encryptAccount(encryptionKey), modelToDocument)
+  const documentToDecryptedModel = pipe(documentToModel, decryptAccount(encryptionKey))
+
   const createIndices = async () => {
     await collection.createIndex({ email: 1 }, { unique: true })
     await collection.createIndex({ id: 1 }, { unique: false })
   }
 
   const insertOne = async (account: Account): Promise<void> => {
-    const document = modelToDocument(account)
+    const document = modelToEncryptedDocument(account)
     await collection.insertOne(document)
   }
 
   const findOne = async (filter: Partial<Account>): Promise<Account> => {
-    const document = modelToDocument(filter)
+    const document = modelToEncryptedDocument(filter)
     const account: AccountDocument = await collection.findOne(document)
-    return account && documentToModel(account) as Account
+    return account && documentToDecryptedModel(account) as Account
   }
 
   const updateOne = async (filter: Partial<Account>, updates: Partial<Account>): Promise<void> => {
-    const filterDocument = modelToDocument(filter)
-    const updatesDocument = modelToDocument(updates)
+    const filterDocument = modelToEncryptedDocument(filter)
+    const updatesDocument = modelToEncryptedDocument(updates)
     await collection.updateOne(filterDocument, { $set: updatesDocument })
   }
 
   const insertToken = async (filter: Partial<Account>, network: Network, token: string): Promise<void> => {
-    const filterDocument = modelToDocument(filter)
+    const filterDocument = modelToEncryptedDocument(filter)
     const array = network === Network.LIVE ? 'apiTokens' : 'testApiTokens'
     await collection.updateOne(filterDocument, { $push: { [array]: { token } }})
   }
@@ -81,6 +86,30 @@ const modelToDocument = (model: Partial<Account>): Partial<AccountDocument> => {
   return document
 }
 
+const encryptAccount = (encryptionKey: string) => (account: Partial<Account>): Partial<Account> => {
+  const encryptedAccount = {
+    ...account,
+    privateKey: account.privateKey && encrypt(account.privateKey, encryptionKey),
+  }
+
+  if (!account.privateKey)
+    delete encryptedAccount.privateKey
+
+  return encryptedAccount
+}
+
+const decryptAccount = (decryptionKey: string) => (account: Partial<Account>): Partial<Account> => {
+  const decryptedAccount = {
+    ...account,
+    privateKey: account.privateKey && decrypt(account.privateKey, decryptionKey),
+  }
+
+  if (!account.privateKey)
+    delete decryptedAccount.privateKey
+
+  return decryptedAccount
+}
+
 interface AccountDocument {
   readonly id?: Buffer | Binary
   readonly email: string