anything-llm/collector/middleware/setDataSigner.js

const { EncryptionWorker } = require("../utils/EncryptionWorker");
const { CommunicationKey } = require("../utils/comKey");

/** 
 * Express Response Object interface with defined encryptionWorker attached to locals property.
 * @typedef {import("express").Response & import("express").Response['locals'] & {encryptionWorker: EncryptionWorker} } ResponseWithSigner
*/

// You can use this middleware to assign the EncryptionWorker to the response locals
// property so that if can be used to encrypt/decrypt arbitrary data via response object.
// eg: Encrypting API keys in chunk sources.

// The way this functions is that the rolling RSA Communication Key is used server-side to private-key encrypt the raw
// key of the persistent EncryptionManager credentials. Since EncryptionManager credentials do _not_ roll, we should not send them
// even between server<>collector in plaintext because if the user configured the server/collector to be public they could technically
// be exposing the key in transit via the X-Payload-Signer header. Even if this risk is minimal we should not do this.

// This middleware uses the CommunicationKey public key to first decrypt the base64 representation of the EncryptionManager credentials
// and then loads that in to the EncryptionWorker as a buffer so we can use the same credentials across the system. Should we ever break the
// collector out into its own service this would still work without SSL/TLS.

/**
 * 
 * @param {import("express").Request} request 
 * @param {import("express").Response} response 
 * @param {import("express").NextFunction} next 
 */
function setDataSigner(request, response, next) {
  const comKey = new CommunicationKey();
  const encryptedPayloadSigner = request.header("X-Payload-Signer");
  if (!encryptedPayloadSigner) console.log('Failed to find signed-payload to set encryption worker! Encryption calls will fail.');

  const decryptedPayloadSignerKey = comKey.decrypt(encryptedPayloadSigner);
  const encryptionWorker = new EncryptionWorker(decryptedPayloadSignerKey);
  response.locals.encryptionWorker = encryptionWorker;
  next();
}

module.exports = {
  setDataSigner
}
[BETA] Live document sync (#1719) * wip bg workers for live document sync * Add ability to re-embed specific documents across many workspaces via background queue bgworkser is gated behind expieremental system setting flag that needs to be explictly enabled UI for watching/unwatching docments that are embedded. TODO: UI to easily manage all bg tasks and see run results TODO: UI to enable this feature and background endpoints to manage it * create frontend views and paths Move elements to correct experimental scope * update migration to delete runs on removal of watched document * Add watch support to YouTube transcripts (#1716) * Add watch support to YouTube transcripts refactor how sync is done for supported types * Watch specific files in Confluence space (#1718) Add failure-prune check for runs * create tmp workflow modifications for beta image * create tmp workflow modifications for beta image * create tmp workflow modifications for beta image * dual build update copy of alert modals * update job interval * Add support for live-sync of Github files * update copy for document sync feature * hide Experimental features from UI * update docs links * [FEAT] Implement new settings menu for experimental features (#1735) * implement new settings menu for experimental features * remove unused context save bar --------- Co-authored-by: timothycarambat <rambat1010@gmail.com> * dont run job on boot * unset workflow changes * Add persistent encryption service Relay key to collector so persistent encryption can be used Encrypt any private data in chunkSources used for replay during resync jobs * update jsDOC * Linting and organization * update modal copy for feature --------- Co-authored-by: Sean Hatfield <seanhatfield5@gmail.com> 2024-06-21 22:38:50 +02:00			`const { EncryptionWorker } = require("../utils/EncryptionWorker");`
			`const { CommunicationKey } = require("../utils/comKey");`

			`/**`
			`* Express Response Object interface with defined encryptionWorker attached to locals property.`
			`* @typedef {import("express").Response & import("express").Response['locals'] & {encryptionWorker: EncryptionWorker} } ResponseWithSigner`
			`*/`

			`// You can use this middleware to assign the EncryptionWorker to the response locals`
			`// property so that if can be used to encrypt/decrypt arbitrary data via response object.`
			`// eg: Encrypting API keys in chunk sources.`

			`// The way this functions is that the rolling RSA Communication Key is used server-side to private-key encrypt the raw`
			`// key of the persistent EncryptionManager credentials. Since EncryptionManager credentials do _not_ roll, we should not send them`
			`// even between server<>collector in plaintext because if the user configured the server/collector to be public they could technically`
			`// be exposing the key in transit via the X-Payload-Signer header. Even if this risk is minimal we should not do this.`

			`// This middleware uses the CommunicationKey public key to first decrypt the base64 representation of the EncryptionManager credentials`
			`// and then loads that in to the EncryptionWorker as a buffer so we can use the same credentials across the system. Should we ever break the`
			`// collector out into its own service this would still work without SSL/TLS.`

			`/**`
			`*`
			`* @param {import("express").Request} request`
			`* @param {import("express").Response} response`
			`* @param {import("express").NextFunction} next`
			`*/`
			`function setDataSigner(request, response, next) {`
			`const comKey = new CommunicationKey();`
			`const encryptedPayloadSigner = request.header("X-Payload-Signer");`
			`if (!encryptedPayloadSigner) console.log('Failed to find signed-payload to set encryption worker! Encryption calls will fail.');`

			`const decryptedPayloadSignerKey = comKey.decrypt(encryptedPayloadSigner);`
			`const encryptionWorker = new EncryptionWorker(decryptedPayloadSignerKey);`
			`response.locals.encryptionWorker = encryptionWorker;`
			`next();`
			`}`

			`module.exports = {`
			`setDataSigner`
			`}`