data-fair · albanm · May 12, 2025 · May 12, 2025
diff --git a/api/src/routers/processings.ts b/api/src/routers/processings.ts
@@ -15,14 +15,14 @@ import { reqOrigin, session } from '@data-fair/lib-express/index.js'
 import { httpError } from '@data-fair/lib-utils/http-errors.js'
 import { createNext } from '@data-fair/processings-shared/runs.ts'
 import { applyProcessing, deleteProcessing } from '../utils/runs.ts'
+import { cipher, decipher } from '@data-fair/processings-shared/cipher.ts'
 import mongo from '#mongo'
 import config from '#config'
 import locks from '#locks'
 import { resolvedSchema as processingSchema } from '#types/processing/index.ts'
 import getApiDoc from '../utils/api-docs.ts'
 import findUtils from '../utils/find.ts'
 import permissions from '../utils/permissions.ts'
-import { cipher } from '../utils/cipher.ts'
 
 const router = Router()
 export default router
@@ -52,12 +52,21 @@ const validateFullProcessing = async (processing: Processing) => {
   // Get the plugin file and execute the prepare function if it exists
   const plugin = await import(path.resolve(process.cwd(), pluginsDir, processing.plugin, 'index.js'))
   if (plugin.prepare && typeof plugin.prepare === 'function') {
-    const res = await (plugin.prepare as PrepareFunction)({ processingConfig: processing.config })
+    // Decipher the actuals secrets if they are present
+    const secrets: Record<string, string> = {}
+    if (processing.secrets) {
+      Object.keys(processing.secrets).forEach(key => {
+        secrets[key] = decipher(processing.secrets![key], config.cipherPassword)
+      })
+    }
+
+    // Call the prepare function
+    const res = await (plugin.prepare as PrepareFunction)({ processingConfig: processing.config, secrets })
     if (res.processingConfig) processing.config = res.processingConfig
     if (res.secrets) {
       processing.secrets = {}
       Object.keys(res.secrets).forEach(key => {
-        processing.secrets![key] = cipher(res.secrets![key])
+        processing.secrets![key] = cipher(res.secrets![key], config.cipherPassword)
       })
     }
   }

diff --git a/api/src/utils/cipher.ts b/api/src/utils/cipher.ts
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -41,7 +41,7 @@
     "@data-fair/lib-types-builder": "^1.7.0"
   },
   "devDependencies": {
-    "@data-fair/lib-common-types": "^1.10.0",
+    "@data-fair/lib-common-types": "^1.10.1",
     "@commitlint/cli": "^19.7.1",
     "@commitlint/config-conventional": "^19.7.1",
     "@data-fair/lib-node": "^2.4.0",

diff --git a/shared/cipher.ts b/shared/cipher.ts
@@ -0,0 +1,32 @@
+import type { CipheredContent } from '#api/type/processing/index.js'
+import { createHash, createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'
+
+const getSecurityKey = (password: string): Buffer => {
+  return createHash('sha256').update(password).digest()
+}
+
+export const cipher = (content: CipheredContent | string, cipherPassword: string): CipheredContent => {
+  const securityKey = getSecurityKey(cipherPassword)
+  if (typeof content !== 'string') return content
+
+  const initVector = randomBytes(16)
+  const algo = 'aes256'
+  const cipher = createCipheriv(algo, securityKey, initVector)
+  let encryptedData = cipher.update(content, 'utf-8', 'hex')
+  encryptedData += cipher.final('hex')
+  return {
+    iv: initVector.toString('hex'),
+    alg: algo,
+    data: encryptedData
+  }
+}
+
+export const decipher = (cipheredContent: CipheredContent | string, cipherPassword: string): string => {
+  const securityKey = getSecurityKey(cipherPassword)
+
+  if (typeof cipheredContent === 'string') return cipheredContent
+  const decipher = createDecipheriv(cipheredContent.alg, securityKey, Buffer.from(cipheredContent.iv, 'hex'))
+  let content = decipher.update(cipheredContent.data, 'hex', 'utf-8')
+  content += decipher.final('utf8')
+  return content
+}
diff --git a/tsconfig.json b/tsconfig.json
@@ -11,6 +11,7 @@
     "skipLibCheck": true,
     "paths": {
       "#api/types": ["./api/types/index.ts"],
+      "#api/type/*": ["./api/types/*"]
     }
   },
   "exclude": ["node_modules", ".type", "ui", "dev", "data", "test-it"]

diff --git a/worker/src/task/task.ts b/worker/src/task/task.ts
@@ -13,8 +13,8 @@ import tmp from 'tmp-promise'
 import { DataFairWsClient } from '@data-fair/lib-node/ws-client.js'
 import { httpAgent, httpsAgent } from '@data-fair/lib-node/http-agents.js'
 import * as wsEmitter from '@data-fair/lib-node/ws-emitter.js'
+import { decipher } from '@data-fair/processings-shared/cipher.ts'
 import { running } from '../utils/runs.ts'
-import { decipher } from '../utils/cipher.ts'
 import config from '#config'
 
 fs.ensureDirSync(config.dataDir)
@@ -188,7 +188,7 @@ export const run = async (db: Db, mailTransport: any) => {
   const secrets: Record<string, string> = {}
   if (processing.secrets) {
     Object.keys(processing.secrets).forEach(key => {
-      secrets[key] = decipher(processing.secrets![key])
+      secrets[key] = decipher(processing.secrets![key], config.cipherPassword)
     })
   }
 

diff --git a/worker/src/utils/cipher.ts b/worker/src/utils/cipher.ts