(encryptedValue: string, apiEncryptionKey: string)
| 44 | } |
| 45 | |
| 46 | function decryptApiKey(encryptedValue: string, apiEncryptionKey: string): string { |
| 47 | const parts = encryptedValue.split(':') |
| 48 | if (parts.length !== 3) { |
| 49 | return encryptedValue |
| 50 | } |
| 51 | |
| 52 | const key = Buffer.from(apiEncryptionKey, 'hex') |
| 53 | const [ivHex, encrypted, authTagHex] = parts |
| 54 | if (!ivHex || !encrypted || !authTagHex) { |
| 55 | throw new Error('Invalid encrypted api_key format. Expected "iv:encrypted:authTag"') |
| 56 | } |
| 57 | |
| 58 | const iv = Buffer.from(ivHex, 'hex') |
| 59 | const authTag = Buffer.from(authTagHex, 'hex') |
| 60 | |
| 61 | const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 }) |
| 62 | decipher.setAuthTag(authTag) |
| 63 | |
| 64 | let decrypted = decipher.update(encrypted, 'hex', 'utf8') |
| 65 | decrypted += decipher.final('utf8') |
| 66 | return decrypted |
| 67 | } |
| 68 | |
| 69 | /** |
| 70 | * Computes the hash to write to `key_hash` for a row during backfill. Pure: |
no outgoing calls
no test coverage detected