Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
mongoose-field-encryption
Advanced tools
A simple symmetric encryption plugin for individual fields. The goal of this plugin is to encrypt data but still allow searching over fields with string values. This plugin relies on the Node crypto
module. Encryption and decryption happen transparently during save and find.
As of the stable 1.0.0 release, this plugin works on individual fields of any type. However, note that for non-string fields, the original value is set to undefined after encryption. This is because if the schema has defined a field as an array, it would not be possible to replace it with a string value.
Also consider mongoose-encryption if you are looking to encrypt the entire document.
Encryption is performed using AES-256-CBC
. To encrypt, the relevant fields are encrypted with the provided secret + random salt. The generated salt and the resulting encrypted value is concatenated together using a :
character and the final string is put in place of the actual value for string
values. An extra boolean
field with the prefix __enc_
is added to the document which indicates if the provided field is encrypted or not.
Fields which are either objects or of a different type are converted to strings using JSON.stringify
and the value stored in an extra marker field of type string
with a naming scheme of __enc_
as prefix and _d
as suffix on the original field name. The original field is then set to undefined
. Please note that this might break any custom validation and application of this plugin on non-string fields needs to be done with care.
>=4.4.7
>=2.6.10
>=4.0.0
npm install mongoose-field-encryption
bcrypt
is one great option. You can also encrypt the password afer hashing it although it is not necessary.For example, given a schema as follows:
const mongoose = require("mongoose");
const mongooseFieldEncryption = require("mongoose-field-encryption").fieldEncryption;
const Schema = mongoose.Schema;
const Post = new Schema({
title: String,
message: String,
references: {
author: String,
date: Date
}
});
Post.plugin(mongooseFieldEncyption, { fields: ["message", "references"], secret: "some secret key" });
The resulting documents will have the following format:
{
_id: ObjectId,
title: String,
message: String, // encrypted salt and hex value as string, e.g. 9d6a0ca4ac2c80fc84df0a06de36b548:cee57185fed78c055ed31ca6a8be9bf20d303283200a280d0f4fc8a92902e0c1
__enc_message: true, // boolean marking if the field is encrypted or not
references: undefined, // encrypted object set to undefined
__enc_references: true, // boolean marking if the field is encrypted or not
__enc_references_d: String // encrypted salt and hex object value as string, e.g. 6df2171f25fd1d32adc4a4059f867a82:5909152856cf9cdb7dc32c6af321c8fe69390c359c6b19d967eaa6e7a0a97216
}
find
works transparently and you can make new documents as normal, but you should not use the lean
option on a find if you want the fields of the document to be decrypted. findOne
, findById
and save
also all work as normal. update
works only for string fields and you would also need to manually set the __enc_
field value to false if you're updating an encrypted field.
From the mongoose package documentation: Note that findAndUpdate/Remove do not execute any hooks or validation before making the change in the database. If you need hooks and validation, first query for the document and then save it.
Note that as of 1.2.0
release, support for findOneAndUpdate
has also been added. Note that you would need to specifically set the encryption field marker for it to be encrypted. For example:
Post.findOneAndUpdate({ _id: postId }, { $set: { message: "snoop", __enc_message: false } });
The above also works for non-string fields. See changelog for more details.
Also note that if you manually set the value __enc_
prefix field to true then the encryption is not run on the corresponding field and this may result in the plain value being stored in the db.
fields
(required): an array list of the required fieldssecret
(required): a string cipher which is used to encrypt the data (don't lose this!)useAes256Ctr
(optional, default false
): a boolean indicating whether the older aes-256-ctr
algorithm should be used. Note that this is strictly a backwards compatibility feature and for new installations it is recommended to leave this at default.For performance reasons, once the document has been encrypted, it remains so. The following methods are thus added to the schema:
encryptFieldsSync()
: synchronous call that encrypts all fields as given by the plugin optionsdecryptFieldsSync()
: synchronous call that decrypts encrypted fields as given by the plugin optionsstripEncryptionFieldMarkers()
: synchronous call that removes the encryption field markers (useful for returning documents without letting the user know that something was encrypted)Multiple calls to the above methods have no effect, i.e. once a field is encrypted and the __enc_
marker field value is set to true then the ecrypt operation is ignored. Same for the decrypt operation. Of course if the field markers have been removed via the stripEncryptionFieldMarkers()
call, then the encryption will be executed if invoked.
To enable searching over the encrypted fields the encrypt
and decrypt
methods have also been exposed.
const fieldEncryption = require('mongoose-field-encryption')
const encrypted = fieldEncryption.encrypt('some text', 'secret'));
const decrypted = fieldEncryption.decrypt(encrypted, 'secret')); // decrypted = 'some text'
npm install
and install mongo if you don't have it yet.mongod
.npm test
. Additionally you can pass your own mongodb uri as an environment variable if you would like to test against your own database, for e.g. URI='mongodb://username:password@127.0.0.1:27017/mongoose-field-encryption-test' npm test
release-it patch,minor,major
npm version patch,minor,major
npm publish
find()
, #23.Use cipheriv
instead of plain cipher
, #17.
Note that this might break any fixed search capability as the encrypted values are now based on a random salt.
Also note that while this version maintains backward compatibility, i.e. decryption will automatically fall back to using the aes-256-ctr
algorithm, any further updates will lead to the value being encrypted with the salt. In order to fully maintain backwards compatibilty, an new option useAes256Ctr
has been introduced (default false
), which can be set to true
to continue using the plugin as before. It is highly recommended to start using the newer algorithm however, see issue for more details.
findOneAndUpdate
https://github.com/wheresvic/mongoose-field-encryption/pull/20peerDependencies
.FAQs
A simple symmetric encryption plugin for individual fields. Dependency free, only mongoose peer dependency.
The npm package mongoose-field-encryption receives a total of 4,351 weekly downloads. As such, mongoose-field-encryption popularity was classified as popular.
We found that mongoose-field-encryption demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.