fix: unintented encryptions/decryptions with a lock context by calvinbrewer · Pull Request #58 · cipherstash/stack

calvinbrewer · 2025-01-23T02:43:20Z

Enforced lock context to be called as a proto function rather than an optional argument for crypto functions.

There was a bug that caused the lock context to be interpreted as undefined when the users intention was to use it causing the encryption/decryption to fail.

This is a breaking change for users who were using the lock context as an optional argument, hence the major version bump.

To use the lock context, call the withLockContext method on the encrypt, decrypt, and bulk encrypt/decrypt functions, passing the lock context as a parameter rather than as an optional argument.

Old:

const ciphertext = await eqlClient.encrypt('plaintext', {
  column: 'column_name',
  table: 'users',
  lockContext,
})

const plaintext = await eqlClient.decrypt(ciphertext)

New:

const ciphertext = await eqlClient.encrypt('plaintext', {
  column: 'column_name',
  table: 'users',
}).withLockContext(lockContext)

README.md

packages/jseql/src/ffi/index.ts

coderdan · 2025-01-23T04:03:03Z

I'd prefer if we could use a stronger type guarantee of the use of LockContext. I've created an example of what I mean here. The idea is that when you call with_lock_context, you are converting this into a new type that always applies a context and must have a token. This makes testing easier as well as providing a strong guarantee of correctness.

coderdan

I'd prefer to see this use the type state pattern like here: https://gist.github.com/coderdan/d6e620609b46b760471f5c9b65c2f47a

fix: unintented encryptions/decryptions with a lock context

5c08fe5