Skip to content

feat: implement sql dump encryption #3510

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

feat: implement sql dump encryption #3510

wants to merge 11 commits into from

Conversation

@oripka
Copy link
Contributor

@oripka oripka commented Aug 19, 2025

Description

This PR introduces encrypted SQL dumps to Nuxt Content v3, allowing prerendered content dumps to be safely hosted on a CDN or static platform without exposing raw .sql data.

When enabled, dumps are AES-256-GCM encrypted at build time and decrypted in the browser only after the client requests a short-lived key from your app (post-authentication).

Key points

  • 🔒 New content.encryption option in nuxt.config.ts

    • enabled: true enables encrypted dumps and key endpoint
    • masterKey (optional) – base64(32 bytes); if omitted, one is generated at build time

  • ✨ Adds runtime API endpoints:

    • GET /__nuxt_content/:collection/sql_dump.enc → encrypted dump
    • GET /api/__nuxt_content/:collection/key → returns derived AES key (must be protected by your auth middleware)
    • Legacy sql_dump.txt routes remain available if encryption is disabled

  • 🧩 Middleware example added for access control of private collections

  • 📚 Documentation updated with new guides:

    • docs/content/docs/1.getting-started/3.configuration.md (content.encryption)
    • docs/content/docs/8.advanced/9.private.md (full guide on encrypted dumps)

  • 🛠 Internal changes:

    • New runtime/internal/encryption.ts utilities (HKDF, AES-GCM, envelope handling)
    • Client & server loaders updated to support decrypt-and-hydrate flow
    • Shared dumps preset (src/presets/shared-dumps.ts) ensures consistent handling across Node, Cloudflare, and NuxtHub

Type of change

  • 📖 Documentation
  • 🐞 Bug fix
  • 👌 Enhancement
  • ✨ New feature
  • ⚠️ Breaking change

Checklist

  • Added docs for new config (content.encryption)
  • Updated presets (node, cloudflare, nuxthub) to support encrypted dumps
  • Added runtime encryption/decryption logic
  • Ensured backwards compatibility with legacy .sql dumps

@vercel
Copy link

vercel bot commented Aug 19, 2025

@oripka is attempting to deploy a commit to the NuxtLabs Team on Vercel.

A member of the Team first needs to authorize it.

@oripka oripka changed the title feat: implement collection encryption feat: implement sql dump encryption Aug 19, 2025
@pkg-pr-new
Copy link

pkg-pr-new bot commented Aug 19, 2025
edited
Loading 

npm i https://pkg.pr.new/@nuxt/content@3510

commit: 4ccffc7

@oripka oripka force-pushed the feat-encrypted-sql-dumps branch 2 times, most recently from 48d54ae to 28d88dd Compare September 21, 2025 13:57
@oripka oripka force-pushed the feat-encrypted-sql-dumps branch from 28d88dd to 4ccffc7 Compare September 21, 2025 13:59
vercel[bot]
vercel bot reviewed Nov 18, 2025
View reviewed changes
vercel[bot]
vercel bot reviewed Nov 18, 2025
View reviewed changes
@oripka
fix: now imports subtle from uncrypto and uses it for AES-GCM import/…
b991d68 
…decrypt, matching the rest of the encryption code.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vercel vercel[bot] vercel[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@oripka