Module: utils/credentialEncryption

AES-256-GCM encryption for project credentials at rest.

Credentials (login username, password, CSS selectors) are encrypted before being persisted to the JSON database and decrypted when needed by the crawl/test pipeline.

The encryption key is derived from the CREDENTIAL_SECRET environment variable (or from JWT_SECRET as a fallback). In development, a deterministic key is derived from the project directory, which is acceptable for local use but NOT for production.

Exports

  • encryptCredentials — Encrypt a credentials object.
  • decryptCredentials — Decrypt a credentials object.

Methods

(static) decryptCredentials(creds) → {Object|null}

Decrypt sensitive fields in a credentials object for use by the pipeline. If the credentials are not encrypted (legacy data), returns them as-is.

Parameters:
Name    Type             Description
creds   Object | null    Stored credentials (possibly encrypted).

Returns:

Decrypted credentials object, or null.

Type
Object | null

(static) decryptString(value) → {string|null}

Decrypt a string produced by encryptString. Legacy plaintext values (no enc:v1: prefix) are returned unchanged so callers can transparently migrate a column from plaintext to encrypted storage.

Parameters:
Name    Type                         Description
value   string | null | undefined
Returns:
Type
string | null

(static) encryptCredentials(creds) → {Object|null}

Encrypt sensitive fields in a credentials object before storage. Non-sensitive fields (CSS selectors) are stored as-is.

Parameters:
Name    Type             Description
creds   Object | null    { usernameSelector, username, passwordSelector, password, submitSelector }

Returns:

Encrypted credentials object, or null.

Type
Object | null

(static) encryptString(plaintext) → {string|null}

Encrypt an arbitrary string with a version-prefixed format so callers can distinguish encrypted values from legacy plaintext on read.

Returns "enc:v1:<iv-hex>:<authTag-hex>:<ciphertext-hex>". The enc:v1: prefix is the format marker — decryptString returns the input unchanged when the prefix is absent, so callers can transparently migrate a column from plaintext to encrypted without a one-shot backfill (rows re-encrypt naturally on next write).

Parameters:
Name        Type                         Description
plaintext   string | null | undefined
Returns:

Encrypted string, or null when input is empty.

Type
string | null
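
The enc:v1: format and the legacy passthrough described above, as an added example using Node's built-in crypto module; this is not the module's own source. Assumptions: the key is passed in explicitly and derived as SHA-256 of the secret, the IV is 12 bytes, and tamper() and demo() are hypothetical helpers (the page documents none of these).

```javascript
// Added example, not the module's source. Key handling and IV size are assumptions.
const { createCipheriv, createDecipheriv, createHash, randomBytes } = require('crypto');

const PREFIX = 'enc:v1:';

// Assumption: 32-byte key = SHA-256 of the secret; the page does not document the real KDF.
function deriveKey(secret) {
  return createHash('sha256').update(secret, 'utf8').digest();
}

function encryptString(plaintext, key) {
  if (plaintext === null || plaintext === undefined || plaintext === '') return null;
  const iv = randomBytes(12); // fresh nonce per value; never reuse one under the same key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return PREFIX + [iv, tag, ct].map((b) => b.toString('hex')).join(':');
}

function decryptString(value, key) {
  if (value === null || value === undefined) return null;
  if (!value.startsWith(PREFIX)) return value; // legacy plaintext passes through unchanged
  const parts = value.slice(PREFIX.length).split(':');
  if (parts.length !== 3) throw new Error('malformed enc:v1 value');
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, 'hex'));
  if (tag.length !== 16) throw new Error('malformed enc:v1 value');
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify (modified data or wrong key)
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Hypothetical helper: flip one ciphertext bit to show decryption failing closed.
function tamper(stored) {
  const parts = stored.split(':'); // ['enc', 'v1', iv, tag, ciphertext]
  const ct = Buffer.from(parts[4], 'hex');
  ct[0] ^= 0x01;
  parts[4] = ct.toString('hex');
  return parts.join(':');
}

function demo() {
  const key = deriveKey('constructed-example-secret'); // constructed value
  const stored = encryptString('hunter2-example', key);
  let tamperRejected = false;
  try { decryptString(tamper(stored), key); } catch { tamperRejected = true; }
  return { stored, roundTrip: decryptString(stored, key),
           legacy: decryptString('old-plaintext', key), tamperRejected };
}
```

Because any value without the enc:v1: prefix is returned as-is, the prefix check is a migration aid and not an integrity check; only prefixed values are authenticated by the GCM tag.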