feat: encrypt emails at rest for demo login (#5759)

## About the changes This allows us to encrypt emails at signup for demo users to further secure our demo instance. Currently, emails are anonymized before displaying events performed by demo users. But this means that emails are stored at rest in our DB. By encrypting the emails at login, we're adding another layer of protection. This can be enabled with a flag and requires the encryption key and the initialization vector (IV for short) to be present as environment variables.
2025-06-04 01:18:20 +02:00 · 2024-01-05 14:21:20 +01:00 · 2024-01-05 14:21:20 +01:00 · 1724219487
commit 1724219487
parent 27f70cd062
4 changed files with 34 additions and 3 deletions
--- a/src/lib/snapshots/create-config.test.ts.snap
+++ b/src/lib/snapshots/create-config.test.ts.snap
@ -85,6 +85,7 @@ exports[`should create default config 1`] = `
      "embedProxy": true,
      "embedProxyFrontend": true,
      "enableLicense": false,
+      "encryptEmails": false,
      "featureSearchAPI": false,
      "featureSearchFeedback": false,
      "featureSearchFeedbackPosting": false,
--- a/src/lib/middleware/demo-authentication.ts
+++ b/src/lib/middleware/demo-authentication.ts
@ -6,15 +6,22 @@ import ApiUser from '../types/api-user';
 import { ApiTokenType } from '../types/models/api-token';
 import { IAuthRequest } from 'lib/server-impl';
 import { IApiRequest } from 'lib/routes/unleash-types';
+import { encrypt } from '../util';

 function demoAuthentication(
    app: Application,
    basePath: string,
    { userService }: Pick<IUnleashServices, 'userService'>,
-    { authentication }: Pick<IUnleashConfig, 'authentication'>,
+    {
+        authentication,
+        flagResolver,
+    }: Pick<IUnleashConfig, 'authentication' | 'flagResolver'>,
 ): void {
    app.post(`${basePath}/auth/demo/login`, async (req: IAuthRequest, res) => {
-        const { email } = req.body;
+        let { email } = req.body;
+        email = flagResolver.isEnabled('encryptEmails', { email })
+            ? encrypt(email)
+            : email;
        try {
            const user = await userService.loginUserWithoutPassword(
                email,
--- a/src/lib/types/experimental.ts
+++ b/src/lib/types/experimental.ts
@ -5,6 +5,7 @@ import { getDefaultVariant } from 'unleash-client/lib/variant';
 export type IFlagKey =
    | 'accessLogs'
    | 'anonymiseEventLog'
+    | 'encryptEmails'
    | 'enableLicense'
    | 'embedProxy'
    | 'embedProxyFrontend'
@ -169,6 +170,10 @@ const flags: IFlags = {
        process.env.UNLEASH_EXPERIMENTAL_NEW_STRATEGY_CONFIGURATION_FEEDBACK,
        false,
    ),
+    encryptEmails: parseEnvVarBoolean(
+        process.env.UNLEASH_EXPERIMENTAL_ENCRYPT_EMAILS,
+        false,
+    ),
    edgeBulkMetricsKillSwitch: parseEnvVarBoolean(
        process.env.UNLEASH_EXPERIMENTAL_EDGE_BULK_METRICS_KILL_SWITCH,
        false,
--- a/src/lib/util/anonymise.ts
+++ b/src/lib/util/anonymise.ts
@ -1,4 +1,22 @@
-import { createHash } from 'crypto';
+import { createCipheriv, createHash } from 'crypto';
+
+export function encrypt(s?: string): string {
+    const key = process.env.UNLEASH_ENCRYPTION_KEY;
+    const iv = process.env.UNLEASH_ENCRYPTION_IV;
+    if (!s || !key || !iv) {
+        return s ?? '';
+    }
+
+    const algorithm = 'aes-256-cbc';
+
+    const cipher = createCipheriv(
+        algorithm,
+        Buffer.from(key, 'hex'),
+        Buffer.from(iv, 'hex'),
+    );
+    const encrypted = cipher.update(s, 'utf8', 'hex') + cipher.final('hex');
+    return `${encrypted}@unleash.run`;
+}

 export function anonymise(s?: string): string {
    if (!s) {