Secrets-API

Secrets-API provides a REST backend to store secret information in an encrypted form.

Demo and API Documentation:

Documented endpoints (and an interactive demo) are available in the Swagger UI

Note: After receiving a json web token (jwt) from login or signup, click the Authorize button (upper right corner) and enter Bearer [jwt] into the box (replace [jwt] with the actual json web token)

Brief Overview:

• Upon account creation, the server generates a random encryption key and envelope-encrypts the key with the user's password.
• Upon login, the server decrypts the envelope-encrypted encryption key with the user's password. It is then re-encrypted with a random password (stored in the database) and the server's secret. This server-decryptable form of the key is then passed in the JSON Web Token so it can be used for subsequent operations during the same session.
• Secrets can be created/read/updated/deleted using standard CRUD operations
• Upon logout, the random password is destroyed, so the server can no longer decrypt the user's encryption key (and thus user data is protected at rest).

Testing Considerations

• Primarily used Test Driven Development (TDD) to evaluate functionality
• 45 Test cases are spread out across the test directory to simulate the authentication flow and secret operations.
• It includes tests for scenarios that should result in both successful and erroneous responses.
• Would Beta-test with others, since test scripts don't cover all scenarios.

Getting Started

####Setup

• git clone https://github.com/ravirahman/Secrets-API.git
• cd Secrets-API
• npm install
• export SERVER_SECRET=********
• export MONGO_DB_URI=mongodb://username:password@hostname:port/db

####Build and Run Note that Secrets-API listens on the specified PORT below (using http.createServer(app).listen(PORT)). PROTOCOL, HOSTNAME, and LIVE_PORT are used for CORS and JWT Audience / Issuer, not for running the actual server.

• (Optionally EXPORT the following environmental variables -- default values provided below)
  • export PROTOCOL=http://
  • export HOSTNAME=localhost
  • export PORT=3000
  • export LIVE_PORT=PORT (Defaults to PORT)
• npm start
• Visit http://localhost:3000 for the Swagger-UI (or the protocol/hostname/port combination specified via environmental variables)

####Test Note that testing will use the database specified above in setup and will run all the test cases in the test directory

• npm test

Design Considerations

• Used envelope encryption to allow for password changes without having re-encrypting all secrets
• Decided against client-side encryption (and SRP authentication) to allow for client-agnostic use via REST
• Only encrypts content of secret so the title is searchable

Future Improvements

• Implement secret-specific encryption key and permission structure to allow for sharing of secrets between accounts
• Search in encrypted fields (so both title and content can be encrypted)

Core dependencies

• AES encryption is done via node-cryptojs-aes.
• Web server is powered by express
• MongoDB stores all data, and is interacted with via mongoose
• JSON web tokens for authentication, via jsonwebtoken and express-jwt
• Data validated by swagger-express-middleware via the Swagger specification
• Demo is powered by swagger-ui
• Test cases are executed by mocha and chai

A full list of dependencies is available in package.json

License

MIT