Merge pull request #183 from mattrltrent/reconcile_encryption

Refactor: Consolidates `masked` & `hash` fields
confesi · Mar 7, 2024 · 97ee1f0 · 97ee1f0
2 parents e9f0dfd + cdc9223
commit 97ee1f0
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 21 deletions.
diff --git a/db/models.go b/db/models.go
@@ -78,12 +78,21 @@ func (mu EncryptedID) MarshalJSON() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	hashed := encryption.Hash(mu.Val)
-	data := map[string]interface{}{
-		"masked": masked, // volatile, reversible
-		"hash":   hashed, // consistent, not reversible
+	return json.Marshal(masked)
+}
+
+func (mu *EncryptedID) UnmarshalJSON(data []byte) error {
+	var masked string
+	err := json.Unmarshal(data, &masked)
+	if err != nil {
+		return err
 	}
-	return json.Marshal(data)
+	unmasked, err := encryption.Unmask(masked)
+	if err != nil {
+		return err
+	}
+	mu.Val = unmasked
+	return nil
 }
 
 func (mu *EncryptedID) Scan(value interface{}) error {

diff --git a/lib/encryption/encryption.go b/lib/encryption/encryption.go
@@ -40,14 +40,6 @@ func encrypt(id uint32) string {
 	return encoding.EncodeToString(buf)
 }
 
-func Hash(id uint) string {
-	if id > math.MaxUint32 {
-		panic("id out of range")
-	}
-
-	return encrypt(uint32(id))
-}
-
 func Mask(id uint) (string, error) {
 	if id > math.MaxUint32 {
 		return "", fmt.Errorf("id out of range")
@@ -69,7 +61,7 @@ func Unmask(ciphertext string) (uint, error) {
 	block.Decrypt(buf, buf)
 
 	// 256 - 32 = 224 bits for authenticated encryption. This check doesn't need to be timing-safe.
-	for _, b := range(buf[4:]) {
+	for _, b := range buf[4:] {
 		if b != 0 {
 			return 0, fmt.Errorf("invalid ciphertext")
 		}

diff --git a/lib/encryption/encryption_test.go b/lib/encryption/encryption_test.go
@@ -10,19 +10,34 @@ import (
 //! Tests require `MASK_SECRET` env var to be set to pass
 
 func TestUniqueHash(t *testing.T) {
-	assert.Equal(t, Hash(1), Hash(1), "Hash should be deterministic")
-	assert.NotEqual(t, Hash(1), Hash(2), "Hash should be unique")
+
+	firstMask1, err := Mask(1)
+	if err != nil {
+		t.Errorf("Encryption error: %v", err)
+	}
+	secondMask1, err := Mask(1)
+	if err != nil {
+		t.Errorf("Encryption error: %v", err)
+	}
+
+	mask2, err := Mask(2)
+	if err != nil {
+		t.Errorf("Encryption error: %v", err)
+	}
+
+	assert.Equal(t, firstMask1, secondMask1, "Mask should be deterministic")
+	assert.NotEqual(t, firstMask1, mask2, "Mask should be unique")
 }
 
 func TestEncryptionAndDecryption(t *testing.T) {
 	tests := []struct {
 		id uint
 	}{
-		{0},                 // sub-test case 1
-		{123452121},         // sub-test case 2
-		{987654},            // sub-test case 3
-		{42},                // sub-test case 4
-		{123},               // sub-test case 5
+		{0},         // sub-test case 1
+		{123452121}, // sub-test case 2
+		{987654},    // sub-test case 3
+		{42},        // sub-test case 4
+		{123},       // sub-test case 5
 	}
 
 	for _, test := range tests {