Allow passing a known key to Vault encrypt/decrypt functions #1317
hexedpackets wants to merge 1 commit into main from
Conversation
Greptile Summary
This PR introduces performance optimizations to the Vault module by allowing applications to cache and reuse data keys for multiple encrypt/decrypt operations. The changes add optional parameters to the encrypt() and decrypt() methods that accept pre-computed keys (DataKeyPair and DataKey respectively), eliminating the need for repeated API calls when processing multiple operations with the same encryption context.
Key changes include:
- Making the `decode()` method public and async to support advanced use cases
- Adding an optional `keyPair` parameter to the `encrypt()` method
- Adding an optional `dataKey` parameter to the `decrypt()` method
- Allowing `decrypt()` to accept either a string or a pre-decoded `Decoded` object
- Maintaining full backward compatibility - existing code continues to work unchanged
This implementation follows the envelope encryption pattern commonly used in cryptographic libraries, where key management is separated from actual encryption/decryption operations. The optimization is particularly beneficial for batch processing scenarios or applications that need to encrypt/decrypt multiple values sharing the same encryption context, as it reduces API overhead and improves performance.
The changes integrate well with the existing Vault architecture and maintain the same error handling and security patterns already established in the codebase.
Confidence score: 4/5
- This PR appears safe to merge with well-structured optimizations that maintain backward compatibility
- Score reflects the addition of new optional parameters and method signature changes that could affect type checking, though the implementation looks solid
- The test file (`src/vault/vault.spec.ts`) should be reviewed more carefully to ensure comprehensive coverage of the new functionality
2 files reviewed, no comments
| const decoded = this.decode(encryptedData); | ||
| const dataKey = await this.decryptDataKey({ keys: decoded.keys }); | ||
| const decoded = | ||
| typeof encryptedData === 'string' |
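Review bot: the new `typeof encryptedData === 'string'` branch lets `decrypt()` take a caller-built object instead of a string, but that object path skips `decode()` entirely, so nothing checks that the value carries the `keys` field the following `this.decryptDataKey({ keys: decoded.keys })` call depends on; narrow the type or validate the shape before using it. The same care applies to a caller-supplied cached `dataKey`: compare it against the key identity recorded in the ciphertext's `keys` before decrypting, so a stale or wrong cached key fails with a clear error rather than an authentication failure or, with a non-authenticated mode, garbage output. Since `decode()` is also being made async in this PR, confirm the string branch awaits it; the truncated hunk does not show that.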
This feels strange to me, like two methods are being mixed here. Why not introduce localencrypt/localdecrypt methods that have distinct signatures from encrypt/decrypt?
Description
This lets an application cache a data key and use it for multiple operations without having to call the Vault API each time.
Documentation
Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.
If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
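The pattern the description and the summary above rely on, envelope encryption with a data key that is fetched once and reused for a batch, as an added example. This is not WorkOS SDK code: the remote Vault key service is replaced by an in-memory stand-in so the example runs offline, the methods are synchronous because that stand-in makes no network calls, and the type and method names (`DataKey`, `DataKeyPair`, `Decoded`, `decryptDataKey`, `decode`) follow the PR summary while their fields and the wire format are assumptions. It also shows the check a cached key needs before use: the key id must match the one the ciphertext was wrapped under.

```typescript
// Added example, not the SDK's code. Type shapes and the ciphertext format are assumptions.
import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';

export interface DataKey { id: string; key: Buffer }                      // plaintext data key
export interface DataKeyPair { dataKey: DataKey; encryptedKeys: string }  // plus its wrapped form
export interface Decoded { keys: string; keyId: string; iv: Buffer; tag: Buffer; ct: Buffer }

const b64 = (b: Buffer) => b.toString('base64');
const unb64 = (s: string) => Buffer.from(s, 'base64');

// Stand-in for the remote key service: wraps data keys under a master key that
// never leaves this class. Each call models one network round trip.
export class FakeVaultApi {
  private readonly masterKey = randomBytes(32);
  calls = 0;

  createDataKey(context: Record<string, string>): DataKeyPair {
    this.calls++;
    const id = randomBytes(8).toString('hex');
    const key = randomBytes(32);
    const iv = randomBytes(12);
    const c = createCipheriv('aes-256-gcm', this.masterKey, iv);
    c.setAAD(Buffer.from(id + JSON.stringify(context)));   // context is bound, not encrypted
    const ct = Buffer.concat([c.update(key), c.final()]);
    const blob = { id, context, iv: b64(iv), tag: b64(c.getAuthTag()), ct: b64(ct) };
    return { dataKey: { id, key }, encryptedKeys: b64(Buffer.from(JSON.stringify(blob))) };
  }

  decryptDataKey(encryptedKeys: string): DataKey {
    this.calls++;
    const blob = JSON.parse(unb64(encryptedKeys).toString('utf8'));
    const d = createDecipheriv('aes-256-gcm', this.masterKey, unb64(blob.iv));
    d.setAAD(Buffer.from(blob.id + JSON.stringify(blob.context)));
    d.setAuthTag(unb64(blob.tag));
    return { id: blob.id, key: Buffer.concat([d.update(unb64(blob.ct)), d.final()]) }; // throws if tampered
  }
}

export class Vault {
  constructor(private readonly api: FakeVaultApi) {}

  createDataKey(context: Record<string, string>): DataKeyPair { return this.api.createDataKey(context); }

  // Without keyPair every call costs a round trip for a fresh data key; with a
  // cached keyPair only the local AES-GCM work remains.
  encrypt(data: string, context: Record<string, string>, keyPair?: DataKeyPair): string {
    const pair = keyPair ?? this.api.createDataKey(context);
    const iv = randomBytes(12);
    const c = createCipheriv('aes-256-gcm', pair.dataKey.key, iv);
    c.setAAD(Buffer.from(pair.encryptedKeys));   // bind the ciphertext to the wrapped key it was made under
    const ct = Buffer.concat([c.update(data, 'utf8'), c.final()]);
    return [pair.encryptedKeys, b64(iv), b64(c.getAuthTag()), b64(ct)].join('.');
  }

  decode(encryptedData: string): Decoded {
    const parts = encryptedData.split('.');
    if (parts.length !== 4) throw new Error('malformed ciphertext');
    const [keys, iv, tag, ct] = parts;
    const keyId = JSON.parse(unb64(keys).toString('utf8')).id as string;
    return { keys, keyId, iv: unb64(iv), tag: unb64(tag), ct: unb64(ct) };
  }

  decrypt(encryptedData: string | Decoded, dataKey?: DataKey): string {
    const decoded = typeof encryptedData === 'string' ? this.decode(encryptedData) : encryptedData;
    let key: DataKey;
    if (dataKey) {
      // A cached key is only valid for ciphertext wrapped under the same key id.
      if (dataKey.id !== decoded.keyId) throw new Error(`data key ${dataKey.id} does not match ciphertext key ${decoded.keyId}`);
      key = dataKey;
    } else {
      key = this.api.decryptDataKey(decoded.keys);
    }
    const d = createDecipheriv('aes-256-gcm', key.key, decoded.iv);
    d.setAAD(Buffer.from(decoded.keys));
    d.setAuthTag(decoded.tag);
    return Buffer.concat([d.update(decoded.ct), d.final()]).toString('utf8');
  }
}

// A batch of records under one encryption context: 2N round trips without caching, 1 with it.
export function batchDemo(records: string[]): { cachedCalls: number; uncachedCalls: number; plaintexts: string[] } {
  const ctx = { tenant: 'acme' };                       // constructed sample context
  const plain = new FakeVaultApi(), cached = new FakeVaultApi();
  const v1 = new Vault(plain), v2 = new Vault(cached);
  records.map((r) => v1.encrypt(r, ctx)).forEach((c) => v1.decrypt(c));
  const pair = v2.createDataKey(ctx);                   // the one remote call
  const cts = records.map((r) => v2.encrypt(r, ctx, pair));
  const plaintexts = cts.map((c) => v2.decrypt(v2.decode(c), pair.dataKey));
  return { cachedCalls: cached.calls, uncachedCalls: plain.calls, plaintexts };
}

// Using a cached key from a different createDataKey() call must be rejected, not silently attempted.
export function mismatchDemo(): boolean {
  const vault = new Vault(new FakeVaultApi());
  const ct = vault.encrypt('secret', { tenant: 'acme' });
  const other = vault.createDataKey({ tenant: 'acme' });
  try { vault.decrypt(ct, other.dataKey); return false; } catch { return true; }
}
```

The key-id comparison in `decrypt()` is the part a caller-supplied key makes necessary: with AES-GCM a wrong key only fails authentication, but the explicit check turns that into a diagnosable error and would also protect a non-authenticated mode from returning garbage.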