Encrypt payload to the node-server and add header "X-ENCRYPTED"

Author: dragonpoo

server/api-service/lowcoder-domain/src/main/java/org/lowcoder/domain/encryption/EncryptionService.java

@@ -4,6 +4,8 @@ public interface EncryptionService {
 
     String encryptString(String plaintext);
 
+    String encryptStringForNodeServer(String plaintext);
+
     String decryptString(String encryptedText);
 
     String encryptPassword(String plaintext);

server/api-service/lowcoder-domain/src/main/java/org/lowcoder/domain/encryption/EncryptionServiceImpl.java

@@ -5,6 +5,7 @@
 import org.lowcoder.sdk.config.CommonConfig;
 import org.lowcoder.sdk.config.CommonConfig.Encrypt;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.encrypt.Encryptors;
 import org.springframework.security.crypto.encrypt.TextEncryptor;
@@ -14,13 +15,20 @@
 public class EncryptionServiceImpl implements EncryptionService {
 
     private final TextEncryptor textEncryptor;
+    private final TextEncryptor textEncryptorForNodeServer;
     private final BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
 
     @Autowired
-    public EncryptionServiceImpl(CommonConfig commonConfig) {
+    public EncryptionServiceImpl(
+        CommonConfig commonConfig,
+        @Value("${lowcoder.node-server.password}") String password,
+        @Value("${lowcoder.node-server.salt}") String salt
+    ) {
         Encrypt encrypt = commonConfig.getEncrypt();
         String saltInHex = Hex.encodeHexString(encrypt.getSalt().getBytes());
         this.textEncryptor = Encryptors.text(encrypt.getPassword(), saltInHex);
+        String saltInHexForNodeServer = Hex.encodeHexString(salt.getBytes());
+        this.textEncryptorForNodeServer = Encryptors.text(password, saltInHexForNodeServer);
     }
 
     @Override
@@ -30,6 +38,13 @@ public String encryptString(String plaintext) {
         }
         return textEncryptor.encrypt(plaintext);
     }
+    @Override
+    public String encryptStringForNodeServer(String plaintext) {
+        if (StringUtils.isEmpty(plaintext)) {
+            return plaintext;
+        }
+        return textEncryptorForNodeServer.encrypt(plaintext);
+    }
 
     @Override
     public String decryptString(String encryptedText) {

server/api-service/lowcoder-domain/src/main/java/org/lowcoder/domain/plugin/client/DatasourcePluginClient.java

@@ -5,6 +5,7 @@
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.collections4.MapUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.lowcoder.domain.encryption.EncryptionService;
 import org.lowcoder.domain.plugin.client.dto.DatasourcePluginDefinition;
 import org.lowcoder.domain.plugin.client.dto.GetPluginDynamicConfigRequestDTO;
 import org.lowcoder.infra.js.NodeServerClient;
@@ -30,6 +31,8 @@
 
 import static org.lowcoder.sdk.constants.GlobalContext.REQUEST;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+
 @Slf4j
 @RequiredArgsConstructor
 @Component
@@ -46,12 +49,15 @@ public class DatasourcePluginClient implements NodeServerClient {
 
     private final CommonConfigHelper commonConfigHelper;
     private final NodeServerHelper nodeServerHelper;
+    private final EncryptionService encryptionService;
 
     private static final String PLUGINS_PATH = "plugins";
     private static final String RUN_PLUGIN_QUERY = "runPluginQuery";
     private static final String VALIDATE_PLUGIN_DATA_SOURCE_CONFIG = "validatePluginDataSourceConfig";
     private static final String GET_PLUGIN_DYNAMIC_CONFIG = "getPluginDynamicConfig";
 
+    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+
     public Mono<List<Object>> getPluginDynamicConfigSafely(List<GetPluginDynamicConfigRequestDTO> getPluginDynamicConfigRequestDTOS) {
         return getPluginDynamicConfig(getPluginDynamicConfigRequestDTOS)
                 .onErrorResume(throwable -> {
@@ -119,21 +125,37 @@ public Flux<DatasourcePluginDefinition> getDatasourcePluginDefinitions() {
     @SuppressWarnings("unchecked")
     public Mono<QueryExecutionResult> executeQuery(String pluginName, Object queryDsl, List<Map<String, Object>> context, Object datasourceConfig) {
         return getAcceptLanguage()
-                .flatMap(language -> WEB_CLIENT
-                        .post()
-                        .uri(nodeServerHelper.createUri(RUN_PLUGIN_QUERY))
-                        .header(HttpHeaders.ACCEPT_LANGUAGE, language)
-                        .bodyValue(Map.of("pluginName", pluginName, "dsl", queryDsl, "context", context, "dataSourceConfig", datasourceConfig))
-                        .exchangeToMono(response -> {
-                            if (response.statusCode().is2xxSuccessful()) {
-                                return response.bodyToMono(Map.class)
-                                        .map(map -> map.get("result"))
-                                        .map(QueryExecutionResult::success);
-                            }
-                            return response.bodyToMono(Map.class)
-                                    .map(map -> MapUtils.getString(map, "message"))
-                                    .map(QueryExecutionResult::errorWithMessage);
-                        }));
+                .flatMap(language -> {
+                    try {
+                        Map<String, Object> body = Map.of(
+                                "pluginName", pluginName,
+                                "dsl", queryDsl,
+                                "context", context,
+                                "dataSourceConfig", datasourceConfig
+                        );
+                        String json = OBJECT_MAPPER.writeValueAsString(body);
+                        String encrypted = encryptionService.encryptStringForNodeServer(json);
+                        return WEB_CLIENT
+                                .post()
+                                .uri(nodeServerHelper.createUri(RUN_PLUGIN_QUERY))
+                                .header(HttpHeaders.ACCEPT_LANGUAGE, language)
+                                .header("X-Encrypted", "true") // Optional: custom header to indicate encryption
+                                .bodyValue(encrypted)
+                                .exchangeToMono(response -> {
+                                    if (response.statusCode().is2xxSuccessful()) {
+                                        return response.bodyToMono(Map.class)
+                                                .map(map -> map.get("result"))
+                                                .map(QueryExecutionResult::success);
+                                    }
+                                    return response.bodyToMono(Map.class)
+                                            .map(map -> MapUtils.getString(map, "message"))
+                                            .map(QueryExecutionResult::errorWithMessage);
+                                });
+                    } catch (Exception e) {
+                        log.error("Encryption error", e);
+                        return Mono.error(new ServerException("Encryption error"));
+                    }
+                });
     }
 
     @SuppressWarnings("unchecked")

server/api-service/lowcoder-server/src/main/resources/application-debug.yaml

@@ -61,4 +61,9 @@ logging:
     org.lowcoder: debug
 
 default:
-  query-timeout: ${LOWCODER_DEFAULT_QUERY_TIMEOUT:10s}
+  query-timeout: ${LOWCODER_DEFAULT_QUERY_TIMEOUT:10s}
+
+lowcoder:
+  node-server:
+    password: ${LOWCODER_NODE_SERVICE_SECRET:lowcoderpwd}
+    salt: ${LOWCODER_NODE_SERVICE_SECRET_SALT:lowcodersalt}

server/api-service/lowcoder-server/src/main/resources/application.yaml

@@ -130,3 +130,8 @@ management:
       enabled: true
     diskspace:
       enabled: false
+      
+lowcoder:
+  node-server:
+    password: ${LOWCODER_NODE_SERVICE_SECRET:lowcoderpwd}
+    salt: ${LOWCODER_NODE_SERVICE_SECRET_SALT:lowcodersalt}

server/node-service/src/controllers/plugins.ts

@@ -3,6 +3,23 @@ import { Request, Response } from "express";
 import _ from "lodash";
 import { Config } from "lowcoder-sdk/dataSource";
 import * as pluginServices from "../services/plugin";
+// Add import for decryption utility
+import { decryptString } from "../utils/encryption"; // <-- implement this utility as needed
+
+async function getDecryptedBody(req: Request): Promise<any> {
+  if (req.headers["x-encrypted"]) {
+    // Assume body is a raw encrypted string, decrypt and parse as JSON
+    const encrypted = typeof req.body === "string" ? req.body : req.body?.toString?.();
+    if (!encrypted) throw badRequest("Missing encrypted body");
+    const decrypted = await decryptString(encrypted);
+    try {
+      return JSON.parse(decrypted);
+    } catch (e) {
+      throw badRequest("Failed to parse decrypted body as JSON");
+    }
+  }
+  return req.body;
+}
 
 export async function listPlugins(req: Request, res: Response) {
   let ids = req.query["id"] || [];
@@ -15,12 +32,10 @@ export async function listPlugins(req: Request, res: Response) {
 }
 
 export async function runPluginQuery(req: Request, res: Response) {
-  const { pluginName, dsl, context, dataSourceConfig } = req.body;
+  const body = await getDecryptedBody(req);
+  const { pluginName, dsl, context, dataSourceConfig } = body;
   const ctx = pluginServices.getPluginContext(req);
 
-
-  // console.log("pluginName: ", pluginName, "dsl: ", dsl, "context: ", context, "dataSourceConfig: ", dataSourceConfig, "ctx: ", ctx);
-
   const result = await pluginServices.runPluginQuery(
     pluginName,
     dsl,
@@ -32,7 +47,8 @@ export async function runPluginQuery(req: Request, res: Response) {
 }
 
 export async function validatePluginDataSourceConfig(req: Request, res: Response) {
-  const { pluginName, dataSourceConfig } = req.body;
+  const body = await getDecryptedBody(req);
+  const { pluginName, dataSourceConfig } = body;
   const ctx = pluginServices.getPluginContext(req);
   const result = await pluginServices.validatePluginDataSourceConfig(
     pluginName,
@@ -50,10 +66,11 @@ type GetDynamicDefReqBody = {
 
 export async function getDynamicDef(req: Request, res: Response) {
   const ctx = pluginServices.getPluginContext(req);
-  if (!Array.isArray(req.body)) {
+  const body = await getDecryptedBody(req);
+  if (!Array.isArray(body)) {
     throw badRequest("request body is not a valid array");
   }
-  const fields = req.body as GetDynamicDefReqBody;
+  const fields = body as GetDynamicDefReqBody;
   const result: Config[] = [];
   for (const item of fields) {
     const def = await pluginServices.getDynamicConfigDef(

server/node-service/src/server.ts

@@ -9,6 +9,7 @@ import { collectDefaultMetrics } from "prom-client";
 import apiRouter from "./routes/apiRouter";
 import systemRouter from "./routes/systemRouter";
 import cors, { CorsOptions } from "cors";
+import bodyParser from "body-parser";
 collectDefaultMetrics();
 
 const prefix = "/node-service";
@@ -32,6 +33,15 @@ router.use(morgan("dev"));
 /** Parse the request */
 router.use(express.urlencoded({ extended: false }));
 
+/** Custom middleware: use raw body for encrypted requests */
+router.use((req, res, next) => {
+  if (req.headers["x-encrypted"]) {
+    bodyParser.text({ type: "*/*" })(req, res, next);
+  } else {
+    bodyParser.json()(req, res, next);
+  }
+});
+
 /** Takes care of JSON data */
 router.use(
   express.json({

server/node-service/src/utils/encryption.ts

@@ -0,0 +1,58 @@
+import { createDecipheriv, createHash } from "crypto";
+import { badRequest } from "../common/error";
+
+// Spring's Encryptors.text uses AES-256-CBC with a key derived from password and salt (hex).
+// The encrypted string format is: hex(salt) + encryptedBase64
+// See: https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/encrypt/Encryptors.html
+
+const ALGORITHM = "aes-256-cbc";
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 16;  // 128 bits
+
+// You must set these to match your Java config:
+const PASSWORD = process.env.LOWCODER_NODE_SERVICE_SECRET || "lowcoderpwd";
+const SALT_HEX = process.env.LOWCODER_NODE_SERVICE_SECRET_SALT || "lowcodersalt";
+
+/**
+ * Convert a string to its binary representation, then to a hex string.
+ */
+function stringToHexFromBinary(str: string): string {
+  // Convert string to binary (Buffer), then to hex string
+  return Buffer.from(str, "utf8").toString("hex");
+}
+
+/**
+ * Derive key from password and salt using SHA-256 (Spring's default).
+ */
+function deriveKey(password: string, saltHex: string): Buffer {
+  // Convert salt string to binary, then to hex string
+  const saltHexFromBinary = stringToHexFromBinary(saltHex);
+  const salt = Buffer.from(saltHexFromBinary, "hex");
+  const hash = createHash("sha256");
+  hash.update(password);
+  hash.update(salt);
+  return hash.digest();
+}
+
+/**
+ * Decrypt a string encrypted by Spring's Encryptors.text.
+ */
+export async function decryptString(encrypted: string): Promise<string> {
+  try {
+    // Spring's format: hex(salt) + encryptedBase64
+    // But if you know salt, encrypted is just Base64(IV + ciphertext)
+    const key = deriveKey(PASSWORD, SALT_HEX);
+
+    // Spring's Encryptors.text prepends a random IV (16 bytes) to the ciphertext, all base64 encoded.
+    const encryptedBuf = Buffer.from(encrypted, "base64");
+    const iv = encryptedBuf.slice(0, IV_LENGTH);
+    const ciphertext = encryptedBuf.slice(IV_LENGTH);
+
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    let decrypted = decipher.update(ciphertext, undefined, "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  } catch (e) {
+    throw badRequest("Failed to decrypt string");
+  }
+}