src/blobs.js

/* jslint node:true */

import assert from 'node:assert';
import database from './database.js';

const CERT_PREFIX = 'cert';
const CERT_SUFFIX = 'cert';


const BLOBS_FIELDS = [ 'id', 'value' ].join(',');

async function get(id) {
    assert.strictEqual(typeof id, 'string');

    const result = await database.query(`SELECT ${BLOBS_FIELDS} FROM blobs WHERE id = ?`, [ id ]);
    if (result.length === 0) return null;
    return result[0].value;
}

async function getString(id) {
    assert.strictEqual(typeof id, 'string');

    const result = await database.query(`SELECT ${BLOBS_FIELDS} FROM blobs WHERE id = ?`, [ id ]);
    if (result.length === 0) return null;
    return result[0].value.toString('utf8');
}

async function set(id, value) {
    assert.strictEqual(typeof id, 'string');
    assert(value === null || Buffer.isBuffer(value));

    await database.query('INSERT INTO blobs (id, value) VALUES (?, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [ id, value ]);
}

async function setString(id, value) {
    assert.strictEqual(typeof id, 'string');
    assert(value === null || typeof value === 'string');

    await database.query('INSERT INTO blobs (id, value) VALUES (?, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [ id, Buffer.from(value) ]);
}

async function del(id) {
    await database.query('DELETE FROM blobs WHERE id=?', [ id ]);
}

async function clear() {
    await database.query('DELETE FROM blobs');
}

async function listCertIds() {
    const result = await database.query('SELECT id FROM blobs WHERE id LIKE ?', [ `${CERT_PREFIX}-%.${CERT_SUFFIX}` ]);
    return result.map(r => r.id);
}

export default {
    get,
    getString,
    set,
    setString,
    del,

    listCertIds,

    ACME_ACCOUNT_KEY: 'acme_account_key',
    ADDON_TURN_SECRET: 'addon_turn_secret',

    // the code relies on sftp_<keytype>_* pattern
    SFTP_RSA_PUBLIC_KEY: 'sftp_rsa_public_key',
    SFTP_RSA_PRIVATE_KEY: 'sftp_rsa_private_key',
    SFTP_ED25519_PUBLIC_KEY: 'sftp_ed25519_public_key',
    SFTP_ED25519_PRIVATE_KEY: 'sftp_ed25519_private_key',

    PROXY_AUTH_TOKEN_SECRET: 'proxy_auth_token_secret',

    OIDC_KEY_EDDSA: 'oidc_key_eddsa', // this is only JWT private key, the public key will be derived
    OIDC_KEY_RS256: 'oidc_key_rs256',

    CERT_PREFIX,
    CERT_SUFFIX,
    _clear: clear
};
add async support to database.query() 2021-05-02 21:12:38 -07:00			`/* jslint node:true */`

Migrate codebase from CommonJS to ES Modules - Convert all require()/module.exports to import/export across 260+ files - Add "type": "module" to package.json to enable ESM by default - Add migrations/package.json with "type": "commonjs" to keep db-migrate compatible - Convert eslint.config.js to ESM with sourceType: "module" - Replace __dirname/__filename with import.meta.dirname/import.meta.filename - Replace require.main === module with process.argv[1] === import.meta.filename - Remove 'use strict' directives (implicit in ESM) - Convert dynamic require() in switch statements to static import lookup maps (dns.js, domains.js, backupformats.js, backupsites.js, network.js) - Extract self-referencing exports.CONSTANT patterns into standalone const declarations (apps.js, services.js, locks.js, users.js, mail.js, etc.) - Lazify SERVICES object in services.js to avoid circular dependency TDZ issues - Add clearMailQueue() to mailer.js for ESM-safe queue clearing in tests - Add _setMockApp() to ldapserver.js for ESM-safe test mocking - Add _setMockResolve() wrapper to dig.js for ESM-safe DNS mocking in tests - Convert backupupload.js to use dynamic imports so --check exits before loading the module graph (which requires BOX_ENV) - Update check-install to use ESM import for infra_version.js - Convert scripts/ (hotfix, release, remote_hotfix.js, find-unused-translations) - All 1315 tests passing Migration stats (AI-assisted using Cursor with Claude): - Wall clock time: ~3-4 hours - Assistant completions: ~80-100 - Estimated token usage: ~1-2M tokens Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-14 09:53:14 +01:00			`import assert from 'node:assert';`
migrate to "export default" also, set no-use-before-define in linter 2026-02-14 15:43:24 +01:00			`import database from './database.js';`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
Migrate codebase from CommonJS to ES Modules - Convert all require()/module.exports to import/export across 260+ files - Add "type": "module" to package.json to enable ESM by default - Add migrations/package.json with "type": "commonjs" to keep db-migrate compatible - Convert eslint.config.js to ESM with sourceType: "module" - Replace __dirname/__filename with import.meta.dirname/import.meta.filename - Replace require.main === module with process.argv[1] === import.meta.filename - Remove 'use strict' directives (implicit in ESM) - Convert dynamic require() in switch statements to static import lookup maps (dns.js, domains.js, backupformats.js, backupsites.js, network.js) - Extract self-referencing exports.CONSTANT patterns into standalone const declarations (apps.js, services.js, locks.js, users.js, mail.js, etc.) - Lazify SERVICES object in services.js to avoid circular dependency TDZ issues - Add clearMailQueue() to mailer.js for ESM-safe queue clearing in tests - Add _setMockApp() to ldapserver.js for ESM-safe test mocking - Add _setMockResolve() wrapper to dig.js for ESM-safe DNS mocking in tests - Convert backupupload.js to use dynamic imports so --check exits before loading the module graph (which requires BOX_ENV) - Update check-install to use ESM import for infra_version.js - Convert scripts/ (hotfix, release, remote_hotfix.js, find-unused-translations) - All 1315 tests passing Migration stats (AI-assisted using Cursor with Claude): - Wall clock time: ~3-4 hours - Assistant completions: ~80-100 - Estimated token usage: ~1-2M tokens Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-14 09:53:14 +01:00			`const CERT_PREFIX = 'cert';`
			`const CERT_SUFFIX = 'cert';`

Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
add async support to database.query() 2021-05-02 21:12:38 -07:00			`const BLOBS_FIELDS = [ 'id', 'value' ].join(',');`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
add async support to database.query() 2021-05-02 21:12:38 -07:00			`async function get(id) {`
			`assert.strictEqual(typeof id, 'string');`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
add async support to database.query() 2021-05-02 21:12:38 -07:00			const result = await database.query(`SELECT ${BLOBS_FIELDS} FROM blobs WHERE id = ?`, [ id ]);
			`if (result.length === 0) return null;`
			`return result[0].value;`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00			`}`

proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`async function getString(id) {`
			`assert.strictEqual(typeof id, 'string');`

			const result = await database.query(`SELECT ${BLOBS_FIELDS} FROM blobs WHERE id = ?`, [ id ]);
			`if (result.length === 0) return null;`
			`return result[0].value.toString('utf8');`
			`}`

add async support to database.query() 2021-05-02 21:12:38 -07:00			`async function set(id, value) {`
secrets -> blobs this will also have certs which are not really "secrets" 2021-04-30 22:26:51 -07:00			`assert.strictEqual(typeof id, 'string');`
add async support to database.query() 2021-05-02 21:12:38 -07:00			`assert(value === null \|\| Buffer.isBuffer(value));`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
add async support to database.query() 2021-05-02 21:12:38 -07:00			`await database.query('INSERT INTO blobs (id, value) VALUES (?, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [ id, value ]);`
			`}`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`async function setString(id, value) {`
			`assert.strictEqual(typeof id, 'string');`
			`assert(value === null \|\| typeof value === 'string');`

			`await database.query('INSERT INTO blobs (id, value) VALUES (?, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [ id, Buffer.from(value) ]);`
			`}`

delete certs that have long expired (6 months) fixes #783 2021-05-18 13:28:48 -07:00			`async function del(id) {`
			`await database.query('DELETE FROM blobs WHERE id=?', [ id ]);`
			`}`

add async support to database.query() 2021-05-02 21:12:38 -07:00			`async function clear() {`
			`await database.query('DELETE FROM blobs');`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00			`}`
reverseproxy: rework cert logic 9c8f78a0595c0e08671db143ffcc7293c806b9d3 already fixed many of the cert issues. However, some issues were caught in the CI: * The TLS addon has to be rebuilt and not just restarted. For this reason, we now move things to a directory instead of mounting files. This way the container is just restarted. * Cleanups must be driven by the database and not the filesystem . Deleting files on disk or after a restore, the certs are left dangling forever in the db. * Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want. 2022-11-28 22:32:34 +01:00
			`async function listCertIds() {`
Migrate codebase from CommonJS to ES Modules - Convert all require()/module.exports to import/export across 260+ files - Add "type": "module" to package.json to enable ESM by default - Add migrations/package.json with "type": "commonjs" to keep db-migrate compatible - Convert eslint.config.js to ESM with sourceType: "module" - Replace __dirname/__filename with import.meta.dirname/import.meta.filename - Replace require.main === module with process.argv[1] === import.meta.filename - Remove 'use strict' directives (implicit in ESM) - Convert dynamic require() in switch statements to static import lookup maps (dns.js, domains.js, backupformats.js, backupsites.js, network.js) - Extract self-referencing exports.CONSTANT patterns into standalone const declarations (apps.js, services.js, locks.js, users.js, mail.js, etc.) - Lazify SERVICES object in services.js to avoid circular dependency TDZ issues - Add clearMailQueue() to mailer.js for ESM-safe queue clearing in tests - Add _setMockApp() to ldapserver.js for ESM-safe test mocking - Add _setMockResolve() wrapper to dig.js for ESM-safe DNS mocking in tests - Convert backupupload.js to use dynamic imports so --check exits before loading the module graph (which requires BOX_ENV) - Update check-install to use ESM import for infra_version.js - Convert scripts/ (hotfix, release, remote_hotfix.js, find-unused-translations) - All 1315 tests passing Migration stats (AI-assisted using Cursor with Claude): - Wall clock time: ~3-4 hours - Assistant completions: ~80-100 - Estimated token usage: ~1-2M tokens Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-14 09:53:14 +01:00			const result = await database.query('SELECT id FROM blobs WHERE id LIKE ?', [ `${CERT_PREFIX}-%.${CERT_SUFFIX}` ]);
reverseproxy: rework cert logic 9c8f78a0595c0e08671db143ffcc7293c806b9d3 already fixed many of the cert issues. However, some issues were caught in the CI: * The TLS addon has to be rebuilt and not just restarted. For this reason, we now move things to a directory instead of mounting files. This way the container is just restarted. * Cleanups must be driven by the database and not the filesystem . Deleting files on disk or after a restore, the certs are left dangling forever in the db. * Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want. 2022-11-28 22:32:34 +01:00			`return result.map(r => r.id);`
			`}`
migrate to "export default" also, set no-use-before-define in linter 2026-02-14 15:43:24 +01:00
			`export default {`
			`get,`
			`getString,`
			`set,`
			`setString,`
			`del,`

			`listCertIds,`

			`ACME_ACCOUNT_KEY: 'acme_account_key',`
			`ADDON_TURN_SECRET: 'addon_turn_secret',`

			`// the code relies on sftp_<keytype>_* pattern`
			`SFTP_RSA_PUBLIC_KEY: 'sftp_rsa_public_key',`
			`SFTP_RSA_PRIVATE_KEY: 'sftp_rsa_private_key',`
			`SFTP_ED25519_PUBLIC_KEY: 'sftp_ed25519_public_key',`
			`SFTP_ED25519_PRIVATE_KEY: 'sftp_ed25519_private_key',`

			`PROXY_AUTH_TOKEN_SECRET: 'proxy_auth_token_secret',`

			`OIDC_KEY_EDDSA: 'oidc_key_eddsa', // this is only JWT private key, the public key will be derived`
			`OIDC_KEY_RS256: 'oidc_key_rs256',`

			`CERT_PREFIX,`
			`CERT_SUFFIX,`
			`_clear: clear`
			`};`