secrets

package v1.6.0 (not the latest version of its module)
Published: Jun 9, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package secrets decrypts ManyRows config-secret envelopes using the workspace's private ECDH key.

Usage:

import (
    "context"
    "encoding/json"
    "log"

    manyrows "github.com/manyrows/manyrows-auth-go"
    "github.com/manyrows/manyrows-auth-go/secrets"
)

// Load your workspace private key once at startup. It's the JWK
// you exported when you generated the keypair in the ManyRows
// admin UI. Stash it in a secret manager or env var; never check
// it into source control.
var privateKeyJWK = []byte(`{"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."}`)

// client is the Server API client from package manyrows, constructed
// elsewhere at startup; ctx bounds the delivery fetch.
ctx := context.Background()
delivery, err := client.GetDelivery(ctx)
if err != nil {
    log.Fatal(err)
}
for _, sec := range delivery.Config.Secrets {
    // Skip entries that were never set or that carry no envelope.
    if sec.IsSet == nil || !*sec.IsSet || len(sec.Envelope) == 0 {
        continue
    }
    plaintext, err := secrets.Decrypt(sec.Envelope, privateKeyJWK)
    if err != nil {
        // Covers malformed envelopes, wrong key and tampered ciphertext alike.
        log.Fatal(err)
    }
    // plaintext is the JSON-encoded value the browser stored.
    // For a string secret, plaintext == `"hello"` (with quotes).
    var v string
    if err := json.Unmarshal(plaintext, &v); err != nil {
        log.Fatal(err)
    }
}

Algorithm: ECDH P-256 → HKDF-SHA256 (salt "manyrows:secrets:v1", info "workspace-fingerprint:<hex>") → AES-256-GCM. Mirrors the browser-side encrypt path in manyrows-ui's ConfigKeys page; if the algorithm constants ever change there, update them here too.
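The pipeline above, reconstructed from the stated constants as an added, stand-alone example (not the package's own code; it may not interoperate byte-for-byte with it, since the page does not say how fingerprintSha256 is computed or how the JWK, IV and ciphertext are encoded before base64). It assumes a 12-byte GCM IV and passes fpHex through as an opaque context string, and it shows both the browser's Seal side and the server's Open side so the authentication-failure cases named under Decrypt can be exercised.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// aeadFor runs ECDH P-256 -> HKDF-SHA256 -> AES-256-GCM with the salt and info the package docs
// name. ASSUMPTION: fpHex is the envelope's fingerprintSha256, treated here as an opaque context string.
func aeadFor(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey, fpHex string) cipher.AEAD {
	shared, err := mine.ECDH(theirs) // 32-byte x-coordinate; fails only on a curve mismatch
	must(err)
	// HKDF-SHA256 (RFC 5869), first 32-byte block only: extract, then expand over info || 0x01.
	prk := hmac.New(sha256.New, []byte("manyrows:secrets:v1"))
	prk.Write(shared)
	okm := hmac.New(sha256.New, prk.Sum(nil))
	okm.Write([]byte("workspace-fingerprint:" + fpHex + "\x01"))
	block, err := aes.NewCipher(okm.Sum(nil)) // 32-byte key selects AES-256
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	return gcm
}

// Seal mirrors the browser save path: fresh ephemeral keypair, random 12-byte IV, ciphertext with
// the GCM tag appended. The three results are what the Envelope fields carry (before base64).
func Seal(wsPub *ecdh.PublicKey, fpHex string, pt []byte) (*ecdh.PublicKey, []byte, []byte) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	must(err)
	aead := aeadFor(eph, wsPub, fpHex)
	iv := make([]byte, aead.NonceSize())
	_, err = rand.Read(iv)
	must(err)
	return eph.PublicKey(), iv, aead.Seal(nil, iv, pt, nil)
}

// Open is the server side: workspace private key + ephemeral public key reproduce the same AES
// key, so a tampered ciphertext, wrong IV or wrong workspace key all fail GCM authentication.
func Open(wsPriv *ecdh.PrivateKey, eph *ecdh.PublicKey, fpHex string, iv, ct []byte) ([]byte, error) {
	return aeadFor(wsPriv, eph, fpHex).Open(nil, iv, ct, nil)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```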

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Decrypt

func Decrypt(envelope []byte, privateKeyJSON []byte) ([]byte, error)

Decrypt verifies the envelope, performs the ECDH+HKDF+AES-GCM ceremony, and returns the JSON-encoded plaintext exactly as the browser stored it (i.e. for a string-typed secret you'll get `"hello"` with the surrounding quotes — pass it to json.Unmarshal to recover the typed value).

`envelope` is the raw JSON from `delivery.config.secrets[].envelope`. `privateKeyJSON` is the customer's private JWK (`{"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."}`).

Returns an error if the envelope is malformed, the algorithm version does not match, base64 decoding fails, key material is missing or garbled, or GCM authentication fails (which covers both a tampered ciphertext and a wrong key).

Types

type Envelope

type Envelope struct {
	V                  int             `json:"v"`
	Alg                string          `json:"alg"`
	FingerprintSha256  string          `json:"fingerprintSha256"`
	EphemeralPublicJWK json.RawMessage `json:"ephemeralPublicKeyJwk"`
	IVB64              string          `json:"ivB64"`
	CiphertextB64      string          `json:"ciphertextB64"`
}

Envelope is the on-the-wire shape produced by the browser at secret-save time. The Server API delivery returns one of these (as raw JSON) per secret entry under `delivery.config.secrets[].envelope`.
