feat(protect): hanlde bulk decrypt fallible response correctly

Author: calvinbrewer

packages/protect/__tests__/bulk-protect.test.ts

@@ -53,7 +53,7 @@
 	},
 	"dependencies": {
 		"@byteslice/result": "^0.2.0",
-		"@cipherstash/protect-ffi": "0.15.0",
+		"@cipherstash/protect-ffi": "0.16.0-0",
 		"zod": "^3.24.2"
 	},
 	"optionalDependencies": {

packages/protect/__tests__/protect.test.ts

@@ -10,6 +10,8 @@ import type {
   EncryptOptions,
   EncryptPayload,
   SearchTerm,
+  BulkEncryptPayload,
+  BulkDecryptPayload,
 } from '../types'
 import { EncryptModelOperation } from './operations/encrypt-model'
 import { DecryptModelOperation } from './operations/decrypt-model'
@@ -18,10 +20,8 @@ import { BulkDecryptModelsOperation } from './operations/bulk-decrypt-models'
 import { EncryptOperation } from './operations/encrypt'
 import { DecryptOperation } from './operations/decrypt'
 import { SearchTermsOperation } from './operations/search-terms'
-import {
-  BulkEncryptOperation,
-  type BulkEncryptPayload,
-} from './operations/bulk-encrypt'
+import { BulkEncryptOperation } from './operations/bulk-encrypt'
+import { BulkDecryptOperation } from './operations/bulk-decrypt'
 import {
   type EncryptConfig,
   encryptConfigSchema,
@@ -170,6 +170,16 @@ export class ProtectClient {
     return new BulkEncryptOperation(this.client, plaintexts, opts)
   }
 
+  /**
+   * Bulk decryption - returns a thenable object.
+   * Usage:
+   *    await eqlClient.bulkDecrypt(encryptedPayloads)
+   *    await eqlClient.bulkDecrypt(encryptedPayloads).withLockContext(lockContext)
+   */
+  bulkDecrypt(encryptedPayloads: BulkDecryptPayload): BulkDecryptOperation {
+    return new BulkDecryptOperation(this.client, encryptedPayloads)
+  }
+
   /**
    * Create search terms to use in a query searching encrypted data
    * Usage:

packages/protect/package.json

@@ -1,18 +1,71 @@
-import { decryptBulk } from '@cipherstash/protect-ffi'
+import {
+  decryptBulkFallible,
+  type DecryptResult,
+} from '@cipherstash/protect-ffi'
 import { withResult, type Result } from '@byteslice/result'
 import { noClientError } from '../index'
 import { type ProtectError, ProtectErrorTypes } from '../..'
 import { logger } from '../../../../utils/logger'
-import type { LockContext } from '../../identify'
-import type { Client, EncryptedPayload } from '../../types'
+import type { LockContext, Context } from '../../identify'
+import type { Client, BulkDecryptPayload, BulkDecryptedData } from '../../types'
 import { ProtectOperation } from './base-operation'
 
-export type BulkDecryptPayload =
-  | Array<{ id?: string; c: EncryptedPayload }>
-  | Array<EncryptedPayload | null>
-export type BulkDecryptedData =
-  | Array<{ id?: string; plaintext: string | null }>
-  | Array<string | null>
+// Helper functions for better composability
+const createDecryptPayloads = (
+  encryptedPayloads: BulkDecryptPayload,
+  lockContext?: Context,
+) => {
+  return encryptedPayloads
+    .map((item, index) => ({ ...item, originalIndex: index }))
+    .filter(({ data }) => data !== null)
+    .map(({ id, data, originalIndex }) => ({
+      id,
+      ciphertext: (typeof data === 'object' && data !== null
+        ? data.c
+        : data) as string,
+      originalIndex,
+      ...(lockContext && { lockContext }),
+    }))
+}
+
+const createNullResult = (
+  encryptedPayloads: BulkDecryptPayload,
+): BulkDecryptedData => {
+  return encryptedPayloads.map(({ id }) => ({
+    id,
+    data: null,
+  }))
+}
+
+const mapDecryptedDataToResult = (
+  encryptedPayloads: BulkDecryptPayload,
+  decryptedData: DecryptResult[],
+): BulkDecryptedData => {
+  const result: BulkDecryptedData = new Array(encryptedPayloads.length)
+  let decryptedIndex = 0
+
+  for (let i = 0; i < encryptedPayloads.length; i++) {
+    if (encryptedPayloads[i].data === null) {
+      result[i] = { id: encryptedPayloads[i].id, data: null }
+    } else {
+      const decryptResult = decryptedData[decryptedIndex]
+      if ('error' in decryptResult) {
+        result[i] = {
+          id: encryptedPayloads[i].id,
+          error: decryptResult.error,
+        }
+      } else {
+        result[i] = {
+          id: encryptedPayloads[i].id,
+          data: decryptResult.data,
+        }
+      }
+      decryptedIndex++
+    }
+  }
+
+  return result
+}
 
 export class BulkDecryptOperation extends ProtectOperation<BulkDecryptedData> {
   private client: Client
@@ -38,70 +91,17 @@ export class BulkDecryptOperation extends ProtectOperation<BulkDecryptedData> {
         if (!this.encryptedPayloads || this.encryptedPayloads.length === 0)
           return []
 
-        const isSimpleArray =
-          typeof this.encryptedPayloads[0] !== 'object' ||
-          this.encryptedPayloads[0] === null ||
-          !('c' in (this.encryptedPayloads[0] || {}))
-        if (isSimpleArray) {
-          const simplePayloads = this
-            .encryptedPayloads as Array<EncryptedPayload | null>
-          const nonNullPayloads = simplePayloads
-            .map((c, index) => ({ c, index }))
-            .filter(({ c }) => c !== null)
-            .map(({ c, index }) => ({
-              ciphertext: (typeof c === 'object' && c !== null
-                ? c.c
-                : c) as string,
-              originalIndex: index,
-            }))
-          if (nonNullPayloads.length === 0)
-            return simplePayloads.map(() => null)
-          const decryptedData = await decryptBulk(this.client, nonNullPayloads)
-          const result: Array<string | null> = new Array(simplePayloads.length)
-          let decryptedIndex = 0
-          for (let i = 0; i < simplePayloads.length; i++) {
-            if (simplePayloads[i] === null) {
-              result[i] = null
-            } else {
-              result[i] = decryptedData[decryptedIndex]
-              decryptedIndex++
-            }
-          }
-          return result
-        }
-        // Array of objects (with or without id)
-        const objPayloads = this.encryptedPayloads as Array<{
-          id?: string
-          c: EncryptedPayload
-        }>
-        const nonNullPayloads = objPayloads
-          .map((item, index) => ({ ...item, originalIndex: index }))
-          .filter(({ c }) => c !== null)
-          .map(({ id, c, originalIndex }) => ({
-            id,
-            ciphertext: (typeof c === 'object' && c !== null
-              ? c.c
-              : c) as string,
-            originalIndex,
-          }))
-        if (nonNullPayloads.length === 0)
-          return objPayloads.map(({ id }) => ({ id, plaintext: null }))
-        const decryptedData = await decryptBulk(this.client, nonNullPayloads)
-        const result: Array<{ id?: string; plaintext: string | null }> =
-          new Array(objPayloads.length)
-        let decryptedIndex = 0
-        for (let i = 0; i < objPayloads.length; i++) {
-          if (objPayloads[i].c === null) {
-            result[i] = { id: objPayloads[i].id, plaintext: null }
-          } else {
-            result[i] = {
-              id: objPayloads[i].id,
-              plaintext: decryptedData[decryptedIndex],
-            }
-            decryptedIndex++
-          }
+        const nonNullPayloads = createDecryptPayloads(this.encryptedPayloads)
+
+        if (nonNullPayloads.length === 0) {
+          return createNullResult(this.encryptedPayloads)
         }
-        return result
+
+        const decryptedData = await decryptBulkFallible(
+          this.client,
+          nonNullPayloads,
+        )
+        return mapDecryptedDataToResult(this.encryptedPayloads, decryptedData)
       },
       (error: unknown) => ({
         type: ProtectErrorTypes.DecryptionError,
@@ -136,85 +136,31 @@ export class BulkDecryptOperationWithLockContext extends ProtectOperation<BulkDe
       async () => {
         const { client, encryptedPayloads } = this.operation.getOperation()
         logger.debug('Bulk decrypting data WITH a lock context')
+
         if (!client) throw noClientError()
         if (!encryptedPayloads || encryptedPayloads.length === 0) return []
+
         const context = await this.lockContext.getLockContext()
-        if (context.failure)
+        if (context.failure) {
           throw new Error(`[protect]: ${context.failure.message}`)
-        const isSimpleArray =
-          typeof encryptedPayloads[0] !== 'object' ||
-          encryptedPayloads[0] === null ||
-          !('c' in (encryptedPayloads[0] || {}))
-        if (isSimpleArray) {
-          const simplePayloads =
-            encryptedPayloads as Array<EncryptedPayload | null>
-          const nonNullPayloads = simplePayloads
-            .map((c, index) => ({ c, index }))
-            .filter(({ c }) => c !== null)
-            .map(({ c, index }) => ({
-              ciphertext: (typeof c === 'object' && c !== null
-                ? c.c
-                : c) as string,
-              originalIndex: index,
-              lockContext: context.data.context,
-            }))
-          if (nonNullPayloads.length === 0)
-            return simplePayloads.map(() => null)
-          const decryptedData = await decryptBulk(
-            client,
-            nonNullPayloads,
-            context.data.ctsToken,
-          )
-          const result: Array<string | null> = new Array(simplePayloads.length)
-          let decryptedIndex = 0
-          for (let i = 0; i < simplePayloads.length; i++) {
-            if (simplePayloads[i] === null) {
-              result[i] = null
-            } else {
-              result[i] = decryptedData[decryptedIndex]
-              decryptedIndex++
-            }
-          }
-          return result
         }
-        // Array of objects (with or without id)
-        const objPayloads = encryptedPayloads as Array<{
-          id?: string
-          c: EncryptedPayload
-        }>
-        const nonNullPayloads = objPayloads
-          .map((item, index) => ({ ...item, originalIndex: index }))
-          .filter(({ c }) => c !== null)
-          .map(({ id, c, originalIndex }) => ({
-            id,
-            ciphertext: (typeof c === 'object' && c !== null
-              ? c.c
-              : c) as string,
-            originalIndex,
-            lockContext: context.data.context,
-          }))
-        if (nonNullPayloads.length === 0)
-          return objPayloads.map(({ id }) => ({ id, plaintext: null }))
-        const decryptedData = await decryptBulk(
+
+        const nonNullPayloads = createDecryptPayloads(
+          encryptedPayloads,
+          context.data.context,
+        )
+
+        if (nonNullPayloads.length === 0) {
+          return createNullResult(encryptedPayloads)
+        }
+
+        const decryptedData = await decryptBulkFallible(
           client,
           nonNullPayloads,
           context.data.ctsToken,
         )
-        const result: Array<{ id?: string; plaintext: string | null }> =
-          new Array(objPayloads.length)
-        let decryptedIndex = 0
-        for (let i = 0; i < objPayloads.length; i++) {
-          if (objPayloads[i].c === null) {
-            result[i] = { id: objPayloads[i].id, plaintext: null }
-          } else {
-            result[i] = {
-              id: objPayloads[i].id,
-              plaintext: decryptedData[decryptedIndex],
-            }
-            decryptedIndex++
-          }
-        }
-        return result
+
+        return mapDecryptedDataToResult(encryptedPayloads, decryptedData)
       },
       (error: unknown) => ({
         type: ProtectErrorTypes.DecryptionError,