- Add encryption key parameter for web

- Dynamically load multiple cipher module factory

Author: mugikhan

demos/react-supabase-todolist/package.json

@@ -13,7 +13,7 @@
     "@powersync/web": "workspace:*",
     "@emotion/react": "11.11.4",
     "@emotion/styled": "11.11.5",
-    "@journeyapps/wa-sqlite": "^1.0.0",
+    "@journeyapps/wa-sqlite": "^1.1.1",
     "@mui/icons-material": "^5.15.12",
     "@mui/material": "^5.15.12",
     "@mui/x-data-grid": "^6.19.6",

packages/web/package.json

@@ -60,7 +60,7 @@
   "author": "JOURNEYAPPS",
   "license": "Apache-2.0",
   "peerDependencies": {
-    "@journeyapps/wa-sqlite": "^1.0.0",
+    "@journeyapps/wa-sqlite": "^1.1.1",
     "@powersync/common": "workspace:^1.22.0"
   },
   "dependencies": {
@@ -72,7 +72,7 @@
     "js-logger": "^1.6.1"
   },
   "devDependencies": {
-    "@journeyapps/wa-sqlite": "^1.0.0",
+    "@journeyapps/wa-sqlite": "^1.1.1",
     "@types/uuid": "^9.0.6",
     "@vitest/browser": "^2.1.4",
     "crypto-browserify": "^3.12.0",

packages/web/src/db/PowerSyncDatabase.ts

@@ -56,17 +56,35 @@ type WithWebSyncOptions<Base> = Base & {
   sync?: WebSyncOptions;
 };
 
+export interface WebEncryptionOptions {
+  /**
+   * Encryption key for the database.
+   * If set, the database will be encrypted using Multiple Ciphers.
+   */
+  encryptionKey?: string;
+}
+
+type WithWebEncryptionOptions<Base> = Base & {
+  /**
+   * Encryption key for the database.
+   * If set, the database will be encrypted using Multiple Ciphers.
+   */
+  encryptionKey?: string;
+};
+
 export type WebPowerSyncDatabaseOptionsWithAdapter = WithWebSyncOptions<
-  WithWebFlags<PowerSyncDatabaseOptionsWithDBAdapter>
+  WithWebFlags<WithWebEncryptionOptions<PowerSyncDatabaseOptionsWithDBAdapter>>
 >;
 export type WebPowerSyncDatabaseOptionsWithOpenFactory = WithWebSyncOptions<
-  WithWebFlags<PowerSyncDatabaseOptionsWithOpenFactory>
+  WithWebFlags<WithWebEncryptionOptions<PowerSyncDatabaseOptionsWithOpenFactory>>
 >;
 export type WebPowerSyncDatabaseOptionsWithSettings = WithWebSyncOptions<
-  WithWebFlags<PowerSyncDatabaseOptionsWithSettings>
+  WithWebFlags<WithWebEncryptionOptions<PowerSyncDatabaseOptionsWithSettings>>
 >;
 
-export type WebPowerSyncDatabaseOptions = WithWebSyncOptions<WithWebFlags<PowerSyncDatabaseOptions>>;
+export type WebPowerSyncDatabaseOptions = WithWebSyncOptions<
+  WithWebFlags<WithWebEncryptionOptions<PowerSyncDatabaseOptions>>
+>;
 
 export const DEFAULT_POWERSYNC_FLAGS: Required<WebPowerSyncFlags> = {
   ...DEFAULT_WEB_SQL_FLAGS,
@@ -121,7 +139,8 @@ export class PowerSyncDatabase extends AbstractPowerSyncDatabase {
   protected openDBAdapter(options: WebPowerSyncDatabaseOptionsWithSettings): DBAdapter {
     const defaultFactory = new WASQLiteOpenFactory({
       ...options.database,
-      flags: resolveWebPowerSyncFlags(options.flags)
+      flags: resolveWebPowerSyncFlags(options.flags),
+      encryptionKey: options.encryptionKey
     });
     return defaultFactory.openDB();
   }

packages/web/src/db/adapters/wa-sqlite/WASQLiteConnection.ts

@@ -36,7 +36,7 @@ export type SQLiteModule = Parameters<typeof SQLite.Factory>[0];
 /**
  * @internal
  */
-export type WASQLiteModuleFactoryOptions = { dbFileName: string };
+export type WASQLiteModuleFactoryOptions = { dbFileName: string; encryptionKey?: string };
 
 /**
  * @internal
@@ -53,6 +53,14 @@ export const AsyncWASQLiteModuleFactory = async () => {
   return factory();
 };
 
+/**
+ * @internal
+ */
+export const MultiCipherAsyncWASQLiteModuleFactory = async () => {
+  const { default: factory } = await import('@journeyapps/wa-sqlite/dist/mc-wa-sqlite-async.mjs');
+  return factory();
+};
+
 /**
  * @internal
  */
@@ -61,12 +69,25 @@ export const SyncWASQLiteModuleFactory = async () => {
   return factory();
 };
 
+/**
+ * @internal
+ */
+export const MultiCipherSyncWASQLiteModuleFactory = async () => {
+  const { default: factory } = await import('@journeyapps/wa-sqlite/dist/mc-wa-sqlite.mjs');
+  return factory();
+};
+
 /**
  * @internal
  */
 export const DEFAULT_MODULE_FACTORIES = {
   [WASQLiteVFS.IDBBatchAtomicVFS]: async (options: WASQLiteModuleFactoryOptions) => {
-    const module = await AsyncWASQLiteModuleFactory();
+    let module;
+    if (options.encryptionKey) {
+      module = await MultiCipherAsyncWASQLiteModuleFactory();
+    } else {
+      module = await AsyncWASQLiteModuleFactory();
+    }
     const { IDBBatchAtomicVFS } = await import('@journeyapps/wa-sqlite/src/examples/IDBBatchAtomicVFS.js');
     return {
       module,
@@ -75,7 +96,12 @@ export const DEFAULT_MODULE_FACTORIES = {
     };
   },
   [WASQLiteVFS.AccessHandlePoolVFS]: async (options: WASQLiteModuleFactoryOptions) => {
-    const module = await SyncWASQLiteModuleFactory();
+    let module;
+    if (options.encryptionKey) {
+      module = await MultiCipherSyncWASQLiteModuleFactory();
+    } else {
+      module = await SyncWASQLiteModuleFactory();
+    }
     // @ts-expect-error The types for this static method are missing upstream
     const { AccessHandlePoolVFS } = await import('@journeyapps/wa-sqlite/src/examples/AccessHandlePoolVFS.js');
     return {
@@ -84,7 +110,12 @@ export const DEFAULT_MODULE_FACTORIES = {
     };
   },
   [WASQLiteVFS.OPFSCoopSyncVFS]: async (options: WASQLiteModuleFactoryOptions) => {
-    const module = await SyncWASQLiteModuleFactory();
+    let module;
+    if (options.encryptionKey) {
+      module = await MultiCipherSyncWASQLiteModuleFactory();
+    } else {
+      module = await SyncWASQLiteModuleFactory();
+    }
     // @ts-expect-error The types for this static method are missing upstream
     const { OPFSCoopSyncVFS } = await import('@journeyapps/wa-sqlite/src/examples/OPFSCoopSyncVFS.js');
     return {
@@ -146,15 +177,35 @@ export class WASqliteConnection
     return this._dbP;
   }
 
+  protected async executeEncryptionPragma(): Promise<void> {
+    if (this.options.encryptionKey && this._dbP) {
+      await this.executeSingleStatement(`PRAGMA key = "${this.options.encryptionKey}"`);
+    }
+    return;
+  }
+
   protected async openSQLiteAPI(): Promise<SQLiteAPI> {
-    const { module, vfs } = await this._moduleFactory({ dbFileName: this.options.dbFilename });
+    const { module, vfs } = await this._moduleFactory({
+      dbFileName: this.options.dbFilename,
+      encryptionKey: this.options.encryptionKey
+    });
     const sqlite3 = SQLite.Factory(module);
     sqlite3.vfs_register(vfs, true);
     /**
      * Register the PowerSync core SQLite extension
      */
     module.ccall('powersync_init_static', 'int', []);
 
+    /**
+     * Create the multiple cipher vfs if an encryption key is provided
+     */
+    if (this.options.encryptionKey) {
+      const createResult = module.ccall('sqlite3mc_vfs_create', 'int', ['string', 'int'], [this.options.dbFilename, 1]);
+      if (createResult !== 0) {
+        throw new Error('Failed to create multiple cipher vfs, Database encryption will not work');
+      }
+    }
+
     return sqlite3;
   }
 
@@ -182,6 +233,7 @@ export class WASqliteConnection
     await this.openDB();
     this.registerBroadcastListeners();
     await this.executeSingleStatement(`PRAGMA temp_store = ${this.options.temporaryStorage};`);
+    await this.executeEncryptionPragma();
 
     this.sqliteAPI.update_hook(this.dbP, (updateType: number, dbName: string | null, tableName: string | null) => {
       if (!tableName) {

packages/web/src/db/adapters/wa-sqlite/WASQLiteDBAdapter.ts

@@ -27,6 +27,12 @@ export interface WASQLiteDBAdapterOptions extends Omit<PowerSyncOpenFactoryOptio
 
   vfs?: WASQLiteVFS;
   temporaryStorage?: TemporaryStorageOption;
+
+  /**
+   * Encryption key for the database.
+   * If set, the database will be encrypted using multiple-ciphers.
+   */
+  encryptionKey?: string;
 }
 
 /**

packages/web/src/db/adapters/wa-sqlite/WASQLiteOpenFactory.ts

@@ -10,10 +10,12 @@ import { WASqliteConnection, WASQLiteVFS } from './WASQLiteConnection';
 
 export interface WASQLiteOpenFactoryOptions extends WebSQLOpenFactoryOptions {
   vfs?: WASQLiteVFS;
+  encryptionKey?: string;
 }
 
 export interface ResolvedWASQLiteOpenFactoryOptions extends ResolvedWebSQLOpenOptions {
   vfs: WASQLiteVFS;
+  encryptionKey?: string;
 }
 /**
  * Opens a SQLite connection using WA-SQLite.
@@ -39,7 +41,11 @@ export class WASQLiteOpenFactory extends AbstractWebSQLOpenFactory {
 
   async openConnection(): Promise<AsyncDatabaseConnection> {
     const { enableMultiTabs, useWebWorker } = this.resolvedFlags;
-    const { vfs = WASQLiteVFS.IDBBatchAtomicVFS, temporaryStorage = TemporaryStorageOption.MEMORY } = this.waOptions;
+    const {
+      vfs = WASQLiteVFS.IDBBatchAtomicVFS,
+      temporaryStorage = TemporaryStorageOption.MEMORY,
+      encryptionKey
+    } = this.waOptions;
 
     if (!enableMultiTabs) {
       this.logger.warn('Multiple tabs are not enabled in this browser');
@@ -67,7 +73,8 @@ export class WASQLiteOpenFactory extends AbstractWebSQLOpenFactory {
           dbFilename: this.options.dbFilename,
           vfs,
           temporaryStorage,
-          flags: this.resolvedFlags
+          flags: this.resolvedFlags,
+          encryptionKey: encryptionKey
         }),
         identifier: this.options.dbFilename
       });
@@ -79,7 +86,8 @@ export class WASQLiteOpenFactory extends AbstractWebSQLOpenFactory {
         debugMode: this.options.debugMode,
         vfs,
         temporaryStorage,
-        flags: this.resolvedFlags
+        flags: this.resolvedFlags,
+        encryptionKey: encryptionKey
       });
     }
   }