feat: implement sql dump encryption #3510

Open
oripka wants to merge 24 commits into nuxt:main from oripka:feat-encrypted-sql-dumps

oripka commented Aug 19, 2025

Description

This PR introduces encrypted SQL dumps to Nuxt Content v3, allowing prerendered content dumps to be safely hosted on a CDN or static platform without exposing raw .sql data.

When enabled, dumps are AES-256-GCM encrypted at build time and decrypted in the browser only after the client requests a short-lived key from your app (post-authentication).

Key points

  • 🔒 New content.encryption option in nuxt.config.ts

    • enabled: true enables encrypted dumps and key endpoint
    • masterKey (optional) – base64(32 bytes); if omitted, one is generated at build time
  • ✨ Adds runtime API endpoints:

    • GET /__nuxt_content/:collection/sql_dump.enc → encrypted dump
    • GET /api/__nuxt_content/:collection/key → returns derived AES key (must be protected by your auth middleware)
    • Legacy sql_dump.txt routes remain available if encryption is disabled
  • 🧩 Middleware example added for access control of private collections

  • 📚 Documentation updated with new guides:

    • docs/content/docs/1.getting-started/3.configuration.md (content.encryption)
    • docs/content/docs/8.advanced/9.private.md (full guide on encrypted dumps)
  • 🛠 Internal changes:

    • New runtime/internal/encryption.ts utilities (HKDF, AES-GCM, envelope handling)
    • Client & server loaders updated to support decrypt-and-hydrate flow
    • Shared dumps preset (src/presets/shared-dumps.ts) ensures consistent handling across Node, Cloudflare, and NuxtHub

Type of change

  • 📖 Documentation
  • 🐞 Bug fix
  • 👌 Enhancement
  • ✨ New feature
  • ⚠️ Breaking change

Checklist

  • Added docs for new config (content.encryption)
  • Updated presets (node, cloudflare, nuxthub) to support encrypted dumps
  • Added runtime encryption/decryption logic
  • Ensured backwards compatibility with legacy .sql dumps
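
The flow described in the PR above (per-collection key derived with HKDF, AES-256-GCM encryption at build time, decryption only with the key handed out after authentication), as an added example that is not code from the PR or from Nuxt Content. The HKDF label, the collection-name AAD binding and the envelope layout are assumptions; Node's `crypto` stands in for the browser's WebCrypto so the block runs offline.

```javascript
// Added example, not code from the PR. The HKDF info label and the envelope
// layout (12-byte IV | 16-byte tag | ciphertext, base64) are assumptions.
const nodeCrypto = require('node:crypto')

const IV_LEN = 12
const TAG_LEN = 16

// Derive one AES-256 key per collection so a leaked key exposes one dump only.
function deriveCollectionKey(masterKeyB64, collection) {
  const master = Buffer.from(masterKeyB64, 'base64')
  if (master.length !== 32) throw new Error('masterKey must be base64(32 bytes)')
  const info = Buffer.from(`example-dump-key:${collection}`) // hypothetical label
  return Buffer.from(nodeCrypto.hkdfSync('sha256', master, Buffer.alloc(0), info, 32))
}

// Build step: encrypt the dump. The collection name is bound as AAD so an
// envelope cannot be replayed under another collection's route.
function encryptDump(key, collection, plaintext) {
  const iv = nodeCrypto.randomBytes(IV_LEN) // fresh per encryption, never reused with a key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv)
  cipher.setAAD(Buffer.from(collection))
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64')
}

// Consumer side, after the key was fetched: the tag is verified before any
// plaintext is returned; final() throws if key, AAD or bytes do not match.
function decryptDump(key, collection, envelopeB64) {
  const raw = Buffer.from(envelopeB64, 'base64')
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('envelope too short')
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, IV_LEN))
  decipher.setAuthTag(raw.subarray(IV_LEN, IV_LEN + TAG_LEN))
  decipher.setAAD(Buffer.from(collection))
  const body = raw.subarray(IV_LEN + TAG_LEN)
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8')
}

// True when decryption fails (wrong key, wrong collection, or modified bytes).
function rejects(key, collection, envelopeB64) {
  try { decryptDump(key, collection, envelopeB64); return false } catch { return true }
}

// Constructed sample input (not a real key or a real dump)
const masterKey = Buffer.alloc(32, 7).toString('base64')
const sampleDump = "INSERT INTO _content_docs VALUES ('intro', 'hello');"
```

Because the key endpoint returns the derived key itself, anyone who has fetched it once can decrypt that collection's dump until the master key is rotated and the dump rebuilt, so the endpoint's auth middleware is the actual access control.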

vercel bot commented Aug 19, 2025

@oripka is attempting to deploy a commit to the NuxtLabs Team on Vercel.

A member of the Team first needs to authorize it.

oripka changed the title feat: implement collection encryption Aug 19, 2025

pkg-pr-new bot commented Aug 19, 2025

npm i https://pkg.pr.new/@nuxt/content@3510

commit: 0e20684

oripka force-pushed the feat-encrypted-sql-dumps branch 2 times, most recently from 48d54ae to 28d88dd Compare September 21, 2025 13:57
oripka force-pushed the feat-encrypted-sql-dumps branch from 28d88dd to 4ccffc7 Compare September 21, 2025 13:59
…mps-3.9.0

Resolved conflicts in package.json, src/presets/nuxthub.ts, src/runtime/presets/cloudflare/database-handler.ts

Fixed type error in src/runtime/internal/database.server.ts