feat: implement sql dump encryption

Open oripka opened this issue 5 months ago • 2 comments

Description

This PR introduces encrypted SQL dumps to Nuxt Content v3, allowing prerendered content dumps to be safely hosted on a CDN or static platform without exposing raw .sql data.

When enabled, dumps are AES-256-GCM encrypted at build time and decrypted in the browser only after the client requests a short-lived key from your app (post-authentication).

Key points

  • 🔒 New content.encryption option in nuxt.config.ts

    • enabled: true enables encrypted dumps and key endpoint
    • masterKey (optional) – base64(32 bytes); if omitted, one is generated at build time
  • ✨ Adds runtime API endpoints:

    • GET /__nuxt_content/:collection/sql_dump.enc → encrypted dump
    • GET /api/__nuxt_content/:collection/key → returns derived AES key (must be protected by your auth middleware)
    • Legacy sql_dump.txt routes remain available if encryption is disabled
  • 🧩 Middleware example added for access control of private collections

  • 📚 Documentation updated with new guides:

    • docs/content/docs/1.getting-started/3.configuration.md (content.encryption)
    • docs/content/docs/8.advanced/9.private.md (full guide on encrypted dumps)
  • 🛠 Internal changes:

    • New runtime/internal/encryption.ts utilities (HKDF, AES-GCM, envelope handling)
    • Client & server loaders updated to support decrypt-and-hydrate flow
    • Shared dumps preset (src/presets/shared-dumps.ts) ensures consistent handling across Node, Cloudflare, and NuxtHub

Type of change

  • [ ] 📖 Documentation
  • [ ] 🐞 Bug fix
  • [ ] 👌 Enhancement
  • [x] ✨ New feature
  • [ ] ⚠️ Breaking change

Checklist

  • [x] Added docs for new config (content.encryption)
  • [x] Updated presets (node, cloudflare, nuxthub) to support encrypted dumps
  • [x] Added runtime encryption/decryption logic
  • [x] Ensured backwards compatibility with legacy .sql dumps

oripka avatar Aug 19 '25 21:08 oripka

@oripka is attempting to deploy a commit to the NuxtLabs Team on Vercel.

A member of the Team first needs to authorize it.

vercel[bot] avatar Aug 19 '25 21:08 vercel[bot]

npm i https://pkg.pr.new/@nuxt/content@3510

commit: 0e20684

pkg-pr-new[bot] avatar Aug 19 '25 21:08 pkg-pr-new[bot]