feat(saas): update schema for db-per-tenant and per-component FIEL encryption

- Rename Tenant.schemaName to databaseName across all services - Add Subscription and Payment models to Prisma schema - Update FielCredential to per-component IV/tag encryption columns - Switch FIEL encryption key from JWT_SECRET to FIEL_ENCRYPTION_KEY - Add Subscription and Payment shared types - Update JWTPayload to use databaseName Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-15 23:15:55 +00:00
parent 0d17fe3494
commit f96a9c55c5
10 changed files with 175 additions and 97 deletions
--- a/apps/api/src/services/fiel.service.ts
+++ b/apps/api/src/services/fiel.service.ts
@@ -58,15 +58,19 @@ export async function uploadFiel(
      };
    }
    
-    // Encriptar credenciales (todas juntas con el mismo IV/tag)
+    // Encriptar credenciales (per-component IV/tag)
    const {
      encryptedCer,
      encryptedKey,
      encryptedPassword,
-      iv,
-      tag,
+      cerIv,
+      cerTag,
+      keyIv,
+      keyTag,
+      passwordIv,
+      passwordTag,
    } = encryptFielCredentials(cerData, keyData, password);
-    
+
    // Guardar o actualizar en BD
    await prisma.fielCredential.upsert({
      where: { tenantId },
@@ -76,8 +80,12 @@ export async function uploadFiel(
        cerData: encryptedCer,
        keyData: encryptedKey,
        keyPasswordEncrypted: encryptedPassword,
-        encryptionIv: iv,
-        encryptionTag: tag,
+        cerIv,
+        cerTag,
+        keyIv,
+        keyTag,
+        passwordIv,
+        passwordTag,
        serialNumber,
        validFrom,
        validUntil,
@@ -88,8 +96,12 @@ export async function uploadFiel(
        cerData: encryptedCer,
        keyData: encryptedKey,
        keyPasswordEncrypted: encryptedPassword,
-        encryptionIv: iv,
-        encryptionTag: tag,
+        cerIv,
+        cerTag,
+        keyIv,
+        keyTag,
+        passwordIv,
+        passwordTag,
        serialNumber,
        validFrom,
        validUntil,
@@ -198,13 +210,17 @@ export async function getDecryptedFiel(tenantId: string): Promise<{
  }

  try {
-    // Desencriptar todas las credenciales juntas
+    // Desencriptar credenciales (per-component IV/tag)
    const { cerData, keyData, password } = decryptFielCredentials(
      Buffer.from(fiel.cerData),
      Buffer.from(fiel.keyData),
      Buffer.from(fiel.keyPasswordEncrypted),
-      Buffer.from(fiel.encryptionIv),
-      Buffer.from(fiel.encryptionTag)
+      Buffer.from(fiel.cerIv),
+      Buffer.from(fiel.cerTag),
+      Buffer.from(fiel.keyIv),
+      Buffer.from(fiel.keyTag),
+      Buffer.from(fiel.passwordIv),
+      Buffer.from(fiel.passwordTag)
    );

    return {