[SOLVED] Encrypt data on persistence (v12.4)

a_v_l · May 7, 2025, 8:27am

Hi everybody,

I extended the fe_user-model with some custom properties and want to encrypt the data (string) on persistence. Of course, the data should be decrypted on retrieval. I think a custom type converter is an option. I just can’t find how to apply the converter to my custom properties.

Or should this be done by hydrating / thawing? And how?

Thanks for any help, hint or (even better) example,
Arndt

sorenmalling · May 7, 2025, 8:47am

With suggest a TypeConverter you will get all data - you might want to extend the defaut PersistentObjectConverter instead.
Alternatively, the AfterObjectThawedEvent could be a good choice - you can most likely touch only the single properties needed

Working with encrypted data in the backend
If working from the backend with similar data, I have a field myself that I encrypt via a formevals like this

#ext_localconf.php
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tce']['formevals'][ApiCredential::class] = '';

#ApiCredential.php
final class ApiCredential
{
    public const OBFUSCATED_VALUE = '********';


    public function evaluateFieldValue(string $value): string
    {
        if ($value === self::OBFUSCATED_VALUE) {
            return $value;
        }

        return Credentials::encrypt($value);
    }

    /**
     * @param array{value: string} $parameters
     */
    public function deevaluateFieldValue(array $parameters): string
    {
        if ($parameters['value'] === '') {
            return '';
        }

        return self::OBFUSCATED_VALUE;
    }
}

# Configuration/TCA/<table>.php
        'api_secret' => [
            'label' => 'LLL:EXT:extension/Resources/Private/Language/TCA/table.xlf:columns.api_secret.label',
            'config' => [
                'type' => 'input',
                'required' => true,
                'eval' => ApiCredential::class
            ]
        ]

a_v_l · May 7, 2025, 10:44am

Thank you for hinting to the AfterObjectThawedEvent. This would make decrypting the data very easy. However, it seems, that a listener to this event can see but not manipulate the data.
I am not sure if this is a bug or intended, but the eventDispatcher doesn’t return any data:

github.com/TYPO3/typo3

typo3/sysext/extbase/Classes/Persistence/Generic/Mapper/DataMapper.php

12.4


      
              // @todo: this also needs to contain the query's languageAspect with its configuration
              // which should be changed along with https://review.typo3.org/c/Packages/TYPO3.CMS/+/75093
              $identifier = $row['uid'] . (isset($row['_LOCALIZED_UID']) ? '_' . $row['_LOCALIZED_UID'] : '');
              if ($this->persistenceSession->hasIdentifier($identifier, $className)) {
                  $object = $this->persistenceSession->getObjectByIdentifier($identifier, $className);
              } else {
                  $object = $this->createEmptyObject($className);
                  $this->persistenceSession->registerObject($object, $identifier);
                  $this->thawProperties($object, $row);
                  $event = new AfterObjectThawedEvent($object, $row);
                  $this->eventDispatcher->dispatch($event);
                  $object->_memorizeCleanState();
                  $this->persistenceSession->registerReconstitutedEntity($object);
              }
              return $object;
          }
          
          /**
           * Creates a skeleton of the specified object. This is
           * designed to *not* call class constructor when hydrating,
           * but *do call* initializeObject() if exists and obey

I don’t need to obfuscate the data in the backend.

sorenmalling · May 7, 2025, 12:09pm

The event has a getRecord method - that allows you to retrieve and manipulate the record using it’s set* method.

Like

$encryptedValue = Encryptor::encrypt($event->getRecord()->getSecret());
$event->getRecord()->setSecret($encryptedValue)

a_v_l · May 7, 2025, 1:32pm

Yes, you are right. Except that it is the getObject-method:

$user = $event->getObject();
if (method_exists($user, 'getSensitiveProp')) {
	$encryptedProp = $this->encryptionService->encrypt($user->getSensitiveProp());
	$user->setSensitiveProp($encryptedProp);
}

$event->getRecord() returns an array.

But how would I encrypt the sensitiveProp on persistence? Maybe with the event EntityAddedToPersistenceEvent?

sorenmalling · May 7, 2025, 1:49pm

Yep, I would go for them if your situation is receiving data:

TYPO3\CMS\Extbase\Event\Persistence\EntityAddedToPersistenceEvent
TYPO3\CMS\Extbase\Event\Persistence\EntityUpdatedInPersistenceEvent