CipherStash Docs

LockContext


@cipherstash/stack


Class: LockContext

Defined in: .tmp-stack/packages/stack/src/identity/index.ts:53

Manages CipherStash lock contexts for row-level access control.

A LockContext ties encryption/decryption operations to an authenticated user identity via CTS (CipherStash Token Service). Call identify with a user's JWT to obtain a CTS token, then pass the LockContext to .withLockContext() on any encrypt/decrypt operation.

Example

import { LockContext } from "@cipherstash/stack/identity"

const lc = new LockContext()
const identified = await lc.identify(userJwt)

if (identified.failure) throw new Error(identified.failure.message)

const result = await client
  .encrypt(value, { column: users.email, table: users })
  .withLockContext(identified.data)

Constructors

Constructor

new LockContext(__namedParameters?): LockContext;

Defined in: .tmp-stack/packages/stack/src/identity/index.ts:58

Parameters

__namedParameters?

LockContextOptions = {}

Returns

LockContext

Methods

identify()

identify(jwtToken): Promise<Result<LockContext, EncryptionError>>;

Defined in: .tmp-stack/packages/stack/src/identity/index.ts:94

Exchange a user's JWT for a CTS token and bind it to this lock context.

Parameters

jwtToken

string

A valid OIDC / JWT token for the current user.

Returns

Promise<Result<LockContext, EncryptionError>>

A Result containing this LockContext (now authenticated) or an error.

Example

const lc = new LockContext()
const result = await lc.identify(userJwt)
if (result.failure) {
  console.error("Auth failed:", result.failure.message)
}

getLockContext()

getLockContext(): Promise<Result<GetLockContextResponse, EncryptionError>>;

Defined in: .tmp-stack/packages/stack/src/identity/index.ts:156

Retrieve the current CTS token and context for use with encryption operations.

Must be called after identify. Returns the token/context pair that .withLockContext() expects.

Returns

Promise<Result<GetLockContextResponse, EncryptionError>>

A Result containing the CTS token and identity context, or an error if identify has not been called.
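
Example: failing closed when identification does not succeed

This is an added example, not code from the CipherStash documentation or package. It shows one way to enforce the identify-then-getLockContext ordering described above, so that no encrypt/decrypt call runs without a bound identity. `LockContextLike`, `lockContextForRequest` and `FakeLockContext` are hypothetical names modelled on the signatures on this page, and the sample JWT and CTS token strings are constructed.

```typescript
// Added example. These types mirror the signatures documented on this page;
// the fields of GetLockContextResponse are not shown there, so it stays opaque.
type EncryptionError = { message: string }
type Result<T, E> = { data: T; failure?: undefined } | { data?: undefined; failure: E }
interface LockContextLike {
  identify(jwtToken: string): Promise<Result<LockContextLike, EncryptionError>>
  getLockContext(): Promise<Result<unknown, EncryptionError>>
}

// Hypothetical helper: one lock context per request, failing closed.
// `make` would be `() => new LockContext()` with the real package.
async function lockContextForRequest(
  make: () => LockContextLike,
  userJwt: string | undefined,
): Promise<LockContextLike> {
  // No JWT means no identity to bind to: stop instead of encrypting unbound.
  if (!userJwt) throw new Error("missing user JWT")
  const identified = await make().identify(userJwt)
  if (identified.failure) throw new Error(`identify failed: ${identified.failure.message}`)
  // Check the token/context pair exists before any encrypt/decrypt is attempted.
  const ctx = await identified.data.getLockContext()
  if (ctx.failure) throw new Error(`lock context unavailable: ${ctx.failure.message}`)
  return identified.data
}

// Constructed in-memory stand-in (not the real class) so the example runs offline.
class FakeLockContext implements LockContextLike {
  private ctsToken: string | undefined
  async identify(jwtToken: string): Promise<Result<LockContextLike, EncryptionError>> {
    if (jwtToken !== "sample.valid.jwt") return { failure: { message: "token rejected" } }
    this.ctsToken = "sample-cts-token"
    return { data: this }
  }
  async getLockContext(): Promise<Result<unknown, EncryptionError>> {
    if (!this.ctsToken) return { failure: { message: "identify has not been called" } }
    return { data: { ctsToken: this.ctsToken } }
  }
}
```

The returned context is what gets passed to .withLockContext(); a thrown error here should abort the request instead of retrying the operation without a lock context.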
