mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
830 Commits 91 Branches 4 Tags
d5a0696e67338659558160d2603bb238878d1544
Commit Graph

3 Commits

Author SHA1 Message Date
Jason Woltje
737eb40d18 feat(#352): Encrypt existing plaintext Account tokens
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details 
Implements transparent encryption/decryption of OAuth tokens via Prisma middleware with progressive migration strategy.

Core Implementation:
- Prisma middleware transparently encrypts tokens on write, decrypts on read
- Auto-detects ciphertext format: aes:iv:authTag:encrypted, vault:v1:..., or plaintext
- Uses existing CryptoService (AES-256-GCM) for encryption
- Progressive encryption: tokens encrypted as they're accessed/refreshed
- Zero-downtime migration (schema change only, no bulk data migration)

Security Features:
- Startup key validation prevents silent data loss if ENCRYPTION_KEY changes
- Secure error logging (no stack traces that could leak sensitive data)
- Graceful handling of corrupted encrypted data
- Idempotent encryption prevents double-encryption
- Future-proofed for OpenBao Transit encryption (Phase 2)

Token Fields Encrypted:
- accessToken (OAuth access tokens)
- refreshToken (OAuth refresh tokens)
- idToken (OpenID Connect ID tokens)

Backward Compatibility:
- Existing plaintext tokens readable (encryptionVersion = NULL)
- Progressive encryption on next write
- BetterAuth integration transparent (middleware layer)

Test Coverage:
- 20 comprehensive unit tests (89.06% coverage)
- Encryption/decryption scenarios
- Null/undefined handling
- Corrupted data handling
- Legacy plaintext compatibility
- Future vault format support
- All CRUD operations (create, update, updateMany, upsert)

Files Created:
- apps/api/src/prisma/account-encryption.middleware.ts
- apps/api/src/prisma/account-encryption.middleware.spec.ts
- apps/api/prisma/migrations/20260207_encrypt_account_tokens/migration.sql

Files Modified:
- apps/api/src/prisma/prisma.service.ts (register middleware)
- apps/api/src/prisma/prisma.module.ts (add CryptoService)
- apps/api/src/federation/crypto.service.ts (add key validation)
- apps/api/prisma/schema.prisma (add encryptionVersion)
- .env.example (document ENCRYPTION_KEY)

Fixes #352

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-07 13:16:43 -06:00
Jason Woltje
77d1d14e08 fix(#289): Prevent private key decryption error data leaks 
Modified decrypt() error handling to only log error type without
stack traces, error details, or encrypted content. Added test to
verify sensitive data is not exposed in logs.

Security improvement: Prevents leakage of encrypted data or partial
decryption results through error logs.

Fixes #289

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-03 21:35:15 -06:00
Jason Woltje
e3dd490d4d fix(#84): address critical security issues in federation identity 
Implemented comprehensive security fixes for federation instance identity:

CRITICAL SECURITY FIXES:
1. Private Key Encryption at Rest (AES-256-GCM)
   - Implemented CryptoService with AES-256-GCM encryption
   - Private keys encrypted before database storage
   - Decrypted only when needed in-memory
   - Master key stored in ENCRYPTION_KEY environment variable
   - Updated schema comment to reflect actual encryption method

2. Admin Authorization on Key Regeneration
   - Created AdminGuard for system-level admin operations
   - Requires workspace ownership for admin privileges
   - Key regeneration restricted to admin users only
   - Proper authorization checks before sensitive operations

3. Private Key Never Exposed in API Responses
   - Changed regenerateKeypair return type to PublicInstanceIdentity
   - Service method strips private key before returning
   - Added tests to verify private key exclusion
   - Controller returns only public identity

ADDITIONAL SECURITY IMPROVEMENTS:
4. Audit Logging for Key Regeneration
   - Created FederationAuditService
   - Logs all keypair regeneration events
   - Includes userId, instanceId, and timestamp
   - Marked as security events for compliance

5. Input Validation for INSTANCE_URL
   - Validates URL format (must be HTTP/HTTPS)
   - Throws error on invalid URLs
   - Prevents malformed configuration

6. Added .env.example
   - Documents all required environment variables
   - Includes INSTANCE_NAME, INSTANCE_URL
   - Includes ENCRYPTION_KEY with generation instructions
   - Clear security warnings for production use

TESTING:
- Added 11 comprehensive crypto service tests
- Updated 8 federation service tests for encryption
- Updated 5 controller tests for security verification
- Total: 24 tests passing (100% success rate)
- Verified private key never exposed in responses
- Verified encryption/decryption round-trip
- Verified admin authorization requirements

FILES CREATED:
- apps/api/src/federation/crypto.service.ts (encryption)
- apps/api/src/federation/crypto.service.spec.ts (tests)
- apps/api/src/federation/audit.service.ts (audit logging)
- apps/api/src/auth/guards/admin.guard.ts (authorization)
- apps/api/.env.example (configuration template)

FILES MODIFIED:
- apps/api/prisma/schema.prisma (updated comment)
- apps/api/src/federation/federation.service.ts (encryption integration)
- apps/api/src/federation/federation.controller.ts (admin guard, audit)
- apps/api/src/federation/federation.module.ts (new providers)
- All test files updated for new security requirements

CODE QUALITY:
- All tests passing (24/24)
- TypeScript compilation: PASS
- ESLint: PASS
- Test coverage maintained at 100%

Fixes #84

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-03 11:13:12 -06:00