Jason Woltje
737eb40d18
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Implements transparent encryption/decryption of OAuth tokens via Prisma middleware with progressive migration strategy. Core Implementation: - Prisma middleware transparently encrypts tokens on write, decrypts on read - Auto-detects ciphertext format: aes:iv:authTag:encrypted, vault:v1:..., or plaintext - Uses existing CryptoService (AES-256-GCM) for encryption - Progressive encryption: tokens encrypted as they're accessed/refreshed - Zero-downtime migration (schema change only, no bulk data migration) Security Features: - Startup key validation prevents silent data loss if ENCRYPTION_KEY changes - Secure error logging (no stack traces that could leak sensitive data) - Graceful handling of corrupted encrypted data - Idempotent encryption prevents double-encryption - Future-proofed for OpenBao Transit encryption (Phase 2) Token Fields Encrypted: - accessToken (OAuth access tokens) - refreshToken (OAuth refresh tokens) - idToken (OpenID Connect ID tokens) Backward Compatibility: - Existing plaintext tokens readable (encryptionVersion = NULL) - Progressive encryption on next write - BetterAuth integration transparent (middleware layer) Test Coverage: - 20 comprehensive unit tests (89.06% coverage) - Encryption/decryption scenarios - Null/undefined handling - Corrupted data handling - Legacy plaintext compatibility - Future vault format support - All CRUD operations (create, update, updateMany, upsert) Files Created: - apps/api/src/prisma/account-encryption.middleware.ts - apps/api/src/prisma/account-encryption.middleware.spec.ts - apps/api/prisma/migrations/20260207_encrypt_account_tokens/migration.sql Files Modified: - apps/api/src/prisma/prisma.service.ts (register middleware) - apps/api/src/prisma/prisma.module.ts (add CryptoService) - apps/api/src/federation/crypto.service.ts (add key validation) - apps/api/prisma/schema.prisma (add encryptionVersion) - .env.example (document ENCRYPTION_KEY) Fixes #352 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
38 lines
1.8 KiB
SQL
38 lines
1.8 KiB
SQL
-- Encrypt existing plaintext Account tokens
|
|
-- This migration adds an encryption_version column and marks existing records for encryption
|
|
-- The actual encryption happens via Prisma middleware on first read/write
|
|
|
|
-- Add encryption_version column to track encryption state
|
|
-- NULL = not encrypted (legacy plaintext)
|
|
-- 'aes' = AES-256-GCM encrypted
|
|
-- 'vault' = OpenBao Transit encrypted (Phase 2)
|
|
ALTER TABLE accounts ADD COLUMN IF NOT EXISTS encryption_version VARCHAR(20);
|
|
|
|
-- Create index for efficient queries filtering by encryption status
|
|
-- This index is also declared in Prisma schema (@@index([encryptionVersion]))
|
|
-- Using CREATE INDEX IF NOT EXISTS for idempotency
|
|
CREATE INDEX IF NOT EXISTS "accounts_encryption_version_idx" ON accounts(encryption_version);
|
|
|
|
-- Verify index was created successfully by running:
|
|
-- SELECT indexname, indexdef FROM pg_indexes WHERE tablename = 'accounts' AND indexname = 'accounts_encryption_version_idx';
|
|
|
|
-- Update statistics for query planner
|
|
ANALYZE accounts;
|
|
|
|
-- Migration Note:
|
|
-- This migration does NOT encrypt data in-place to avoid downtime and data corruption risks.
|
|
-- Instead, the Prisma middleware (account-encryption.middleware.ts) handles encryption:
|
|
--
|
|
-- 1. On READ: Detects format (plaintext vs encrypted) and decrypts if needed
|
|
-- 2. On WRITE: Encrypts tokens and sets encryption_version = 'aes'
|
|
-- 3. Backward compatible: Plaintext tokens (encryption_version = NULL) are passed through unchanged
|
|
--
|
|
-- To actively encrypt existing tokens, run the companion script:
|
|
-- node scripts/encrypt-account-tokens.js
|
|
--
|
|
-- This approach ensures:
|
|
-- - Zero downtime migration
|
|
-- - No risk of corrupting tokens during bulk encryption
|
|
-- - Progressive encryption as tokens are accessed/refreshed
|
|
-- - Easy rollback (middleware is idempotent)
|