fix(oauth2): Fixed field encryption for OAuth2 apps

postalsys · Dec 13, 2024 · a0c3eaa · a0c3eaa
1 parent 6427728
commit a0c3eaa
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 11 deletions.
diff --git a/encrypt.js b/encrypt.js
@@ -218,7 +218,7 @@ async function main() {
 
         try {
             let appUpdated = false;
-            for (let key of ['clientSecret', 'serviceKey']) {
+            for (let key of ['clientSecret', 'serviceKey', 'accessToken']) {
                 if (entry[key]) {
                     let value = await processSecret(entry[key], encryptSecret);
                     if (value !== entry[key]) {

diff --git a/lib/oauth2-apps.js b/lib/oauth2-apps.js
@@ -8,6 +8,7 @@ const { encrypt, decrypt } = require('./encrypt');
 const Boom = require('@hapi/boom');
 const settings = require('./settings');
 const Lock = require('ioredfour');
+const getSecret = require('./get-secret');
 
 const { OutlookOauth, outlookScopes } = require('./oauth/outlook');
 const { GmailOauth, GMAIL_SCOPES } = require('./oauth/gmail');
@@ -151,6 +152,22 @@ class OAuth2AppsHandler {
     constructor(options) {
         this.options = options || {};
         this.redis = this.options.redis;
+
+        this.secret = null;
+    }
+
+    async encrypt(value) {
+        if (this.secret === null) {
+            this.secret = await getSecret();
+        }
+        return await encrypt(value, this.secret);
+    }
+
+    async decrypt(value) {
+        if (this.secret === null) {
+            this.secret = await getSecret();
+        }
+        return await decrypt(value, this.secret);
     }
 
     getIndexKey() {
@@ -511,7 +528,7 @@ class OAuth2AppsHandler {
         let encryptedValues = {};
         for (let key of ['clientSecret', 'serviceKey', 'accessToken']) {
             if (data[key]) {
-                encryptedValues[key] = await encrypt(data[key]);
+                encryptedValues[key] = await this.encrypt(data[key]);
             }
         }
 
@@ -582,7 +599,7 @@ class OAuth2AppsHandler {
         let encryptedValues = {};
         for (let key of ['clientSecret', 'serviceKey', 'accessToken']) {
             if (data[key]) {
-                encryptedValues[key] = await encrypt(data[key]);
+                encryptedValues[key] = await this.encrypt(data[key]);
             }
         }
 
@@ -1060,7 +1077,7 @@ class OAuth2AppsHandler {
         switch (appData.provider) {
             case 'gmail': {
                 let clientId = appData.clientId;
-                let clientSecret = appData.clientSecret ? await decrypt(appData.clientSecret) : null;
+                let clientSecret = appData.clientSecret ? await this.decrypt(appData.clientSecret) : null;
                 let redirectUrl = appData.redirectUrl;
                 let scopes = formatExtraScopes(appData.extraScopes, appData.baseScopes, GMAIL_SCOPES, appData.skipScopes);
 
@@ -1102,7 +1119,7 @@ class OAuth2AppsHandler {
                 let serviceClient = appData.serviceClient;
 
                 let serviceClientEmail = appData.serviceClientEmail;
-                let serviceKey = appData.serviceKey ? await decrypt(appData.serviceKey) : null;
+                let serviceKey = appData.serviceKey ? await this.decrypt(appData.serviceKey) : null;
 
                 let scopes = formatExtraScopes(appData.extraScopes, appData.baseScopes, GMAIL_SCOPES, appData.skipScopes);
 
@@ -1143,7 +1160,7 @@ class OAuth2AppsHandler {
             case 'outlook': {
                 let authority = await appData.authority;
                 let clientId = appData.clientId;
-                let clientSecret = appData.clientSecret ? await decrypt(appData.clientSecret) : null;
+                let clientSecret = appData.clientSecret ? await this.decrypt(appData.clientSecret) : null;
                 let redirectUrl = appData.redirectUrl;
 
                 let cloud = appData.cloud || 'global';
@@ -1183,7 +1200,7 @@ class OAuth2AppsHandler {
 
             case 'mailRu': {
                 let clientId = appData.clientId;
-                let clientSecret = appData.clientSecret ? await decrypt(appData.clientSecret) : null;
+                let clientSecret = appData.clientSecret ? await this.decrypt(appData.clientSecret) : null;
                 let redirectUrl = appData.redirectUrl;
                 let scopes = formatExtraScopes(appData.extraScopes, appData.baseScopes, MAIL_RU_SCOPES, appData.skipScopes);
 
@@ -1224,7 +1241,7 @@ class OAuth2AppsHandler {
     }
 
     async getServiceAccessToken(appData, client) {
-        let accessToken = appData.accessToken ? await decrypt(appData.accessToken) : null;
+        let accessToken = appData.accessToken ? await this.decrypt(appData.accessToken) : null;
         let accessTokenExpires = appData.accessTokenExpires ? new Date(appData.accessTokenExpires) : null;
         let now = Date.now();
 
@@ -1256,7 +1273,7 @@ class OAuth2AppsHandler {
             // check if already renewed
             appData = await this.get(appData.id);
 
-            accessToken = appData.accessToken ? await decrypt(appData.accessToken) : null;
+            accessToken = appData.accessToken ? await this.decrypt(appData.accessToken) : null;
             accessTokenExpires = appData.accessTokenExpires ? new Date(appData.accessTokenExpires) : null;
             now = Date.now();
 

diff --git a/package.json b/package.json
@@ -8,8 +8,8 @@
     "scripts": {
         "start": "node server.js",
         "dev": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true node --tls-keylog=keylog.txt server --dbs.redis='redis://127.0.0.1:6379/9' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.dev.txt  | pino-pretty",
-        "single": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_WORKERS=1 node --inspect server --dbs.redis='redis://127.0.0.1:6379/10' --api.port=7002 --api.host=0.0.0.0 | tee $HOME/ee.log.single.txt | pino-pretty",
-        "gmail": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_FEATURE_MS_API=true EENGINE_WORKERS=2 node --inspect server --dbs.redis='redis://127.0.0.1:6379/11' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.gmail.txt | pino-pretty",
+        "single": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_SECRET=your-encryption-key EENGINE_WORKERS=1 node --inspect server --dbs.redis='redis://127.0.0.1:6379/10' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.single.txt | pino-pretty",
+        "gmail": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_SECRET=your-encryption-key EENGINE_WORKERS=2 node --inspect server --dbs.redis='redis://127.0.0.1:6379/11' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.gmail.txt | pino-pretty",
         "test": "grunt && node --test test/",
         "swagger": "./getswagger.sh",
         "build-source": "rm -rf node_modules && npm install && rm -rf node_modules && npm ci --omit=dev && ./update-info.sh",