diff --git a/encrypt.js b/encrypt.js
index 065b0ad0..8d5135fa 100644
--- a/encrypt.js
+++ b/encrypt.js
@@ -218,7 +218,7 @@ async function main() {
 try {
 let appUpdated = false;
- for (let key of ['clientSecret', 'serviceKey']) {
+ for (let key of ['clientSecret', 'serviceKey', 'accessToken']) {
 if (entry[key]) {
 let value = await processSecret(entry[key], encryptSecret);
 if (value !== entry[key]) {
diff --git a/lib/oauth2-apps.js b/lib/oauth2-apps.js
index 74b59351..652bc7e0 100644
--- a/lib/oauth2-apps.js
+++ b/lib/oauth2-apps.js
@@ -8,6 +8,7 @@ const { encrypt, decrypt } = require('./encrypt');
 const Boom = require('@hapi/boom');
 const settings = require('./settings');
 const Lock = require('ioredfour');
+const getSecret = require('./get-secret');
 const { OutlookOauth, outlookScopes } = require('./oauth/outlook');
 const { GmailOauth, GMAIL_SCOPES } = require('./oauth/gmail');
@@ -151,6 +152,22 @@ class OAuth2AppsHandler {
 constructor(options) {
 this.options = options || {};
 this.redis = this.options.redis;
+
+ this.secret = null;
+ }
+
+ async encrypt(value) {
+ if (this.secret === null) {
+ this.secret = await getSecret();
+ }
+ return await encrypt(value, this.secret);
+ }
+
+ async decrypt(value) {
+ if (this.secret === null) {
+ this.secret = await getSecret();
+ }
+ return await decrypt(value, this.secret);
 }
 getIndexKey() {
@@ -511,7 +528,7 @@ class OAuth2AppsHandler {
 let encryptedValues = {};
 for (let key of ['clientSecret', 'serviceKey', 'accessToken']) {
 if (data[key]) {
- encryptedValues[key] = await encrypt(data[key]);
+ encryptedValues[key] = await this.encrypt(data[key]);
 }
 }
@@ -582,7 +599,7 @@ class OAuth2AppsHandler {
 let encryptedValues = {};
 for (let key of ['clientSecret', 'serviceKey', 'accessToken']) {
 if (data[key]) {
- encryptedValues[key] = await encrypt(data[key]);
+ encryptedValues[key] = await this.encrypt(data[key]);
 }
 }
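Review bot: The list of fields that must be encrypted at rest, `['clientSecret', 'serviceKey', 'accessToken']`, is now spelled out in three places — this migration loop in encrypt.js and the two loops in lib/oauth2-apps.js (hunks at old lines 511 and 582) — so the next field added to one loop can silently be left out of the others, leaving it either unmigrated or stored in plaintext. Exporting a single constant, e.g. `const ENCRYPTED_APP_FIELDS = ['clientSecret', 'serviceKey', 'accessToken'];`, and iterating it in all three loops keeps the set in one place. The enclosing main() starts and ends outside this hunk.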
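Review bot: In the new encrypt()/decrypt() methods the lazy-load guard `this.secret === null` only caches a non-null result: if getSecret() resolves to `undefined` or an empty string, that value replaces the sentinel and is then passed to encrypt()/decrypt() on every call for the lifetime of the handler, while a `null` result is re-fetched on each call; what ./encrypt does with a missing secret is not visible here. Since the lazy-load is duplicated verbatim in both methods, a single helper that resolves the secret once and refuses an empty result would be both shorter and safer, as sketched below; if ./encrypt intentionally accepts a missing secret (plaintext fallback), drop the throw and keep only the shared helper. Note also that the secret is resolved once per handler instance, so a secret rotated at runtime is only picked up after a restart, and concurrent first calls each invoke getSecret() before the cache is populated, which is harmless only if getSecret() is idempotent — both hedged, as get-secret.js is not in the diff.
```javascript
    async resolveSecret() {
        if (this.secret === null) {
            const secret = await getSecret();
            if (!secret) {
                throw new Error('Encryption secret is not configured');
            }
            this.secret = secret;
        }
        return this.secret;
    }

    async encrypt(value) {
        return await encrypt(value, await this.resolveSecret());
    }

    async decrypt(value) {
        return await decrypt(value, await this.resolveSecret());
    }
```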
@@ -1060,7 +1077,7 @@ class OAuth2AppsHandler {
 switch (appData.provider) {
 case 'gmail': {
 let clientId = appData.clientId;
- let clientSecret = appData.clientSecret ? await decrypt(appData.clientSecret) : null;
+ let clientSecret = appData.clientSecret ? await this.decrypt(appData.clientSecret) : null;
 let redirectUrl = appData.redirectUrl;
 let scopes = formatExtraScopes(appData.extraScopes, appData.baseScopes, GMAIL_SCOPES, appData.skipScopes);
@@ -1102,7 +1119,7 @@ class OAuth2AppsHandler {
 let serviceClient = appData.serviceClient;
 let serviceClientEmail = appData.serviceClientEmail;
- let serviceKey = appData.serviceKey ? await decrypt(appData.serviceKey) : null;
+ let serviceKey = appData.serviceKey ? await this.decrypt(appData.serviceKey) : null;
 let scopes = formatExtraScopes(appData.extraScopes, appData.baseScopes, GMAIL_SCOPES, appData.skipScopes);
@@ -1143,7 +1160,7 @@ class OAuth2AppsHandler {
 case 'outlook': {
 let authority = await appData.authority;
 let clientId = appData.clientId;
- let clientSecret = appData.clientSecret ? await decrypt(appData.clientSecret) : null;
+ let clientSecret = appData.clientSecret ? await this.decrypt(appData.clientSecret) : null;
 let redirectUrl = appData.redirectUrl;
 let cloud = appData.cloud || 'global';
@@ -1183,7 +1200,7 @@ class OAuth2AppsHandler {
 case 'mailRu': {
 let clientId = appData.clientId;
- let clientSecret = appData.clientSecret ? await decrypt(appData.clientSecret) : null;
+ let clientSecret = appData.clientSecret ? await this.decrypt(appData.clientSecret) : null;
 let redirectUrl = appData.redirectUrl;
 let scopes = formatExtraScopes(appData.extraScopes, appData.baseScopes, MAIL_RU_SCOPES, appData.skipScopes);
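Review bot: The guarded call `appData.clientSecret ? await this.decrypt(appData.clientSecret) : null` is now repeated in the gmail, service, outlook and mailRu cases of this switch and twice more in getServiceAccessToken (hunks at old lines 1224 and 1256), so the null-handling for a missing stored secret lives in six places. A one-line method on the handler, `async decryptIfSet(value) { return value ? await this.decrypt(value) : null; }`, would reduce each site to `let clientSecret = await this.decryptIfSet(appData.clientSecret);` and keep the empty-value policy in one spot. The method containing this switch starts and ends outside the hunk.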
@@ -1224,7 +1241,7 @@ class OAuth2AppsHandler {
 }
 async getServiceAccessToken(appData, client) {
- let accessToken = appData.accessToken ? await decrypt(appData.accessToken) : null;
+ let accessToken = appData.accessToken ? await this.decrypt(appData.accessToken) : null;
 let accessTokenExpires = appData.accessTokenExpires ? new Date(appData.accessTokenExpires) : null;
 let now = Date.now();
@@ -1256,7 +1273,7 @@ class OAuth2AppsHandler {
 // check if already renewed
 appData = await this.get(appData.id);
- accessToken = appData.accessToken ? await decrypt(appData.accessToken) : null;
+ accessToken = appData.accessToken ? await this.decrypt(appData.accessToken) : null;
 accessTokenExpires = appData.accessTokenExpires ? new Date(appData.accessTokenExpires) : null;
 now = Date.now();
diff --git a/package.json b/package.json
index 47141cea..d643e260 100644
--- a/package.json
+++ b/package.json
@@ -8,8 +8,8 @@
 "scripts": {
 "start": "node server.js",
 "dev": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true node --tls-keylog=keylog.txt server --dbs.redis='redis://127.0.0.1:6379/9' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.dev.txt | pino-pretty",
- "single": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_WORKERS=1 node --inspect server --dbs.redis='redis://127.0.0.1:6379/10' --api.port=7002 --api.host=0.0.0.0 | tee $HOME/ee.log.single.txt | pino-pretty",
- "gmail": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_FEATURE_MS_API=true EENGINE_WORKERS=2 node --inspect server --dbs.redis='redis://127.0.0.1:6379/11' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.gmail.txt | pino-pretty",
+ "single": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_SECRET=your-encryption-key EENGINE_WORKERS=1 node --inspect server --dbs.redis='redis://127.0.0.1:6379/10' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.single.txt | pino-pretty",
+ "gmail": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_SECRET=your-encryption-key EENGINE_WORKERS=2 node --inspect server --dbs.redis='redis://127.0.0.1:6379/11' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.gmail.txt | pino-pretty",
 "test": "grunt && node --test test/",
 "swagger": "./getswagger.sh",
 "build-source": "rm -rf node_modules && npm install && rm -rf node_modules && npm ci --omit=dev && ./update-info.sh",
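Review bot: Besides adding `EENGINE_SECRET=your-encryption-key`, the new `single` line also changes `--api.port=7002` to `--api.port=7003`, the port the `dev` and `gmail` scripts already bind, so the three scripts can no longer run side by side; if that is unintended, restore `--api.port=7002` on the `single` line. The `gmail` line additionally drops `EENGINE_FEATURE_MS_API=true`, which looks unrelated to the secret change and may be accidental. The literal `your-encryption-key` is a placeholder, so anything these scripts encrypt into Redis DB 10/11 is protected by a value committed to the repository, which is acceptable for local development only; `dev` still sets no EENGINE_SECRET, and this diff does not show how get-secret.js behaves in that case.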