|
| 1 | +import crypto from "node:crypto"; |
| 2 | +import os from "node:os"; |
1 | 3 | import path from "node:path"; |
2 | | -import { app } from "electron"; |
| 4 | +import { app, ipcMain } from "electron"; |
3 | 5 | import Store from "electron-store"; |
| 6 | +import { machineIdSync } from "node-machine-id"; |
4 | 7 | import type { |
5 | 8 | RegisteredFolder, |
6 | 9 | TaskFolderAssociation, |
7 | 10 | } from "../../shared/types"; |
8 | 11 | import { deleteWorktreeIfExists } from "./worktreeUtils"; |
9 | 12 |
|
| 13 | +// Key derived from hardware UUID - data only decryptable on this machine |
| 14 | +// No keychain prompts, prevents token theft via cloud sync/backups |
| 15 | +const APP_SALT = "array-v1"; |
| 16 | +const ENCRYPTION_VERSION = 1; |
| 17 | + |
| 18 | +function getMachineKey(): Buffer { |
| 19 | + const machineId = machineIdSync(); |
| 20 | + const identifier = [machineId, os.platform(), os.arch()].join("|"); |
| 21 | + return crypto.scryptSync(identifier, APP_SALT, 32); |
| 22 | +} |
| 23 | + |
| 24 | +function encrypt(plaintext: string): string { |
| 25 | + const key = getMachineKey(); |
| 26 | + const iv = crypto.randomBytes(16); |
| 27 | + const cipher = crypto.createCipheriv("aes-256-gcm", key, iv); |
| 28 | + |
| 29 | + const encrypted = Buffer.concat([ |
| 30 | + cipher.update(plaintext, "utf8"), |
| 31 | + cipher.final(), |
| 32 | + ]); |
| 33 | + const authTag = cipher.getAuthTag(); |
| 34 | + |
| 35 | + return JSON.stringify({ |
| 36 | + v: ENCRYPTION_VERSION, |
| 37 | + iv: iv.toString("base64"), |
| 38 | + data: encrypted.toString("base64"), |
| 39 | + tag: authTag.toString("base64"), |
| 40 | + }); |
| 41 | +} |
| 42 | + |
| 43 | +function decrypt(encryptedJson: string): string | null { |
| 44 | + try { |
| 45 | + const { iv, data, tag } = JSON.parse(encryptedJson); |
| 46 | + const key = getMachineKey(); |
| 47 | + const decipher = crypto.createDecipheriv( |
| 48 | + "aes-256-gcm", |
| 49 | + key, |
| 50 | + Buffer.from(iv, "base64"), |
| 51 | + ); |
| 52 | + decipher.setAuthTag(Buffer.from(tag, "base64")); |
| 53 | + |
| 54 | + return decipher.update(data, "base64", "utf8") + decipher.final("utf8"); |
| 55 | + } catch { |
| 56 | + return null; |
| 57 | + } |
| 58 | +} |
| 59 | + |
10 | 60 | interface FoldersSchema { |
11 | 61 | folders: RegisteredFolder[]; |
12 | 62 | taskAssociations: TaskFolderAssociation[]; |
13 | 63 | } |
14 | 64 |
|
| 65 | +interface RendererStoreSchema { |
| 66 | + [key: string]: string; |
| 67 | +} |
| 68 | + |
15 | 69 | const schema = { |
16 | 70 | folders: { |
17 | 71 | type: "array" as const, |
@@ -84,4 +138,30 @@ export async function clearAllStoreData(): Promise<void> { |
84 | 138 | } |
85 | 139 |
|
86 | 140 | foldersStore.clear(); |
| 141 | + rendererStore.clear(); |
87 | 142 | } |
| 143 | + |
| 144 | +export const rendererStore = new Store<RendererStoreSchema>({ |
| 145 | + name: "renderer-storage", |
| 146 | + cwd: getStorePath(), |
| 147 | +}); |
| 148 | + |
| 149 | +// IPC handlers for renderer storage with machine-key encryption |
| 150 | +ipcMain.handle("renderer-store:get", (_event, key: string): string | null => { |
| 151 | + if (!rendererStore.has(key)) { |
| 152 | + return null; |
| 153 | + } |
| 154 | + const encrypted = rendererStore.get(key) as string; |
| 155 | + return decrypt(encrypted); |
| 156 | +}); |
| 157 | + |
| 158 | +ipcMain.handle( |
| 159 | + "renderer-store:set", |
| 160 | + (_event, key: string, value: string): void => { |
| 161 | + rendererStore.set(key, encrypt(value)); |
| 162 | + }, |
| 163 | +); |
| 164 | + |
| 165 | +ipcMain.handle("renderer-store:remove", (_event, key: string): void => { |
| 166 | + rendererStore.delete(key); |
| 167 | +}); |
0 commit comments