feat(security): add database password encryption support

ranganathan2020 · claude · ranganathan2020 · commit 2fe77f72043d · 2026-01-27T14:09:24.000Z
- Store database password encrypted in DatabaseSettings section
- Update DependencyInjection to decrypt password at runtime
- Connection string uses {ENCRYPTED} placeholder replaced at startup
- Update database server to 10.10.30.7 (PrinterPix_BO_Live)

Security improvement: Database password is now stored encrypted
in configuration files instead of plain text.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/src/OrderMonitor.Api/appsettings.Development.json b/src/OrderMonitor.Api/appsettings.Development.json
@@ -1,6 +1,10 @@
 {
   "ConnectionStrings": {
-    "BackofficeDb": "Server=localhost;Database=Backoffice;Trusted_Connection=True;TrustServerCertificate=True;ApplicationIntent=ReadOnly;"
+    "BackofficeDb": "Server=10.10.30.7,1433;Database=PrinterPix_BO_Live;User Id=db_PIX_BackOffice_Live;Password={ENCRYPTED};TrustServerCertificate=True;ApplicationIntent=ReadOnly;"
+  },
+
+  "DatabaseSettings": {
+    "EncryptedPassword": "BtB8i+odFInds4FDG1smnzWrLl2E5KwJsQLeoW0HzIc="
   },
 
   "Scanner": {
diff --git a/src/OrderMonitor.Infrastructure/DependencyInjection.cs b/src/OrderMonitor.Infrastructure/DependencyInjection.cs
@@ -4,6 +4,7 @@
 using OrderMonitor.Core.Interfaces;
 using OrderMonitor.Core.Services;
 using OrderMonitor.Infrastructure.Data;
+using OrderMonitor.Infrastructure.Security;
 using OrderMonitor.Infrastructure.Services;
 
 namespace OrderMonitor.Infrastructure;
@@ -24,6 +25,17 @@ public static IServiceCollection AddInfrastructure(
         var connectionString = configuration.GetConnectionString("BackofficeDb")
             ?? throw new InvalidOperationException("BackofficeDb connection string is not configured.");
 
+        // Check if password is encrypted (contains placeholder)
+        if (connectionString.Contains("{ENCRYPTED}"))
+        {
+            var encryptedPassword = configuration["DatabaseSettings:EncryptedPassword"];
+            if (!string.IsNullOrEmpty(encryptedPassword))
+            {
+                var decryptedPassword = PasswordEncryptor.Decrypt(encryptedPassword);
+                connectionString = connectionString.Replace("{ENCRYPTED}", decryptedPassword);
+            }
+        }
+
         services.AddSingleton<IDbConnectionFactory>(sp => new SqlConnectionFactory(connectionString));
 
         // Register repositories
