#3597 secrets: improve simplecrypt fallback when keychain access fails

Signed-off-by: Patrizio Bekerle <patrizio@bekerle.com>

Author: pbek

CHANGELOG.md

@@ -5,6 +5,10 @@
 - Fixed the missing internal `bookmarks.svg` icon resource used by the note
   bookmark menu, so QOwnNotes no longer logs a startup warning for that icon
   (for [#3649](https://github.com/pbek/QOwnNotes/issues/3649))
+- Improved secret storage fallback handling by keeping legacy SimpleCrypt
+  encryption compatible with pre-qtkeychain secrets and migrating old plaintext
+  secret settings to encrypted storage even when the desktop keychain is
+  unavailable (for [#3597](https://github.com/pbek/QOwnNotes/issues/3597))
 
 ## 26.6.8
 

src/dialogs/websockettokendialog.cpp

@@ -5,6 +5,7 @@
 #include <QShowEvent>
 #include <QtGui/QClipboard>
 
+#include "services/cryptoservice.h"
 #include "services/settingsservice.h"
 #include "ui_websockettokendialog.h"
 
@@ -20,7 +21,8 @@ WebSocketTokenDialog::~WebSocketTokenDialog() { delete ui; }
 
 void WebSocketTokenDialog::loadTokenFromSettings() {
     SettingsService settings;
-    _initialToken = settings.value(QStringLiteral("webSocketServerService/token")).toString();
+    _initialToken = CryptoService::instance()->decryptToStringWithPlaintextFallback(
+        settings.value(QStringLiteral("webSocketServerService/token")).toString());
 
     if (_initialToken.isEmpty()) {
         ui->tokenLineEdit->setText(generateToken());
@@ -44,12 +46,17 @@ void WebSocketTokenDialog::on_generateButton_clicked() {
 
 void WebSocketTokenDialog::on_buttonBox_accepted() {
     SettingsService settings;
-    settings.setValue(QStringLiteral("webSocketServerService/token"), ui->tokenLineEdit->text());
+    settings.setValue(
+        QStringLiteral("webSocketServerService/token"),
+        CryptoService::instance()->encryptToString(
+            ui->tokenLineEdit->text(), QStringLiteral("settings/webSocketServerService/token")));
 }
 
 void WebSocketTokenDialog::reject() {
     SettingsService settings;
-    settings.setValue(QStringLiteral("webSocketServerService/token"), _initialToken);
+    settings.setValue(QStringLiteral("webSocketServerService/token"),
+                      CryptoService::instance()->encryptToString(
+                          _initialToken, QStringLiteral("settings/webSocketServerService/token")));
     ui->tokenLineEdit->setText(_initialToken.isEmpty() ? generateToken() : _initialToken);
 
     MasterDialog::reject();

src/services/cryptoservice.cpp

@@ -155,6 +155,16 @@ QString CryptoService::decryptToString(const QString &text) {
     return legacyDecryptToString(text);
 }
 
+QString CryptoService::decryptToStringWithPlaintextFallback(const QString &text) {
+    const QString plainText = decryptToString(text);
+
+    if (plainText.isEmpty() && !text.isEmpty() && !isKeychainReference(text)) {
+        return text;
+    }
+
+    return plainText;
+}
+
 bool CryptoService::isKeychainReference(const QString &text) {
     return text.startsWith(KeychainMarkerPrefix);
 }
@@ -247,10 +257,12 @@ QStringList CryptoService::keychainReferencesFromDiskDatabase() {
 }
 
 QString CryptoService::legacyEncryptToString(const QString &text) {
+    // Keep this compatible with the pre-qtkeychain SimpleCrypt storage format.
     return _simpleCrypt->encryptToString(text);
 }
 
 QString CryptoService::legacyDecryptToString(const QString &text) {
+    // Keep this compatible with the pre-qtkeychain SimpleCrypt storage format.
     return _simpleCrypt->decryptToString(text);
 }
 
@@ -321,7 +333,16 @@ bool CryptoService::migrateSecret(QString *storedValue, const QString &key,
         plainText = *storedValue;
     }
 
-    if (plainText.isEmpty() || !writeSecret(key, plainText)) {
+    if (plainText.isEmpty()) {
+        return false;
+    }
+
+    if (!writeSecret(key, plainText)) {
+        if (allowPlaintextFallback && *storedValue == plainText) {
+            *storedValue = legacyEncryptToString(plainText);
+            return true;
+        }
+
         return false;
     }
 
@@ -350,7 +371,10 @@ void CryptoService::migrateSettingsSecrets() {
     };
     const QStringList plaintextFallbackSettingsKeys = {
         QStringLiteral("webSocketServerService/bookmarkSuggestionApiToken"),
+        QStringLiteral("webSocketServerService/token"),
+        QStringLiteral("webAppClientService/token"),
         QStringLiteral("ai/mcpServerToken"),
+        QStringLiteral("languageToolApiKey"),
     };
 
     SettingsService settings;

src/services/cryptoservice.h

@@ -19,6 +19,7 @@ class CryptoService : public QObject {
     QString encryptToString(const QString &text);
     QString encryptToString(const QString &text, const QString &key);
     QString decryptToString(const QString &text);
+    QString decryptToStringWithPlaintextFallback(const QString &text);
     static bool isKeychainReference(const QString &text);
     bool deleteSecret(const QString &storedValueOrKey) const;
     void deleteSecrets(const QStringList &storedValuesOrKeys) const;

src/services/languagetoolchecker.cpp

@@ -11,6 +11,7 @@
 #include "helpers/qownspellchecker.h"
 #include "libraries/qmarkdowntextedit/markdownhighlighter.h"
 #include "mainwindow.h"
+#include "services/cryptoservice.h"
 #include "services/languagetoolclient.h"
 #include "services/settingsservice.h"
 
@@ -335,7 +336,10 @@ void LanguageToolChecker::readSettings() {
             .trimmed();
     _language =
         settings.value(QStringLiteral("languageToolLanguage"), QStringLiteral("auto")).toString();
-    _apiKey = settings.value(QStringLiteral("languageToolApiKey")).toString().trimmed();
+    _apiKey = CryptoService::instance()
+                  ->decryptToStringWithPlaintextFallback(
+                      settings.value(QStringLiteral("languageToolApiKey")).toString())
+                  .trimmed();
     _checkDelayMs = settings.value(QStringLiteral("languageToolCheckDelay"), 1500).toInt();
     _timeoutMs = settings.value(QStringLiteral("languageToolTimeout"), 5000).toInt();
     _enabledCategories =

src/services/webappclientservice.cpp

@@ -34,6 +34,7 @@
 #include <memory>
 
 #include "metricsservice.h"
+#include "services/cryptoservice.h"
 #include "services/settingsservice.h"
 
 using namespace std;
@@ -208,12 +209,21 @@ QString WebAppClientService::getServerUrl() {
 }
 
 QString WebAppClientService::getOrGenerateToken() {
-    QString token = SettingsService().value(QStringLiteral("webAppClientService/token")).toString();
+    SettingsService settings;
+    const QString key = QStringLiteral("webAppClientService/token");
+    const QString stored = settings.value(key).toString();
+    QString token = CryptoService::instance()->decryptToStringWithPlaintextFallback(stored);
+
+    if (!token.isEmpty() && token == stored && !CryptoService::isKeychainReference(stored)) {
+        settings.setValue(key, CryptoService::instance()->encryptToString(
+                                   token, QStringLiteral("settings/") + key));
+    }
 
     // if not token was set
     if (token.isEmpty()) {
         token = Utils::Misc::generateRandomString(32);
-        SettingsService().setValue(QStringLiteral("webAppClientService/token"), token);
+        settings.setValue(key, CryptoService::instance()->encryptToString(
+                                   token, QStringLiteral("settings/") + key));
     }
 
     return token;

src/services/websocketserverservice.cpp

@@ -476,7 +476,18 @@ void WebSocketServerService::processMessage(const QString &message) {
     MetricsService::instance()->sendVisitIfEnabled("websocket/message/" + type);
     const QString token = jsonObject.value(QStringLiteral("token")).toString();
     SettingsService settings;
-    QString storedToken = settings.value(QStringLiteral("webSocketServerService/token")).toString();
+    const QString storedTokenValue =
+        settings.value(QStringLiteral("webSocketServerService/token")).toString();
+    QString storedToken =
+        CryptoService::instance()->decryptToStringWithPlaintextFallback(storedTokenValue);
+
+    if (!storedToken.isEmpty() && storedToken == storedTokenValue &&
+        !CryptoService::isKeychainReference(storedTokenValue)) {
+        settings.setValue(
+            QStringLiteral("webSocketServerService/token"),
+            CryptoService::instance()->encryptToString(
+                storedToken, QStringLiteral("settings/webSocketServerService/token")));
+    }
 
     // request the token if not set
     if (token.isEmpty() || storedToken.isEmpty() || token != storedToken) {

src/utils/misc.cpp

@@ -2357,6 +2357,7 @@ QString Utils::Misc::generateDebugInformation(bool withGitHubLineBreaks, bool an
                                  "networking/proxyPassword",
                                  "ai/groq/apiKey",
                                  "ai/openai/apiKey",
+                                 "languageToolApiKey",
                                  "webSocketServerService/token",
                                  "webSocketServerService/bookmarkSuggestionApiToken",
                                  "webAppClientService/token"};

src/widgets/settings/languagetoolsettingswidget.cpp

@@ -16,6 +16,7 @@
 
 #include <QMessageBox>
 
+#include "services/cryptoservice.h"
 #include "services/settingsservice.h"
 #include "ui_languagetoolsettingswidget.h"
 
@@ -61,7 +62,8 @@ void LanguageToolSettingsWidget::readSettings() {
             .value(QStringLiteral("languageToolServerUrl"), QStringLiteral("http://localhost:8081"))
             .toString());
     ui->languageToolApiKeyLineEdit->setText(
-        settings.value(QStringLiteral("languageToolApiKey")).toString());
+        CryptoService::instance()->decryptToStringWithPlaintextFallback(
+            settings.value(QStringLiteral("languageToolApiKey")).toString()));
     ui->languageToolCheckDelaySpinBox->setValue(
         settings.value(QStringLiteral("languageToolCheckDelay"), 1500).toInt());
 
@@ -111,8 +113,10 @@ void LanguageToolSettingsWidget::storeSettings() {
                       ui->languageToolLanguageComboBox->currentData().toString().isEmpty()
                           ? ui->languageToolLanguageComboBox->currentText().trimmed()
                           : ui->languageToolLanguageComboBox->currentData().toString());
-    settings.setValue(QStringLiteral("languageToolApiKey"),
-                      ui->languageToolApiKeyLineEdit->text().trimmed());
+    settings.setValue(
+        QStringLiteral("languageToolApiKey"),
+        CryptoService::instance()->encryptToString(ui->languageToolApiKeyLineEdit->text().trimmed(),
+                                                   QStringLiteral("settings/languageToolApiKey")));
     settings.setValue(QStringLiteral("languageToolCheckDelay"),
                       ui->languageToolCheckDelaySpinBox->value());
     settings.setValue(QStringLiteral("languageToolEnabledCategories"),

src/widgets/settings/webapplicationsettingswidget.cpp

@@ -20,6 +20,7 @@
 #include <QMessageBox>
 #include <QSysInfo>
 
+#include "services/cryptoservice.h"
 #include "services/settingsservice.h"
 #include "services/webappclientservice.h"
 #include "ui_webapplicationsettingswidget.h"
@@ -59,7 +60,10 @@ void WebApplicationSettingsWidget::storeSettings() {
                       ui->enableWebApplicationCheckBox->isChecked());
     settings.setValue(QStringLiteral("webAppClientService/serverUrl"),
                       ui->webAppServerUrlLineEdit->text());
-    settings.setValue(QStringLiteral("webAppClientService/token"), ui->webAppTokenLineEdit->text());
+    settings.setValue(
+        QStringLiteral("webAppClientService/token"),
+        CryptoService::instance()->encryptToString(
+            ui->webAppTokenLineEdit->text(), QStringLiteral("settings/webAppClientService/token")));
     settings.setValue(QStringLiteral("webAppClientService/connectionName"),
                       ui->webAppConnectionNameLineEdit->text());
 }