AINATIVEM-42 add AES-256-GCM token encryption

- generate src/crypto/encrypt.ts with encrypt/decrypt using node:crypto
- wire CryptoStep into NodeProjectBuilder, add ENCRYPTION_KEY to .env.example
- widen access_token/refresh_token columns to TEXT (varchar(768) too small for ciphertext)
- encrypt on write, decrypt on read in tokenRepository for all db drivers
- add RUN mkdir -p /app/data && chown in Dockerfile for sqlite volume permissions
- replace docker compose with docker-compose in CLI next steps
- add USER node to generated Dockerfile

Author: youssef-saber-3

src/cli.test.ts

@@ -9,7 +9,7 @@ Next steps:
   cd test-app
   cp .env.example .env
   # fill in PIPEDRIVE_CLIENT_ID and PIPEDRIVE_CLIENT_SECRET
-  docker compose up`);
+  docker-compose up`);
 	});
 });
 

src/cli.ts

@@ -16,7 +16,7 @@ export function nextStepLines(options: NextStepOptions): string[] {
 		`cd ${options.nameOrPath}`,
 		'cp .env.example .env',
 		'# fill in PIPEDRIVE_CLIENT_ID and PIPEDRIVE_CLIENT_SECRET',
-		'docker compose up',
+		'docker-compose up',
 	];
 
 	return ['', 'Next steps:', ...steps.map((s) => `  ${s}`)];

src/generators/node/crypto.test.ts

@@ -0,0 +1,61 @@
+import { describe, expect, it, beforeEach, afterEach } from 'vitest';
+import { mkdtemp, rm, writeFile, readFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join, dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const repoRoot = resolve(dirname(fileURLToPath(import.meta.url)), '../../..');
+
+describe('generateCrypto', () => {
+	let tmpDir: string;
+
+	beforeEach(async () => {
+		tmpDir = await mkdtemp(join(tmpdir(), 'cpa-crypto-test-'));
+	});
+
+	afterEach(async () => {
+		await rm(tmpDir, { recursive: true, force: true });
+	});
+
+	it('generates src/crypto/encrypt.ts', async () => {
+		const { generateCrypto } = await import('./crypto.js');
+		await generateCrypto(tmpDir);
+		const content = await readFile(join(tmpDir, 'src/crypto/encrypt.ts'), 'utf8');
+		expect(content).toContain("from 'node:crypto'");
+		expect(content).toContain('aes-256-gcm');
+		expect(content).toContain('ENCRYPTION_KEY');
+		expect(content).toContain('export function encrypt');
+		expect(content).toContain('export function decrypt');
+		expect(content).toContain('randomBytes(12)');
+		expect(content).toContain('getAuthTag');
+		expect(content).toContain('base64url');
+	});
+
+	it('generated encrypt/decrypt round-trips correctly', async () => {
+		const { generateCrypto } = await import('./crypto.js');
+		await generateCrypto(tmpDir);
+
+		const runner = join(tmpDir, 'test-runner.ts');
+		await writeFile(
+			runner,
+			`
+import { encrypt, decrypt } from '${join(tmpDir, 'src/crypto/encrypt.ts')}';
+process.env.ENCRYPTION_KEY = 'a'.repeat(64);
+const plain = 'hello-token-value';
+const enc = encrypt(plain);
+const dec = decrypt(enc);
+if (dec !== plain) throw new Error(\`expected \${plain}, got \${dec}\`);
+const parts = enc.split('.');
+if (parts.length !== 3) throw new Error('expected 3 parts');
+console.log('ok');
+`,
+		);
+		const { execSync } = await import('node:child_process');
+		const out = execSync(`./node_modules/.bin/tsx ${runner}`, {
+			cwd: repoRoot,
+		})
+			.toString()
+			.trim();
+		expect(out).toBe('ok');
+	});
+});

src/generators/node/crypto.ts

@@ -0,0 +1,38 @@
+import dedent from 'dedent';
+import { join } from 'node:path';
+import { writeFile } from '../../utils/writeFile.js';
+
+export async function generateCrypto(outputDir: string): Promise<void> {
+	await writeFile(
+		join(outputDir, 'src/crypto/encrypt.ts'),
+		dedent`
+			import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+
+			const ALGORITHM = 'aes-256-gcm';
+
+			function getKey(): Buffer {
+				const key = process.env.ENCRYPTION_KEY;
+				if (!key) throw new Error('ENCRYPTION_KEY is required');
+				const buf = Buffer.from(key, 'hex');
+				if (buf.length !== 32) throw new Error('ENCRYPTION_KEY must be a 64-char hex string (32 bytes)');
+				return buf;
+			}
+
+			export function encrypt(plaintext: string): string {
+				const iv = randomBytes(12);
+				const cipher = createCipheriv(ALGORITHM, getKey(), iv);
+				const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+				const authTag = cipher.getAuthTag();
+				return \`\${iv.toString('base64url')}.\${authTag.toString('base64url')}.\${ciphertext.toString('base64url')}\`;
+			}
+
+			export function decrypt(ciphertext: string): string {
+				const [ivB64, authTagB64, dataB64] = ciphertext.split('.');
+				if (!ivB64 || !authTagB64 || !dataB64) throw new Error('Invalid ciphertext format');
+				const decipher = createDecipheriv(ALGORITHM, getKey(), Buffer.from(ivB64, 'base64url'));
+				decipher.setAuthTag(Buffer.from(authTagB64, 'base64url'));
+				return Buffer.concat([decipher.update(Buffer.from(dataB64, 'base64url')), decipher.final()]).toString('utf8');
+			}
+		`,
+	);
+}

src/generators/node/database.test.ts

@@ -387,4 +387,78 @@ describe('generateDatabase — tokenRepository.ts', () => {
 		expect(compose).toContain('depends_on:');
 		expect(compose).toContain('condition: service_healthy');
 	});
+
+	it('postgres schema uses text for access_token and refresh_token', async () => {
+		const { generateDatabase } = await import('./database.js');
+		await generateDatabase(tmpDir, pgOptions);
+		const schema = await read('src/database/schema.ts');
+		expect(schema).not.toContain("varchar('access_token'");
+		expect(schema).not.toContain("varchar('refresh_token'");
+		expect(schema).toContain("text('access_token')");
+		expect(schema).toContain("text('refresh_token')");
+	});
+
+	it('postgres migration uses TEXT for access_token and refresh_token', async () => {
+		const { generateDatabase } = await import('./database.js');
+		await generateDatabase(tmpDir, pgOptions);
+		const migration = await read('src/database/migrations/0000_init.sql');
+		expect(migration).toMatch(/"access_token" TEXT/);
+		expect(migration).toMatch(/"refresh_token" TEXT/);
+	});
+
+	it('tokenRepository imports encrypt and decrypt', async () => {
+		const { generateDatabase } = await import('./database.js');
+		await generateDatabase(tmpDir, pgOptions);
+		const repo = await read('src/database/tokenRepository.ts');
+		expect(repo).toContain("from '../crypto/encrypt.js'");
+		expect(repo).toContain('encrypt(token.access_token)');
+		expect(repo).toContain('encrypt(token.refresh_token)');
+		expect(repo).toContain('decrypt(row.accessToken)');
+		expect(repo).toContain('decrypt(row.refreshToken)');
+	});
+
+	it('mysql schema uses text for access_token and refresh_token', async () => {
+		const { generateDatabase } = await import('./database.js');
+		await generateDatabase(tmpDir, mysqlOptions);
+		const schema = await read('src/database/schema.ts');
+		expect(schema).not.toContain("varchar('access_token'");
+		expect(schema).not.toContain("varchar('refresh_token'");
+		expect(schema).toContain("text('access_token')");
+		expect(schema).toContain("text('refresh_token')");
+	});
+
+	it('mysql migration uses TEXT for access_token and refresh_token', async () => {
+		const { generateDatabase } = await import('./database.js');
+		await generateDatabase(tmpDir, mysqlOptions);
+		const migration = await read('src/database/migrations/0000_init.sql');
+		expect(migration).toMatch(/`access_token` TEXT/);
+		expect(migration).toMatch(/`refresh_token` TEXT/);
+	});
+
+	it('mysql tokenRepository imports encrypt and decrypt', async () => {
+		const { generateDatabase } = await import('./database.js');
+		await generateDatabase(tmpDir, mysqlOptions);
+		const repo = await read('src/database/tokenRepository.ts');
+		expect(repo).toContain("from '../crypto/encrypt.js'");
+		expect(repo).toContain('encrypt(token.access_token)');
+		expect(repo).toContain('encrypt(token.refresh_token)');
+		expect(repo).toContain('decrypt(row.accessToken)');
+		expect(repo).toContain('decrypt(row.refreshToken)');
+	});
+});
+
+describe('generateDatabase — Dockerfile', () => {
+	it('generates Dockerfile with USER node when no app extensions', async () => {
+		const { generateDatabase } = await import('./database.js');
+		await generateDatabase(tmpDir, sqliteOptions);
+		expect(await exists(join(tmpDir, 'Dockerfile'))).toBe(true);
+		const content = await read('Dockerfile');
+		expect(content).toContain('FROM node:24-alpine');
+		expect(content).toContain('WORKDIR /app');
+		expect(content).toContain('COPY package*.json ./');
+		expect(content).toContain('RUN npm install');
+		expect(content).toContain('COPY . .');
+		expect(content).toContain('RUN mkdir -p /app/data && chown -R node:node /app/data');
+		expect(content).toContain('USER node');
+	});
 });

src/generators/node/database.ts

@@ -36,8 +36,8 @@ function schemaContent(database: GeneratorOptions['database']): string {
 				{
 					pipedriveCompanyId: integer('pipedrive_company_id').notNull(),
 					pipedriveUserId: integer('pipedrive_user_id').notNull(),
-					accessToken: varchar('access_token', { length: 768 }).notNull(),
-					refreshToken: varchar('refresh_token', { length: 768 }).notNull(),
+					accessToken: text('access_token').notNull(),
+					refreshToken: text('refresh_token').notNull(),
 					tokenType: varchar('token_type', { length: 50 }).notNull().default('bearer'),
 					accessTokenExpiresAt: timestamp('access_token_expires_at').notNull(),
 					refreshTokenExpiresAt: timestamp('refresh_token_expires_at').notNull(),
@@ -62,8 +62,8 @@ function schemaContent(database: GeneratorOptions['database']): string {
 				{
 					pipedriveCompanyId: int('pipedrive_company_id').notNull(),
 					pipedriveUserId: int('pipedrive_user_id').notNull(),
-					accessToken: varchar('access_token', { length: 768 }).notNull(),
-					refreshToken: varchar('refresh_token', { length: 768 }).notNull(),
+					accessToken: text('access_token').notNull(),
+					refreshToken: text('refresh_token').notNull(),
 					tokenType: varchar('token_type', { length: 50 }).notNull().default('bearer'),
 					accessTokenExpiresAt: timestamp('access_token_expires_at').notNull(),
 					refreshTokenExpiresAt: timestamp('refresh_token_expires_at').notNull(),
@@ -196,8 +196,8 @@ function migrationSqlContent(database: GeneratorOptions['database']): string {
 			CREATE TABLE IF NOT EXISTS "pipedrive_tokens" (
 			  "pipedrive_company_id" INTEGER NOT NULL,
 			  "pipedrive_user_id" INTEGER NOT NULL,
-			  "access_token" VARCHAR(768) NOT NULL,
-			  "refresh_token" VARCHAR(768) NOT NULL,
+			  "access_token" TEXT NOT NULL,
+			  "refresh_token" TEXT NOT NULL,
 			  "token_type" VARCHAR(50) NOT NULL DEFAULT 'bearer',
 			  "access_token_expires_at" TIMESTAMP NOT NULL,
 			  "refresh_token_expires_at" TIMESTAMP NOT NULL,
@@ -215,8 +215,8 @@ function migrationSqlContent(database: GeneratorOptions['database']): string {
 			CREATE TABLE IF NOT EXISTS \`pipedrive_tokens\` (
 			  \`pipedrive_company_id\` INT NOT NULL,
 			  \`pipedrive_user_id\` INT NOT NULL,
-			  \`access_token\` VARCHAR(768) NOT NULL,
-			  \`refresh_token\` VARCHAR(768) NOT NULL,
+			  \`access_token\` TEXT NOT NULL,
+			  \`refresh_token\` TEXT NOT NULL,
 			  \`token_type\` VARCHAR(50) NOT NULL DEFAULT 'bearer',
 			  \`access_token_expires_at\` TIMESTAMP NOT NULL,
 			  \`refresh_token_expires_at\` TIMESTAMP NOT NULL,
@@ -258,15 +258,16 @@ function tokenRepositoryContent(database: GeneratorOptions['database']): string
 			import type { TokenResponse } from 'pipedrive/v2';
 			import { db } from './index.js';
 			import { pipedriveTokens } from './schema.js';
+			import { encrypt, decrypt } from '../crypto/encrypt.js';
 
 			const REFRESH_TOKEN_TTL_MS = 60 * 24 * 60 * 60 * 1000;
 
 			export type StoredToken = { companyId: number; userId: number; token: TokenResponse };
 
 			function toTokenResponse(row: typeof pipedriveTokens.$inferSelect): TokenResponse {
 				return {
-					access_token: row.accessToken,
-					refresh_token: row.refreshToken,
+					access_token: decrypt(row.accessToken),
+					refresh_token: decrypt(row.refreshToken),
 					token_type: row.tokenType,
 					expires_in: Math.max(0, Math.floor((row.accessTokenExpiresAt.getTime() - Date.now()) / 1000)),
 					scope: row.scope ?? '',
@@ -304,8 +305,8 @@ function tokenRepositoryContent(database: GeneratorOptions['database']): string
 					.values({
 						pipedriveCompanyId: companyId,
 						pipedriveUserId: userId,
-						accessToken: token.access_token,
-						refreshToken: token.refresh_token,
+						accessToken: encrypt(token.access_token),
+						refreshToken: encrypt(token.refresh_token),
 						tokenType: token.token_type,
 						accessTokenExpiresAt,
 						refreshTokenExpiresAt,
@@ -316,8 +317,8 @@ function tokenRepositoryContent(database: GeneratorOptions['database']): string
 					})
 					.onDuplicateKeyUpdate({
 						set: {
-							accessToken: token.access_token,
-							refreshToken: token.refresh_token,
+							accessToken: encrypt(token.access_token),
+							refreshToken: encrypt(token.refresh_token),
 							tokenType: token.token_type,
 							accessTokenExpiresAt,
 							refreshTokenExpiresAt,
@@ -335,15 +336,16 @@ function tokenRepositoryContent(database: GeneratorOptions['database']): string
 		import type { TokenResponse } from 'pipedrive/v2';
 		import { db } from './index.js';
 		import { pipedriveTokens } from './schema.js';
+		import { encrypt, decrypt } from '../crypto/encrypt.js';
 
 		const REFRESH_TOKEN_TTL_MS = 60 * 24 * 60 * 60 * 1000;
 
 		export type StoredToken = { companyId: number; userId: number; token: TokenResponse };
 
 		function toTokenResponse(row: typeof pipedriveTokens.$inferSelect): TokenResponse {
 			return {
-				access_token: row.accessToken,
-				refresh_token: row.refreshToken,
+				access_token: decrypt(row.accessToken),
+				refresh_token: decrypt(row.refreshToken),
 				token_type: row.tokenType,
 				expires_in: Math.max(0, Math.floor((row.accessTokenExpiresAt.getTime() - Date.now()) / 1000)),
 				scope: row.scope ?? '',
@@ -381,8 +383,8 @@ function tokenRepositoryContent(database: GeneratorOptions['database']): string
 				.values({
 					pipedriveCompanyId: companyId,
 					pipedriveUserId: userId,
-					accessToken: token.access_token,
-					refreshToken: token.refresh_token,
+					accessToken: encrypt(token.access_token),
+					refreshToken: encrypt(token.refresh_token),
 					tokenType: token.token_type,
 					accessTokenExpiresAt,
 					refreshTokenExpiresAt,
@@ -394,8 +396,8 @@ function tokenRepositoryContent(database: GeneratorOptions['database']): string
 				.onConflictDoUpdate({
 					target: [pipedriveTokens.pipedriveCompanyId, pipedriveTokens.pipedriveUserId],
 					set: {
-						accessToken: token.access_token,
-						refreshToken: token.refresh_token,
+						accessToken: encrypt(token.access_token),
+						refreshToken: encrypt(token.refresh_token),
 						tokenType: token.token_type,
 						accessTokenExpiresAt,
 						refreshTokenExpiresAt,
@@ -794,6 +796,8 @@ async function generateDockerfile(outputDir: string): Promise<void> {
 			COPY package*.json ./
 			RUN npm install
 			COPY . .
+			RUN mkdir -p /app/data && chown -R node:node /app/data
+			USER node
 		`,
 	);
 }

src/generators/node/index.ts

@@ -5,6 +5,7 @@ export const nodeGenerator: Generator = {
 	async generate(outputDir: string, options: GeneratorOptions): Promise<void> {
 		await new NodeProjectBuilder(outputDir, options)
 			.addDatabase()
+			.addCrypto()
 			.addOAuth()
 			.addApp()
 			.when(options.appExtensions.length > 0, (b) => b.addAppExtensions())

src/generators/node/projectBuilder.test.ts

@@ -1,5 +1,5 @@
 import { describe, expect, it } from 'vitest';
-import { readFile, rm } from 'node:fs/promises';
+import { readFile, rm, mkdtemp } from 'node:fs/promises';
 import { join } from 'node:path';
 import { tmpdir } from 'node:os';
 import type { GeneratorOptions } from '../interface.js';
@@ -166,4 +166,37 @@ describe('NodeProjectBuilder', () => {
 
 		await rm(tmpDir, { recursive: true, force: true });
 	});
+
+	it('generates ENCRYPTION_KEY in .env.example', async () => {
+		const outputDir = await mkdtemp(join(tmpdir(), 'cpa-builder-crypto-'));
+		try {
+			const builder = new NodeProjectBuilder(outputDir, {
+				projectName: 'test',
+				database: 'sqlite',
+				appExtensions: [],
+			});
+			await builder.addEnvExample().build();
+			const env = await readFile(join(outputDir, '.env.example'), 'utf8');
+			expect(env).toContain('ENCRYPTION_KEY=');
+			expect(env).toContain('openssl rand -hex 32');
+		} finally {
+			await rm(outputDir, { recursive: true, force: true });
+		}
+	});
+
+	it('generates src/crypto/encrypt.ts via addCrypto', async () => {
+		const outputDir = await mkdtemp(join(tmpdir(), 'cpa-builder-crypto-'));
+		try {
+			const builder = new NodeProjectBuilder(outputDir, {
+				projectName: 'test',
+				database: 'sqlite',
+				appExtensions: [],
+			});
+			await builder.addCrypto().build();
+			const content = await readFile(join(outputDir, 'src/crypto/encrypt.ts'), 'utf8');
+			expect(content).toContain('aes-256-gcm');
+		} finally {
+			await rm(outputDir, { recursive: true, force: true });
+		}
+	});
 });