feedback

Author: brendan-kellam

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -167,7 +167,7 @@ export class AccountPermissionSyncer {
         logger.info(`Syncing permissions for ${account.provider} account (id: ${account.id}) for user ${account.user.email}...`);
 
         // Decrypt tokens (stored encrypted in the database)
-        const accessToken = decryptOAuthToken(account.access_token, env.AUTH_SECRET);
+        const accessToken = decryptOAuthToken(account.access_token);
 
         // Get a list of all repos that the user has access to from all connected accounts.
         const repoIds = await (async () => {

packages/shared/src/crypto.ts

@@ -1,5 +1,6 @@
 import crypto from 'crypto';
 import fs from 'fs';
+import { z } from 'zod';
 import { env } from './env.server.js';
 import { Token } from '@sourcebot/schemas/v3/shared.type';
 import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
@@ -113,21 +114,30 @@ export const getTokenFromConfig = async (token: Token): Promise<string> => {
 const oauthAlgorithm = 'aes-256-gcm';
 const oauthIvLength = 16;
 const oauthSaltLength = 64;
-const oauthTagLength = 16;
-const oauthTagPosition = oauthSaltLength + oauthIvLength;
-const oauthEncryptedPosition = oauthTagPosition + oauthTagLength;
-const minEncryptedLength = 128; // Minimum base64-encoded length for encrypted tokens
+
+/**
+ * Schema for encrypted OAuth token structure.
+ * Stored as base64-encoded JSON in the database.
+ */
+const encryptedOAuthTokenSchema = z.object({
+    v: z.literal(1), // Version for future format changes
+    salt: z.string(), // hex-encoded salt for key derivation
+    iv: z.string(),   // hex-encoded initialization vector
+    tag: z.string(),  // hex-encoded auth tag
+    data: z.string(), // hex-encoded encrypted data
+});
+
+type EncryptedOAuthToken = z.infer<typeof encryptedOAuthTokenSchema>;
 
 function deriveOAuthKey(authSecret: string, salt: Buffer): Buffer {
     return crypto.pbkdf2Sync(authSecret, salt, 100000, 32, 'sha256');
 }
 
 function isOAuthTokenEncrypted(token: string): boolean {
-    if (token.length < minEncryptedLength) return false;
-    
     try {
-        const decoded = Buffer.from(token, 'base64');
-        return decoded.length >= (oauthSaltLength + oauthIvLength + oauthTagLength);
+        const decoded = Buffer.from(token, 'base64').toString('utf8');
+        const parsed = JSON.parse(decoded);
+        return encryptedOAuthTokenSchema.safeParse(parsed).success;
     } catch {
         return false;
     }
@@ -136,40 +146,59 @@ function isOAuthTokenEncrypted(token: string): boolean {
 /**
  * Encrypts OAuth token using AUTH_SECRET. Idempotent - returns token unchanged if already encrypted.
  */
-export function encryptOAuthToken(text: string | null | undefined, authSecret: string): string | null {
-    if (!text || !authSecret) return null;
-    if (isOAuthTokenEncrypted(text)) return text;
-    
+export function encryptOAuthToken(text: string | null | undefined): string | undefined {
+    if (!text) {
+        return undefined;
+    }
+
+    if (isOAuthTokenEncrypted(text)) {
+        return text;
+    }
+
     const iv = crypto.randomBytes(oauthIvLength);
     const salt = crypto.randomBytes(oauthSaltLength);
-    const key = deriveOAuthKey(authSecret, salt);
-    
+    const key = deriveOAuthKey(env.AUTH_SECRET, salt);
+
     const cipher = crypto.createCipheriv(oauthAlgorithm, key, iv);
     const encrypted = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
     const tag = cipher.getAuthTag();
-    
-    return Buffer.concat([salt, iv, tag, encrypted]).toString('base64');
+
+    const tokenData: EncryptedOAuthToken = {
+        v: 1,
+        salt: salt.toString('hex'),
+        iv: iv.toString('hex'),
+        tag: tag.toString('hex'),
+        data: encrypted.toString('hex'),
+    };
+
+    return Buffer.from(JSON.stringify(tokenData)).toString('base64');
 }
 
 /**
  * Decrypts OAuth token using AUTH_SECRET. Returns plaintext tokens unchanged during migration.
  */
-export function decryptOAuthToken(encryptedText: string | null | undefined, authSecret: string): string | null {
-    if (!encryptedText || !authSecret) return null;
-    if (!isOAuthTokenEncrypted(encryptedText)) return encryptedText;
-    
+export function decryptOAuthToken(encryptedText: string | null | undefined): string | undefined {
+    if (!encryptedText) {
+        return undefined;
+    }
+
+    if (!isOAuthTokenEncrypted(encryptedText)) {
+        return encryptedText;
+    }
+
     try {
-        const data = Buffer.from(encryptedText, 'base64');
-        
-        const salt = data.subarray(0, oauthSaltLength);
-        const iv = data.subarray(oauthSaltLength, oauthTagPosition);
-        const tag = data.subarray(oauthTagPosition, oauthEncryptedPosition);
-        const encrypted = data.subarray(oauthEncryptedPosition);
-        
-        const key = deriveOAuthKey(authSecret, salt);
+        const decoded = Buffer.from(encryptedText, 'base64').toString('utf8');
+        const tokenData = encryptedOAuthTokenSchema.parse(JSON.parse(decoded));
+
+        const salt = Buffer.from(tokenData.salt, 'hex');
+        const iv = Buffer.from(tokenData.iv, 'hex');
+        const tag = Buffer.from(tokenData.tag, 'hex');
+        const encrypted = Buffer.from(tokenData.data, 'hex');
+
+        const key = deriveOAuthKey(env.AUTH_SECRET, salt);
         const decipher = crypto.createDecipheriv(oauthAlgorithm, key, iv);
         decipher.setAuthTag(tag);
-        
+
         return decipher.update(encrypted, undefined, 'utf8') + decipher.final('utf8');
     } catch {
         // Decryption failed - likely a plaintext token, return as-is

packages/web/src/ee/features/permissionSyncing/tokenRefresh.ts

@@ -42,8 +42,8 @@ export async function refreshLinkedAccountTokens(
                                 }
                             },
                             data: {
-                                access_token: encryptOAuthToken(refreshedTokens.accessToken, env.AUTH_SECRET),
-                                refresh_token: encryptOAuthToken(refreshedTokens.refreshToken, env.AUTH_SECRET),
+                                access_token: encryptOAuthToken(refreshedTokens.accessToken),
+                                refresh_token: encryptOAuthToken(refreshedTokens.refreshToken),
                                 expires_at: refreshedTokens.expiresAt,
                             },
                         });

packages/web/src/lib/encryptedPrismaAdapter.ts

@@ -1,17 +1,17 @@
 import { PrismaAdapter } from "@auth/prisma-adapter";
 import type { Adapter, AdapterAccount } from "next-auth/adapters";
 import { PrismaClient } from "@sourcebot/db";
-import { encryptOAuthToken, env } from "@sourcebot/shared";
+import { encryptOAuthToken } from "@sourcebot/shared";
 
 /**
  * Encrypts OAuth tokens in account data before database storage
  */
 function encryptAccountTokens(account: AdapterAccount): AdapterAccount {
     return {
         ...account,
-        access_token: encryptOAuthToken(account.access_token, env.AUTH_SECRET),
-        refresh_token: encryptOAuthToken(account.refresh_token, env.AUTH_SECRET),
-        id_token: encryptOAuthToken(account.id_token, env.AUTH_SECRET),
+        access_token: encryptOAuthToken(account.access_token),
+        refresh_token: encryptOAuthToken(account.refresh_token),
+        id_token: encryptOAuthToken(account.id_token),
     };
 }
 
@@ -23,7 +23,7 @@ export function EncryptedPrismaAdapter(prisma: PrismaClient): Adapter {
 
     return {
         ...baseAdapter,
-        async linkAccount(account: AdapterAccount) {
+        linkAccount(account: AdapterAccount) {
             return baseAdapter.linkAccount!(encryptAccountTokens(account));
         },
     };
@@ -36,12 +36,14 @@ export function encryptAccountData(data: {
     access_token?: string | null;
     refresh_token?: string | null;
     id_token?: string | null;
-    [key: string]: any;
+    expires_at?: number | null;
+    token_type?: string | null;
+    scope?: string | null;
 }) {
     return {
         ...data,
-        access_token: encryptOAuthToken(data.access_token, env.AUTH_SECRET),
-        refresh_token: encryptOAuthToken(data.refresh_token, env.AUTH_SECRET),
-        id_token: encryptOAuthToken(data.id_token, env.AUTH_SECRET),
+        access_token: encryptOAuthToken(data.access_token),
+        refresh_token: encryptOAuthToken(data.refresh_token),
+        id_token: encryptOAuthToken(data.id_token),
     };
 }