Add encryption for ConnectedApps::Vine#data

Added layer of security, we encrypt the API key and related secret. It requires setting up some encryption keys that can be generated wiht `bin/rails db:encryption:init`
2026-01-11 18:26:50 +00:00 · 2024-10-07 14:53:35 +11:00
parent b14a1e72f3
commit a3d8ae693d
5 changed files with 28 additions and 0 deletions
--- a/.env
+++ b/.env
@@ -61,3 +61,9 @@ SMTP_PASSWORD="f00d"
 # NEW_RELIC_AGENT_ENABLED=true
 # NEW_RELIC_APP_NAME="Open Food Network"
 # NEW_RELIC_LICENSE_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+# Database encryption configuration, required for VINE connected app
+# Generate with bin/rails db:encryption:init
+# ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+# ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+# ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
--- a/.env.development
+++ b/.env.development
@@ -24,3 +24,8 @@ SITE_URL="0.0.0.0:3000"
 RACK_TIMEOUT_SERVICE_TIMEOUT="0"
 RACK_TIMEOUT_WAIT_TIMEOUT="0"
 RACK_TIMEOUT_WAIT_OVERTIME="0"
+
+# Database encryption configuration, required for VINE connected app
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="dev_primary_key"
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="dev_determinnistic_key"
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="dev_derivation_salt"
--- a/.env.test
+++ b/.env.test
@@ -18,3 +18,7 @@ SITE_URL="test.host"
 OPENID_APP_ID="test-provider"
 OPENID_APP_SECRET="12345"
 OPENID_REFRESH_TOKEN="dummy-refresh-token"
+
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="test_primary_key"
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="test_deterministic_key"
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="test_derivation_salt"
--- a/app/models/connected_apps/vine.rb
+++ b/app/models/connected_apps/vine.rb
@@ -4,6 +4,8 @@
 #
 module ConnectedApps
  class Vine < ConnectedApp
+    encrypts :data
+
    def connect(api_key:, secret:, vine_api:, **_opts)
      response = vine_api.my_team

--- a/config/application.rb
+++ b/config/application.rb
@@ -255,5 +255,16 @@ module Openfoodnetwork
    config.exceptions_app = self.routes

    config.view_component.generate.sidecar = true # Always generate components in subfolders
+
+    # Database encryption configuration, required for VINE connected app
+    config.active_record.encryption.primary_key = ENV.fetch(
+      "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY", nil
+    )
+    config.active_record.encryption.deterministic_key = ENV.fetch(
+      "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY", nil
+    )
+    config.active_record.encryption.key_derivation_salt = ENV.fetch(
+      "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT", nil
+    )
  end
 end