mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-19 13:21:46 +00:00
bba50f038b
The oidc_client_secret was written to app_settings as plaintext, unlike Maps and OpenWeather API keys which are protected with apiKeyCrypto. An attacker with read access to the SQLite file (e.g. via a backup download) could obtain the secret and impersonate the application with the identity provider.

- Encrypt on write in PUT /api/admin/oidc via maybe_encrypt_api_key
- Decrypt on read in GET /api/admin/oidc and in getOidcConfig() (oidc.ts) before passing the secret to the OIDC client library
- Add a startup migration that encrypts any existing plaintext value already present in the database
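The three steps in the commit message (encrypt on write, decrypt on read, migrate existing plaintext at startup), shown as an added example that is not TREK's own code: apiKeyCrypto, maybe_encrypt_api_key and the real app_settings table are not reproduced here. The helper names (maybeEncrypt, decrypt, migratePlaintextSecrets), the "enc:v1:" prefix that lets the code tell ciphertext from legacy plaintext, the constant demo key and the in-memory Map standing in for the SQLite table are all assumptions made for the example. It uses AES-256-GCM from Node's crypto module so that a tampered row fails to decrypt instead of yielding garbage.

```typescript
// Added example, not TREK's code. At-rest encryption of a secret stored in an
// app_settings-style key/value table, with idempotent encrypt-on-write,
// decrypt-on-read and a startup migration for legacy plaintext rows.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumed prefix marking a value as ciphertext; anything without it is treated
// as legacy plaintext. Versioning the prefix allows a later key/format change.
const PREFIX = "enc:v1:";

// Constructed 32-byte demo key. A real deployment loads the key from the
// environment or a KMS; it must never live in the same database as the secrets.
export const DEMO_KEY = Buffer.alloc(32, 7);

export function isEncrypted(value: string): boolean {
  return value.startsWith(PREFIX);
}

// Encrypt on write. Idempotent: an already-encrypted or empty value is returned
// unchanged, so calling it from both the PUT handler and the migration is safe.
export function maybeEncrypt(value: string, key: Buffer = DEMO_KEY): string {
  if (value === "" || isEncrypted(value)) return value;
  const iv = randomBytes(12); // fresh 96-bit nonce per write
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16 bytes
  return PREFIX + Buffer.concat([iv, tag, ct]).toString("base64");
}

// Decrypt on read. Legacy plaintext (no prefix) is passed through so the app
// keeps working until the startup migration has run; a tampered or wrong-key
// ciphertext throws rather than returning garbage to the OIDC client.
export function decrypt(value: string, key: Buffer = DEMO_KEY): string {
  if (!isEncrypted(value)) return value;
  const buf = Buffer.from(value.slice(PREFIX.length), "base64");
  if (buf.length < 28) throw new Error("ciphertext too short");
  const iv = buf.subarray(0, 12);
  const tag = buf.subarray(12, 28);
  const ct = buf.subarray(28);
  const d = createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// Constructed in-memory stand-in for the app_settings table (key -> value).
export type Settings = Map<string, string>;

// Assumed list of setting keys that hold secrets and must be encrypted at rest.
const SECRET_KEYS = ["oidc_client_secret", "maps_api_key", "openweather_api_key"];

// What a PUT /api/admin/oidc handler would do before persisting the secret.
export function putOidcSecret(db: Settings, secret: string): void {
  db.set("oidc_client_secret", maybeEncrypt(secret));
}

// What GET /api/admin/oidc or getOidcConfig() would do before using the secret.
export function getOidcSecret(db: Settings): string | undefined {
  const v = db.get("oidc_client_secret");
  return v === undefined ? undefined : decrypt(v);
}

// Startup migration: encrypt every secret row still stored as plaintext.
// Returns the number of rows rewritten; a second run returns 0.
export function migratePlaintextSecrets(db: Settings): number {
  let changed = 0;
  for (const k of SECRET_KEYS) {
    const v = db.get(k);
    if (v !== undefined && v !== "" && !isEncrypted(v)) {
      db.set(k, maybeEncrypt(v));
      changed++;
    }
  }
  return changed;
}
```

The prefix check is what makes the migration safe to run on every startup and keeps the PUT handler from double-encrypting a value that was round-tripped through the admin UI. With GCM, a row that an attacker with write access to the SQLite file has altered fails `d.final()` and the read throws, which is the behaviour you want before handing the secret to the identity provider.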