Added Encryptions to All stored token and passwords

Author: arunavo4

.env.example

@@ -12,6 +12,7 @@ DATABASE_URL=sqlite://data/gitea-mirror.db
 # Security
 BETTER_AUTH_SECRET=change-this-to-a-secure-random-string-in-production
 BETTER_AUTH_URL=http://localhost:4321
+# ENCRYPTION_SECRET=optional-encryption-key-for-token-encryption # Generate with: openssl rand -base64 48
 
 # Optional GitHub/Gitea Mirror Configuration (for docker-compose, can also be set via web UI)
 # Uncomment and set as needed. These are passed as environment variables to the container.

.gitignore

@@ -31,3 +31,6 @@ certs/*.crt
 certs/*.pem
 certs/*.cer
 !certs/README.md
+
+# Hosted version documentation (local only)
+docs/HOSTED_VERSION.md

README.md

@@ -199,6 +199,25 @@ bun run build
 - **APIs**: GitHub (Octokit), Gitea REST API
 - **Auth**: JWT tokens with bcryptjs password hashing
 
+## Security
+
+### Token Encryption
+- All GitHub and Gitea API tokens are encrypted at rest using AES-256-GCM
+- Encryption is automatic and transparent to users
+- Set `ENCRYPTION_SECRET` environment variable for production deployments
+- Falls back to `BETTER_AUTH_SECRET` or `JWT_SECRET` if not set
+
+### Password Security
+- User passwords are hashed using bcrypt (via Better Auth)
+- Never stored in plaintext
+- Secure session management with JWT tokens
+
+### Migration
+If upgrading from a version without token encryption:
+```bash
+bun run migrate:encrypt-tokens
+```
+
 ## Contributing
 
 Contributions are welcome! Please read our [Contributing Guidelines](CONTRIBUTING.md) for details on our code of conduct and the process for submitting pull requests.

package.json

@@ -23,6 +23,7 @@
     "db:check": "bun drizzle-kit check",
     "db:studio": "bun drizzle-kit studio",
     "migrate:better-auth": "bun scripts/migrate-to-better-auth.ts",
+    "migrate:encrypt-tokens": "bun scripts/migrate-tokens-encryption.ts",
     "startup-recovery": "bun scripts/startup-recovery.ts",
     "startup-recovery-force": "bun scripts/startup-recovery.ts --force",
     "test-recovery": "bun scripts/test-recovery.ts",

scripts/migrate-tokens-encryption.ts

@@ -0,0 +1,135 @@
+#!/usr/bin/env bun
+/**
+ * Migration script to encrypt existing GitHub and Gitea tokens in the database
+ * Run with: bun run scripts/migrate-tokens-encryption.ts
+ */
+
+import { db, configs } from "../src/lib/db";
+import { eq } from "drizzle-orm";
+import { encrypt, isEncrypted, migrateToken } from "../src/lib/utils/encryption";
+
+async function migrateTokens() {
+  console.log("Starting token encryption migration...");
+  
+  try {
+    // Fetch all configs
+    const allConfigs = await db.select().from(configs);
+    
+    console.log(`Found ${allConfigs.length} configurations to check`);
+    
+    let migratedCount = 0;
+    let skippedCount = 0;
+    let errorCount = 0;
+    
+    for (const config of allConfigs) {
+      try {
+        let githubUpdated = false;
+        let giteaUpdated = false;
+        
+        // Parse configs
+        const githubConfig = typeof config.githubConfig === "string"
+          ? JSON.parse(config.githubConfig)
+          : config.githubConfig;
+          
+        const giteaConfig = typeof config.giteaConfig === "string"
+          ? JSON.parse(config.giteaConfig)
+          : config.giteaConfig;
+        
+        // Check and migrate GitHub token
+        if (githubConfig.token) {
+          if (!isEncrypted(githubConfig.token)) {
+            console.log(`Encrypting GitHub token for config ${config.id} (user: ${config.userId})`);
+            githubConfig.token = encrypt(githubConfig.token);
+            githubUpdated = true;
+          } else {
+            console.log(`GitHub token already encrypted for config ${config.id}`);
+          }
+        }
+        
+        // Check and migrate Gitea token
+        if (giteaConfig.token) {
+          if (!isEncrypted(giteaConfig.token)) {
+            console.log(`Encrypting Gitea token for config ${config.id} (user: ${config.userId})`);
+            giteaConfig.token = encrypt(giteaConfig.token);
+            giteaUpdated = true;
+          } else {
+            console.log(`Gitea token already encrypted for config ${config.id}`);
+          }
+        }
+        
+        // Update config if any tokens were migrated
+        if (githubUpdated || giteaUpdated) {
+          await db
+            .update(configs)
+            .set({
+              githubConfig,
+              giteaConfig,
+              updatedAt: new Date(),
+            })
+            .where(eq(configs.id, config.id));
+            
+          migratedCount++;
+          console.log(`✓ Config ${config.id} updated successfully`);
+        } else {
+          skippedCount++;
+        }
+        
+      } catch (error) {
+        errorCount++;
+        console.error(`✗ Error processing config ${config.id}:`, error);
+      }
+    }
+    
+    console.log("\n=== Migration Summary ===");
+    console.log(`Total configs: ${allConfigs.length}`);
+    console.log(`Migrated: ${migratedCount}`);
+    console.log(`Skipped (already encrypted): ${skippedCount}`);
+    console.log(`Errors: ${errorCount}`);
+    
+    if (errorCount > 0) {
+      console.error("\n⚠️  Some configs failed to migrate. Please check the errors above.");
+      process.exit(1);
+    } else {
+      console.log("\n✅ Token encryption migration completed successfully!");
+    }
+    
+  } catch (error) {
+    console.error("Fatal error during migration:", error);
+    process.exit(1);
+  }
+}
+
+// Verify environment setup
+function verifyEnvironment() {
+  const requiredEnvVars = ["ENCRYPTION_SECRET", "JWT_SECRET", "BETTER_AUTH_SECRET"];
+  const availableSecrets = requiredEnvVars.filter(varName => process.env[varName]);
+  
+  if (availableSecrets.length === 0) {
+    console.error("❌ No encryption secret found!");
+    console.error("Please set one of the following environment variables:");
+    console.error("  - ENCRYPTION_SECRET (recommended)");
+    console.error("  - JWT_SECRET");
+    console.error("  - BETTER_AUTH_SECRET");
+    process.exit(1);
+  }
+  
+  console.log(`Using encryption secret from: ${availableSecrets[0]}`);
+}
+
+// Main execution
+async function main() {
+  console.log("=== Gitea Mirror Token Encryption Migration ===\n");
+  
+  // Verify environment
+  verifyEnvironment();
+  
+  // Run migration
+  await migrateTokens();
+  
+  process.exit(0);
+}
+
+main().catch((error) => {
+  console.error("Unexpected error:", error);
+  process.exit(1);
+});

src/lib/gitea.ts

@@ -11,6 +11,7 @@ import { httpPost, httpGet } from "./http-client";
 import { createMirrorJob } from "./helpers";
 import { db, organizations, repositories } from "./db";
 import { eq, and } from "drizzle-orm";
+import { decryptConfigTokens } from "./utils/config-encryption";
 
 /**
  * Helper function to get organization configuration including destination override
@@ -183,12 +184,15 @@ export const isRepoPresentInGitea = async ({
       throw new Error("Gitea config is required.");
     }
 
+    // Decrypt config tokens for API usage
+    const decryptedConfig = decryptConfigTokens(config as Config);
+
     // Check if the repository exists at the specified owner location
     const response = await fetch(
       `${config.giteaConfig.url}/api/v1/repos/${owner}/${repoName}`,
       {
         headers: {
-          Authorization: `token ${config.giteaConfig.token}`,
+          Authorization: `token ${decryptedConfig.giteaConfig.token}`,
         },
       }
     );
@@ -371,7 +375,7 @@ export const mirrorGithubRepoToGitea = async ({
         service: "git",
       },
       {
-        Authorization: `token ${config.giteaConfig.token}`,
+        Authorization: `token ${decryptedConfig.giteaConfig.token}`,
       }
     );
 
@@ -480,7 +484,7 @@ export async function getOrCreateGiteaOrg({
       `${config.giteaConfig.url}/api/v1/orgs/${orgName}`,
       {
         headers: {
-          Authorization: `token ${config.giteaConfig.token}`,
+          Authorization: `token ${decryptedConfig.giteaConfig.token}`,
           "Content-Type": "application/json",
         },
       }
@@ -533,7 +537,7 @@ export async function getOrCreateGiteaOrg({
     const createRes = await fetch(`${config.giteaConfig.url}/api/v1/orgs`, {
       method: "POST",
       headers: {
-        Authorization: `token ${config.giteaConfig.token}`,
+        Authorization: `token ${decryptedConfig.giteaConfig.token}`,
         "Content-Type": "application/json",
       },
       body: JSON.stringify({
@@ -720,7 +724,7 @@ export async function mirrorGitHubRepoToGiteaOrg({
         private: repository.isPrivate,
       },
       {
-        Authorization: `token ${config.giteaConfig.token}`,
+        Authorization: `token ${decryptedConfig.giteaConfig.token}`,
       }
     );
 
@@ -1074,6 +1078,9 @@ export const syncGiteaRepo = async ({
       throw new Error("Gitea config is required.");
     }
 
+    // Decrypt config tokens for API usage
+    const decryptedConfig = decryptConfigTokens(config as Config);
+
     console.log(`Syncing repository ${repository.name}`);
 
     // Mark repo as "syncing" in DB
@@ -1200,6 +1207,9 @@ export const mirrorGitRepoIssuesToGitea = async ({
     throw new Error("Missing GitHub or Gitea configuration.");
   }
 
+  // Decrypt config tokens for API usage
+  const decryptedConfig = decryptConfigTokens(config as Config);
+
   const [owner, repo] = repository.fullName.split("/");
 
   // Fetch GitHub issues

src/lib/recovery.ts

@@ -11,6 +11,7 @@ import { createGitHubClient } from './github';
 import { processWithResilience } from './utils/concurrency';
 import { repositoryVisibilityEnum, repoStatusEnum } from '@/types/Repository';
 import type { Repository } from './db/schema';
+import { getDecryptedGitHubToken } from './utils/config-encryption';
 
 // Recovery state tracking
 let recoveryInProgress = false;
@@ -262,7 +263,8 @@ async function recoverMirrorJob(job: any, remainingItemIds: string[]) {
     // Create GitHub client with error handling
     let octokit;
     try {
-      octokit = createGitHubClient(config.githubConfig.token);
+      const decryptedToken = getDecryptedGitHubToken(config);
+      octokit = createGitHubClient(decryptedToken);
     } catch (error) {
       throw new Error(`Failed to create GitHub client: ${error instanceof Error ? error.message : String(error)}`);
     }

src/lib/utils/config-encryption.ts

@@ -0,0 +1,52 @@
+import { decrypt } from "./encryption";
+import type { Config } from "@/types/config";
+
+/**
+ * Decrypts tokens in a config object for use in API calls
+ * @param config The config object with potentially encrypted tokens
+ * @returns Config object with decrypted tokens
+ */
+export function decryptConfigTokens(config: Config): Config {
+  const decryptedConfig = { ...config };
+  
+  // Deep clone the config objects
+  if (config.githubConfig) {
+    decryptedConfig.githubConfig = { ...config.githubConfig };
+    if (config.githubConfig.token) {
+      decryptedConfig.githubConfig.token = decrypt(config.githubConfig.token);
+    }
+  }
+  
+  if (config.giteaConfig) {
+    decryptedConfig.giteaConfig = { ...config.giteaConfig };
+    if (config.giteaConfig.token) {
+      decryptedConfig.giteaConfig.token = decrypt(config.giteaConfig.token);
+    }
+  }
+  
+  return decryptedConfig;
+}
+
+/**
+ * Gets a decrypted GitHub token from config
+ * @param config The config object
+ * @returns Decrypted GitHub token
+ */
+export function getDecryptedGitHubToken(config: Config): string {
+  if (!config.githubConfig?.token) {
+    throw new Error("GitHub token not found in config");
+  }
+  return decrypt(config.githubConfig.token);
+}
+
+/**
+ * Gets a decrypted Gitea token from config
+ * @param config The config object
+ * @returns Decrypted Gitea token
+ */
+export function getDecryptedGiteaToken(config: Config): string {
+  if (!config.giteaConfig?.token) {
+    throw new Error("Gitea token not found in config");
+  }
+  return decrypt(config.giteaConfig.token);
+}