FEATURE (protection): Do not expose sensetive data of databases, notifiers and storages from API + make backups lazy loaded

Author: RostislavDugin

backend/internal/features/backups/backups/controller.go

@@ -23,11 +23,13 @@ func (c *BackupController) RegisterRoutes(router *gin.RouterGroup) {
 
 // GetBackups
 // @Summary Get backups for a database
-// @Description Get all backups for the specified database
+// @Description Get paginated backups for the specified database
 // @Tags backups
 // @Produce json
 // @Param database_id query string true "Database ID"
-// @Success 200 {array} Backup
+// @Param limit query int false "Number of items per page" default(10)
+// @Param offset query int false "Offset for pagination" default(0)
+// @Success 200 {object} GetBackupsResponse
 // @Failure 400
 // @Failure 401
 // @Failure 500
@@ -39,25 +41,25 @@ func (c *BackupController) GetBackups(ctx *gin.Context) {
 		return
 	}
 
-	databaseIDStr := ctx.Query("database_id")
-	if databaseIDStr == "" {
-		ctx.JSON(http.StatusBadRequest, gin.H{"error": "database_id query parameter is required"})
+	var request GetBackupsRequest
+	if err := ctx.ShouldBindQuery(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
 
-	databaseID, err := uuid.Parse(databaseIDStr)
+	databaseID, err := uuid.Parse(request.DatabaseID)
 	if err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid database_id"})
 		return
 	}
 
-	backups, err := c.backupService.GetBackups(user, databaseID)
+	response, err := c.backupService.GetBackups(user, databaseID, request.Limit, request.Offset)
 	if err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
 
-	ctx.JSON(http.StatusOK, backups)
+	ctx.JSON(http.StatusOK, response)
 }
 
 // MakeBackup

backend/internal/features/backups/backups/controller_test.go

@@ -102,10 +102,11 @@ func Test_GetBackups_PermissionsEnforced(t *testing.T) {
 			)
 
 			if tt.expectSuccess {
-				var backups []*Backup
-				err := json.Unmarshal(testResp.Body, &backups)
+				var response GetBackupsResponse
+				err := json.Unmarshal(testResp.Body, &response)
 				assert.NoError(t, err)
-				assert.GreaterOrEqual(t, len(backups), 1)
+				assert.GreaterOrEqual(t, len(response.Backups), 1)
+				assert.GreaterOrEqual(t, response.Total, int64(1))
 			} else {
 				assert.Contains(t, string(testResp.Body), "insufficient permissions")
 			}
@@ -329,9 +330,9 @@ func Test_DeleteBackup_PermissionsEnforced(t *testing.T) {
 				ownerUser, err := userService.GetUserFromToken(owner.Token)
 				assert.NoError(t, err)
 
-				backups, err := GetBackupService().GetBackups(ownerUser, database.ID)
+				response, err := GetBackupService().GetBackups(ownerUser, database.ID, 10, 0)
 				assert.NoError(t, err)
-				assert.Equal(t, 0, len(backups))
+				assert.Equal(t, 0, len(response.Backups))
 			}
 		})
 	}

backend/internal/features/backups/backups/dto.go

@@ -0,0 +1,14 @@
+package backups
+
+type GetBackupsRequest struct {
+	DatabaseID string `form:"database_id" binding:"required"`
+	Limit      int    `form:"limit"`
+	Offset     int    `form:"offset"`
+}
+
+type GetBackupsResponse struct {
+	Backups []*Backup `json:"backups"`
+	Total   int64     `json:"total"`
+	Limit   int       `json:"limit"`
+	Offset  int       `json:"offset"`
+}

backend/internal/features/backups/backups/repository.go

@@ -195,3 +195,38 @@ func (r *BackupRepository) FindBackupsBeforeDate(
 
 	return backups, nil
 }
+
+func (r *BackupRepository) FindByDatabaseIDWithPagination(
+	databaseID uuid.UUID,
+	limit, offset int,
+) ([]*Backup, error) {
+	var backups []*Backup
+
+	if err := storage.
+		GetDb().
+		Preload("Database").
+		Preload("Storage").
+		Where("database_id = ?", databaseID).
+		Order("created_at DESC").
+		Limit(limit).
+		Offset(offset).
+		Find(&backups).Error; err != nil {
+		return nil, err
+	}
+
+	return backups, nil
+}
+
+func (r *BackupRepository) CountByDatabaseID(databaseID uuid.UUID) (int64, error) {
+	var count int64
+
+	if err := storage.
+		GetDb().
+		Model(&Backup{}).
+		Where("database_id = ?", databaseID).
+		Count(&count).Error; err != nil {
+		return 0, err
+	}
+
+	return count, nil
+}

backend/internal/features/backups/backups/service.go

@@ -93,7 +93,8 @@ func (s *BackupService) MakeBackupWithAuth(
 func (s *BackupService) GetBackups(
 	user *users_models.User,
 	databaseID uuid.UUID,
-) ([]*Backup, error) {
+	limit, offset int,
+) (*GetBackupsResponse, error) {
 	database, err := s.databaseService.GetDatabaseByID(databaseID)
 	if err != nil {
 		return nil, err
@@ -111,12 +112,29 @@ func (s *BackupService) GetBackups(
 		return nil, errors.New("insufficient permissions to access backups for this database")
 	}
 
-	backups, err := s.backupRepository.FindByDatabaseID(databaseID)
+	if limit <= 0 {
+		limit = 10
+	}
+	if offset < 0 {
+		offset = 0
+	}
+
+	backups, err := s.backupRepository.FindByDatabaseIDWithPagination(databaseID, limit, offset)
+	if err != nil {
+		return nil, err
+	}
+
+	total, err := s.backupRepository.CountByDatabaseID(databaseID)
 	if err != nil {
 		return nil, err
 	}
 
-	return backups, nil
+	return &GetBackupsResponse{
+		Backups: backups,
+		Total:   total,
+		Limit:   limit,
+		Offset:  offset,
+	}, nil
 }
 
 func (s *BackupService) DeleteBackup(

backend/internal/features/backups/config/service.go

@@ -82,19 +82,6 @@ func (s *BackupConfigService) SaveBackupConfig(
 		}
 	}
 
-	if !backupConfig.IsBackupsEnabled && existingConfig.StorageID != nil {
-		if err := s.dbStorageChangeListener.OnBeforeBackupsStorageChange(
-			backupConfig.DatabaseID,
-		); err != nil {
-			return nil, err
-		}
-
-		// we clear storage for disabled backups to allow
-		// storage removal for unused storages
-		backupConfig.Storage = nil
-		backupConfig.StorageID = nil
-	}
-
 	return s.backupConfigRepository.Save(backupConfig)
 }
 

backend/internal/features/databases/controller_test.go

@@ -768,3 +768,161 @@ func createTestDatabaseViaAPI(
 
 	return &database
 }
+
+func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
+	testCases := []struct {
+		name                string
+		databaseType        DatabaseType
+		createDatabase      func(workspaceID uuid.UUID) *Database
+		updateDatabase      func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database
+		verifySensitiveData func(t *testing.T, database *Database)
+		verifyHiddenData    func(t *testing.T, database *Database)
+	}{
+		{
+			name:         "PostgreSQL Database",
+			databaseType: DatabaseTypePostgres,
+			createDatabase: func(workspaceID uuid.UUID) *Database {
+				testDbName := "test_db"
+				return &Database{
+					WorkspaceID: &workspaceID,
+					Name:        "Test PostgreSQL Database",
+					Type:        DatabaseTypePostgres,
+					Postgresql: &postgresql.PostgresqlDatabase{
+						Version:  tools.PostgresqlVersion16,
+						Host:     "localhost",
+						Port:     5432,
+						Username: "postgres",
+						Password: "original-password-secret",
+						Database: &testDbName,
+					},
+				}
+			},
+			updateDatabase: func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database {
+				testDbName := "updated_test_db"
+				return &Database{
+					ID:          databaseID,
+					WorkspaceID: &workspaceID,
+					Name:        "Updated PostgreSQL Database",
+					Type:        DatabaseTypePostgres,
+					Postgresql: &postgresql.PostgresqlDatabase{
+						Version:  tools.PostgresqlVersion17,
+						Host:     "updated-host",
+						Port:     5433,
+						Username: "updated_user",
+						Password: "",
+						Database: &testDbName,
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, database *Database) {
+				assert.Equal(t, "original-password-secret", database.Postgresql.Password)
+			},
+			verifyHiddenData: func(t *testing.T, database *Database) {
+				assert.Equal(t, "", database.Postgresql.Password)
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			router := createTestRouter()
+			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+			// Phase 1: Create database with sensitive data
+			initialDatabase := tc.createDatabase(workspace.ID)
+			var createdDatabase Database
+			test_utils.MakePostRequestAndUnmarshal(
+				t,
+				router,
+				"/api/v1/databases/create",
+				"Bearer "+owner.Token,
+				*initialDatabase,
+				http.StatusCreated,
+				&createdDatabase,
+			)
+			assert.NotEmpty(t, createdDatabase.ID)
+			assert.Equal(t, initialDatabase.Name, createdDatabase.Name)
+
+			// Phase 2: Read via service - sensitive data should be hidden
+			var retrievedDatabase Database
+			test_utils.MakeGetRequestAndUnmarshal(
+				t,
+				router,
+				fmt.Sprintf("/api/v1/databases/%s", createdDatabase.ID.String()),
+				"Bearer "+owner.Token,
+				http.StatusOK,
+				&retrievedDatabase,
+			)
+			tc.verifyHiddenData(t, &retrievedDatabase)
+			assert.Equal(t, initialDatabase.Name, retrievedDatabase.Name)
+
+			// Phase 3: Update with non-sensitive changes only (sensitive fields empty)
+			updatedDatabase := tc.updateDatabase(workspace.ID, createdDatabase.ID)
+			var updateResponse Database
+			test_utils.MakePostRequestAndUnmarshal(
+				t,
+				router,
+				"/api/v1/databases/update",
+				"Bearer "+owner.Token,
+				*updatedDatabase,
+				http.StatusOK,
+				&updateResponse,
+			)
+
+			// Phase 4: Retrieve directly from repository to verify sensitive data preservation
+			repository := &DatabaseRepository{}
+			databaseFromDB, err := repository.FindByID(createdDatabase.ID)
+			assert.NoError(t, err)
+
+			// Verify original sensitive data is still present in DB
+			tc.verifySensitiveData(t, databaseFromDB)
+
+			// Verify non-sensitive fields were updated in DB
+			assert.Equal(t, updatedDatabase.Name, databaseFromDB.Name)
+
+			// Phase 5: Additional verification - Check via GET that data is still hidden
+			var finalRetrieved Database
+			test_utils.MakeGetRequestAndUnmarshal(
+				t,
+				router,
+				fmt.Sprintf("/api/v1/databases/%s", createdDatabase.ID.String()),
+				"Bearer "+owner.Token,
+				http.StatusOK,
+				&finalRetrieved,
+			)
+			tc.verifyHiddenData(t, &finalRetrieved)
+
+			// Phase 6: Verify GetDatabasesByWorkspace also hides sensitive data
+			var workspaceDatabases []Database
+			test_utils.MakeGetRequestAndUnmarshal(
+				t,
+				router,
+				fmt.Sprintf("/api/v1/databases?workspace_id=%s", workspace.ID.String()),
+				"Bearer "+owner.Token,
+				http.StatusOK,
+				&workspaceDatabases,
+			)
+			var foundDatabase *Database
+			for i := range workspaceDatabases {
+				if workspaceDatabases[i].ID == createdDatabase.ID {
+					foundDatabase = &workspaceDatabases[i]
+					break
+				}
+			}
+			assert.NotNil(t, foundDatabase, "Database should be found in workspace databases list")
+			tc.verifyHiddenData(t, foundDatabase)
+
+			// Clean up: Delete database before removing workspace
+			test_utils.MakeDeleteRequest(
+				t,
+				router,
+				fmt.Sprintf("/api/v1/databases/%s", createdDatabase.ID.String()),
+				"Bearer "+owner.Token,
+				http.StatusNoContent,
+			)
+
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
+		})
+	}
+}

backend/internal/features/databases/databases/postgresql/model.go

@@ -66,6 +66,23 @@ func (p *PostgresqlDatabase) TestConnection(logger *slog.Logger) error {
 	return testSingleDatabaseConnection(logger, ctx, p)
 }
 
+func (p *PostgresqlDatabase) HideSensitiveData() {
+	p.Password = ""
+}
+
+func (p *PostgresqlDatabase) Update(incoming *PostgresqlDatabase) {
+	p.Version = incoming.Version
+	p.Host = incoming.Host
+	p.Port = incoming.Port
+	p.Username = incoming.Username
+	p.Database = incoming.Database
+	p.IsHttps = incoming.IsHttps
+
+	if incoming.Password != "" {
+		p.Password = incoming.Password
+	}
+}
+
 // testSingleDatabaseConnection tests connection to a specific database for pg_dump
 func testSingleDatabaseConnection(
 	logger *slog.Logger,

backend/internal/features/databases/interfaces.go

@@ -12,6 +12,8 @@ type DatabaseValidator interface {
 
 type DatabaseConnector interface {
 	TestConnection(logger *slog.Logger) error
+
+	HideSensitiveData()
 }
 
 type DatabaseCreationListener interface {