feat: Encrypt auth keys in token store and enforce 401 for invalid tokens across endpoints.

TimilsinaBimal · TimilsinaBimal · commit 5ef98c0df94c · 2025-12-07T00:51:13.000+05:45
diff --git a/.env.example b/.env.example
@@ -7,7 +7,8 @@ TOKEN_TTL_SECONDS=0
 ANNOUNCEMENT_HTML=
 HOST_NAME=<your_addon_url>
 RECOMMENDATION_SOURCE_ITEMS_LIMIT=10 # fetches recent watched/loved 10 movies and series to recommend based on those
-
+TOKEN_SALT=change-me
+# generate some very long random string preferrably using cryptography libraries
 # UPDATER
 CATALOG_UPDATE_MODE=cron # Available options: cron, interval
 # cron updates catalogs at specified times
diff --git a/app/api/endpoints/catalogs.py b/app/api/endpoints/catalogs.py
@@ -43,6 +43,8 @@ async def get_catalog(type: str, id: str, response: Response, token: str):
     logger.info(f"[{token}] Fetching catalog for {type} with id {id}")
 
     credentials = await token_store.get_user_data(token)
+    if not credentials:
+        raise HTTPException(status_code=401, detail="Invalid or expired token. Please reconfigure the addon.")
     try:
         # Extract settings from credentials
         settings_dict = credentials.get("settings", {})
diff --git a/app/api/endpoints/manifest.py b/app/api/endpoints/manifest.py
@@ -59,6 +59,8 @@ def get_base_manifest(user_settings: UserSettings | None = None):
 @alru_cache(maxsize=1000, ttl=3600)
 async def fetch_catalogs(token: str):
     credentials = await token_store.get_user_data(token)
+    if not credentials:
+        raise HTTPException(status_code=401, detail="Invalid or expired token. Please reconfigure the addon.")
 
     if credentials.get("settings"):
         user_settings = UserSettings(**credentials["settings"])
diff --git a/app/api/endpoints/tokens.py b/app/api/endpoints/tokens.py
@@ -93,6 +93,8 @@ async def create_token(payload: TokenRequest, request: Request) -> TokenResponse
     # 2. Check if user already exists
     token = token_store.get_token_from_user_id(user_id)
     existing_data = await token_store.get_user_data(token)
+    if not existing_data:
+        raise HTTPException(status_code=401, detail="Invalid or expired token. Please reconfigure the addon.")
 
     # 3. Construct Settings
     default_settings = get_default_settings()
diff --git a/app/core/config.py b/app/core/config.py
@@ -21,6 +21,7 @@ class Settings(BaseSettings):
     ADDON_NAME: str = "Watchly"
     REDIS_URL: str = "redis://redis:6379/0"
     REDIS_TOKEN_KEY: str = "watchly:token:"
+    TOKEN_SALT: str = "change-me"
     TOKEN_TTL_SECONDS: int = 0  # 0 = never expire
     ANNOUNCEMENT_HTML: str = ""
     AUTO_UPDATE_CATALOGS: bool = True
diff --git a/app/services/catalog_updater.py b/app/services/catalog_updater.py
@@ -4,6 +4,7 @@
 from apscheduler.schedulers.asyncio import AsyncIOScheduler
 from apscheduler.triggers.cron import CronTrigger
 from apscheduler.triggers.interval import IntervalTrigger
+from fastapi import HTTPException
 from loguru import logger
 
 from app.core.config import settings
@@ -17,6 +18,10 @@
 
 
 async def refresh_catalogs_for_credentials(token: str, credentials: dict[str, Any]) -> bool:
+    if not credentials:
+        logger.warning(f"[{token}] Attempted to refresh catalogs with no credentials.")
+        raise HTTPException(status_code=401, detail="Invalid or expired token. Please reconfigure the addon.")
+
     auth_key = credentials.get("authKey")
     stremio_service = StremioService(auth_key=auth_key)
     # check if user has addon installed or not
diff --git a/app/services/token_store.py b/app/services/token_store.py
@@ -1,9 +1,13 @@
+import base64
 import json
 from collections.abc import AsyncIterator
 from typing import Any
 
 import redis.asyncio as redis
 from cachetools import TTLCache
+from cryptography.fernet import Fernet
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from loguru import logger
 
 from app.core.config import settings
@@ -23,6 +27,38 @@ def __init__(self) -> None:
         if not settings.REDIS_URL:
             logger.warning("REDIS_URL is not set. Token storage will fail until a Redis instance is configured.")
 
+        if not settings.TOKEN_SALT or settings.TOKEN_SALT == "change-me":
+            logger.warning(
+                "TOKEN_SALT is missing or using the default placeholder. Set a strong value to secure tokens."
+            )
+
+    def _ensure_secure_salt(self) -> None:
+        if not settings.TOKEN_SALT or settings.TOKEN_SALT == "change-me":
+            logger.error("Refusing to store credentials because TOKEN_SALT is unset or using the insecure default.")
+            raise RuntimeError(
+                "Server misconfiguration: TOKEN_SALT must be set to a non-default value before storing credentials."
+            )
+
+    def _get_cipher(self) -> Fernet:
+        """Get or create Fernet cipher instance based on TOKEN_SALT."""
+        if self._cipher is None:
+            kdf = PBKDF2HMAC(
+                algorithm=hashes.SHA256(),
+                length=32,
+                salt=b"",  # empty salt
+                iterations=200_000,
+            )
+
+            key = base64.urlsafe_b64encode(kdf.derive(settings.TOKEN_SALT.encode("utf-8")))
+            self._cipher = Fernet(key)
+        return self._cipher
+
+    def encrypt_token(self, token: str) -> str:
+        return self._cipher.encrypt(token.encode("utf-8")).decode("utf-8")
+
+    def decrypt_token(self, enc: str) -> str:
+        return self._cipher.decrypt(enc.encode("utf-8")).decode("utf-8")
+
     async def _get_client(self) -> redis.Redis:
         if self._client is None:
             self._client = redis.from_url(settings.REDIS_URL, decode_responses=True, encoding="utf-8")
@@ -39,6 +75,7 @@ def get_user_id_from_token(self, token: str) -> str:
         return token.strip() if token else ""
 
     async def store_user_data(self, user_id: str, payload: dict[str, Any]) -> str:
+        self._ensure_secure_salt()
         token = self.get_token_from_user_id(user_id)
         key = self._format_key(token)
 
@@ -48,6 +85,9 @@ async def store_user_data(self, user_id: str, payload: dict[str, Any]) -> str:
         # Store user_id in payload for convenience
         storage_data["user_id"] = user_id
 
+        if storage_data.get("authKey"):
+            storage_data["authKey"] = self.encrypt_token(storage_data["authKey"])
+
         client = await self._get_client()
         json_str = json.dumps(storage_data)
 
@@ -74,6 +114,8 @@ async def get_user_data(self, token: str) -> dict[str, Any] | None:
 
         try:
             data = json.loads(data_raw)
+            if data.get("authKey"):
+                data["authKey"] = self.decrypt_token(data["authKey"])
             self._payload_cache[token] = data
             return data
         except json.JSONDecodeError:
