feat: encrypt token on disk using safe storage api

setchy · setchy · commit 613599e6afe9 · 2025-02-01T07:31:43.000-05:00
Signed-off-by: Adam Setch &lt;adam.setch@outlook.com&gt;
diff --git a/src/main/main.ts b/src/main/main.ts
@@ -1,4 +1,4 @@
-import { app, globalShortcut, ipcMain as ipc } from 'electron';
+import { app, globalShortcut, ipcMain as ipc, safeStorage } from 'electron';
 import log from 'electron-log';
 import { menubar } from 'menubar';
 
@@ -169,6 +169,15 @@ app.whenReady().then(async () => {
   });
 });
 
+// Safe Storage
+ipc.handle(namespacedEvent('safe-storage-encrypt'), (_, settings) => {
+  return safeStorage.encryptString(settings).toString('base64');
+});
+
+ipc.handle(namespacedEvent('safe-storage-decrypt'), (_, settings) => {
+  return safeStorage.decryptString(Buffer.from(settings, 'base64'));
+});
+
 // Handle gitify:// custom protocol URL events for OAuth 2.0 callback
 app.on('open-url', (event, url) => {
   event.preventDefault();
diff --git a/src/renderer/__mocks__/electron.js b/src/renderer/__mocks__/electron.js
@@ -43,6 +43,10 @@ module.exports = {
           return Promise.resolve('darwin');
         case namespacedEvent('version'):
           return Promise.resolve('0.0.1');
+        case namespacedEvent('safe-storage-encrypt'):
+          return Promise.resolve('encrypted');
+        case namespacedEvent('safe-storage-decrypt'):
+          return Promise.resolve('decrypted');
         default:
           return Promise.reject(new Error(`Unknown channel: ${channel}`));
       }
diff --git a/src/renderer/context/App.tsx b/src/renderer/context/App.tsx
@@ -28,6 +28,7 @@ import {
   type Status,
   type SystemSettingsState,
   Theme,
+  type Token,
 } from '../types';
 import type { Notification } from '../typesGitHub';
 import { headNotifications } from '../utils/api/client';
@@ -44,6 +45,8 @@ import {
   removeAccount,
 } from '../utils/auth/utils';
 import {
+  decryptValue,
+  encryptValue,
   setAlternateIdleIcon,
   setAutoLaunch,
   setKeyboardShortcut,
@@ -281,20 +284,45 @@ export const AppProvider = ({ children }: { children: ReactNode }) => {
     if (existing.settings) {
       setKeyboardShortcut(existing.settings.keyboardShortcut);
       setAlternateIdleIcon(existing.settings.useAlternateIdleIcon);
-      setSettings({ ...defaultSettings, ...existing.settings });
+      setSettings({
+        ...defaultSettings,
+        ...Object.fromEntries(
+          Object.entries(existing.settings).filter(
+            ([key]) => key in defaultSettings,
+          ),
+        ),
+      });
       webFrame.setZoomLevel(
         zoomPercentageToLevel(existing.settings.zoomPercentage),
       );
     }
 
     if (existing.auth) {
-      setAuth({ ...defaultAuth, ...existing.auth });
+      setAuth({
+        ...defaultAuth,
+        ...Object.fromEntries(
+          Object.entries(existing.auth).filter(([key]) => key in defaultAuth),
+        ),
+      });
 
       // Refresh account data on app start
       for (const account of existing.auth.accounts) {
+        /**
+         * Check if each account has an encrypted token.
+         * If not encrypt it and save it.
+         */
+        try {
+          await decryptValue(account.token);
+        } catch (err) {
+          const encryptedToken = await encryptValue(account.token);
+          account.token = encryptedToken as Token;
+        }
+
         await refreshAccount(account);
       }
     }
+
+    // saveState({  auth: existing.auth, settings });
   }, []);
 
   const fetchNotificationsWithAccounts = useCallback(
diff --git a/src/renderer/utils/api/request.ts b/src/renderer/utils/api/request.ts
@@ -4,8 +4,9 @@ import axios, {
   type Method,
 } from 'axios';
 
-import { logError } from '../../../shared/logger';
+import { logError, logWarn } from '../../../shared/logger';
 import type { Link, Token } from '../../types';
+import { decryptValue } from '../comms';
 import { getNextURLFromLinkHeader } from './utils';
 
 /**
@@ -44,8 +45,15 @@ export async function apiRequestAuth(
   data = {},
   fetchAllRecords = false,
 ): AxiosPromise | null {
+  let apiToken = token;
+  try {
+    apiToken = (await decryptValue(token)) as Token;
+  } catch (err) {
+    logWarn('apiRequestAuth', 'Token is not yet encrypted');
+  }
+
   axios.defaults.headers.common.Accept = 'application/json';
-  axios.defaults.headers.common.Authorization = `token ${token}`;
+  axios.defaults.headers.common.Authorization = `token ${apiToken}`;
   axios.defaults.headers.common['Content-Type'] = 'application/json';
   axios.defaults.headers.common['Cache-Control'] = shouldRequestWithNoCache(url)
     ? 'no-cache'
diff --git a/src/renderer/utils/auth/utils.ts b/src/renderer/utils/auth/utils.ts
@@ -18,7 +18,7 @@ import type {
 import type { UserDetails } from '../../typesGitHub';
 import { getAuthenticatedUser } from '../api/client';
 import { apiRequest } from '../api/request';
-import { openExternalLink } from '../comms';
+import { encryptValue, openExternalLink } from '../comms';
 import { Constants } from '../constants';
 import { getPlatformFromHostname } from '../helpers';
 import type { AuthMethod, AuthResponse, AuthTokenResponse } from './types';
@@ -109,12 +109,13 @@ export async function addAccount(
   hostname: Hostname,
 ): Promise<AuthState> {
   const accountList = auth.accounts;
+  const encryptedToken = await encryptValue(token);
 
   let newAccount = {
     hostname: hostname,
     method: method,
     platform: getPlatformFromHostname(hostname),
-    token: token,
+    token: encryptedToken,
   } as Account;
 
   newAccount = await refreshAccount(newAccount);
diff --git a/src/renderer/utils/comms.test.ts b/src/renderer/utils/comms.test.ts
@@ -4,6 +4,8 @@ import { namespacedEvent } from '../../shared/events';
 import { mockSettings } from '../__mocks__/state-mocks';
 import type { Link } from '../types';
 import {
+  decryptValue,
+  encryptValue,
   getAppVersion,
   hideWindow,
   openExternalLink,
@@ -68,6 +70,24 @@ describe('renderer/utils/comms.ts', () => {
     expect(ipcRenderer.invoke).toHaveBeenCalledWith(namespacedEvent('version'));
   });
 
+  it('should encrypt a value', async () => {
+    await encryptValue('value');
+    expect(ipcRenderer.invoke).toHaveBeenCalledTimes(1);
+    expect(ipcRenderer.invoke).toHaveBeenCalledWith(
+      namespacedEvent('safe-storage-encrypt'),
+      'value',
+    );
+  });
+
+  it('should decrypt a value', async () => {
+    await decryptValue('value');
+    expect(ipcRenderer.invoke).toHaveBeenCalledTimes(1);
+    expect(ipcRenderer.invoke).toHaveBeenCalledWith(
+      namespacedEvent('safe-storage-decrypt'),
+      'value',
+    );
+  });
+
   it('should quit the app', () => {
     quitApp();
     expect(ipcRenderer.send).toHaveBeenCalledTimes(1);
diff --git a/src/renderer/utils/comms.ts b/src/renderer/utils/comms.ts
@@ -24,6 +24,20 @@ export async function getAppVersion(): Promise<string> {
   return await ipcRenderer.invoke(namespacedEvent('version'));
 }
 
+export async function encryptValue(value: string): Promise<string> {
+  return await ipcRenderer.invoke(
+    namespacedEvent('safe-storage-encrypt'),
+    value,
+  );
+}
+
+export async function decryptValue(value: string): Promise<string> {
+  return await ipcRenderer.invoke(
+    namespacedEvent('safe-storage-decrypt'),
+    value,
+  );
+}
+
 export function quitApp(): void {
   ipcRenderer.send(namespacedEvent('quit'));
 }
