Implement user information storage and encryption in graphDBdataAccess

[praveshkumar1988]

No description provided.

In general, the fix is to ensure that no sensitive information (passwords, tokens, secrets) is written to logs or standard output. If debugging is required, log only non-sensitive metadata (e.g., that encryption/decryption succeeded) rather than the secret values themselves.

For this specific case in backend/src/graphDB_dataAccess.py, the best fix without changing existing functionality is:

• Remove or replace the three debug print statements that output:
  • the plain password (credentials.password),
  • the encrypted password (encrypted_password),
  • and the decrypted password (d_password).
• Keep the integrity check (the call to decrypt_text_aes_gcm) so that behavior is unchanged, but only log a generic success/failure message if needed.
• Use the existing logging facility instead of print if we still want confirmation that encryption/decryption worked, but without including any credential content.

Concretely:

• Around lines 697–700:
  • Delete the three print lines.
  • Optionally retain the decryption call to verify integrity, and wrap it in a try/except if we want to treat decryption failure as an error. However, as per the current snippet, the decryption is already inside the outer try and will be covered by the existing except Exception as e, so we only need to keep the decryption call and remove the prints.
• No new imports or helper methods are required.

[praveshkumar1988]

Removed

[Copilot]

Pull request overview

This PR updates the Neo4j connection-check flow to pass around a Neo4jCredentials object and adds functionality intended to persist user DB connection details (including an encrypted password) via graphDBdataAccess.

Changes:

• Refactors connection_check_and_get_vector_dimensions to accept a credentials object instead of individual parameters.
• Adds AES-GCM encryption/decryption helpers and a new save_user_information() method to persist user DB details.
• Updates /connect endpoint to use the refactored connection check and to call save_user_information().

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 10 comments.

File	Description
backend/src/main.py	Updates helper wrapper signature to pass credentials object through.
backend/src/graphDB_dataAccess.py	Adds encryption helpers, refactors connection-check signature, and adds user info persistence logic.
backend/score.py	Updates /connect to call the refactored connection-check method and persist user info.

Comments suppressed due to low confidence (1)

backend/src/graphDB_dataAccess.py:275

• The docstring for connection_check_and_get_vector_dimensions still documents the old parameter list (database, email, uri). Since the method now takes a single credentials object, the Args section is misleading and should be updated to reflect the new input shape.

    def connection_check_and_get_vector_dimensions(self, credentials):
        """
        Get the vector index dimension from database and application configuration and DB connection status
        
        Args:
            uri: URI of the graph to extract
            userName: Username to use for graph creation ( if None will use username from config file )
            password: Password to use for graph creation ( if None will use password from config file )
            db_name: db_name is database name to connect to graph db
        Returns:

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

save_user_information() returns a status dict on failure (e.g., missing ENCRYPTION_PASSPHRASE or missing email), but the result is ignored here, so /connect can return Success even though user info wasn’t persisted. Consider checking the returned status and either (a) fail the request, or (b) include a warning/message in the response when persistence fails.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The ENCRYPTION_PASSPHRASE description says it should be “32 bytes base64 encoded for AES-256-GCM”, but the implementation derives a key from an arbitrary passphrase via PBKDF2 and does not base64-decode this value. Update this comment to match actual behavior, or update the code to accept/decode a base64 key if that’s the intended contract.

Suggested change

	ENCRYPTION_PASSPHRASE="" #REQUIRED- Default_Value = "Randomly generated string" -- Passphrase used for encrypting sensitive data in the database, should be 32 bytes base64 encoded for AES-256-GCM
	ENCRYPTION_PASSPHRASE="" #REQUIRED- Default_Value = "Randomly generated string" -- Passphrase used for encrypting sensitive data in the database; it is processed via PBKDF2 to derive the AES-256-GCM encryption key, so use a strong, randomly generated passphrase

[Copilot]

connection_check_and_get_vector_dimensions was refactored to accept (graph, credentials), but there are still call sites using the previous (graph, database, email, uri) signature (e.g. backend/score.py later calls it with 4 args). This will raise a TypeError at runtime. Either keep this wrapper backward-compatible (accept both signatures) or update all call sites to pass a Neo4jCredentials object.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

save_user_information always keys the MERGE on email, but email is optional when AUTHENTICATION_REQUIRED is false. In that mode this will either fail (Neo4j cannot MERGE on a null property) or create inconsistent user records, and it also diverges from existing user lookup logic (e.g., get_user_embedding_model / track_token_usage merge by db_url when auth is off). Align the MERGE key with AUTHENTICATION_REQUIRED (email vs db_url) and normalize values similarly to track_token_usage.

[Copilot]

Connection cleanup uses graph.close(), but elsewhere in the codebase Neo4jGraph connections are closed via graph._driver.close() after checking graph._driver._closed (e.g., backend/src/main.py:759-761). If Neo4jGraph doesn’t expose close(), this will raise in the finally block and mask the original error. Consider following the existing pattern and closing the underlying driver safely.

[Copilot]

connection_check_and_get_vector_dimensions was refactored to take a single credentials argument (and is now also called as a method). There is still a call site in this file (/backend_connection_configuration) that invokes it with the old signature (graph, database, None, uri), which will raise a TypeError at runtime. Please update that endpoint to pass a Neo4jCredentials object (or switch it to graphDBdataAccess(...).connection_check_and_get_vector_dimensions(credentials)).

[Copilot]

PBKDF2HMAC no longer requires (and in newer cryptography versions deprecates/removes) the explicit backend=default_backend() argument. Keeping this can break installs depending on the pinned cryptography version. Consider removing the default_backend import and the backend=... parameter to keep the KDF call forward-compatible.