config/server: Add gh_token_encryption field

Turbo87 · Turbo87 · commit b011bb0e212b · 2025-08-04T12:13:51.000+02:00
diff --git a/src/config/server.rs b/src/config/server.rs
@@ -5,6 +5,7 @@ use url::Url;
 
 use crate::Env;
 use crate::rate_limiter::{LimitedAction, RateLimiterConfig};
+use crate::util::gh_token_encryption::GitHubTokenEncryption;
 
 use super::base::Base;
 use super::database_pools::DatabasePools;
@@ -42,6 +43,7 @@ pub struct Server {
     pub session_key: cookie::Key,
     pub gh_client_id: ClientId,
     pub gh_client_secret: ClientSecret,
+    pub gh_token_encryption: GitHubTokenEncryption,
     pub max_upload_size: u32,
     pub max_unpack_size: u64,
     pub max_dependencies: usize,
@@ -106,6 +108,7 @@ impl Server {
     /// - `SESSION_KEY`: The key used to sign and encrypt session cookies.
     /// - `GH_CLIENT_ID`: The client ID of the associated GitHub application.
     /// - `GH_CLIENT_SECRET`: The client secret of the associated GitHub application.
+    /// - `GITHUB_TOKEN_ENCRYPTION_KEY`: Key for encrypting GitHub access tokens (64 hex characters).
     /// - `BLOCKED_TRAFFIC`: A list of headers and environment variables to use for blocking
     ///   traffic. See the `block_traffic` module for more documentation.
     /// - `DOWNLOADS_PERSIST_INTERVAL_MS`: how frequent to persist download counts (in ms).
@@ -205,6 +208,7 @@ impl Server {
             session_key: cookie::Key::derive_from(required_var("SESSION_KEY")?.as_bytes()),
             gh_client_id: ClientId::new(required_var("GH_CLIENT_ID")?),
             gh_client_secret: ClientSecret::new(required_var("GH_CLIENT_SECRET")?),
+            gh_token_encryption: GitHubTokenEncryption::from_environment()?,
             max_upload_size: 10 * 1024 * 1024, // 10 MB default file upload size limit
             max_unpack_size: 512 * 1024 * 1024, // 512 MB max when decompressed
             max_dependencies: DEFAULT_MAX_DEPENDENCIES,
diff --git a/src/tests/util/test_app.rs b/src/tests/util/test_app.rs
@@ -9,6 +9,7 @@ use crate::rate_limiter::{LimitedAction, RateLimiterConfig};
 use crate::storage::StorageConfig;
 use crate::tests::util::chaosproxy::ChaosProxy;
 use crate::tests::util::github::MOCK_GITHUB_DATA;
+use crate::util::gh_token_encryption::GitHubTokenEncryption;
 use crate::worker::{Environment, RunnerExt};
 use crate::{App, Emails, Env};
 use claims::assert_some;
@@ -489,6 +490,7 @@ fn simple_config() -> config::Server {
         session_key: cookie::Key::derive_from("test this has to be over 32 bytes long".as_bytes()),
         gh_client_id: ClientId::new(dotenvy::var("GH_CLIENT_ID").unwrap_or_default()),
         gh_client_secret: ClientSecret::new(dotenvy::var("GH_CLIENT_SECRET").unwrap_or_default()),
+        gh_token_encryption: GitHubTokenEncryption::for_testing(),
         max_upload_size: 128 * 1024, // 128 kB should be enough for most testing purposes
         max_unpack_size: 128 * 1024, // 128 kB should be enough for most testing purposes
         max_features: 10,
