feat: update _sensitive_datas

Author: aeltorio

_sensitive_datas/.gitignore

@@ -0,0 +1 @@
+_sensitive_datas.tar.xz

_sensitive_datas/_sensitive_datas.tar.xz.enc

@@ -0,0 +1 @@
+da0c31374d149b7e6d271c589c6b241fd3bf9ff012a0d8f99860675751e500d9

_sensitive_datas/_sensitive_datas.tar.xz.sha256

@@ -1,25 +1,185 @@
 #!/bin/bash
+#
+# Copyright (c) 2025 Ronan Le Meillat - SCTG Development
+#
+# Permission is hereby granted, free of charge, to anyone obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+# =============================================================================
+# Secure Restore Script for Sensitive Data
+# =============================================================================
+#
+# This script decrypts and displays the contents of an encrypted backup archive
+# created by the store_sensitive_datas script. It provides a preview of what
+# will be restored without actually performing the restoration.
+#
+# The restore process:
+# 1. Validates PROJECT_ROOT environment variable
+# 2. Ensures .gitignore excludes the archive from version control
+# 3. Decrypts the AES-256-CBC encrypted archive
+# 4. Verifies archive integrity using SHA256 hash
+# 5. Lists the contents of the decrypted archive
+# 6. Provides manual restoration instructions
+#
+# Requirements:
+# - PROJECT_ROOT environment variable must be set
+# - CRYPTOKEN environment variable must be set for decryption (if encrypted)
+# - OpenSSL must be installed
+# - tar must be installed
+# - Encrypted backup file must exist: _sensitive_datas/_sensitive_datas.tar.xz.enc
+#
+# Usage:
+#   export PROJECT_ROOT="/path/to/project"
+#   export CRYPTOKEN="your-encryption-key"  # Only if backup was encrypted
+#   ./restore_sensitive_datas
+#
+# Note: This script only decrypts and shows contents. Manual restoration required.
+# =============================================================================
+
+# Configuration Section
+# ====================
+
+# Encryption configuration (must match store_sensitive_datas)
+# AES-256-CBC with PBKDF2 provides strong encryption with key derivation
+# Note: AES-GCM would be preferred for authenticated encryption, but may not be
+# supported in all OpenSSL versions. AES-CBC with PBKDF2 is widely compatible.
+CIPHER_ALGO="aes-256-cbc"
+
+# PBKDF2 iterations for key derivation (must match encryption settings)
+PBKDF2_ITERATIONS=100000
+
+# =============================================================================
+# Main Script Logic
+# =============================================================================
+
+# .env file is located one level from this script
+# load it
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if [ -f "$SCRIPT_DIR/../.env" ]; then
+    set -a
+    source "$SCRIPT_DIR/../.env"
+    set +a
+fi
+
+# Step 1: Validate PROJECT_ROOT
+# -----------------------------
 if [ ! -n "$PROJECT_ROOT" ]; then
-    echo "If you restore for a cloned repo you may declare a PROJECT_ROOT environment variable before running this"
+    echo "INFO: PROJECT_ROOT environment variable not set"
+    echo "For restoring in a cloned repository, set PROJECT_ROOT to the project root directory"
+    echo "Example: export PROJECT_ROOT=\"/path/to/project\""
     exit 0
 fi
+
 echo "PROJECT_ROOT is set to '$PROJECT_ROOT'"
+
+# Interactive confirmation (can be disabled for automation)
+echo "This will decrypt and show the contents of the backup archive."
 read -p "Press any key to continue... " -n1 -s
+echo ""  # New line after user input
+
+# Save current directory and navigate to home (safety measure)
 PWD=`pwd`
 cd ~
-#1-decrypt
+
+# Step 2: Ensure .gitignore excludes the archive
+# -----------------------------------------------
+GITIGNORE_FILE="$PROJECT_ROOT/_sensitive_datas/.gitignore"
+if [ ! -f "$GITIGNORE_FILE" ]; then
+    echo "Creating .gitignore file to exclude sensitive archive..."
+    # Ensure the directory exists
+    mkdir -p "$PROJECT_ROOT/_sensitive_datas"
+    echo "_sensitive_datas.tar.xz" > "$GITIGNORE_FILE"
+    echo "✓ Created $GITIGNORE_FILE with archive exclusion rules"
+elif ! grep -q "^_sensitive_datas\.tar\.xz$" "$GITIGNORE_FILE"; then
+    echo "Adding archive exclusion to existing .gitignore..."
+    echo "_sensitive_datas.tar.xz" >> "$GITIGNORE_FILE"
+    echo "✓ Updated $GITIGNORE_FILE with archive exclusion rules"
+else
+    echo "✓ Archive exclusion already present in .gitignore"
+fi
+
+# Step 3: Decrypt the archive
+# ---------------------------
+echo "Decrypting backup archive..."
+
+# Build decryption command based on whether CRYPTOKEN is provided
 DECRYPT=""
 if [ -n "$CRYPTOKEN" ]; then
     DECRYPT="-pass pass:$CRYPTOKEN"
-    echo "Decrypting with 'openssl aes-256-cbc -a -d -md sha256 $DECRYPT -in $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz.enc -out $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz'"
+    echo "Using encryption key for decryption..."
+    echo "Command: openssl enc -${CIPHER_ALGO} -d -pbkdf2 -iter ${PBKDF2_ITERATIONS} $DECRYPT -in $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz.enc -out $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz"
+else
+    echo "No encryption key provided - attempting unencrypted restore..."
+fi
+
+# Perform the decryption
+openssl enc -${CIPHER_ALGO} -d -pbkdf2 -iter ${PBKDF2_ITERATIONS} $DECRYPT \
+    -in $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz.enc \
+    -out $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz
+
+# Check if decryption was successful
+if [ $? -ne 0 ]; then
+    echo "ERROR: Decryption failed!"
+    echo "Possible causes:"
+    echo "  - Wrong encryption key (CRYPTOKEN)"
+    echo "  - Corrupted backup file"
+    echo "  - File not found: $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz.enc"
+    exit 1
+fi
+
+# Step 4: Verify archive integrity
+# ----------------------------------
+echo "Verifying archive integrity..."
+if [ -f "$PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz.sha256" ]; then
+    EXPECTED_HASH=$(cat "$PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz.sha256")
+    ACTUAL_HASH=$(sha256sum "$PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz" | cut -d' ' -f1)
+    
+    if [ "$EXPECTED_HASH" != "$ACTUAL_HASH" ]; then
+        echo "⚠️  WARNING: Archive integrity check FAILED!"
+        echo "Expected: $EXPECTED_HASH"
+        echo "Actual:   $ACTUAL_HASH"
+        echo "The archive may be corrupted. Proceed with caution!"
+    else
+        echo "✓ Archive integrity verified"
+    fi
 else
-    DECRYPT=""
+    echo "⚠️  WARNING: No integrity hash file found. Cannot verify archive integrity."
 fi
-openssl aes-256-cbc -a -d -md sha256 $DECRYPT -in $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz.enc -out $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz
-#2-show content
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++"
-echo "_sensitive_datas/_sensitive_datas.tar.xz contains:"
+
+# Step 5: Display archive contents
+# --------------------------------
+echo ""
+echo "=================================================================================="
+echo "✓ Decryption successful! Archive contents:"
+echo "=================================================================================="
 tar -tvJf $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz
-#3 show help
-echo "if you want to restore enter:"
-echo "cd $PROJECT_ROOT && tar -xvJf $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz && rm $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz"
+
+# Step 6: Provide restoration instructions
+# ----------------------------------------
+echo ""
+echo "=================================================================================="
+echo "RESTORATION INSTRUCTIONS"
+echo "=================================================================================="
+echo "To complete the restoration, run these commands manually:"
+echo ""
+echo "  cd $PROJECT_ROOT"
+echo "  tar -xvJf $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz"
+echo "  rm $PROJECT_ROOT/_sensitive_datas/_sensitive_datas.tar.xz"
+echo ""
+echo "WARNING: This will overwrite existing files with the same names!"
+echo "=================================================================================="

_sensitive_datas/restore_sensitive_datas

@@ -1,17 +1,169 @@
 #!/bin/bash
-#1-store
+#
+# Copyright (c) 2025 Ronan Le Meillat - SCTG Development
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+# =============================================================================
+# Secure Backup Script for Sensitive Data
+# =============================================================================
+#
+# This script creates an encrypted backup of sensitive project files including:
+# - Environment variables (.env files)
+# - Cloudflare Worker configuration (.wrangler)
+# - VS Code settings and launch configurations
+# - Launch scripts
+#
+# The backup process:
+# 1. Validates required environment variables
+# 2. Creates a compressed tar.xz archive of specified files
+# 3. Calculates SHA256 integrity hash for verification
+# 4. Ensures .gitignore excludes the archive from version control
+# 5. Encrypts the archive using AES-256-CBC with PBKDF2 key derivation
+# 6. Removes the unencrypted archive for security
+#
+# Requirements:
+# - PROJECT_ROOT environment variable must be set
+# - CRYPTOKEN environment variable must be set for encryption
+# - OpenSSL must be installed
+# - tar must be installed
+#
+# Usage:
+#   export PROJECT_ROOT="/path/to/project"
+#   export CRYPTOKEN="your-encryption-key"
+#   ./store_sensitive_datas
+#
+# Output:
+#   _sensitive_datas/_sensitive_datas.tar.xz.enc (encrypted backup)
+# =============================================================================
+
+# Configuration Section
+# ====================
+
+# List of files and directories to include in the backup
+# Uses glob patterns for flexible file matching
+FILES_TO_BACKUP=(
+    ".env"                                           # Environment variables
+    "cloudflare-worker/.wrangler"
+    "cloudflare-worker/.vscode/launch.json"
+    "cloudflare-worker/.vscode/settings.json"
+    client/.vscode/launch.json client/.vscode/settings.json
+    ./launch-* .env                                       # Launch scripts
+)
+
+# .env file is located one level from this script
+# load it
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if [ -f "$SCRIPT_DIR/../.env" ]; then
+    set -a
+    source "$SCRIPT_DIR/../.env"
+    set +a
+fi
+
+# Encryption configuration
+# AES-256-CBC with PBKDF2 provides strong encryption with key derivation
+# Note: AES-GCM would be preferred for authenticated encryption, but may not be
+# supported in all OpenSSL versions. AES-CBC with PBKDF2 is widely compatible.
+CIPHER_ALGO="aes-256-cbc"
+
+# PBKDF2 iterations for key derivation (higher = more secure but slower)
+# 100,000 iterations provides good security while remaining practical
+PBKDF2_ITERATIONS=100000
+
+# =============================================================================
+# Main Script Logic
+# =============================================================================
+
+# Step 1: Validate environment variables
+# --------------------------------------
+if [ -z "${PROJECT_ROOT}" ]; then
+    echo "ERROR: PROJECT_ROOT is empty: $PROJECT_ROOT"
+    echo "Please set PROJECT_ROOT to the project root directory"
+    exit -1
+fi
+
 cd $PROJECT_ROOT
+
 if [ -z "${CRYPTOKEN}" ]; then
-    echo "CRYPTOKEN is empty: $CRYPTOKEN"
+    echo "ERROR: CRYPTOKEN is empty: $CRYPTOKEN"
+    echo "Please set CRYPTOKEN to your encryption passphrase"
     exit -1
 fi
+
+# Step 2: Create compressed archive
+# ---------------------------------
+echo "Creating compressed archive of sensitive files..."
+rm -f _sensitive_datas/_sensitive_datas.tar.xz
 tar -cvJf _sensitive_datas/_sensitive_datas.tar.xz \
-    cloudflare-worker/.wrangler cloudflare-worker/.vscode/launch.json cloudflare-worker/.vscode/settings.json \
-    client/.vscode/launch.json client/.vscode/settings.json \
-    ./launch-* .env
-#2-encrypt
-openssl aes-256-cbc -base64 -md sha256 -pass pass:"$CRYPTOKEN" -in _sensitive_datas/_sensitive_datas.tar.xz -out _sensitive_datas/_sensitive_datas.tar.xz.enc
-#3-delete 
+    "${FILES_TO_BACKUP[@]}"
+
+# Verify archive was created successfully
+if [ -z _sensitive_datas/_sensitive_datas.tar.xz ]; then
+    echo "ERROR: Failed to create archive"
+    exit 1
+fi
+
+# Step 3: Calculate integrity hash
+# -----------------------------------
+echo "Calculating SHA256 integrity hash..."
+ARCHIVE_HASH=$(sha256sum _sensitive_datas/_sensitive_datas.tar.xz | cut -d' ' -f1)
+echo "$ARCHIVE_HASH" > _sensitive_datas/_sensitive_datas.tar.xz.sha256
+echo "✓ Integrity hash saved: $ARCHIVE_HASH"
+
+# Step 4: Ensure .gitignore excludes the archive
+# -----------------------------------------------
+GITIGNORE_FILE="$PROJECT_ROOT/_sensitive_datas/.gitignore"
+if [ ! -f "$GITIGNORE_FILE" ]; then
+    echo "Creating .gitignore file to exclude sensitive archive..."
+    # Ensure the directory exists
+    mkdir -p "$PROJECT_ROOT/_sensitive_datas"
+    echo "_sensitive_datas.tar.xz" > "$GITIGNORE_FILE"
+    echo "✓ Created $GITIGNORE_FILE with archive exclusion rules"
+elif ! grep -q "^_sensitive_datas\.tar\.xz$" "$GITIGNORE_FILE"; then
+    echo "Adding archive exclusion to existing .gitignore..."
+    echo "_sensitive_datas.tar.xz" >> "$GITIGNORE_FILE"
+    echo "✓ Updated $GITIGNORE_FILE with archive exclusion rules"
+else
+    echo "✓ Archive exclusion already present in .gitignore"
+fi
+
+# Step 5: Encrypt the archive
+# ---------------------------
+echo "Encrypting archive with ${CIPHER_ALGO}..."
+openssl enc -${CIPHER_ALGO} -pbkdf2 -iter ${PBKDF2_ITERATIONS} -salt -pass pass:"$CRYPTOKEN" \
+    -in _sensitive_datas/_sensitive_datas.tar.xz \
+    -out _sensitive_datas/_sensitive_datas.tar.xz.enc
+
+# Verify encryption was successful
+if [ $? -ne 0 ]; then
+    echo "ERROR: Encryption failed"
+    # Don't delete the unencrypted file if encryption failed
+    exit 1
+fi
+
+# Step 6: Clean up unencrypted archive
+# ------------------------------------
+echo "Removing unencrypted archive for security..."
 rm _sensitive_datas/_sensitive_datas.tar.xz
 
-echo "CRYPTED with 'openssl aes-256-cbc -base64 -md sha256 -pass pass:\"$CRYPTOKEN\"'"
+# Step 7: Confirmation
+# -------------------
+echo "✓ Backup completed successfully!"
+echo "Encrypted backup saved as: _sensitive_datas/_sensitive_datas.tar.xz.enc"
+echo "Algorithm used: ${CIPHER_ALGO} with PBKDF2 (${PBKDF2_ITERATIONS} iterations)"

_sensitive_datas/store_sensitive_datas

@@ -99,6 +99,9 @@ export default defineConfig({
     "import.meta.env.AMAZON_BASE_URL": JSON.stringify(
       process.env.AMAZON_BASE_URL || "https://www.amazon.fr/gp/your-account/order-details?orderID=",
     ),
+    "import.meta.env.PAYPAL_TRANSACTION_BASE_URL": JSON.stringify(
+      process.env.PAYPAL_TRANSACTION_BASE_URL || "https://www.paypal.com/myaccount/activities/details/",
+    ),
   },
   plugins: [react(), tsconfigPaths(), tailwindcss(), githubPagesSpa()],
   build: {