v0.6.8: security hardening

- Hash API keys with SHA-256 before storing (was plaintext)
- Encrypt workspace aiApiKey with AES-256-GCM at rest
- Remove API key from localStorage; web UI uses session cookie only
- Add per-email rate limiting on magic-link endpoints (3/min)
- Switch docker-compose DB credentials to env var substitution
- Fix www redirect to use req.protocol instead of raw XFF header
- Remove unsafe-eval from Swagger CSP
- Gate debug startup logging behind NODE_ENV !== production
- Strip internal state (dbConnected) from public health endpoint
- Add SRI hash to Seline analytics script

Author: dantelex

.env.example

@@ -0,0 +1,15 @@
+# Docker Compose environment variables
+# Copy this file to .env and fill in values before running docker-compose up.
+# .env is gitignored — never commit it with real credentials.
+
+# PostgreSQL credentials (used by docker-compose for the postgres service and api service)
+# POSTGRES_USER defaults to "privateconnect" if not set.
+POSTGRES_USER=privateconnect
+
+# POSTGRES_PASSWORD is required — docker-compose will refuse to start without it.
+# Use a strong, randomly generated value in any shared or production environment.
+# Generate one with: openssl rand -base64 32
+POSTGRES_PASSWORD=
+
+# POSTGRES_DB defaults to "privateconnect" if not set.
+POSTGRES_DB=privateconnect

apps/api/.env.example

@@ -20,6 +20,13 @@ EMAIL_FROM="Private Connect <noreply@yourdomain.com>"
 # Public URL for magic links
 APP_URL="https://yourdomain.com"
 
+# ============================================
+# Field-level encryption key (required for AI API key storage)
+# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+# Must be exactly 64 hex characters (32 bytes). Keep this secret and back it up.
+# ============================================
+FIELD_ENCRYPTION_KEY=
+
 # ============================================
 # Ask LLM settings (for /ask page)
 # ============================================

apps/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "api",
-  "version": "0.6.4",
+  "version": "0.6.8",
   "private": true,
   "scripts": {
     "dev": "nest start --watch",

apps/api/prisma/migrations/20260304_hash_api_keys/migration.sql

@@ -0,0 +1,19 @@
+-- Migration: Hash API keys
+-- Replaces the plaintext `key` column with a SHA-256 `keyHash` column.
+-- The raw key is never stored after this migration.
+
+-- Step 1: Add the new keyHash column (nullable initially so we can backfill)
+ALTER TABLE "ApiKey" ADD COLUMN "keyHash" TEXT;
+
+-- Step 2: Backfill keyHash for all existing rows by hashing the plaintext key.
+-- encode(digest(key, 'sha256'), 'hex') uses the pgcrypto extension.
+-- If pgcrypto is not available, run: CREATE EXTENSION IF NOT EXISTS pgcrypto;
+CREATE EXTENSION IF NOT EXISTS pgcrypto;
+UPDATE "ApiKey" SET "keyHash" = encode(digest("key", 'sha256'), 'hex');
+
+-- Step 3: Make keyHash NOT NULL and add the unique constraint
+ALTER TABLE "ApiKey" ALTER COLUMN "keyHash" SET NOT NULL;
+CREATE UNIQUE INDEX "ApiKey_keyHash_key" ON "ApiKey"("keyHash");
+
+-- Step 4: Drop the old plaintext key column
+ALTER TABLE "ApiKey" DROP COLUMN "key";

apps/api/prisma/schema.prisma

@@ -62,7 +62,7 @@ model Workspace {
   // AI Copilot settings (workspace-level defaults)
   aiProvider    String?   // ollama | openai | anthropic
   aiModel       String?   // Model name (e.g., llama3, gpt-4o, claude-sonnet)
-  aiApiKey      String?   // Encrypted API key for cloud providers
+  aiApiKey      String?   // AES-256-GCM encrypted API key for cloud providers (see encryptField/decryptField in security.ts)
   aiAutoAnalyze Boolean   @default(false) // Auto-analyze errors
   aiOllamaUrl   String?   // Custom Ollama URL (default: http://localhost:11434)
   
@@ -78,8 +78,8 @@ model ApiKey {
   id               String    @id @default(uuid())
   workspaceId      String
   name             String
-  key              String    @unique
-  keyPrefix        String    // First 8 chars for display (pc_xxxxxxxx...)
+  keyHash          String    @unique  // SHA-256 hash of the key (never store plaintext)
+  keyPrefix        String    // First 11 chars for display (pc_xxxxxxxx...)
   allowedIpRanges  String[]  // CIDR ranges: ["10.0.0.0/8", "192.168.1.0/24"]
   createdAt        DateTime  @default(now())
   lastUsedAt       DateTime?

apps/api/src/agents/agents.service.ts

@@ -340,10 +340,11 @@ export class AgentsService {
   }
 
   async validateWorkspaceApiKey(apiKey: string, clientIp?: string) {
+    const keyHash = createHash('sha256').update(apiKey).digest('hex');
     // Use withoutRls() for API key validation - we don't know the workspace yet
     const key = await this.prisma.withoutRls(() =>
       this.prisma.apiKey.findUnique({
-        where: { key: apiKey },
+        where: { keyHash },
         include: { workspace: true },
       })
     );

apps/api/src/ai/ai.service.ts

@@ -1,6 +1,6 @@
 import { Injectable } from '@nestjs/common';
 import { PrismaService } from '../prisma/prisma.service';
-import { SecureLogger } from '../common/security';
+import { SecureLogger, encryptField, decryptField } from '../common/security';
 
 export interface AIConfig {
   provider: 'ollama' | 'openai' | 'anthropic';
@@ -66,7 +66,7 @@ export class AIService {
     return {
       provider: workspace.aiProvider as AIConfig['provider'],
       model: workspace.aiModel || this.getDefaultModel(workspace.aiProvider),
-      apiKey: workspace.aiApiKey || undefined,
+      apiKey: workspace.aiApiKey ? decryptField(workspace.aiApiKey) : undefined,
       ollamaUrl: workspace.aiOllamaUrl || this.defaultOllamaUrl,
     };
   }
@@ -80,7 +80,7 @@ export class AIService {
       data: {
         aiProvider: config.provider,
         aiModel: config.model,
-        aiApiKey: config.apiKey,
+        aiApiKey: config.apiKey != null ? encryptField(config.apiKey) : config.apiKey,
         aiOllamaUrl: config.ollamaUrl,
       },
     });

apps/api/src/api-keys/api-keys.service.ts

@@ -1,8 +1,12 @@
 import { Injectable, NotFoundException, ForbiddenException, ConflictException } from '@nestjs/common';
 import { PrismaService } from '../prisma/prisma.service';
-import { randomBytes } from 'crypto';
+import { randomBytes, createHash } from 'crypto';
 import { Prisma } from '@prisma/client';
 
+function hashApiKey(key: string): string {
+  return createHash('sha256').update(key).digest('hex');
+}
+
 @Injectable()
 export class ApiKeysService {
   constructor(private prisma: PrismaService) {}
@@ -17,13 +21,14 @@ export class ApiKeysService {
   }> {
     const key = `pc_${randomBytes(24).toString('hex')}`;
     const keyPrefix = key.slice(0, 11); // "pc_" + first 8 chars
+    const keyHash = hashApiKey(key);
 
     try {
       const apiKey = await this.prisma.apiKey.create({
         data: {
           workspaceId,
           name: name.trim(),
-          key,
+          keyHash,
           keyPrefix,
         },
       });
@@ -91,10 +96,11 @@ export class ApiKeysService {
 
   // Validate an API key and return the workspace
   async validateApiKey(key: string) {
+    const keyHash = hashApiKey(key);
     // Use withoutRls() for API key validation - we don't know the workspace yet
     const apiKey = await this.prisma.withoutRls(() =>
       this.prisma.apiKey.findUnique({
-        where: { key },
+        where: { keyHash },
         include: { workspace: true },
       })
     );

apps/api/src/auth/api-key.guard.ts

@@ -1,6 +1,11 @@
 import { Injectable, CanActivate, ExecutionContext, UnauthorizedException, ForbiddenException } from '@nestjs/common';
+import { createHash } from 'crypto';
 import { PrismaService } from '../prisma/prisma.service';
 
+function hashApiKey(key: string): string {
+  return createHash('sha256').update(key).digest('hex');
+}
+
 /**
  * Check if an IP address matches a CIDR range
  * Supports IPv4 only for now
@@ -69,7 +74,7 @@ export class ApiKeyGuard implements CanActivate {
     // Use withoutRls() because we don't know the workspace yet - we're authenticating
     const key = await this.prisma.withoutRls(() =>
       this.prisma.apiKey.findUnique({
-        where: { key: apiKey },
+        where: { keyHash: hashApiKey(apiKey) },
         include: { workspace: true },
       })
     );

apps/api/src/auth/auth.controller.ts

@@ -3,7 +3,7 @@ import { ApiTags, ApiOperation, ApiResponse, ApiBody } from '@nestjs/swagger';
 import { ThrottlerGuard, Throttle } from '@nestjs/throttler';
 import { Request, Response } from 'express';
 import { AuthService } from './auth.service';
-import { authRateLimiter } from '../common/rate-limiter';
+import { authRateLimiter, authEmailRateLimiter } from '../common/rate-limiter';
 
 interface RegisterDto {
   email: string;
@@ -51,6 +51,16 @@ export class AuthController {
     if (!body.email || !body.workspaceName) {
       throw new UnauthorizedException('Email and workspace name are required');
     }
+
+    // Rate limit by email address to prevent magic-link spam to a target inbox
+    const normalizedEmail = body.email.toLowerCase().trim();
+    if (!authEmailRateLimiter.isAllowed(`register-email:${normalizedEmail}`)) {
+      throw new HttpException(
+        { error: 'Too many requests', message: 'Please wait before trying again.', retryAfter: authEmailRateLimiter.getResetTime(`register-email:${normalizedEmail}`) },
+        HttpStatus.TOO_MANY_REQUESTS,
+      );
+    }
+
     return this.authService.register(body.email, body.workspaceName);
   }
 
@@ -85,6 +95,16 @@ export class AuthController {
     if (!body.email) {
       throw new UnauthorizedException('Email is required');
     }
+
+    // Rate limit by email address to prevent magic-link spam to a target inbox
+    const normalizedEmail = body.email.toLowerCase().trim();
+    if (!authEmailRateLimiter.isAllowed(`login-email:${normalizedEmail}`)) {
+      throw new HttpException(
+        { error: 'Too many requests', message: 'Please wait before trying again.', retryAfter: authEmailRateLimiter.getResetTime(`login-email:${normalizedEmail}`) },
+        HttpStatus.TOO_MANY_REQUESTS,
+      );
+    }
+
     return this.authService.login(body.email);
   }