MultiUsers: encrypt API key (#941)

This will make it so that we can safely look up the user by API key
without the risk of timing attacks.

Author: mockdeep

.env.development

@@ -1,2 +1,7 @@
-# use `rails secret` to generate this for production
+# you can use `rails secret` to generate this for production
 SECRET_KEY_BASE=dev_secret
+
+# you can use `rails db:encryption:init` to generate these for production
+ENCRYPTION_PRIMARY_KEY=dev_primary_key
+ENCRYPTION_DETERMINISTIC_KEY=dev_deterministic_key
+ENCRYPTION_KEY_DERIVATION_SALT=dev_derivation_salt

.env.test

@@ -1,2 +1,7 @@
-# use `rails secret` to generate this for production
+# you can use `rails secret` to generate this for production
 SECRET_KEY_BASE=test_secret
+
+# you can use `rails db:encryption:init` to generate these for production
+ENCRYPTION_PRIMARY_KEY=test_primary_key
+ENCRYPTION_DETERMINISTIC_KEY=test_deterministic_key
+ENCRYPTION_KEY_DERIVATION_SALT=test_derivation_salt

app.json

@@ -16,6 +16,18 @@
       "description": "Secret key used by rails for encryption",
       "generator": "secret"
     },
+    "ENCRYPTION_PRIMARY_KEY": {
+      "description": "Secret key used by rails for encryption",
+      "generator": "secret"
+    },
+    "ENCRYPTION_DETERMINISTIC_KEY": {
+      "description": "Secret key used by rails for encryption",
+      "generator": "secret"
+    },
+    "ENCRYPTION_KEY_DERIVATION_SALT": {
+      "description": "Secret key used by rails for encryption",
+      "generator": "secret"
+    },
     "LOCALE": {
       "description": "Specify the translation locale you wish to use",
       "value": "en"

app/models/user.rb

@@ -6,6 +6,8 @@ class User < ApplicationRecord
   has_secure_password
   has_secure_token :api_key
 
+  encrypts :api_key, deterministic: true
+
   has_many :feeds, dependent: :delete_all
   has_many :groups, dependent: :delete_all
 

config/application.rb

@@ -39,5 +39,12 @@ class Application < Rails::Application
     config.generators.system_tests = nil
 
     config.active_record.belongs_to_required_by_default = false
+
+    config.active_record.encryption.primary_key =
+      ENV.fetch("ENCRYPTION_PRIMARY_KEY")
+    config.active_record.encryption.deterministic_key =
+      ENV.fetch("ENCRYPTION_DETERMINISTIC_KEY")
+    config.active_record.encryption.key_derivation_salt =
+      ENV.fetch("ENCRYPTION_KEY_DERIVATION_SALT")
   end
 end

config/initializers/dotenv.rb

@@ -1,3 +1,8 @@
 # frozen_string_literal: true
 
-Dotenv.require_keys("SECRET_KEY_BASE")
+Dotenv.require_keys(
+  "SECRET_KEY_BASE",
+  "ENCRYPTION_PRIMARY_KEY",
+  "ENCRYPTION_DETERMINISTIC_KEY",
+  "ENCRYPTION_KEY_DERIVATION_SALT"
+)

db/migrate/20230301024452_encrypt_api_key.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class EncryptAPIKey < ActiveRecord::Migration[7.0]
+  def change
+    ActiveRecord::Encryption.config.support_unencrypted_data = true
+
+    User.find_each do |user|
+      user.regenerate_api_key if user.api_key.blank?
+      user.encrypt
+    end
+
+    ActiveRecord::Encryption.config.support_unencrypted_data = false
+
+    change_column_null :users, :api_key, false
+    add_index :users, :api_key, unique: true
+  end
+end

db/schema.rb

@@ -19,6 +19,9 @@ services:
     ports:
       - 80:8080
     environment:
-      - SECRET_KEY_BASE=YOUR_SECRET_KEY_BASE
+      - SECRET_KEY_BASE=<your configuration>
+      - ENCRYPTION_PRIMARY_KEY<your configuration>
+      - ENCRYPTION_DETERMINISTIC_KEY=<your configuration>
+      - ENCRYPTION_KEY_DERIVATION_SALT=<your configuration>
       - PORT=8080
       - DATABASE_URL=postgres://db_user:super_secret_password@postgres:5432/stringer

docker-compose.yml

@@ -2,10 +2,15 @@
 git clone [email protected]:stringer-rss/stringer.git
 cd stringer
 heroku create
+
+heroku config:set SECRET_KEY_BASE=`openssl rand -hex 64`
+heroku config:set ENCRYPTION_PRIMARY_KEY=`openssl rand -hex 64`
+heroku config:set ENCRYPTION_DETERMINISTIC_KEY=`openssl rand -hex 64`
+heroku config:set ENCRYPTION_KEY_DERIVATION_SALT=`openssl rand -hex 64`
+
 git push heroku main
 
 heroku config:set APP_URL=`heroku apps:info --shell | grep web_url | cut -d= -f2`
-heroku config:set SECRET_KEY_BASE=`openssl rand -hex 64`
 
 heroku run rake db:migrate
 heroku restart

docs/Heroku.md

@@ -32,10 +32,13 @@ Deploying into OpenShift
     chmod +x .openshift/action_hooks/deploy
  ```
 
-5. Set the SECRET_KEY_BASE as a rhc environment variable by generating it with the command below.
+5. Set the environment variables by generating them with the commands below.
 
  ```sh
     rhc env set SECRET_KEY_BASE="`openssl rand -hex 64`"
+    rhc env set ENCRYPTION_PRIMARY_KEY="`openssl rand -hex 64`"
+    rhc env set ENCRYPTION_DETERMINISTIC_KEY="`openssl rand -hex 64`"
+    rhc env set ENCRYPTION_KEY_DERIVATION_SALT="`openssl rand -hex 64`"
  ```
 
 6. Configuration of the database server is next. Open the file config/database.yml and add in the configuration for Production as shown below. OpenShift is able to use environment variables to push the information into the application.

docs/OpenShift.md

@@ -93,6 +93,9 @@ Stringer uses environment variables to configure the application. Edit these val
     echo 'export RACK_ENV="production"' >> $HOME/.bash_profile
     echo 'export RAILS_ENV="production"' >> $HOME/.bash_profile
     echo "export SECRET_KEY_BASE=`openssl rand -hex 64`" >> $HOME/.bash_profile
+    echo "export ENCRYPTION_PRIMARY_KEY=`openssl rand -hex 64`" >> $HOME/.bash_profile
+    echo "export ENCRYPTION_DETERMINISTIC_KEY=`openssl rand -hex 64`" >> $HOME/.bash_profile
+    echo "export ENCRYPTION_KEY_DERIVATION_SALT=`openssl rand -hex 64`" >> $HOME/.bash_profile
     source ~/.bash_profile
 
 Tell stringer to run the database in production mode, using the `postgres` database you created earlier.

docs/VPS.md

@@ -37,6 +37,9 @@ docker run --detach \
     -e PORT=8080 \
     -e DATABASE_URL=postgres://postgres:myPassword@stringer-postgres/stringer \
     -e SECRET_KEY_BASE=$(openssl rand -hex 64) \
+    -e ENCRYPTION_PRIMARY_KEY=$(openssl rand -hex 64) \
+    -e ENCRYPTION_DETERMINISTIC_KEY=$(openssl rand -hex 64) \
+    -e ENCRYPTION_KEY_DERIVATION_SALT=$(openssl rand -hex 64) \
     -e FETCH_FEEDS_CRON="*/5 * * * *" \ # optional
     -e CLEANUP_CRON="0 0 * * *" \ # optional
     -p 127.0.0.1:8080:8080 \