feat: implement encryption for sensitive fields in volume backends

2025-12-10 12:10:51 +01:00 · 2025-12-04 00:04:26 +01:00
parent 7ff38f0128
commit f6b8e7e5a2
4 changed files with 40 additions and 5 deletions
--- a/app/server/modules/volumes/volume.service.ts
+++ b/app/server/modules/volumes/volume.service.ts
@@ -8,6 +8,7 @@ import slugify from "slugify";
 import { getCapabilities } from "../../core/capabilities";
 import { db } from "../../db/db";
 import { volumesTable } from "../../db/schema";
+import { cryptoUtils } from "../../utils/crypto";
 import { toMessage } from "../../utils/errors";
 import { generateShortId } from "../../utils/id";
 import { getStatFs, type StatFs } from "../../utils/mountinfo";
@@ -19,6 +20,23 @@ import { logger } from "../../utils/logger";
 import { serverEvents } from "../../core/events";
 import type { BackendConfig } from "~/schemas/volumes";

+async function encryptSensitiveFields(config: BackendConfig): Promise<BackendConfig> {
+	switch (config.backend) {
+		case "smb":
+			return {
+				...config,
+				password: await cryptoUtils.encrypt(config.password),
+			};
+		case "webdav":
+			return {
+				...config,
+				password: config.password ? await cryptoUtils.encrypt(config.password) : undefined,
+			};
+		default:
+			return config;
+	}
+}
+
 const listVolumes = async () => {
 	const volumes = await db.query.volumesTable.findMany({});

@@ -37,13 +55,14 @@ const createVolume = async (name: string, backendConfig: BackendConfig) => {
 	}

 	const shortId = generateShortId();
+	const encryptedConfig = await encryptSensitiveFields(backendConfig);

 	const [created] = await db
 		.insert(volumesTable)
 		.values({
 			shortId,
 			name: slug,
-			config: backendConfig,
+			config: encryptedConfig,
 			type: backendConfig.backend,
 		})
 		.returning();
@@ -175,11 +194,13 @@ const updateVolume = async (name: string, volumeData: UpdateVolumeBody) => {
 		await backend.unmount();
 	}

+	const encryptedConfig = volumeData.config ? await encryptSensitiveFields(volumeData.config) : undefined;
+
 	const [updated] = await db
 		.update(volumesTable)
 		.set({
 			name: newName,
-			config: volumeData.config,
+			config: encryptedConfig,
 			type: volumeData.config?.backend,
 			autoRemount: volumeData.autoRemount,
 			updatedAt: Date.now(),