feat(security): implement AES-256-GCM encryption for API keys and HMAC-signed session tokens

This commit introduces: - AES-256-GCM encryption for LLM provider API keys in the database. - HMAC-SHA256 signed session tokens with activity-based refresh logic. - Standardized frontend XSS protection using a global escapeHtml utility. - Hardened security headers and request body size limits. - Improved database integrity with foreign key enforcement and atomic transactions. - Integration tests for the full encrypted key storage and proxy usage lifecycle.
2026-03-06 14:17:56 -05:00
parent 149a7c3a29
commit 9b8483e797
28 changed files with 1260 additions and 227 deletions
--- a/src/dashboard/providers.rs
+++ b/src/dashboard/providers.rs
@@ -9,6 +9,7 @@ use std::collections::HashMap;
 use tracing::warn;

 use super::{ApiResponse, DashboardState};
+use crate::utils::crypto;

 #[derive(Deserialize)]
 pub(super) struct UpdateProviderRequest {
@@ -265,21 +266,44 @@ pub(super) async fn handle_update_provider(
    Path(name): Path<String>,
    Json(payload): Json<UpdateProviderRequest>,
 ) -> Json<ApiResponse<serde_json::Value>> {
-    if let Err(e) = super::auth::require_admin(&state, &headers).await {
-        return e;
-    }
+    let (session, _) = match super::auth::require_admin(&state, &headers).await {
+        Ok((session, new_token)) => (session, new_token),
+        Err(e) => return e,
+    };

    let pool = &state.app_state.db_pool;

-    // Update or insert into database (include billing_mode)
+    // Prepare API key encryption if provided
+    let (api_key_to_store, api_key_encrypted_flag) = match &payload.api_key {
+        Some(key) if !key.is_empty() => {
+            match crypto::encrypt(key) {
+                Ok(encrypted) => (Some(encrypted), Some(true)),
+                Err(e) => {
+                    warn!("Failed to encrypt API key for provider {}: {}", name, e);
+                    return Json(ApiResponse::error(format!("Failed to encrypt API key: {}", e)));
+                }
+            }
+        }
+        Some(_) => {
+            // Empty string means clear the key
+            (None, Some(false))
+        }
+        None => {
+            // Keep existing key, we'll rely on COALESCE in SQL
+            (None, None)
+        }
+    };
+
+    // Update or insert into database (include billing_mode and api_key_encrypted)
    let result = sqlx::query(
        r#"
-        INSERT INTO provider_configs (id, display_name, enabled, base_url, api_key, credit_balance, low_credit_threshold, billing_mode)
-        VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+        INSERT INTO provider_configs (id, display_name, enabled, base_url, api_key, api_key_encrypted, credit_balance, low_credit_threshold, billing_mode)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
        ON CONFLICT(id) DO UPDATE SET
            enabled = excluded.enabled,
            base_url = excluded.base_url,
            api_key = COALESCE(excluded.api_key, provider_configs.api_key),
+            api_key_encrypted = COALESCE(excluded.api_key_encrypted, provider_configs.api_key_encrypted),
            credit_balance = COALESCE(excluded.credit_balance, provider_configs.credit_balance),
            low_credit_threshold = COALESCE(excluded.low_credit_threshold, provider_configs.low_credit_threshold),
            billing_mode = COALESCE(excluded.billing_mode, provider_configs.billing_mode),
@@ -290,7 +314,8 @@ pub(super) async fn handle_update_provider(
    .bind(name.to_uppercase())
    .bind(payload.enabled)
    .bind(&payload.base_url)
-    .bind(&payload.api_key)
+    .bind(&api_key_to_store)
+    .bind(api_key_encrypted_flag)
    .bind(payload.credit_balance)
    .bind(payload.low_credit_threshold)
    .bind(payload.billing_mode)