feat(security): implement AES-256-GCM encryption for API keys and HMAC-signed session tokens

This commit introduces: - AES-256-GCM encryption for LLM provider API keys in the database. - HMAC-SHA256 signed session tokens with activity-based refresh logic. - Standardized frontend XSS protection using a global escapeHtml utility. - Hardened security headers and request body size limits. - Improved database integrity with foreign key enforcement and atomic transactions. - Integration tests for the full encrypted key storage and proxy usage lifecycle.
2026-03-06 14:17:56 -05:00
parent 149a7c3a29
commit 9b8483e797
28 changed files with 1260 additions and 227 deletions
--- a/src/providers/mod.rs
+++ b/src/providers/mod.rs
@@ -7,6 +7,7 @@ use std::sync::Arc;
 use crate::errors::AppError;
 use crate::models::UnifiedRequest;

+
 pub mod deepseek;
 pub mod gemini;
 pub mod grok;
@@ -125,17 +126,35 @@ impl ProviderManager {
        db_pool: &crate::database::DbPool,
    ) -> Result<()> {
        // Load override from database
-        let db_config = sqlx::query("SELECT enabled, base_url, api_key FROM provider_configs WHERE id = ?")
+        let db_config = sqlx::query("SELECT enabled, base_url, api_key, api_key_encrypted FROM provider_configs WHERE id = ?")
            .bind(name)
            .fetch_optional(db_pool)
            .await?;

        let (enabled, base_url, api_key) = if let Some(row) = db_config {
-            (
-                row.get::<bool, _>("enabled"),
-                row.get::<Option<String>, _>("base_url"),
-                row.get::<Option<String>, _>("api_key"),
-            )
+            let enabled = row.get::<bool, _>("enabled");
+            let base_url = row.get::<Option<String>, _>("base_url");
+            let api_key_encrypted = row.get::<bool, _>("api_key_encrypted");
+            let api_key = row.get::<Option<String>, _>("api_key");
+            // Decrypt API key if encrypted
+            let api_key = match (api_key, api_key_encrypted) {
+                (Some(key), true) => {
+                    match crate::utils::crypto::decrypt(&key) {
+                        Ok(decrypted) => Some(decrypted),
+                        Err(e) => {
+                            tracing::error!("Failed to decrypt API key for provider {}: {}", name, e);
+                            None
+                        }
+                    }
+                }
+                (Some(key), false) => {
+                    // Plaintext key - optionally encrypt and update database (lazy migration)
+                    // For now, just use plaintext
+                    Some(key)
+                }
+                (None, _) => None,
+            };
+            (enabled, base_url, api_key)
        } else {
            // No database override, use defaults from AppConfig
            match name {