Move encrypt/decrypt closer to the data layer

DreamExposure · Oct 2, 2023 · c4b4b1a · c4b4b1a
1 parent 78e9bcf
commit c4b4b1a
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 25 deletions.
diff --git a/cam/src/main/kotlin/org/dreamexposure/discal/cam/google/GoogleAuth.kt b/cam/src/main/kotlin/org/dreamexposure/discal/cam/google/GoogleAuth.kt
@@ -12,7 +12,6 @@ import org.dreamexposure.discal.cam.json.google.RefreshData
 import org.dreamexposure.discal.core.business.CalendarService
 import org.dreamexposure.discal.core.business.CredentialService
 import org.dreamexposure.discal.core.config.Config
-import org.dreamexposure.discal.core.crypto.AESEncryption
 import org.dreamexposure.discal.core.exceptions.AccessRevokedException
 import org.dreamexposure.discal.core.exceptions.EmptyNotAllowedException
 import org.dreamexposure.discal.core.exceptions.NotFoundException
@@ -36,37 +35,33 @@ class GoogleAuth(
 ) {
 
     suspend fun requestNewAccessToken(calendar: Calendar): CredentialData? {
-        val aes = AESEncryption(calendar.secrets.privateKey)
-        if (!calendar.secrets.expiresAt.isExpiredTtl()) {
-            return aes.decrypt(calendar.secrets.encryptedAccessToken)
-                .map { CredentialData(it, calendar.secrets.expiresAt) }
-                .awaitSingle()
-        }
-        LOGGER.debug("Refreshing access token | guildId:{} | calendar:{}", calendar.guildId, calendar.number)
+        if (!calendar.secrets.expiresAt.isExpiredTtl()) return CredentialData(calendar.secrets.accessToken, calendar.secrets.expiresAt)
 
-        val refreshToken = aes.decrypt(calendar.secrets.encryptedRefreshToken).awaitSingle()
-        val refreshedCredential = doAccessTokenRequest(refreshToken) ?: return null
+        LOGGER.debug("Refreshing access token | guildId:{} | calendar:{}", calendar.guildId, calendar.number)
 
+        val refreshedCredential = doAccessTokenRequest(calendar.secrets.refreshToken) ?: return null
+        calendar.secrets.accessToken = refreshedCredential.accessToken
         calendar.secrets.expiresAt = refreshedCredential.validUntil.minus(Duration.ofMinutes(5)) // Add some wiggle room
-        calendar.secrets.encryptedAccessToken = aes.encrypt(refreshedCredential.accessToken).awaitSingle()
-
         calendarService.updateCalendar(calendar)
 
+        LOGGER.debug("Refreshing access token | guildId:{} | calendar:{}", calendar.guildId, calendar.number)
+
         return refreshedCredential
     }
 
     suspend fun requestNewAccessToken(credentialId: Int): CredentialData {
         val credential = credentialService.getCredential(credentialId) ?: throw NotFoundException()
         if (!credential.expiresAt.isExpiredTtl()) return CredentialData(credential.accessToken, credential.expiresAt)
 
-
         LOGGER.debug("Refreshing access token | credentialId:$credentialId")
 
         val refreshedCredentialData = doAccessTokenRequest(credential.refreshToken) ?: throw EmptyNotAllowedException()
         credential.accessToken = refreshedCredentialData.accessToken
         credential.expiresAt = refreshedCredentialData.validUntil.minus(Duration.ofMinutes(5)) // Add some wiggle room
         credentialService.updateCredential(credential)
 
+        LOGGER.debug("Refreshed access token | credentialId:{} | validUntil{}", credentialId, credential.expiresAt)
+
         return refreshedCredentialData
     }
 

diff --git a/core/src/main/kotlin/org/dreamexposure/discal/core/business/CalendarService.kt b/core/src/main/kotlin/org/dreamexposure/discal/core/business/CalendarService.kt
@@ -4,6 +4,7 @@ import discord4j.common.util.Snowflake
 import kotlinx.coroutines.reactor.awaitSingle
 import kotlinx.coroutines.reactor.awaitSingleOrNull
 import org.dreamexposure.discal.CalendarCache
+import org.dreamexposure.discal.core.crypto.AESEncryption
 import org.dreamexposure.discal.core.database.CalendarRepository
 import org.dreamexposure.discal.core.`object`.new.Calendar
 import org.springframework.stereotype.Component
@@ -31,6 +32,10 @@ class DefaultCalendarService(
     }
 
     override suspend fun updateCalendar(calendar: Calendar) {
+        val aes = AESEncryption(calendar.secrets.privateKey)
+        val encryptedRefreshToken = aes.encrypt(calendar.secrets.refreshToken).awaitSingle()
+        val encryptedAccessToken = aes.encrypt(calendar.secrets.accessToken).awaitSingle()
+
         calendarRepository.updateCalendarByGuildIdAndCalendarNumber(
             guildId = calendar.guildId.asLong(),
             calendarNumber = calendar.number,
@@ -40,8 +45,8 @@ class DefaultCalendarService(
             external = calendar.external,
             credentialId = calendar.secrets.credentialId,
             privateKey = calendar.secrets.privateKey,
-            accessToken = calendar.secrets.encryptedAccessToken,
-            refreshToken = calendar.secrets.encryptedRefreshToken,
+            accessToken = encryptedAccessToken,
+            refreshToken = encryptedRefreshToken,
             expiresAt = calendar.secrets.expiresAt.toEpochMilli(),
         ).awaitSingleOrNull()
 

diff --git a/core/src/main/kotlin/org/dreamexposure/discal/core/object/new/Calendar.kt b/core/src/main/kotlin/org/dreamexposure/discal/core/object/new/Calendar.kt
@@ -1,6 +1,8 @@
 package org.dreamexposure.discal.core.`object`.new
 
 import discord4j.common.util.Snowflake
+import kotlinx.coroutines.reactor.awaitSingle
+import org.dreamexposure.discal.core.crypto.AESEncryption
 import org.dreamexposure.discal.core.database.CalendarData
 import org.dreamexposure.discal.core.enums.calendar.CalendarHost
 import org.dreamexposure.discal.core.extensions.asInstantMilli
@@ -23,20 +25,27 @@ data class Calendar(
         id = data.calendarId,
         address = data.calendarAddress,
         external = data.external,
-        secrets = Secrets(
-            credentialId = data.credentialId,
-            privateKey = data.privateKey,
-            encryptedRefreshToken = data.refreshToken,
-            encryptedAccessToken = data.accessToken,
-            expiresAt = data.expiresAt.asInstantMilli(),
-        )
+        secrets = Secrets(data)
     )
 
     data class Secrets(
         val credentialId: Int,
         val privateKey: String,
-        val encryptedRefreshToken: String, // TODO: Secrets should be unencrypted immediately before/after Db write/read respectively
-        var encryptedAccessToken: String, // TODO: Secrets should be unencrypted immediately before/after Db write/read respectively
         var expiresAt: Instant,
-    )
+    ) {
+        lateinit var refreshToken: String
+        lateinit var accessToken: String
+
+        constructor(data: CalendarData) : this(
+            credentialId = data.credentialId,
+            privateKey = data.privateKey,
+            expiresAt = data.expiresAt.asInstantMilli()
+        ) {
+            suspend {
+                val aes = AESEncryption(privateKey)
+                refreshToken = aes.decrypt(data.refreshToken).awaitSingle()
+                accessToken = aes.decrypt(data.accessToken).awaitSingle()
+            }
+        }
+    }
 }