CRITICAL: SMTP password stored in plaintext in SQLite #69
Labels
No Label
architecture
backend
bug
feature
frontend
priority:critical
priority:high
priority:low
priority:medium
priority:nice-to-have
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/BillTracker#69
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Bug Description
The SMTP password (notify_smtp_password) is stored directly in the user_settings table as plaintext. While it is masked (dots) in API GET responses (routes/notifications.js:20), anyone with direct access to the SQLite database file (e.g., via backup extraction or filesystem access) can read the SMTP credentials in cleartext.
This contrasts with the data_sources table, which properly encrypts secrets using AES-256-GCM via encryptionService.
Affected Files
Impact
If the SQLite database is accessed (backup download, filesystem breach), SMTP credentials are immediately exposed. The data_sources.encrypted_secret column demonstrates the correct pattern already exists.
Recommended Fix
0.34.2.1 corrected