LOW: OIDC client secret stored in plaintext in user_settings table #84
Labels
No Label
architecture
backend
bug
feature
frontend
priority:critical
priority:high
priority:low
priority:medium
priority:nice-to-have
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/BillTracker#84
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Bug Description
The OIDC client secret is stored in the user_settings table as plaintext (same pattern as SMTP password in #69). It is never returned to clients (oidcService.js:105 comment: server-side only), but it is accessible via direct DB access.
This contrasts with data_sources.encrypted_secret which uses AES-256-GCM encryption.
Affected Files
Recommended Fix
Apply the same encryptionService.encryptSecret/decryptSecret pattern used for SimpleFIN access tokens.
Added getOidcClientSecret() helper — reads from DB, decrypts with fallback to plaintext for any legacy value saved before this fix
Replaced 3 read sites (getOidcConfig, getOidcConfigStatus, buildSubmittedOidcConfig) to use the helper instead of raw getSetting
Line 359: write path now calls encryptSecret(...) before setSetting
db/database.js
Added migration v0.79 — on first startup after deploy, finds any existing plaintext oidc_client_secret in the settings table and encrypts it in place. Safe to run if already encrypted (tries to decrypt first, skips if it succeeds)