LOW: OIDC client secret stored in plaintext in user_settings table #84

Closed
opened 2026-05-31 12:04:12 -05:00 by null · 1 comment
Owner

Bug Description

The OIDC client secret is stored in the user_settings table as plaintext (same pattern as SMTP password in #69). It is never returned to clients (oidcService.js:105 comment: server-side only), but it is accessible via direct DB access.

This contrasts with data_sources.encrypted_secret which uses AES-256-GCM encryption.

Affected Files

  • services/oidcService.js:93,119,222,232

Recommended Fix

Apply the same encryptionService.encryptSecret/decryptSecret pattern used for SimpleFIN access tokens.

null added the backend, priority:low labels 2026-05-31 12:04:12 -05:00
Author
Owner

  • Added getOidcClientSecret() helper — reads from DB, decrypts with fallback to plaintext for any legacy value saved before this fix
  • Replaced 3 read sites (getOidcConfig, getOidcConfigStatus, buildSubmittedOidcConfig) to use the helper instead of raw getSetting
  • Line 359: write path now calls encryptSecret(...) before setSetting

db/database.js

  • Added migration v0.79 — on first startup after deploy, finds any existing plaintext oidc_client_secret in the settings table and encrypts it in place. Safe to run if already encrypted (tries to decrypt first, skips if it succeeds)

null closed this issue 2026-06-03 19:57:48 -05:00
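
The read fallback and decrypt-first migration described in the comment above, as an added sketch that is not BillTracker's code. The stored format, the demo key, the bodies of encryptSecret/decryptSecret, and the names readClientSecret and migrateClientSecret are assumptions; a Map stands in for the settings table.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; a real deployment loads 32 bytes from outside the database.
const KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();

// AES-256-GCM; stored form is base64(iv).base64(tag).base64(ciphertext) (assumed layout).
function encryptSecret(plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Throws if the value is not in the stored form or fails GCM authentication.
function decryptSecret(stored) {
  const parts = String(stored).split('.');
  if (parts.length !== 3) throw new Error('not an encrypted value');
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, 'base64'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('not an encrypted value');
  const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Read path: decrypt, falling back to the raw value for legacy plaintext rows.
function readClientSecret(settings) {
  const raw = settings.get('oidc_client_secret');
  if (raw == null) return null;
  try { return decryptSecret(raw); } catch { return raw; }
}

// Migration: encrypt in place only when the current value does not decrypt.
function migrateClientSecret(settings) {
  const raw = settings.get('oidc_client_secret');
  if (raw == null) return 'absent';
  try { decryptSecret(raw); return 'skipped'; } catch { /* legacy plaintext */ }
  settings.set('oidc_client_secret', encryptSecret(raw));
  return 'encrypted';
}
```

In this sketch, decrypt-then-fallback cannot tell legacy plaintext from a ciphertext that fails authentication (wrong key or a modified row); both take the fallback branch, so the fallback is worth removing once the migration has run everywhere.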
Reference: null/BillTracker#84