The oidc_client_secret was written to app_settings as plaintext, unlike Maps and OpenWeather API keys which are protected with apiKeyCrypto. An attacker with read access to the SQLite file (e.g. via a backup download) could obtain the secret and impersonate the application with the identity provider. - Encrypt on write in PUT /api/admin/oidc via maybe_encrypt_api_key - Decrypt on read in GET /api/admin/oidc and in getOidcConfig() (oidc.ts) before passing the secret to the OIDC client library - Add a startup migration that encrypts any existing plaintext value already present in the database |
||
|---|---|---|
| .. | ||
| public | ||
| src | ||
| .env.example | ||
| package-lock.json | ||
| package.json | ||
| reset-admin.js | ||
| tsconfig.json | ||