The oidc_client_secret was written to app_settings as plaintext, unlike Maps and OpenWeather API keys which are protected with apiKeyCrypto. An attacker with read access to the SQLite file (e.g. via a backup download) could obtain the secret and impersonate the application with the identity provider. - Encrypt on write in PUT /api/admin/oidc via maybe_encrypt_api_key - Decrypt on read in GET /api/admin/oidc and in getOidcConfig() (oidc.ts) before passing the secret to the OIDC client library - Add a startup migration that encrypts any existing plaintext value already present in the database |
||
|---|---|---|
| .. | ||
| database.ts | ||
| migrations.ts | ||
| schema.ts | ||
| seeds.ts | ||