Trek_CN/server/src/db
jubnl bba50f038b
fix: encrypt OIDC client secret at rest using AES-256-GCM
The oidc_client_secret was written to app_settings as plaintext,
unlike Maps and OpenWeather API keys which are protected with
apiKeyCrypto. An attacker with read access to the SQLite file
(e.g. via a backup download) could obtain the secret and
impersonate the application with the identity provider.

- Encrypt on write in PUT /api/admin/oidc via maybe_encrypt_api_key
- Decrypt on read in GET /api/admin/oidc and in getOidcConfig()
  (oidc.ts) before passing the secret to the OIDC client library
- Add a startup migration that encrypts any existing plaintext value
  already present in the database
2026-04-01 07:56:29 +02:00
..
database.ts fix: route db helper functions through the null-safe proxy 2026-04-01 07:56:01 +02:00
migrations.ts fix: encrypt OIDC client secret at rest using AES-256-GCM 2026-04-01 07:56:29 +02:00
schema.ts feat: configurable trip reminders, admin full access, and enhanced audit logging 2026-03-31 22:23:38 +03:00
seeds.ts feat: configurable trip reminders, admin full access, and enhanced audit logging 2026-03-31 22:23:38 +03:00