feat: encrypt tokens using safe storage api (#1800)

* feat: encrypt token on disk using safe storage api

Signed-off-by: Adam Setch <adam.setch@outlook.com>

* feat: encrypt token on disk using safe storage api

Signed-off-by: Adam Setch <adam.setch@outlook.com>

* feat: encrypt token on disk using safe storage api

Signed-off-by: Adam Setch <adam.setch@outlook.com>

* feat: encrypt token on disk using safe storage api

Signed-off-by: Adam Setch <adam.setch@outlook.com>

---------

Signed-off-by: Adam Setch <adam.setch@outlook.com>

Author: setchy

src/main/main.ts

@@ -1,4 +1,4 @@
-import { app, globalShortcut, ipcMain as ipc } from 'electron';
+import { app, globalShortcut, ipcMain as ipc, safeStorage } from 'electron';
 import log from 'electron-log';
 import { menubar } from 'menubar';
 
@@ -171,6 +171,15 @@ app.whenReady().then(async () => {
   });
 });
 
+// Safe Storage
+ipc.handle(namespacedEvent('safe-storage-encrypt'), (_, settings) => {
+  return safeStorage.encryptString(settings).toString('base64');
+});
+
+ipc.handle(namespacedEvent('safe-storage-decrypt'), (_, settings) => {
+  return safeStorage.decryptString(Buffer.from(settings, 'base64'));
+});
+
 // Handle gitify:// custom protocol URL events for OAuth 2.0 callback
 app.on('open-url', (event, url) => {
   event.preventDefault();

src/renderer/__mocks__/electron.js

@@ -43,6 +43,10 @@ module.exports = {
           return Promise.resolve('darwin');
         case namespacedEvent('version'):
           return Promise.resolve('0.0.1');
+        case namespacedEvent('safe-storage-encrypt'):
+          return Promise.resolve('encrypted');
+        case namespacedEvent('safe-storage-decrypt'):
+          return Promise.resolve('decrypted');
         default:
           return Promise.reject(new Error(`Unknown channel: ${channel}`));
       }

src/renderer/context/App.test.tsx

@@ -237,7 +237,7 @@ describe('renderer/context/App.tsx', () => {
       expect(apiRequestAuthMock).toHaveBeenCalledWith(
         'https://api.github.com/user',
         'GET',
-        '123-456',
+        'encrypted',
       );
     });
   });

src/renderer/context/App.tsx

@@ -28,6 +28,7 @@ import {
   type Status,
   type SystemSettingsState,
   Theme,
+  type Token,
 } from '../types';
 import type { Notification } from '../typesGitHub';
 import { headNotifications } from '../utils/api/client';
@@ -44,6 +45,8 @@ import {
   removeAccount,
 } from '../utils/auth/utils';
 import {
+  decryptValue,
+  encryptValue,
   setAlternateIdleIcon,
   setAutoLaunch,
   setKeyboardShortcut,
@@ -292,6 +295,17 @@ export const AppProvider = ({ children }: { children: ReactNode }) => {
 
       // Refresh account data on app start
       for (const account of existing.auth.accounts) {
+        /**
+         * Check if the account is using an encrypted token.
+         * If not encrypt it and save it.
+         */
+        try {
+          await decryptValue(account.token);
+        } catch (err) {
+          const encryptedToken = await encryptValue(account.token);
+          account.token = encryptedToken as Token;
+        }
+
         await refreshAccount(account);
       }
     }

src/renderer/utils/api/__snapshots__/client.test.ts.snap

@@ -4,8 +4,9 @@ import axios, {
   type Method,
 } from 'axios';
 
-import { logError } from '../../../shared/logger';
+import { logError, logWarn } from '../../../shared/logger';
 import type { Link, Token } from '../../types';
+import { decryptValue } from '../comms';
 import { getNextURLFromLinkHeader } from './utils';
 
 /**
@@ -44,8 +45,16 @@ export async function apiRequestAuth(
   data = {},
   fetchAllRecords = false,
 ): AxiosPromise | null {
+  let apiToken = token;
+  // TODO - Remove this try-catch block in a future release
+  try {
+    apiToken = (await decryptValue(token)) as Token;
+  } catch (err) {
+    logWarn('apiRequestAuth', 'Token is not yet encrypted');
+  }
+
   axios.defaults.headers.common.Accept = 'application/json';
-  axios.defaults.headers.common.Authorization = `token ${token}`;
+  axios.defaults.headers.common.Authorization = `token ${apiToken}`;
   axios.defaults.headers.common['Content-Type'] = 'application/json';
   axios.defaults.headers.common['Cache-Control'] = shouldRequestWithNoCache(url)
     ? 'no-cache'

src/renderer/utils/api/__snapshots__/request.test.ts.snap

@@ -191,7 +191,7 @@ describe('renderer/utils/auth/utils.ts', () => {
             hostname: 'github.com' as Hostname,
             method: 'Personal Access Token',
             platform: 'GitHub Cloud',
-            token: '123-456' as Token,
+            token: 'encrypted' as Token,
             user: mockGitifyUser,
             version: 'latest',
           },
@@ -211,7 +211,7 @@ describe('renderer/utils/auth/utils.ts', () => {
             hostname: 'github.com' as Hostname,
             method: 'OAuth App',
             platform: 'GitHub Cloud',
-            token: '123-456' as Token,
+            token: 'encrypted' as Token,
             user: mockGitifyUser,
             version: 'latest',
           },
@@ -243,7 +243,7 @@ describe('renderer/utils/auth/utils.ts', () => {
             hostname: 'github.gitify.io' as Hostname,
             method: 'Personal Access Token',
             platform: 'GitHub Enterprise Server',
-            token: '123-456' as Token,
+            token: 'encrypted' as Token,
             user: mockGitifyUser,
             version: '3.0.0',
           },
@@ -263,7 +263,7 @@ describe('renderer/utils/auth/utils.ts', () => {
             hostname: 'github.gitify.io' as Hostname,
             method: 'OAuth App',
             platform: 'GitHub Enterprise Server',
-            token: '123-456' as Token,
+            token: 'encrypted' as Token,
             user: mockGitifyUser,
             version: '3.0.0',
           },

src/renderer/utils/api/request.ts

@@ -18,7 +18,7 @@ import type {
 import type { UserDetails } from '../../typesGitHub';
 import { getAuthenticatedUser } from '../api/client';
 import { apiRequest } from '../api/request';
-import { openExternalLink } from '../comms';
+import { encryptValue, openExternalLink } from '../comms';
 import { Constants } from '../constants';
 import { getPlatformFromHostname } from '../helpers';
 import type { AuthMethod, AuthResponse, AuthTokenResponse } from './types';
@@ -109,12 +109,13 @@ export async function addAccount(
   hostname: Hostname,
 ): Promise<AuthState> {
   const accountList = auth.accounts;
+  const encryptedToken = await encryptValue(token);
 
   let newAccount = {
     hostname: hostname,
     method: method,
     platform: getPlatformFromHostname(hostname),
-    token: token,
+    token: encryptedToken,
   } as Account;
 
   newAccount = await refreshAccount(newAccount);

src/renderer/utils/auth/utils.test.ts

@@ -4,6 +4,8 @@ import { namespacedEvent } from '../../shared/events';
 import { mockSettings } from '../__mocks__/state-mocks';
 import type { Link } from '../types';
 import {
+  decryptValue,
+  encryptValue,
   getAppVersion,
   hideWindow,
   openExternalLink,
@@ -68,6 +70,24 @@ describe('renderer/utils/comms.ts', () => {
     expect(ipcRenderer.invoke).toHaveBeenCalledWith(namespacedEvent('version'));
   });
 
+  it('should encrypt a value', async () => {
+    await encryptValue('value');
+    expect(ipcRenderer.invoke).toHaveBeenCalledTimes(1);
+    expect(ipcRenderer.invoke).toHaveBeenCalledWith(
+      namespacedEvent('safe-storage-encrypt'),
+      'value',
+    );
+  });
+
+  it('should decrypt a value', async () => {
+    await decryptValue('value');
+    expect(ipcRenderer.invoke).toHaveBeenCalledTimes(1);
+    expect(ipcRenderer.invoke).toHaveBeenCalledWith(
+      namespacedEvent('safe-storage-decrypt'),
+      'value',
+    );
+  });
+
   it('should quit the app', () => {
     quitApp();
     expect(ipcRenderer.send).toHaveBeenCalledTimes(1);

src/renderer/utils/auth/utils.ts

@@ -24,6 +24,20 @@ export async function getAppVersion(): Promise<string> {
   return await ipcRenderer.invoke(namespacedEvent('version'));
 }
 
+export async function encryptValue(value: string): Promise<string> {
+  return await ipcRenderer.invoke(
+    namespacedEvent('safe-storage-encrypt'),
+    value,
+  );
+}
+
+export async function decryptValue(value: string): Promise<string> {
+  return await ipcRenderer.invoke(
+    namespacedEvent('safe-storage-decrypt'),
+    value,
+  );
+}
+
 export function quitApp(): void {
   ipcRenderer.send(namespacedEvent('quit'));
 }