From af3f48168f9e48b1c80506bc8e421eb5af39191e Mon Sep 17 00:00:00 2001 From: userAdityaa Date: Tue, 5 May 2026 18:58:16 +0545 Subject: [PATCH] chore: encrypt tenant NWC URL at rest and stop secret exposure in tenant APIs --- backend/src/api.rs | 50 ++++++++++++++++++++++++++++++++++++------ backend/src/billing.rs | 7 ++++-- backend/src/cipher.rs | 28 +++++++++++++++++++++++ backend/src/lib.rs | 1 + backend/src/main.rs | 1 + 5 files changed, 78 insertions(+), 9 deletions(-) create mode 100644 backend/src/cipher.rs diff --git a/backend/src/api.rs b/backend/src/api.rs index f806ee8..a7576b2 100644 --- a/backend/src/api.rs +++ b/backend/src/api.rs @@ -445,6 +445,31 @@ struct IdentityResponse { is_admin: bool, } +#[derive(Serialize)] +struct TenantResponse { + pubkey: String, + nwc_is_set: bool, + nwc_error: Option, + created_at: i64, + stripe_customer_id: String, + stripe_subscription_id: Option, + past_due_at: Option, +} + +impl From for TenantResponse { + fn from(t: Tenant) -> Self { + TenantResponse { + nwc_is_set: !t.nwc_url.is_empty(), + pubkey: t.pubkey, + nwc_error: t.nwc_error, + created_at: t.created_at, + stripe_customer_id: t.stripe_customer_id, + stripe_subscription_id: t.stripe_subscription_id, + past_due_at: t.past_due_at, + } + } +} + #[derive(Deserialize)] struct CreateRelayRequest { tenant: String, @@ -486,7 +511,13 @@ async fn list_tenants( state.api.require_admin(&pubkey)?; match state.api.query.list_tenants().await { - Ok(tenants) => Ok(ok(StatusCode::OK, tenants)), + Ok(tenants) => Ok(ok( + StatusCode::OK, + tenants + .into_iter() + .map(TenantResponse::from) + .collect::>(), + )), Err(e) => Ok(err( StatusCode::INTERNAL_SERVER_ERROR, "internal", @@ -515,7 +546,7 @@ async fn create_tenant( let pubkey = state.api.extract_auth_pubkey(&headers)?; match state.api.query.get_tenant(&pubkey).await { - Ok(Some(t)) => Ok(ok(StatusCode::OK, t)), + Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))), Ok(None) => { let stripe_customer_id = match state.api.billing.stripe_create_customer(&pubkey).await { Ok(id) => id, @@ -539,10 +570,10 @@ async fn create_tenant( }; match state.api.command.create_tenant(&tenant).await { - Ok(()) => Ok(ok(StatusCode::OK, tenant)), + Ok(()) => Ok(ok(StatusCode::OK, TenantResponse::from(tenant))), Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => { match state.api.query.get_tenant(&pubkey).await { - Ok(Some(t)) => Ok(ok(StatusCode::OK, t)), + Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))), Ok(None) => Ok(err( StatusCode::INTERNAL_SERVER_ERROR, "internal", @@ -585,7 +616,7 @@ async fn get_tenant( let auth = state.api.extract_auth_pubkey(&headers)?; state.api.require_admin_or_tenant(&auth, &pubkey)?; let tenant = state.api.get_tenant_or_404(&pubkey).await?; - Ok(ok(StatusCode::OK, tenant)) + Ok(ok(StatusCode::OK, TenantResponse::from(tenant))) } async fn list_relays( @@ -1103,7 +1134,12 @@ async fn update_tenant( let nwc_previously_empty = tenant.nwc_url.is_empty(); if let Some(nwc_url) = payload.nwc_url { - tenant.nwc_url = nwc_url; + if nwc_url.is_empty() { + tenant.nwc_url = String::new(); + } else { + tenant.nwc_url = + crate::cipher::encrypt(&nwc_url).map_err(|e| ApiError::Internal(e.to_string()))?; + } } match state.api.command.update_tenant(&tenant).await { @@ -1122,7 +1158,7 @@ async fn update_tenant( } }); } - Ok(ok(StatusCode::OK, tenant)) + Ok(ok(StatusCode::OK, TenantResponse::from(tenant))) } Err(e) => Ok(err( StatusCode::INTERNAL_SERVER_ERROR, diff --git a/backend/src/billing.rs b/backend/src/billing.rs index 320090d..fa12bce 100644 --- a/backend/src/billing.rs +++ b/backend/src/billing.rs @@ -422,13 +422,14 @@ impl Billing { // 1. NWC auto-pay: if the tenant has a nwc_url if !tenant.nwc_url.is_empty() { + let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?; match self .nwc_pay_invoice( invoice_id, &tenant.pubkey, amount_due, currency, - &tenant.nwc_url, + &plain_nwc_url, ) .await? { @@ -857,6 +858,8 @@ impl Billing { return Ok(()); } + let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?; + let invoices = self .stripe_list_invoices(&tenant.stripe_customer_id) .await?; @@ -878,7 +881,7 @@ impl Billing { &tenant.pubkey, amount_due, currency, - &tenant.nwc_url, + &plain_nwc_url, ) .await? { diff --git a/backend/src/cipher.rs b/backend/src/cipher.rs new file mode 100644 index 0000000..bcf1e35 --- /dev/null +++ b/backend/src/cipher.rs @@ -0,0 +1,28 @@ +use anyhow::{Result, anyhow}; +use nostr_sdk::prelude::*; + +pub fn encrypt(plaintext: &str) -> Result { + let keys = load_key()?; + nip44::encrypt( + keys.secret_key(), + &keys.public_key(), + plaintext, + nip44::Version::V2, + ) + .map_err(|e| anyhow!("encryption failed: {e}")) +} + +pub fn decrypt(ciphertext: &str) -> Result { + let keys = load_key()?; + nip44::decrypt(keys.secret_key(), &keys.public_key(), ciphertext) + .map_err(|e| anyhow!("decryption failed: {e}")) +} + +fn load_key() -> Result { + let secret = std::env::var("ENCRYPTION_SECRET") + .map_err(|_| anyhow!("missing ENCRYPTION_SECRET environment variable"))?; + if secret.trim().is_empty() { + return Err(anyhow!("ENCRYPTION_SECRET is empty")); + } + Keys::parse(&secret).map_err(|e| anyhow!("invalid ENCRYPTION_SECRET: {e}")) +} diff --git a/backend/src/lib.rs b/backend/src/lib.rs index 98f3936..32359b6 100644 --- a/backend/src/lib.rs +++ b/backend/src/lib.rs @@ -1,5 +1,6 @@ pub mod api; pub mod billing; +pub mod cipher; pub mod command; pub mod infra; pub mod models; diff --git a/backend/src/main.rs b/backend/src/main.rs index 1751165..5f92556 100644 --- a/backend/src/main.rs +++ b/backend/src/main.rs @@ -1,5 +1,6 @@ mod api; mod billing; +mod cipher; mod command; mod infra; mod models;