chore: encrypt tenant NWC URL at rest and stop secret exposure in tenant APIs #58

2026-05-02T11:21:52Z

userAdityaa commented

2026-05-02 11:21:52 +00:00

Summary

This PR fixes #57 by encrypting tenant NWC URLs in storage, decrypting only for internal backend use, and redacting tenant API responses so secrets are never returned to clients.

Problem

Tenant NWC URLs were stored in plaintext and exposed through tenant API payloads, creating a high-risk secret leakage path.

closes #57

### Summary This PR fixes #57 by encrypting tenant NWC URLs in storage, decrypting only for internal backend use, and redacting tenant API responses so secrets are never returned to clients. ### Problem Tenant NWC URLs were stored in plaintext and exposed through tenant API payloads, creating a high-risk secret leakage path. closes #57

hodlbod reviewed 2026-05-02 14:22:51 +00:00

backend/src/nwc_url_cipher.rs Outdated

						
				@@ -0,0 +107,4 @@

				        .decode(value)

				        .or_else(|_| base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(value))

				        .map_err(|e| anyhow!("NWC_URL_CIPHER_KEY must be 32-byte hex or base64: {e}"))

				}

hodlbod commented

2026-05-02 14:22:47 +00:00

What if we just used nip 44? It would keep things a little lighter, one fewer dependency.

👍 1

backend/src/pool.rs Outdated

						
				@@ -40,0 +61,4 @@

				    }

				    Ok(())

				}

hodlbod commented

2026-05-02 14:21:59 +00:00

We don't need the migration, no data exists yet.

👍 1

hodlbod reviewed 2026-05-04 15:43:54 +00:00

hodlbod left a comment

This all feels very coupled, can't we just parse the key and encrypt using rust-nostr? The nwc_url_cipher file seems like it should be unnecessary

userAdityaa commented

2026-05-04 15:51:29 +00:00

This all feels very coupled, can't we just parse the key and encrypt using rust-nostr? The nwc_url_cipher file seems like it should be unnecessary

I’ll dig into this further and assess whether it can be simplified and updated accordingly.

> This all feels very coupled, can't we just parse the key and encrypt using rust-nostr? The nwc_url_cipher file seems like it should be unnecessary I’ll dig into this further and assess whether it can be simplified and updated accordingly.

hodlbod reviewed 2026-05-04 21:51:42 +00:00

hodlbod left a comment

This feels both over and under-engineered. The NWC url is just a string field, on write it should be encrypted and stored, when sent to the frontend it should be converted into nwc_is_set or whatever. When we need to use it, we can decrypt on demand.

Some concrete changes:

Rename NWC_URL_CIPHER_KEY to ENCRYPTION_SECRET or something more generic. Add a utility to simply decrypt/encrypt using this key any string value instead of adding the Tenant impl block.
TenantResponse shouldn't have nwc_url on it

This feels both over and under-engineered. The NWC url is just a string field, on write it should be encrypted and stored, when sent to the frontend it should be converted into nwc_is_set or whatever. When we need to use it, we can decrypt on demand. Some concrete changes: - Rename NWC_URL_CIPHER_KEY to ENCRYPTION_SECRET or something more generic. Add a utility to simply decrypt/encrypt using this key any string value instead of adding the Tenant impl block. - TenantResponse shouldn't have nwc_url on it

backend/src/models.rs Outdated

						
				@@ -39,0 +77,4 @@

				            return Err(anyhow!(

				                "unsupported legacy encrypted nwc_url envelope; re-save tenant configuration"

				            ));

				        }