fix: encrypt SMTP password at rest using AES-256-GCM

The smtp_pass setting was stored as plaintext in app_settings, exposing SMTP credentials to anyone with database read access. Apply the same encrypt_api_key/decrypt_api_key pattern already used for OIDC client secrets and API keys. A new migration transparently re-encrypts any existing plaintext value on startup; decrypt_api_key handles legacy plaintext gracefully so in-flight reads remain safe during upgrade.
2026-04-01 04:33:17 +02:00
parent bba50f038b
commit 1b28bd96d4
3 changed files with 11 additions and 2 deletions
--- a/server/src/db/migrations.ts
+++ b/server/src/db/migrations.ts
@@ -456,6 +456,13 @@ function runMigrations(db: Database.Database): void {
        db.prepare("UPDATE app_settings SET value = ? WHERE key = 'oidc_client_secret'").run(encrypt_api_key(row.value));
      }
    },
+    // Encrypt any plaintext smtp_pass left in app_settings
+    () => {
+      const row = db.prepare("SELECT value FROM app_settings WHERE key = 'smtp_pass'").get() as { value: string } | undefined;
+      if (row?.value && !row.value.startsWith('enc:v1:')) {
+        db.prepare("UPDATE app_settings SET value = ? WHERE key = 'smtp_pass'").run(encrypt_api_key(row.value));
+      }
+    },
  ];

  if (currentVersion < migrations.length) {
--- a/server/src/routes/auth.ts
+++ b/server/src/routes/auth.ts
@@ -18,7 +18,7 @@ import { randomBytes, createHash } from 'crypto';
 import { revokeUserSessions } from '../mcp';
 import { AuthRequest, OptionalAuthRequest, User } from '../types';
 import { writeAudit, getClientIp } from '../services/auditLog';
-import { decrypt_api_key, maybe_encrypt_api_key } from '../services/apiKeyCrypto';
+import { decrypt_api_key, maybe_encrypt_api_key, encrypt_api_key } from '../services/apiKeyCrypto';
 import { startTripReminders } from '../scheduler';

 authenticator.options = { window: 1 };
@@ -665,6 +665,7 @@ router.put('/app-settings', authenticate, (req: Request, res: Response) => {
      }
      // Don't save masked password
      if (key === 'smtp_pass' && val === '••••••••') continue;
+      if (key === 'smtp_pass') val = encrypt_api_key(val);
      db.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES (?, ?)").run(key, val);
    }
  }
--- a/server/src/services/notifications.ts
+++ b/server/src/services/notifications.ts
@@ -1,6 +1,7 @@
 import nodemailer from 'nodemailer';
 import fetch from 'node-fetch';
 import { db } from '../db/database';
+import { decrypt_api_key } from './apiKeyCrypto';
 import { logInfo, logDebug, logError } from './auditLog';

 // ── Types ──────────────────────────────────────────────────────────────────
@@ -32,7 +33,7 @@ function getSmtpConfig(): SmtpConfig | null {
  const host = process.env.SMTP_HOST || getAppSetting('smtp_host');
  const port = process.env.SMTP_PORT || getAppSetting('smtp_port');
  const user = process.env.SMTP_USER || getAppSetting('smtp_user');
-  const pass = process.env.SMTP_PASS || getAppSetting('smtp_pass');
+  const pass = process.env.SMTP_PASS || decrypt_api_key(getAppSetting('smtp_pass')) || '';
  const from = process.env.SMTP_FROM || getAppSetting('smtp_from');
  if (!host || !port || !from) return null;
  return { host, port: parseInt(port, 10), user: user || '', pass: pass || '', from, secure: parseInt(port, 10) === 465 };