fix: encrypt SMTP password at rest using AES-256-GCM

The smtp_pass setting was stored as plaintext in app_settings, exposing SMTP credentials to anyone with database read access. Apply the same encrypt_api_key/decrypt_api_key pattern already used for OIDC client secrets and API keys. A new migration transparently re-encrypts any existing plaintext value on startup; decrypt_api_key handles legacy plaintext gracefully so in-flight reads remain safe during upgrade.
2026-04-01 04:33:17 +02:00
parent bba50f038b
commit 1b28bd96d4
3 changed files with 11 additions and 2 deletions
--- a/server/src/db/migrations.ts
+++ b/server/src/db/migrations.ts
@@ -456,6 +456,13 @@ function runMigrations(db: Database.Database): void {
        db.prepare("UPDATE app_settings SET value = ? WHERE key = 'oidc_client_secret'").run(encrypt_api_key(row.value));
      }
    },
+    // Encrypt any plaintext smtp_pass left in app_settings
+    () => {
+      const row = db.prepare("SELECT value FROM app_settings WHERE key = 'smtp_pass'").get() as { value: string } | undefined;
+      if (row?.value && !row.value.startsWith('enc:v1:')) {
+        db.prepare("UPDATE app_settings SET value = ? WHERE key = 'smtp_pass'").run(encrypt_api_key(row.value));
+      }
+    },
  ];

  if (currentVersion < migrations.length) {