Merge pull request #52 from lepidus/stable-3_3_0

fix/password encryption (OMP 3.3.0)

Author: thiagolepidus

.gitlab-ci.yml

@@ -10,8 +10,6 @@ include:
 
 .unit_test_template:
   before_script:
-    - rm -rf lib/APIKeyEncryption
-    - git submodule update --init --depth 1
     - composer install
 
 plugin_unit_tests_omp:

.gitmodules

@@ -19,7 +19,7 @@
 use ThothApi\GraphQL\Client;
 
 import('lib.pkp.classes.form.Form');
-import('plugins.generic.thoth.lib.APIKeyEncryption.APIKeyEncryption');
+import('plugins.generic.thoth.classes.encryption.DataEncryption');
 
 class ThothSettingsForm extends Form
 {
@@ -38,7 +38,8 @@ public function __construct($plugin, $contextId)
         $this->contextId = $contextId;
         $this->plugin = $plugin;
 
-        $template = APIKeyEncryption::secretConfigExists() ? 'settingsForm.tpl' : 'tokenError.tpl';
+        $encryption = new DataEncryption();
+        $template = $encryption->secretConfigExists() ? 'settingsForm.tpl' : 'tokenError.tpl';
         parent::__construct($plugin->getTemplateResource($template));
 
         $form = $this;
@@ -75,9 +76,10 @@ public function initData()
     {
         foreach (self::SETTINGS as $setting) {
             if ($setting == 'password') {
+                $encryption = new DataEncryption();
                 $password = $this->plugin->getSetting($this->contextId, $setting);
-                $this->_data[$setting] = (APIKeyEncryption::secretConfigExists() && $password) ?
-                    APIKeyEncryption::decryptString($password) :
+                $this->_data[$setting] = ($encryption->secretConfigExists() && $password) ?
+                    $encryption->decryptString($password) :
                     null;
                 continue;
             }
@@ -99,14 +101,21 @@ public function fetch($request, $template = null, $display = false)
 
     public function execute(...$functionArgs)
     {
+        $this->encryptPassword();
         foreach (self::SETTINGS as $setting) {
-            if ($setting == 'password') {
-                $encryptedPassword = APIKeyEncryption::encryptString(trim($this->getData($setting)));
-                $this->plugin->updateSetting($this->contextId, $setting, $encryptedPassword, 'string');
-                continue;
-            }
             $this->plugin->updateSetting($this->contextId, $setting, trim($this->getData($setting)), 'string');
         }
         parent::execute(...$functionArgs);
     }
+
+    private function encryptPassword()
+    {
+        $encryption = new DataEncryption();
+        $password = $this->getData('password');
+
+        if (!$encryption->textIsEncrypted($password)) {
+            $encryptedPassword = $encryption->encryptString($password);
+            $this->setData('password', $encryptedPassword);
+        }
+    }
 }

ThothSettingsForm.inc.php

@@ -18,6 +18,7 @@
 use ThothApi\GraphQL\Client;
 
 import('plugins.generic.thoth.classes.container.providers.ContainerProvider');
+import('plugins.generic.thoth.classes.encryption.DataEncryption');
 import('plugins.generic.thoth.classes.factories.ThothBookFactory');
 import('plugins.generic.thoth.classes.factories.ThothChapterFactory');
 import('plugins.generic.thoth.classes.factories.ThothContributionFactory');
@@ -39,13 +40,13 @@
 import('plugins.generic.thoth.classes.repositories.ThothSubjectRepository');
 import('plugins.generic.thoth.classes.repositories.ThothWorkRelationRepository');
 import('plugins.generic.thoth.classes.repositories.ThothWorkRepository');
-import('plugins.generic.thoth.lib.APIKeyEncryption.APIKeyEncryption');
 
 class ThothRepositoryProvider implements ContainerProvider
 {
     public function register($container)
     {
         $container->set('config', function ($container) {
+            $encryption = new DataEncryption();
             $pluginSettingsDao = & DAORegistry::getDAO('PluginSettingsDAO');
             $contextId = Application::get()->getRequest()->getContext()->getId();
 
@@ -56,7 +57,7 @@ public function register($container)
             return [
                 'testEnvironment' => $testEnvironment,
                 'email' => $email,
-                'password' => APIKeyEncryption::decryptString($password)
+                'password' => $encryption->decryptString($password)
             ];
         });
 

classes/container/providers/ThothRepositoryProvider.inc.php

@@ -0,0 +1,79 @@
+<?php
+
+use Illuminate\Encryption\Encrypter;
+
+class DataEncryption
+{
+    private const ENCRYPTION_CIPHER = 'AES-256-CBC';
+    private const BASE64_PREFIX = 'base64:';
+
+    public function secretConfigExists(): bool
+    {
+        try {
+            $this->getSecretFromConfig();
+        } catch (Exception $e) {
+            return false;
+        }
+        return true;
+    }
+
+    private function getSecretFromConfig(): string
+    {
+        $secret = \Config::getVar('security', 'api_key_secret');
+        if ($secret === "") {
+            throw new Exception("Thoth Error: A secret must be set in the config file ('api_key_secret') so that keys can be encrypted and decrypted");
+        }
+
+        return $this->normalizeSecret($secret);
+    }
+
+    private function normalizeSecret(string $secret): string
+    {
+        return hash('sha256', $secret, true);
+    }
+
+    public function textIsEncrypted(string $text): bool
+    {
+        if (!str_starts_with($text, self::BASE64_PREFIX)) {
+            return false;
+        }
+
+        try {
+            $this->decryptString($text);
+            return true;
+        } catch (Exception $e) {
+            return false;
+        }
+    }
+
+    public function encryptString(string $plainText): string
+    {
+        $secret = $this->getSecretFromConfig();
+        $encrypter = new Encrypter($secret, self::ENCRYPTION_CIPHER);
+
+        try {
+            $encryptedString = $encrypter->encrypt($plainText);
+        } catch (Exception $e) {
+            throw new Exception("Thoth Error: Failed to encrypt string");
+        }
+
+        return self::BASE64_PREFIX . base64_encode($encryptedString);
+    }
+
+    public function decryptString(string $encryptedText): string
+    {
+        $secret = $this->getSecretFromConfig();
+        $encrypter = new Encrypter($secret, self::ENCRYPTION_CIPHER);
+
+        $encryptedText = str_replace(self::BASE64_PREFIX, '', $encryptedText);
+        $payload = base64_decode($encryptedText);
+
+        try {
+            $decryptedString = $encrypter->decrypt($payload);
+        } catch (Exception $e) {
+            throw new Exception("Thoth Error: Failed to decrypt string");
+        }
+
+        return $decryptedString;
+    }
+}

classes/encryption/DataEncryption.inc.php

@@ -0,0 +1,80 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Capsule\Manager as Capsule;
+
+import('plugins.generic.thoth.classes.encryption.DataEncryption');
+
+class PasswordEncryptionMigration extends Migration
+{
+    public function up(): void
+    {
+        $encrypter = new DataEncryption();
+        if (!$encrypter->secretConfigExists()) {
+            return;
+        }
+
+        Capsule::table('plugin_settings')
+            ->where('plugin_name', 'thothplugin')
+            ->where('setting_name', 'password')
+            ->get(['context_id', 'setting_value'])
+            ->each(function ($row) use ($encrypter) {
+                if (empty($row->setting_value) || $encrypter->textIsEncrypted($row->setting_value)) {
+                    return;
+                }
+
+                if ($this->isJWT($row->setting_value)) {
+                    $decodedPayload = $this->decodeJWT($row->setting_value);
+                    if ($decodedPayload !== null) {
+                        $row->setting_value = json_decode($decodedPayload);
+                    }
+                }
+
+                $encryptedValue = $encrypter->encryptString($row->setting_value);
+                Capsule::table('plugin_settings')
+                    ->where('plugin_name', 'thothplugin')
+                    ->where('context_id', $row->context_id)
+                    ->where('setting_name', 'password')
+                    ->update(['setting_value' => $encryptedValue]);
+            });
+    }
+
+    public function base64URLDecode($data)
+    {
+        $remainder = strlen($data) % 4;
+        if ($remainder) {
+            $padlen = 4 - $remainder;
+            $data .= str_repeat('=', $padlen);
+        }
+        $data = strtr($data, '-_', '+/');
+        return base64_decode($data);
+    }
+
+    public function isJWT(string $token): bool
+    {
+        $parts = explode('.', $token);
+        if (count($parts) !== 3) {
+            return false;
+        }
+
+        foreach ($parts as $part) {
+            if (!preg_match('/^[A-Za-z0-9\-_]+$/', $part)) {
+                return false;
+            }
+        }
+
+        [$header, $payload, $signature] = $parts;
+        if ($this->base64URLDecode($header) === false || $this->base64URLDecode($payload) === false) {
+            return false;
+        }
+
+        return true;
+    }
+
+    public function decodeJWT($string): ?string
+    {
+        list($header, $payload, $signature) = explode('.', $string);
+        $decodedPayload = $this->base64URLDecode($payload);
+        return $decodedPayload ? $decodedPayload : null;
+    }
+}

classes/migrations/PasswordEncryptionMigration.inc.php

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE install SYSTEM "../../../lib/pkp/dtd/install.dtd">
+
+<install version="0.1.11.0">
+    <migration
+        class="plugins.generic.thoth.classes.migrations.PasswordEncryptionMigration"
+    />
+</install>

lib/APIKeyEncryption

@@ -3,8 +3,8 @@
 <version>
 	<application>thoth</application>
 	<type>plugins.generic</type>
-	<release>0.1.10.6</release>
-	<date>2025-08-26</date>
+	<release>0.1.11.0</release>
+	<date>2025-10-30</date>
 	<lazy-load>1</lazy-load>
 	<class>ThothPlugin</class>
 </version>