feat: Enforcing Database Encryption & Enable HTTPS by default (#603)

* add placeholder stylus version

* FO-33 - First version encryption

* refactor: Refactor check token logic on FE and BE

[FO-33]

* FO-33 - Run server without token

* FO-33 - Optimization design for setup-token page

* FO-33 - First change

* FO-33 - Resolve undefined appConfig in handlers

* FO-33 - Remove encrypt_db from .gitignore

* FO-33 - Use literal string for encryption token

* FO-33 - Optimization server and handler

* FO-33-SSL - add ssl in dockerfile and app

* feat: Improve token wizard flow, add get token component and revamp restore token UI

[FO-33]

* feat: Add redirect to main page button after token is set

[FO-33]

* FO-33 - optimization run server

* feat: Adjust generate token flow, add mandatory download

[FO-33]

* FO-33 - Validation token connect db

* feat: Improve validate token flow, add test token functionality

[FO-33]

* FO-33 - fix validate token

* FO-33 - optimization when token is wrong

* FO-33-SSL - Remove mkcert from dockerfile

* FO-33-SSL - ignore only crt and key

* chore: remove unused var

* chore: remove unused volumes

* chore: rename var name

* chore: rename funct

* chore: refactor encryption-key related components and handlers

* chore: revert stylus change

* chore: remove unused member

* chore: revert exportable field

* chore: remove running server in a loop. making appEngine reinitialize logic self-contained

* misc: cleanup

* misc: cleanup

* misc: cleanup

* misc: cleanup

* chore: adjust tests

* chore: rename encryption packege to regular random

* chore: rename encryption_key

* chore: add opt-out for database encryption option

* chore: revert useless changes

* chore: refactor encryption-status-guard

* chore: cleanup

* chore: cleanup

* chore: cleanup

* chore: cleanup

* chore: fix config test

* chore: send encryption key as json

* fix: resolve client routing issue

* fix: bug on updating the state on encryption-key/wizard-restore

* fix: adjust backend config validation

* chore: revert config tests

* misc: cleanup

* chore: adjust backend tests

* chore: fix backend test

* chore: refactor encryption-key/wizard-restore flow

* chore: adjust the component with a minimalistic test spec

* chore: adjust the look of the get-encryption-key-wizard component

* chore: change the look of get-encryption-key-wizard component

* chore: make default config database.encryption false

* chore: revert Dockerfile changes

* chore: revert useless changes

* chore: add auto-gen certificates when server runs with https option on

* chore: adjust ng-cli dev mode options

* chore: adjust ng-cli dev options

* chore: mount shared certs folder in docker compose

* docs: update launching docs

* chore: put rootCA-key.pem into shared dir

* fix: adjust get-encryption-key component

* chore: define clear stanby flag for the server. refactor frontend flow arround the flag

* fix: clean broken deps

* fix: log messages

* fix: encryption-status guard logic

* chore: adjust tls-related info

* chore: misc

---------

Co-authored-by: Mihai Pop @ TSA <hello@techstackapps.com>

Author: groundmuffin

.gitignore

@@ -81,3 +81,5 @@ fasten.db-wal
 
 backend/resources/related_versions.json
 frontend/documentation.json
+
+certs/

README.md

@@ -140,6 +140,66 @@ If you prefer not to run the `set_env.sh` script, you can configure the `.env` f
     PORT=9090
     ```
 
+Next, open a browser to `https://localhost:9090`
+
+### <a name="using-https"></a>🔒 Using HTTPS and Trusting the Self-Signed Certificate
+
+By default, Fasten On-Prem runs with HTTPS enabled to ensure your data is secure. It uses a self-signed **TLS** certificate, which offers the same level of encryption as a commercially issued certificate. The first time you connect, your browser will display a security warning because it doesn't yet trust the certificate's issuer. The steps below will guide you through the simple, one-time process of telling your browser to trust the certificate, ensuring a secure connection without future warnings. Please note that the generated certificates can be replaced at any time with your own valid TLS certificates.
+
+#### How it Works: The Chain of Trust
+
+To establish a secure connection, your browser needs to trust the server's TLS certificate. Here’s how the process works in Fasten On-Prem:
+
+1.  **Root Certificate Authority (CA):** When the application first starts, it generates its own self-contained Certificate Authority, called `"Fasten Health CA"`. Think of this as the highest level of trust. The public part of this CA is the `rootCA.pem` file.
+2.  **Server Certificate:** The application then uses the `"Fasten Health CA"` to issue and sign a specific certificate for the web server (e.g., for `localhost`).
+3.  **Browser Verification:** When you connect to the server, it presents the server certificate to your browser. Your browser checks who signed it and sees it was `"Fasten Health CA"`. The browser then asks, "Do I trust the 'Fasten Health CA'?"
+
+Initially, the answer is no, which is why you see a security warning. By following the steps below to import the `rootCA.pem` file, you are telling your browser or operating system to trust our self-generated CA. Once the CA is trusted, any certificates it signs—including the server certificate—will also be trusted, and the connection will be secure without any warnings.
+
+#### 1. Locate the Root CA Certificate
+
+When you run the application using the production Docker Compose file (`docker-compose-prod.yml`), it automatically generates a `rootCA.pem` file. This file is located in the `certs` directory on your host machine.
+
+-   **Certificate Path:** `certs/rootCA.pem`
+
+#### 2. Import the Certificate
+
+You will need to import this certificate into your operating system's or browser's trust store. Here are general instructions for different platforms:
+
+**macOS**
+
+1.  Open the **Keychain Access** application.
+2.  Select the **System** keychain.
+3.  Go to **File > Import Items** and select the `certs/rootCA.pem` file.
+4.  Find the "Fasten Health CA" certificate in the list, double-click it, and under the **Trust** section, set "When using this certificate" to **Always Trust**.
+
+**Windows**
+
+1.  Double-click the `certs/rootCA.pem` file.
+2.  Click **Install Certificate...** and choose **Local Machine**.
+3.  Select **Place all certificates in the following store**, click **Browse**, and choose **Trusted Root Certification Authorities**.
+4.  Complete the wizard to finish the import process.
+
+**Linux (Ubuntu/Debian)**
+
+1.  Copy the certificate to the trusted certificates directory:
+    ```bash
+    sudo cp certs/rootCA.pem /usr/local/share/ca-certificates/fasten-health-ca.crt
+    ```
+2.  Update the system's certificate store:
+    ```bash
+    sudo update-ca-certificates
+    ```
+
+**Firefox**
+
+Firefox has its own trust store. To import the certificate:
+
+1.  Go to **Settings > Privacy & Security**.
+2.  Scroll down to **Certificates** and click **View Certificates...**.
+3.  In the **Authorities** tab, click **Import...** and select the `certs/rootCA.pem` file.
+4.  Check the box for **Trust this CA to identify websites** and click **OK**.
+
 ### 🧪 Develop
 
 Use local development settings for testing and iteration. 
@@ -170,13 +230,11 @@ docker run --rm \
 ghcr.io/fastenhealth/fasten-onprem:main
 ```
 
-Next, open a browser to `http://localhost:9090`
-
 At this point you'll be redirected to the login page.
 
 ### Logging In
 
-Before you can use the Fasten BETA, you'll need to [Create an Account](http://localhost:9090/web/auth/signup).
+Before you can use the Fasten BETA, you'll need to [Create an Account](https://localhost:9090/web/auth/signup).
 
 It can be as simple as
 - **Username:** `testuser`

backend/cmd/fasten/fasten.go

@@ -76,7 +76,6 @@ func main() {
 				Name:  "start",
 				Usage: "Start the fasten server",
 				Action: func(c *cli.Context) error {
-					//fmt.Fprintln(c.App.Writer, c.Command.Usage)
 					if c.IsSet("config") {
 						err = appconfig.ReadConfig(c.String("config")) // Find and read the config file
 						if err != nil {                                // Handle errors reading the config file

backend/pkg/config/config.go

@@ -25,6 +25,8 @@ func (c *configuration) Init() error {
 	c.SetDefault("web.listen.host", "0.0.0.0")
 	c.SetDefault("web.listen.basepath", "")
 	c.SetDefault("web.listen.https.enabled", false)
+	c.SetDefault("web.listen.https.certDir", "certs")
+	c.SetDefault("web.listen.https.sharedDir", "certs/shared")
 
 	// allow unsafe endpoints should never be enabled in Production.
 	// It enables direct API access to healthcare providers without authentication.
@@ -33,6 +35,7 @@ func (c *configuration) Init() error {
 	c.SetDefault("web.src.frontend.path", "/opt/fasten/web")
 	c.SetDefault("database.type", "sqlite")
 	c.SetDefault("database.location", "/opt/fasten/db/fasten.db")
+	c.SetDefault("database.encryption.enabled", false)
 	//c.SetDefault("database.encryption.key", "") //encryption key must be set by the user.
 	c.SetDefault("cache.location", "/opt/fasten/cache/")
 

backend/pkg/database/factory.go

@@ -11,7 +11,7 @@ import (
 func NewRepository(appConfig config.Interface, globalLogger logrus.FieldLogger, eventBus event_bus.Interface) (DatabaseRepository, error) {
 	switch pkg.DatabaseRepositoryType(appConfig.GetString("database.type")) {
 	case pkg.DatabaseRepositoryTypeSqlite:
-		return newSqliteRepository(appConfig, globalLogger, eventBus)
+		return newSqliteRepository(appConfig, globalLogger, eventBus, appConfig.GetBool("database.validation_mode"))
 	case pkg.DatabaseRepositoryTypePostgres:
 		return newPostgresRepository(appConfig, globalLogger, eventBus)
 	default:

backend/pkg/database/gorm_repository_graph_test.go

@@ -62,6 +62,8 @@ func (suite *RepositoryGraphTestSuite) TestGetFlattenedResourceGraph() {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("INFO").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err)
 
@@ -130,6 +132,8 @@ func (suite *RepositoryGraphTestSuite) TestGetFlattenedResourceGraph_NDJson() {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("INFO").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err)
 

backend/pkg/database/gorm_repository_query_sql_test.go

@@ -46,6 +46,8 @@ func (suite *RepositorySqlTestSuite) BeforeTest(suiteName, testName string) {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("INFO").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err)
 	suite.TestRepository = dbRepo

backend/pkg/database/gorm_repository_query_test.go

@@ -267,6 +267,8 @@ func (suite *RepositoryTestSuite) TestQueryResources_SQL() {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("INFO").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err)
 	userModel := &models.User{

backend/pkg/database/gorm_repository_related_test.go

@@ -42,6 +42,8 @@ func (suite *RepositoryRelatedTestSuite) SetupTest() {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("DEBUG").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err, "Failed to create repository")

backend/pkg/database/gorm_repository_settings_test.go

@@ -40,6 +40,7 @@ func (suite *RepositorySettingsTestSuite) BeforeTest(suiteName, testName string)
 	testConfig, err := config.Create()
 	require.NoError(suite.T(), err)
 	testConfig.SetDefault("database.location", suite.TestDatabase.Name())
+	testConfig.SetDefault("database.encryption.enabled", false)
 	testConfig.SetDefault("log.level", "INFO")
 	suite.TestConfig = testConfig