[Breaking] Use encryption password instead of secret key for encryption (#281)

adam-maj · web-flow · commit 12460244301d · 2023-11-01T15:30:42.000-07:00
* Migrate to ENCRYPTION_PASSWORD instead of THIRDWEB_API_SECRET_KEY for encryption

* Update README.md

* Update

* Add encryption migration for auth wallet

* Update auth checks

* Fix bugs and add logs

* Remove README.md

* README.md
diff --git a/docs/1-user-guide.md b/docs/1-user-guide.md
@@ -8,7 +8,8 @@
 | ------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | -------- |
 | `THIRDWEB_API_SECRET_KEY` | thirdweb Api Secret Key (get it from thirdweb.com/dashboard)                                                        |                                                                      | ✅       |
 | `POSTGRES_CONNECTION_URL` | PostgreSQL Connection string                                                                                        | postgres://postgres:postgres@localhost:5432/postgres?sslmode=disable | ✅       |
-| `ADMIN_WALLET_ADDRESS`    | The initial admin wallet address that can connect to this engine instance from the thirdweb dashboard for setup.    |                                                                      | ✅       |
+| `ADMIN_WALLET_ADDRESS`    | The initial admin wallet address that can connect to this engine instance from the thirdweb dashboard for setup.    |
+| `ENCRYPTION_PASSWORD`     | A password used to encrypt sensitive wallet data for security.                                                      |                                                                      | ✅       |
 | `HOST`                    | Host name of the API Server                                                                                         | `localhost`                                                          | ❌       |
 | `PORT`                    | Port number of the API Server                                                                                       | `3005`                                                               | ❌       |
 | `CHAIN_OVERRIDES`         | Pass your own RPC urls to override the default ones. This can be file or an URL. See example override-rpc-urls.json |                                                                      | ❌       |
diff --git a/src/db/configuration/getConfiguration.ts b/src/db/configuration/getConfiguration.ts
@@ -3,6 +3,7 @@ import { LocalWallet } from "@thirdweb-dev/wallets";
 import { WalletType } from "../../schema/wallet";
 import { decrypt } from "../../utils/crypto";
 import { env } from "../../utils/env";
+import { logger } from "../../utils/logger";
 import { prisma } from "../client";
 import { updateConfiguration } from "./updateConfiguration";
 
@@ -27,35 +28,94 @@ interface Config extends Configuration {
       };
 }
 
-const withWalletConfig = (config: Configuration): Config => {
+const withWalletConfig = async (config: Configuration): Promise<Config> => {
+  // TODO: Remove backwards compatibility with next breaking change
+  if (config.awsAccessKeyId && config.awsSecretAccessKey && config.awsRegion) {
+    // First try to load the aws secret using the encryption password
+    let awsSecretAccessKey = decrypt(
+      config.awsSecretAccessKey,
+      env.ENCRYPTION_PASSWORD,
+    );
+
+    // If that fails, try to load the aws secret using the thirdweb api secret key
+    if (!awsSecretAccessKey) {
+      awsSecretAccessKey = decrypt(
+        config.awsSecretAccessKey,
+        env.THIRDWEB_API_SECRET_KEY,
+      );
+
+      // If that succeeds, update the configuration with the encryption password instead
+      if (awsSecretAccessKey) {
+        logger.worker.info(
+          `[Encryption] Updating awsSecretAccessKey to use ENCRYPTION_PASSWORD`,
+        );
+        await updateConfiguration({
+          awsSecretAccessKey,
+        });
+      }
+    }
+
+    return {
+      ...config,
+      walletConfiguration: {
+        type: WalletType.awsKms,
+        awsRegion: config.awsRegion,
+        awsAccessKeyId: config.awsAccessKeyId,
+        awsSecretAccessKey,
+      },
+    };
+  }
+
+  // TODO: Remove backwards compatibility with next breaking change
+  if (
+    config.gcpApplicationProjectId &&
+    config.gcpKmsLocationId &&
+    config.gcpKmsKeyRingId &&
+    config.gcpApplicationCredentialEmail &&
+    config.gcpApplicationCredentialPrivateKey
+  ) {
+    // First try to load the gcp secret using the encryption password
+    let gcpApplicationCredentialPrivateKey = decrypt(
+      config.gcpApplicationCredentialPrivateKey,
+      env.ENCRYPTION_PASSWORD,
+    );
+
+    // If that fails, try to load the gcp secret using the thirdweb api secret key
+    if (!gcpApplicationCredentialPrivateKey) {
+      gcpApplicationCredentialPrivateKey = decrypt(
+        config.gcpApplicationCredentialPrivateKey,
+        env.THIRDWEB_API_SECRET_KEY,
+      );
+
+      // If that succeeds, update the configuration with the encryption password instead
+      if (gcpApplicationCredentialPrivateKey) {
+        logger.worker.info(
+          `[Encryption] Updating gcpApplicationCredentialPrivateKey to use ENCRYPTION_PASSWORD`,
+        );
+        await updateConfiguration({
+          gcpApplicationCredentialPrivateKey,
+        });
+      }
+    }
+
+    return {
+      ...config,
+      walletConfiguration: {
+        type: WalletType.gcpKms,
+        gcpApplicationProjectId: config.gcpApplicationProjectId,
+        gcpKmsLocationId: config.gcpKmsLocationId,
+        gcpKmsKeyRingId: config.gcpKmsKeyRingId,
+        gcpApplicationCredentialEmail: config.gcpApplicationCredentialEmail,
+        gcpApplicationCredentialPrivateKey,
+      },
+    };
+  }
+
   return {
     ...config,
-    walletConfiguration:
-      config.awsAccessKeyId && config.awsSecretAccessKey && config.awsRegion
-        ? {
-            type: WalletType.awsKms,
-            awsAccessKeyId: config.awsAccessKeyId,
-            awsSecretAccessKey: decrypt(config.awsSecretAccessKey),
-            awsRegion: config.awsRegion,
-          }
-        : config.gcpApplicationProjectId &&
-          config.gcpKmsLocationId &&
-          config.gcpKmsKeyRingId &&
-          config.gcpApplicationCredentialEmail &&
-          config.gcpApplicationCredentialPrivateKey
-        ? {
-            type: WalletType.gcpKms,
-            gcpApplicationProjectId: config.gcpApplicationProjectId,
-            gcpKmsLocationId: config.gcpKmsLocationId,
-            gcpKmsKeyRingId: config.gcpKmsKeyRingId,
-            gcpApplicationCredentialEmail: config.gcpApplicationCredentialEmail,
-            gcpApplicationCredentialPrivateKey: decrypt(
-              config.gcpApplicationCredentialPrivateKey,
-            ),
-          }
-        : {
-            type: WalletType.local,
-          },
+    walletConfiguration: {
+      type: WalletType.local,
+    },
   };
 };
 
@@ -64,7 +124,7 @@ const createAuthWalletEncryptedJson = async () => {
   await wallet.generate();
   return wallet.export({
     strategy: "encryptedJson",
-    password: env.THIRDWEB_API_SECRET_KEY,
+    password: env.ENCRYPTION_PASSWORD,
   });
 };
 
diff --git a/src/server/middleware/auth.ts b/src/server/middleware/auth.ts
@@ -9,11 +9,13 @@ import { AsyncWallet } from "@thirdweb-dev/wallets/evm/wallets/async";
 import { utils } from "ethers";
 import { FastifyInstance } from "fastify";
 import { getConfiguration } from "../../db/configuration/getConfiguration";
+import { updateConfiguration } from "../../db/configuration/updateConfiguration";
 import { getPermissions } from "../../db/permissions/getPermissions";
 import { createToken } from "../../db/tokens/createToken";
 import { getToken } from "../../db/tokens/getToken";
 import { revokeToken } from "../../db/tokens/revokeToken";
 import { env } from "../../utils/env";
+import { logger } from "../../utils/logger";
 import { Permission } from "../schemas/auth";
 
 export type TAuthData = never;
@@ -83,10 +85,33 @@ export const withAuth = async (server: FastifyInstance) => {
       getSigner: async () => {
         const config = await getConfiguration();
         const wallet = new LocalWallet();
-        await wallet.import({
-          encryptedJson: config.authWalletEncryptedJson,
-          password: env.THIRDWEB_API_SECRET_KEY,
-        });
+
+        try {
+          // First, we try to load the wallet with the encryption password
+          await wallet.import({
+            encryptedJson: config.authWalletEncryptedJson,
+            password: env.ENCRYPTION_PASSWORD,
+          });
+        } catch {
+          // If that fails, we try to load the wallet with the secret key
+          await wallet.import({
+            encryptedJson: config.authWalletEncryptedJson,
+            password: env.THIRDWEB_API_SECRET_KEY,
+          });
+
+          // And then update the auth wallet to use encryption password instead
+          const encryptedJson = await wallet.export({
+            strategy: "encryptedJson",
+            password: env.ENCRYPTION_PASSWORD,
+          });
+
+          logger.worker.info(
+            `[Encryption] Updating authWalletEncryptedJson to use ENCRYPTION_PASSWORD`,
+          );
+          await updateConfiguration({
+            authWalletEncryptedJson: encryptedJson,
+          });
+        }
 
         return wallet.getSigner();
       },
@@ -114,7 +139,12 @@ export const withAuth = async (server: FastifyInstance) => {
         }
 
         const { payload } = parseJWT(jwt);
-        await revokeToken({ id: payload.jti });
+
+        try {
+          await revokeToken({ id: payload.jti });
+        } catch {
+          logger.worker.error(`[Auth] Failed to revoke token ${payload.jti}`);
+        }
       },
     },
   });
diff --git a/src/server/routes/auth/access-tokens/create.ts b/src/server/routes/auth/access-tokens/create.ts
@@ -4,6 +4,7 @@ import { LocalWallet } from "@thirdweb-dev/wallets";
 import { FastifyInstance } from "fastify";
 import { StatusCodes } from "http-status-codes";
 import { getConfiguration } from "../../../../db/configuration/getConfiguration";
+import { updateConfiguration } from "../../../../db/configuration/updateConfiguration";
 import { createToken } from "../../../../db/tokens/createToken";
 import { env } from "../../../../utils/env";
 import { AccessTokenSchema } from "./getAll";
@@ -43,10 +44,31 @@ export async function createAccessToken(fastify: FastifyInstance) {
 
       const config = await getConfiguration();
       const wallet = new LocalWallet();
-      await wallet.import({
-        encryptedJson: config.authWalletEncryptedJson,
-        password: env.THIRDWEB_API_SECRET_KEY,
-      });
+
+      // TODO: Remove this with next breaking change
+      try {
+        // First try to load the wallet using the encryption password
+        await wallet.import({
+          encryptedJson: config.authWalletEncryptedJson,
+          password: env.ENCRYPTION_PASSWORD,
+        });
+      } catch {
+        // If that fails, try the thirdweb api secret key for backwards compatibility
+        await wallet.import({
+          encryptedJson: config.authWalletEncryptedJson,
+          password: env.THIRDWEB_API_SECRET_KEY,
+        });
+
+        // If that works, save the wallet using the encryption password for the future
+        const authWalletEncryptedJson = await wallet.export({
+          strategy: "encryptedJson",
+          password: env.ENCRYPTION_PASSWORD,
+        });
+
+        await updateConfiguration({
+          authWalletEncryptedJson,
+        });
+      }
 
       const jwt = await buildJWT({
         wallet,
diff --git a/src/server/utils/wallets/createLocalWallet.ts b/src/server/utils/wallets/createLocalWallet.ts
@@ -22,7 +22,7 @@ export const createLocalWallet = async ({
   // Creating wallet details row is handled by LocalFileStorage
   await wallet.save({
     strategy: "encryptedJson",
-    password: env.THIRDWEB_API_SECRET_KEY,
+    password: env.ENCRYPTION_PASSWORD,
     storage: new LocalFileStorage(walletAddress, label),
   });
 
diff --git a/src/server/utils/wallets/getLocalWallet.ts b/src/server/utils/wallets/getLocalWallet.ts
@@ -1,6 +1,8 @@
 import { getChainByChainId } from "@thirdweb-dev/chains";
 import { LocalWallet } from "@thirdweb-dev/wallets";
+import { getWalletDetails } from "../../../db/wallets/getWalletDetails";
 import { env } from "../../../utils/env";
+import { logger } from "../../../utils/logger";
 import { LocalFileStorage } from "../storage/localStorage";
 
 interface GetLocalWalletParams {
@@ -14,11 +16,44 @@ export const getLocalWallet = async ({
 }: GetLocalWalletParams) => {
   const chain = getChainByChainId(chainId);
   const wallet = new LocalWallet({ chain });
-  await wallet.load({
-    strategy: "encryptedJson",
-    password: env.THIRDWEB_API_SECRET_KEY,
-    storage: new LocalFileStorage(walletAddress),
-  });
+
+  // TODO: Remove this with next breaking change
+  try {
+    // First, try to load the wallet using the encryption password
+    await wallet.load({
+      strategy: "encryptedJson",
+      password: env.ENCRYPTION_PASSWORD,
+      storage: new LocalFileStorage(walletAddress),
+    });
+  } catch {
+    // If that fails, try the thirdweb api secret key for backwards compatibility
+    await wallet.load({
+      strategy: "encryptedJson",
+      password: env.THIRDWEB_API_SECRET_KEY,
+      storage: new LocalFileStorage(walletAddress),
+    });
+
+    // If that works, save the wallet using the encryption password for the future
+    const walletDetails = await getWalletDetails({ address: walletAddress });
+    if (!walletDetails) {
+      throw new Error(
+        `Wallet details not found for wallet address ${walletAddress}`,
+      );
+    }
+
+    logger.worker.info(
+      `[Encryption] Updating local wallet ${walletAddress} to use ENCRYPTION_PASSWORD`,
+    );
+
+    await wallet.save({
+      strategy: "encryptedJson",
+      password: env.ENCRYPTION_PASSWORD,
+      storage: new LocalFileStorage(
+        walletAddress,
+        walletDetails.label ?? undefined,
+      ),
+    });
+  }
 
   return wallet;
 };
diff --git a/src/server/utils/wallets/importLocalWallet.ts b/src/server/utils/wallets/importLocalWallet.ts
@@ -51,7 +51,7 @@ export const importLocalWallet = async (
   // Creating wallet details gets handled by LocalFileStorage
   await wallet.save({
     strategy: "encryptedJson",
-    password: env.THIRDWEB_API_SECRET_KEY,
+    password: env.ENCRYPTION_PASSWORD,
     storage: new LocalFileStorage(walletAddress, options.label),
   });
 
diff --git a/src/utils/crypto.ts b/src/utils/crypto.ts
@@ -2,11 +2,9 @@ import crypto from "crypto-js";
 import { env } from "./env";
 
 export const encrypt = (data: string): string => {
-  return crypto.AES.encrypt(data, env.THIRDWEB_API_SECRET_KEY).toString();
+  return crypto.AES.encrypt(data, env.ENCRYPTION_PASSWORD).toString();
 };
 
-export const decrypt = (data: string) => {
-  return crypto.AES.decrypt(data, env.THIRDWEB_API_SECRET_KEY).toString(
-    crypto.enc.Utf8,
-  );
+export const decrypt = (data: string, password: string) => {
+  return crypto.AES.decrypt(data, password).toString(crypto.enc.Utf8);
 };
diff --git a/src/utils/env.ts b/src/utils/env.ts
