sami7777/dashcaddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6979302fb7ff88a9092bffcdace20c7cd90cc11d
dashcaddy/dashcaddy-api/credential-manager.js
Sami 6979302fb7 Fix 7 critical security bugs and 1 high-severity data loss bug 
- CSRF: HMAC-signed double-submit cookie (server-bound, not raw compare)
- Keychain: execFileSync with arg arrays to prevent command injection
- Caddy config: always use structured generation, never accept raw config
- Templates: replace {{GENERATED_SECRET}} with crypto.randomBytes
- Caddyfile removal: move regex inside ctx.caddy.modify() to fix TOCTOU race
- Credentials: proper-lockfile for all file operations, fix key rotation
  to decrypt with old key before generating new key
- Service removal: filter by ID only, not AND with appTemplate

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 23:08:30 -08:00

391 lines
11 KiB
JavaScript
Raw Blame History

/**
* Credential Manager for DashCaddy
* Unified interface for secure credential storage
* Uses OS keychain when available, falls back to encrypted file storage
*/
const keychainManager = require('./keychain-manager');
const cryptoUtils = require('./crypto-utils');
const lockfile = require('proper-lockfile');
const fs = require('fs');
const path = require('path');
const CREDENTIALS_FILE = process.env.CREDENTIALS_FILE || path.join(__dirname, 'credentials.json');
class CredentialManager {
constructor() {
this.useKeychain = keychainManager.available;
this.cache = new Map(); // In-memory cache for performance
this.lockOptions = {
retries: { retries: 10, minTimeout: 100, maxTimeout: 300 },
stale: 30000
};
console.log(`[CredentialManager] Initialized with ${this.useKeychain ? 'OS keychain' : 'encrypted file'} storage`);
}
/**
* Store a credential securely
* @param {string} key - Credential identifier (e.g., 'dns.token', 'cloudflare.apikey')
* @param {string} value - Credential value
* @param {Object} metadata - Optional metadata (non-sensitive)
* @returns {Promise<boolean>} Success status
*/
async store(key, value, metadata = {}) {
try {
// Validate inputs
if (!key || typeof key !== 'string') {
throw new Error('Credential key is required');
}
if (!value || typeof value !== 'string') {
throw new Error('Credential value is required');
}
// Try OS keychain first
if (this.useKeychain) {
const success = await keychainManager.store(key, value);
if (success) {
// Store metadata separately in file
await this.storeMetadata(key, metadata);
this.cache.set(key, value);
console.log(`[CredentialManager] Stored '${key}' in OS keychain`);
return true;
}
console.warn(`[CredentialManager] Keychain storage failed for '${key}', falling back to encrypted file`);
}
// Fallback to encrypted file storage
await this.storeInFile(key, value, metadata);
this.cache.set(key, value);
console.log(`[CredentialManager] Stored '${key}' in encrypted file`);
return true;
} catch (error) {
console.error(`[CredentialManager] Failed to store '${key}':`, error.message);
return false;
}
}
/**
* Retrieve a credential
* @param {string} key - Credential identifier
* @returns {Promise<string|null>} Credential value or null
*/
async retrieve(key) {
try {
// Check cache first
if (this.cache.has(key)) {
return this.cache.get(key);
}
// Try OS keychain first
if (this.useKeychain) {
const value = await keychainManager.retrieve(key);
if (value) {
this.cache.set(key, value);
return value;
}
}
// Fallback to encrypted file storage
const value = await this.retrieveFromFile(key);
if (value) {
this.cache.set(key, value);
}
return value;
} catch (error) {
console.error(`[CredentialManager] Failed to retrieve '${key}':`, error.message);
return null;
}
}
/**
* Delete a credential
* @param {string} key - Credential identifier
* @returns {Promise<boolean>} Success status
*/
async delete(key) {
try {
// Remove from cache
this.cache.delete(key);
// Try OS keychain
if (this.useKeychain) {
await keychainManager.delete(key);
}
// Remove from file storage
await this.deleteFromFile(key);
console.log(`[CredentialManager] Deleted '${key}'`);
return true;
} catch (error) {
console.error(`[CredentialManager] Failed to delete '${key}':`, error.message);
return false;
}
}
/**
* List all stored credential keys (not values)
* @returns {Promise<Array<string>>} Array of credential keys
*/
async list() {
try {
const credentials = await this.loadCredentialsFile();
return Object.keys(credentials);
} catch (error) {
console.error('[CredentialManager] Failed to list credentials:', error.message);
return [];
}
}
/**
* Get metadata for a credential
* @param {string} key - Credential identifier
* @returns {Promise<Object|null>} Metadata object or null
*/
async getMetadata(key) {
try {
const credentials = await this.loadCredentialsFile();
return credentials[key]?.metadata || null;
} catch (error) {
return null;
}
}
/**
* Rotate encryption key (re-encrypt all credentials with new key)
* @returns {Promise<boolean>} Success status
*/
async rotateEncryptionKey() {
let release;
try {
console.log('[CredentialManager] Starting encryption key rotation...');
// Ensure file exists before locking
this._ensureFileExists();
release = await lockfile.lock(CREDENTIALS_FILE, this.lockOptions);
const data = fs.readFileSync(CREDENTIALS_FILE, 'utf8');
const credentials = JSON.parse(data);
const keys = Object.keys(credentials);
if (keys.length === 0) {
console.log('[CredentialManager] No credentials to rotate');
return true;
}
// Decrypt all values with the CURRENT key first
const decryptedEntries = {};
for (const key of keys) {
const value = credentials[key].value;
decryptedEntries[key] = {
plaintext: cryptoUtils.isEncrypted(value) ? cryptoUtils.decrypt(value) : value,
metadata: credentials[key].metadata
};
}
// Generate new key (this replaces the cached key and saves to disk)
const { oldKey } = cryptoUtils.rotateKey();
// Re-encrypt all credentials with the new key
const rotated = {};
for (const key of keys) {
rotated[key] = {
value: cryptoUtils.encrypt(decryptedEntries[key].plaintext),
metadata: decryptedEntries[key].metadata,
rotatedAt: new Date().toISOString()
};
}
// Save with new encryption
fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(rotated, null, 2), { mode: 0o600 });
// Clear cache to force reload
this.cache.clear();
console.log(`[CredentialManager] Successfully rotated ${keys.length} credentials`);
return true;
} catch (error) {
console.error('[CredentialManager] Key rotation failed:', error.message);
return false;
} finally {
if (release) {
try { await release(); } catch (e) { /* lock will expire via stale timeout */ }
}
}
}
/**
* Migrate plaintext credentials to encrypted format
* @returns {Promise<Object>} Migration results
*/
async migrateToEncrypted() {
try {
let migrated = 0;
let skipped = 0;
await this._lockedUpdate(credentials => {
for (const [key, data] of Object.entries(credentials)) {
if (!cryptoUtils.isEncrypted(data.value)) {
credentials[key].value = cryptoUtils.encrypt(data.value);
credentials[key].migratedAt = new Date().toISOString();
migrated++;
} else {
skipped++;
}
}
return credentials;
});
if (migrated > 0) {
this.cache.clear();
console.log(`[CredentialManager] Migrated ${migrated} plaintext credentials to encrypted format`);
}
return { migrated, skipped, total: migrated + skipped };
} catch (error) {
console.error('[CredentialManager] Migration failed:', error.message);
throw error;
}
}
// Private methods
/**
* Ensure credentials file exists (needed before locking)
* @private
*/
_ensureFileExists() {
if (!fs.existsSync(CREDENTIALS_FILE)) {
const dir = path.dirname(CREDENTIALS_FILE);
if (!fs.existsSync(dir)) {
fs.mkdirSync(dir, { recursive: true });
}
fs.writeFileSync(CREDENTIALS_FILE, '{}', { mode: 0o600 });
}
}
/**
* Atomic read-modify-write with file locking
* @param {Function} updateFn - Receives current credentials object, returns updated object
* @returns {Promise<Object>} Updated credentials
* @private
*/
async _lockedUpdate(updateFn) {
this._ensureFileExists();
let release;
try {
release = await lockfile.lock(CREDENTIALS_FILE, this.lockOptions);
const data = fs.readFileSync(CREDENTIALS_FILE, 'utf8');
const credentials = JSON.parse(data);
const updated = await updateFn(credentials);
fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(updated, null, 2), { mode: 0o600 });
return updated;
} catch (error) {
if (error.code === 'ELOCKED') {
throw new Error('Credentials file is locked by another process. Try again.');
}
throw error;
} finally {
if (release) {
try { await release(); } catch (e) { /* lock will expire via stale timeout */ }
}
}
}
async storeInFile(key, value, metadata) {
await this._lockedUpdate(credentials => {
credentials[key] = {
value: cryptoUtils.encrypt(value),
metadata,
updatedAt: new Date().toISOString()
};
return credentials;
});
}
async retrieveFromFile(key) {
const credentials = await this.loadCredentialsFile();
const data = credentials[key];
if (!data) return null;
return cryptoUtils.isEncrypted(data.value)
? cryptoUtils.decrypt(data.value)
: data.value;
}
async deleteFromFile(key) {
await this._lockedUpdate(credentials => {
delete credentials[key];
return credentials;
});
}
async storeMetadata(key, metadata) {
await this._lockedUpdate(credentials => {
if (!credentials[key]) {
credentials[key] = { metadata };
} else {
credentials[key].metadata = metadata;
}
credentials[key].updatedAt = new Date().toISOString();
return credentials;
});
}
async loadCredentialsFile() {
try {
if (!fs.existsSync(CREDENTIALS_FILE)) {
return {};
}
const data = fs.readFileSync(CREDENTIALS_FILE, 'utf8');
return JSON.parse(data);
} catch (error) {
console.error('[CredentialManager] Failed to load credentials file:', error.message);
return {};
}
}
/**
* Export credentials for backup (encrypted)
* @returns {Promise<string>} Encrypted backup data
*/
async exportBackup() {
const credentials = await this.loadCredentialsFile();
const backup = {
version: '1.0',
exportedAt: new Date().toISOString(),
credentials
};
return cryptoUtils.encrypt(JSON.stringify(backup));
}
/**
* Import credentials from backup
* @param {string} encryptedBackup - Encrypted backup data
* @returns {Promise<boolean>} Success status
*/
async importBackup(encryptedBackup) {
try {
const decrypted = cryptoUtils.decrypt(encryptedBackup);
const backup = JSON.parse(decrypted);
if (backup.version !== '1.0') {
throw new Error('Unsupported backup version');
}
await this._lockedUpdate(() => backup.credentials);
this.cache.clear();
console.log('[CredentialManager] Successfully imported backup');
return true;
} catch (error) {
console.error('[CredentialManager] Failed to import backup:', error.message);
return false;
}
}
}
// Export singleton instance
module.exports = new CredentialManager();
Reference in New Issue View Git Blame Copy Permalink