sami7777/dashcaddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
77030931b7058f0a459ca8cb3a96bb694a908919
dashcaddy/dashcaddy-api/credential-manager.js
Sami f61e85d9a7 Initial commit: DashCaddy v1.0 
Full codebase including API server (32 modules + routes), dashboard frontend,
DashCA certificate distribution, installer script, and deployment skills.
2026-03-05 02:26:12 -08:00

342 lines
9.9 KiB
JavaScript
Raw Blame History

/**
* Credential Manager for DashCaddy
* Unified interface for secure credential storage
* Uses OS keychain when available, falls back to encrypted file storage
*/
const keychainManager = require('./keychain-manager');
const cryptoUtils = require('./crypto-utils');
const fs = require('fs');
const path = require('path');
const CREDENTIALS_FILE = process.env.CREDENTIALS_FILE || path.join(__dirname, 'credentials.json');
class CredentialManager {
constructor() {
this.useKeychain = keychainManager.available;
this.cache = new Map(); // In-memory cache for performance
console.log(`[CredentialManager] Initialized with ${this.useKeychain ? 'OS keychain' : 'encrypted file'} storage`);
}
/**
* Store a credential securely
* @param {string} key - Credential identifier (e.g., 'dns.token', 'cloudflare.apikey')
* @param {string} value - Credential value
* @param {Object} metadata - Optional metadata (non-sensitive)
* @returns {Promise<boolean>} Success status
*/
async store(key, value, metadata = {}) {
try {
// Validate inputs
if (!key || typeof key !== 'string') {
throw new Error('Credential key is required');
}
if (!value || typeof value !== 'string') {
throw new Error('Credential value is required');
}
// Try OS keychain first
if (this.useKeychain) {
const success = await keychainManager.store(key, value);
if (success) {
// Store metadata separately in file
await this.storeMetadata(key, metadata);
this.cache.set(key, value);
console.log(`[CredentialManager] Stored '${key}' in OS keychain`);
return true;
}
console.warn(`[CredentialManager] Keychain storage failed for '${key}', falling back to encrypted file`);
}
// Fallback to encrypted file storage
await this.storeInFile(key, value, metadata);
this.cache.set(key, value);
console.log(`[CredentialManager] Stored '${key}' in encrypted file`);
return true;
} catch (error) {
console.error(`[CredentialManager] Failed to store '${key}':`, error.message);
return false;
}
}
/**
* Retrieve a credential
* @param {string} key - Credential identifier
* @returns {Promise<string|null>} Credential value or null
*/
async retrieve(key) {
try {
// Check cache first
if (this.cache.has(key)) {
return this.cache.get(key);
}
// Try OS keychain first
if (this.useKeychain) {
const value = await keychainManager.retrieve(key);
if (value) {
this.cache.set(key, value);
return value;
}
}
// Fallback to encrypted file storage
const value = await this.retrieveFromFile(key);
if (value) {
this.cache.set(key, value);
}
return value;
} catch (error) {
console.error(`[CredentialManager] Failed to retrieve '${key}':`, error.message);
return null;
}
}
/**
* Delete a credential
* @param {string} key - Credential identifier
* @returns {Promise<boolean>} Success status
*/
async delete(key) {
try {
// Remove from cache
this.cache.delete(key);
// Try OS keychain
if (this.useKeychain) {
await keychainManager.delete(key);
}
// Remove from file storage
await this.deleteFromFile(key);
console.log(`[CredentialManager] Deleted '${key}'`);
return true;
} catch (error) {
console.error(`[CredentialManager] Failed to delete '${key}':`, error.message);
return false;
}
}
/**
* List all stored credential keys (not values)
* @returns {Promise<Array<string>>} Array of credential keys
*/
async list() {
try {
const credentials = await this.loadCredentialsFile();
return Object.keys(credentials);
} catch (error) {
console.error('[CredentialManager] Failed to list credentials:', error.message);
return [];
}
}
/**
* Get metadata for a credential
* @param {string} key - Credential identifier
* @returns {Promise<Object|null>} Metadata object or null
*/
async getMetadata(key) {
try {
const credentials = await this.loadCredentialsFile();
return credentials[key]?.metadata || null;
} catch (error) {
return null;
}
}
/**
* Rotate encryption key (re-encrypt all credentials with new key)
* @returns {Promise<boolean>} Success status
*/
async rotateEncryptionKey() {
try {
console.log('[CredentialManager] Starting encryption key rotation...');
// Load all credentials with old key
const credentials = await this.loadCredentialsFile();
const keys = Object.keys(credentials);
if (keys.length === 0) {
console.log('[CredentialManager] No credentials to rotate');
return true;
}
// Generate new encryption key
cryptoUtils.loadOrCreateKey(); // This will generate a new key
// Re-encrypt all credentials
const rotated = {};
for (const key of keys) {
const value = credentials[key].value;
const metadata = credentials[key].metadata;
// Decrypt with old key, encrypt with new key
const decrypted = cryptoUtils.isEncrypted(value) ? cryptoUtils.decrypt(value) : value;
rotated[key] = {
value: cryptoUtils.encrypt(decrypted),
metadata,
rotatedAt: new Date().toISOString()
};
}
// Save with new encryption
await this.saveCredentialsFile(rotated);
// Clear cache to force reload
this.cache.clear();
console.log(`[CredentialManager] Successfully rotated ${keys.length} credentials`);
return true;
} catch (error) {
console.error('[CredentialManager] Key rotation failed:', error.message);
return false;
}
}
/**
* Migrate plaintext credentials to encrypted format
* @returns {Promise<Object>} Migration results
*/
async migrateToEncrypted() {
try {
const credentials = await this.loadCredentialsFile();
let migrated = 0;
let skipped = 0;
for (const [key, data] of Object.entries(credentials)) {
if (!cryptoUtils.isEncrypted(data.value)) {
credentials[key].value = cryptoUtils.encrypt(data.value);
credentials[key].migratedAt = new Date().toISOString();
migrated++;
} else {
skipped++;
}
}
if (migrated > 0) {
await this.saveCredentialsFile(credentials);
this.cache.clear();
console.log(`[CredentialManager] Migrated ${migrated} plaintext credentials to encrypted format`);
}
return { migrated, skipped, total: migrated + skipped };
} catch (error) {
console.error('[CredentialManager] Migration failed:', error.message);
throw error;
}
}
// Private methods
async storeInFile(key, value, metadata) {
const credentials = await this.loadCredentialsFile();
credentials[key] = {
value: cryptoUtils.encrypt(value),
metadata,
updatedAt: new Date().toISOString()
};
await this.saveCredentialsFile(credentials);
}
async retrieveFromFile(key) {
const credentials = await this.loadCredentialsFile();
const data = credentials[key];
if (!data) return null;
return cryptoUtils.isEncrypted(data.value)
? cryptoUtils.decrypt(data.value)
: data.value;
}
async deleteFromFile(key) {
const credentials = await this.loadCredentialsFile();
delete credentials[key];
await this.saveCredentialsFile(credentials);
}
async storeMetadata(key, metadata) {
const credentials = await this.loadCredentialsFile();
if (!credentials[key]) {
credentials[key] = { metadata };
} else {
credentials[key].metadata = metadata;
}
credentials[key].updatedAt = new Date().toISOString();
await this.saveCredentialsFile(credentials);
}
async loadCredentialsFile() {
try {
if (!fs.existsSync(CREDENTIALS_FILE)) {
return {};
}
const data = fs.readFileSync(CREDENTIALS_FILE, 'utf8');
return JSON.parse(data);
} catch (error) {
console.error('[CredentialManager] Failed to load credentials file:', error.message);
return {};
}
}
async saveCredentialsFile(credentials) {
try {
// Ensure directory exists
const dir = path.dirname(CREDENTIALS_FILE);
if (!fs.existsSync(dir)) {
fs.mkdirSync(dir, { recursive: true });
}
// Write with restrictive permissions
fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(credentials, null, 2), { mode: 0o600 });
} catch (error) {
console.error('[CredentialManager] Failed to save credentials file:', error.message);
throw error;
}
}
/**
* Export credentials for backup (encrypted)
* @returns {Promise<string>} Encrypted backup data
*/
async exportBackup() {
const credentials = await this.loadCredentialsFile();
const backup = {
version: '1.0',
exportedAt: new Date().toISOString(),
credentials
};
return cryptoUtils.encrypt(JSON.stringify(backup));
}
/**
* Import credentials from backup
* @param {string} encryptedBackup - Encrypted backup data
* @returns {Promise<boolean>} Success status
*/
async importBackup(encryptedBackup) {
try {
const decrypted = cryptoUtils.decrypt(encryptedBackup);
const backup = JSON.parse(decrypted);
if (backup.version !== '1.0') {
throw new Error('Unsupported backup version');
}
await this.saveCredentialsFile(backup.credentials);
this.cache.clear();
console.log('[CredentialManager] Successfully imported backup');
return true;
} catch (error) {
console.error('[CredentialManager] Failed to import backup:', error.message);
return false;
}
}
}
// Export singleton instance
module.exports = new CredentialManager();
Reference in New Issue View Git Blame Copy Permalink