Encrypt Datasource Credentials at Rest

[ragsav]

Description:
To facilitate connections to third-party databases and APIs (e.g., PostgreSQL, Stripe, Airtable), the platform stores connection strings, API keys, and passwords. If these secrets are stored in plaintext or basic Base64 encoding within the Prisma database, any subsequent vulnerability (like an SQL injection or a leaked backup) will expose them.

Impact:
A single breach acts as a supply-chain attack, giving attackers full administrative access to all third-party systems and databases connected to the platform by its users.

Affected Components:

apps/backend/prisma/schema.prisma (Datasource models)

apps/backend/modules/datasource/datasource.service.js

Suggested Remediation:

Implement symmetric encryption (e.g., AES-256-GCM via Node's crypto module) for all sensitive fields in the Datasource model.

Encrypt secrets before writing to the database and decrypt them entirely in memory just before connecting to the external source.

Store the master encryption key solely in environment variables (process.env), ensuring it is never logged or stored in the database.