refactor: update encryption key handling and configuration in backend

Author: LuggaPugga

apps/backend/.env.example

@@ -1,5 +1,6 @@
 DATABASE_URL=postgres://user:password@localhost:5432/sourcemaps
-ENCRYPTION_KEY=0000000000000000000000000000000000000000000000000000000000000000
+FILE_ENCRYPTION_KEY=0000000000000000000000000000000000000000000000000000000000000000
+APIKEY_ENCRYPTION_KEY=1111111111111111111111111111111111111111111111111111111111111111
 S3_BUCKET=
 S3_REGION=
 S3_ENDPOINT=

apps/backend/src/auth.rs

@@ -47,7 +47,7 @@ impl FromRequestParts<SharedState> for AuthenticatedProject {
         let project_id: Uuid = row.get("project_id");
         let encrypted_key: String = row.get("encrypted_key");
 
-        if !verify_api_key(&state.crypto, &encrypted_key, token)? {
+        if !verify_api_key(&state.apikey_crypto, &encrypted_key, token)? {
             return Err(AppError::Unauthorized);
         }
 

apps/backend/src/config.rs

@@ -3,7 +3,8 @@ use std::net::SocketAddr;
 #[derive(Clone)]
 pub struct Config {
     pub database_url: String,
-    pub encryption_key: String,
+    pub file_encryption_key: String,
+    pub apikey_encryption_key: String,
     pub s3_bucket: String,
     pub s3_region: String,
     pub s3_endpoint: String,
@@ -29,7 +30,9 @@ impl Config {
 
         Ok(Self {
             database_url: std::env::var("DATABASE_URL")?,
-            encryption_key: std::env::var("ENCRYPTION_KEY")
+            file_encryption_key: std::env::var("FILE_ENCRYPTION_KEY")
+                .or_else(|_| std::env::var("ENCRYPTION_KEY"))?,
+            apikey_encryption_key: std::env::var("APIKEY_ENCRYPTION_KEY")
                 .or_else(|_| std::env::var("SOURCEMAP_API_KEY_SECRET"))?,
             s3_bucket: std::env::var("S3_BUCKET")?,
             s3_region: std::env::var("S3_REGION").unwrap_or_else(|_| "us-east-1".into()),

apps/backend/src/main.rs

@@ -17,7 +17,7 @@ use storage::Storage;
 pub struct AppState {
     pub db: sqlx::PgPool,
     pub storage: Storage,
-    pub crypto: Arc<Crypto>,
+    pub apikey_crypto: Arc<Crypto>,
     pub admin_token: Arc<str>,
 }
 
@@ -61,19 +61,27 @@ async fn main() {
 }
 
 async fn build_state(config: &Config) -> AppState {
-    let crypto = Arc::new(Crypto::new(&config.encryption_key).expect("invalid ENCRYPTION_KEY"));
+    if config.file_encryption_key == config.apikey_encryption_key {
+        panic!("FILE_ENCRYPTION_KEY and APIKEY_ENCRYPTION_KEY must be different");
+    }
+
+    let file_crypto =
+        Arc::new(Crypto::new(&config.file_encryption_key).expect("invalid FILE_ENCRYPTION_KEY"));
+    let apikey_crypto = Arc::new(
+        Crypto::new(&config.apikey_encryption_key).expect("invalid APIKEY_ENCRYPTION_KEY"),
+    );
     let db = PgPoolOptions::new()
         .max_connections(10)
         .connect(&config.database_url)
         .await
         .expect("failed to connect to database");
     let s3_client = s3_client(config);
-    let storage = Storage::new(s3_client, config.s3_bucket.clone(), crypto.clone());
+    let storage = Storage::new(s3_client, config.s3_bucket.clone(), file_crypto.clone());
 
     AppState {
         db,
         storage,
-        crypto,
+        apikey_crypto,
         admin_token: Arc::<str>::from(config.admin_token.clone()),
     }
 }