Initial security fixes (#461)

* Initial sec

* Update PII fields

* FIX add tests

* FIX safely read plaintext data on rake backfill

* Update user.rb

* FIX tests

* encryption_ready? block

* Test conditional to encryption on

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>

app/models/api_key.rb

@@ -1,8 +1,12 @@
 class ApiKey < ApplicationRecord
+  include Encryptable
+
   belongs_to :user
 
-  # Use Rails built-in encryption for secure storage
-  encrypts :display_key, deterministic: true
+  # Encrypt display_key if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :display_key, deterministic: true
+  end
 
   # Constants
   SOURCES = [ "web", "mobile" ].freeze

app/models/concerns/encryptable.rb

@@ -0,0 +1,16 @@
+module Encryptable
+  extend ActiveSupport::Concern
+
+  class_methods do
+    # Helper to detect if ActiveRecord Encryption is configured for this app.
+    # This allows encryption to be optional - if not configured, sensitive fields
+    # are stored in plaintext (useful for development or legacy deployments).
+    def encryption_ready?
+      creds_ready = Rails.application.credentials.active_record_encryption.present?
+      env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
+                  ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
+                  ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
+      creds_ready || env_ready
+    end
+  end
+end

app/models/enable_banking_account.rb

@@ -1,5 +1,11 @@
 class EnableBankingAccount < ApplicationRecord
-  include CurrencyNormalizable
+  include CurrencyNormalizable, Encryptable
+
+  # Encrypt raw payloads if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :raw_payload
+    encrypts :raw_transactions_payload
+  end
 
   belongs_to :enable_banking_item
 

app/models/enable_banking_item.rb

@@ -1,21 +1,14 @@
 class EnableBankingItem < ApplicationRecord
-  include Syncable, Provided, Unlinking
+  include Syncable, Provided, Unlinking, Encryptable
 
   enum :status, { good: "good", requires_update: "requires_update" }, default: :good
 
-  # Helper to detect if ActiveRecord Encryption is configured for this app
-  def self.encryption_ready?
-    creds_ready = Rails.application.credentials.active_record_encryption.present?
-    env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
-    creds_ready || env_ready
-  end
-
-  # Encrypt sensitive credentials if ActiveRecord encryption is configured
+  # Encrypt sensitive credentials and raw payloads if ActiveRecord encryption is configured
   if encryption_ready?
     encrypts :client_certificate, deterministic: true
     encrypts :session_id, deterministic: true
+    encrypts :raw_payload
+    encrypts :raw_institution_payload
   end
 
   validates :name, presence: true

app/models/invitation.rb

@@ -1,7 +1,15 @@
 class Invitation < ApplicationRecord
+  include Encryptable
+
   belongs_to :family
   belongs_to :inviter, class_name: "User"
 
+  # Encrypt sensitive fields if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :token, deterministic: true
+    encrypts :email, deterministic: true, downcase: true
+  end
+
   validates :email, presence: true, format: { with: URI::MailTo::EMAIL_REGEXP }
   validates :role, presence: true, inclusion: { in: %w[admin member] }
   validates :token, presence: true, uniqueness: true

app/models/invite_code.rb

@@ -1,4 +1,11 @@
 class InviteCode < ApplicationRecord
+  include Encryptable
+
+  # Encrypt token if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :token, deterministic: true, downcase: true
+  end
+
   before_validation :generate_token, on: :create
 
   class << self

app/models/lunchflow_account.rb

@@ -1,5 +1,11 @@
 class LunchflowAccount < ApplicationRecord
-  include CurrencyNormalizable
+  include CurrencyNormalizable, Encryptable
+
+  # Encrypt raw payloads if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :raw_payload
+    encrypts :raw_transactions_payload
+  end
 
   belongs_to :lunchflow_item
 

app/models/lunchflow_item.rb

@@ -1,20 +1,13 @@
 class LunchflowItem < ApplicationRecord
-  include Syncable, Provided, Unlinking
+  include Syncable, Provided, Unlinking, Encryptable
 
   enum :status, { good: "good", requires_update: "requires_update" }, default: :good
 
-  # Helper to detect if ActiveRecord Encryption is configured for this app
-  def self.encryption_ready?
-    creds_ready = Rails.application.credentials.active_record_encryption.present?
-    env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
-    creds_ready || env_ready
-  end
-
-  # Encrypt sensitive credentials if ActiveRecord encryption is configured (credentials OR env vars)
+  # Encrypt sensitive credentials and raw payloads if ActiveRecord encryption is configured
   if encryption_ready?
     encrypts :api_key, deterministic: true
+    encrypts :raw_payload
+    encrypts :raw_institution_payload
   end
 
   validates :name, presence: true

app/models/mobile_device.rb

@@ -1,4 +1,11 @@
 class MobileDevice < ApplicationRecord
+  include Encryptable
+
+  # Encrypt device_id if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :device_id, deterministic: true
+  end
+
   belongs_to :user
   belongs_to :oauth_application, class_name: "Doorkeeper::Application", optional: true
 

app/models/plaid_account.rb

@@ -1,4 +1,14 @@
 class PlaidAccount < ApplicationRecord
+  include Encryptable
+
+  # Encrypt raw payloads if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :raw_payload
+    encrypts :raw_transactions_payload
+    encrypts :raw_investments_payload
+    encrypts :raw_liabilities_payload
+  end
+
   belongs_to :plaid_item
 
   # Legacy association via foreign key (will be removed after migration)

app/models/plaid_item.rb

@@ -1,21 +1,14 @@
 class PlaidItem < ApplicationRecord
-  include Syncable, Provided
+  include Syncable, Provided, Encryptable
 
   enum :plaid_region, { us: "us", eu: "eu" }
   enum :status, { good: "good", requires_update: "requires_update" }, default: :good
 
-  # Helper to detect if ActiveRecord Encryption is configured for this app
-  def self.encryption_ready?
-    creds_ready = Rails.application.credentials.active_record_encryption.present?
-    env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
-    creds_ready || env_ready
-  end
-
-  # Encrypt sensitive credentials if ActiveRecord encryption is configured (credentials OR env vars)
+  # Encrypt sensitive credentials and raw payloads if ActiveRecord encryption is configured
   if encryption_ready?
     encrypts :access_token, deterministic: true
+    encrypts :raw_payload
+    encrypts :raw_institution_payload
   end
 
   validates :name, presence: true

app/models/session.rb

@@ -1,14 +1,18 @@
 class Session < ApplicationRecord
+  include Encryptable
+
+  # Encrypt user_agent if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :user_agent
+  end
+
   belongs_to :user
   belongs_to :active_impersonator_session,
     -> { where(status: :in_progress) },
     class_name: "ImpersonationSession",
     optional: true
 
-  before_create do
-    self.user_agent = Current.user_agent
-    self.ip_address = Current.ip_address
-  end
+  before_create :capture_session_info
 
   def get_preferred_tab(tab_key)
     data.dig("tab_preferences", tab_key)
@@ -19,4 +23,13 @@ class Session < ApplicationRecord
     data["tab_preferences"][tab_key] = tab_value
     save!
   end
+
+  private
+
+    def capture_session_info
+      self.user_agent = Current.user_agent
+      raw_ip = Current.ip_address
+      self.ip_address = raw_ip
+      self.ip_address_digest = Digest::SHA256.hexdigest(raw_ip.to_s) if raw_ip.present?
+    end
 end

app/models/simplefin_account.rb

@@ -1,4 +1,13 @@
 class SimplefinAccount < ApplicationRecord
+  include Encryptable
+
+  # Encrypt raw payloads if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :raw_payload
+    encrypts :raw_transactions_payload
+    encrypts :raw_holdings_payload
+  end
+
   belongs_to :simplefin_item
 
   # Legacy association via foreign key (will be removed after migration)

app/models/simplefin_item.rb

@@ -1,5 +1,5 @@
 class SimplefinItem < ApplicationRecord
-  include Syncable, Provided
+  include Syncable, Provided, Encryptable
   include SimplefinItem::Unlinking
 
   enum :status, { good: "good", requires_update: "requires_update" }, default: :good
@@ -7,18 +7,11 @@ class SimplefinItem < ApplicationRecord
   # Virtual attribute for the setup token form field
   attr_accessor :setup_token
 
-  # Helper to detect if ActiveRecord Encryption is configured for this app
-  def self.encryption_ready?
-    creds_ready = Rails.application.credentials.active_record_encryption.present?
-    env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
-    creds_ready || env_ready
-  end
-
-  # Encrypt sensitive credentials if ActiveRecord encryption is configured (credentials OR env vars)
+  # Encrypt sensitive credentials and raw payloads if ActiveRecord encryption is configured
   if encryption_ready?
     encrypts :access_url, deterministic: true
+    encrypts :raw_payload
+    encrypts :raw_institution_payload
   end
 
   validates :name, presence: true

app/models/sso_provider.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
 class SsoProvider < ApplicationRecord
-  # Encrypt sensitive credentials using Rails 7.2 built-in encryption
-  encrypts :client_secret, deterministic: false
+  include Encryptable
+
+  # Encrypt sensitive credentials if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :client_secret, deterministic: false
+  end
 
   # Default enabled to true for new providers
   attribute :enabled, :boolean, default: true

app/models/user.rb

@@ -1,8 +1,27 @@
 class User < ApplicationRecord
+  include Encryptable
+
   # Allow nil password for SSO-only users (JIT provisioning).
   # Custom validation ensures password is present for non-SSO registration.
   has_secure_password validations: false
 
+  # Encrypt sensitive fields if ActiveRecord encryption is configured
+  if encryption_ready?
+    # MFA secrets
+    encrypts :otp_secret, deterministic: true
+    # Note: otp_backup_codes is a PostgreSQL array column which doesn't support
+    # AR encryption. To encrypt it, a migration would be needed to change the
+    # column type from array to text/jsonb.
+
+    # PII - emails (deterministic for lookups, downcase for case-insensitive)
+    encrypts :email, deterministic: true, downcase: true
+    encrypts :unconfirmed_email, deterministic: true, downcase: true
+
+    # PII - names (non-deterministic for maximum security)
+    encrypts :first_name
+    encrypts :last_name
+  end
+
   belongs_to :family
   belongs_to :last_viewed_chat, class_name: "Chat", optional: true
   has_many :sessions, dependent: :destroy
@@ -332,7 +351,7 @@ class User < ApplicationRecord
       if (index = otp_backup_codes.index(code))
         remaining_codes = otp_backup_codes.dup
         remaining_codes.delete_at(index)
-        update_column(:otp_backup_codes, remaining_codes)
+        update!(otp_backup_codes: remaining_codes)
         true
       else
         false