Initial security fixes (#461)

* Initial sec * Update PII fields * FIX add tests * FIX safely read plaintext data on rake backfill * Update user.rb * FIX tests * encryption_ready? block * Test conditional to encryption on --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
2026-04-19 03:54:08 +00:00 · 2026-01-23 22:05:28 +01:00
parent 71f10c5e4a
commit 696ff0966b
21 changed files with 645 additions and 55 deletions
--- a/app/models/concerns/encryptable.rb
+++ b/app/models/concerns/encryptable.rb
@@ -0,0 +1,16 @@
+module Encryptable
+  extend ActiveSupport::Concern
+
+  class_methods do
+    # Helper to detect if ActiveRecord Encryption is configured for this app.
+    # This allows encryption to be optional - if not configured, sensitive fields
+    # are stored in plaintext (useful for development or legacy deployments).
+    def encryption_ready?
+      creds_ready = Rails.application.credentials.active_record_encryption.present?
+      env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
+                  ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
+                  ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
+      creds_ready || env_ready
+    end
+  end
+end