Initial security fixes (#461)

* Initial sec * Update PII fields * FIX add tests * FIX safely read plaintext data on rake backfill * Update user.rb * FIX tests * encryption_ready? block * Test conditional to encryption on --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
2026-04-19 12:04:08 +00:00 · 2026-01-23 22:05:28 +01:00
parent 71f10c5e4a
commit 696ff0966b
21 changed files with 645 additions and 55 deletions
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -1,8 +1,12 @@
 # frozen_string_literal: true

 class SsoProvider < ApplicationRecord
-  # Encrypt sensitive credentials using Rails 7.2 built-in encryption
-  encrypts :client_secret, deterministic: false
+  include Encryptable
+
+  # Encrypt sensitive credentials if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :client_secret, deterministic: false
+  end

  # Default enabled to true for new providers
  attribute :enabled, :boolean, default: true