mirror of
https://github.com/we-promise/sure.git
synced 2026-07-12 21:05:20 +00:00
* feat(security): warn when ActiveRecord encryption is not configured Self-hosted instances without explicit ACTIVE_RECORD_ENCRYPTION_* keys (or Rails credentials) store sensitive columns - API keys, provider/bank tokens, the MFA (TOTP) secret, and PII - unencrypted at rest. The app boots and works normally so this plaintext at rest state is easy to miss. Change: Make it visible: - log a clear startup warning (config/initializers/encryption_warning.rb) - show a warning banner on /settings/security when encryption is unconfigured * refactor(security): apply review feedback on encryption warning - list the three ACTIVE_RECORD_ENCRYPTION_* keys in the banner, rendered via the DS::Alert content block to match the log - drop the redundant respond_to?(:self_hosted?) guard in the initializer so it matches the controller check - add a managed-mode test asserting the banner is hidden
22 lines
961 B
Ruby
22 lines
961 B
Ruby
# frozen_string_literal: true
|
|
|
|
# Warn self-hosted operators when ActiveRecord Encryption is NOT configured.
|
|
#
|
|
# This emits a clear startup warning so plaintext-at-rest is never silent.
|
|
require Rails.root.join("lib/active_record_encryption_config").to_s
|
|
|
|
Rails.application.config.after_initialize do
|
|
app_mode = Rails.application.config.app_mode
|
|
if app_mode.self_hosted? && !ActiveRecordEncryptionConfig.explicitly_configured?
|
|
Rails.logger.warn(<<~WARN)
|
|
[SECURITY] ActiveRecord Encryption is NOT configured. Sensitive data
|
|
(API keys, provider/bank tokens, MFA secrets, and PII) are being stored
|
|
UNENCRYPTED at rest. To enable encryption, set the following keys in your Rails credentials or environment variables:
|
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
|
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
|
Generate a set with: bin/rails db:encryption:init
|
|
WARN
|
|
end
|
|
end
|