jack/PocketVeto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d378f35cc5f9b278547d90e6113b652ed29c4ba4
PocketVeto/backend/app/core/crypto.py
Jack Levy 9633b4dcb8 feat: v1.0.0 — UX polish, security hardening, code quality 
UI/UX:
- Bill detail page tab UI (Analysis / Timeline / Votes / Notes)
- Topic tag pills on bill detail and listing pages — filtered to known
  topics, clickable, properly labelled via shared lib/topics.ts
- Notes panel always-open in Notes tab; sign-in prompt for guests
- Collapsible sidebar with icon-only mode and localStorage persistence
- Bills page defaults to has-text filter enabled
- Follow mode dropdown transparency fix
- Favicon (Landmark icon, blue background)

Security:
- Fernet encryption for ntfy passwords at rest (app/core/crypto.py)
- Separate ENCRYPTION_SECRET_KEY env var; falls back to JWT derivation
- ntfy_password no longer returned in GET response — replaced with
  ntfy_password_set: bool; NotificationSettingsUpdate type for writes
- JWT_SECRET_KEY fail-fast on startup if using default placeholder
- get_optional_user catches (JWTError, ValueError) only, not Exception

Bug fixes & code quality:
- Dashboard N+1 topic query replaced with single OR query
- notification_utils.py topic follower N+1 replaced with batch query
- Note query in bill detail page gated on token (enabled: !!token)
- search.py max_length=500 guard against oversized queries
- CollectionCreate.validate_name wired up with @field_validator
- LLM_RATE_LIMIT_RPM default raised from 10 to 50

Authored by: Jack Levy
2026-03-15 01:10:31 -04:00

45 lines
1.6 KiB
Python
Raw Blame History

"""Symmetric encryption for sensitive user prefs (e.g. ntfy password).
Key priority:
1. ENCRYPTION_SECRET_KEY env var (recommended — dedicated key, easily rotatable)
2. Derived from JWT_SECRET_KEY (fallback for existing installs)
Generate a dedicated key:
python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
"""
import base64
import hashlib
from cryptography.fernet import Fernet
_PREFIX = "enc:"
_fernet_instance: Fernet | None = None
def _fernet() -> Fernet:
global _fernet_instance
if _fernet_instance is None:
from app.config import settings
if settings.ENCRYPTION_SECRET_KEY:
# Use dedicated key directly (must be a valid 32-byte base64url key)
_fernet_instance = Fernet(settings.ENCRYPTION_SECRET_KEY.encode())
else:
# Fallback: derive from JWT secret
key_bytes = hashlib.sha256(settings.JWT_SECRET_KEY.encode()).digest()
_fernet_instance = Fernet(base64.urlsafe_b64encode(key_bytes))
return _fernet_instance
def encrypt_secret(plaintext: str) -> str:
"""Encrypt a string and return a prefixed ciphertext."""
if not plaintext:
return plaintext
return _PREFIX + _fernet().encrypt(plaintext.encode()).decode()
def decrypt_secret(value: str) -> str:
"""Decrypt a value produced by encrypt_secret. Returns plaintext as-is (legacy support)."""
if not value or not value.startswith(_PREFIX):
return value # legacy plaintext — return unchanged
return _fernet().decrypt(value[len(_PREFIX):].encode()).decode()
Reference in New Issue View Git Blame Copy Permalink