Encrypt git token

backend/internal/db/db.go

@@ -2,15 +2,19 @@ package db
 
 import (
 	"database/sql"
+	"fmt"
+
+	"novamd/internal/crypto"
 
 	_ "github.com/mattn/go-sqlite3"
 )
 
 type DB struct {
 	*sql.DB
+	crypto *crypto.Crypto
 }
 
-func Init(dbPath string) (*DB, error) {
+func Init(dbPath string, encryptionKey string) (*DB, error) {
 	db, err := sql.Open("sqlite3", dbPath)
 	if err != nil {
 		return nil, err
@@ -20,7 +24,17 @@ func Init(dbPath string) (*DB, error) {
 		return nil, err
 	}
 
-	database := &DB{db}
+	// Initialize crypto service
+	cryptoService, err := crypto.New(encryptionKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize encryption: %w", err)
+	}
+
+	database := &DB{
+		DB:     db,
+		crypto: cryptoService,
+	}
+
 	if err := database.Migrate(); err != nil {
 		return nil, err
 	}
@@ -31,3 +45,18 @@ func Init(dbPath string) (*DB, error) {
 func (db *DB) Close() error {
 	return db.DB.Close()
 }
+
+// Helper methods for token encryption/decryption
+func (db *DB) encryptToken(token string) (string, error) {
+	if token == "" {
+		return "", nil
+	}
+	return db.crypto.Encrypt(token)
+}
+
+func (db *DB) decryptToken(token string) (string, error) {
+	if token == "" {
+		return "", nil
+	}
+	return db.crypto.Decrypt(token)
+}

backend/internal/db/workspaces.go

@@ -2,6 +2,7 @@ package db
 
 import (
 	"database/sql"
+	"fmt"
 	"novamd/internal/models"
 )
 
@@ -11,6 +12,12 @@ func (db *DB) CreateWorkspace(workspace *models.Workspace) error {
 		workspace.GetDefaultSettings()
 	}
 
+	// Encrypt token if present
+	encryptedToken, err := db.encryptToken(workspace.GitToken)
+	if err != nil {
+		return fmt.Errorf("failed to encrypt token: %w", err)
+	}
+
 	result, err := db.Exec(`
 		INSERT INTO workspaces (
 			user_id, name, theme, auto_save, 
@@ -18,7 +25,7 @@ func (db *DB) CreateWorkspace(workspace *models.Workspace) error {
 			git_auto_commit, git_commit_msg_template
 		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
 		workspace.UserID, workspace.Name, workspace.Theme, workspace.AutoSave,
-		workspace.GitEnabled, workspace.GitURL, workspace.GitUser, workspace.GitToken,
+		workspace.GitEnabled, workspace.GitURL, workspace.GitUser, encryptedToken,
 		workspace.GitAutoCommit, workspace.GitCommitMsgTemplate,
 	)
 	if err != nil {
@@ -35,6 +42,8 @@ func (db *DB) CreateWorkspace(workspace *models.Workspace) error {
 
 func (db *DB) GetWorkspaceByID(id int) (*models.Workspace, error) {
 	workspace := &models.Workspace{}
+	var encryptedToken string
+
 	err := db.QueryRow(`
 		SELECT 
 			id, user_id, name, created_at, 
@@ -47,15 +56,57 @@ func (db *DB) GetWorkspaceByID(id int) (*models.Workspace, error) {
 	).Scan(
 		&workspace.ID, &workspace.UserID, &workspace.Name, &workspace.CreatedAt,
 		&workspace.Theme, &workspace.AutoSave,
-		&workspace.GitEnabled, &workspace.GitURL, &workspace.GitUser, &workspace.GitToken,
+		&workspace.GitEnabled, &workspace.GitURL, &workspace.GitUser, &encryptedToken,
 		&workspace.GitAutoCommit, &workspace.GitCommitMsgTemplate,
 	)
 	if err != nil {
 		return nil, err
 	}
+
+	// Decrypt token
+	workspace.GitToken, err = db.decryptToken(encryptedToken)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt token: %w", err)
+	}
+
 	return workspace, nil
 }
 
+func (db *DB) UpdateWorkspace(workspace *models.Workspace) error {
+	// Encrypt token before storing
+	encryptedToken, err := db.encryptToken(workspace.GitToken)
+	if err != nil {
+		return fmt.Errorf("failed to encrypt token: %w", err)
+	}
+
+	_, err = db.Exec(`
+		UPDATE workspaces 
+		SET 
+			name = ?,
+			theme = ?,
+			auto_save = ?,
+			git_enabled = ?,
+			git_url = ?,
+			git_user = ?,
+			git_token = ?,
+			git_auto_commit = ?,
+			git_commit_msg_template = ?
+		WHERE id = ? AND user_id = ?`,
+		workspace.Name,
+		workspace.Theme,
+		workspace.AutoSave,
+		workspace.GitEnabled,
+		workspace.GitURL,
+		workspace.GitUser,
+		encryptedToken,
+		workspace.GitAutoCommit,
+		workspace.GitCommitMsgTemplate,
+		workspace.ID,
+		workspace.UserID,
+	)
+	return err
+}
+
 func (db *DB) GetWorkspacesByUserID(userID int) ([]*models.Workspace, error) {
 	rows, err := db.Query(`
 		SELECT 
@@ -75,49 +126,28 @@ func (db *DB) GetWorkspacesByUserID(userID int) ([]*models.Workspace, error) {
 	var workspaces []*models.Workspace
 	for rows.Next() {
 		workspace := &models.Workspace{}
+		var encryptedToken string
 		err := rows.Scan(
 			&workspace.ID, &workspace.UserID, &workspace.Name, &workspace.CreatedAt,
 			&workspace.Theme, &workspace.AutoSave,
-			&workspace.GitEnabled, &workspace.GitURL, &workspace.GitUser, &workspace.GitToken,
+			&workspace.GitEnabled, &workspace.GitURL, &workspace.GitUser, &encryptedToken,
 			&workspace.GitAutoCommit, &workspace.GitCommitMsgTemplate,
 		)
 		if err != nil {
 			return nil, err
 		}
+
+		// Decrypt token
+		workspace.GitToken, err = db.decryptToken(encryptedToken)
+		if err != nil {
+			return nil, fmt.Errorf("failed to decrypt token: %w", err)
+		}
+
 		workspaces = append(workspaces, workspace)
 	}
 	return workspaces, nil
 }
 
-func (db *DB) UpdateWorkspace(workspace *models.Workspace) error {
-	_, err := db.Exec(`
-		UPDATE workspaces 
-		SET 
-			name = ?,
-			theme = ?,
-			auto_save = ?,
-			git_enabled = ?,
-			git_url = ?,
-			git_user = ?,
-			git_token = ?,
-			git_auto_commit = ?,
-			git_commit_msg_template = ?
-		WHERE id = ? AND user_id = ?`,
-		workspace.Name,
-		workspace.Theme,
-		workspace.AutoSave,
-		workspace.GitEnabled,
-		workspace.GitURL,
-		workspace.GitUser,
-		workspace.GitToken,
-		workspace.GitAutoCommit,
-		workspace.GitCommitMsgTemplate,
-		workspace.ID,
-		workspace.UserID,
-	)
-	return err
-}
-
 // UpdateWorkspaceSettings updates only the settings portion of a workspace
 // This is useful when you don't want to modify the name or other core workspace properties
 func (db *DB) UpdateWorkspaceSettings(workspace *models.Workspace) error {