4d8e1eb352
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
- Add internal/crypto package: AES-256-GCM encrypt/decrypt with migration passthrough for existing plain-text records (no "enc:" prefix = plain text) - Store.NewStoreWithCipher injects cipher; SaveToken/UpdateLocationConfig encrypt cast_api_key before write; GetToken/ListTokens decrypt on read - Add CREDENTIALS_ENCRYPTION_KEY env var (64-hex / 32-byte); warns if unset - Add MongoDB authentication: MONGO_ROOT_USERNAME / MONGO_ROOT_PASSWORD via docker-compose MONGO_INITDB_ROOT_USERNAME/PASSWORD; MONGO_URI now requires credentials in .env.example - Update .env.example with generation instructions for all secrets Co-Authored-By: SideKx <sidekx.ai@sds.dev>
76 lines
2.4 KiB
Go
76 lines
2.4 KiB
Go
package config
|
|
|
|
import (
|
|
"fmt"
|
|
"log/slog"
|
|
"os"
|
|
"strings"
|
|
)
|
|
|
|
type Config struct {
|
|
Port string
|
|
BaseURL string
|
|
GHLClientID string
|
|
GHLClientSecret string
|
|
GHLWebhookPublicKey string
|
|
GHLConversationProviderID string
|
|
CastAPIKey string
|
|
CastAPIURL string
|
|
CastSenderID string
|
|
MongoURI string
|
|
InboundAPIKey string
|
|
// CredentialsEncryptionKey is a 64-hex-char (32-byte) AES-256 key used to
|
|
// encrypt per-location Cast API keys at rest in MongoDB.
|
|
// Optional: if unset, keys are stored in plain text (not recommended for production).
|
|
CredentialsEncryptionKey string
|
|
}
|
|
|
|
func Load() (*Config, error) {
|
|
c := &Config{
|
|
Port: getEnvDefault("PORT", "3002"),
|
|
BaseURL: os.Getenv("BASE_URL"),
|
|
GHLClientID: os.Getenv("GHL_CLIENT_ID"),
|
|
GHLClientSecret: os.Getenv("GHL_CLIENT_SECRET"),
|
|
GHLWebhookPublicKey: os.Getenv("GHL_WEBHOOK_PUBLIC_KEY"),
|
|
GHLConversationProviderID: os.Getenv("GHL_CONVERSATION_PROVIDER_ID"),
|
|
CastAPIKey: os.Getenv("CAST_API_KEY"),
|
|
CastAPIURL: getEnvDefault("CAST_API_URL", "https://api.cast.ph"),
|
|
CastSenderID: os.Getenv("CAST_SENDER_ID"),
|
|
MongoURI: os.Getenv("MONGO_URI"),
|
|
InboundAPIKey: os.Getenv("INBOUND_API_KEY"),
|
|
CredentialsEncryptionKey: os.Getenv("CREDENTIALS_ENCRYPTION_KEY"),
|
|
}
|
|
|
|
var missing []string
|
|
required := map[string]string{
|
|
"BASE_URL": c.BaseURL,
|
|
"GHL_CLIENT_ID": c.GHLClientID,
|
|
"GHL_CLIENT_SECRET": c.GHLClientSecret,
|
|
"GHL_WEBHOOK_PUBLIC_KEY": c.GHLWebhookPublicKey,
|
|
"GHL_CONVERSATION_PROVIDER_ID": c.GHLConversationProviderID,
|
|
"CAST_API_KEY": c.CastAPIKey,
|
|
"MONGO_URI": c.MongoURI,
|
|
}
|
|
for key, val := range required {
|
|
if val == "" {
|
|
missing = append(missing, key)
|
|
}
|
|
}
|
|
if len(missing) > 0 {
|
|
return nil, fmt.Errorf("missing required environment variables: %s", strings.Join(missing, ", "))
|
|
}
|
|
|
|
if c.CredentialsEncryptionKey == "" {
|
|
slog.Warn("CREDENTIALS_ENCRYPTION_KEY is not set — per-location Cast API keys will be stored in plain text")
|
|
}
|
|
|
|
return c, nil
|
|
}
|
|
|
|
func getEnvDefault(key, def string) string {
|
|
if v := os.Getenv(key); v != "" {
|
|
return v
|
|
}
|
|
return def
|
|
}
|