feat: database encryption

piotrpdev · piotrpdev · commit 781307552f62 · 2025-04-30T21:36:17.000+01:00
diff --git a/backend/Cargo.lock b/backend/Cargo.lock
diff --git a/backend/Cargo.toml b/backend/Cargo.toml
@@ -25,7 +25,8 @@ axum-login = "0.16.0"
 http = "1.0.0"
 password-auth = { version = "1.0.0", default-features = false, features = ["argon2"] }
 serde = "1.0.0"
-sqlx = { version = "0.8.1", default-features = false, features = ["json"] }
+sqlx = { version = "0.8.1", default-features = false, features = ["json", "sqlite"] }
+libsqlite3-sys = { version = "0.30.1", default-features = false, features = ["bundled-sqlcipher"] }
 time = { version = "0.3.30", default-features = false }
 tokio = { workspace = true }
 futures-util = { workspace = true }
diff --git a/backend/src/web/app.rs b/backend/src/web/app.rs
@@ -60,7 +60,8 @@ use super::{ImageContainer, MdnsChannelMessage};
 // TODO: Maybe use `std::future::pending::<()>();` instead of sleeping forever
 
 // TODO: Change default admin and guest hashes, remember to search and update where they're hardcoded
-const SQLITE_URL: &str = "sqlite://data.db";
+const SQLITE_PROD_URL: &str = "sqlite://oko.db";
+const SQLITE_DEV_URL: &str = "sqlite://data.db";
 const VIDEO_PATH: &str = "./videos/";
 const DEFAULT_ADMIN_USERNAME: &str = "admin";
 const DEFAULT_ADMIN_PASS_HASH: &str = "$argon2id$v=19$m=19456,t=2,p=1$VE0e3g7DalWHgDwou3nuRA$uC6TER156UQpk0lNQ5+jHM0l5poVjPA1he/Tyn9J4Zw";
@@ -94,10 +95,25 @@ pub struct App {
 }
 
 impl App {
+    #[allow(clippy::cognitive_complexity)]
     #[allow(clippy::similar_names)]
     pub async fn new() -> Result<Self, Box<dyn std::error::Error + Send + Sync>> {
-        let sqlite_connect_options =
-            SqliteConnectOptions::from_str(SQLITE_URL)?.create_if_missing(true);
+        let sqlite_connect_options = if cfg!(debug_assertions) {
+            SqliteConnectOptions::from_str(SQLITE_DEV_URL)?.create_if_missing(true)
+        } else {
+            let Ok(password) = std::env::var("OKO_DB_PASSWORD") else {
+                error!("No password provided for database. Please provide a password using the OKO_DB_PASSWORD environment variable.");
+                return Err("No password provided for database. Please provide a password using the OKO_DB_PASSWORD environment variable.".into());
+            };
+
+            SqliteConnectOptions::from_str(SQLITE_PROD_URL)?
+                .create_if_missing(true)
+                .pragma("key", password)
+                .pragma("cipher_page_size", "1024")
+                .pragma("kdf_iter", "64000")
+                .pragma("cipher_hmac_algorithm", "HMAC_SHA1")
+                .pragma("cipher_kdf_algorithm", "PBKDF2_HMAC_SHA1")
+        };
 
         let db = SqlitePool::connect_with(sqlite_connect_options).await?;
 
