[TASK] Add api key encryption

Author: o-ba

Classes/Backend/FormDataProvider/DecryptApiKey.php

@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of TYPO3 CMS-based extension "aim" by b13.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ */
+
+namespace B13\Aim\Backend\FormDataProvider;
+
+use B13\Aim\Crypto\ApiKeyEncryption;
+use TYPO3\CMS\Backend\Form\FormDataProviderInterface;
+
+/**
+ * Decrypts the api_key value before it is rendered in the backend form.
+ *
+ * Admins editing a tx_aim_configuration record see the plaintext key and
+ * can verify or replace it. On submit, the DataHandler hook encrypts the
+ * value again. If the admin re-saves the record without touching api_key,
+ * the form re-sends plaintext, which the hook re-encrypts — the value on
+ * disk stays encrypted throughout.
+ */
+final class DecryptApiKey implements FormDataProviderInterface
+{
+    public function __construct(private readonly ApiKeyEncryption $encryption) {}
+
+    public function addData(array $result): array
+    {
+        if (($result['tableName'] ?? '') !== 'tx_aim_configuration') {
+            return $result;
+        }
+
+        $value = (string)($result['databaseRow']['api_key'] ?? '');
+        if ($value === '' || !$this->encryption->isEncrypted($value)) {
+            return $result;
+        }
+
+        $result['databaseRow']['api_key'] = $this->encryption->decrypt($value);
+        return $result;
+    }
+}

Classes/Crypto/ApiKeyEncryption.php

@@ -0,0 +1,166 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of TYPO3 CMS-based extension "aim" by b13.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ */
+
+namespace B13\Aim\Crypto;
+
+use B13\Aim\Exception\ApiKeyEncryptionException;
+use TYPO3\CMS\Core\Crypto\Cipher\CipherDecryptionFailedException;
+use TYPO3\CMS\Core\Crypto\Cipher\CipherException;
+use TYPO3\CMS\Core\Crypto\Cipher\CipherService;
+use TYPO3\CMS\Core\Crypto\Cipher\CipherValue;
+use TYPO3\CMS\Core\Crypto\Cipher\KeyFactory;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+
+/**
+ * Encrypts and decrypts AiM provider API keys stored in the database.
+ *
+ * On TYPO3 v14+ this delegates to the core CipherService (XChaCha20-Poly1305
+ * AEAD, key derived via sodium_crypto_kdf_derive_from_key from SYS/encryptionKey).
+ * On v12/v13 — where CipherService does not exist yet — we use a libsodium
+ * secretbox implementation (XSalsa20-Poly1305) with the same SYS/encryptionKey
+ * as input, derived through sodium_crypto_generichash.
+ *
+ * Wire format selects the path on decrypt:
+ *   aim:enc:v1: ... — local secretbox payload (used on v12/v13)
+ *   aim:enc:v2: ... — TYPO3 CipherService payload (used on v14+)
+ *
+ * Values without either prefix are treated as legacy plaintext and returned
+ * unchanged, so the upgrade wizard can migrate them in-place.
+ */
+final class ApiKeyEncryption
+{
+    public const PREFIX_V1 = 'aim:enc:v1:';
+    public const PREFIX_V2 = 'aim:enc:v2:';
+    public const PREFIX_ANY = 'aim:enc:';
+
+    private const KEY_DOMAIN = 'aim:apikey:v1';
+
+    public function encrypt(string $plaintext): string
+    {
+        if ($plaintext === '' || $this->isEncrypted($plaintext) || $this->isEndpointUrl($plaintext)) {
+            return $plaintext;
+        }
+
+        if ($this->coreCipherAvailable()) {
+            return self::PREFIX_V2 . $this->encryptViaCore($plaintext);
+        }
+        return self::PREFIX_V1 . $this->encryptViaSecretbox($plaintext);
+    }
+
+    /**
+     * The api_key column doubles as an endpoint URL for providers that
+     * expose a local HTTP service (Ollama, LM Studio, OpenAI-compatible
+     * proxies). Those values aren't secrets and shouldn't be encrypted.
+     */
+    public function isEndpointUrl(string $value): bool
+    {
+        return str_starts_with($value, 'http://') || str_starts_with($value, 'https://');
+    }
+
+    public function decrypt(string $value): string
+    {
+        if ($value === '') {
+            return $value;
+        }
+        if (str_starts_with($value, self::PREFIX_V2)) {
+            return $this->decryptViaCore(substr($value, strlen(self::PREFIX_V2)));
+        }
+        if (str_starts_with($value, self::PREFIX_V1)) {
+            return $this->decryptViaSecretbox(substr($value, strlen(self::PREFIX_V1)));
+        }
+        return $value;
+    }
+
+    public function isEncrypted(string $value): bool
+    {
+        return str_starts_with($value, self::PREFIX_ANY);
+    }
+
+    private function coreCipherAvailable(): bool
+    {
+        return class_exists(CipherService::class) && class_exists(KeyFactory::class);
+    }
+
+    private function encryptViaCore(string $plaintext): string
+    {
+        $keyFactory = GeneralUtility::makeInstance(KeyFactory::class);
+        $cipher = GeneralUtility::makeInstance(CipherService::class);
+        $sharedKey = $keyFactory->deriveSharedKeyFromEncryptionKey(self::class);
+        return $cipher->encrypt($plaintext, $sharedKey)->encode();
+    }
+
+    private function decryptViaCore(string $payload): string
+    {
+        try {
+            $keyFactory = GeneralUtility::makeInstance(KeyFactory::class);
+            $cipher = GeneralUtility::makeInstance(CipherService::class);
+            $sharedKey = $keyFactory->deriveSharedKeyFromEncryptionKey(self::class);
+            return $cipher->decrypt(CipherValue::fromSerialized($payload), $sharedKey);
+        } catch (CipherDecryptionFailedException | CipherException $e) {
+            throw new ApiKeyEncryptionException(
+                'AiM API key could not be decrypted via core CipherService: ' . $e->getMessage(),
+                1773874410,
+                $e,
+            );
+        }
+    }
+
+    private function encryptViaSecretbox(string $plaintext): string
+    {
+        $key = $this->deriveSecretboxKey();
+        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+        $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
+        sodium_memzero($key);
+
+        return base64_encode($nonce . $ciphertext);
+    }
+
+    private function decryptViaSecretbox(string $payload): string
+    {
+        $bytes = base64_decode($payload, true);
+        if ($bytes === false || strlen($bytes) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
+            throw new ApiKeyEncryptionException('AiM API key ciphertext is malformed.', 1773874400);
+        }
+
+        $nonce = substr($bytes, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+        $ciphertext = substr($bytes, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+        $key = $this->deriveSecretboxKey();
+        $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
+        sodium_memzero($key);
+
+        if ($plaintext === false) {
+            throw new ApiKeyEncryptionException(
+                'AiM API key could not be decrypted. The system encryption key may have changed.',
+                1773874401,
+            );
+        }
+
+        return $plaintext;
+    }
+
+    private function deriveSecretboxKey(): string
+    {
+        $systemKey = (string)($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] ?? '');
+        if ($systemKey === '') {
+            throw new ApiKeyEncryptionException(
+                'AiM API key encryption requires $GLOBALS[\'TYPO3_CONF_VARS\'][\'SYS\'][\'encryptionKey\'] to be set.',
+                1773874402,
+            );
+        }
+
+        return sodium_crypto_generichash(
+            self::KEY_DOMAIN . "\0" . $systemKey,
+            '',
+            SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
+        );
+    }
+}

Classes/DependencyInjection/SymfonyAiCompilerPass.php

@@ -195,7 +195,7 @@ private function resolveNamespace(string $packageName): ?string
     private function buildBridgeDefinition(array $package): ?array
     {
         $namespace = $package['namespace'];
-        $factoryClass = $namespace . '\\PlatformFactory';
+        $factoryClass = $namespace . '\\Factory';
 
         if (!class_exists($factoryClass)) {
             return null;
@@ -397,15 +397,15 @@ private function deriveName(string $packageName): string
     }
 
     /**
-     * Detect the primary authentication parameter of a PlatformFactory::create() method.
+     * Detect the primary authentication parameter of a Factory::createProvider() method.
      *
      * Most bridges use `apiKey`. Some (Ollama, LM Studio) use `endpoint`.
      * We check the first parameter name via reflection.
      */
     private function detectFactoryParam(string $factoryClass): string
     {
         try {
-            $method = new \ReflectionMethod($factoryClass, 'create');
+            $method = new \ReflectionMethod($factoryClass, 'createProvider');
             foreach ($method->getParameters() as $param) {
                 $name = $param->getName();
                 if ($name === 'endpoint' || $name === 'hostUrl' || $name === 'baseUrl') {

Classes/Domain/Repository/ProviderConfigurationRepository.php

@@ -12,6 +12,7 @@
 
 namespace B13\Aim\Domain\Repository;
 
+use B13\Aim\Crypto\ApiKeyEncryption;
 use B13\Aim\Domain\Model\ProviderConfiguration;
 use B13\Aim\Domain\Model\ProviderConfigurationFactory;
 use TYPO3\CMS\Core\Database\Connection;
@@ -26,6 +27,7 @@ class ProviderConfigurationRepository
 
     public function __construct(
         private readonly ConnectionPool $connectionPool,
+        private readonly ApiKeyEncryption $encryption,
     ) {}
 
     public function findByUid(int $uid): ?ProviderConfiguration
@@ -188,6 +190,9 @@ protected function map(array $rows): array
 
     protected function mapSingleRow(array $row): ProviderConfiguration
     {
+        if (isset($row['api_key']) && $row['api_key'] !== '') {
+            $row['api_key'] = $this->encryption->decrypt((string)$row['api_key']);
+        }
         return ProviderConfigurationFactory::fromRow($row);
     }
 

Classes/Exception/ApiKeyEncryptionException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of TYPO3 CMS-based extension "aim" by b13.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ */
+
+namespace B13\Aim\Exception;
+
+/**
+ * Thrown when an AiM API key cannot be encrypted or decrypted.
+ */
+final class ApiKeyEncryptionException extends \RuntimeException {}

Classes/Hooks/EncryptApiKey.php

@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of TYPO3 CMS-based extension "aim" by b13.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ */
+
+namespace B13\Aim\Hooks;
+
+use B13\Aim\Crypto\ApiKeyEncryption;
+use TYPO3\CMS\Core\DataHandling\DataHandler;
+
+/**
+ * Encrypts AiM provider API keys before they are written to the database.
+ *
+ * Runs in processDatamap_postProcessFieldArray so the encrypted value is
+ * what DataHandler persists. Idempotent: already-encrypted values pass
+ * through unchanged, which means re-saving an unchanged row does not
+ * double-encrypt the value.
+ */
+final class EncryptApiKey
+{
+    private const TABLE = 'tx_aim_configuration';
+
+    public function __construct(private readonly ApiKeyEncryption $encryption) {}
+
+    public function processDatamap_postProcessFieldArray(
+        string $status,
+        string $table,
+        $id,
+        array &$fieldArray,
+        DataHandler $dataHandler,
+    ): void {
+        if ($table !== self::TABLE || !array_key_exists('api_key', $fieldArray)) {
+            return;
+        }
+
+        $value = (string)$fieldArray['api_key'];
+        if ($value === '') {
+            return;
+        }
+
+        $fieldArray['api_key'] = $this->encryption->encrypt($value);
+    }
+}

Classes/Provider/SymfonyAi/SymfonyAiPlatformAdapter.php

@@ -37,7 +37,7 @@
 use Symfony\AI\Platform\Message\Content\Image;
 use Symfony\AI\Platform\Message\Message;
 use Symfony\AI\Platform\Message\MessageBag;
-use Symfony\AI\Platform\PlatformInterface;
+use Symfony\AI\Platform\ProviderInterface;
 use Symfony\AI\Platform\TokenUsage\TokenUsageInterface;
 
 /**
@@ -61,13 +61,13 @@ class SymfonyAiPlatformAdapter implements
     ToolCallingCapableInterface,
     EmbeddingCapableInterface
 {
-    /** @var array<string, PlatformInterface> Platforms cached by configuration key */
+    /** @var array<string, ProviderInterface> Providers cached by configuration key */
     private array $platforms = [];
 
     private readonly string $maxTokensKey;
 
     /**
-     * @param string $factoryClass Fully-qualified class name of the bridge's PlatformFactory
+     * @param string $factoryClass Fully-qualified class name of the bridge's Factory
      * @param string $factoryParam Name of the factory parameter to pass the config value to ('apiKey' or 'endpoint')
      */
     public function __construct(
@@ -237,16 +237,16 @@ public function processEmbeddingRequest(EmbeddingRequest $request): EmbeddingRes
     }
 
     /**
-     * Lazily create and cache a Platform instance per provider configuration.
+     * Lazily create and cache a Provider instance per provider configuration.
      */
-    private function getPlatform(ProviderConfiguration $config): PlatformInterface
+    private function getPlatform(ProviderConfiguration $config): ProviderInterface
     {
         $cacheKey = $config->uid > 0 ? (string)$config->uid : md5($config->apiKey . $config->model);
         if (!isset($this->platforms[$cacheKey])) {
             $factoryClass = $this->factoryClass;
             $this->platforms[$cacheKey] = match ($this->factoryParam) {
-                'endpoint' => $factoryClass::create(endpoint: $config->apiKey),
-                default => $factoryClass::create(apiKey: $config->apiKey),
+                'endpoint' => $factoryClass::createProvider(endpoint: $config->apiKey),
+                default => $factoryClass::createProvider(apiKey: $config->apiKey),
             };
         }
         return $this->platforms[$cacheKey];