[All] Encrypt SignedInUser blobs in previous-users store

PreviousUsersUtils persists a JSON SignedInUser per known account in a
plain SharedPreferences file. The blob includes token, accessToken,
refreshToken, and clientSecret, so simply encrypting ApiPrefs left
those credentials in plaintext at rest as soon as the user had ever
signed in. Wrap the JSON with the Keystore AES-GCM codec on write,
unwrap on read, and lazy-migrate any legacy plaintext entries the
first time get() loads them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hermannakos

libs/login-api-2/src/main/java/com/instructure/loginapi/login/util/PreviousUsersUtils.kt

@@ -21,6 +21,7 @@ import com.google.gson.Gson
 import com.instructure.canvasapi2.managers.OAuthManager
 import com.instructure.canvasapi2.models.User
 import com.instructure.canvasapi2.utils.ApiPrefs
+import com.instructure.canvasapi2.utils.SecureCredentialCodec
 import com.instructure.loginapi.login.model.SignedInUser
 
 object PreviousUsersUtils {
@@ -33,21 +34,33 @@ object PreviousUsersUtils {
         val signedInUsers = ArrayList<SignedInUser>()
 
         val sharedPreferences = context.getSharedPreferences(SIGNED_IN_USERS_PREF_NAME, Context.MODE_PRIVATE)
-        val keys = sharedPreferences.all
-        for ((_, value) in keys) {
-            var signedInUser: SignedInUser? = null
+        val migrationEditor = sharedPreferences.edit()
+        var migrated = false
 
-            try {
-                signedInUser = Gson().fromJson(value.toString(), SignedInUser::class.java)
+        for ((key, value) in sharedPreferences.all) {
+            val raw = value?.toString() ?: continue
+            val isEncrypted = raw.startsWith(SecureCredentialCodec.ENCRYPTED_PREFIX)
+            val json = if (isEncrypted) SecureCredentialCodec.decrypt(raw) ?: continue else raw
+
+            val signedInUser = try {
+                Gson().fromJson(json, SignedInUser::class.java)
             } catch (ignore: Exception) {
-                //Do Nothing
+                null
             }
 
             if (signedInUser != null) {
                 signedInUsers.add(signedInUser)
+                if (!isEncrypted) {
+                    SecureCredentialCodec.encrypt(json)?.let {
+                        migrationEditor.putString(key, it)
+                        migrated = true
+                    }
+                }
             }
         }
 
+        if (migrated) migrationEditor.apply()
+
         //Sort by last signed in date.
         signedInUsers.sort()
         return signedInUsers
@@ -90,17 +103,21 @@ object PreviousUsersUtils {
     ): Boolean {
 
         val signedInUserJSON = Gson().toJson(signedInUser)
+        val storedValue = SecureCredentialCodec.encrypt(signedInUserJSON) ?: signedInUserJSON
 
         //Save Signed In User to sharedPreferences
         val sharedPreferences = context.getSharedPreferences(SIGNED_IN_USERS_PREF_NAME, Context.MODE_PRIVATE)
         val editor = sharedPreferences.edit()
-        editor.putString(getGlobalUserId(domain, user), signedInUserJSON)
+        editor.putString(getGlobalUserId(domain, user), storedValue)
         return editor.commit()
     }
 
     fun getSignedInUser(context: Context, domain: String, userId: Long): SignedInUser? {
         val prefs = context.getSharedPreferences(SIGNED_IN_USERS_PREF_NAME, Context.MODE_PRIVATE)
-        val userJson = prefs.getString(getGlobalUserId(domain, userId), null)
+        val raw = prefs.getString(getGlobalUserId(domain, userId), null) ?: return null
+        val userJson = if (raw.startsWith(SecureCredentialCodec.ENCRYPTED_PREFIX)) {
+            SecureCredentialCodec.decrypt(raw) ?: return null
+        } else raw
         return try {
             Gson().fromJson(userJson, SignedInUser::class.java)
         } catch (e: Exception) {