fix: enforce encryption of client secret

cemalkilic · cemalkilic · commit 3a6933e4e584 · 2026-02-05T20:48:29.000+07:00
diff --git a/internal/models/custom_oauth_provider.go b/internal/models/custom_oauth_provider.go
@@ -79,13 +79,10 @@ func (p CustomOAuthProvider) TableName() string {
 }
 
 // SetClientSecret encrypts and stores the client secret using the configured
-// database encryption settings. If encryption is disabled, the secret is
-// stored in plaintext (temporary fallback for now)
+// database encryption settings. Encryption must be enabled to store client secrets.
 func (p *CustomOAuthProvider) SetClientSecret(secret string, dbEncryption conf.DatabaseEncryptionConfiguration) error {
 	if !dbEncryption.Encrypt {
-		// Fallback: store in plaintext when encryption is not enabled.
-		p.ClientSecret = secret
-		return nil
+		return errors.New("database encryption must be enabled to store custom OAuth provider client secrets")
 	}
 
 	if dbEncryption.EncryptionKeyID == "" || dbEncryption.EncryptionKey == "" {

Original file line number	Diff line number	Diff line change
`@@ -79,13 +79,10 @@ func (p CustomOAuthProvider) TableName() string {`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`// SetClientSecret encrypts and stores the client secret using the configured`
`82`		`-// database encryption settings. If encryption is disabled, the secret is`
`83`		`-// stored in plaintext (temporary fallback for now)`
	`82`	`+// database encryption settings. Encryption must be enabled to store client secrets.`
`84`	`83`	`func (p *CustomOAuthProvider) SetClientSecret(secret string, dbEncryption conf.DatabaseEncryptionConfiguration) error {`
`85`	`84`	`if !dbEncryption.Encrypt {`
`86`		`- // Fallback: store in plaintext when encryption is not enabled.`
`87`		`- p.ClientSecret = secret`
`88`		`- return nil`
	`85`	`+ return errors.New("database encryption must be enabled to store custom OAuth provider client secrets")`
`89`	`86`	`}`
`90`	`87`
`91`	`88`	`if dbEncryption.EncryptionKeyID == "" \|\| dbEncryption.EncryptionKey == "" {`