diff --git a/.env.development.local.template b/.env.development.local.template index bb2535f..52898b0 100644 --- a/.env.development.local.template +++ b/.env.development.local.template @@ -1,14 +1,23 @@ DATABASE_URL=postgres://localhost:5432/socialchange_development + DOMAIN_NAME=localhost DOMAIN_EMAIL_ADDRESS=email@example.com + SECRET_KEY= + EMAIL_SERVER_HOST=smtp.email-service.com EMAIL_SERVER_PORT=465 EMAIL_SERVER_USER=user@email-service.com EMAIL_SERVER_PASSWORD= + AWS_ENDPOINT_URL_S3= AWS_ACCESS_KEY_ID= AWS_SECRET_ACCESS_KEY= AWS_REGION= BUCKET_NAME= + BUGSNAG_API_KEY= + +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY= +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT= diff --git a/app/models/user.rb b/app/models/user.rb index bc3c470..8bfd413 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -3,6 +3,10 @@ class User < ApplicationRecord include Discard::Model + # Encrypt email attribute + # We use deterministic encryption to allow searching by email (esp when inviting) + encrypts :email, deterministic: true, downcase: true + has_and_belongs_to_many :roles has_many :stories, dependent: :destroy diff --git a/config/application.rb b/config/application.rb index 91172c4..9f89e7e 100644 --- a/config/application.rb +++ b/config/application.rb @@ -19,6 +19,20 @@ class Application < Rails::Application # config.time_zone = "Central Time (US & Canada)" # config.eager_load_paths << Rails.root.join("extras") + # Active Record Encryption configuration + config.active_record.encryption.primary_key = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"] + config.active_record.encryption.deterministic_key = ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"] + config.active_record.encryption.key_derivation_salt = ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"] + + # When true, queries referencing deterministically encrypted attributes + # will be modified to include additional values if needed. + # https://guides.rubyonrails.org/v7.0/active_record_encryption.html#config-active-record-encryption-extend-queries + config.active_record.encryption.extend_queries = true + + # Support unencrypted data to ease migration + # @todo - remove this once all data is encrypted and migrated + config.active_record.encryption.support_unencrypted_data = true + # https://guides.rubyonrails.org/configuring.html#configuring-i18n config.i18n.available_locales = %i[en nl] config.i18n.default_locale = :en diff --git a/db/migrate/20240316113449_encrypt_email_user_attribute.rb b/db/migrate/20240316113449_encrypt_email_user_attribute.rb new file mode 100644 index 0000000..c462c81 --- /dev/null +++ b/db/migrate/20240316113449_encrypt_email_user_attribute.rb @@ -0,0 +1,9 @@ +class EncryptEmailUserAttribute < ActiveRecord::Migration[7.1] + def up + User.all.find_each { |u| u.encrypt.save } + end + + def down + User.all.find_each { |u| u.decrypt.save } + end +end diff --git a/db/schema.rb b/db/schema.rb index 2b1dbdc..9c00823 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -10,7 +10,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema[7.1].define(version: 2024_02_21_150807) do +ActiveRecord::Schema[7.1].define(version: 2024_03_16_113449) do # These are extensions that must be enabled in order to support this database enable_extension "pg_trgm" enable_extension "plpgsql"