@realtimex/email-automator 2.28.0 → 2.28.2

package/api/server.ts

@@ -15,126 +15,7 @@ import { logger } from './src/utils/logger.js';
 import { getServerSupabase, getServiceRoleSupabase } from './src/services/supabase.js';
 import { startScheduler, stopScheduler } from './src/services/scheduler.js';
 import { setEncryptionKey, getEncryptionKeyHex } from './src/utils/encryption.js';
-
-// Initialize Persistence Encryption
-// NOTE: In RealTimeX Desktop sandbox, all config is stored in Supabase (no .env files)
-async function initializePersistenceEncryption() {
-    try {
-        const supabase = getServiceRoleSupabase();
-
-        if (!supabase) {
-            // BYOK mode: Supabase not configured at startup (credentials come via HTTP headers)
-            // Generate encryption key anyway and keep it in memory
-            logger.info('Supabase not configured yet (BYOK mode)');
-            logger.info('Generating encryption key in memory - will persist when Supabase becomes available');
-            const newKey = crypto.randomBytes(32).toString('hex');
-            setEncryptionKey(newKey);
-            logger.info('✓ Encryption key generated and loaded in memory');
-            return;
-        }
-
-        // 1. Check if ANY user has an encryption key stored
-        // In sandbox mode, encryption key is always in database
-        const { data: users, error } = await supabase
-            .from('user_settings')
-            .select('user_id, encryption_key')
-            .not('encryption_key', 'is', null)
-            .limit(1);
-
-        if (error) {
-            logger.warn('Failed to query user_settings for encryption key', { error });
-            // Still generate a key for in-memory use
-            const newKey = crypto.randomBytes(32).toString('hex');
-            setEncryptionKey(newKey);
-            logger.info('✓ Generated fallback encryption key due to DB error');
-            return;
-        }
-
-        if (users && users.length > 0 && users[0].encryption_key) {
-            // Found a persisted key in database
-            logger.info('✓ Loaded encryption key from database');
-            setEncryptionKey(users[0].encryption_key);
-            return;
-        }
-
-        // 2. No key in database - auto-generate and persist
-        // This happens on first run or after fresh database setup
-        logger.info('No encryption key found in database, generating new key...');
-        const newKey = crypto.randomBytes(32).toString('hex');
-        setEncryptionKey(newKey);
-
-        // 3. Persist to all existing users in database
-        const { data: allUsers } = await supabase
-            .from('user_settings')
-            .select('user_id')
-            .limit(100);
-
-        if (allUsers && allUsers.length > 0) {
-            logger.info(`Saving encryption key to database for ${allUsers.length} user(s)...`);
-
-            // Update all users with the new key
-            const updates = allUsers.map(user =>
-                supabase
-                    .from('user_settings')
-                    .update({ encryption_key: newKey })
-                    .eq('user_id', user.user_id)
-            );
-
-            await Promise.all(updates);
-            logger.info('✓ Encryption key saved to database');
-        } else {
-            logger.info('No users found yet, encryption key loaded in memory');
-            logger.info('Key will be persisted when users are created');
-        }
-
-    } catch (err) {
-        logger.error('Error initializing encryption:', err);
-        // Always ensure we have a key, even if there was an error
-        if (!getEncryptionKeyHex()) {
-            logger.warn('Generating emergency fallback encryption key');
-            const fallbackKey = crypto.randomBytes(32).toString('hex');
-            setEncryptionKey(fallbackKey);
-        }
-    }
-}
-
-// Periodic sync: Persist in-memory encryption key to users without one
-// This handles the "first user" case and any users created before key was persisted
-async function syncEncryptionKeyToUsers() {
-    try {
-        const supabase = getServiceRoleSupabase();
-        if (!supabase) return;
-
-        const currentKey = getEncryptionKeyHex();
-        if (!currentKey) return; // No key in memory yet
-
-        // Find users without encryption key
-        const { data: usersWithoutKey, error } = await supabase
-            .from('user_settings')
-            .select('user_id')
-            .is('encryption_key', null)
-            .limit(100);
-
-        if (error || !usersWithoutKey || usersWithoutKey.length === 0) {
-            return; // No users to update
-        }
-
-        logger.info(`Found ${usersWithoutKey.length} user(s) without encryption key, persisting...`);
-
-        // Update all users without a key
-        const updates = usersWithoutKey.map(user =>
-            supabase
-                .from('user_settings')
-                .update({ encryption_key: currentKey })
-                .eq('user_id', user.user_id)
-        );
-
-        await Promise.all(updates);
-        logger.info(`✓ Persisted encryption key to ${usersWithoutKey.length} user(s)`);
-    } catch (err) {
-        logger.warn('Error syncing encryption key to users:', { error: err });
-    }
-}
+import { initializePersistenceEncryption, syncEncryptionKeyToUsers } from './src/services/encryptionInit.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);

package/api/src/middleware/auth.ts

@@ -7,6 +7,7 @@ import { createLogger, Logger } from '../utils/logger.js';
 const logger = createLogger('AuthMiddleware');
 
 import { getServerSupabase, isValidUrl } from '../services/supabase.js';
+import { initializePersistenceEncryption, isEncryptionReady } from '../services/encryptionInit.js';
 
 // Extend Express Request to include user
 declare global {
@@ -82,6 +83,13 @@ export async function authMiddleware(
                 req.supabase = supabase;
                 // Initialize logger persistence for mock user
                 Logger.setPersistence(supabase, req.user.id);
+
+                // If encryption is not ready, try to initialize it now
+                if (!isEncryptionReady()) {
+                    initializePersistenceEncryption(supabase).catch(err => 
+                        logger.warn('Failed to initialize encryption in dev mode', { error: err.message })
+                    );
+                }
             } else {
                 throw new AuthenticationError('Supabase not configured. Please set up Supabase in the app or provide SUPABASE_URL/ANON_KEY in .env');
             }
@@ -118,6 +126,13 @@ export async function authMiddleware(
             throw new AuthenticationError('Invalid or expired token');
         }
 
+        // If encryption is not ready, initialize it now with the authenticated client
+        if (!isEncryptionReady()) {
+            initializePersistenceEncryption(supabase).catch(err => 
+                logger.warn('Failed to initialize encryption with authenticated client', { error: err.message })
+            );
+        }
+
         // Initialize logger persistence for this request
         Logger.setPersistence(supabase, user.id);
 

package/api/src/routes/auth.ts

@@ -7,7 +7,7 @@ import { getGmailService } from '../services/gmail.js';
 import { getMicrosoftService } from '../services/microsoft.js';
 import { getImapService } from '../services/imap-service.js';
 import { createLogger } from '../utils/logger.js';
-import { getEncryptionKeyHex, setEncryptionKey } from '../utils/encryption.js';
+import { initializePersistenceEncryption } from '../services/encryptionInit.js';
 
 const router = Router();
 const logger = createLogger('AuthRoutes');
@@ -24,53 +24,8 @@ router.post('/imap/connect',
             smtpHost, smtpPort, smtpSecure
         } = req.body;
 
-        // CRITICAL FIX: Sync encryption key between server memory and database
-        // In BYOK mode, database trigger generates key but server has random key in memory
-        // We need to sync them: prefer database key (persistent) over server key (ephemeral)
-        const { data: userSettings, error: fetchError } = await req.supabase!
-            .from('user_settings')
-            .select('encryption_key')
-            .eq('user_id', req.user!.id)
-            .single();
-
-        if (fetchError) {
-            logger.error('Failed to fetch user settings', { error: fetchError });
-            throw new ValidationError('Failed to load user settings. Please try again.');
-        }
-
-        const currentServerKey = getEncryptionKeyHex();
-        const databaseKey = userSettings?.encryption_key;
-
-        logger.info('Encryption key sync check', {
-            hasServerKey: !!currentServerKey,
-            hasDatabaseKey: !!databaseKey,
-            userId: req.user!.id
-        });
-
-        if (databaseKey) {
-            // Database has a key - use it (it's the source of truth)
-            if (currentServerKey !== databaseKey) {
-                logger.info('Loading encryption key from database (overriding server memory)');
-                setEncryptionKey(databaseKey);
-            }
-        } else if (currentServerKey) {
-            // Server has key but database doesn't - persist to database
-            logger.info('Database missing encryption key, persisting server key');
-            const { error: updateError } = await req.supabase!
-                .from('user_settings')
-                .update({ encryption_key: currentServerKey })
-                .eq('user_id', req.user!.id);
-
-            if (updateError) {
-                logger.error('Failed to persist encryption key', { error: updateError });
-                throw new ValidationError('Failed to initialize encryption. Please try again.');
-            }
-            logger.info('✓ Encryption key persisted to database');
-        } else {
-            // Neither server nor database has key - this should never happen with new trigger
-            logger.error('No encryption key found in server OR database!');
-            throw new ValidationError('Encryption not initialized. Please contact support.');
-        }
+        // Reconcile encryption key with database before saving credentials
+        await initializePersistenceEncryption(req.supabase);
 
         const imapService = getImapService();
         const imapConfig = {

package/api/src/services/encryptionInit.ts

@@ -0,0 +1,170 @@
+import crypto from 'crypto';
+import { setEncryptionKey, getEncryptionKeyHex } from '../utils/encryption.js';
+import { getServiceRoleSupabase } from './supabase.js';
+import { createLogger } from '../utils/logger.js';
+
+const logger = createLogger('EncryptionInit');
+
+let isEncryptionInitialized = false;
+
+/**
+ * Initialize encryption key from Supabase or generate a new one.
+ * In BYOK mode, this might be called multiple times as different Supabase clients become available.
+ * 
+ * @param providedSupabase Optional Supabase client (service role recommended)
+ */
+export async function initializePersistenceEncryption(providedSupabase?: any) {
+    try {
+        const supabase = providedSupabase || getServiceRoleSupabase();
+
+        if (!supabase) {
+            // BYOK mode: Supabase not configured at startup (credentials come via HTTP headers)
+            // If we don't have a key yet, generate a temporary one in memory
+            if (!getEncryptionKeyHex()) {
+                logger.info('Supabase not configured yet (BYOK mode) - using temporary key');
+                const newKey = crypto.randomBytes(32).toString('hex');
+                setEncryptionKey(newKey);
+            }
+            return;
+        }
+
+        // Check client type for logging
+        const isServiceRole = !!(supabase as any).supabaseServiceRoleKey || !(supabase as any).auth?.session;
+        const hasToken = !!(supabase as any).realtime?.accessToken; // Simple check for authenticated client
+        
+        if (!isServiceRole && !hasToken) {
+            logger.debug('Skipping encryption reconciliation with unauthenticated anon client');
+            return;
+        }
+
+        logger.info(`Reconciling encryption key with database (${isServiceRole ? 'Service Role' : 'Authenticated User'})`);
+
+        // 1. Check if ANY user has an encryption key stored
+        // In sandbox mode, encryption key is always in database
+        const { data: users, error } = await supabase
+            .from('user_settings')
+            .select('user_id, encryption_key')
+            .not('encryption_key', 'is', null)
+            .limit(1);
+
+        if (error) {
+            logger.warn('Failed to query user_settings for encryption key', { error });
+            // If no key in memory, generate one as fallback
+            if (!getEncryptionKeyHex()) {
+                const newKey = crypto.randomBytes(32).toString('hex');
+                setEncryptionKey(newKey);
+                logger.info('✓ Generated fallback encryption key due to DB error');
+            }
+            return;
+        }
+
+        if (users && users.length > 0 && users[0].encryption_key) {
+            // Found a persisted key in database
+            const dbKey = users[0].encryption_key;
+            const currentKey = getEncryptionKeyHex();
+
+            if (currentKey && currentKey !== dbKey) {
+                logger.warn('⚠️ In-memory encryption key differs from database. Overwriting with DB key to ensure consistency across instances.');
+            }
+
+            logger.info('✓ Loaded encryption key from database');
+            setEncryptionKey(dbKey);
+            isEncryptionInitialized = true;
+            return;
+        }
+
+        // 2. No key in database - only generate and persist if we are the "Master" (Service Role)
+        // or if we've explicitly decided this is a fresh setup.
+        if (isServiceRole) {
+            let finalKey = getEncryptionKeyHex();
+            if (!finalKey) {
+                logger.info('No encryption key found in database or memory, generating new key...');
+                finalKey = crypto.randomBytes(32).toString('hex');
+                setEncryptionKey(finalKey);
+            } else {
+                logger.info('Persisting in-memory encryption key to database...');
+            }
+
+            // 3. Persist to all existing users in database
+            const { data: allUsers } = await supabase
+                .from('user_settings')
+                .select('user_id')
+                .limit(100);
+
+            if (allUsers && allUsers.length > 0) {
+                logger.info(`Saving encryption key to database for ${allUsers.length} user(s)...`);
+
+                // Update all users with the new key
+                const updates = allUsers.map((user: any) =>
+                    supabase
+                        .from('user_settings')
+                        .update({ encryption_key: finalKey })
+                        .eq('user_id', user.user_id)
+                );
+
+                await Promise.all(updates);
+                logger.info('✓ Encryption key saved to database');
+                isEncryptionInitialized = true;
+            } else {
+                logger.info('No users found yet, encryption key loaded in memory');
+                logger.info('Key will be persisted when users are created');
+                // We don't set isEncryptionInitialized = true here because we still want 
+                // to try reconciling once a user is actually created/logged in
+            }
+        } else {
+            logger.warn('No encryption key found in database, but cannot persist one with user-restricted client.');
+        }
+    } catch (err) {
+        logger.error('Error initializing encryption:', err);
+        // Always ensure we have a key, even if there was an error
+        if (!getEncryptionKeyHex()) {
+            logger.warn('Generating emergency fallback encryption key');
+            const fallbackKey = crypto.randomBytes(32).toString('hex');
+            setEncryptionKey(fallbackKey);
+        }
+    }
+}
+
+/**
+ * Periodic sync: Persist in-memory encryption key to users without one
+ * This handles the "first user" case and any users created before key was persisted
+ */
+export async function syncEncryptionKeyToUsers() {
+    try {
+        const supabase = getServiceRoleSupabase();
+        if (!supabase) return;
+
+        const currentKey = getEncryptionKeyHex();
+        if (!currentKey) return; // No key in memory yet
+
+        // Find users without encryption key
+        const { data: usersWithoutKey, error } = await supabase
+            .from('user_settings')
+            .select('user_id')
+            .is('encryption_key', null)
+            .limit(100);
+
+        if (error || !usersWithoutKey || usersWithoutKey.length === 0) {
+            return; // No users to update
+        }
+
+        logger.info(`Found ${usersWithoutKey.length} user(s) without encryption key, persisting...`);
+
+        // Update all users without a key
+        const updates = usersWithoutKey.map((user: any) =>
+            supabase
+                .from('user_settings')
+                .update({ encryption_key: currentKey })
+                .eq('user_id', user.user_id)
+        );
+
+        await Promise.all(updates);
+        logger.info(`✓ Persisted encryption key to ${usersWithoutKey.length} user(s)`);
+    } catch (err) {
+        logger.warn('Error syncing encryption key to users:', { error: err });
+    }
+}
+
+export function isEncryptionReady() {
+    return isEncryptionInitialized;
+}