@realtimex/email-automator 2.28.1 → 2.28.2

package/api/src/middleware/auth.ts

@@ -57,20 +57,6 @@ export async function authMiddleware(
         const supabaseUrl = isEnvUrlValid ? envUrl : (headerConfig?.url || '');
         const supabaseAnonKey = isEnvKeyValid ? envKey : (headerConfig?.anonKey || '');
 
-        // If encryption is not ready, try to initialize it using available Supabase config
-        if (!isEncryptionReady() && supabaseUrl && supabaseAnonKey) {
-            // Note: Ideally we use service role to read encryption_key from user_settings,
-            // but even with anon key it might work if RLS allows or if we just use it 
-            // to check for existence of keys.
-            const initClient = createClient(supabaseUrl, supabaseAnonKey, {
-                auth: { autoRefreshToken: false, persistSession: false },
-            });
-            // Run in background to not block auth
-            initializePersistenceEncryption(initClient).catch(err => 
-                logger.warn('Failed to initialize encryption in auth middleware', { error: err.message })
-            );
-        }
-
         // Development bypass: skip auth if DISABLE_AUTH=true in non-production
         if (config.security.disableAuth && !config.isProduction) {
             logger.warn('Auth disabled for development - creating mock user');
@@ -97,6 +83,13 @@ export async function authMiddleware(
                 req.supabase = supabase;
                 // Initialize logger persistence for mock user
                 Logger.setPersistence(supabase, req.user.id);
+
+                // If encryption is not ready, try to initialize it now
+                if (!isEncryptionReady()) {
+                    initializePersistenceEncryption(supabase).catch(err => 
+                        logger.warn('Failed to initialize encryption in dev mode', { error: err.message })
+                    );
+                }
             } else {
                 throw new AuthenticationError('Supabase not configured. Please set up Supabase in the app or provide SUPABASE_URL/ANON_KEY in .env');
             }
@@ -133,6 +126,13 @@ export async function authMiddleware(
             throw new AuthenticationError('Invalid or expired token');
         }
 
+        // If encryption is not ready, initialize it now with the authenticated client
+        if (!isEncryptionReady()) {
+            initializePersistenceEncryption(supabase).catch(err => 
+                logger.warn('Failed to initialize encryption with authenticated client', { error: err.message })
+            );
+        }
+
         // Initialize logger persistence for this request
         Logger.setPersistence(supabase, user.id);
 

package/api/src/services/encryptionInit.ts

@@ -21,15 +21,24 @@ export async function initializePersistenceEncryption(providedSupabase?: any) {
             // BYOK mode: Supabase not configured at startup (credentials come via HTTP headers)
             // If we don't have a key yet, generate a temporary one in memory
             if (!getEncryptionKeyHex()) {
-                logger.info('Supabase not configured yet (BYOK mode)');
-                logger.info('Generating temporary encryption key in memory - will be reconciled when Supabase becomes available');
+                logger.info('Supabase not configured yet (BYOK mode) - using temporary key');
                 const newKey = crypto.randomBytes(32).toString('hex');
                 setEncryptionKey(newKey);
-                logger.info('✓ Temporary encryption key generated and loaded in memory');
             }
             return;
         }
 
+        // Check client type for logging
+        const isServiceRole = !!(supabase as any).supabaseServiceRoleKey || !(supabase as any).auth?.session;
+        const hasToken = !!(supabase as any).realtime?.accessToken; // Simple check for authenticated client
+        
+        if (!isServiceRole && !hasToken) {
+            logger.debug('Skipping encryption reconciliation with unauthenticated anon client');
+            return;
+        }
+
+        logger.info(`Reconciling encryption key with database (${isServiceRole ? 'Service Role' : 'Authenticated User'})`);
+
         // 1. Check if ANY user has an encryption key stored
         // In sandbox mode, encryption key is always in database
         const { data: users, error } = await supabase
@@ -64,42 +73,47 @@ export async function initializePersistenceEncryption(providedSupabase?: any) {
             return;
         }
 
-        // 2. No key in database - use in-memory key or generate and persist
-        // This happens on first run or after fresh database setup
-        let finalKey = getEncryptionKeyHex();
-        if (!finalKey) {
-            logger.info('No encryption key found in database or memory, generating new key...');
-            finalKey = crypto.randomBytes(32).toString('hex');
-            setEncryptionKey(finalKey);
-        } else {
-            logger.info('Persisting in-memory encryption key to new Supabase instance...');
-        }
-
-        // 3. Persist to all existing users in database
-        const { data: allUsers } = await supabase
-            .from('user_settings')
-            .select('user_id')
-            .limit(100);
-
-        if (allUsers && allUsers.length > 0) {
-            logger.info(`Saving encryption key to database for ${allUsers.length} user(s)...`);
-
-            // Update all users with the new key
-            const updates = allUsers.map((user: any) =>
-                supabase
-                    .from('user_settings')
-                    .update({ encryption_key: finalKey })
-                    .eq('user_id', user.user_id)
-            );
+        // 2. No key in database - only generate and persist if we are the "Master" (Service Role)
+        // or if we've explicitly decided this is a fresh setup.
+        if (isServiceRole) {
+            let finalKey = getEncryptionKeyHex();
+            if (!finalKey) {
+                logger.info('No encryption key found in database or memory, generating new key...');
+                finalKey = crypto.randomBytes(32).toString('hex');
+                setEncryptionKey(finalKey);
+            } else {
+                logger.info('Persisting in-memory encryption key to database...');
+            }
 
-            await Promise.all(updates);
-            logger.info('✓ Encryption key saved to database');
+            // 3. Persist to all existing users in database
+            const { data: allUsers } = await supabase
+                .from('user_settings')
+                .select('user_id')
+                .limit(100);
+
+            if (allUsers && allUsers.length > 0) {
+                logger.info(`Saving encryption key to database for ${allUsers.length} user(s)...`);
+
+                // Update all users with the new key
+                const updates = allUsers.map((user: any) =>
+                    supabase
+                        .from('user_settings')
+                        .update({ encryption_key: finalKey })
+                        .eq('user_id', user.user_id)
+                );
+
+                await Promise.all(updates);
+                logger.info('✓ Encryption key saved to database');
+                isEncryptionInitialized = true;
+            } else {
+                logger.info('No users found yet, encryption key loaded in memory');
+                logger.info('Key will be persisted when users are created');
+                // We don't set isEncryptionInitialized = true here because we still want 
+                // to try reconciling once a user is actually created/logged in
+            }
         } else {
-            logger.info('No users found yet, encryption key loaded in memory');
-            logger.info('Key will be persisted when users are created');
+            logger.warn('No encryption key found in database, but cannot persist one with user-restricted client.');
         }
-
-        isEncryptionInitialized = true;
     } catch (err) {
         logger.error('Error initializing encryption:', err);
         // Always ensure we have a key, even if there was an error

package/dist/api/src/middleware/auth.js

@@ -33,17 +33,6 @@ export async function authMiddleware(req, _res, next) {
         const isEnvKeyValid = !!envKey && envKey.length > 0;
         const supabaseUrl = isEnvUrlValid ? envUrl : (headerConfig?.url || '');
         const supabaseAnonKey = isEnvKeyValid ? envKey : (headerConfig?.anonKey || '');
-        // If encryption is not ready, try to initialize it using available Supabase config
-        if (!isEncryptionReady() && supabaseUrl && supabaseAnonKey) {
-            // Note: Ideally we use service role to read encryption_key from user_settings,
-            // but even with anon key it might work if RLS allows or if we just use it 
-            // to check for existence of keys.
-            const initClient = createClient(supabaseUrl, supabaseAnonKey, {
-                auth: { autoRefreshToken: false, persistSession: false },
-            });
-            // Run in background to not block auth
-            initializePersistenceEncryption(initClient).catch(err => logger.warn('Failed to initialize encryption in auth middleware', { error: err.message }));
-        }
         // Development bypass: skip auth if DISABLE_AUTH=true in non-production
         if (config.security.disableAuth && !config.isProduction) {
             logger.warn('Auth disabled for development - creating mock user');
@@ -67,6 +56,10 @@ export async function authMiddleware(req, _res, next) {
                 req.supabase = supabase;
                 // Initialize logger persistence for mock user
                 Logger.setPersistence(supabase, req.user.id);
+                // If encryption is not ready, try to initialize it now
+                if (!isEncryptionReady()) {
+                    initializePersistenceEncryption(supabase).catch(err => logger.warn('Failed to initialize encryption in dev mode', { error: err.message }));
+                }
             }
             else {
                 throw new AuthenticationError('Supabase not configured. Please set up Supabase in the app or provide SUPABASE_URL/ANON_KEY in .env');
@@ -95,6 +88,10 @@ export async function authMiddleware(req, _res, next) {
             logger.debug('Auth failed', { error: error?.message });
             throw new AuthenticationError('Invalid or expired token');
         }
+        // If encryption is not ready, initialize it now with the authenticated client
+        if (!isEncryptionReady()) {
+            initializePersistenceEncryption(supabase).catch(err => logger.warn('Failed to initialize encryption with authenticated client', { error: err.message }));
+        }
         // Initialize logger persistence for this request
         Logger.setPersistence(supabase, user.id);
         // Attach user and supabase client to request

package/dist/api/src/services/encryptionInit.js

@@ -17,14 +17,20 @@ export async function initializePersistenceEncryption(providedSupabase) {
             // BYOK mode: Supabase not configured at startup (credentials come via HTTP headers)
             // If we don't have a key yet, generate a temporary one in memory
             if (!getEncryptionKeyHex()) {
-                logger.info('Supabase not configured yet (BYOK mode)');
-                logger.info('Generating temporary encryption key in memory - will be reconciled when Supabase becomes available');
+                logger.info('Supabase not configured yet (BYOK mode) - using temporary key');
                 const newKey = crypto.randomBytes(32).toString('hex');
                 setEncryptionKey(newKey);
-                logger.info('✓ Temporary encryption key generated and loaded in memory');
             }
             return;
         }
+        // Check client type for logging
+        const isServiceRole = !!supabase.supabaseServiceRoleKey || !supabase.auth?.session;
+        const hasToken = !!supabase.realtime?.accessToken; // Simple check for authenticated client
+        if (!isServiceRole && !hasToken) {
+            logger.debug('Skipping encryption reconciliation with unauthenticated anon client');
+            return;
+        }
+        logger.info(`Reconciling encryption key with database (${isServiceRole ? 'Service Role' : 'Authenticated User'})`);
         // 1. Check if ANY user has an encryption key stored
         // In sandbox mode, encryption key is always in database
         const { data: users, error } = await supabase
@@ -54,37 +60,44 @@ export async function initializePersistenceEncryption(providedSupabase) {
             isEncryptionInitialized = true;
             return;
         }
-        // 2. No key in database - use in-memory key or generate and persist
-        // This happens on first run or after fresh database setup
-        let finalKey = getEncryptionKeyHex();
-        if (!finalKey) {
-            logger.info('No encryption key found in database or memory, generating new key...');
-            finalKey = crypto.randomBytes(32).toString('hex');
-            setEncryptionKey(finalKey);
-        }
-        else {
-            logger.info('Persisting in-memory encryption key to new Supabase instance...');
-        }
-        // 3. Persist to all existing users in database
-        const { data: allUsers } = await supabase
-            .from('user_settings')
-            .select('user_id')
-            .limit(100);
-        if (allUsers && allUsers.length > 0) {
-            logger.info(`Saving encryption key to database for ${allUsers.length} user(s)...`);
-            // Update all users with the new key
-            const updates = allUsers.map((user) => supabase
+        // 2. No key in database - only generate and persist if we are the "Master" (Service Role)
+        // or if we've explicitly decided this is a fresh setup.
+        if (isServiceRole) {
+            let finalKey = getEncryptionKeyHex();
+            if (!finalKey) {
+                logger.info('No encryption key found in database or memory, generating new key...');
+                finalKey = crypto.randomBytes(32).toString('hex');
+                setEncryptionKey(finalKey);
+            }
+            else {
+                logger.info('Persisting in-memory encryption key to database...');
+            }
+            // 3. Persist to all existing users in database
+            const { data: allUsers } = await supabase
                 .from('user_settings')
-                .update({ encryption_key: finalKey })
-                .eq('user_id', user.user_id));
-            await Promise.all(updates);
-            logger.info('✓ Encryption key saved to database');
+                .select('user_id')
+                .limit(100);
+            if (allUsers && allUsers.length > 0) {
+                logger.info(`Saving encryption key to database for ${allUsers.length} user(s)...`);
+                // Update all users with the new key
+                const updates = allUsers.map((user) => supabase
+                    .from('user_settings')
+                    .update({ encryption_key: finalKey })
+                    .eq('user_id', user.user_id));
+                await Promise.all(updates);
+                logger.info('✓ Encryption key saved to database');
+                isEncryptionInitialized = true;
+            }
+            else {
+                logger.info('No users found yet, encryption key loaded in memory');
+                logger.info('Key will be persisted when users are created');
+                // We don't set isEncryptionInitialized = true here because we still want 
+                // to try reconciling once a user is actually created/logged in
+            }
         }
         else {
-            logger.info('No users found yet, encryption key loaded in memory');
-            logger.info('Key will be persisted when users are created');
+            logger.warn('No encryption key found in database, but cannot persist one with user-restricted client.');
         }
-        isEncryptionInitialized = true;
     }
     catch (err) {
         logger.error('Error initializing encryption:', err);