@solidxai/core 0.1.8-beta.1 → 0.1.8-beta.11

package/src/services/api-key.service.ts

@@ -0,0 +1,111 @@
+import {
+    ForbiddenException,
+    Injectable,
+    Logger,
+    NotFoundException,
+    UnauthorizedException,
+} from '@nestjs/common';
+import { createHash, randomBytes } from 'crypto';
+import { CreateApiKeyDto } from 'src/dtos/create-api-key.dto';
+import { UpdateApiKeyDto } from 'src/dtos/update-api-key.dto';
+import { UserApiKey } from 'src/entities/user-api-key.entity';
+import { User } from 'src/entities/user.entity';
+import { ActiveUserData } from 'src/interfaces/active-user-data.interface';
+import { UserApiKeyRepository } from 'src/repository/user-api-key.repository';
+import { PermissionMetadataService } from 'src/services/permission-metadata.service';
+
+@Injectable()
+export class ApiKeyService {
+    private readonly logger = new Logger(ApiKeyService.name);
+
+    constructor(
+        private readonly apiKeyRepository: UserApiKeyRepository,
+        private readonly permissionMetadataService: PermissionMetadataService,
+    ) {}
+
+    async generate(userId: number, dto: CreateApiKeyDto): Promise<{ apiKey: string; record: UserApiKey }> {
+        const user = await this.apiKeyRepository.manager.findOne(User, {
+            where: { id: userId },
+            select: ['id', 'isAllowedToGenerateApiKeys'],
+        });
+
+        if (!user?.isAllowedToGenerateApiKeys) {
+            throw new ForbiddenException('You are not allowed to generate API keys');
+        }
+
+        const rawKey = 'sldx_' + randomBytes(32).toString('hex');
+        const hashedKey = this.hash(rawKey);
+        const maskedKey = 'sldx_****' + rawKey.slice(-4);
+
+        const record = this.apiKeyRepository.create({
+            name: dto.name,
+            hashedKey,
+            maskedKey,
+            isActive: true,
+            expiresAt: dto.expiresAt ? new Date(dto.expiresAt) : null,
+            user,
+        });
+
+        await this.apiKeyRepository.save(record);
+
+        // Strip hashedKey from the returned record — maskedKey is all the UI needs
+        delete (record as any).hashedKey;
+
+        return { apiKey: rawKey, record };
+    }
+
+    async validate(rawKey: string): Promise<ActiveUserData> {
+        const hashedKey = this.hash(rawKey);
+
+        // Bypass security rules for auth validation — must find the key regardless of caller context
+        const keyRecord = await this.apiKeyRepository.findOne({
+            where: { hashedKey, isActive: true },
+            relations: ['user', 'user.roles'],
+        });
+
+        if (!keyRecord) {
+            throw new UnauthorizedException();
+        }
+
+        if (keyRecord.expiresAt && keyRecord.expiresAt < new Date()) {
+            throw new UnauthorizedException('API key expired');
+        }
+
+        // Fire-and-forget — does not need security rule context
+        this.apiKeyRepository.update(keyRecord.id, { lastUsedAt: new Date() }).catch((err) => {
+            this.logger.warn(`Failed to update lastUsedAt for key ${keyRecord.id}: ${err.message}`);
+        });
+
+        const roles = (keyRecord.user.roles ?? []).map((r) => r.name);
+        const permissions = await this.permissionMetadataService.findAllUsingRoles(roles);
+
+        return {
+            sub: keyRecord.user.id,
+            username: keyRecord.user.username,
+            email: keyRecord.user.email,
+            roles,
+            permissions: permissions.map((p) => p.name),
+        };
+    }
+
+    async updateKey(id: number, userId: number, dto: UpdateApiKeyDto): Promise<void> {
+        const keyRecord = await this.apiKeyRepository.findOne({
+            where: { id, user: { id: userId } },
+        });
+
+        if (!keyRecord) {
+            throw new NotFoundException('API key not found');
+        }
+
+        await this.apiKeyRepository.manager
+            .createQueryBuilder()
+            .update(UserApiKey)
+            .set({ isActive: dto.isActive })
+            .where('id = :id', { id })
+            .execute();
+    }
+
+    private hash(rawKey: string): string {
+        return createHash('sha256').update(rawKey).digest('hex');
+    }
+}

package/src/services/authentication.service.ts

@@ -41,6 +41,7 @@ import { EventDetails, EventType } from "../interfaces";
 import { ActiveUserData } from '../interfaces/active-user-data.interface';
 import { HashingService } from './hashing.service';
 import { InvalidatedRefreshTokenError, RefreshTokenIdsStorageService } from './refresh-token-ids-storage.service';
+import { SsoCodeStorageService } from './sso-code-storage.service';
 import { RoleMetadataService } from './role-metadata.service';
 import { SettingService } from './setting.service';
 import { UserActivityHistoryService } from './user-activity-history.service';
@@ -78,6 +79,7 @@ export class AuthenticationService {
         private readonly settingService: SettingService,
         private readonly roleMetadataService: RoleMetadataService,
         private readonly userActivityHistoryService: UserActivityHistoryService,
+        private readonly ssoCodeStorage: SsoCodeStorageService,
 
         @InjectDataSource()
         private readonly dataSource: DataSource,
@@ -152,6 +154,10 @@ export class AuthenticationService {
             const defaultRole = this.settingService.getConfigValue<SolidCoreSetting>('defaultRole');
 
             var { user, pwd, autoGeneratedPwd } = await this.populateForSignup(new User(), signUpDto, activateUserOnRegistration, onForcePasswordChange);
+            const privateDto = signUpDto as { isAllowedToGenerateApiKeys?: boolean };
+            if (privateDto.isAllowedToGenerateApiKeys !== undefined) {
+                user.isAllowedToGenerateApiKeys = privateDto.isAllowedToGenerateApiKeys;
+            }
             const savedUser = await this.userRepository.save(user);
             // Also assign a default role to the newly created user. 
             const userRoles = signUpDto.roles ?? [];
@@ -879,11 +885,15 @@ export class AuthenticationService {
         }
     }
 
-    private async buildLoginTokenResponse(user: User) {
-        const { accessToken, refreshToken } = await this.generateTokens(user);
+    private buildUserPayload(user: User) {
         const { id, username, email, mobile, lastLoginProvider } = user;
         const roles = user.roles.map((role) => role.name);
-        return { accessToken, refreshToken, user: { id, username, email, mobile, lastLoginProvider, roles } };
+        return { id, username, email, mobile, lastLoginProvider, roles };
+    }
+
+    private async buildLoginTokenResponse(user: User) {
+        const { accessToken, refreshToken } = await this.generateTokens(user);
+        return { accessToken, refreshToken, user: this.buildUserPayload(user) };
     }
 
     async changePassword(changePasswordDto: ChangePasswordDto, activeUser: ActiveUserData) {
@@ -1414,6 +1424,28 @@ export class AuthenticationService {
         return response;
     }
 
+    async generateSsoCode(activeUser: ActiveUserData, rawAccessToken: string): Promise<{ ssoCode: string }> {
+        const refreshTokenState = await this.refreshTokenIdsStorage.getCurrentRefreshTokenState(activeUser.sub);
+        if (!refreshTokenState?.currentRefreshToken) {
+            throw new UnauthorizedException('No active session found');
+        }
+        const ssoCode = await this.ssoCodeStorage.generateCode(
+            activeUser.sub,
+            rawAccessToken,
+            refreshTokenState.currentRefreshToken,
+        );
+        return { ssoCode };
+    }
+
+    async exchangeSsoCode(code: string) {
+        const { userId, accessToken, refreshToken } = await this.ssoCodeStorage.consumeCode(code);
+        const user = await this.userRepository.findOne({ where: { id: userId }, relations: { roles: true } });
+        if (!user) {
+            throw new UnauthorizedException('User not found');
+        }
+        return { accessToken, refreshToken, user: this.buildUserPayload(user) };
+    }
+
 }
 
 function parseUniqueConstraintError(detail: string): string {

package/src/services/chatter-message.service.ts

@@ -53,6 +53,13 @@ export class ChatterMessageService extends CRUDService<ChatterMessage> {
         chatterMessage.messageBody = postDto.messageBody;
         chatterMessage.coModelEntityId = postDto.coModelEntityId;
         chatterMessage.coModelName = postDto.coModelName;
+        chatterMessage.modelUserKey = postDto.modelUserKey ?? null;
+
+        const model = await this.modelMetadataRepo.findOne({
+            where: { singularName: lowerFirst(postDto.coModelName) },
+            relations: { userKeyField: true }
+        });
+        chatterMessage.modelDisplayName = model?.displayName ?? null;
 
         const activeUser = this.requestContextService.getActiveUser();
 

package/src/services/encryption.service.ts

@@ -0,0 +1,43 @@
+import * as crypto from 'crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+const SCRYPT_SALT = 'solid-encryption-salt';
+const ENC_PREFIX = 'enc:';
+
+export class EncryptionService {
+  private readonly key: Buffer;
+
+  constructor(secret: string) {
+    if (!secret) throw new Error('EncryptionService: secret must not be empty');
+    this.key = crypto.scryptSync(secret, SCRYPT_SALT, KEY_LENGTH) as Buffer;
+  }
+
+  encrypt(plaintext: string): string {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, this.key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return `${ENC_PREFIX}${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted.toString('hex')}`;
+  }
+
+  decrypt(ciphertext: string): string {
+    if (!ciphertext.startsWith(ENC_PREFIX)) {
+      throw new Error('EncryptionService: value does not appear to be encrypted');
+    }
+    const payload = ciphertext.slice(ENC_PREFIX.length);
+    const [ivHex, authTagHex, encryptedHex] = payload.split(':');
+    const iv = Buffer.from(ivHex, 'hex');
+    const authTag = Buffer.from(authTagHex, 'hex');
+    const encryptedBuf = Buffer.from(encryptedHex, 'hex');
+    const decipher = crypto.createDecipheriv(ALGORITHM, this.key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    decipher.setAuthTag(authTag);
+    return decipher.update(encryptedBuf).toString('utf8') + decipher.final('utf8');
+  }
+
+  isEncrypted(value: string): boolean {
+    return typeof value === 'string' && value.startsWith(ENC_PREFIX);
+  }
+}

package/src/services/export-transaction.service.ts

@@ -274,32 +274,6 @@ export class ExportTransactionService extends CRUDService<ExportTransaction> {
           }
         }
 
-        // Include userKey from each related field
-        for (const [relatedFieldName, userKeyFieldName] of relatedModelsUserKeyMap.entries()) {
-          const relatedData = record[relatedFieldName];
-          const displayKey = fieldNameToDisplayName.get(relatedFieldName) ?? relatedFieldName;
-
-          if (Array.isArray(relatedData)) {
-            // For many-to-many or one-to-many
-            const values = relatedData
-              .map(item => {
-                let val = item?.[userKeyFieldName];
-                const relatedFieldMeta = modelFields.find(f => f.name === relatedFieldName);
-                if ((relatedFieldMeta?.type === 'datetime' || relatedFieldMeta?.type === 'date') && val) {
-                  val = new Date(val).toISOString();
-                }
-                return val;
-              })
-              .filter(Boolean);
-            newRecord[displayKey] = values.join(', ');
-          } else if (relatedData && typeof relatedData === 'object') {
-            // For many-to-one or one-to-one
-            newRecord[relatedFieldName] = relatedData?.[userKeyFieldName] ?? null;
-          } else {
-            newRecord[displayKey] = null;
-          }
-        }
-
         // Include userKey from each related field (with displayName)
         for (const [relatedFieldName, userKeyFieldName] of relatedModelsUserKeyMap.entries()) {
           const relatedData = record[relatedFieldName];

package/src/services/field-metadata.service.ts

@@ -18,7 +18,6 @@ import { ERROR_MESSAGES } from 'src/constants/error-messages';
 import qs from 'qs';
 import { ResolveS3UrlDto } from 'src/dtos/resolve-s3-url.dto';
 import { MediaStorageProviderMetadataRepository } from 'src/repository/media-storage-provider-metadata.repository';
-import { ConfigService } from '@nestjs/config';
 import { S3FileService } from './file';
 import { MediaStorageProviderMetadata } from 'src/entities/media-storage-provider-metadata.entity';
 
@@ -27,7 +26,6 @@ import { MediaStorageProviderMetadata } from 'src/entities/media-storage-provide
 export class FieldMetadataService implements OnApplicationBootstrap {
     constructor(
         private readonly fieldMetadataRepo: FieldMetadataRepository,
-        private readonly configService: ConfigService,
         private readonly fileService: S3FileService,
         private readonly mediaStorageProviderMetadataRepository: MediaStorageProviderMetadataRepository,
 
@@ -1291,7 +1289,6 @@ export class FieldMetadataService implements OnApplicationBootstrap {
     }
 
     async resolveS3Url(resolveS3UrlDto: ResolveS3UrlDto) {
-        let url = "";
         const normalizedKey = this.normalizeS3Key(resolveS3UrlDto.s3Key);
 
         let resolvedBucketName = resolveS3UrlDto.bucketName;
@@ -1308,14 +1305,11 @@ export class FieldMetadataService implements OnApplicationBootstrap {
         }
         this.logger.debug(`INSIDE::resolveS3Url:: resolvedBucketName: ${resolvedBucketName}`)
 
-        if (resolveS3UrlDto.isPrivate == "true") {
-            const expiryInSeconds = 60 * 60;
-            url = await this.fileService.getUrl(`${resolvedBucketName}:${normalizedKey}`, { expiresIn: expiryInSeconds });
-        } else {
-            url = `https://${resolvedBucketName}.s3.${this.configService.get(
-                'S3_AWS_REGION_NAME',
-            )}.amazonaws.com/${normalizedKey}`;
-        }
+        const expiryInSeconds = resolveS3UrlDto.isPrivate == "true" ? 60 * 60 : 0;
+        const url = await this.fileService.getUrl(`${resolvedBucketName}:${normalizedKey}`, {
+            expiresIn: expiryInSeconds,
+        });
+
         return { url: url }
     }
 
@@ -1332,4 +1326,3 @@ export class FieldMetadataService implements OnApplicationBootstrap {
     }
 }
 
-

package/src/services/file/disk-file.service.ts

@@ -44,7 +44,7 @@ export class DiskFileService implements IFileService {
   async write(filePath: string, data: Buffer | string, options?: WriteOptions): Promise<string> {
     await this.ensureDirectoryExists(filePath);
     await fsPromises.writeFile(filePath, data);
-    return `${this.baseUrl}/${filePath}`;
+    return this.buildUrl(filePath);
   }
 
   /**
@@ -57,7 +57,7 @@ export class DiskFileService implements IFileService {
     const writeStream = fs.createWriteStream(filePath);
     await pipeline(stream, writeStream);
     this.logger.debug(`File saved via stream: ${filePath}`);
-    return `${this.baseUrl}/${filePath}`;
+    return this.buildUrl(filePath);
   }
 
   /**
@@ -97,13 +97,10 @@ export class DiskFileService implements IFileService {
   }
 
   /**
-   * Get an accessible URL/path for the file
-   * For disk storage, returns the file path as-is
+   * Get an accessible URL for the file
    */
   async getUrl(filePath: string, options?: UrlOptions): Promise<string> {
-    // For disk storage, we simply return the path
-    // The caller is responsible for constructing a full URL if needed
-    return filePath;
+    return this.buildUrl(filePath);
   }
 
   /**
@@ -117,4 +114,15 @@ export class DiskFileService implements IFileService {
       await fsPromises.mkdir(dir, { recursive: true });
     }
   }
+
+  private buildUrl(filePath: string): string {
+    const normalizedBaseUrl = this.baseUrl.replace(/\/+$/, '');
+    const normalizedPath = filePath.replace(/^\/+/, '');
+
+    if (!normalizedBaseUrl) {
+      return `/${normalizedPath}`;
+    }
+
+    return `${normalizedBaseUrl}/${normalizedPath}`;
+  }
 }

package/src/services/media.service.ts

@@ -53,51 +53,29 @@ export class MediaService extends CRUDService<Media> {
     if (data.records) {
 
       for (const media of data.records) {
-        if (media.mediaStorageProviderMetadata?.type === MediaStorageProviderType.Filesystem) {
-          media.relativeUri = `${this.settingService.getConfigValue<SolidCoreSetting>("baseUrl")}/${this.getFullFilePathForDisk(media.relativeUri)}`;
-        } else if (media.mediaStorageProviderMetadata?.type === MediaStorageProviderType.AwsS3) {
-          media.relativeUri = this.getAwsS3FullFilePath(
-            media.relativeUri,
-            media.mediaStorageProviderMetadata.bucketName,
-            media.mediaStorageProviderMetadata.region
-          );
+        const mediaStorageProvider = media.mediaStorageProviderMetadata;
+
+        if (mediaStorageProvider?.type === MediaStorageProviderType.Filesystem) {
+          media.relativeUri = await this.diskFileService.getUrl(this.getFullFilePathForDisk(media.relativeUri));
+        } else if (mediaStorageProvider?.type === MediaStorageProviderType.AwsS3) {
+          media.relativeUri = await this.s3FileService.getUrl(`${mediaStorageProvider.bucketName}:${media.relativeUri}`, { region: mediaStorageProvider.region });
         }
       }
-      // data.records.forEach((media: Media) => {
-      //       if (media.mediaStorageProviderMetadata?.type === MediaStorageProviderType.Filesystem) {
-      //   media.relativeUri = `${process.env.BASE_URL}/${this.getFileSysytemFullFilePath(media.relativeUri)}`;
-      // } else if (media.mediaStorageProviderMetadata?.type === MediaStorageProviderType.AwsS3) {
-      //   media.relativeUri = this.getAwsS3FullFilePath(
-      //     media.relativeUri,
-      //     media.mediaStorageProviderMetadata.bucketName,
-      //     media.mediaStorageProviderMetadata.region
-      //   );
-      // }
-      // });
     }
     if (data.groupRecords) {
 
       for (const group of data.groupRecords) {
         for (const media of group.groupData.records) {
-          if (media.mediaStorageProviderMetadata?.type === MediaStorageProviderType.Filesystem) {
-            media.relativeUri = `${this.settingService.getConfigValue<SolidCoreSetting>("baseUrl")}/${this.getFullFilePathForDisk(media.relativeUri)}`;
+          const mediaStorageProvider = media.mediaStorageProviderMetadata;
+
+          if (mediaStorageProvider?.type === MediaStorageProviderType.Filesystem) {
+            media.relativeUri = await this.diskFileService.getUrl(this.getFullFilePathForDisk(media.relativeUri));
           }
-          else if (media.mediaStorageProviderMetadata?.type === MediaStorageProviderType.AwsS3) {
-            media.relativeUri = this.getAwsS3FullFilePath(media.relativeUri, media.mediaStorageProviderMetadata.bucketName, media.mediaStorageProviderMetadata.region);
+          else if (mediaStorageProvider?.type === MediaStorageProviderType.AwsS3) {
+            media.relativeUri = await this.s3FileService.getUrl(`${mediaStorageProvider.bucketName}:${media.relativeUri}`, { region: mediaStorageProvider.region });
           }
         }
       }
-
-      // data.groupRecords.forEach((group) => {
-      //   group.groupData.records.forEach((media) => {
-      //     if (media.mediaStorageProviderMetadata?.type === MediaStorageProviderType.Filesystem) {
-      //       media.relativeUri = `${process.env.BASE_URL}/${this.getFileSysytemFullFilePath(media.relativeUri)}`;
-      //     }
-      //     else if (media.mediaStorageProviderMetadata?.type === MediaStorageProviderType.AwsS3) {
-      //       media.relativeUri = this.getAwsS3FullFilePath(media.relativeUri, media.mediaStorageProviderMetadata.bucketName, media.mediaStorageProviderMetadata.region);
-      //     }
-      //   });
-      // });
     }
     return data
   }
@@ -172,24 +150,12 @@ export class MediaService extends CRUDService<Media> {
       }
     }
     );
-    // if (media.mediaStorageProviderMetadata.type === 'filesystem') {
-    //     const fileStorageProvider = new FileStorageProvider(this.configService, this.fileService, this);
-
-    //     await fileStorageProvider.delete(media, media.fieldMetadata);
-
-    // } else if (media.mediaStorageProviderMetadata.type === 'aws-s3') {
-    //     const fileStorageProvider = new FileS3StorageProvider(this.configService, this.fileService, this);
-    //     await fileStorageProvider.delete(media, media.fieldMetadata);
-
-    // } else {
-    // }
     const storageProviderType = media.mediaStorageProviderMetadata.type as MediaStorageProviderType;
     const storageProvider = await getMediaStorageProvider(this.moduleRef, storageProviderType);
     await storageProvider.delete(modelEntity, media.fieldMetadata);
 
     return this.repo.remove(media);
   }
-  //TODO: Move this to a app builder config
 
   private getFullFilePathForDisk(fileName: string): string {
     const base = this.settingService.getConfigValue<SolidCoreSetting>("fileStorageDir")
@@ -200,11 +166,6 @@ export class MediaService extends CRUDService<Media> {
     return `${base}/${fileName}`;
   }
 
-  private getAwsS3FullFilePath(awsMediaurl: string, bucketName: string, regionName: string): string {
-    // https://lunarismedia.s3.ap-south-1.amazonaws.com/LUNARIS_CP_REGISTRATION_CREATIVE.jpg
-    return `https://${bucketName}.s3.${regionName}.amazonaws.com/${awsMediaurl}`;
-  }
-
   private getFileName(file: Express.Multer.File): string {
     return `${file.filename}-${file.originalname}`;
   }

package/src/services/setting.service.ts

@@ -15,6 +15,7 @@ import { ISettingsProvider, NoInfer, SettingDefinition, SettingLevel } from '../
 import { ModuleMetadataRepository } from 'src/repository/module-metadata.repository';
 import type { SolidCoreSetting } from './settings/default-settings-provider.service';
 import { Logger } from '@nestjs/common';
+import { EncryptionService } from './encryption.service';
 
 
 @Injectable()
@@ -23,6 +24,7 @@ export class SettingService {
 
   private settings: SettingDefinition[] = [];
   private settingsByKey = new Map<string, SettingDefinition>();
+  private readonly encryptionService: EncryptionService | null;
 
   private readonly arrayKeysToSkip = new Set([
     'authenticationPasswordRegex',
@@ -38,7 +40,11 @@ export class SettingService {
     readonly moduleMetadataRepo: ModuleMetadataRepository,
     private readonly requestContextService: RequestContextService,
     @InjectRepository(User) private readonly userRepository: Repository<User>,
-  ) { }
+  ) {
+    const encKey = process.env.APP_ENCRYPTION_KEY;
+    this.encryptionService = encKey ? new EncryptionService(encKey) : null;
+    if (!encKey) this._logger.warn('APP_ENCRYPTION_KEY is not set — encrypted settings will not be decrypted');
+  }
 
   private async getSettingsFromDb(): Promise<Setting[]> {
     const settings = await this.repo.find({ relations: ['user'] });
@@ -112,7 +118,15 @@ export class SettingService {
       const settingFromDb = settingsFromDbByKey.get(setting.key);
       const valueFromDb = settingFromDb?.value;
       if (settingFromDb?.key && valueFromDb !== undefined && valueFromDb !== null) {
-        const parsedValue = typeof valueFromDb === 'string' ? this.parseSettingValue(valueFromDb, settingFromDb.key) : valueFromDb;
+        let rawValue = valueFromDb;
+        if (settingFromDb.encrypted && this.encryptionService) {
+          try {
+            rawValue = this.encryptionService.decrypt(rawValue);
+          } catch {
+            this._logger.warn(`Failed to decrypt setting "${setting.key}" — using raw value`);
+          }
+        }
+        const parsedValue = typeof rawValue === 'string' ? this.parseSettingValue(rawValue, settingFromDb.key) : rawValue;
         return { ...setting, value: parsedValue };
       }
       return setting;
@@ -149,30 +163,38 @@ export class SettingService {
     const settingsToMutate: Setting[] = [];
     // const settingsToUpdate: Setting[] = [];
 
-    for (const { key, value, level, moduleName } of saEditableAndAbove) {
+    for (const { key, value, level, moduleName, encrypted } of saEditableAndAbove) {
       const moduleMetadata = await this.moduleMetadataRepo.findOneBy({ name: moduleName });
       if (!existingSettingsFromDbByKey.has(key)) {
         const setting = new Setting();
         setting.key = key;
         setting.level = level;
+        setting.encrypted = !!encrypted;
         if (moduleMetadata)
           setting.moduleMetadata = moduleMetadata;
 
+        let rawValue: string | null;
         if (typeof value === 'boolean') {
-          setting.value = value.toString();
+          rawValue = value.toString();
         } else if (Array.isArray(value)) {
-          setting.value = value.join(',');
+          rawValue = value.join(',');
         } else if (value === null || value === undefined) {
-          setting.value = null;
+          rawValue = null;
         } else {
-          setting.value = String(value);
+          rawValue = String(value);
         }
 
+        if (encrypted && this.encryptionService && rawValue !== null) {
+          rawValue = this.encryptionService.encrypt(rawValue);
+        }
+        setting.value = rawValue;
+
         settingsToMutate.push(setting);
       }
       else {
         const setting = existingSettingsFromDbByKey.get(key);
         setting.level = level;
+        setting.encrypted = !!encrypted;
         if (moduleMetadata)
           setting.moduleMetadata = moduleMetadata;
         settingsToMutate.push(setting);
@@ -289,22 +311,29 @@ export class SettingService {
       }
 
       const key = settingDto.key;
-      // const value = settingDto.value ?? '';
       const rawValue = settingDto.value;
-      const value = rawValue === null || rawValue === undefined ? null : String(rawValue);
+      let value = rawValue === null || rawValue === undefined ? null : String(rawValue);
 
       const settingType = settingDto.type ?? 'system';
+      const definition = this.settingsByKey.get(key);
+      const shouldEncrypt = !!definition?.encrypted && this.encryptionService !== null && value !== null;
+
+      if (shouldEncrypt) {
+        value = this.encryptionService.encrypt(value);
+      }
 
       const existingSetting = existingSettings.find(s => s.key === key);
       if (existingSetting) {
         existingSetting.value = value;
         existingSetting.type = settingType;
+        existingSetting.encrypted = shouldEncrypt;
         settingsToUpdate.push(existingSetting);
       } else {
         const newSetting = new Setting();
         newSetting.key = key;
         newSetting.value = value;
         newSetting.type = settingType;
+        newSetting.encrypted = shouldEncrypt;
 
         if (settingType === 'user' && user) {
           newSetting.user = user;

package/src/services/settings/default-settings-provider.service.ts

@@ -34,10 +34,14 @@ const getSolidCoreSettings = (isProd: boolean) => ([
   { moduleName: "solid-core", key: "authScreenCenterBackgroundImage", value: null, level: SettingLevel.SystemAdminEditable },
   {
     moduleName: "solid-core", key: "solidXGenAiCodeBuilderConfig", value: JSON.stringify({
-      fastModel: { provider: "", availableProviders: [] },
-      defaultProvider: { provider: "", availableProviders: [] },
-    }), level: SettingLevel.SystemAdminEditable
+      models: {
+        default: { providerId: "", model: "", behavior: { streaming: false, custom: "" } },
+        fast: { providerId: "", model: "", behavior: { streaming: false, custom: "" } },
+      },
+      providers: {},
+    }), level: SettingLevel.SystemAdminEditable, encrypted: true
   },
+  { moduleName: "solid-core", key: "appEncryptionKey", value: process.env.APP_ENCRYPTION_KEY, level: SettingLevel.SystemEnv },
   { moduleName: "solid-core", key: "mcpEnabled", value: process.env.MCP_ENABLED || false, level: SettingLevel.SystemAdminReadonly },
   { moduleName: "solid-core", key: "mcpServerUrl", value: process.env.MCP_SERVER_URL, level: SettingLevel.SystemAdminReadonly },
   { moduleName: "solid-core", key: "mcpApiKey", value: process.env.MCP_API_KEY, level: SettingLevel.SystemEnv },

package/src/services/sso-code-storage.service.ts

@@ -0,0 +1,36 @@
+import { CACHE_MANAGER } from '@nestjs/cache-manager';
+import { Inject, Injectable, UnauthorizedException } from '@nestjs/common';
+import { Cache } from 'cache-manager';
+import { randomBytes } from 'crypto';
+
+const SSO_CODE_TTL_MS = 60 * 1000; // 60 seconds
+
+interface SsoCodeEntry {
+    userId: number;
+    accessToken: string;
+    refreshToken: string;
+}
+
+@Injectable()
+export class SsoCodeStorageService {
+    constructor(@Inject(CACHE_MANAGER) private cacheManager: Cache) {}
+
+    async generateCode(userId: number, accessToken: string, refreshToken: string): Promise<string> {
+        const code = randomBytes(32).toString('hex');
+        await this.cacheManager.set(this.getKey(code), { userId, accessToken, refreshToken }, SSO_CODE_TTL_MS);
+        return code;
+    }
+
+    async consumeCode(code: string): Promise<SsoCodeEntry> {
+        const entry = await this.cacheManager.get<SsoCodeEntry>(this.getKey(code));
+        if (!entry) {
+            throw new UnauthorizedException('Invalid or expired SSO code');
+        }
+        await this.cacheManager.del(this.getKey(code));
+        return entry;
+    }
+
+    private getKey(code: string): string {
+        return `sso-code-${code}`;
+    }
+}

package/src/services/user.service.ts

@@ -102,8 +102,9 @@ export class UserService extends CRUDService<User> {
     if (!user) {
       throw new Error(ERROR_MESSAGES.USER_NOT_FOUND);
     }
-    const roles = updateDto.roles ? updateDto.roles : [];
-    await this.addRolesToUser(user.username, roles);
+    if (updateDto.roles != null) {
+      await this.addRolesToUser(user.username, updateDto.roles);
+    }
     await this.update(id, updateDto, files, true);
   }