thelounge-plugin-ntfy 1.2.0 → 1.3.0

package/README.md

@@ -1,5 +1,8 @@
 # The Lounge ntfy Plugin
 
+![NPM Version](https://img.shields.io/npm/v/thelounge-plugin-ntfy?style=for-the-badge)
+![NPM Downloads](https://img.shields.io/npm/dy/thelounge-plugin-ntfy?style=for-the-badge)
+
 A plugin for [The Lounge](https://thelounge.chat/) that sends a message to an [ntfy](https://ntfy.sh/) server whenever you are mentioned in a chat.
 
 ## Installation

package/docker-compose.yml

@@ -12,3 +12,6 @@ services:
       - $PWD/index.js:/var/opt/thelounge/packages/thelounge-plugin-ntfy/index.js
       - $PWD/package.json:/var/opt/thelounge/packages/thelounge-plugin-ntfy/package.json
       - $PWD/package-lock.json:/var/opt/thelounge/packages/thelounge-plugin-ntfy/package-lock.json
+
+# Installation: su node -c "thelounge install file:/var/opt/thelounge/packages/thelounge-plugin-ntfy"
+# Removal: su node -c "thelounge uninstall thelounge-plugin-ntfy"

package/index.js

@@ -22,17 +22,17 @@ const ntfyCommand = {
       say(`/${command} start - Start the ntfy listener for this network`);
       say(`/${command} stop - Stop the ntfy listener for this network`);
       say(
-        `/${command} status - Show the ntfy listener status for this network`
+        `/${command} status - Show the ntfy listener status for this network`,
       );
       say(`/${command} test - Send a test notification`);
       say(
-        `/${command} config set <setting_key> <setting_value> - Set a configuration setting`
+        `/${command} config set <setting_key> <setting_value> - Set a configuration setting`,
       );
       say(
-        `/${command} config remove <setting_key> - Set configuration setting to null`
+        `/${command} config remove <setting_key> - Set configuration setting to null`,
       );
       say(
-        `/${command} config print - Print the current configuration with warnings if any`
+        `/${command} config print - Print the current configuration with warnings if any`,
       );
     };
 
@@ -197,7 +197,7 @@ const ntfyCommand = {
             const response = saveUserSetting(
               client.client.name,
               settingKey,
-              settingValue
+              settingValue,
             );
 
             say(response);
@@ -217,7 +217,7 @@ const ntfyCommand = {
             const response = saveUserSetting(
               client.client.name,
               settingKey,
-              null
+              null,
             );
 
             say(response);
@@ -228,6 +228,8 @@ const ntfyCommand = {
           case "print": {
             const [userConfig, errors] = loadUserConfig(client.client.name);
 
+            const sensitiveKeys = new Set(["ntfy.password", "ntfy.token"]);
+
             const printConfig = (obj, parentKey = "") => {
               for (const key in obj) {
                 const value = obj[key];
@@ -235,6 +237,8 @@ const ntfyCommand = {
 
                 if (typeof value === "object" && value !== null) {
                   printConfig(value, fullKey);
+                } else if (sensitiveKeys.has(fullKey) && value) {
+                  say(`${fullKey}=********`);
                 } else {
                   say(`${fullKey}=${value}`);
                 }
@@ -257,7 +261,7 @@ const ntfyCommand = {
               userConfig.ntfy.password
             ) {
               say(
-                "Warning: Both ntfy.token and ntfy.username/password are set, ntfy.token will be used for authentication"
+                "Warning: Both ntfy.token and ntfy.username/password are set, ntfy.token will be used for authentication",
               );
             }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thelounge-plugin-ntfy",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "A plugin for The Lounge that sends push notifications via ntfy when highlighted",
   "keywords": [
     "thelounge",
@@ -29,7 +29,7 @@
     "ajv": "^8.17.1",
     "ajv-errors": "^3.0.0",
     "ajv-formats": "^3.0.1",
-    "ntfy": "^1.11.8",
+    "ntfy": "~1.13.3",
     "thelounge": "^4.4.3"
   }
 }

package/src/config.js

@@ -5,6 +5,12 @@ const path = require("path");
 const Ajv2019 = require("ajv/dist/2019").default;
 const addFormats = require("ajv-formats");
 const addErrors = require("ajv-errors");
+const {
+  initEncryptionKey,
+  encrypt,
+  decrypt,
+  isEncrypted,
+} = require("./crypto.js");
 
 const DEFAULT_CONFIG = {
   ntfy: {
@@ -30,6 +36,8 @@ const ALLOWED_KEYS = new Set([
 
 const BOOLEAN_KEYS = new Set(["config.notify_on_private_messages"]);
 
+const SENSITIVE_KEYS = new Set(["ntfy.password", "ntfy.token"]);
+
 const userConfigSchema = {
   type: "object",
   additionalProperties: false,
@@ -121,6 +129,38 @@ let rootDir = null;
 
 function setRootDir(dir) {
   rootDir = dir;
+  initEncryptionKey(dir);
+}
+
+function decryptSensitiveFields(config) {
+  const decrypted = JSON.parse(JSON.stringify(config)); // Deep clone
+
+  for (const key of SENSITIVE_KEYS) {
+    const keys = key.split(".");
+    let curr = decrypted;
+
+    for (let i = 0; i < keys.length - 1; i++) {
+      if (curr[keys[i]]) {
+        curr = curr[keys[i]];
+      } else {
+        curr = null;
+        break;
+      }
+    }
+
+    if (curr) {
+      const finalKey = keys[keys.length - 1];
+      if (curr[finalKey] && isEncrypted(curr[finalKey])) {
+        try {
+          curr[finalKey] = decrypt(curr[finalKey]);
+        } catch (e) {
+          // Leave as-is
+        }
+      }
+    }
+  }
+
+  return decrypted;
 }
 
 function loadUserConfig(username) {
@@ -142,10 +182,12 @@ function loadUserConfig(username) {
       userConfig = JSON.parse(fs.readFileSync(userConfigPath, "utf-8"));
     } catch (e) {
       throw new Error(
-        `Invalid JSON in user config for ${username}: ${e.message}`
+        `Invalid JSON in user config for ${username}: ${e.message}`,
       );
     }
 
+    userConfig = decryptSensitiveFields(userConfig);
+
     const validate = ajv.compile(userConfigSchema);
     const valid = validate(userConfig);
 
@@ -153,6 +195,33 @@ function loadUserConfig(username) {
   }
 }
 
+function encryptSensitiveFields(config) {
+  const encrypted = JSON.parse(JSON.stringify(config)); // Deep clone
+
+  for (const key of SENSITIVE_KEYS) {
+    const keys = key.split(".");
+    let curr = encrypted;
+
+    for (let i = 0; i < keys.length - 1; i++) {
+      if (curr[keys[i]]) {
+        curr = curr[keys[i]];
+      } else {
+        curr = null;
+        break;
+      }
+    }
+
+    if (curr) {
+      const finalKey = keys[keys.length - 1];
+      if (curr[finalKey] && !isEncrypted(curr[finalKey])) {
+        curr[finalKey] = encrypt(curr[finalKey]);
+      }
+    }
+  }
+
+  return encrypted;
+}
+
 function saveUserSetting(username, settingKey, settingValue) {
   if (!rootDir) {
     throw new Error("Root directory is not set");
@@ -192,20 +261,22 @@ function saveUserSetting(username, settingKey, settingValue) {
 
     curr[keys[keys.length - 1]] = settingValue;
 
+    const configToSave = encryptSensitiveFields(userConfig);
+
     const userConfigPath = path.join(rootDir, "config", `${username}.json`);
 
     fs.mkdirSync(path.dirname(userConfigPath), { recursive: true });
     fs.writeFileSync(
       userConfigPath,
-      JSON.stringify(userConfig, null, 2),
-      "utf-8"
+      JSON.stringify(configToSave, null, 2),
+      "utf-8",
     );
 
     return "Success";
   }
 
   return `Invalid setting ${settingKey}, allowed settings are: ${Array.from(
-    ALLOWED_KEYS
+    ALLOWED_KEYS,
   ).join(", ")}`;
 }
 

package/src/crypto.js

@@ -0,0 +1,111 @@
+"use strict";
+
+const crypto = require("crypto");
+const fs = require("fs");
+const path = require("path");
+
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 16; // 128 bits
+const AUTH_TAG_LENGTH = 16; // 128 bits
+const ENCRYPTED_PREFIX = "enc:";
+
+let encryptionKey = null;
+
+function initEncryptionKey(configDir) {
+  const keyPath = path.join(configDir, ".ntfy_key");
+
+  if (fs.existsSync(keyPath)) {
+    const keyData = fs.readFileSync(keyPath, "utf-8").trim();
+    encryptionKey = Buffer.from(keyData, "hex");
+
+    if (encryptionKey.length !== KEY_LENGTH) {
+      throw new Error("Invalid encryption key length");
+    }
+  } else {
+    encryptionKey = crypto.randomBytes(KEY_LENGTH);
+    fs.mkdirSync(configDir, { recursive: true });
+    fs.writeFileSync(keyPath, encryptionKey.toString("hex"), {
+      encoding: "utf-8",
+      mode: 0o600, // R/W for owner only
+    });
+  }
+}
+
+function isInitialized() {
+  return encryptionKey !== null;
+}
+
+function encrypt(plaintext) {
+  if (!encryptionKey) {
+    throw new Error("Encryption key not initialized");
+  }
+
+  if (!plaintext || typeof plaintext !== "string") {
+    return plaintext;
+  }
+
+  if (plaintext.startsWith(ENCRYPTED_PREFIX)) {
+    return plaintext;
+  }
+
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, encryptionKey, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+
+  let encrypted = cipher.update(plaintext, "utf8", "hex");
+  encrypted += cipher.final("hex");
+
+  const authTag = cipher.getAuthTag();
+
+  return `${ENCRYPTED_PREFIX}${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+}
+
+function decrypt(encryptedText) {
+  if (!encryptionKey) {
+    throw new Error("Encryption key not initialized");
+  }
+
+  if (!encryptedText || typeof encryptedText !== "string") {
+    return encryptedText;
+  }
+
+  if (!encryptedText.startsWith(ENCRYPTED_PREFIX)) {
+    return encryptedText;
+  }
+
+  const data = encryptedText.slice(ENCRYPTED_PREFIX.length);
+  const parts = data.split(":");
+
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted data format");
+  }
+
+  const [ivHex, authTagHex, encrypted] = parts;
+  const iv = Buffer.from(ivHex, "hex");
+  const authTag = Buffer.from(authTagHex, "hex");
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, encryptionKey, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  decipher.setAuthTag(authTag);
+
+  let decrypted = decipher.update(encrypted, "hex", "utf8");
+  decrypted += decipher.final("utf8");
+
+  return decrypted;
+}
+
+function isEncrypted(value) {
+  return typeof value === "string" && value.startsWith(ENCRYPTED_PREFIX);
+}
+
+module.exports = {
+  initEncryptionKey,
+  isInitialized,
+  encrypt,
+  decrypt,
+  isEncrypted,
+  ENCRYPTED_PREFIX,
+};