feat(security): two-factor authentication and secret encryption

Signed-off-by: GitHub <[email protected]>

Author: virtual-designer

.gitignore

@@ -10,6 +10,7 @@ yarn-error.log
 .env
 /.env*
 /.env.docker
+/.env.encrypted
 
 # IDEs and editors
 .idea/

package.json

@@ -89,6 +89,7 @@
         "glob": "^11.0.0",
         "json5": "^2.2.3",
         "jsonwebtoken": "^9.0.2",
+        "mlkem": "^2.3.0",
         "module-alias": "^2.2.3",
         "pg": "^8.13.1",
         "pm2": "^5.4.3",

src/main/typescript/api/controllers/AuthController.ts

@@ -24,7 +24,7 @@ import type Request from "@framework/api/http/Request";
 import Response from "@framework/api/http/Response";
 import { Inject } from "@framework/container/Inject";
 import { fetchUser } from "@framework/utils/entities";
-import { env } from "@main/env/env";
+import { getEnvData } from "@main/env/env";
 import { users } from "@main/models/User";
 import AuthService from "@main/services/AuthService";
 import { APIErrorCode } from "@main/types/APIErrorCode";
@@ -137,11 +137,11 @@ class AuthController extends Controller {
 
         try {
             const body = new URLSearchParams({
-                client_id: env.CLIENT_ID,
-                client_secret: env.CLIENT_SECRET,
+                client_id: getEnvData().CLIENT_ID,
+                client_secret: getEnvData().CLIENT_SECRET,
                 code,
                 grant_type: "authorization_code",
-                redirect_uri: `${env.FRONTEND_URL}/challenge/auth/discord`,
+                redirect_uri: `${getEnvData().FRONTEND_URL}/challenge/auth/discord`,
                 scope: "identify guilds"
             }).toString();
 

src/main/typescript/api/controllers/VerificationController.ts

@@ -23,7 +23,7 @@ import Controller from "@framework/api/http/Controller";
 import type Request from "@framework/api/http/Request";
 import { Inject } from "@framework/container/Inject";
 import type VerificationService from "@main/automod/VerificationService";
-import { env } from "@main/env/env";
+import { getEnvData } from "@main/env/env";
 import { verificationEntries } from "@main/models/VerificationEntry";
 import type ConfigurationManager from "@main/services/ConfigurationManager";
 import { getAxiosClient } from "@main/utils/axios";
@@ -42,7 +42,7 @@ class VerificationController extends Controller {
             const response = await getAxiosClient().post(
                 "https://challenges.cloudflare.com/turnstile/v0/siteverify",
                 {
-                    secret: env.CF_TURNSTILE_SECRET,
+                    secret: getEnvData().CF_TURNSTILE_SECRET,
                     response: token,
                     remoteip: ip
                 }

src/main/typescript/automod/AIAutoModeration.ts

@@ -20,7 +20,7 @@
 import { Inject } from "@framework/container/Inject";
 import { Name } from "@framework/services/Name";
 import { Service } from "@framework/services/Service";
-import { env } from "@main/env/env";
+import { getEnvData } from "@main/env/env";
 import type { GuildConfig } from "@main/schemas/GuildConfigSchema";
 import type PermissionManagerService from "@main/services/PermissionManagerService";
 import { safeMemberFetch } from "@main/utils/fetch";
@@ -47,6 +47,8 @@ class AIAutoModeration extends Service {
     private counter = 0;
 
     private async analyzeComment(comment: string) {
+        const env = getEnvData();
+
         if (!env.PERSPECTIVE_API_TOKEN) {
             return null;
         }
@@ -143,7 +145,7 @@ class AIAutoModeration extends Service {
     }
 
     private async moderate(message: Message<true>, event: "create" | "update") {
-        if (!env.PERSPECTIVE_API_TOKEN) {
+        if (!getEnvData().PERSPECTIVE_API_TOKEN) {
             return null;
         }
 

src/main/typescript/automod/VerificationService.ts

@@ -25,7 +25,7 @@ import { Events } from "@framework/types/ClientEvents";
 import { BUG } from "@framework/utils/devflow";
 import { fetchChannel, fetchMember, fetchUser } from "@framework/utils/entities";
 import { Colors } from "@main/constants/Colors";
-import { env } from "@main/env/env";
+import { getEnvData } from "@main/env/env";
 import { verificationEntries, VerificationStatus } from "@main/models/VerificationEntry";
 import { VerificationMethod, verificationRecords } from "@main/models/VerificationRecord";
 import VerificationExpiredQueue from "@main/queues/VerificationExpiredQueue";
@@ -193,12 +193,12 @@ class VerificationService extends Service {
     }
 
     private getVerificationDomain() {
-        return env.FRONTEND_GUILD_MEMBER_VERIFICATION_URL ?? env.FRONTEND_URL;
+        return getEnvData().FRONTEND_GUILD_MEMBER_VERIFICATION_URL ?? getEnvData().FRONTEND_URL;
     }
 
     private getVerificationURL(guildId: string, memberId: string, token: string) {
         const domain = this.getVerificationDomain();
-        return `${domain}${domain === env.FRONTEND_URL ? "/verify" : ""}/guilds/${encodeURIComponent(guildId)}/challenge/onboarding?t=${encodeURIComponent(token)}&u=${encodeURIComponent(memberId)}`;
+        return `${domain}${domain === getEnvData().FRONTEND_URL ? "/verify" : ""}/guilds/${encodeURIComponent(guildId)}/challenge/onboarding?t=${encodeURIComponent(token)}&u=${encodeURIComponent(memberId)}`;
     }
 
     public async startVerification(member: GuildMember, reason: string, silent = false) {
@@ -208,6 +208,8 @@ class VerificationService extends Service {
             return;
         }
 
+        const env = getEnvData();
+
         await member.roles.add(config.unverified_roles, reason).catch(this.logger.error);
         await member.roles.remove(config.verified_roles, reason).catch(this.logger.error);
 
@@ -409,6 +411,7 @@ class VerificationService extends Service {
     }
 
     public async isProxy(ip: string) {
+        const env = getEnvData();
         const response = await getAxiosClient().get(
             `https://proxycheck.io/v2/${encodeURIComponent(ip)}?vpn=1&asn=1` +
                 (env.PROXYCHECKIO_API_KEY
@@ -439,11 +442,11 @@ class VerificationService extends Service {
     ) {
         try {
             const body = new URLSearchParams({
-                client_id: env.CLIENT_ID,
-                client_secret: env.CLIENT_SECRET,
+                client_id: getEnvData().CLIENT_ID,
+                client_secret: getEnvData().CLIENT_SECRET,
                 code: discordCode,
                 grant_type: "authorization_code",
-                redirect_uri: `${env.FRONTEND_GUILD_MEMBER_VERIFICATION_URL}/next/discord`,
+                redirect_uri: `${getEnvData().FRONTEND_GUILD_MEMBER_VERIFICATION_URL}/next/discord`,
                 scope: "identify guilds",
                 state: `${guildId}|${memberId}|${token}`
             }).toString();

src/main/typescript/commands/fun/CatCommand.ts

@@ -19,7 +19,7 @@
 
 import { Command } from "@framework/commands/Command";
 import type Context from "@framework/commands/Context";
-import { env } from "@main/env/env";
+import { getEnvData } from "@main/env/env";
 import { getAxiosClient } from "@main/utils/axios";
 import type { AxiosError } from "axios";
 
@@ -30,6 +30,7 @@ class CatCommand extends Command {
     public override readonly systemPermissions = [];
 
     public override async execute(context: Context): Promise<void> {
+        const env = getEnvData();
         const token = env.CAT_API_TOKEN;
 
         if (!token) {

src/main/typescript/commands/fun/DogCommand.ts

@@ -19,7 +19,7 @@
 
 import { Command } from "@framework/commands/Command";
 import type Context from "@framework/commands/Context";
-import { env } from "@main/env/env";
+import { getEnvData } from "@main/env/env";
 import { getAxiosClient } from "@main/utils/axios";
 import type { AxiosError } from "axios";
 
@@ -30,6 +30,7 @@ class DogCommand extends Command {
     public override readonly systemPermissions = [];
 
     public override async execute(context: Context): Promise<void> {
+        const env = getEnvData();
         const token = env.DOG_API_TOKEN;
 
         if (!token) {

src/main/typescript/commands/fun/JokeCommand.ts

@@ -20,7 +20,7 @@
 import type { Buildable } from "@framework/commands/Command";
 import { Command } from "@framework/commands/Command";
 import type Context from "@framework/commands/Context";
-import { env } from "@main/env/env";
+import { getEnvData } from "@main/env/env";
 import { getAxiosClient } from "@main/utils/axios";
 import { EmbedBuilder } from "discord.js";
 
@@ -52,6 +52,7 @@ class JokeCommand extends Command {
     }
 
     public override async execute(context: Context): Promise<void> {
+        const env = getEnvData();
         const isDadJoke =
             context.commandName === "dadjoke" ||
             (context.isChatInput() && context.options.getString("type") === "dad_joke");

src/main/typescript/commands/fun/PixabayCommand.ts

@@ -24,7 +24,7 @@ import StringArgument from "@framework/arguments/StringArgument";
 import type { Buildable } from "@framework/commands/Command";
 import { Command } from "@framework/commands/Command";
 import type Context from "@framework/commands/Context";
-import { env } from "@main/env/env";
+import { getEnvData } from "@main/env/env";
 import { getAxiosClient } from "@main/utils/axios";
 import { AxiosError } from "axios";
 
@@ -115,6 +115,7 @@ class PixabayCommand extends Command {
         context: Context,
         { query, type }: PixabayCommandArgs
     ): Promise<void> {
+        const env = getEnvData();
         type = context.isChatInput() ? (context.options.getSubcommand(true) as typeof type) : type;
 
         if (!["image", "photo", "vector", "illustration"].includes(type)) {

src/main/typescript/commands/settings/AboutCommand.ts

@@ -19,7 +19,7 @@
 
 import type { ChatContext } from "@framework/commands/Command";
 import { Command } from "@framework/commands/Command";
-import { env } from "@main/env/env";
+import { getEnvData } from "@main/env/env";
 import { ActionRowBuilder, ButtonBuilder, ButtonStyle } from "discord.js";
 import type { MetadataType } from "../../core/DiscordKernel";
 
@@ -29,6 +29,7 @@ class AboutCommand extends Command {
     public override readonly aliases = ["botinfo"];
 
     public override async execute(context: ChatContext) {
+        const env = getEnvData();
         const metadata = this.application.metadata as MetadataType;
         const avatar = this.application.getClient().user?.displayAvatarURL();
         const emoji = context.emoji("sudobot") || null;

src/main/typescript/commands/settings/RestartCommand.ts

@@ -22,6 +22,7 @@ import { Command } from "@framework/commands/Command";
 import type Context from "@framework/commands/Context";
 import { Inject } from "@framework/container/Inject";
 import { GatewayEventListener } from "@framework/events/GatewayEventListener";
+import { getEnvData } from "@main/env/env";
 import StartupManager from "@main/services/StartupManager";
 import { emoji } from "@main/utils/emoji";
 import {
@@ -135,10 +136,14 @@ class RestartCommand extends Command {
 
     public override async execute(context: Context): Promise<void> {
         if (
-            process.env.CREDENTIAL_SERVER &&
+            getEnvData().TWO_FACTOR_AUTH_URL &&
             (!context.isChatInput() || context.options.getString("credential_key"))
         ) {
-            await context.error("Please enter the credential server 2FA code to restart the bot!");
+            await context.error(
+                "Please enter the credential server 2FA code to restart the bot" +
+                    (context.isLegacy() ? " using the slash command" : "") +
+                    "!"
+            );
             return;
         }