southseact-3d/shopify-ai-backup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7e5dc8b62d5b638acbf4c1749b41ffd38c2115d7
shopify-ai-backup/chat/DATABASE_IMPLEMENTATION.md
copilot-swe-agent[bot] 650d849ad2 Implement Phase 1.2: Database with encryption at rest and core infrastructure 
Co-authored-by: southseact-3d <217551146+southseact-3d@users.noreply.github.com>
2026-02-09 19:33:00 +00:00

7.2 KiB
Raw Blame History

Secure Database Implementation (Phases 1.2 & 1.3)

This implementation adds database encryption at rest and secure session management with token revocation to the Shopify AI App Builder.

Features

Phase 1.2: Database with Encryption at Rest

  • SQLite database with better-sqlite3
  • Field-level AES-256-GCM encryption for sensitive data
  • PBKDF2 key derivation (100,000 iterations)
  • WAL mode for better concurrency
  • Comprehensive audit logging
  • Backward compatibility with JSON files
  • Zero-downtime migration support

Phase 1.3: Session Revocation and Token Management

  • JWT access tokens (15-minute TTL)
  • Refresh tokens (7-day TTL) with rotation
  • Device fingerprinting for security
  • Token blacklist for immediate revocation
  • Session management (list, revoke individual, revoke all)
  • Audit logging for all authentication events

Architecture

Database Schema

  • users: User accounts with encrypted email, name, 2FA secrets
  • sessions: Active sessions for revocation
  • refresh_tokens: Refresh tokens with device fingerprinting
  • token_blacklist: Immediate token revocation
  • affiliates, withdrawals, feature_requests, contact_messages
  • audit_log: Comprehensive security event logging
  • payment_sessions: DoDo payment tracking

Encryption

  • Algorithm: AES-256-GCM with authenticated encryption
  • Key Derivation: PBKDF2 with 100,000 iterations
  • Per-field: Sensitive fields encrypted individually
  • Token Storage: PBKDF2 hashed (not encrypted) for secure comparison

Token Management

  • Access Token: JWT with 15-minute expiration
  • Refresh Token: 128-byte random token, hashed with PBKDF2
  • Device Fingerprint: SHA-256 hash of user agent, IP, language
  • Token Rotation: New refresh token issued on every use
  • Blacklist: Immediate revocation via token blacklist

Container Deployment

The database is automatically initialized when the container starts:

  1. First deployment: Database and encryption keys are automatically generated
  2. Subsequent deployments: Uses existing database and keys
  3. JSON fallback: Set USE_JSON_DATABASE=1 to use legacy JSON files

Environment Variables

Required:

DATABASE_ENCRYPTION_KEY=<64-character-hex-string>  # Generate with: openssl rand -hex 32
JWT_SECRET=<64-character-hex-string>              # Generate with: openssl rand -hex 32

Optional:

USE_JSON_DATABASE=1              # Use JSON files instead of database (for rollback)
DATABASE_PATH=./.data/shopify_ai.db
DATABASE_BACKUP_ENABLED=1
DATABASE_WAL_MODE=1
JWT_ACCESS_TOKEN_TTL=900         # 15 minutes in seconds
JWT_REFRESH_TOKEN_TTL=604800     # 7 days in seconds

Automatic Setup

On container startup, the entrypoint script automatically:

  1. Checks if database exists
  2. Generates encryption keys if not provided (and saves them)
  3. Runs database setup if needed
  4. Notifies about migration if JSON files exist

Manual Operations

Initial Setup

# Inside the container or locally
cd /opt/webchat
node scripts/setup-database.js

Migration from JSON

# Migrate existing JSON data to database
cd /opt/webchat
node scripts/migrate-to-database.js

# This will:
# - Create a backup of JSON files
# - Migrate users, sessions, affiliates
# - Report success/failure counts

Rollback to JSON

# Set environment variable
export USE_JSON_DATABASE=1

# Restart the service
# The system will automatically use JSON files

Security Features

Encryption at Rest

  • Database-level: SQLite with WAL mode
  • Field-level: AES-256-GCM for sensitive fields
  • Key management: PBKDF2 key derivation
  • Token storage: PBKDF2 hashed (not reversible)

Session Security

  • Short-lived tokens: 15-minute access tokens
  • Token rotation: New refresh token on every use
  • Device binding: Tokens bound to device fingerprint
  • Theft detection: Automatic revocation on fingerprint mismatch
  • Immediate revocation: Token blacklist for instant logout

Audit Trail

  • All logins/logouts logged
  • Token refresh events logged
  • Session revocations logged
  • Data access logged
  • IP address and user agent captured

Testing

Verify Database Setup

# Check database exists and tables are created
sqlite3 ./.data/shopify_ai.db ".tables"

# Should output:
# affiliates         payment_sessions   token_blacklist
# audit_log          refresh_tokens     users
# contact_messages   sessions           withdrawals
# feature_requests

Test Encryption

# Run setup (includes encryption test)
node scripts/setup-database.js

Test Migration

# With test data
node scripts/migrate-to-database.js

Monitoring

Database Health

  • Check file size: ls -lh ./.data/shopify_ai.db
  • Check WAL mode: sqlite3 ./.data/shopify_ai.db "PRAGMA journal_mode;"
  • Check tables: sqlite3 ./.data/shopify_ai.db ".tables"

Audit Logs

Audit logs are stored in the audit_log table and include:

  • User authentication events (login, logout, refresh)
  • Session management (create, revoke)
  • Token events (blacklist, rotation)
  • IP addresses and user agents

Files Created

chat/
├── src/
│   ├── database/
│   │   ├── connection.js       # Database connection
│   │   ├── schema.sql          # Database schema
│   │   └── compat.js           # Backward compatibility
│   ├── repositories/
│   │   ├── userRepository.js   # User data access
│   │   ├── sessionRepository.js # Session data access
│   │   ├── auditRepository.js  # Audit logging
│   │   └── index.js            # Repository exports
│   └── utils/
│       ├── encryption.js       # Field-level encryption
│       └── tokenManager.js     # JWT + refresh tokens
├── scripts/
│   ├── setup-database.js       # Initial schema setup
│   ├── migrate-to-database.js  # Data migration
│   └── init-database.js        # Auto-initialization
└── .data/
    ├── shopify_ai.db           # Encrypted SQLite database
    ├── shopify_ai.db-wal       # Write-ahead log
    ├── .encryption_key         # Generated encryption key (if auto-generated)
    ├── .jwt_secret             # Generated JWT secret (if auto-generated)
    └── migration_backup_*/     # Backup directories

Success Criteria

  • All data stored in encrypted database
  • Sessions can be revoked individually and globally
  • Token rotation working correctly
  • Device fingerprinting detecting mismatches
  • Rollback tested and working (JSON mode)
  • Audit logging capturing all security events
  • Automatic setup on container deployment

Next Steps

  1. Database encryption at rest implemented
  2. Session revocation and token management implemented
  3. Backward compatibility layer implemented
  4. Migration scripts created
  5. Container auto-initialization implemented
  6. Integration with existing server.js (Phase 2)
  7. New auth endpoints (Phase 3)
  8. Testing and validation (Phase 4)

Support

For issues or questions:

  1. Check logs: docker logs <container-id>
  2. Verify environment variables are set correctly
  3. Check database file permissions
  4. Review audit logs in database
Reference in New Issue View Git Blame Copy Permalink