southseact-3d/shopify-ai-backup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d3580b091a35ff74d113cbb8a5f4b8fd996733e4
shopify-ai-backup/chat/DATABASE_IMPLEMENTATION.md
southseact-3d cb95a916ae Add database migration scripts and configuration files 
- Add verify-migration.js script for testing database migrations
- Add database config module for centralized configuration
- Add chutes.txt prompt for system responses
- Update database implementation and testing documentation
- Add database migration and setup scripts
- Update session system and LLM tool configuration
- Update deployment checklist and environment example
- Update Dockerfile and docker-compose configuration
2026-02-20 12:38:43 +00:00

236 lines
7.6 KiB
Markdown
Raw Blame History

# Secure Database Implementation (Phases 1.2 & 1.3)
This implementation adds database encryption at rest and secure session management with token revocation to the Shopify AI App Builder.
## Features
### Phase 1.2: Database with Encryption at Rest
- ✅ SQLCipher-encrypted SQLite database with better-sqlite3
- ✅ Field-level AES-256-GCM encryption for sensitive data
- ✅ PBKDF2 key derivation (100,000 iterations)
- ✅ WAL mode for better concurrency
- ✅ Comprehensive audit logging
- ✅ Backward compatibility with JSON files
- ✅ Zero-downtime migration support
### Phase 1.3: Session Revocation and Token Management
- ✅ JWT access tokens (15-minute TTL)
- ✅ Refresh tokens (7-day TTL) with rotation
- ✅ Device fingerprinting for security
- ✅ Token blacklist for immediate revocation
- ✅ Session management (list, revoke individual, revoke all)
- ✅ Audit logging for all authentication events
## Architecture
### Database Schema
- **users**: User accounts with encrypted email, name, 2FA secrets + JSON data column
- **sessions**: Active sessions for revocation
- **refresh_tokens**: Refresh tokens with device fingerprinting
- **token_blacklist**: Immediate token revocation
- **affiliate_accounts** (current app), **affiliates** (legacy), **withdrawals**, **feature_requests**, **contact_messages**
- **audit_log**: Comprehensive security event logging
- **payment_sessions**: DoDo payment tracking
### Encryption
- **Database**: SQLCipher encryption at rest
- **Algorithm**: AES-256-GCM with authenticated encryption (field-level)
- **Key Derivation**: PBKDF2 with 100,000 iterations
- **Per-field**: Sensitive fields encrypted individually
- **Token Storage**: PBKDF2 hashed (not encrypted) for secure comparison
### Token Management
- **Access Token**: JWT with 15-minute expiration
- **Refresh Token**: 128-byte random token, hashed with PBKDF2
- **Device Fingerprint**: SHA-256 hash of user agent, IP, language
- **Token Rotation**: New refresh token issued on every use
- **Blacklist**: Immediate revocation via token blacklist
## Container Deployment
The database is automatically initialized when the container starts:
1. **First deployment**: Database and encryption keys are automatically generated
2. **Subsequent deployments**: Uses existing database and keys
3. **JSON fallback**: Set `USE_JSON_DATABASE=1` to use legacy JSON files
### Environment Variables
Required:
```bash
DATABASE_ENCRYPTION_KEY=<64-character-hex-string> # Generate with: openssl rand -hex 32
JWT_SECRET=<64-character-hex-string> # Generate with: openssl rand -hex 32
```
Optional:
```bash
USE_JSON_DATABASE=1 # Use JSON files instead of database (for rollback)
DATABASE_PATH=./.data/shopify_ai.db
DATABASE_KEY_FILE=./.data/.encryption_key
DATABASE_BACKUP_ENABLED=1
DATABASE_WAL_MODE=1
DATABASE_USE_SQLCIPHER=1
DATABASE_CIPHER_COMPAT=4
DATABASE_KDF_ITER=64000
JWT_ACCESS_TOKEN_TTL=900 # 15 minutes in seconds
JWT_REFRESH_TOKEN_TTL=604800 # 7 days in seconds
```
### Automatic Setup
On container startup, the entrypoint script automatically:
1. Checks if database exists
2. Generates encryption keys if not provided (and saves them)
3. Runs database setup if needed
4. Notifies about migration if JSON files exist
## Manual Operations
### Initial Setup
```bash
# Inside the container or locally
cd /opt/webchat
node scripts/setup-database.js
```
### Migration from JSON
```bash
# Migrate existing JSON data to database
cd /opt/webchat
node scripts/migrate-to-database.js
# This will:
# - Create a backup of JSON files
# - Migrate users, sessions, affiliates
# - Report success/failure counts
```
### Rollback to JSON
```bash
# Set environment variable
export USE_JSON_DATABASE=1
# Restart the service
# The system will automatically use JSON files
```
## Security Features
### Encryption at Rest
- Database-level: SQLite with WAL mode
- Field-level: AES-256-GCM for sensitive fields
- Key management: PBKDF2 key derivation
- Token storage: PBKDF2 hashed (not reversible)
### Session Security
- Short-lived tokens: 15-minute access tokens
- Token rotation: New refresh token on every use
- Device binding: Tokens bound to device fingerprint
- Theft detection: Automatic revocation on fingerprint mismatch
- Immediate revocation: Token blacklist for instant logout
### Audit Trail
- All logins/logouts logged
- Token refresh events logged
- Session revocations logged
- Data access logged
- IP address and user agent captured
## Testing
### Verify Database Setup
```bash
# Check database exists and tables are created (SQLCipher)
sqlcipher ./.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; .tables"
# Should output:
# affiliate_accounts payment_sessions token_blacklist
# affiliates refresh_tokens users
# audit_log sessions withdrawals
# contact_messages feature_requests
```
### Test Encryption
```bash
# Run setup (includes encryption test)
node scripts/setup-database.js
```
### Test Migration
```bash
# With test data
node scripts/migrate-to-database.js
```
## Monitoring
### Database Health
- Check file size: `ls -lh ./.data/shopify_ai.db`
- Check WAL mode: `sqlcipher ./.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; PRAGMA journal_mode;"`
- Check tables: `sqlcipher ./.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; .tables"`
### Audit Logs
Audit logs are stored in the `audit_log` table and include:
- User authentication events (login, logout, refresh)
- Session management (create, revoke)
- Token events (blacklist, rotation)
- IP addresses and user agents
## Files Created
```
chat/
├── src/
│ ├── database/
│ │ ├── connection.js # Database connection
│ │ ├── schema.sql # Database schema
│ │ └── compat.js # Backward compatibility
│ ├── repositories/
│ │ ├── userRepository.js # User data access
│ │ ├── sessionRepository.js # Session data access
│ │ ├── auditRepository.js # Audit logging
│ │ └── index.js # Repository exports
│ └── utils/
│ ├── encryption.js # Field-level encryption
│ └── tokenManager.js # JWT + refresh tokens
├── scripts/
│ ├── setup-database.js # Initial schema setup
│ ├── migrate-to-database.js # Data migration
│ └── init-database.js # Auto-initialization
└── .data/
├── shopify_ai.db # Encrypted SQLite database
├── shopify_ai.db-wal # Write-ahead log
├── .encryption_key # Generated encryption key (if auto-generated)
├── .jwt_secret # Generated JWT secret (if auto-generated)
└── migration_backup_*/ # Backup directories
```
## Success Criteria
- ✅ All data stored in encrypted database
- ✅ Sessions can be revoked individually and globally
- ✅ Token rotation working correctly
- ✅ Device fingerprinting detecting mismatches
- ✅ Rollback tested and working (JSON mode)
- ✅ Audit logging capturing all security events
- ✅ Automatic setup on container deployment
## Next Steps
1. ✅ Database encryption at rest implemented
2. ✅ Session revocation and token management implemented
3. ✅ Backward compatibility layer implemented
4. ✅ Migration scripts created
5. ✅ Container auto-initialization implemented
6. ⏳ Integration with existing server.js (Phase 2)
7. ⏳ New auth endpoints (Phase 3)
8. ⏳ Testing and validation (Phase 4)
## Support
For issues or questions:
1. Check logs: `docker logs <container-id>`
2. Verify environment variables are set correctly
3. Check database file permissions
4. Review audit logs in database
Reference in New Issue View Git Blame Copy Permalink