improve security

fractal-analytics-platform · Feb 4, 2025 · c644bdf · c644bdf
1 parent f18111b
commit c644bdf
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 7 deletions.
diff --git a/fractal_server/app/security/signup_email.py b/fractal_server/app/security/signup_email.py
@@ -2,6 +2,8 @@
 from email.message import EmailMessage
 from email.utils import formataddr
 
+from cryptography.fernet import Fernet
+
 from fractal_server.config import MailSettings
 
 
@@ -29,9 +31,12 @@ def mail_new_oauth_signup(msg: str, mail_settings: MailSettings):
             server.starttls()
             server.ehlo()
         if mail_settings.use_login:
-            server.login(
-                user=mail_settings.sender, password=mail_settings.password
+            password = (
+                Fernet(mail_settings.encryption_key)
+                .decrypt(mail_settings.encrypted_password)
+                .decode("utf-8")
             )
+            server.login(user=mail_settings.sender, password=password)
         server.sendmail(
             from_addr=mail_settings.sender,
             to_addrs=mail_settings.recipients,

diff --git a/fractal_server/config.py b/fractal_server/config.py
@@ -54,7 +54,8 @@ class MailSettings(BaseModel):
     recipients: list[EmailStr] = Field(min_items=1)
     smtp_server: str
     port: int
-    password: str
+    encrypted_password: str
+    encryption_key: str
     instance_name: str
     use_starttls: bool
     use_login: bool
@@ -645,7 +646,7 @@ def assert_key(key: str):
                     )
                 else:
                     try:
-                        decryped_password = (
+                        (
                             Fernet(email_values["FRACTAL_EMAIL_PASSWORD_KEY"])
                             .decrypt(email_values["FRACTAL_EMAIL_PASSWORD"])
                             .decode("utf-8")
@@ -660,15 +661,14 @@ def assert_key(key: str):
                             "Invalid FRACTAL_EMAIL_PASSWORD_KEY. "
                             f"Original error: '{e}'."
                         )
-            else:
-                decryped_password = None
 
             values["FRACTAL_EMAIL_SETTINGS"] = MailSettings(
                 sender=email_values["FRACTAL_EMAIL_SENDER"],
                 recipients=email_values["FRACTAL_EMAIL_RECIPIENTS"].split(","),
                 smtp_server=email_values["FRACTAL_EMAIL_SMTP_SERVER"],
                 port=email_values["FRACTAL_EMAIL_SMTP_PORT"],
-                password=decryped_password,
+                encrypted_password=email_values.get("FRACTAL_EMAIL_PASSWORD"),
+                encryption_key=email_values.get("FRACTAL_EMAIL_PASSWORD_KEY"),
                 instance_name=email_values["FRACTAL_EMAIL_INSTANCE_NAME"],
                 use_starttls=email_values.get(
                     "FRACTAL_EMAIL_USE_STARTTLS", True