add validate callback loading state and encryption

server/lib/config.ts

@@ -92,7 +92,18 @@ const configSchema = z.object({
             })
             .optional(),
         trust_proxy: z.boolean().optional().default(true),
-        secret: z.string()
+        secret: z
+            .string()
+            .optional()
+            .transform(getEnvOrYaml("SERVER_SECRET"))
+            .pipe(
+                z
+                    .string()
+                    .min(
+                        32,
+                        "SERVER_SECRET must be at least 32 characters long"
+                    )
+            )
     }),
     traefik: z.object({
         http_entrypoint: z.string(),

server/lib/crypto.ts

@@ -0,0 +1,37 @@
+import * as crypto from "crypto";
+
+const ALGORITHM = "aes-256-gcm";
+
+export function encrypt(value: string, key: string): string {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+
+    const encrypted = Buffer.concat([
+        cipher.update(value, "utf8"),
+        cipher.final()
+    ]);
+    const authTag = cipher.getAuthTag();
+
+    return [
+        iv.toString("base64"),
+        encrypted.toString("base64"),
+        authTag.toString("base64")
+    ].join(":");
+}
+
+export function decrypt(encryptedValue: string, key: string): string {
+    const [ivB64, encryptedB64, authTagB64] = encryptedValue.split(":");
+
+    const iv = Buffer.from(ivB64, "base64");
+    const encrypted = Buffer.from(encryptedB64, "base64");
+    const authTag = Buffer.from(authTagB64, "base64");
+
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+
+    const decrypted = Buffer.concat([
+        decipher.update(encrypted),
+        decipher.final()
+    ]);
+    return decrypted.toString("utf8");
+}