fix: secure token persistence

[jroth1111]

Summary

• add securefile helpers for locked reads/writes and auth JSON encryption
• harden filestore/save paths and store writes using securefile
• add git-repo guard rails and sensitive JSON helpers

Motivation

• reduce risk of credential leakage with secure, atomic writes and encryption-at-rest
• make all auth stores consistent when reading/writing sensitive data

Testing

• go test ./internal/securefile

[gemini-code-assist]

Summary of Changes

Hello @jroth1111, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of token persistence by introducing a dedicated securefile package. This package centralizes robust file operations, including atomic writes, advisory locking, and encryption for authentication JSON files. These secure mechanisms are then systematically applied across all existing token storage implementations, ensuring that sensitive data is handled with greater care. Additionally, the changes include proactive warnings for users storing authentication data within Git repositories and automatic redaction of sensitive information from JSON logs, further reducing the risk of data exposure.

Highlights

• Secure File Operations: Introduced a new securefile package that provides atomic file writes, advisory file locking, and encryption capabilities for sensitive data.
• Authentication Data Encryption: Implemented encryption-at-rest for authentication JSON files, allowing secrets to be stored securely on disk using AES-256-GCM.
• Hardened File Permissions: Updated file and directory permissions to be more restrictive (e.g., 0600 for files, 0700 for directories) for sensitive data, enhancing security.
• Git Repository Guard Rails: Added checks to detect if the authentication directory (auth-dir) is located within a Git repository, logging warnings to prevent accidental exposure of sensitive token files.
• Sensitive JSON Masking in Logs: Implemented a utility to automatically mask common sensitive fields (e.g., tokens, secrets, passwords) within JSON request/response bodies before logging, preventing credentials from appearing in plain text in log files.
• Integration Across Token Stores: Integrated the new secure file operations and encryption features into GitTokenStore, ObjectTokenStore, PostgresStore, and FileTokenStore for consistent secure handling of authentication data.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request significantly improves the security of token persistence. It introduces a new securefile package that provides helpers for atomic file writes with locking, and encryption for authentication data. The file permissions for logs and other sensitive files have been hardened. The stores (gitstore, objectstore, postgresstore, filestore) have been updated to use these new secure helpers, which is a great improvement. Additionally, sensitive information is now masked in request logs, and a warning is issued if the authentication directory is located within a Git repository, preventing accidental credential exposure.

Overall, this is an excellent set of changes that hardens the application's security posture. I have one suggestion to improve the error handling logic when decoding authentication data from the PostgreSQL store.

[gemini-code-assist]

The current error handling for DecodeAuthJSON is a bit convoluted. If decryption fails, it logs a misleading message ("treating payload as raw json") and then relies on the subsequent json.Unmarshal to fail, which logs another error. This can make debugging more difficult.

A cleaner approach is to handle the decryption error directly and skip the record. This simplifies the logic, avoids double-logging, and provides a more accurate error message.

decoded, _, errDecode := securefile.DecodeAuthJSON(raw, securefile.CurrentAuthEncryption())
if errDecode != nil {
	log.WithError(errDecode).Warnf("postgres store: auth %s decode failed, skipping", id)
	continue
}
if err = json.Unmarshal(decoded, &metadata); err != nil {

[luispater]

This PR broke some management APIs and hidden functions (like the proxy_url and prefix in OAuth files), so I've closed it.

[jroth1111]

Rebased on upstream/main; management auth file handling now reads/decrypts secure auth JSON and preserves fields like proxy_url/prefix. Uploads re-secure files. @luispater could you reopen and re-review when you have a moment?

[jroth1111]

Opened a replacement PR: #673 (links back to #664). Improvements included:\n- Management auth endpoints now read/decrypt secure auth JSON so fields like proxy_url/prefix are preserved.\n- Auth file uploads are re-written via securefile to enforce encryption when enabled.\n- Log files are created with 0600 permissions.