Security: OAuth credentials stored in plaintext JSON #112

New Issue

Closed

opened 2026-06-06 11:50:08 +00:00 by jmiller · 1 comment

jmiller commented 2026-06-06 11:50:08 +00:00

Owner

Copy Link

Copy Source

Audit Finding

Severity: Medium

Issue:
OAuth access tokens, refresh tokens, API keys, and secrets are stored as plaintext JSON in the credentials column. CLAUDE.md states credentials should use Joomla's encrypted params, but the implementation uses json_encode() without encryption.

Fix: Encrypt credentials JSON before storing using sodium_crypto_secretbox() and decrypt on read.

Files: OAuthHelper.php, ServiceModel.php

## Audit Finding **Severity:** Medium **Issue:** OAuth access tokens, refresh tokens, API keys, and secrets are stored as plaintext JSON in the `credentials` column. CLAUDE.md states credentials should use Joomla's encrypted params, but the implementation uses `json_encode()` without encryption. **Fix:** Encrypt credentials JSON before storing using `sodium_crypto_secretbox()` and decrypt on read. **Files:** `OAuthHelper.php`, `ServiceModel.php`

jmiller commented 2026-06-06 11:50:10 +00:00

Author

Owner

Copy Link

Copy Source

Branch created: feature/112-security-oauth-credentials-stored-in-pla

git fetch origin
git checkout feature/112-security-oauth-credentials-stored-in-pla

Branch created: [`feature/112-security-oauth-credentials-stored-in-pla`](https://git.mokoconsulting.tech/MokoConsulting/MokoJoomCross/src/branch/feature/112-security-oauth-credentials-stored-in-pla) ```bash git fetch origin git checkout feature/112-security-oauth-credentials-stored-in-pla ```

jmiller referenced this issue from a commit 2026-06-06 14:33:22 +00:00

security: fix 9 security and critical bugs (#107-#115, #120)

jmiller closed this issue 2026-06-06 14:35:10 +00:00

Sign in to join this conversation.

Labels

Clear labels

bug

Something is not working

chore

Maintenance and housekeeping

documentation

Documentation improvements

enhancement

Improvement to existing functionality

feature

New feature or request

pending: dependency

Blocked by another issue or external dependency

pending: deployment

Tested and approved, awaiting deployment to production

pending: design

Needs UI/UX or architecture design before implementation

pending: documentation

Feature works, needs documentation/wiki update

pending: feedback

Awaiting feedback or decision from stakeholder

pending: review

Implementation complete, awaiting code review

pending: testing

Feature implemented but not yet tested

refactor

Code restructuring without behavior change

roadmap

Planned feature or enhancement tracked on the roadmap

scope: client

Client-specific work

scope: dolibarr

Dolibarr modules and customizations

scope: infrastructure

Server, CI, backups, monitoring

scope: joomla

Joomla templates and extensions

scope: waas

MokoWaaS platform

security

Security vulnerability or hardening

No labels

Priority -

Type —

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoJoomCross#112