cauldron/cauldron/crypto.py

"""Fernet wrapper for at-rest encryption of per-user secrets (Mealie tokens).

The Fernet master key lives in env (CAULDRON_FERNET_KEY) and never on disk
in the cauldron container itself — it's bind-mounted in via the env_file.
Rotating it requires re-encrypting every cauldron_user_mealie_tokens row;
not implemented yet (would need a rotation flow with old + new key).
"""
from cryptography.fernet import Fernet, InvalidToken


class TokenCrypto:
    def __init__(self, master_key: str):
        # Fernet expects bytes; ours is a 44-char urlsafe-b64 string in env
        self.f = Fernet(master_key.encode() if isinstance(master_key, str) else master_key)

    def encrypt(self, plaintext: str) -> bytes:
        return self.f.encrypt(plaintext.encode("utf-8"))

    def decrypt(self, blob: bytes) -> str:
        try:
            return self.f.decrypt(blob).decode("utf-8")
        except InvalidToken as e:
            raise RuntimeError("fernet decrypt failed (bad key or corrupted blob)") from e