Merge pull request #11540 from firefly-iii/release-1768662669

🤖 Automatically merge the PR into the develop branch.

.env.example

@@ -14,7 +14,15 @@ SITE_OWNER=mail@example.com
 # Change it to a string of exactly 32 chars or use something like `php artisan key:generate` to generate it.
 # If you use Docker or similar, you can set this variable from a file by using APP_KEY_FILE
 #
-# Avoid the "#" character in your APP_KEY, it may break things.
+# Try to avoid special characters like #, < and > in your app key. This string does not need full entropy
+# When in doubt, follow the link below and pick one.
+#
+# https://www.random.org/strings/?num=5&len=32&digits=on&upperalpha=on&loweralpha=on&unique=on&format=html&rnd=new
+#
+# If you are a fancy linux nerd like me, use this command:
+#
+# head /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32 && echo
+#
 #
 APP_KEY=SomeRandomStringOf32CharsExactly
 

app/Console/Commands/Correction/RestoresOAuthKeys.php

@@ -27,6 +27,7 @@ namespace FireflyIII\Console\Commands\Correction;
 use FireflyIII\Console\Commands\ShowsFriendlyMessages;
 use FireflyIII\Support\System\OAuthKeys;
 use Illuminate\Console\Command;
+use Illuminate\Support\Facades\Log;
 
 class RestoresOAuthKeys extends Command
 {
@@ -40,7 +41,9 @@ class RestoresOAuthKeys extends Command
      */
     public function handle(): int
     {
+        Log::debug('Restore OAuth Keys command.');
         $this->restoreOAuthKeys();
+        Log::debug('Done with OAuth Keys command.');
 
         return 0;
     }

app/Support/System/OAuthKeys.php

@@ -24,12 +24,12 @@ declare(strict_types=1);
 
 namespace FireflyIII\Support\System;
 
-use Illuminate\Support\Facades\Log;
 use FireflyIII\Exceptions\FireflyException;
 use FireflyIII\Support\Facades\FireflyConfig;
 use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Support\Facades\Artisan;
 use Illuminate\Support\Facades\Crypt;
+use Illuminate\Support\Facades\Log;
 use Laravel\Passport\Console\KeysCommand;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;
@@ -48,16 +48,27 @@ class OAuthKeys
 
     public static function generateKeys(): void
     {
+        Log::debug('Will now run generateKeys()');
         Artisan::registerCommand(new KeysCommand());
         Artisan::call('firefly-iii:laravel-passport-keys');
+        Log::debug('Done with generateKeys()');
     }
 
     public static function hasKeyFiles(): bool
     {
-        $private = storage_path('oauth-private.key');
-        $public  = storage_path('oauth-public.key');
+        Log::debug('hasKeyFiles()');
+        $private       = storage_path('oauth-private.key');
+        $public        = storage_path('oauth-public.key');
+        $privateExists = file_exists($private);
+        $publicExists  = file_exists($public);
 
-        return file_exists($private) && file_exists($public);
+        Log::debug(sprintf('Private key file at "%s" exists? %s', $private, var_export($privateExists, true)));
+        Log::debug(sprintf('Public key file at "%s" exists ? %s', $public, var_export($publicExists, true)));
+
+        $result        = file_exists($private) && file_exists($public);
+        Log::debug(sprintf('Method will return %s', var_export($result, true)));
+
+        return $result;
     }
 
     public static function keysInDatabase(): bool
@@ -65,17 +76,36 @@ class OAuthKeys
         $privateKey = '';
         $publicKey  = '';
         // better check if keys are in the database:
-        if (FireflyConfig::has(self::PRIVATE_KEY) && FireflyConfig::has(self::PUBLIC_KEY)) {
+        $hasPrivate = FireflyConfig::has(self::PRIVATE_KEY);
+        $hasPublic  = FireflyConfig::has(self::PUBLIC_KEY);
+
+        Log::debug(sprintf('keysInDatabase: hasPrivate:%s, hasPublic:%s', var_export($hasPrivate, true), var_export($hasPublic, true)));
+
+        if ($hasPrivate && $hasPublic) {
             try {
-                $privateKey = (string)FireflyConfig::get(self::PRIVATE_KEY)?->data;
-                $publicKey  = (string)FireflyConfig::get(self::PUBLIC_KEY)?->data;
+                $privateKey = trim((string)FireflyConfig::get(self::PRIVATE_KEY)?->data);
+                $publicKey  = trim((string)FireflyConfig::get(self::PUBLIC_KEY)?->data);
             } catch (ContainerExceptionInterface|FireflyException|NotFoundExceptionInterface $e) {
                 Log::error(sprintf('Could not validate keysInDatabase(): %s', $e->getMessage()));
                 Log::error($e->getTraceAsString());
             }
         }
+        if ('' === $privateKey) {
+            Log::warning('Private key in DB is unexpectedly an empty string.');
+        }
+        if ('' === $publicKey) {
+            Log::warning('Public key in DB is unexpectedly an empty string.');
+        }
+        if ('' !== $privateKey) {
+            Log::debug(sprintf('SHA2 hash of private key in DB: %s', hash('sha256', $privateKey)));
+        }
+        if ('' !== $publicKey) {
+            Log::debug(sprintf('SHA2 hash of public key in DB : %s', hash('sha256', $publicKey)));
+        }
+        $return     = '' !== $privateKey && '' !== $publicKey;
+        Log::debug(sprintf('keysInDatabase will return %s', var_export($return, true)));
 
-        return '' !== $privateKey && '' !== $publicKey;
+        return $return;
     }
 
     /**
@@ -86,12 +116,20 @@ class OAuthKeys
      */
     public static function restoreKeysFromDB(): bool
     {
+        Log::debug('restoreKeysFromDB()');
         $privateKey = (string)FireflyConfig::get(self::PRIVATE_KEY)?->data;
         $publicKey  = (string)FireflyConfig::get(self::PUBLIC_KEY)?->data;
 
+        if ('' === $privateKey) {
+            Log::warning('Private key is not in the database.');
+        }
+        if ('' === $publicKey) {
+            Log::warning('Public key is not in the database.');
+        }
+
         try {
-            $privateContent = Crypt::decrypt($privateKey);
-            $publicContent  = Crypt::decrypt($publicKey);
+            $privateContent = trim(Crypt::decrypt($privateKey));
+            $publicContent  = trim(Crypt::decrypt($publicKey));
         } catch (DecryptException $e) {
             Log::error('Could not decrypt pub/private keypair.');
             Log::error($e->getMessage());
@@ -99,6 +137,7 @@ class OAuthKeys
             // delete config vars from DB:
             FireflyConfig::delete(self::PRIVATE_KEY);
             FireflyConfig::delete(self::PUBLIC_KEY);
+            Log::debug('Done with generateKeysFromDB(), return FALSE');
 
             return false;
         }
@@ -107,15 +146,24 @@ class OAuthKeys
         file_put_contents($private, $privateContent);
         file_put_contents($public, $publicContent);
 
+        Log::debug(sprintf('Will store private key with hash "%s" in file "%s"', hash('sha256', $privateContent), $private));
+        Log::debug(sprintf('Will store public key with hash "%s" in file "%s"', hash('sha256', $publicContent), $public));
+        Log::debug('Done with generateKeysFromDB()');
+
         return true;
     }
 
     public static function storeKeysInDB(): void
     {
-        $private = storage_path('oauth-private.key');
-        $public  = storage_path('oauth-public.key');
-        FireflyConfig::set(self::PRIVATE_KEY, Crypt::encrypt(file_get_contents($private)));
-        FireflyConfig::set(self::PUBLIC_KEY, Crypt::encrypt(file_get_contents($public)));
+        $private        = storage_path('oauth-private.key');
+        $public         = storage_path('oauth-public.key');
+        $privateContent = file_get_contents($private);
+        $publicContent  = file_get_contents($public);
+        FireflyConfig::set(self::PRIVATE_KEY, Crypt::encrypt($privateContent));
+        FireflyConfig::set(self::PUBLIC_KEY, Crypt::encrypt($publicContent));
+
+        Log::debug(sprintf('Will store the content of file "%s" as "%s" in the database (hash: %s)', $private, self::PRIVATE_KEY, hash('sha256', $privateContent)));
+        Log::debug(sprintf('Will store the content of file "%s" as "%s" in the database (hash: %s)', $public, self::PUBLIC_KEY, hash('sha256', $publicContent)));
     }
 
     public static function verifyKeysRoutine(): void

changelog.md

@@ -12,7 +12,6 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - [Discussion 11431](https://github.com/orgs/firefly-iii/discussions/11431) (Settings don't get saved) started by @PVTejas
 - [Issue 11473](https://github.com/firefly-iii/firefly-iii/issues/11473) (Searching transaction with two tags_contains returns results matching only one of those) reported by @F-DXI
 - [Issue 11474](https://github.com/firefly-iii/firefly-iii/issues/11474) (Potential error in sub total computation for group in subscription) reported by @ma-clog
-- [Discussion 11475](https://github.com/orgs/firefly-iii/discussions/11475) (Potential error in sub total computation for group in subscription) started by @ma-clog
 - [Issue 11479](https://github.com/firefly-iii/firefly-iii/issues/11479) (Editing a user profile as admin without setting a new password causes a 500 Internal server error) reported by @watertrainer
 - [Issue 11501](https://github.com/firefly-iii/firefly-iii/issues/11501) (Schema of /api/v1/available-budgets different from spec) reported by @RadCod3
 - [Issue 11502](https://github.com/firefly-iii/firefly-iii/issues/11502) (Visual bug - Transaction notes' markdown doesn't properly render code blocks in dark mode) reported by @AyluinReymaer

config/firefly.php

@@ -79,7 +79,7 @@ return [
         // see cer.php for exchange rates feature flag.
     ],
     'version'                              => 'develop/2026-01-17',
-    'build_time'                           => 1768630588,
+    'build_time'                           => 1768662564,
     'api_version'                          => '2.1.0', // field is no longer used.
     'db_version'                           => 28, // field is no longer used.