flownative
diff --git a/‎Classes/Authorization.php
+57-7 b/‎Classes/Authorization.php
+57-7
diff --git a/‎Classes/Command/OAuthCommandController.php
+28-1 b/‎Classes/Command/OAuthCommandController.php
+28-1
diff --git a/‎Classes/EncryptionService.php
+104 b/‎Classes/EncryptionService.php
+104
diff --git a/‎Configuration/Settings.yaml
+7 b/‎Configuration/Settings.yaml
+7
diff --git a/‎Migrations/Mysql/Version20201109140652.php
+45 b/‎Migrations/Mysql/Version20201109140652.php
+45
@@ -15,6 +15,7 @@
 
 use Doctrine\ORM\Mapping as ORM;
 use Exception;
+use InvalidArgumentException;
 use JsonException;
 use League\OAuth2\Client\Token\AccessToken;
 use League\OAuth2\Client\Token\AccessTokenInterface;
@@ -70,6 +71,17 @@ class Authorization
      */
     protected $serializedAccessToken;
 
+    /**
+     * @var string
+     * @ORM\Column(nullable = true, type = "text")
+     */
+    protected $encryptedSerializedAccessToken;
+
+    /**
+     * @var EncryptionService
+     */
+    protected $encryptionService;
+
     /**
      * @param string $authorizationId
      * @param string $serviceName
@@ -86,6 +98,14 @@ public function __construct(string $authorizationId, string $serviceName, string
         $this->scope = $scope;
     }
 
+    /**
+     * @param EncryptionService $encryptionService
+     */
+    public function injectEncryptionService(EncryptionService $encryptionService): void
+    {
+        $this->encryptionService = $encryptionService;
+    }
+
     /**
      * Calculate an authorization identifier (for this model) from the given parameters.
      *
@@ -99,7 +119,7 @@ public static function generateAuthorizationIdForAuthorizationCodeGrant(string $
     {
         try {
             return $serviceType . '-' . $serviceName . '-' . Uuid::uuid4()->toString();
-        // @codeCoverageIgnoreStart
+            // @codeCoverageIgnoreStart
         } catch (Exception $e) {
             throw new OAuthClientException(sprintf('Failed generating authorization id for %s %s', $serviceName, $clientId), 1597311416, $e);
         }
@@ -185,18 +205,38 @@ public function setSerializedAccessToken(string $serializedAccessToken): void
         $this->serializedAccessToken = $serializedAccessToken;
     }
 
+    /**
+     * @return string
+     */
+    public function getEncryptedSerializedAccessToken(): string
+    {
+        return $this->encryptedSerializedAccessToken ?? '';
+    }
+
+    /**
+     * @param string $encryptedSerializedAccessToken
+     */
+    public function setEncryptedSerializedAccessToken(string $encryptedSerializedAccessToken): void
+    {
+        $this->encryptedSerializedAccessToken = $encryptedSerializedAccessToken;
+    }
+
     /**
      * @param AccessTokenInterface $accessToken
      * @return void
-     * @throws \InvalidArgumentException
+     * @throws InvalidArgumentException
      */
     public function setAccessToken(AccessTokenInterface $accessToken): void
     {
         try {
-            $this->serializedAccessToken = json_encode($accessToken, JSON_THROW_ON_ERROR, 512);
+            if ($this->encryptionService !== null && $this->encryptionService->isConfigured()) {
+                $this->encryptedSerializedAccessToken = $this->encryptionService->encryptAndEncode(json_encode($accessToken, JSON_THROW_ON_ERROR, 512));
+            } else {
+                $this->serializedAccessToken = json_encode($accessToken, JSON_THROW_ON_ERROR, 512);
+            }
             // @codeCoverageIgnoreStart
-        } catch (JsonException $e) {
-            throw new \InvalidArgumentException('Failed serializing the given access token', 1602515717);
+        } catch (JsonException | Exception $e) {
+            throw new InvalidArgumentException('Failed serializing the given access token', 1602515717, $e);
             // @codeCoverageIgnoreEnd
         }
     }
@@ -206,10 +246,20 @@ public function setAccessToken(AccessTokenInterface $accessToken): void
      */
     public function getAccessToken(): ?AccessToken
     {
+        if (empty($this->serializedAccessToken) && empty($this->encryptedSerializedAccessToken)) {
+            return null;
+        }
+        if (!empty($this->encryptedSerializedAccessToken) && !$this->encryptionService->isConfigured()) {
+            return null;
+        }
         try {
+            if (!empty($this->encryptedSerializedAccessToken)) {
+                $deserializedAccessToken = json_decode($this->encryptionService->decodeAndDecrypt($this->encryptedSerializedAccessToken), true, 512, JSON_THROW_ON_ERROR);
+                return new AccessToken($deserializedAccessToken);
+            }
             if (!empty($this->serializedAccessToken)) {
-                $unserializedAccessToken = json_decode($this->serializedAccessToken, true, 512, JSON_THROW_ON_ERROR);
-                return new AccessToken($unserializedAccessToken);
+                $deserializedAccessToken = json_decode($this->serializedAccessToken, true, 512, JSON_THROW_ON_ERROR);
+                return new AccessToken($deserializedAccessToken);
             }
         } catch (JsonException $e) {
         }
 
@@ -4,7 +4,9 @@
 use Doctrine\ORM\EntityManagerInterface as DoctrineEntityManagerInterface;
 use Doctrine\ORM\OptimisticLockException;
 use Doctrine\ORM\ORMException;
+use Exception;
 use Flownative\OAuth2\Client\Authorization;
+use Flownative\OAuth2\Client\EncryptionService;
 use Neos\Flow\Cli\CommandController;
 use Neos\Flow\Persistence\Doctrine\Query;
 
@@ -47,6 +49,7 @@ public function listAuthorizationsCommand(): void
 
             $rows[] = [
                 $authorization->getAuthorizationId(),
+                empty($authorization->getEncryptedSerializedAccessToken()) ? 'no' : 'yes',
                 $authorization->getServiceName(),
                 $authorization->getClientId(),
                 $authorization->getGrantType(),
@@ -55,7 +58,7 @@ public function listAuthorizationsCommand(): void
                 $values
             ];
         }
-        $this->output->outputTable($rows, ['Authorization Id', 'Service Name', 'Client ID', 'Grant Type', 'Scope', 'Expiration Time', 'Values']);
+        $this->output->outputTable($rows, ['Authorization Id', 'Encrypted', 'Service Name', 'Client ID', 'Grant Type', 'Scope', 'Expiration Time', 'Values']);
     }
 
     /**
@@ -99,4 +102,28 @@ public function removeAuthorizationsCommand(string $id = '', bool $all = false):
         }
         $this->outputLine('<success>Done</success>');
     }
+
+    /**
+     * Generate encryption key
+     *
+     * this command generates a random encryption key which can be used as a vale of the
+     * "encryption.base64EncodedKey" setting.
+     *
+     * @param string $construction
+     * @return void
+     * @throws Exception
+     */
+    public function generateEncryptionKeyCommand(string $construction = 'ChaCha20-Poly1305-IETF'): void
+    {
+        if (!extension_loaded('sodium')) {
+            $this->outputLine('<error>This command requires the "sodium" PHP extension to be installed</error>');
+            exit(1);
+        }
+        if ($construction !== 'ChaCha20-Poly1305-IETF') {
+            $this->outputLine('<error>Currently only ChaCha20-Poly1305-IETF is supported</error>');
+        }
+
+        $encryptionService = new EncryptionService();
+        $this->outputLine(base64_encode($encryptionService->generateEncryptionKey()));
+    }
 }
@@ -0,0 +1,104 @@
+<?php
+
+namespace Flownative\OAuth2\Client;
+
+use Exception;
+use Neos\Flow\Annotations as Flow;
+
+/**
+ * @Flow\Scope("singleton")
+ */
+class EncryptionService {
+
+    /**
+     * @Flow\InjectConfiguration(path="encryption.base64EncodedKey")
+     * @var string
+     */
+    protected $base64EncodedKey;
+
+    /**
+     * @var string
+     */
+    protected $key;
+
+    /**
+     * @return void
+     */
+    public function initializeObject(): void
+    {
+        $this->key = base64_decode($this->base64EncodedKey, true);
+        if ($this->key === false) {
+            throw new \RuntimeException('Failed base64-decoding the encryption key provided as setting encryption.base64EncodedKey', 1604935600);
+        }
+    }
+
+    /**
+     * @param string $key
+     */
+    public function setKey(string $key): void
+    {
+        $this->key = $key;
+    }
+
+    /**
+     * @return bool
+     */
+    public function isConfigured(): bool
+    {
+        return !empty($this->key);
+    }
+
+    /**
+     * Encrypts the given data using the configured encryption method and returns a string
+     * containing the construction name and the base64-encoded nonce and encrypted data.
+     *
+     * @param string $data Data to encrypt
+     * @return string Encoded, encrypted data, suitable for storage (e.g. in the database)
+     * @throws Exception
+     */
+    public function encryptAndEncode(string $data): string
+    {
+        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_NPUBBYTES);
+        $encryptedData = sodium_crypto_aead_chacha20poly1305_ietf_encrypt(
+            $data,
+            $nonce,
+            $nonce,
+            $this->key
+        );
+
+        return 'ChaCha20-Poly1305-IETF$' . base64_encode($nonce) . '$' . base64_encode($encryptedData);
+    }
+
+    /**
+     * Decrypts the given encoded and encrypted data using the configured encryption method
+     * and returns the decrypted data.
+     *
+     * @param string $encodedAndEncryptedData The data originally created by encryptAndEncode()
+     * @return string Decrypted data
+     */
+    public function decodeAndDecrypt(string $encodedAndEncryptedData): string
+    {
+        list($construction, $encodedNonce, $encodedEncryptedSerializedAccessToken) = explode('$', $encodedAndEncryptedData);
+        if ($construction !== 'ChaCha20-Poly1305-IETF') {
+            throw new \RuntimeException(sprintf('Failed decrypting serialized access token: unsupported AEAD construction "%s"', $construction), 1604938723);
+        }
+
+        $nonce = base64_decode($encodedNonce);
+        return sodium_crypto_aead_chacha20poly1305_ietf_decrypt(
+            base64_decode($encodedEncryptedSerializedAccessToken),
+            $nonce,
+            $nonce,
+            $this->key
+        );
+    }
+
+    /**
+     * @return string
+     * @throws Exception
+     */
+    public function generateEncryptionKey(): string
+    {
+        return sodium_crypto_aead_chacha20poly1305_ietf_keygen();
+    }
+
+}
@@ -13,6 +13,13 @@ Flownative:
       services: []
 #        - name: 'flownative-beach'
 #          className: 'Flownative\Beach\BeachClient'
+      encryption:
+
+        # A base64-encoded random key, for example generated with ./flow oauth:generateencryptionkey
+        base64EncodedKey: ''
+
+        # AEAD construction to use; currently only "ChaCha20-Poly1305-IETF" is supported
+        construction: 'ChaCha20-Poly1305-IETF'
 
 Neos:
   Flow:
 
@@ -0,0 +1,45 @@
+<?php
+namespace Neos\Flow\Persistence\Doctrine\Migrations;
+
+use Doctrine\Migrations\AbstractMigration;
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\DBAL\Migrations\AbortMigrationException;
+
+/**
+ * Introduce encrypted serialized access token
+ */
+class Version20201109140652 extends AbstractMigration
+{
+
+    /**
+     * @return string
+     */
+    public function getDescription(): string
+    {
+        return 'Introduce encrypted serialized access token';
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     * @throws AbortMigrationException
+     */
+    public function up(Schema $schema): void
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() !== 'mysql', 'Migration can only be executed safely on "mysql".');
+
+        $this->addSql('ALTER TABLE flownative_oauth2_client_authorization ADD encryptedserializedaccesstoken LONGTEXT DEFAULT NULL');
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     * @throws AbortMigrationException
+     */
+    public function down(Schema $schema): void
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() !== 'mysql', 'Migration can only be executed safely on "mysql".');
+
+        $this->addSql('ALTER TABLE flownative_oauth2_client_authorization DROP encryptedserializedaccesstoken');
+    }
+}