chore(deps): bump @react-aria/i18n from 3.12.7 to 3.12.12 in /services/frontend

.github/workflows/build-image-manual.yml

@@ -0,0 +1,43 @@
+name: Build Image Manual Branch
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to build and release'
+        required: true
+        default: 'develop'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.inputs.branch }}
+
+      - name: Build Frontend Docker Image
+        run: docker build . --file services/frontend/Dockerfile --tag justnz/exflow:frontend-${{ github.sha }} --tag justnz/exflow:frontend-${{ github.ref_name }}
+
+      - name: Build Backend Docker Image
+        run: docker build . --file services/backend/Dockerfile --tag justnz/exflow:backend-${{ github.sha }} --tag justnz/exflow:backend-${{ github.ref_name }}
+
+      - name: Build exFlow Docker Image
+        run: docker build . --file Dockerfile --tag justnz/exflow:${{ github.sha }} --tag justnz/exflow:${{ github.ref_name }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Push Docker Images
+        run: |
+          docker push justnz/exflow:frontend-${{ github.sha }}
+          docker push justnz/exflow:frontend-${{ github.ref_name }}
+          docker push justnz/exflow:backend-${{ github.sha }}
+          docker push justnz/exflow:backend-${{ github.ref_name }}
+          docker push justnz/exflow:${{ github.sha }}
+          docker push justnz/exflow:${{ github.ref_name }}

.gitignore

@@ -43,6 +43,7 @@ services/backend/*.exe~
 services/backend/*.dll
 services/backend/*.so
 services/backend/*.dylib
+services/backend/*.sql
 
 # Test binary, built with `go test -c`
 services/backend/*.test

Dockerfile

@@ -1,7 +1,7 @@
-FROM node:23-alpine AS base
+FROM node:24.7-alpine AS base
 
 # Stage 1: Build the frontend
-FROM node:23-alpine AS frontend-builder
+FROM node:24.7-alpine AS frontend-builder
 RUN apk add --no-cache libc6-compat
 WORKDIR /app/frontend
 COPY services/frontend/package.json services/frontend/pnpm-lock.yaml ./
@@ -49,11 +49,10 @@ RUN mkdir .next \
 COPY --from=frontend-builder --chown=nextjs:nodejs /app/frontend/.next/standalone ./
 COPY --from=frontend-builder --chown=nextjs:nodejs /app/frontend/.next/static ./.next/static
 
-# Copy .env file to the working directory
-COPY --from=frontend-builder --chown=nextjs:nodejs /app/frontend/.env /app/.env
+RUN chown -R nextjs:nodejs /app
 
-RUN mkdir -p /etc/exflow
-COPY services/backend/config/config.yaml /etc/exflow/backend_config.yaml
+RUN mkdir -p /etc/exflow \
+    && chown -R nextjs:nodejs /etc/exflow
 
 # Set environment variables
 ENV NODE_ENV=production
@@ -69,4 +68,4 @@ USER nextjs
 ENTRYPOINT ["/sbin/tini", "--"]
 
 # Start the backend and frontend
-CMD ["sh", "-c", "./exflow-backend --config /etc/exflow/backend_config.yaml & node /app/server.js"]
+CMD ["sh", "-c", "./exflow-backend --config /etc/exflow/config.yaml & node /app/server.js"]

ENCRYPTION_SECURITY.md

@@ -0,0 +1,110 @@
+# Secure Project-Based Encryption Setup
+
+## Overview
+
+The enhanced encryption system now uses **key derivation** instead of storing encryption keys directly in the database. This significantly improves security by ensuring that even if someone gains access to your database, they cannot decrypt the data without the master secret.
+
+## How It Works
+
+1. **Master Secret**: A single secret stored outside the database (environment variable, config file, external key management system)
+2. **Project Salts**: Random salts generated per project and stored in the database
+3. **Key Derivation**: Encryption keys are derived using PBKDF2(master_secret + project_salt)
+
+Even if an attacker gains access to your database, they only see:
+- Encrypted data
+- Random salts (which are useless without the master secret)
+
+## Configuration
+
+### Option 1: Environment Variable (Recommended for Production)
+```bash
+# Set the master secret as an environment variable
+export EXFLOW_ENCRYPTION_MASTER_SECRET="your-very-long-and-secure-master-secret-here"
+```
+
+### Option 2: Configuration File
+```yaml
+# In your backend config.yaml
+encryption:
+  master_secret: "your-very-long-and-secure-master-secret-here"
+  # Fallback key for legacy data (optional)
+  key: "legacy-key-for-backward-compatibility"
+```
+
+## Master Secret Requirements
+
+- **Length**: Minimum 32 characters, recommended 64+ characters
+- **Randomness**: Use a cryptographically secure random generator
+- **Characters**: Include letters, numbers, and symbols
+- **Uniqueness**: Must be unique per exFlow installation
+
+### Generate a Secure Master Secret
+
+```bash
+# Option 1: Using OpenSSL
+openssl rand -base64 64
+
+# Option 2: Using Python
+python3 -c "import secrets; print(secrets.token_urlsafe(64))"
+
+# Option 3: Using Go
+go run -c "package main; import (\"crypto/rand\", \"encoding/base64\", \"fmt\"); func main() { b := make([]byte, 64); rand.Read(b); fmt.Println(base64.URLEncoding.EncodeToString(b)) }"
+```
+
+## Security Benefits
+
+1. **Database Compromise Protection**: Even with full database access, encrypted data remains secure
+2. **Per-Project Isolation**: Each project uses a unique derived key
+3. **Key Rotation**: Changing the master secret or project salt rotates all encryption
+4. **Audit Trail**: Key derivation can be logged and monitored
+5. **Compliance**: Meets most regulatory requirements for encryption key management
+
+## Migration from Legacy System
+
+The system maintains backward compatibility:
+
+1. **New Projects**: Automatically use the secure key derivation system
+2. **Existing Projects**: Continue working with existing keys until migrated
+3. **Gradual Migration**: Projects can be migrated one by one using the key rotation feature
+
+## Best Practices
+
+### Storage
+- **Never** store the master secret in the database
+- Use environment variables or external key management systems
+- Rotate the master secret periodically (quarterly/annually)
+- Keep secure backups of the master secret
+
+### Access Control
+- Limit access to the master secret to essential personnel only
+- Use separate master secrets for different environments (dev/staging/prod)
+- Log all access to encryption keys
+
+### Monitoring
+- Monitor for unusual encryption/decryption patterns
+- Alert on encryption failures
+- Regular security audits of key management processes
+
+## Troubleshooting
+
+### "Master secret not configured" Error
+1. Ensure the master secret is set in your configuration
+2. Restart the backend service after setting the secret
+3. Check environment variable spelling
+
+### "Failed to decrypt" Errors
+1. Verify the master secret hasn't changed
+2. Check if the project salt was corrupted
+3. Consider falling back to legacy key mode temporarily
+
+### Performance Considerations
+- Key derivation adds ~1-2ms per operation
+- Consider caching derived keys in memory for high-throughput scenarios
+- Monitor CPU usage during bulk encryption operations
+
+## Example Implementation
+
+```go
+// Environment variable
+masterSecret := os.Getenv("EXFLOW_ENCRYPTION_MASTER_SECRET")
+```

README.md

@@ -117,9 +117,10 @@ To get started with the exFlow project, follow these steps:
       password: postgres
 
     encryption:
-      enabled: true
-      # maximum 32 characters
-      key: null
+      # Minimum 32 characters, recommended 64+ characters
+      master_secret: "your-very-long-and-secure-master-secret-here"
+      # Fallback key for legacy data (optional)
+      key: "legacy-key-for-backward-compatibility"
 
     jwt:
       secret: null

docker-compose.yaml

@@ -20,20 +20,9 @@ services:
       - "3000:3000" # exFlow frontend
       - "8080:8080" # exFlow backend
     volumes:
-      - ./config.yaml:/etc/exflow/backend_config.yaml
-    # environment:
-      # Adjust these if your config.yaml uses different DB settings
-      # BACKEND_LOG_LEVEL: info
-      # BACKEND_PORT: 8080
-      # BACKEND_DATABASE_SERVER: db
-      # BACKEND_DATABASE_PORT: 5432
-      # BACKEND_DATABASE_NAME: postgres
-      # BACKEND_DATABASE_USER: postgres
-      # BACKEND_DATABASE_PASSWORD: postgres
-      # BACKEND_ENCRYPTION_ENABLED: "true"
-      # BACKEND_ENCRYPTION_KEY: "change-me"
-      # BACKEND_JWT_SECRET: "change-me"
-    entrypoint: ["/bin/sh", "-c", "until pg_isready -h db -p 5432 -U postgres; do sleep 1; done; exec ./exflow-backend --config /etc/exflow/backend_config.yaml & exec node /app/server.js"]
+      - exflow_data:/etc/exflow
+    entrypoint: ["/bin/sh", "-c", "until pg_isready -h db -p 5432 -U postgres; do sleep 1; done; exec ./exflow-backend --config /etc/exflow/config.yaml & exec node /app/server.js"]
 
 volumes:
-  db_data:
+  db_data:
+  exflow_data:

services/backend/Dockerfile

@@ -1,25 +1,30 @@
 FROM golang:1.24-alpine as builder
 
-WORKDIR /backend
+WORKDIR /app/backend
 
 COPY services/backend/go.mod services/backend/go.sum ./
 RUN go mod download
 
 COPY services/backend/ ./
 
 # Build
-RUN CGO_ENABLED=0 GOOS=linux go build -o /exflow-backend
+RUN go build -o exflow-backend
 
-FROM alpine:3.12 as runner
+FROM alpine:3.22 as runner
 WORKDIR /app
 
-COPY --from=builder /exflow-backend /exflow-backend
+COPY --from=builder /app/backend/exflow-backend /app/
 
-RUN mkdir /app/config
-COPY services/backend/config/config.yaml /etc/exflow/backend_config.yaml
+RUN addgroup --system --gid 1001 exflow
+RUN adduser --system --uid 1001 exflow
+
+RUN mkdir -p /etc/exflow \
+    && chown -R exflow:exflow /etc/exflow
+
+RUN chown -R exflow:exflow /app
 
 VOLUME [ "/etc/exflow" ]
 
 EXPOSE 8080
 
-CMD [ "/exflow-backend", "--config", "/etc/exflow/backend_config.yaml" ]
+CMD [ "/exflow-backend", "--config", "/etc/exflow/config.yaml" ]

services/backend/config/config.yaml

@@ -12,9 +12,10 @@ database:
   password: postgres
 
 encryption:
-  enabled: true
-  # maximum 32 characters
-  key: null
+  # Minimum 32 characters, recommended 64+ characters
+  master_secret: "your-very-long-and-secure-master-secret-here"
+  # Fallback key for legacy data (optional)
+  key: "legacy-key-for-backward-compatibility"
 
 jwt:
   secret: null

services/backend/config/main.go

@@ -46,8 +46,8 @@ type JWTConf struct {
 }
 
 type EncryptionConf struct {
-	Enabled bool   `mapstructure:"enabled" validate:"required"`
-	Key     string `mapstructure:"key"`
+	Key          string `mapstructure:"key"`
+	MasterSecret string `mapstructure:"master_secret" validate:"required"`
 }
 
 type RunnerConf struct {
@@ -84,8 +84,8 @@ func (cm *ConfigurationManager) LoadConfig(configFile string) error {
 		"database.name":               "BACKEND_DATABASE_NAME",
 		"database.user":               "BACKEND_DATABASE_USER",
 		"database.password":           "BACKEND_DATABASE_PASSWORD",
-		"encryption.enabled":          "BACKEND_ENCRYPTION_ENABLED",
 		"encryption.key":              "BACKEND_ENCRYPTION_KEY",
+		"encryption.master_secret":    "BACKEND_ENCRYPTION_MASTER_SECRET",
 		"jwt.secret":                  "BACKEND_JWT_SECRET",
 		"runner.shared_runner_secret": "BACKEND_RUNNER_SHARED_RUNNER_SECRET",
 	}
@@ -118,6 +118,10 @@ func (cm *ConfigurationManager) LoadConfig(configFile string) error {
 	// Assign to package-level variable for global access
 	Config = &config
 
+	if config.Encryption.MasterSecret == "" {
+		log.Fatal("Master secret is required for encryption")
+	}
+
 	log.WithFields(log.Fields{
 		"file":    configFile,
 		"content": cm.viper.AllSettings(),

services/backend/database/migrations/10_flows_type_col.go

@@ -0,0 +1,60 @@
+package migrations
+
+import (
+	"context"
+	"fmt"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/uptrace/bun"
+)
+
+func init() {
+	Migrations.MustRegister(func(ctx context.Context, db *bun.DB) error {
+		return addTypeToFlows(ctx, db)
+	}, func(ctx context.Context, db *bun.DB) error {
+		return removeTypeFromFlows(ctx, db)
+	})
+}
+
+func addTypeToFlows(ctx context.Context, db *bun.DB) error {
+	// add type column
+	exists, err := columnExists(ctx, db, "flows", "type")
+	if err != nil {
+		return fmt.Errorf("failed to check if type column exists: %v", err)
+	}
+	if !exists {
+		_, err := db.NewAddColumn().
+			Table("flows").
+			ColumnExpr("type TEXT DEFAULT 'default'").
+			Exec(ctx)
+
+		if err != nil {
+			return fmt.Errorf("failed to add type column to flows table: %v", err)
+		}
+	} else {
+		log.Debug("type column already exists in flows table")
+	}
+
+	return nil
+}
+
+func removeTypeFromFlows(ctx context.Context, db *bun.DB) error {
+	exists, err := columnExists(ctx, db, "flows", "type")
+	if err != nil {
+		return fmt.Errorf("failed to check if type column exists: %v", err)
+	}
+	if exists {
+		_, err := db.NewDropColumn().
+			Table("flows").
+			Column("type").
+			Exec(ctx)
+
+		if err != nil {
+			return fmt.Errorf("failed to remove type column from flows table: %v", err)
+		}
+	} else {
+		log.Debug("type column already removed from flows table")
+	}
+
+	return nil
+}