Encrypt WordPress OAuth tokens at rest with rollout-safe migration by AJaySi · Pull Request #489 · AJaySi/ALwrity

AJaySi · 2026-05-11T10:18:23Z

Protect stored WordPress OAuth credentials by encrypting access_token and refresh_token at rest using a managed key.
Prevent accidental leakage by ensuring logs and API responses never return raw token material or token-derived fragments.
Provide a safe, backward-compatible migration path to re-encrypt existing plaintext tokens during rollout.

Added Fernet-based encryption/decryption helpers (_initialize_fernet, _encrypt_token, _decrypt_token, _is_likely_encrypted_blob) with key lookup from WORDPRESS_TOKEN_ENCRYPTION_KEY and fallback to OAUTH_TOKEN_ENCRYPTION_KEY and initialization in the service constructor.
Persist only encrypted token blobs into wordpress_oauth_tokens on OAuth callback and removed returning raw access_token in the callback response.
Added _migrate_plaintext_tokens_if_needed which detects plaintext rows and re-encrypts access_token/refresh_token on first-read, and integrated migration calls into token read paths to provide a one-time rollout migration.
Decrypt encrypted tokens only at call-time (e.g., inside get_user_tokens) and added safe fallbacks to read plaintext until migrated; added error handling for decryption failures and avoided logging token values or code/state fragments.

Ran python -m py_compile backend/services/integrations/wordpress_oauth.py and the module compiled successfully.

Secure WordPress OAuth token storage with encryption and migration

9eb6d01

AJaySi added the codex label May 11, 2026 — with ChatGPT Codex Connector

Provide feedback