fix(security): Remove inline token support from schema

- Remove string token support as it's considered a security footgun
- V3 intentionally removed this feature from V2
- Tokens must now use secret or env references only

Addresses: brendan-kellam's security concern

Author: zuharz

packages/crypto/src/tokenUtils.test.ts

@@ -0,0 +1,96 @@
+import { describe, test, expect, vi, beforeEach } from 'vitest';
+import { PrismaClient } from '@sourcebot/db';
+import { getTokenFromConfig } from './tokenUtils';
+
+// Mock the decrypt function
+vi.mock('./index.js', () => ({
+    decrypt: vi.fn().mockReturnValue('decrypted-secret-value')
+}));
+
+describe('tokenUtils', () => {
+    let mockPrisma: any;
+    const testOrgId = 1;
+
+    beforeEach(() => {
+        mockPrisma = {
+            secret: {
+                findUnique: vi.fn(),
+            },
+        };
+
+        vi.clearAllMocks();
+        delete process.env.TEST_TOKEN;
+        delete process.env.EMPTY_TOKEN;
+    });
+
+    describe('getTokenFromConfig', () => {
+        test('handles secret-based tokens', async () => {
+            const mockSecret = { 
+                iv: 'test-iv', 
+                encryptedValue: 'encrypted-value' 
+            };
+            mockPrisma.secret.findUnique.mockResolvedValue(mockSecret);
+
+            const config = { secret: 'my-secret' };
+            const result = await getTokenFromConfig(config, testOrgId, mockPrisma);
+
+            expect(result).toBe('decrypted-secret-value');
+            expect(mockPrisma.secret.findUnique).toHaveBeenCalledWith({
+                where: { 
+                    orgId_key: {
+                        key: 'my-secret',
+                        orgId: testOrgId
+                    }
+                }
+            });
+        });
+
+        test('handles environment variable tokens', async () => {
+            process.env.TEST_TOKEN = 'env-token-value';
+
+            const config = { env: 'TEST_TOKEN' };
+            const result = await getTokenFromConfig(config, testOrgId, mockPrisma);
+
+            expect(result).toBe('env-token-value');
+        });
+
+        test('throws error for string tokens (security)', async () => {
+            const config = 'direct-string-token';
+
+            await expect(getTokenFromConfig(config as any, testOrgId, mockPrisma))
+                .rejects.toThrow('Invalid token configuration');
+        });
+
+        test('throws error for malformed token objects', async () => {
+            const config = { invalid: 'format' };
+
+            await expect(getTokenFromConfig(config as any, testOrgId, mockPrisma))
+                .rejects.toThrow('Invalid token configuration');
+        });
+
+        test('throws error for missing secret', async () => {
+            mockPrisma.secret.findUnique.mockResolvedValue(null);
+
+            const config = { secret: 'non-existent-secret' };
+
+            await expect(getTokenFromConfig(config, testOrgId, mockPrisma))
+                .rejects.toThrow('Secret with key non-existent-secret not found for org 1');
+        });
+
+        test('throws error for missing environment variable', async () => {
+            const config = { env: 'NON_EXISTENT_VAR' };
+
+            await expect(getTokenFromConfig(config, testOrgId, mockPrisma))
+                .rejects.toThrow('Environment variable NON_EXISTENT_VAR not found.');
+        });
+
+        test('handles empty environment variable', async () => {
+            process.env.EMPTY_TOKEN = '';
+
+            const config = { env: 'EMPTY_TOKEN' };
+
+            await expect(getTokenFromConfig(config, testOrgId, mockPrisma))
+                .rejects.toThrow('Environment variable EMPTY_TOKEN not found.');
+        });
+    });
+});

packages/crypto/src/tokenUtils.ts

@@ -3,9 +3,8 @@ import { Token } from "@sourcebot/schemas/v3/shared.type";
 import { decrypt } from "./index.js";
 
 export const getTokenFromConfig = async (token: Token, orgId: number, db: PrismaClient) => {
-    // Handle direct string tokens
-    if (typeof token === 'string') {
-        return token;
+    if (typeof token !== 'object' || token === null) {
+        throw new Error('Invalid token configuration');
     }
 
     if ('secret' in token) {

packages/schemas/src/v3/shared.schema.test.ts

@@ -0,0 +1,155 @@
+import { describe, test, expect, beforeEach } from 'vitest';
+import Ajv from 'ajv';
+import { sharedSchema } from './shared.schema';
+
+describe('shared schema validation', () => {
+    let ajv: Ajv;
+
+    beforeEach(() => {
+        ajv = new Ajv({ strict: false });
+    });
+
+    describe('Token validation', () => {
+        test('accepts valid secret token format', () => {
+            const tokenSchema = sharedSchema.definitions!.Token;
+            const validate = ajv.compile(tokenSchema);
+
+            const validToken = { secret: 'my-secret-name' };
+            const isValid = validate(validToken);
+
+            expect(isValid).toBe(true);
+            expect(validate.errors).toBeNull();
+        });
+
+        test('accepts valid environment variable token format', () => {
+            const tokenSchema = sharedSchema.definitions!.Token;
+            const validate = ajv.compile(tokenSchema);
+
+            const validToken = { env: 'MY_TOKEN_VAR' };
+            const isValid = validate(validToken);
+
+            expect(isValid).toBe(true);
+            expect(validate.errors).toBeNull();
+        });
+
+        test('rejects string tokens (security measure)', () => {
+            const tokenSchema = sharedSchema.definitions!.Token;
+            const validate = ajv.compile(tokenSchema);
+
+            const stringToken = 'direct-string-token';
+            const isValid = validate(stringToken);
+
+            expect(isValid).toBe(false);
+            expect(validate.errors).toBeTruthy();
+            expect(validate.errors![0].message).toContain('must be object');
+        });
+
+        test('rejects empty string tokens', () => {
+            const tokenSchema = sharedSchema.definitions!.Token;
+            const validate = ajv.compile(tokenSchema);
+
+            const emptyStringToken = '';
+            const isValid = validate(emptyStringToken);
+
+            expect(isValid).toBe(false);
+            expect(validate.errors).toBeTruthy();
+        });
+
+        test('rejects malformed token objects', () => {
+            const tokenSchema = sharedSchema.definitions!.Token;
+            const validate = ajv.compile(tokenSchema);
+
+            const malformedToken = { invalid: 'format' };
+            const isValid = validate(malformedToken);
+
+            expect(isValid).toBe(false);
+            expect(validate.errors).toBeTruthy();
+        });
+
+        test('rejects token objects with both secret and env', () => {
+            const tokenSchema = sharedSchema.definitions!.Token;
+            const validate = ajv.compile(tokenSchema);
+
+            const invalidToken = { secret: 'my-secret', env: 'MY_VAR' };
+            const isValid = validate(invalidToken);
+
+            expect(isValid).toBe(false);
+            expect(validate.errors).toBeTruthy();
+        });
+
+        test('rejects empty secret name (security measure)', () => {
+            const tokenSchema = sharedSchema.definitions!.Token;
+            const validate = ajv.compile(tokenSchema);
+
+            const tokenWithEmptySecret = { secret: '' };
+            const isValid = validate(tokenWithEmptySecret);
+
+            expect(isValid).toBe(false);
+            expect(validate.errors).toBeTruthy();
+        });
+
+        test('rejects empty environment variable name (security measure)', () => {
+            const tokenSchema = sharedSchema.definitions!.Token;
+            const validate = ajv.compile(tokenSchema);
+
+            const tokenWithEmptyEnv = { env: '' };
+            const isValid = validate(tokenWithEmptyEnv);
+
+            expect(isValid).toBe(false);
+            expect(validate.errors).toBeTruthy();
+        });
+
+        test('rejects token objects with additional properties', () => {
+            const tokenSchema = sharedSchema.definitions!.Token;
+            const validate = ajv.compile(tokenSchema);
+
+            const invalidToken = { secret: 'my-secret', extra: 'property' };
+            const isValid = validate(invalidToken);
+
+            expect(isValid).toBe(false);
+            expect(validate.errors).toBeTruthy();
+        });
+    });
+
+    describe('GitRevisions validation', () => {
+        test('accepts valid GitRevisions object', () => {
+            const revisionsSchema = sharedSchema.definitions!.GitRevisions;
+            const validate = ajv.compile(revisionsSchema);
+
+            const validRevisions = {
+                branches: ['main', 'develop'],
+                tags: ['v1.0.0', 'latest']
+            };
+            const isValid = validate(validRevisions);
+
+            expect(isValid).toBe(true);
+            expect(validate.errors).toBeNull();
+        });
+
+        test('accepts empty GitRevisions object', () => {
+            const revisionsSchema = sharedSchema.definitions!.GitRevisions;
+            const validate = ajv.compile(revisionsSchema);
+
+            const emptyRevisions = {};
+            const isValid = validate(emptyRevisions);
+
+            expect(isValid).toBe(true);
+            expect(validate.errors).toBeNull();
+        });
+
+        test('rejects GitRevisions with additional properties', () => {
+            const revisionsSchema = sharedSchema.definitions!.GitRevisions;
+            const validate = ajv.compile(revisionsSchema);
+
+            const invalidRevisions = {
+                branches: ['main'],
+                tags: ['v1.0.0'],
+                invalid: 'property'
+            };
+            const isValid = validate(invalidRevisions);
+
+            expect(isValid).toBe(false);
+            expect(validate.errors).toBeTruthy();
+        });
+    });
+});

packages/schemas/src/v3/shared.schema.ts

@@ -5,16 +5,12 @@ const schema = {
   "definitions": {
     "Token": {
       "anyOf": [
-        {
-          "type": "string",
-          "description": "Direct token value (SECURITY RISK: not recommended for production - use secrets or environment variables instead)",
-          "minLength": 1
-        },
         {
           "type": "object",
           "properties": {
             "secret": {
               "type": "string",
+              "minLength": 1,
               "description": "The name of the secret that contains the token."
             }
           },
@@ -28,6 +24,7 @@ const schema = {
           "properties": {
             "env": {
               "type": "string",
+              "minLength": 1,
               "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
             }
           },

packages/schemas/src/v3/shared.type.ts

@@ -5,7 +5,6 @@
  * via the `definition` "Token".
  */
 export type Token =
-  | string
   | {
       /**
        * The name of the secret that contains the token.

schemas/v3/shared.json

@@ -4,16 +4,12 @@
     "definitions": {
         "Token": {
             "anyOf": [
-                {
-                    "type": "string",
-                    "description": "Direct token value (SECURITY RISK: not recommended for production - use secrets or environment variables instead)",
-                    "minLength": 1
-                },
                 {
                     "type": "object",
                     "properties": {
                         "secret": {
                             "type": "string",
+                            "minLength": 1,
                             "description": "The name of the secret that contains the token."
                         }
                     },
@@ -27,6 +23,7 @@
                     "properties": {
                         "env": {
                             "type": "string",
+                            "minLength": 1,
                             "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
                         }
                     },