From 90481b946283541cd5ea5fb65b8e2263182c5a0d Mon Sep 17 00:00:00 2001
From: Anish Sarkar <104695310+AnishSarkar22@users.noreply.github.com>
Date: Thu, 19 Mar 2026 17:57:51 +0530
Subject: [PATCH] feat: Added logic to encrypt the access token, refresh token, and client secret if the configuration specifies token encryption for native Gmail connector
---
 .../app/connectors/google_gmail_connector.py | 33 ++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/surfsense_backend/app/connectors/google_gmail_connector.py b/surfsense_backend/app/connectors/google_gmail_connector.py
index 5568dceb0..0491aba62 100644
--- a/surfsense_backend/app/connectors/google_gmail_connector.py
+++ b/surfsense_backend/app/connectors/google_gmail_connector.py
@@ -134,7 +134,38 @@ class GoogleGmailConnector:
 raise RuntimeError(
 "GMAIL connector not found; cannot persist refreshed token."
 )
- connector.config = json.loads(self._credentials.to_json())
+
+ from app.config import config
+ from app.utils.oauth_security import TokenEncryption
+
+ creds_dict = json.loads(self._credentials.to_json())
+ token_encrypted = connector.config.get(
+ "_token_encrypted", False
+ )
+
+ if token_encrypted and config.SECRET_KEY:
+ token_encryption = TokenEncryption(config.SECRET_KEY)
+ if creds_dict.get("token"):
+ creds_dict["token"] = (
+ token_encryption.encrypt_token(
+ creds_dict["token"]
+ )
+ )
+ if creds_dict.get("refresh_token"):
+ creds_dict["refresh_token"] = (
+ token_encryption.encrypt_token(
+ creds_dict["refresh_token"]
+ )
+ )
+ if creds_dict.get("client_secret"):
+ creds_dict["client_secret"] = (
+ token_encryption.encrypt_token(
+ creds_dict["client_secret"]
+ )
+ )
+ creds_dict["_token_encrypted"] = True
+
+ connector.config = creds_dict
 flag_modified(connector, "config")
 await self._session.commit()
 except Exception as e:
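Review bot: The guard `if token_encrypted and config.SECRET_KEY:` fails open: when the stored config is marked `_token_encrypted` but `config.SECRET_KEY` is empty, the refreshed access token, refresh token and client secret are written back in plaintext, and the `_token_encrypted` marker is presumably lost because `creds_dict` is rebuilt from `to_json()`. Raise in that case rather than falling through, so an encrypted record is never silently replaced by a plaintext one. The new error would reach the `except Exception as e:` handler, whose body is outside this hunk, so confirm it does not swallow it. The three identical `if creds_dict.get(...)` blocks can also become one loop over the field names, as sketched below; the enclosing method starts and ends outside the hunk.

```python
token_encrypted = connector.config.get("_token_encrypted", False)

if token_encrypted:
    if not config.SECRET_KEY:
        # Fail closed: never overwrite an encrypted record with plaintext secrets.
        raise RuntimeError(
            "SECRET_KEY is not set; refusing to persist refreshed "
            "Gmail credentials unencrypted."
        )
    token_encryption = TokenEncryption(config.SECRET_KEY)
    for field in ("token", "refresh_token", "client_secret"):
        if creds_dict.get(field):
            creds_dict[field] = token_encryption.encrypt_token(creds_dict[field])
    creds_dict["_token_encrypted"] = True

# … unchanged: connector.config = creds_dict, flag_modified, commit …
```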