Home Security User Data Encryption in Play2

User Data Encryption in Play2

Author

Date

Category

Recent news shows the importance of data encryption.  For instance, the attack on MongoHQ showed how OAuth might be exploited if not properly handled. Buffer learnt from it the hard way. But so should all of us and that’s why we at Codacy would like to share how we’ve protected our Infrastructure Secrets.

We too at Codacy use OAuth tokens, in our case to access Github and Google’s API. The leak of these tokens would mean granting an attacker our users’ code. Of course, this would be unacceptable. So, it would be better to follow Buffer’s example and cipher it. This way if an attacker breaches our database and gets hold of the ciphered tokens they’d be useless.

Although necessary, security may be a burden. In spite of that, we wanted a way to secure data in the database that would be effortless to the rest of the team while developing. So that you know, as part of our stack we’re using Play Framework for Scala and play-slick as the interface for PostgreSQL.

This was the solution we came up with. A simple case class named SecureString that stores a String and ciphers it. A SecureTable trait containing an implicit TypeMapper to take care of the conversion between String and SecureString. Then just combine the two by mixing the trait with the model and declare the columns we want to be ciphered as SecureString.

Take a look at this simple example where we have a LoveLetter and want to cipher the contents of the letter:

https://gist.github.com/mrfyda/7554222

For this change to be completely transparent to the rest of your code you can set implicit conversions between SecureString and String:

implicit def toSecureString(str: String): SecureString = SecureString(str)
 implicit def fromSecureString(str: SecureString): String = str.toString

This makes an automatic transformation of String into SecureString which means that we treat those as the same.
This in turn means that our code has minimal change cost to implement encrypted strings.

And that’s it. We hope this is useful in your projects.


Edit: We just published an ebook: “The Ultimate Guide to Code Review” based on a survey of 680+ developers. Enjoy!


*This is a blog post of our Code Reading Wednesdays from Codacy (http://www.codacy.com): we make code reviews easier and automatic.

About Codacy

Codacy is used by thousands of developers to analyze billions of lines of code every day!

Getting started is easy – and free! Just use your  GitHub, Bitbucket or Google account to sign up.

GET STARTED

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.

Recent posts

7 drawbacks of linting tools

Linting tools (also known as linters or static analyzers) help automate the code review process. They perform basic static code analysis by flagging programming...

Using the API to add Codacy Grade details to the Readme

Some context Codacy has a badge mechanism that can be included in your Readme file. It gives you an idea of the grade of your repository, from...

March Product Update: Support for Cloud Infrastructure-as-code, Custom Reports with API endpoints & more 🚀

Here are some fresh updates from March! This month we bring you a new product offering, new features, and product updates, interesting reads, and...

Top 10 ways to perform fast code review

We always want to be fast at code review.. How frequent is it for you to be reviewing code at 3am? When code reviewing, do you...

Interview with Gary McKay, Somos’ Director of Agile Service Delivery

Somos is a proven leader in registry management and data solutions. Somos fosters meaningful connections by delivering value, innovation and confidence to consumers. We...