Encrypt TOTP secret before saving to database

handler/auth/totp/totp.go

@@ -39,7 +39,12 @@ func POST(w http.ResponseWriter, r *http.Request) {
 	}
 	code := r.Form.Get("code")
 	_, user, key := session.GetSession(r)
-	totp := gotp.NewDefaultTOTP(user.Totp)
+	decryptedSecret, err := app.Server.Encryption.Decrypt(user.Totp)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		app.Server.Logger.Error(err.Error())
+	}
+	totp := gotp.NewDefaultTOTP(decryptedSecret)
 
 	if totp.Verify(code, time.Now().Unix()) {
 		storeSession := session.Get(key)

handler/user/totp/setup.go

@@ -82,12 +82,18 @@ func POST(w http.ResponseWriter, r *http.Request) {
 	}
 	var component templ.Component
 	if totp.Verify(code, time.Now().Unix()) {
-		if err := app.Server.Database.InitializeTotp(userSession.Email, secret); err != nil {
+		encryptedSecret, err := app.Server.Encryption.Encrypt(secret)
+		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			app.Server.Logger.Error(err.Error())
 			return
 		}
-		err := app.Server.Cache.RemoveUserCache(r.Context(), userSession.Email)
+		if err := app.Server.Database.InitializeTotp(userSession.Email, encryptedSecret); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			app.Server.Logger.Error(err.Error())
+			return
+		}
+		err = app.Server.Cache.RemoveUserCache(r.Context(), userSession.Email)
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			app.Server.Logger.Error(err.Error())