Encrypt access_token and refresh_token

Gemfile

@@ -21,9 +21,12 @@ gem 'jbuilder'
 # Reduces boot times through caching; required in config/boot.rb
 gem 'bootsnap', '>= 1.4.2', require: false
 
+gem 'lockbox'
+
+# gem 'airrecord'
 gem 'google-api-client'
 gem 'rack-cors'
-gem "sentry-raven"
+gem 'sentry-raven'
 
 group :development, :test do
   # Call 'byebug' anywhere in the code to stop execution and get a debugger console

Gemfile.lock

@@ -100,6 +100,7 @@ GEM
     listen (3.2.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
+    lockbox (0.3.4)
     loofah (2.5.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
@@ -224,6 +225,7 @@ DEPENDENCIES
   google-api-client
   jbuilder
   listen
+  lockbox
   pg
   puma
   rack-cors

app/models/authentication.rb

@@ -1,6 +1,9 @@
 class Authentication < ApplicationRecord
   belongs_to :user
 
+  encrypts :access_token
+  encrypts :refresh_token
+
   def expired?
     expires_at <= Time.current
   end

db/migrate/20200408212150_add_lockbox_columns.rb

@@ -0,0 +1,8 @@
+class AddLockboxColumns < ActiveRecord::Migration[6.0]
+  def change
+    add_column :authentications, :access_token_ciphertext, :text
+    add_column :authentications, :refresh_token_ciphertext, :text
+    remove_column :authentications, :access_token
+    remove_column :authentications, :refresh_token
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_04_05_161905) do
+ActiveRecord::Schema.define(version: 2020_04_08_212150) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"

env.example

@@ -1,3 +1,4 @@
 GOOGLE_CLIENT_ID=clientid
 GOOGLE_CLIENT_SECRET=secret
 GOOGLE_PROJECT_ID=projectid
+LOCKBOX_MASTER_KEY=f7b18b63d3f7ec48fa78bab327cdf81b0969020f70dc16947b14572cde3e2b7d