release: secrets-mcp 0.5.2

Bump version: secrets-mcp-0.5.1 tag already existed while crates had further changes.

Made-with: Cursor

crates/secrets-core/src/db.rs

@@ -36,12 +36,31 @@ fn build_connect_options(config: &DatabaseConfig) -> Result<PgConnectOptions> {
 pub async fn create_pool(config: &DatabaseConfig) -> Result<PgPool> {
     tracing::debug!("connecting to database");
     let connect_options = build_connect_options(config)?;
+
+    // Connection pool configuration from environment
+    let max_connections = std::env::var("SECRETS_DATABASE_POOL_SIZE")
+        .ok()
+        .and_then(|v| v.parse::<u32>().ok())
+        .unwrap_or(10);
+
+    let acquire_timeout_secs = std::env::var("SECRETS_DATABASE_ACQUIRE_TIMEOUT")
+        .ok()
+        .and_then(|v| v.parse::<u64>().ok())
+        .unwrap_or(5);
+
     let pool = PgPoolOptions::new()
-        .max_connections(10)
-        .acquire_timeout(std::time::Duration::from_secs(5))
+        .max_connections(max_connections)
+        .acquire_timeout(std::time::Duration::from_secs(acquire_timeout_secs))
+        .max_lifetime(std::time::Duration::from_secs(1800)) // 30 minutes
+        .idle_timeout(std::time::Duration::from_secs(600)) // 10 minutes
         .connect_with(connect_options)
         .await?;
-    tracing::debug!("database connection established");
+
+    tracing::debug!(
+        max_connections,
+        acquire_timeout_secs,
+        "database connection established"
+    );
     Ok(pool)
 }
 

crates/secrets-core/src/error.rs

@@ -15,6 +15,18 @@ pub enum AppError {
     #[error("Entry not found")]
     NotFoundEntry,
 
+    #[error("User not found")]
+    NotFoundUser,
+
+    #[error("Secret not found")]
+    NotFoundSecret,
+
+    #[error("Authentication failed")]
+    AuthenticationFailed,
+
+    #[error("Unauthorized: insufficient permissions")]
+    Unauthorized,
+
     #[error("Validation failed: {message}")]
     Validation { message: String },
 
@@ -24,6 +36,9 @@ pub enum AppError {
     #[error("Decryption failed — the encryption key may be incorrect")]
     DecryptionFailed,
 
+    #[error("Encryption key not set — user must set passphrase first")]
+    EncryptionKeyNotSet,
+
     #[error(transparent)]
     Internal(#[from] anyhow::Error),
 }
@@ -119,6 +134,18 @@ mod tests {
         let err = AppError::NotFoundEntry;
         assert_eq!(err.to_string(), "Entry not found");
 
+        let err = AppError::NotFoundUser;
+        assert_eq!(err.to_string(), "User not found");
+
+        let err = AppError::NotFoundSecret;
+        assert_eq!(err.to_string(), "Secret not found");
+
+        let err = AppError::AuthenticationFailed;
+        assert_eq!(err.to_string(), "Authentication failed");
+
+        let err = AppError::Unauthorized;
+        assert!(err.to_string().contains("Unauthorized"));
+
         let err = AppError::Validation {
             message: "too long".to_string(),
         };
@@ -126,6 +153,9 @@ mod tests {
 
         let err = AppError::ConcurrentModification;
         assert!(err.to_string().contains("Concurrent modification"));
+
+        let err = AppError::EncryptionKeyNotSet;
+        assert!(err.to_string().contains("Encryption key not set"));
     }
 
     #[test]

crates/secrets-core/src/service/api_key.rs

@@ -2,6 +2,8 @@ use anyhow::Result;
 use sqlx::PgPool;
 use uuid::Uuid;
 
+use crate::error::AppError;
+
 const KEY_PREFIX: &str = "sk_";
 
 /// Generate a new API key: `sk_<64 hex chars>` = 67 characters total.
@@ -14,23 +16,32 @@ pub fn generate_api_key() -> String {
 }
 
 /// Return the user's existing API key, or generate and store a new one if NULL.
+/// Uses a transaction with atomic update to prevent TOCTOU race conditions.
 pub async fn ensure_api_key(pool: &PgPool, user_id: Uuid) -> Result<String> {
-    let existing: Option<(Option<String>,)> =
-        sqlx::query_as("SELECT api_key FROM users WHERE id = $1")
-            .bind(user_id)
-            .fetch_optional(pool)
-            .await?;
+    let mut tx = pool.begin().await?;
 
-    if let Some((Some(key),)) = existing {
+    // Lock the row and check existing key
+    let existing: (Option<String>,) =
+        sqlx::query_as("SELECT api_key FROM users WHERE id = $1 FOR UPDATE")
+            .bind(user_id)
+            .fetch_optional(&mut *tx)
+            .await?
+            .ok_or(AppError::NotFoundUser)?;
+
+    if let Some(key) = existing.0 {
+        tx.commit().await?;
         return Ok(key);
     }
 
+    // Generate and store new key atomically
     let new_key = generate_api_key();
     sqlx::query("UPDATE users SET api_key = $1 WHERE id = $2")
         .bind(&new_key)
         .bind(user_id)
-        .execute(pool)
+        .execute(&mut *tx)
         .await?;
+
+    tx.commit().await?;
     Ok(new_key)
 }
 

crates/secrets-core/src/service/user.rs

@@ -16,14 +16,17 @@ pub struct OAuthProfile {
 /// Find or create a user from an OAuth profile.
 /// Returns (user, is_new) where is_new indicates first-time registration.
 pub async fn find_or_create_user(pool: &PgPool, profile: OAuthProfile) -> Result<(User, bool)> {
-    // Check if this OAuth account already exists
+    // Use a transaction with FOR UPDATE to prevent TOCTOU race conditions
+    let mut tx = pool.begin().await?;
+
+    // Check if this OAuth account already exists (with row lock)
     let existing: Option<OauthAccount> = sqlx::query_as(
         "SELECT id, user_id, provider, provider_id, email, name, avatar_url, created_at \
-         FROM oauth_accounts WHERE provider = $1 AND provider_id = $2",
+         FROM oauth_accounts WHERE provider = $1 AND provider_id = $2 FOR UPDATE",
     )
     .bind(&profile.provider)
     .bind(&profile.provider_id)
-    .fetch_optional(pool)
+    .fetch_optional(&mut *tx)
     .await?;
 
     if let Some(oa) = existing {
@@ -32,8 +35,9 @@ pub async fn find_or_create_user(pool: &PgPool, profile: OAuthProfile) -> Result
              FROM users WHERE id = $1",
         )
         .bind(oa.user_id)
-        .fetch_one(pool)
+        .fetch_one(&mut *tx)
         .await?;
+        tx.commit().await?;
         return Ok((user, false));
     }
 
@@ -43,8 +47,6 @@ pub async fn find_or_create_user(pool: &PgPool, profile: OAuthProfile) -> Result
         .clone()
         .unwrap_or_else(|| profile.email.clone().unwrap_or_else(|| "User".to_string()));
 
-    let mut tx = pool.begin().await?;
-
     let user: User = sqlx::query_as(
         "INSERT INTO users (email, name, avatar_url) \
          VALUES ($1, $2, $3) \
@@ -125,13 +127,16 @@ pub async fn bind_oauth_account(
     user_id: Uuid,
     profile: OAuthProfile,
 ) -> Result<OauthAccount> {
-    // Check if this provider_id is already linked to someone else
+    // Use a transaction with FOR UPDATE to prevent TOCTOU race conditions
+    let mut tx = pool.begin().await?;
+
+    // Check if this provider_id is already linked to someone else (with row lock)
     let conflict: Option<(Uuid,)> = sqlx::query_as(
-        "SELECT user_id FROM oauth_accounts WHERE provider = $1 AND provider_id = $2",
+        "SELECT user_id FROM oauth_accounts WHERE provider = $1 AND provider_id = $2 FOR UPDATE",
     )
     .bind(&profile.provider)
     .bind(&profile.provider_id)
-    .fetch_optional(pool)
+    .fetch_optional(&mut *tx)
     .await?;
 
     if let Some((existing_user_id,)) = conflict {
@@ -148,11 +153,11 @@ pub async fn bind_oauth_account(
     }
 
     let existing_provider_for_user: Option<(String,)> = sqlx::query_as(
-        "SELECT provider_id FROM oauth_accounts WHERE user_id = $1 AND provider = $2",
+        "SELECT provider_id FROM oauth_accounts WHERE user_id = $1 AND provider = $2 FOR UPDATE",
     )
     .bind(user_id)
     .bind(&profile.provider)
-    .fetch_optional(pool)
+    .fetch_optional(&mut *tx)
     .await?;
 
     if existing_provider_for_user.is_some() {
@@ -174,9 +179,10 @@ pub async fn bind_oauth_account(
     .bind(&profile.email)
     .bind(&profile.name)
     .bind(&profile.avatar_url)
-    .fetch_one(pool)
+    .fetch_one(&mut *tx)
     .await?;
 
+    tx.commit().await?;
     Ok(account)
 }