From 61d4f8ce634c4e47fc799924a2027b76e6552d07 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 13:11:49 +0100
Subject: [PATCH 01/32] First draft of auth via remotes endpoint

---
 src/app/api/proxy/route.ts                    |  70 +----------
 .../checkIfJsonOrYaml.ts                      |  12 ++
 .../downloadFile.ts                           |  58 +++++++++
 .../[encodedRemoteSpecification]/route.ts     | 110 ++++++++++++++++++
 .../projects/data/GitHubProjectDataSource.ts  |   2 +-
 5 files changed, 183 insertions(+), 69 deletions(-)
 create mode 100644 src/app/api/remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml.ts
 create mode 100644 src/app/api/remotes/[encodedRemoteSpecification]/downloadFile.ts
 create mode 100644 src/app/api/remotes/[encodedRemoteSpecification]/route.ts

diff --git a/src/app/api/proxy/route.ts b/src/app/api/proxy/route.ts
index 256ee955..ee606f0c 100644
--- a/src/app/api/proxy/route.ts
+++ b/src/app/api/proxy/route.ts
@@ -1,7 +1,8 @@
 import { NextRequest, NextResponse } from "next/server"
 import { env, makeAPIErrorResponse, makeUnauthenticatedAPIErrorResponse } from "@/common"
 import { session } from "@/composition"
-import { parse as parseYaml } from "yaml"
+import { downloadFile } from "../remotes/[encodedRemoteSpecification]/downloadFile"
+import { checkIfJsonOrYaml } from "../remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml"
 
 const ErrorName = {
   MAX_FILE_SIZE_EXCEEDED: "MaxFileSizeExceededError",
@@ -46,70 +47,3 @@ export async function GET(req: NextRequest) {
     }
   }
 }
-
-async function downloadFile(params: {
-  url: URL,
-  maxBytes: number,
-  timeoutInSeconds: number
-}): Promise<string> {
-  const { url, maxBytes, timeoutInSeconds } = params
-  const abortController = new AbortController()
-  const timeoutSignal = AbortSignal.timeout(timeoutInSeconds * 1000)
-  const headers: {[key: string]: string} = {}
-  // Extract basic auth from URL and construct an Authorization header instead.
-  if ((url.username && url.username.length > 0) || (url.password && url.password.length > 0)) {
-    const username = decodeURIComponent(url.username)
-    const password = decodeURIComponent(url.password)
-    headers["Authorization"] = "Basic " + btoa(`${username}:${password}`)
-  }
-  // Make sure basic auth is removed from URL.
-  const urlWithoutAuth = url
-  urlWithoutAuth.username = ""
-  urlWithoutAuth.password = ""
-  const response = await fetch(urlWithoutAuth, {
-    method: "GET",
-    headers,
-    signal: AbortSignal.any([abortController.signal, timeoutSignal])
-  })
-  if (!response.body) {
-    throw new Error("Response body unavailable")
-  }
-  let totalBytes = 0
-  let didExceedMaxBytes = false
-  const reader = response.body.getReader()
-  const chunks: Uint8Array[] = []
-  // eslint-disable-next-line no-constant-condition
-  while (true) {
-    // eslint-disable-next-line no-await-in-loop
-    const { done, value } = await reader.read()
-    if (done) {
-      break
-    }
-    totalBytes += value.length
-    chunks.push(value)
-    if (totalBytes >= maxBytes) {
-      didExceedMaxBytes = true
-      abortController.abort()
-      break
-    }
-  }
-  if (didExceedMaxBytes) {
-    const error = new Error("Maximum file size exceeded")
-    error.name = ErrorName.MAX_FILE_SIZE_EXCEEDED
-    throw error
-  }
-  const blob = new Blob(chunks)
-  const arrayBuffer = await blob.arrayBuffer()
-  const decoder = new TextDecoder()
-  return decoder.decode(arrayBuffer)
-}
-
-function checkIfJsonOrYaml(fileText: string) {
-  try {
-    parseYaml(fileText) // will also parse JSON as it is a subset of YAML
-  } catch {
-    const error = new Error("File is not JSON or YAML")
-    error.name = ErrorName.NOT_JSON_OR_YAML
-    throw error
-  }
-}
diff --git a/src/app/api/remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml.ts b/src/app/api/remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml.ts
new file mode 100644
index 00000000..6668814f
--- /dev/null
+++ b/src/app/api/remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml.ts
@@ -0,0 +1,12 @@
+import { parse as parseYaml } from "yaml"
+import { ErrorName } from "./route"
+
+export function checkIfJsonOrYaml(fileText: string) {
+  try {
+    parseYaml(fileText) // will also parse JSON as it is a subset of YAML
+  } catch {
+    const error = new Error("File is not JSON or YAML")
+    error.name = ErrorName.NOT_JSON_OR_YAML
+    throw error
+  }
+}
diff --git a/src/app/api/remotes/[encodedRemoteSpecification]/downloadFile.ts b/src/app/api/remotes/[encodedRemoteSpecification]/downloadFile.ts
new file mode 100644
index 00000000..cb95a6f7
--- /dev/null
+++ b/src/app/api/remotes/[encodedRemoteSpecification]/downloadFile.ts
@@ -0,0 +1,58 @@
+import { ErrorName } from "./route";
+
+export async function downloadFile(params: {
+  url: URL;
+  maxBytes: number;
+  timeoutInSeconds: number;
+  basicAuthUsername?: string;
+  basicAuthPassword?: string;
+}): Promise<string> {
+  const { url, maxBytes, timeoutInSeconds, basicAuthUsername, basicAuthPassword } = params;
+  const abortController = new AbortController();
+  const timeoutSignal = AbortSignal.timeout(timeoutInSeconds * 1000);
+  const headers: { [key: string]: string; } = {};
+  // Extract basic auth from URL and construct an Authorization header instead.
+  if (basicAuthUsername && basicAuthPassword) {
+    headers["Authorization"] = "Basic " + btoa(`${basicAuthUsername}:${basicAuthPassword}`);
+  }
+  // Make sure basic auth is removed from URL.
+  const urlWithoutAuth = url;
+  urlWithoutAuth.username = "";
+  urlWithoutAuth.password = "";
+  const response = await fetch(urlWithoutAuth, {
+    method: "GET",
+    headers,
+    signal: AbortSignal.any([abortController.signal, timeoutSignal])
+  });
+  if (!response.body) {
+    throw new Error("Response body unavailable");
+  }
+  let totalBytes = 0;
+  let didExceedMaxBytes = false;
+  const reader = response.body.getReader();
+  const chunks: Uint8Array[] = [];
+  // eslint-disable-next-line no-constant-condition
+  while (true) {
+    // eslint-disable-next-line no-await-in-loop
+    const { done, value } = await reader.read();
+    if (done) {
+      break;
+    }
+    totalBytes += value.length;
+    chunks.push(value);
+    if (totalBytes >= maxBytes) {
+      didExceedMaxBytes = true;
+      abortController.abort();
+      break;
+    }
+  }
+  if (didExceedMaxBytes) {
+    const error = new Error("Maximum file size exceeded");
+    error.name = ErrorName.MAX_FILE_SIZE_EXCEEDED;
+    throw error;
+  }
+  const blob = new Blob(chunks);
+  const arrayBuffer = await blob.arrayBuffer();
+  const decoder = new TextDecoder();
+  return decoder.decode(arrayBuffer);
+}
diff --git a/src/app/api/remotes/[encodedRemoteSpecification]/route.ts b/src/app/api/remotes/[encodedRemoteSpecification]/route.ts
new file mode 100644
index 00000000..94362cf2
--- /dev/null
+++ b/src/app/api/remotes/[encodedRemoteSpecification]/route.ts
@@ -0,0 +1,110 @@
+import { NextRequest, NextResponse } from "next/server"
+import { session } from "@/composition"
+import { env, makeAPIErrorResponse, makeUnauthenticatedAPIErrorResponse } from "@/common"
+import { privateDecrypt, constants } from 'crypto'
+import { z } from 'zod';
+import { downloadFile } from "./downloadFile";
+import { checkIfJsonOrYaml } from "./checkIfJsonOrYaml";
+
+export const ErrorName = {
+  MAX_FILE_SIZE_EXCEEDED: "MaxFileSizeExceededError",
+  TIMEOUT: "TimeoutError",
+  NOT_JSON_OR_YAML: "NotJsonOrYamlError",
+}
+
+interface RemoteSpecificationParams {
+  encodedRemoteSpecification: string
+}
+
+const AuthSchema = z.object({
+  type: z.string(),
+  username: z.string(),
+  password: z.string(),
+});
+type Auth = z.infer<typeof AuthSchema>;
+
+const RemoteSpecificationSchema = z.object({
+  url: z.string().url(),
+  auth: AuthSchema.optional(),
+});
+type RemoteSpecification = z.infer<typeof RemoteSpecificationSchema>;
+
+const privateKey = `-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPvqSIXsEJIHro
+Mw3Lsxmq91LVVBCEnIYZO4rVBk2mdA7FADwqfv/2T0tA49eYd8RcZp8CHWDmK36a
+OVsN3sMy3Lh7YwaIFqOAyD6gm1hPlpb0oJE4U3a9aZXh9WnaWepCKNHJhxSWhlL2
+6h+miv8vblSFvG+6v0FVbh4obXDMbp/ruf+BHZEns+KMczkQp5HaNHLRVoeW76n8
+E473cM4kdSeJBSJmcSdhMB+b0P1QypozbJxqh+tztMPdqf9w58QKFE4KTqyVE/pw
+RnLCBN31YaD6CL3VtGGHJdZwKqLfEWfnRvWBu87HOJHwVXCTAW8osbLXI5SdZAfJ
+bTEcSaXTAgMBAAECggEAAaf9zQZXwg8NJAn68pm0FkJc0geqFmlqQjaxy2ISBvSq
+o+bS8RAnl7UdZphuTJ7hhAEhj+H3Wa3ufCfLc1DMHu2Qw+yELtB6Do8lSG6CMkaK
+8z95jcLrnWwuAx5AH6tmgodtglCHA9r8t+pf+zEyzBvDzEHB+FaBhVJ5i3CaOgnn
+sldRDFXPbIK5vp9znNmJiCttdFh4o1zClVybH+GdDXERlal9zBAdOGR9RQsW5Ps8
+rEldFdInFdW2Jwzg1Q2AMu0+uxdpGDX2s//jp6q99W4VZFrq1NAoqfGDAaRePJ23
+w5K1qoLTXF+IkvBRK749SznUcZyE4ZmLHJoKCVjMYQKBgQDxulf0fw1h1+jQ9OmC
+Dim8UV82WyjOknDyhpdpHauhcPQQwMDgF6ugZA5H5HZRAnjWNctEcQ72V+ET/6eU
+9SUmvnI6z+gd/eJGGKQxkNoTaWkkRqc6RSBwiVUc1Fv3x0nqhtd65VGIi6i6psUn
+gnLvMI1QxANtcgXdb3qp1pBAGQKBgQDcAqbJ/5BgiYGgef/QoyRTI6M8ZQWJ4lf9
+xrYzY+96T8JNEBshFu3gqCOclcV8jS21BTbWudpyhDradmdRRsypYTJh0HBxfzd2
+gXsMZ27jDMQ8q91xhgaziEGTVKrx/02dHJaLUza6MqkfVVyAzWDx0Hu6sN5Qxe4D
+8bBSmO+iywKBgC0t7+yBpqWn7hrH+7DUJtbMuqf1J85cLoIVx8zcv8xfyS4saKA5
+rFlA+i5TtA12EdGvojs7illemXHccZz0qKnyJHV7kF2yqw0A5AdjlG7WX9Fo5y6L
+5wFBmcfWpQ3NkLIl27Zbj/6eY73nF6hHyGWORItY528YRaJaiKmfsbxZAoGBAJUW
+6uW53KG+rOwNoHBHDaeVX9neb2lny876aJ/cmf0drYLBZlD/E8YIytEioUhs90tT
+ND1AhqrRtnwyfoMSYkBp0FV+haQz3GbfCX53XSpZjWW75X03oLTqod1wI8OICZVt
+OQtDIbP9/qNwGhZils5nRGFX19+OsWNU1fKzFrkPAoGARA4wcLbshkxX6KGhfE5x
+LB1apVkCG0y6jUAq4469svfpeILUtqgNBMBWYa9O7ID5NSfRn5DjyEl9U3SYz0H4
+psXP4eE1x86Lz37lAuXPpnrtE93xiRVFMYB3KXdyeGlTpwKLSGbf8pex85yrQU42
+CKpLoFTucpZ0hyD+upn2KMI=
+-----END PRIVATE KEY-----`
+
+export async function GET(req: NextRequest, { params }: { params: RemoteSpecificationParams }) {
+  const isAuthenticated = await session.getIsAuthenticated()
+  if (!isAuthenticated) {
+    return makeUnauthenticatedAPIErrorResponse()
+  }
+
+  const encryptedRemoteSpecification = decodeURIComponent(params.encodedRemoteSpecification)
+
+  // Decrypt the encrypted specification
+  const decryptedRemoteSpecification = privateDecrypt(
+    {
+      key: privateKey,
+      padding: constants.RSA_PKCS1_OAEP_PADDING,
+      oaepHash: 'sha256'
+    },
+    Buffer.from(encryptedRemoteSpecification, 'base64')
+  ).toString('utf-8')
+
+  const remoteSpecification: RemoteSpecification = RemoteSpecificationSchema.parse(JSON.parse(decryptedRemoteSpecification))
+
+  console.log(remoteSpecification)
+
+  let url: URL
+  try {
+    url = new URL(remoteSpecification.url)
+  } catch {
+    return makeAPIErrorResponse(400, "Invalid \"url\" query parameter.")
+  }
+  try {
+    const maxMegabytes = Number(env.getOrThrow("PROXY_API_MAXIMUM_FILE_SIZE_IN_MEGABYTES"))
+    const timeoutInSeconds = Number(env.getOrThrow("PROXY_API_TIMEOUT_IN_SECONDS"))
+    const maxBytes = maxMegabytes * 1024 * 1024
+    const fileText = await downloadFile({ url, maxBytes, timeoutInSeconds, basicAuthUsername: remoteSpecification.auth?.username, basicAuthPassword: remoteSpecification.auth?.password })
+    checkIfJsonOrYaml(fileText)
+    return new NextResponse(fileText, { status: 200, headers: { "Content-Type": "text/plain" } })
+  } catch (error) {
+    if (error instanceof Error == false) {
+      return makeAPIErrorResponse(500, "An unknown error occurred.")
+    }
+    if (error.name === ErrorName.MAX_FILE_SIZE_EXCEEDED) {
+      return makeAPIErrorResponse(413, "The operation was aborted.")
+    } else if (error.name === ErrorName.TIMEOUT) {
+      return makeAPIErrorResponse(408, "The operation timed out.")
+    } else if (error.name === ErrorName.NOT_JSON_OR_YAML) {
+      return makeAPIErrorResponse(400, "Url does not point to a JSON or YAML file.")
+    } else {
+      return makeAPIErrorResponse(500, error.message)
+    }
+  }
+}
diff --git a/src/features/projects/data/GitHubProjectDataSource.ts b/src/features/projects/data/GitHubProjectDataSource.ts
index bc79fe25..bd186693 100644
--- a/src/features/projects/data/GitHubProjectDataSource.ts
+++ b/src/features/projects/data/GitHubProjectDataSource.ts
@@ -170,7 +170,7 @@ export default class GitHubProjectDataSource implements IProjectDataSource {
         return {
           id: this.makeURLSafeID((e.id || e.name).toLowerCase()),
           name: e.name,
-          url: `/api/proxy?url=${encodeURIComponent(e.url)}`
+          url: "/api/remotes/EKNYViMOSUnJggD4c4UwEoOGkGKZIPjWtijfeoYqgrkRP%2FIwXa770oxwRsVTdVFzmbjWuartdrUhUjkq7EyT4m3NBQOph0UaRTQhFgxm4Q5v2KJ%2BkhJ6TTKwiEgEdS%2BdOvTzAzXtk80T4amaNdeET9JVGJo0y8G47qtUIZCWmyzxamTnOJYOhkj4NcH9XlyafghwUV%2FO%2FAShlzwscFPy%2BlDFuhl8jmYV4fvClI2%2F4iFyew%2Bg5LGvNXPTS8wEZcz9GBKrcgSE6ScK3oeAGesKPyYblkKiU7dAxi%2FlRs9jiKQId%2BEFLWFcDgNw8aLDyZjKMT2u4gF9dfLx4iRQhaJ7KQ%3D%3D"
         }
       })
       versions.push({

From ef793d5b70dcb31fcf64c4ba7d909ccca5e192d0 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 13:32:01 +0100
Subject: [PATCH 02/32] Introduce encryption service

---
 .env.example                                  |   2 +
 src/app/api/proxy/route.ts                    |   9 +-
 .../checkIfJsonOrYaml.ts                      |  12 --
 .../downloadFile.ts                           |  58 ---------
 .../[encodedRemoteSpecification]/route.ts     | 110 ------------------
 .../remotes/[encryptedRemoteConfig]/route.ts  |  72 ++++++++++++
 src/common/encryption/EncryptionService.ts    |  42 +++++++
 src/common/utils/fileUtils.ts                 |  74 ++++++++++++
 src/composition.ts                            |   8 +-
 9 files changed, 198 insertions(+), 189 deletions(-)
 delete mode 100644 src/app/api/remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml.ts
 delete mode 100644 src/app/api/remotes/[encodedRemoteSpecification]/downloadFile.ts
 delete mode 100644 src/app/api/remotes/[encodedRemoteSpecification]/route.ts
 create mode 100644 src/app/api/remotes/[encryptedRemoteConfig]/route.ts
 create mode 100644 src/common/encryption/EncryptionService.ts
 create mode 100644 src/common/utils/fileUtils.ts

diff --git a/.env.example b/.env.example
index 1e98a941..239f191a 100644
--- a/.env.example
+++ b/.env.example
@@ -22,3 +22,5 @@ GITHUB_CLIENT_ID=GitHub App client ID
 GITHUB_CLIENT_SECRET=GitHub App client secret
 GITHUB_APP_ID=123456
 GITHUB_PRIVATE_KEY_BASE_64=base 64 encoded version of the private key - see README.md for more info
+ENCRYPTION_PUBLIC_KEY_BASE_64=base 64 encoded version of the public key
+ENCRYPTION_PRIVATE_KEY_BASE_64=base 64 encoded version of the private key
diff --git a/src/app/api/proxy/route.ts b/src/app/api/proxy/route.ts
index ee606f0c..3a1e2716 100644
--- a/src/app/api/proxy/route.ts
+++ b/src/app/api/proxy/route.ts
@@ -1,14 +1,7 @@
 import { NextRequest, NextResponse } from "next/server"
 import { env, makeAPIErrorResponse, makeUnauthenticatedAPIErrorResponse } from "@/common"
 import { session } from "@/composition"
-import { downloadFile } from "../remotes/[encodedRemoteSpecification]/downloadFile"
-import { checkIfJsonOrYaml } from "../remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml"
-
-const ErrorName = {
-  MAX_FILE_SIZE_EXCEEDED: "MaxFileSizeExceededError",
-  TIMEOUT: "TimeoutError",
-  NOT_JSON_OR_YAML: "NotJsonOrYamlError",
-}
+import { checkIfJsonOrYaml, downloadFile, ErrorName } from "@/common/utils/fileUtils"
 
 export async function GET(req: NextRequest) {
   const isAuthenticated = await session.getIsAuthenticated()
diff --git a/src/app/api/remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml.ts b/src/app/api/remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml.ts
deleted file mode 100644
index 6668814f..00000000
--- a/src/app/api/remotes/[encodedRemoteSpecification]/checkIfJsonOrYaml.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-import { parse as parseYaml } from "yaml"
-import { ErrorName } from "./route"
-
-export function checkIfJsonOrYaml(fileText: string) {
-  try {
-    parseYaml(fileText) // will also parse JSON as it is a subset of YAML
-  } catch {
-    const error = new Error("File is not JSON or YAML")
-    error.name = ErrorName.NOT_JSON_OR_YAML
-    throw error
-  }
-}
diff --git a/src/app/api/remotes/[encodedRemoteSpecification]/downloadFile.ts b/src/app/api/remotes/[encodedRemoteSpecification]/downloadFile.ts
deleted file mode 100644
index cb95a6f7..00000000
--- a/src/app/api/remotes/[encodedRemoteSpecification]/downloadFile.ts
+++ /dev/null
@@ -1,58 +0,0 @@
-import { ErrorName } from "./route";
-
-export async function downloadFile(params: {
-  url: URL;
-  maxBytes: number;
-  timeoutInSeconds: number;
-  basicAuthUsername?: string;
-  basicAuthPassword?: string;
-}): Promise<string> {
-  const { url, maxBytes, timeoutInSeconds, basicAuthUsername, basicAuthPassword } = params;
-  const abortController = new AbortController();
-  const timeoutSignal = AbortSignal.timeout(timeoutInSeconds * 1000);
-  const headers: { [key: string]: string; } = {};
-  // Extract basic auth from URL and construct an Authorization header instead.
-  if (basicAuthUsername && basicAuthPassword) {
-    headers["Authorization"] = "Basic " + btoa(`${basicAuthUsername}:${basicAuthPassword}`);
-  }
-  // Make sure basic auth is removed from URL.
-  const urlWithoutAuth = url;
-  urlWithoutAuth.username = "";
-  urlWithoutAuth.password = "";
-  const response = await fetch(urlWithoutAuth, {
-    method: "GET",
-    headers,
-    signal: AbortSignal.any([abortController.signal, timeoutSignal])
-  });
-  if (!response.body) {
-    throw new Error("Response body unavailable");
-  }
-  let totalBytes = 0;
-  let didExceedMaxBytes = false;
-  const reader = response.body.getReader();
-  const chunks: Uint8Array[] = [];
-  // eslint-disable-next-line no-constant-condition
-  while (true) {
-    // eslint-disable-next-line no-await-in-loop
-    const { done, value } = await reader.read();
-    if (done) {
-      break;
-    }
-    totalBytes += value.length;
-    chunks.push(value);
-    if (totalBytes >= maxBytes) {
-      didExceedMaxBytes = true;
-      abortController.abort();
-      break;
-    }
-  }
-  if (didExceedMaxBytes) {
-    const error = new Error("Maximum file size exceeded");
-    error.name = ErrorName.MAX_FILE_SIZE_EXCEEDED;
-    throw error;
-  }
-  const blob = new Blob(chunks);
-  const arrayBuffer = await blob.arrayBuffer();
-  const decoder = new TextDecoder();
-  return decoder.decode(arrayBuffer);
-}
diff --git a/src/app/api/remotes/[encodedRemoteSpecification]/route.ts b/src/app/api/remotes/[encodedRemoteSpecification]/route.ts
deleted file mode 100644
index 94362cf2..00000000
--- a/src/app/api/remotes/[encodedRemoteSpecification]/route.ts
+++ /dev/null
@@ -1,110 +0,0 @@
-import { NextRequest, NextResponse } from "next/server"
-import { session } from "@/composition"
-import { env, makeAPIErrorResponse, makeUnauthenticatedAPIErrorResponse } from "@/common"
-import { privateDecrypt, constants } from 'crypto'
-import { z } from 'zod';
-import { downloadFile } from "./downloadFile";
-import { checkIfJsonOrYaml } from "./checkIfJsonOrYaml";
-
-export const ErrorName = {
-  MAX_FILE_SIZE_EXCEEDED: "MaxFileSizeExceededError",
-  TIMEOUT: "TimeoutError",
-  NOT_JSON_OR_YAML: "NotJsonOrYamlError",
-}
-
-interface RemoteSpecificationParams {
-  encodedRemoteSpecification: string
-}
-
-const AuthSchema = z.object({
-  type: z.string(),
-  username: z.string(),
-  password: z.string(),
-});
-type Auth = z.infer<typeof AuthSchema>;
-
-const RemoteSpecificationSchema = z.object({
-  url: z.string().url(),
-  auth: AuthSchema.optional(),
-});
-type RemoteSpecification = z.infer<typeof RemoteSpecificationSchema>;
-
-const privateKey = `-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPvqSIXsEJIHro
-Mw3Lsxmq91LVVBCEnIYZO4rVBk2mdA7FADwqfv/2T0tA49eYd8RcZp8CHWDmK36a
-OVsN3sMy3Lh7YwaIFqOAyD6gm1hPlpb0oJE4U3a9aZXh9WnaWepCKNHJhxSWhlL2
-6h+miv8vblSFvG+6v0FVbh4obXDMbp/ruf+BHZEns+KMczkQp5HaNHLRVoeW76n8
-E473cM4kdSeJBSJmcSdhMB+b0P1QypozbJxqh+tztMPdqf9w58QKFE4KTqyVE/pw
-RnLCBN31YaD6CL3VtGGHJdZwKqLfEWfnRvWBu87HOJHwVXCTAW8osbLXI5SdZAfJ
-bTEcSaXTAgMBAAECggEAAaf9zQZXwg8NJAn68pm0FkJc0geqFmlqQjaxy2ISBvSq
-o+bS8RAnl7UdZphuTJ7hhAEhj+H3Wa3ufCfLc1DMHu2Qw+yELtB6Do8lSG6CMkaK
-8z95jcLrnWwuAx5AH6tmgodtglCHA9r8t+pf+zEyzBvDzEHB+FaBhVJ5i3CaOgnn
-sldRDFXPbIK5vp9znNmJiCttdFh4o1zClVybH+GdDXERlal9zBAdOGR9RQsW5Ps8
-rEldFdInFdW2Jwzg1Q2AMu0+uxdpGDX2s//jp6q99W4VZFrq1NAoqfGDAaRePJ23
-w5K1qoLTXF+IkvBRK749SznUcZyE4ZmLHJoKCVjMYQKBgQDxulf0fw1h1+jQ9OmC
-Dim8UV82WyjOknDyhpdpHauhcPQQwMDgF6ugZA5H5HZRAnjWNctEcQ72V+ET/6eU
-9SUmvnI6z+gd/eJGGKQxkNoTaWkkRqc6RSBwiVUc1Fv3x0nqhtd65VGIi6i6psUn
-gnLvMI1QxANtcgXdb3qp1pBAGQKBgQDcAqbJ/5BgiYGgef/QoyRTI6M8ZQWJ4lf9
-xrYzY+96T8JNEBshFu3gqCOclcV8jS21BTbWudpyhDradmdRRsypYTJh0HBxfzd2
-gXsMZ27jDMQ8q91xhgaziEGTVKrx/02dHJaLUza6MqkfVVyAzWDx0Hu6sN5Qxe4D
-8bBSmO+iywKBgC0t7+yBpqWn7hrH+7DUJtbMuqf1J85cLoIVx8zcv8xfyS4saKA5
-rFlA+i5TtA12EdGvojs7illemXHccZz0qKnyJHV7kF2yqw0A5AdjlG7WX9Fo5y6L
-5wFBmcfWpQ3NkLIl27Zbj/6eY73nF6hHyGWORItY528YRaJaiKmfsbxZAoGBAJUW
-6uW53KG+rOwNoHBHDaeVX9neb2lny876aJ/cmf0drYLBZlD/E8YIytEioUhs90tT
-ND1AhqrRtnwyfoMSYkBp0FV+haQz3GbfCX53XSpZjWW75X03oLTqod1wI8OICZVt
-OQtDIbP9/qNwGhZils5nRGFX19+OsWNU1fKzFrkPAoGARA4wcLbshkxX6KGhfE5x
-LB1apVkCG0y6jUAq4469svfpeILUtqgNBMBWYa9O7ID5NSfRn5DjyEl9U3SYz0H4
-psXP4eE1x86Lz37lAuXPpnrtE93xiRVFMYB3KXdyeGlTpwKLSGbf8pex85yrQU42
-CKpLoFTucpZ0hyD+upn2KMI=
------END PRIVATE KEY-----`
-
-export async function GET(req: NextRequest, { params }: { params: RemoteSpecificationParams }) {
-  const isAuthenticated = await session.getIsAuthenticated()
-  if (!isAuthenticated) {
-    return makeUnauthenticatedAPIErrorResponse()
-  }
-
-  const encryptedRemoteSpecification = decodeURIComponent(params.encodedRemoteSpecification)
-
-  // Decrypt the encrypted specification
-  const decryptedRemoteSpecification = privateDecrypt(
-    {
-      key: privateKey,
-      padding: constants.RSA_PKCS1_OAEP_PADDING,
-      oaepHash: 'sha256'
-    },
-    Buffer.from(encryptedRemoteSpecification, 'base64')
-  ).toString('utf-8')
-
-  const remoteSpecification: RemoteSpecification = RemoteSpecificationSchema.parse(JSON.parse(decryptedRemoteSpecification))
-
-  console.log(remoteSpecification)
-
-  let url: URL
-  try {
-    url = new URL(remoteSpecification.url)
-  } catch {
-    return makeAPIErrorResponse(400, "Invalid \"url\" query parameter.")
-  }
-  try {
-    const maxMegabytes = Number(env.getOrThrow("PROXY_API_MAXIMUM_FILE_SIZE_IN_MEGABYTES"))
-    const timeoutInSeconds = Number(env.getOrThrow("PROXY_API_TIMEOUT_IN_SECONDS"))
-    const maxBytes = maxMegabytes * 1024 * 1024
-    const fileText = await downloadFile({ url, maxBytes, timeoutInSeconds, basicAuthUsername: remoteSpecification.auth?.username, basicAuthPassword: remoteSpecification.auth?.password })
-    checkIfJsonOrYaml(fileText)
-    return new NextResponse(fileText, { status: 200, headers: { "Content-Type": "text/plain" } })
-  } catch (error) {
-    if (error instanceof Error == false) {
-      return makeAPIErrorResponse(500, "An unknown error occurred.")
-    }
-    if (error.name === ErrorName.MAX_FILE_SIZE_EXCEEDED) {
-      return makeAPIErrorResponse(413, "The operation was aborted.")
-    } else if (error.name === ErrorName.TIMEOUT) {
-      return makeAPIErrorResponse(408, "The operation timed out.")
-    } else if (error.name === ErrorName.NOT_JSON_OR_YAML) {
-      return makeAPIErrorResponse(400, "Url does not point to a JSON or YAML file.")
-    } else {
-      return makeAPIErrorResponse(500, error.message)
-    }
-  }
-}
diff --git a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
new file mode 100644
index 00000000..c0477992
--- /dev/null
+++ b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
@@ -0,0 +1,72 @@
+import { NextRequest, NextResponse } from "next/server"
+import { encryptionService, session } from "@/composition"
+import { env, makeAPIErrorResponse, makeUnauthenticatedAPIErrorResponse } from "@/common"
+import { z } from 'zod';
+import { downloadFile, checkIfJsonOrYaml, ErrorName } from "@/common/utils/fileUtils";
+
+interface RemoteSpecificationParams {
+  encryptedRemoteConfig: string // encrypted and URL encoded JSON string
+}
+
+const RemoteSpecAuthSchema = z.object({
+  type: z.string(),
+  username: z.string(),
+  password: z.string(),
+});
+type RemoteSpecAuth = z.infer<typeof RemoteSpecAuthSchema>;
+
+const RemoteConfigSchema = z.object({
+  url: z.string().url(),
+  auth: RemoteSpecAuthSchema.optional(),
+});
+type RemoteConfig = z.infer<typeof RemoteConfigSchema>;
+
+export async function GET(req: NextRequest, { params }: { params: RemoteSpecificationParams }) {
+  const isAuthenticated = await session.getIsAuthenticated()
+  if (!isAuthenticated) {
+    return makeUnauthenticatedAPIErrorResponse()
+  }
+
+  const decodedEncryptedRemoteConfig = decodeURIComponent(params.encryptedRemoteConfig)
+
+  const decryptedRemoteConfig = encryptionService.decrypt(decodedEncryptedRemoteConfig)
+
+  const remoteConfig = RemoteConfigSchema.parse(JSON.parse(decryptedRemoteConfig))
+
+  let url: URL
+  try {
+    url = new URL(remoteConfig.url)
+  } catch {
+    return makeAPIErrorResponse(400, "Invalid \"url\" query parameter.")
+  }
+  try {
+    const maxMegabytes = Number(env.getOrThrow("PROXY_API_MAXIMUM_FILE_SIZE_IN_MEGABYTES"))
+    const timeoutInSeconds = Number(env.getOrThrow("PROXY_API_TIMEOUT_IN_SECONDS"))
+    const maxBytes = maxMegabytes * 1024 * 1024
+    
+    const fileText = await downloadFile({ 
+      url, 
+      maxBytes, 
+      timeoutInSeconds, 
+      basicAuthUsername: remoteConfig.auth?.username, 
+      basicAuthPassword: remoteConfig.auth?.password 
+    })
+    
+    checkIfJsonOrYaml(fileText)
+    
+    return new NextResponse(fileText, { status: 200, headers: { "Content-Type": "text/plain" } })
+  } catch (error) {
+    if (error instanceof Error == false) {
+      return makeAPIErrorResponse(500, "An unknown error occurred.")
+    }
+    if (error.name === ErrorName.MAX_FILE_SIZE_EXCEEDED) {
+      return makeAPIErrorResponse(413, "The operation was aborted.")
+    } else if (error.name === ErrorName.TIMEOUT) {
+      return makeAPIErrorResponse(408, "The operation timed out.")
+    } else if (error.name === ErrorName.NOT_JSON_OR_YAML) {
+      return makeAPIErrorResponse(400, "Url does not point to a JSON or YAML file.")
+    } else {
+      return makeAPIErrorResponse(500, error.message)
+    }
+  }
+}
diff --git a/src/common/encryption/EncryptionService.ts b/src/common/encryption/EncryptionService.ts
new file mode 100644
index 00000000..9a58ba4d
--- /dev/null
+++ b/src/common/encryption/EncryptionService.ts
@@ -0,0 +1,42 @@
+import { publicEncrypt, privateDecrypt, constants } from 'crypto';
+
+interface IEncryptionService {
+    encrypt(data: string): string;
+    decrypt(encryptedDataBase64: string): string;
+}
+
+class RsaEncryptionService implements IEncryptionService {
+    private publicKey: string;
+    private privateKey: string;
+
+    constructor({ publicKey, privateKey }: { publicKey: string; privateKey: string }) {
+        this.publicKey = publicKey;
+        this.privateKey = privateKey;
+    }
+
+    encrypt(data: string): string {
+        const buffer = Buffer.from(data, 'utf-8');
+        const encrypted = publicEncrypt(
+            {
+                key: this.publicKey,
+                padding: constants.RSA_PKCS1_OAEP_PADDING,
+                oaepHash: 'sha256'
+            },
+            buffer
+        );
+        return encrypted.toString('base64');
+    }
+
+    decrypt(encryptedDataBase64: string): string {
+        return privateDecrypt(
+              {
+                key: this.privateKey,
+                padding: constants.RSA_PKCS1_OAEP_PADDING,
+                oaepHash: 'sha256'
+              },
+              Buffer.from(encryptedDataBase64, 'base64')
+            ).toString('utf-8')
+    }
+}
+
+export default RsaEncryptionService;
diff --git a/src/common/utils/fileUtils.ts b/src/common/utils/fileUtils.ts
new file mode 100644
index 00000000..8308e1f9
--- /dev/null
+++ b/src/common/utils/fileUtils.ts
@@ -0,0 +1,74 @@
+import { parse as parseYaml } from "yaml"
+
+export const ErrorName = {
+    MAX_FILE_SIZE_EXCEEDED: "MaxFileSizeExceededError",
+    TIMEOUT: "TimeoutError",
+    NOT_JSON_OR_YAML: "NotJsonOrYamlError",
+}
+
+export async function downloadFile(params: {
+    url: URL;
+    maxBytes: number;
+    timeoutInSeconds: number;
+    basicAuthUsername?: string;
+    basicAuthPassword?: string;
+}): Promise<string> {
+    const { url, maxBytes, timeoutInSeconds, basicAuthUsername, basicAuthPassword } = params;
+    const abortController = new AbortController();
+    const timeoutSignal = AbortSignal.timeout(timeoutInSeconds * 1000);
+    const headers: { [key: string]: string; } = {};
+    // Extract basic auth from URL and construct an Authorization header instead.
+    if (basicAuthUsername && basicAuthPassword) {
+        headers["Authorization"] = "Basic " + btoa(`${basicAuthUsername}:${basicAuthPassword}`);
+    }
+    // Make sure basic auth is removed from URL.
+    const urlWithoutAuth = url;
+    urlWithoutAuth.username = "";
+    urlWithoutAuth.password = "";
+    const response = await fetch(urlWithoutAuth, {
+        method: "GET",
+        headers,
+        signal: AbortSignal.any([abortController.signal, timeoutSignal])
+    });
+    if (!response.body) {
+        throw new Error("Response body unavailable");
+    }
+    let totalBytes = 0;
+    let didExceedMaxBytes = false;
+    const reader = response.body.getReader();
+    const chunks: Uint8Array[] = [];
+    // eslint-disable-next-line no-constant-condition
+    while (true) {
+        // eslint-disable-next-line no-await-in-loop
+        const { done, value } = await reader.read();
+        if (done) {
+            break;
+        }
+        totalBytes += value.length;
+        chunks.push(value);
+        if (totalBytes >= maxBytes) {
+            didExceedMaxBytes = true;
+            abortController.abort();
+            break;
+        }
+    }
+    if (didExceedMaxBytes) {
+        const error = new Error("Maximum file size exceeded");
+        error.name = ErrorName.MAX_FILE_SIZE_EXCEEDED;
+        throw error;
+    }
+    const blob = new Blob(chunks);
+    const arrayBuffer = await blob.arrayBuffer();
+    const decoder = new TextDecoder();
+    return decoder.decode(arrayBuffer);
+}
+
+export function checkIfJsonOrYaml(fileText: string) {
+    try {
+        parseYaml(fileText) // will also parse JSON as it is a subset of YAML
+    } catch {
+        const error = new Error("File is not JSON or YAML")
+        error.name = ErrorName.NOT_JSON_OR_YAML
+        throw error
+    }
+}
diff --git a/src/composition.ts b/src/composition.ts
index 8514a16b..af18122b 100644
--- a/src/composition.ts
+++ b/src/composition.ts
@@ -51,6 +51,7 @@ import {
   PullRequestCommenter
 } from "@/features/hooks/domain"
 import { RepoRestrictedGitHubClient } from "./common/github/RepoRestrictedGitHubClient"
+import RsaEncryptionService from "./common/encryption/EncryptionService"
 
 const gitHubAppCredentials = {
   appId: env.getOrThrow("GITHUB_APP_ID"),
@@ -219,4 +220,9 @@ export const gitHubHookHandler = new GitHubHookHandler({
       })
     })
   })
-})
\ No newline at end of file
+})
+
+export const encryptionService = new RsaEncryptionService({
+  publicKey: Buffer.from(env.getOrThrow("ENCRYPTION_PUBLIC_KEY_BASE_64"), "base64").toString("utf-8"),
+  privateKey: Buffer.from(env.getOrThrow("ENCRYPTION_PRIVATE_KEY_BASE_64"), "base64").toString("utf-8")
+})

From 82869a17c23e1e449641228103bd1189fb03134e Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 14:02:06 +0100
Subject: [PATCH 03/32] Add page for encrypting with public key

---
 src/app/(authed)/encrypt/action.ts  |  7 ++++
 src/app/(authed)/encrypt/layout.tsx | 20 +++++++++++
 src/app/(authed)/encrypt/page.tsx   | 53 +++++++++++++++++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 src/app/(authed)/encrypt/action.ts
 create mode 100644 src/app/(authed)/encrypt/layout.tsx
 create mode 100644 src/app/(authed)/encrypt/page.tsx

diff --git a/src/app/(authed)/encrypt/action.ts b/src/app/(authed)/encrypt/action.ts
new file mode 100644
index 00000000..ed1161c1
--- /dev/null
+++ b/src/app/(authed)/encrypt/action.ts
@@ -0,0 +1,7 @@
+'use server'
+
+import { encryptionService } from '@/composition'
+
+export async function encrypt(text: string): Promise<string> {
+    return encryptionService.encrypt(text)
+}
diff --git a/src/app/(authed)/encrypt/layout.tsx b/src/app/(authed)/encrypt/layout.tsx
new file mode 100644
index 00000000..d4114d0c
--- /dev/null
+++ b/src/app/(authed)/encrypt/layout.tsx
@@ -0,0 +1,20 @@
+import { Box, Stack } from "@mui/material"
+import SecondarySplitHeader from "@/features/sidebar/view/SecondarySplitHeader"
+
+export default function Page({ children }: { children: React.ReactNode }) {
+  return (
+    <Stack sx={{ height: "100%" }}>
+      <SecondarySplitHeader/>
+      <Box
+        sx={{
+          flexGrow: 1,
+          overflowY: "auto",
+          paddingLeft: 2,
+          paddingRight: 2
+        }}
+      >
+        {children}
+      </Box>
+    </Stack>
+  )
+}
\ No newline at end of file
diff --git a/src/app/(authed)/encrypt/page.tsx b/src/app/(authed)/encrypt/page.tsx
new file mode 100644
index 00000000..bb5fddb1
--- /dev/null
+++ b/src/app/(authed)/encrypt/page.tsx
@@ -0,0 +1,53 @@
+'use client'
+
+import { useState } from 'react'
+import { encrypt } from './action'
+import { Box, Button, TextareaAutosize, Typography } from '@mui/material'
+
+export default function EncryptPage() {
+    const [inputText, setInputText] = useState('')
+    const [encryptedText, setEncryptedText] = useState('')
+
+    const handleSubmit = async (event: React.FormEvent) => {
+        event.preventDefault()
+        const encrypted = await encrypt(inputText)
+        setEncryptedText(encrypted)
+    }
+
+    return (
+        <Box
+            display="flex"
+            alignItems="center"
+            justifyContent="center"
+            flexDirection="column"
+            height={1}
+            width={1}
+            gap={6}
+        >
+            <Typography variant="h4">
+                Encrypt text for remote config
+            </Typography>
+            <Typography variant="body1">
+                Use this to encrypt values to be used in the configuration file.<br />
+                The input text is encrypted using the public key of the server.
+            </Typography>
+            <form onSubmit={handleSubmit}>
+                <TextareaAutosize
+                    value={inputText}
+                    onChange={(e) => setInputText(e.target.value)}
+                    cols={50}
+                    minRows={10}
+                />
+                <br />
+                <Button type="submit" variant="outlined"
+                    color="primary"
+                    size="large"
+                    sx={{ height: 56, width: 1 }}
+                >Encrypt</Button>
+            </form>
+            {encryptedText && (
+                <textarea readOnly value={encryptedText} rows={10} cols={50} />
+            )}
+        </Box>
+    )
+}

From 50b3652cd9a64482fdcfc6606a8e032ccba1c48e Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 14:46:51 +0100
Subject: [PATCH 04/32] Handle auth for remote specifications

---
 .../remotes/[encryptedRemoteConfig]/route.ts  |  4 +-
 .../projects/data/GitHubProjectDataSource.ts  | 41 ++++++++++++++++---
 .../projects/domain/IProjectConfig.ts         |  7 +++-
 3 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
index c0477992..59855813 100644
--- a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
+++ b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
@@ -13,13 +13,13 @@ const RemoteSpecAuthSchema = z.object({
   username: z.string(),
   password: z.string(),
 });
-type RemoteSpecAuth = z.infer<typeof RemoteSpecAuthSchema>;
+export type RemoteSpecAuth = z.infer<typeof RemoteSpecAuthSchema>;
 
 const RemoteConfigSchema = z.object({
   url: z.string().url(),
   auth: RemoteSpecAuthSchema.optional(),
 });
-type RemoteConfig = z.infer<typeof RemoteConfigSchema>;
+export type RemoteConfig = z.infer<typeof RemoteConfigSchema>;
 
 export async function GET(req: NextRequest, { params }: { params: RemoteSpecificationParams }) {
   const isAuthenticated = await session.getIsAuthenticated()
diff --git a/src/features/projects/data/GitHubProjectDataSource.ts b/src/features/projects/data/GitHubProjectDataSource.ts
index bd186693..008e7626 100644
--- a/src/features/projects/data/GitHubProjectDataSource.ts
+++ b/src/features/projects/data/GitHubProjectDataSource.ts
@@ -9,10 +9,14 @@ import {
   GitHubRepository,
   GitHubRepositoryRef
 } from "../domain"
+import { RemoteConfig } from "@/app/api/remotes/[encryptedRemoteConfig]/route"
+import RsaEncryptionService from "@/common/encryption/EncryptionService"
+import { env } from "@/common"
 
 export default class GitHubProjectDataSource implements IProjectDataSource {
   private readonly repositoryDataSource: IGitHubRepositoryDataSource
   private readonly repositoryNameSuffix: string
+  private readonly encryptionService: RsaEncryptionService
   
   constructor(config: {
     repositoryDataSource: IGitHubRepositoryDataSource
@@ -20,6 +24,10 @@ export default class GitHubProjectDataSource implements IProjectDataSource {
   }) {
     this.repositoryDataSource = config.repositoryDataSource
     this.repositoryNameSuffix = config.repositoryNameSuffix
+    this.encryptionService = new RsaEncryptionService({
+      publicKey: Buffer.from(env.getOrThrow("ENCRYPTION_PUBLIC_KEY_BASE_64"), "base64").toString("utf-8"),
+      privateKey: Buffer.from(env.getOrThrow("ENCRYPTION_PRIVATE_KEY_BASE_64"), "base64").toString("utf-8")
+    })
   }
   
   async getProjects(): Promise<Project[]> {
@@ -167,11 +175,34 @@ export default class GitHubProjectDataSource implements IProjectDataSource {
       const existingVersionIdCount = versionIds.filter(e => e == baseVersionId).length
       const versionId = baseVersionId + (existingVersionIdCount > 0 ? existingVersionIdCount : "")
       const specifications = remoteVersion.specifications.map(e => {
-        return {
-          id: this.makeURLSafeID((e.id || e.name).toLowerCase()),
-          name: e.name,
-          url: "/api/remotes/EKNYViMOSUnJggD4c4UwEoOGkGKZIPjWtijfeoYqgrkRP%2FIwXa770oxwRsVTdVFzmbjWuartdrUhUjkq7EyT4m3NBQOph0UaRTQhFgxm4Q5v2KJ%2BkhJ6TTKwiEgEdS%2BdOvTzAzXtk80T4amaNdeET9JVGJo0y8G47qtUIZCWmyzxamTnOJYOhkj4NcH9XlyafghwUV%2FO%2FAShlzwscFPy%2BlDFuhl8jmYV4fvClI2%2F4iFyew%2Bg5LGvNXPTS8wEZcz9GBKrcgSE6ScK3oeAGesKPyYblkKiU7dAxi%2FlRs9jiKQId%2BEFLWFcDgNw8aLDyZjKMT2u4gF9dfLx4iRQhaJ7KQ%3D%3D"
-        }
+        if (e.auth) {
+          // decrypt username and password
+          const username = this.encryptionService.decrypt(e.auth.encryptedUsername)
+          const password = this.encryptionService.decrypt(e.auth.encryptedPassword)
+          // construct remote config
+          const remoteConfig: RemoteConfig = {
+            url: e.url,
+            auth: {
+              type: e.auth.type,
+              username,
+              password
+            }
+          }
+          // encrypt and encode remote config
+          const encryptedRemoteConfig = encodeURIComponent(this.encryptionService.encrypt(JSON.stringify(remoteConfig)))
+          
+          return {
+            id: this.makeURLSafeID((e.id || e.name).toLowerCase()),
+            name: e.name,
+            url: `/api/remotes/${encryptedRemoteConfig}`
+          }
+        } else {
+          return {
+            id: this.makeURLSafeID((e.id || e.name).toLowerCase()),
+            name: e.name,
+            url: `/api/proxy?url=${encodeURIComponent(e.url)}`
+          }
+      }
       })
       versions.push({
         id: versionId,
diff --git a/src/features/projects/domain/IProjectConfig.ts b/src/features/projects/domain/IProjectConfig.ts
index ef4fd74b..08e27f7c 100644
--- a/src/features/projects/domain/IProjectConfig.ts
+++ b/src/features/projects/domain/IProjectConfig.ts
@@ -3,7 +3,12 @@ import { z } from "zod"
 export const ProjectConfigRemoteSpecificationSchema = z.object({
   id: z.coerce.string().optional(),
   name: z.coerce.string(),
-  url: z.string()
+  url: z.string(),
+  auth: z.object({
+    type: z.string(),
+    encryptedUsername: z.string(),
+    encryptedPassword: z.string()
+  }).optional(),
 })
 
 export const ProjectConfigRemoteVersionSchema = z.object({

From 75ea62da4399917ca0b8e11c51278ad73ea83ae6 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 16:06:42 +0100
Subject: [PATCH 05/32] Base64 encode remote spec config

---
 .../remotes/[encryptedRemoteConfig]/route.ts  |  2 +-
 .../projects/data/GitHubProjectDataSource.ts  | 47 +++++++------------
 2 files changed, 19 insertions(+), 30 deletions(-)

diff --git a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
index 59855813..0479ade8 100644
--- a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
+++ b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
@@ -27,7 +27,7 @@ export async function GET(req: NextRequest, { params }: { params: RemoteSpecific
     return makeUnauthenticatedAPIErrorResponse()
   }
 
-  const decodedEncryptedRemoteConfig = decodeURIComponent(params.encryptedRemoteConfig)
+  const decodedEncryptedRemoteConfig = Buffer.from(params.encryptedRemoteConfig, 'base64').toString('utf-8');
 
   const decryptedRemoteConfig = encryptionService.decrypt(decodedEncryptedRemoteConfig)
 
diff --git a/src/features/projects/data/GitHubProjectDataSource.ts b/src/features/projects/data/GitHubProjectDataSource.ts
index 008e7626..571a99f1 100644
--- a/src/features/projects/data/GitHubProjectDataSource.ts
+++ b/src/features/projects/data/GitHubProjectDataSource.ts
@@ -24,7 +24,7 @@ export default class GitHubProjectDataSource implements IProjectDataSource {
   }) {
     this.repositoryDataSource = config.repositoryDataSource
     this.repositoryNameSuffix = config.repositoryNameSuffix
-    this.encryptionService = new RsaEncryptionService({
+    this.encryptionService = new RsaEncryptionService({ // TODO: Would be better to load from composition root, but causes errors
       publicKey: Buffer.from(env.getOrThrow("ENCRYPTION_PUBLIC_KEY_BASE_64"), "base64").toString("utf-8"),
       privateKey: Buffer.from(env.getOrThrow("ENCRYPTION_PRIVATE_KEY_BASE_64"), "base64").toString("utf-8")
     })
@@ -175,34 +175,23 @@ export default class GitHubProjectDataSource implements IProjectDataSource {
       const existingVersionIdCount = versionIds.filter(e => e == baseVersionId).length
       const versionId = baseVersionId + (existingVersionIdCount > 0 ? existingVersionIdCount : "")
       const specifications = remoteVersion.specifications.map(e => {
-        if (e.auth) {
-          // decrypt username and password
-          const username = this.encryptionService.decrypt(e.auth.encryptedUsername)
-          const password = this.encryptionService.decrypt(e.auth.encryptedPassword)
-          // construct remote config
-          const remoteConfig: RemoteConfig = {
-            url: e.url,
-            auth: {
-              type: e.auth.type,
-              username,
-              password
-            }
-          }
-          // encrypt and encode remote config
-          const encryptedRemoteConfig = encodeURIComponent(this.encryptionService.encrypt(JSON.stringify(remoteConfig)))
-          
-          return {
-            id: this.makeURLSafeID((e.id || e.name).toLowerCase()),
-            name: e.name,
-            url: `/api/remotes/${encryptedRemoteConfig}`
-          }
-        } else {
-          return {
-            id: this.makeURLSafeID((e.id || e.name).toLowerCase()),
-            name: e.name,
-            url: `/api/proxy?url=${encodeURIComponent(e.url)}`
-          }
-      }
+        const remoteConfig: RemoteConfig = {
+          url: e.url,
+          auth: e.auth ? {
+            type: e.auth.type,
+            username: this.encryptionService.decrypt(e.auth.encryptedUsername),
+            password: this.encryptionService.decrypt(e.auth.encryptedPassword)
+          } : undefined
+        };
+
+        // Encrypt and encode remote config
+        const encryptedRemoteConfig = Buffer.from(this.encryptionService.encrypt(JSON.stringify(remoteConfig))).toString('base64');
+
+        return {
+          id: this.makeURLSafeID((e.id || e.name).toLowerCase()),
+          name: e.name,
+          url: `/api/remotes/${encryptedRemoteConfig}`
+        };
       })
       versions.push({
         id: versionId,

From d3b962f08b34e99195b00927da6f04d8e66703bf Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 16:07:14 +0100
Subject: [PATCH 06/32] Set filename - used when browser downloads the file

---
 src/app/api/remotes/[encryptedRemoteConfig]/route.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
index 0479ade8..778645f8 100644
--- a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
+++ b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
@@ -53,8 +53,16 @@ export async function GET(req: NextRequest, { params }: { params: RemoteSpecific
     })
     
     checkIfJsonOrYaml(fileText)
+
+    const fileName = url.pathname.split('/').pop()
     
-    return new NextResponse(fileText, { status: 200, headers: { "Content-Type": "text/plain" } })
+    return new NextResponse(fileText, { 
+      status: 200, 
+      headers: { 
+        "Content-Type": "text/plain",
+        "Content-Disposition": `attachment; filename="${fileName}"` // used for when downloading the file
+      }
+    })
   } catch (error) {
     if (error instanceof Error == false) {
       return makeAPIErrorResponse(500, "An unknown error occurred.")

From d422deb739854d3af2c9567e42f7a73485922bae Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 16:08:00 +0100
Subject: [PATCH 07/32] Bye bye proxy - use remotes endpoint now

---
 src/app/api/proxy/route.ts | 42 --------------------------------------
 1 file changed, 42 deletions(-)
 delete mode 100644 src/app/api/proxy/route.ts

diff --git a/src/app/api/proxy/route.ts b/src/app/api/proxy/route.ts
deleted file mode 100644
index 3a1e2716..00000000
--- a/src/app/api/proxy/route.ts
+++ /dev/null
@@ -1,42 +0,0 @@
-import { NextRequest, NextResponse } from "next/server"
-import { env, makeAPIErrorResponse, makeUnauthenticatedAPIErrorResponse } from "@/common"
-import { session } from "@/composition"
-import { checkIfJsonOrYaml, downloadFile, ErrorName } from "@/common/utils/fileUtils"
-
-export async function GET(req: NextRequest) {
-  const isAuthenticated = await session.getIsAuthenticated()
-  if (!isAuthenticated) {
-    return makeUnauthenticatedAPIErrorResponse()
-  }
-  const rawURL = req.nextUrl.searchParams.get("url")
-  if (!rawURL) {
-    return makeAPIErrorResponse(400, "Missing \"url\" query parameter.")
-  }
-  let url: URL
-  try {
-    url = new URL(rawURL)
-  } catch {
-    return makeAPIErrorResponse(400, "Invalid \"url\" query parameter.")
-  }
-  try {
-    const maxMegabytes = Number(env.getOrThrow("PROXY_API_MAXIMUM_FILE_SIZE_IN_MEGABYTES"))
-    const timeoutInSeconds = Number(env.getOrThrow("PROXY_API_TIMEOUT_IN_SECONDS"))
-    const maxBytes = maxMegabytes * 1024 * 1024
-    const fileText = await downloadFile({ url, maxBytes, timeoutInSeconds })
-    checkIfJsonOrYaml(fileText)
-    return new NextResponse(fileText, { status: 200, headers: { "Content-Type": "text/plain" } })
-  } catch (error) {
-    if (error instanceof Error == false) {
-      return makeAPIErrorResponse(500, "An unknown error occurred.")
-    }
-    if (error.name === ErrorName.MAX_FILE_SIZE_EXCEEDED) {
-      return makeAPIErrorResponse(413, "The operation was aborted.")
-    } else if (error.name === ErrorName.TIMEOUT) {
-      return makeAPIErrorResponse(408, "The operation timed out.")
-    } else if (error.name === ErrorName.NOT_JSON_OR_YAML) {
-      return makeAPIErrorResponse(400, "Url does not point to a JSON or YAML file.")
-    } else {
-      return makeAPIErrorResponse(500, error.message)
-    }
-  }
-}

From a57bc3c066be4f28d859b3c9b243588920cdb4df Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 18:04:18 +0100
Subject: [PATCH 08/32] Export IEncryptionService

---
 src/common/encryption/EncryptionService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/common/encryption/EncryptionService.ts b/src/common/encryption/EncryptionService.ts
index 9a58ba4d..67155e5c 100644
--- a/src/common/encryption/EncryptionService.ts
+++ b/src/common/encryption/EncryptionService.ts
@@ -1,6 +1,6 @@
 import { publicEncrypt, privateDecrypt, constants } from 'crypto';
 
-interface IEncryptionService {
+export interface IEncryptionService {
     encrypt(data: string): string;
     decrypt(encryptedDataBase64: string): string;
 }

From 23644ba225aa216adeba4a1fcd1086b0d9d9284b Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 18:04:53 +0100
Subject: [PATCH 09/32] Inject encryption service into GitHubProjectDataSource

---
 src/composition.ts                                  | 13 +++++++------
 .../projects/data/GitHubProjectDataSource.ts        | 11 ++++-------
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/src/composition.ts b/src/composition.ts
index af18122b..a73faabe 100644
--- a/src/composition.ts
+++ b/src/composition.ts
@@ -177,6 +177,11 @@ export const projectRepository = new ProjectRepository({
   repository: projectUserDataRepository
 })
 
+export const encryptionService = new RsaEncryptionService({
+  publicKey: Buffer.from(env.getOrThrow("ENCRYPTION_PUBLIC_KEY_BASE_64"), "base64").toString("utf-8"),
+  privateKey: Buffer.from(env.getOrThrow("ENCRYPTION_PRIVATE_KEY_BASE_64"), "base64").toString("utf-8")
+})
+
 export const projectDataSource = new CachingProjectDataSource({
   dataSource: new GitHubProjectDataSource({
     repositoryDataSource: new FilteringGitHubRepositoryDataSource({
@@ -190,7 +195,8 @@ export const projectDataSource = new CachingProjectDataSource({
         projectConfigurationFilename: env.getOrThrow("FRAMNA_DOCS_PROJECT_CONFIGURATION_FILENAME")
       })
     }),
-    repositoryNameSuffix: env.getOrThrow("REPOSITORY_NAME_SUFFIX")
+    repositoryNameSuffix: env.getOrThrow("REPOSITORY_NAME_SUFFIX"),
+    encryptionService: encryptionService
   }),
   repository: projectRepository
 })
@@ -221,8 +227,3 @@ export const gitHubHookHandler = new GitHubHookHandler({
     })
   })
 })
-
-export const encryptionService = new RsaEncryptionService({
-  publicKey: Buffer.from(env.getOrThrow("ENCRYPTION_PUBLIC_KEY_BASE_64"), "base64").toString("utf-8"),
-  privateKey: Buffer.from(env.getOrThrow("ENCRYPTION_PRIVATE_KEY_BASE_64"), "base64").toString("utf-8")
-})
diff --git a/src/features/projects/data/GitHubProjectDataSource.ts b/src/features/projects/data/GitHubProjectDataSource.ts
index 571a99f1..6bddf5d2 100644
--- a/src/features/projects/data/GitHubProjectDataSource.ts
+++ b/src/features/projects/data/GitHubProjectDataSource.ts
@@ -10,24 +10,21 @@ import {
   GitHubRepositoryRef
 } from "../domain"
 import { RemoteConfig } from "@/app/api/remotes/[encryptedRemoteConfig]/route"
-import RsaEncryptionService from "@/common/encryption/EncryptionService"
-import { env } from "@/common"
+import { IEncryptionService } from "@/common/encryption/EncryptionService"
 
 export default class GitHubProjectDataSource implements IProjectDataSource {
   private readonly repositoryDataSource: IGitHubRepositoryDataSource
   private readonly repositoryNameSuffix: string
-  private readonly encryptionService: RsaEncryptionService
+  private readonly encryptionService: IEncryptionService
   
   constructor(config: {
     repositoryDataSource: IGitHubRepositoryDataSource
     repositoryNameSuffix: string
+    encryptionService: IEncryptionService
   }) {
     this.repositoryDataSource = config.repositoryDataSource
     this.repositoryNameSuffix = config.repositoryNameSuffix
-    this.encryptionService = new RsaEncryptionService({ // TODO: Would be better to load from composition root, but causes errors
-      publicKey: Buffer.from(env.getOrThrow("ENCRYPTION_PUBLIC_KEY_BASE_64"), "base64").toString("utf-8"),
-      privateKey: Buffer.from(env.getOrThrow("ENCRYPTION_PRIVATE_KEY_BASE_64"), "base64").toString("utf-8")
-    })
+    this.encryptionService = config.encryptionService
   }
   
   async getProjects(): Promise<Project[]> {

From 69197033cf9c8888a3fda9bcce83cf542d1f9ee7 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 18:11:04 +0100
Subject: [PATCH 10/32] Move types to separate files

---
 .../api/remotes/[encryptedRemoteConfig]/route.ts  | 15 +--------------
 .../projects/data/GitHubProjectDataSource.ts      |  2 +-
 src/features/projects/domain/RemoteConfig.ts      | 11 +++++++++++
 src/features/projects/domain/RemoteSpecAuth.ts    | 11 +++++++++++
 4 files changed, 24 insertions(+), 15 deletions(-)
 create mode 100644 src/features/projects/domain/RemoteConfig.ts
 create mode 100644 src/features/projects/domain/RemoteSpecAuth.ts

diff --git a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
index 778645f8..488d9ada 100644
--- a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
+++ b/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
@@ -1,26 +1,13 @@
 import { NextRequest, NextResponse } from "next/server"
 import { encryptionService, session } from "@/composition"
 import { env, makeAPIErrorResponse, makeUnauthenticatedAPIErrorResponse } from "@/common"
-import { z } from 'zod';
 import { downloadFile, checkIfJsonOrYaml, ErrorName } from "@/common/utils/fileUtils";
+import { RemoteConfigSchema } from "@/features/projects/domain/RemoteConfig";
 
 interface RemoteSpecificationParams {
   encryptedRemoteConfig: string // encrypted and URL encoded JSON string
 }
 
-const RemoteSpecAuthSchema = z.object({
-  type: z.string(),
-  username: z.string(),
-  password: z.string(),
-});
-export type RemoteSpecAuth = z.infer<typeof RemoteSpecAuthSchema>;
-
-const RemoteConfigSchema = z.object({
-  url: z.string().url(),
-  auth: RemoteSpecAuthSchema.optional(),
-});
-export type RemoteConfig = z.infer<typeof RemoteConfigSchema>;
-
 export async function GET(req: NextRequest, { params }: { params: RemoteSpecificationParams }) {
   const isAuthenticated = await session.getIsAuthenticated()
   if (!isAuthenticated) {
diff --git a/src/features/projects/data/GitHubProjectDataSource.ts b/src/features/projects/data/GitHubProjectDataSource.ts
index 6bddf5d2..0a1d5ce2 100644
--- a/src/features/projects/data/GitHubProjectDataSource.ts
+++ b/src/features/projects/data/GitHubProjectDataSource.ts
@@ -9,8 +9,8 @@ import {
   GitHubRepository,
   GitHubRepositoryRef
 } from "../domain"
-import { RemoteConfig } from "@/app/api/remotes/[encryptedRemoteConfig]/route"
 import { IEncryptionService } from "@/common/encryption/EncryptionService"
+import RemoteConfig from "../domain/RemoteConfig"
 
 export default class GitHubProjectDataSource implements IProjectDataSource {
   private readonly repositoryDataSource: IGitHubRepositoryDataSource
diff --git a/src/features/projects/domain/RemoteConfig.ts b/src/features/projects/domain/RemoteConfig.ts
new file mode 100644
index 00000000..5afb559b
--- /dev/null
+++ b/src/features/projects/domain/RemoteConfig.ts
@@ -0,0 +1,11 @@
+import { z } from 'zod'
+import { RemoteSpecAuthSchema } from './RemoteSpecAuth'
+
+export const RemoteConfigSchema = z.object({
+    url: z.string().url(),
+    auth: RemoteSpecAuthSchema.optional(),
+})
+
+type RemoteConfig = z.infer<typeof RemoteConfigSchema>
+
+export default RemoteConfig
diff --git a/src/features/projects/domain/RemoteSpecAuth.ts b/src/features/projects/domain/RemoteSpecAuth.ts
new file mode 100644
index 00000000..5d72a335
--- /dev/null
+++ b/src/features/projects/domain/RemoteSpecAuth.ts
@@ -0,0 +1,11 @@
+import { z } from 'zod'
+
+export const RemoteSpecAuthSchema = z.object({
+    type: z.string(),
+    username: z.string(),
+    password: z.string(),
+})
+
+type RemoteSpecAuth = z.infer<typeof RemoteSpecAuthSchema>
+
+export default RemoteSpecAuth

From d6510d54de2d377a84129b32e201e98c44bb7c85 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 20:18:51 +0100
Subject: [PATCH 11/32] Encapsulate encoding/decoding of RemoteConfig

---
 .../route.ts                                  | 11 ++-----
 src/composition.ts                            |  8 +++--
 .../projects/data/GitHubProjectDataSource.ts  | 11 ++++---
 .../projects/domain/RemoteConfigEncoder.ts    | 29 +++++++++++++++++++
 4 files changed, 45 insertions(+), 14 deletions(-)
 rename src/app/api/remotes/{[encryptedRemoteConfig] => [encodedRemoteConfig]}/route.ts (80%)
 create mode 100644 src/features/projects/domain/RemoteConfigEncoder.ts

diff --git a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts b/src/app/api/remotes/[encodedRemoteConfig]/route.ts
similarity index 80%
rename from src/app/api/remotes/[encryptedRemoteConfig]/route.ts
rename to src/app/api/remotes/[encodedRemoteConfig]/route.ts
index 488d9ada..ba20014f 100644
--- a/src/app/api/remotes/[encryptedRemoteConfig]/route.ts
+++ b/src/app/api/remotes/[encodedRemoteConfig]/route.ts
@@ -1,11 +1,10 @@
 import { NextRequest, NextResponse } from "next/server"
-import { encryptionService, session } from "@/composition"
+import { remoteConfigEncoder, session } from "@/composition"
 import { env, makeAPIErrorResponse, makeUnauthenticatedAPIErrorResponse } from "@/common"
 import { downloadFile, checkIfJsonOrYaml, ErrorName } from "@/common/utils/fileUtils";
-import { RemoteConfigSchema } from "@/features/projects/domain/RemoteConfig";
 
 interface RemoteSpecificationParams {
-  encryptedRemoteConfig: string // encrypted and URL encoded JSON string
+  encodedRemoteConfig: string
 }
 
 export async function GET(req: NextRequest, { params }: { params: RemoteSpecificationParams }) {
@@ -14,11 +13,7 @@ export async function GET(req: NextRequest, { params }: { params: RemoteSpecific
     return makeUnauthenticatedAPIErrorResponse()
   }
 
-  const decodedEncryptedRemoteConfig = Buffer.from(params.encryptedRemoteConfig, 'base64').toString('utf-8');
-
-  const decryptedRemoteConfig = encryptionService.decrypt(decodedEncryptedRemoteConfig)
-
-  const remoteConfig = RemoteConfigSchema.parse(JSON.parse(decryptedRemoteConfig))
+  const remoteConfig = remoteConfigEncoder.decode(params.encodedRemoteConfig)
 
   let url: URL
   try {
diff --git a/src/composition.ts b/src/composition.ts
index a73faabe..18df06d9 100644
--- a/src/composition.ts
+++ b/src/composition.ts
@@ -52,6 +52,7 @@ import {
 } from "@/features/hooks/domain"
 import { RepoRestrictedGitHubClient } from "./common/github/RepoRestrictedGitHubClient"
 import RsaEncryptionService from "./common/encryption/EncryptionService"
+import RemoteConfigEncoder from "./features/projects/domain/RemoteConfigEncoder"
 
 const gitHubAppCredentials = {
   appId: env.getOrThrow("GITHUB_APP_ID"),
@@ -177,11 +178,13 @@ export const projectRepository = new ProjectRepository({
   repository: projectUserDataRepository
 })
 
-export const encryptionService = new RsaEncryptionService({
+const encryptionService = new RsaEncryptionService({
   publicKey: Buffer.from(env.getOrThrow("ENCRYPTION_PUBLIC_KEY_BASE_64"), "base64").toString("utf-8"),
   privateKey: Buffer.from(env.getOrThrow("ENCRYPTION_PRIVATE_KEY_BASE_64"), "base64").toString("utf-8")
 })
 
+export const remoteConfigEncoder = new RemoteConfigEncoder(encryptionService)
+
 export const projectDataSource = new CachingProjectDataSource({
   dataSource: new GitHubProjectDataSource({
     repositoryDataSource: new FilteringGitHubRepositoryDataSource({
@@ -196,7 +199,8 @@ export const projectDataSource = new CachingProjectDataSource({
       })
     }),
     repositoryNameSuffix: env.getOrThrow("REPOSITORY_NAME_SUFFIX"),
-    encryptionService: encryptionService
+    encryptionService: encryptionService,
+    remoteConfigEncoder: remoteConfigEncoder
   }),
   repository: projectRepository
 })
diff --git a/src/features/projects/data/GitHubProjectDataSource.ts b/src/features/projects/data/GitHubProjectDataSource.ts
index 0a1d5ce2..93bbaea9 100644
--- a/src/features/projects/data/GitHubProjectDataSource.ts
+++ b/src/features/projects/data/GitHubProjectDataSource.ts
@@ -1,3 +1,4 @@
+import { IEncryptionService } from "@/common/encryption/EncryptionService"
 import {
   Project,
   Version,
@@ -9,22 +10,25 @@ import {
   GitHubRepository,
   GitHubRepositoryRef
 } from "../domain"
-import { IEncryptionService } from "@/common/encryption/EncryptionService"
 import RemoteConfig from "../domain/RemoteConfig"
+import RemoteConfigEncoder from "../domain/RemoteConfigEncoder"
 
 export default class GitHubProjectDataSource implements IProjectDataSource {
   private readonly repositoryDataSource: IGitHubRepositoryDataSource
   private readonly repositoryNameSuffix: string
   private readonly encryptionService: IEncryptionService
+  private readonly remoteConfigEncoder: RemoteConfigEncoder
   
   constructor(config: {
     repositoryDataSource: IGitHubRepositoryDataSource
     repositoryNameSuffix: string
     encryptionService: IEncryptionService
+    remoteConfigEncoder: RemoteConfigEncoder
   }) {
     this.repositoryDataSource = config.repositoryDataSource
     this.repositoryNameSuffix = config.repositoryNameSuffix
     this.encryptionService = config.encryptionService
+    this.remoteConfigEncoder = config.remoteConfigEncoder
   }
   
   async getProjects(): Promise<Project[]> {
@@ -181,13 +185,12 @@ export default class GitHubProjectDataSource implements IProjectDataSource {
           } : undefined
         };
 
-        // Encrypt and encode remote config
-        const encryptedRemoteConfig = Buffer.from(this.encryptionService.encrypt(JSON.stringify(remoteConfig))).toString('base64');
+        const encodedRemoteConfig = this.remoteConfigEncoder.encode(remoteConfig);
 
         return {
           id: this.makeURLSafeID((e.id || e.name).toLowerCase()),
           name: e.name,
-          url: `/api/remotes/${encryptedRemoteConfig}`
+          url: `/api/remotes/${encodedRemoteConfig}`
         };
       })
       versions.push({
diff --git a/src/features/projects/domain/RemoteConfigEncoder.ts b/src/features/projects/domain/RemoteConfigEncoder.ts
new file mode 100644
index 00000000..ba0ccdbf
--- /dev/null
+++ b/src/features/projects/domain/RemoteConfigEncoder.ts
@@ -0,0 +1,29 @@
+import { IEncryptionService } from "@/common/encryption/EncryptionService";
+import RemoteConfig, { RemoteConfigSchema } from "./RemoteConfig";
+
+/**
+ * Encodes and decodes remote configs.
+ * 
+ * The remote config is first stringified to JSON, then encrypted, and finally encoded in base64.
+ * 
+ * At the receiving end, the encoded string is first decoded from base64, then decrypted, and finally parsed as JSON.
+ */
+export default class RemoteConfigEncoder {
+    private readonly encryptionService: IEncryptionService;
+
+    constructor(encryptionService: IEncryptionService) {
+        this.encryptionService = encryptionService;
+    }
+
+    encode(remoteConfig: RemoteConfig): string {
+        const jsonString = JSON.stringify(remoteConfig);
+        const encryptedString = this.encryptionService.encrypt(jsonString);
+        return Buffer.from(encryptedString).toString('base64');
+    }
+
+    decode(encodedString: string): RemoteConfig {
+        const decodedString = Buffer.from(encodedString, 'base64').toString('utf-8');
+        const decryptedString = this.encryptionService.decrypt(decodedString);
+        return RemoteConfigSchema.parse(JSON.parse(decryptedString));
+    }
+}

From 06ab8135f35b7614d05a610963e5f0f535d7bd05 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Wed, 4 Dec 2024 20:20:54 +0100
Subject: [PATCH 12/32] Remove comment

---
 src/common/utils/fileUtils.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/common/utils/fileUtils.ts b/src/common/utils/fileUtils.ts
index 8308e1f9..f5764e72 100644
--- a/src/common/utils/fileUtils.ts
+++ b/src/common/utils/fileUtils.ts
@@ -17,7 +17,6 @@ export async function downloadFile(params: {
     const abortController = new AbortController();
     const timeoutSignal = AbortSignal.timeout(timeoutInSeconds * 1000);
     const headers: { [key: string]: string; } = {};
-    // Extract basic auth from URL and construct an Authorization header instead.
     if (basicAuthUsername && basicAuthPassword) {
         headers["Authorization"] = "Basic " + btoa(`${basicAuthUsername}:${basicAuthPassword}`);
     }

From 0a0453b7a784c690c8245a858881bc2ffabab123 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 08:02:05 +0100
Subject: [PATCH 13/32] Export encryption service

---
 src/composition.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/composition.ts b/src/composition.ts
index 18df06d9..afdb4f0a 100644
--- a/src/composition.ts
+++ b/src/composition.ts
@@ -178,7 +178,7 @@ export const projectRepository = new ProjectRepository({
   repository: projectUserDataRepository
 })
 
-const encryptionService = new RsaEncryptionService({
+export const encryptionService = new RsaEncryptionService({
   publicKey: Buffer.from(env.getOrThrow("ENCRYPTION_PUBLIC_KEY_BASE_64"), "base64").toString("utf-8"),
   privateKey: Buffer.from(env.getOrThrow("ENCRYPTION_PRIVATE_KEY_BASE_64"), "base64").toString("utf-8")
 })

From 4edfe946b7f1a8b46034b0978e3ceb58ac58724e Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 08:59:42 +0100
Subject: [PATCH 14/32] Create nicer layout for encryption page

---
 src/app/(authed)/encrypt/page.tsx             | 76 +++++++++----------
 src/features/encrypt/view/EncryptionForm.tsx  | 71 +++++++++++++++++
 .../encrypt/view/encryptAction.ts}            |  0
 3 files changed, 105 insertions(+), 42 deletions(-)
 create mode 100644 src/features/encrypt/view/EncryptionForm.tsx
 rename src/{app/(authed)/encrypt/action.ts => features/encrypt/view/encryptAction.ts} (100%)

diff --git a/src/app/(authed)/encrypt/page.tsx b/src/app/(authed)/encrypt/page.tsx
index bb5fddb1..c96db18b 100644
--- a/src/app/(authed)/encrypt/page.tsx
+++ b/src/app/(authed)/encrypt/page.tsx
@@ -1,53 +1,45 @@
-'use client'
+import { Box, Typography } from '@mui/material'
+import MessageLinkFooter from "@/common/ui/MessageLinkFooter"
+import { EncryptionForm } from "@/features/encrypt/view/EncryptionForm"
+import { env } from '@/common'
 
-import { useState } from 'react'
-import { encrypt } from './action'
-import { Box, Button, TextareaAutosize, Typography } from '@mui/material'
-
-export default function EncryptPage() {
-    const [inputText, setInputText] = useState('')
-    const [encryptedText, setEncryptedText] = useState('')
-
-    const handleSubmit = async (event: React.FormEvent) => {
-        event.preventDefault()
-        const encrypted = await encrypt(inputText)
-        setEncryptedText(encrypted)
-    }
+const HELP_URL = env.getOrThrow("FRAMNA_DOCS_HELP_URL")
+const SITE_NAME = env.getOrThrow("FRAMNA_DOCS_TITLE")
 
+export default async function EncryptPage() {
     return (
         <Box
             display="flex"
-            alignItems="center"
             justifyContent="center"
-            flexDirection="column"
-            height={1}
+            alignItems="center"
             width={1}
-            gap={6}
         >
-            <Typography variant="h4">
-                Encrypt text for remote config
-            </Typography>
-            <Typography variant="body1">
-                Use this to encrypt values to be used in the configuration file.<br />
-                The input text is encrypted using the public key of the server.
-            </Typography>
-            <form onSubmit={handleSubmit}>
-                <TextareaAutosize
-                    value={inputText}
-                    onChange={(e) => setInputText(e.target.value)}
-                    cols={50}
-                    minRows={10}
-                />
-                <br />
-                <Button type="submit" variant="outlined"
-                    color="primary"
-                    size="large"
-                    sx={{ height: 56, width: 1 }}
-                >Encrypt</Button>
-            </form>
-            {encryptedText && (
-                <textarea readOnly value={encryptedText} rows={10} cols={50} />
-            )}
+            <Box
+                display="flex"
+                alignItems="center"
+                flexDirection="column"
+                gap={6}
+                sx={{ width: '80%', maxWidth: '600px' }}
+            >
+                <Typography variant="h4">
+                    Encrypt secrets for remote config
+                </Typography>
+                <Typography sx={{ textAlign: "center" }}>
+                    When adding authentication information to remote specifications it 
+                    is required to encrypt the authentication information with our public 
+                    key before storing it in the repository.<br />
+                    <br />
+                    This page allows you to encrypt the secret using {SITE_NAME}{SITE_NAME.endsWith('s') ? "'" : "'s"} 
+                    public key, which means only {SITE_NAME} can decrypt it.
+                </Typography>
+                <EncryptionForm />
+                {HELP_URL &&
+                    <MessageLinkFooter
+                        url={HELP_URL}
+                        content="Need help? Explore our wiki for more info."
+                    />
+                }
+            </Box>
         </Box>
     )
 }
diff --git a/src/features/encrypt/view/EncryptionForm.tsx b/src/features/encrypt/view/EncryptionForm.tsx
new file mode 100644
index 00000000..a8131313
--- /dev/null
+++ b/src/features/encrypt/view/EncryptionForm.tsx
@@ -0,0 +1,71 @@
+'use client'
+
+import { useState } from 'react'
+import { Box, Button, Snackbar, TextField, Tooltip } from '@mui/material'
+import { encrypt } from "./encryptAction"
+
+export const EncryptionForm = () => {
+    const [inputText, setInputText] = useState('')
+    const [encryptedText, setEncryptedText] = useState('')
+    const [openSnackbar, setOpenSnackbar] = useState(false)
+
+    const handleSubmit = async (event: React.FormEvent) => {
+        event.preventDefault()
+        const encrypted = await encrypt(inputText)
+        setEncryptedText(encrypted)
+    }
+
+    const handleCopy = () => {
+        navigator.clipboard.writeText(encryptedText)
+        setOpenSnackbar(true)
+    }
+
+    const handleCloseSnackbar = () => {
+        setOpenSnackbar(false)
+    }
+
+    return <Box
+        component="form"
+        onSubmit={handleSubmit}
+        display="flex"
+        flexDirection="column"
+        gap={2}
+        alignItems="center"
+    >
+        <TextField
+            value={inputText}
+            onChange={(e) => setInputText(e.target.value)}
+            multiline
+            rows={8}
+            variant="outlined"
+            placeholder="Enter text to encrypt"
+            sx={{ width: "300px" }}
+        />
+        
+        <Button 
+            type="submit" 
+            variant="outlined" 
+            color="primary"
+            size="large"
+            sx={{ width: "300px" }}
+        >Encrypt</Button>
+
+        <Tooltip title="Click to copy to clipboard">
+            <TextField
+                value={encryptedText}
+                onClick={handleCopy}
+                sx={{ input: { cursor: 'pointer' }, width: "300px" }}
+                slotProps={{ input: { readOnly: true } }}
+                placeholder="Encrypted text will appear here"
+            />
+        </Tooltip>
+        
+        <Snackbar
+            open={openSnackbar}
+            autoHideDuration={3000}
+            onClose={handleCloseSnackbar}
+            message="Copied to clipboard"
+            anchorOrigin={{ vertical: 'top', horizontal: 'right' }}
+        />
+    </Box>;
+}
diff --git a/src/app/(authed)/encrypt/action.ts b/src/features/encrypt/view/encryptAction.ts
similarity index 100%
rename from src/app/(authed)/encrypt/action.ts
rename to src/features/encrypt/view/encryptAction.ts

From 5884fdaf5c592b89433b4feb405e72af11fc1655 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 09:00:13 +0100
Subject: [PATCH 15/32] Move encrypt to (home) folder

---
 src/app/(authed)/{ => (home)}/encrypt/layout.tsx | 0
 src/app/(authed)/{ => (home)}/encrypt/page.tsx   | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename src/app/(authed)/{ => (home)}/encrypt/layout.tsx (100%)
 rename src/app/(authed)/{ => (home)}/encrypt/page.tsx (100%)

diff --git a/src/app/(authed)/encrypt/layout.tsx b/src/app/(authed)/(home)/encrypt/layout.tsx
similarity index 100%
rename from src/app/(authed)/encrypt/layout.tsx
rename to src/app/(authed)/(home)/encrypt/layout.tsx
diff --git a/src/app/(authed)/encrypt/page.tsx b/src/app/(authed)/(home)/encrypt/page.tsx
similarity index 100%
rename from src/app/(authed)/encrypt/page.tsx
rename to src/app/(authed)/(home)/encrypt/page.tsx

From cedc18c15bf5c7257305b9eb7e25b708acdef7a9 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 09:02:24 +0100
Subject: [PATCH 16/32] Move encryption service

---
 src/composition.ts                                              | 2 +-
 .../encryption => features/encrypt}/EncryptionService.ts        | 0
 src/features/projects/data/GitHubProjectDataSource.ts           | 2 +-
 src/features/projects/domain/RemoteConfigEncoder.ts             | 2 +-
 4 files changed, 3 insertions(+), 3 deletions(-)
 rename src/{common/encryption => features/encrypt}/EncryptionService.ts (100%)

diff --git a/src/composition.ts b/src/composition.ts
index afdb4f0a..40a754bc 100644
--- a/src/composition.ts
+++ b/src/composition.ts
@@ -51,7 +51,7 @@ import {
   PullRequestCommenter
 } from "@/features/hooks/domain"
 import { RepoRestrictedGitHubClient } from "./common/github/RepoRestrictedGitHubClient"
-import RsaEncryptionService from "./common/encryption/EncryptionService"
+import RsaEncryptionService from "./features/encrypt/EncryptionService"
 import RemoteConfigEncoder from "./features/projects/domain/RemoteConfigEncoder"
 
 const gitHubAppCredentials = {
diff --git a/src/common/encryption/EncryptionService.ts b/src/features/encrypt/EncryptionService.ts
similarity index 100%
rename from src/common/encryption/EncryptionService.ts
rename to src/features/encrypt/EncryptionService.ts
diff --git a/src/features/projects/data/GitHubProjectDataSource.ts b/src/features/projects/data/GitHubProjectDataSource.ts
index 93bbaea9..4e623a8b 100644
--- a/src/features/projects/data/GitHubProjectDataSource.ts
+++ b/src/features/projects/data/GitHubProjectDataSource.ts
@@ -1,4 +1,4 @@
-import { IEncryptionService } from "@/common/encryption/EncryptionService"
+import { IEncryptionService } from "@/features/encrypt/EncryptionService"
 import {
   Project,
   Version,
diff --git a/src/features/projects/domain/RemoteConfigEncoder.ts b/src/features/projects/domain/RemoteConfigEncoder.ts
index ba0ccdbf..5318fab9 100644
--- a/src/features/projects/domain/RemoteConfigEncoder.ts
+++ b/src/features/projects/domain/RemoteConfigEncoder.ts
@@ -1,4 +1,4 @@
-import { IEncryptionService } from "@/common/encryption/EncryptionService";
+import { IEncryptionService } from "@/features/encrypt/EncryptionService";
 import RemoteConfig, { RemoteConfigSchema } from "./RemoteConfig";
 
 /**

From 5e03f971d3a4ab5c2579ed2f170d6320ef7792c9 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 09:04:49 +0100
Subject: [PATCH 17/32] Fix headline

---
 src/app/(authed)/(home)/encrypt/page.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/(authed)/(home)/encrypt/page.tsx b/src/app/(authed)/(home)/encrypt/page.tsx
index c96db18b..859b3614 100644
--- a/src/app/(authed)/(home)/encrypt/page.tsx
+++ b/src/app/(authed)/(home)/encrypt/page.tsx
@@ -22,7 +22,7 @@ export default async function EncryptPage() {
                 sx={{ width: '80%', maxWidth: '600px' }}
             >
                 <Typography variant="h4">
-                    Encrypt secrets for remote config
+                    Encrypt secrets
                 </Typography>
                 <Typography sx={{ textAlign: "center" }}>
                     When adding authentication information to remote specifications it 

From ec15451018f8d951dd595ead559c460bbaa61018 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 09:21:12 +0100
Subject: [PATCH 18/32] Introduce interface for RemoteConfigEncoder

---
 src/features/projects/data/GitHubProjectDataSource.ts | 6 +++---
 src/features/projects/domain/RemoteConfigEncoder.ts   | 7 ++++++-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/features/projects/data/GitHubProjectDataSource.ts b/src/features/projects/data/GitHubProjectDataSource.ts
index 4e623a8b..df97c6bb 100644
--- a/src/features/projects/data/GitHubProjectDataSource.ts
+++ b/src/features/projects/data/GitHubProjectDataSource.ts
@@ -11,19 +11,19 @@ import {
   GitHubRepositoryRef
 } from "../domain"
 import RemoteConfig from "../domain/RemoteConfig"
-import RemoteConfigEncoder from "../domain/RemoteConfigEncoder"
+import { IRemoteConfigEncoder } from "../domain/RemoteConfigEncoder"
 
 export default class GitHubProjectDataSource implements IProjectDataSource {
   private readonly repositoryDataSource: IGitHubRepositoryDataSource
   private readonly repositoryNameSuffix: string
   private readonly encryptionService: IEncryptionService
-  private readonly remoteConfigEncoder: RemoteConfigEncoder
+  private readonly remoteConfigEncoder: IRemoteConfigEncoder
   
   constructor(config: {
     repositoryDataSource: IGitHubRepositoryDataSource
     repositoryNameSuffix: string
     encryptionService: IEncryptionService
-    remoteConfigEncoder: RemoteConfigEncoder
+    remoteConfigEncoder: IRemoteConfigEncoder
   }) {
     this.repositoryDataSource = config.repositoryDataSource
     this.repositoryNameSuffix = config.repositoryNameSuffix
diff --git a/src/features/projects/domain/RemoteConfigEncoder.ts b/src/features/projects/domain/RemoteConfigEncoder.ts
index 5318fab9..6336efec 100644
--- a/src/features/projects/domain/RemoteConfigEncoder.ts
+++ b/src/features/projects/domain/RemoteConfigEncoder.ts
@@ -1,6 +1,11 @@
 import { IEncryptionService } from "@/features/encrypt/EncryptionService";
 import RemoteConfig, { RemoteConfigSchema } from "./RemoteConfig";
 
+export interface IRemoteConfigEncoder {
+    encode(remoteConfig: RemoteConfig): string;
+    decode(encodedString: string): RemoteConfig;
+}
+
 /**
  * Encodes and decodes remote configs.
  * 
@@ -8,7 +13,7 @@ import RemoteConfig, { RemoteConfigSchema } from "./RemoteConfig";
  * 
  * At the receiving end, the encoded string is first decoded from base64, then decrypted, and finally parsed as JSON.
  */
-export default class RemoteConfigEncoder {
+export default class RemoteConfigEncoder implements IRemoteConfigEncoder {
     private readonly encryptionService: IEncryptionService;
 
     constructor(encryptionService: IEncryptionService) {

From e8c300a598e0f712ef0906d43d7bf372bdbbcf10 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 09:21:45 +0100
Subject: [PATCH 19/32] Adjust GitHubProjectDataSource tests

---
 .../projects/GitHubProjectDataSource.test.ts  | 115 ++++++++++++++----
 1 file changed, 89 insertions(+), 26 deletions(-)

diff --git a/__test__/projects/GitHubProjectDataSource.test.ts b/__test__/projects/GitHubProjectDataSource.test.ts
index ac01eaa1..6dcbda37 100644
--- a/__test__/projects/GitHubProjectDataSource.test.ts
+++ b/__test__/projects/GitHubProjectDataSource.test.ts
@@ -1,4 +1,29 @@
 import { GitHubProjectDataSource } from "@/features/projects/data"
+import RemoteConfig from "@/features/projects/domain/RemoteConfig"
+
+/**
+ * Simple encryption service for testing. Does nothing.
+ */
+const noopEncryptionService = {
+  encrypt: function (data: string): string {
+    return data
+  },
+  decrypt: function (encryptedDataBase64: string): string {
+    return encryptedDataBase64
+  }
+}
+
+/**
+ * Simple encoder for testing
+ */
+const base64RemoteConfigEncoder = {
+  encode: function (remoteConfig: RemoteConfig): string {
+    return Buffer.from(JSON.stringify(remoteConfig)).toString("base64")
+  },
+  decode: function (encodedString: string): RemoteConfig {
+    return JSON.parse(Buffer.from(encodedString, "base64").toString())
+  }
+}
 
 test("It loads repositories from data source", async () => {
   let didLoadRepositories = false
@@ -9,7 +34,9 @@ test("It loads repositories from data source", async () => {
         didLoadRepositories = true
         return []
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   await sut.getProjects()
   expect(didLoadRepositories).toBeTruthy()
@@ -43,7 +70,9 @@ test("It maps projects including branches and tags", async () => {
           }]
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects).toEqual([{
@@ -107,7 +136,9 @@ test("It removes suffix from project name", async () => {
           }]
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].id).toEqual("acme-foo")
@@ -147,7 +178,9 @@ test("It supports multiple OpenAPI specifications on a branch", async () => {
           }]
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects).toEqual([{
@@ -209,7 +242,9 @@ test("It filters away projects with no versions", async () => {
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects.length).toEqual(0)
@@ -243,7 +278,9 @@ test("It filters away branches with no specifications", async () => {
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].versions.length).toEqual(1)
@@ -283,7 +320,9 @@ test("It filters away tags with no specifications", async () => {
           }]
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].versions.length).toEqual(2)
@@ -314,7 +353,9 @@ test("It reads image from configuration file with .yml extension", async () => {
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].imageURL).toEqual("/api/blob/acme/foo-openapi/icon.png?ref=12345678")
@@ -345,7 +386,9 @@ test("It reads display name from configuration file with .yml extension", async
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].id).toEqual("acme-foo")
@@ -378,7 +421,9 @@ test("It reads image from configuration file with .yaml extension", async () =>
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].imageURL).toEqual("/api/blob/acme/foo-openapi/icon.png?ref=12345678")
@@ -409,7 +454,9 @@ test("It reads display name from configuration file with .yaml extension", async
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].id).toEqual("acme-foo")
@@ -478,7 +525,9 @@ test("It sorts projects alphabetically", async () => {
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].name).toEqual("anne")
@@ -529,7 +578,9 @@ test("It sorts versions alphabetically", async () => {
           }]
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].versions[0].name).toEqual("1.0")
@@ -593,7 +644,9 @@ test("It prioritizes main, master, develop, and development branch names when so
           }]
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].versions[0].name).toEqual("main")
@@ -641,7 +694,9 @@ test("It identifies the default branch in returned versions", async () => {
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   const defaultVersionNames = projects[0]
@@ -682,7 +737,9 @@ test("It adds remote versions from the project configuration", async () => {
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].versions).toEqual([{
@@ -692,11 +749,11 @@ test("It adds remote versions from the project configuration", async () => {
     specifications: [{
       id: "huey",
       name: "Huey",
-      url: `/api/proxy?url=${encodeURIComponent("https://example.com/huey.yml")}`
+      url: `/api/remotes/${base64RemoteConfigEncoder.encode({ url: "https://example.com/huey.yml" })}`
     }, {
       id: "dewey",
       name: "Dewey",
-      url: `/api/proxy?url=${encodeURIComponent("https://example.com/dewey.yml")}`
+      url: `/api/remotes/${base64RemoteConfigEncoder.encode({ url: "https://example.com/dewey.yml" })}`
     }]
   }, {
     id: "bobby",
@@ -705,7 +762,7 @@ test("It adds remote versions from the project configuration", async () => {
     specifications: [{
       id: "louie",
       name: "Louie",
-      url: `/api/proxy?url=${encodeURIComponent("https://example.com/louie.yml")}`
+      url: `/api/remotes/${base64RemoteConfigEncoder.encode({ url: "https://example.com/louie.yml" })}`
     }]
   }])
 })
@@ -745,7 +802,9 @@ test("It modifies ID of remote version if the ID already exists", async () => {
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].versions).toEqual([{
@@ -766,7 +825,7 @@ test("It modifies ID of remote version if the ID already exists", async () => {
     specifications: [{
       id: "baz",
       name: "Baz",
-      url: `/api/proxy?url=${encodeURIComponent("https://example.com/baz.yml")}`
+      url: `/api/remotes/${base64RemoteConfigEncoder.encode({ url: "https://example.com/baz.yml" })}`
     }]
   }, {
     id: "bar2",
@@ -775,7 +834,7 @@ test("It modifies ID of remote version if the ID already exists", async () => {
     specifications: [{
       id: "hello",
       name: "Hello",
-      url: `/api/proxy?url=${encodeURIComponent("https://example.com/hello.yml")}`
+      url: `/api/remotes/${base64RemoteConfigEncoder.encode({ url: "https://example.com/hello.yml" })}`
     }]
   }])
 })
@@ -806,7 +865,9 @@ test("It lets users specify the ID of a remote version", async () => {
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].versions).toEqual([{
@@ -816,7 +877,7 @@ test("It lets users specify the ID of a remote version", async () => {
     specifications: [{
       id: "baz",
       name: "Baz",
-      url: `/api/proxy?url=${encodeURIComponent("https://example.com/baz.yml")}`
+      url: `/api/remotes/${base64RemoteConfigEncoder.encode({ url: "https://example.com/baz.yml" })}`
     }]
   }])
 })
@@ -847,7 +908,9 @@ test("It lets users specify the ID of a remote specification", async () => {
           tags: []
         }]
       }
-    }
+    },
+    encryptionService: noopEncryptionService,
+    remoteConfigEncoder: base64RemoteConfigEncoder
   })
   const projects = await sut.getProjects()
   expect(projects[0].versions).toEqual([{
@@ -857,7 +920,7 @@ test("It lets users specify the ID of a remote specification", async () => {
     specifications: [{
       id: "some-spec",
       name: "Baz",
-      url: `/api/proxy?url=${encodeURIComponent("https://example.com/baz.yml")}`
+      url: `/api/remotes/${base64RemoteConfigEncoder.encode({ url: "https://example.com/baz.yml" })}`
     }]
   }])
 })

From 88c20ad794b3aac37a535bcdb9e36f70f9023209 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 11:45:41 +0100
Subject: [PATCH 20/32] Adjust text on encrypt page

---
 src/app/(authed)/(home)/encrypt/page.tsx | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/app/(authed)/(home)/encrypt/page.tsx b/src/app/(authed)/(home)/encrypt/page.tsx
index 859b3614..35254e8f 100644
--- a/src/app/(authed)/(home)/encrypt/page.tsx
+++ b/src/app/(authed)/(home)/encrypt/page.tsx
@@ -25,12 +25,9 @@ export default async function EncryptPage() {
                     Encrypt secrets
                 </Typography>
                 <Typography sx={{ textAlign: "center" }}>
-                    When adding authentication information to remote specifications it 
-                    is required to encrypt the authentication information with our public 
-                    key before storing it in the repository.<br />
+                    When adding authentication information to remote specifications it is required to encrypt the authentication information with {SITE_NAME}{SITE_NAME.endsWith('s') ? "'" : "'s"} public key before storing it in the repository.<br />
                     <br />
-                    This page allows you to encrypt the secret using {SITE_NAME}{SITE_NAME.endsWith('s') ? "'" : "'s"} 
-                    public key, which means only {SITE_NAME} can decrypt it.
+                    Use the form to encrypt the secret using {SITE_NAME}{SITE_NAME.endsWith('s') ? "'" : "'s"} public key, which means only {SITE_NAME} can decrypt it.
                 </Typography>
                 <EncryptionForm />
                 {HELP_URL &&

From dd7f0c78d20466c112fd48268b0deb49c774d284 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 11:46:06 +0100
Subject: [PATCH 21/32] Add test for encryption service

---
 __test__/encrypt/EncryptionService.test.ts | 54 ++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 __test__/encrypt/EncryptionService.test.ts

diff --git a/__test__/encrypt/EncryptionService.test.ts b/__test__/encrypt/EncryptionService.test.ts
new file mode 100644
index 00000000..d1e366c2
--- /dev/null
+++ b/__test__/encrypt/EncryptionService.test.ts
@@ -0,0 +1,54 @@
+import RsaEncryptionService from '../../src/features/encrypt/EncryptionService'
+import { generateKeyPairSync } from 'crypto'
+
+describe('RsaEncryptionService', () => {
+    const { publicKey, privateKey } = generateKeyPairSync('rsa', {
+        modulusLength: 2048,
+        publicKeyEncoding: {
+            type: 'spki',
+            format: 'pem'
+        },
+        privateKeyEncoding: {
+            type: 'pkcs8',
+            format: 'pem'
+        }
+    })
+
+    const encryptionService = new RsaEncryptionService({ publicKey, privateKey })
+
+    it('should encrypt and decrypt data correctly', () => {
+        const data = 'Hello, World!'
+        const encryptedData = encryptionService.encrypt(data)
+        const decryptedData = encryptionService.decrypt(encryptedData)
+
+        expect(decryptedData).toBe(data)
+    })
+
+    it('should throw an error when decrypting with incorrect data', () => {
+        const incorrectData = 'invalidEncryptedData'
+
+        expect(() => {
+            encryptionService.decrypt(incorrectData)
+        }).toThrow()
+    })
+
+    it('should throw an error when encrypting with an invalid public key', () => {
+        const invalidPublicKey = 'invalidPublicKey'
+        const invalidEncryptionService = new RsaEncryptionService({ publicKey: invalidPublicKey, privateKey })
+
+        expect(() => {
+            invalidEncryptionService.encrypt('test')
+        }).toThrow()
+    })
+
+    it('should throw an error when decrypting with an invalid private key', () => {
+        const data = 'Hello, World!'
+        const encryptedData = encryptionService.encrypt(data)
+        const invalidPrivateKey = 'invalidPrivateKey'
+        const invalidEncryptionService = new RsaEncryptionService({ publicKey, privateKey: invalidPrivateKey })
+
+        expect(() => {
+            invalidEncryptionService.decrypt(encryptedData)
+        }).toThrow()
+    })
+})

From 6014aeea4a71f5eb2c7df026b938ac71434a45c0 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 11:46:16 +0100
Subject: [PATCH 22/32] Add test for remote config encoder

---
 __test__/projects/RemoteConfigEncoder.test.ts | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 __test__/projects/RemoteConfigEncoder.test.ts

diff --git a/__test__/projects/RemoteConfigEncoder.test.ts b/__test__/projects/RemoteConfigEncoder.test.ts
new file mode 100644
index 00000000..7ee98085
--- /dev/null
+++ b/__test__/projects/RemoteConfigEncoder.test.ts
@@ -0,0 +1,38 @@
+import RemoteConfigEncoder from "@/features/projects/domain/RemoteConfigEncoder"
+import { IEncryptionService } from "@/features/encrypt/EncryptionService"
+import RemoteConfig from "@/features/projects/domain/RemoteConfig"
+import { ZodError } from "zod"
+
+describe('RemoteConfigEncoder', () => {
+    const encryptionService: IEncryptionService = {
+        encrypt: (data: string) => `encrypted-${data}`,
+        decrypt: (data: string) => data.replace('encrypted-', '')
+    }
+
+    const encoder = new RemoteConfigEncoder(encryptionService)
+
+    it('should encode a remote config by first encrypting and then encoding with base64', () => {
+        const remoteConfig: RemoteConfig = { url: 'https://example.com/spec.yaml' }
+        const encoded = encoder.encode(remoteConfig)
+        const expectedEncoded = Buffer.from('encrypted-{"url":"https://example.com/spec.yaml"}').toString('base64')
+        expect(encoded).toEqual(expectedEncoded)
+    })
+
+    it('should decode an encoded string', () => {
+        const encodedString = Buffer.from('encrypted-{"url":"https://example.com/spec.yaml"}').toString('base64')
+        const decoded = encoder.decode(encodedString)
+        const expectedDecoded: RemoteConfig = { url: 'https://example.com/spec.yaml' }
+        expect(decoded).toEqual(expectedDecoded)
+    })
+
+    it('should throw an error if the decrypted string is not valid JSON', () => {
+        const invalidJson = Buffer.from('encrypted-invalid-json').toString('base64')
+        expect(() => encoder.decode(invalidJson)).toThrow("Unexpected token i in JSON at position 0")
+    })
+
+    it('should throw an error if the remote config is not valid', () => {
+        const remoteConfig: RemoteConfig = { url: '' }
+        const encoded = encoder.encode(remoteConfig)
+        expect(() => encoder.decode(encoded)).toThrow(ZodError)
+    })
+})

From e44a49b058487042128a37ee67537fa289390ae1 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 11:50:37 +0100
Subject: [PATCH 23/32] Expect "Unexpected token"

---
 __test__/projects/RemoteConfigEncoder.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/__test__/projects/RemoteConfigEncoder.test.ts b/__test__/projects/RemoteConfigEncoder.test.ts
index 7ee98085..924f5633 100644
--- a/__test__/projects/RemoteConfigEncoder.test.ts
+++ b/__test__/projects/RemoteConfigEncoder.test.ts
@@ -27,7 +27,7 @@ describe('RemoteConfigEncoder', () => {
 
     it('should throw an error if the decrypted string is not valid JSON', () => {
         const invalidJson = Buffer.from('encrypted-invalid-json').toString('base64')
-        expect(() => encoder.decode(invalidJson)).toThrow("Unexpected token i in JSON at position 0")
+        expect(() => encoder.decode(invalidJson)).toThrow(/Unexpected token/)
     })
 
     it('should throw an error if the remote config is not valid', () => {

From f94e45cfc7cca233edef69a3165de0416fc0efac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20St=C3=B8vring?= <mail@simonbs.dk>
Date: Thu, 5 Dec 2024 11:57:55 +0100
Subject: [PATCH 24/32] Updates texts

---
 src/app/(authed)/(home)/encrypt/page.tsx | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/app/(authed)/(home)/encrypt/page.tsx b/src/app/(authed)/(home)/encrypt/page.tsx
index 859b3614..5e6c28d4 100644
--- a/src/app/(authed)/(home)/encrypt/page.tsx
+++ b/src/app/(authed)/(home)/encrypt/page.tsx
@@ -7,6 +7,7 @@ const HELP_URL = env.getOrThrow("FRAMNA_DOCS_HELP_URL")
 const SITE_NAME = env.getOrThrow("FRAMNA_DOCS_TITLE")
 
 export default async function EncryptPage() {
+    const possessiveName = SITE_NAME + (SITE_NAME.endsWith('s') ? "'" : "'s")
     return (
         <Box
             display="flex"
@@ -25,12 +26,10 @@ export default async function EncryptPage() {
                     Encrypt secrets
                 </Typography>
                 <Typography sx={{ textAlign: "center" }}>
-                    When adding authentication information to remote specifications it 
-                    is required to encrypt the authentication information with our public 
-                    key before storing it in the repository.<br />
-                    <br />
-                    This page allows you to encrypt the secret using {SITE_NAME}{SITE_NAME.endsWith('s') ? "'" : "'s"} 
-                    public key, which means only {SITE_NAME} can decrypt it.
+                    Use the form below to encrypt a secret using {possessiveName} public key.
+                    <br/><br />
+                    Authentication in remote specifications must be encrypted using {possessiveName} public key
+                    before it is stored in a repository on GitHub.
                 </Typography>
                 <EncryptionForm />
                 {HELP_URL &&

From b481ff27a24c53b62e52d05c36c8d30f4b693350 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20St=C3=B8vring?= <mail@simonbs.dk>
Date: Thu, 5 Dec 2024 11:58:59 +0100
Subject: [PATCH 25/32] Styles text field with encrypted value

---
 src/features/encrypt/view/EncryptionForm.tsx | 51 ++++++++++++++++----
 1 file changed, 41 insertions(+), 10 deletions(-)

diff --git a/src/features/encrypt/view/EncryptionForm.tsx b/src/features/encrypt/view/EncryptionForm.tsx
index a8131313..6f57a806 100644
--- a/src/features/encrypt/view/EncryptionForm.tsx
+++ b/src/features/encrypt/view/EncryptionForm.tsx
@@ -1,8 +1,12 @@
 'use client'
 
 import { useState } from 'react'
-import { Box, Button, Snackbar, TextField, Tooltip } from '@mui/material'
+import { Box, Button, Snackbar, TextField, Tooltip, InputAdornment } from '@mui/material'
+import { styled } from '@mui/material/styles'
+import AccountCircle from '@mui/icons-material/AccountCircle';
 import { encrypt } from "./encryptAction"
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome"
+import { faClipboard } from "@fortawesome/free-regular-svg-icons"
 
 export const EncryptionForm = () => {
     const [inputText, setInputText] = useState('')
@@ -11,18 +15,30 @@ export const EncryptionForm = () => {
 
     const handleSubmit = async (event: React.FormEvent) => {
         event.preventDefault()
-        const encrypted = await encrypt(inputText)
-        setEncryptedText(encrypted)
+        if (inputText.length > 0) {
+            const encrypted = await encrypt(inputText)
+            setEncryptedText(encrypted)
+        } else {
+            setEncryptedText("")
+        }
     }
 
     const handleCopy = () => {
-        navigator.clipboard.writeText(encryptedText)
-        setOpenSnackbar(true)
+        if (encryptedText.length > 0) {
+            navigator.clipboard.writeText(encryptedText)
+            setOpenSnackbar(true)
+        }
     }
 
     const handleCloseSnackbar = () => {
         setOpenSnackbar(false)
     }
+    
+    const EncryptedValueTextField = styled(TextField)({
+        '& .MuiInputBase-root': {
+            backgroundColor: '#F8F8F8'
+        }
+    })
 
     return <Box
         component="form"
@@ -51,13 +67,28 @@ export const EncryptionForm = () => {
         >Encrypt</Button>
 
         <Tooltip title="Click to copy to clipboard">
-            <TextField
+            <EncryptedValueTextField
                 value={encryptedText}
                 onClick={handleCopy}
-                sx={{ input: { cursor: 'pointer' }, width: "300px" }}
-                slotProps={{ input: { readOnly: true } }}
-                placeholder="Encrypted text will appear here"
-            />
+                sx={{
+                    width: "300px",
+                    input: {
+                        cursor: "pointer",
+                        color: "#727272"
+                    }
+                }}
+                slotProps={{
+                  input: {
+                      readOnly: true,
+                      startAdornment: (
+                        <InputAdornment position="start">
+                            <FontAwesomeIcon icon={faClipboard} size="lg" />
+                        </InputAdornment>
+                    )
+                  }
+                }}
+                placeholder="Encrypted text appears here"
+              />
         </Tooltip>
         
         <Snackbar

From 534e88b9d698bcadf52badeaf9a0646670af1cfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20St=C3=B8vring?= <mail@simonbs.dk>
Date: Thu, 5 Dec 2024 12:00:46 +0100
Subject: [PATCH 26/32] Aligns indentation

---
 src/features/encrypt/view/EncryptionForm.tsx | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/features/encrypt/view/EncryptionForm.tsx b/src/features/encrypt/view/EncryptionForm.tsx
index 6f57a806..94a55954 100644
--- a/src/features/encrypt/view/EncryptionForm.tsx
+++ b/src/features/encrypt/view/EncryptionForm.tsx
@@ -78,14 +78,14 @@ export const EncryptionForm = () => {
                     }
                 }}
                 slotProps={{
-                  input: {
-                      readOnly: true,
-                      startAdornment: (
-                        <InputAdornment position="start">
-                            <FontAwesomeIcon icon={faClipboard} size="lg" />
-                        </InputAdornment>
-                    )
-                  }
+                    input: {
+                        readOnly: true,
+                        startAdornment: (
+                            <InputAdornment position="start">
+                                <FontAwesomeIcon icon={faClipboard} size="lg" />
+                            </InputAdornment>
+                        )
+                    }
                 }}
                 placeholder="Encrypted text appears here"
               />

From b7672960b14f717ea27b34ffc361078a1ed42c04 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 12:12:46 +0100
Subject: [PATCH 27/32] Hardcode keypair in test

---
 __test__/encrypt/EncryptionService.test.ts | 54 ++++++++++++++++------
 1 file changed, 40 insertions(+), 14 deletions(-)

diff --git a/__test__/encrypt/EncryptionService.test.ts b/__test__/encrypt/EncryptionService.test.ts
index d1e366c2..3b378088 100644
--- a/__test__/encrypt/EncryptionService.test.ts
+++ b/__test__/encrypt/EncryptionService.test.ts
@@ -1,21 +1,47 @@
 import RsaEncryptionService from '../../src/features/encrypt/EncryptionService'
-import { generateKeyPairSync } from 'crypto'
 
-describe('RsaEncryptionService', () => {
-    const { publicKey, privateKey } = generateKeyPairSync('rsa', {
-        modulusLength: 2048,
-        publicKeyEncoding: {
-            type: 'spki',
-            format: 'pem'
-        },
-        privateKeyEncoding: {
-            type: 'pkcs8',
-            format: 'pem'
-        }
-    })
+const publicKey = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1k4JT719AUz/wuXb2rt
+8933okfM2Iynmc6akSsZWEsW19byzO0UHp8b79xvsmNQKM1wBEBnXb5t+uLjJJZe
+rqCiTB7fBL64tExSKIDIRAlMnQtMfHs/rMgR+o/N2Yo2KimQw9G84goCEbBF2kbw
+5/MQfe43HeEoVWbNfgmRyP8VudO1UtVr07dGoUEWvFjudtd/h5H9THVdEpp2vH2Z
+pSGypn8hRAbOzhIM4ExLOH4ZHb8gPQGiHRGUYXk3Cy95RSf/SpEnRi0p4/63Nx5M
+JNXGM2Jk0RgGcYZcwJvLanT5Xdb9LM/IsDxLKXN+utDUgkzddvJbBC12aLaKaJA5
+LwIDAQAB
+-----END PUBLIC KEY-----`
 
-    const encryptionService = new RsaEncryptionService({ publicKey, privateKey })
+const privateKey = `-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7WTglPvX0BTP/
+C5dvau3z3feiR8zYjKeZzpqRKxlYSxbX1vLM7RQenxvv3G+yY1AozXAEQGddvm36
+4uMkll6uoKJMHt8Evri0TFIogMhECUydC0x8ez+syBH6j83ZijYqKZDD0bziCgIR
+sEXaRvDn8xB97jcd4ShVZs1+CZHI/xW507VS1WvTt0ahQRa8WO5213+Hkf1MdV0S
+mna8fZmlIbKmfyFEBs7OEgzgTEs4fhkdvyA9AaIdEZRheTcLL3lFJ/9KkSdGLSnj
+/rc3Hkwk1cYzYmTRGAZxhlzAm8tqdPld1v0sz8iwPEspc3660NSCTN128lsELXZo
+topokDkvAgMBAAECggEAAWQMl0laQ8OZfiqWY72Ry0oYPgFvFO1PpkQHObm3+S+d
+8Q81IgXNLNtWKSA4VpXYQ4zcJUpADmg1ZdxAfszUB4kcshHdpz4Z9Y849i6KW4l4
+qZsP3hbQWtTbgYWG71+M+y2sqJu0hgCkLPmm31AsJDG6zPtEKokKbYH7jWV0Xo5z
+0g6IUqepc1ElNzsJAU10hgX5UZUPxvzbWHxhBhFzC51GKpfx/W5ZOQtB+W8+nlmC
+OSVlZ9pfr6qxOZbSLWESU1xplywPTPLoYs/38oN5OHIJvB2j8kl+JfcR7v2ezLeV
+fx1Z+x9ME0at7AbGCfhjIfJtftPsoCR60nzN3wWoAQKBgQDfOmfzLaWhVkvt49Hn
+zeLdLI8pwqWXVYozsPMRlExwuIT1KeNolPzWWKx6dG38UzY4XWSvq+w3WAcQ7m6E
+qiRWoRPL3qlWu3pDJYr/EfR2haPMQMwbJM/hg+nC0bhUSVqBEjOZgaQUHStIyugb
+SWQFI3jE9fgj71DtbiVNrb1vAQKBgQDW2ljkotAjF81vI+EoN9QmuPYnejo42nK9
+jlSEU4hrDQMLiqxc5yJidQh75vZRfaO9rdUqHxoXK0DEU3Jk16Kb0n4nkM+xqKoc
+yHTtAgUyflpenbrr4pRZf783XgI0bn/FhoMFQtAvSblru3NfEFQUtKIY82+Xa5H5
+g+cezSDYLwKBgBeViB39GJ6vC16azzZ6XhmX95gl5HDUrMFBVKzqyhiupf1w64HF
+G+FZhP97BZO/Bt91nomg1FgUiMqVJkAF6cjtQ7YqVCHBtO0bLlA8iWNsQx31Spsj
+jIL6+NuIZL0i8tjoH2N8euVVH5mVNmiLnHGeicflZM4HHrm3BWHrlTQBAoGBALeW
+W98CQFe8Pw542ixDiESOR8fz6UwrXWAb/pwTxL20oKV8GUxJNFhtKJK3CEMZ2JB7
+uWoEqYairvUTWOxSVeBQPPwSAWcNeE6f+0mKMGa1EQNIRDDLq3fOcNYevkOPKB7g
+kZQtQzclCAvGYQ8aJL6MmvY3DWOVx2YuD4+COE6BAoGAEGdChfJW5QGXaXEO/PnA
+PbQCCzcqbs+0O6LVR1w68H0WQww94tZjfWPqn9kvwjzLd22ZMmdiBJ3bEbDeCjmG
+Ybt48kS7y9n22CDgL7JkatszYpybvBSrDQL7ms7x2kKPkTMb7C5zpIIzdtvwH+Jf
+6K3kQbqfFCM7VmyR7AmoyOk=
+-----END PRIVATE KEY-----`
 
+const encryptionService = new RsaEncryptionService({ publicKey, privateKey })
+
+describe('RsaEncryptionService', () => {
     it('should encrypt and decrypt data correctly', () => {
         const data = 'Hello, World!'
         const encryptedData = encryptionService.encrypt(data)

From ad394d4e88e501263107fb69e08c8ad920dd52f6 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen <ulrik@shape.dk>
Date: Thu, 5 Dec 2024 12:14:47 +0100
Subject: [PATCH 28/32] Remove unused AccountCircle

---
 src/features/encrypt/view/EncryptionForm.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/features/encrypt/view/EncryptionForm.tsx b/src/features/encrypt/view/EncryptionForm.tsx
index 94a55954..1c23f660 100644
--- a/src/features/encrypt/view/EncryptionForm.tsx
+++ b/src/features/encrypt/view/EncryptionForm.tsx
@@ -3,7 +3,6 @@
 import { useState } from 'react'
 import { Box, Button, Snackbar, TextField, Tooltip, InputAdornment } from '@mui/material'
 import { styled } from '@mui/material/styles'
-import AccountCircle from '@mui/icons-material/AccountCircle';
 import { encrypt } from "./encryptAction"
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome"
 import { faClipboard } from "@fortawesome/free-regular-svg-icons"

From beaac0bad780eeb697eb42340d88356138d4abbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20St=C3=B8vring?= <mail@simonbs.dk>
Date: Thu, 5 Dec 2024 12:19:15 +0100
Subject: [PATCH 29/32] Removes unused import

---
 src/features/encrypt/view/EncryptionForm.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/features/encrypt/view/EncryptionForm.tsx b/src/features/encrypt/view/EncryptionForm.tsx
index 94a55954..1c23f660 100644
--- a/src/features/encrypt/view/EncryptionForm.tsx
+++ b/src/features/encrypt/view/EncryptionForm.tsx
@@ -3,7 +3,6 @@
 import { useState } from 'react'
 import { Box, Button, Snackbar, TextField, Tooltip, InputAdornment } from '@mui/material'
 import { styled } from '@mui/material/styles'
-import AccountCircle from '@mui/icons-material/AccountCircle';
 import { encrypt } from "./encryptAction"
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome"
 import { faClipboard } from "@fortawesome/free-regular-svg-icons"

From 66f7eacb2c4ef4db9e249c7aa350145292bcf719 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20St=C3=B8vring?= <mail@simonbs.dk>
Date: Thu, 5 Dec 2024 12:22:24 +0100
Subject: [PATCH 30/32] Ignores unused argument

---
 src/app/api/remotes/[encodedRemoteConfig]/route.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/api/remotes/[encodedRemoteConfig]/route.ts b/src/app/api/remotes/[encodedRemoteConfig]/route.ts
index ba20014f..936dd67b 100644
--- a/src/app/api/remotes/[encodedRemoteConfig]/route.ts
+++ b/src/app/api/remotes/[encodedRemoteConfig]/route.ts
@@ -7,7 +7,7 @@ interface RemoteSpecificationParams {
   encodedRemoteConfig: string
 }
 
-export async function GET(req: NextRequest, { params }: { params: RemoteSpecificationParams }) {
+export async function GET(_req: NextRequest, { params }: { params: RemoteSpecificationParams }) {
   const isAuthenticated = await session.getIsAuthenticated()
   if (!isAuthenticated) {
     return makeUnauthenticatedAPIErrorResponse()

From 7a36503a4c57ed3c681d16f069cfa2b1a864fb9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20St=C3=B8vring?= <mail@simonbs.dk>
Date: Thu, 5 Dec 2024 12:30:46 +0100
Subject: [PATCH 31/32] Errors when URL includes basic auth

---
 .../api/remotes/[encodedRemoteConfig]/route.ts   |  2 ++
 src/common/utils/fileUtils.ts                    | 16 ++++++++--------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/app/api/remotes/[encodedRemoteConfig]/route.ts b/src/app/api/remotes/[encodedRemoteConfig]/route.ts
index 936dd67b..61950a87 100644
--- a/src/app/api/remotes/[encodedRemoteConfig]/route.ts
+++ b/src/app/api/remotes/[encodedRemoteConfig]/route.ts
@@ -55,6 +55,8 @@ export async function GET(_req: NextRequest, { params }: { params: RemoteSpecifi
       return makeAPIErrorResponse(408, "The operation timed out.")
     } else if (error.name === ErrorName.NOT_JSON_OR_YAML) {
       return makeAPIErrorResponse(400, "Url does not point to a JSON or YAML file.")
+    } else if (error.name === ErrorName.URL_MAY_NOT_INCLUDE_BASIC_AITH) {
+      return makeAPIErrorResponse(400, "Url may not include basic auth.")
     } else {
       return makeAPIErrorResponse(500, error.message)
     }
diff --git a/src/common/utils/fileUtils.ts b/src/common/utils/fileUtils.ts
index f5764e72..10b9ed86 100644
--- a/src/common/utils/fileUtils.ts
+++ b/src/common/utils/fileUtils.ts
@@ -4,6 +4,7 @@ export const ErrorName = {
     MAX_FILE_SIZE_EXCEEDED: "MaxFileSizeExceededError",
     TIMEOUT: "TimeoutError",
     NOT_JSON_OR_YAML: "NotJsonOrYamlError",
+    URL_MAY_NOT_INCLUDE_BASIC_AITH: "UrlMayNotIncludeBasicAuth"
 }
 
 export async function downloadFile(params: {
@@ -21,14 +22,13 @@ export async function downloadFile(params: {
         headers["Authorization"] = "Basic " + btoa(`${basicAuthUsername}:${basicAuthPassword}`);
     }
     // Make sure basic auth is removed from URL.
-    const urlWithoutAuth = url;
-    urlWithoutAuth.username = "";
-    urlWithoutAuth.password = "";
-    const response = await fetch(urlWithoutAuth, {
-        method: "GET",
-        headers,
-        signal: AbortSignal.any([abortController.signal, timeoutSignal])
-    });
+    if ((url.username && url.username.length > 0) || (url.password && url.password.length > 0)) {
+        const error = new Error("URL may not include basic auth");
+        error.name = ErrorName.URL_MAY_NOT_INCLUDE_BASIC_AITH;
+        throw error;
+    }
+    let fetchSignal = AbortSignal.any([abortController.signal, timeoutSignal])
+    const response = await fetch(url, { method: "GET", headers, signal: fetchSignal })
     if (!response.body) {
         throw new Error("Response body unavailable");
     }

From 7092c9cac398f7365e670dafb5d7c072ad97bee6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20St=C3=B8vring?= <mail@simonbs.dk>
Date: Thu, 5 Dec 2024 12:35:56 +0100
Subject: [PATCH 32/32] Fixes linting error

---
 src/common/utils/fileUtils.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/common/utils/fileUtils.ts b/src/common/utils/fileUtils.ts
index 10b9ed86..acc3b062 100644
--- a/src/common/utils/fileUtils.ts
+++ b/src/common/utils/fileUtils.ts
@@ -27,7 +27,7 @@ export async function downloadFile(params: {
         error.name = ErrorName.URL_MAY_NOT_INCLUDE_BASIC_AITH;
         throw error;
     }
-    let fetchSignal = AbortSignal.any([abortController.signal, timeoutSignal])
+    const fetchSignal = AbortSignal.any([abortController.signal, timeoutSignal])
     const response = await fetch(url, { method: "GET", headers, signal: fetchSignal })
     if (!response.body) {
         throw new Error("Response body unavailable");