feat: Secure external credentials with database encryption (#12648)

## Changelog

- Added conditional Active Record encryption to every external
credential we store (SMTP/IMAP passwords, Twilio tokens,
Slack/OpenAI hook tokens, Facebook/Instagram tokens, LINE/Telegram keys,
Twitter secrets) so new writes are encrypted
whenever Chatwoot.encryption_configured? is true; legacy installs still
receive plaintext until their secrets are
    updated.
- Tuned encryption settings in config/application.rb to allow legacy
reads (support_unencrypted_data) and to extend
deterministic queries so lookups continue to match plaintext rows during
the rollout; added TODOs to retire the
    fallback once encryption becomes mandatory.
- Introduced an MFA-pipeline test suite
(spec/models/external_credentials_encryption_spec.rb) plus shared
examples to
verify each attribute encrypts at rest and that plaintext records
re-encrypt on update, with a dedicated Telegram case.
The existing MFA GitHub workflow now runs these tests using the
preconfigured encryption keys.

fixes:
https://linear.app/chatwoot/issue/CW-5453/encrypt-sensitive-credentials-stored-in-plain-text-in-database

## Testing Instructions

 1. Instance without encryption keys
- Unset ACTIVE_RECORD_ENCRYPTION_* vars (or run in an environment where
they’re absent).
      - Create at least one credentialed channel (e.g., Email SMTP).
- Confirm workflows still function (send/receive mail or a similar
sanity check).
- In the DB you should still see plaintext values—this confirms the
guard prevents encryption when keys are missing.
  2. Instance with encryption keys
      - Configure the three encryption env vars and restart.
- Pick a couple of representative integrations (e.g., Email SMTP +
Twilio SMS).
      - Legacy channel check:
- Use existing records created before enabling keys. Trigger their
workflow (send an email / SMS, or hit the
            webhook) to ensure they still authenticate.
- Inspect the raw column—value remains plaintext until changed.
      - Update legacy channel:
- Edit one legacy channel’s credential (e.g., change SMTP password).
- Verify the operation still works and the stored value is now encrypted
(raw column differs, accessor returns
            original).
      - New channel creation:
- Create a new channel of the same type; confirm functionality and that
the stored credential is encrypted from
            the start.

---------

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>

spec/models/application_record_external_credentials_encryption_spec.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ApplicationRecord do
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_email,
+                  attribute: :smtp_password,
+                  value: 'smtp-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_email,
+                  attribute: :imap_password,
+                  value: 'imap-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_twilio_sms,
+                  attribute: :auth_token,
+                  value: 'twilio-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :integrations_hook,
+                  attribute: :access_token,
+                  value: 'hook-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_facebook_page,
+                  attribute: :page_access_token,
+                  value: 'fb-page-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_facebook_page,
+                  attribute: :user_access_token,
+                  value: 'fb-user-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_instagram,
+                  attribute: :access_token,
+                  value: 'ig-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_line,
+                  attribute: :line_channel_secret,
+                  value: 'line-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_line,
+                  attribute: :line_channel_token,
+                  value: 'line-token-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_telegram,
+                  attribute: :bot_token,
+                  value: 'telegram-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_twitter_profile,
+                  attribute: :twitter_access_token,
+                  value: 'twitter-access-secret'
+
+  it_behaves_like 'encrypted external credential',
+                  factory: :channel_twitter_profile,
+                  attribute: :twitter_access_token_secret,
+                  value: 'twitter-secret-secret'
+
+  context 'when backfilling legacy plaintext' do
+    before do
+      skip('encryption keys missing; see run_mfa_spec workflow') unless Chatwoot.encryption_configured?
+    end
+
+    it 'reads existing plaintext and encrypts on update' do
+      account = create(:account)
+      channel = create(:channel_email, account: account, smtp_password: nil)
+
+      # Simulate legacy plaintext by updating the DB directly
+      sql = ActiveRecord::Base.send(
+        :sanitize_sql_array,
+        ['UPDATE channel_email SET smtp_password = ? WHERE id = ?', 'legacy-plain', channel.id]
+      )
+      ActiveRecord::Base.connection.execute(sql)
+
+      legacy_record = Channel::Email.find(channel.id)
+      expect(legacy_record.smtp_password).to eq('legacy-plain')
+
+      legacy_record.update!(smtp_password: 'encrypted-now')
+
+      stored_value = legacy_record.reload.read_attribute_before_type_cast(:smtp_password)
+      expect(stored_value).to be_present
+      expect(stored_value).not_to include('encrypted-now')
+      expect(legacy_record.smtp_password).to eq('encrypted-now')
+    end
+  end
+
+  context 'when looking up telegram legacy records' do
+    before do
+      skip('encryption keys missing; see run_mfa_spec workflow') unless Chatwoot.encryption_configured?
+    end
+
+    it 'finds plaintext records via fallback lookup' do
+      channel = create(:channel_telegram, bot_token: 'legacy-token')
+
+      # Simulate legacy plaintext by updating the DB directly
+      sql = ActiveRecord::Base.send(
+        :sanitize_sql_array,
+        ['UPDATE channel_telegram SET bot_token = ? WHERE id = ?', 'legacy-token', channel.id]
+      )
+      ActiveRecord::Base.connection.execute(sql)
+
+      found = Channel::Telegram.find_by(bot_token: 'legacy-token')
+      expect(found).to eq(channel)
+    end
+  end
+end

spec/support/examples/encrypted_external_credential_examples.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'encrypted external credential' do |factory:, attribute:, value: 'secret-token'|
+  before do
+    skip('encryption keys missing; see run_mfa_spec workflow') unless Chatwoot.encryption_configured?
+    if defined?(Facebook::Messenger::Subscriptions)
+      allow(Facebook::Messenger::Subscriptions).to receive(:subscribe).and_return(true)
+      allow(Facebook::Messenger::Subscriptions).to receive(:unsubscribe).and_return(true)
+    end
+  end
+
+  it "encrypts #{attribute} at rest" do
+    record = create(factory, attribute => value)
+
+    raw_stored_value = record.reload.read_attribute_before_type_cast(attribute).to_s
+    expect(raw_stored_value).to be_present
+    expect(raw_stored_value).not_to include(value)
+    expect(record.public_send(attribute)).to eq(value)
+    expect(record.encrypted_attribute?(attribute)).to be(true)
+  end
+end