From f7bdc010201853fa371bb1d84708f495bb641fc9 Mon Sep 17 00:00:00 2001
From: florian
Date: Tue, 4 Nov 2025 22:09:11 +0100
Subject: [PATCH] Wip1

---
 requirements.txt | 1 +
 src/db.py | 2 +-
 src/main.py | 11 ++++++++++-
 src/secret_handler.py | 35 ----------------------------------
 4 files changed, 12 insertions(+), 37 deletions(-)
 delete mode 100644 src/secret_handler.py

diff --git a/requirements.txt b/requirements.txt
index c752c3d..b383720 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,6 +8,7 @@ cryptography==46.0.2
 fastapi==0.118.0
 h11==0.16.0
 idna==3.10
+lib-secret-manager[encryption] @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@main
 lib-uvicorn-config @ git+https://git.gansejunge.com/notifier/lib-uvicorn-config.git@main
 mysql-connector-python==9.4.0
 prometheus_client==0.23.1
diff --git a/src/db.py b/src/db.py
index ed00779..084275d 100644
--- a/src/db.py
+++ b/src/db.py
@@ -1,6 +1,6 @@
 from mysql.connector import pooling, Error
 import threading
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 import os
 import time
 from simple_logger_handler import setup_logger
diff --git a/src/main.py b/src/main.py
index 0ac3bff..d7ba345 100644
--- a/src/main.py
+++ b/src/main.py
@@ -5,7 +5,8 @@ from starlette.exceptions import HTTPException as StarletteHTTPException
 from typing import Optional,List
 from pydantic import BaseModel
 from validator import is_valid_platform,is_valid_token,verify_api_key
-from secret_handler import encrypt_token
+from secret_manager.fernet_encryption import encrypt_token
+from secret_manager import cleanup_secret_files
 from db import get_db, create_connection_pool, close_connection_pool, start_healthcheck_thread
 from simple_logger_handler import setup_logger, LOG_LEVEL
 import uuid
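Review bot: The added `lib-secret-manager[encryption]` requirement resolves the mutable `@main` ref of a git URL, so the library that now handles the encryption key and DB credentials is installed as whatever that branch points to at build time: two builds can ship different code, and a force-pushed or compromised branch lands in the image unnoticed. Pin it to an immutable tag or commit, e.g. `lib-secret-manager[encryption] @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@<PINNED-COMMIT-OR-TAG>` (placeholder), preferably with the resolved revision recorded in a lockfile. The existing `lib-uvicorn-config` context line has the same weakness, but this line is the one that now owns secret handling, which makes the pin matter more here.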
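Review bot: `return_credentials` is now imported from the external `secret_manager` package, whose contract is not visible in this diff, while the deleted `secret_handler.return_credentials` returned `file.read().strip()` and emitted a `[FATAL]` log line before re-raising on a missing or unreadable file. If the library version does not strip the trailing newline that mounted secret files usually carry, the DB password read in `db.py` silently changes; if it does not log, a missing secret surfaces only as a bare traceback at pool creation. Worth confirming both against the library before merging, or recording the expectation at the import, e.g. `# return_credentials must strip whitespace and log fatally on a missing file (contract of the old secret_handler)`.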
@@ -44,6 +45,14 @@ async def lifespan(app: FastAPI): start_healthcheck_thread() logger.info("MySQL healthcheck thread started.") + + SECRET_PATHS = frozenset({ + "/etc/secrets/encryption_key", + "/etc/secrets/db_username", + "/etc/secrets/db_password" + }) + cleanup_secret_files(SECRET_PATHS) + yield logger.info("Closing MySQL connection pool...") close_connection_pool() diff --git a/src/secret_handler.py b/src/secret_handler.py deleted file mode 100644 index 897b59e..0000000 --- a/src/secret_handler.py +++ /dev/null @@ -1,35 +0,0 @@ -from cryptography.fernet import Fernet -from simple_logger_handler import setup_logger - -logger = setup_logger(__name__) - -try: - with open("/etc/secrets/encryption_key","rb") as file: - encryption_key = file.read() -except FileNotFoundError: - logger.fatal("[FATAL] Encryption key not found") - raise -except Exception as e: - logger.fatal(f"[FATAL]Failed to read encryption key: {e}") - raise - -fernet = Fernet(encryption_key) - -def encrypt_token(token:str)->str: - return fernet.encrypt(token.encode()).decode() - -def decrypt_token(token:str)->str: - return fernet.decrypt(token.encode()).decode() - -def return_credentials(path: str)->str: - try: - with open (path) as file: - return file.read().strip() - except FileNotFoundError: - logger.fatal(f"[FATAL] Secret file not found: {path}") - raise - except Exception as e: - logger.fatal(f"[FATAL] Failed to read secret file {path}: {e}") - raise - -
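Review bot: `cleanup_secret_files(SECRET_PATHS)` runs after `start_healthcheck_thread()` but before `yield`, so if it removes the files as its name suggests, any later read of `/etc/secrets/db_username`, `/etc/secrets/db_password` or `/etc/secrets/encryption_key` during the app's lifetime — a reconnect in the healthcheck thread, or a Fernet key loaded lazily by `secret_manager.fernet_encryption.encrypt_token` — fails at request time instead of at startup. The diff does not show whether the library loads the key at import or whether `db.py` re-reads credentials; the deleted `secret_handler` read the key once at import, which is what made a post-startup cleanup safe before, so confirm the library does the same or move the cleanup after the last read. `SECRET_PATHS` is also a function-local written in constant style and repeats literals that `db.py` and the library presumably read too; hoist it to module level or import the paths from the one place that defines them. `lifespan` begins before this hunk.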