Add delete account endpoint and file encryption at rest

Delete Account (Plan #2): - DELETE /api/auth/account/ with password or "DELETE" confirmation - Cascade delete across 15+ tables in correct FK order - Auth provider detection (email/apple/google) for /auth/me/ - File cleanup after account deletion - Handler + repository tests (12 tests) Encryption at Rest (Plan #3): - AES-256-GCM envelope encryption (per-file DEK wrapped by KEK) - Encrypt on upload, auto-decrypt on serve via StorageService.ReadFile() - MediaHandler serves decrypted files via c.Blob() - TaskService email image loading uses ReadFile() - cmd/migrate-encrypt CLI tool with --dry-run for existing files - Encryption service + storage service tests (18 tests)
2026-03-26 10:41:01 -05:00
parent 72866e935e
commit 4abc57535e
22 changed files with 1675 additions and 82 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -93,6 +93,9 @@ services:
      APNS_TOPIC: ${APNS_TOPIC}
      APNS_USE_SANDBOX: "${APNS_USE_SANDBOX:-false}"
      FCM_SERVER_KEY: ${FCM_SERVER_KEY}
+
+      # Storage encryption
+      STORAGE_ENCRYPTION_KEY: ${STORAGE_ENCRYPTION_KEY}
    volumes:
      - push_certs:/certs:ro
      - uploads:/app/uploads