From e97a1f8efd447a64a10197a13a5db70ae9df3ea7 Mon Sep 17 00:00:00 2001
From: yannis
Date: Wed, 2 Jul 2025 09:20:54 +0200
Subject: [PATCH] feat: encrypt/decrypt token
---
 htdocs/api/admin/token_list.php | 2 +-
 htdocs/user/api_token/card.php | 9 ++++++---
 htdocs/user/api_token/list.php | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/htdocs/api/admin/token_list.php b/htdocs/api/admin/token_list.php
index 35965a25dc7..ac842f1af4b 100644
--- a/htdocs/api/admin/token_list.php
+++ b/htdocs/api/admin/token_list.php
@@ -449,7 +449,7 @@ if (empty($reshook)) {
 }
 print '';
 print '';
- print $obj->token;
+ print dolDecrypt($obj->token);
 print '';
 print '';
 print '';
diff --git a/htdocs/user/api_token/card.php b/htdocs/user/api_token/card.php
index 1243aefb0a3..5e7655bfda9 100644
--- a/htdocs/user/api_token/card.php
+++ b/htdocs/user/api_token/card.php
@@ -275,7 +275,7 @@ if (empty($reshook)) {
 $sqlforcount = 'SELECT COUNT(*) as nbtotalofrecords';
 $sqlforcount .= " FROM ".MAIN_DB_PREFIX."oauth_token as oat";
- $sqlforcount .= " WHERE token = '".$db->escape($tokenstring)."'";
+ $sqlforcount .= " WHERE token = '".$db->escape(dolEncrypt($tokenstring, '', '', 'dolibarr'))."'";
 $sqlforcount .= " AND service = 'dolibarr_rest_api'";
 $resql = $db->query($sqlforcount);
 if ($resql) {
@@ -294,7 +294,7 @@ if (empty($reshook)) {
 $db->begin();
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."oauth_token (service, token, fk_user, entity, datec)";
- $sql .= " VALUES ('dolibarr_rest_api', '".$db->escape($tokenstring)."', ".($useridtoadd).", ".((int) $conf->entity).", '".$db->idate(dol_now())."')";
+ $sql .= " VALUES ('dolibarr_rest_api', '".$db->escape(dolEncrypt($tokenstring, '', '', 'dolibarr'))."', ".($useridtoadd).", ".((int) $conf->entity).", '".$db->idate(dol_now())."')";
 $resql = $db->query($sql);
 if (!$resql) {
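Review bot: The decrypted token on the `+` line of this hunk is written into the page unescaped, exactly as the plaintext was before, and the same pattern is repeated in the `list.php` hunk at `@@ -515,7 +515,7 @@`. `dolDecrypt()` presumably hands back the column value untouched when it does not carry the encrypted-format prefix, so whatever sits in that column lands in the HTML verbatim. Suggest `print dol_escape_htmltag(dolDecrypt($obj->token));` in both places; the token is generated server-side, so this is output-encoding hygiene rather than a known injection, but the list column should not be the one spot that trusts the database. The enclosing loop of both hunks starts and ends outside the hunk.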
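Review bot: The `dolEncrypt($tokenstring, '', '', 'dolibarr')` call on the `+` line passes a constant as the fourth (seed) argument, and the INSERT in the next hunk (`@@ -294,7 +294,7 @@`) does the same, so every token in `oauth_token` is encrypted under the same key and the same IV. That is what lets the `WHERE token = ...` equality lookup work at all, but it also means ciphertext equality reveals token equality and, if the helper's default is the CTR-style mode it appears to use, the keystream is shared across every row, which gives obfuscation rather than real confidentiality of the stored secrets. A sturdier layout keeps the equality column as a keyed digest, e.g. `hash_hmac('sha256', $tokenstring, <INSTANCE_SECRET>)`, and stores the value needed for display with a per-row random IV (no forced seed) in a separate column; that is a schema change, so at minimum document the trade-off in a comment next to the call. Note as well that the count compares only against the encrypted form, so rows written in plaintext before this change are invisible to this duplicate check, and nothing in the patch touches the code that validates a presented token on API requests, so it is worth confirming that lookup applies the same transformation. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.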
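Review bot: On the `+` line, `$useridtoadd` is interpolated into the INSERT without a cast while `$conf->entity` right beside it gets `(int)`; use `((int) $useridtoadd)` so the SQL cannot receive anything but an integer regardless of where the id was read from. The encrypted token is also computed here a second time with the same arguments as in the count query of the previous hunk; compute it once into `$encryptedtoken = dolEncrypt($tokenstring, '', '', 'dolibarr');` and use it in both statements so the lookup and the stored value cannot drift apart. The transaction opened by `$db->begin()` continues outside the hunk.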
@@ -336,6 +336,7 @@ if (isset($reloadtoken)) { // If we add or del rights, we want to refresh the to
 $resql = $db->query($sql);
 $token = $db->fetch_object($resql);
+ $tokenvalue = dolDecrypt($token->token);
 }
 /*
@@ -412,6 +413,8 @@ if ($action == 'create') {
 print dol_get_fiche_head($head, 'apitoken', $title, -1, 'user');
+ $tokenvalue = dolDecrypt($token->token);
+
 $linkback = ''.$langs->trans("BackToList").'';
 $morehtmlref = '';
@@ -453,7 +456,7 @@ if ($action == 'create') {
 // Token
 print ''.$langs->trans("ApiToken").'';
 print '';
- print showValueWithClipboardCPButton($token->token, 1, $token->token);
+ print showValueWithClipboardCPButton($tokenvalue, 1, $tokenvalue);
 print '';
 print ''."\n";
diff --git a/htdocs/user/api_token/list.php b/htdocs/user/api_token/list.php
index c5eef1e14df..6321cf80c23 100644
--- a/htdocs/user/api_token/list.php
+++ b/htdocs/user/api_token/list.php
@@ -515,7 +515,7 @@ if (empty($reshook)) {
 }
 print '';
 print '';
- print $obj->token;
+ print dolDecrypt($obj->token);
 print '';
 print '';
 if (isModEnabled('multicompany')) {
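Review bot: The `$tokenvalue = dolDecrypt($token->token);` added inside the `if (isset($reloadtoken))` block is recomputed unconditionally by the second addition in this file (`@@ -412,6 +413,8 @@`, right after `dol_get_fiche_head`), so unless the reload block exits or redirects before the view runs, the first assignment is dead and should be dropped to keep a single source of truth. The later line also dereferences `$token->token` with no check that `fetch_object()` returned an object; the original display code carried the same assumption, but a guard such as `$tokenvalue = $token ? dolDecrypt($token->token) : '';` would let the card render instead of warn when the row is missing. Both enclosing blocks start and end outside their hunks.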