feat: encrypt cached data

Author: Mike van den Hoek

README.md

@@ -46,6 +46,23 @@ See [here](https://github.com/OpenWebconcept/plugin-prefill-gravity-forms/blob/m
 2. Go to the form settings of the form you want to configure.
 3. Scroll down and look for the 'iConnect' panel and configure the settings.
 
+### 🔐 Cache Encryption
+
+To enable secure caching of sensitive data, you **must define an encryption key** in your `wp-config.php` file. This key is used to encrypt and decrypt the cached data and should be kept secret at all times.
+
+Add the following line to your `wp-config.php`:
+
+```php
+// Prefill Gravity Forms – Cache Encryption Key
+define('PG_CACHE_ENCRYPTION_KEY', 'your-unique-32-character-key');
+```
+
+Important:
+
+- Use a randomly generated, 32-character key for strong AES-256 encryption.
+- Never store this key in the database.
+- Keep it secret and secure — anyone with access to this key can decrypt cached data.
+
 ## License
 
 The source code is made available under the [EUPL 1.2 license](https://github.com/OpenWebconcept/plugin-prefill-gravity-forms/blob/main/LICENSE.md). Some of the dependencies are licensed differently, with the BSD or MIT license, for example.

src/PrefillGravityForms/Controllers/BaseController.php

@@ -299,13 +299,17 @@ protected function getCurlHeaders(string $doelBinding = ''): array
 
     protected function handleCurl(array $args, string $transientKey): array
     {
-        /**
-         * IMPORTANT NOTE: when adjusting this piece of code, please make sure
-         * that the transient key is unique per request. Otherwise, different requests
-         * might return the same cached response.
-        */
-        if ($cachedResponse = CacheService::getArrayFromTransient($transientKey)) {
-            return $cachedResponse;
+        try {
+            /**
+             * IMPORTANT NOTE: when adjusting this piece of code, please make sure
+             * that the transient key is unique per request. Otherwise, different requests
+             * might return the same cached response.
+             */
+            if ($cachedResponse = CacheService::getArrayFromTransient($transientKey)) {
+                return $cachedResponse;
+            }
+        } catch (Exception $e) {
+            $this->logError('Failed to get transient: ' . $e->getMessage(), $e->getCode());
         }
 
         $curl = curl_init();
@@ -352,6 +356,14 @@ protected function handleCurl(array $args, string $transientKey): array
         }
     }
 
+    /**
+     * Extracts the burgerservicenummer (BSN) from the API response.
+     */
+    protected function extractBSN(array $response): string
+    {
+        return (string) ($response['burgerservicenummer'] ?? '');
+    }
+
     /**
      * Validates whether the necessary conditions are met before setting the transient.
      *
@@ -361,7 +373,7 @@ protected function handleCurl(array $args, string $transientKey): array
      */
     protected function handleTransient(array $response, string $transientKey): void
     {
-        $responseBSN = (string) ($response['burgerservicenummer'] ?? '');
+        $responseBSN = $this->extractBSN($response);
 
         if ('' === $responseBSN) {
             throw new Exception('No burgerservicenummer found in the response.', 404);
@@ -374,7 +386,11 @@ protected function handleTransient(array $response, string $transientKey): void
             throw new Exception('Transient key mismatch.', 500);
         }
 
-        CacheService::setTransient($transientKey, $response);
+        try {
+            CacheService::setTransient($transientKey, $response);
+        } catch (Exception $e) {
+            $this->logError('Failed to set transient: ' . $e->getMessage(), $e->getCode());
+        }
     }
 
     protected function timeoutOptionCURL(): int

src/PrefillGravityForms/Controllers/WeAreFrankController.php

@@ -101,6 +101,14 @@ protected function getExpandFields(string $expand): array
         return array_filter(explode(',', $expand));
     }
 
+    /**
+     * @inheritDoc
+     */
+    protected function extractBSN(array $response): string
+    {
+        return (string) ($response['personen'][0]['burgerservicenummer'] ?? '');
+    }
+
     protected function fetchPersonData(array $preparedData, string $bsn): array
     {
         $apiResponse = $this->request($preparedData, $bsn);

src/PrefillGravityForms/Services/CacheService.php

@@ -8,19 +8,28 @@ class CacheService
 {
     private static int $defaultExpiration = HOUR_IN_SECONDS;
 
+    /**
+     * @throws Exception
+     */
     public static function getArrayFromTransient(string $transientKey): array
     {
         if ('' === trim($transientKey)) {
-            return [];
+            throw new Exception('Transient key is empty.', 500);
         }
 
         $cachedResponse = get_transient($transientKey);
 
-        if (! is_array($cachedResponse) || [] === $cachedResponse) {
+        if (! is_string($cachedResponse) || '' === $cachedResponse) {
             return [];
         }
 
-        return $cachedResponse;
+        $decrypted = EncryptionService::decrypt($cachedResponse);
+
+        if (! is_array($decrypted)) {
+            throw new Exception('Decrypted data is not an array.', 500);
+        }
+
+        return $decrypted;
     }
 
     /**
@@ -32,7 +41,9 @@ public static function setTransient(string $transientKey, $data, int $expiration
             throw new Exception('Transient key is empty.', 500);
         }
 
-        set_transient($transientKey, $data, $expiration ?: static::$defaultExpiration);
+        $encrypted = EncryptionService::encrypt($data);
+
+        set_transient($transientKey, $encrypted, $expiration ?: static::$defaultExpiration);
     }
 
     /**

src/PrefillGravityForms/Services/EncryptionService.php

@@ -0,0 +1,78 @@
+<?php
+
+namespace OWC\PrefillGravityForms\Services;
+
+use Exception;
+
+class EncryptionService
+{
+    private static string $cipher = 'aes-256-gcm';
+    private const TAG_LENGTH = 16;
+
+    /**
+     * Encrypts the given data array into a secure string.
+     */
+    public static function encrypt(array $data): string
+    {
+        $iv = random_bytes(openssl_cipher_iv_length(self::$cipher));
+        $tag = '';
+        $plaintext = serialize($data);
+
+        $ciphertext = openssl_encrypt(
+            $plaintext,
+            self::$cipher,
+            static::getEncryptionKey(),
+            0,
+            $iv,
+            $tag,
+            '',
+            self::TAG_LENGTH
+        );
+
+        return base64_encode($iv . $tag . $ciphertext);
+    }
+
+    /**
+     * Decrypts the given string back into a data array.
+     *
+     * @throws Exception
+     * @return mixed
+     */
+    public static function decrypt(string $encrypted)
+    {
+        $raw = base64_decode($encrypted);
+
+        $ivLength = openssl_cipher_iv_length(self::$cipher);
+        $iv = substr($raw, 0, $ivLength);
+        $tag = substr($raw, $ivLength, self::TAG_LENGTH);
+        $ciphertext = substr($raw, $ivLength + self::TAG_LENGTH);
+
+        $plaintext = openssl_decrypt(
+            $ciphertext,
+            self::$cipher,
+            static::getEncryptionKey(),
+            0,
+            $iv,
+            $tag
+        );
+
+        if (! is_string($plaintext)) {
+            throw new Exception('Decryption failed. Invalid data or key.', 500);
+        }
+
+        return unserialize($plaintext);
+    }
+
+    /**
+     * @throws Exception
+     */
+    private static function getEncryptionKey(): string
+    {
+        if (! defined('PG_CACHE_ENCRYPTION_KEY') || strlen(PG_CACHE_ENCRYPTION_KEY) < 32) {
+            throw new Exception('Encryption key is not defined or too short. Please define a constant PG_CACHE_ENCRYPTION_KEY with at least 32 characters in wp-config.php', 500);
+        }
+
+
+        return PG_CACHE_ENCRYPTION_KEY;
+    }
+}