Encrypt Discord token at rest in settings file (machine-bound)

[Copilot]

• In Read(): cipher naming (encrypted data being read)
• In Write(): cipherSource variable for plaintext span before in-place encryption; layout comment with size annotation
• Fix CSharpier formatting in 5 localization files (PersistTokenTooltip = """ inline)
• Fix CSharpier formatting in TokenEncryptionConverter.cs (exception filter style + trailing newline)
• Build: 0 warnings, 0 errors, format check passing

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Tyrrrz]

@copilot additional requirement: the token should be decryptable only on the machine it was encrypted for. If Settings.dat is stolen, the attacker shouldn't be able to decrypt it on a different machine.

[Copilot]

Pull request overview

This PR aims to prevent Discord tokens from being stored in plain text inside Settings.dat by introducing transparent encryption at the JSON serialization layer and updating UI tooltips to clarify the security properties.

Changes:

• Added TokenEncryptionConverter (JsonConverter<string?>) that encrypts/decrypts LastToken values using AES-CBC with a randomized IV and randomized plaintext prefix, storing values as enc:<base64(...)>.
• Annotated SettingsService.LastToken with the new converter for backward-compatible read and automatic re-save in encrypted form.
• Updated localization strings for PersistTokenTooltip across all supported languages to mention encrypted-at-rest storage.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

File	Description
DiscordChatExporter.Gui/Services/TokenEncryptionConverter.cs	Introduces the token encryption/decryption converter and on-disk format (enc: + Base64 blob).
DiscordChatExporter.Gui/Services/SettingsService.cs	Applies the converter to LastToken so persisted settings no longer store the token in plaintext.
DiscordChatExporter.Gui/Localization/LocalizationManager.{English,French,German,Spanish,Ukrainian}.cs	Updates tooltip text to reflect encrypted-at-rest storage and its limitations.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Read() allocates multiple temporary arrays/strings via range slicing (data[17..], data[..16], and decrypted[...]). Since DecryptCbc and Encoding.UTF8.GetString accept spans, consider using data.AsSpan(...) and decrypted.AsSpan(padLen) (and cache padLen) to avoid these allocations.

Suggested change

	var decrypted = aes.DecryptCbc(data[17..], data[..16]);
	return Encoding.UTF8.GetString(decrypted[data[16]..]);
	var ivSpan = data.AsSpan(0, 16);
	var padLen = data[16];
	var cipherSpan = data.AsSpan(17);
	var decrypted = aes.DecryptCbc(cipherSpan, ivSpan);
	return Encoding.UTF8.GetString(decrypted.AsSpan(padLen));

[Tyrrrz]

@copilot

[Tyrrrz]

We use a hex string for encoding bytes in other places, can we do that here too?

[Copilot]

Switched to Convert.FromHexString / Convert.ToHexStringLower in 1f791ee, consistent with the pattern in ExportAssetDownloader.cs.

[Tyrrrz]

Why did you choose CBC? Can we use GCM? Or is it for a specific reason?

[Copilot]

Switched to AES-GCM in 1f791ee. CBC was the initial choice for simplicity, but GCM is strictly better here — it gives authenticated encryption (integrity via the 16-byte tag) so a tampered or wrong-key ciphertext is detected cleanly. The new layout is Nonce[12] | padLen[1] | Tag[16] | Ciphertext.

[Copilot]

@copilot additional requirement: the token should be decryptable only on the machine it was encrypted for. If Settings.dat is stolen, the attacker shouldn't be able to decrypt it o...

Done in 1721ac4. The encryption key is now derived from a machine-specific identifier via PBKDF2-SHA256 (10,000 iterations):

• Windows: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid (stable GUID written at OS install)
• Linux: /etc/machine-id or /var/lib/dbus/machine-id (set by systemd at first boot)
• macOS / fallback: Environment.MachineName

If Settings.dat is stolen and moved to a different machine, the derived key will differ so decryption will fail and return null — the user simply re-enters their token.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• av-build-tel-api-v1.avaloniaui.net
  • Triggering command: /usr/share/dotnet/dotnet dotnet exec --runtimeconfig /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/runtimeconfig.json /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/Avalonia.BuildServices.Collector.dll (dns block)
  • Triggering command: /usr/share/dotnet/dotnet dotnet exec --runtimeconfig /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/runtimeconfig.json /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/Avalonia.BuildServices.Collector.dll unset --global tch-f9790762941c1c04/dbs/csharp/working/.dotnet/dotnet pull.rebase (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• av-build-tel-api-v1.avaloniaui.net
  • Triggering command: /usr/share/dotnet/dotnet dotnet exec --runtimeconfig /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/runtimeconfig.json /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/Avalonia.BuildServices.Collector.dll (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Tyrrrz]

@copilot

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• av-build-tel-api-v1.avaloniaui.net
  • Triggering command: /usr/share/dotnet/dotnet dotnet exec --runtimeconfig /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/runtimeconfig.json /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/Avalonia.BuildServices.Collector.dll (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Tyrrrz]

@copilot Note the build errors

[Tyrrrz]

@copilot can you fix the build errors please?

[Copilot]

@copilot Note the build errors

Fixed in 93d4a63 — the CSharpier format check was failing because multiline string assignments in 5 localization files used =\n """ instead of = """, and TokenEncryptionConverter.cs had a trailing blank line and different exception-filter indentation. Running dotnet build -t:CSharpierFormat auto-corrected all 6 files; those fixes are now committed.

@copilot can you fix the build errors please?

Done in 93d4a63 — the format job failure is fixed. All 6 affected files were reformatted by CSharpier and committed.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• av-build-tel-api-v1.avaloniaui.net
  • Triggering command: /usr/share/dotnet/dotnet dotnet exec --runtimeconfig /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/runtimeconfig.json /home/REDACTED/.nuget/packages/avalonia.buildservices/11.3.2/tools/netstandard2.0/Avalonia.BuildServices.Collector.dll (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Tyrrrz]

@copilot currently getting this:

DiscordChatExporter.Cli/bin/publish/ --configuration Release --runtime osx-x64 --self-contained
  dotnet publish DiscordChatExporter.Cli -p:Version=999.9.9-ci-9149cd4cdf7214115d3ccd3f0ae2a816bf6ef5e4 -p:CSharpier_Bypass=true -p:EncryptionSalt=*** -p:PublishMacOSBundle=true --output DiscordChatExporter.Cli/bin/publish/ --configuration Release --runtime osx-x64 --self-contained
  shell: /bin/bash -e {0}
  env:
    DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
    DOTNET_NOLOGO: true
    DOTNET_CLI_TELEMETRY_OPTOUT: true
    DOTNET_ROOT: /Users/runner/.dotnet
/Users/runner/work/_temp/6a02142b-9f43-4f93-9a4a-9af7c337bd2c.sh: line 1: unexpected EOF while looking for matching `''
Error: Process completed with exit code 2.

[Copilot]

@copilot currently getting this:

...

Fixed in cf8fdea — the ENCRYPTION_SALT secret value contains a ', which broke bash when passed unquoted. Changed to "-p:EncryptionSalt=${{ secrets.ENCRYPTION_SALT }}" so the value is inside double quotes; single quotes have no special meaning there.

[Tyrrrz]

@copilot new error popped up so I changed the secret to not contain '. Please revert your last fix.

[Copilot]

@copilot new error popped up so I changed the secret to not contain '. Please revert your last fix.

Reverted in 18e3ec1 — the argument is back to unquoted -p:EncryptionSalt=${{ secrets.ENCRYPTION_SALT }}.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.