feat: Migrate PreferencesManager to DataStore with Encrypted Storage (#477)

* feat: Migrate PreferencesManager to DataStore with Encrypted Storage

* fix: according to PR review

Author: PavloNetrebchuk

app/build.gradle

@@ -133,6 +133,7 @@ dependencies {
     ksp "androidx.room:room-compiler:$room_version"
 
     implementation "androidx.core:core-splashscreen:$core_splashscreen_version"
+    implementation "androidx.datastore:datastore-preferences:1.2.0"
 
     api platform("com.google.firebase:firebase-bom:$firebase_version")
     api "com.google.firebase:firebase-messaging"

app/src/main/java/org/openedx/app/data/storage/DataStoreEncryption.kt

@@ -0,0 +1,86 @@
+package org.openedx.app.data.storage
+
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+import android.util.Base64
+import android.util.Log
+import java.security.KeyStore
+import javax.crypto.Cipher
+import javax.crypto.KeyGenerator
+import javax.crypto.SecretKey
+import javax.crypto.spec.GCMParameterSpec
+
+class DataStoreEncryption {
+
+    private companion object {
+        const val TAG = "DataStoreEncryption"
+        const val ANDROID_KEYSTORE = "AndroidKeyStore"
+        const val KEY_ALIAS = "openedx_datastore_key"
+        const val TRANSFORMATION = "AES/GCM/NoPadding"
+        const val GCM_IV_LENGTH = 12
+        const val GCM_TAG_LENGTH = 16
+        const val GCM_TAG_LENGTH_BITS = GCM_TAG_LENGTH * 8
+        const val KEY_SIZE = 256
+    }
+
+    private val keyStore: KeyStore = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
+
+    private fun getOrCreateSecretKey(): SecretKey {
+        keyStore.getEntry(KEY_ALIAS, null)?.let { entry ->
+            return (entry as KeyStore.SecretKeyEntry).secretKey
+        }
+
+        val keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES,
+            ANDROID_KEYSTORE
+        )
+
+        val keyGenParameterSpec = KeyGenParameterSpec.Builder(
+            KEY_ALIAS,
+            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
+        )
+            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+            .setKeySize(KEY_SIZE)
+            .build()
+
+        keyGenerator.init(keyGenParameterSpec)
+        return keyGenerator.generateKey()
+    }
+
+    fun encrypt(plainText: String): String {
+        if (plainText.isEmpty()) return ""
+
+        val cipher = Cipher.getInstance(TRANSFORMATION)
+        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateSecretKey())
+
+        val iv = cipher.iv
+        val encryptedBytes = cipher.doFinal(plainText.toByteArray(Charsets.UTF_8))
+
+        val combined = ByteArray(iv.size + encryptedBytes.size)
+        System.arraycopy(iv, 0, combined, 0, iv.size)
+        System.arraycopy(encryptedBytes, 0, combined, iv.size, encryptedBytes.size)
+
+        return Base64.encodeToString(combined, Base64.NO_WRAP)
+    }
+
+    fun decrypt(encryptedText: String): String {
+        if (encryptedText.isEmpty()) return ""
+
+        return try {
+            val combined = Base64.decode(encryptedText, Base64.NO_WRAP)
+
+            val iv = combined.copyOfRange(0, GCM_IV_LENGTH)
+            val encryptedBytes = combined.copyOfRange(GCM_IV_LENGTH, combined.size)
+
+            val cipher = Cipher.getInstance(TRANSFORMATION)
+            val spec = GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv)
+            cipher.init(Cipher.DECRYPT_MODE, getOrCreateSecretKey(), spec)
+
+            String(cipher.doFinal(encryptedBytes), Charsets.UTF_8)
+        } catch (e: Exception) {
+            Log.e(TAG, "Decryption failed", e)
+            ""
+        }
+    }
+}