refactor(crypto): reject encrypted values from another secret in sealSecret

This commit is contained in:
Nicolas Meienberger 2026-05-18 22:00:21 +02:00
parent 66ebc249ca
commit b292f94186
No known key found for this signature in database
2 changed files with 20 additions and 4 deletions

View file

@ -0,0 +1,20 @@
import { describe, expect, test, vi } from "vitest";
describe("cryptoUtils", () => {
test("sealSecret rejects encrypted values that cannot be decrypted with the current app secret", async () => {
const { cryptoUtils } = await vi.importActual<typeof import("../crypto")>("../crypto");
const invalidEncryptedValue = "encv1:00:00:00:00";
await expect(cryptoUtils.sealSecret(invalidEncryptedValue)).rejects.toThrow(
"You have provided an encrypted value that cannot be decrypted with the current APP_SECRET",
);
});
test("sealSecret preserves encrypted values that can be decrypted with the current app secret", async () => {
const { cryptoUtils } = await vi.importActual<typeof import("../crypto")>("../crypto");
const encryptedValue = await cryptoUtils.sealSecret("plain secret");
await expect(cryptoUtils.sealSecret(encryptedValue)).resolves.toBe(encryptedValue);
});
});

View file

@ -102,10 +102,6 @@ const resolveSecret = async (value: string): Promise<string> => {
* Prepares a secret value for storage.
*/
const sealSecret = async (value: string): Promise<string> => {
if (isEncrypted(value)) {
return value;
}
return encrypt(value);
};