refactor(crypto): reject encrypted values from another secret in sealSecret
This commit is contained in:
parent
66ebc249ca
commit
b292f94186
2 changed files with 20 additions and 4 deletions
20
app/server/utils/__tests__/crypto.test.ts
Normal file
20
app/server/utils/__tests__/crypto.test.ts
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
import { describe, expect, test, vi } from "vitest";
|
||||
|
||||
describe("cryptoUtils", () => {
|
||||
test("sealSecret rejects encrypted values that cannot be decrypted with the current app secret", async () => {
|
||||
const { cryptoUtils } = await vi.importActual<typeof import("../crypto")>("../crypto");
|
||||
const invalidEncryptedValue = "encv1:00:00:00:00";
|
||||
|
||||
await expect(cryptoUtils.sealSecret(invalidEncryptedValue)).rejects.toThrow(
|
||||
"You have provided an encrypted value that cannot be decrypted with the current APP_SECRET",
|
||||
);
|
||||
});
|
||||
|
||||
test("sealSecret preserves encrypted values that can be decrypted with the current app secret", async () => {
|
||||
const { cryptoUtils } = await vi.importActual<typeof import("../crypto")>("../crypto");
|
||||
|
||||
const encryptedValue = await cryptoUtils.sealSecret("plain secret");
|
||||
|
||||
await expect(cryptoUtils.sealSecret(encryptedValue)).resolves.toBe(encryptedValue);
|
||||
});
|
||||
});
|
||||
|
|
@ -102,10 +102,6 @@ const resolveSecret = async (value: string): Promise<string> => {
|
|||
* Prepares a secret value for storage.
|
||||
*/
|
||||
const sealSecret = async (value: string): Promise<string> => {
|
||||
if (isEncrypted(value)) {
|
||||
return value;
|
||||
}
|
||||
|
||||
return encrypt(value);
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue