From b292f941861b95139898b4ea159ba460847f0af1 Mon Sep 17 00:00:00 2001 From: Nicolas Meienberger Date: Mon, 18 May 2026 22:00:21 +0200 Subject: [PATCH] refactor(crypto): reject encrypted values from another secret in sealSecret --- app/server/utils/__tests__/crypto.test.ts | 20 ++++++++++++++++++++ app/server/utils/crypto.ts | 4 ---- 2 files changed, 20 insertions(+), 4 deletions(-) create mode 100644 app/server/utils/__tests__/crypto.test.ts diff --git a/app/server/utils/__tests__/crypto.test.ts b/app/server/utils/__tests__/crypto.test.ts new file mode 100644 index 00000000..30a5e756 --- /dev/null +++ b/app/server/utils/__tests__/crypto.test.ts @@ -0,0 +1,20 @@ +import { describe, expect, test, vi } from "vitest"; + +describe("cryptoUtils", () => { + test("sealSecret rejects encrypted values that cannot be decrypted with the current app secret", async () => { + const { cryptoUtils } = await vi.importActual("../crypto"); + const invalidEncryptedValue = "encv1:00:00:00:00"; + + await expect(cryptoUtils.sealSecret(invalidEncryptedValue)).rejects.toThrow( + "You have provided an encrypted value that cannot be decrypted with the current APP_SECRET", + ); + }); + + test("sealSecret preserves encrypted values that can be decrypted with the current app secret", async () => { + const { cryptoUtils } = await vi.importActual("../crypto"); + + const encryptedValue = await cryptoUtils.sealSecret("plain secret"); + + await expect(cryptoUtils.sealSecret(encryptedValue)).resolves.toBe(encryptedValue); + }); +}); diff --git a/app/server/utils/crypto.ts b/app/server/utils/crypto.ts index a310d911..d29a4614 100644 --- a/app/server/utils/crypto.ts +++ b/app/server/utils/crypto.ts @@ -102,10 +102,6 @@ const resolveSecret = async (value: string): Promise => { * Prepares a secret value for storage. */ const sealSecret = async (value: string): Promise => { - if (isEncrypted(value)) { - return value; - } - return encrypt(value); };