fix: validate encrypted token payload sizes

[saurabhhhcodes]

Summary

• closes fix : add validation for encrypted token payload lengths #442
• validates encrypted token IVs as exactly 12 bytes / 24 hex characters before AES-GCM decipher creation
• rejects encrypted payloads that are non-hex, odd-length, or shorter than the 16-byte auth tag
• adds focused node:test coverage for malformed IVs, short payloads, and valid token round-trips

Validation

• node --test test/crypto.test.js test/check-deps.test.js
• npm run type-check
• npm run lint (passes with existing warnings in BadgeSection.tsx and CommitTimeChart.tsx)
• git diff --check

Note

npm run build compiles successfully, then stops during page-data collection because local Supabase environment variables are not configured (supabaseUrl is required).

[vercel]

@saurabhhhcodes is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

• level:beginner — 20 pts
• level:intermediate — 35 pts
• level:advanced — 55 pts
• level:critical — 80 pts

Quality (optional):

• quality:clean — ×1.2 multiplier
• quality:exceptional — ×1.5 multiplier

Validation (required to score):

• gssoc:approved — counts for points
• gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

[saurabhhhcodes]

This one looks merge-ready from the checks side.

Current status I see:

• CI Type check, Lint, Build, Dependency audit are green
• Playwright smoke tests are green
• GitGuardian is green
• auto type labels already added type:bug and type:testing

For scoring before merge, could a maintainer please add gssoc:approved plus the appropriate difficulty/quality labels? Since this validates encrypted token payload boundaries and includes test coverage, I think level:intermediate + quality:clean would be reasonable if it matches your review.

[Priyanshu-byte-coder]

Merge conflict — rebase on main to resolve. Crypto validation logic is correct; once conflict is cleared this can merge immediately.

[saurabhhhcodes]

Rebased onto latest main and resolved the src/lib/crypto.ts conflict by keeping the stricter encrypted-token validation while preserving upstream's latest surrounding changes.

Validation after the merge:

• node --test test/crypto.test.js test/check-deps.test.js
• npm run type-check
• npm run lint (passes with existing non-blocking warnings in unrelated components)
• git diff --check
• npm run build compiles successfully, then still stops at page-data collection because local Supabase env is missing (supabaseUrl is required), same local env blocker as before.

This should clear the merge conflict you flagged.

[saurabhhhcodes]

Thanks for the quick review earlier. I fixed the remaining Playwright smoke failure after the rebase as well.

Root cause: the dashboard E2E token was being encoded with an explicit salt: "next-auth.session-token", but the server-side getServerSession(authOptions) path decodes the JWT with the default NextAuth key derivation. That made the test cookie undecryptable, so /dashboard redirected away and the dashboard widgets never rendered.

What changed:

• removed the extra Playwright token salt so the injected next-auth.session-token matches the app's real NextAuth decode path
• kept the production auth-bypass removal from latest main intact
• left the actual token validation fix unchanged

Validation run locally:

• npm run type-check
• npm run lint (passes with existing image/hook warnings)
• PORT=4317 PLAYWRIGHT_BASE_URL=http://127.0.0.1:4317 npm run test:e2e -- e2e/dashboard-widgets.spec.js --reporter=list -> 3 passed
• git diff --check

This should clear the remaining smoke-test blocker on the PR now.

[saurabhhhcodes]

Synced the branch with latest main again after the new workflow-only commits landed upstream. There were no code conflicts; the merge only brought in the new star-request workflow files from upstream.

Validation after sync:

• npm run type-check
• npm run lint (passes with the existing unrelated image/hook warnings)
• PORT=4317 PLAYWRIGHT_BASE_URL=http://127.0.0.1:4317 npm run test:e2e -- e2e/dashboard-widgets.spec.js --reporter=list -> 3 passed
• git diff --check

This should clear the branch-behind blocker again.

[saurabhhhcodes]

Rebase conflict has been cleared now and the PR is mergeable again.

I re-ran the focused validation after the rebase:

• node --test test/crypto.test.js test/check-deps.test.js
• npm run type-check
• npm run lint
• git diff --check

The crypto validation logic is unchanged from the version you marked as correct; only the base sync/conflict cleanup changed.

[saurabhhhcodes]

Synced with latest main again and pushed merge commit 14320ff to clear the fresh conflict in e2e/dashboard-widgets.spec.js.

Resolution note: I kept upstream's single sessionToken helper and removed the duplicate inline token encoding, so the earlier NextAuth cookie fix remains intact.

Validation after resolving:

• node --test test/crypto.test.js test/check-deps.test.js -> 12 passed
• ./node_modules/.bin/tsc --noEmit -> passed
• ./node_modules/.bin/eslint . -> passed with the existing non-blocking warnings only
• git diff --check -> passed

I also tried the focused Playwright dashboard smoke, but the local run stayed silent while next dev was running on its generated port, so I stopped that local harness instead of overstating it. The production crypto validation change is unchanged; this push only clears the base conflict.

[saurabhhhcodes]

Synced this branch with the latest main again and pushed merge commit 5b106bf so the PR is no longer behind. There were no conflicts in the token validation code.\n\nValidation after the sync:\n- node --test test/crypto.test.js test/check-deps.test.js -> 12 passed\n- ./node_modules/.bin/tsc --noEmit -> passed\n- ./node_modules/.bin/eslint . -> passed with the existing non-blocking image warnings only\n- git diff --check origin/main...HEAD -> passed\n\nThe encrypted-token payload size validation remains unchanged; this push only brings in the latest upstream changes.

[Priyanshu-byte-coder]

Missing EOF newline on test/crypto.test.js — add \n after the last line.