Skip to content

fix: validate encrypted token payload sizes #468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
saurabhhhcodes wants to merge 8 commits into
base: main
Choose a base branch
from
Open

fix: validate encrypted token payload sizes #468

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
dfd1911
fix: validate encrypted token payload sizes
saurabhhhcodes May 20, 2026
199ca80
Merge origin/main into token validation branch
saurabhhhcodes May 21, 2026
4463db9
test: align Playwright session token encoding
saurabhhhcodes May 21, 2026
ba0a275
Merge remote-tracking branch 'origin/main' into fix/token-payload-val…
saurabhhhcodes May 21, 2026
14320ff
Merge remote-tracking branch 'origin/main' into fix/token-payload-val…
saurabhhhcodes May 21, 2026
5b106bf
Merge remote-tracking branch 'origin/main' into fix/token-payload-val…
saurabhhhcodes May 22, 2026
eb4e0d9
Merge remote-tracking branch 'origin/main' into fix/token-payload-val…
saurabhhhcodes May 22, 2026
3e3fa80
test: disambiguate landing heading smoke check
saurabhhhcodes May 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion e2e/landing.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ import { expect, test } from "@playwright/test";
test("landing page renders GitHub sign-in entrypoint", async ({ page }) => {
await page.goto("/");

await expect(page.getByRole("heading", { name: "DevTrack" })).toBeVisible();
await expect(page.getByRole("heading", { name: "DevTrack", exact: true })).toBeVisible();
await expect(
page.getByRole("link", { name: "Sign in with GitHub" }),
).toHaveAttribute("href", /\/api\/auth\/signin\/github\?callbackUrl=\/dashboard/);
Expand Down
35 changes: 24 additions & 11 deletions src/lib/crypto.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ const IV_LENGTH = 12;
const AUTH_TAG_LENGTH = 16;
const KEY_ERROR_MESSAGE =
"ENCRYPTION_KEY env var must be a 32-byte hex string";
const IV_ERROR_MESSAGE =
"Encrypted token IV must be a 12-byte hex string";
const PAYLOAD_ERROR_MESSAGE =
"Encrypted token payload must include at least a 16-byte auth tag";

function getEncryptionKey(): Buffer {
const key = process.env.ENCRYPTION_KEY;
Expand All @@ -26,6 +30,24 @@ function getEncryptionKey(): Buffer {
return keyBuffer;
}

function assertFixedHex(value: string, expectedChars: number, message: string) {
if (!new RegExp(`^[0-9a-fA-F]{${expectedChars}}$`).test(value)) {
throw new Error(message);
}
}

function validateEncryptedTokenPayload(encrypted: string, iv: string) {
assertFixedHex(iv, IV_LENGTH * 2, IV_ERROR_MESSAGE);

if (
encrypted.length < AUTH_TAG_LENGTH * 2 ||
encrypted.length % 2 !== 0 ||
!/^[0-9a-fA-F]+$/.test(encrypted)
) {
throw new Error(PAYLOAD_ERROR_MESSAGE);
}
}

export function encryptToken(plaintext: string): {
encrypted: string;
iv: string;
Expand All @@ -46,22 +68,13 @@ export function encryptToken(plaintext: string): {
};
}


export function decryptToken(
encrypted: string,
iv: string
): string | null {
try {
const key = getEncryptionKey();

if (!/^[0-9a-fA-F]*$/.test(encrypted) || encrypted.length % 2 !== 0) {
throw new Error("Invalid encrypted token format");
}

if (!/^[0-9a-fA-F]*$/.test(iv) || iv.length % 2 !== 0) {
throw new Error("Invalid IV format");
}

validateEncryptedTokenPayload(encrypted, iv);
const encryptedBuffer = Buffer.from(encrypted, "hex");
const ivBuffer = Buffer.from(iv, "hex");

Expand Down Expand Up @@ -94,4 +107,4 @@ export function decryptToken(
console.error("Token decryption failed:", error);
return null;
}
}
}
61 changes: 61 additions & 0 deletions test/crypto.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
const assert = require("node:assert/strict");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const test = require("node:test");
const ts = require("typescript");

function loadCryptoModule() {
const sourcePath = path.join(__dirname, "..", "src", "lib", "crypto.ts");
const outDir = fs.mkdtempSync(path.join(os.tmpdir(), "devtrack-crypto-"));
const outPath = path.join(outDir, "crypto.cjs");
const source = fs.readFileSync(sourcePath, "utf8");
const output = ts.transpileModule(source, {
compilerOptions: {
esModuleInterop: true,
module: ts.ModuleKind.CommonJS,
target: ts.ScriptTarget.ES2020,
},
}).outputText;

fs.writeFileSync(outPath, output);
return require(outPath);
}

test("decryptToken rejects malformed IV before decipher creation", () => {
const { decryptToken } = loadCryptoModule();
process.env.ENCRYPTION_KEY = "a".repeat(64);
const originalError = console.error;
console.error = () => {};

try {
assert.equal(decryptToken("0".repeat(32), "abcd"), null);
} finally {
console.error = originalError;
}
});

test("decryptToken rejects payloads shorter than the auth tag", () => {
const { decryptToken } = loadCryptoModule();
process.env.ENCRYPTION_KEY = "b".repeat(64);
const originalError = console.error;
console.error = () => {};

try {
assert.equal(decryptToken("0".repeat(30), "1".repeat(24)), null);
} finally {
console.error = originalError;
}
});

test("decryptToken still decrypts valid encrypted tokens", () => {
const { decryptToken, encryptToken } = loadCryptoModule();
process.env.ENCRYPTION_KEY = "c".repeat(64);

const encrypted = encryptToken("github-token-123");

assert.equal(
decryptToken(encrypted.encrypted, encrypted.iv),
"github-token-123"
);
});
Loading