fix(auth): encrypt OAuth tokens using encryption utility directly #144

Open
Ridanshi wants to merge 1 commit into Dev-Card:main from Ridanshi:fix/oauth-token-encryption

@Ridanshi Ridanshi commented May 18, 2026

Summary

auth.ts was silently storing GitHub OAuth access tokens as plaintext.

The encryption check tested (app as any).encryption, which is never
registered as a Fastify decorator, so the condition always evaluated false
and the raw token was written to the database.

connect.ts called app.encryption.encrypt() directly. Since that
property does not exist, it caused a runtime TypeError and broke the
GitHub platform connection flow.

Both routes now import and use encrypt() directly from
utils/encryption.ts, consistent with the existing pattern already used
in follow.ts.

Closes #126


Changes Made

apps/backend/src/routes/auth.ts

  • imported encrypt directly from utils/encryption.ts
  • replaced the plaintext fallback logic with direct token encryption before persistence

apps/backend/src/routes/connect.ts

  • imported encrypt directly from utils/encryption.ts
  • replaced the invalid app.encryption.encrypt() usage with direct utility-based encryption

Impact

Security

Ensures GitHub OAuth access tokens are encrypted before database persistence.

Reliability

Fixes runtime crashes in the GitHub account connection flow.

Consistency

Aligns route behavior with the existing encryption/decryption utility pattern already used in follow.ts.


Test Plan

  • Focused two-file change with no unrelated modifications
  • Verified consistency with existing encryption utility usage
  • Verify GitHub OAuth login stores encrypted values in OAuthToken.accessToken
  • Verify GitHub connect flow completes without TypeError
  • Confirm ENCRYPTION_KEY is configured correctly in environment variables

Notes

This PR intentionally keeps the implementation:

  • minimal
  • focused
  • backward compatible
  • aligned with existing repository patterns

No architectural refactors or unrelated changes were introduced.
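
The failure mode described in the summary above, shown next to the corrected pattern, as an added TypeScript example that is not code from this PR or the Dev-Card repository. The `encrypt`/`decrypt` bodies (AES-256-GCM with a `v1:` prefix), the fixed demo key, the empty `app` object and the helper names `storeBefore`, `storeAfter` and `isEncryptedAtRest` are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Stand-in for utils/encryption.ts. Assumption: AES-256-GCM; the real module is not shown on the page.
const KEY = Buffer.alloc(32, 7); // constructed demo key; real code would derive it from ENCRYPTION_KEY

function encrypt(plain: string): string {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", KEY, iv);
  const ct = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return ["v1", iv, c.getAuthTag(), ct].map((p) => (typeof p === "string" ? p : p.toString("base64"))).join(":");
}

function decrypt(blob: string): string {
  const [ver = "", iv = "", tag = "", ct = ""] = blob.split(":");
  if (ver !== "v1") throw new Error("value is not in the encrypted format");
  const d = createDecipheriv("aes-256-gcm", KEY, Buffer.from(iv, "base64"));
  d.setAuthTag(Buffer.from(tag, "base64"));
  return Buffer.concat([d.update(Buffer.from(ct, "base64")), d.final()]).toString("utf8");
}

// Hypothetical app object: like the Fastify instance in the PR, it has no `encryption` decorator.
const app = {};

// "Before" pattern: the `as any` cast hides the missing decorator from the compiler,
// the check is always false, and the raw token is what gets persisted.
function storeBefore(token: string): string {
  const enc = (app as any).encryption;
  return enc ? enc.encrypt(token) : token;
}

// "After" pattern: call the imported utility unconditionally, so no plaintext fallback exists.
function storeAfter(token: string): string {
  return encrypt(token);
}

// Check matching the test-plan item about OAuthToken.accessToken: a stored value
// passes only if it parses and its GCM tag verifies under the key.
function isEncryptedAtRest(stored: string): boolean {
  try {
    decrypt(stored);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample token, not a real credential.
console.log(isEncryptedAtRest(storeBefore("gho_constructedSample")), isEncryptedAtRest(storeAfter("gho_constructedSample")));
```

Running `isEncryptedAtRest` over existing rows is also a way to find tokens that were written in plaintext before the fix.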

@Harxhit Harxhit added the gssoc:approved label (Required label for every approved PR. Gives the base +50 points and enables contribution tracking.) May 18, 2026
@ShantKhatri ShantKhatri requested a review from Harxhit May 20, 2026 09:58
Contributor

@ShantKhatri ShantKhatri left a comment

LGTM.

@ShantKhatri
Contributor

@Ridanshi Please fix the merge conflicts.

@Ridanshi
Author

Thanks for the review. I’m currently resolving the merge conflicts in apps/backend/src/routes/auth.ts and will update the branch shortly with the latest changes from main.

auth.ts silently stored GitHub OAuth access tokens as plaintext because
the encryption check relied on a non-existent `app.encryption` Fastify
decorator - the condition always evaluated false, falling back to the raw
token. connect.ts called `app.encryption.encrypt()` directly, throwing
a TypeError at runtime and breaking the GitHub connect flow entirely.

Both routes now import `encrypt()` directly from utils/encryption.ts,
consistent with how follow.ts already imports `decrypt()` from the same module.

@Ridanshi Ridanshi force-pushed the fix/oauth-token-encryption branch from 83aae1c to f2c3273 May 20, 2026 10:31

@Ridanshi
Author

Resolved the merge conflicts by rebasing onto the latest upstream main and preserving the recent upstream auth changes alongside the OAuth token encryption fix.
Also verified:

  • encryption flow remains intact,
  • upstream redirect/state-generation changes are preserved,
  • branch is now fully up to date with upstream main.

The PR should now be mergeable.

Development

Successfully merging this pull request may close these issues.

bug: OAuth access tokens stored as plaintext due to missing encryption utility usage
