fix: remove SUPABASE_SECRET_KEY fallback from encryptionKey()#107
Closed
bmersereau wants to merge 3 commits into
Closed
fix: remove SUPABASE_SECRET_KEY fallback from encryptionKey()#107bmersereau wants to merge 3 commits into
bmersereau wants to merge 3 commits into
Conversation
bmersereau
commented
May 13, 2026
bmersereau
left a comment
bmersereau
left a comment
Author
There was a problem hiding this comment.
PR Review
Summary
Removes the SUPABASE_SECRET_KEY fallback from encryptionKey() in userApiKeys.ts, closing a secret-isolation vulnerability where the JWT verification key could silently double as the AES-256-GCM encryption key when USER_API_KEYS_ENCRYPTION_SECRET was not set. The fix is correct and the test suite explicitly verifies the removal. vi.mock is correctly hoisted at module top-level (not inside describe/it).
Findings
- [severity:low]
vi.resetModules()inbeforeEachre-instantiates the module under test on each dynamicimport(), which is correct. However,vi.resetModules()combined with a top-levelvi.mockdepends on Vitest's mock-registry persistence across module resets — this currently works as expected (tests pass), but it's a subtle interaction worth noting in a comment so future maintainers don't remove the top-levelvi.mock. - [severity:nit]
beforeEachcleansUSER_API_KEYS_ENCRYPTION_SECRET,API_KEYS_ENCRYPTION_SECRET, andSUPABASE_SECRET_KEYfrom the environment. There is no correspondingafterEachto restore them. If env vars were set in CI before this test runs, thebeforeEachdelete may interfere with subsequent test files. Low risk sinceisolate: trueis set, but worth addingafterEachcleanup for hygiene. - [severity:nit] The
API_KEYS_ENCRYPTION_SECRETfallback is retained (onlySUPABASE_SECRET_KEYis removed). IfAPI_KEYS_ENCRYPTION_SECRETis a deprecated alias forUSER_API_KEYS_ENCRYPTION_SECRET, a comment or deprecation notice would help operators know which to use.
Verdict
Approve with nits
What I verified
- Tests: pass (3/3)
- vitest.config.ts has
includefilter: pass ("src/**/__tests__/**/*.test.ts") - package.json has
"test": "vitest run": pass vi.mockis at module top-level (not insidedescribe/it): passSUPABASE_SECRET_KEYremoved from fallback chain inuserApiKeys.ts: pass- Test explicitly covers SUPABASE_SECRET_KEY-only case now throwing: pass
bmersereau
commented
May 13, 2026
bmersereau
left a comment
bmersereau
left a comment
Author
There was a problem hiding this comment.
PR Review
Summary
Removes SUPABASE_SECRET_KEY from the encryptionKey() fallback chain in userApiKeys.ts. Three tests verify the SUPABASE_SECRET_KEY fallback is gone and that a dedicated secret is required. vi.mock is correctly hoisted to module top-level (issue #118 resolved).
Findings
- [severity:praise]
vi.mockat module top-level, beforedescribe— hoisting semantics correct ✓ - [severity:praise]
API_KEYS_ENCRYPTION_SECRETalias retained for backward-compat with existing deployments that set the old name - [severity:nit] Test name
"throws when only SUPABASE_SECRET_KEY is set (fallback removed)"is slightly verbose but clear
Specific checks
-
"test": "vitest run"in package.json ✓ -
vitest.config.tsinclude filter present ✓ -
vi.mockis top-level ✓ (issue #118) - Tests pass: 3/3 ✓
Verdict
Approve — clean.
Owner
|
Thanks Beau, this has been fixed in a more targeted PR #137 without the test script |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
process.env.SUPABASE_SECRET_KEYfrom the fallback chain inencryptionKey()inbackend/src/lib/userApiKeys.tsUSER_API_KEYS_ENCRYPTION_SECRET(or its aliasAPI_KEYS_ENCRYPTION_SECRET) is now required; the function throws if neither is setCloses #98
Closes #114
Closes #117
Closes #118
Changes
backend/src/lib/userApiKeys.ts— removeSUPABASE_SECRET_KEYfrom encryptionKey() fallback chainbackend/src/lib/__tests__/encryptionKey.test.ts— tests that SUPABASE_SECRET_KEY fallback is gone and dedicated secret is required;vi.mockhoisted to module top-levelbackend/package.json/backend/package-lock.json— addvitestdev dependency and"test": "vitest run"scriptbackend/vitest.config.ts— include filter scoping tests tosrc/to exclude compileddist/artifactsTest plan