Skip to content

fix(auth): encrypt OAuth tokens using encryption utility directly#144

Open
Ridanshi wants to merge 1 commit into
Dev-Card:mainfrom
Ridanshi:fix/oauth-token-encryption
Open

fix(auth): encrypt OAuth tokens using encryption utility directly#144
Ridanshi wants to merge 1 commit into
Dev-Card:mainfrom
Ridanshi:fix/oauth-token-encryption

Conversation

@Ridanshi
Copy link
Copy Markdown

@Ridanshi Ridanshi commented May 18, 2026
edited
Loading

Summary

auth.ts was silently storing GitHub OAuth access tokens as plaintext.

The encryption check tested (app as any).encryption, which is never
registered as a Fastify decorator, so the condition always evaluated false
and the raw token was written to the database.

connect.ts called app.encryption.encrypt() directly. Since that
property does not exist, it caused a runtime TypeError and broke the
GitHub platform connection flow.

Both routes now import and use encrypt() directly from
utils/encryption.ts, consistent with the existing pattern already used
in follow.ts.

Closes #126

Changes Made

apps/backend/src/routes/auth.ts

  • imported encrypt directly from utils/encryption.ts
  • replaced the plaintext fallback logic with direct token encryption before persistence

apps/backend/src/routes/connect.ts

  • imported encrypt directly from utils/encryption.ts
  • replaced the invalid app.encryption.encrypt() usage with direct utility-based encryption

Impact

Security

Ensures GitHub OAuth access tokens are encrypted before database persistence.

Reliability

Fixes runtime crashes in the GitHub account connection flow.

Consistency

Aligns route behavior with the existing encryption/decryption utility pattern already used in follow.ts.

Test Plan

  • Focused two-file change with no unrelated modifications
  • Verified consistency with existing encryption utility usage
  • Verify GitHub OAuth login stores encrypted values in OAuthToken.accessToken
  • Verify GitHub connect flow completes without TypeError
  • Confirm ENCRYPTION_KEY is configured correctly in environment variables

Notes

This PR intentionally keeps the implementation:

  • minimal
  • focused
  • backward compatible
  • aligned with existing repository patterns

No architectural refactors or unrelated changes were introduced.

@Ridanshi
fix(auth): encrypt OAuth tokens using encryption utility directly
83aae1c 
auth.ts silently stored GitHub OAuth access tokens as plaintext because
the encryption check relied on a non-existent `app.encryption` Fastify
decorator - the condition always evaluated false, falling back to the raw
token. connect.ts called `app.encryption.encrypt()` directly, throwing
a TypeError at runtime and breaking the GitHub connect flow entirely.

Both routes now import `encrypt()` directly from utils/encryption.ts,
consistent with how follow.ts already imports `decrypt()` from the same module.
@Harxhit Harxhit added the gssoc:approved Required label for every approved PR. Gives the base +50 points and enables contribution tracking. label May 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

gssoc:approved Required label for every approved PR. Gives the base +50 points and enables contribution tracking.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: OAuth access tokens stored as plaintext due to missing encryption utility usage

2 participants

@Ridanshi @Harxhit