chore(payment): mark legacy AES ciphertext fallback as deprecated
明文 JSON 已经是新写入的默认格式;保留 AES 密文读取仅为兼容迁移期间的旧 记录,一旦所有部署通过管理后台重存过一次即可删除。标记为 deprecated 并加 TODO,几个版本后统一清理掉:payment.Encrypt / payment.Decrypt、两处 decryptConfig 的 AES 分支、PaymentConfigService.encryptionKey 和 DefaultLoadBalancer.encryptionKey 字段。
This commit is contained in:
erio
@@ -16,6 +16,11 @@ const AES256KeySize = 32
|
||||
// Encrypt encrypts plaintext using AES-256-GCM with the given 32-byte key.
|
||||
// The output format is "iv:authTag:ciphertext" where each component is base64-encoded,
|
||||
// matching the Node.js crypto.ts format for cross-compatibility.
|
||||
//
|
||||
// Deprecated: payment provider configs are now stored as plaintext JSON.
|
||||
// This function is kept only for seeding legacy ciphertext in tests and for
|
||||
// the transitional Decrypt fallback. Scheduled for removal after all live
|
||||
// deployments complete migration by re-saving their configs.
|
||||
func Encrypt(plaintext string, key []byte) (string, error) {
|
||||
if len(key) != AES256KeySize {
|
||||
return "", fmt.Errorf("encryption key must be %d bytes, got %d", AES256KeySize, len(key))
|
||||
@@ -54,6 +59,11 @@ func Encrypt(plaintext string, key []byte) (string, error) {
|
||||
|
||||
// Decrypt decrypts a ciphertext string produced by Encrypt.
|
||||
// The input format is "iv:authTag:ciphertext" where each component is base64-encoded.
|
||||
//
|
||||
// Deprecated: payment provider configs are now stored as plaintext JSON.
|
||||
// This function remains only as a read-path fallback for pre-migration
|
||||
// ciphertext records. Scheduled for removal once all deployments re-save
|
||||
// their provider configs through the admin UI.
|
||||
func Decrypt(ciphertext string, key []byte) (string, error) {
|
||||
if len(key) != AES256KeySize {
|
||||
return "", fmt.Errorf("encryption key must be %d bytes, got %d", AES256KeySize, len(key))
|
||||
|
||||
@@ -283,6 +283,11 @@ func (lb *DefaultLoadBalancer) buildSelection(selected *dbent.PaymentProviderIns
|
||||
// Unreadable values (legacy ciphertext without a valid key, or malformed data)
|
||||
// are treated as empty so the service keeps running while the admin re-enters
|
||||
// the config via the UI.
|
||||
//
|
||||
// TODO(deprecated-legacy-ciphertext): The AES fallback branch below is a
|
||||
// transitional compatibility shim for pre-plaintext records. Remove it (and
|
||||
// the encryptionKey field + the Decrypt import) after a few releases once all
|
||||
// live deployments have re-saved their provider configs through the UI.
|
||||
func (lb *DefaultLoadBalancer) decryptConfig(stored string) (map[string]string, error) {
|
||||
if stored == "" {
|
||||
return nil, nil
|
||||
@@ -291,7 +296,9 @@ func (lb *DefaultLoadBalancer) decryptConfig(stored string) (map[string]string,
|
||||
if err := json.Unmarshal([]byte(stored), &config); err == nil {
|
||||
return config, nil
|
||||
}
|
||||
// Deprecated: legacy AES-256-GCM ciphertext fallback — scheduled for removal.
|
||||
if len(lb.encryptionKey) == AES256KeySize {
|
||||
//nolint:staticcheck // SA1019: intentional legacy fallback, scheduled for removal
|
||||
if plaintext, err := Decrypt(stored, lb.encryptionKey); err == nil {
|
||||
if err := json.Unmarshal([]byte(plaintext), &config); err == nil {
|
||||
return config, nil
|
||||
|
||||
Reference in New Issue
Block a user