chore(payment): mark legacy AES ciphertext fallback as deprecated
明文 JSON 已经是新写入的默认格式;保留 AES 密文读取仅为兼容迁移期间的旧 记录,一旦所有部署通过管理后台重存过一次即可删除。标记为 deprecated 并加 TODO,几个版本后统一清理掉:payment.Encrypt / payment.Decrypt、两处 decryptConfig 的 AES 分支、PaymentConfigService.encryptionKey 和 DefaultLoadBalancer.encryptionKey 字段。
This commit is contained in:
erio
@@ -16,6 +16,11 @@ const AES256KeySize = 32
|
|||||||
// Encrypt encrypts plaintext using AES-256-GCM with the given 32-byte key.
|
// Encrypt encrypts plaintext using AES-256-GCM with the given 32-byte key.
|
||||||
// The output format is "iv:authTag:ciphertext" where each component is base64-encoded,
|
// The output format is "iv:authTag:ciphertext" where each component is base64-encoded,
|
||||||
// matching the Node.js crypto.ts format for cross-compatibility.
|
// matching the Node.js crypto.ts format for cross-compatibility.
|
||||||
|
//
|
||||||
|
// Deprecated: payment provider configs are now stored as plaintext JSON.
|
||||||
|
// This function is kept only for seeding legacy ciphertext in tests and for
|
||||||
|
// the transitional Decrypt fallback. Scheduled for removal after all live
|
||||||
|
// deployments complete migration by re-saving their configs.
|
||||||
func Encrypt(plaintext string, key []byte) (string, error) {
|
func Encrypt(plaintext string, key []byte) (string, error) {
|
||||||
if len(key) != AES256KeySize {
|
if len(key) != AES256KeySize {
|
||||||
return "", fmt.Errorf("encryption key must be %d bytes, got %d", AES256KeySize, len(key))
|
return "", fmt.Errorf("encryption key must be %d bytes, got %d", AES256KeySize, len(key))
|
||||||
@@ -54,6 +59,11 @@ func Encrypt(plaintext string, key []byte) (string, error) {
|
|||||||
|
|
||||||
// Decrypt decrypts a ciphertext string produced by Encrypt.
|
// Decrypt decrypts a ciphertext string produced by Encrypt.
|
||||||
// The input format is "iv:authTag:ciphertext" where each component is base64-encoded.
|
// The input format is "iv:authTag:ciphertext" where each component is base64-encoded.
|
||||||
|
//
|
||||||
|
// Deprecated: payment provider configs are now stored as plaintext JSON.
|
||||||
|
// This function remains only as a read-path fallback for pre-migration
|
||||||
|
// ciphertext records. Scheduled for removal once all deployments re-save
|
||||||
|
// their provider configs through the admin UI.
|
||||||
func Decrypt(ciphertext string, key []byte) (string, error) {
|
func Decrypt(ciphertext string, key []byte) (string, error) {
|
||||||
if len(key) != AES256KeySize {
|
if len(key) != AES256KeySize {
|
||||||
return "", fmt.Errorf("encryption key must be %d bytes, got %d", AES256KeySize, len(key))
|
return "", fmt.Errorf("encryption key must be %d bytes, got %d", AES256KeySize, len(key))
|
||||||
|
|||||||
@@ -283,6 +283,11 @@ func (lb *DefaultLoadBalancer) buildSelection(selected *dbent.PaymentProviderIns
|
|||||||
// Unreadable values (legacy ciphertext without a valid key, or malformed data)
|
// Unreadable values (legacy ciphertext without a valid key, or malformed data)
|
||||||
// are treated as empty so the service keeps running while the admin re-enters
|
// are treated as empty so the service keeps running while the admin re-enters
|
||||||
// the config via the UI.
|
// the config via the UI.
|
||||||
|
//
|
||||||
|
// TODO(deprecated-legacy-ciphertext): The AES fallback branch below is a
|
||||||
|
// transitional compatibility shim for pre-plaintext records. Remove it (and
|
||||||
|
// the encryptionKey field + the Decrypt import) after a few releases once all
|
||||||
|
// live deployments have re-saved their provider configs through the UI.
|
||||||
func (lb *DefaultLoadBalancer) decryptConfig(stored string) (map[string]string, error) {
|
func (lb *DefaultLoadBalancer) decryptConfig(stored string) (map[string]string, error) {
|
||||||
if stored == "" {
|
if stored == "" {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
@@ -291,7 +296,9 @@ func (lb *DefaultLoadBalancer) decryptConfig(stored string) (map[string]string,
|
|||||||
if err := json.Unmarshal([]byte(stored), &config); err == nil {
|
if err := json.Unmarshal([]byte(stored), &config); err == nil {
|
||||||
return config, nil
|
return config, nil
|
||||||
}
|
}
|
||||||
|
// Deprecated: legacy AES-256-GCM ciphertext fallback — scheduled for removal.
|
||||||
if len(lb.encryptionKey) == AES256KeySize {
|
if len(lb.encryptionKey) == AES256KeySize {
|
||||||
|
//nolint:staticcheck // SA1019: intentional legacy fallback, scheduled for removal
|
||||||
if plaintext, err := Decrypt(stored, lb.encryptionKey); err == nil {
|
if plaintext, err := Decrypt(stored, lb.encryptionKey); err == nil {
|
||||||
if err := json.Unmarshal([]byte(plaintext), &config); err == nil {
|
if err := json.Unmarshal([]byte(plaintext), &config); err == nil {
|
||||||
return config, nil
|
return config, nil
|
||||||
|
|||||||
@@ -296,6 +296,10 @@ func (s *PaymentConfigService) mergeConfig(ctx context.Context, id int64, newCon
|
|||||||
// ("iv:authTag:ciphertext"). Values that cannot be parsed as either — including
|
// ("iv:authTag:ciphertext"). Values that cannot be parsed as either — including
|
||||||
// legacy ciphertext with no/invalid TOTP_ENCRYPTION_KEY — are treated as empty,
|
// legacy ciphertext with no/invalid TOTP_ENCRYPTION_KEY — are treated as empty,
|
||||||
// letting the admin re-enter the config via the UI to complete the migration.
|
// letting the admin re-enter the config via the UI to complete the migration.
|
||||||
|
//
|
||||||
|
// TODO(deprecated-legacy-ciphertext): The AES fallback branch is a transitional
|
||||||
|
// shim for pre-plaintext records. Remove it (and the encryptionKey field) after
|
||||||
|
// a few releases once all live deployments have re-saved their provider configs.
|
||||||
func (s *PaymentConfigService) decryptConfig(stored string) (map[string]string, error) {
|
func (s *PaymentConfigService) decryptConfig(stored string) (map[string]string, error) {
|
||||||
if stored == "" {
|
if stored == "" {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
@@ -304,7 +308,9 @@ func (s *PaymentConfigService) decryptConfig(stored string) (map[string]string,
|
|||||||
if err := json.Unmarshal([]byte(stored), &cfg); err == nil {
|
if err := json.Unmarshal([]byte(stored), &cfg); err == nil {
|
||||||
return cfg, nil
|
return cfg, nil
|
||||||
}
|
}
|
||||||
|
// Deprecated: legacy AES-256-GCM ciphertext fallback — scheduled for removal.
|
||||||
if len(s.encryptionKey) == payment.AES256KeySize {
|
if len(s.encryptionKey) == payment.AES256KeySize {
|
||||||
|
//nolint:staticcheck // SA1019: intentional legacy fallback, scheduled for removal
|
||||||
if plaintext, err := payment.Decrypt(stored, s.encryptionKey); err == nil {
|
if plaintext, err := payment.Decrypt(stored, s.encryptionKey); err == nil {
|
||||||
if err := json.Unmarshal([]byte(plaintext), &cfg); err == nil {
|
if err := json.Unmarshal([]byte(plaintext), &cfg); err == nil {
|
||||||
return cfg, nil
|
return cfg, nil
|
||||||
|
|||||||
Reference in New Issue
Block a user