fix(review): harden payment, oauth, and migration paths

2026-04-22 10:26:22 +08:00
parent 7fbd5177c2
commit c229f33e9e
33 changed files with 704 additions and 79 deletions
--- a/backend/internal/payment/wire.go
+++ b/backend/internal/payment/wire.go
@@ -4,6 +4,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"log/slog"
+	"strings"

 	dbent "github.com/Wei-Shaw/sub2api/ent"
 	"github.com/Wei-Shaw/sub2api/internal/config"
@@ -19,11 +20,22 @@ type EncryptionKey []byte
 // When the key is non-empty but invalid (bad hex or wrong length), an error is returned
 // to prevent startup with a misconfigured encryption key.
 func ProvideEncryptionKey(cfg *config.Config) (EncryptionKey, error) {
-	if cfg.Totp.EncryptionKey == "" {
+	if cfg == nil {
+		slog.Warn("payment encryption key not configured — encrypted payment config and resume signing will be unavailable")
+		return nil, nil
+	}
+	keyHex := strings.TrimSpace(cfg.Totp.EncryptionKey)
+	if keyHex == "" {
 		slog.Warn("payment encryption key not configured — encrypted payment config will be unavailable")
 		return nil, nil
 	}
-	key, err := hex.DecodeString(cfg.Totp.EncryptionKey)
+	// Reject auto-generated TOTP keys for payment signing.
+	// They change across restarts/instances and can silently break resume-token flows.
+	if !cfg.Totp.EncryptionKeyConfigured {
+		slog.Warn("payment encryption/signing key is not explicitly configured; set TOTP_ENCRYPTION_KEY to enable payment resume tokens")
+		return nil, nil
+	}
+	key, err := hex.DecodeString(keyHex)
 	if err != nil {
 		return nil, fmt.Errorf("invalid payment encryption key (hex decode): %w", err)
 	}