chore(pagination): improve encryption key handling (#870)

zepatrik · web-flow · commit 40e467825ea5 · 2025-06-25T17:41:26.000+02:00
diff --git a/pagination/keysetpagination_v2/page_token.go b/pagination/keysetpagination_v2/page_token.go
@@ -29,8 +29,16 @@ type (
 	}
 )
 
-func (t PageToken) Columns() []Column            { return t.cols }
-func (t PageToken) Encrypt(key *[32]byte) string { return hyrumtoken.Marshal(key, t) }
+func (t PageToken) Columns() []Column { return t.cols }
+
+// Encrypt encrypts the page token using the first key in the provided keyset.
+// It panics if no keys are provided.
+func (t PageToken) Encrypt(keys [][32]byte) string {
+	if len(keys) == 0 {
+		panic("keyset pagination: cannot encrypt page token with no keys")
+	}
+	return hyrumtoken.Marshal(&keys[0], t)
+}
 
 func (t PageToken) MarshalJSON() ([]byte, error) {
 	now := time.Now
diff --git a/pagination/keysetpagination_v2/page_token_test.go b/pagination/keysetpagination_v2/page_token_test.go
@@ -39,3 +39,26 @@ func TestPageToken(t *testing.T) {
 		assert.ErrorIs(t, decodedToken.UnmarshalJSON(raw), ErrPageTokenExpired)
 	})
 }
+
+func TestPageToken_Encrypt(t *testing.T) {
+	t.Parallel()
+
+	keys := [][32]byte{{1, 2, 3}, {4, 5, 6}}
+	token := NewPageToken(Column{Name: "id", Value: "token"})
+
+	t.Run("encrypts with the first key", func(t *testing.T) {
+		encrypted := token.Encrypt(keys)
+
+		decrypted, err := ParsePageToken(keys[:1], encrypted)
+		require.NoError(t, err)
+		assert.Equal(t, token, decrypted)
+
+		_, err = ParsePageToken(keys[1:], encrypted)
+		assert.ErrorContains(t, err, "decrypt token")
+	})
+
+	t.Run("panics with no keys", func(t *testing.T) {
+		assert.PanicsWithValue(t, "keyset pagination: cannot encrypt page token with no keys", func() { token.Encrypt(nil) })
+		assert.PanicsWithValue(t, "keyset pagination: cannot encrypt page token with no keys", func() { token.Encrypt([][32]byte{}) })
+	})
+}
diff --git a/pagination/keysetpagination_v2/parse_header_test.go b/pagination/keysetpagination_v2/parse_header_test.go
@@ -18,14 +18,13 @@ func TestParseHeader(t *testing.T) {
 
 	u, err := url.Parse("https://www.ory.sh/")
 	require.NoError(t, err)
-	key := [32]byte{1, 2, 3}
-	keys := [][32]byte{key}
+	keys := [][32]byte{{1, 2, 3}}
 	defaultToken, nextToken := NewPageToken(Column{Name: "id", Value: "default"}), NewPageToken(Column{Name: "id", Value: "next"})
 
 	t.Run("has next page", func(t *testing.T) {
 		p := NewPaginator(WithSize(2), WithDefaultToken(defaultToken), WithToken(nextToken))
 		r := httptest.NewRecorder()
-		SetLinkHeader(r, &key, u, p)
+		SetLinkHeader(r, keys, u, p)
 
 		first, next, isLast := ParseHeader(&http.Response{Header: r.Header()})
 		require.NotEqual(t, first, next, r.Header())
@@ -43,7 +42,7 @@ func TestParseHeader(t *testing.T) {
 	t.Run("is last page", func(t *testing.T) {
 		p := NewPaginator(WithSize(2), WithDefaultToken(defaultToken), WithToken(nextToken), withIsLast(true))
 		r := httptest.NewRecorder()
-		SetLinkHeader(r, &key, u, p)
+		SetLinkHeader(r, keys, u, p)
 
 		first, next, isLast := ParseHeader(&http.Response{Header: r.Header()})
 		assert.Empty(t, next, r.Header())
diff --git a/pagination/keysetpagination_v2/request_params.go b/pagination/keysetpagination_v2/request_params.go
@@ -68,11 +68,11 @@ type ResponseHeaders struct {
 
 // SetLinkHeader adds the Link header for the page encoded by the paginator.
 // It contains links to the first and next page, if one exists.
-func SetLinkHeader(w http.ResponseWriter, key *[32]byte, u *url.URL, p *Paginator) {
+func SetLinkHeader(w http.ResponseWriter, keys [][32]byte, u *url.URL, p *Paginator) {
 	size := p.Size()
-	link := []string{linkPart(u, "first", p.DefaultToken().Encrypt(key), size)}
+	link := []string{linkPart(u, "first", p.DefaultToken().Encrypt(keys), size)}
 	if !p.isLast {
-		link = append(link, linkPart(u, "next", p.PageToken().Encrypt(key), size))
+		link = append(link, linkPart(u, "next", p.PageToken().Encrypt(keys), size))
 	}
 	w.Header().Set("Link", strings.Join(link, ","))
 }
@@ -109,9 +109,14 @@ func ParseQueryParams(keys [][32]byte, q url.Values) ([]Option, error) {
 	return opts, nil
 }
 
+// ParsePageToken parses a page token from the given raw string using the provided keys.
+// It panics if no keys are provided.
 func ParsePageToken(keys [][32]byte, raw string) (t PageToken, err error) {
-	for _, key := range keys {
-		err = errors.WithStack(hyrumtoken.Unmarshal(&key, raw, &t))
+	if len(keys) == 0 {
+		panic("keysetpagination: cannot parse page token with no keys")
+	}
+	for i := range keys {
+		err = errors.WithStack(hyrumtoken.Unmarshal(&keys[i], raw, &t))
 		if err == nil {
 			return
 		}
diff --git a/pagination/keysetpagination_v2/request_params_test.go b/pagination/keysetpagination_v2/request_params_test.go
@@ -17,7 +17,7 @@ import (
 func TestSetLinkHeader(t *testing.T) {
 	t.Parallel()
 
-	key := [32]byte{1, 2, 3}
+	keys := [][32]byte{{1, 2, 3}}
 	defaultToken, nextToken := NewPageToken(Column{Name: "id", Value: "default"}), NewPageToken(Column{Name: "id", Value: "next"})
 	opts := []Option{WithSize(2), WithDefaultToken(defaultToken), WithToken(nextToken)}
 
@@ -30,7 +30,7 @@ func TestSetLinkHeader(t *testing.T) {
 		assert.Equal(t, "https", u.Scheme)
 		assert.Equal(t, "ory.sh", u.Host)
 		raw := u.Query().Get("page_token")
-		token, err := ParsePageToken([][32]byte{key}, raw)
+		token, err := ParsePageToken(keys, raw)
 		require.NoError(t, err)
 		return token
 	}
@@ -39,7 +39,7 @@ func TestSetLinkHeader(t *testing.T) {
 		r := httptest.NewRecorder()
 		p := NewPaginator(opts...)
 
-		SetLinkHeader(r, &key, u, p)
+		SetLinkHeader(r, keys, u, p)
 
 		assert.Len(t, r.Result().Header.Values("link"), 1, "make sure we send one header with multiple comma-separated values rather than multiple headers")
 		links := link.ParseResponse(r.Result())
@@ -55,7 +55,7 @@ func TestSetLinkHeader(t *testing.T) {
 		r := httptest.NewRecorder()
 		p := NewPaginator(append(opts, withIsLast(true))...)
 
-		SetLinkHeader(r, &key, u, p)
+		SetLinkHeader(r, keys, u, p)
 
 		assert.Len(t, r.Result().Header.Values("link"), 1, "make sure we send one header with multiple comma-separated values rather than multiple headers")
 		links := link.ParseResponse(r.Result())
@@ -73,20 +73,23 @@ func TestParsePageToken(t *testing.T) {
 	keys := [][32]byte{{1, 2, 3}, {4, 5, 6}}
 
 	expectedToken := NewPageToken(Column{Name: "id", Value: "token"}, Column{Name: "name", Order: OrderDescending, Value: "test"})
+	encryptedToken := expectedToken.Encrypt(keys)
 
 	t.Run("with valid key", func(t *testing.T) {
-		for i, key := range keys {
-			encoded := expectedToken.Encrypt(&key)
-			token, err := ParsePageToken(keys, encoded)
-			require.NoErrorf(t, err, "%d", i)
-			assert.Equal(t, expectedToken, token)
-		}
+		token, err := ParsePageToken(keys, encryptedToken)
+		require.NoError(t, err)
+		assert.Equal(t, expectedToken, token)
+	})
+
+	t.Run("with rotated key", func(t *testing.T) {
+		encryptedToken := expectedToken.Encrypt(keys[1:])
+		token, err := ParsePageToken(keys, encryptedToken)
+		require.NoError(t, err)
+		assert.Equal(t, expectedToken, token)
 	})
 
 	t.Run("with invalid key", func(t *testing.T) {
-		invalidKey := [32]byte{7, 8, 9}
-		encoded := expectedToken.Encrypt(&invalidKey)
-		token, err := ParsePageToken(keys, encoded)
+		token, err := ParsePageToken([][32]byte{{7, 8, 9}}, encryptedToken)
 		require.ErrorContains(t, err, "decrypt token")
 		assert.Zero(t, token)
 	})
@@ -98,7 +101,7 @@ func TestParse(t *testing.T) {
 	keys := [][32]byte{{1, 2, 3}}
 	token := NewPageToken(Column{Name: "id", Value: "token"}, Column{Name: "name", Order: OrderDescending, Value: "test"})
 	defaultToken := NewPageToken(Column{Name: "id", Value: "default"}, Column{Name: "name", Order: OrderDescending, Value: "default name"})
-	encodedToken := token.Encrypt(&keys[0])
+	encryptedToken := token.Encrypt(keys)
 
 	for _, tc := range []struct {
 		name          string
@@ -114,7 +117,7 @@ func TestParse(t *testing.T) {
 		},
 		{
 			name:          "with page token",
-			q:             url.Values{"page_token": {encodedToken}},
+			q:             url.Values{"page_token": {encryptedToken}},
 			expectedSize:  DefaultSize,
 			expectedToken: token,
 		},
@@ -126,7 +129,7 @@ func TestParse(t *testing.T) {
 		},
 		{
 			name:          "with page size and page token",
-			q:             url.Values{"page_size": {"123"}, "page_token": {encodedToken}},
+			q:             url.Values{"page_size": {"123"}, "page_token": {encryptedToken}},
 			expectedSize:  123,
 			expectedToken: token,
 		},
@@ -158,7 +161,7 @@ func TestParse(t *testing.T) {
 		assert.Equal(t, defaultToken, paginator.PageToken())
 		assert.Equal(t, DefaultSize, paginator.Size())
 
-		opts, err = ParseQueryParams(keys, url.Values{"page_token": {"", encodedToken, ""}, "page_size": {"", "123", ""}})
+		opts, err = ParseQueryParams(keys, url.Values{"page_token": {"", encryptedToken, ""}, "page_size": {"", "123", ""}})
 		require.NoError(t, err)
 		paginator = NewPaginator(append(opts, WithDefaultToken(defaultToken))...)
 		assert.Equal(t, token, paginator.PageToken())
