Skip to content

fix(security): remove insecure legacy crypto and fix Turnstile in Docker#43

Merged
pankaj-bind merged 2 commits intomainfrom
bug-fix
Apr 4, 2026
Merged

fix(security): remove insecure legacy crypto and fix Turnstile in Docker#43
pankaj-bind merged 2 commits intomainfrom
bug-fix

Conversation

@pankaj-bind
Copy link
Copy Markdown
Owner

@pankaj-bind pankaj-bind commented Apr 4, 2026

Summary

  • Removed hashPasswordForAuth from encryption.ts — a dangerous legacy function using naive SHA-256(password||salt) with zero key stretching, completely undermining the Argon2id protection. No production code was calling it (dead code), but it was exported and available as an attack surface.
  • Removed _plaintext bypass from decryptCredentialFields — this allowed data tagged with _plaintext to skip client-side decryption entirely. A compromised server could inject _plaintext into any API response to bypass the zero-knowledge encryption model.
  • Removed _plaintext fields from backend duress fake vault data in services.py. Duress mode continues to work via the zero-knowledge vault path (ZeroKnowledgeVaultService with decoy_vault_blob + duress_salt).
  • Fixed Cloudflare Turnstile not rendering in Docker builds — .dockerignore excluded .env files, so REACT_APP_TURNSTILE_SITE_KEY was empty at npm run build time inside Docker. Added ARG/ENV directives to both Dockerfile.local and Dockerfile, and args to docker-compose.local.yml.

Files Changed

File Change
frontend/src/utils/encryption.ts Deleted hashPasswordForAuth, removed _plaintext type and bypass
frontend/src/utils/__tests__/encryption.test.ts Removed hashPasswordForAuth import and 4 tests
backend/api/features/vault/services.py Removed all _plaintext blocks from fake vault data
frontend/Dockerfile.local Added ARG/ENV for React build-time env vars
frontend/Dockerfile Added ARG/ENV for React build-time env vars
docker-compose.local.yml Added args to pass Turnstile key and API URL

Test plan

  • All 27 encryption unit tests pass after changes
  • Verify Turnstile widget renders on registration page at http://localhost
  • Verify duress mode still works via zero-knowledge vault path
  • Confirm no production code imports hashPasswordForAuth

@vercel
Copy link
Copy Markdown

vercel bot commented Apr 4, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
accountsafe Ready Ready Preview, Comment Apr 4, 2026 7:34pm

@pankaj-bind @claude
fix(security): remove insecure hashPasswordForAuth, _plaintext bypass…
7a33984 
…, and fix Turnstile in Docker

- Delete hashPasswordForAuth from encryption.ts: naive SHA-256(password||salt)
  with no key stretching that undermined Argon2id protection
- Remove _plaintext bypass from decryptCredentialFields: allowed a compromised
  server to inject plaintext and skip client-side decryption entirely
- Remove _plaintext fields from backend duress fake vault data in services.py
- Remove associated hashPasswordForAuth tests from encryption.test.ts
- Fix Cloudflare Turnstile not rendering in Docker builds: .dockerignore excluded
  .env files so REACT_APP_TURNSTILE_SITE_KEY was empty at build time. Added ARG/ENV
  directives to Dockerfile.local and Dockerfile, and build args to docker-compose

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@pankaj-bind
docs: fix incorrect PBKDF2 references across docs and frontend pages
128b17a 
The project uses Argon2id (memory-hard KDF) via cryptoService.ts for
key derivation, but all documentation and user-facing pages incorrectly
stated PBKDF2. Updated:

- README.md: sequence diagram, features, tech stack table
- SECURITY.md: key derivation diagram
- docs/API.md: auth_hash field descriptions
- frontend/public/docs/: README, SECURITY, API (served to users)
- HomePage.tsx, LandingPage.tsx: hero section encryption description

Note: encryption.ts still correctly references PBKDF2 since that file
genuinely uses PBKDF2 for legacy per-field encryption via Web Crypto API.
@pankaj-bind pankaj-bind merged commit 0118fa9 into main Apr 4, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pankaj-bind