Merge pull request #3710 from abh/validate-key

fix(config): validate access_key_encryption at startup

Author: fiftin

util/config.go

@@ -969,11 +969,36 @@ func validate(value any) error {
 	return nil
 }
 
+func validateAccessKeyEncryption(key string) error {
+	if key == "" {
+		return nil
+	}
+
+	encryption, err := base64.StdEncoding.DecodeString(key)
+	if err != nil {
+		return fmt.Errorf("access_key_encryption must be a valid base64 string: %w", err)
+	}
+
+	switch len(encryption) {
+	case 16, 24, 32:
+		return nil
+	default:
+		return fmt.Errorf(
+			"access_key_encryption has invalid decoded length %d bytes; AES requires 16, 24, or 32 bytes (use `openssl rand -base64 32` to generate a valid key)",
+			len(encryption),
+		)
+	}
+}
+
 func validateConfig() {
 	err := validate(Config)
 	if err != nil {
 		panic(err)
 	}
+
+	if err := validateAccessKeyEncryption(Config.AccessKeyEncryption); err != nil {
+		panic(err)
+	}
 }
 
 func loadEnvironmentToObject(obj any) error {

util/config_test.go

@@ -417,4 +417,21 @@ func TestValidateConfig(t *testing.T) {
 	Config.Dialect = "someOtherDB"
 	ensureConfigValidationFailure(t, "Dialect", Config.Dialect)
 	Config.Dialect = testDbDialect
+
+	// AccessKeyEncryption: empty is allowed (no encryption)
+	Config.AccessKeyEncryption = ""
+	validateConfig()
+
+	// AccessKeyEncryption: valid 32-byte key
+	Config.AccessKeyEncryption = testCookieHash
+	validateConfig()
+
+	// AccessKeyEncryption: invalid base64
+	Config.AccessKeyEncryption = "not-valid-base64!!!"
+	ensureConfigValidationFailure(t, "AccessKeyEncryption", Config.AccessKeyEncryption)
+
+	// AccessKeyEncryption: valid base64 but wrong size (48 bytes)
+	Config.AccessKeyEncryption = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+	ensureConfigValidationFailure(t, "AccessKeyEncryption", Config.AccessKeyEncryption)
+	Config.AccessKeyEncryption = testCookieHash
 }