dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity

Fix: SSH credential public key decryption across browser sessions #342

Merged
thorved merged 1 commits from fix/ssh-credential-public-key-decryption into dev-1.8.0 2025-10-05 00:09:10 +00:00
Conversation 3 Commits 1 Files Changed 2 +18 -1
2 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/backend/utils/field-crypto.ts
View File

@@ -17,18 +17,31 @@ class FieldCrypto {
private static readonly ENCRYPTED_FIELDS = {
users: new Set([
"password_hash",
"passwordHash",
"client_secret",
"clientSecret",
"totp_secret",
"totpSecret",
"totp_backup_codes",
"totpBackupCodes",
"oidc_identifier",
"oidcIdentifier",
]),
ssh_data: new Set([
"password",
"key",
"key_password",
"keyPassword",
]),
ssh_data: new Set(["password", "key", "key_password"]),
ssh_credentials: new Set([
"password",
"private_key",
"privateKey",
"key_password",
"keyPassword",
"key",
"public_key",
"publicKey",
]),
};
gemini-code-assist[bot] commented 2025-10-04 06:24:18 +00:00 (Migrated from github.com)
Review
Copy Link

medium

While adding both snake_case and camelCase versions of the field names fixes the issue, it introduces duplication and makes maintenance more error-prone. A developer might forget to add both versions for a new encrypted field in the future.

A more robust and maintainable approach would be to keep only the canonical snake_case names in ENCRYPTED_FIELDS and handle the case conversion inside the shouldEncryptField method. This would centralize the logic and keep the configuration clean.

For example, shouldEncryptField could convert the incoming fieldName to snake_case before checking for its existence in the set. This would work for both camelCase and snake_case inputs and would allow you to revert this part of the change, simplifying the configuration.

![medium](https://www.gstatic.com/codereviewagent/medium-priority.svg) While adding both `snake_case` and `camelCase` versions of the field names fixes the issue, it introduces duplication and makes maintenance more error-prone. A developer might forget to add both versions for a new encrypted field in the future. A more robust and maintainable approach would be to keep only the canonical `snake_case` names in `ENCRYPTED_FIELDS` and handle the case conversion inside the `shouldEncryptField` method. This would centralize the logic and keep the configuration clean. For example, `shouldEncryptField` could convert the incoming `fieldName` to `snake_case` before checking for its existence in the set. This would work for both `camelCase` and `snake_case` inputs and would allow you to revert this part of the change, simplifying the configuration.

4
src/backend/utils/lazy-field-encryption.ts
View File

@@ -6,6 +6,10 @@ export class LazyFieldEncryption {
key_password: "keyPassword",
private_key: "privateKey",
public_key: "publicKey",
// Reverse mappings for Drizzle ORM (camelCase -> snake_case)
keyPassword: "key_password",
privateKey: "private_key",
publicKey: "public_key",
};
static isPlaintextField(value: string): boolean {