Commit Graph

2 Commits

Author SHA1 Message Date
null 1457de487f feat(security): show a key fingerprint (not the key) in the encryption status
The encryption key must never be retrievable through the app (that would undo
the whole point of TOKEN_ENCRYPTION_KEY — a stolen session/XSS could then read
the master key). Instead surface a non-reversible fingerprint so operators can:
- verify which key is currently active,
- confirm a running instance matches the key they backed up, and
- spot an accidental key change (which would make existing secrets unrecoverable).

- encryptionService.keyFingerprint(): domain-separated SHA-256 prefix of the
  active key (env if set, else the stored DB key); never force-creates a key
  (returns null when none exists), shares nothing with the cipher derivation.
- admin bank-sync-config exposes key_fingerprint alongside encryption_key_source.
- Admin Bank Sync card renders it with backup guidance.
- Test: stable per key, differs by key, not reversible / not the raw key.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
2026-07-05 19:15:32 -05:00
null b95f771d18 test(security): lock in encryptionService — the secret-at-rest crown jewel (Phase 1)
Zero coverage on the AES-256-GCM + HKDF crypto that protects SimpleFIN
bank tokens, TOTP/recovery secrets, SMTP/OIDC creds and login-history
PII. A silent break in decryptSecret or the startup reEncryptWithEnvKey
migration would render every stored secret unrecoverable, invisibly.

Covers: round-trip on both key paths (env e2: / db v2:), unicode/empty/
large payloads, GCM tamper rejection, legacy (pre-v0.78 SHA-256) decrypt,
the env-key-required error, and the migration (migrate/skip/idempotent/
corrupt-tolerant). Suite 200 green.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
2026-07-05 12:55:51 -05:00