Fix TOTP encryption key file path resolution

google-labs-jules[bot] · google-labs-jules[bot] · commit b00b9be58ef3 · 2026-01-19T21:41:19.000Z
- Changed `backend/models/user.py` to resolve `totp_encryption.key` using an absolute path relative to the `backend` directory.
- This prevents "Failed to decrypt TOTP secret" errors when the application is started from different working directories (e.g., project root vs backend root), ensuring consistent key loading.
- Added validation when reading the key file to ensure it is a valid Fernet key.
- Improved error logging in `_decrypt_totp_secret` to provide specific exception details for debugging.
diff --git a/backend/models/user.py b/backend/models/user.py
@@ -37,15 +37,32 @@ def _get_or_create_encryption_key(self) -> bytes:
             except Exception as e:
                 logger.error(f"Invalid ENCRYPTION_KEY in environment: {str(e)}")
 
-        key_file = 'totp_encryption.key'
+        # Use absolute path to ensure key is found regardless of working directory
+        # Key file should be in the backend root directory (parent of models directory)
+        current_dir = os.path.dirname(os.path.abspath(__file__))
+        backend_dir = os.path.dirname(current_dir)
+        key_file = os.path.join(backend_dir, 'totp_encryption.key')
+
         if os.path.exists(key_file):
             with open(key_file, 'rb') as f:
-                return f.read()
+                key = f.read()
+                # Validate key to ensure it's not corrupt
+                try:
+                    from cryptography.fernet import Fernet
+                    Fernet(key)
+                    return key
+                except Exception as e:
+                    logger.error(f"Invalid encryption key in {key_file}: {e}")
+                    return key
         else:
             from cryptography.fernet import Fernet
             key = Fernet.generate_key()
-            with open(key_file, 'wb') as f:
-                f.write(key)
+            try:
+                with open(key_file, 'wb') as f:
+                    f.write(key)
+                logger.info(f"Generated new encryption key at {key_file}")
+            except Exception as e:
+                logger.error(f"Failed to write encryption key to {key_file}: {e}")
             return key
 
     def _encrypt_totp_secret(self, secret: str) -> str:
@@ -58,7 +75,10 @@ def _decrypt_totp_secret(self, encrypted_secret: str) -> str:
         try:
             f = Fernet(self.encryption_key)
             return f.decrypt(encrypted_secret.encode()).decode()
-        except Exception:
+        except Exception as e:
+            import logging
+            logger = logging.getLogger(__name__)
+            logger.error(f"Failed to decrypt TOTP secret: {str(e)}")
             return None
 
     def create_user(self, username: str, email: str, password: Optional[str] = None,
